ISE authentication fail during windows re-logon

Background:
Deployed a Cisco ISE 1.1.2. that is used to authenticate and posture validate for wired users, attached to Cisco IP Phones. Backend database is Microsoft AD.
Problem:
At the first time both, users and IP Phones, pass authentication and posture validation steps successfully. When the user logs off from windows, the log off is done whithout any problem, and I can see it switch.
The problem takes place when the user try to log on again. The ise does not match the configured authenticion rules as in the first time, and put the user directly to default "DenyAccess" policy (rule).
Anyone out there experienced something similar or have any ideas on why this is happening?
Thanks.

Hi
Possible Causes
• This could be either a MAB or 802.1X authentication issue.
• The authorization profile could be missing the Cisco av-pair=”device-traffic-class=voice” attribute. As a result, the switch does not recognize the traffic on the voice VLAN.
• The administrator did not add the endpoint as static identity, or did not allow an unregistered endpoint to pass. create a policy rule to (“Continue/Continue/Continue” upon failure).
Resolution
• Verify that the Authorization Policy is framed properly for groups and conditions, and check to see whether the IP phone is profiled as an “IP phone”or as a “Cisco-device.”
• Verify the switch port configuration for multidomain and voice VLAN configuration.
• Add the continue/continue/continue to allow the endpoint to pass:
Choose Policy > Policy Elements > Results > Authentication > Allowed
Protocols to create a Protocol Policy. MAC authentications use PAP/ASCII and EAP-MD5 protocols. Enable the following MAB Protocols settings:
– Process Host Lookup
– PAP/ASCII
– Detect PAP as Host Lookup
– EAP-MD5
– Detect EAP-MD5 as Host Lookup
• From the main menu, choose Policy > Authentication.
• Change the authentication method from Simple to Rule-Based
• Use the action icon to create new Authentication Method entries for MAB:
– Name: MAB
– Condition: IF MAB RADIUS:Service-Type == Call Check
– Protocols: allow protocols MAB_Protocols and use
– Identity Source: Internal
– Hosts: Continue/Continue/Continue

Similar Messages

  • Cisco ISE authentication failed because client reject certificate

    Hi Experts,
    I am a newbie in ISE and having problem in my first step in authentication. Please help.
    I am trying to deploy a standalone Cisco ISE 1.1.2 with WLC using 802.1x authentication. The user authentication configured to be checked to ISE's internal user database for early deployment. But when the user try to authenticate, they failed with error message in ISE :
    Authentication failed : 12321 PEAP failed SSL/TLS handshake because the client rejected the ISE local-certificate
    I've generate a certificate for ISE using Windows Server CA and replace ISE's self-signed certificate with the new certificate but authentication still failed with the same error message. Must I generate a certificate for WLC also? Please help me in solving this problem.
    Regards,
    Ratna

    Certificate-Based User Authentication via Supplicant Failing
    Symptoms or
    Issue
    User authentication is failing on the client machine, and the user is receiving a
    “RADIUS Access-Reject” form of message.
    Conditions (This issue occurs with authentication protocols that require certificate validation.)
    Possible Authentications report failure reasons:
    • “Authentication failed: 11514 Unexpectedly received empty TLS message;
    treating as a rejection by the client”
    • “Authentication failed: 12153 EAP-FAST failed SSL/TLS handshake because
    the client rejected the Cisco ISE local-certificate”
    Click the magnifying glass icon from Authentications to display the following output
    in the Authentication Report:
    • 12305 Prepared EAP-Request with another PEAP challenge
    • 11006 Returned RADIUS Access-Challenge
    • 11001 Received RADIUS Access-Request
    • 11018 RADIUS is reusing an existing session
    • 12304 Extracted EAP-Response containing PEAP challenge-response
    • 11514 Unexpectedly received empty TLS message; treating as a rejection by the
    client
    • 12512 Treat the unexpected TLS acknowledge message as a rejection from the
    client
    • 11504 Prepared EAP-Failure
    • 11003 Returned RADIUS Access-Reject
    • 11006 Returned RADIUS Access-Challenge
    • 11001 Received RADIUS Access-Request
    • 11018 RADIUS is re-using an existing session
    • 12104 Extracted EAP-Response containing EAP-FAST challenge-response
    • 12815 Extracted TLS Alert message
    • 12153 EAP-FAST failed SSL/TLS handshake because the client rejected the
    Cisco ISE local-certificate
    • 11504 Prepared EAP-Failure
    • 11003 Returned RADIUS Access-Reject
    Note This is an indication that the client does not have or does not trust the Cisco
    ISE certificates.
    Possible Causes The supplicant or client machine is not accepting the certificate from Cisco ISE.
    The client machine is configured to validate the server certificate, but is not
    configured to trust the Cisco ISE certificate.
    Resolution The client machine must accept the Cisco ISE certificate to enable authentication.

