Enable mode authorization failed.

Similar Messages

• Aaa authorization (device doesn't always go into enable mode)

  When I log into the 4500 switch with my domain account, I get priv 1 only and have to “enable” with the local enable password to get to priv 15.  How do I set this up to get directly to enable? The ACS 5.1 is setup with a authorization/shell profile for Priv 15, no problems there.
  2821-RTR2#show run | incl aaa
  aaa new-model
  aaa authentication login default group tacacs+ local enable
  aaa authentication login CONSOLE local-case line
  aaa authorization exec default group tacacs+ none
  aaa accounting exec default start-stop group tacacs+
  aaa accounting commands 15 default start-stop group tacacs+
  aaa session-id common
  4500 that drops into enable mode
  4500-SW1#show run | incl aaa
  aaa new-model
  aaa authentication login default group tacacs+ local enable
  aaa authentication login CONSOLE local-case line
  aaa authorization exec default group tacacs+ none
  aaa accounting exec default start-stop group tacacs+
  aaa accounting commands 15 default start-stop group tacacs+
  aaa session-id common

  On the non-working device enable:
  debug aaa authen
  debug aaa author
  debug tacacs
  and post the results.
  Also, on ACS 5.1 review the details for the authen/author on both the working and non-working devices and see if the desired shell profile is picked for the non-working device.

• Enabling aaa authorization on pix/asa

  I managed to get authentication on easy enough but now am having difficulty getting authorization to work properly. I have auth/author turned on for my IOS stuff so any techs logged in will have rights based on what I give them on secure ACS. However I can't get the same to work on PIX code. I can log in fine with aa authentication but it still prompts me for the enable password. End result is I want to be able to login just once (and enabled). Any white papers that can point me the right way?

  Thank you, Prem. here is my concern. When I enable AAA access on the firewalls, from what you said there is no way for me to govern what rights a tech has when accessing the device? I want to establish the same restrictions as the IOS gear I have where normal techs will only have certain commands and others have full command. The way it is now, anyone with an account on Secure ACS can access it via ASDM.
  EDIT:
  Also I'm a little confused about the various fields on the AAA Access (from Device Access) tab. In Authentication, there is an option to toggle to require auth to be able to use enable mode. I am not sure how this auth against our ACS server (i checked the various settings in ACS and enabled what I think are all PIX commands to permit enable) and it doesn't work. I entere the enable password when I telnet in and I get auth failed when running any commands.
  Also there is an Authorization tab which I am assuming allows to you to push down rights from an aaa server? Where on the ACS can I configure that?

• AAA -- Int range configuration gives "Command authorization failed" msg.

