ISE 1.2 rejects RADIUS messages from vWLC

Similar Messages

• ISE 1.2 rejects RADIUS messages from 5508 WLC

  The setup in ref is:
  WLC 5508 HA pair running 7.6 talking to ISE 1.2 patch 7 (was 6).
  Wireless users are authenticated fine, so the 5508 is a valid NAD in ISE, but...
  When I setup active RADIUS fallback, so that the WLC can poll the ISE servers I get the message:
  "The RADIUS request from a non-wireless device was dropped because the installed license is for wireless devices only"
  Why would ISE drop a RADIUS message from a WLC which is a wireless device?  Surely this is a mistake?

  Hi Nicholas,
  This is a known defect.
  CSCug34679    ISE drop keep alive coming from WLC. 
  <B>Symptom:</B>
  ISE drops keep alive authentications coming from the WLC, with message 11054 Request from a non-wireless device due to installed wireless license.
  <B>Conditions:</B>
  When only a wireless license is install on the ISE and using active keep alive on the WLC.
  <B>Workaround:</B>
  Use passive keep alive on the WLC and not active.
  Regards,
  Jatin Katyal
  *Do rate helpful posts*

• Rejected record message from Essbase Studio load (3355)

  I receive the following error when deploying an outline via Essbase Studio to an ASO cube (ver 11.1.2):
  \\Record #36798 - Member XXX does not exist. Reference member column types require the field to be an existing member (3355)
  As I read the error (BTW, can someone help me find the table of rejected record codes?), it is rejecting the assignment of an attribute to a member because the member does not exist.
  What could be a reason though that I did not receive an "Error adding member XXX" rejection beforehand or something indicating that there was an error adding the member originally? I am puzzled because I cannot find anything special about the source data when comparing to the many others that loaded successfullly.

  Hi All,
  Towards this error if we are talking about Hyperion Essbase - Version 11.1.2.1.000 and later.
  So mostly we are facing this issue has been verified as unpublished Bug 12967639.
  As documented in KM:
  Unable to Save ASO Outline After Renaming Members, "Error(1007072) Member [xxx] tagged as <REFER does not have a member to refer to" [ID 1465850.1]
  Also towards ASO there is another document having all there as:
  Oracle Hyperion Essbase and Aggregate Storage (ASO) [ID 1291202.1]
  Thanks,
  Shaker

• Cannot get SG300 switch to send RADIUS messages for 802.1x

  I  want to eventually configure the SG300 to authenticate wired clients with 802.1x and Microsoft NPS (RADIUS). I am currently testing this setup using a single port (Port 7) on my SG300, a test machine, and an AD based Network Policy Server.
  The problem I have is that when I change the Administrative Port Control for Port 7 to Force Authorized, I see this log entry:
  Informational %SEC-I-PORTAUTHORIZED: Port gi7 is Authorized
  And then when I change the port control to Auto the port immediately changes to Unauthorized and I see this log entry:
  Warning %SEC-W-PORTUNAUTHORIZED: Port gi7 is unAuthorized
  However I never see any RADIUS messages being sent from the SG300 to my RADIUS server or from the SG300 to the test machine plugged into port 7. I am using WireShark on my RADIUS server to watch for messages from the SG300 IP Address and I'm using WireShark on a second test machine that is configured to monitor the NIC card in the test machine plugged into port 7 (I'm using Hyper-V and its facilities for this NIC monitoring setup.)
  Here is my configuration:
  Switch - 10.1.1.3
  RADIUS (Microsoft NPS)- 10.1.1.15
  Switch Usage Type - All (Login and 802.1x)
  Port 7 configuration:
  VLAN Mode is General
  Host Authentication is Single Host Authentication
  Administrative Port Control is Auto
  RADIUS VLAN Assignment is Disabled
  Guest VLAN is Enabled
  802.1x Based Authentication is Enabled
  Additional Configurations under Security - 802.1x/MAC/Web Authentication:
  Port Based Authentication is Enabled
  Authentication Method is RADIUS
  Guest VLAN is Enabled
  Guest VLAN ID is 2
  All of my VLANs are enabled for Authentication
  I've got to be missing something but I do not know what that something is.
  One last note:
  The SG300 uses the same RADIUS server for management console access and it works without problem. When I log into the switch, WireShark shows the RADIUS messages from the switch to the RADIUS server and back. So I know RADIUS is configured correctly on the switch.

