Failed authorization

I keep getting failed authorization and when it does authorize it will not allow me to copy books over to my device. What is up with this. Had no problems with it at all for the longest time and now that is all i have. HELP.. would like to read my books.

Hi,
In order to fix error "E_AUTH_FAILED http://adeactivate.adobe.com/adept/SignInDirect" do following.
Solution 1)
Open Internet Explorer
In menu bar go to Tools>>Internet Options
Select Security tab.
Now select Trusted Sites.
Click on Sites button.
Now add http://adeactivate.adobe.com
Solution 2)
1) Open Adobe Digital Editions.
2) Press Ctrl+Shift+D key of your Keyboard and deauthorize Digital Editions
3) Move your e-books to some different Location.
4) uninstall Adobe Digital Editions from your computer.
     Click start>>Control Panel>>Add or remove Program
     Select Adobe Digital Editions from the list and Delete.
5) Also delete following files.
    Click Start>>Run
    Type "regedit" without quotes in the box and hit enter.
    Locate the following key "HKEY_CURRENT_USER>Software>Adobe>Digital Editions"
    delete the full folder (Right click on it and click delete).
     Also locate HKEY_CURRENT_USER>Software>Adobe>Adept
     Delete the full folder.
6) Now download and install Adobe Digital Editions from the link given below.
     http://www.adobe.com/products/digitaleditions/
7) When asked to authorize computer then please enter same Adobe ID and password which you were using earlier.
I hope this will help you .!!!
Regards
Rizwan

Similar Messages

Credit Block For Failed Authorization

Hi All,
During sales order processing, the payment card authorization fails, the automatic credit check is set to block.
To be able to re-authorize a sales order with a failed Payment Card authorization, the user can use transaction VCC1.
But it can not remove the block, so when i create the billing document, No accounting document created..... Can you please help me to solve this issue?
Thankx

Hello,
If I understood it correctly, U want to release the blocked credit documents.
If so, go to transaction VKM3/VKM4 & choose the appropriate documents you want to release i.e. SO or Delivery and proceed.
Please note that only authorized persons should release after sufficient permissions from the business.
I hope this helps.
Rgds,
Raghu.

"Amount you own" due to credit card failed authorization. Please help

I was using a prepaid creditcard on my iTunes account but I didnt know it ran out, I downloaded Angry Bird Space HD from the app store after that and now I have a certain amount I own apple because it failed to authorize the prepaid credit card yet allowed me to install the app. I'm going to buy an iTunes gift card tonight, will that allow me to repay the amount due? Because I don't want to get banned or anything bad like that.
Also if anyone else has had this happen to them before please tell me what you did. Thanks!

Yes, just enter the new card details and click done when finished. It will then charge the new card for the amount owed.

Logout fails Authorization Scheme

I'm using the following logout url on the authentication scheme:
wwv_flow_custom_auth_std.logout?p_this_flow=&APP_ID.&p_next_flow_page_sess=140:12
On page 12 the authorization scheme is - No Page Authorization Required - and the Authentication is 'Page is Public'.
Page 12 fails on authentication. I get Access denied by Application security check and the error message for the authentication scheme.
I know it's happening because the authentication scheme is using a query to verify the user exists in a table:
Exists SQL Query
select 1
from Personnel
where upper(USERid) = :APP_USER
:APP_USER is now empty because they logged out.
My question is how can I get the application to skip the authentication scheme? I thought when I picked, 'no page authorization required' and 'page is public' the application no longer checks the authentication and authorization.
Thanks, Elizabeth

Sorry about that. I tried to write it from memory.
I'm using the following logout url on the Authentication Scheme:
wwv_flow_custom_auth_std.logout?p_this_flow=&APP_ID.&p_next_flow_page_sess=140:12
On page 12 the Authorization Scheme is - No Page Authorization Required - and the Authentication is 'Page is Public'.
Page 12 fails on authorization. I get Access denied by Application security check and the error message for the Authorization Scheme.
I know it's happening because the Authorization Scheme is using a query to verify the user exists in a table:
Exists SQL Query
select 1
from Personnel
where upper(USERid) = :APP_USER
:APP_USER is now empty because they logged out.
My question is how can I get the application to skip the Authorization Scheme? I thought when I picked, 'no page authorization required' and 'page is public' the application no longer checks the authentication and authorization.
Thanks, Elizabeth

Authorization-check P_PCR fails...

Hey Guys,
I have a little authorization problem...
I created a role with authorizationobject P_PCR.
Payroll Area B8
Activity Change
In my program i have following code to check authorization :
GET pernr.
AUTHORITY-CHECK OBJECT 'P_PCR'
 ID 'ABKRS' FIELD pernr-abkrs
 ID 'ACTVT' FIELD '02'.
IF sy-subrc NE 0.
 REJECT.
ENDIF.
* further processing..
Everytime i execute this code, sy-subrc eq 4... :(.
When i look into SU53 :
The authorization check failed
Authorization obj. P_PCR HR: Payroll Control Record
 Object Class HR Human Resources
 B8
 Activity 02
My user is added to the role, so i don't see anymore why i can't execute this report ... Does anyone has an idea for me ?
Thanks,
Kind Regards,
Tom

Bon... Found the error...
AUTHORITY-CHECK OBJECT 'P_PCR'
 ID 'ABKRS' FIELD pernr-abkrs
 ID 'ACTVT' FIELD '02'.
IF sy-subrc NE 0.
 REJECT.
ENDIF.
In object P_PCR the field is not ABKRS, but the field is ABRKS.
So, problem solved...
Greetz,
Tom

ISE first authorization sucess and then fail (MAB)

