ISE 1.0.4 - identity Sequence refuses to use AD after RSA

We are running ISE 1.0.4 with a requirement that on the surface is simple, but fails to execute properly no matter how I tweak it.  It is:
VPN users either need to be within a certain AD group or
They need to authenticate against RSA.
I set authentication to use an identity sequence with RSA listed first, then AD second.
I set authorization to check identity server (using network access:AuthenticationIdentityStore).
- If it’s RSA, pass it.
- If it’s Active Directory, AND the condition with a check on that group membership.  Pass if both pass.
- Set the default authorization rule to deny access.
This should work.  Here’s where it breaks down.  It all stems from the fact that the same userIds exist in RSA and AD and that ISE steadfastly refuses to attempt the second identity server method listed in the sequence if RSA is listed first.
- If I list RSA first and the “authentication failed” policy is set to Reject:
  For users not in RSA that I want to authenticate against AD, it rejects: it attempts against RSA but never hits AD (the second server listed in the identity sequence).  This is what is broken.
  This works for users in RSA.
- If I list the RSA server first and the “authentication failed” policy is set to Continue:
  Users not in RSA will pass authentication that shouldn’t, because the Network Access:AuthenticationIdentityStore value will be pointing to the RSA server regardless of whether they actually passed against that server or not.
  Effectively users can connect regardless of whether their password is right or not.
  This option sets it to proceed from authentication to authorization.
- If I list AD first in the sequence: since the same ID exists in both AD and RSA, it’ll fail as a bad password against AD.  It'll never attempt against RSA.
Am I missing a simple fix for this?  I have a testbed in which I can simulate the issue but since I don’t have an RSA server handy, I’m using an identity sequence with AD and fallback to internal.  It works as I’d expect, falling back from AD to local if the user doesn't exist in AD.  If the user is in AD, it never tries local and shows the attempt as a bad password.

There is a configuration option on the RSA server definition (Authentication Control options):
This Identity Store does not differentiate between 'authentication failed' and 'user not found' when an authentication attempt is rejected. From the options below, select how such an authentication reject from the Identity Store should be interpreted for Identity Policy processing and reporting.
Treat Rejects as 'authentication failed'
Treat Rejects as 'user not found'
If RSA is the first server in the sequence, it will only continue to the next server if the following option is selected: "Treat Rejects as 'user not found'".
In addition, you had a comment about the value of the "Network Access:AuthenticationIdentityStore" attribute. This will contain the name of the last ID store that was checked. If you want to ensure that the authentication did in fact succeed, you should also check the following:
"Network Access:AuthenticationStatus EQUALS AuthenticationPassed"
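The sequence and authorization logic that the question and the answer describe, as an added simulation that is not part of the original thread or Cisco's code. Store names, users, secrets and the group name are constructed; the `rsa_reject_as_not_found` switch stands for the "Treat Rejects as 'user not found'" option and `on_failed_continue` for the "authentication failed" action set to Continue.

```python
# Added example, not Cisco code: a simulation of the ISE identity-sequence and
# authorization behaviour described in this thread. Store names, users, secrets
# and the group name are constructed; rsa_reject_as_not_found stands for the
# "Treat Rejects as 'user not found'" option, on_failed_continue for the
# 'authentication failed' action set to Continue.
from dataclasses import dataclass, field

# Constructed stores. "alice" exists in BOTH RSA and AD, as in the question.
RSA_USERS = {"alice": "token-1234"}
AD_USERS = {"alice": "Passw0rd", "bob": "Hunter2", "carol": "Secret9"}
AD_GROUPS = {"alice": {"VPN-Users"}, "bob": {"VPN-Users"}, "carol": {"Staff"}}
VPN_GROUP = "VPN-Users"


@dataclass
class AuthResult:
    """What the authorization policy can see after authentication."""
    identity_store: str                       # Network Access:AuthenticationIdentityStore
    status: str                               # Network Access:AuthenticationStatus
    groups: set = field(default_factory=set)  # AD group membership (AD only)


def query_store(store, user, secret):
    """Raw store answer: 'passed', 'failed' (bad credential) or 'not_found'."""
    users = RSA_USERS if store == "RSA" else AD_USERS
    if user not in users:
        return "not_found"
    return "passed" if users[user] == secret else "failed"


def run_sequence(sequence, user, secret, *, rsa_reject_as_not_found, on_failed_continue):
    """Walk the sequence as the thread describes: only 'user not found' moves on to
    the next store, 'authentication failed' stops. RSA returns one undifferentiated
    reject, so it is mapped by the option. Returns None for an outright Reject."""
    last_store = sequence[0]
    for store in sequence:
        last_store = store
        outcome = query_store(store, user, secret)
        if store == "RSA" and outcome != "passed":
            outcome = "not_found" if rsa_reject_as_not_found else "failed"
        if outcome == "passed":
            groups = AD_GROUPS.get(user, set()) if store == "AD" else set()
            return AuthResult(store, "AuthenticationPassed", groups)
        if outcome == "failed":
            break
    if on_failed_continue:
        # Continue hands the request to authorization anyway; the identity-store
        # attribute still names the last store consulted, as the question observed.
        return AuthResult(last_store, "AuthenticationFailed")
    return None


def authorize(result, *, check_status):
    """The authorization policy from the question: RSA -> permit, AD AND VPN group ->
    permit, default deny. check_status adds the answer's extra condition
    'Network Access:AuthenticationStatus EQUALS AuthenticationPassed'."""
    if result is None:
        return "Reject"
    if check_status and result.status != "AuthenticationPassed":
        return "DenyAccess"
    if result.identity_store == "RSA":
        return "PermitAccess"
    if result.identity_store == "AD" and VPN_GROUP in result.groups:
        return "PermitAccess"
    return "DenyAccess"


def vpn_decision(user, secret, *, sequence=("RSA", "AD"), rsa_reject_as_not_found=False,
                 on_failed_continue=False, check_status=False):
    result = run_sequence(list(sequence), user, secret,
                          rsa_reject_as_not_found=rsa_reject_as_not_found,
                          on_failed_continue=on_failed_continue)
    return authorize(result, check_status=check_status)


if __name__ == "__main__":
    # Question's broken setup: AD-only user bob never reaches AD.
    print("RSA first, Reject:   bob ->", vpn_decision("bob", "Hunter2"))
    # Continue without the status check lets a bad password through.
    print("RSA first, Continue: bob/bad ->", vpn_decision("bob", "wrong", on_failed_continue=True))
    # The answer's fix: treat RSA rejects as 'user not found', plus the status check.
    print("fixed:               bob ->", vpn_decision("bob", "Hunter2",
                                                      rsa_reject_as_not_found=True, check_status=True))
```

Running it prints Reject for the first case, PermitAccess for the bad-password case (the hole the question describes) and PermitAccess for the fixed configuration; the AD-first ordering can be tried with `sequence=("AD", "RSA")`.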

Similar Messages

  • [Q] Identity Sequence issue causes MAB to auth against AD ??

    We have a strange issue whereby some users have suddenly failed to correctly authenticate against ACS 5.1 - we can't work out why, as nothing has changed, and would greatly appreciate your help.
    We have dot1x configured on our network with MAB fallback. We haven't yet rolled out dot1x to the clients even though the network is set up for this. In the meantime, we are using MAC Authentication Bypass. We do use 802.1x for wireless though.
    I have set up the following Identity Sequence:
    AD1 (this is set up as our AD servers for 802.1X user and machine auth)
    SecurID Server (we don't use this yet either)
    Internal Users (this is just used to authenticate CiscoWorks)
    Internal Hosts (this contains the list of allowed MAC addresses)
    Typically what we have seen today is a user initially authenticates successfully by matching the Internal Hosts identity store, but then an hour later, re-authentication fails as the MAC address matches the AD1 id store and subsequently fails due to the MAC address not being present within AD.
    Here is the successful connection entry (all MAC addresses substituted from the originals)...
    Steps
    11001  Received RADIUS Access-Request
    11017  RADIUS created a new session
    11027  Detected Host Lookup UseCase (Service-Type = Call Check (10))
    Evaluating Service Selection Policy
    15004  Matched rule
    15012  Selected Access Service - Network Access
    Evaluating Identity Policy
    15006  Matched Default Rule
    15013  Selected Identity Store - Internal Hosts
    24432  Looking up user in Active Directory - 00-1B-78-00-33-00
    24412  User not found in Active Directory
    24559  Searching for user in the RSA identity store.
    24556  User record was not found in the cache.
    24210  Looking up User in Internal Users IDStore - 00-1B-78-00-33-00
    24216  The user is not found in the internal users identity store.
    24209  Looking up Host in Internal Hosts IDStore - 00-1B-78-00-33-00
    24211  Found Host in Internal Hosts IDStore
    22037  Authentication Passed
    22023  Proceed to attribute retrieval
    24432  Looking up user in Active Directory - 00-1B-78-00-33-00
    24412  User not found in Active Directory
    22016  Identity sequence completed iterating the IDStores
    Evaluating Group Mapping Policy
    24423  ACS has not been able to confirm previous successful machine authentication for user in Active Directory
    Evaluating Exception Authorization Policy
    15042  No rule was matched
    Evaluating Authorization Policy
    15004  Matched rule
    15016  Selected Authorization Profile - MAB-PC
    11022  Added the dACL specified in the Authorization Profile
    11002  Returned RADIUS Access-Accept
    Here is the failed connection entry....
    Steps
    11001  Received RADIUS Access-Request
    11017  RADIUS created a new session
    11027  Detected Host Lookup UseCase (Service-Type = Call Check (10))
    Evaluating Service Selection Policy
    15004  Matched rule
    15012  Selected Access Service - Network Access
    Evaluating Identity Policy
    15006  Matched Default Rule
    15013  Selected Identity Store - AD1
    24432  Looking up user in Active Directory - 00-1B-78-00-33-00
    24416  User's Groups retrieval from Active Directory succeeded
    22037  Authentication Passed
    22023  Proceed to attribute retrieval
    22038  Skipping the next IDStore for attribute retrieval because it is the one we authenticated against
    22016  Identity sequence completed iterating the IDStores
    Evaluating Group Mapping Policy
    24423  ACS has not been able to confirm previous successful machine authentication for user in Active Directory
    Evaluating Exception Authorization Policy
    15042  No rule was matched
    Evaluating Authorization Policy
    15006  Matched Default Rule
    15016  Selected Authorization Profile - DenyAccess
    15039  Selected Authorization Profile is DenyAccess
    11003  Returned RADIUS Access-Reject
    Any help greatly appreciated!

    Hello Paul,
    If a switch is configured for dot1x with MAB fallback as ours is, does the switch still send the MAC address for a dot1x-enabled client as well as the user and host AD credentials even though the MAC address is not required for auth in this case?
    A switchport configured for 802.1x with MAB fallback will first send an EAPOL Start message. An 802.1x enabled client would be able to provide the appropriate User and Host information and get authenticated via 802.1x. No MAC address will be sent at this point.
    For the same switch and a client with dot1x DISABLED, does the switch forward just the MAC address to ACS?
    Yes, the switch will send the EAPOL Start messages to the 802.1x disabled client. It will not be able to respond to the switchport request. After the retries the switchport will fall back to MAB and expect the client to send the MAC address to get authenticated.
    If the switch invokes MAB and passes just the MAC address to ACS, does ACS still run the MAC address through the full identity store sequence which starts with AD1, even though dot1x is not running (and therefore AD matching is not relevant)?
    Yes, the ACS will still run the authentication against all the databases specified in the Identity Store Sequence from top to bottom.
    Ultimately, I am trying to decide if
    a) ACS is passing non-dot1x credentials (namely the MAC address) to AD erroneously ---> Do not think this might be the case, as it will always pass the credentials to every database in the specified order
    b) if AD is responding (correctly or incorrectly) with a match ---> We know this one is happening.
    c) if AD is rejecting the MAC address but that the rejection message isn't triggering the next iteration in the identity store sequence. ----> Do not think AD is rejecting the MAC address based on:
    24432  Looking up user in Active Directory - 00-1B-78-00-33-00
    24416  User's Groups retrieval from Active Directory succeeded
    At this point I have no suggestions on how to determine if the MAC address is being properly authenticated on the AD side
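A small parser for the ACS "Steps" lists quoted in this thread, added here as an example and not Cisco's code. It reads abridged copies of the two step lists above and flags a Host Lookup (MAB) request that passed authentication against a store other than the one holding the MAC addresses, which is exactly what the failed entry shows; the `INTERNAL_HOSTS_STORE` name is taken from the poster's sequence and the abridgement of the step lists is an assumption.

```python
# Added example, not Cisco code: a parser for the ACS 5.x "Steps" lists quoted in
# this thread. It flags a Host Lookup (MAB) request that passed authentication against
# a store other than the internal-hosts store, which is what the failed entry shows.
# The two step lists are abridged copies of the ones in the thread; the store name in
# INTERNAL_HOSTS_STORE is taken from the poster's sequence and otherwise assumed.
import re

INTERNAL_HOSTS_STORE = "Internal Hosts"

# Abridged from the successful entry in the thread.
PASSED_STEPS = """\
11001  Received RADIUS Access-Request
11027  Detected Host Lookup UseCase (Service-Type = Call Check (10))
15013  Selected Identity Store - Internal Hosts
24432  Looking up user in Active Directory - 00-1B-78-00-33-00
24412  User not found in Active Directory
24211  Found Host in Internal Hosts IDStore
22037  Authentication Passed
11002  Returned RADIUS Access-Accept
"""

# Abridged from the failed entry in the thread.
FAILED_STEPS = """\
11001  Received RADIUS Access-Request
11027  Detected Host Lookup UseCase (Service-Type = Call Check (10))
15013  Selected Identity Store - AD1
24432  Looking up user in Active Directory - 00-1B-78-00-33-00
24416  User's Groups retrieval from Active Directory succeeded
22037  Authentication Passed
15016  Selected Authorization Profile - DenyAccess
11003  Returned RADIUS Access-Reject
"""

STEP_RE = re.compile(r"^\s*(\d{5})\s+(.*?)\s*$")


def parse_steps(text):
    """Return (code, message) pairs; unnumbered 'Evaluating ...' lines are skipped."""
    return [(m.group(1), m.group(2)) for m in map(STEP_RE.match, text.splitlines()) if m]


def summarize(text):
    """Extract the facts the thread turns on: the use case, the store that answered,
    the MAC address looked up, and the authentication / RADIUS outcome."""
    steps = parse_steps(text)
    codes = {code for code, _ in steps}
    summary = {
        "host_lookup": "11027" in codes,   # MAB request (Service-Type Call Check)
        "identity_store": None,
        "mac": None,
        "passed": "22037" in codes,
        "radius": "Access-Accept" if "11002" in codes
                  else "Access-Reject" if "11003" in codes else None,
    }
    for code, msg in steps:
        if code == "15013":                # Selected Identity Store - <name>
            summary["identity_store"] = msg.split(" - ", 1)[1]
        elif code == "24432":              # Looking up user in Active Directory - <id>
            summary["mac"] = msg.split(" - ", 1)[1]
    return summary


def mab_passed_outside_hosts_store(text):
    """True when a MAB request was authenticated by a store other than the one that
    holds the MAC addresses -- the condition to alert on from the failed entry."""
    s = summarize(text)
    return bool(s["host_lookup"] and s["passed"]
                and s["identity_store"] != INTERNAL_HOSTS_STORE)


if __name__ == "__main__":
    for name, text in (("passed", PASSED_STEPS), ("failed", FAILED_STEPS)):
        print(name, summarize(text), "ALERT" if mab_passed_outside_hosts_store(text) else "ok")
```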

  • Wsrm Sequence refused error

    Hi All,
    I am trying to implement reliable messaging at the OSB level. I keep getting this error when I invoked the service after adding RM.
    Fri Apr 26 10:07:47 EST 2013:DEBUG:<< "<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/"><env:Header xmlns:wsrm="http://schemas.xmlsoap.org/ws/2005/02/rm" xmlns:wsa="http://www.w3.org/2005/08/addressing"><wsrm:SequenceFault xmlns:wsrm="http://schemas.xmlsoap.org/ws/2005/02/rm"><wsrm:FaultCode>wsrm:UnknownSequence</wsrm:FaultCode><wsrm:Identifier>wsrm:CreateSequenceRefused</wsrm:Identifier></wsrm:SequenceFault><wsa:Action xmlns:wsu="http://schemas.xmlsoap.org/ws/2002/07/utility">http://www.w3.org/2005/08/addressing/fault</wsa:Action><wsa:MessageID xmlns:wsu="http://schemas.xmlsoap.org/ws/2002/07/utility">uuid:11d1def534ea1be0:-605f7376:13e16e4a85b:-7fc2</wsa:MessageID><wsa:RelatesTo xmlns:wsu="http://schemas.xmlsoap.org/ws/2002/07/utility" xmlns:wsa="http://www.w3.org/2005/08/addressing" wsa:RelationshipType="http://www.w3.org/2005/08/addressing/reply">uuid:3940a61c-50a2-4392-9996-5fcf576457be</wsa:RelatesTo><wsa:To xmlns:wsu="http://schemas.xmlsoap.org/ws/2002/07/utility">http://www.w3.org/2005/08/addressing/anonymous</wsa:To></env:Header><env:Body><env:Fault><faultcode>env:Client</faultcode><faultstring xml:lang="en-US">The value of wsrm:Identifier is not a known Sequence identifier.</faultstring></env:Fault></env:Body></env:Envelope>"
    In the endpoint payload I get a fault returned as
    javax.xml.rpc.JAXRPCException: Offered sequence refused. There are no output messages defined on this endpoint, so no offer sequence is required or allowed.
    The service is a one-way message so, obviously no output message is defined on this endpoint.
    The flow of the service calls in my application are as follows
    SOAPUI ---> OSB Proxy (one-way) ---> OSB Business Service (one-way) ---> SOA Implementation Service (one-way).
    Please suggest how to implement RM on a one-way service
    Thanks in advance

    Just a question in the one-way messaging pattern how will the Sequence create response be sent back. Is there any good example.
    Thanks

  • How to find which sequence name is used in a table

    Hi,
    I have a table that uses some sequence.
    But how can we find that the table is using such and such a sequence?
    Which USER_* table is used for that?
    Thanks

    user5451445 wrote:
    I know this is an old thread but I was in the position of the original author, and based on responses here I made this query that can be useful when the sequence is attached to the table using triggers (the most common scenario).
    I would agree that the most common use of a sequence is probably to generate a PK for a table.
    I would agree that, when using a sequence to generate a PK, using a trigger is best practice.
    But those two agreements do NOT add up to validating your assumption that "attaching" a sequence to a table using a trigger is the most common scenario. Many shops feel that triggers are inherently evil and forbid their use. Even without that, many developers refuse to use the facilities of the database and insist on putting everything in their app code. Thus, even when using a sequence, they embed it in their app, thus allowing the use of the sequence to be bypassed by other code.
    And in the case of someone trying to locate the use of the trigger, they must keep in mind that not all application code is in PL/SQL modules - it may very well exist completely outside of the database and thus be invisible to any query you could run on the database.
    Let's say we have a table tblproceso and a sequence proceso_id_seq, and we wrote a trigger that puts the next value from the sequence on every INSERT. With this query we can see in what table we use sequences like 'proceso_id_seq':
    select trigger_body, table_name
      from user_triggers
     where triggering_event = 'INSERT'
       and UPPER(dbms_metadata.get_ddl('TRIGGER', trigger_name)) LIKE '%PROCESO_ID_SEQ%';
    This will show the trigger body and the name of the table where it's used.
    Hope this can help other users with this scenario.

  • HT1947 The latest app will pair with my 9.2.1 library but not control it. I refuse to use 10 as it has a feature that degrades the sound via the AirPort Express so I no longer can use my library, any answers? How can I get the older app back on my iOS 5 d

    I have an iPhone 4 on the latest iOS 5 and the latest 2.3 Remote app, as I use iTunes 10 to manage the phone. Since version 10 of iTunes the AirPort Express output has been degraded with a digital volume control, so I refuse to use version 10 for my lossless audio. I specifically purchased the AE knowing that I would have perfect lossless digital audio to pass on to my high-end music system (I understand that turning the volume to the maximum should have the same result, but to me it just does not sound as good as with iTunes 9). This step back with version 10 of iTunes has made me determined to stay with iTunes 9.2.1. Now I find that the upgraded version of the Remote app will not pair with or control a 9.2.1 library. Does anyone have a solution that does not involve using iTunes 10 to stream my audio under the control of the iPhone? I would dearly love to just go back to an older version of the iPhone app, but again how can that be done? Or better still, have the option in iTunes 10 to have guaranteed bit-perfect output to AirPort devices, as many people would really appreciate this, since true lossless audio is essential for many serious music lovers.
    Kind regards from a disappointed Apple owner and dedicated music listener.

    Strangely enough the pref file did not show up in the Preferences folder.  I don't know what this means but it could be significant.

  • Mail refuses to use current SMTP

    Mail Version 2.0.7
    Problem: With SOME but NOT all messages Mail refuses to use the currently active SMTP server. When the problem occurs, on some occasions, Mail provides a choice of available SMTP servers (I have to manually change servers for each message for the rest of the session, but messages are sent OK). On other occasions it only provides the inappropriate server as available FOR THIS MESSAGE ONLY. Other messages - in the same session - can be posted OK (Mail uses the active server).
    This is an IMAP account; there are 2 SMTP servers on the list (corresponding to 2 locations I send e-mail from); both SMTPs are configured fine. The port is NOT blocked. (I have 3 other accounts on the account list but these are "not active".)
    Tried: removing extra SMTP servers from the list; restarting Mail; restarting the Mac; resubmitting mail, etc. The problem is address specific (always with the same address) BUT this address used on another computer is working fine.

    Intriguing problem indeed.
    Is there any commonality in the email addresses that poses these problems?
    Just to see if I now read you correctly:
    When you send from work to address A, it works.
    When taking the PowerBook home and sending now from a different SMTP, but also to address A, it won't let you do it. And to make it more puzzling, this is only with some addresses, not with all?

  • How to pass a value for the value field of return parameters for an action step in a TestStand sequence file programmatically using C#

    I used the method LoadPrototypeFromMetaDataToken(token, options) to load the return type parameters. I am unable to set the value field in the return parameters for an action step in a TestStand sequence file programmatically using C#. How can I do that?

    Continue here

  • How to create a local object reference variable in a TestStand sequence file programmatically using C#

    I want to create a local object reference variable in a TestStand sequence file programmatically using C#.

    Hi,
    According to your reply in this thread
    http://forums.ni.com/ni/board/message?board.id=330&thread.id=26984
    just try this example. There you will create a numeric variable while executing a sequence!
    Hope this is what you are looking for. 
    Please attach all your questions here.
    juergen
    Attachments:
    CTestStandDialog.zip ‏31 KB

  • Executing sequence of commands using exec

    How do I execute a sequence of commands using java.lang.Runtime.exec()?
    As a part of an assignment, I need to use the exec command to
    a. change drive and then
    b. change directory and then
    c. execute some command.
    Thanks.

    Windows:
    "pushd <dir path> && <some command>"

  • Mail refuses to use outgoing SMTP servers

    I have two accounts in my mail, one for my ISP, the other is my .Mac account. For some reason mail refuses to use the correct SMTP servers. The setup is correct, and the problem just cropped up one day.
    How do I blow them out and start from scratch?

    Hmmm, sounds like you have some Disk problems.
    "Try Disk Utility
    1. Insert the Mac OS X Install disc that came with your computer, then restart the computer while holding the C key.
    2. When your computer finishes starting up from the disc, choose Disk Utility from the Installer menu. (In Mac OS X 10.4 or later, you must select your language first.)
    *Important: Do not click Continue in the first screen of the Installer. If you do, you must restart from the disc again to access Disk Utility.*
    3. Click the First Aid tab.
    4. Click the disclosure triangle to the left of the hard drive icon to display the names of your hard disk volumes and partitions.
    5. Select your Mac OS X volume.
    6. Click Repair. Disk Utility checks and repairs the disk."
    http://docs.info.apple.com/article.html?artnum=106214
    Then Safe Boot from the HD, (holding Shift key down at bootup), run Disk Utility in Applications>Utilities, then highlight your drive, click on Repair Permissions, reboot when it completes.
    Please report errors.

  • Sound panel refuses to use existing AirPlay device

    The Sound panel in System Preferences refuses to use an existing AirPlay device unless the computer is restarted. What's wrong?
    Presently using Mavericks, but the problem existed on Mountain Lion as well.

    Hi there Bill_townsville,
    You may find the troubleshooting steps in the article below helpful.
    Resolve issues with AirPlay and AirPlay Mirroring from iPhone, iPad, and iPod touch 
    -Griff W.  

  • HT204267 My MacBook Pro 13 refuses to turn on after I place it in sleep mode by closing the lid.

    My MacBook Pro 13 refuses to turn on after I place it in sleep mode by closing the lid. After opening the lid the LED sleep indicator is still on and the screen hasn't revived, but once I press any button to revive it, it goes off and refuses to turn on. Is there a way to fix this?

    Hello Carlens J,
    Thanks for visiting Apple Support Communities.
    It sounds like your MacBook Pro does not wake from sleep, and shuts down when you try to wake it.
    Try these troubleshooting steps to remedy the situation, or if your Mac is currently not powering on:
    OS X: When your Mac doesn't sleep or wake - Apple Support
    Reset SMC
    The System Management Controller (SMC) is involved in managing power on your computer. Reset the SMC on your Mac if you are having difficulty sleeping or waking your computer.
    Reset NVRAM/PRAM
    Nonvolatile RAM (NVRAM)/Parameter RAM (PRAM) stores some power-related settings. Try resetting NVRAM/PRAM if you are having difficulty sleeping or waking your computer.
    Test with external devices disconnected
    Some external devices can prevent your computer from sleeping. Try disconnecting items other than your Apple keyboard or mouse from the built-in USB, Thunderbolt and Firewire ports on your Mac. If this resolves the issue, try reconnecting your external devices one at a time until you find the device preventing sleep or wake. Check the documentation that came with the device, or contact the device manufacturer for more information.
    Try Safe Mode
    Check to see if the issue still occurs when the computer is started in Safe Mode. If this resolves the issue, it could be related to a third party software item such as:
    a login item
    a startup item
    a third party kernel extension
    Best Regards,
    Jeremy

  • I was upgrading my iOS last night but when I checked to see the progress, the home page refused to show. After the Apple icon comes on, the screen immediately changes to show the iTunes icon with a charging port cable

    I was upgrading my iOS last night but when I checked to see the progress, the home page refused to show. After the Apple icon comes on, the screen immediately changes to show the iTunes icon with a charging port cable. What should I do?

    That means that you have to connect your iPad to your computer and use iTunes to restore the iOS software. Read this for the instructions.
    iTunes: Restoring iOS software - Support - Apple

  • ISE max-login-ignore-identity-response

    Hi forumers,
    Greetings, I had a question regarding the ISE login identity response.
    In my POC deployment, I'm using a single testing domain user account in the testing Active Directory. I am able to log in to the testing secure network using the same user credential over a normal workstation and a handheld device (e.g. iPhone, iPad etc.) SIMULTANEOUSLY.
    How can I strengthen the authorization policy so that
    1. the ISE max-login identity response only allows a maximum of 2 concurrent connections: one user per workstation and/or handheld device.
    example:
    AD user-A connecting to 1 unit of workstation and 1 unit of iPhone at the same time. If user-A tries to connect another iPad this time, the connection should fail.
    Can I fine-tune and strengthen this? Thanks
    Noel

    I have had the same issue; the fault is caused by the time zone in the sponsor groups being set by default to UTC, so if you are in London the accounts won't become available until UTC time. The best practice is to add a local time zone and remove UTC at initial configuration.
    To resolve this, create a new local time zone in Guest Access>Settings>Guest Locations and SSIDs, then under Guest Access>Configure>Sponsor Groups amend the time zone properties in each sponsor group.
    One other problem is that if you do not remove this at initial configuration you don't seem to be able to get rid of UTC; not really an issue unless you forget when creating new sponsor groups.

  • ISE and no External Identity Source

    I have this particular case in which I need to make authentications for users in ISE without Active Directory/LDAP etc.
    I would like to have some kind of MAC to USER binding where the user would not be able to add more devices to the network. I know EAP chaining using AnyConnect is a way of achieving this, but then again I can only see it using AD or some kind of external database. Also printers, wireless and phones are in the map. I tried using MAB and CWA for this but do not want to have the users be able to self-register their devices as if they were guests.
    EAP chaining without AD??? Possible?
    Any hope?
    Thank you 

    Someone else can chime in here but I don't think it is possible to perform EAP-Chaining with the internal database of ISE. With that being said, feel free to read the EAP-TEAP IETF doc :)
    http://tools.ietf.org/html/draft-ietf-emu-eap-tunnel-method-01