  Hi,
  This is my working configuration where port gi3 has DVA configured as well. You might skip port gi3 but please compare to your config:
  interface  gi3
  dot1x host-mode multi-sessions
  exit
  vlan database
  vlan 30,100
  exit
  interface vlan 100
  dot1x guest-vlan
  exit
  dot1x system-auth-control
  interface range gi1,gi3
  dot1x reauthentication
  exit
  interface range gi1,gi3
  dot1x mac-authentication mac-only
  exit
  interface  gi3
  dot1x radius-attributes vlan
  exit
  interface range gi1,gi3
  dot1x guest-vlan enable
  exit
  interface gigabitethernet1
  dot1x port-control auto
  exit
  interface gigabitethernet3
  dot1x port-control auto
  exit
  radius-server host 192.168.1.122 priority 1
  radius-server key testing123
  aaa authentication dot1x default radius
  switch3ba5e1#
  Regards,
  Aleksandra

• ISE PSN rejecting RADIUS request

  Hi,
  We have a distributed ISE infrastructure version 1.3.
  We begin noticing the following problem.
  Randomly the PSN's started dropping radius requests.
  Basically they didn't serviced any client.
  It looked like this bug:
  ISE PSN rejecting RADIUS request; deadlocks found @ catalina.out
  CSCur43427
  Symptom:
  ++ CU runs distributed deployment; 2PSN +MnT +PMN;
  ++ PSN "node status were up during the issue;
  ++ PSNs were rejecting RADIUS request; ICMP reachability to PSN were OK;
  ++ both wired and wireless are affected
  ++ removing accounting from both foreign/anchor did not fix the issue;
  Conditions:
  ++ ISE 1.2.0.p10
  ++ happens every 2-3 weeks;
  Workaround:
  ++ restart ISE services;
  So we installed patch 2.
  But now we got the same problem and there is no newer patch.
  Did anyone encountered this also?
  thanks,
  laszlo

  We've also encountered this with 1.3 and logged a TAC case but unfortunately they weren't able to determine the cause due to not enough detail. They suggested changing the log level for runtime-AAA and prrt-JNI to debug temporarily and when it happens again, before restarting the PSN, download the logs from it to supply to TAC.
   

• ISE continue to receiving authentication message after removed the radius host test configuration on a IOS router