Hi,
Using ISE 1.1.1 and Switch 3650 12.2(55)SE6.
I have a client (computer) that should be authenticated with MAB and then the switch port should be asigned a DACL and VLAN 90. I do get
"Authorization succeeded" but directly after it fails and I can't figure out why. ISE only shows the successful authentication under "Live Authenticaions".
As you can se from the log below 802.1x fails, as it should, and then MAB succeed, asigns the VLAN and then fails:
0002SWC002(config)#int fa0/13
0002SWC002(config-if)#shut
0002SWC002(config-if)#
Jan 7 13:26:59.640: %LINK-5-CHANGED: Interface FastEthernet0/13, changed state to administratively down
Jan 7 13:27:00.647: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/13, changed state to down
0002SWC002(config-if)#no shut
0002SWC002(config-if)#
Jan 7 13:27:19.689: %LINK-3-UPDOWN: Interface FastEthernet0/13, changed state to down
Jan 7 13:27:22.063: %LINK-3-UPDOWN: Interface FastEthernet0/13, changed state to up
Jan 7 13:27:22.776: %AUTHMGR-5-START: Starting 'dot1x' for client (f04d.a223.8f43) on Interface Fa0/13 AuditSessionID 0A0005FC00000
020D7C192D1
Jan 7 13:27:23.070: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/13, changed state to up
Jan 7 13:27:51.054: %DOT1X-5-FAIL: Authentication failed for client (f04d.a223.8f43) on Interface Fa0/13 AuditSessionID
Jan 7 13:27:51.054: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (f04d.a223.8f43) on Interface Fa
0/13 AuditSessionID 0A0005FC00000020D7C192D1
Jan 7 13:27:51.054: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (f04d.a223.8f43) on Interface Fa0/13 AuditSessionID 0
A0005FC00000020D7C192D1
Jan 7 13:27:51.054: %AUTHMGR-5-START: Starting 'mab' for client (f04d.a223.8f43) on Interface Fa0/13 AuditSessionID 0A0005FC0000002
0D7C192D1
Jan 7 13:27:51.088: %MAB-5-SUCCESS: Authentication successful for client (f04d.a223.8f43) on Interface Fa0/13 AuditSessionID 0A0005
FC00000020D7C192D1
Jan 7 13:27:51.088: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (f04d.a223.8f43) on Interface Fa0/13 AuditSessionID 0A0005FC00000020D7C192D1
Jan 7 13:27:51.088: %AUTHMGR-5-VLANASSIGN: VLAN 90 assigned to Interface Fa0/13 AuditSessionID 0A0005FC00000020D7C192D1
Jan 7 13:27:51.096: %EPM-6-POLICY_REQ: IP 0.0.0.0| MAC f04d.a223.8f43| AuditSessionID 0A0005FC00000020D7C192D1| AUTHTYPE DOT1X| EVENT APPLY
Jan 7 13:27:51.096: %EPM-6-IPEVENT: IP 0.0.0.0| MAC f04d.a223.8f43| AuditSessionID 0A0005FC00000020D7C192D1| AUTHTYPE DOT1X| EVENT
IP-WAIT
Jan 7 13:27:51.255: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (f04d.a223.8f43) on Interface Fa0/13 AuditSessionID 0A00
05FC00000020D7C192D1
Jan 7 13:27:52.027: %EPM-6-IPEVENT: IP 10.90.5.1| MAC f04d.a223.8f43| AuditSessionID 0A0005FC00000020D7C192D1| AUTHTYPE DOT1X| EVENT IP-ASSIGNMENTReplacing duplicate ACE entry for host 10.90.5.1
Jan 7 13:27:52.036: %AUTHMGR-5-FAIL: Authorization failed for client (f04d.a223.8f43) on Interface Fa0/13 AuditSessionID 0A0005FC00
000020D7C192D1
Jan 7 13:27:52.036: %EPM-6-POLICY_REQ: IP 10.90.5.1| MAC f04d.a223.8f43| AuditSessionID 0A0005FC00000020D7C192D1| AUTHTYPE DOT1X| EVENT REMOVE
After this the proces starts over again.
This is the switch port config:
interface FastEthernet0/13
description VoIP/Data
switchport mode access
switchport voice vlan 20
switchport port-security
switchport port-security violation restrict
ip access-group ACL-ALLOW in
srr-queue bandwidth share 1 70 25 5
srr-queue bandwidth shape 3 0 0 0
priority-queue out
authentication event fail action next-method
authentication event server dead action authorize voice
authentication host-mode multi-auth
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
mab
snmp trap mac-notification change added
no snmp trap link-status
dot1x pae authenticator
dot1x timeout tx-period 10
storm-control broadcast level 2.00 1.00
storm-control multicast level 2.00 1.00
storm-control action shutdown
storm-control action trap
spanning-tree portfast
service-policy input ax-qos_butnet
ip dhcp snooping limit rate 5
end
Is there a problem with the client (computer) or in ISE/Switch?

Hi Tarik,
First off; thank you for helping me troubleshoot this problem.
I think the "IP-" part of "IP-ACL-IWMAC" is beeing added automaticly (in the switch maby?). I see this behaviour on other dACL too. I did not change the name of the ACL.
You seem to have a valid theory about the icmp statement. I changed it to "permit icmp any any" and it seems to work. But I can't explain why this is happening.
When I look at the debugs I see this difference
With the original ACL I get this:
%EPM-6-POLICY_REQ: IP 0.0.0.0| MAC f04d.a223.8f43| AuditSessionID 0A0005FC00000053E70733F4| AUTHTYPE DOT1X| EVENT APPLYReplacing duplicate ACE entry for host 10.90.5.1
%EPM-6-IPEVENT: IP 10.90.5.1| MAC f04d.a223.8f43| AuditSessionID 0A0005FC00000053E70733F4| AUTHTYPE DOT1X| EVENT IP-RELEASE
%EPM-6-IPEVENT: IP 10.90.5.1| MAC f04d.a223.8f43| AuditSessionID 0A0005FC00000053E70733F4| AUTHTYPE DOT1X| EVENT IP-WAIT
%AUTHMGR-5-FAIL: Authorization failed for client (f04d.a223.8f43) on Interface Fa0/13 AuditSessionID 0A0005FC00000053E70733F4
When using "permit icmp any any" i get this:
%EPM-6-POLICY_REQ: IP 0.0.0.0| MAC f04d.a223.8f43| AuditSessionID 0A0005FC00000055E70B8E7D| AUTHTYPE DOT1X| EVENT APPLY
%EPM-6-AAA: POLICY xACSACLx-IP-ACL-IWMAC-50eea905| EVENT DOWNLOAD-REQUEST
I tried googeling but can't find what "Replacing duplicate ACE entry for host xxx" means.
I have added debugs in attachment.
device1_orig_acl - the none working device with original ACL
device1_any_any - the none working device with permit icmp any any
working_device_orig_acl - the device that works with the original ACL
Do you have an answer to why this is happening?
Regards,
Philip

Authorization issue - help request

Hi guys,
One of the consultants is having an authorization issue ( He is not abele to run a t-code)
I ask him to run a su53 report and i am not sure how to proceed with this.
Please help.
Here are the details from the SU53 report.
DISPLAY AUTHORIZATION DATA FOR USER VYXXXX
User : VYXXX                       profile parameter authorization buffering    4
Authorization Object: F_KNA1_GRP
Description
Authorization check failed:
      + Authorization object F_KNA1_GRP Customer Account Group Authorization
            Activity                                08
            Customer Account Group     ZM01
Users Authorization Data :
      + Authorization object F_KNA1_GRP Customer Account Group Authorization
               Authorization T-PD19002300
              Authorization T-UG39000900
              Authorization T-UG39001000
Please help me guys what need to be performed.
Regards,
Vamsi.

Hi Vamsi,
SU53 shows us the last failed authorization for a user. However, it might not only be the failed authorization object failed.
Hence, "just to learn" , you can use transaction ST01 to enable and run a trace for particular users. Be sure to use in a test environment first, and with proper filters. (for a particular user only).
Then check-> which auth object is failing.
RC=4 means a object value is failing.
RC=12 means an object is missing!
Check, which tcode is calling that object and this tcode is present in which role. Then.........proceed.
You can check the SAP documentation on running traces on the help portal of SAP. I think you will find the answer yourself by troubleshooting more and may be massaging some test roles here and there!
Likewise, if you are new to security, I would encourage you to start by reading some books on SAP security. Authorizations made easy is a good book to start with.
Let me know if you have any questions
EOD for me :P . take care
Abhishek

ISE v1.1 NAD 6500 failed to decrypt Key......

