Failed to privilege mode when authenticated by radius server

hi,
I tried to authenticate and authorized Nokia/checkpoint Nortel/AD3 and Nortel 5510 platform using an 4.1 for windows ACS. the ACCESS-REQUEST is well processed bi the radius server wich send ACCESS-ACCEPT to the AAA Client (ie NORTEL or NOKIA), but i'have got privilege access denied on the Client side.
RADIUS IETF Dictionnary is used for every device.
all others Cisco Devices authenticate and are well authorized.
I didn't found any documentation about this item.
best regards
Alain

Hi,
You need to configure proper parameters in ACS based on the device requirement which you can get from the vendor.
To add Vendor Specific Attribute in ACS based on the dictionary file specified by vendor, you need to create an INI file and upload it to windows using following command:
CSUtil.exe -addUDV slot-number filename
Following link can give you more information on the same:
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/user/A_CSUtil.html#wp365540
~Rohit

Similar Messages

  • Web authentication with Radius server problem

    Hello,
    I'm having problem to web authenticate users via radius server for one WLC. Here is the outpu from WLC:
    *emWeb: Mar 26 14:17:31.537: 20:7d:xx:xx:d8:f0 Username entry (aaaaaa) created for mobile, length = 7
    *emWeb: Mar 26 14:17:31.537: 20:7d:xx:xx:d8:f0 Username entry (aaaaaa) created in mscb for mobile, length = 7
    *aaaQueueReader: Mar 26 14:17:31.537: Unable to find requested user entry for aaaaaa
    *aaaQueueReader: Mar 26 14:17:31.537: ReProcessAuthentication previous proto 8, next proto 1
    *aaaQueueReader: Mar 26 14:17:31.537: AuthenticationRequest: 0x1e08eb94
    *aaaQueueReader: Mar 26 14:17:31.538:   Callback.....................................0x10908d90
    *aaaQueueReader: Mar 26 14:17:31.538:   protocolType.................................0x00000001
    *aaaQueueReader: Mar 26 14:17:31.538:   proxyState...................................20:7D:xx:xx:D8:F0-00:00
    *aaaQueueReader: Mar 26 14:17:31.538:   Packet contains 11 AVPs (not shown)
    *aaaQueueReader: Mar 26 14:17:31.538: apfVapRadiusInfoGet: WLAN(1) dynamic int attributes srcAddr:0x0, gw:0x0, mask:0x0, vlan:0, dpPort:0, srcPort:0
    *aaaQueueReader: Mar 26 14:17:31.538: 20:7d:xx:xx:d8:f0 Successful transmission of Authentication Packet (id 67) to 10.xx.33.249:1645, proxy state 20:7d:xx:xx:d8:f0-00:01
    *aaaQueueReader: Mar 26 14:17:31.538: 00000000: 01 43 00 8c 48 7c a7 ff  df 06 53 30 c0 be e1 8e  .C..H|....S0....
    *aaaQueueReader: Mar 26 14:17:31.538: 00000010: d7 fd 8b d3 01 09 73 65  66 72 73 76 65 02 12 7b  ......aaaaaa..{
    *aaaQueueReader: Mar 26 14:17:31.538: 00000020: ae 2e f5 eb fa cf f5 cc  3b 08 65 d7 04 0e ba 06  ........;.e.....
    *aaaQueueReader: Mar 26 14:17:31.538: 00000030: 06 00 00 00 01 04 06 0a  2e 09 14 05 06 00 00 00  ................
    *aaaQueueReader: Mar 26 14:17:31.538: 00000040: 0d 20 0d 73 65 76 73 74  2d 6c 77 63 31 30 3d 06  ...xxxxx-lwc10=.
    *aaaQueueReader: Mar 26 14:17:31.538: 00000050: 00 00 00 13 1a 0c 00 00  37 63 01 06 00 00 00 01  ........7c......
    *aaaQueueReader: Mar 26 14:17:31.538: 00000060: 1f 0e 31 39 32 2e 31 36  38 2e 31 2e 36 31 1e 0c  ..192.168.1.61..
    *aaaQueueReader: Mar 26 14:17:31.538: 00000070: 31 30 2e 34 36 2e 39 2e  32 30 50 12 95 11 7c d9  10.xx.9.20P...|.
    *aaaQueueReader: Mar 26 14:17:31.538: 00000080: 75 8e 01 6e bf 62 38 f8  38 ab 68 4a              u..n.b8.8.hJ
    *radiusTransportThread: Mar 26 14:17:31.603: 00000000: 03 43 00 14 e5 8c e7 75  52 04 af e0 07 b7 fb 96  .C.....uR.......
    *radiusTransportThread: Mar 26 14:17:31.603: 00000010: c1 4a fb 40                                       .J.@
    *radiusTransportThread: Mar 26 14:17:31.603: ****Enter processIncomingMessages: response code=3
    *radiusTransportThread: Mar 26 14:17:31.603: ****Enter processRadiusResponse: response code=3
    *radiusTransportThread: Mar 26 14:17:31.603: 20:7d:xx:xx:d8:f0 Access-Reject received from RADIUS server 10.xx.33.249 for mobile 20:7d:xx:xx:d8:f0 receiveId = 0
    *radiusTransportThread: Mar 26 14:17:31.603: ReProcessAuthentication previous proto 1, next proto 2
    *radiusTransportThread: Mar 26 14:17:31.603: AuthenticationRequest: 0x1da9fa4c
    *radiusTransportThread: Mar 26 14:17:31.603:    Callback.....................................0x10908d90
    *radiusTransportThread: Mar 26 14:17:31.603:    protocolType.................................0x00000002
    *radiusTransportThread: Mar 26 14:17:31.603:    proxyState...................................20:7D:xx:xx:D8:F0-00:00
    *radiusTransportThread: Mar 26 14:17:31.603:    Packet contains 11 AVPs (not shown)
    *radiusTransportThread: Mar 26 14:17:31.605: 20:7d:xx:xx:d8:f0 Returning AAA Error 'No Server' (-7) for mobile 20:7d:xx:xx:d8:f0
    *radiusTransportThread: Mar 26 14:17:31.605: AuthorizationResponse: 0x2dd03648
    *radiusTransportThread: Mar 26 14:17:31.605:    structureSize................................32
    *radiusTransportThread: Mar 26 14:17:31.605:    resultCode...................................-7
    *radiusTransportThread: Mar 26 14:17:31.605:    protocolUsed.................................0x00000002
    *radiusTransportThread: Mar 26 14:17:31.605:    proxyState...................................20:7D:xx:xx:D8:F0-00:00
    *radiusTransportThread: Mar 26 14:17:31.605:    Packet contains 0 AVPs:
    *emWeb: Mar 26 14:17:31.605: Authentication failed for aaaaaa
    *emWeb: Mar 26 14:17:31.605: 20:7d:xx:xx:d8:f0 Username entry deleted for mobile
    *emWeb: Mar 26 14:17:31.605: 20:7d:xx:xx:d8:f0 Plumbing web-auth redirect rule due to user logout
    *emWeb: Mar 26 14:17:31.605: 20:7d:xx:xx:d8:f0 192.168.1.61 WEBAUTH_REQD (8) Deleting mobile policy rule 42461
    *emWeb: Mar 26 14:17:31.605: 20:7d:xx:xx:d8:f0 Adding Web RuleID 42464 for mobile 20:7d:xx:xx:d8:f0
    *emWeb: Mar 26 14:17:31.605: 20:7d:xx:xx:d8:f0 Web Authentication failure for station
    *emWeb: Mar 26 14:17:31.605: 20:7d:xx:xx:d8:f0 192.168.1.61 WEBAUTH_REQD (8) Reached ERROR: from line 5069
    That was pretty clear for me that Radius is refusing to give user access.
    Fully-Qualified-User-Name = NMEA\aaaaaa
    NAS-IP-Address = 10.xx.9.20
    NAS-Identifier = xxxxx-lwc10
    Called-Station-Identifier = 10.xx.9.20
    Calling-Station-Identifier = 192.168.1.61
    Client-Friendly-Name = YYY10.xx
    Client-IP-Address = 10.xx.9.20
    NAS-Port-Type = Wireless - IEEE 802.11
    NAS-Port = 13
    Proxy-Policy-Name = Use Windows authentication forall users
    Authentication-Provider = Windows
    Authentication-Server = <undetermined>
    Policy-Name = YYYYY Wireless Users
    Authentication-Type = PAP
    EAP-Type = <undetermined>
    Reason-Code = 66
    Reason = The user attempted to use an authentication method that is not enabled on the matching remote access policy
    That output is from WLC 5508 version 7.0.235
    What is strange, that user was able to authenticate from other before refresh WLC 4402 ver 4.2.207. I cannot change WLC because of AP which cannot run old version.
    this is output from working client connection from old WLC
    NAS-IP-Address = 10.xx.9.13
    NAS-Identifier = xxxxx-lwc03
    Client-Friendly-Name = YYY10.46
    Client-IP-Address = 10.xx.9.13
    Calling-Station-Identifier = 192.168.19.246
    NAS-Port-Type = <not present>
    NAS-Port = <not present>
    Proxy-Policy-Name = Use Windows authentication for all users
    Authentication-Provider = Windows
    Authentication-Server = <undetermined>
    Policy-Name = YYYYY Wireless Guest Access
    Authentication-Type = PAP
    EAP-Type = <undetermined>
    I know there is different Policy Name used, but my question is why it is not using the same as on old WLC when configuration is same.
    Is there any way I can force users to use different policy from WLC or AP configuration or is this solely configuration of Radius?
    Is it maybe problem of version 7.0.235?
    Any toughts would be much appriciated.