  I have two issues but related and need help:    
  anyone know how to disable or stop a radius host test message send every seconds from a IOS router after the test statement removed and all radius server information removed from the configuration?   I have this odd testing for the new ISE server.  the purpose of testing is not for load balancing, but find out if IOS support different protocol using radius other than PAP if PPP is not used. after the test, I cannot stop it.  I have a case opened with Cisco, the answer is no way to stop it other than reboot the router. I tried to remove aaa new model and add it back, no help. I have put an access-list on the LAN interface deny the IP any to the radius host and port, no match found.
  On the ISE (version 1.1.1), due to the IOS router test cannot be stopped, the alive authentication page fills up all the authentication failure messages. anyone know how to block the host from ISE live authentication log (the router has been removed from the device page)? 
  below is part of messages from the IOS router (version 15.0.1M6) debug. where 10.2.2.144 is the ISE IP and totally removed from the config. there is no any radius or the ISE IP in the config.
  Aug 28 10:21:15.384: AAA/SG/TEST(Req#: 1): Sending test AAA Access-Request.
  Aug 28 10:21:15.384: AAA/SG/TEST(Req#: 1): Sending test AAA Accounting-Request.
  Aug 28 10:21:15.384: AAA/SG/TEST: Verifying if further testing required to determine server state.
  Aug 28 10:21:15.384: AAA/SG/TEST: DEAD state verification already in progress for server (10.2.2.144:1645,1646).
  Aug 28 10:21:15.384: AAA/SG/TEST: Server (10.2.2.144:1645,1646) assumed DEAD. Dead time updated to 60 secs(s).
  Aug 28 10:21:33.752: AAA/SG/TEST: No Test response from server (10.2.2.144:1645,1646)
  Aug 28 10:21:33.976: AAA/SG/TEST: No Test response from server (10.2.2.144:1645,1646)
  Aug 28 10:21:33.976: AAA/SG/TEST: Necessary responses NOT received from server (10.2.2.144:1645,1646).
  Aug 28 10:21:33.976: AAA/SG/TEST: Server (10.2.2.144:1645,1646) marked DEAD. Dead time set for 60 sec(s).
  Aug 28 10:21:33.976: AAA/SG/TEST: Server (10.2.2.144:1645,1646) removed from quarantine.
  Aug 28 10:22:33.976: AAA/SG/TEST: Verifying if further testing required to determine server state.
  Aug 28 10:22:33.976: AAA/SG/TEST: Server (10.2.2.144:1645,1646) quarantined.
  Aug 28 10:22:33.976: AAA/SG/TEST: Sending 1 Access-Requests, 1 Accounting-Requests in current batch.
  Aug 28 10:22:33.976: AAA/SG/TEST(Req#: 1): Sending test AAA Access-Request.
  Aug 28 10:22:33.976: AAA/SG/TEST(Req#: 1): Sending test AAA Accounting-Request.
  Aug 28 10:22:33.976: AAA/SG/TEST: Verifying if further testing required to determine server state.
  Aug 28 10:22:33.976: AAA/SG/TEST: DEAD state verification already in progress for server (10.2.2.144:1645,1646).
  Aug 28 10:22:33.976: AAA/SG/TEST: Server (10.2.2.144:1645,1646) assumed DEAD. Dead time updated to 60 secs(s).
  Aug 28 10:22:52.760: AAA/SG/TEST: No Test response from server (10.2.2.144:1645,1646)
  Aug 28 10:22:53.176: AAA/SG/TEST: No Test response from server (10.2.2.144:1645,1646)
  Aug 28 10:22:53.176: AAA/SG/TEST: Necessary responses NOT received from server (10.2.2.144:1645,1646).
  Aug 28 10:22:53.176: AAA/SG/TEST: Server (10.2.2.144:1645,1646) marked DEAD. Dead time set for 60 sec(s).
  Aug 28 10:22:53.176: AAA/SG/TEST: Server (10.2.2.144:1645,1646) removed from quarantine.
  Aug 28 10:21:15.384: AAA/SG/TEST(Req#: 1): Sending test AAA Access-Request.
  Aug 28 10:21:15.384: AAA/SG/TEST(Req#: 1): Sending test AAA Accounting-Request.
  Aug 28 10:21:15.384: AAA/SG/TEST: Verifying if further testing required to determine server state.
  Aug 28 10:21:15.384: AAA/SG/TEST: DEAD state verification already in progress for server (10.2.2.144:1645,1646).
  Aug 28 10:21:15.384: AAA/SG/TEST: Server (10.2.2.144:1645,1646) assumed DEAD. Dead time updated to 60 secs(s).
  Aug 28 10:21:33.752: AAA/SG/TEST: No Test response from server (10.2.2.144:1645,1646)
  Aug 28 10:21:33.976: AAA/SG/TEST: No Test response from server (10.2.2.144:1645,1646)
  Aug 28 10:21:33.976: AAA/SG/TEST: Necessary responses NOT received from server (10.2.2.144:1645,1646).
  Aug 28 10:21:33.976: AAA/SG/TEST: Server (10.2.2.144:1645,1646) marked DEAD. Dead time set for 60 sec(s).
  Aug 28 10:21:33.976: AAA/SG/TEST: Server (10.2.2.144:1645,1646) removed from quarantine.
  Aug 28 10:22:33.976: AAA/SG/TEST: Verifying if further testing required to determine server state.
  Aug 28 10:22:33.976: AAA/SG/TEST: Server (10.2.2.144:1645,1646) quarantined.
  Aug 28 10:22:33.976: AAA/SG/TEST: Sending 1 Access-Requests, 1 Accounting-Requests in current batch.
  Aug 28 10:22:33.976: AAA/SG/TEST(Req#: 1): Sending test AAA Access-Request.
  Aug 28 10:22:33.976: AAA/SG/TEST(Req#: 1): Sending test AAA Accounting-Request.
  Aug 28 10:22:33.976: AAA/SG/TEST: Verifying if further testing required to determine server state.
  Aug 28 10:22:33.976: AAA/SG/TEST: DEAD state verification already in progress for server (10.2.2.144:1645,1646).
  Aug 28 10:22:33.976: AAA/SG/TEST: Server (10.2.2.144:1645,1646) assumed DEAD. Dead time updated to 60 secs(s).
  Aug 28 10:22:52.760: AAA/SG/TEST: No Test response from server (10.2.2.144:1645,1646)
  Aug 28 10:22:53.176: AAA/SG/TEST: No Test response from server (10.2.2.144:1645,1646)
  Aug 28 10:22:53.176: AAA/SG/TEST: Necessary responses NOT received from server (10.2.2.144:1645,1646).
  Aug 28 10:22:53.176: AAA/SG/TEST: Server (10.2.2.144:1645,1646) marked DEAD. Dead time set for 60 sec(s).
  Aug 28 10:22:53.176: AAA/SG/TEST: Server (10.2.2.144:1645,1646) removed from quarantine.
  Thanks in advance,

  It seems reload is the only way to fix it. I don't think there is any way to stop or ignore messages for specific host in live authentication page of ISE. From security point of view it is required to logs all the authentication hits.
  Regards,
  ~JG
  Do rate helpful posts!

• MQ Adapter does not clear the rejected message from the queue

  Hi All,
  I'm using a MQ Adapter to fetch the message from the queue without any Backout queue configured. However, whenever there is any bad structured message found in the queue, MQ adapter rejects the message and moves the message to the rejmsg folder but does not clear it off the queue, as a result of which it keeps retrying the same hence, filling the logs and the physical memory. Somehow we do not have any backout queue configured so I can move the message to blackout queue. I have tried configuring the jca retry properties and global jca retry as well but to no avail.
  - Is it not the default behaviour of MQ Adapter to remove the rejected message from the queue irrespective of Backout queue is configured or not? The same behaviour working well with the JMS and File Adapter though.
  - Is there any way I can make MQ Adapter delete the message from that queue once it is rejected?
  Regards,
  Neeraj Sehgal