Hello everyone ,
I´ve implemented 2 Cisco ISE v1.1 in HA to run MAB and 802.x Authentication / Authorization. Using Local ISE DB and Active Directory as an External Identity Source for wireless and wired users and devices. This was working fine 2 weeks ago after finishing installation.
My NAD devices are a Core SW 6500 for wired users (there are no access SW, just the Core for the whole network, its a small office) and a WLC 2405 for Wireless Users.
Here is the network topology:
DNSs are fully resolvable forward and reverse zone and ISEs, AD, WLC and SW Core are synched with the same NTP server.
As I mentioned Authentication and Authorization were working fine. Two weekends ago there was an electrical outage in the office. When the ISEs servers came up, the trust relationship between AD and ISEs was broken and so was HA replication. I did some troubleshoot to delete and install new certificates from AD into both ISEs and build again the HA configuration. I finally got the ISEs working fine again.
This last weekend, another electrical outage occurs in the office (client is working with a temporary plant and is already warned about electrical damages not covered by warranty) and the ISE servers came up in the same condition again, no trust relationship with AD (Domain Controller). So I fix this again by deleting and installing new certificates into ISE. The problem is that for some reason the NAD 6500 is not authenticating to the ISE. I´m receiving the following debug messages in the SW:
Sep 12 17:41:00.222: RADIUS(00000000): Request timed out
Sep 12 17:41:00.222: RADIUS: Retransmit to (172.16.3.5:1812,1813) for id 1645/165
Sep 12 17:41:00.222: RADIUS(00000000): Started 5 sec timeout
Sep 12 17:41:00.226: RADIUS: Received from id 1645/165 172.16.3.5:1812, Access-Reject, len 20
Sep 12 17:41:00.226: RADIUS: authenticator 00 D5 B6 0B C9 49 83 81 - 87 17 23 82 2B 6A CB C7
Sep 12 17:41:00.226: RADIUS: response-authenticator decrypt fail, pak len 20
Sep 12 17:41:00.226: RADIUS: packet dump: 03A5001400D5B60BC9498381871723822B6ACBC7
Sep 12 17:41:00.226: RADIUS: expected digest: BFAB772B5BA4B134F46E13A21F722317
Sep 12 17:41:00.226: RADIUS: response authen: 00D5B60BC9498381871723822B6ACBC7
Sep 12 17:41:00.226: RADIUS: request authen: 41EAE3A7DAEE6332CE646436F949C5A1
Sep 12 17:41:00.226: RADIUS: Response (165) failed decrypt
Sep 12 17:41:05.110: RADIUS(00000000): Request timed out
Sep 12 17:41:05.110: RADIUS: Retransmit to (172.16.3.5:1812,1813) for id 1645/165
Sep 12 17:41:05.110: RADIUS(00000000): Started 5 sec timeout
Sep 12 17:41:05.114: RADIUS: Received from id 1645/165 172.16.3.5:1812, Access-Reject, len 20
Sep 12 17:41:05.114: RADIUS: authenticator 00 D5 B6 0B C9 49 83 81 - 87 17 23 82 2B 6A CB C7
Sep 12 17:41:05.114: RADIUS: response-authenticator decrypt fail, pak len 20
Sep 12 17:41:05.114: RADIUS: packet dump: 03A5001400D5B60BC9498381871723822B6ACBC7
Sep 12 17:41:05.114: RADIUS: expected digest: BFAB772B5BA4B134F46E13A21F722317
Sep 12 17:41:05.114: RADIUS: response authen: 00D5B60BC9498381871723822B6ACBC7
Sep 12 17:41:05.114: RADIUS: request authen: 41EAE3A7DAEE6332CE646436F949C5A1
Sep 12 17:41:05.114: RADIUS: Response (165) failed decrypt
Sep 12 17:41:10.438: RADIUS(00000000): Request timed out
Sep 12 17:41:10.438: RADIUS: No response from (172.16.3.5:1812,1813) for id 1645/165
Sep 12 17:41:10.438: RADIUS/DECODE: parse response no app start; FAIL
Sep 12 17:41:10.438: RADIUS/DECODE: parse response; FAIL
Sep 12 17:41:13.682: %MAB-5-FAIL: Authentication failed for client (a44c.11ca.eadf) on Interface Gi1/29
Sep 12 17:41:13.682: %AUTHMGR-7-RESULT: Authentication result 'server dead' from 'mab' for client (a44c.11ca.eadf) on Interface Gi1/29
Sep 12 17:41:13.682: %AUTHMGR-5-FAIL: Authorization failed for client (a44c.11ca.eadf) on Interface Gi1/29
Sep 12 17:41:00.222: RADIUS(00000000): Request timed out
I have deleted and created again the 6500 NAD in the ISE, and configured againd the Radius-Key in the 6500 making sure they are exactly the same. But I keep receiving the same errors.
I have already reviewed the following links:
http://www.cisco.com/en/US/docs/wireless/access_point/12.3_7_JA/configuration/guide/s37err.html
http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_logging.html#wp1061989
http://puck.nether.net/pipermail/cisco-nas/2004-May/000686.html
And the troubleshooting section from the Cisco Identity Services Engine User Guide, Release 1.0.4
Everything points me that the Radius Key between ISE and the 6500SW is wrong, but I´ve configured it again twice and typed it letter by letter slowly to avoid any typos.
ISE version: 1.1.0.665
ADE OS: 2
Active Directory: Windows 2008 R2 Standard
6500 SW Config:
Building configuration...
Current configuration : 65413 bytes
! Last configuration change at 12:22:42 MXVeran Tue Jul 31 2012 by ho1a
! NVRAM config last updated at 22:21:11 MXVeran Mon Jul 30 2012 by ho1a
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service compress-config
service counters max age 5
boot-start-marker
boot system flash bootdisk:
boot-end-marker
logging buffered 64000
enable secret 5 $1$QoxK$w6sZJ66pXDMLS1lGPp3KR.
username ho1a privilege 15 secret 5 $1$DYMo$O8BQi2u.emzdCFfNMxCTd.
username test-radius password 7 14141B180F0B7B7977
aaa new-model
aaa authentication login Tr3s41ia.2012 local
aaa authentication dot1x default group radius
aaa authorization exec default local
aaa authorization network default group radius
aaa authorization auth-proxy default group radius
aaa accounting update periodic 5
aaa accounting dot1x default start-stop group radius
aaa accounting system default start-stop group radius
aaa server radius dynamic-author
client 172.16.3.5 server-key 7 110A1016141D5A5E57
aaa session-id common
platform ip cef load-sharing ip-only
platform rate-limit layer2 port-security pkt 300 burst 10
clock timezone MXInv -6
clock summer-time MXVerano recurring
authentication critical recovery delay 1000
interface GigabitEthernet8/1
switchport
switchport access vlan 2
switchport mode access
ip access-group ACL_ISE_Default in
authentication host-mode multi-auth
authentication open
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
mab
dot1x pae authenticator
spanning-tree portfast edge
ip default-gateway 172.16.3.2
ip forward-protocol nd
ip http server
ip http secure-server
ip route 0.0.0.0 0.0.0.0 172.16.3.2
ip radius source-interface Vlan3 vrf default
logging origin-id ip
logging source-interface Vlan3
logging host 172.16.3.5 transport udp port 20514
snmp-server group Tr3s41ia.2012aes v3 priv
snmp-server group Tr3s41ia.2012md5 v3 auth
snmp-server community public RO
snmp-server community tresaliarw RW
snmp-server community tresaliaro RO
snmp-server trap-source Vlan3
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps memory bufferpeak
no snmp-server enable traps entity-sensor threshold
snmp-server enable traps cpu threshold
snmp-server enable traps vtp
snmp-server enable traps flash insertion removal
snmp-server enable traps mac-notification move change
snmp-server enable traps errdisable
snmp-server host 172.16.3.4 version 3 priv Tr3s41ia.2012aes
snmp-server host 172.16.3.4 version 3 auth Tr3s41ia.2012md5
snmp-server host 172.16.3.5 version 2c tresaliaro
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 30 tries 3
radius-server host 172.16.3.5 auth-port 1812 acct-port 1813 test username test-radius key 7 104D000A061843595F
radius-server vsa send accounting
radius-server vsa send authentication
control-plane
service-policy input policy-default-autocopp
line con 0
logging synchronous
login authentication Tr3s41ia.2012
line aux 0
line vty 0 4
login authentication defaulTr3s41ia.2012
transport input ssh
line vty 5 1509
login authentication defaulTr3s41ia.2012
transport input ssh
ntp clock-period 17179836
ntp peer 172.16.4.9
no event manager policy Mandatory.go_switchbus.tcl type system
end
Additionaly, I´m getting the following screen when accesing the Stand-by server via https:
I´m thinking that there might be some problems with the CA Certificates installed on ISEs, or some corrupted data due to the 2 sudden restarts.
Any help, hint or direction will be really appreciated.
Thanks in advanced for your time. Best Regards.

