ISE - AV Link remediation redirect problem

Similar Messages

• ISE 1.2 web authentication problem with wired clients

  Hello,
  i am having problems with centralized web authentication using a Catalyst 3650X with IOS 15.0.2 SE01 and ISE 1.2.
  Redirecting the client works fine, but as soon the client opens a web browser and ISE websites open to authenticate the client, the switch port resets, the authentication process restarts and the session ID changes. After the client enters the credentials a session expired messages appears on the client and i get an 86017 Session Missing message in ISE.
  here the output form the debug aaa coa log.
  Any ideas
  thanks in advanced
  Alex
  ! CLIENT CONNECT TO SWITCHPORT
  ISE-TEST-SWITCH#show authentication sessions interface gi0/3
              Interface:  GigabitEthernet0/3
            MAC Address:  001f.297b.bd82
             IP Address:  10.2.12.45
              User-Name:  00-1F-29-7B-BD-82
                 Status:  Authz Success
                 Domain:  DATA
        Security Policy:  Should Secure
        Security Status:  Unsecure
         Oper host mode:  multi-auth
       Oper control dir:  both
          Authorized By:  Authentication Server
            Vlan Policy:  N/A
                ACS ACL:  xACSACLx-IP-PERMIT_ALL_TRAFFIC-537cb1d6
       URL Redirect ACL:  ACL-WEBAUTH-REDIRECT
           URL Redirect:  https://nos-ch-wbn-ise1.nosergroup.lan:8443/guestportal/gateway?sessionId=AC1484640000026B28C02CDC&action=cwa
        Session timeout:  N/A
           Idle timeout:  N/A
      Common Session ID:  AC1484640000026B28C02CDC
        Acct Session ID:  0x0000029C
                 Handle:  0x8C00026C
  Runnable methods list:
         Method   State
         dot1x    Failed over
         mab      Authc Success
  ! CLIENT OPENS INTERNETEXPLORER -> REDIRECTS TO ISE 
  ! SWITCHPORT GOES IN ADMINISTRATIVE DOWN STARTS AUTHENTICATION AGAIN
  ISE-TEST-SWITCH#
  191526: .Jun 24 10:42:24.340 UTC: COA: 10.0.128.38 request queued
  191527: .Jun 24 10:42:24.340 UTC: RADIUS:  authenticator 7F A9 85 AB F6 4A D0 F3 - B4 E6 F2 56 74 C6 2D 33
  191528: .Jun 24 10:42:24.340 UTC: RADIUS:  NAS-IP-Address      [4]   6   172.20.132.100
  191529: .Jun 24 10:42:24.340 UTC: RADIUS:  Calling-Station-Id  [31]  19  "00:1F:29:7B:BD:82"
  191530: .Jun 24 10:42:24.340 UTC: RADIUS:  Acct-Terminate-Cause[49]  6   admin-reset               [6]
  191531: .Jun 24 10:42:24.340 UTC: RADIUS:  Event-Timestamp     [55]  6   1403606529
  191532: .Jun 24 10:42:24.340 UTC: RADIUS:  Message-Authenticato[80]  18
  191533: .Jun 24 10:42:24.340 UTC: RADIUS:   E0 3C B2 8C 89 47 67 A8 69 F5 3D 08 61 FF 53 6E          [ <Ggi=aSn]
  191534: .Jun 24 10:42:24.340 UTC: RADIUS:  Vendor, Cisco       [26]  43
  191535: .Jun 24 10:42:24.340 UTC: RADIUS:   Cisco AVpair       [1]   37  "subscriber:command=bounce-host-port"