  Hi Jayson,
  Check this URL which answers a problem with com.sap.engine.boot.loader.ResourceMultiParentClassLoader problem:
  http://209.85.175.132/search?q=cache:RnFZ9viwuKkJ:https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/pcd!3aportal_content!2fcom.sap.sdn.folder.sdn!2fcom.sap.sdn.folder.application!2fcom.sap.sdn.folder.roles!2fcom.sap.sdn.folder.navigationroles!2fcom.sap.sdn.role.anonymous!2fcom.sap.sdn.tln.workset.forums!2fforumtest!2fcom.sap.sdn.app.iview.forumthread%3FQuickLink%3Dthread%26tstart%3D45%26threadID%3D1020700+com.sap.engine.boot.loader.ResourceMultiParentClassLoader&hl=en&ct=clnk&cd=3&gl=in&client=firefox-a
  Please check that the JDK compliance level is at 5.0
  Window->Preferences->Java->Compiler->Compiler compliance level set this to 5.0
  Set the installed JRE to the one you have mentioned JDK 5.0 update 16
  Window->Preferences->Java->Installed JRE's->
  Click on the add button to select the path of your JDK.
  once completed click on the check box next to it.
  regards,
  AKD

• Auth.log - Rejected send message, 2 matched rules; type="method_call"

  Hi,
  i'm checking the /var/log/auth.log and I found out that there is this error message
  Jun 9 20:19:56 localhost polkitd(authority=local): Registered Authentication Agent for unix-session:/org/freedesktop/ConsoleKit/Session2 (system bus name :1.23 [/usr/bin/gnome-shell], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
  Jun 9 20:19:57 localhost dbus[513]: [system] Rejected send message, 2 matched rules; type="method_call", sender=":1.23" (uid=1000 pid=861 comm="/usr/bin/gnome-shell ") interface="org.freedesktop.DBus.Properties" member="GetAll" error name="(unset)" requested_reply="0" destination=":1.1" (uid=0 pid=654 comm="/usr/sbin/console-kit-daemon --no-daemon ")
  Jun 9 20:19:57 localhost dbus[513]: [system] Rejected send message, 2 matched rules; type="method_call", sender=":1.23" (uid=1000 pid=861 comm="/usr/bin/gnome-shell ") interface="org.freedesktop.DBus.Properties" member="GetAll" error name="(unset)" requested_reply="0" destination=":1.1" (uid=0 pid=654 comm="/usr/sbin/console-kit-daemon --no-daemon ")
  Jun 9 20:19:57 localhost dbus[513]: [system] Rejected send message, 2 matched rules; type="method_call", sender=":1.23" (uid=1000 pid=861 comm="/usr/bin/gnome-shell ") interface="org.freedesktop.DBus.Properties" member="GetAll" error name="(unset)" requested_reply="0" destination=":1.1" (uid=0 pid=654 comm="/usr/sbin/console-kit-daemon --no-daemon ")
  if think the problem is in /etc/dbus-1/system.conf
  <deny send_type="method_call"/>
  I'm tempted to change this to allow,  but I won't as long as I don't understand why this deny-rule is implemented.
  Last edited by miky76 (2012-06-09 20:41:06)

