EA6400: Problems for wireless users

Similar Messages

• Problem authenticating Wireless users with peap

  Good afternoon,
  I am currently trying to authenticate wireless users using PEAP and an external RADIUS server. The problem is when I try to authenticate I get this error :
  AAA/AUTHEN/PPP : Pick method list 'Permanent Local'
  DOT11-7-AUTH_FAILED : Station ... Authentication failed
  It shouldn't use local authentication, but the aaa server I configured.
  I looked on the internet but didn't find a working solution.
  Does anyone know why it is not working ?
  Here is my running configuration :
  Current configuration : 4276 bytes
  ! Last configuration change at 00:45:40 UTC Mon Mar 1 1993
  ! NVRAM config last updated at 16:38:23 UTC Thu Jul 24 2014
  ! NVRAM config last updated at 16:38:23 UTC Thu Jul 24 2014
  version 15.2
  no service pad
  service timestamps debug datetime msec
  service timestamps log datetime msec
  service password-encryption
  hostname ap
  logging rate-limit console 9
  enable secret 5 $1$QVC3$dIVAarlXOo52rN3ceZm1k0
  aaa new-model
  aaa group server radius rad_eap
   server 192.168.2.2 auth-port 1812 acct-port 1813
  aaa group server radius rad_mac
  aaa group server radius rad_acct
  aaa group server radius rad_admin
  aaa group server tacacs+ tac_admin
  aaa group server radius rad_pmip
  aaa group server radius dummy
  aaa authentication login eap_methods group rad_eap
  aaa authentication login mac_methods local
  aaa authorization exec default local
  aaa accounting network acct_methods start-stop group rad_acct
  aaa session-id common
  no ip routing
  no ip cef
  dot11 syslog
  dot11 ssid test
     authentication open eap eap_list
     authentication key-management wpa version 2
     guest-mode
  eap profile peap
   method peap
  crypto pki token default removal timeout 0
  bridge irb
  interface Dot11Radio0
   no ip address
   no ip route-cache
   encryption mode ciphers aes-ccm
   ssid test
   antenna gain 0
   stbc
   beamform ofdm
   station-role root
   bridge-group 1
   bridge-group 1 subscriber-loop-control
   bridge-group 1 spanning-disabled
   bridge-group 1 block-unknown-source
   no bridge-group 1 source-learning
   no bridge-group 1 unicast-flooding
  interface Dot11Radio1
   no ip address
   no ip route-cache
   shutdown
   antenna gain 0
   no dfs band block
   channel dfs
   station-role root
   bridge-group 1
   bridge-group 1 subscriber-loop-control
   bridge-group 1 spanning-disabled
   bridge-group 1 block-unknown-source
   no bridge-group 1 source-learning
   no bridge-group 1 unicast-flooding
  interface GigabitEthernet0
   no ip address
   no ip route-cache
   duplex auto
   speed auto
   dot1x pae authenticator
   bridge-group 1
   bridge-group 1 spanning-disabled
   no bridge-group 1 source-learning
  interface BVI1
   ip address 192.168.3.10 255.255.255.0
   no ip route-cache
  ip default-gateway IP
  ip forward-protocol nd
  ip http server
  ip http secure-server
  ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
  ip radius source-interface BVI1
  radius-server attribute 32 include-in-access-req format %h
  radius-server host 192.168.2.2 auth-port 1812 acct-port 1813 key 7 140441081E501F0B7D
  radius-server vsa send accounting
  bridge 1 route ip
  line con 0
  line vty 0 4
   transport input all
  end
  Thank you

  I haven't setup autonomous APs before but I think I might see the problem. You are defining an authentication list called "eap_methods" but you never call for it in your SSID settings. Instead there you call a list named "eap_list" In addition, I think you might be missing one more command. So perhaps try this:
  dot11 ssid test
  authentication open eap eap_methods
  authentication network-eap eap_methods
  authentication key-management wpa version 2
  guest-mode
  Hope this helps!
  Thank you for rating helpful posts!