  Versions involved:
  AAA
  ACS 4.1.4.13.12
  Devices:
  C2960-LANBASE-M, Version 12.2(25)SEE3, RELEASE SOFTWARE (fc2)
  C3550-I9Q3L2-M, Version 12.1(14)EA1a, RELEASE SOFTWARE (fc1)
  If we try to configure a single interface or just a very small range, it works fine, but if we try to configure a larger range of interfaces, we get a Command authorization failed message, as can be seen below:
  HOST1184(config)#int range fastEthernet 0/1 - 3
  HOST1184(config-if-range)# switchport access vlan 24
  HOST1184(config-if-range)# switchport mode access
  HOST1184(config-if-range)# switchport voice vlan 301
  HOST1184(config-if-range)# dot1x pae authenticator
  HOST1184(config-if-range)# dot1x port-control auto
  HOST1184(config-if-range)# dot1x timeout reauth-period 7200
  HOST1184(config-if-range)# dot1x timeout supp-timeout 120
  HOST1184(config-if-range)# dot1x max-req 1
  HOST1184(config-if-range)# dot1x max-reauth-req 1
  HOST1184(config-if-range)# dot1x reauthentication
  HOST1184(config-if-range)# dot1x guest-vlan 280
  HOST1184(config-if-range)# spanning-tree portfast
  HOST1184(config-if-range)#!
  OST1184(config-if-range)#end
  HOST1184#conf t
  Enter configuration commands, one per line. End with CNTL/Z.
  HOST1184(config)#int range fastEthernet 0/4 - 14
  HOST1184(config-if-range)# switchport access vlan 24
  Command authorization failed.
  Command authorization failed.
  Command authorization failed.
  HOST1184(config-if-range)# switchport mode access
  HOST1184(config-if-range)# switchport voice vlan 301
  HOST1184(config-if-range)# dot1x pae authenticator
  HOST1184(config-if-range)# dot1x port-control auto
  Command authorization failed.
  HOST1184(config-if-range)# dot1x timeout reauth-period 7200
  Command authorization failed.
  HOST1184(config-if-range)# dot1x timeout supp-timeout 120
  Command authorization failed.
  HOST1184(config-if-range)# dot1x max-req 1
  Command authorization failed.
  HOST1184(config-if-range)# dot1x max-reauth-req 1
  Command authorization failed.
  HOST1184(config-if-range)# dot1x reauthentication
  Command authorization failed.
  HOST1184(config-if-range)# dot1x guest-vlan 280
  Command authorization failed.
  HOST1184(config-if-range)# spanning-tree portfast
  Command authorization failed.
  HOST1184(config-if-range)#!
  The pieces of config are as follows:
  aaa new-model
  aaa group server radius dot1x
  server 10.61.156.136 auth-port 1812 acct-port 1813
  aaa authentication login default group tacacs+ enable
  aaa authentication enable default group tacacs+ enable
  aaa authentication dot1x default group dot1x
  aaa authorization config-commands
  aaa authorization exec default group tacacs+ if-authenticated none
  aaa authorization commands 0 default group tacacs+ if-authenticated
  aaa authorization commands 1 default group tacacs+ if-authenticated
  aaa authorization commands 15 default group tacacs+ if-authenticated
  aaa accounting exec default start-stop group tacacs+
  aaa accounting commands 0 default start-stop group tacacs+
  aaa accounting commands 1 default start-stop group tacacs+
  aaa accounting commands 15 default start-stop group tacacs+
  aaa accounting system default start-stop group tacacs+
  enable secret 5 <removed>
  logging 10.142.4.45
  snmp-server community <removed> RO
  snmp-server community <removed> RW
  snmp-server location "SD"
  snmp-server contact contact - [email protected]
  tacacs-server host A.B.C.D timeout 5 key <removed>
  tacacs-server host A.B.C.D timeout 5 key <removed>
  tacacs-server host A.B.C.D timeout 5 key <removed>
  no tacacs-server directed-request
  radius-server host 10.61.156.136 auth-port 1812 acct-port 1813 key 7 096E5C3D4851
  radius-server retransmit 3
  Anyone out there has a solution for such a problem?
  Regards,
  AL

  Hi JG, thanks for your response.
  I don't have the appliance close to me, so I cannot check on this setting.
  As soon as I have a chance, I will return with this info.
  Anyway, why does it work for other devices and also, why we don't have any problem when configuring a small range of interfaces?
  Once again, thanks for your reply.
  Regards,
  AL

• AAA issue ( command authorization failed)