  • EAP-TLS or PEAP authentication failed during SSL handshake

    Hi Pros,
                   I am a newbie in the ACS 4.2 and EAP-TLS implementation, with that being said. I face an issue during a EAP-TLS implementation. My search shows that this kind of error message is already certificate issue;However, I have deleted and recreated the certificate in both ACS and the client with the same result. I have deleted and re-install the certchain as well.
    When I check my log in the failed attemps, there is what I found:
    Date
    Time
    Message-Type
    User-Name
    Group-Name
    Caller-ID
    Network Access Profile Name
    Authen-Failure-Code
    Author-Failure-Code
    Author-Data
    NAS-Port
    NAS-IP-Address
    Filter Information
    PEAP/EAP-FAST-Clear-Name
    EAP Type
    EAP Type Name
    Reason
    Access Device
    Network Device Group
    06/23/2010
    17:39:51
    Authen failed
    000e.9b6e.e834
    Default Group
    000e.9b6e.e834
    (Default)
    EAP-TLS or PEAP authentication failed during SSL handshake
    1101
    10.111.22.24
    25
    MS-PEAP
    wbr-1121-zozo-test
    Office Networ
    06/23/2010
    17:39:50
    Authen failed
    [email protected]
    Default Group
    000e.9b6e.e834
    (Default)
    EAP-TLS or PEAP authentication failed during SSL handshake
    1098
    10.111.22.24
    25
    MS-PEAP
    wbr-1121-zozo-test
    Office Network
    [email protected] = my windows active directory name
    1. Why under EAP-TYPE it shows MS-PEAP not EAP-TLS? I did configure EAP-TLS....
    2. Why sometimes it just shows the MAC of the client for username?
    3. Why  it puts me in DEFAULT-GROUP even though i belongs to a group well definy in the acs?
    2. Secondly, When I check in pass authentications... there is what i saw
    Date
    Time
    Message-Type
    User-Name
    Group-Name
    Caller-ID
    NAS-Port
    NAS-IP-Address
    Network Access Profile Name
    Shared RAC
    Downloadable ACL
    System-Posture-Token
    Application-Posture-Token
    Reason
    EAP Type
    EAP Type Name
    PEAP/EAP-FAST-Clear-Name
    Access Device
    Network Device Group
    06/23/2010
    17:30:49
    Authen OK
    groszozo
    NOC Tier 2
    10.11.10.105
    1
    10.111.22.24
    (Default)
    wbr-1121-zozo-test
    Office Network
    06/23/2010
    17:29:27
    Authen OK
    groszozo
    NOC Tier 2
    10.11.10.105
    1
    10.111.22.24
    (Default)
    wbr-1121-zozo-test
    Office Network
    In the output below, it says that the user is authenticate and it puts the user in the right group with the right username, but the user never really authenticate. Maybe for the first few seconds when I initiate the connection.
    Before I forget, the suppliant is using WIN XP and 802.1x is enable. I even uncheck not verify the server and the ACS under External User Databases, I did  check ENABLE EAP-TLS machine authentication.
    Thanks in advance for your help,
    Crazy---

    Any ideas on this guys?? In my end, i've been reading some docs... Things started to make sens to me, but I still cannot authenticate, still the same errors. One more thing that catch my  attention now is the time it takes to open a telnet session to cisco device which has the ACS for auth server.
    My AD(Active Direct) and the ACS server are local same subnet(server subnet). Ping to the ACS from my desktop which is in different subnet is only take 1ms. To confirm that the issue is the ACS server, I decided to use another server in remote location, the telnet connection is way faster than the local ACS.
    Let's brain storm together to figure out this guys.
    Thanks in advance,
    ----Paul