Hello Tarik, thanks for your response,
I´ll go ahead and remove and configure again the complete radius configuration on the SW and let you know what happens, if this doesn´t work I´m thinking that re-installing the ISE server might be the solution. It´s was working fine after the fresh install.
I use the command "test aaa group radius username password new-code" to test SW communication to ISE and here is the debug output from the SW:
Sep 12 20:42:59.713: RADIUS/ENCODE(00000000):Orig. component type = INVALID
Sep 12 20:42:59.713: RADIUS(00000000): Config NAS IP: 172.16.3.1
Sep 12 20:42:59.713: RADIUS(00000000): sending
Sep 12 20:42:59.713: RADIUS(00000000): Send Access-Request to 172.16.3.5:1812 id 1645/93, len 56
Sep 12 20:42:59.713: RADIUS: authenticator 24 52 30 41 B7 06 74 CE - C7 4B 7B FF 87 88 F7 23
Sep 12 20:42:59.713: RADIUS: User-Password       [2]   18 *
Sep 12 20:42:59.713: RADIUS: User-Name           [1]   6   test
Sep 12 20:42:59.713: RADIUS: Service-Type        [6]   6   Login                     [1]
Sep 12 20:42:59.713: RADIUS: NAS-IP-Address      [4]   6   172.16.3.1
Sep 12 20:42:59.713: RADIUS(00000000): Started 5 sec timeout
Sep 12 20:43:14.485: RADIUS(00000000): Started 5 sec timeout
Sep 12 20:43:14.489: RADIUS: Received from id 1645/93 172.16.3.5:1812, Access-Reject, len 20
Sep 12 20:43:14.489: RADIUS: authenticator B2 89 18 4B F5 D8 D6 67 - 85 4D 1E C3 DE C9 06 85
Sep 12 20:43:14.489: RADIUS: response-authenticator decrypt fail, pak len 20
Sep 12 20:43:14.489: RADIUS: packet dump: 035D0014B289184BF5D8D667854D1EC3DEC90685
Sep 12 20:43:14.489: RADIUS: expected digest: EDB6C64ADA12BCD81CD21C3EF28CDB27
Sep 12 20:43:14.489: RADIUS: response authen: B289184BF5D8D667854D1EC3DEC90685
Sep 12 20:43:14.489: RADIUS: request authen: 24523041B70674CEC74B7BFF8788F723
Sep 12 20:43:14.489: RADIUS: Response (93) failed decryptUser rejected
And here are the results from the Operations/Authentications Tabe from ISE:
There are no other SWs in the network, just the Core. I cannot test Wireless Authentication since the AccessPoint Switchport is also controlled by ISE and is not Authenticated right now. I can Authenticate the Active Directory Users using NTRadPing tool as a test and its succesful. AD and 6500 SW are using the same Radius key to communicate with ISE. Here is the AD usert Authentication:
So I´ll proceed to re-configure the SW for Radius server and let you know if this is the solution.
Thanks in advanced for your time and comments.

