ISE Radius - Access-accept is returned with no autorization policy
Hello,
With ISE RADIUS service / PAP, the authentication passes OK, but the Network Element which sends the authorization request returns the message "not enough user privileges to execute command" and the HTTP page is blank.
The reason for that is that the Network Element is sending the Access-Request with Service-Type value = 8, which means Authenticate-Only (and this can be seen in ISE). This causes the RADIUS server to authenticate, but not to send the authorization parameters back to the NE in the Access-Accept, causing the login to fail. A bit from inside the RFC:
5.6. Service-Type
Description
This Attribute indicates the type of service the user has
requested, or the type of service to be provided. It MAY be used
in both Access-Request and Access-Accept packets. A NAS is not
required to implement all of these service types, and MUST treat
unknown or unsupported Service-Types as though an Access-Reject
had been received instead.
Type
6 for Service-Type.
The Value field is four octets.
1 Login
2 Framed
3 Callback Login
4 Callback Framed
5 Outbound
6 Administrative
7 NAS Prompt
8 Authenticate Only
9 Callback NAS Prompt
10 Call Check
11 Callback Administrative
There is no way to modify the value on the network element in the Access-Request packet.
Question: Is there a way for Cisco ISE to ignore the Service-Type value (Authenticate Only) and return the authorization parameters with the Access-Accept packet?
Thanks,
Lucho
Lucho,
I checked the RFC and the answer is no; the RFC states that no authorization information needs to be returned for this request.
http://www.ietf.org/rfc/rfc2865.txt
Thanks,
Tarik
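To make the Service-Type point above concrete, here is an added example (not code from the thread or from Cisco ISE) that decodes an Access-Request per RFC 2865, reads Service-Type, and builds the Access-Accept the way the RFC describes: for value 8 (Authenticate Only) the Accept carries no authorization attributes, for any other value the authorization attributes are included. It also computes and verifies the Response Authenticator, which is what binds an Accept to the request it answers. The shared secret, username, NAS address and the Cisco AV-pair "shell:priv-lvl=15" are constructed sample values, not taken from Lucho's deployment.

```python
"""Decode a RADIUS Access-Request and apply the Service-Type rule from RFC 2865.

Added example (not from the forum thread): shows why an Access-Request carrying
Service-Type 8 (Authenticate Only) comes back as an Access-Accept with no
authorization attributes, and how the Response Authenticator binds that reply
to the request. All packet bytes are constructed here, not captured from a device.
"""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2                      # packet codes, RFC 2865 s4
USER_NAME, NAS_IP_ADDRESS, SERVICE_TYPE, VENDOR_SPECIFIC = 1, 4, 6, 26
AUTHENTICATE_ONLY = 8                                     # Service-Type value, RFC 2865 s5.6


def parse_packet(data: bytes):
    """Return (code, identifier, authenticator, [(type, value), ...]) or raise ValueError.

    Header: Code(1) Identifier(1) Length(2) Authenticator(16); then attributes as
    Type(1) Length(1) Value(Length-2). Every length is checked before it is trusted.
    """
    if len(data) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data):
        raise ValueError("Length field disagrees with received bytes")
    attrs, pos = [], 20
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"bad length {alen} for attribute type {atype}")
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return code, ident, data[4:20], attrs


def service_type(attrs):
    """Service-Type value as an int, or None when the attribute is absent."""
    for atype, value in attrs:
        if atype == SERVICE_TYPE:
            if len(value) != 4:
                raise ValueError("Service-Type value must be four octets")
            return struct.unpack("!I", value)[0]
    return None


def encode_attrs(attrs):
    """Serialize [(type, value), ...] as Type/Length/Value triples."""
    return b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)


def cisco_avpair(text: str):
    """Cisco AV-pair as a Vendor-Specific attribute: Vendor-Id 9, vendor type 1."""
    value = text.encode()
    return (VENDOR_SPECIFIC, struct.pack("!I", 9) + bytes([1, len(value) + 2]) + value)


def build_request(ident: int, username: str, svc_type: int, nas_ip: str) -> bytes:
    """Constructed Access-Request (User-Password omitted; only the attributes
    that matter for the Service-Type decision are included)."""
    body = encode_attrs([
        (USER_NAME, username.encode()),
        (SERVICE_TYPE, struct.pack("!I", svc_type)),
        (NAS_IP_ADDRESS, socket.inet_aton(nas_ip)),
    ])
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body))
    return header + os.urandom(16) + body     # Request Authenticator is random, RFC 2865 s3


def build_accept(request: bytes, secret: bytes, authz_attrs) -> bytes:
    """Access-Accept for `request`, following the server behaviour RFC 2865 describes.

    With Service-Type 8 the Accept carries no authorization attributes; otherwise
    `authz_attrs` are included. Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)  (RFC 2865 s3).
    """
    code, ident, req_auth, attrs = parse_packet(request)
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    body = b"" if service_type(attrs) == AUTHENTICATE_ONLY else encode_attrs(authz_attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    resp_auth = hashlib.md5(header + req_auth + body + secret).digest()
    return header + resp_auth + body


def verify_response(request: bytes, response: bytes, secret: bytes) -> bool:
    """Client-side check that `response` answers `request` and was built with `secret`."""
    _, req_ident, req_auth, _ = parse_packet(request)
    _, ident, resp_auth, _ = parse_packet(response)
    expected = hashlib.md5(response[:4] + req_auth + response[20:] + secret).digest()
    return ident == req_ident and hmac.compare_digest(expected, resp_auth)


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    authz = [cisco_avpair("shell:priv-lvl=15")]            # sample authorization attribute
    for st in (AUTHENTICATE_ONLY, 6):
        req = build_request(1, "lucho", st, "192.0.2.10")
        acc = build_accept(req, secret, authz)
        n = len(parse_packet(acc)[3])
        print(f"Service-Type {st}: Access-Accept with {n} authorization attribute(s), "
              f"authenticator ok={verify_response(req, acc, secret)}")
```

Running it shows the asymmetry the thread is about: the request with Service-Type 8 gets a valid, correctly authenticated Access-Accept that contains nothing the NE can authorize from, while the Service-Type 6 (Administrative) request gets the same Accept plus the AV-pair. Because the NE fixes the Service-Type on its side, the server has nothing to override; the decision is already made when the request leaves the NE.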
Similar Messages
FlexConnect local/central switched and Access-Accept Packets
For our branch offices' wireless access, we would like to use FlexConnect with one SSID and two distinct user profiles:
• Full network access, local switched.
• Limited network access, central switched:
◦ To isolate traffic from the branch’s LAN.
◦ To force traffic through a firewall at the central site.
▪ To ease access rules management.
◦ Internet access only by default.
▪ Internet access is located at the central site.
▪ We expect to manage some exceptions to the rule.
We know that it’s not possible to switch from local to central switched using the same SSID with FlexConnect and AAA Override.
However, we found an interesting bit in the documentation pages regarding RADIUS attributes:
Authentication Attributes Honored in Access-Accept Packets (Airespace)
VAP ID
This attribute indicates the WLAN ID of the WLAN to which the client should belong. When the WLAN-ID attribute is present in the RADIUS Access Accept, the system applies the WLAN-ID (SSID) to the client station after it authenticates. [...]
Source:
http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-6/configuration/guide/b_cg76/b_cg76_chapter_0101000.html#reference_327F94A40AAE46E48153B265E521DDCF
We then made an assumption that the following was possible:
• Create a second SSID
◦ Broadcast not enabled
◦ Central Switched
• Users would authenticate using the first SSID
• In its Access-Accept packet, the RADIUS server would return an Airespace-WLAN-Id attribute with the value of the second SSID.
• The WLC would then assign the second SSID to the users so they’re central switched and forwarded through the firewall at the main site.
So far, our tests showed no results.
• Is that solution achievable at all? It seemed so from the documentation, but we haven’t found any documented evidence that someone actually tried it.
• If not, what would you recommend?
For RADIUS, we are using Microsoft 2012r2 NPS servers. Everything’s been working fine with them so far. We can do AAA vlan override for our main site and with FlexConnect also, without any problems. What’s not working is the local/central switched scenario we’re trying to pull off. The RADIUS server sends the Airespace-WLAN-Id attribute from what I see with Wireshark, but the WLC does not seem to react to it like I thought it would. I couldn’t find a debug command that would tell me what the WLC does with the attributes from the access-accept packet. Maybe the behaviour I’m experiencing is to be expected, that’s what I would like to know.
Thank you very much,
Your WLAN is defined as centrally switched or locally switched; AAA override will not change that value. AAA attributes can change a user's VLAN, ACL and QoS. The other attributes are intended for use in rules, for example:
Is the user part of this AD group and is this user on WLAN ID=1.
You will not be able to go from centrally switched to locally switched and vice versa. I don't know how you would be able to achieve what you're trying to accomplish with one SSID, to be honest.
ISE Admin Access Authentication to RADIUS Token Server
Hi all!
I want to use an External RADIUS Token Server for ISE Admin Access Authentication and Authorization.
Authentication works, but how do I map the users to Admin Groups? Is there a way to map a returned RADIUS Attribute (IETF "Class" or Cisco-AVPair "CiscoSecure-Group-Id") to an Admin Group?
Thanks in advance,
Michael Langerreiter
ISE 1.3 does have a bug: Authentication failed due to zero RBAC Groups.
Cisco Bug: CSCur76447 - External Admin access fails with shadow user & Radius token
Last Modified
Nov 25, 2014
Product
Cisco Identity Services Engine (ISE) 3300 Series Appliances
Known Affected Releases
1.3(0.876)
Description (partial)
Symptom:
ISE 1.3 RBAC fails with shadow user & Radius token
Operations > Reports > Deployment Status > Administrator Logins report shows
Authentication failed due to zero RBAC Groups
Conditions:
RBAC with shadow user & Radius token
Having trouble accessing my email account through the Mail app; after entering the account information in the settings page, Hotmail returns the error message "The user name or password for Hotmail is incorrect". Help
Hotmail is having problems:
http://bostinno.streetwise.co/2013/08/15/hotmail-outage-hotmail-is-down-for-users-still-photos/
http://www.engadget.com/2013/08/14/outlook-outage/
http://www.infoworld.com/d/applications/microsofts-skydrive-outlookcom-are-down-some-users-224940
http://mashable.com/2013/08/14/outlook-down/
http://techcrunch.com/2013/08/14/microsoft-acknowledges-outlook-com-messenger-skydrive-outages/
Yesterday I bought the old MacBook Air; will Apple accept a return and replace it with the new one?
Hi micjhal,
Call them up! If you look on your receipt it'll indicate you have 14 days to return it (if bought at a retail store) and 30 days if bought through the online store.
Documentation for ISE RADIUS messages?
In ISE, clicking on Operations => Authentications => Show Live Authentications brings up a list of authentication attempts. Clicking on Details on any one of the attempts brings up a list of authentication steps, each of which has an ID number and a description:
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
15049 Evaluating Policy Group
15008 Evaluating Service Selection Policy
15048 Queried PIP
15048 Queried PIP
15004 Matched rule
11507 Extracted EAP-Response/Identity
12300 Prepared EAP-Request proposing PEAP with challenge
etc.....
Is there a document that describes these messages? I am a newb at this and I am unable to find anything.
Thanks,
-Jeff
Source: Cisco Internal DB.
Google can search a troubleshooting guide for you:
http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/troubleshooting_guide/ise_tsg.html
~BR
Jatin Katyal
**Do rate helpful posts**
Cffunction - Accepting and Returning PDFs in memory
Hello,
This is something that I should probably know by now in my CF career, but up until now I have never thought/had to do this type of thing.
I have defined a couple functions that I would like to handle accepting, manipulating, and returning PDFs in memory. What data types should I be using for accepting and returning the PDF in memory between functions? I would prefer to stay away from "any" if possible, but let me know if that is the only choice.
<cffunction name="AddMeUhWaddaMak" returntype="any" access="public" output="no">
<cfargument name="src" type="any" required="yes">
<cfargument name="name" type="string" required="no">
<cfpdf action="addWatermark"
source="#arguments.src#"
name="#arguments.name#"
...>
<cfreturn arguments.name>
</cffunction>
Thanks again for the advice. I was doing a little tinkering around with isPDFObject() just to see how it works and came to another question. See below.
<cfdocument format="pdf" name="test2">
test
</cfdocument>
<cfdump var="#isPDFObject(test2)#"><cfabort>
The result says "NO", even though when I dump out "test2" it shows up as binary.
Tpcall return with tperrno=8 (TUXEDO - WLS)
Greetings,
I'm trying to connect a Tuxedo client to a WLS exported service (EJB) but I'm always getting a tpcall return with tperrno=8.
In atmi.h it is referred to by: #define TPEPERM 8
However, I haven't got any authentication configured!!
Can anyone help me trace the error? I put below all the configurations I think matter.
Thanks,
Pedro Salazar.
This is log message in my server receiving a connection from my client.
======================================================================
####<Apr 1, 2004 12:48:24 AM WEST> <Info> <WTC> <firewire> <ms_1>
<Thread-8> <<WLS Kernel>> <> <BEA-180086> <Accepted Connection from
remote domain LDOM1.>
=======================================================================
This is a log message in tuxedo establishing a connection:
===================================================================
004824.firewire!WSH.6576.16384.0: 04-01-2004: Tuxedo Version 8.1
004824.firewire!WSH.6576.16384.0: WSNAT_CAT:1030: INFO: Work Station
Handler joining application
004824.firewire!GWTDOMAIN.6572.16384.0: LIBGWT_CAT:1129: INFO:
Connection established with domain (domainid=<RDOM1>)
====================================================================
I put below my configuration files.
This is my configuration of my WTC:
=======================================
<WTCServer Name="WTC01" Targets="ms_1">
<WTCLocalTuxDom AccessPoint="RDOM1" AccessPointId="RDOM1"
NWAddr="//localhost:3200" Name="WTCLocalTuxDom-1080681989679"/>
<WTCRemoteTuxDom AccessPoint="LDOM1" AccessPointId="LDOM1"
LocalAccessPoint="RDOM1" NWAddr="//localhost:3100"
Name="WTCRemoteTuxDom-1080682068919"/>
<WTCImport LocalAccessPoint="RDOM1"
Name="WTCImport-1080682135407" RemoteAccessPointList="LDOM1"
RemoteName="TOUPPER" ResourceName="TOUPPER"/>
<WTCExport
EJBName="pt.ptinovacao.nginpro.uif.tuxedo.ejb.interfaces.AccessTuxedoHome"
LocalAccessPoint="RDOM1" Name="WTCExport-1080682173825"
RemoteName="TOLOWER" ResourceName="TOLOWER"/>
</WTCServer>
=======================================
This is my dmconfig configuration:
====================================
*DM_RESOURCES
*DM_LOCAL_DOMAINS
LDOM1
GWGRP=GROUPGW1
TYPE=TDOMAIN
DOMAINID=LDOM1
*DM_REMOTE_DOMAINS
RDOM1
TYPE=TDOMAIN
DOMAINID=RDOM1
*DM_TDOMAIN
#dominio tuxedo local
LDOM1 NWADDR="//localhost:3100"
#weblogic
RDOM1 NWADDR="//localhost:3200"
*DM_LOCAL_SERVICES
TOUPPER LDOM=LDOM1
*DM_REMOTE_SERVICES
TOLOWER RDOM=RDOM1
=======================================
This is my ubbconfig configuration:
========================================
*RESOURCES
IPCKEY 113456
DOMAINID simpapp
MASTER simple
MAXACCESSERS 50
MAXSERVERS 20
MAXSERVICES 1000
MODEL SHM
LDBAL N
PERM 0777
*MACHINES
firewire
LMID=simple
APPDIR="/home/tuxapp1"
TUXCONFIG="/home/tuxapp1/tuxconfig"
TUXDIR="/opt/bea/tuxedo8.1"
MAXWSCLIENTS=10
MAXACCESSERS=30
*GROUPS
GROUP1
LMID=simple GRPNO=1 OPENINFO=NONE
GROUP2
LMID=simple GRPNO=10 OPENINFO=NONE
GROUPGWADM
LMID=simple GRPNO=20 OPENINFO=NONE
GROUPGW1
LMID=simple GRPNO=30 OPENINFO=NONE
*SERVERS
DEFAULT:
CLOPT="-A"
simpserv SRVGRP=GROUP1 SRVID=1
WSL SRVGRP=GROUP2 SRVID=10
CLOPT="-A -- -n //localhost:3000"
DMADM SRVGRP=GROUPGWADM SRVID=20
GWADM SRVGRP=GROUPGW1 SRVID=30
GWTDOMAIN SRVGRP=GROUPGW1 SRVID=40
*SERVICES
TOUPPER
=========================================
Hi Pedro Salazar,
For tperrno=6, my question is: are you using the WTC sample from BEA? If so, the EJB name in your WTC configuration should be "tuxedo.services.TOLOWERHome", which in your configuration file is as follows:
pt.ptinovacao.nginpro.uif.tuxedo.ejb.interfaces.AccessTuxedoHome
That's probably why you get the no entry error.
I am getting the same error with "tperrno=8" when I try to connect to WLS from Tuxedo. But I fixed it exactly as you said, "add one user in the realm with the same name as the Remote Access Point ID", and then it works fine. Thanks for your hints.
Actually I tried this on one machine for WLS and Tuxedo, and it works fine, no need to create a user in the realm. I got this error when I separated WLS and Tuxedo onto two different physical machines.
Thanks,
James Yu
Unable to access Custom UDTs returned from a Java Stored Procedure
Hi,
I have a UDT in the DB:
create type contactrecord as object (
    CN_ID NUMBER(8),
    CN_TITLE VARCHAR2(40),
    CN_FIRST_NAME VARCHAR2(25)
);
and this is the corresponding Java class ContactDetails.java that maps to this UDT, which I loaded into the Aurora VM.
package package1;
import java.sql.SQLData;
import java.sql.SQLException;
import java.sql.SQLInput;
import java.sql.SQLOutput;
public class ContactDetails implements SQLData {
    private String sql_type;
    private long CN_ID;
    private String CN_TITLE;
    private String CN_FIRST_NAME;
    public String getSQLTypeName() throws SQLException {
        return this.sql_type;
    }
    // implementation of readSQL: attributes are read in the order the type declares them
    public void readSQL(SQLInput stream, String typeName) throws SQLException {
        sql_type = typeName;
        CN_ID = stream.readLong();
        CN_TITLE = stream.readString();
        CN_FIRST_NAME = stream.readString();
    }
    // writeSQL must write the attributes in the same order readSQL reads them
    public void writeSQL(SQLOutput stream) throws SQLException {
        stream.writeLong(CN_ID);
        stream.writeString(CN_TITLE);
        stream.writeString(CN_FIRST_NAME);
    }
    // getters and setters for the class vars go here.....
}
There is another class A.java that has a java stored procedure/function, which I loaded into the Aurora VM
Here is the class.
package package1;
public class A {
    public static ContactDetails returnObject(String name) {
        ContactDetails cd = new ContactDetails();
        cd.setCN_ID(1);
        cd.setCN_FIRST_NAME(name);
        return cd;
    }
}
Then I declared the call spec for A.returnObject() as
FUNCTION returnObject(name varchar2) return contactrecord
AS LANGUAGE JAVA
NAME 'package1.A.returnObject(java.lang.String) return package1.ContactDetails';
Then I tried to call the function returnObject through JDBC calls from a class in another VM.
When I access the object returned by the function, I get a null object.
Here is the Client code:
CallableStatement cs = null;
ResultSet rs = null;
try {
    cs = conn.prepareCall("{ ? = call returnObject(?) }");
    // register the Java class that maps the ADMIN.CONTACTRECORD object type
    java.util.Map map = conn.getTypeMap();
    map.put("ADMIN.CONTACTRECORD", Class.forName("package1.ContactDetails"));
    conn.setTypeMap(map);
    cs.registerOutParameter(1, OracleTypes.STRUCT, "ADMIN.CONTACTRECORD");
    cs.setString(2, "John Doe");
    cs.execute();
    ContactDetails cd = (ContactDetails) cs.getObject(1);
    System.out.println("contact first name is:-" + cd.getCN_FIRST_NAME()); // Null Pointer here..cd is null....:(
    if (cs != null) cs.close();
} catch (Exception e) {
    e.printStackTrace();
}
Although if I try to access the same function from a PL/SQL block, I am able to access the contactrecord fields.
What could be wrong ..???
I could not find any error with the object mapping, as it works perfectly when I interact directly from my VM with the DB, without going through the Aurora VM.
I am using an OCI driver to connect to the DB via JDBC.
Thanks in advance for any help at all.
-sk
Shahid,
I too have had bad luck in many cases with the automatic translation of Java types to PL/SQL and back. I think the SYS package on the PL/SQL side which handles some of the conversion is DBMS_PICKLER (there are equivalent Java classes which do the same in that world and seem to execute automagically when a conversion is needed). You might want to double-check the data type mappings against the DOC on OTN to make sure they map 1-1. Also make sure the permissions are granted against your objects to whoever is executing them, etc. Very often, I've resorted to passing simple scalar types between the two languages as in some cases the results with complex types are inconsistent.
Sorry this isn't much help,
-Dan
http://www.compuware.com/products/devpartner/db/oracle_debug.htm
Debug PL/SQL and Java in the Oracle Database
Inconsistent delivery balance after return with restocking fee
My client does not like the workaround she must use to delete negative delivery balances after returns are processed with a restocking fee. Here is her description of the problem:
1. We receive this unit back from the customer. When a return is created, the unit is received back into stock and the cost account is credited.
2. We revised the unit and decided to accept the return but charge a 10% restocking fee which means we will give back to the customer only 90% of what he paid for the unit.
When a credit memo is created, the customer receives the credit and the revenue account is debited. Also the base return document is closed.
3. However, the system indicates that there is a negative delivery amount of $509 (on the BP master screen). We don't want to see that balance; there is no open document linked to that balance.
If I do the same process, but add the total credit amount to the unit price directly the system does not show this negative balance even though the total amount of the return document is different than the total amount of the credit memo.
In order for me to clear that balance, I needed to create a return, copy it to a credit memo, and create an invoice to offset the invoice.
Is there a better way to do this?
The proper way to do it would be a full credit plus a new service invoice to complete this transaction. The restocking fee is a new charge to the customer. That process will reflect the true financial transaction.
Thanks,
Gordon
802.1x port authentication failing after getting a access-accept packet
Hi all,
I'm not 100% sure what the hell is going on here.
Any ideas or help will be appreciated.
Here's the topology.
1 x windows 2012 NPS
1x 3750X
1x Windows 7 x64
data flow
<laptop> - - [gi 1/0/13]<3750X>[gi 1/0/48]- -[gi 5/39]<6513>[po 1] - - [po 4]<6509><5/1> - - <VMWARE>[NPS Server]
The switch that is doing the authentication is the 3750X. Here is the IOS version.
Switch Ports Model SW Version SW Image
* 1 54 WS-C3750X-48 15.2(1)E C3750E-UNIVERSALK9-M
A Wireshark trace on the NPS server shows that the packets are arriving and being sent back.
Wireshark on a mirror of the trunk port connecting the 6513 also shows packets being sent and arriving; Access-Accept packets are being received.
As you can see in the debug output, the switch is getting an Access-Accept, then it is stating an AAA failure.
Here is the debug output as you plug in the laptop.
Oct 24 10:53:44.653: dot1x-ev:[Gi1/0/13] Interface state changed to DOWN
Oct 24 10:53:44.653: dot1x-ev:[Gi1/0/13] No DOT1X subblock found for port down
Oct 24 10:53:45.643: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/13, changed state to down
Oct 24 10:53:46.641: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/13, changed state to down
Oct 24 10:53:47.538: dot1x-ev:[Gi1/0/13] Interface state changed to UP
Oct 24 10:53:47.564: dot1x-packet:[6431.500e.9b00, Gi1/0/13] queuing an EAPOL pkt on Auth Q
Oct 24 10:53:47.572: dot1x-ev:DOT1X Supplicant not enabled on GigabitEthernet1/0/13
Oct 24 10:53:47.572: dot1x-packet:EAPOL pak rx - Ver: 0x1 type: 0x1
Oct 24 10:53:47.572: dot1x-packet: length: 0x0000
Oct 24 10:53:47.572: dot1x-ev:[Gi1/0/13] Dequeued pkt: Int Gi1/0/13 CODE= 0,TYPE= 0,LEN= 0
Oct 24 10:53:47.572: dot1x-ev:[Gi1/0/13] Received pkt saddr =6431.500e.9b00 , daddr = 0180.c200.0003, pae-ether-type = 888e.0101.0000
Oct 24 10:53:47.572: dot1x-ev:[Gi1/0/13] Couldn't find the supplicant in the list
Oct 24 10:53:47.572: dot1x-ev:[6431.500e.9b00, Gi1/0/13] New client detected, sending session start event for 6431.500e.9b00
Oct 24 10:53:47.572: AAA/BIND(00000047): Bind i/f
Oct 24 10:53:47.580: dot1x-ev:[6431.500e.9b00, Gi1/0/13] Sending create new context event to EAP for 0x15000045 (6431.500e.9b00)
Oct 24 10:53:47.580: EAP-EVENT: Received context create from LL (Dot1x-Authenticator) (0x15000045)
Oct 24 10:53:47.580: EAP-AUTH-EVENT: Received AAA ID 0x00000047 from LL
Oct 24 10:53:47.580: EAP-AUTH-AAA-EVENT: Assigning AAA ID 0x00000047
Oct 24 10:53:47.580: EAP-AUTH-AAA-EVENT: CTS not enabled on interface Gi1/0/13
Oct 24 10:53:47.580: EAP-AUTH-EVENT: Received Session ID "C0A846660000004700DF6030" from LL
Oct 24 10:53:47.580: EAP-AUTH-EVENT: Setting authentication mode: Passthrough
Oct 24 10:53:47.580: eap_authen : initial state eap_auth_initialize has enter
Oct 24 10:53:47.580: EAP-EVENT: Allocated new EAP context (handle = 0xE8000047)
Oct 24 10:53:47.580: dot1x-ev:[6431.500e.9b00, Gi1/0/13] Created a client entry (0x15000045)
Oct 24 10:53:47.580: dot1x-ev:[6431.500e.9b00, Gi1/0/13] Dot1x authentication started for 0x15000045 (6431.500e.9b00)
Oct 24 10:53:47.580: %AUTHMGR-5-START: Starting 'dot1x' for client (6431.500e.9b00) on Interface Gi1/0/13 AuditSessionID C0A846660000004700DF6030
Oct 24 10:53:47.580: EAP-EVENT: Received EAP event 'EAP_AUTHENTICATOR_START' on handle 0xE8000047
Oct 24 10:53:47.580: eap_authen : during state eap_auth_initialize, got event 25(eapStartTmo)
Oct 24 10:53:47.580: @@@ eap_authen : eap_auth_initialize -> eap_auth_select_action
Oct 24 10:53:47.580: eap_authen : during state eap_auth_select_action, got event 20(eapDecisionPropose)
Oct 24 10:53:47.580: @@@ eap_authen : eap_auth_select_action -> eap_auth_propose_method
Oct 24 10:53:47.580: eap_authen : idle during state eap_auth_propose_method
Oct 24 10:53:47.580: @@@ eap_authen : eap_auth_propose_method -> eap_auth_method_request
Oct 24 10:53:47.580: eap_authen : idle during state eap_auth_method_request
Oct 24 10:53:47.580: @@@ eap_authen : eap_auth_method_request -> eap_auth_tx_packet
Oct 24 10:53:47.580: EAP-AUTH-EVENT: Current method = Identity
Oct 24 10:53:47.580: EAP-EVENT: Sending LL (Dot1x-Authenticator) event 'EAP_CUSTOMIZE_ID_REQUEST' on handle 0xE8000047
Oct 24 10:53:47.580: eap_authen : idle during state eap_auth_tx_packet
Oct 24 10:53:47.580: @@@ eap_authen : eap_auth_tx_packet -> eap_auth_idle
Oct 24 10:53:47.589: EAP-AUTH-TX-PAK: Code:REQUEST ID:0x1 Length:0x0005 Type:IDENTITY
Oct 24 10:53:47.589: EAP-EVENT: Started 'Authenticator ReqId Retransmit' timer (30s) for EAP sesion handle 0xE8000047
Oct 24 10:53:47.589: EAP-EVENT: Started EAP tick timer
Oct 24 10:53:47.589: EAP-EVENT: Sending LL (Dot1x-Authenticator) event 'EAP_TX_PACKET' on handle 0xE8000047
Oct 24 10:53:47.597: dot1x-ev:[Gi1/0/13] Sending EAPOL packet to group PAE address
Oct 24 10:53:47.597: dot1x-ev:[Gi1/0/13] Sending out EAPOL packet
Oct 24 10:53:47.597: dot1x-packet:EAPOL pak Tx - Ver: 0x3 type: 0x0
Oct 24 10:53:47.597: dot1x-packet: length: 0x0005
Oct 24 10:53:47.597: dot1x-packet:EAP code: 0x1 id: 0x1 length: 0x0005
Oct 24 10:53:47.597: dot1x-packet: type: 0x1
Oct 24 10:53:47.597: dot1x-packet:[6431.500e.9b00, Gi1/0/13] EAPOL packet sent to client 0x15000045
Oct 24 10:53:47.606: dot1x-packet:[6431.500e.9b00, Gi1/0/13] Queuing an EAPOL pkt on Authenticator Q
Oct 24 10:53:47.606: dot1x-packet:EAPOL pak rx - Ver: 0x1 type: 0x0
Oct 24 10:53:47.606: dot1x-packet: length: 0x001F
Oct 24 10:53:47.606: dot1x-ev:[Gi1/0/13] Dequeued pkt: Int Gi1/0/13 CODE= 2,TYPE= 1,LEN= 31
Oct 24 10:53:47.606: dot1x-ev:[Gi1/0/13] Received pkt saddr =6431.500e.9b00 , daddr = 0180.c200.0003, pae-ether-type = 888e.0100.001f
Oct 24 10:53:47.606: dot1x-packet:EAPOL pak rx - Ver: 0x1 type: 0x0
Oct 24 10:53:47.606: dot1x-packet: length: 0x001F
Oct 24 10:53:47.606: dot1x-ev:[6431.500e.9b00, Gi1/0/13] Response sent to the server from 0x15000045
Oct 24 10:53:47.606: EAP-EVENT: Received LL (Dot1x-Authenticator) event 'EAP_RX_PACKET' on handle 0xE8000047
Oct 24 10:53:47.606: EAP-AUTH-RX-PAK: Code:RESPONSE ID:0x1 Length:0x001F Type:IDENTITY
Oct 24 10:53:47.606: Payload: 47454E4552414C5C72616E64792E636F ...
Oct 24 10:53:47.606: eap_authen : during state eap_auth_idle, got event 1(eapRxPacket)
Oct 24 10:53:47.606: @@@ eap_authen : eap_auth_idle -> eap_auth_received
Oct 24 10:53:47.606: EAP-AUTH-EVENT: EAP Response received by context 0xE8000047
Oct 24 10:53:47.606: EAP-AUTH-EVENT: EAP Response type = Identity
Oct 24 10:53:47.606: EAP-EVENT: Stopping 'Authenticator ReqId Retransmit' timer for EAP sesion handle 0xE8000047
Oct 24 10:53:47.606: eap_authen : during state eap_auth_received, got event 10(eapMethodData)
Oct 24 10:53:47.606: @@@ eap_authen : eap_auth_received -> eap_auth_method_response
Oct 24 10:53:47.606: EAP-AUTH-EVENT: Received peer identity: GENERAL\randy.coburn.admin
Oct 24 10:53:47.606: EAP-EVENT: Sending LL (Dot1x-Authenticator) event 'EAP_IDENTITY' on handle 0xE8000047
Oct 24 10:53:47.606: eap_authen : during state eap_auth_method_response, got event 13(eapMethodEnd)
Oct 24 10:53:47.606: @@@ eap_authen : eap_auth_method_response -> eap_auth_select_action
Oct 24 10:53:47.606: eap_authen : during state eap_auth_select_action, got event 19(eapDecisionPass)
Oct 24 10:53:47.606: @@@ eap_authen : eap_auth_select_action -> eap_auth_passthru_init
Oct 24 10:53:47.606: eap_authen : during state eap_auth_passthru_init, got event 22(eapPthruIdentity)
Oct 24 10:53:47.614: @@@ eap_authen : eap_auth_passthru_init -> eap_auth_aaa_req
Oct 24 10:53:47.614: EAP-EVENT: Sending LL (Dot1x-Authenticator) event 'EAP_GET_PEER_MAC_ADDRESS' on handle 0xE8000047
Oct 24 10:53:47.614: EAP-AUTH-AAA-EVENT: Adding Audit-Session-ID "C0A846660000004700DF6030" to RADIUS Req
Oct 24 10:53:47.614: EAP-AUTH-AAA-EVENT: Added Audit-Session-ID
Oct 24 10:53:47.614: EAP-AUTH-AAA-EVENT: Adding IDB "0x070B90F8" to RADIUS Req
Oct 24 10:53:47.614: EAP-AUTH-AAA-EVENT: Added IDB
Oct 24 10:53:47.614: EAP-EVENT: Sending LL (Dot1x-Authenticator) event 'EAP_CUSTOMIZE_AAA_REQUEST' on handle 0xE8000047
Oct 24 10:53:47.614: EAP-AUTH-AAA-EVENT: eap_auth_aaa_authen_request_shim aaa_service 19, eap aaa_list handle 0, mlist handle 0
Oct 24 10:53:47.614: AAA/AUTHEN/8021X (00000000): Pick method list 'default'
Oct 24 10:53:47.614: EAP-AUTH-AAA-EVENT: Request sent successfully
Oct 24 10:53:47.614: eap_authen : during state eap_auth_aaa_req, got event 24(eapAAAReqOk)
Oct 24 10:53:47.614: @@@ eap_authen : eap_auth_aaa_req -> eap_auth_aaa_idle
Oct 24 10:53:47.614: RADIUS/ENCODE(00000000):Orig. component type = Invalid
Oct 24 10:53:47.614: RADIUS/ENCODE(00000000): Unsupported AAA attribute hwidb
Oct 24 10:53:47.614: RADIUS/ENCODE(00000000): Unsupported AAA attribute aaa-authen-type
Oct 24 10:53:47.614: RADIUS/ENCODE(00000000): Unsupported AAA attribute aaa-authen-service
Oct 24 10:53:47.614: RADIUS/ENCODE(00000000): Unsupported AAA attribute clid-mac-addr
Oct 24 10:53:47.614: RADIUS/ENCODE(00000000): Unsupported AAA attribute target-scope
Oct 24 10:53:47.614: RADIUS/ENCODE(00000000): Unsupported AAA attribute aaa-unique-id
Oct 24 10:53:47.614: RADIUS(00000000): Config NAS IP: 0.0.0.0
Oct 24 10:53:47.614: RADIUS(00000000): sending
Oct 24 10:53:47.614: RADIUS/ENCODE: Best Local IP-Address 192.168.70.102 for Radius-Server 192.168.19.121
Oct 24 10:53:47.614: RADIUS(00000000): Send Access-Request to 192.168.19.121:1645 id 1645/21, len 288
Oct 24 10:53:47.614: RADIUS: authenticator F1 BA E5 31 71 54 BF 1A - A2 B1 5E 1A 63 72 1E 72
Oct 24 10:53:47.614: RADIUS: User-Name [1] 28 "GENERAL\randy.coburn.admin"
Oct 24 10:53:47.614: RADIUS: Service-Type [6] 6 Framed [2]
Oct 24 10:53:47.614: RADIUS: Vendor, Cisco [26] 27
Oct 24 10:53:47.614: RADIUS: Cisco AVpair [1] 21 "service-type=Framed"
Oct 24 10:53:47.614: RADIUS: Framed-MTU [12] 6 1500
Oct 24 10:53:47.614: RADIUS: Called-Station-Id [30] 19 "AC-F2-C5-75-7D-0D"
Oct 24 10:53:47.614: RADIUS: Calling-Station-Id [31] 19 "64-31-50-0E-9B-00"
Oct 24 10:53:47.614: RADIUS: EAP-Message [79] 33
Oct 24 10:53:47.614: RADIUS: 02 01 00 1F 01 47 45 4E 45 52 41 4C 5C 72 61 6E 64 79 2E 63 6F [GENERAL\randy.co]
Oct 24 10:53:47.622: RADIUS: 62 75 72 6E 2E 61 64 6D 69 6E [ burn.admin]
Oct 24 10:53:47.622: RADIUS: Message-Authenticato[80] 18
Oct 24 10:53:47.622: RADIUS: EE 52 4D ED B9 06 F3 CE 63 AC 9D 73 24 1B A7 ED [ RMcs$]
Oct 24 10:53:47.622: RADIUS: EAP-Key-Name [102] 2 *
Oct 24 10:53:47.622: RADIUS: Vendor, Cisco [26] 49
Oct 24 10:53:47.622: RADIUS: Cisco AVpair [1] 43 "audit-session-id=C0A846660000004700DF6030"
Oct 24 10:53:47.622: RADIUS: Vendor, Cisco [26] 20
Oct 24 10:53:47.622: RADIUS: Cisco AVpair [1] 14 "method=dot1x"
Oct 24 10:53:47.622: RADIUS: NAS-IP-Address [4] 6 192.168.70.102
Oct 24 10:53:47.622: RADIUS: NAS-Port [5] 6 60000
Oct 24 10:53:47.622: RADIUS: NAS-Port-Id [87] 23 "GigabitEthernet1/0/13"
Oct 24 10:53:47.622: RADIUS: NAS-Port-Type [61] 6 Ethernet [15]
Oct 24 10:53:47.622: RADIUS(00000000): Sending a IPv4 Radius Packet
Oct 24 10:53:47.622: RADIUS(00000000): Started 10 sec timeout
Oct 24 10:53:47.622: RADIUS: Received from id 1645/21 192.168.19.121:1645, Access-Accept, len 66
Oct 24 10:53:47.622: RADIUS: authenticator 92 F6 07 AF C1 AB 0B 4C - 1D 9E A0 D1 01 36 27 26
Oct 24 10:53:47.622: RADIUS: Class [25] 46
Oct 24 10:53:47.622: RADIUS: 76 E3 06 66 00 00 01 37 00 01 02 00 C0 A8 13 79 00 00 00 00 00 00 00 00 00 00 00 00 01 CE CF F8 1F 7B 75 41 00 00 00 00 00 00 00 50 [ vf7y{uAP]
Oct 24 10:53:47.622: RADIUS(00000000): Received from id 1645/21
Oct 24 10:53:47.622: EAP-EVENT: eap_aaa_reply
Oct 24 10:53:47.622: EAP-AUTH-AAA-EVENT: Reply received session_label 72000033
Oct 24 10:53:47.622: EAP-EVENT: Received AAA event 'EAP_AAA_FAIL' on handle 0xE8000047
Oct 24 10:53:47.622: eap_authen : during state eap_auth_aaa_idle, got event 8(eapAAAFail)
Oct 24 10:53:47.622: @@@ eap_authen : eap_auth_aaa_idle -> eap_auth_failure
Oct 24 10:53:47.631: EAP-EVENT: Received get canned status from lower layer (0xE8000047)
Oct 24 10:53:47.631: EAP-AUTH-TX-PAK: Code:FAILURE ID:0x1 Length:0x0004
Oct 24 10:53:47.631: EAP-AUTH-EVENT: FAIL for EAP method ID: 1, name: , on handle 0xE8000047
Oct 24 10:53:47.631: EAP-EVENT: Sending LL (Dot1x-Authenticator) event 'EAP_FAIL' on handle 0xE8000047
Oct 24 10:53:47.631: dot1x-ev:[6431.500e.9b00, Gi1/0/13] Received an EAP Fail
Oct 24 10:53:47.639: %DOT1X-5-FAIL: Authentication failed for client (6431.500e.9b00) on Interface Gi1/0/13 AuditSessionID C0A846660000004700DF6030
Oct 24 10:53:47.639: dot1x-packet:[6431.500e.9b00, Gi1/0/13] Added username in dot1x
Oct 24 10:53:47.639: dot1x-packet:[6431.500e.9b00, Gi1/0/13] Dot1x did not receive any key data
Oct 24 10:53:47.639: dot1x-ev:[6431.500e.9b00, Gi1/0/13] Processing client delete for hdl 0x15000045 sent by Auth Mgr
Oct 24 10:53:47.639: dot1x-ev:[6431.500e.9b00, Gi1/0/13] 6431.500e.9b00: sending canned failure due to method termination
Oct 24 10:53:47.639: EAP-EVENT: Received get canned status from lower layer (0xE8000047)
Oct 24 10:53:47.639: dot1x-ev:[Gi1/0/13] Sending EAPOL packet to group PAE address
Oct 24 10:53:47.639: dot1x-ev:[Gi1/0/13] Sending out EAPOL packet
Oct 24 10:53:47.639: dot1x-packet:EAPOL pak Tx - Ver: 0x3 type: 0x0
Oct 24 10:53:47.639: dot1x-packet: length: 0x0004
Oct 24 10:53:47.639: dot1x-packet:EAP code: 0x4 id: 0x1 length: 0x0004
Oct 24 10:53:47.639: dot1x-packet:[6431.500e.9b00, Gi1/0/13] EAPOL canned status packet sent to client 0x15000045
Oct 24 10:53:47.639: dot1x-ev:[6431.500e.9b00, Gi1/0/13] Deleting client 0x15000045 (6431.500e.9b00)
Oct 24 10:53:47.639: %AUTHMGR-7-STOPPING: Stopping 'dot1x' for client 6431.500e.9b00 on Interface Gi1/0/13 AuditSessionID C0A846660000004700DF6030
Oct 24 10:53:47.639: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (6431.500e.9b00) on Interface Gi1/0/13 AuditSessionID C0A846660000004700DF6030
Oct 24 10:53:47.648: dot1x-ev:[6431.500e.9b00, Gi1/0/13] Delete auth client (0x15000045) message
Oct 24 10:53:47.648: EAP-EVENT: Received free context (0xE8000047) from LL (Dot1x-Authenticator)
Oct 24 10:53:47.648: dot1x-ev:Auth client ctx destroyed
Oct 24 10:53:47.648: EAP-EVENT: Received LL (Dot1x-Authenticator) event 'EAP_DELETE' on handle 0xE8000047
Oct 24 10:53:47.648: EAP-AUTH-EVENT: Freed EAP auth context
Oct 24 10:53:47.648: EAP-EVENT: Freed EAP context
Oct 24 10:53:48.621: EAP-EVENT: Stopped EAP tick timer
Oct 24 10:53:49.485: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/13, changed state to up
Oct 24 10:53:50.491: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/13, changed state to up
Oct 24 10:53:53.528: dot1x-ev:[Gi1/0/13] Interface state changed to DOWN
Oct 24 10:53:53.528: dot1x-ev:[Gi1/0/13] No DOT1X subblock found for port down
Oct 24 10:53:54.518: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/13, changed state to down
Oct 24 10:53:55.524: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/13, changed state to down
Hi Jatin,
See below the data that you have requested.
show run bits.
aaa new-model
aaa authentication dot1x default group radius
aaa session-id common
clock timezone BST 0 0
clock summer-time UTC recurring last Sun Mar 1:00 last Sun Oct 2:00
dot1x system-auth-control
interface GigabitEthernet1/0/13
 switchport access vlan 80
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
 spanning-tree portfast
interface GigabitEthernet1/0/48
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 70
 switchport mode trunk
radius server NPS1
 address ipv4 192.168.19.121 auth-port 1645 acct-port 1646
 timeout 10
 key thesecret
ip default-gateway 192.168.70.1
SW1-randy#show auth sessions interface gig 1/0/13
Interface   MAC Address      Method   Domain    Status   Fg   Session ID
Gi1/0/13    803f.5d09.189e   N/A      UNKNOWN   Unauth        C0A846660000002F00251DBC
SW1-randy#Show mac address-table Interface GigabitEthernet1/0/13
          Mac Address Table
Vlan    Mac Address       Type       Ports
80      803f.5d09.189e    DYNAMIC    Drop
SW1-randy#ping 192.168.19.121
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.19.121, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/8 ms
Here is a wireshark of the accept packet.
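The debug output above is long, and the one line that actually says which side failed (the EAP layer's `EAP_AAA_FAIL`, i.e. the RADIUS server answered with a failure) carries only an EAP handle, not the MAC or the AuditSessionID that the later `%DOT1X-5-FAIL` and `%AUTHMGR-5-FAIL` syslog lines carry. Below is an added example, not code from this post or from Cisco, that correlates the two so each AuditSessionID ends up with a single verdict. The sample lines are constructed in the format of the post's output (the successful second session is invented for contrast), and the correlation assumes sessions are serialized in the log; on a switch with many ports authenticating at once you would need the handle-to-MAC mapping from earlier context-creation lines that the post's excerpt does not include.

```python
"""Triage IOS 'debug dot1x' / 'debug eap' output.

Added example, not part of the forum post. Correlates the AAA verdict reported
by the EAP layer with the per-session %DOT1X / %AUTHMGR syslog lines.
Assumption: sessions are serialized in the debug (one at a time); the sample
log below is constructed in the shape of the post's output.
"""
import re

TS_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d\.\d+): (.*)$")
AAA_RE = re.compile(r"EAP-EVENT: Received AAA event '(\w+)' on handle (0x[0-9A-Fa-f]+)")
EAP_RE = re.compile(r"dot1x-ev:\[([0-9a-f.]+), (\S+)\] Received an EAP (Fail|Success)")
SYSLOG_RE = re.compile(
    r"%(DOT1X|AUTHMGR)-5-(FAIL|SUCCESS): .*?client \(([0-9a-f.]+)\) on Interface (\S+) "
    r"AuditSessionID ([0-9A-Fa-f]+)"
)

# Constructed sample: a failing session shaped like the post's output, followed
# by a constructed successful session on another port for contrast.
SAMPLE_LOG = """\
Oct 24 10:53:47.622: EAP-EVENT: Received AAA event 'EAP_AAA_FAIL' on handle 0xE8000047
Oct 24 10:53:47.631: EAP-EVENT: Sending LL (Dot1x-Authenticator) event 'EAP_FAIL' on handle 0xE8000047
Oct 24 10:53:47.631: dot1x-ev:[6431.500e.9b00, Gi1/0/13] Received an EAP Fail
Oct 24 10:53:47.639: %DOT1X-5-FAIL: Authentication failed for client (6431.500e.9b00) on Interface Gi1/0/13 AuditSessionID C0A846660000004700DF6030
Oct 24 10:53:47.639: dot1x-packet:[6431.500e.9b00, Gi1/0/13] Dot1x did not receive any key data
Oct 24 10:53:47.639: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (6431.500e.9b00) on Interface Gi1/0/13 AuditSessionID C0A846660000004700DF6030
Oct 24 10:55:01.100: EAP-EVENT: Received AAA event 'EAP_AAA_SUCCESS' on handle 0xE8000048
Oct 24 10:55:01.105: dot1x-ev:[0011.2233.4455, Gi1/0/14] Received an EAP Success
Oct 24 10:55:01.110: %DOT1X-5-SUCCESS: Authentication successful for client (0011.2233.4455) on Interface Gi1/0/14 AuditSessionID C0A846660000004800E01000
Oct 24 10:55:01.120: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0011.2233.4455) on Interface Gi1/0/14 AuditSessionID C0A846660000004800E01000
"""


def classify(rec):
    """Turn the collected fields of one session into a single verdict."""
    aaa = rec.get("aaa_event")
    if aaa == "EAP_AAA_FAIL":
        return "radius_rejected"      # server answered with a failure: check the server's failed-auth log
    if aaa == "EAP_AAA_SUCCESS" and rec.get("authmgr") == "FAIL":
        return "authz_unapplied"      # authenticated, but the switch could not apply the authorization result
    if aaa == "EAP_AAA_SUCCESS" and rec.get("authmgr") == "SUCCESS":
        return "ok"
    return "unknown"                  # no AAA verdict seen for this session in the excerpt


def triage(log_text):
    """Return {AuditSessionID: record} with mac, interface, aaa_event, dot1x/authmgr results, verdict."""
    sessions = {}
    last_aaa = None        # (event, handle) of the most recent AAA verdict from the EAP layer
    port_verdict = {}      # (mac, interface) -> (event, handle), attached when dot1x reports the EAP result
    for line in log_text.splitlines():
        m = TS_RE.match(line)
        if not m:
            continue
        ts, body = m.groups()
        a = AAA_RE.search(body)
        if a:
            last_aaa = a.groups()
            continue
        e = EAP_RE.search(body)
        if e:
            mac, intf, _ = e.groups()
            if last_aaa:
                port_verdict[(mac, intf)] = last_aaa
            continue
        s = SYSLOG_RE.search(body)
        if s:
            facility, result, mac, intf, sid = s.groups()
            rec = sessions.setdefault(sid, {"mac": mac, "interface": intf, "first_seen": ts})
            rec["last_seen"] = ts
            rec[facility.lower()] = result        # 'dot1x' or 'authmgr' -> FAIL / SUCCESS
            verdict = port_verdict.get((mac, intf))
            if verdict:
                rec["aaa_event"], rec["aaa_handle"] = verdict
    for rec in sessions.values():
        rec["verdict"] = classify(rec)
    return sessions


if __name__ == "__main__":
    for sid, rec in triage(SAMPLE_LOG).items():
        print(sid, rec["mac"], rec["interface"], rec.get("aaa_event"), rec["verdict"])
```

A `radius_rejected` verdict means the next place to look is the RADIUS server's own failed-authentication log rather than the switch; the `Unauth` status in `show auth sessions` and the `Drop` port in the MAC address table are simply what the switch shows once that session has failed.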
-
I was asked to set a new passcode this morning which I did (including re-typing the new passcode). The first time I needed to re-enter, the phone failed to accept the new code. I've tried a few times and now I'm locked out. Seen stuff about recovering/restoring the phone but I'm here at work and don't have access to my computer with iTunes. Should I take the phone to an Apple store? Verizon? If so, do I have to wait for the disable period to end? Or is there something else I should do? Thanks.
No, wait until you get off work and then restore your phone using your computer with iTunes on it.
-
Missing AVP 29 VSA 23 in the Radius Access-Request sent by ASA 5545-X 8.6
Hello,
we are migrating from ASA 5520 Version 8.4(3) to ASA 5545-X Version 8.6(1)2 with the same configuration;
we are stuck with a RADIUS authentication problem related to ASA clientless access;
when we compare the RADIUS dialog between each ASA (the old one and the new one) and the same RADIUS ACS 5.3 server, we can see that the only difference is that AVP 29 VSA 23 is missing from the RADIUS Access-Request sent by the new ASA 5545-X, compared to the good one sent by the old ASA 5520;
this AVP 29 VSA 23 carries the tunnel-group name as defined in the ASA configuration;
the 5545-X and 5520 configuration files have been double-checked and compared: no difference between the two files.
Any help would be appreciated to diagnose this problem.
Thanks in advance.
This problem was solved by upgrading the 5545-X from version 8.6(1)2 to version 9.1.2;
nothing else changed.
-
Framed-IP-Address in RADIUS Access Request for WLC web-auth users
We have a web-auth WLAN (with 7.6.130.0 software on a 2504 WLC) configured to authenticate users through RADIUS. The Framed-IP-Address attribute, representing the client device's IP address is sent in the Accounting Request, as expected. However, this information should be available at the WLC before sending the RADIUS Access Request, since the device is already having an IP address.
So is there a way to configure the WLC to send the Framed-IP-Address attribute in the RADIUS Access Request as well?
Hi,
Try using:
aaa accounting delay-start
Regards,
~JG
Do rate helpful posts
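Both the ASA thread and the WLC thread above come down to the same question: which attributes a NAS actually puts in its Access-Request (the vendor-specific attribute the ASA post found missing; Framed-IP-Address present in the Accounting-Request but not in the Access-Request in the WLC post), and the way to answer it is to decode and compare the packets. Below is an added example, not code from either post or from Cisco: a minimal RFC 2865 attribute decoder that walks the attribute TLVs, unpacks the nested sub-attributes inside Vendor-Specific (type 26), validates lengths, and diffs the attribute sets of two packets. The two Access-Requests are constructed here; vendor ID 9 is Cisco's IANA enterprise number and vendor-type 1 under it is Cisco-AVPair, but the AVPair value, the addresses and the user name are placeholders and do not reproduce either post's capture.

```python
"""RFC 2865 attribute decoder and two-packet attribute diff.

Added example, not from the forum posts or from Cisco. The packets built by
sample_requests() are constructed for this example; only the attribute numbers,
the Service-Type names and vendor 9 / vendor-type 1 (Cisco-AVPair) are real.
"""
import os
import struct

RADIUS_HEADER = struct.Struct("!BBH16s")          # Code, Identifier, Length, Authenticator
ACCESS_REQUEST = 1
USER_NAME, NAS_IP_ADDRESS, SERVICE_TYPE, FRAMED_IP_ADDRESS = 1, 4, 6, 8
VENDOR_SPECIFIC, CALLING_STATION_ID = 26, 31
CISCO_PEN = 9                                      # IANA enterprise number for Cisco
CISCO_AVPAIR = 1                                   # vendor-type 1 under PEN 9 is Cisco-AVPair
SERVICE_TYPE_NAMES = {1: "Login", 2: "Framed", 3: "Callback Login", 4: "Callback Framed",
                      5: "Outbound", 6: "Administrative", 7: "NAS Prompt",
                      8: "Authenticate Only", 9: "Callback NAS Prompt", 10: "Call Check",
                      11: "Callback Administrative"}


def avp(attr_type, value):
    """Encode one attribute: Type(1) Length(1, includes the 2-byte header) Value."""
    if len(value) > 253:
        raise ValueError("attribute value longer than 253 octets")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def vsa(vendor_id, vendor_type, value):
    """Encode a Vendor-Specific attribute holding one vendor sub-attribute."""
    inner = struct.pack("!IBB", vendor_id, vendor_type, 2 + len(value)) + value
    return avp(VENDOR_SPECIFIC, inner)


def build_packet(code, identifier, authenticator, attrs):
    body = b"".join(attrs)
    return RADIUS_HEADER.pack(code, identifier, RADIUS_HEADER.size + len(body), authenticator) + body


def _parse_vsa(value):
    """RFC 2865 allows several vendor sub-attributes inside one type-26 attribute."""
    if len(value) < 6:
        raise ValueError("Vendor-Specific shorter than vendor-id plus one sub-attribute header")
    vendor_id = struct.unpack("!I", value[:4])[0]
    pos, out = 4, []
    while pos < len(value):
        if len(value) - pos < 2:
            raise ValueError("truncated vendor sub-attribute header")
        vt, vl = value[pos], value[pos + 1]
        if vl < 2 or pos + vl > len(value):
            raise ValueError(f"bad vendor sub-attribute length {vl}")
        out.append((VENDOR_SPECIFIC, vendor_id, vt, value[pos + 2:pos + vl]))
        pos += vl
    return out


def parse_attributes(packet):
    """Return [(type, vendor_id, vendor_type, value)]; vendor fields are None for plain attributes."""
    if len(packet) < RADIUS_HEADER.size:
        raise ValueError("packet shorter than the 20-octet header")
    _code, _ident, length, _auth = RADIUS_HEADER.unpack_from(packet)
    # RFC 2865: octets past Length are padding; a packet shorter than Length must be dropped.
    if length < RADIUS_HEADER.size or length > 4096 or length > len(packet):
        raise ValueError(f"bad Length field {length} for a {len(packet)}-octet packet")
    pos, out = RADIUS_HEADER.size, []
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError(f"bad attribute length {l} at offset {pos}")
        value = packet[pos + 2:pos + l]
        out.extend(_parse_vsa(value) if t == VENDOR_SPECIFIC else [(t, None, None, value)])
        pos += l
    return out


def validate(packet):
    """None if the packet decodes cleanly, else the reason it does not."""
    try:
        parse_attributes(packet)
        return None
    except ValueError as exc:
        return str(exc)


def attribute_keys(packet):
    return {(t, vid, vt) for t, vid, vt, _ in parse_attributes(packet)}


def attribute_diff(packet_a, packet_b):
    """(keys only in a, keys only in b): what one NAS sends that the other does not."""
    a, b = attribute_keys(packet_a), attribute_keys(packet_b)
    return a - b, b - a


def service_type(packet):
    for t, _, _, v in parse_attributes(packet):
        if t == SERVICE_TYPE and len(v) == 4:
            n = struct.unpack("!I", v)[0]
            return SERVICE_TYPE_NAMES.get(n, f"unknown({n})")
    return None


def sample_requests():
    """Two constructed Access-Requests: the first carries Framed-IP-Address and a Cisco VSA, the second does not."""
    common = [avp(USER_NAME, b"alice"), avp(NAS_IP_ADDRESS, bytes([192, 0, 2, 10])),
              avp(SERVICE_TYPE, struct.pack("!I", 1)), avp(CALLING_STATION_ID, b"00-11-22-33-44-55")]
    extras = [avp(FRAMED_IP_ADDRESS, bytes([192, 0, 2, 77])), vsa(CISCO_PEN, CISCO_AVPAIR, b"placeholder=value")]
    # An Access-Request authenticator must be unpredictable (RFC 2865 section 3); constructed here.
    return (build_packet(ACCESS_REQUEST, 1, os.urandom(16), common + extras),
            build_packet(ACCESS_REQUEST, 2, os.urandom(16), common))


if __name__ == "__main__":
    old, new = sample_requests()
    only_old, only_new = attribute_diff(old, new)
    print("Service-Type:", service_type(old))
    print("only in first packet:", sorted(only_old))
    print("only in second packet:", sorted(only_new))
```

To use this on real captures, export the two Access-Request payloads from Wireshark as raw bytes and pass them to `attribute_diff`; the diff then lists exactly the (type, vendor, vendor-type) tuples one NAS sends and the other omits, which is the comparison the ASA post describes doing by eye.
-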
Accepting calendar invites with 2 exchange accounts on iPhone?
My setup:
iphone 4S - 5.1.1
2 Exchange server accounts (1 home, 1 work).
When I get sent a calendar invite from Work, I accept it on my iPhone and it goes back to sender with my personal email address. How do I prevent this? It didn't use to do this, it would accept the calendar invite and return with the work email.
Help??
When you accept the appointment, is it in your business calendar or in the private one?
When it goes back, is it your e-mail address or the signature that is wrong (you know, only one signature for both accounts unless you update to iOS 6, which can handle separate signatures for each account)?
I recommend setting your business calendar as default (Settings > Mail, Contacts... > Calendar > "Default").