  That deny rule is the default. Things in /etc/dbus-1/system.d override it. There's a ConsoleKit.conf file in there that describes what interaction ConsoleKit actually allows.
  That said, ConsoleKit.conf also denies this access:
  <deny send_destination="org.freedesktop.ConsoleKit"
  send_interface="org.freedesktop.DBus.Properties" />
  I don't know why this is denied - most likely it's to prevent private data from being stolen from console-kit-daemon in this way. I don't see any such private data stored in properties on ConsoleKit, though:
  $ dbus-send --print-reply --system --dest=org.freedesktop.ConsoleKit /org/freedesktop/ConsoleKit/Session1 org.freedesktop.DBus.Introspectable.Introspect
  method return sender=:1.5 -> dest=:1.14 reply_serial=2
  string "<!DOCTYPE node PUBLIC "-//freedesktop//DTD D-BUS Object Introspection 1.0//EN"
  "http://www.freedesktop.org/standards/dbus/1.0/introspect.dtd">
  <node>
  <interface name="org.freedesktop.DBus.Introspectable">
  <method name="Introspect">
  <arg name="data" direction="out" type="s"/>
  </method>
  </interface>
  <interface name="org.freedesktop.DBus.Properties">
  <method name="Get">
  <arg name="interface" direction="in" type="s"/>
  <arg name="propname" direction="in" type="s"/>
  <arg name="value" direction="out" type="v"/>
  </method>
  <method name="Set">
  <arg name="interface" direction="in" type="s"/>
  <arg name="propname" direction="in" type="s"/>
  <arg name="value" direction="in" type="v"/>
  </method>
  <method name="GetAll">
  <arg name="interface" direction="in" type="s"/>
  <arg name="props" direction="out" type="a{sv}"/>
  </method>
  </interface>
  <interface name="org.freedesktop.ConsoleKit.Session">
  <method name="SetIdleHint">
  <arg name="idle_hint" type="b" direction="in"/>
  </method>
  <method name="GetIdleSinceHint">
  <arg name="iso8601_datetime" type="s" direction="out"/>
  </method>
  <method name="GetIdleHint">
  <arg name="idle_hint" type="b" direction="out"/>
  </method>
  <method name="Unlock">
  </method>
  <method name="Lock">
  </method>
  <method name="Activate">
  </method>
  <method name="GetCreationTime">
  <arg name="iso8601_datetime" type="s" direction="out"/>
  </method>
  <method name="IsLocal">
  <arg name="local" type="b" direction="out"/>
  </method>
  <method name="IsActive">
  <arg name="active" type="b" direction="out"/>
  </method>
  <method name="GetLoginSessionId">
  <arg name="login_session_id" type="s" direction="out"/>
  </method>
  <method name="GetRemoteHostName">
  <arg name="remote_host_name" type="s" direction="out"/>
  </method>
  <method name="GetDisplayDevice">
  <arg name="display_device" type="s" direction="out"/>
  </method>
  <method name="GetX11DisplayDevice">
  <arg name="x11_display_device" type="s" direction="out"/>
  </method>
  <method name="GetX11Display">
  <arg name="display" type="s" direction="out"/>
  </method>
  <method name="GetUnixUser">
  <arg name="uid" type="u" direction="out"/>
  </method>
  <method name="GetUser">
  <arg name="uid" type="u" direction="out"/>
  </method>
  <method name="GetSessionType">
  <arg name="type" type="s" direction="out"/>
  </method>
  <method name="GetSeatId">
  <arg name="sid" type="o" direction="out"/>
  </method>
  <method name="GetId">
  <arg name="ssid" type="o" direction="out"/>
  </method>
  <signal name="Unlock">
  </signal>
  <signal name="Lock">
  </signal>
  <signal name="IdleHintChanged">
  <arg type="b"/>
  </signal>
  <signal name="ActiveChanged">
  <arg type="b"/>
  </signal>
  <property name="idle-hint" type="b" access="readwrite"/>
  <property name="is-local" type="b" access="readwrite"/>
  <property name="active" type="b" access="readwrite"/>
  <property name="x11-display-device" type="s" access="readwrite"/>
  <property name="x11-display" type="s" access="readwrite"/>
  <property name="display-device" type="s" access="readwrite"/>
  <property name="remote-host-name" type="s" access="readwrite"/>
  <property name="session-type" type="s" access="readwrite"/>
  <property name="user" type="u" access="readwrite"/>
  <property name="unix-user" type="u" access="readwrite"/>
  </interface>
  </node>
  Note those properties at the end of that list, which are the same things you can learn by running ck-list-session.
  If you want to change the deny to allow, you may as well do it in the ConsoleKit.conf line, so it's specific to this usage, rather than allowing any method call in the world called through dbus.
  FWIW, I can reproduce this same error, trying to do it "by hand", though I don't use GNOME, as you do:
  $ dbus-send --print-reply --system --type=method_call --dest=org.freedesktop.ConsoleKit /org/freedesktop/ConsoleKit/Session1 org.freedesktop.DBus.Properties.GetAll string:org.freedesktop.ConsoleKit.Session
  Error org.freedesktop.DBus.Error.AccessDenied: Rejected send message, 2 matched rules; type="method_call", sender=":1.17" (uid=1000 pid=13892 comm="dbus-send --print-reply --system --type=method_cal") interface="org.freedesktop.DBus.Properties" member="GetAll" error name="(unset)" requested_reply="0" destination="org.freedesktop.ConsoleKit" (uid=0 pid=751 comm="/usr/sbin/console-kit-daemon --no-daemon ")

• Can't reject a call from lock screen with pin password

  When I set a PIN code for my iPhone with iOS7 "7.0.2" and recieve a call, I don't get an option to reject that call directly!
  The only valid options on the lock screen is either to set a reminder to call back the caller or reject with message. Is there any hidden feature behind this? or Apple really intended that?
  Attached 2 screen shots for a caller
  While screen is locked with PIN password
  While screen is unlocked

  It has been this way for some time. This is how you would decline a call from the lock screen, and then declining a call from the open screen is how you have it showing.

