ISE: Dynamic Authorization Failed

Similar Messages

• ISE Alarm (WARNING): Dynamic Authorization Failed for Device

  Hi all,
  I am posting this discussion as previous posts that I have found in this forum have never been resolved or the resolution is not applicable to me.
  I am using ISE 1.1.1.268 and WLC 7.2.111.3 and NAC agent version 4.9.1.6 on Windows 7 Client machines.
  About once a day i get the error "ISE Alarm (WARNING): Dynamic Authorization Failed for Device".
  The device it is reffering to is my NAD, a WLC 5508 running 7.2.111.3
  I have looked at the logs and I cannot see anything in the logs which correcponds to this message so that I can troubleshoot further. Maybe I can if I am enabling the correct logging level on the correct ISE component.
  Can someone suggest the components and the logging level that I should set to get some more detail about this error?
  At the moment, I have only set debug logging on Active Directory. I have TRACE logging set on Posture, Runtime AAA & prrt-JNI.
  I do not want to enable too much debug logs, so I was wondering whether anyone can help with a specific element that I should be debugging.
  I thought debugging the posture element would be enough but when I look at the logs there is nothing there that relates to this message.
  Can anyone help?
  thanks
  Mario

  Firstly, I wouldn't run a production deployment of ISE on 1.1.1.... 1.1.3 Patch 1 or 1.1.4 is the way to go.
  Secondly, this error happen a lot, especially with Wireless, and it's not worth worrying about.  I've had a couple of TAC cases opened for this and some similar errors, generally they're caused by a Client going to sleep, leaving the coverage area or otherwise leaving the WLC while ISE is trying to do something with it.
  Only worry if you actually have a Client-impacting problem, which by the sounds of it, you don't.

• Dynamic Authorization Failed - Posture with Guest Portal - ISE - WLC

  Hello everybody,
  I'm implementing a NAC solution based on Cisco ISE. Unfortunately, I'm facing a problem related to the CoA (Change of Authorization).
  The guest can authenticate successfully via portal and then he is redirected to the page of client provisioning.
  When he is compliant with the policy he gets access without any problem and this means that CoA works perfectly. The issue occurs when he has to remediate (download the file from ISE and install it). In this case, we need a change of authorization profile.
  The authentication logs show that the posture status changed from non-compliant to compliant but the users doesn't obtain access .
  Here are details :
  Authentication Details
  Source Timestamp
  2015-04-30 18:43:13.179
  Received Timestamp
  2015-04-30 18:43:13.18
  Policy Server
  ISE-CISCO
  Event
  5417 Dynamic Authorization failed
  Failure Reason
  11213 No response received from Network Access Device after sending a Dynamic Authorization request
  Resolution
  Check the connectivity between ISE and Network Access Device. Ensure that ISE is defined as Dynamic Authorization Client on Network Access Device and that CoA is supported on device.
  Root cause
  No response received from Network Access Device after sending a Dynamic Authorization request
  Username
  User Type
  Endpoint Id
  E0:9D:31:07:**:**
  Endpoint Profile
  IP Address
  Identity Store
  Identity Group
  Audit Session Id
  ca0019ac00000003ae674255
  Authentication Method
  Authentication Protocol
  Service Type
  Network Device
  WLC-1
  Device Type
  Location
  NAS IP Address
  172.25.0.202
  NAS Port Id
  NAS Port Type
  Authorization Profile
  Posture Status
  Compliant
  Security Group
  Response Time
  15002
  Other Attributes
  ConfigVersionId
  4
  RadiusPacketType
  CoARequest
  Event-Timestamp
  1430415778
  AcsSessionID
  50149c2f-08fb-4f9d-b1b5-f655e71d039f
  StepLatency
  3=15001
  Device IP Address
  172.25.0.202
  CiscoAVPair
  subscriber:command=reauthenticate
  audit-session-id
  ca0019ac00000003ae674255
  Session Events
  2015-04-30 18:43:13.18
  Dynamic Authorization failed
  2015-04-30 18:41:44.159
  Dynamic Authorization failed
  2015-04-30 18:35:42.64
  Guest Authentication Passed
  2015-04-30 18:34:39.214
  RADIUS Accounting start request

  You can use LWA for this . he WLC redirects  the HTTP traffic to an internal or external server where the user is prompted to  authenticate. The WLC then fetches the credentials (sent back via an HTTP GET  request in the case of external server) and makes a RADIUS authentication. In  the case of a guest user, an external server (such as Identity Service Engine  (ISE) or NAC Guest Server (NGS)) is required as the portal provides features  such as device registering and self-provisioning.
  Refer to the following link for  configuration  example
  http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080bead09.shtml