    Scott,
    You are probably right. The condition that is checked for the first policy name (we have 2) is to match
    NAS-Port-Type = Wireless - IEEE 802.11, and this is basically used to differentiate guests from other company users.
    as you can see from the logs the one that is working correctly is not sending NAS-Port-Type. The question is why.
    As I said before.
    WLC 5508 ver. 7.0.235 is sending NAS-Port-Type
    WLC 4402 ver. 4.2.207 is not.
    The same user was working OK on 4402 WLC and after refresh and associating APs to 5508 it all broke, so client did not changed anything on adapter.

  • How to configure a Cisco 3560 with MAC-based 802.1x authentication by radius server

    Hi dearI 
    How can I configure a Cisco 3560 to authenticate a client based on its mac address with 802.1x and radius server. Many tanks in advance!

    Olivier,
    You can't reference WLP visitor roles in weblogic.xml, but you can
    reference global roles (created using the WLS console):
    - <security-role-assignment>
    <role-name>PortalSystemAdministrator</role-name>
    <externally-defined />
    </security-role-assignment>
    -Phil
    "Olivier" <[email protected]> wrote in message
    news:[email protected]..
    >
    We need to have login page to our portal app.
    When using "form based" authentication is it possible to map the securityon a
    "entitlement role" ?
    Our need is to be abled to give direct url acces to some pages of theportal (for
    exemple by sending urls like"http://server/appcontextpath/appmanager/myportal/mydesktop?_nfpb=true&_page
    Label=mypage")"
    by email to portal users) and need a simple mecanism of authenticationbefore
    redirecting to the portal page.
    Inste

  • Cisco Prime Infrastructure 2.1 GUI authentication via RADIUS server (Cisco ISE 1.2 integrated with AD)

    Hi,
    I want to access Cisco PI 2.1 GUI using my AD credentials, so on PI I've enabled RADIUS AAA Mode and added RADIUS servers (two ISE nodes in our case). On ISE I added PI as RADIUS client and configured the same keys. Next, on ISE I created authorization profile PRIME_ADMIN_ACCESS with only attribute settings defined:
    My authentication and authorization rules relating that case are as on following screenshots:
    So when I open GUI of PI and enter my AD credentials to log in I have no success and I receive following message:
    Looking in ISE's Authentication section I can see following:
    Time difference between these two authentication/authorizations is just 25 msecs and clicking on each of them reveals following:
    So at first I can authenticate and authorize (authorization profile has necessary attributes defined for PI management access (NCS:role0=Root, NCS:virtual-domain0=ROOT-DOMAIN)) and after 25 msecs I am getting failure. So what could be cause of such things and how I can successfully log in to PI GUI authenticating via ISE using AD credentials?

