Dot1x mda

Hi,
    I have to use dot1x and MDA with an NPS Windows server and a non-Cisco phone but a Cisco switch (because I have a PC connected behind a phone and both must be authenticated).
    I've succeeded: both my phone and my PC connected behind the phone pass authentication and authorization, and a "show authentication sessions" shows me that authentication is right in domain DATA and VOICE.
    But a few minutes later there is a port violation because the phone (Yealink) tries to authenticate again and fails this time (while it had succeeded the first time...).
    I really do not understand what can happen and why it's OK the first time and KO a few minutes later...
Thank you for your help!

...usually a session behind a phone remains forever when using MAB. So you need to configure "authentication violation replace" to allow another device to connect behind the phone and start the authentication process.
Horst

Similar Messages

  • Dot1x MAB with MDA Issue

    I have configured MAB (MAC Authentication Bypass) with MDA (Multi Domain Access). All devices are successfully authenticating in their respective VLANs. MAB devices get authenticated as Voice.
    I am using ACS (RADIUS) for authentication and DHCP relay.
    The problem is that the voice device is not getting an IP from the DHCP server. There is no error reported on the switch or RADIUS. Without Dot1x everything is working.
    switchport access vlan 105
    switchport mode access
    switchport voice vlan 108
    switchport port-security maximum 2
    switchport port-security
    switchport port-security aging time 2
    switchport port-security violation restrict
    switchport port-security aging type inactivity
    dot1x mac-auth-bypass eap
    dot1x pae authenticator
    dot1x port-control auto
    dot1x host-mode multi-domain
    dot1x max-req 1
    dot1x guest-vlan 105
    spanning-tree portfast
    spanning-tree bpduguard enable
    ip verify source

    We are using a 3-layer model (Core, Distribution & Access) and all VLAN interfaces are on the distribution layer.
    I am passing the av-pair value device-traffic-class=voice from ACS.
    We are using ACS 4.1 for Windows and ACS is successfully authenticating both devices.
    Even show dot1x interface shows proper authentication with the proper domain.

  • 802.1X Port Based Authentication - IP Phone- MDA - Port Security Violation

    I have configured 802.1X authentication on selected ports of a Cisco Catalyst 2960S with Microsoft NPS RADIUS authentication on a test LAN. I have tested the authentication with a Windows XP laptop, a Windows 7 laptop with 802.1X EAP-TLS authentication and a Mitel 5330 IP Phone using EAP-MD5 authentication. All the above devices work with the MS NPS server. However, in MDA mode, when the 802.1x-compliant Windows 7 laptop is connected to the already authenticated Mitel IP Phone, the port experiences a security violation and goes into error-disabled mode.
    Feb  4 19:16:16.571: %AUTHMGR-5-START: Starting 'dot1x' for client (24b6.fdfa.749b) on Interface Gi1/0/1 AuditSessionID AC10A0FE0000002F000D3CED
    Feb  4 19:16:16.645: %DOT1X-5-SUCCESS: Authentication successful for client (24b6.fdfa.749b) on Interface Gi1/0/1 AuditSessionID AC10A0FE0000002F000D3CED
    Feb  4 19:16:16.645: %PM-4-ERR_DISABLE: security-violation error detected on Gi1/0/1, putting Gi1/0/1 in err-disable state
    Feb  4 19:16:17.651: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/1, changed state to down
    Feb  4 19:16:18.658: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to down
    If the port config is changed to "authentication host-mode multi-auth" and the laptop is connected to the phone, the port does not experience the security violation but the 802.1x authentication for the laptop fails.
    The ports Gi1/0/1 & Gi1/0/2 are configured thus:
    interface GigabitEthernet1/0/1
    switchport mode access
    switchport voice vlan 20
    authentication event fail action authorize vlan 4
    authentication event no-response action authorize vlan 4
    authentication event server alive action reinitialize
    authentication host-mode multi-domain
    authentication order dot1x mab
    authentication priority dot1x mab
    authentication port-control auto
    mab
    mls qos trust cos
    dot1x pae authenticator
    spanning-tree portfast
    sh ver
    Switch Ports Model              SW Version            SW Image
    *    1 52    WS-C2960S-48FPS-L  15.2(1)E1             C2960S-UNIVERSALK9-M
    Full config attached. Assistance will be greatly appreciated.
    Donfrico
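The sequence in the syslog above (a %DOT1X-5-SUCCESS for the laptop followed in the same second by a %PM-4-ERR_DISABLE security violation on the same port) is worth catching in a SIEM, because it tells you the credentials were accepted and the port, not the RADIUS server, rejected the extra MAC. The detector below is an added example, not code from the post or from Cisco; the sample lines are constructed, modelled on the ones quoted above with one unrelated success on Gi1/0/2 added as a negative case, and the five-second correlation window is an assumption.

```python
import re
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample syslog, modelled on the lines quoted in the post above, plus one
# unrelated success on Gi1/0/2 (constructed) so the detector has a negative case.
SAMPLE_SYSLOG = """\
Feb  4 19:16:16.571: %AUTHMGR-5-START: Starting 'dot1x' for client (24b6.fdfa.749b) on Interface Gi1/0/1 AuditSessionID AC10A0FE0000002F000D3CED
Feb  4 19:16:16.645: %DOT1X-5-SUCCESS: Authentication successful for client (24b6.fdfa.749b) on Interface Gi1/0/1 AuditSessionID AC10A0FE0000002F000D3CED
Feb  4 19:16:16.645: %PM-4-ERR_DISABLE: security-violation error detected on Gi1/0/1, putting Gi1/0/1 in err-disable state
Feb  4 19:16:17.651: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/1, changed state to down
Feb  4 19:20:02.100: %DOT1X-5-SUCCESS: Authentication successful for client (0011.2233.4455) on Interface Gi1/0/2 AuditSessionID AC10A0FE00000030000D4000
"""

# IOS syslog line: "<timestamp>: %FACILITY-SEVERITY-MNEMONIC: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d\.\d+): (?P<mnemonic>%[A-Z0-9_]+-\d-[A-Z0-9_]+): (?P<msg>.*)$"
)
SUCCESS_RE = re.compile(r"client \((?P<mac>[0-9a-f.]+)\) on Interface (?P<intf>\S+)")
VIOLATION_RE = re.compile(r"security-violation error detected on (?P<intf>[^,]+),")


def parse_ts(ts: str) -> datetime:
    """Parse the default IOS timestamp (no year; strptime fills in 1900, fine for deltas)."""
    return datetime.strptime(re.sub(r"\s+", " ", ts), "%b %d %H:%M:%S.%f")


def find_violation_after_success(log_text: str, window_seconds: float = 5.0) -> List[Dict[str, object]]:
    """One finding per port where a %PM-4-ERR_DISABLE security violation follows a
    %DOT1X-5-SUCCESS on the same port within window_seconds (assumed default: 5 s)."""
    last_success: Dict[str, Tuple[datetime, str]] = {}
    findings: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, mnemonic, msg = parse_ts(m["ts"]), m["mnemonic"], m["msg"]
        if mnemonic == "%DOT1X-5-SUCCESS":
            s = SUCCESS_RE.search(msg)
            if s:
                last_success[s["intf"]] = (ts, s["mac"])
        elif mnemonic == "%PM-4-ERR_DISABLE":
            v = VIOLATION_RE.search(msg)
            if not v or v["intf"] not in last_success:
                continue
            ok_ts, mac = last_success[v["intf"]]
            delta = (ts - ok_ts).total_seconds()
            if 0 <= delta <= window_seconds:
                findings.append({"interface": v["intf"], "client": mac, "delta_seconds": delta})
    return findings


if __name__ == "__main__":
    for f in find_violation_after_success(SAMPLE_SYSLOG):
        print(f"{f['interface']}: {f['client']} authenticated, port err-disabled "
              f"{f['delta_seconds']:.3f}s later")
```

On the sample this yields a single finding for Gi1/0/1 with a delta of 0 seconds, exactly what the post's timestamps show. A hit from this detector points at the port's host-mode or port-security limit (or the violation action, as the first reply in this thread suggests), whereas a %DOT1X-5-FAIL without a following err-disable points at the supplicant or the RADIUS policy.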

    I am currently trying to get 802.1x port authentication working on a Cat3550 against Win2003 IAS, but the IAS log shows an invalid message-authenticator error. The 3550 just shows failed. When I authenticate against Cisco ACS (by simply changing the radius-server) it works perfectly.
    However, I am successfully using IAS to authenticate WPA users on AP1210s, so RADIUS appears to be working OK.
    Are there special attributes that need to be configured on the switch or IAS?

  • ISE; machine based dot1x authentication not working

    Hi there,
    I'm currently trying out dot1x authentication with MDA. The phone is currently authenticated via MAB. I succeeded in doing the same with a Win7 workstation, but now I have a problem with true dot1x auth. Whenever the client tries to authenticate to the ISE it is using the notorious "host/" prefix. I read in the ACS 5.2 user guide that there is an option to crop it. I tried to find the same feature in the ISE, but it seems there is none.
    I have the authentication policy configured to use a certificate authentication profile as identity source when the method is dot1x without any additional conditions.
    In this profile I tried several options, including the common name, subject, subject alternative name. Nothing helped.
    Does anybody have a tip on how to solve this?
    Thanks in advance

    If I understood correctly I don't need to create an external identity source when using the Certificate Authentication Profile feature.
    This is what I got from the documentation:
    "Certificate authentication profiles are used in authentication policies for certificate-based authentications in place of identity sources to verify the authenticity of the user."
    I intend to use machine based authentication without contacting an external identity source.
    I also ensured the root CA certificate is selected to be used for EAP-TLS authentication.
    This brings me to another question.
    If the CA issuing machine or user certificates is itself an intermediate CA, do I have to install a chained certificate (intermediate CA + root CA) in the ISE or both CA certificates separately?
    Thanks in advance
    Regards,
    Patrick

  • 802.1x MDA with Cisco 3750, ACS and Avaya phones

    Hello,
    What is the minimum software level on the C3750 to support the 'device type class=voice' AV-pair returned by ACS? I found 12.2(35) introduced MDA, but I also found 12.2(40) required for dynamic voice VLAN on MDA ports.
    What I observe is:
    - phone connects
    - phone is dot1x authenticated in data VLAN and gets its DHCP address there
    - DHCP advertises (option 242) the voice vlan id
    - phone reauthenticates in voice vlan
    - phone reacquires a new DHCP address, now in voice VLAN
    so far so good ... and we start using the phone
    - pc behind phone starts and enters credentials
    - pc authenticates ok (in data vlan)
    but 3750 shuts the port down per security violation ("new mac-address found").
    The MAC address of the phone stays in the data VLAN's MAC table, even though the phone moved correctly to the voice VLAN. This MAC address excludes the 'new' PC MAC address, causing a shutdown of the port.
    NB: setting "port-security max mac-addresses" to, say, 5 does not change this behavior at all.
    Can anybody give some hints?
    Tx.

    Searching further, I found that the 12.2(40) requirement for dynamic voice VLAN on MDA ports only applies to dynamically provisioning the voice VLAN ID by RADIUS, applying the (65) tunnel (medium) type and (81) tunnel private group-id attributes. So, obviously, MDA support with 'static' voice VLAN assignment by switchport configuration *should work* with our 12.2(35), *
    So, the question remains : why does the data VLAN keep an entry with the phone's MAC address in its MAC table?
    Tx.

  • 802.1x MDA LLDP Disabled on Switch (3750) but detected on phone?

    I have been playing around with 802.1x and some IP phones. The test scenario we have is that LLDP is globally disabled on the switch and enabled on the phone. When the phone boots up, a non-LLDP-enabled device is allowed to use the data VLAN to boot and learn (via DHCP) the voice VLAN.
    http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/TrustSec_1-99/IP_Tele/IP_Telephony_DIG.html#pgfId-389460
    We found that if LLDP is disabled on the switch it still detects LLDP on the phone and blocks the LLDP enabled phone from using the data vlan.  This causes the phone to "hang" waiting for DHCP.
    Turning LLDP off on the switch port did not seem to help, as the switch tests for LLDP regardless and then blocks access to the data VLAN. It seems like *if* LLDP is disabled on the switch it should treat all devices as non-LLDP devices and allow the use of the data VLAN, even if the device (IP phone) is capable of LLDP.
    Cisco IOS Software, C3750 Software (C3750-IPBASEK9-M), Version 12.2(55)SE8, RELEASE SOFTWARE (fc2)

    Turned out that this was being caused by not having a valid DATA vlan set (leaving it in vlan 1).  It looks like with MDA you cannot assign the data VLAN the phone will use to boot in a Radius reply.  It has to be assigned manually?
    Is there another way to tell the switch to allow the phone on data vlan 20 for a short period of time?
    interface x/y/z
     switchport access vlan 20
     switchport mode access
     switchport nonegotiate
     switchport voice vlan 60
     switchport port-security maximum 5
     switchport port-security
     switchport port-security aging time 2
     switchport port-security violation restrict
     switchport port-security aging type inactivity
     authentication event fail retry 1 action authorize vlan 20
     authentication event no-response action authorize vlan 20
     authentication host-mode multi-domain
     authentication order mab dot1x
     authentication priority mab dot1x
     authentication port-control auto
     authentication periodic
     authentication timer reauthenticate server
     mab
     snmp trap mac-notification change added
     dot1x pae authenticator
     dot1x timeout quiet-period 3
     dot1x timeout server-timeout 2
     dot1x timeout tx-period 5
     dot1x timeout supp-timeout 2
     spanning-tree portfast

  • Dot1x/mab multiple clients

    Hi,
    We would like to authenticate (with dot1x/mab) more than one MAC address on a port. When a user connects his workstation, the switch must put the workstation in a VLAN, and when the user starts a VMware in bridge mode, the switch must put the VMware in a VLAN trunk. Can anyone help me, are Cisco switches able to do this?
    Thanks, Dominik

    Hi Dominik
    You can't run dot1x on a trunk, generally speaking. There's only one scenario where you can run dot1x in a special trunking setup, that is using multi-domain authentication (MDA) using VoIP phones. There are some restrictions to that which you can find out reading through the Config Guide.

  • Critical Authentication VLAN: MDA Mode

    Hello again
    One problem is solved, but another problem has come.
    I use the MDA mode. And if the RADIUS is not available, the voice and data device will be placed in the data domain.
    A security violation blocked the port after: SECURITY_VIOLATION: Security violation on the interface FastEthernet0/1, new MAC address...
    What can I do? Only the data device should be placed in the critical VLAN. The voice device should not move to any VLAN when this scenario occurs.
    I use IOS 12.2(55)SE1.
    Here is a short excerpt of the configuration:
    interface FastEthernet0/1
    switchport mode access
    switchport voice vlan 2
    authentication event server dead action authorize vlan 3
    authentication event server alive action reinitialize
    authentication host-mode multi-domain
    authentication port-control auto
    dot1x pae authenticator
    Thanks for any help.
    Marco Serato

    Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version 12.2(55)SE1, RELEASE SOFTWARE (fc1)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2010 by Cisco Systems, Inc.
    Compiled Thu 02-Dec-10 08:16 by prod_rel_team
    Image text-base: 0x00003000, data-base: 0x01800000
    ROM: Bootstrap program is C2960 boot loader
    BOOTLDR: C2960 Boot Loader (C2960-HBOOT-M) Version 12.2(44)SE5, RELEASE SOFTWARE (fc1)
    Authenticator uptime is 2 days, 4 hours, 29 minutes
    System returned to ROM by power-on
    System image file is "flash:/c2960-lanbasek9-mz.122-55.SE1.bin"
    Switch Ports Model             SW Version            SW Image
    *   1 26   WS-C2960-24TT-L   12.2(55)SE1           C2960-LANBASEK9-M

  • Dot1x guest VLAN on 2960G

    Hi,
    I have a 2960 switch configured for dot1x authentication; the problem is that the Guest VLAN and Restricted VLAN did not work. The switch port was stuck in authenticating status.
    The server is Juniper IC4500.
    Switch is 2960G, IOS 15.0(1)SE2
    the configuration:
    aaa new-model
    aaa authentication login default local
    aaa authentication dot1x default group radius
    aaa authorization exec default local
    aaa authorization network default group radius
    dot1x system-auth-control
    dot1x test timeout 30
    dot1x guest-vlan supplicant
    dot1x critical eapol
    interface FastEthernet0/32
    switchport access vlan 28
    switchport mode access
    authentication event fail action authorize vlan 41
    authentication event server dead action authorize vlan 41
    authentication event server dead action authorize voice
    authentication event no-response action authorize vlan 41
    authentication event server alive action reinitialize
    authentication host-mode multi-auth
    authentication order mab
    authentication port-control auto
    authentication timer reauthenticate 300
    authentication violation protect
    mab eap
    dot1x pae authenticator
    dot1x timeout quiet-period 5
    dot1x max-req 1
    dot1x max-reauth-req 1
    dot1x max-start 1
    spanning-tree portfast
    Anyone with experience on this pls help.
    Thanks,
    hoanghiep

    Forgot to mention that multi-auth does not support actions on either no-response or fail authentication events. So you need to set host-mode to MDA or single host.
    Ref:
    http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_55_se/configuration/guide/sw8021x.html#wp1454875

  • Dot1x with port security and redundant radius servers

    I have a strange issue with my dot1x port authentication. I have two RADIUS servers configured in my switch for redundancy, and on my switchport I have a Cisco IP phone and a PC. Testing redundancy with the RADIUS servers, when I have both servers active and running, the port authentication works fine for both phone and PC. When I fail the RADIUS server in the configuration, by disconnecting the NIC on it, the switch goes to the surviving RADIUS server and authenticates (I can see it in the running log); both the phone and PC get an access-accept, but only the phone works on the network and the port light stays amber, showing it's blocking for the PC. Strange, since it showed an accept on the RADIUS server.
    This only seems to happen when the first one on the list is failed.  When the second one is failed, it obviously won't need to try it, so there's not an issue.  Any ideas?
    Here's the setup and configs:
    freeradius 2.1.12-4
    cisco 3560
    Switch Ports Model              SW Version            SW Image                
    *    1 52    WS-C3560G-48PS     12.2(53)SE2           C3560-IPBASEK9-M 
    aaa new-model
    aaa authentication dot1x default group radius
    aaa authorization network default group radius
    interface GigabitEthernet0/1
    switchport access vlan 100
    switchport mode access
    switchport voice vlan 110
    authentication event no-response action authorize vlan 901
    authentication host-mode multi-domain
    authentication port-control auto
    authentication periodic
    authentication violation protect
    mab
    dot1x pae authenticator
    dot1x timeout quiet-period 10
    dot1x timeout tx-period 1
    no mdix auto
    spanning-tree portfast
    radius-server host 10.90.1.88 auth-port 1645 acct-port 1646 key 7 xxx
    radius-server host 10.90.1.85 auth-port 1645 acct-port 1646 key 7 xxx
    Here's an authentication string from the radius server:
    (There are two MAC addresses. The first one, 00.13, is the PC and the second, 30.37, is the phone.)
    rad_recv: Access-Request packet from host 10.90.100.7 port 1645, id=204, length=160
    User-Name = "001372b639a6"
    User-Password = "001372b639a6"
    Service-Type = Call-Check
    Framed-MTU = 1500
    Called-Station-Id = "9C-AF-CA-23-D9-01"
    Calling-Station-Id = "00-13-72-B6-39-A6"
    Message-Authenticator = 0xfeef777a8033c24934306b3cce78c8f1
    NAS-Port-Type = Ethernet
    NAS-Port = 50001
    NAS-Port-Id = "GigabitEthernet0/1"
    NAS-IP-Address = 10.90.100.7
    Wed Sep 18 10:48:06 2013 : Info: # Executing section authorize from file /etc/raddb/sites-enabled/default
    Wed Sep 18 10:48:06 2013 : Info: +- entering group authorize {...}
    Wed Sep 18 10:48:06 2013 : Info: ++[preprocess] returns ok
    Wed Sep 18 10:48:06 2013 : Info: ++[chap] returns noop
    Wed Sep 18 10:48:06 2013 : Info: ++[mschap] returns noop
    Wed Sep 18 10:48:06 2013 : Info: ++[digest] returns noop
    Wed Sep 18 10:48:06 2013 : Info: [suffix] No '@' in User-Name = "001372b639a6", looking up realm NULL
    Wed Sep 18 10:48:06 2013 : Info: [suffix] No such realm "NULL"
    Wed Sep 18 10:48:06 2013 : Info: ++[suffix] returns noop
    Wed Sep 18 10:48:06 2013 : Info: [eap] No EAP-Message, not doing EAP
    Wed Sep 18 10:48:06 2013 : Info: ++[eap] returns noop
    Wed Sep 18 10:48:06 2013 : Info: [sql]           expand: %{User-Name} -> 001372b639a6
    Wed Sep 18 10:48:06 2013 : Info: [sql] sql_set_user escaped user --> '001372b639a6'
    Wed Sep 18 10:48:06 2013 : Debug: rlm_sql (sql): Reserving sql socket id: 3
    Wed Sep 18 10:48:06 2013 : Info: [sql]           expand: SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = '001372b639a6'           ORDER BY id
    Wed Sep 18 10:48:06 2013 : Debug: rlm_sql_mysql: query:  SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = '001372b639a6'           ORDER BY id
    Wed Sep 18 10:48:06 2013 : Info: [sql] User found in radcheck table
    Wed Sep 18 10:48:06 2013 : Info: [sql]           expand: SELECT id, username, attribute, value, op           FROM radreply           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radreply           WHERE username = '001372b639a6'           ORDER BY id
    Wed Sep 18 10:48:06 2013 : Debug: rlm_sql_mysql: query:  SELECT id, username, attribute, value, op           FROM radreply           WHERE username = '001372b639a6'           ORDER BY id
    Wed Sep 18 10:48:06 2013 : Info: [sql]           expand: SELECT groupname           FROM radusergroup           WHERE username = '%{SQL-User-Name}'           ORDER BY priority -> SELECT groupname           FROM radusergroup           WHERE username = '001372b639a6'           ORDER BY priority
    Wed Sep 18 10:48:06 2013 : Debug: rlm_sql_mysql: query:  SELECT groupname           FROM radusergroup           WHERE username = '001372b639a6'           ORDER BY priority
    Wed Sep 18 10:48:06 2013 : Debug: rlm_sql (sql): Released sql socket id: 3
    Wed Sep 18 10:48:06 2013 : Info: ++[sql] returns ok
    Wed Sep 18 10:48:06 2013 : Info: ++[expiration] returns noop
    Wed Sep 18 10:48:06 2013 : Info: ++[logintime] returns noop
    Wed Sep 18 10:48:06 2013 : Info: ++[pap] returns updated
    Wed Sep 18 10:48:06 2013 : Info: Found Auth-Type = PAP
    Wed Sep 18 10:48:06 2013 : Info: # Executing group from file /etc/raddb/sites-enabled/default
    Wed Sep 18 10:48:06 2013 : Info: +- entering group PAP {...}
    Wed Sep 18 10:48:06 2013 : Info: [pap] login attempt with password "001372b639a6"
    Wed Sep 18 10:48:06 2013 : Info: [pap] Using clear text password "001372b639a6"
    Wed Sep 18 10:48:06 2013 : Info: [pap] User authenticated successfully
    Wed Sep 18 10:48:06 2013 : Info: ++[pap] returns ok
    Wed Sep 18 10:48:06 2013 : Info: # Executing section post-auth from file /etc/raddb/sites-enabled/default
    Wed Sep 18 10:48:06 2013 : Info: +- entering group post-auth {...}
    Wed Sep 18 10:48:06 2013 : Info: ++[exec] returns noop
    Sending Access-Accept of id 204 to 10.90.100.7 port 1645
    Wed Sep 18 10:48:06 2013 : Info: Finished request 0.
    Wed Sep 18 10:48:06 2013 : Debug: Going to the next request
    Wed Sep 18 10:48:06 2013 : Debug: Waking up in 4.9 seconds.
    Wed Sep 18 10:48:11 2013 : Info: Cleaning up request 0 ID 204 with timestamp +77
    Wed Sep 18 10:48:11 2013 : Info: Ready to process requests.
    rad_recv: Access-Request packet from host 10.90.100.7 port 1645, id=205, length=160
    User-Name = "3037a616cd49"
    User-Password = "3037a616cd49"
    Service-Type = Call-Check
    Framed-MTU = 1500
    Called-Station-Id = "9C-AF-CA-23-D9-01"
    Calling-Station-Id = "30-37-A6-16-CD-49"
    Message-Authenticator = 0xc9173e759dd759b9d414d192783e8a8e
    NAS-Port-Type = Ethernet
    NAS-Port = 50001
    NAS-Port-Id = "GigabitEthernet0/1"
    NAS-IP-Address = 10.90.100.7
    Wed Sep 18 10:48:13 2013 : Info: # Executing section authorize from file /etc/raddb/sites-enabled/default
    Wed Sep 18 10:48:13 2013 : Info: +- entering group authorize {...}
    Wed Sep 18 10:48:13 2013 : Info: ++[preprocess] returns ok
    Wed Sep 18 10:48:13 2013 : Info: ++[chap] returns noop
    Wed Sep 18 10:48:13 2013 : Info: ++[mschap] returns noop
    Wed Sep 18 10:48:13 2013 : Info: ++[digest] returns noop
    Wed Sep 18 10:48:13 2013 : Info: [suffix] No '@' in User-Name = "3037a616cd49", looking up realm NULL
    Wed Sep 18 10:48:13 2013 : Info: [suffix] No such realm "NULL"
    Wed Sep 18 10:48:13 2013 : Info: ++[suffix] returns noop
    Wed Sep 18 10:48:13 2013 : Info: [eap] No EAP-Message, not doing EAP
    Wed Sep 18 10:48:13 2013 : Info: ++[eap] returns noop
    Wed Sep 18 10:48:13 2013 : Info: [sql]           expand: %{User-Name} -> 3037a616cd49
    Wed Sep 18 10:48:13 2013 : Info: [sql] sql_set_user escaped user --> '3037a616cd49'
    Wed Sep 18 10:48:13 2013 : Debug: rlm_sql (sql): Reserving sql socket id: 2
    Wed Sep 18 10:48:13 2013 : Info: [sql]           expand: SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = '3037a616cd49'           ORDER BY id
    Wed Sep 18 10:48:13 2013 : Debug: rlm_sql_mysql: query:  SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = '3037a616cd49'           ORDER BY id
    Wed Sep 18 10:48:13 2013 : Info: [sql] User found in radcheck table
    Wed Sep 18 10:48:13 2013 : Info: [sql]           expand: SELECT id, username, attribute, value, op           FROM radreply           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radreply           WHERE username = '3037a616cd49'           ORDER BY id
    Wed Sep 18 10:48:13 2013 : Debug: rlm_sql_mysql: query:  SELECT id, username, attribute, value, op           FROM radreply           WHERE username = '3037a616cd49'           ORDER BY id
    Wed Sep 18 10:48:13 2013 : Info: [sql]           expand: SELECT groupname           FROM radusergroup           WHERE username = '%{SQL-User-Name}'           ORDER BY priority -> SELECT groupname           FROM radusergroup           WHERE username = '3037a616cd49'           ORDER BY priority
    Wed Sep 18 10:48:13 2013 : Debug: rlm_sql_mysql: query:  SELECT groupname           FROM radusergroup           WHERE username = '3037a616cd49'           ORDER BY priority
    Wed Sep 18 10:48:13 2013 : Debug: rlm_sql (sql): Released sql socket id: 2
    Wed Sep 18 10:48:13 2013 : Info: ++[sql] returns ok
    Wed Sep 18 10:48:13 2013 : Info: ++[expiration] returns noop
    Wed Sep 18 10:48:13 2013 : Info: ++[logintime] returns noop
    Wed Sep 18 10:48:13 2013 : Info: ++[pap] returns updated
    Wed Sep 18 10:48:13 2013 : Info: Found Auth-Type = PAP
    Wed Sep 18 10:48:13 2013 : Info: # Executing group from file /etc/raddb/sites-enabled/default
    Wed Sep 18 10:48:13 2013 : Info: +- entering group PAP {...}
    Wed Sep 18 10:48:13 2013 : Info: [pap] login attempt with password "3037a616cd49"
    Wed Sep 18 10:48:13 2013 : Info: [pap] Using clear text password "3037a616cd49"
    Wed Sep 18 10:48:13 2013 : Info: [pap] User authenticated successfully
    Wed Sep 18 10:48:13 2013 : Info: ++[pap] returns ok
    Wed Sep 18 10:48:13 2013 : Info: # Executing section post-auth from file /etc/raddb/sites-enabled/default
    Wed Sep 18 10:48:13 2013 : Info: +- entering group post-auth {...}
    Wed Sep 18 10:48:13 2013 : Info: ++[exec] returns noop
    Sending Access-Accept of id 205 to 10.90.100.7 port 1645
    Cisco-AVPair = "device-traffic-class=voice"
    Wed Sep 18 10:48:13 2013 : Info: Finished request 1.
    Wed Sep 18 10:48:13 2013 : Debug: Going to the next request
    Wed Sep 18 10:48:13 2013 : Debug: Waking up in 4.9 seconds.
    Wed Sep 18 10:48:18 2013 : Info: Cleaning up request 1 ID 205 with timestamp +84
    Wed Sep 18 10:48:18 2013 : Info: Ready to process requests.
    Thanks!
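The FreeRADIUS debug output above is long, but the question it has to answer is short: per MAC, was the request MAB (Service-Type = Call-Check), was it accepted, and did the reply carry device-traffic-class=voice? The script below is an added example, not the poster's code and not part of FreeRADIUS; it reduces such a log to one row per request. The sample input is constructed from the two requests quoted above (same MACs, NAS address and attributes, most of the module trace trimmed) plus a constructed Access-Reject for a third MAC as a negative case.

```python
import re
from typing import Dict, List, Optional

# Constructed sample, modelled on the FreeRADIUS debug output quoted in the post above
# (the two MAB requests), plus a constructed Access-Reject for a third, made-up MAC.
SAMPLE_RADIUS_LOG = """\
rad_recv: Access-Request packet from host 10.90.100.7 port 1645, id=204, length=160
    User-Name = "001372b639a6"
    User-Password = "001372b639a6"
    Service-Type = Call-Check
    Calling-Station-Id = "00-13-72-B6-39-A6"
    NAS-Port-Id = "GigabitEthernet0/1"
Wed Sep 18 10:48:06 2013 : Info: [pap] User authenticated successfully
Sending Access-Accept of id 204 to 10.90.100.7 port 1645
Wed Sep 18 10:48:06 2013 : Info: Finished request 0.
rad_recv: Access-Request packet from host 10.90.100.7 port 1645, id=205, length=160
    User-Name = "3037a616cd49"
    Service-Type = Call-Check
    Calling-Station-Id = "30-37-A6-16-CD-49"
    NAS-Port-Id = "GigabitEthernet0/1"
Sending Access-Accept of id 205 to 10.90.100.7 port 1645
    Cisco-AVPair = "device-traffic-class=voice"
Wed Sep 18 10:48:13 2013 : Info: Finished request 1.
rad_recv: Access-Request packet from host 10.90.100.7 port 1645, id=206, length=160
    User-Name = "aabbccddeeff"
    Service-Type = Call-Check
    Calling-Station-Id = "AA-BB-CC-DD-EE-FF"
    NAS-Port-Id = "GigabitEthernet0/2"
Sending Access-Reject of id 206 to 10.90.100.7 port 1645
"""

REQUEST_RE = re.compile(r"^rad_recv: Access-Request packet from host (?P<nas>\S+) port \d+, id=(?P<id>\d+)")
REPLY_RE = re.compile(r"^Sending (?P<code>Access-(?:Accept|Reject|Challenge)) of id (?P<id>\d+) to")
ATTR_RE = re.compile(r"^\s+(?P<name>[A-Za-z0-9-]+) = (?P<value>.+)$")
TIMESTAMPED_RE = re.compile(r"^\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4} :")  # module trace lines


def parse_freeradius_log(text: str) -> List[dict]:
    """Group a FreeRADIUS -X log into requests: request attrs, reply code and reply attrs.
    Attribute values are kept as lists because an attribute (e.g. Cisco-AVPair) may repeat."""
    requests: Dict[str, dict] = {}
    target: Optional[Dict[str, List[str]]] = None   # attribute dict currently being filled
    for line in text.splitlines():
        if TIMESTAMPED_RE.match(line):
            continue
        m = REQUEST_RE.match(line)
        if m:
            req = {"id": m["id"], "nas": m["nas"], "request": {}, "reply_code": None, "reply": {}}
            requests[m["id"]] = req
            target = req["request"]
            continue
        m = REPLY_RE.match(line)
        if m:
            req = requests.get(m["id"])
            if req is None:           # reply for a request we never saw; ignore its attrs
                target = None
                continue
            req["reply_code"] = m["code"]
            target = req["reply"]
            continue
        m = ATTR_RE.match(line)
        if m and target is not None:
            target.setdefault(m["name"], []).append(m["value"].strip('"'))
    return list(requests.values())


def first(attrs: Dict[str, List[str]], name: str) -> Optional[str]:
    values = attrs.get(name)
    return values[0] if values else None


def summarize_mab_replies(text: str) -> List[dict]:
    """One row per request: who asked, whether it was MAB, the verdict, and whether the
    reply classified the endpoint as voice (the MDA VOICE domain signal)."""
    rows = []
    for req in parse_freeradius_log(text):
        attrs, reply = req["request"], req["reply"]
        rows.append({
            "id": req["id"],
            "mac": first(attrs, "Calling-Station-Id"),
            "port": first(attrs, "NAS-Port-Id"),
            "mab": first(attrs, "Service-Type") == "Call-Check",
            "result": req["reply_code"],
            "voice_class": "device-traffic-class=voice" in reply.get("Cisco-AVPair", []),
        })
    return rows


if __name__ == "__main__":
    for row in summarize_mab_replies(SAMPLE_RADIUS_LOG):
        print(row)
```

Run against the debug output of each server in turn, the rows for the same MAC can be diffed directly: a device that is accepted by both servers but only gets its Cisco-AVPair from one of them is a policy difference, not a transport problem, and a missing row is a request that never reached that server.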

    802.1X support requires an authentication server that is configured for Remote Authentication Dial-In User Service (RADIUS). 802.1X authentication does not work unless the network access switch can route packets to the configured RADIUS server.
    Please check the below links, which can be helpful in configurations:
    Link-1
    http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/50sg/configuration/guide/dot1x.html

  • ACS 5.3 Dot1x for Wired/Wireless

    Hi Community,
    I have a query regarding ACS 5.3 installation. I have wired and wireless clients in my setup, with Nexus 5k and 45k switches and a WLC-5508. Also we are using Microsoft AD to authenticate clients for network access.
    My questions are
    1. Can we configure dot1x in this scenario to use password only (no certificates needed at all)? Or must we have certificates in order to configure it perfectly (like AD and ACS sync issues etc.)?
    2. If yes, can someone point out any good docs that can help?
    Regards,
    Hammad

    Hi Jatin,
    Thanks for the tips earlier. However I installed ACS 5.4 and then configure the server from scratch.
    I am getting MAB as well as Dot1X authentication. But for two different users I am getting two different results for DOT1X; wondering why this is happening? Is it an ACS/switch config issue or is it related to AD?
    I am finding one user is getting perfectly authenticated while the Other is showing "Authorization failed" yet still able to access the NW.
    #$cation sessions interface tenGigabitEthernet 1/1/12
               Interface: TenGigabitEthernet1/1/12
             MAC Address: 28d2.4421.109c
               IP Address: 10.160.193.100
               User-Name: ABC\shuser
                   Status: Authz Success
                   Domain: DATA
         Security Policy: Should Secure
         Security Status: Unsecure
           Oper host mode: multi-auth
         Oper control dir: both
           Authorized By: Authentication Server
            Vlan Policy: N/A
                 ACS ACL: xACSACLx-IP-SSH-PERMIT-ALL-5270ce52
         Session timeout: N/A
             Idle timeout: N/A
       Common Session ID: 0AA000010000010548A006AC
         Acct Session ID: 0x000007A4
                   Handle: 0xA1000106
    Runnable methods list:
           Method   State
           dot1x   Authc Success
    CS01#
    CS01#
    CS01#$cation sessions interface tenGigabitEthernet 1/1/12
               Interface: TenGigabitEthernet1/1/12
             MAC Address: 28d2.4421.109c
               IP Address: 10.160.193.100
               User-Name: host/TESTPC01.sportshub.com.sg
                   Status: Authz Failed
                   Domain: DATA
         Security Policy: Should Secure
         Security Status: Unsecure
           Oper host mode: multi-auth
         Oper control dir: both
           Authorized By: Authentication Server
             Vlan Policy: N/A
         Session timeout: N/A
             Idle timeout: N/A
       Common Session ID: 0AA000010000010648A11C04
         Acct Session ID: 0x000007AD
                   Handle: 0x61000107
    Runnable methods list:
           Method   State
           dot1x   Authc Success
    ================================
    SWITCH PORT CONFIG:
    int ten1/1/9
    switchport mode access
    dot1x pae authenticator
    dot1x port-control auto
    authentication host-mode multi-auth
    authentication violation restrict
    dot1x timeout tx-period 10
    dot1x timeout quiet-period 20
    authentication timer reauthenticate server
    dot1x max-reauth-req 3
    Regards,
    Hammad
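The two captures above differ in one line each: Status is Authz Success in the first and Authz Failed in the second, while the method state is Authc Success in both, and only the first shows an ACS ACL. A parser that turns `show authentication sessions interface` output into records makes that kind of comparison mechanical across many ports. The code below is an added example, not Hammad's code and not Cisco's; the sample output is constructed from the two captures above (same MAC, identities and session IDs, with the scrolled prompt written out in full) and the field names are the ones visible in that output.

```python
import re
from typing import Dict, List

# Constructed sample, modelled on the two "show authentication sessions interface"
# captures quoted in the post above (one Authz Success, one Authz Failed).
SAMPLE_OUTPUT = """\
CS01#show authentication sessions interface tenGigabitEthernet 1/1/12
            Interface: TenGigabitEthernet1/1/12
          MAC Address: 28d2.4421.109c
           IP Address: 10.160.193.100
            User-Name: ABC\\shuser
               Status: Authz Success
               Domain: DATA
       Oper host mode: multi-auth
        Authorized By: Authentication Server
              ACS ACL: xACSACLx-IP-SSH-PERMIT-ALL-5270ce52
    Common Session ID: 0AA000010000010548A006AC
Runnable methods list:
       Method   State
       dot1x   Authc Success
CS01#show authentication sessions interface tenGigabitEthernet 1/1/12
            Interface: TenGigabitEthernet1/1/12
          MAC Address: 28d2.4421.109c
           IP Address: 10.160.193.100
            User-Name: host/TESTPC01.sportshub.com.sg
               Status: Authz Failed
               Domain: DATA
       Oper host mode: multi-auth
        Authorized By: Authentication Server
    Common Session ID: 0AA000010000010648A11C04
Runnable methods list:
       Method   State
       dot1x   Authc Success
"""

KV_RE = re.compile(r"^\s*([A-Za-z][A-Za-z -]*?):\s*(.*)$")      # "  Key Name: value"
METHOD_RE = re.compile(r"^\s*(\w+)\s{2,}(.+?)\s*$")              # "  dot1x   Authc Success"


def parse_sessions(text: str) -> List[Dict[str, object]]:
    """Split the output into one dict per session (a new session starts at each
    'Interface:' line); per-method states go under the 'methods' key."""
    sessions: List[Dict[str, object]] = []
    current: Dict[str, object] = {}
    in_methods = False
    for line in text.splitlines():
        kv = KV_RE.match(line)
        if kv:
            key, value = kv.group(1), kv.group(2)
            if key == "Interface":
                current = {"Interface": value, "methods": {}}
                sessions.append(current)
                in_methods = False
            elif key == "Runnable methods list":
                in_methods = True
            elif current:
                current[key] = value
            continue
        if in_methods and current:
            mm = METHOD_RE.match(line)
            if mm and mm.group(1) != "Method":            # skip the column header
                current["methods"][mm.group(1)] = mm.group(2)
    return sessions


def find_authz_mismatches(text: str) -> List[Dict[str, object]]:
    """Sessions whose identity was accepted (a method in Authc Success) but whose
    Status is Authz Failed: authorization, not authentication, is what went wrong."""
    findings = []
    for s in parse_sessions(text):
        authc_ok = any(str(state).startswith("Authc Success") for state in s["methods"].values())
        if str(s.get("Status", "")).startswith("Authz Failed") and authc_ok:
            user = str(s.get("User-Name", ""))
            findings.append({
                "interface": s["Interface"],
                "mac": s.get("MAC Address", ""),
                "user_name": user,
                "machine_identity": user.lower().startswith("host/"),
                "has_acl": "ACS ACL" in s,
                "session_id": s.get("Common Session ID", ""),
            })
    return findings


if __name__ == "__main__":
    for f in find_authz_mismatches(SAMPLE_OUTPUT):
        print(f)
```

On the sample this flags exactly one session, the host/ machine identity with no ACS ACL attached. The switch output only tells you that authorization did not complete; which rule or attribute in the reply failed has to be read on the ACS side for that session ID.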

  • BO 4.0 Advanced Analysis for OLAP - The MDAS service encountered an error.

    Hi gurus,
    We are running BO 4.0 SP02 Patch 11 with SAP BW 7 and experiencing the following error with Advanced Analysis for OLAP:
    "Analysis edition for OLAP
    The MDAS service encountered an error."
    After you click show details:
    "com.crystaldecisions.thirdparty.org.omg.CORBA.MARSHAL  minor code: 0x0  completed: No"
    I have researched into this and found forums such as:
    http://forums.sdn.sap.com/thread.jspa?threadID=2053481
    SAP KB 1560100 - BI4.0 Advanced Analysis Web problem: The MDAS Service encountered an error
    SAP KB 1661163 - An error is generated when selecting a query or cube in Analysis for OLAP: Error 15
    However, none of these have helped our situation too much.
    We have rebuilt the windows server 2008 R2 recently, hence the process we followed was a fresh install of BO 4.0 SP02 platform & tools, and then patch 11 on top of these.
    Crystal, WEBI's (using the same BICS connections as the AA's) and Dashboards are all working as per expected.
    The errors are for every AA including ones with only 2 variable selections (light queries) to ones with many more. Hence it is platform wide for Advanced Analysis.
    I have also tried creating new AA using existing BICS, new BICS existing AA, new BICS new AA all with no luck.
    We have also created new Adaptive Processing Servers with only the MDAS as a common service, turned on tracing etc but nothing springs to us as to what is going wrong.
    Any ideas would be greatly appreciated?
    Thanks all,

    Hi All,
    After conversing with SAP support technicians we have found what is causing this issue.
    On the windows servers we have the following installed locally:
    - BO platform 4.0 SP02
    - BO platform 4.0 SP02 patch 11
    - BO client tools 4.0 SP02
    - BO client tools 4.0 SP02 patch 11
    - Crystal reports 2011 SP02
    - Crystal reports 2011 SP02 patch 11
    - Crystal reports for Ent SP02
    - Crystal reports for Ent SP02 patch 11
    It seems that Crystal Reports 2011 or CR for Ent was causing an issue in the .WAR files that BOE uses to run Advanced Analysis for OLAP.
    After uninstalling the two Crystal products and removing any leftover CR files in Program Files on the server, AA for OLAP works successfully in our environment.
    The other point after this was that I stopped Tomcat and the SIA, renamed the BOE folder under <install dir>\SAP BO4.0\Tomcat6\webapps, and restarted Tomcat and then the SIA. In 4.0, when Tomcat is started again it will go and recreate the BOE folder from the BO directories, effectively recreating the apps' .WAR files under the webapps\BOE folder.
    SAP will hopefully document this issue for other clients.
    Cheers,

  • Need help please. Which plays nice with Macs? Palm Treo or T-Mobile MDA?

    Hi all, I post on here from time to time, but hardly anyone ever answers my questions. Here's my dilemma. I bought a T-Mobile MDA over the weekend that runs Microsoft Windows Mobile 5.0. And while playing with it I have noticed some things about it that I think aren't that good. For example, I like the fact that it's a Windows OS, but think that it's flawed. I have done quite a bit of research but don't think that its ActiveSync software is even compatible with Mac OS X, so I haven't even tried to mess with it. Now I'm still in the 14 day window and am thinking about returning it. But here's the thing....
    I know that T-Mobile has EDGE, and it's considerably slower than Verizon's or Sprint's EVDO. (Since I've researched it I know that EDGE is around the 70-170 Kbps range when EVDO has 300-700 Kbps.) And tonight I was messing with this T-Mobile MDA and finally got it to work to connect to the net using Bluetooth and its "modem" ability to connect it to the web. But it S U C K S! I went to and did a bandwidth test and I was only getting like 12.1-27.1 Kbps download (after running 2 tests). Dude, it feels slower than dialup!
    So with that bullet against it, comes the compatibility part. I can't sync this thing with my Mac for NOTHING! Do any of you out there have a Palm Treo? (either Verizon, Sprint, or AT&T.... carrier X?) How does it sync with your Mac? Is it hard? Any extra software I need to get/buy? Have any of you used it to connect to the net? And if so, how's the speed? And here's an even better question... How long did it take to configure it to work using the phone as a modem? Did you use Bluetooth? Or a serial link? Was it easy to configure? Where did you find the instructions?
    I know these are a lot of questions, but this is a large investment for me. I mean this thing ain't cheap and it doesn't really play nice. I don't mind paying a little extra for some peace of mind, and knowing that it won't crash often and will work with my Mac. Anyone out there got any other suggestions? I would really appreciate it. I would like your opinion on which one is the easiest to use that plays nice with a Mac, and has an interface that's almost as nice. Thank you so much for your time. I will be following this post closely and comment you all back for your replies.
    MacBook Pro 1.83 GHz, 512 RAM, Mac OS X (10.4.5)

    It really is a toss-up because I've owned two Treos and I've read extensive reviews on Windows Mobile devices, and it seems to me like they're pretty similar in the way of hardware and software (minus the fact of using different operating systems). So I think the determining factor really ought to be more focused on how much you're willing to pay, and the level of support you get for each device. I recently got rid of my Treo 650 due to an interesting touchscreen problem and got a Windows Mobile device (should come tomorrow).
    In the way of syncing with a Mac:
    The Treo is extremely simple to set up and use with a Mac (keep in mind I'm not talking about the 700w/wx) in every aspect. Palm provides OS X compatible software (though it's almost impossible to get rid of after installation). However, in my experience, Palm does not really do a good job in the customer service department. While they have a rather extensive support page for each device (some of the info is outdated), that's pretty much all you get unless you don't mind spending hours scouring various forums. Talking to customer service is a joke. Like I said, I had a problem with the touchscreen and the best the rep could give me was "try a hard reset" and "send it in for repair".
    I have yet to experience what Windows Mobile will be like. At the very least with syncing, there's syncing software made by people who had OS X in mind (i.e. Missing Sync or PocketMac) who will probably be able to help out a lot more in this area and possibly also be able to help out with the other issues you mentioned.
    A good place to check out would be howardforums.com; you'll probably get better answers there.

  • ISE 1.2 Guest Access for EAP(Dot1x) Authentication

    Hi.
    I want to use encryption for guest access.
    In order to use "RADIUS-NAC" in the WLC, you cannot use "Open + MAC", only "WPA + dot1x".
    (Specification of the WLC)
    With "Open + MAC", by returning the "Session-Timeout" attribute from the ISE at the time of "Web Authentication", I was able to forcibly disconnect the radio.
    (The attribute is the same value as the time the guest user can use (ISE TimeProfile).)
    If you connect the wireless terminal after the forced disconnect, the Web authentication screen is displayed, but you cannot log in.
    (Because the account has been revoked)
    I want to make this environment work even with dot1x.
    However, with dot1x it becomes the "re-authentication time", so as long as the terminal is connected to the radio, it is not cut.
    In addition, even with the setting "Attribute Termination-Action = Default", it does not return until the Web authentication.
    (Status of the WLC remains "Auth Yes")
    (Session of the ISE remains "Started")
    Using (EAP) dot1x, can I "forcibly disconnect" "to match the time of the TimeProfile" in the same way as with "Open + MAC"?
    Thank you.

    Note:
    Cisco ISE: Version 1.2.0.899-8
    Cisco WLC (5508): Version 7.6.120

  • Limit the number of session per user in the Wired dot1x environment with ISE 1.2

    Hello,
    I need to check if there is any configuration/workaround to limit the number of sessions/access per user in a wired dot1x configuration.
    I need to check if this feature is available or not to solve the following scenario:
    I have 2 SW ports configured to use dot1x authentication with ISE 1.2 server.
    If user A connects to the 1st port and is authenticated, then he will be placed on a VLAN based on the authorization profile.
    The case is that I need to deny the same user connecting on a different machine with the same credentials.
    The ISE itself does not have this feature currently; the only feature available is to limit the number of sessions for the guest user.
    Is there any workaround on the Cisco switches to solve this? Cisco WLC has this feature and for the VPN we can limit the number of sessions also from the ASA itself.
    Thanks.

    Limiting the number of sessions per user using wired dot1x is not available in 1.3.