  • EAP-TLS or PEAP authentication failed during SSL handshake error

    I have 2 Windows 2003 ACS 3.2 servers. I am in the process of upgrading them to ACS 4.0. I am using them for WPA2/PEAP wireless authentication in a WDS environment. I recently upgraded one to ACS 4.0 and ever since that time some (not all) of my Windows XP clients have started to not be authenticated and logging the error "EAP-TLS or PEAP authentication failed during SSL handshake" on the ACS 4.0 server. During the upgrade (which was successful) I did change the Certificate since the current one was going to expire November 2007.
    The clients that do not authenticate on the ACS 4.0 server I can point to the ACS 3.2 server and they successfully authenticate there. I am able to resolve the issue by recreating the Windows XP PEAP profile for the wireless network and by getting a new client Cert. But, I have a couple of questions:
    Is the "EAP-TLS or PEAP authentication failed during SSL handshake" error due to the upgrade to ACS 4.0 or to the fact that I changed the Certificate, or both?
    Can this error ("EAP-TLS or PEAP authentication failed during SSL handshake") be resolved without me touching every Windows XP client (we have over 250+)?
    Thanks for the help

    My experience suggests that the problem is the certificate.
    I'm running ACS 3.3.
    I received the same error message when my clients copied the certificate to the wrong location, or otherwise did not correctly follow the provided instructions.
    Correctly following the instructions led to a successful connection and no more error message.

  • EAP-TLS or PEAP authentication failed during SSL handshake to the ACS serve

    We are running the LWAPP (2006 wlc's and 1242 AP's) and using the ACS 4.0 for authentication. Our users are
    experiencing an issue, where they are successfully authenticated the first time, however as the number of them is increasing, they're starting to drop the connections and being prompted to re-authenticate. At this point, they are not being able to authenticate again.
    We're using PEAP for the authentication and Win XP SP2 clients as the supplicants. The error message that we are seeing on the ACS for that controller is "EAP-TLS or PEAP authentication failed during SSL handshake to the ACS server"...Not sure if this error msg is relevant since we have other WLC's that are working OK and still generating the same error msg on the ACS...
    Thanks..

    Here are some configs you can try:
    config advanced eap identity-request-timeout 120
    config advanced eap identity-request-retries 20
    config advanced eap request-timeout 120
    config advanced eap request-retries 20
    save config

  • Cisco ISE (Authentication failed: 24415 User authentication against Active Directory failed since user's account is locked out)

    Hi,
    I have a setup ISE 1.1.1. Users are getting authenticate against AD. Everything is working fine except some users report disconnection. I see in the ISE that (Authentication failed: 24415 User authentication against Active Directory failed since user's account is locked out). Users are using Windows 7 OS.
    Error is enclosed & here is the port configuration.
    Port Configuration.
    interface GigabitEthernet0/2
    switchport access vlan 120
    switchport mode access
    switchport voice vlan 121
    authentication event fail action next-method
    authentication event server dead action reinitialize vlan 120
    authentication event server alive action reinitialize
    authentication host-mode multi-auth
    authentication order mab dot1x
    authentication priority dot1x mab
    authentication port-control auto
    authentication periodic
    authentication timer reauthenticate server
    mab
    dot1x pae authenticator
    dot1x timeout tx-period 60
    spanning-tree portfast
    ip dhcp snooping limit rate 30 interface GigabitEthernet0/2
    switchport access vlan 120
    switchport mode access
    switchport voice vlan 121
    authentication event fail action next-method
    authentication event server dead action reinitialize vlan 120
    authentication event server alive action reinitialize
    authentication host-mode multi-auth
    authentication order mab dot1x
    authentication priority dot1x mab
    authentication port-control auto
    authentication periodic
    authentication timer reauthenticate server
    mab
    dot1x pae authenticator
    dot1x timeout tx-period 60
    spanning-tree portfast
    ip dhcp snooping limit rate 30
    Please help.