    Hi,
    -- Please Go to Administration > Logging > set the Message level to TRACE > Click save
    -- Then try to add the ISE.
    -- Once it fails, collect the logs from Administration > Logging > 
    check the "ncs-0-0.log"  & search the file for "ERROR" & paste the results here. This will give us exact reason.
    - Ashok
    Please rate the post or mark as correct answer as it will help others looking for similar information

  • WLC "radius server overwrite interface" setting

    Hello
    I'm looking at using "radius server overwrite interface" on a WLAN as a replacement for Called-Station-ID for Radius to match on SSID.
    When I enable "radius server overwrite interface" on a WLAN and join a client to the SSID I can see (via packet capture) that the WLC is correctly sourcing the Radius packets with the WLAN's "dynamic" interface IP Address. The problem is that the Radius server doesn't repond to these requests. Radius is configured with rules to match the new IP address but I see nothing (pass or fail) in the logs.
    Interestingly, the packet captures shows the correct NAS IP address (the WLAN interface IP Address) but always shows the WLC hostname as NAS-ID (regardless of NAS-ID settings on the WLAN or WLAN interface)
    I've tried WLC software 7.4.110.0, 7.4.121.0 and 7.6.100.0 with the same results but Radius never responds. Radius is Cisco ACS 5.5.0.46. Any ideas as to why this is happening?
    Thanks
    Andy

    Hi Scott
    installed ACS 5.4 0.46.6 and I still have the same problem - ACS doesn't respond to request from WLC when  "radius server overwrite interface" is enabled on WLAN and nothing appears in the logs. With  "radius server overwrite interface" disabled on the WLAN, authentication is a success and I can see this in the logs.
    I had a look a the packet captures I took earlier and the attributes in the Access-Request look ok - the only attribute I wasn't sure about was Message-Authenticator. Found this ietf document http://www.ietf.org/rfc/rfc2869.txt which mentions "silent discards" of Radius packets with non existent or incorrect Message-Authenticator attributes. I'm not sure if this is what I'm seeing on ACS when it receives the  "radius server overwrite interface" Access-Request packets. ACS is under contract so I will contact TAC about this.
    Mt production ACS cluster was upgraded from latest version of 5.3 to 5.5 with no loss of historic logs (logging after upgrade worked fine also). The upgrade did take a while with the log-collector. When it had completed I checked the Data Upgrade Status under Monitoring configuration and it showed that the upgrade was successful.
    Thanks for your help with this.
    Cheers
    Andy

  • Radius server 00.00.00.00 deactivated in global list

    Hi
    we unable to authenticate the users connecting to WLC over EAP-FAST from the ACS 5.1.
    AD is integrated with the acs....
    The error msg coming in wlc is :Radius server deactivated in global list
    Radius server failed to respond to request(ID:xx) for client xx:xx;xx:xx:xx:xx:xx
    I find that problem with time skew error happen between the AD and ACS. But after i configured ntp server in acs the problem
    still exist.
    I removed the controller from the acs and added back, same thing done in controller(reconfigured aaa settings).
    But the problem not resolved
    Thanks
    Subhash

    After working with TAC, I resolved this issue recently.  Increasing the timeout value did not help. On the WLC, try:
    config radius aggressive-failover disable
    As per http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080665d18.shtml :
    If the aggressive failover feature is enabled in WLC, the WLC is too aggressive to mark the AAA server as not responding. But, this should not be done because the AAA server is possibly not responsive only to that particular client, if you do silent discard. It can be a response to other valid clients with valid certificates. But, the WLC can still mark the AAA server as not responding and not functional.
    In order to overcome this, disable the aggressive failover feature. Issue the config radius aggressive-failover disable command from the controller GUI in order to perform this. If this is disabled, then the controller only fails over to the next AAA server if there are three consecutive clients that fail to receive a response from the RADIUS server.

  • Dynamic VLAN Assignment with RADIUS Server and Aironet Access Points

    Hi Guys,
    I would like to go for "Dynamic VLAN Assignment with RADIUS Server and Aironet Access Points 1300". I want the AP to broadcast only 1 SSID. The client find the SSID ->put in his user credential->Raudius athentication->assign him to an specific vlan based on his groupship.
    The problem here is that I don't have a AP controller but only configurable Aironet Access Points 1300. I can connect to the radius server, but I am not sure how to confirgure the AP's port, radio port, vlan and SSID.
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml#switch
    I go through some references:
    3.5  RADIUS-Based VLAN Access Control
    As discussed earlier, each SSID is mapped to a default VLAN-ID on the wired side. The IT administrator may wish to impose back end (such as RADIUS)-based VLAN access control using 802.1X or MAC address authentication mechanisms. For example, if the WLAN is set up such that all VLANs use 802.1X and similar encryption mechanisms for WLAN user access, then a user can "hop" from one VLAN to another by simply changing the SSID and successfully authenticating to the access point (using 802.1X). This may not be preferred if the WLAN user is confined to a particular VLAN.
    There are two different ways to implement RADIUS-based VLAN access control features:
    1. RADIUS-based SSID access control: Upon successful 802.1X or MAC address authentication, the RADIUS server passes back the allowed SSID list for the WLAN user to the access point or bridge. If the user used an SSID on the allowed SSID list, then the user is allowed to associate to the WLAN. Otherwise, the user is disassociated from the access point or bridge.
    2. RADIUS-based VLAN assignment: Upon successful 802.1X or MAC address authentication, the RADIUS server assigns the user to a predetermined VLAN-ID on the wired side. The SSID used for WLAN access doesn't matter because the user is always assigned to this predetermined VLAN-ID.
    extract from: Wireless Virtual LAN Deployment Guide
    http://www.cisco.com/en/US/products/hw/wireless/ps430/prod_technical_reference09186a00801444a1.html
    ==============================================================
    Dynamic VLAN Assignment with RADIUS Server and Wireless LAN Controller Configuration Example
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml#switch
    ==============================================================
    Controller: Wireless Domain Services Configuration
    http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801c951f.shtml
    Any help on this issue is appreicated.
    Thanks.

    I'm not sure if the Autonomous APs have the option for AAA Override.  On the WLC, I can go into the BSSID, Security, Advanced, and there's a checkbox that I would check to allow a Radius server to send back the VLAN.
    I did a little research and it looks like the 1300 may give this option but instead is defined as "VLAN Override".  I've found the release notes for 12.3(7)JA5 (not sure what version you're running) that give mention and a link to configuring EAP on page 4: http://www.ciscosystems.ch/en/US/docs/wireless/access_point/1300/release/notes/o37ja5rn.pdf
    Hope this helps

  • EAP Response frame is not always forwarded to the Radius Server when doing Full Authentications.