  I am getting the issue, and following is the script , cannot find  and locate the cause of error !
  version 12.2
  no service pad
  service timestamps debug datetime msec
  service timestamps log datetime msec
  service password-encryption
  hostname hexxor
  boot-start-marker
  boot-end-marker
  enable secret 5 $1$Y.Nt$aZ9/2rl2DMbEnSGJVqmln1
  enable password 7 0525112F05411F075231123E
  username hexxor password 7 024D2A103F26243363593D1C2B5C
  aaa new-model
  aaa authentication login T-AUTH group tacacs+ local
  aaa authorization console
  aaa authorization config-commands
  aaa authorization exec T-AUTHOR group tacacs+ if-authenticated
  aaa authorization commands 15 T-AUTHOR group tacacs+ if-authenticated
  aaa accounting exec T-ACC start-stop group tacacs+
  aaa accounting commands 15 T-ACC start-stop group tacacs+
  interface Vlan1
  no ip address
  interface Vlan50
  ip address 128.1.50.54 255.255.255.0
  no ip route-cache
  ip default-gateway 128.1.50.254
  no ip http server
  ip http secure-server
  ip sla enable reaction-alerts
  logging trap debugging
  logging 10.241.40.20
  logging 128.1.50.245
  access-list 1 permit 128.1.50.245
  snmp-server host 10.241.40.27 Armageddon
  snmp-server host 128.1.50.245 Armageddon
  tacacs-server host 10.241.40.22
  tacacs-server host 10.241.40.23
  tacacs-server directed-request
  tacacs-server key 7 020813480E052F2E4D
  line con 0
  exec-timeout 5 0
  password 7 1142374E2332201E2B3D1F210678
  authorization commands 15 T-AUTHOR
  authorization exec T-AUTHOR
  accounting commands 15 T-ACC
  accounting exec T-ACC
  login authentication T-AUTH
  transport preferred none
  line vty 0 4
  exec-timeout 5 0
  password 7 06281801684358174E231727
  authorization commands 15 T-AUTHOR
  authorization exec T-AUTHOR
  accounting commands 15 T-ACC
  accounting exec T-ACC
  login authentication T-AUTH
  transport input telnet
  transport output telnet
  line vty 5 15
  password 7 0228137B2F0B5E2F077A0C35
  end

  Based on what I think I understand in this reply it appears that the problem is caused in the named authorization method of T-AUTHOR. This named method sends an authorization request to the TACACS server. So it appears that the TACACS server is not authorizing the commands that you enter.
  I would suggest this as a first test:
  - login to the device.
  - go into enabl mode.
  - attempt the show run command. (I assume that it will fail)
  - check on the TACACS server. look in the logs for indications of how it processed the request and why it did not authorize it.
  If you want to do a second test to verify the cause of the problem then I would suggest this:
  - remove from the config these lines
  aaa authorization exec T-AUTHOR group tacacs+ if-authenticated
  aaa authorization commands 15 T-AUTHOR group tacacs+ if-authenticated
  then login to the device, go into enable mode, attempt the show run command
  Try one or both of these tests and post back to tell us of the results.
  HTH
  Rick

• ISE Alarm (WARNING): Dynamic Authorization Failed for Device

  Hi all,
  I am posting this discussion as previous posts that I have found in this forum have never been resolved or the resolution is not applicable to me.
  I am using ISE 1.1.1.268 and WLC 7.2.111.3 and NAC agent version 4.9.1.6 on Windows 7 Client machines.
  About once a day i get the error "ISE Alarm (WARNING): Dynamic Authorization Failed for Device".
  The device it is reffering to is my NAD, a WLC 5508 running 7.2.111.3
  I have looked at the logs and I cannot see anything in the logs which correcponds to this message so that I can troubleshoot further. Maybe I can if I am enabling the correct logging level on the correct ISE component.
  Can someone suggest the components and the logging level that I should set to get some more detail about this error?
  At the moment, I have only set debug logging on Active Directory. I have TRACE logging set on Posture, Runtime AAA & prrt-JNI.
  I do not want to enable too much debug logs, so I was wondering whether anyone can help with a specific element that I should be debugging.
  I thought debugging the posture element would be enough but when I look at the logs there is nothing there that relates to this message.
  Can anyone help?
  thanks
  Mario

  Firstly, I wouldn't run a production deployment of ISE on 1.1.1.... 1.1.3 Patch 1 or 1.1.4 is the way to go.
  Secondly, this error happen a lot, especially with Wireless, and it's not worth worrying about.  I've had a couple of TAC cases opened for this and some similar errors, generally they're caused by a Client going to sleep, leaving the coverage area or otherwise leaving the WLC while ISE is trying to do something with it.
  Only worry if you actually have a Client-impacting problem, which by the sounds of it, you don't.