    The error message means that Active Directory server Reject the authentication attempt
    as for some reasons the user account got locked.I guess, You should ask your AD Team to check in the AD
    Event Logs why did the user account got locked.
    Under Even Viewers, You can find it out
    Regards
    Minakshi (Do rate the helpful posts)

  • Cisco ISE authentication failed for Win XP SP3

    Hello,
    I have some trouble this Win XP wired Client authentication. With Win7 everything works well.
    ISE 1.2 (patch 4)
    Switch: 2960 / 2960S (15.0.(2)SE2)
    Authentication details:
    Event:
    5400 Authentication failed:
    Failure Reason
    11514 Unexpectedly received empty TLS message; treating as a rejection by the client
    Resolution
    Ensure that the client's supplicant does not have any known compatibility issues and that it is properly configured. Also ensure that the ISE server certificate is trusted by the client, by configuring the supplicant with the CA certificate that signed the ISE server certificate. It is strongly recommended to not disable the server certificate validation on the client!
    Root cause While trying to negotiate a TLS handshake with the client, ISE expected to receive a non-empty TLS message or TLS alert message, but instead received an empty TLS message. This could be due to an inconformity in the implementation of the protocol between ISE and the supplicant. For example, it is a known issue that the XP supplicant sends an empty TLS message instead of a non-empty TLS alert message. It might also involve the supplicant not trusting the ISE server certificate for some reason. ISE treated the unexpected message as a sign that the client rejected the tunnel establishment.
    I try to disable validate server certificates on Win XP Clients, but it won´t work for me.
    Add ISE self-sign certificate to clients trusted root certification authorities and enable validate server certificates also won´t work.
    Any idea?
    thanks

    The ISE use a self-signed certificate. I add this self-signed certificate to the clients "trusted root certification authorities", enable validate server certificates at the eap properties and select the added certificate from the trust list. But if I uncheck validate server certificates, I see the same error message as well.
    Are there any differences between xp client config and win7 client config?
    thanks,

  • WIndows 7 and Windows 2008 authentication failed in Windows 2003 Domain

    Hi,
    We have Domain with Windows 2003 and recently Windows 2008 Doamin controllers also added.
    We are facing authentication failure for Windows 7 and Windows 2008 Domain members when user is trying to login.
    Schema Master is on Windows 2003 and remaining roles on Windows 2008 Domain controller.
    Windows XP clients login is working fine.
    Problem si for Windows 7 and Windows 2008 Domain members login.
    Any hint/solution will be really great help.
    Pls share if you have any solutions.
    Regards:Mahesh

    Hi,
    I found some more details about issue
    Below are the events getting generated. It looks like due to encryption mismatch with Windows 2003 Domain and Windows7 and Windows 2008 clients. However i am looking for solution if someone tested this case.
    Event Type:        Error
    Event Source:    KDC
    Event Category:                None
    Event ID:              26
    Date:                     08/06/2014
    Time:                     9:41:04 AM
    User:                     N/A
    Computer:          AAAAAA
    Description:
    While processing an AS request for target service krbtgt, the account ADDADA$ did not  have a suitable key for generating a Kerberos ticket (the missing key has an ID of 2). The requested etypes were 17.  The accounts
    available etypes were 23  -133  -128  3  -140.
    For more information, see Help and Support Center at
    http://go.microsoft.com/fwlink/events.asp.
    Event Type:        Error
    Event Source:    Kerberos
    Event Category:                None
    Event ID:              4
    Date:                     08/06/2014
    Time:                     9:34:17 AM
    User:                     N/A
    Computer:          AAAAAA
    Description:
    The kerberos client received a KRB_AP_ERR_MODIFIED error from the server ADADDFHDHDH$.  The target name used was . This indicates that the password used to encrypt the kerberos service ticket is different than that on the
    target server. Commonly, this is due to identically named  machine accounts in the target realm (DOMAINNAME.COM), and the client realm.   Please contact your system administrator.
    For more information, see Help and Support Center at
    http://go.microsoft.com/fwlink/events.asp.
    Regards:Mahesh

  • EAP TLS authentication failed during SSL handshake

    We see this message, trying to set up EAP TLS. Anyone come across this ?