    We have seen issues with a Cisco 5500 and 2405 WLAN controller with older and the latest controller firmware(8.x) of not forwarding the first EAP Response frame to the radius server on 802.1x WLAN devices doing full authentications. The first EAP Response frame from the WLAN client is supposed to be forwarded to the Radius server but a Wireshark trace shows that frame is never sent by the WLAN controller. The WLAN controller does ack the first EAP Response frame but the EAP response frame when the problem occurs always seems to be a retried packet.   I do have all RRM and AP scanning turned off. This is an intermittent issue and only occurs on devices doing full authentications and does occur on multiple vendors products. This produces a 18-20 second drop-off until the station recovers by sending an EAP-Start frame and then it associates properly. Since the first EAP Response frame is never forwarded to the Radius server and the EAP Response frame is being ack’d on the retried packet, this seems to be a WLAN controller issues but I’m looking at all possibilities. Does anyone have any thoughts?
    I attached a wireless and wired trace of the issue. See the Readme.txt file in the attachment for specific information.
    Thanks in advance.

    Do you have a packet capture to see this ? If so pls attach it
    Rasika

  • Issue with authentication with RADIUS when using VPN

    Our customer has a problem with auhtentication against Radius vhen he is using VPN or SSL VPN. Authentication on SSH or TELNET via RADIUS is working fine . When I configure on VPN (and SSL VPN) authentication against the local database, everything is working fine and tunnel is established.
    In attachement is running-config of customer's gateway and capture file of communication between RADIUS server and gateway (radius access request starting at 85th line).
    I found in this file at AVP attributes that the gateway is sending ipsec profile name (in this case "VPN") instead of username.

    SSLVPN is configured to use the local database of usernames only in this config. It is not configured to use RADIUS.

  • Flash Access DRM FMP Fails When Authentication Dialog Triggered for Display

    Hi all,
    Flash Media Playback is failing in the case when playing a video that has Flash Access DRM that requires display of an authentication dialog.  A sample failing configuration is here:
    http://provenwebvideo.com/codesamples/10/fmp_drm/ 
    Note, the link above includes the same video asset running successfully in Strobe Media Playback 1.0 (alongside to the right).
    Also, the link above includes FMP working successfully with a second video that has Flash Access DRM but which does NOT trigger display of an authentication dialog (second video in player in a row below the failing player).
    Source on the Flash Access DRM video test assets are from the Flash Access team via the following link:
    http://forums.adobe.com/message/3144143#3144143
    fyi, This is not a showstopper for me.  I am just reporting it as I was surprised that it works with SMP, but fails with current FMP.
    hth,
    g

    Wow, Greg, the test page is awesome! I can only wish that all the issues get reported this way!
    The issue with DRM content played with http://fpdownload.adobe.com/strobe/FlashMediaPlayback.swf is caused by the fact that the FlashMediaPlayback.swf is compiled for the Flash Player 10.0.
    I tested your sample with the Flash Media Playback compiled for 10.1 (http://fpdownload.adobe.com/strobe/FlashMediaPlayback_101.swf) and it works fine: http://smpfmp.appspot.com/fmp_drm.html
    Note that you need to ask your viewers to upgrade to the latest flash player, since Flash Media Playback doesn't handle this automatically, yet. (we have this feature in the backlog, but it might not fit into our future 1.5 release). Check this for technical details related to this: http://www.adobe.com/devnet/flashplayer/articles/swfobject.html
    Does this information help? Is there something that you would expect us to implement or document better?
    -Andrian