• Dynamic Authorization Failed

  hi
  I keep getting error meesages on the ISE in regards to RADIUS
  the error is
  Dynamic Authorization failed : 1213 No response received from Network Access Device
  i am using ISE version 1.1.1 and the NAD is a WLC running version 7.0.98.0
  i use ISE to authenticate users via PEAP. I deleted the NAD and re-added it twice but i still keep getting this issue. this set up was working fine for the last few weeks.
  i dont think location and device type would cause an issue to authentication under the NAD list
  anyone have any ideas?

  the option i.e drop down box wasnt there. lookin at the compatibility chart of ISE 1.1.1 and WLC, minimum version for WLC is 7.2.103.0
  Do you need to have RADIUS NAC enabled if the ISE is only used to authenticate corporate wireless users against AD. there is no CoA,
  the other function is to use RADIUS as network management logon. to WLC using the AD. depending on the AD group , one could get priv 15 or priv 5 access. i am also using device attribute by location so that remote offices network enigineer cannot log onto the WLC. i.e i created a NAD , put it in a location and use that location AND the AD group to qualify for priv 15 access.
  Coudl this policy interrupt the wireless RADIUS policy? Wireless policy is at the top of the list under authorization tab.

• ASA enable mode with ACS

  Hi
  When I SSH to my ASA is there anyway to go straight to enable mode? We use RSA SecurID which means I have to wait for the token to change before I go into enable mode at the moment.
  ASA config:
  aaa authentication ssh console CISCO-ACS LOCAL
  aaa authentication serial console CISCO-ACS LOCAL
  aaa authentication http console CISCO-ACS LOCAL
  aaa authorization command CISCO-ACS LOCAL
  aaa accounting enable console CISCO-ACS
  aaa accounting serial console CISCO-ACS
  aaa accounting ssh console CISCO-ACS
  aaa accounting command CISCO-ACS
  ACS config (Group Level)
  Privilege level 15
  Read/write command authorisation set
  Thanks

  Unfortunately that is not possible as ASA does not support Exec Authorization.
  Regards,
  ~JG
  Do rate helpful posts

• Log into Device with AAA, how do I get right into enable mode?

  I am using a Cisco ACS server with an RSA server behind it. When the user is authenticated from the ACS server, I want them to go straight into enable mode, not have to type the enable mode password. What line am I missing?
  aaa authentication login ACS group ACS_servers local enable
  aaa authorization exec ACS group ACS_servers local
  aaa authorization commands 15 ACS group ACS_servers local
  aaa accounting commands 1 default start-stop group ACS_servers
  aaa accounting commands 15 default start-stop group ACS_servers
  line vty 0 5
  login authentication ACS
  authorization commmands 15 ACS

  The configuration in question is for telnet, but I do need to design my new console access connection. Console access would be either remotely or on-site, but I don't feel comfortable giving priv 15 right into it. I plan to use the same authentication method on the console (ACS group 1st, local database 2nd) and will just have to enter the enable password through the console.
  One more question on the aaa config, I kept getting this error in the log:
  AAA/AUTHOR: config command authorization not enabled
  So I added:
  aaa authorization config-commands
  I don't know if it was needed because I could still execute config-commands, but it kept giving me that warning if I didn't have that line.
  Also, do I really need this line if the ACS server is taking care of priv 15 authorization:
  aaa authorization commands 15 ACS if-authenticated

• 3850 Stack - "Authorization Failed" from Console

  Hello,
  I have a stack of 3 x 3850s. All connected up via the stack cables. I have the Primary Active Switch, The Standby and Member.
  When I connect a console cable into the Primary Active I get access to the stack. If I connect to any of the other 2 switches in the stack via console I just keep seeing authorization failed.
  I disconnected all the switches from the stack (it's a lab environment) and was then able to access each switch via console. The issue with Authorization Failed only seems to be apparent when they are stacked. I have another stack of 3850s which allows me access to the CLI from any of the stack members.
  Anyone came across this slight issue?