• 5417 Dynamic Authorization failed

  Hi guys,
  Does anyone meet this Radius Error in Cisco ISE 1.2 and the switch 2960 12.2(55)SE7 ?
  When i reauthentication the guest profile to the other profile using Radius CoA on the Self-Service Guest Workflow.
  The error is :
  Event
  5417 Dynamic Authorization failed
  Failure Reason
  11103 RADIUS-Client encountered error during processing flow
  Resolution
  Do the following: 1) Verify shared secret matches on the ISE Server and corresponding AAA Client, External AAA Server or External RADIUS Token Server. 2) Check the AAA Client or External Server for hardware problems. 3) Check the network devices that connect the AAA peer to ISE for hardware problems. 4) Check whether the network device or AAA Client has any known RADIUS compatibility issues.
  Root cause
  RADIUS-Client encountered an error during processing flow
  I checked all the resolution steps but the error sitll exsit.
  I would greatly appreciate any help you can give me in working this problem

  An internal error has been detected during the processing of an incoming RADIUS packet. Make sure that the client device is compatible with AD Agent, has been configured properly, and is functioning properly. Make sure that the same RADIUS shared secret has been properly configured, both in the client device and in AD Agent.
  http://www.cisco.com/c/en/us/td/docs/security/ibf/setup_guide/ad_agent_setup_guide/ibf10_log_msgs.html

• Dynamic Authorization Failed

  hi
  I keep getting error meesages on the ISE in regards to RADIUS
  the error is
  Dynamic Authorization failed : 1213 No response received from Network Access Device
  i am using ISE version 1.1.1 and the NAD is a WLC running version 7.0.98.0
  i use ISE to authenticate users via PEAP. I deleted the NAD and re-added it twice but i still keep getting this issue. this set up was working fine for the last few weeks.
  i dont think location and device type would cause an issue to authentication under the NAD list
  anyone have any ideas?

  the option i.e drop down box wasnt there. lookin at the compatibility chart of ISE 1.1.1 and WLC, minimum version for WLC is 7.2.103.0
  Do you need to have RADIUS NAC enabled if the ISE is only used to authenticate corporate wireless users against AD. there is no CoA,
  the other function is to use RADIUS as network management logon. to WLC using the AD. depending on the AD group , one could get priv 15 or priv 5 access. i am also using device attribute by location so that remote offices network enigineer cannot log onto the WLC. i.e i created a NAD , put it in a location and use that location AND the AD group to qualify for priv 15 access.
  Coudl this policy interrupt the wireless RADIUS policy? Wireless policy is at the top of the list under authorization tab.

• Dynamic Authorization Failed: DiconnectNAK

  I have WLC 7.6 and ISE 1.2 Patch 6.
  My use case is WLAN Guest Access with CWA. I have ISE Appliance 3395 (2 Admin/Mon, 2 PSN). Everything work fine so far.
  But from time to time I get these strange message (it does not matter if I do a manual Session termination in the Operations Tab) Everything is configured in the right way, since normal CWA works (CoA is working fine, but not always...).
  Here the corresponding Log-Entry:
  0000001241 2 0 2014-02-28 11:11:37.241 +01:00 0000106595 5417 NOTICE Dynamic-Authorization: Dynamic Authorization failed, ConfigVersionId=53, Device IP Address=a.b.c.d, Device Port=42121, DestinationIPAddress=a.b.c.d, DestinationPort=1700, RadiusPacketType=DisconnectRequest, Protocol=Radius, RequestLatency=3, NetworkDeviceName=xx-WLC01, NAS-IP-Address=172.16.226.26, Calling-Station-ID=1C:AB:A7:96:7B:99, Acct-Session-Id=53105c2a/1c:ab:a7:96:7b:99/336136, Acct-Terminate-Cause=Admin Reset, Event-Timestamp=1393582297, cisco-av-pair=audit-session-id=ac10e21a00052f6953105f07, AcsSessionID=ise-04/182359788/9392, Step=11044, Step=11017, Step=11100, Step=11101, Step=11048, NetworkDeviceGroups=Location#All Locations#xx_VPN, NetworkDeviceGroups=Device Type#All Device Types#Wireless Devices#WLC Foreign, CPMSessionID=ac10e21a00052f6953105f07, EndPointMACAddress=1C-AB-A7-96-7B-99, Location=Location#All Locations#xx_VPN,
  Has anybody ever had the same expirence, or is this a know issue?
  Thanks for feedback!