  • Aironet 2702i Autonomous - Web-Authentication with Radius Window 2008

    Hi Guys,
    I have a problems with case, i have diagrams sample like then : AD(Win2008) - Radius(Win2008) - Aironet 2702i => Use methods Web-Auth for EndUser  
    This is my Configure file on Aironet 2702i
    Aironet2702i#show run
    Building configuration...
    Current configuration : 8547 bytes
    ! Last configuration change at 05:08:25 +0700 Fri Oct 31 2014 by admin
    version 15.3
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    hostname Aironet2702i
    logging rate-limit console 9
    aaa new-model
    aaa group server radius rad_mac
    aaa group server radius rad_acct
    aaa group server radius rad_admin
    aaa group server tacacs+ tac_admin
    aaa group server radius rad_pmip
    aaa group server radius dummy
    aaa authentication login default local
    aaa authentication login DTSGROUP group radius
    aaa authentication login webauth group radius
    aaa authentication login weblist group radius
    aaa authentication dot1x default group radius
    aaa authorization exec default local 
    aaa session-id common
    clock timezone +0700 7 0
    no ip source-route
    no ip cef 
    ip admission name webauth proxy http
    ip admission name webauth method-list authentication weblist 
    no ip domain lookup
    ip domain name dts.com.vn
    dot11 syslog
    dot11 activity-timeout unknown default 1000
    dot11 activity-timeout client default 1000
    dot11 activity-timeout repeater default 1000
    dot11 activity-timeout workgroup-bridge default 1000
    dot11 activity-timeout bridge default 1000
    dot11 vlan-name DTSGroup vlan 46
    dot11 vlan-name L6-Webauthen-test vlan 45
    dot11 vlan-name NetworkL7 vlan 43
    dot11 vlan-name SGCTT vlan 44
    dot11 ssid DTS-Group
       vlan 46
       authentication open eap DTSGROUP 
       authentication key-management wpa version 2
       mbssid guest-mode
    dot11 ssid DTS-Group-Floor7
       vlan 43
       authentication open 
       authentication key-management wpa version 2
       mbssid guest-mode
       wpa-psk ascii 7 013D03104C0414040D4D5B5E392559
    dot11 ssid L6-Webauthen-test
       vlan 45
       web-auth
       authentication open 
       dot1x eap profile DTSGROUP
       mbssid guest-mode
    dot11 ssid SaigonCTT-Public
       vlan 44
       authentication open 
       authentication key-management wpa version 2
       mbssid guest-mode
       wpa-psk ascii 7 04480A0F082E424D1D0D4B141D06421224
    dot11 arp-cache optional
    dot11 adjacent-ap age-timeout 3
    eap profile DTSGROUP
     description testwebauth-radius
     method peap
     method mschapv2
     method leap
    username TRIHM privilege 15 secret 5 $1$y1J9$3CeHRHUzbO.b6EPBmNlFZ/
    username ADMIN privilege 15 secret 5 $1$IvtF$EP6/9zsYgqthWqTyr.1FB0
    ip ssh version 2
    bridge irb
    interface Dot11Radio0
     no ip address
     encryption vlan 44 mode ciphers aes-ccm 
     encryption vlan 46 mode ciphers aes-ccm 
     encryption mode ciphers aes-ccm 
     encryption vlan 43 mode ciphers aes-ccm 
     encryption vlan 1 mode ciphers aes-ccm 
     ssid DTS-Group
     ssid DTS-Group-Floor7
     ssid L6-Webauthen-test
     ssid SaigonCTT-Public
     countermeasure tkip hold-time 0
     antenna gain 0
     stbc
     mbssid
     packet retries 128 drop-packet
     channel 2412
     station-role root
     rts threshold 2340
     rts retries 128
     ip admission webauth
    interface Dot11Radio0.1
     encapsulation dot1Q 1 native
     bridge-group 1
     bridge-group 1 subscriber-loop-control
     bridge-group 1 spanning-disabled
     bridge-group 1 block-unknown-source
     no bridge-group 1 source-learning
     no bridge-group 1 unicast-flooding
    interface Dot11Radio0.43
     encapsulation dot1Q 43
     bridge-group 43
     bridge-group 43 subscriber-loop-control
     bridge-group 43 spanning-disabled
     bridge-group 43 block-unknown-source
     no bridge-group 43 source-learning
     no bridge-group 43 unicast-flooding
    interface Dot11Radio0.44
     encapsulation dot1Q 44
     bridge-group 44
     bridge-group 44 subscriber-loop-control
     bridge-group 44 spanning-disabled
     bridge-group 44 block-unknown-source
     no bridge-group 44 source-learning
     no bridge-group 44 unicast-flooding
     ip admission webauth
    interface Dot11Radio0.45
     encapsulation dot1Q 45
     bridge-group 45
     bridge-group 45 subscriber-loop-control
     bridge-group 45 spanning-disabled
     bridge-group 45 block-unknown-source
     no bridge-group 45 source-learning
     no bridge-group 45 unicast-flooding
     ip admission webauth
    interface Dot11Radio0.46
     encapsulation dot1Q 46
     bridge-group 46
     bridge-group 46 subscriber-loop-control
     bridge-group 46 spanning-disabled
     bridge-group 46 block-unknown-source
     no bridge-group 46 source-learning
     no bridge-group 46 unicast-flooding
    interface Dot11Radio1
     no ip address
     shutdown
     encryption vlan 46 mode ciphers aes-ccm 
     encryption vlan 44 mode ciphers aes-ccm 
     encryption vlan 1 mode ciphers aes-ccm 
     encryption vlan 43 mode ciphers aes-ccm 
     encryption vlan 45 mode ciphers ckip-cmic 
     ssid DTS-Group
     ssid DTS-Group-Floor7
     ssid SaigonCTT-Public
     countermeasure tkip hold-time 0
     antenna gain 0
     peakdetect
     dfs band 3 block
     stbc
     mbssid
     packet retries 128 drop-packet
     channel 5745
     station-role root
     rts threshold 2340
     rts retries 128
    interface Dot11Radio1.1
     encapsulation dot1Q 1 native
     bridge-group 1
     bridge-group 1 subscriber-loop-control
     bridge-group 1 spanning-disabled
     bridge-group 1 block-unknown-source
     no bridge-group 1 source-learning
     no bridge-group 1 unicast-flooding
    interface Dot11Radio1.43
     encapsulation dot1Q 43
     bridge-group 43
     bridge-group 43 subscriber-loop-control
     bridge-group 43 spanning-disabled
     bridge-group 43 block-unknown-source
     no bridge-group 43 source-learning
     no bridge-group 43 unicast-flooding
    interface Dot11Radio1.44
     encapsulation dot1Q 44
     bridge-group 44
     bridge-group 44 subscriber-loop-control
     bridge-group 44 spanning-disabled
     bridge-group 44 block-unknown-source
     no bridge-group 44 source-learning
     no bridge-group 44 unicast-flooding
     ip admission webauth
    interface Dot11Radio1.45
     encapsulation dot1Q 45
     bridge-group 45
     bridge-group 45 subscriber-loop-control
     bridge-group 45 spanning-disabled
     bridge-group 45 block-unknown-source
     no bridge-group 45 source-learning
     no bridge-group 45 unicast-flooding
     ip admission webauth
    interface Dot11Radio1.46
     encapsulation dot1Q 46
     bridge-group 46
     bridge-group 46 subscriber-loop-control
     bridge-group 46 spanning-disabled
     bridge-group 46 block-unknown-source
     no bridge-group 46 source-learning
     no bridge-group 46 unicast-flooding
    interface GigabitEthernet0
     no ip address
     duplex auto
     speed auto
     dot1x pae authenticator
     dot1x authenticator eap profile DTSGROUP
     dot1x supplicant eap profile DTSGROUP
    interface GigabitEthernet0.1
     encapsulation dot1Q 1 native
     bridge-group 1
     bridge-group 1 spanning-disabled
     no bridge-group 1 source-learning
    interface GigabitEthernet0.43
     encapsulation dot1Q 43
     bridge-group 43
     bridge-group 43 spanning-disabled
     no bridge-group 43 source-learning
    interface GigabitEthernet0.44
     encapsulation dot1Q 44
     bridge-group 44
     bridge-group 44 spanning-disabled
     no bridge-group 44 source-learning
    interface GigabitEthernet0.45
     encapsulation dot1Q 45
     bridge-group 45
     bridge-group 45 spanning-disabled
     no bridge-group 45 source-learning
    interface GigabitEthernet0.46
     encapsulation dot1Q 46
     bridge-group 46
     bridge-group 46 spanning-disabled
     no bridge-group 46 source-learning
    interface GigabitEthernet1
     no ip address
     shutdown
     duplex auto
     speed auto
    interface GigabitEthernet1.1
     encapsulation dot1Q 1 native
     bridge-group 1
     bridge-group 1 spanning-disabled
     no bridge-group 1 source-learning
    interface GigabitEthernet1.43
     encapsulation dot1Q 43
     bridge-group 43
     bridge-group 43 spanning-disabled
     no bridge-group 43 source-learning
    interface GigabitEthernet1.44
     encapsulation dot1Q 44
     bridge-group 44
     bridge-group 44 spanning-disabled
     no bridge-group 44 source-learning
    interface GigabitEthernet1.45
     encapsulation dot1Q 45
     bridge-group 45
     bridge-group 45 spanning-disabled
     no bridge-group 45 source-learning
    interface GigabitEthernet1.46
     encapsulation dot1Q 46
     bridge-group 46
     bridge-group 46 spanning-disabled
     no bridge-group 46 source-learning
    interface BVI1
     mac-address 58f3.9ce0.8038
     ip address 172.16.1.62 255.255.255.0
     ipv6 address dhcp
     ipv6 address autoconfig
     ipv6 enable
    ip forward-protocol nd
    ip http server
    ip http authentication aaa
    no ip http secure-server
    ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
    ip radius source-interface BVI1 
    radius-server attribute 32 include-in-access-req format %h
    radius server 172.16.50.99
     address ipv4 172.16.50.99 auth-port 1645 acct-port 1646
     key 7 104A1D0A4B141D06421224
    bridge 1 route ip
    line con 0
     logging synchronous
    line vty 0 4
     exec-timeout 0 0
     privilege level 15
     logging synchronous
     transport input ssh
    line vty 5 15
     exec-timeout 0 0
     privilege level 15
     logging synchronous
     transport input ssh
    end
    This is My Logfile on Radius Win 2008 : 
    Network Policy Server denied access to a user.
    Contact the Network Policy Server administrator for more information.
    User:
    Security ID: S-1-5-21-858235673-3059293199-2272579369-1162
    Account Name: xxxxxxxxxxxxxxxx
    Account Domain: xxxxxxxxxxx
    Fully Qualified Account Name: xxxxxxxxxxxxxxxxxxx
    Client Machine:
    Security ID: S-1-0-0
    Account Name: -
    Fully Qualified Account Name: -
    OS-Version: -
    Called Station Identifier: -
    Calling Station Identifier: -
    NAS:
    NAS IPv4 Address: 172.16.1.62
    NAS IPv6 Address: -
    NAS Identifier: Aironet2702i
    NAS Port-Type: Async
    NAS Port: -
    RADIUS Client:
    Client Friendly Name: Aironet2702i
    Client IP Address: 172.16.1.62
    Authentication Details:
    Connection Request Policy Name: Use Windows authentication for all users
    Network Policy Name: DTSWIRELESS
    Authentication Provider: Windows
    Authentication Server: xxxxxxxxxxxxxx
    Authentication Type: PAP
    EAP Type: -
    Account Session Identifier: -
    Logging Results: Accounting information was written to the local log file.
    Reason Code: 66
    Reason: The user attempted to use an authentication method that is not enabled on the matching network policy.
    So i will explain problems what i have seen:
    SSID: DTS-Group using authentication EAP with RADIUS and it working great (Authentication Type from Aironet to RADIUS is PEAP)
    SSID:L6-Webauthen-test using web-auth and i had try to compare with RADIUS but ROOT CAUSE is AUTHENTICATION TYPE from Aironet to RADIUS default is PAP. (Reason Code : 66)
    => I had trying to find how to change Authentication Type of Web-Auth on Cisco Aironet from PAP to PEAP or sometime like that for combine with RADIUS.
    Any idea or recommend for me ?
    Thanks for see my case  