• EAP-TLS on ACS v4 for wireless users

  Hi,
  I?m trying to deploy EAP-TLS authentication method on ACS v4.0 for my local wireless users; really I stuck with the certificate issue and need your assistance to understand the required procedures to accomplish the task.
  As mentioned on the ACS configuration guide I have to have CA server to generate certificates for both ACS and wireless users, but I found an option on the ACS under System configuration tab then ACS Certificate Setup a Generate Self-Signed Certificate, I generated a certificate and uploaded a copy to my PC, installed and followed the recommended steps to configure the Microsoft XP client configuration but still I got the error ?Windows was unable to find a certificate to log you on to the network SSID? . Honestly I don?t know if this is possible but I gave it a try but failed.
  Kindly advice what is the appropriate and easiest way to accomplish the task, if you could provide me with helpful documents I?ll appreciate it.
  Regards,
  Belal

  I am currently using EAP-TLS authentication on my wireless users using ACS 3.2. I have had that problem before. This is what I did...
  Setup a Microsoft Certificate server as my
  CA. You can use same machine wih your ACS and CA.
  Then, generate certificate signing request from ACS then request a server certificate from CA then copy and install a certificate to ACS. On the ACS, go to global authentication setup check the EAP-TLS cetificate. If it failed to respond means that the server certificate is not properly setup.
  On the windows xp clients, connect your machine using wired LAN, then request a certificate from CA(the same CA that you have use to your ACS) using IE (ex. http://CAip/certsrv), but this time request a client certificate. The name you should put when requesting the cert must be you local windows user, use 1024, choose microsoft base cryptographic provider 1.0. then installl the certificate on the client. Verify you client certificate it i was installed properly.
  At that poit you should be able to connect you r wireless client using EAP-TLS.

• Language problem for one user

  Hi experts,
  In KM we created a folder for BW report links. The user start the report and the BW report is shown in the language selected in the IE settings (SAP user language is empty). This works fine, but for one user the BW reports always displayed in French. I set the SAP user language to English (the welcome text is English, portal menu is English etc), but the reports are still displayed in French. Cache are emptied, tried another pc, change IE langaue to English, but still the same problem.
  When I check the source, the next 2 lines are always ending with xx_fr.js instead of xx_en.js or another selected langauge
  javascript "/irj/portalapps/com.sap.ip.bi.web.portal.mimes/unifiedrendering/resources/js/languages/urMessageBundle_fr.js
  sapbi_page.registerInclude "/irj/portalapps/com.sap.ip.bi.web.portal.mimes/unifiedrendering/resources/js/languages/urMessageBundle_fr.js
  How to solve this?
  thanks in advance.
  Vo.

  Pproblem is solved, user had set the personal property language to French.

• ALV grid Refresh problem  for one user

  Have an ALV with editable columns. Validation and save works for all columns for one user but not for the other. The user with the issue is able to modify the values and save to the database fine.The problem is it doesn't display in the ALV once refreshed. Please suggest any ideas of how to look into this issue as it works for one and not other user.

  Strange work for one user not for other.
  Once you save the data, rebind the data to table. so that new data will display. ( that use set_initial_elements as true, so that old values not display ).
  Regards
  Srinivas