  191536: .Jun 24 10:42:24.340 UTC: COA: Message Authenticator decode passed
  191537: .Jun 24 10:42:24.340 UTC:  ++++++ CoA Attribute List ++++++
  191538: .Jun 24 10:42:24.340 UTC: 06D96C58 0 00000001 nas-ip-address(600) 4 172.20.132.100
  191539: .Jun 24 10:42:24.349 UTC: 06D9AC18 0 00000081 formatted-clid(37) 17 00:1F:29:7B:BD:82
  191540: .Jun 24 10:42:24.349 UTC: 06D9AC4C 0 00000001 disc-cause(434) 4 admin-reset
  191541: .Jun 24 10:42:24.349 UTC: 06D9AC80 0 00000001 Event-Timestamp(445) 4 1403606529(53A95601)
  191542: .Jun 24 10:42:24.349 UTC: 06D9ACB4 0 00000081 ssg-command-code(490) 1 33
  191543: .Jun 24 10:42:24.349 UTC:
  191544: .Jun 24 2014 10:42:24.365 UTC: %EPM-6-IPEVENT: IP 10.2.12.45| MAC 001f.297b.bd82| AuditSessionID AC1484640000026B28C02CDC| AUTHTYPE DOT1X| EVENT IP-RELEASE
  191545: .Jun 24 2014 10:42:24.382 UTC: %EPM-6-IPEVENT: IP 10.2.12.45| MAC 001f.297b.bd82| AuditSessionID AC1484640000026B28C02CDC| AUTHTYPE DOT1X| EVENT IP-WAIT
  191546: .Jun 24 2014 10:42:24.382 UTC: %EPM-6-POLICY_REQ: IP 0.0.0.0| MAC 001f.297b.bd82| AuditSessionID AC1484640000026B28C02CDC| AUTHTYPE DOT1X| EVENT REMOVE
  191547: .Jun 24 2014 10:42:24.390 UTC: %EPM-6-AUTH_ACL: POLICY Auth-Default-ACL-OPEN| EVENT DETACH-SUCCESS
  191548: .Jun 24 2014 10:42:26.353 UTC: %LINK-5-CHANGED: Interface GigabitEthernet0/3, changed state to administratively down
  191549: .Jun 24 2014 10:42:27.359 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/3, changed state to down
  ISE-TEST-SWITCH#
  191550: .Jun 24 2014 10:42:36.366 UTC: %LINK-3-UPDOWN: Interface GigabitEthernet0/3, changed state to down
  191551: .Jun 24 10:42:40.592 UTC: AAA/BIND(000002A7): Bind i/f
  191552: .Jun 24 2014 10:42:41.129 UTC: %AUTHMGR-5-START: Starting 'dot1x' for client (001f.297b.bd82) on Interface Gi0/3 AuditSessionID AC1484640000026C28C2FA05
  191553: .Jun 24 2014 10:42:42.580 UTC: %LINK-3-UPDOWN: Interface GigabitEthernet0/3, changed state to up
  191554: .Jun 24 2014 10:42:43.586 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/3, changed state to up
  ! SESSION ID CHANGES, USER ENTERS CREDENTIALS 
  ! ERROR MESSAGE AT CLIENT "YOUR SESSION HAS EXPIRED"
  ! ERROR MESSAGE IN ISE "86017 SESSION MISSING"
  ISE-TEST-SWITCH#show authentication sessions interface gi0/3
              Interface:  GigabitEthernet0/3
            MAC Address:  001f.297b.bd82
             IP Address:  10.2.12.45
                 Status:  Running
                 Domain:  UNKNOWN
        Security Policy:  Should Secure
        Security Status:  Unsecure
         Oper host mode:  multi-auth
       Oper control dir:  both
        Session timeout:  N/A
           Idle timeout:  N/A
      Common Session ID:  AC1484640000026C28C2FA05
        Acct Session ID:  0x0000029D
                 Handle:  0x2C00026D
  Runnable methods list:
         Method   State
         dot1x    Running
         mab      Not run