  Please go through the link below for best practice.
  http://www.redelijkheid.com/blog/2013/4/2/cisco-ise-change-of-authorization-coa-not-working

• ISE 1.2 - Dynamic Authorization Failed

  Hello!
  In my design network I use the ISE for CWA with a WLC, but when a client entrer his credentials, the CoA failed with this error : "11213 No response received from Network Access Device after sending a Dynamic Authorization request"
  This error is really strange because I can contact the ISE from the WLC. My ISE, and my broadcasted network are in the same VLAN, is it possible that this error come from this network architecture?
  My is is patched with the cumulative patch 7 and for information, I can do a "manual CoA" by disconnect/reconnect the client manually and after that the client has a network access.
  Used configuration for ISE and WLC : http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/116087-configure-cwa-wlc-ise-00.html
  Thanks in advance if you have the least clue to resolve this issue.
  Kévin

  I will perform some additional testing and let you know my results.  I have this setup in the lab now with ISE 1.2 Patch 7 as well.... Since I only have a couple of PC's in the lab, I've noticed that I am unable to terminate the users session manually.  So I usually end up stopping and restarting the services. This is how i clear my live sessions.
  Is your setup in a Lab or Production?  If its in a lab can you restart ISE and your WLC.   I know when I first did my "debug client <mac>" My airespace ACL was showing the incorrect ACL ID.  After a reboot of ISE and recreating my WLC ACL it went away.   I haven't noticed my service IP ever showing up in ISE.  I usually see the users MAC address then a [email protected] "User Authentication" with his IP.  Next its the WLC MNGT Interface and finally the User Authorization again show Authz Internet-Only.
  My lab does not always function 100% so I am hoping after we go Live this weekend,  these flaky issues go away.  One of my problems is I don't have internet access.  Just a web server hosting a web page. I'll keep notes on anything I find that hopefully assist you.

• WLC, FlexConnect, ISE: Dynamic VLAN not working

  Hi,
  Not sure if this is a WLC or ISE problem, but since I am unsure of the WLC config I will try here first.
  Equipment:
  WiSM2 7.2.111.3
  ISE 1.1.1.268
  AP 3502 in FlexConnect
  What I want to achive:
  One SSID, multiple VLAN
  Devices gets profiled in ISE and based on type of device it gets asigned to a VLAN
  Problem:
  When the device connects the first time it ends up in native VLAN and not switched to the right VLAN, but when I reconnect then it is added to the right VLAN.
  WLC config (I know you like images so here you go ):
  I must be missing something but I can't figure out what. I will be attaching a debug aaa event enable for when the client connect the first time.
  In ISE I have an Authorization Profile that just say VLAN ID/Tag 158 (the VLAN that the device should go to) an it is added to the Authorization rule of the profiled device. CoA is set to Reauth.
  When the client connects I get three events in ISE:
  1.
  Authentication failed :
  22056 Subject not found in the applicable identity store(s)
  2. Authentication Success. With the results:
  UserName=00:18:DE:A2:BC:3A
  User-Name=00-18-DE-A2-BC-3A
  State=ReauthSession:c20e8b2f0000027e50ed27f8
  Class=CACS:c20e8b2f0000027e50ed27f8:ISE01/144259326/671335
  Termination-Action=RADIUS-Request
  Tunnel-Type=(tag=1) VLAN
  Tunnel-Medium-Type=(tag=1) 802
  Tunnel-Private-Group-ID=(tag=1) 158
  cisco-av-pair=profile-name=AX-Intel-Device
  3.
  Dynamic Authorization failed :
  11213 No response received from Network Access Device
  Has anyone got this to work? Do I need to add FlexConnect groups? If so then why?
  Regards,
  Philip

  I think you're hitting CSCua58554
  The bugtoolkit description is horrible....  From what I recall when I ran into it, I believe that Flex connect is having a problem with Mac filtering based AAA override on open wlans (and/or CWA based).  In general, AAA override works fine when it is from like an eap authentication.
  We had to use a 7.3 ES to resolve it.....
  Looks like it is implemented in 7.4 though.....     If you dont want to join the 7.4 bandwagon quite yet, you might could ask TAC for an ES of 7.3,  don't think they have a 7.2 build.