    I had this message recently. The first issue I found was that the username entered into the laptop was not correct (I had djohnson, need to have DJohnson)
    The second issue I had was that my AP's were not authenticating to my WDS access point. I had turned off LEAP on my ACS server by accident causing the WDS authentication to fail. Once I turned this back on, my AP's authenticated to my WDS device and my users authenticated to the AP's.
    Otherwise, the meaning of this is that the certs are not matching up correctly with the server either due to expiered certs, incorrect cert type on the users machine or incorrect information in the cert.
    Hope this helps.

  • Content compliance: failed during windows 8 (32 bit) App Submission?

    Content compliance: failed
    This test evaluates your software for content compliance with Windows Store Certification Requirements. Learn
    more
    Your app doesn't meet requirement 10.1.10. Learn
    more
    Notes from Testers:
    The app is about a non-Windows platform.
    Not getting 10.1.10 Certification requirement document in App certification requirements for the Windows Store.
    How can I know the exact issue of this failure?
    How can I resolve it.

    Raise a support request. I would guess that requirement 10.1.10 is new and part of the next update for Windows 10. There is no mention of it that I can find.
    Unfortunately some of the people who certify apps are useless. They give incredibly unhelpful notes.
    "The app is about a non-Windows platform." doesn't help because there doesn't seem to be any requirement that this relates to.
    What is the app about? If the given reasoning doesn't make sense to you, try resubmitting with a note to the testers (there is unfortunately no guarantee that it will be read). If you make a clear case that your app is not violating any terms (and get a
    competent reviewer) your app might be accepted.
    Check your dashboard, there might be a report with more details (I'm not sure if they provide reports if the app failed for non-crashing reasons).
    I'm a self-taught noob amateur. Please take this into account when responding to my posts or when taking advice from me.

  • EAP-TLS PEAP FAIL DURING SSH HANDSHAKE

    Hi Pros,
                   I am a newbie in the ACS 4.2 and EAP-TLS implementation, with that being said. I face an issue during a EAP-TLS implementation. My search shows that this kind of error message is already certificate issue;However, I have deleted and recreated the certificate in both ACS and the client with the same result. I have deleted and re-install the certchain as well.
    When I check my log in the failed attemps, there is what I found:
    Date
    Time
    Message-Type
    User-Name
    Group-Name
    Caller-ID
    Network Access Profile Name
    Authen-Failure-Code
    Author-Failure-Code
    Author-Data
    NAS-Port
    NAS-IP-Address
    Filter Information
    PEAP/EAP-FAST-Clear-Name
    EAP Type
    EAP Type Name
    Reason
    Access Device
    Network Device Group
    06/23/2010
    17:39:51
    Authen failed
    000e.9b6e.e834
    Default Group
    000e.9b6e.e834
    (Default)
    EAP-TLS or PEAP authentication failed during SSL handshake
    1101
    10.111.22.24
    25
    MS-PEAP
    wbr-1121-zozo-test
    Office Networ
    06/23/2010
    17:39:50
    Authen failed
    [email protected]
    Default Group
    000e.9b6e.e834
    (Default)
    EAP-TLS or PEAP authentication failed during SSL handshake
    1098
    10.111.22.24
    25
    MS-PEAP
    wbr-1121-zozo-test
    Office Network
    [email protected]
    = my windows active directory name
    1. Why under EAP-TYPE it shows MS-PEAP not EAP-TLS? I did configure EAP-TLS....
    2. Why sometimes it just shows the MAC of the client for username?
    3. Why  it puts me in DEFAULT-GROUP even though i belongs to a group well definy in the acs?
    2. Secondly, When I check in pass authentications... there is what i saw
    Date
    Time
    Message-Type
    User-Name
    Group-Name
    Caller-ID
    NAS-Port
    NAS-IP-Address
    Network Access Profile Name
    Shared RAC
    Downloadable ACL
    System-Posture-Token
    Application-Posture-Token
    Reason
    EAP Type
    EAP Type Name
    PEAP/EAP-FAST-Clear-Name
    Access Device
    Network Device Group
    06/23/2010
    17:30:49
    Authen OK
    groszozo
    NOC Tier 2
    10.11.10.105
    1
    10.111.22.24
    (Default)
    wbr-1121-zozo-test
    Office Network
    06/23/2010
    17:29:27
    Authen OK
    groszozo
    NOC Tier 2
    10.11.10.105
    1
    10.111.22.24
    (Default)
    wbr-1121-zozo-test
    Office Network
    In the output below, it says that the user is authenticate and it puts the user in the right group with the right username, but the user never really authenticate. Maybe for the first few seconds when I initiate the connection.
    Before I forget, the suppliant is using WIN XP and 802.1x is enable. I even uncheck not verify the server and the ACS under External User Databases, I did  check ENABLE EAP-TLS machine authentication.
    Thanks in advance for your help,
    Crazy---

