Local Radius Authentication - Fails

Hello all,
Access Point 1230AG (c1200-k9w7-mx.123-2.JA)
Client Adapter ABG (PCI)
I am new to Wireless Lan configuration with Aironet products (first project). I am configuring an Access Point for a small LAN and i can not get local radius authentication working. The password always fails if I try:
test aaa group radius xxxxx port 1812 new-code
although the password is matching..........
another thing is that in the configuration, it always defaults to 'nthash' mode. is this normal? in other words if i type:
radius-server local
user dgarnett password xxxx
when i do a 'show run' it displays as
user xxxx
I also get the following during a debug:
There is no RADIUS DB Some Radius attributes may not be stored
any help greatly appreciated
ap#test aaa group radius dgarnett 123456789 port 1812 new-code
Trying to authenticate with Servergroup radius
User rejected
ap#
Feb 19 20:57:44.535: RADIUS(00000000): Config NAS IP: 10.14.14.14
Feb 19 20:57:44.535: RADIUS(00000000): Config NAS IP: 10.14.14.14
Feb 19 20:57:44.535: RADIUS(00000000): sending
Feb 19 20:57:44.535: RADIUS(00000000): Send Access-Request to 10.14.14.14:1812 id 21645/14, len 64
Feb 19 20:57:44.535: RADIUS: authenticator 9C C4 E8 64 80 8B 64 8A - E7 5F 0A 64 14 2F 5D B6
Feb 19 20:57:44.536: RADIUS: User-Password [2] 18 *
Feb 19 20:57:44.536: RADIUS: User-Name [1] 10 "dgarnett"
Feb 19 20:57:44.536: RADIUS: Service-Type [6] 6 Login [1]
Feb 19 20:57:44.536: RADIUS: NAS-IP-Address [4] 6 10.14.14.14
Feb 19 20:57:44.536: RADIUS: Nas-Identifier [32] 4 "ap"
Feb 19 20:57:44.537: RADSRV: Client dgarnett password failed
Feb 19 20:57:44.537: RADIUS: Received from id 21645/14 10.14.14.14:1812, Access-Reject, len 88
Feb 19 20:57:44.538: RADIUS: authenticator 3C B3 9A 7F 61 27 3A A6 - 84 39 B6 DF 22 DF 45 26
Feb 19 20:57:44.538: RADIUS: State [24] 50
Feb 19 20:57:44.538: RADIUS: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF [????????????????]
Feb 19 20:57:44.539: RADIUS: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF [????????????????]
Feb 19 20:57:44.539: RADIUS: 6B 7C 18 EA F0 20 A4 E5 B1 28 0E BD 57 61 24 9A [k|??? ???(??Wa$?]
Feb 19 20:57:44.539: RADIUS: Message-Authenticato[80] 18 *
Feb 19 20:57:44.539: RADIUS(00000000): Received from id 21645/14
Feb 19 20:57:44.539: RADIUS(00000000): Unique id not in use
Feb 19 20:57:44.540: RADIUS/DECODE(00000000): There is no RADIUS DB Some Radius attributes may not be stored

Just as an update.......I set this up authenticating to an external (ACSNT) Radius server and it authenticates successfully. But still will not for the local dbase. My goal is to use the Corporate ACS as primary and the local as backup. I think my problem has to do with the Radius attributes 24 (State) and 80 (Message Auth). I also think that it points back to the NTHash stuff. Please advise as I am not new security practices and wireless, but I am new to Cisco Wireless networking.

Similar Messages

  • Configuring a 1230 AP as a "Local Radius Authenticator"

    Configuring a 1230 AP as a "Local Radius Authenticator"
    CCO-URL: Configuring an Access Point as a Local Authenticator
    http://www.cisco.com/en/US/partner/products/hw/wireless/ps4570/products_configuration_guide_chapter09186a0080184a9b.html
    this is the minimal config, i think:
    AP# configure terminal
    AP(config)# radius-server local
    AP(config-radsrv)# nas 1.1.1.1 key 111
    AP(config-radsrv)# group clerks
    AP(config-radsrv-group)# vlan 2
    AP(config-radsrv-group)# ssid batman
    AP(config-radsrv-group)# reauthentication time 1800
    AP(config-radsrv-group)# lockout count 2 time 600
    AP(config-radsrv-group)# exit
    AP(config-radsrv)# user jsmith password twain74 group clerks
    AP(config-radsrv)# end
    whereas 1.1.1.1 is the IP of the AP himself ?
    is there a must for additional config commands like this:
    radius-server host 1.1.1.1 auth-port 1812 acct-port 1813 key 111
    aaa group server radius rad_eap
    server 1.1.1.1 auth-port 1812 acct-port 1813
    aaa group server radius rad_admin
    server 1.1.1.1 auth-port 1812 acct-port 1813
    all attempts didn't work
    "station <MAC> authentication failed"
    is there anything else nessecary ???