• Email failure - The following organization rejected your message

  Hi,
  We are getting failures in receiving emails from two client specifically (email from other clients are received successfully).  
  I can confirm that our SMTP server is configured NOT to check for reverse DNS.
  I am attaching below the notification message from one of the failed emails. 
  Delivery has failed to these recipients or groups:
  [email protected]
  A problem occurred during the delivery of this message to this e-mail address. Try sending this message again. If the problem continues, please contact your helpdesk.
  The following organization rejected your message: xxxxxxxxx.com.
  Diagnostic information for administrators:
  Generating server: server519.appriver.com
  [email protected]
  xxxxxxxxx.com #<xxxxxxxxx.com #4.0.0 smtp;connection with xxxxxxxxx.com is broken> #SMTP#
  Original message headers:
  Received: by server519.appriver.com (CommuniGate Pro PIPE 5.4.8)
    with PIPE id 517414458; Wed, 12 Mar 2014 06:10:06 -0500
  Received: from [4.28.183.90] (HELO hullmail.hullco.com)
    by server519.appriver.com (CommuniGate Pro SMTP 5.4.8)
    with ESMTPS id 517414455 for [email protected]; Wed, 12 Mar 2014 06:10:01 -0500
  Received: from ATL-EXMB03.HULL.COM ([2002:c0bd:6d9a::c0bd:6d9a]) by
   atl-exht04.HULL.COM ([2002:c0bd:6d8c::c0bd:6d8c]) with mapi id
   14.02.0298.004; Wed, 12 Mar 2014 07:10:00 -0400
  From: Joe Failla <[email protected]>
  To: "'[email protected]'" <[email protected]>
  Subject: Test Submission
  Thread-Topic: Test Submission
  Thread-Index: Ac8945alas54Yp+WQ4eldDiAOdcpKA==
  Date: Wed, 12 Mar 2014 11:10:00 +0000
  Message-ID: <[email protected]>
  Accept-Language: en-US
  Content-Language: en-US
  X-MS-Has-Attach: yes
  X-MS-TNEF-Correlator:
  x-originating-ip: [192.189.109.5]
  Content-Type: text/plain
  MIME-Version: 1.0
  X-Note-AR-ScanTimeLocal: 3/12/2014 6:10:01 AM
  X-Policy: hullco.com - hullco.com
  X-Primary: [email protected]
  X-Note: This Email was scanned by AppRiver SecureTide
  X-Note: VCH-CT/SI:0-2630/SG:1 3/12/2014 6:09:20 AM
  X-Virus-Scan: V-X0
  X-Note: Spam Tests Failed: 
  X-Country-Path: ->UNITED STATES->UNITED STATES
  X-Note-Sending-IP: 4.28.183.90
  X-Note-Reverse-DNS:
  X-Note-Return-Path: [email protected]
  X-Note: User Rule Hits: 
  X-Note: Global Rule Hits: G327 G328 G329 G330 G334 G335 G445 
  X-Note: Encrypt Rule Hits: 
  X-Note: Mail Class: VALID
  Any assistance will be gratefully received.
  Regards,
  Vishakha

  Hi Vishakha,
  From the NDR information, the email was scanned by AppRiver SecureTide and then Spam Tests Failed. I think the issue is related to AppRiver SecureTide. If possible, I recommend you disable the AppRiver SecureTide temporarily and check the result.
  Hope it helps.
  Best regards,
  Amy
  Amy Wang
  TechNet Community Support

• Framed IP Attribute missing in Accounting-Start messages from the ISG

  Framed IP Attribute missing in Accounting-Start messages from the ISG for the TAL Users. Account-Logon users and Interim updates have the Framed-IP though.
  We have the following command already enabled: aaa accounting include auth-profile framed-ip-address aaa accounting delay-start
  Any ideas or workarounds please?
  Debug:
  Aug 27 19:36:02.213: RADIUS(00000181): Send Accounting-Request to X.X.X.X:1813 id 21647/201, len 406
  Aug 27 19:36:02.213: RADIUS:  authenticator 23 FC FF 1B AC 01 77 B6 - 89 FE E2 9A 4E AA 0B 32
  Aug 27 19:36:02.213: RADIUS:  Acct-Session-Id     [44]  10  "000001BB"
  Aug 27 19:36:02.213: RADIUS:  Framed-Protocol     [7]   6   PPP                       [1]
  Aug 27 19:36:02.213: RADIUS:  Vendor, Cisco       [26]  20 
  Aug 27 19:36:02.213: RADIUS:   ssg-service-info   [251] 14  "NBWAUTHSVC01"
  Aug 27 19:36:02.213: RADIUS:  Vendor, Cisco       [26]  34 
  Aug 27 19:36:02.213: RADIUS:   Cisco AVpair       [1]   28  "parent-session-id=000001BA"
  Aug 27 19:36:02.213: RADIUS:  User-Name           [1]   22  "[email protected]"
  Aug 27 19:36:02.213: RADIUS:  Acct-Status-Type    [40]  6   Start                     [1]
  Aug 27 19:36:02.213: RADIUS:  Vendor, Cisco       [26]  25 
  Aug 27 19:36:02.213: RADIUS:   Cisco AVpair       [1]   19  "portbundle=enable"
  Aug 27 19:36:02.213: RADIUS:  Vendor, Cisco       [26]  23 
  Aug 27 19:36:02.213: RADIUS:   ssg-account-info   [250] 17  "SX.X.X.X"
  Aug 27 19:36:02.213: RADIUS:  Calling-Station-Id  [31]  19  "00-15-00-73-XX-XX"
  Aug 27 19:36:02.213: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
  Aug 27 19:36:02.213: RADIUS:  NAS-Port            [5]   6   0                        
  Aug 27 19:36:02.213: RADIUS:  NAS-Port-Id         [87]  11  "0/2/0/200"
  Aug 27 19:36:02.213: RADIUS:  Vendor, Cisco       [26]  46 
  Aug 27 19:36:02.213: RADIUS:   Cisco AVpair       [1]   40  "remote-id-tag=020a00000a050001000800c8"
  Aug 27 19:36:02.213: RADIUS:  Vendor, Cisco       [26]  36 
  Aug 27 19:36:02.213: RADIUS:   Cisco AVpair       [1]   30  "vendor-class-id-tag=MSFT 5.0"
  Aug 27 19:36:02.213: RADIUS:  Service-Type        [6]   6   Framed                    [2]
  Aug 27 19:36:02.213: RADIUS:  NAS-IP-Address      [4]   6   X.X.X.X            
  Aug 27 19:36:02.213: RADIUS:  Ascend-Session-Svr-K[151] 10 
  Aug 27 19:36:02.213: RADIUS:   39 45 41 39 39 36 44 44          [ 9EA996DD]
  Aug 27 19:36:02.213: RADIUS:  Event-Timestamp     [55]  6   1346096162               
  Aug 27 19:36:02.213: RADIUS:  Nas-Identifier      [32]  24  "LAB-RAS01"
  Aug 27 19:36:02.213: RADIUS:  Acct-Delay-Time     [41]  6   0    
  Thanks in advance.