  Hi,
  Try these commands:
  Switch(config)# redundancy
  Switch(config-red)# main-cpu
  Switch(config-r-mc)# standby console enable
  Switch(config-r-mc)#
  You need Cisco IOS XE 3.2SE or later.
  Link:
  http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3850/software/release/3se/ha_stack_manager/command_reference/b_hastck_3se_3850_cr/b_hastck_3se_3850_cr_chapter_010.html#wp2758849103
  HTH

• Logging directly into enable mode on a PIX using TACACS

  I have setup TACACS authentication on a PIX running 6.3(3). I can authenticate using TACACS just fine, but do not get put directly into enable mode. The ACS server is setup to do so, it works for routers and switches, but not the PIX box. If I put the "aaa authentication enable console TACACS" in the config I must enter the enable command and use the same password I logged in with to get into enable mode. Without the command, I have to use the configured enable secret password to get into the enable mode.
  Does anyone know it there is a way to configure the PIX to log someone directly into enable mode via TACACS?
  Thanks in advance

  Hi,
  PIX does not support exec authorization. Hence user cannot login to level 15 directly.
  Regards,
  Vivek

• Enable mode using privilege levels

  Hi All,
  We use TACACS+ for telnet access and enable secret password for privileged access. An user would like to enter the enable mode without entering the enable secret password. Is it possible to do this using privilege levels and shell exec on the AAA server?

  I have configured a user on AAA server and under the enable options, I have selected level 15 and under shell exec, I have selected privilege level 15.
  The router has following config
  aaa authorization exec default tacacs+ if-authenticated
  aaa authorization commands 1 default tacacs+ if-authenticated
  aaa authorization commands 15 default tacacs+ if-authenticated
  Am I missing any other commands?

• How to skip enable mode password prompt.

  Hi,
  I just installed ACS 4.1 (first time working with ACS). Everything is working great and I'm using the ACS internal database for user authentication.
  The question I have is this. When logging into a router, which is authenticating against the ACS server, is there a way to bypass having to enter my password a second time to get to enable mode??
  Currently, I have to enter my username and password to login to the router and when I go to enable mode, I have to re-enter my password again.
  Any help is greatly appreciated.
  Thanks,
  Tony

  Hi,
  Here's my two penny's worth;
  I would take off the "authorization" lines as these are only needed to authorize exec and commands:
  no aaa authorization exec default group tacacs+ if-authenticated
  no aaa authorization commands 15 default group tacacs+ if-authenticated
  I would also remove the authentication enable line as this tells the device to authenticate enable mode access
  no aaa authentication enable default group tacacs+ enable
  And just test with the authentication login line, leave the accounting lines for now
  I would double check the following in ACS:
  Is the device in the right NDG?
  Do you have Per Group Defined Network Access Restrictions defined for this device?
  Is the user in the right group?
  In the group settings, Check you have Shell(exec) enabled, Privilege level set to 15, and under Enable Options ensure you have the right Priv level defined, per device, per group etc.
  Do you have either Shell Command Authorization Set or Per Group Command Authorization radio button selected?
  If you have Shell Command Authorization Set for the group ensure you have Unmatched Commands Permit selected.
  And authentication should be ok, then you can troubleshoot the authorization part...
  Is this on an appliance or other operating system? My experience of the appliances are that they're pretty c**p, too many bugs and little things that don't work...
  Just for info, you should have a last resort local username configured if ACS is down:
  username priv 15 password
  This will give you local access, and, if you find you have access issues as you have, you can remove the device from ACS, so it doesn't know about it, the device will try ACS not a get a response after the timeout period and prompt you for your username, enter your local password and you're in...
  I hope this helps...

• -2 ERR_USRFAIL: User authorization failed

  Hello guys,
  First to mention my system:
  OS: Windows 2003 server
  DB: MaxDB  7_7_06_17
  I have one problem to connect through Database Manager to one DB instance that  just now I have installed.
  What I want to do is to install one MDM server.
  The bellow are the steps that were already performed:
  -installed Java server with sapinst (this created its database ZJD)
  -after this Java server was finished installed I started to create one DB MDM instance using SDBSETUP.exe
  -I was able to create this MDM instance successful
  And the problem is here: This MDM database instance that was created with defaults users DBA and DBM. When the creation of this MDM was finished I tried to connect with both Database Manager and DBMCLI to MDM instance using these users but I am not able to connect. I get the   "-2 ERR_USRFAIL: User authorization failed" error. Can you tell me which is the reason?
  I am sure that I typed the right user and password. I tried to uninstall all and installed again inclusive OS and the same error. I mention that to instance ZJD I am able to connect.
  I tried with default users for Maxdb (DBA with pass: SECRET and DBA and DBM with pass: SECRET and DBM) but this doesn't work.
  Can you help me to solve this problem?
  Best regards,
  Florin Radulea