    I had this message recently. The first issue I found was that the username entered into the laptop was not correct (I had djohnson, need to have DJohnson)
    The second issue I had was that my AP's were not authenticating to my WDS access point. I had turned off LEAP on my ACS server by accident causing the WDS authentication to fail. Once I turned this back on, my AP's authenticated to my WDS device and my users authenticated to the AP's.
    Otherwise, the meaning of this is that the certs are not matching up correctly with the server either due to expiered certs, incorrect cert type on the users machine or incorrect information in the cert.
    Hope this helps.

  • EAP-TLS & ACE Appliance "EAP-TLS or PEAP authentication failed"

    Hello - I have a version 3.2 of the ACS appliance and I am trying to set up a successful test of EAP-TLS. I have a W2K server for a CA and I believe I have the certificate install properly. However, I get the "EAP-TLS or PEAP authentication failed during SSL handshake" error message in my failed attempts log. The troubleshooting document tells me to look at the CSAuth.log file but I can't seem to find in on the ACS Appliance.
    Does anyone have any ideas how to troubleshoot this problem with the appliance?

    If the client's certificate on the ACS is invalid (which depends on the certificate's valid "from" and "to" dates, the server's date and time settings, and CA trust), then the server will reject it and authentication will fail. The ACS will log the failed authentication in the web interface under Reports and Activity > Failed Attempts > Failed Attempts XXX.csv with the Authentication Failure-Code similar to "EAP-TLS or PEAP authentication failed during SSL handshake." If the ACS rejects the client's certificate because the ACS does not trust the CA, the expected error message in the CSAuth.log file is similar to the following.
    AUTH 06/04/2003 15:47:43 E 0345 1696 EAP: ProcessResponse:
    SSL handshake failed, status = 3 (SSL alert fatal:unknown CA certificate)If the ACS rejects the client's certificate because the certificate has expired, the expected error message in the CSAuth.log file is similar to the following.
    AUTH 06/04/2005 15:02:08 E 0345 1692 EAP: ProcessResponse:
    SSL handshake failed, status = 3 (SSL alert fatal:certificate expired)
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00801df0ea.shtml

  • Customize "authentication failed" error message

    I would like to customize the "authentication failed" message to "authentication failed - network ID and password required" when a user fails to provide the correct ID and password logging on to the portal.  Has anyone done something similar to this?
    Thank you in advance for any replies.
    Pat

    Hi,
    download the PAR file.
    Extract the PAR (it's a ZIP).
    Take a look into the file localization.properties:
    Authentication_failed = Authentication failed.
    Portal_Logon = Portal Logon
    Logon_ID = User Name
    Password = Password
    Auth_Scheme = Auth Scheme
    Log_On = Log On
    Change the Authentication_failed = Authentication failed part and insert your new text. Zip the file again as a PAR and upload it:
    http://server:port/irj/irj
    Clear the cache and try if the new message appears.
    br,
    Tobias

  • EAP-TLS or PEAP authentication failed due to unknown CA certificate during SSL handshake

    Hi All ,
                 I am trying to test EAP_TLS authentication on acs 4.2.1.15 running on Appliance 1120 , I have installed my server certficate along with CA certficate on my appliance box , I have enabled features of  EAP_TLS under golbal authentication setup .
                 I have downloaded client supplicant certficate file for my windows XP machine .
    When i tried to authenticated i am finding following error message under  failed attempts(EAP-TLS or PEAP authentication failed due to unknown CA certificate during SSL handshake) on my acs appliance box .
    Under certficate revocation list , I have forced my CA as CRL in use . Attached snap shot of all .
    Suggest me whether i need to enable all corresponding CA certficate undercertficate trust list , Kindly let me know were i am doing wrong on this ..