  Guest authentication failed: 86017: Session cache entry missing
  try adjusting the UTC timezone during the guest creation in the sponsor portal.
  86017
  Guest
  Session Missing
  Session ID missing. Please contact your System Administrator.
  Info

• HT4101 The SD card reader won't import images to the iPad. I purchase 10 months ago, and haven't had a problem with it until today. How do I remedy this problem? I'm about the go out of town and prefer not a travel with my laptop.

  My SD card reader won't import images from the SD card. I purchased this product 10 months ago and have had no problem with it up to now. How do I remedy this problem. Using the product allows me to travel without a laptop ...Please help!

  Have you tried to give your device a reset? Sometimes that helps with glitches. Hold down the sleep and home keys, past when you see the red power down slider and until you see the silver apple. Let it reboot and try again.
  ALso, the card reader will only see files that are formatted correctly. If you just took the images from your computer and put them onto the card, then it won't work. They have to follow a strict naming convention. There has to be a folder named DCIM on the card and then all those images have to have a file name of exactly 8 characters, DSC_3857 for example. Your camera makes this naming structure but if you manually put the photos on that card you may not have replicated it.
  Is this a card you've used before? If it's a new card and is empty then the iPad won't read it. Also if it's SDXC it won't read those either (XC cards use a file structure that the iPad can't decipher)

• Where is the link for submitting problem to apple?

  Where is apple link for submitting problems?

  Hi,
  Was this the link your looking for
  http://www.apple.com/feedback/iphone.html
  Dale

• My Premier Pro software that I get from Adobe Cloud subscription, no longer RENDERS.  How can I speak with Tech support to remedy this problem?

  My Premier Pro software that I get from Adobe Cloud subscription, no longer RENDERS.  How can I speak with Tech support to remedy this problem?

  For several hundred productions, Pr CS6 worked perfectly for me.  Now, for some unknown reason, when I attempt to render video, the render progress window continually shows more and more frames to be processed.  Therefore when I get to 80% rendered it drops back to 70% and increases the total frames in the render.... over and over, so that I never get past 99% rendered... regardless of how long I let it process.

• Solaris 8 says: "Link down, Cable Problem?"

  I have these on my home LAN:
  1. Sun Ultra 5 Solaris 8
  2. Win 2000 PC
  3. Win NT laptop
  They are all hooked into a LinkSys Router.
  The Router is hooked into my Motorala Cable Modem.
  Here's the problem:
  The PC and the laptop can see each other on the LAN.
  The Solaris 8 is only visible on the Lan INTERMITTENTLY.
  The lights on the Router for the PC and laptop are always ON.
  When I reboot the Solaris box, the lights on the Router sometimes come ON, and sometimes they stay OFF. When they stay OFF, I see the message: "Link down, Cable Problem?" during reboot.
  I have tried different cables, and tried various combinations of the 4 avalable ports on the back of my Router.
  If I plug in the Sun box DIRECTLY into my cable modem, then I don't see the above message. (but then I don't have a LAN anymore)
  Please help, I've been struggling with this for a while now.
  Thanks,
  Irshad Ahmed (I am relatively new to Sun)

  Hi
  You have not indicated if you have the router ethernet ports working
  at 100Mbps or 10Mbps. Depending on this sometimes, Sun systems may
  not be correctly auto-negotiating their ethernet port settings.
  You may set these parameters to force Sun Ultra 5 to a 100Mbps mode or a 10Mbps mode.
  For forcing it to 100Mbps, Full Duplex mode and disabling the auto-negotiation, put these entries in /etc/system:
  set hme:hme_adv_autoneg_cap=0
  set hme:hme_adv_100T4_cap=0
  set hme:hme_adv_100fdx_cap=1
  set hme:hme_adv_100hdx_cap=0
  set hme:hme_adv_10fdx_cap=0
  set hme:hme_adv_10hdx_cap=0
  Conversely, if you want to force your Sun to work on 10Mbps, Full
  duplex mode, (if your router does not support 100Mbps) in the same
  /etc/system file, put the following entries :
  set hme:hme_adv_autoneg_cap=0
  set hme:hme_adv_100T4_cap=0
  set hme:hme_adv_100fdx_cap=0
  set hme:hme_adv_100hdx_cap=0
  set hme:hme_adv_10fdx_cap=1
  set hme:hme_adv_10hdx_cap=0
  One of these should solve your problem. You need to reboot the system
  after putting these entries.
  You can also check the port at the OK prompt using the command
  "watch-net". This test the onboard ethernet interface.
  You may also apply the hme patch released by Sun that fixes many
  known problems with hme ethernet driver. The patch id is 108981-03.
  It is available from the site :
  http://sunsolve.sun.com
  HTH
  Shridhar
  Sun-DTS

• My PS cs6 ask me to buy the program.  I bought it several years ago.  This is the third or 4th time I have had to talk to someone to straighten the program out.  How can we remedy this problem PERMANENTLY?