  It seems you already have tac case opened for this issue? Let me know if that is not the case.

• RADIUS messages in system.log, all day long

  My 10.6 server's system log is full of RADIUS messages, every few seconds, making me think that something isn't as it should be. We have an airport extreme base station as our router and RADIUS access point. I configured the airport base station from the server, thru server manager.
  Feb 3 17:50:32 192.168.2.1 ffasnyc 80211: Authenticating station 00:19:e3:00:f7:89 to RADIUS.
  Feb 3 17:51:54 192.168.2.1 ffasnyc 80211: Deauthenticating with station 00:19:e3:00:f7:89 (reserved 2).
  Feb 3 17:51:54 192.168.2.1 ffasnyc 80211: Disassociated with station 00:19:e3:00:f7:89
  Feb 3 17:51:54 192.168.2.1 ffasnyc 80211: Associated with station 00:19:e3:00:f7:89
  Feb 3 17:51:54 192.168.2.1 ffasnyc 80211: Authenticating station 00:19:e3:00:f7:89 to RADIUS.
  Feb 3 17:53:16 192.168.2.1 ffasnyc 80211: Deauthenticating with station 00:19:e3:00:f7:89 (reserved 2).
  Feb 3 17:53:16 192.168.2.1 ffasnyc 80211: Disassociated with station 00:19:e3:00:f7:89
  Feb 3 17:53:16 192.168.2.1 ffasnyc 80211: Associated with station 00:19:e3:00:f7:89
  Feb 3 17:53:16 192.168.2.1 ffasnyc 80211: Authenticating station 00:19:e3:00:f7:89 to RADIUS.
  Feb 3 17:54:38 192.168.2.1 ffasnyc 80211: Deauthenticating with station 00:19:e3:00:f7:89 (reserved 2).
  Feb 3 17:54:38 192.168.2.1 ffasnyc 80211: Disassociated with station 00:19:e3:00:f7:89
  Feb 3 17:54:38 192.168.2.1 ffasnyc 80211: Associated with station 00:19:e3:00:f7:89
  Feb 3 17:54:38 192.168.2.1 ffasnyc 80211: Authenticating station 00:19:e3:00:f7:89 to RADIUS.
  Feb 3 17:56:00 192.168.2.1 ffasnyc 80211: Deauthenticating with station 00:19:e3:00:f7:89 (reserved 2).
  Feb 3 17:56:00 192.168.2.1 ffasnyc 80211: Disassociated with station 00:19:e3:00:f7:89
  Feb 3 17:56:21 192.168.2.1 ffasnyc 80211: Associated with station 00:19:e3:00:f7:89
  Feb 3 17:56:21 192.168.2.1 ffasnyc 80211: Authenticating station 00:19:e3:00:f7:89 to RADIUS.
  Feb 3 17:57:43 192.168.2.1 ffasnyc 80211: Deauthenticating with station 00:19:e3:00:f7:89 (reserved 2).
  Feb 3 17:57:43 192.168.2.1 ffasnyc 80211: Disassociated with station 00:19:e3:00:f7:89
  Feb 3 17:57:43 192.168.2.1 ffasnyc 80211: Associated with station 00:19:e3:00:f7:89
  Feb 3 17:57:43 192.168.2.1 ffasnyc 80211: Authenticating station 00:19:e3:00:f7:89 to RADIUS.
  Feb 3 17:58:53 192.168.2.1 ffasnyc 80211: Associated with station 00:19:e3:00:f7:89
  Feb 3 17:59:04 192.168.2.1 ffasnyc 80211: Deauthenticating with station 00:19:e3:00:f7:89 (reserved 2).
  Feb 3 17:59:04 192.168.2.1 ffasnyc 80211: Disassociated with station 00:19:e3:00:f7:89
  Feb 3 17:59:04 192.168.2.1 ffasnyc 80211: Associated with station 00:19:e3:00:f7:89
  Feb 3 17:59:04 192.168.2.1 ffasnyc 80211: Authenticating station 00:19:e3:00:f7:89 to RADIUS.
  Feb 3 17:59:07 192.168.2.1 ffasnyc 80211: Disassociated with station 00:19:e3:00:f7:89
  Fe