• Authorization-problem for standard users when running WDR_TEST_ZCI

  hi
  we've developed a WDA application incorporating several interactive forms. it all runs fine in QA--environment when a user with developer-role are running the application, but when standard users are running it, it fails.
  the same happens with the demo-app WDR_TEST_ZCI.
  i so belive this to be caused by missing authorizations for the users. can anyone shed any light on which these might be?
  the error as reported in the browser:
  The following error text was processed in the system Q97 : Access via 'NULL' object reference not possible.
  The error occurred on the application server xx-x168_Q97_05 and in the work process 0 .
  The termination type was: RABAX_STATE
  The ABAP call stack was:
  Method: PARSE_XML_SCHEMA of program CL_WD_ADOBE_SERVICES==========CP
  Method: GET_SCHEMA_VERSION of program CL_WD_ADOBE_SERVICES==========CP
  Method: CONSTRUCTOR of program CL_WD_ADOBE_SERVICES==========CP
  Method: IF_WDR_VIEW_ELEMENT_ADAPTER~SET_CONTENT of program /1WDA/LADOBE==================CP
  Method: IF_WDR_VIEW_ELEMENT_ADAPTER~SET_CONTENT of program /1WDA/LADOBE==================CP
  Method: IF_WDR_VIEW_ELEMENT_ADAPTER~SET_CONTENT of program /1WDA/L8STANDARD==============CP
  Method: IF_WDR_VIEW_ELEMENT_ADAPTER~SET_CONTENT of program /1WDA/L8STANDARD==============CP
  Method: IF_WDR_VIEW_ELEMENT_ADAPTER~SET_CONTENT of program /1WDA/L8STANDARD==============CP
  Method: IF_WDR_VIEW_ELEMENT_ADAPTER~SET_CONTENT of program /1WDA/L7STANDARD==============CP
  Method: IF_WDR_VIEW_ELEMENT_ADAPTER~SET_CONTENT of program /1WDA/L8STANDARD==============CP
  any input appreciated.
  cheers
  tom

  Hi Tom,
  When you are familiar with authorizations in PFCG trabsaction you are finaliar with S_DEVELOP if not ask the authorization team on your project.
  Basically this authorization object handles the read/write etc authorization related to devlopment objects. If you implement Adobe forms you will probably develop your own forms or at least copy the SAP forms to customer namespace.
  For Adobe you will therefore have 2 custom development objects (1 for the form and 1 for the interface that is automatically generated). The end-user shoulf have at least READ access to these objects. If not the portal will trow an error on this.
  To determine the tech names of the objects find the form and related interface in transaction SFP. These should be inserted in the object S_DEVELOP in the role for the end users.
  You may want to consider to put the value Z* in the object which will give authorization for all the custom developed objects.
  If you can't find the object reply again and i will send a screenshot.
  Finally, make use of the splended transaction ST01!! It will make your life a lot more easy in portal! It traces all the authorizations needed and missing for any user you specify. After activating the trace and running a portal scenario the log will tell you want went OK and what not on an authorization object level.
  Good luck,
  Thomas
  ps. Thanks for the appreciation you gave in my other thread. Now we have the answers in both threads as well. Take Care.

• PEAP authentication failed for wireless users

  Dears
  Hello
  i'm receiving this error when i'm trying to authenticate wireless users using PEAP MSCHAPv2. can anyone please support me.
  thanks 

  Dear Neno
  the customer has sent me this in aruba
  aaa authentication dot1x "dot1xProfile"     
     termination eap-type eap-peap                                                                                                                                                                                                                                             
     termination inner-eap-type eap-mschapv2       
  aaa authentication-server radius "SERVER"
     host x.x.x.x
     key xxxx
     nas-ip x.x.x.x
  aaa server-group "RADIUS-GROUP"
    auth-server “SERVER”
  aaa profile "KSAU-JED-AAA-Profile"
     authentication-dot1x "dot1xProfile"
     dot1x-server-group "RADIUS-GROUP"
  wlan virtual-ap "SSID-NAME"
     aaa-profile "KSAU-JED-AAA-Profile"
     ssid-profile "SSID-NAME"
     vlan <VLAN ID>

• Flash install problem for multiple users

  Working on an home PC trying to set up Flash. Go through
  install logged in as myself (systemadmin access) and install goes
  fine. Flash pages load on IE Other users on system, also Admin
  access, can not get same Flash pages to load. Running WinXp. Have
  tried both IE 6 and 7. Firefox is running fine for all users
  Thanks for any help you can provide

  During install, you should be prompted whether you want to install the loops for the current user only or for every user. In the latter case, the loops should end up in HD/Library/Audio/Apple Loops