  My PS cs6 ask me to buy the program.  I bought it several years ago.  This is the third or 4th time I have had to talk to someone to straighten the program out.  How can we remedy this problem PERMANENTLY?

  What steps are you following each of those times to get things working again?
  The way that Adobe activation and serialization works is kinda like signing into a website. When you log in, a cookie is left on your computer so that you don't have to sign in every time. With Adobe activation and serialization, you get similar cookie files, that way you never have to go through that process again. Adobe never touches those files again, it just checks them to make sure they are there.
  You issue you are encountering is the result of this sort of cookie file being deleted, damaged, or invalidated in some way. In most cases, it is because of cleaning software treating it like a website cookie, thinking it is unimportant, and removing it. However, there are many other possibilities including files becoming corrupted due to disk or file handling errors by the system and major system changes.
  To take care of the problem permanently, we have to find out exactly what the source of the issue is on your computer and eliminate it (or mitigate it if removing third-party software is out of the question).

• Hme0: Link Down - cable problem?

  i've a problem i've buyed an ultra 10 (used)
  i've reinstalled solaris 10 01/06
  when it boot the o.s. it give this error message "hme0: Link Down - cable problem?"
  and network don't work.
  i cannot ping my router but i've gave to my sun an ip of the same netmask (sun ip 192.168.1.88 router ip 192.168.1.1)
  i've checked the cable and it's good (it work with a normal pc)
  the led on the switch is on (it's green)
  maybe i need some patch
  how can i do?

  gio,
  You didn't necesarily do anything wrong.
  You do not necessarily have any broken equipment.
  There may just be somthing that is incomplete in the setup.
  Begin by checking if your network settings were set up correctly by running:
  <b># ifconfig -a</b>
  (it's usually best to troubleshoot while you are root user)
  If the output from the <i>ifconfig</i> command seem to be complete, you could always think about reconfiguring the NIC all over again.
  If you are not sure, then just paste the entire output results back here.
  Also, use the forum search function, using keyword <u>sys-unconfig</u>.
  Next, read the Solaris man pages for sys-unconfig.
  That command will force you to repeat the setup of the connection.

• Howto Link Down-Cable problem?

  Hi,
  I am having a Ultra Sparc 5 with a hme interface and a quad card. When the machine boots it checks at boot prom level all 5 interface and reports for all qfe interfaces "Link Down-Cable problem?". All qfe interfaces do not have a ethernet connx but I also do not want to deinstall the quad card. Is there any possibility to turn thoose "interface checks" off.
  Thanks Marcus

  Never mind I just figured out that thoose checks just run after the boot cdrom command.

• I would like to know if anyone, after downloading Lion OS, lost their Quicken 2007?  If so, what have they done to remedy the problem?

  I would like to know if anyone, after downloading Lion OS, lost their Quicken 2007?  If so, what have they done to remedy the problem?

  From the quicken website:
  Converting your data from Quicken for Mac
  Create a copy of your current Quicken for Mac data file.
  Important: You'll want to use the copy for the conversion. Do not use your original data file.
  Launch the Quicken File Exchange Utility (it's located on your Quicken Essentials disk).
  Follow the on-screen instructions to locate the copy of your old data file and then convert your data from Quicken for Mac to Quicken Essentials.
  Open Quicken Essentials.
  If you want to import your old data into a new Quicken Essentials data file that you’ve already started using (optional), make sure that the new data file is now open in Quicken Essentials.
  Choose File > Import, and then select the file that you just created during the conversion process.
  The conversion file has a .QDFX extension. You’ll find it in the same folder as the copy of your old Quicken for Mac file.

• Dynamic form "Cancel" redirect  problem in frames - bugfix?