802.1x port authentication failing after getting a access-accept packet

Hi all,
Im not 100% sure what the hell is going on here.
Any idea's or help will be appreciated.
Heres the topology.
1 x windows 2012 NPS
1x 3750X
1x Windows 7 x64
data flow
<laptop> - - [gi 1/0/13]<3750X>[gi 1/0/48]- -[gi 5/39]<6513>[po 1] - - [po 4]<6509><5/1> - - <VMWARE>[NPS Server]
The switch that is doing the authentication is the 3750X. Here is the IOS version.
Switch Ports Model SW Version SW Image
* 1 54 WS-C3750X-48 15.2(1)E C3750E-UNIVERSALK9-M
A wireshark trace on the NPS server shows that the packets are arriving and being sent back
Wireshark on a mirror of the trunk port connecting the 6513. It also shows packets being sent and arriving. access-accept packets are being recieved.
As you can see in the debug output, the switch is getting a access-accept, then it is stating a AAA failure.
here is a debug output as you plug in the laptop.
Oct 24 10:53:44.653: dot1x-ev:[Gi1/0/13] Interface state changed to DOWN
Oct 24 10:53:44.653: dot1x-ev:[Gi1/0/13] No DOT1X subblock found for port down
Oct 24 10:53:45.643: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/13, changed state to down
Oct 24 10:53:46.641: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/13, changed state to down
Oct 24 10:53:47.538: dot1x-ev:[Gi1/0/13] Interface state changed to UP
Oct 24 10:53:47.564: dot1x-packet:[6431.500e.9b00, Gi1/0/13] queuing an EAPOL pkt on Auth Q
Oct 24 10:53:47.572: dot1x-ev:DOT1X Supplicant not enabled on GigabitEthernet1/0/13
Oct 24 10:53:47.572: dot1x-packet:EAPOL pak rx - Ver: 0x1 type: 0x1
Oct 24 10:53:47.572: dot1x-packet: length: 0x0000
Oct 24 10:53:47.572: dot1x-ev:[Gi1/0/13] Dequeued pkt: Int Gi1/0/13 CODE= 0,TYPE= 0,LEN= 0
Oct 24 10:53:47.572: dot1x-ev:[Gi1/0/13] Received pkt saddr =6431.500e.9b00 , daddr = 0180.c200.0003, pae-ether-type = 888e.0101.0000
Oct 24 10:53:47.572: dot1x-ev:[Gi1/0/13] Couldn't find the supplicant in the list
Oct 24 10:53:47.572: dot1x-ev:[6431.500e.9b00, Gi1/0/13] New client detected, sending session start event for 6431.500e.9b00
Oct 24 10:53:47.572: AAA/BIND(00000047): Bind i/f
Oct 24 10:53:47.580: dot1x-ev:[6431.500e.9b00, Gi1/0/13] Sending create new context event to EAP for 0x15000045 (6431.500e.9b00)
Oct 24 10:53:47.580: EAP-EVENT: Received context create from LL (Dot1x-Authenticator) (0x15000045)
Oct 24 10:53:47.580: EAP-AUTH-EVENT: Received AAA ID 0x00000047 from LL
Oct 24 10:53:47.580: EAP-AUTH-AAA-EVENT: Assigning AAA ID 0x00000047
Oct 24 10:53:47.580: EAP-AUTH-AAA-EVENT: CTS not enabled on interface Gi1/0/13
Oct 24 10:53:47.580: EAP-AUTH-EVENT: Received Session ID "C0A846660000004700DF6030" from LL
Oct 24 10:53:47.580: EAP-AUTH-EVENT: Setting authentication mode: Passthrough
Oct 24 10:53:47.580: eap_authen : initial state eap_auth_initialize has enter
Oct 24 10:53:47.580: EAP-EVENT: Allocated new EAP context (handle = 0xE8000047)
Oct 24 10:53:47.580: dot1x-ev:[6431.500e.9b00, Gi1/0/13] Created a client entry (0x15000045)
Oct 24 10:53:47.580: dot1x-ev:[6431.500e.9b00, Gi1/0/13] Dot1x authentication started for 0x15000045 (6431.500e.9b00)
Oct 24 10:53:47.580: %AUTHMGR-5-START: Starting 'dot1x' for client (6431.500e.9b00) on Interface Gi1/0/13 AuditSessionID C0A846660000004700DF6030
Oct 24 10:53:47.580: EAP-EVENT: Received EAP event 'EAP_AUTHENTICATOR_START' on handle 0xE8000047
Oct 24 10:53:47.580: eap_authen : during state eap_auth_initialize, got event 25(eapStartTmo)
Oct 24 10:53:47.580: @@@ eap_authen : eap_auth_initialize -> eap_auth_select_action
Oct 24 10:53:47.580: eap_authen : during state eap_auth_select_action, got event 20(eapDecisionPropose)
Oct 24 10:53:47.580: @@@ eap_authen : eap_auth_select_action -> eap_auth_propose_method
Oct 24 10:53:47.580: eap_authen : idle during state eap_auth_propose_method
Oct 24 10:53:47.580: @@@ eap_authen : eap_auth_propose_method -> eap_auth_method_request
Oct 24 10:53:47.580: eap_authen : idle during state eap_auth_method_request
Oct 24 10:53:47.580: @@@ eap_authen : eap_auth_method_request -> eap_auth_tx_packet
Oct 24 10:53:47.580: EAP-AUTH-EVENT: Current method = Identity
Oct 24 10:53:47.580: EAP-EVENT: Sending LL (Dot1x-Authenticator) event 'EAP_CUSTOMIZE_ID_REQUEST' on handle 0xE8000047
Oct 24 10:53:47.580: eap_authen : idle during state eap_auth_tx_packet
Oct 24 10:53:47.580: @@@ eap_authen : eap_auth_tx_packet -> eap_auth_idle
Oct 24 10:53:47.589: EAP-AUTH-TX-PAK: Code:REQUEST ID:0x1 Length:0x0005 Type:IDENTITY
Oct 24 10:53:47.589: EAP-EVENT: Started 'Authenticator ReqId Retransmit' timer (30s) for EAP sesion handle 0xE8000047
Oct 24 10:53:47.589: EAP-EVENT: Started EAP tick timer
Oct 24 10:53:47.589: EAP-EVENT: Sending LL (Dot1x-Authenticator) event 'EAP_TX_PACKET' on handle 0xE8000047
Oct 24 10:53:47.597: dot1x-ev:[Gi1/0/13] Sending EAPOL packet to group PAE address
Oct 24 10:53:47.597: dot1x-ev:[Gi1/0/13] Sending out EAPOL packet
Oct 24 10:53:47.597: dot1x-packet:EAPOL pak Tx - Ver: 0x3 type: 0x0
Oct 24 10:53:47.597: dot1x-packet: length: 0x0005
Oct 24 10:53:47.597: dot1x-packet:EAP code: 0x1 id: 0x1 length: 0x0005
Oct 24 10:53:47.597: dot1x-packet: type: 0x1
Oct 24 10:53:47.597: dot1x-packet:[6431.500e.9b00, Gi1/0/13] EAPOL packet sent to client 0x15000045
Oct 24 10:53:47.606: dot1x-packet:[6431.500e.9b00, Gi1/0/13] Queuing an EAPOL pkt on Authenticator Q
Oct 24 10:53:47.606: dot1x-packet:EAPOL pak rx - Ver: 0x1 type: 0x0
Oct 24 10:53:47.606: dot1x-packet: length: 0x001F
Oct 24 10:53:47.606: dot1x-ev:[Gi1/0/13] Dequeued pkt: Int Gi1/0/13 CODE= 2,TYPE= 1,LEN= 31
Oct 24 10:53:47.606: dot1x-ev:[Gi1/0/13] Received pkt saddr =6431.500e.9b00 , daddr = 0180.c200.0003, pae-ether-type = 888e.0100.001f
Oct 24 10:53:47.606: dot1x-packet:EAPOL pak rx - Ver: 0x1 type: 0x0
Oct 24 10:53:47.606: dot1x-packet: length: 0x001F
Oct 24 10:53:47.606: dot1x-ev:[6431.500e.9b00, Gi1/0/13] Response sent to the server from 0x15000045
Oct 24 10:53:47.606: EAP-EVENT: Received LL (Dot1x-Authenticator) event 'EAP_RX_PACKET' on handle 0xE8000047
Oct 24 10:53:47.606: EAP-AUTH-RX-PAK: Code:RESPONSE ID:0x1 Length:0x001F Type:IDENTITY
Oct 24 10:53:47.606: Payload: 47454E4552414C5C72616E64792E636F ...
Oct 24 10:53:47.606: eap_authen : during state eap_auth_idle, got event 1(eapRxPacket)
Oct 24 10:53:47.606: @@@ eap_authen : eap_auth_idle -> eap_auth_received
Oct 24 10:53:47.606: EAP-AUTH-EVENT: EAP Response received by context 0xE8000047
Oct 24 10:53:47.606: EAP-AUTH-EVENT: EAP Response type = Identity
Oct 24 10:53:47.606: EAP-EVENT: Stopping 'Authenticator ReqId Retransmit' timer for EAP sesion handle 0xE8000047
Oct 24 10:53:47.606: eap_authen : during state eap_auth_received, got event 10(eapMethodData)
Oct 24 10:53:47.606: @@@ eap_authen : eap_auth_received -> eap_auth_method_response
Oct 24 10:53:47.606: EAP-AUTH-EVENT: Received peer identity: GENERAL\randy.coburn.admin
Oct 24 10:53:47.606: EAP-EVENT: Sending LL (Dot1x-Authenticator) event 'EAP_IDENTITY' on handle 0xE8000047
Oct 24 10:53:47.606: eap_authen : during state eap_auth_method_response, got event 13(eapMethodEnd)
Oct 24 10:53:47.606: @@@ eap_authen : eap_auth_method_response -> eap_auth_select_action
Oct 24 10:53:47.606: eap_authen : during state eap_auth_select_action, got event 19(eapDecisionPass)
Oct 24 10:53:47.606: @@@ eap_authen : eap_auth_select_action -> eap_auth_passthru_init
Oct 24 10:53:47.606: eap_authen : during state eap_auth_passthru_init, got event 22(eapPthruIdentity)
Oct 24 10:53:47.614: @@@ eap_authen : eap_auth_passthru_init -> eap_auth_aaa_req
Oct 24 10:53:47.614: EAP-EVENT: Sending LL (Dot1x-Authenticator) event 'EAP_GET_PEER_MAC_ADDRESS' on handle 0xE8000047
Oct 24 10:53:47.614: EAP-AUTH-AAA-EVENT: Adding Audit-Session-ID "C0A846660000004700DF6030" to RADIUS Req
Oct 24 10:53:47.614: EAP-AUTH-AAA-EVENT: Added Audit-Session-ID
Oct 24 10:53:47.614: EAP-AUTH-AAA-EVENT: Adding IDB "0x070B90F8" to RADIUS Req
Oct 24 10:53:47.614: EAP-AUTH-AAA-EVENT: Added IDB
Oct 24 10:53:47.614: EAP-EVENT: Sending LL (Dot1x-Authenticator) event 'EAP_CUSTOMIZE_AAA_REQUEST' on handle 0xE8000047
Oct 24 10:53:47.614: EAP-AUTH-AAA-EVENT: eap_auth_aaa_authen_request_shim aaa_service 19, eap aaa_list handle 0, mlist handle 0
Oct 24 10:53:47.614: AAA/AUTHEN/8021X (00000000): Pick method list 'default'
Oct 24 10:53:47.614: EAP-AUTH-AAA-EVENT: Request sent successfully
Oct 24 10:53:47.614: eap_authen : during state eap_auth_aaa_req, got event 24(eapAAAReqOk)
Oct 24 10:53:47.614: @@@ eap_authen : eap_auth_aaa_req -> eap_auth_aaa_idle
Oct 24 10:53:47.614: RADIUS/ENCODE(00000000):Orig. component type = Invalid
Oct 24 10:53:47.614: RADIUS/ENCODE(00000000): Unsupported AAA attribute hwidb
Oct 24 10:53:47.614: RADIUS/ENCODE(00000000): Unsupported AAA attribute aaa-authen-type
Oct 24 10:53:47.614: RADIUS/ENCODE(00000000): Unsupported AAA attribute aaa-authen-service
Oct 24 10:53:47.614: RADIUS/ENCODE(00000000): Unsupported AAA attribute clid-mac-addr
Oct 24 10:53:47.614: RADIUS/ENCODE(00000000): Unsupported AAA attribute target-scope
Oct 24 10:53:47.614: RADIUS/ENCODE(00000000): Unsupported AAA attribute aaa-unique-id
Oct 24 10:53:47.614: RADIUS(00000000): Config NAS IP: 0.0.0.0
Oct 24 10:53:47.614: RADIUS(00000000): sending
Oct 24 10:53:47.614: RADIUS/ENCODE: Best Local IP-Address 192.168.70.102 for Radius-Server 192.168.19.121
Oct 24 10:53:47.614: RADIUS(00000000): Send Access-Request to 192.168.19.121:1645 id 1645/21, len 288
Oct 24 10:53:47.614: RADIUS: authenticator F1 BA E5 31 71 54 BF 1A - A2 B1 5E 1A 63 72 1E 72
Oct 24 10:53:47.614: RADIUS: User-Name [1] 28 "GENERAL\randy.coburn.admin"
Oct 24 10:53:47.614: RADIUS: Service-Type [6] 6 Framed [2]
Oct 24 10:53:47.614: RADIUS: Vendor, Cisco [26] 27
Oct 24 10:53:47.614: RADIUS: Cisco AVpair [1] 21 "service-type=Framed"
Oct 24 10:53:47.614: RADIUS: Framed-MTU [12] 6 1500
Oct 24 10:53:47.614: RADIUS: Called-Station-Id [30] 19 "AC-F2-C5-75-7D-0D"
Oct 24 10:53:47.614: RADIUS: Calling-Station-Id [31] 19 "64-31-50-0E-9B-00"
Oct 24 10:53:47.614: RADIUS: EAP-Message [79] 33
Oct 24 10:53:47.614: RADIUS: 02 01 00 1F 01 47 45 4E 45 52 41 4C 5C 72 61 6E 64 79 2E 63 6F [GENERAL\randy.co]
Oct 24 10:53:47.622: RADIUS: 62 75 72 6E 2E 61 64 6D 69 6E [ burn.admin]
Oct 24 10:53:47.622: RADIUS: Message-Authenticato[80] 18
Oct 24 10:53:47.622: RADIUS: EE 52 4D ED B9 06 F3 CE 63 AC 9D 73 24 1B A7 ED [ RMcs$]
Oct 24 10:53:47.622: RADIUS: EAP-Key-Name [102] 2 *
Oct 24 10:53:47.622: RADIUS: Vendor, Cisco [26] 49
Oct 24 10:53:47.622: RADIUS: Cisco AVpair [1] 43 "audit-session-id=C0A846660000004700DF6030"
Oct 24 10:53:47.622: RADIUS: Vendor, Cisco [26] 20
Oct 24 10:53:47.622: RADIUS: Cisco AVpair [1] 14 "method=dot1x"
Oct 24 10:53:47.622: RADIUS: NAS-IP-Address [4] 6 192.168.70.102
Oct 24 10:53:47.622: RADIUS: NAS-Port [5] 6 60000
Oct 24 10:53:47.622: RADIUS: NAS-Port-Id [87] 23 "GigabitEthernet1/0/13"
Oct 24 10:53:47.622: RADIUS: NAS-Port-Type [61] 6 Ethernet [15]
Oct 24 10:53:47.622: RADIUS(00000000): Sending a IPv4 Radius Packet
Oct 24 10:53:47.622: RADIUS(00000000): Started 10 sec timeout
Oct 24 10:53:47.622: RADIUS: Received from id 1645/21 192.168.19.121:1645, Access-Accept, len 66
Oct 24 10:53:47.622: RADIUS: authenticator 92 F6 07 AF C1 AB 0B 4C - 1D 9E A0 D1 01 36 27 26
Oct 24 10:53:47.622: RADIUS: Class [25] 46
Oct 24 10:53:47.622: RADIUS: 76 E3 06 66 00 00 01 37 00 01 02 00 C0 A8 13 79 00 00 00 00 00 00 00 00 00 00 00 00 01 CE CF F8 1F 7B 75 41 00 00 00 00 00 00 00 50 [ vf7y{uAP]
Oct 24 10:53:47.622: RADIUS(00000000): Received from id 1645/21
Oct 24 10:53:47.622: EAP-EVENT: eap_aaa_reply
Oct 24 10:53:47.622: EAP-AUTH-AAA-EVENT: Reply received session_label 72000033
Oct 24 10:53:47.622: EAP-EVENT: Received AAA event 'EAP_AAA_FAIL' on handle 0xE8000047
Oct 24 10:53:47.622: eap_authen : during state eap_auth_aaa_idle, got event 8(eapAAAFail)
Oct 24 10:53:47.622: @@@ eap_authen : eap_auth_aaa_idle -> eap_auth_failure
Oct 24 10:53:47.631: EAP-EVENT: Received get canned status from lower layer (0xE8000047)
Oct 24 10:53:47.631: EAP-AUTH-TX-PAK: Code:FAILURE ID:0x1 Length:0x0004
Oct 24 10:53:47.631: EAP-AUTH-EVENT: FAIL for EAP method ID: 1, name: , on handle 0xE8000047
Oct 24 10:53:47.631: EAP-EVENT: Sending LL (Dot1x-Authenticator) event 'EAP_FAIL' on handle 0xE8000047
Oct 24 10:53:47.631: dot1x-ev:[6431.500e.9b00, Gi1/0/13] Received an EAP Fail
Oct 24 10:53:47.639: %DOT1X-5-FAIL: Authentication failed for client (6431.500e.9b00) on Interface Gi1/0/13 AuditSessionID C0A846660000004700DF6030
Oct 24 10:53:47.639: dot1x-packet:[6431.500e.9b00, Gi1/0/13] Added username in dot1x
Oct 24 10:53:47.639: dot1x-packet:[6431.500e.9b00, Gi1/0/13] Dot1x did not receive any key data
Oct 24 10:53:47.639: dot1x-ev:[6431.500e.9b00, Gi1/0/13] Processing client delete for hdl 0x15000045 sent by Auth Mgr
Oct 24 10:53:47.639: dot1x-ev:[6431.500e.9b00, Gi1/0/13] 6431.500e.9b00: sending canned failure due to method termination
Oct 24 10:53:47.639: EAP-EVENT: Received get canned status from lower layer (0xE8000047)
Oct 24 10:53:47.639: dot1x-ev:[Gi1/0/13] Sending EAPOL packet to group PAE address
Oct 24 10:53:47.639: dot1x-ev:[Gi1/0/13] Sending out EAPOL packet
Oct 24 10:53:47.639: dot1x-packet:EAPOL pak Tx - Ver: 0x3 type: 0x0
Oct 24 10:53:47.639: dot1x-packet: length: 0x0004
Oct 24 10:53:47.639: dot1x-packet:EAP code: 0x4 id: 0x1 length: 0x0004
Oct 24 10:53:47.639: dot1x-packet:[6431.500e.9b00, Gi1/0/13] EAPOL canned status packet sent to client 0x15000045
Oct 24 10:53:47.639: dot1x-ev:[6431.500e.9b00, Gi1/0/13] Deleting client 0x15000045 (6431.500e.9b00)
Oct 24 10:53:47.639: %AUTHMGR-7-STOPPING: Stopping 'dot1x' for client 6431.500e.9b00 on Interface Gi1/0/13 AuditSessionID C0A846660000004700DF6030
Oct 24 10:53:47.639: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (6431.500e.9b00) on Interface Gi1/0/13 AuditSessionID C0A846660000004700DF6030
Oct 24 10:53:47.648: dot1x-ev:[6431.500e.9b00, Gi1/0/13] Delete auth client (0x15000045) message
Oct 24 10:53:47.648: EAP-EVENT: Received free context (0xE8000047) from LL (Dot1x-Authenticator)
Oct 24 10:53:47.648: dot1x-ev:Auth client ctx destroyed
Oct 24 10:53:47.648: EAP-EVENT: Received LL (Dot1x-Authenticator) event 'EAP_DELETE' on handle 0xE8000047
Oct 24 10:53:47.648: EAP-AUTH-EVENT: Freed EAP auth context
Oct 24 10:53:47.648: EAP-EVENT: Freed EAP context
Oct 24 10:53:48.621: EAP-EVENT: Stopped EAP tick timer
Oct 24 10:53:49.485: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/13, changed state to up
Oct 24 10:53:50.491: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/13, changed state to up
Oct 24 10:53:53.528: dot1x-ev:[Gi1/0/13] Interface state changed to DOWN
Oct 24 10:53:53.528: dot1x-ev:[Gi1/0/13] No DOT1X subblock found for port down
Oct 24 10:53:54.518: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/13, changed state to down
Oct 24 10:53:55.524: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/13, changed state to down