  Hello,
  Bellow is the output for
  sdbregview u2013l command:
  package "DB Analyzer":
  PACKAGE DIRECTORY:    e:/sapdb/programs
  SOFTWARE VERSION:     7.7.06.17
  PACKAGE VERSION:      0
  VALID:                YES
  MODE:                 64 bit
  MODIFICATION DATE:    13.04.2010
  REQUIRE:              Base >= 7.7.06.17
  FILELIST:             YES
  HAS DISPLAY NAME:     NO
  SCRIPT:               YES
  TEST FILE:            bin/dbanalyzer.exe
  IS SUBPACKAGE:        NO
  DBANALYZER PATH:      E:/sapdb/programs
  package "Server Utilities":
  PACKAGE DIRECTORY:           e:/sapdb/programs
  SOFTWARE VERSION:            7.7.06.17
  PACKAGE VERSION:             0
  VALID:                       YES
  MODE:                        64 bit
  MODIFICATION DATE:           13.04.2010
  REQUIRE:                     Base >= 7.7.06.17
  FILELIST:                    YES
  HAS DISPLAY NAME:            NO
  SCRIPT:                      YES
  TEST FILE:                   bin/x_server.exe
  IS SUBPACKAGE:               NO
  INDEPENDENT PROGRAM PATH:    E:/sapdb/programs
  package "PCR 7300":
  PACKAGE DIRECTORY:        e:/sapdb/programs
  SOFTWARE VERSION:         7.3.00.59
  PACKAGE VERSION:          0
  VALID:                    YES
  MODIFICATION DATE:        13.04.2010
  REQUIRE:                  Base >= 7.3.00.59
  FILELIST:                 YES
  HAS DISPLAY NAME:         NO
  SCRIPT:                   YES
  TEST FILE:                runtime/7300/pgm/libpcr.dll
  IS SUBPACKAGE:            NO
  PRECOMPILER 7300 PATH:    e:/sapdb/programs
  package "PCR 7301":
  PACKAGE DIRECTORY:        e:/sapdb/programs
  SOFTWARE VERSION:         7.3.01.22
  PACKAGE VERSION:          0
  VALID:                    YES
  MODIFICATION DATE:        13.04.2010
  REQUIRE:                  Base
  FILELIST:                 YES
  HAS DISPLAY NAME:         NO
  SCRIPT:                   YES
  TEST FILE:                runtime/7301/pgm/libpcr.dll
  IS SUBPACKAGE:            NO
  PRECOMPILER 7301 PATH:    e:/sapdb/programs
  package "PCR 7500":
  PACKAGE DIRECTORY:        e:/sapdb/programs
  SOFTWARE VERSION:         7.5.00.51
  PACKAGE VERSION:          0
  VALID:                    YES
  MODE:                     64 bit
  MODIFICATION DATE:        13.04.2010
  REQUIRE:                  Base >= 7.5.00.51
  FILELIST:                 YES
  HAS DISPLAY NAME:         NO
  SCRIPT:                   YES
  TEST FILE:                runtime/7500/pgm/pgm64/libpcr.dll
  IS SUBPACKAGE:            NO
  PRECOMPILER 7500 PATH:    E:/sapdb/programs
  package "Webtools":
  PACKAGE DIRECTORY:    e:/sapdb/programs/web
  SOFTWARE VERSION:     7.6.03.09
  PACKAGE VERSION:      0
  VALID:                YES
  MODE:                 64 bit
  MODIFICATION DATE:    13.04.2010
  REQUIRE:              ODBC >= 7.6.03.09 64
  FILELIST:             YES
  HAS DISPLAY NAME:     NO
  SCRIPT:               YES
  TEST FILE:            pgm/webdbm.dll
  IS SUBPACKAGE:        NO
  WEBTOOLS PATH:        E:/sapdb/programs/web
  package "SAP Utilities":
  PACKAGE DIRECTORY:           e:/sapdb/programs
  SOFTWARE VERSION:            7.7.06.17
  PACKAGE VERSION:             0
  VALID:                       YES