  Also NOW I suddenly have two 256 cards that are not showing up so I have lost half of my RAM! I have less than 12% space left on my hard drive. Two of the cards look the same and two others look alike ( I have four 256 cards) Two years ago the repair shop put in two used cards so I would have all the same. I tried re seating them but it didn't work and I still get repeating messages in my systems log.

• TS3276 Hotmail rejects all mail from Apple Mail

  Hot mail reject any mail sent through applemail. If I send it through AOL mail it is works fine.
  This is the return thread
  Diagnostic-Code: smtp; 550 SC-001 (BAY0-MC4-F6) Unfortunately, messages from
     64.12.140.129 weren't sent. Please contact your Internet service provider
     since part of their network is on our block list. You can also refer your
     provider to http://mail.live.com/mail/troubleshooting.aspx#errors.
  Any help

  Mail under Lion is 5.1
  I do not know of any upgrade since Lion.
  Please gieve us some more info about the message and your (yours wife sytem).
  You can try to look into the basket to see if the content of the Mail folder is there.
  Can you enter her Mail server (iCloud or MM or amithing different from Apple) and see if messages are There ?
  Probably you find some.
  What do you mean by "tag" in @me substituted (surry for my english).

• 421 4.4.5 Too many messages from this host last hour

  Hi, we are in a migration process from a Kerio system to Exchange 2013.
  Everything is working fine, except that we have been experiencing this error on the logs and the Exchange 2013 users are getting returned emails.
  The remote server is 10.10.10.85
  Remote Server at 10.10.10.85 (10.10.10.85) returned '400 4.4.7 Message delayed'
  19/12/13 7:21:57 p. m. - Remote Server at 10.10.10.85 (10.10.10.85) returned '451 4.4.0 Primary target IP address responded with: "421 4.4.5 Too many messages from this host last hour." Attempted failover to alternate host, but that did not succeed.
  Either there are no alternate hosts, or delivery failed to all alternate hosts. The last endpoint attempted was 10.10.10.85:25'
  My question is, is Exchange rejecting the messages or is the other system telling Exchange to slow things a bit?

  To update this.
  We found out that the other email system was configured NOT to accept more than 100 messages per hour from same sending IP.
  Once we removed the configuration value from the other email system, all started working.

• No response after NSP get RADIUS message

  I use Windows 8 as client and Windows 2012R2 as radius server for 802.11X wireless login.
  After Windows 2012 NSP got the RADIUS message, it didn't reply the message.
  From logs, it shows 'reason code 22, client can't be identified, becase EAP can't be processed'(changed from Chinese because I use Chinese windows.
  I've attached the packets captured with wireshark. Please suggest what may be the cause.

  Hi,
  According to your description, my understanding is that Windows Server 2012 R2 is configured as RADIUS server for 802.11x wireless, and it does not reply to Access Request message sent by client(Windows 8), with reason code 22(client can't be identified, because
  EAP can't be processed).
  On the RADIUS server, switch to the connection request policy, confirm that if the EAP Type has been specified in the Authentication Methods.
  Besides, I recommend you to reference the links below to confirm the configurations:
  Creating a secure 802.1x wireless infrastructure using Microsoft Windows
  http://blogs.technet.com/b/networking/archive/2012/05/30/creating-a-secure-802-1x-wireless-infrastructure-using-microsoft-windows.aspx
  IEEE 802.11 Wireless LAN Security with Microsoft Windows
  http://www.microsoft.com/downloads/details.aspx?familyid=67fdeb48-74ec-4ee8-a650-334bb8ec38a9&displaylang=en
  Checklist: Configure NPS for Secure Wireless Access
  http://technet.microsoft.com/en-us/library/cc771696.aspx
  Step-by-Step Guide: Demonstrate NAP 802.1X Enforcement in a Test Lab 
  http://www.microsoft.com/downloads/details.aspx?FamilyID=8a0925ee-ee06-4dfb-bba2-07605eff0608&displaylang=en
  Best Regards,
  Eve Wang 
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]