Hi Jatin,
See below the data that you have requested.
show run bits.
aaa new-model
aaa authentication dot1x default group radius
aaa session-id common
clock timezone BST 0 0
clock summer-time UTC recurring last Sun Mar 1:00 last Sun Oct 2:00
dot1x system-auth-control
interface GigabitEthernet1/0/13
switchport access vlan 80
switchport mode access
authentication port-control auto
dot1x pae authenticator
spanning-tree portfast
interface GigabitEthernet1/0/48
switchport trunk encapsulation dot1q
switchport trunk native vlan 70
switchport mode trunk
radius server NPS1
address ipv4 192.168.19.121 auth-port 1645 acct-port 1646
timeout 10
key thesecret
ip default-gateway 192.168.70.1
SW1-randy#show auth sessions interface gig 1/0/13
Interface MAC Address Method Domain Status Fg Session ID
Gi1/0/13 803f.5d09.189e N/A UNKNOWN Unauth C0A846660000002F00251DBC
SW1-randy#Show mac address-table Interface GigabitEthernet1/0/13
 Mac Address Table
Vlan Mac Address Type Ports
80 803f.5d09.189e DYNAMIC Drop
SW1-randy#ping 192.168.19.121
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.19.121, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/8 ms
Here is a wireshark of the accept packet.
Message was edited by: randy coburn
Added wireshark trace