    Hello,
    I am NO expert on certificates but I have seen your error dozens of times from wireless clients on my Cisco ACS 4.2 Radius server.
    Through trial and error I wrote up this procedure for our Helpdesk for installing certs in Windows XP and Windows 7. These steps haven't failed me yet and the Helpdesk doesn't bother me as much anymore so see if this helps you:
    -          Manually install the Global CA under BOTH Trusted Root Certification Authorities\Certificates AND Intermediate Certification                      Authorities\Certificates
    -          Manually install the Intermediate CA under JUST the Intermediate Certification Authorities\Certificates
    -          Delete the wireless network from the computer
    -          REBOOT!!
    -          Open the Microsoft Management Console, “mmc”.
    -          Go FILE\Add Remove SnapIn. Select Certificates ..
    -          If promoted, do it for “My User Account”.
    -          Make sure the certificates are where you put them. 
    -          If you see any of these exact certificates out of place in either Trusted Root Certification Authorities\Certificates or Intermediate Certification                      Authorities\Certificates, remove them.
    -          Redo wireless network setup again
    I hope this helps you.
    Mike

  • ERROR: Ldap Authentication failed for dap during installation of iAS 6.0 SP3

    I am attempting to install ias Enterprise Edition (6.0 SP3) on solaris 2.8 using typical in basesetup. I am trying to install new Directory server as I don't have an existing one.
    During the installation I got the following error.
    ERROR: Ldap Authentication failed for url ldap://hostname:389/o=NetScape Root user id admin (151: Unknown Error)
    Fatal Slapd did not add Directory server information to config Server.
    Warning slapd could'nt populate with ldif file Yes error code 151.
    ERROR:Failure installing iPlanet Directory Server.
    Do you want to continue: ( I entered yes )
    Configuring Administration Server Segmentation fault core dumped.
    Error: Failure installing Netscape Administration Server.
    Do you want to continue:( I responded with yes).
    And during the Extraction I got the following
    ERROR:mple_bind: Can't connect to the LDAP server - No route to host
    ERROR: Unable to connect to LDAP Directory Server
    Hostname: hostname
    Port: 389
    User: cn=Directory Manager
    Password: <password-for-cn=Directory Manager
    Please make sure this Directory Server is currently running.
    You might need to run 'stop-slapd' and then
    'start-slapd' in the Directory Server home directory, in order to restart
    LDAP. When finished, press ENTER to continue, or S to skip this step:
    Start registering Bootstrap EJB...
    javax.naming.NameNotFoundException
    at java.lang.Throwable.fillInStackTrace(Native Method)
    at java.lang.Throwable.fillInStackTrace(Compiled Code)
    at java.lang.Throwable.<init>(Compiled Code)
    at java.lang.Exception.<init>(Compiled > Code)
    at javax.naming.NamingException.<init>(NamingException.java:114)
    at javax.naming.NameNotFoundException.<init>(NameNotFoundException.java: 48)
    at com.netscape.server.jndi.RootContext.resolveCtx(Unknown Source)
    "ldaperror" 76 lines, 2944 characters
    at com.netscape.server.jndi.RootContext.resolveCtx(Unknown Source)
    at com.netscape.server.jndi.RootContext.bind(Unknown Source)
    at com.netscape.server.jndi.RootContext.bind(Unknown Source)
    at javax.naming.InitialContext.bind(InitialContext.java:371)
    at com.netscape.server.deployment.EjbReg.deployToNaming(Unknown Source)
    at com.netscape.server.deployment.EjbReg.registerEjbJar(Compiled Code)
    at com.netscape.server.deployment.EjbReg.registerEjbJar(Compiled Code)
    at com.netscape.server.deployment.EjbReg.run(Compiled Code)
    at com.netscape.server.deployment.EjbReg.main(Unknown Source)
    Start registering iAS 60 Fortune Application...
    Start iPlanet Application Server
    Start iPlanet Application Server
    Start Web Server iPlanet-WebServer-Enterprise/6.0SP1 B08/20/200100:58
    warning: daemon is running as super-user
    [LS ls1] http://gedemo1.plateau.com, port 80 ready
    to accept requests
    startup: server started successfully.
    After completion of installation, I tried to start the console. But I got the following error;
    "Cant connect ot the admin server. The url is not correct or the server is not running.
    Finally,when I started the admintool(iASTT),it shows the iAS1
    was registered( marked with a red cross mark) and says "cant login. make sure the user
    name & passwdord are correct" when i click on it.
    Thanks in advance for any help
    Madhavi