    Hi Dhiresh Yadav,
    Many thanks for your reply me,
    I will explain again for clear my problems.
    At this case, i had setup complete SSID DTS-Group use authentication with security as PEAP combine Radius Server running on Window 2008.
    I had login SSID by Account create in AD =>  It's work okay with me. Done
    Problems occurs when i try to use Web-authentication on Vlan45 With SSID :
    dot11 ssid L6-Webauthen-test
       vlan 45
       web-auth
       authentication open 
       dot1x eap profile DTSGROUP
       mbssid guest-mode
    After configured on Aironet and Window Radius , i had try to login with Account create in AD by WebBrowser but it Fail ( i have see mini popup said: Authentication Fail" . So i go to Radius Server and search log on EventViewer.
    This is My Logfile on Radius Win 2008 : 
    Network Policy Server denied access to a user.
    NAS:
    NAS IPv4 Address: 172.16.1.62
    NAS IPv6 Address: -
    NAS Identifier: Aironet2702i
    NAS Port-Type: Async
    NAS Port: -
    RADIUS Client:
    Client Friendly Name: Aironet2702i
    Client IP Address: 172.16.1.62
    Authentication Details:
    Connection Request Policy Name: Use Windows authentication for all users
    Network Policy Name: DTSWIRELESS
    Authentication Provider: Windows
    Authentication Server: xxxxxxxxxxxxxx
    Authentication Type: PAP
    EAP Type: -
    Account Session Identifier: -
    Logging Results: Accounting information was written to the local log file.
    Reason Code: 66
    Reason: The user attempted to use an authentication method that is not enabled on the matching network policy.
    Im  think ROOT CAUSE is :
    PAP is the default authentication type for web-auth users on Aironet 2702i, so it can't combine with Radius Window 2008 because they just support PEAP (CHAPv1,CHAPv2....) => Please give me a tip how to change Authentication Type from PAP to PEAP for Web Authentication on Aironet