Authorization Scheme problem using query

Greetings:
I have an application with 4 different roles in my application. Depending on the user role, the access to different pages within the application are filtered. We have 4 group types: admin, general, transactional and read_only; each, with descending levels of authorization.
The application utilizes a two-level tab navigation system in which I hide the tabs that the users are not supposed to see, depending on the level of authorization that they have. I have implemented three authorization schemes for three different types of access depending on the pages within my application. The only page without any auhorization is the login page.
The three created authorization schemes are as follows.
My first scheme (set as scheme type: exists SQL Query):
Select APP_USER_NAME, APP_GROUP_TYPE from APP_USERS
where
APP_USER_NAME = :APP_USER
AND
APP_GROUP_TYPE != 'READ_ONLY'
This one is supposed to negate access to the READ_ONLY group, but allow access to all other groups.
My Second scheme (set as scheme type: exists SQL Query):
Select APP_USER_NAME, APP_GROUP_TYPE from APP_USERS
where
APP_USER_NAME = :APP_USER
AND
(APP_GROUP_TYPE != 'READ_ONLY'
and
APP_GROUP_TYPE != 'transactional')
The second one, I have added the transactional group as to be explicitly negated access.
My Third scheme
Select APP_USER_NAME, APP_GROUP_TYPE from APP_USERS
where
APP_USER_NAME = :APP_USER
AND
(APP_GROUP_TYPE != 'READ_ONLY'
AND
APP_GROUP_TYPE != 'transactional'
AND
APP_GROUP_TYPE != 'general')
the last one, I have added the general group as to be explicitly negated access.
I am thinking that, logically, this would work, but the pages do not display properly. I am always getting the failed authorization page, even with my admin user. Is there something wrong with my methodology? Should I be white-listing instead of black-listing in my queries? Thanks for your support.

I appreciate your help Jeff, you helped me a great deal, but not in the way you may think. In your link, there was a post that offered a solution with a simple query. There was one person that posted a query using (upper) to bring the username to uppercase so it can be properly compared to :APP_USER. Yes, the users were entered as lowercase, the logic was ok. I changed the query logic to a white list as to avoid possible users that may be able to authenticate into the application without a proper group configured.
Thanks for your support. Maybe this can help someone on the forums out.

HELP AUTHORIZATION ISSUE

So I've only ever connected my ipod to my macbook, never to another computer, and I never authorized my ipod with my computer or anything because I would download apps with wifi and i would be fine. I downloaded some music with my ipod the other day though and I authorized my computer and it said i have 2 authorizations with my account? I don't understand why I have two authorizations. Can anyone help explain this to me?
Message was edited by: TKhan91

Hi Vamsi,
SU53 shows us the last failed authorization for a user. However, it might not only be the failed authorization object failed.
Hence, "just to learn" , you can use transaction ST01 to enable and run a trace for particular users. Be sure to use in a test environment first, and with proper filters. (for a particular user only).
Then check-> which auth object is failing.
RC=4 means a object value is failing.
RC=12 means an object is missing!
Check, which tcode is calling that object and this tcode is present in which role. Then.........proceed.
You can check the SAP documentation on running traces on the help portal of SAP. I think you will find the answer yourself by troubleshooting more and may be massaging some test roles here and there!
Likewise, if you are new to security, I would encourage you to start by reading some books on SAP security. Authorizations made easy is a good book to start with.
Let me know if you have any questions
EOD for me :P . take care
Abhishek

Authorization Issue in SM50

Hi All,
One of our user is facing authorization issue in SM50. He goes to SM50 and tries to open a work process. This is where he gets message "You are not authorized to use function Work Process List".
When I check the trace, I see only missing access for SM04. I checked trace for my own id (with no error) and found that SM04 is not even checked for my id and rest all authorization checked are same for both ids.
I assigned a BASIS role to this user and that resolved the issue. But strange thing is still that user's trace shows SM04 missing. (SM04 is not there in that Basis role).
Now I don't understand what exactly is the missing authorization for this user. Definitely SM04 is not the one and I can't assign this basis role to him. Could any one guide with this issue? Below is the trace for the user in both cases (without Basis role assigned and with this role assigned).