• ISE first authorization sucess and then fail (MAB)

  Hi,
  Using ISE 1.1.1 and Switch 3650 12.2(55)SE6.
  I have a client (computer) that should be authenticated with MAB and then the switch port should be asigned a DACL and VLAN 90. I do get
  "Authorization succeeded"  but directly after it fails and I can't figure out why. ISE only shows the successful authentication under "Live Authenticaions".
  As you can se from the log below 802.1x fails, as it should, and then MAB succeed, asigns the VLAN and then fails:
  0002SWC002(config)#int fa0/13
  0002SWC002(config-if)#shut
  0002SWC002(config-if)#
  Jan  7 13:26:59.640: %LINK-5-CHANGED: Interface FastEthernet0/13, changed state to administratively down
  Jan  7 13:27:00.647: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/13, changed state to down
  0002SWC002(config-if)#no shut
  0002SWC002(config-if)#
  Jan  7 13:27:19.689: %LINK-3-UPDOWN: Interface FastEthernet0/13, changed state to down
  Jan  7 13:27:22.063: %LINK-3-UPDOWN: Interface FastEthernet0/13, changed state to up
  Jan  7 13:27:22.776: %AUTHMGR-5-START: Starting 'dot1x' for client (f04d.a223.8f43) on Interface Fa0/13 AuditSessionID 0A0005FC00000
  020D7C192D1
  Jan  7 13:27:23.070: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/13, changed state to up
  Jan  7 13:27:51.054: %DOT1X-5-FAIL: Authentication failed for client (f04d.a223.8f43) on Interface Fa0/13 AuditSessionID
  Jan  7 13:27:51.054: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (f04d.a223.8f43) on Interface Fa
  0/13 AuditSessionID 0A0005FC00000020D7C192D1
  Jan  7 13:27:51.054: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (f04d.a223.8f43) on Interface Fa0/13 AuditSessionID 0
  A0005FC00000020D7C192D1
  Jan  7 13:27:51.054: %AUTHMGR-5-START: Starting 'mab' for client (f04d.a223.8f43) on Interface Fa0/13 AuditSessionID 0A0005FC0000002
  0D7C192D1
  Jan  7 13:27:51.088: %MAB-5-SUCCESS: Authentication successful for client (f04d.a223.8f43) on Interface Fa0/13 AuditSessionID 0A0005
  FC00000020D7C192D1
  Jan  7 13:27:51.088: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (f04d.a223.8f43) on Interface Fa0/13 AuditSessionID 0A0005FC00000020D7C192D1
  Jan  7 13:27:51.088: %AUTHMGR-5-VLANASSIGN: VLAN 90 assigned to Interface Fa0/13 AuditSessionID 0A0005FC00000020D7C192D1
  Jan  7 13:27:51.096: %EPM-6-POLICY_REQ: IP 0.0.0.0| MAC f04d.a223.8f43| AuditSessionID 0A0005FC00000020D7C192D1| AUTHTYPE DOT1X| EVENT APPLY
  Jan  7 13:27:51.096: %EPM-6-IPEVENT: IP 0.0.0.0| MAC f04d.a223.8f43| AuditSessionID 0A0005FC00000020D7C192D1| AUTHTYPE DOT1X| EVENT
  IP-WAIT
  Jan  7 13:27:51.255: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (f04d.a223.8f43) on Interface Fa0/13 AuditSessionID 0A00
  05FC00000020D7C192D1
  Jan  7 13:27:52.027: %EPM-6-IPEVENT: IP 10.90.5.1| MAC f04d.a223.8f43| AuditSessionID 0A0005FC00000020D7C192D1| AUTHTYPE DOT1X| EVENT IP-ASSIGNMENTReplacing duplicate ACE entry for host 10.90.5.1
  Jan  7 13:27:52.036: %AUTHMGR-5-FAIL: Authorization failed for client (f04d.a223.8f43) on Interface Fa0/13 AuditSessionID 0A0005FC00
  000020D7C192D1
  Jan  7 13:27:52.036: %EPM-6-POLICY_REQ: IP 10.90.5.1| MAC f04d.a223.8f43| AuditSessionID 0A0005FC00000020D7C192D1| AUTHTYPE DOT1X| EVENT REMOVE
  After this the proces starts over again.
  This is the switch port config:
  interface FastEthernet0/13
  description VoIP/Data
  switchport mode access
  switchport voice vlan 20
  switchport port-security
  switchport port-security violation restrict
  ip access-group ACL-ALLOW in
  srr-queue bandwidth share 1 70 25 5
  srr-queue bandwidth shape 3 0 0 0
  priority-queue out
  authentication event fail action next-method
  authentication event server dead action authorize voice
  authentication host-mode multi-auth
  authentication open
  authentication order dot1x mab
  authentication priority dot1x mab
  authentication port-control auto
  mab
  snmp trap mac-notification change added
  no snmp trap link-status
  dot1x pae authenticator
  dot1x timeout tx-period 10
  storm-control broadcast level 2.00 1.00
  storm-control multicast level 2.00 1.00
  storm-control action shutdown
  storm-control action trap
  spanning-tree portfast
  service-policy input ax-qos_butnet
  ip dhcp snooping limit rate 5
  end
  Is there a problem with the client (computer) or in ISE/Switch?