• POP3 and IMAP problem for one user

  Hi All,
  One of my users has recently connected her iPhone4 to our GW7. We set her up just like numerous other of our users, and she is having some issues. When set up as IMAP using the default application on her iPhone, she can see all her folders and all her mail up to December 21, 2011, but nothing after that. If she asks to download more messages, it successfully shows earlier messages, but still nothing more recent than December. When set up as POP, she is able to download recent messages, but there are wide gaps in what she can see. Whole days are missing. I can send her a new message, and she can POP it right away, but messages that came in just hours before will not come over. None of our other users have any such issues--including at least one with the same iPhone.
  The user swears that she has no other e-mail program POPing mail--and even if she did, I don't think it would explain the IMAP issue--but I may be wrong about that. This user does have an incredibly large online mail account--over 20,000 messages in her Mailbox folder alone. I have examined her POA indexes, and they show nothing un-indexed.
  I have used my own phone (Droid Bionic) to connect to her GWise account and I see the same behavior from her account.
  We are using GWIA 7.0.2, and I can see her phone making connections successfully. I see no errors, but I have not yet studied a Verbose display when she connects.
  Any suggestions about how to proceed to troubleshoot this?
  What could I do if I wanted to reset whatever information her account stores as to what messages have been POP'ed off or to reset whatever info about IMAP is maintained?
  Thanks in advance,
  Peter.

  On 1/12/2012 3:16 PM, pgsmick wrote:
  >
  > Many, or shall I say /imapreadlimit -10, thanks to you Michael.
  > Preumably there is a reason for this limit, and I don't feel like caving
  > in to pressure from users who refuse to clean out their mailboxes, but
  > what are the specific downsides to raising the limit? And does this
  > shed any light on the other issue with using the POP3 method?
  >
  > Again, you're a gem.
  >
  > Peter.
  >
  >
  My understanding is as you raise it, the memory usage of the POA and the
  CPU hit on the POA will increase. It's been explained to me that the
  IMAP standard requires certain correlations and bufferings to made
  between the different items, so the memory usage increases. (IMAP is
  fairly complex, so I doubt I can explain it all since I doubt I
  understand it all). For example IMAP requires synthetic UIDS to be
  correct for all the items in the mailbox during the session. There is
  room for improvement here, but it hasn't been a super-high priority is
  what I was told just this past BrainShare. It will never be a completely
  low memory "streaming" kind of solution though - a lot of state has to
  be built and maintained during the IMAP session.
  POP, I'm not sure about. I do know GW can get confused. Have her specify
  her pop UserID differently. For example if her normal gwmailbox is
  jsmith, have her try jsmith:v=2 .
  Also see other whacky POP switches
  you can set affect the date range, and #. The "v","l",and "t" are the
  most important.
  User ID Login Options
  With POP3 clients, users can add the options listed in the table below
  to the login name (GroupWise user ID) to control management of their
  mailbox messages. If used, these options override the POP3 settings
  assigned through the user’s class of service (see Section 47.1.2,
  Creating a Class of Service).
  Login options are appended to the user ID name with a colon character
  (:) between the user ID name and the switches:
  Syntax: user_ID:switch
  Example: User1:v=1
  You can combine options by stringing them together after the user ID and
  the colon without any spaces between the options:
  Syntax: user_ID:switch1switch2
  Example: User1:v=1sdl=10
  The syntax for the user ID options is not case sensitive. Login options
  are not required. If you do not want to include any login options, just
  enter the user ID name in the text box, or following the USER command if
  you are using a Telnet application as your POP3 client.
  Table 46-1 User ID Login Options
  Option
  Explanation
  Example
  v=number between 1-31
  The v option defines the POP3 client’s view number. If multiple POP3
  clients access the same GroupWise mailbox, each client must use a
  different view number in order to see a fresh mailbox.
  For example, if two POP3 clients access a mailbox and the first client
  downloads the unread messages, the second client cannot download the
  messages unless it is using a different view number than the first client.
  If this option is not used, the default value is 1.
  User_ID:v=1
  d
  The d option deletes the messages from the GroupWise mailbox after they
  have been downloaded to the POP3 client.
  User_ID:d
  p
  The p option purges the messages from the GroupWise mailbox after they
  have been downloaded to the POP3 client.
  User_ID:p
  t=1-1000
  The t option defines the download period, starting with the current day.
  For example, if you specify 14, then only messages that are 14 days old
  or newer are downloaded. If this option is not used, the default value
  is 30 days.
  User_ID:t=14
  n
  The n option downloads messages in RFC-822 format rather than the
  default MIME format.
  User_ID:N
  m
  The m option downloads messages in MIME format. This is the default.
  User_ID:M
  s
  The s option presets the file size when the STAT command is executed. If
  the user mailbox contains a lot of messages or large messages, it can
  take a long time to calculate the file size. With this option, the STAT
  command always reports an artificial file size of 1, which can save time.
  User_ID:S
  l=1-1000
  The l option limits the number of messages to download for each POP3
  session. For example, if you want to limit the number of messages to 10,
  you enter l=10. If this option is not used, the default value is 100
  messages.