    Hi,
    Make sure that the directory server is installed first. If it is running
    ok, then you can try adding an admin user, please check the following
    technote.
    http://knowledgebase.iplanet.com/ikb/kb/articles/4106.html
    regards
    Swami
    madhavi korupolu wrote:
    I am attempting to install ias Enterprise Edition (6.0 SP3) on
    solaris 2.8 using typical in basesetup. I am trying to install new
    Directory server as I don't have an existing one.
    During the installation I got the following error.
    ERROR: Ldap Authentication failed for url
    ldap://hostname:389/o=NetScape Root user id admin (151: Unknown
    Error)
    Fatal Slapd did not add Directory server information to config
    Server.
    Warning slapd could'nt populate with ldif file Yes error code 151.
    ERROR:Failure installing iPlanet Directory Server.
    Do you want to continue: ( I entered yes )
    Configuring Administration Server Segmentation fault core dumped.
    Error: Failure installing Netscape Administration Server.
    Do you want to continue:( I responded with yes).
    And during the Extraction I got the following
    ERROR:mple_bind: Can't connect to the LDAP server - No route to host
    ERROR: Unable to connect to LDAP Directory Server
    Hostname: hostname
    Port: 389
    User: cn=Directory Manager
    Password: <password-for-cn=Directory Manager
    Please make sure this Directory Server is currently running.
    You might need to run 'stop-slapd' and then
    'start-slapd' in the Directory Server home directory, in order to
    restart
    LDAP. When finished, press ENTER to continue, or S to skip this
    step:
    Start registering Bootstrap EJB...
    javax.naming.NameNotFoundException
    at java.lang.Throwable.fillInStackTrace(Native Method)
    at java.lang.Throwable.fillInStackTrace(Compiled Code)
    at java.lang.Throwable.<init>(Compiled Code)
    at java.lang.Exception.<init>(Compiled > Code)
    at javax.naming.NamingException.<init>(NamingException.java:114)
    at
    javax.naming.NameNotFoundException.<init>(NameNotFoundException.java:
    48)
    at com.netscape.server.jndi.RootContext.resolveCtx(Unknown Source)
    "ldaperror" 76 lines, 2944 characters
    at com.netscape.server.jndi.RootContext.resolveCtx(Unknown Source)
    at com.netscape.server.jndi.RootContext.bind(Unknown Source)
    at com.netscape.server.jndi.RootContext.bind(Unknown Source)
    at javax.naming.InitialContext.bind(InitialContext.java:371)
    at com.netscape.server.deployment.EjbReg.deployToNaming(Unknown
    Source)
    at com.netscape.server.deployment.EjbReg.registerEjbJar(Compiled
    Code)
    at com.netscape.server.deployment.EjbReg.registerEjbJar(Compiled
    Code)
    at com.netscape.server.deployment.EjbReg.run(Compiled Code)
    at com.netscape.server.deployment.EjbReg.main(Unknown Source)
    Start registering iAS 60 Fortune Application...
    Start iPlanet Application Server
    Start iPlanet Application Server
    Start Web Server iPlanet-WebServer-Enterprise/6.0SP1 B08/20/200100:58
    warning: daemon is running as super-user
    [LS ls1] http://gedemo1.plateau.com, port 80 ready
    to accept requests
    startup: server started successfully.
    After completion of installation, I tried to start the console. But I
    got the following error;
    "Cant connect ot the admin server. The url is not correct or the
    server is not running.
    Finally,when I started the admintool(iASTT),it shows the iAS1
    was registered( marked with a red cross mark) and says "cant login.
    make sure the user
    name & passwdord are correct" when i click on it.
    Thanks in advance for any help
    Madhavi
    Try our New Web Based Forum at http://softwareforum.sun.com
    Includes Access to our Product Knowledge Base!

Maybe you are looking for