Hi Julius,
I created a test id with same rights as the user. My id has SAP_ALL assigned. Now I am doing exactly same activity (double click on same work process). But I don't see SM04 access being checked for my id.
Even if I assume that I am doing something different than the user. The thing which is strange to me is: when I assigned a basis role which doesn't have SM04 access, to the test user, I still see the same trace results but this time there is no authorization error. I don't think there are authorization checkes which are not recorded in ST01 trace.
There could be one tiny possibility that SM50 is throwing an error message (authorization error) but its not triggered through failed authorization check, instead based on some other condition. For that I would need to bedug the tcode. But that doesn't seem likely as this is a standard and widely used tcode.
Thanks

Authorization Issue for Object CRM_ORD_PR

Dear All,
When user search sales orders in PCUI by sales org, Distributional Channel and Division criteria it shows the result list. But it is also throwing the error as "You are not authorized to Display this transaction"
I am not sure why system is showing this message.
I have checked the auth objects for this user.Authorization Objects CRM_ORD_PR and Object CRM_ORD_OE are inactive for the Role.
When I searched the sales order in SAP GUI and when I click on the sales order from Locator it is giving the message as "You are not authorized to Display this transaction". When I checked the SU53 dump it is giving the message "Authorization check failed
Authorization Obj CRM_ORD_PR Authorization Object CRM Order -Business transaction Type.
So my question is though we have made the CRM_ORD_PR object inactive why system is showing the message in SU53.
Also when I checked the trace system is also checking this object.
Please help.
Pankaj

Rika,
Thanks for taking the time to reply, it's really appreciated.
I will pass the details of this note over to our Basis team to see if this helps us resolve our issue also (we are trying to prevent unauthorised objects showing in user search result lists).
We are on CRM 2007 though, so I am not sure whether it will still be relevant.
Many thanks again,
Andrew G.

ISE 1.1.3 posture status OK but network connection failed

hello,
I am on my way to make this ISE works.
Now I am able to do posture assessment and reauthenticate with success.
The logs says that's OK, I have two lines.
NACAgent on the host do the job correctly but the NIC says : "Network failure" despite NACagent grants the access.
Any Ideas folks ???
Regards.
Vincent.
The switch says :
03:04:28: %AUTHMGR-5-START: Starting 'dot1x' for client (bcae.c530.0948) on Interface Fa1/0/1 AuditSessionID C0A8066400000028009C4FA8
03:04:59: %DOT1X-5-FAIL: Authentication failed for client (bcae.c530.0948) on Interface Fa1/0/1 AuditSessionID
03:04:59: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (bcae.c530.0948) on Interface Fa1/0/1 AuditSessionID C0A8066400000028009C4FA8
03:04:59: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (bcae.c530.0948) on Interface Fa1/0/1 AuditSessionID C0A8066400000028009C4FA8
03:04:59: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (bcae.c530.0948) on Interface Fa1/0/1 AuditSessionID C0A8066400000028009C4FA8
03:04:59: %AUTHMGR-5-FAIL: Authorization failed for client (bcae.c530.0948) on Interface Fa1/0/1 AuditSessionID C0A8066400000028009C4FA8
Here is the SW's config :
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa authorization auth-proxy default group radius
aaa accounting dot1x default start-stop group radius
aaa server radius dynamic-author
client 192.168.6.10 server-key 123456789
aaa session-id common
no ip domain-lookup
ip domain-name security.com
ip dhcp excluded-address 192.168.6.29 192.168.6.100
ip dhcp pool test
network 192.168.6.0 255.255.255.0
ip dhcp snooping vlan 1
ip device tracking
dot1x system-auth-control
dot1x critical eapol
spanning-tree mode pvst
spanning-tree extend system-id
vlan internal allocation policy ascending
interface FastEthernet1/0/1
switchport mode access
authentication open
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
interface Vlan1
ip address 192.168.6.100 255.255.255.0
ip classless
ip http server
ip http secure-server
ip sla enable reaction-alerts
snmp-server community snmp RO
snmp-server enable traps mac-notification change move threshold
snmp-server host 192.168.6.10 version 2c snmp mac-notification
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 5 tries 3
radius-server host 192.168.6.10 auth-port 1645 acct-port 1646 key 123456789
radius-server vsa send accounting
radius-server vsa send authentication
line con 0
line vty 5 15
ntp clock-period 36029254
ntp server 192.168.6.29
end

Hello Tarik, thanks for trying to help !
I guess that we all have configured the Sw and ISE as described in the documentation.
It would be kind to give us a standard Sw config that works. In my opinion, dACL is the point to be clarified urgently.
No IP Phone at all.
How to configure dACL on ISE ? ( pre-posture, redirect ) ????
What are the ports ? ( 8443, 8905n any ?)
Do we need a ACL to be set in the Sw before the dACL is applied ???
Please answer those questions first, and we will provide you some logs.
I'am not able to have a stable behaviour any more.
Lastest tested IOS : c3750-ipbasek9-mz.122-52.SE.bin (compatibility matrix on Cisco Website)
We waste of lot of time trying not to debug the software, but trying to find which parts work together.
Thanks again Tarik.

Cisco 2960 802.1x authentication fail

Physical switch version:
C2960 Boot Loader (C2960-HBOOT-M) Version 15.0(2r)EZ1, RELEASE SOFTWARE (fc1)
System image file is "flash:/c2960-lanbasek9-mz.150-2.SE5/c2960-lanbasek9-mz.150-2.SE5.bin"
The goal of this lab is only authenticated by the MAC address of the laptop.
Currently,I have a trouble as following and don't know what is this root cause .
Please give me a guide point.
Thanks so much
*Mar 2 20:45:03.908: %AUTHMGR-5-START: Starting 'mab' for client (3c97.0e04.7075) on Interface Fa0/1 AuditSessionID C0A8DCA9000000AE099A3F70
*Mar 2 20:45:04.218: %MAB-5-FAIL: Authentication failed for client (3c97.0e04.7075) on Interface Fa0/1 AuditSessionID C0A8DCA9000000AE099A3F70
*Mar 2 20:45:04.218: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'mab' for client (3c97.0e04.7075) on Interface Fa0/1 AuditSessionID C0A8DCA9000000AE099A3F70
*Mar 2 20:45:04.218: %AUTHMGR-7-FAILOVER: Failing over from 'mab' for client (3c97.0e04.7075) on Interface Fa0/1 AuditSessionID C0A8DCA9000000AE099A3F70
*Mar 2 20:45:04.218: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (3c97.0e04.7075) on Interface Fa0/1 AuditSessionID C0A8DCA9000000AE099A3F70
*Mar 2 20:45:04.218: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (3c97.0e04.7075) on Interface Fa0/1 AuditSessionID C0A8DCA9000000AE099A3F70
*Mar 2 20:45:05.720: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
*Mar 2 20:45:06.726: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up

I have a few questions:
1. What type of Radius server do you have?
2. Can you post a screen shot of your Radius AAA policies
3. Do you have the mac address entered in your Radius server
4. Provide the output from the following commands:
- show aaa servers
- show authentication session interface interface_name_number
Thank you for rating helpful posts!

Failed authorization

Similar Messages

Maybe you are looking for