  Hi Tarik,
  First off; thank you for helping me troubleshoot this problem.
  I think the "IP-" part of "IP-ACL-IWMAC" is beeing added automaticly (in the switch maby?). I see this behaviour on other dACL too. I did not change the name of the ACL.
  You seem to have a valid theory about the icmp statement. I changed it to "permit icmp any any" and it seems to work. But I can't explain why this is happening.
  When I look at the debugs I see this difference
  With the original ACL I get this:
  %EPM-6-POLICY_REQ: IP 0.0.0.0| MAC f04d.a223.8f43| AuditSessionID 0A0005FC00000053E70733F4| AUTHTYPE DOT1X| EVENT APPLYReplacing duplicate ACE entry for host 10.90.5.1
  %EPM-6-IPEVENT: IP 10.90.5.1| MAC f04d.a223.8f43| AuditSessionID 0A0005FC00000053E70733F4| AUTHTYPE DOT1X| EVENT IP-RELEASE
  %EPM-6-IPEVENT: IP 10.90.5.1| MAC f04d.a223.8f43| AuditSessionID 0A0005FC00000053E70733F4| AUTHTYPE DOT1X| EVENT IP-WAIT
  %AUTHMGR-5-FAIL: Authorization failed for client (f04d.a223.8f43) on Interface Fa0/13 AuditSessionID 0A0005FC00000053E70733F4
  When using "permit icmp any any" i get this:
  %EPM-6-POLICY_REQ: IP 0.0.0.0| MAC f04d.a223.8f43| AuditSessionID 0A0005FC00000055E70B8E7D| AUTHTYPE DOT1X| EVENT APPLY
  %EPM-6-AAA: POLICY xACSACLx-IP-ACL-IWMAC-50eea905| EVENT DOWNLOAD-REQUEST
  I tried googeling but can't find what "Replacing duplicate ACE entry for host xxx" means.
  I have added debugs in attachment.
  device1_orig_acl - the none working device with original ACL
  device1_any_any - the none working device with permit icmp any any
  working_device_orig_acl - the device that works with the original ACL
  Do you have an answer to why this is happening?
  Regards,
  Philip

• RV320 Dynamic DNS failing

  I have an RV320 I am testing in order to determine if it's suitable for use in the company I work for.  We have several remote offices, and will be using IPSEC tunnels, VPN for IT troubleshooting and other features.
  Dynamic DNS is returning
  "Authorization failed(username or password)." error, although I think it's properly configured and works on
  error, although I think it's properly configured and works on other firewall/router units.  I have reentered the user, password and domain several times, each time it returns the same error.
  Can anyone provide insight into the problem?
  I also notice the options do not seem to include any way to use a Custom DNS, that is instead of xxx.dyndns.org it would be myhost.TLD.  We have a bunch of xxx.dyndns.org, but do have a few myhost.tld.  I hope this is something that could be fixed.
  Thanks,
  Jeff

  Hi Jeff,
  I think that the issue is that the PW is too long. I recall a case a while back where a customer had a passord over 20 characters and he had to shorten it. My recollection is not great, but I think that 18 was the limit. A feature request was made to lengthen the password field but no change was made due to hardware or maybe OS limitation. I think that the router was the RV042, which has similar code to the RV320. Sorry I can't be more specific. I would try changing the password at least temporarily to see if it works.
  If you would like to make a feature request, please call support and open a case.
  www.cisco.com/go/sbsc
  - Marty

• Analysis Authorization failed for Multiprovider

  Hi all,
  We are facing an issue pertaining to the Analysis Authorization for a multiprovider. When we attempt to access a query base on a multiprovider, the program complains that it has insufficient authorization. So we did debugging in the customer exit and we realise it fails to populate the rest of the authorization variables in I_step = 0. Base on our initial investigation this only happens on queries on multiprovider, so is there anything I need to set or do to curb this error?
  Many thanks!