  • Authentication via RADIUS : MSCHAPv2 Error 691

    Hello All,
    I am working on setting up authentication into an Acme Packet Net-Net 3820 (SBC) via RADIUS. The accounting side of things is working just fine with no issues. The authentication side of things is another matter. I can see from a packet capture that the access-request
    messages are in fact getting to the RADIUS server at which point the RADIUS server starts communicating with the domain controllers. I then see the chain of communication going back to the RADIUS and then finally back to the SBC. The problem is the response
    I get back is always an access-reject message with a reason code of 16 (Authentication failed due to a user credentials mismatch. Either the user name provided does not match an existing user account or the password was incorrect). This is confirmed by looking
    at the security event logs where I can see events 4625 and 6273. See the events below (Note: The names and IPs have been changed to protect the innocent):
    Event ID: 6273
    Network Policy Server denied access to a user.
    Contact the Network Policy Server administrator for more information.
    User:
    Security ID:
    NULL SID
    Account Name:
    real_username
    Account Domain:
    real_domain
    Fully Qualified Account Name:
    real_domain\real_username
    Client Machine:
    Security ID:
    NULL SID
    Account Name:
    Fully Qualified Account Name:
    OS-Version:
    Called Station Identifier:
    Calling Station Identifier:
    NAS:
    NAS IPv4 Address:
    10.0.0.10
    NAS IPv6 Address:
    NAS Identifier:
    radius1.real_domain
    NAS Port-Type:
    NAS Port:
    101451540
    RADIUS Client:
    Client Friendly Name:
    sbc1mgmt
    Client IP Address:
    10.0.0.10
    Authentication Details:
    Connection Request Policy Name:
    SBC Authentication
    Network Policy Name:
    Authentication Provider:
    Windows
    Authentication Server:
    RADIUS1.real_domain
    Authentication Type:
    MS-CHAPv2
    EAP Type:
    Account Session Identifier:
    Logging Results:
    Accounting information was written to the SQL data store and the local log file.
    Reason Code:
    16
    Reason:
    Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.
    Event ID: 4625
    An account failed to log on.
    Subject:
    Security ID:
    SYSTEM
    Account Name:
    RADIUS1$
    Account Domain:
    REAL_DOMAIN
    Logon ID:
    0x3E7
    Logon Type: 3
    Account For Which Logon Failed:
    Security ID:
    NULL SID
    Account Name:
    real_username
    Account Domain:
    REAL_DOMAIN
    Failure Information:
    Failure Reason:
    Unknown user name or bad password.
    Status:
    0xC000006D
    Sub Status:
    0xC000006A
    Process Information:
    Caller Process ID:
    0x2cc
    Caller Process Name:
    C:\Windows\System32\svchost.exe
    Network Information:
    Workstation Name:
    Source Network Address:
    Source Port:
    Detailed Authentication Information:
    Logon Process:
    IAS
    Authentication Package:
    MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
    Transited Services:
    Package Name (NTLM only):
    Key Length:
    0
    This event is generated when a logon request fails. It is generated on the computer where access was attempted.
    The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
    The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
    The Process Information fields indicate which account and process on the system requested the logon.
    The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
    The authentication information fields provide detailed information about this specific logon request.
    - Transited services indicate which intermediate services have participated in this logon request.
    - Package name indicates which sub-protocol was used among the NTLM protocols.
    - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
    So at first glance it would seem that the issue is merely a case of an invalid username or mismatched password. This is further confirmed in the packet capture where I can see the MSCHAPv2 response has an error code of 691 (Access denied because username or
    password, or both, are not valid on the domain). The thing is I know I am using a valid username and I have tried many usernames including new ones I created just for troubleshooting. I don't know how many times I have reset the password in an attempt to ensure
    it is not a mismatch password. I have even made sure to use passwords that are fairly short and contain only letters to ensure there was no terminal encoding issues (we connect to the SBC via SSH clients). I have also done this same thing with the shared secret
    used during communication between the SBC and the RADIUS server. I have tried prefixing the username with the domain name at login (though I don't think that should be necessary). I have also tried using the full UPN of the user to login. I have tried several
    RADIUS testing clients (NTRadPing, RadiusTest, etc.), but they either don't support MSCHAPv2 or only support EAP-MSCHAPv2. I have even created my own client using PHP's PECL RADIUS module. Still it always seems to fail with the MSCHAPv2 authentication with
    an error code of 691. Does anyone have any ideas as to why I always get an invalid username or bad password response when I have done everything possible to ensure that is not the case?
    Here are the specs for our RADIUS configuration:
    Windows Server 2012 R2
    SQL Server 2012 Back End Database for accounting.
    The server has been authorized on the domain and is a member of the "RAS and IAS Servers" group. For which that group does have access to the accounts we are testing with.
    The accounts we are testing with do have the "Control access through NPS Network Policy" option checked under their "Dial-in" property tab.
    RADIUS clients configured to simply match on the IP address which you can see from the events above that it is applying the client friendly name.
    Connection Request Policy: The "SBC Authenication" policy is being applied as seen above. The only condition is a regex expression that does successfully match the friendly name.
    Network Policy: As seen in events above, none are getting applied. For troubleshooting purposes I have created a Network Policy that is set to "1" for the processing order and its only condition is a Day and Time Restriction currently set to any
    time, any day.
    The authentication method is set to only MSCHAPv2 or MSCHAPv2 (User can change password after it has expired). I have tried adding this to just the Network Policy and I have also tried adding this to the Connection Request Policy and setting it to override
    the authentication method of the Network Policy.
    We do have other RADIUS servers in our domain that use PEAP to authenticate wireless clients and they all work fine. However, we need this to work with MSCHAPv2 only (No EAP).
    All other configurations are set to the defaults.
    The only other things of note to consider is the fact that in the events above you can see that the Security ID is "NULL SID". Now I know this is common especially among failed logons but given that this issue is stating an invalid username or
    bad password, perhaps it matters in this case. Also, this server has been rebuilt using the same computer account in Active Directory. I do not know if it would have worked before the rebuild. Essentially we built this server and only got as far as authorizing
    the server to the domain and adding SQL when we decided to separate out the SQL role onto another server. Rather than uninstalling SQL we just rebuilt the machine. However, before reinstalling Windows I did do a reset on the computer account. I don't think
    this should matter but thought I would point it out if there is some weird quirk where reusing the same SID of a previously authorized NPS server would cause an issue.
    All in all it is a fairly basic setup and hopefully I have provided enough information for someone to get an idea of what might be going on. I hope this was the right forum to post this too, I figured there would be a higher number of RADIUS experts here than
    any of the other categories. Apologies if my understanding of this seems a bit basic, after all, when it comes to RADIUS servers I guess you could say I'm the new guy here.

