ISE 1.2 rejects RADIUS messages from 5508 WLC

The setup in ref is:
WLC 5508 HA pair running 7.6 talking to ISE 1.2 patch 7 (was 6).
Wireless users are authenticated fine, so the 5508 is a valid NAD in ISE, but...
When I set up active RADIUS fallback, so that the WLC can poll the ISE servers, I get the message:
"The RADIUS request from a non-wireless device was dropped because the installed license is for wireless devices only"
Why would ISE drop a RADIUS message from a WLC which is a wireless device? Surely this is a mistake?

Hi Nicholas,
This is a known defect.
CSCug34679 ISE drop keep alive coming from WLC.
Symptom:
ISE drops keep alive authentications coming from the WLC, with message 11054 Request from a non-wireless device due to installed wireless license.
Conditions:
When only a wireless license is installed on the ISE and using active keep alive on the WLC.
Workaround:
Use passive keep alive on the WLC and not active.
Regards,
Jatin Katyal
*Do rate helpful posts*
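
A triage sketch for the symptom described in this thread, added here as an example (it is not from the original posts or from Cisco): it separates 11054 drops that recur at a fixed interval from a known WLC, which is what an active keep-alive probe looks like, from every other 11054 drop. The record layout, addresses, usernames and thresholds are constructed assumptions and do not represent an ISE export format.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

DROP_CODE = "11054"  # message code quoted in the thread

# Constructed records (NOT an ISE log format):
# ISO timestamp, NAD address, username, message code.
SAMPLE_RECORDS = """\
2014-03-01T10:00:00 192.0.2.10 wlc-probe 11054
2014-03-01T10:01:12 192.0.2.10 bob 5200
2014-03-01T10:02:11 198.51.100.7 alice 11054
2014-03-01T10:02:40 198.51.100.7 alice 11054
2014-03-01T10:03:00 198.51.100.9 probe 11054
2014-03-01T10:04:00 198.51.100.9 probe 11054
2014-03-01T10:05:00 198.51.100.9 probe 11054
2014-03-01T10:05:00 192.0.2.10 wlc-probe 11054
2014-03-01T10:06:00 198.51.100.9 probe 11054
2014-03-01T10:10:01 192.0.2.10 wlc-probe 11054
2014-03-01T10:15:00 192.0.2.10 wlc-probe 11054
2014-03-01T10:20:00 192.0.2.10 wlc-probe 11054
"""


def parse_records(text):
    """Parse the constructed four-column records; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        stamp, nad, user, code = parts
        records.append((datetime.fromisoformat(stamp), nad, user, code))
    return records


def classify_drops(records, known_wlcs, min_events=4, jitter_s=2.0):
    """Group 11054 drops by (NAD, username) and label each group.

    'keepalive-pattern': the NAD is a registered WLC AND the drops repeat at a
    steady interval (every gap within jitter_s of the median gap).
    'investigate': anything else, e.g. an unknown NAD or irregular drops.
    """
    groups = defaultdict(list)
    for when, nad, user, code in records:
        if code == DROP_CODE:
            groups[(nad, user)].append(when)

    result = {}
    for (nad, user), times in groups.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mid = median(gaps) if gaps else None
        periodic = len(times) >= min_events and all(
            abs(g - mid) <= jitter_s for g in gaps
        )
        verdict = "keepalive-pattern" if nad in known_wlcs and periodic else "investigate"
        result[(nad, user)] = {
            "count": len(times),
            "median_gap_s": mid,
            "verdict": verdict,
        }
    return result


if __name__ == "__main__":
    # 192.0.2.10 stands in for the WLC that is defined as a NAD in ISE.
    for key, info in classify_drops(parse_records(SAMPLE_RECORDS), {"192.0.2.10"}).items():
        print(key, info)
```

Groups labelled keepalive-pattern are candidates for the passive keep-alive workaround quoted above; groups labelled investigate are drops from sources that do not fit that pattern.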

Similar Messages

  • ISE 1.2 rejects RADIUS messages from vWLC

    Hello,
    I have an ISE appliance with the Wireless license. The Cisco vWLC is configured to send Radius traffic to the device, but is getting the error message:
    11054 Request from a non-wireless device was  dropped due to installed Wireless license
    The vWLC is showing up under endpoints as a VMWARE workstation, and not a WLC, and so under the licensing requirements will not allow RADIUS to be received from anything other than a WLC. I tried hard-coding the policy to match a Cisco WLC with a condition of matching its MAC address, and even disabled the VMWARE profile policy, but the endpoint then only matches the "Unknown" policy. Any ideas?

    Check the Cisco ISE dashboard (Operations > Authentications) for any indication regarding the nature of RADIUS communication loss. (Look for instances of your specified RADIUS usernames and scan the system messages that are associated with any error message entries.)
    Log into the Cisco ISE CLI and enter the following command to produce RADIUS attribute output that may aid in debugging connection issues:
    test aaa group radius new-code
    If this test command is successful, you should see the following attributes:
    Connect port
    Connect NAD IP address
    Connect Policy Service ISE node IP address
    Correct server key
    Recognized username or password
    Connectivity between the NAD and Policy Service ISE node
    You can also use this command to help narrow the focus of the potential problem with RADIUS communication by deliberately specifying incorrect parameter values in the command line and then returning to the administrator dashboard (Operations > Authentications) to view the type and frequency of error message entries that result from the incorrect command line. (For example, to test whether or not user credentials may be the source of the problem, enter a username and or password that you know is incorrect, and then go look for error message entries that are pertinent to that username in the Operations > Authentications page to see what Cisco ISE is reporting.)
    Note: This command does not validate whether or not the NAD is configured to use RADIUS, nor does it verify whether the NAD is configured to use the new AAA model.

  • Understanding syslog messages from our wlc

    Hello,
    We use two wlc 4402 (4.1.181.0) and several lightweight access points (AIR-AP1010-E-K9 and AIR-AP1030-E-K9) connected to them.
    On our syslog server we get a lot of messages from the two wlc, and there are 3 message types which I am a little bit afraid of.
    1. ca. 10 times per hour we get the message
    apf_80211.c:4792 APF-6-NO_CONFIG_CHANGES: Not saving 'apf.cfg' - no config changes."
    Cisco system message guide:
    Error Message %APF-6-NO_CONFIG_CHANGES: Not saving '[chars]' - no config changes.
    Explanation Not saving - no config changes.
    Recommended Action No action is required.
    Does anybody know why we get these messages and if it's possible to suppress them?
    2. Intermittently (several times a day) we get the following message types:
    a) [ERROR] spam_l2.c 723: Max retransmissions reached on AP 00:0B:85:56:63:40 (CONFIGURE_COMMAND^M , 2)"
    b) [ERROR] spam_tmr.c 569: Did not receive hearbeat reply from AP 00:0b:85:56:ae:40"
    The MAC address is not every time the same but one of our accesspoints.
    On our network management system we get the following trap messages with nearly exactly the same timestamp:
    14.01.2008 04:21:56 CET
    AP ''00.0b.85.56.63.40'', interface ''0x1'' is down.
    When Airespace AP's interface operation status goes down this trap will be sent.
    bsnAPDot3MacAddress = 00.0b.85.56.63.40
    bsnAPIfSlotId = 0x1
    14.01.2008 04:21:56 CET
    AP disassociated from Switch.
    When an Airespace AP disassociates from a Airespace Switch, the AP disassociated notification will be sent with the dot3 MAC address of the Airespace AP. This will notify the management system to remove Airespace AP from this Airespace Switch.
    bsnAPMacAddrTrapVariable =
    14.01.2008 04:22:25 CET
    AP associated with Switch.
    When an Airespace AP Associates to a Airespace Switch, the AP associated notification will be sent with the dot3 MAC address of the Airespace AP. This will help the management system to discover the Airespace AP and add it to system.
    bsnAPMacAddrTrapVariable =
    bsnAPPortNumberTrapVariable = 1
    Cisco system message guide:
    a) Error Message %LWAPP-3-TX_ERR3: Max retransmissions for LWAPP control message reached on AP [hex]:[hex]:[hex]:[hex]:[hex]:[hex] for [chars] (number of pending messages is [dec])
    Explanation Maximum number of times an LWAPP control packet is transmitted before declaring the AP dead has been reached for this AP. The AP may not be on the network, or might have rebooted.
    Recommended Action Check if the AP has rebooted or if it has been removed from the network, or if there are connectivity issues between the AP and the controller.
    b) Error Message %LWAPP-3-ECHO_ERR: Did not receive heartbeat reply; AP: [hex]:[hex]:[hex]:[hex]:[hex]:[hex]
    Explanation Controller did not get a response for the AP heartbeat message. There may be connectivity issues between the AP and the controller.
    Recommended Action Check if the AP has rebooted or if it has been removed from the network, or if there are connectivity issues between the AP and the controller.
    Because we don't see any network problems I'm wondering why the connection is lost.
    Does anybody have an idea, perhaps CSCsh13928 (http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsh13928, but we don't have much traffic on the wlans) ?
    Is there any possibility to remotely check if the accesspoint rebooted?
    If you need further information please give me a short feedback.
    Many thanks in advance,
    Thorsten Steffen

    Thanks for the help.
    I have set up to send email and syslog messages from the RME applications. LMS server immediately started to send messages to the email server but syslog messages are not forwarded to the syslog server. Everything was done according to your instructions except that the name of the first script (syslog_forward.pl) is made consistent with what the second script (.bat) refers to (forward1.pl). What's the problem? Does RME send the standard syslog messages via UDP port 514?
    Sincerely.

  • AP unable to download the image from 5508 WLC

    Hi,
    I have a 5508 WLC connected to 2950 Switch and the LAP 1262 connected to the same default VLAN. My APs are able to join the controller since they are in the same broadcast domain but they are NOT able to download the image from WLC. When I am looking at the wireless tab of WLC, it says... Downloading Image.
    Can anyone please suggest what needs to be done to bring up the APs? Also, the following is the error I am seeing at the AP.
    *Apr 27 11:48:40.640: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 192.168.1.99:5246
    *Apr 27 11:48:40.640: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
    *Apr 27 11:48:40.640: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
    *Apr 27 11:48:40.694: %CAPWAP-3-ERRORLOG: capwap ifs:  read error or timeout
    *Apr 27 11:48:40.700: capwap_image_proc: problem extracting tar file
    *Apr 27 11:48:40.700: %CAPWAP-3-ERRORLOG: Dropping dtls packet since session is not established.
    *Apr 27 11:48:51.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.1.99 peer_port: 5246
    *Apr 27 11:48:51.000: %CAPWAP-5-CHANGED: CAPWAP changed state to 
    *Apr 27 11:48:51.569: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 192.168.1.99 peer_port: 5246
    *Apr 27 11:48:51.569: %CAPWAP-5-SENDJOIN: sending Join Request to 192.168.1.99
    *Apr 27 11:48:51.569: %CAPWAP-5-CHANGED: CAPWAP changed state to JOIN
    examining image...
    *Apr 27 11:48:56.571: %CAPWAP-5-SENDJOIN: sending Join Request to 192.168.1.99perform archive download capwap:/ap3g1 tar file
    *Apr 27 11:48:56.583: %CAPWAP-5-AP_IMG_DWNLD: Required image not found on AP. Downloading image from Controller.
    *Apr 27 11:48:56.589: %CAPWAP-5-CHANGED: CAPWAP changed state to IMAGE
    *Apr 27 11:48:56.589: Loading file /ap3g1...
    logging facility kern
            ^
    % Invalid input detected at '^' marker.
    %Error opening flash:/update/info (No such file or directory)
    ERROR: Image is not a valid IOS image archive.
    archive download: takes 48 seconds
    *Apr 27 11:49:44.640: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 192.168.1.99:5246
    *Apr 27 11:49:44.640: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
    *Apr 27 11:49:44.640: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
    *Apr 27 11:49:44.694: %CAPWAP-3-ERRORLOG: capwap ifs:  read error or timeout
    *Apr 27 11:49:44.700: capwap_image_proc: problem extracting tar file
    *Apr 27 11:49:44.700: %CAPWAP-3-ERRORLOG: Dropping dtls packet since session is not established.
    *Apr 27 11:49:54.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.1.99 peer_port: 5246
    *Apr 27 11:49:54.000: %CAPWAP-5-CHANGED: CAPWAP changed state to 
    *Apr 27 11:49:54.569: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 192.168.1.99 peer_port: 5246
    *Apr 27 11:49:54.572: %CAPWAP-5-SENDJOIN: sending Join Request to 192.168.1.99
    *Apr 27 11:49:54.572: %CAPWAP-5-CHANGED: CAPWAP changed state to JOIN
    examining image...
    *Apr 27 11:49:59.571: %CAPWAP-5-SENDJOIN: sending Join Request to 192.168.1.99perform archive download capwap:/ap3g1 tar file
    *Apr 27 11:49:59.583: %CAPWAP-5-AP_IMG_DWNLD: Required image not found on AP. Downloading image from Controller.
    *Apr 27 11:49:59.589: %CAPWAP-5-CHANGED: CAPWAP changed state to IMAGE
    *Apr 27 11:49:59.589: Loading file /ap3g1...
    logging facility kern
            ^
    % Invalid input detected at '^' marker.
    %Error opening flash:/update/info (No such file or directory)
    ERROR: Image is not a valid IOS image archive.
    archive download: takes 48 seconds
    *Apr 27 11:50:47.644: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 192.168.1.99:5246
    *Apr 27 11:50:47.644: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
    *Apr 27 11:50:47.644: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
    *Apr 27 11:50:47.697: %CAPWAP-3-ERRORLOG: capwap ifs:  read error or timeout
    *Apr 27 11:50:47.697: %CAPWAP-3-ERRORLOG: Dropping dtls packet since session is not established.
    *Apr 27 11:50:47.703: capwap_image_proc: problem extracting tar file
    *Apr 27 11:50:57.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.1.99 peer_port: 5246
    *Apr 27 11:50:57.000: %CAPWAP-5-CHANGED: CAPWAP changed state to 
    *Apr 27 11:50:57.569: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 192.168.1.99 peer_port: 5246
    *Apr 27 11:50:57.569: %CAPWAP-5-SENDJOIN: sending Join Request to 192.168.1.99
    *Apr 27 11:50:57.569: %CAPWAP-5-CHANGED: CAPWAP changed state to JOIN
    examining image...
    *Apr 27 11:51:02.571: %CAPWAP-5-SENDJOIN: sending Join Request to 192.168.1.99perform archive download capwap:/ap3g1 tar file
    *Apr 27 11:51:02.583: %CAPWAP-5-AP_IMG_DWNLD: Required image not found on AP. Downloading image from Controller.
    *Apr 27 11:51:02.589: %CAPWAP-5-CHANGED: CAPWAP changed state to IMAGE
    *Apr 27 11:51:02.589: Loading file /ap3g1...
    logging facility kern
            ^
    % Invalid input detected at '^' marker.
    %Error opening flash:/update/info (No such file or directory)
    ERROR: Image is not a valid IOS image archive.
    archive download: takes 48 seconds
    *Apr 27 11:51:50.640: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 192.168.1.99:5246
    *Apr 27 11:51:50.640: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
    *Apr 27 11:51:50.640: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
    *Apr 27 11:51:50.694: %CAPWAP-3-ERRORLOG: capwap ifs:  read error or timeout
    *Apr 27 11:51:50.700: capwap_image_proc: problem extracting tar file
    *Apr 27 11:51:50.700: %CAPWAP-3-ERRORLOG: Dropping dtls packet since session is not established.
    *Apr 27 11:52:00.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.1.99 peer_port: 5246
    *Apr 27 11:52:00.000: %CAPWAP-5-CHANGED: CAPWAP changed state to 
    *Apr 27 11:52:00.569: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 192.168.1.99 peer_port: 5246
    *Apr 27 11:52:00.569: %CAPWAP-5-SENDJOIN: sending Join Request to 192.168.1.99
    *Apr 27 11:52:00.569: %CAPWAP-5-CHANGED: CAPWAP changed state to JOIN
    examining image...
    *Apr 27 11:52:05.571: %CAPWAP-5-SENDJOIN: sending Join Request to 192.168.1.99perform archive download capwap:/ap3g1 tar file
    *Apr 27 11:52:05.583: %CAPWAP-5-AP_IMG_DWNLD: Required image not found on AP. Downloading image from Controller.
    *Apr 27 11:52:05.589: %CAPWAP-5-CHANGED: CAPWAP changed state to IMAGE
    *Apr 27 11:52:05.589: Loading file /ap3g1...
    logging facility kern

    Hi Amjad, I am working on the same controller and I uploaded the image to another AP and converted it to LAP, but this is not registering on the controller and behaves like the first, as the first AP is registered and working fine. The 2nd AP console output is given below.
    %Error opening flash:/update/info (No such file or directory)
    ERROR: Image is not a valid IOS image archive.
    archive download: takes 48 seconds
    *Apr 29 10:16:29.644: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 192.168.1.59:5246
    *Apr 29 10:16:29.644: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
    *Apr 29 10:16:29.647: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
    *Apr 29 10:16:29.707: %CAPWAP-3-ERRORLOG: capwap ifs:  read error or timeout
    *Apr 29 10:16:29.713: capwap_image_proc: problem extracting tar file
    *Apr 29 10:16:29.713: %CAPWAP-3-ERRORLOG: Dropping dtls packet since session is not established.
    *Apr 29 10:16:40.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.1.59 peer_port: 5246
    *Apr 29 10:16:40.000: %CAPWAP-5-CHANGED: CAPWAP changed state to
    *Apr 29 10:16:40.569: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 192.168.1.59 peer_port: 5246
    *Apr 29 10:16:40.569: %CAPWAP-5-SENDJOIN: sending Join Request to 192.168.1.59
    *Apr 29 10:16:40.569: %CAPWAP-5-CHANGED: CAPWAP changed state to JOIN
    examining image...
    *Apr 29 10:16:45.571: %CAPWAP-5-SENDJOIN: sending Join Request to 192.168.1.59perform archive download capwap:/ap3g1 tar file
    *Apr 29 10:16:45.583: %CAPWAP-5-AP_IMG_DWNLD: Required image not found on AP. Downloading image from Controller.
    *Apr 29 10:16:45.589: %CAPWAP-5-CHANGED: CAPWAP changed state to IMAGE
    *Apr 29 10:16:45.589: Loading file /ap3g1...
    logging facility kern
            ^
    % Invalid input detected at '^' marker.
    %Error opening flash:/update/info (No such file or directory)
    ERROR: Image is not a valid IOS image archive.
    archive download: takes 48 seconds
    *Apr 29 10:17:33.647: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 192.168.1.59:5246
    *Apr 29 10:17:33.647: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
    *Apr 29 10:17:33.650: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
    *Apr 29 10:17:33.710: %CAPWAP-3-ERRORLOG: capwap ifs:  read error or timeout
    *Apr 29 10:17:33.716: capwap_image_proc: problem extracting tar file
    *Apr 29 10:17:33.716: %CAPWAP-3-ERRORLOG: Dropping dtls packet since session is not established.
    *Apr 29 10:17:43.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.1.59 peer_port: 5246
    *Apr 29 10:17:43.000: %CAPWAP-5-CHANGED: CAPWAP changed state to
    *Apr 29 10:17:43.569: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 192.168.1.59 peer_port: 5246
    *Apr 29 10:17:43.569: %CAPWAP-5-SENDJOIN: sending Join Request to 192.168.1.59
    *Apr 29 10:17:43.569: %CAPWAP-5-CHANGED: CAPWAP changed state to JOIN
    examining image...
    *Apr 29 10:17:48.571: %CAPWAP-5-SENDJOIN: sending Join Request to 192.168.1.59perform archive download capwap:/ap3g1 tar file
    *Apr 29 10:17:48.583: %CAPWAP-5-AP_IMG_DWNLD: Required image not found on AP. Downloading image from Controller.
    *Apr 29 10:17:48.589: %CAPWAP-5-CHANGED: CAPWAP changed state to IMAGE
    *Apr 29 10:17:48.589: Loading file /ap3g1...
    logging facility kern
            ^
    % Invalid input detected at '^' marker.
    %Error opening flash:/update/info (No such file or directory)
    ERROR: Image is not a valid IOS image archive.
    archive download: takes 48 seconds
    *Apr 29 10:18:36.647: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 192.168.1.59:5246
    *Apr 29 10:18:36.650: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
    *Apr 29 10:18:36.650: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
    *Apr 29 10:18:36.710: %CAPWAP-3-ERRORLOG: capwap ifs:  read error or timeout
    *Apr 29 10:18:36.716: capwap_image_proc: problem extracting tar file
    *Apr 29 10:18:36.716: %CAPWAP-3-ERRORLOG: Dropping dtls packet since session is not established.
    *Apr 29 10:18:46.000: %CAPWAP-5-DTLSRE
    pls help

  • Rejected record message from Essbase Studio load (3355)

    I receive the following error when deploying an outline via Essbase Studio to an ASO cube (ver 11.1.2):
    \\Record #36798 - Member XXX does not exist. Reference member column types require the field to be an existing member (3355)
    As I read the error (BTW, can someone help me find the table of rejected record codes?), it is rejecting the assignment of an attribute to a member because the member does not exist.
    What could be a reason though that I did not receive an "Error adding member XXX" rejection beforehand or something indicating that there was an error adding the member originally? I am puzzled because I cannot find anything special about the source data when comparing to the many others that loaded successfully.

    Hi All,
    Towards this error if we are talking about Hyperion Essbase - Version 11.1.2.1.000 and later.
    So mostly we are facing this issue has been verified as unpublished Bug 12967639.
    As documented in KM:
    Unable to Save ASO Outline After Renaming Members, "Error(1007072) Member [xxx] tagged as <REFER does not have a member to refer to" [ID 1465850.1]
    Also towards ASO there is another document having all there as:
    Oracle Hyperion Essbase and Aggregate Storage (ASO) [ID 1291202.1]
    Thanks,
    Shaker

  • 1131AG keeps disconnecting from 5508 wlc

    We have about 20 APs in our network and about 4-5 are 1131AGs and the rest are 3500s. The 1131s disconnect from the controller for about 2 minutes (I guess they are rebooting) and then come back up. This happens every 1-5 days. I have tried changing the power level and the channel. I am not sure why the 1131s keep disconnecting.

    I checked the wireless tab on the WLC gui and the AP uptime resets back to 0.  So it is probably rebooting/crashing.
    I tried pulling up logs from both the APs and the WLC. The logs stop about 3 months before and then continue right when the AP comes back online (e.g. Apr 14 was the last log, then Jul 1 was when the AP reset and came back online and joined the controller).
    Although there is a Jul 5th message:
    *Jul 5 16:00:13.121: %CAPWAP-3-ERRORLOG:  Received a upload request from controller for event log buffer

  • TFTP 'configuration update' from 5508 WLC fails stating reason as '%Error: Config file transfer failed – Unknown error –refer to log'

    Dear Experts,
    I have two WLCs and other management devices as part of same subnet. I am able to upload ‘configs’ from all the devices on to my TFTP server. However when I am attempting to do the same from one of my WLC, it is failing consistently stating error message as:
    ‘%Error: Config file transfer failed – Unknown error –refer to log
    Has anyone else too faced the same issue and how would we overcome this? Any specific debug that could help get more details on it?
    Though the error message says, refer to log but still I don’t see anything that gets reflected in ‘Monitor logs’ which is related to ‘configuration file’ upload failure.
    WLC code: 7.4.100.0
    PFA as the error snippet.
    Thanks and Regards,
    Adnan

    Hi Kaneswaran,
    Just a soft reboot helped me solve the problem :). I am still on 7.4 and facing no issues after this.
    Apologies for responding so late. Getting a downtime window was not that easy, so trying the soft reload was much delayed. I am still on 7.4 and facing no issue.
    Glad that in your case it started working all of a sudden. Could you please verify from 'show tech-support' whether by chance your WLC had undergone any crash that could have caused the WLC to reload, thus accidentally fixing the issue :)
    Best Regards,
    Muhammed Adnan 

  • Cannot get SG300 switch to send RADIUS messages for 802.1x

    I  want to eventually configure the SG300 to authenticate wired clients with 802.1x and Microsoft NPS (RADIUS). I am currently testing this setup using a single port (Port 7) on my SG300, a test machine, and an AD based Network Policy Server.
    The problem I have is that when I change the Administrative Port Control for Port 7 to Force Authorized, I see this log entry:
    Informational %SEC-I-PORTAUTHORIZED: Port gi7 is Authorized
    And then when I change the port control to Auto the port immediately changes to Unauthorized and I see this log entry:
    Warning %SEC-W-PORTUNAUTHORIZED: Port gi7 is unAuthorized
    However I never see any RADIUS messages being sent from the SG300 to my RADIUS server or from the SG300 to the test machine plugged into port 7. I am using WireShark on my RADIUS server to watch for messages from the SG300 IP Address and I'm using WireShark on a second test machine that is configured to monitor the NIC card in the test machine plugged into port 7 (I'm using Hyper-V and its facilities for this NIC monitoring setup.)
    Here is my configuration:
    Switch - 10.1.1.3
    RADIUS (Microsoft NPS)- 10.1.1.15
    Switch Usage Type - All (Login and 802.1x)
    Port 7 configuration:
    VLAN Mode is General
    Host Authentication is Single Host Authentication
    Administrative Port Control is Auto
    RADIUS VLAN Assignment is Disabled
    Guest VLAN is Enabled
    802.1x Based Authentication is Enabled
    Additional Configurations under Security - 802.1x/MAC/Web Authentication:
    Port Based Authentication is Enabled
    Authentication Method is RADIUS
    Guest VLAN is Enabled
    Guest VLAN ID is 2
    All of my VLANs are enabled for Authentication
    I've got to be missing something but I do not know what that something is.
    One last note:
    The SG300 uses the same RADIUS server for management console access and it works without problem. When I log into the switch, WireShark shows the RADIUS messages from the switch to the RADIUS server and back. So I know RADIUS is configured correctly on the switch.

    Hi,
    This is my working configuration where port gi3 has DVA configured as well. You might skip port gi3 but please compare to your config:
    interface  gi3
    dot1x host-mode multi-sessions
    exit
    vlan database
    vlan 30,100
    exit
    interface vlan 100
    dot1x guest-vlan
    exit
    dot1x system-auth-control
    interface range gi1,gi3
    dot1x reauthentication
    exit
    interface range gi1,gi3
    dot1x mac-authentication mac-only
    exit
    interface  gi3
    dot1x radius-attributes vlan
    exit
    interface range gi1,gi3
    dot1x guest-vlan enable
    exit
    interface gigabitethernet1
    dot1x port-control auto
    exit
    interface gigabitethernet3
    dot1x port-control auto
    exit
    radius-server host 192.168.1.122 priority 1
    radius-server key testing123
    aaa authentication dot1x default radius
    switch3ba5e1#
    Regards,
    Aleksandra

  • ISE PSN rejecting RADIUS request

    Hi,
    We have a distributed ISE infrastructure version 1.3.
    We began noticing the following problem.
    Randomly the PSNs started dropping RADIUS requests.
    Basically they didn't service any client.
    It looked like this bug:
    ISE PSN rejecting RADIUS request; deadlocks found @ catalina.out
    CSCur43427
    Symptom:
    ++ CU runs distributed deployment; 2PSN +MnT +PMN;
    ++ PSN "node status were up during the issue;
    ++ PSNs were rejecting RADIUS request; ICMP reachability to PSN were OK;
    ++ both wired and wireless are affected
    ++ removing accounting from both foreign/anchor did not fix the issue;
    Conditions:
    ++ ISE 1.2.0.p10
    ++ happens every 2-3 weeks;
    Workaround:
    ++ restart ISE services;
    So we installed patch 2.
    But now we got the same problem and there is no newer patch.
    Did anyone encounter this also?
    thanks,
    laszlo

    We've also encountered this with 1.3 and logged a TAC case but unfortunately they weren't able to determine the cause due to not enough detail. They suggested changing the log level for runtime-AAA and prrt-JNI to debug temporarily and when it happens again, before restarting the PSN, download the logs from it to supply to TAC.
     

  • ISE continue to receiving authentication message after removed the radius host test configuration on a IOS router

    I have two issues but related and need help:
    Anyone know how to disable or stop a radius host test message send every seconds from an IOS router after the test statement is removed and all radius server information is removed from the configuration? I have this odd testing for the new ISE server. The purpose of testing is not for load balancing, but to find out if IOS supports a different protocol using radius other than PAP if PPP is not used. After the test, I cannot stop it. I have a case opened with Cisco; the answer is there is no way to stop it other than rebooting the router. I tried to remove aaa new model and add it back, no help. I have put an access-list on the LAN interface denying IP any to the radius host and port, no match found.
    On the ISE (version 1.1.1), because the IOS router test cannot be stopped, the live authentication page fills up with all the authentication failure messages. Anyone know how to block the host from the ISE live authentication log (the router has been removed from the device page)?
    Below is part of the messages from the IOS router (version 15.0.1M6) debug, where 10.2.2.144 is the ISE IP and totally removed from the config. There is no radius or the ISE IP in the config.
    Aug 28 10:21:15.384: AAA/SG/TEST(Req#: 1): Sending test AAA Access-Request.
    Aug 28 10:21:15.384: AAA/SG/TEST(Req#: 1): Sending test AAA Accounting-Request.
    Aug 28 10:21:15.384: AAA/SG/TEST: Verifying if further testing required to determine server state.
    Aug 28 10:21:15.384: AAA/SG/TEST: DEAD state verification already in progress for server (10.2.2.144:1645,1646).
    Aug 28 10:21:15.384: AAA/SG/TEST: Server (10.2.2.144:1645,1646) assumed DEAD. Dead time updated to 60 secs(s).
    Aug 28 10:21:33.752: AAA/SG/TEST: No Test response from server (10.2.2.144:1645,1646)
    Aug 28 10:21:33.976: AAA/SG/TEST: No Test response from server (10.2.2.144:1645,1646)
    Aug 28 10:21:33.976: AAA/SG/TEST: Necessary responses NOT received from server (10.2.2.144:1645,1646).
    Aug 28 10:21:33.976: AAA/SG/TEST: Server (10.2.2.144:1645,1646) marked DEAD. Dead time set for 60 sec(s).
    Aug 28 10:21:33.976: AAA/SG/TEST: Server (10.2.2.144:1645,1646) removed from quarantine.
    Aug 28 10:22:33.976: AAA/SG/TEST: Verifying if further testing required to determine server state.
    Aug 28 10:22:33.976: AAA/SG/TEST: Server (10.2.2.144:1645,1646) quarantined.
    Aug 28 10:22:33.976: AAA/SG/TEST: Sending 1 Access-Requests, 1 Accounting-Requests in current batch.
    Aug 28 10:22:33.976: AAA/SG/TEST(Req#: 1): Sending test AAA Access-Request.
    Aug 28 10:22:33.976: AAA/SG/TEST(Req#: 1): Sending test AAA Accounting-Request.
    Aug 28 10:22:33.976: AAA/SG/TEST: Verifying if further testing required to determine server state.
    Aug 28 10:22:33.976: AAA/SG/TEST: DEAD state verification already in progress for server (10.2.2.144:1645,1646).
    Aug 28 10:22:33.976: AAA/SG/TEST: Server (10.2.2.144:1645,1646) assumed DEAD. Dead time updated to 60 secs(s).
    Aug 28 10:22:52.760: AAA/SG/TEST: No Test response from server (10.2.2.144:1645,1646)
    Aug 28 10:22:53.176: AAA/SG/TEST: No Test response from server (10.2.2.144:1645,1646)
    Aug 28 10:22:53.176: AAA/SG/TEST: Necessary responses NOT received from server (10.2.2.144:1645,1646).
    Aug 28 10:22:53.176: AAA/SG/TEST: Server (10.2.2.144:1645,1646) marked DEAD. Dead time set for 60 sec(s).
    Aug 28 10:22:53.176: AAA/SG/TEST: Server (10.2.2.144:1645,1646) removed from quarantine.
    Thanks in advance,

    It seems reload is the only way to fix it. I don't think there is any way to stop or ignore messages for a specific host in the live authentication page of ISE. From a security point of view it is required to log all the authentication hits.
    Regards,
    ~JG
    Do rate helpful posts!

  • MQ Adapter does not clear the rejected message from the queue

    Hi All,
    I'm using an MQ Adapter to fetch messages from the queue without any backout queue configured. However, whenever a badly structured message is found in the queue, the MQ Adapter rejects the message and moves it to the rejmsg folder but does not clear it off the queue, as a result of which it keeps retrying the same message, hence filling the logs and the physical memory. Somehow we do not have any backout queue configured so I can move the message to the backout queue. I have tried configuring the jca retry properties and global jca retry as well but to no avail.
    - Is it not the default behaviour of the MQ Adapter to remove the rejected message from the queue irrespective of whether a backout queue is configured or not? The same behaviour is working well with the JMS and File Adapter though.
    - Is there any way I can make MQ Adapter delete the message from that queue once it is rejected?
    Regards,
    Neeraj Sehgal

    Hi Jayson,
    Check this URL which answers a problem with com.sap.engine.boot.loader.ResourceMultiParentClassLoader problem:
    http://209.85.175.132/search?q=cache:RnFZ9viwuKkJ:https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/pcd!3aportal_content!2fcom.sap.sdn.folder.sdn!2fcom.sap.sdn.folder.application!2fcom.sap.sdn.folder.roles!2fcom.sap.sdn.folder.navigationroles!2fcom.sap.sdn.role.anonymous!2fcom.sap.sdn.tln.workset.forums!2fforumtest!2fcom.sap.sdn.app.iview.forumthread%3FQuickLink%3Dthread%26tstart%3D45%26threadID%3D1020700+com.sap.engine.boot.loader.ResourceMultiParentClassLoader&hl=en&ct=clnk&cd=3&gl=in&client=firefox-a
    Please check that the JDK compliance level is at 5.0
    Window->Preferences->Java->Compiler->Compiler compliance level set this to 5.0
    Set the installed JRE to the one you have mentioned JDK 5.0 update 16
    Window->Preferences->Java->Installed JRE's->
    Click on the add button to select the path of your JDK.
    Once completed, click on the check box next to it.
    regards,
    AKD

  • WLC 5508 - LAP1242: Failed to handle capwap control message from controller

    Hello everyone,
    after finally successfully upgrading my WLCs from 6.0.199.4 to 7.6.100.0 there is another problem showing up...
    If I want to change any configuration regarding the APs on the WLCs (which doesn't work) I get the following error-messages from the APs:
    *spamApTask7: Feb 27 14:34:00.558: 00:3a:9a:d6:5d:30 Test-AP-09-03: *Feb 27 13:34:00.169: %CAPWAP-3-ERRORLOG: Validate Msg: msg type 12 does not supported payload 215
    *spamApTask7: Feb 27 14:34:00.558: 00:3a:9a:d6:5d:30 Test-AP-09-03: *Feb 27 13:34:00.169: %CAPWAP-3-ERRORLOG: Validate Msg: error in Unknown Payload(215) payload (received length = 9, payload type = 215)
    *spamApTask7: Feb 27 14:34:00.558: 00:3a:9a:d6:5d:30 Test-AP-09-03: *Feb 27 13:34:00.170: %CAPWAP-3-ERRORLOG: Failed to validate vendor specific message element type 215 len 9.
    *spamApTask7: Feb 27 14:34:00.558: 00:3a:9a:d6:5d:30 Test-AP-09-03: *Feb 27 13:34:00.170: %CAPWAP-3-ERRORLOG: Failed to decode Configuration update request.
    *spamApTask7: Feb 27 14:34:00.558: 00:3a:9a:d6:5d:30 Test-AP-09-03: *Feb 27 13:34:00.170: %CAPWAP-3-ERRORLOG: CAPWAP SM handler: Failed to process message type 7 state 11.
    *spamApTask7: Feb 27 14:34:00.558: 00:3a:9a:d6:5d:30 Test-AP-09-03: *Feb 27 13:34:00.171: %CAPWAP-3-ERRORLOG: Failed to handle capwap control message from controller
    Find attached some information regarding the AP and the 5508.
    Any suggestions are, as always, highly appreciated.
    Regards
    Manuel

    Good morning,
    If I need free space on the flash: how much is "enough" to handle config changes?
    Here you can see the filesystem of one of my access points (all are affected):
    AP#dir all-filesystems
    Directory of arch:/
        2  -rwx       91288  Feb 22 2014 18:16:42 +00:00  event.log
        8  drwx         448  Feb 22 2014 18:16:38 +00:00  c1240-k9w8-mx.124-25e.JAO3
        4  drwx           0   Nov 2 2011 23:32:18 +00:00  configs
        5  -rwx         397  Feb 22 2014 18:19:03 +00:00  env_vars
        6  -rwx        6168  Feb 27 2014 18:14:24 +00:00  private-multiple-fs
    No space information available
    Directory of flash:/
        2  -rwx       91288  Feb 22 2014 18:16:42 +00:00  event.log
        8  drwx         448  Feb 22 2014 18:16:38 +00:00  c1240-k9w8-mx.124-25e.JAO3
        4  drwx           0   Nov 2 2011 23:32:18 +00:00  configs
        5  -rwx         397  Feb 22 2014 18:19:03 +00:00  env_vars
        6  -rwx        6168  Feb 27 2014 18:14:24 +00:00  private-multiple-fs
    15740928 bytes total (10614784 bytes free)
    Directory of zflash:/
        2  -rwx       91288  Feb 22 2014 18:16:42 +00:00  event.log
        8  drwx         448  Feb 22 2014 18:16:38 +00:00  c1240-k9w8-mx.124-25e.JAO3
        4  drwx           0   Nov 2 2011 23:32:18 +00:00  configs
        5  -rwx         397  Feb 22 2014 18:19:03 +00:00  env_vars
        6  -rwx        6168  Feb 27 2014 18:14:24 +00:00  private-multiple-fs
    15740928 bytes total (10614784 bytes free)
    Directory of archive:/
    No files in directory
    No space information available
    Directory of system:/
        2  dr-x           0                      memory
        1  -rw-       17631                      running-config
    No space information available
    Directory of nvram:/
       30  -rw-           0                      startup-config
       31  ----           0                      private-config
        1  ----        4100                      lwapp_ap.cfg
        6  ----         528                      lwapp_ap_tlv.cfg
    32768 bytes total (26572 bytes free)
    Regards, Manuel

  • Auth.log - Rejected send message, 2 matched rules; type="method_call"

    Hi,
    I'm checking /var/log/auth.log and I found this error message:
    Jun 9 20:19:56 localhost polkitd(authority=local): Registered Authentication Agent for unix-session:/org/freedesktop/ConsoleKit/Session2 (system bus name :1.23 [/usr/bin/gnome-shell], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
    Jun 9 20:19:57 localhost dbus[513]: [system] Rejected send message, 2 matched rules; type="method_call", sender=":1.23" (uid=1000 pid=861 comm="/usr/bin/gnome-shell ") interface="org.freedesktop.DBus.Properties" member="GetAll" error name="(unset)" requested_reply="0" destination=":1.1" (uid=0 pid=654 comm="/usr/sbin/console-kit-daemon --no-daemon ")
    Jun 9 20:19:57 localhost dbus[513]: [system] Rejected send message, 2 matched rules; type="method_call", sender=":1.23" (uid=1000 pid=861 comm="/usr/bin/gnome-shell ") interface="org.freedesktop.DBus.Properties" member="GetAll" error name="(unset)" requested_reply="0" destination=":1.1" (uid=0 pid=654 comm="/usr/sbin/console-kit-daemon --no-daemon ")
    Jun 9 20:19:57 localhost dbus[513]: [system] Rejected send message, 2 matched rules; type="method_call", sender=":1.23" (uid=1000 pid=861 comm="/usr/bin/gnome-shell ") interface="org.freedesktop.DBus.Properties" member="GetAll" error name="(unset)" requested_reply="0" destination=":1.1" (uid=0 pid=654 comm="/usr/sbin/console-kit-daemon --no-daemon ")
    I think the problem is in /etc/dbus-1/system.conf
    <deny send_type="method_call"/>
    I'm tempted to change this to allow,  but I won't as long as I don't understand why this deny-rule is implemented.
    Last edited by miky76 (2012-06-09 20:41:06)

    That deny rule is the default. Things in /etc/dbus-1/system.d override it. There's a ConsoleKit.conf file in there that describes what interaction ConsoleKit actually allows.
    That said, ConsoleKit.conf also denies this access:
    <deny send_destination="org.freedesktop.ConsoleKit"
    send_interface="org.freedesktop.DBus.Properties" />
    I don't know why this is denied - most likely it's to prevent private data from being stolen from console-kit-daemon in this way. I don't see any such private data stored in properties on ConsoleKit, though:
    $ dbus-send --print-reply --system --dest=org.freedesktop.ConsoleKit /org/freedesktop/ConsoleKit/Session1 org.freedesktop.DBus.Introspectable.Introspect
    method return sender=:1.5 -> dest=:1.14 reply_serial=2
    string "<!DOCTYPE node PUBLIC "-//freedesktop//DTD D-BUS Object Introspection 1.0//EN"
    "http://www.freedesktop.org/standards/dbus/1.0/introspect.dtd">
    <node>
    <interface name="org.freedesktop.DBus.Introspectable">
    <method name="Introspect">
    <arg name="data" direction="out" type="s"/>
    </method>
    </interface>
    <interface name="org.freedesktop.DBus.Properties">
    <method name="Get">
    <arg name="interface" direction="in" type="s"/>
    <arg name="propname" direction="in" type="s"/>
    <arg name="value" direction="out" type="v"/>
    </method>
    <method name="Set">
    <arg name="interface" direction="in" type="s"/>
    <arg name="propname" direction="in" type="s"/>
    <arg name="value" direction="in" type="v"/>
    </method>
    <method name="GetAll">
    <arg name="interface" direction="in" type="s"/>
    <arg name="props" direction="out" type="a{sv}"/>
    </method>
    </interface>
    <interface name="org.freedesktop.ConsoleKit.Session">
    <method name="SetIdleHint">
    <arg name="idle_hint" type="b" direction="in"/>
    </method>
    <method name="GetIdleSinceHint">
    <arg name="iso8601_datetime" type="s" direction="out"/>
    </method>
    <method name="GetIdleHint">
    <arg name="idle_hint" type="b" direction="out"/>
    </method>
    <method name="Unlock">
    </method>
    <method name="Lock">
    </method>
    <method name="Activate">
    </method>
    <method name="GetCreationTime">
    <arg name="iso8601_datetime" type="s" direction="out"/>
    </method>
    <method name="IsLocal">
    <arg name="local" type="b" direction="out"/>
    </method>
    <method name="IsActive">
    <arg name="active" type="b" direction="out"/>
    </method>
    <method name="GetLoginSessionId">
    <arg name="login_session_id" type="s" direction="out"/>
    </method>
    <method name="GetRemoteHostName">
    <arg name="remote_host_name" type="s" direction="out"/>
    </method>
    <method name="GetDisplayDevice">
    <arg name="display_device" type="s" direction="out"/>
    </method>
    <method name="GetX11DisplayDevice">
    <arg name="x11_display_device" type="s" direction="out"/>
    </method>
    <method name="GetX11Display">
    <arg name="display" type="s" direction="out"/>
    </method>
    <method name="GetUnixUser">
    <arg name="uid" type="u" direction="out"/>
    </method>
    <method name="GetUser">
    <arg name="uid" type="u" direction="out"/>
    </method>
    <method name="GetSessionType">
    <arg name="type" type="s" direction="out"/>
    </method>
    <method name="GetSeatId">
    <arg name="sid" type="o" direction="out"/>
    </method>
    <method name="GetId">
    <arg name="ssid" type="o" direction="out"/>
    </method>
    <signal name="Unlock">
    </signal>
    <signal name="Lock">
    </signal>
    <signal name="IdleHintChanged">
    <arg type="b"/>
    </signal>
    <signal name="ActiveChanged">
    <arg type="b"/>
    </signal>
    <property name="idle-hint" type="b" access="readwrite"/>
    <property name="is-local" type="b" access="readwrite"/>
    <property name="active" type="b" access="readwrite"/>
    <property name="x11-display-device" type="s" access="readwrite"/>
    <property name="x11-display" type="s" access="readwrite"/>
    <property name="display-device" type="s" access="readwrite"/>
    <property name="remote-host-name" type="s" access="readwrite"/>
    <property name="session-type" type="s" access="readwrite"/>
    <property name="user" type="u" access="readwrite"/>
    <property name="unix-user" type="u" access="readwrite"/>
    </interface>
    </node>
    Note those properties at the end of that list, which are the same things you can learn by running ck-list-session.
    If you want to change the deny to allow, you may as well do it in the ConsoleKit.conf line, so it's specific to this usage, rather than allowing any method call in the world called through dbus.
    FWIW, I can reproduce this same error, trying to do it "by hand", though I don't use GNOME, as you do:
    $ dbus-send --print-reply --system --type=method_call --dest=org.freedesktop.ConsoleKit /org/freedesktop/ConsoleKit/Session1 org.freedesktop.DBus.Properties.GetAll string:org.freedesktop.ConsoleKit.Session
    Error org.freedesktop.DBus.Error.AccessDenied: Rejected send message, 2 matched rules; type="method_call", sender=":1.17" (uid=1000 pid=13892 comm="dbus-send --print-reply --system --type=method_cal") interface="org.freedesktop.DBus.Properties" member="GetAll" error name="(unset)" requested_reply="0" destination="org.freedesktop.ConsoleKit" (uid=0 pid=751 comm="/usr/sbin/console-kit-daemon --no-daemon ")
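
The rule ordering described in the reply above (the system.conf default first, files in /etc/dbus-1/system.d applied after it), as an added example that is not part of the original posts and is not dbus-daemon's own code. It is a simplified Python model that assumes rules are checked in load order with the last matching rule deciding; the `OTHER` message and the `org.example.Admin` service are hypothetical.

```python
# Added example: simplified model of dbus-daemon send-policy evaluation.
# Attribute names are real policy attributes; the evaluator is an assumption-
# level simplification (rules checked in load order, last matching rule decides).

CK = "org.freedesktop.ConsoleKit"
PROPS = "org.freedesktop.DBus.Properties"

# Rules quoted in the thread: system.conf default, then the ConsoleKit.conf rule.
DEFAULT_DENY = ("deny", {"send_type": "method_call"})
CK_DENY = ("deny", {"send_destination": CK, "send_interface": PROPS})

# The call rejected in auth.log. The destination ":1.1" is console-kit-daemon,
# modelled here as owning the well-known ConsoleKit name as well.
GETALL = {"type": "method_call", "interface": PROPS, "member": "GetAll",
          "dest_names": {":1.1", CK}}
# Constructed message: a method call to a hypothetical unrelated root service.
OTHER = {"type": "method_call", "interface": "org.example.Admin",
         "member": "Reset", "dest_names": {":1.9", "org.example.Admin"}}


def rule_matches(attrs, msg):
    """A rule matches only when every attribute it names fits the message."""
    for key, want in attrs.items():
        if key == "send_type":
            ok = msg["type"] == want
        elif key == "send_interface":
            ok = msg["interface"] == want
        elif key == "send_member":
            ok = msg["member"] == want
        elif key == "send_destination":
            ok = want in msg["dest_names"]
        else:
            raise ValueError(f"attribute not modelled: {key}")
        if not ok:
            return False
    return True


def check_send(rules, msg):
    """Return (allowed, matched_rule_count); with no matching rule, deny."""
    allowed, matched = False, 0
    for verdict, attrs in rules:
        if rule_matches(attrs, msg):
            allowed = verdict == "allow"
            matched += 1
    return allowed, matched


def compare_policies():
    """Evaluate both messages under the stock, broad and narrow rule sets."""
    policies = {
        "stock": [DEFAULT_DENY, CK_DENY],
        # system.conf deny flipped to allow; ConsoleKit.conf left alone.
        "broad": [("allow", {"send_type": "method_call"}), CK_DENY],
        # system.conf untouched; only the ConsoleKit.conf rule flipped.
        "narrow": [DEFAULT_DENY,
                   ("allow", {"send_destination": CK, "send_interface": PROPS})],
    }
    return {name: {"GetAll": check_send(rules, GETALL),
                   "other": check_send(rules, OTHER)}
            for name, rules in policies.items()}


if __name__ == "__main__":
    for name, result in compare_policies().items():
        print(name, result)
```

In this model the stock rule set matches two rules for the GetAll call, consistent with the "2 matched rules" in the log lines. Flipping the system.conf rule leaves GetAll denied while allowing the unrelated method call, whereas flipping only the ConsoleKit.conf rule allows GetAll and nothing else.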

  • Can't reject a call from lock screen with pin password

    When I set a PIN code for my iPhone with iOS7 "7.0.2" and receive a call, I don't get an option to reject that call directly!
    The only valid options on the lock screen are either to set a reminder to call back the caller or reject with message. Is there any hidden feature behind this? Or did Apple really intend that?
    Attached 2 screen shots for a caller
    While screen is locked with PIN password
    While screen is unlocked

    It has been this way for some time. This is how you would decline a call from the lock screen, and then declining a call from the open screen is how you have it showing.

  • Email failure - The following organization rejected your message

    Hi,
    We are getting failures in receiving emails from two clients specifically (emails from other clients are received successfully).
    I can confirm that our SMTP server is configured NOT to check for reverse DNS.
    I am attaching below the notification message from one of the failed emails. 
    Delivery has failed to these recipients or groups:
    [email protected]
    A problem occurred during the delivery of this message to this e-mail address. Try sending this message again. If the problem continues, please contact your helpdesk.
    The following organization rejected your message: xxxxxxxxx.com.
    Diagnostic information for administrators:
    Generating server: server519.appriver.com
    [email protected]
    xxxxxxxxx.com #<xxxxxxxxx.com #4.0.0 smtp;connection with xxxxxxxxx.com is broken> #SMTP#
    Original message headers:
    Received: by server519.appriver.com (CommuniGate Pro PIPE 5.4.8)
      with PIPE id 517414458; Wed, 12 Mar 2014 06:10:06 -0500
    Received: from [4.28.183.90] (HELO hullmail.hullco.com)
      by server519.appriver.com (CommuniGate Pro SMTP 5.4.8)
      with ESMTPS id 517414455 for [email protected]; Wed, 12 Mar 2014 06:10:01 -0500
    Received: from ATL-EXMB03.HULL.COM ([2002:c0bd:6d9a::c0bd:6d9a]) by
     atl-exht04.HULL.COM ([2002:c0bd:6d8c::c0bd:6d8c]) with mapi id
     14.02.0298.004; Wed, 12 Mar 2014 07:10:00 -0400
    From: Joe Failla <[email protected]>
    To: "'[email protected]'" <[email protected]>
    Subject: Test Submission
    Thread-Topic: Test Submission
    Thread-Index: Ac8945alas54Yp+WQ4eldDiAOdcpKA==
    Date: Wed, 12 Mar 2014 11:10:00 +0000
    Message-ID: <[email protected]>
    Accept-Language: en-US
    Content-Language: en-US
    X-MS-Has-Attach: yes
    X-MS-TNEF-Correlator:
    x-originating-ip: [192.189.109.5]
    Content-Type: text/plain
    MIME-Version: 1.0
    X-Note-AR-ScanTimeLocal: 3/12/2014 6:10:01 AM
    X-Policy: hullco.com - hullco.com
    X-Primary: [email protected]
    X-Note: This Email was scanned by AppRiver SecureTide
    X-Note: VCH-CT/SI:0-2630/SG:1 3/12/2014 6:09:20 AM
    X-Virus-Scan: V-X0
    X-Note: Spam Tests Failed: 
    X-Country-Path: ->UNITED STATES->UNITED STATES
    X-Note-Sending-IP: 4.28.183.90
    X-Note-Reverse-DNS:
    X-Note-Return-Path: [email protected]
    X-Note: User Rule Hits: 
    X-Note: Global Rule Hits: G327 G328 G329 G330 G334 G335 G445 
    X-Note: Encrypt Rule Hits: 
    X-Note: Mail Class: VALID
    Any assistance will be gratefully received.
    Regards,
    Vishakha

    Hi Vishakha,
    From the NDR information, the email was scanned by AppRiver SecureTide and then Spam Tests Failed. I think the issue is related to AppRiver SecureTide. If possible, I recommend you disable the AppRiver SecureTide temporarily and check the result.
    Hope it helps.
    Best regards,
    Amy
    Amy Wang
    TechNet Community Support