  Best solution is to trace the authorization for your issue in ST01.
  Switch on the trace in ST01 and start your work. if you face authoirzation check failed. look into the trace there you will find the logs and authorization failed for your userid.
  And one more thing, have you got anything in SU53 as authorization check failed?
  Hope this would help you.

• Authorization failed when trying to connect Hyperion to BW 7.0

  Hello gurus,
  Using Hyperion interactive Reporting Studio, I try to access BW cubes.
  I select OLE DB as connection type and SAP BW OLE DB provider, I am prompted for a BW system to connect to.
  I then get the following error message:
  OLE Error: 80040e4d
  Error Source: MDrmSAP.2
  Error Desciption: Authorization failed.
  Using the same BW provider and the same BW user, I am able to connect form Excel.
  So I wonder what the problem is.
  Help really appreciated.
  Alex-

  Hi Ingo,
  I do not get any error while using the Universe Designer, I get this error when trying to connect a SAP BW related universe in Crystal Reports. There is no problem at all with WebIntelligence by the way. It is possible to connect a SAP BW related universe in WebIntelligence.
  I use BO XI 3.0 with Crystal Reports 2008 and the SAP Integrations Kit client components are installed on the client machine.
  Nevertheless the BO Enterprise system is not configured with SAP Authentification, but with an own authentification.
  Best Regards,
  Thomas

• 10.6.4 Server L2TP VPN using external RADIUS - Authorization Failed

  I'm using 10.6.4 with VPN L2TP configured successfully using local user database for authentication. Now i want to configure the VPN to use Steel Belted Radius server for authentication (that hooked up to another LDAP server) for authentication.
  I've configured the VPN service to use the radius server, authentication to radius is occurring but i'm getting errors that the user is not authorized to use the VPN service.
  Is there a way to configure 10.6's VPN service to authorize any user that successfully authenticates against Radius?
  NOTE: I've played around with Server Admin's access for VPN, with it set to all users, everyone ect, this did not make any difference to the error i'm getting from the vpn service.
  Here's the log out put when the connection fails.
  2010-08-27 12:52:34 PDT Loading plugin /System/Library/Extensions/L2TP.ppp
  2010-08-27 12:52:34 PDT Listening for connections...
  2010-08-27 12:52:39 PDT Incoming call... Address given to client = 192.168.105.1
  Fri Aug 27 12:52:39 2010 : Directory Services Authorization plugin initialized
  Fri Aug 27 12:52:39 2010 : L2TP incoming call in progress from '[ip address redacted]'…
  Fri Aug 27 12:52:39 2010 : L2TP received SCCRQ
  Fri Aug 27 12:52:39 2010 : L2TP sent SCCRP
  Fri Aug 27 12:52:39 2010 : L2TP received SCCCN
  Fri Aug 27 12:52:39 2010 : L2TP received ICRQ
  Fri Aug 27 12:52:39 2010 : L2TP sent ICRP
  Fri Aug 27 12:52:39 2010 : L2TP received ICCN
  Fri Aug 27 12:52:39 2010 : L2TP connection established.
  Fri Aug 27 12:52:39 2010 : using link 0
  Fri Aug 27 12:52:39 2010 : Using interface ppp0
  Fri Aug 27 12:52:39 2010 : Connect: ppp0 <--> socket[34:18]
  Fri Aug 27 12:52:39 2010 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x55fc9b88> <pcomp> <accomp>]
  Fri Aug 27 12:52:39 2010 : rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x7e9db3cb> <pcomp> <accomp>]
  Fri Aug 27 12:52:39 2010 : lcp_reqci: returning CONFACK.
  Fri Aug 27 12:52:39 2010 : sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x7e9db3cb> <pcomp> <accomp>]
  Fri Aug 27 12:52:39 2010 : rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x55fc9b88> <pcomp> <accomp>]
  Fri Aug 27 12:52:39 2010 : sent [LCP EchoReq id=0x0 magic=0x55fc9b88]
  Fri Aug 27 12:52:39 2010 : sent [CHAP Challenge id=0xc8 <086a03234947113037497f4326585a1f>, name = "OSX SERVER"]
  Fri Aug 27 12:52:39 2010 : rcvd [LCP EchoReq id=0x0 magic=0x7e9db3cb]
  Fri Aug 27 12:52:39 2010 : sent [LCP EchoRep id=0x0 magic=0x55fc9b88]
  Fri Aug 27 12:52:39 2010 : rcvd [LCP EchoRep id=0x0 magic=0x7e9db3cb]
  Fri Aug 27 12:52:39 2010 : rcvd [CHAP Response id=0xc8 <5ad3c0cb063694e473f51c9252e007f400000000000000003701b4fa8e7b844e072cddeceefa73 173d7415c85cae976700>, name = "USERNAME"]
  Fri Aug 27 12:52:40 2010 : sent [CHAP Success id=0xc8 "S=934D6E79F45791A61C378789A4D719BC6F249574"]
  *Fri Aug 27 12:52:40 2010 : CHAP peer authentication succeeded for USERNAME*
  *Fri Aug 27 12:52:40 2010 : DSAccessControl plugin: User 'USERNAME' not authorized for access*
  *Fri Aug 27 12:52:40 2010 : sent [LCP TermReq id=0x2 "Authorization failed"]*
  Fri Aug 27 12:52:40 2010 : Connection terminated.
  Fri Aug 27 12:52:40 2010 : L2TP disconnecting...
  Fri Aug 27 12:52:40 2010 : L2TP sent CDN
  Fri Aug 27 12:52:40 2010 : L2TP sent StopCCN
  Fri Aug 27 12:52:40 2010 : L2TP disconnected
  2010-08-27 12:52:40 PDT --> Client with address = 192.168.105.1 has hungup
  Message was edited by: sarah mays