• Report exection problem for one user - not able to see the data.

  Hello Friends ,
  Need some help . I have got the one ticket from bussniess side about the report execution .
  Unfortunately , I am also not having authorisation of that report due to sensible data.
  Problem - User is executing the report but some how he is not ABLE TO see the data for one company code Hierachy .
  I executed the same report through RSSMQ via his user id , and I got the  below message.
  All value were selected . Hierachy Authorisation cannot be used.
  A displayed hierachy requier a hierachy authorisation .
  But when i checked his authorisation , I am able to see that he should have authorisation to all the hireachy .
  could you please let me know , how can I check more ?
  Regards,

  after accessing the report , u go to su53 tcode and check the authorization and u can see what is problem in authorization for the that user and u can send the details to secuity team to rectify the issue ,

• 10.5.5 Active directory problem for mobile users

  I an running 10.5.5 on a MBP 2.4. The computer is attached to Active Directory for authentication. The accounted is setup as a mobile user with automatic home sync. Below is the problem I'm experiencing after 10.5.5.
  Upgrade worked fine, everything went through as expected. When I got home with computer, couldn't login. I did eventually get logged in, computer became extremely unresponsive at intermittent times.
  At work next day, everything worked fine.
  I believe this is a problem with 10.5.5 computers that are bound to AD, when AD is not available (but internet is.) Some type of weird priority locking or timeout setting? It seems to fail immediately if no network is available, but if the internet is available it is like it gets "hung" waiting for a response.
  Anybody else having similar problems?
  Below are the details on the specific tests that brought me to this conclusion.
  1) Boot with work network cable connected - Works fine
  2) Boot with work wifi network enabled - works fine
  3) Boot with public wifi network enabled and work cable - works fine.
  4) Boot with only public wifi - appears "frozen" (turned off after 5 minutes of trying to login)
  5) Boot without network or wifi - works fine using cached mobile account info
  6) Boot with network cable and public wifi, remove network cable after login- works fine for a period becomes periodically frozen. attempts to do anything become queued, when computer starts responding queue emptys out (can see menus / applications switch around to correspond with clicks.)
  7) Change account to Manual sync of mobile account, again boot with network cable and public wifi, remove network cable- no freezing responds normaly.
  All steps repeated after rebinding computer to AD - same results.

  First rule of installing an upgrade, run permissions repair both before & after. Did you do that?
  I'm using a Mac dual bound to AD & OD, works perfectly. I can't speak for the exact setup of your network but I personally would be suspicious of AD. I had a similar issue some time back where my processor would go crazy with the net directory authentication running like crazy. Turned out AD had somehow forgotten my computer. It only happened away from work where my Mac couldn't contact the AD server (not exactly sure why). I'd try the following.
  1. While at work create a local administrative account on your Mac (you should always have a backup account anyway).
  2. Login as local admin account.
  3. open Directory Utility from the Applications/Utilities folder & remove the AD server (you'll need an account that can bind machines to AD).
  4. re-add your Mac to AD.
  This may resolve your issue & shouldn't hurt anything in the least.