    Update 1:
    In an attempt to further troubleshoot this issue I have tried bringing up additional servers for testing. Here are the additional tests I have performed.
    Multiple Domains
    I have now tried this in 3 different isolated domains. Both our test and production domains as well as my private home domain which has very little in the way of customizations aside from the modifications made for Exchange and ConfigMgr. All have the same
    results described above.
    VPN Service
    Using Windows Server 2012 R2 we brought up a separate server to run a standard VPN setup. The intent was to see if we could use RADIUS authentication with the VPN and if that worked we would know the issue is with the SBCs. However, before we could even
    configure it to use RADIUS we just attempted to make sure it worked with standard Windows Authentication on the local VPN server. Interestingly, it too fails with the same events getting logged as the RADIUS servers. The client machine being a Windows 8.1
    workstation. Again I point out that we have working RADIUS servers used specifically for our wireless environment. The only difference between those RADIUS servers and the ones I am having problems with is that the working wireless servers are using PEAP instead
    of MSCHAPv2.
    FreeRADIUS
    Now I'm no Linux guru but I believe I have it up and running. I am able to use ntlm_auth to authenticate users when logged on to the console. However, when the radiusd service tries to use ntlm_auth to do essentially the same thing it fails and returns the
    same message I've been getting with the Windows server (E=691). I have the radiusd service running in debug mode so I can see more of what is going on. I can post the debug info I am getting if requested. The lines I am seeing of particular interest however
    are as follows:
    (1) ERROR: mschap : Program returned code (1) and output 'Logon failure (0xc000006d)'
    (1) mschap : External script failed.
    (1) ERROR: mschap : External script says: Logon Failure (0xc000006d)
    (1) ERROR: mschap : MS-CHAP2-Response is incorrect
    The thing to note here is that while we are essentially still getting a "wrong password" message, the actual status code (0xc000006d) is slightly different than what I was getting on the Windows Servers which was (0xc000006a). From this document
    you can see what these codes mean:
    NTSTATUS values . The good thing about this FreeRADIUS server is that I can see all of the challenge responses when it is in debug mode. So if I can wrap my head around how a MSCHAPv2 response is computed I can compare it to see if this is simply a miscomputed
    challenge response. Update: Was just noticing that the 6a code is just the sub-status code for the 6d code. So nothing different from the Windows Servers, I still wonder if there is a computation error with the challenge responses though.
    Currently, I am working on bringing up a Windows Server 2008 R2 instance of a RADIUS server to see if that helps at all. However, I would be surprised if something with the service broke between W2K8 R2 and W2K12 R2 without anyone noticing until now. If this
    doesn't work I may have to open a case with Microsoft. Update: Same results with W2K8 R2.

  • WLC RADIUS Server Failover - Passive mode timer

    In 7.2 WLC code, it appears it is now possible to specify which RADIUS servers are used as the preferred server for authentication (
    Security > AAA > RADIUS > Fallback to open the RADIUS > Fallback Parameters ).
    There are 3 mode for this: off, passive & active.
    In the passive mode, the operation is described in the config guide as :
    Passive
    —Causes the controller to revert to a server with a lower priority from the available backup servers without using extraneous probe messages. The controller ignores all inactive servers for a time period and retries later when a RADIUS message needs to be sent.
    Does anyone know how long this 'time period' is? If it is only a few seconds, then it could be that user authentications are being used to test against a failed RADIUS server frequently & will experience annoying time-out delays, causing support calls etc.
    Anyone know what it is, or if its configurable? I don't see anything in the docs...
    Nigel.

    Here you go.
    RADIUS Server Fallback Feature on WLC.
    http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a008098987e.shtml#passive

  • 802.1x authentication not trying second Radius server

    I have 802.1x setup for portbased authentication on my 3750. I have two identical Radius servers setup and both work when they are the initial server. If I disable the NIC on the first server, it never fails over to the second one. (This only happens with 802.1x, logging directly onto the switch works but just takes longer) What do I need to set to get the radius to failover faster or at all for matter?
    aaa authentication login default group radius local
    aaa authentication dot1x default group radius
    aaa authorization network default group radius
    interface FastEthernet1/0/11
    switchport access vlan 15
    switchport mode access
    dot1x pae authenticator
    dot1x port-control auto
    dot1x violation-mode protect
    spanning-tree portfast
    radius-server host 10.10.0.41 auth-port 1645 acct-port 1646 key radiuskey
    radius-server host 10.10.0.42 auth-port 1645 acct-port 1646 key radiuskey

    I have 802.1x setup for portbased authentication on my 3750. I have two identical Radius servers setup and both work when they are the initial server. If I disable the NIC on the first server, it never fails over to the second one. (This only happens with 802.1x, logging directly onto the switch works but just takes longer) What do I need to set to get the radius to failover faster or at all for matter?
    aaa authentication login default group radius local
    aaa authentication dot1x default group radius
    aaa authorization network default group radius
    interface FastEthernet1/0/11
    switchport access vlan 15
    switchport mode access
    dot1x pae authenticator
    dot1x port-control auto
    dot1x violation-mode protect
    spanning-tree portfast
    radius-server host 10.10.0.41 auth-port 1645 acct-port 1646 key radiuskey
    radius-server host 10.10.0.42 auth-port 1645 acct-port 1646 key radiuskey

  • ACS with RSA for privilege level 'enable' authentication

    Has anyone experienced problems with privilege level "Enable" password authentication via ACS using RSA two factor authentication? We have recently deployed ACS and use RSA two factor authentication for the telnet connection without any problems. When configuring the networking device and ACS to use RSA for the privelledge level authentication "enable" this fails. We get prompted to enter the token code and the RSA server indicates that authentication is succesful however the network device (ASA or switch) seems to reject it.
    Are there any tricks to this?
    Thanks in advance!

    David
    Like Collin the first thing that I think of is that you can not use the same token code to authenticate enable mode that was used to authenticate user mode. Beyond that I am not aware of things that should prevent this working. Are you sure that the ACS authentication server is configured to allow that user access to privilege mode?
    Perhaps it would be helpful if you would post the config (especially all the aaa related parts) of a device that is having that problem. And it might help find the issue if you would run debug for authentication, try to login to enable mode, and post the output.
    HTH
    Rick

Maybe you are looking for

  • Cannot edit data model after upgrading to 10.1.3.4.1

    Hi, I've recently upgraded from 10.1.3.4 to 10.1.3.4.1 running under Tomcat 6. But now I cannot work with data models anymore. When I click on 'New' while Report > Data Model is selected, a new model is created but I cannot work with it. While editin

  • HT201209 Since updating ios7 I can't do FaceTime can anyone out there give me some guidance pleeeeaaaase

    Can anyone help me since updating with the latest iOS for my iPad I can't do FaceTime and also when I go to camera I can't do video recording anymore been to settings to see if ther have been any obvious changes can't find anything that would cause t

  • Executing First Select in Union before second

    I have a dynamic select followed by a union, then another select. The first select does something like this Select NVL((Equivilized_pa_value * ConvFactor) ,1) as display_value The I have a Union and the second Select does a sum on the field from the

  • PROBLEM NAME:  BEX

    i got the windows 7 with the latest version of itunes and every time that i try to plug my iphone 3gs to my computer (itunes) it starts syncing by itself i think thats normal but as soon it finish sync... an error meseges pops out saying: "itunes has

  • Security Flaw in H323

    Has any heard of more information pretaining to this, If so does Cisco have something out there to fix it? http://www.conferencingnews.com/news/1607