  I'm using 10.6.4 with VPN L2TP configured successfully using local user database for authentication. Now i want to configure the VPN to use Steel Belted Radius server for authentication (that hooked up to another LDAP server) for authentication.
  I've configured the VPN service to use the radius server, authentication to radius is occurring but i'm getting errors that the user is not authorized to use the VPN service.
  Is there a way to configure 10.6's VPN service to authorize any user that successfully authenticates against Radius?
  NOTE: I've played around with Server Admin's access for VPN, with it set to all users, everyone ect, this did not make any difference to the error i'm getting from the vpn service.
  Here's the log out put when the connection fails.
  2010-08-27 12:52:34 PDT Loading plugin /System/Library/Extensions/L2TP.ppp
  2010-08-27 12:52:34 PDT Listening for connections...
  2010-08-27 12:52:39 PDT Incoming call... Address given to client = 192.168.105.1
  Fri Aug 27 12:52:39 2010 : Directory Services Authorization plugin initialized
  Fri Aug 27 12:52:39 2010 : L2TP incoming call in progress from '[ip address redacted]'…
  Fri Aug 27 12:52:39 2010 : L2TP received SCCRQ
  Fri Aug 27 12:52:39 2010 : L2TP sent SCCRP
  Fri Aug 27 12:52:39 2010 : L2TP received SCCCN
  Fri Aug 27 12:52:39 2010 : L2TP received ICRQ
  Fri Aug 27 12:52:39 2010 : L2TP sent ICRP
  Fri Aug 27 12:52:39 2010 : L2TP received ICCN
  Fri Aug 27 12:52:39 2010 : L2TP connection established.
  Fri Aug 27 12:52:39 2010 : using link 0
  Fri Aug 27 12:52:39 2010 : Using interface ppp0
  Fri Aug 27 12:52:39 2010 : Connect: ppp0 <--> socket[34:18]
  Fri Aug 27 12:52:39 2010 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x55fc9b88> <pcomp> <accomp>]
  Fri Aug 27 12:52:39 2010 : rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x7e9db3cb> <pcomp> <accomp>]
  Fri Aug 27 12:52:39 2010 : lcp_reqci: returning CONFACK.
  Fri Aug 27 12:52:39 2010 : sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x7e9db3cb> <pcomp> <accomp>]
  Fri Aug 27 12:52:39 2010 : rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x55fc9b88> <pcomp> <accomp>]
  Fri Aug 27 12:52:39 2010 : sent [LCP EchoReq id=0x0 magic=0x55fc9b88]
  Fri Aug 27 12:52:39 2010 : sent [CHAP Challenge id=0xc8 <086a03234947113037497f4326585a1f>, name = "OSX SERVER"]
  Fri Aug 27 12:52:39 2010 : rcvd [LCP EchoReq id=0x0 magic=0x7e9db3cb]
  Fri Aug 27 12:52:39 2010 : sent [LCP EchoRep id=0x0 magic=0x55fc9b88]
  Fri Aug 27 12:52:39 2010 : rcvd [LCP EchoRep id=0x0 magic=0x7e9db3cb]
  Fri Aug 27 12:52:39 2010 : rcvd [CHAP Response id=0xc8 <5ad3c0cb063694e473f51c9252e007f400000000000000003701b4fa8e7b844e072cddeceefa73 173d7415c85cae976700>, name = "USERNAME"]
  Fri Aug 27 12:52:40 2010 : sent [CHAP Success id=0xc8 "S=934D6E79F45791A61C378789A4D719BC6F249574"]
  *Fri Aug 27 12:52:40 2010 : CHAP peer authentication succeeded for USERNAME*
  *Fri Aug 27 12:52:40 2010 : DSAccessControl plugin: User 'USERNAME' not authorized for access*
  *Fri Aug 27 12:52:40 2010 : sent [LCP TermReq id=0x2 "Authorization failed"]*
  Fri Aug 27 12:52:40 2010 : Connection terminated.
  Fri Aug 27 12:52:40 2010 : L2TP disconnecting...
  Fri Aug 27 12:52:40 2010 : L2TP sent CDN
  Fri Aug 27 12:52:40 2010 : L2TP sent StopCCN
  Fri Aug 27 12:52:40 2010 : L2TP disconnected
  2010-08-27 12:52:40 PDT --> Client with address = 192.168.105.1 has hungup
  Message was edited by: sarah mays

