Framed-IP-Address in RADIUS Access Request for WLC web-auth users

We have a web-auth WLAN (with 7.6.130.0 software on a 2504 WLC) configured to authenticate users through RADIUS. The Framed-IP-Address attribute, representing the client device's IP address, is sent in the Accounting Request, as expected. However, this information should be available at the WLC before sending the RADIUS Access Request, since the device already has an IP address.
So is there a way to configure the WLC to send the Framed-IP-Address attribute in the RADIUS Access Request as well?

Hi,
Try using:
aaa accounting delay-start
Regards,
~JG
Do rate helpful posts

Similar Messages

  • Framed-Ip-Address missing in Access-Request & Acct-Start messages

    We have a Cisco 7206 (IOS 12.2(33)) equipment associated with FreeRADIUS server 2.1.10. Upon PPPoE client start, a dynamic IP is assigned from the IP pool to the PPPoE client. However, this IP address is not included in the Framed-IP-Address AVP sent in the Access-Request or Acct-Start message from the NAS. It is sent only in Acct-Update or Acct-Stop messages, though. I have enabled this AVP inclusion with the NAS command radius-server attribute 8 include-in-access-req
    Also, I have attached the configuration used in the NAS for your reference. Request you to provide your inputs to get this resolved at the earliest.
    Appreciate your inputs.
    thanks,
    Raj

    It worked well, after adding "aaa accounting delay-start" to the conf file.
    thanks,
    Raj

  • Certificate for WLC web auth - HELP

    Hi all
    I need to buy a cert for my WLC web authentication
    I have read the document below
    http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a0080a77592.shtml
    However, I want to fill in the details and generate the CSR via the provider I'm buying the cert from, Thawte
    Am I OK doing all this via the provider, or do I need to use OpenSSL to generate the CSR?
    Can anyone post the steps in here I need to take when purchasing and installing a chained certificate on my WLC.
    The WLC has the latest version of code.
    cheers
    Carl

    Here are the instructions for a chained certificate.
    http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a0080a77592.shtml
    It's simple enough, copy and paste the chain below the certificate when you generate the final.pem.
    Main thing to remember when compiling the final.pem: use a version of OpenSSL < 1.0 as it won't install.
    If your provider will generate the CSR for you it should be fine, but you will need the private key to recompile the certificate.
    As you'll be using OpenSSL to recompile the certificate you may as well use it to generate the CSR, there's not much to it.
    Thanks
    Chris

  • Missing AVP 29 VSA 23 in the Radius Access-Request sent by ASA 5545-X 8.6

    Hello,
    we are migrating from ASA 5520 Version 8.4(3) to ASA 5545-X Version 8.6(1)2 with the same configuration;
    we are stuck with a RADIUS authentication problem related to an ASA clientless ASA access;
    when we compare the RADIUS dialog between each ASA (the old one and the new one) and the same RADIUS ACS 5.3 server, we can see that the only difference is there is a missing AVP 29 VSA 23 in the RADIUS Access-Request sent by the new ASA 5545-X compared to the good one sent by the old ASA 5520;
    this AVP 29 VSA 23 carries the tunnel-group name as defined in the ASA configuration;
    5545-X and 5520 configuration files have been double-checked and compared: no difference between both files
    any help would be appreciated to diagnose this problem
    thanks in advance

    This problem was solved by upgrading the 5545-X from version 8.6(1)2 to version 9.1.2;
    nothing else changed

  • GRC 10.0 Access Request Creation- Data Source of User Details

    Hi Experts,
    I was doing GRC 10.0 Configuration and found a query which I am not able to resolve.
    While creation of any kind of Access Request in GRC through NWBC > Access Management Tab > Access Request > Access Request Creation.
    In the user details section, I can see the HR records( like Pernr, position, manager) have been visible to some extent.
    My question is where from these details came in GRC. What configuration we should maintain to achieve these HR records?
    Hope to get a quick response as this is one of the requirement of the implementation which I am doing with my customer.
    Thanks,
    Atanu

    Alessandro,
    Thanks for your response. It helped me to know certain things.
    But when I am navigating to SPRO > GRC > Access Control > Maintain Data Sources Configuration > [User Detail Data Source], it is configured with a ECC system in target connector and User data type is maintained as "SU01".
    Now my question is where from in my case the GRC is pulling the HR records (PA20) like PERNR, POSITION,PERSONEL AREA etc? SU01 does not provide these information. My ECC box is integrated with HR module, so is it taking the data from HR directly?
    Thanks in advance!
    Atanu

  • Need a way to request for a web resource (e.g .css, .gif file) using jpdk

    I am wondering if there is any way by which we can request for a web resource from portal to portlet provider.
    Currently if in order to display image I need to make direct request to portlet provider rather than routing the request through portal. As a result of this there is no session affiliation.
    My web resource can also be .jsp or .html file
    Any suggestions are welcome.

    Hi Hernando,
    It seems I haven't put my question correctly, probably following might help me explain you what I require:
    Portlets are added to portal page. Portlet content is served by portlet provider. So when you are viewing a portal page containing portlets in reality portal requests the portlet data from portlet-provider. So the actual request flow is: Request for a portal page, portal analyzes portlets on the page, and then request the portlet provider for the content associated with portlet. In the exact reversal process data flow is: portlet-provider generates the content which is passed to portal & then portal forwards it to end user.
    Now want something similar to happen with images (.gif files). But the problem is I am failing to create a link for this resource. I want the request for image to flow through portal very much the same way as its doing for the content. In other words I want to create a link which would inform portal to request for the resource to portlet provider. In this scenario portlet provider would pass the image to portal which would be forwarded to end user. Currently to get the images I am making direct request to portlet provider there by bypassing the request to flow through portal, which I do not want. Above all this resource can be anything a css file or a image or a .js file.
    So can you suggest me how to achieve it?

  • ACS 4.2 doesn't response RADIUS access-request

    I have configured radius 4,2:
    - Create an internal database, a account
    - Create an AAA client, with pass the same on Authenticator server
    - Authenticate using Radius-Aironet (and try with other radius vendor)
    - Submit and Apply
    From Authenticator ( Ruckus Zone-director 1000)
    - Configure the same secret pass with ACS
    - IP: ACS, Port: 1812
    - Send user name and pass which created on ACS server
    From the authenticator, I send a RADIUS access-request with the username & pass I have created on ACS, but ACS doesn't respond with any message, even a failure.
    Could you please help me figure out the problem?
    Thanks a lot
    -Brian.

    Brian,
    I would also like you to check following,
    Please go to Network Configuration > If we have Network Device Group option enabled, then go the network device group---Edit properties---remove the shared secret from there---submit the changes.
    And try again. If authentication works, that would mean that we have configured a Network Device Group level key. And an NDG level key overrides the AAA Client level key.
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/user/NetCfg.html#wp342699
    Are we seeing "unknown NAS" with the same NAS ip address the one we have added on the ACS under network configuration?
    Regds,
    JK
    Do rate helpful posts-

  • How to create transport request for standard web template

    hi all
    can any one tell me the step by step procedure to create transport request for standard template?
    thanks
    shalini

    Business Content --> Choose & Install the standard web template & then collect the object for transport...Assign a Package & when prompted for Transport Request --> Opt for a new transport request.

  • Access denied for all (most?) users in all site collections of web app

    Hi,
    I have a Sharepoint 2010 farm pre-SP1 (yes should be updated!) and for all site collections of a web app, all users are getting access denied.
    Now in my title I said "most?" because I have found one user in another office who does not have this issue. This web app/site collections also do not go through f5 or any proxies.
    Even if I add myself as a site collection admin via central admin, I get the same result. I've looked at everything, windows time on the server (not using kerberos), errors in event log (nothing), uls logs just say access denied (very helpful!), etc...
    I can try what's suggested at http://social.technet.microsoft.com/Forums/en-US/e66f1b09-605d-4546-a581-2a9283c238c0/access-denied-for-all-users-and-for-site-collections-owner?forum=sharepointgeneralprevious but when asking colleagues, there's been no changes, let alone with those accounts? I can do a get on the property tomorrow to find if there is a value set first, however.
    Any suggestions on this?

    Hi,
    Please try logging in the site with farm account.
    If it works, please make sure you have superuser and superreader accounts in CA > Application management > web application policy. If not, please add both accounts with the PowerShell script in the article below; this can cause all users to be denied when accessing the site:
    http://technet.microsoft.com/en-us/library/ff758656.aspx
    Here is a similar thread:
    http://social.technet.microsoft.com/Forums/sharepoint/en-US/a49b1ab8-273f-41e4-a0b8-be0e31c6733b/all-users-including-site-collection-admins-receiving-access-denied-from-one-site-collection?forum=sharepointadminprevious
    Regards,
    Rebecca Tu
    TechNet Community Support

  • WLC Web-auth fail with external RADIUS server

    I followed step by step the link below to configure web-auth with an external RADIUS server, but I receive an error on the console debug of the WLC: "Returning AAA Error No Server (-7) for mobile"
    My Radius Server is fine, because I can authenticate on WLC Web page with RADIUS user.
    WLC 4402 version 4.1.171.0
    http://www.cisco.com/en/US/products/ps6366/prod_technical_reference09186a0080706f5f.html

    Hi,
    I am having some issues when I try to authenticate an AD account against a NAP Radius Server on Windows 2008.
    In fact, I own a WLC 2106 and I configured it to authenticate users against a RADIUS server with Active Directory. I set the Web Radius Authentication to CHAP on the controller tab of the WLC 2106 and I am getting the error below: Authentication failed for gcasanova. When I set the controller's Web Radius Authentication to PAP, everything is working fine. I am able to connect through the controller using an AD account. But my purpose is not to use PAP, which is an unsecure protocol since passwords are sent as plaintext on the network.
    Can someone tell me what's wrong?
    *radiusTransportThread: Oct 26 11:02:13.975:    proxyState...................................00:24:D7:40:E5:00-00:00
    *radiusTransportThread: Oct 26 11:02:13.975:    Packet contains 0 AVPs:
    *emWeb: Oct 26 11:02:13.977: Authentication failed for gcasanova
    *aaaQueueReader: Oct 26 11:02:29.985: AuthenticationRequest: 0xb6564634
    *aaaQueueReader: Oct 26 11:02:29.985:   Callback.....................................0x8576720
    *aaaQueueReader: Oct 26 11:02:29.985:   protocolType.................................0x00000001
    *aaaQueueReader: Oct 26 11:02:29.985:   proxyState...................................00:24:D7:40:E5:00-00:00
    *aaaQueueReader: Oct 26 11:02:29.986:   Packet contains 11 AVPs (not shown)
    *aaaQueueReader: Oct 26 11:02:29.986: apfVapRadiusInfoGet: WLAN(4) dynamic int attributes srcAddr:0x0, gw:0x0, mask:0x0, vlan:0, dpPort:0, srcPort:0
    *aaaQueueReader: Oct 26 11:02:29.986: 00:24:d7:40:e5:00 Successful transmission of Authentication Packet (id 86) to 10.2.0.15:1812, proxy state 00:24:d7:40:e5:00-00:00
    *aaaQueueReader: Oct 26 11:02:29.987: 00000000: 01 56 00 9a 8e 48 e7 20  1d ef be 29 e6 3a 61 6d  .V...H.....).:am
    *aaaQueueReader: Oct 26 11:02:29.987: 00000010: 2b de 07 24 01 0b 67 63  61 73 61 6e 6f 76 61 3c  +..$..gcasanova<
    *aaaQueueReader: Oct 26 11:02:29.987: 00000020: 12 3c ce a0 87 ac df 7a  a5 35 af 7c ef 83 c7 58  .<.....z.5.|...X
    *aaaQueueReader: Oct 26 11:02:29.987: 00000030: ed 03 13 28 a7 5a 0d 26  6d ab 49 ea da 7c 5a 8e  ...(.Z.&m.I..|Z.
    *aaaQueueReader: Oct 26 11:02:29.987: 00000040: 1d 94 70 69 06 06 00 00  00 01 04 06 0a 02 00 06  ..pi............
    *aaaQueueReader: Oct 26 11:02:29.987: 00000050: 05 06 00 00 00 01 20 0a  50 41 52 2d 57 4c 43 31  ........PAR-WLC1
    *aaaQueueReader: Oct 26 11:02:29.987: 00000060: 3d 06 00 00 00 13 1a 0c  00 00 37 63 01 06 00 00  =.........7c....
    *aaaQueueReader: Oct 26 11:02:29.988: 00000070: 00 04 1f 0c 31 30 2e 32  2e 30 2e 31 35 36 1e 0a  ....10.2.0.156..
    *aaaQueueReader: Oct 26 11:02:29.988: 00000080: 31 30 2e 32 2e 30 2e 36  50 12 7f 86 5a c5 61 ad  10.2.0.6P...Z.a.
    *aaaQueueReader: Oct 26 11:02:29.988: 00000090: af 54 fa fa 42 e7 f6 16  9e 10                    .T..B.....
    *radiusTransportThread: Oct 26 11:02:29.988: 00000000: 03 56 00 14 a9 10 07 84  83 00 87 83 b9 10 64 e1  .V............d.
    *radiusTransportThread: Oct 26 11:02:29.988: 00000010: 66 b3 c5 5e                                       f..^
    *radiusTransportThread: Oct 26 11:02:29.988: ****Enter processIncomingMessages: response code=3
    *radiusTransportThread: Oct 26 11:02:29.988: ****Enter processRadiusResponse: response code=3
    *radiusTransportThread: Oct 26 11:02:29.988: 00:24:d7:40:e5:00 Access-Reject received from RADIUS server 10.2.0.15 for mobile 00:24:d7:40:e5:00 receiveId = 0
    *radiusTransportThread: Oct 26 11:02:29.989: 00:24:d7:40:e5:00 Returning AAA Error 'Authentication Failed' (-4) for mobile 00:24:d7:40:e5:00
    *radiusTransportThread: Oct 26 11:02:29.989: AuthorizationResponse: 0xb97fe774
    *radiusTransportThread: Oct 26 11:02:29.989:    structureSize................................32
    *radiusTransportThread: Oct 26 11:02:29.989:    resultCode...................................-4
    *radiusTransportThread: Oct 26 11:02:29.989:    protocolUsed.................................0xffffffff
    *radiusTransportThread: Oct 26 11:02:29.989:    proxyState...................................00:24:D7:40:E5:00-00:00
    *radiusTransportThread: Oct 26 11:02:29.989:    Packet contains 0 AVPs:
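
The Access-Request in the debug output above can be decoded attribute by attribute to see exactly what the WLC put on the wire. This is an added example, not part of the original post: the packet bytes are copied from the dump, the attribute names and layouts follow RFC 2865/2869, and the function names are illustrative.

```python
import ipaddress
import struct

# Bytes copied from the WLC debug dump above (Authentication Packet id 86).
PACKET_HEX = """
01 56 00 9a 8e 48 e7 20 1d ef be 29 e6 3a 61 6d
2b de 07 24 01 0b 67 63 61 73 61 6e 6f 76 61 3c
12 3c ce a0 87 ac df 7a a5 35 af 7c ef 83 c7 58
ed 03 13 28 a7 5a 0d 26 6d ab 49 ea da 7c 5a 8e
1d 94 70 69 06 06 00 00 00 01 04 06 0a 02 00 06
05 06 00 00 00 01 20 0a 50 41 52 2d 57 4c 43 31
3d 06 00 00 00 13 1a 0c 00 00 37 63 01 06 00 00
00 04 1f 0c 31 30 2e 32 2e 30 2e 31 35 36 1e 0a
31 30 2e 32 2e 30 2e 36 50 12 7f 86 5a c5 61 ad
af 54 fa fa 42 e7 f6 16 9e 10
"""
PACKET = bytes.fromhex("".join(PACKET_HEX.split()))

CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject"}
# Attribute type -> (name, value kind); only the types relevant to this page.
ATTRS = {
    1: ("User-Name", "text"), 2: ("User-Password", "octets"),
    3: ("CHAP-Password", "octets"), 4: ("NAS-IP-Address", "ipv4"),
    5: ("NAS-Port", "int"), 6: ("Service-Type", "int"),
    8: ("Framed-IP-Address", "ipv4"), 26: ("Vendor-Specific", "vsa"),
    30: ("Called-Station-Id", "text"), 31: ("Calling-Station-Id", "text"),
    32: ("NAS-Identifier", "text"), 60: ("CHAP-Challenge", "octets"),
    61: ("NAS-Port-Type", "int"), 80: ("Message-Authenticator", "octets"),
}

def decode_value(kind, raw):
    if kind == "text":
        return raw.decode("utf-8", "replace")
    if kind == "int" and len(raw) == 4:
        return struct.unpack("!I", raw)[0]
    if kind == "ipv4" and len(raw) == 4:
        return str(ipaddress.IPv4Address(raw))
    if kind == "vsa" and len(raw) >= 6 and 2 <= raw[5] <= len(raw) - 4:
        # Vendor-Id (4 bytes), then vendor type, vendor length, vendor data.
        # In this dump the Vendor-Id is 14179 (Airespace).
        vendor = struct.unpack("!I", raw[:4])[0]
        return {"vendor": vendor, "type": raw[4], "data": raw[6:4 + raw[5]].hex()}
    return raw.hex()  # opaque or malformed values are shown as hex

def parse_radius(packet):
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("Length field does not fit the captured bytes")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError(f"bad attribute length at offset {pos}")
        name, kind = ATTRS.get(a_type, (f"Attr-{a_type}", "octets"))
        attrs.append((a_type, name, decode_value(kind, packet[pos + 2:pos + a_len])))
        pos += a_len
    return {"code": CODES.get(code, str(code)), "id": ident, "length": length,
            "authenticator": packet[4:20].hex(), "attrs": attrs}

def summarize(parsed):
    by_type = {t: v for t, _, v in parsed["attrs"]}
    return {
        "auth_method": "CHAP" if 3 in by_type else "PAP" if 2 in by_type else "other",
        "has_framed_ip": 8 in by_type,
        "calling_station_id": by_type.get(31),
        "has_message_authenticator": 80 in by_type,
    }

if __name__ == "__main__":
    parsed = parse_radius(PACKET)
    print(parsed["code"], "id", parsed["id"], "length", parsed["length"])
    for a_type, name, value in parsed["attrs"]:
        print(f"  {a_type:>3} {name}: {value}")
    print(summarize(parsed))
```

For this packet the decode shows a CHAP request (CHAP-Password plus a 16-byte CHAP-Challenge), no Framed-IP-Address attribute, and an IP address string in Calling-Station-Id.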

  • WRT54G not working with cable internet access - request for help

    Good evening!
    At least that's the time when I write this.
    I have a PC running Vista 64-bit version. 
    Until yesterday, I was connected to the internet using my WRT54G and a cable modem. There was a power outage (or blackout) and I lost my internet connection. I was not home when this happened. I got home and found the circuit breaker off. Since then, I can not access the internet anymore when I use the router. 
    If I connect the computer to the cable modem directly, I can access the internet without a problem (hence I'm able to post this).
    If I connect the computer to port 1 in the router, and connect the cable modem to the internet port in the router, I am not able to connect to the internet. 
    I have already:
     - updated the firmware to the latest version (it was already installed)
     - reset the router pressing the "reset" button for 30 seconds, unplugging it, and reconnecting power still pressing the "reset" button for 30 seconds. 
     - power cycled the devices
     - tested 3 different patch cables that I know are good and they work
     - reset the modem via a soft-reset remote request sent from the cable operator
    None of these options have helped me restore my router's connection to the internet.
    I know the router is working because I can print using my wireless printer and I can see my shared drives in the other PC I have connected to it,  but none of them are able to connect to the internet!
    Does anyone have any additional ideas on how I can fix this, before I go out and buy a new router?
    Thanks in advance!
    Pablo

    As you have mentioned in your previous post that you have reset your router and you are still able to print from your wireless printer, I feel that your router is not getting reset properly. Whenever you reset your router, it goes to factory default mode, and it will change the wireless network name to "linksys" and your network will be unsecured. Press and hold the reset button for 60 seconds...Release the reset button...Unplug the power cable from your router, wait for 60 seconds and re-connect the power cable.
    Once you reconnect the power to the Linksys router, on your computer open IE and in the address bar type (http://192.168.1.1) and hit enter. When prompted for username and password, leave the username blank and in password type "admin" and click OK. Below the Setup tab you will find MTU, so change it to "Manual" and change the size from 1500 to 1365 and click on Save Settings. Then below the Setup tab you will find the sub tab "MAC address Clone"; click on it and "Enable" and click on "Clone your PC's MAC" and click on Save Settings. Now you can unplug the power from the router and unplug the power for the modem. Wait for 30 seconds, and first connect the power to your modem and wait till all the lights go stable, then you can connect the power to the Linksys router and wait until all the lights are solid. On your computer open IE and check if you are online.

  • MBL - no LED, no dash, no access - request for help

    Hi, I have had my My Book Live for a few years and it has been working without any trouble. It is connected to a WDTV Live. Recently, I noticed that the LED on the front was no longer on. No blue / green light ever. Yet the device still worked and was accessible from my iPhone (through WD 2go) and I was still able to view all my media through the WDTV. I first noticed the light wasn't working when I started to experience freezing during playback a few weeks ago. When I tried to investigate this I noticed I couldn't access the dashboard and the WD software said 0% full. However, everything else worked OK. I tried to resolve this today by resetting the device. (Various ways including unplugging for 5 minutes, reset, long reset whilst plugging in etc). Since doing that I can't now access the drive at all. It is no longer showing up in the WD software or network on my PC and the WDTV can't find it. The network lights at the back are on, it's wired in to my router as is my WDTV Live. I can hear the drive working. I think the drive was updating to the latest firmware automatically to my knowledge. Does anyone have any ideas how to fix this? Thanks

    There are two possible things wrong.
    1) hardware failure - in this case, you can't do much except for replace it (or just the drive if limited to that)
    2) OS failure - this is the most likely situation, and can be fixed.
    To fix OS failure, you need to do a debrick. There are guides on how to do this on the forum. Debrick is a way to reinstall the firmware, which means reinstalling the OS.

  • Message tracking fails with 'The server software doesn't support the type of search requested' for only a SINGLE user in org

    Ok this is a weird one.  Message tracking works fine for all my users except for one where I get the above message.  I've tried stopping/restarting the transport services and renaming the tracking log but no luck.  Any ideas?

    Updated and resolved for my situation:
    I called MS Premier and this is now resolved for my issue with a workaround. The technician is going to submit a bug fix but basically he found another bug ticket from summer 2009 that stated "if the mailbox has more than 49 proxy addresses entered within the Email addresses tab the search command will fail".
    We re-tested a few failed search mailboxes by removing unnecessary proxy addresses from that tab and the searches worked fine.
    Hope this helps others.
    Mike
    This resolved the issue I was having as well - the recipient I was trying to track for had a ton of extra smtp addresses that were not needed.  Removing them fixed the issue.

  • To Access AME for iProcurement, does the user needs to be set up as a buyer ?

    Hello,
    We are on Oracle R12.1.3.
    We are switching on the Approval Management Engine (AME) for iProcurement and Purchasing.
    We are about to assign the AME responsibilities "Approvals Management Administrator" and "Approvals Management Business Analyst" to a user, USER123
    Does USER123 need to be set up as a buyer to create AME rules ?
    Regards,
    Natalia

    AME rules for iProcurement are defined for requester. So to test the AME rule itself, you need not be a buyer.
    Besides, configuration responsibility can be granted to any employee (From IT department) who may not be a buyer in the role.
    So the answer is "Not required"

  • Access Control for SunOne Web Server 6.0.5 vs. 6.0.4

    This question is about bypassing an appserver by specifying an alias without the appserver virtual host so as to download a class or jar file. With only the default ACL on the 6.0.4 version of the SunOne web server I found that .class and .jar files were not downloadable. However, on version 6.0.5 they are. For example, the URL:
    https://myhost/appserv/alias/path/file.jsp
    would return the html resulting from that file.jsp file being processed by my application server. But by contrast, the URL:
    https://myhost/alias/path/file.jsp
    will prompt the user as to where they want to save the file. Specifying the alias immediately after the hostname (omitting appserv) will allow free access to any files under that alias's target directory. This is a problem especially for .class and .jar files which contain server-side programs. I have created an ACL as described in the administrator's guide and this does solve the problem (thank goodness for that). My question is, why didn't I experience this problem before?

    To Disable directory listing : http://www.sun.com/bigadmin/features/hub_techtips/dir_list_web_srvr.jsp