  MODE:                        64 bit
  MODIFICATION DATE:           13.04.2010
  REQUIRE:                     Base >= 7.7.06.17
  FILELIST:                    YES
  HAS DISPLAY NAME:            NO
  SCRIPT:                      YES
  TEST FILE:                   bin/dbmrfc.exe
  IS SUBPACKAGE:               NO
  :                            E:/sapdb/data
  INDEPENDENT PROGRAM PATH:    E:/sapdb/programs
  package "Redist Python":
  PACKAGE DIRECTORY:     e:/sapdb/programs
  SOFTWARE VERSION:      7.7.06.17
  PACKAGE VERSION:       0
  VALID:                 YES
  MODE:                  64 bit
  MODIFICATION DATE:     13.04.2010
  REQUIRE:               Base
  FILELIST:              YES
  HAS DISPLAY NAME:      NO
  SCRIPT:                YES
  TEST FILE:             bin/x_python.exe
  IS SUBPACKAGE:         NO
  REDIST PYTHON PATH:    E:/sapdb/programs
  package "Base":
  PACKAGE DIRECTORY:           e:/sapdb/programs
  SOFTWARE VERSION:            7.7.06.17
  PACKAGE VERSION:             0
  VALID:                       YES
  MODE:                        64 bit
  MODIFICATION DATE:           13.04.2010
  REQUIRE:                    
  FILELIST:                    YES
  HAS DISPLAY NAME:            NO
  SCRIPT:                      YES
  TEST FILE:                   pgm/dbmcli.exe
  IS SUBPACKAGE:               NO
  INDEPENDENT DATA PATH:       E:/sapdb/data
  INDEPENDENT PROGRAM PATH:    E:/sapdb/programs
  package "JDBC":
  PACKAGE DIRECTORY:    e:/sapdb/programs
  SOFTWARE VERSION:     7.6.06.05
  PACKAGE VERSION:      0
  VALID:                YES
  MODIFICATION DATE:    13.04.2010
  REQUIRE:              Base
  FILELIST:             YES
  HAS DISPLAY NAME:     NO
  SCRIPT:               YES
  TEST FILE:            NO
  IS SUBPACKAGE:        NO
  JAVA DRIVER PATH:     E:/sapdb/programs
  package "Messages":
  PACKAGE DIRECTORY:    e:/sapdb/programs
  SOFTWARE VERSION:     MSG 0.7732
  PACKAGE VERSION:      0
  VALID:                YES
  MODIFICATION DATE:    13.04.2010
  REQUIRE:              Base
  FILELIST:             YES
  HAS DISPLAY NAME:     NO
  SCRIPT:               YES
  TEST FILE:            NO
  IS SUBPACKAGE:        NO
  MESSAGES PATH:        E:/sapdb/programs
  package "ODBC":
  PACKAGE DIRECTORY:    e:/sapdb/programs
  SOFTWARE VERSION:     7.7.06.17
  PACKAGE VERSION:      0
  VALID:                YES
  MODE:                 64 bit
  MODIFICATION DATE:    13.04.2010
  REQUIRE:              Base >= 7.7.06.17
  FILELIST:             YES
  HAS DISPLAY NAME:     NO
  SCRIPT:               YES
  TEST FILE:            pgm/sdbodbc.dll
  IS SUBPACKAGE:        NO
  ODBC PATH:            E:/sapdb/programs
  package "SQLDBC 77":
  PACKAGE DIRECTORY:    e:/sapdb/programs
  SOFTWARE VERSION:     7.7.06.17
  PACKAGE VERSION:      0
  VALID:                YES
  MODE:                 64 bit
  MODIFICATION DATE:    13.04.2010
  REQUIRE:              Database Connectivity >= 7.7.06.17
  FILELIST:             YES
  HAS DISPLAY NAME:     NO
  SCRIPT:               YES
  TEST FILE:            pgm/libSQLDBC77.dll
  IS SUBPACKAGE:        NO
  DBC PATH:             E:/sapdb/programs
  package "Database Kernel":