• Dynamic authorization in Integration Gateway with SMP 3.0.3

  Hi All,
  we have SAP ECC as backend system, we created service in ECC and added service in gateway cockpit. Now i can get the data from backend ECC using gateway cockpit URL.
  My doubt is
  While creating destination for ECC in SMP Gateway Cockpit, we have to give credentials for basic authentication. While calling service of SMP Gateway Cockpit , It is going to ECC with the user name given in Gateway Cockpit and giving the data authorized by same,
  How to make the dynamic authorization.
  Thanks
  Suresh
  Tags edited by: Jitendra Kansal (Moderator)

  suresh babu
  I followed the steps mentioned by you.
  1. Added a HTTP/HTTPS authentication provider to "SAP"  security provider.
  https://sapes1.sapdevcenter.com:443/sap/iwbep?sap-client=520
  2. In the gateway cockpit. modified the destination details:
  3. When i open service document, there is no pop-up. Did i miss something i between?
  Regards,
  JK

• Webservice call from PCo; FaultException: Authorization fail

  Hi,
  I am making a ME Webservice call from PCo.
  I have configured Destination System, added a service in Configuration tab.
  Using 'Test request message', i tested the call with all required inputs, the object is created in ME system.
  When the same service is triggered from PLC > PCo, the call fails and i see the following message in Log tab.
  UserName/password is correct..
  All the required systems are running.
  Log:
  ME Dispatcher Could not dispatch Message [id = 75c405c5-24d4-4f70-b19a-87f6b6ae0413].
  FaultException: Authorization failed. Please check security log for details.
  Server stack trace:
     at System.ServiceModel.Channels.ServiceChannel.HandleReply(ProxyOperationRuntime operation, ProxyRpc& rpc)
     at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
     at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs)
     at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
     at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)
  Exception rethrown at [0]:
     at SAP.Manufacturing.Connectivity.WSDestination.WSDestination.Send(Guid notificationID, Dictionary`2 requestValues)
     at SAP.Manufacturing.Connectivity.WSDestination.WSDestination.Send(NotificationMessage message)
     at SAP.Manufacturing.Connectivity.Dispatcher.ProcessMessage(NotificationMessage message, DestinationBase destination)
     at SAP.Manufacturing.Connectivity.Dispatcher.DispatchMessageExecute(Message message, Boolean unlockMessage, Boolean& stopDispatcher)
  Am I missing anything?
  Version:
  ME: 6.1.4.9
  PCo:  2.3
  Thanks,

  Hello Shridhar, I guess you can  use use different user for authentication and user data inside XML request.
  In MII, I have used MESYS for authentication and other user name inside the request XML. But you need to make sure user name inside XML has ME_Integrator role.
  <me:UserId>USERID</me:UserId>
  Hope this helps.
  Thanks
  Hari