  My question: Is there a "long run" down side to my implementing this modification to style.js?
  The below post by Ionut:MX Division Support Specialist worked for me as a solution to a current form "click cancel" redirect navigation problem:
  When a DWtoolbox dynamic form wizard form is placed on a page within frames, clinking on cancel does not return a user to the list that sent them to the form. The user is sent somewhere else.
  Begin Ionut post-------------
  If you don't need to add extra parameters to the "Edit" button, you can solve the redirect problem by editing the "/includes/skins/style.js" file and replace:
  nxt_list_edit_link_form(this, myinput.previousSibling.href);
  with:
  nxt_list_edit_link_form(this, a.href);
  End----------------------
  Thanks Ionut for the tip and anyone in support for letting me know if this is a safe mod for the long run,
  Steve M

  Hi Marny,
  Hello Steve. I am new to Adobe & very confused. You seem to grasp the program very nicely, please help Me?
  I´m not not Steve, however -- what problem do you have exactly, and is this problem related to the "Adobe Dreamweaver Developer Toolbox" extension or related to Dreamweaver ?
  If it´s related to ADDT, please describe your problem by starting a new thread -- if it´s related to Dreamweaver, please post your questions in the general Dreamweaver forums.
  Cheers,
  Günter Schenk
  Adobe Community Expert, Dreamweaver

• HT204088 I am receiving unauthorised billings for purchase from application Kingdom Age from seller Funzio, Inc .  I can't find a place/link to cancel the billing neither report this problem. The link REPORT A PROBLEM only links you to Apple Store without

  I am receiving unauthorised billings for purchase from application Kingdom Age from seller Funzio, Inc .  I can't find a place/link to cancel the billing neither report this problem. The link REPORT A PROBLEM only links you to Apple Store without a hint/directions whre you can report the problem.
  I've been surfing all parts of the website and didn.t find a manner to REPORT A PROBLEM with purchases on my behalf not authorized.

  Hi..
  Just to be on the safe side if you have not already changed your Apple ID password, probably should do that.
  How to change your Apple ID password
  And you can use the email form for contacting Apple here > Apple - Support - iTunes Store - Contact Us

• When I make a telephone call on my Apple 4S, the person I'm calling cannot hear me, but I can hear them.  How do I remedy this problem?

  When I make a telephone call on my Apple 4S, the person I'm calling cannot hear me, but I can hear them.  How do I remedy this problem?

  Remove the protective plastic film that the phone was packed with, covering the mic,.

• My touchscreen stopped responding to my finger and I can't unlock the screen...any idea how to remedy this problem?

  My touchscreen stopped responding to my finger and I can't unlock the screen...any idea how to remedy this problem?

  Have you tried a soft-reset ? Press and hold both the sleep and home buttons for about 10 to 15 seconds (ignore the red slider if it appears), after which the Apple logo should appear - you won't lose any content, it's the iPad equivalent of a reboot.

• Proxy redirect problem

  I'm having a redirect problem going through a weblogic proxy. An app I was using appears to be redirecting the browser always to localhost:7121 which won't work with access via the my domain.
  To explain fully I set up a test JSP page which outputs request.getRequestURL().toString() so I could trace what was happening. The weblogic configuration is explained below:
  I'm using Weblogic 8.1 sp5. I've setup a 4 instances: a proxy (port 7120), redirector (port 7121) and cluster (two instances running on 7131, 7132)
  If I navigate to:
  http://localhost:7120/myapp/test.jsp my test page outputs: request.getRequestURL().toString() : http://localhost:7121/myapp/test.jsp
  and again to:
  http://localhost:7131/myapp/test.jsp my test page outputs: request.getRequestURL().toString() : http://localhost:7121/myapp/test.jsp
  or
  http://localhost:7132/myapp/test.jsp my test page outputs: request.getRequestURL().toString() : http://localhost:7121/myapp/test.jsp
  The output is always the same ... it always says the requestURL is from localhost:7121 the redirector?
  Can anyone help explain why I always get the same output? It is completely baffling me.
  Thanks,
  Matt
  Edited by: user5673380 on Oct 15, 2008 3:52 PM

  The problem was caused by incorrect configuration of FrontEndHttpPort and FrontEndListener and FrontEndHost in the cluster configuration. These values were incorrectly during config wizard install.