• LDAP access levels for wireless users

  How is it possible if I want my Directory Server 5.2 to authenticate only few number of users to have wireless and dial-up access. LDAP should not permit the other users when they try to login by wireless or dial-up. But everyone should be authenticated when they try to login through a direct ethernet connection. Currently all my users are under ou=people.
  Joshua

  Hi,
  Directly-connected APs are supported in 7.4 code, if you are not on that code then
  The PoE Ports are not for the APs
  Ports 3 and 4 are PoE only ports; do not connect access point devices to these ports. The ports can be used for infra-switch connection using multiple an AP-Manager or data interface
  Connect port 1 to a trunk port on the switch.
  configure the native vlan ON THE TRUNKPORT only eg vlan 10
  Let's assume your wireless is on vlan 10 and your WLC2504 is 10.10.10.20 /24 gateway 10.10.10.1
  Enable and Configure DHCP scope for vlan 10
  The APs are then connected to a vlan 10 access port on the switch
  Configure the SSID
  DHCP server tips
  - enable bridging mode if using the controller as the DHCP server, otherwise disable it. 
  - if using other DHCP server and the DHCP server is in the same vlan as the controller, nothing further is needed.
  - if DHCP server is on another vlan, you will need to configure option 43 (vendor specific into)
  Check with these configuration it will hopefully fix your issue.

• Criticial VLAN for Wireless Users

  Hi
  I have a setup were all users (LAN & WIRELESS) Are being authenticated using Dot1x with ACS
  In case of ACS failure (without a secondary one), I know i can configure the switch port on the LAN to have a critical VLAN, so in case ACS was detected as Dead, a new user being authenticated is assigned to the Critical VLAN,
  Is there any Similar solutions for users connecting through the wireless connection? Can we do a critical VLAN in case of ACS Failure, or anything similar to it? knowing that there is a WLC in the setup with Light weight access points.
  Thanks
  Best regards,

  Hello,
  Since in wireless network, the Radius server has an active part in the encryption key derivation, the WLC can't just grant network access to the end client when the radius server is down, as the client wouldn't have the necessary keying material (nor the WLC as well).
  The best option would be to either have multiple radius servers, or to make the WLC act as a radius server and use it as a backup method, so that if your radius server is down, your WLC will handle the radius request and generate the keying material. The issue is that you will need to have a consistent user database on the WLC.
  The easiest way would be to have a separate SSID with legacy WPA/WPA2 that are pre configured on clients computer, and allow network access to this SSID only when the primary SSID with Dot1x is down. This can be done manually, or on the layer 3 gateway using PBR/EEM...
  For example with PBR, you can set output interface to null0 from traffic originating from the WPA SSID, only of Radius server is reachable, otherwise let the traffic flow.

• Reg: WorkItem &  Mail Inbox Problem for Multiple users In workflow

  Hi,
  I have developed a wofkflow application to sent SAP mails and Workitems to multiple users. I Have a Container which has the property as multi line. and i mapped this container variable with expression of my mail step. This means i can send multiple mails at the sae time....Its working Fine. But the problem is,
  Suppose I am sending mails to User1 & User2. Both are receiving the mail, But if user1 read the mail user2 mail is set as read document instead of unread doucument.....
  How to Solve this? any solution ?

  Hi
  See if this document is of any help to you.
  <a href="https://www.sdn.sap.comhttp://www.sdn.sap.comhttp://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/c6456e89-0a01-0010-0189-a7961fe42034">An expert guide to new SAP workflow capabilities</a>
  Regards,
  Raj

• Added a BASE Station now Drop box's don't work for wireless users

  We have a small business run out of a large home. Since Tiger came out we were using the drop box networking technology flawlessly. But recently we installed an Airport Base station replacing our Linksys router and now all the laptop users who connect wirelessly cannot be accessed remotely, we can use the drop box only with the people hardwired. Does anyone have any suggestions.

  You might try making a Recovery set with the software included on your machine-though it may not work now either. Creating Recovery Media >> Windows 8
  ******Clicking the Thumbs-Up button is a way to say -Thanks!.******
  **Click Accept as Solution on a Reply that solves your issue to help others**