  PACKAGE DIRECTORY:    f:/sapdb/mdm/db
  SOFTWARE VERSION:     7.7.06.17
  PACKAGE VERSION:      0
  VALID:                YES
  MODE:                 64 bit
  MODIFICATION DATE:    13.04.2010
  REQUIRE:              Server Utilities >= 7.7.06.17
  FILELIST:             YES
  HAS DISPLAY NAME:     NO
  SCRIPT:               YES
  TEST FILE:            pgm/kernel.exe
  IS SUBPACKAGE:        NO
  DEPENDENT PATH:       f:/sapdb/mdm/db
  PACKAGE DIRECTORY:    e:/sapdb/zjd/db
  SOFTWARE VERSION:     7.7.06.17
  PACKAGE VERSION:      0
  VALID:                YES
  MODE:                 64 bit
  MODIFICATION DATE:    13.04.2010
  REQUIRE:              Server Utilities >= 7.7.06.17
  FILELIST:             YES
  HAS DISPLAY NAME:     NO
  SCRIPT:               YES
  TEST FILE:            pgm/kernel.exe
  IS SUBPACKAGE:        NO
  DEPENDENT PATH:       e:/sapdb/zjd/db
  package "Loader":
  PACKAGE DIRECTORY:    e:/sapdb/programs
  SOFTWARE VERSION:     7.7.06.17
  PACKAGE VERSION:      0
  VALID:                YES
  MODE:                 64 bit
  MODIFICATION DATE:    13.04.2010
  REQUIRE:              Redist Python >= 7.7.06.17
  FILELIST:             YES
  HAS DISPLAY NAME:     NO
  SCRIPT:               YES
  TEST FILE:            bin/loadercli.exe
  IS SUBPACKAGE:        NO
  LOADER PATH:          E:/sapdb/programs
  package "SQLDBC":
  PACKAGE DIRECTORY:    e:/sapdb/programs
  SOFTWARE VERSION:     7.7.06.17
  PACKAGE VERSION:      0
  VALID:                YES
  MODE:                 64 bit
  MODIFICATION DATE:    13.04.2010
  REQUIRE:              Base
  FILELIST:             YES
  HAS DISPLAY NAME:     YES
  SCRIPT:               YES
  TEST FILE:            pgm/libSQLDBC.dll
  IS SUBPACKAGE:        NO
  DBC PATH:             E:/sapdb/programs
  package "SQLDBC 76":
  PACKAGE DIRECTORY:    e:/sapdb/programs
  SOFTWARE VERSION:     7.6.06.07
  PACKAGE VERSION:      0
  VALID:                YES
  MODE:                 64 bit
  MODIFICATION DATE:    13.04.2010
  REQUIRE:              Database Connectivity >= 7.6.06.07
  FILELIST:             YES
  HAS DISPLAY NAME:     YES
  SCRIPT:               YES
  TEST FILE:            pgm/libSQLDBC76.dll
  IS SUBPACKAGE:        NO
  DBC PATH:             E:/sapdb/programs
  package "Fastload API":
  PACKAGE DIRECTORY:    e:/sapdb/programs
  SOFTWARE VERSION:     7.7.06.17
  PACKAGE VERSION:      0
  VALID:                YES
  MODE:                 64 bit
  MODIFICATION DATE:    13.04.2010
  REQUIRE:              SQLDBC 77
  FILELIST:             YES
  HAS DISPLAY NAME:     NO
  SCRIPT:               YES
  TEST FILE:            pgm/libSDBLoader.dll
  IS SUBPACKAGE:        NO
  FASTLOAD PATH:        E:/sapdb/programs

• AAA Authorization Fail between WLC 2125 & LWAP 1042n

  In my Wireless environment, WLC 2125 is connected to a LWAP 1042n. The WLC is succesfully providing DHCP IP to the AP but is unable to discover it. All are connected. During debug mode following error message is encountered in WLC 2125, "AAA Authorization Fail....".
  Please suggest what to do.

  Here is a good doc that explains different errors:
  http://www.cisco.com/en/US/products/ps6366/products_tech_note09186a00808f8599.shtml