    You seem to be missing the following commands;
    authentication network-eap eap_methods
    authentication key-management cckm optional
    The following commands are useful for diagnosis;
    • Show radius local statistics
    • show interface dot11Radio 0 aaa client
    • Debug dot11 aaa dot1x state
    • Debug dot11 mgmt interface
    Local authentication is designed as a fall-back service for when the primary RADIUS server fails. We not encourage the use of Local authentication as a replacement for a radius server.
    * With an ACS you get Authentication, Authorization and Accounting. With Local authentication you only get Authentication.
    * ACS scales, supports external user-databases, supports multiple authentication types, supports database backup and replication, etc, etc... Local authentication supports a maximum of 50 users, internal static configuration only, and LEAP only.
    Following is an IOS configuration, that I have tested, and works on an AP1200 (should work on an 1100 too, I just haven’t tested it);
    · This configuration enables a single AP to do local authentication. No WDS is included for fast roaming.
    · This configuration can be cut-and-pasted into an AP that has been write-erased (blank config), and it will configure all the parameters to allow a client to LEAP authenticate to it (even if no Ethernet cable is connected to it)
    · Replace usernames/passwords with your own usernames/passwords
    · Replace ip-addresseswith the APs IP address
    · I added DHCP configuration so you can connect to a stand-alone AP with your DHCP-enabled laptop (with a profile that matches the test APs SSID and LEAP settings).
    conf t
    host loc-auth-ap-name
    enable secret cisco
    no ip domain-lookup
    line vty 0 4
    password cisco
    exec-timeout 0 0
    login
    int bvi 1
    ip address 10.11.12.13 255.255.255.0
    Interface dot11 0
    no ssid tsunami
    encryption mode ciphers ckip-cmic
    ssid test-loc-auth
    authentication network-eap eap_methods
    authentication key-management cckm optional
    ip dhcp excluded-address 10.11.12.13
    ip dhcp pool temp
    network 10.11.12.0 255.255.255.0
    interface BVI1
    ip address 10.11.12.13 255.255.255.0
    no ip route-cache
    aaa new-model
    aaa group server radius rad_eap
    ! add a real AAA server (with auth-port 1645) before
    ! the following statement if you are configuring a
    ! fallback authentication service instead of a
    ! standalone service
    server 10.11.12.13 auth-port 1812 acct-port 1646
    aaa authentication login eap_methods group rad_eap
    ! add a real AAA server (with auth-port 1645) before
    ! the following statement if you are configuring a
    ! fallback authentication service instead of a
    ! standalone service
    radius-server host 10.11.12.13 auth-port 1812 acct-port 1646 key 0 l0cal-key-secret
    radius-server deadtime 10
    dot11 holdoff-time 1
    ip radius source-interface BVI1
    radius-server local
    nas 10.11.12.13 key 0 l0cal-key-secret
    user testuser password 0 testuser-key-secret
    exit
    exit
    wri

  • Wireless local radius authentication

    Greetings,
    I have a AIR-AP1121G-A-K9, and I would like to authenticate users with a username and password on the AP using the local radius server.
    I used the configuration at http://www.aironet.info/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801c0912.shtml
    and tried a couple other posted configuration, but are running into the same issue regardless of which method I am using.
    show ver
    Cisco IOS Software, C1100 Software (C1100-K9W7-M), Version 12.3(8)JED1, RELEASE
    SOFTWARE (fc3)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2010 by Cisco Systems, Inc.
    Compiled Tue 27-Apr-10 12:52 by alnguyen
    ROM: Bootstrap program is C1100 boot loader
    BOOTLDR: C1100 Boot Loader (C1100-BOOT-M) Version 12.2(8)JA, EARLY DEPLOYMENT RE
    LEASE SOFTWARE (fc1)
    ORP_ROOFDECK uptime is 21 hours, 3 minutes
    System returned to ROM by power-on
    System image file is "flash:/c1100-k9w7-mx.123-8.JED1/c1100-k9w7-mx.123-8.JED1"
    This product contains cryptographic features and is subject to United
    States and local country laws governing import, export, transfer and
    use. Delivery of Cisco cryptographic products does not imply
    third-party authority to import, export, distribute or use encryption.
    Importers, exporters, distributors and users are responsible for
    compliance with U.S. and local country laws. By using this product you
    agree to comply with applicable laws and regulations. If you are unable
    to comply with U.S. and local laws, return this product immediately.
    A summary of U.S. laws governing Cisco cryptographic products may be found at:
    http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
    If you require further assistance please contact us by sending email to
    [email protected].
    cisco AIR-AP1121G-A-K9     (PowerPCElvis) processor (revision A0) with 15138K/12
    36K bytes of memory.
    Processor board ID FOC08370K83
    PowerPCElvis CPU at 197Mhz, revision number 0x0950
    Last reset from power-on
    1 FastEthernet interface
    1 802.11 Radio(s)
    32K bytes of flash-simulated non-volatile configuration memory.
    Base ethernet MAC Address: 00:12:01:6B:86:46
    Part Number                          : 73-7886-07
    PCA Assembly Number                  : 800-21481-07
    PCA Revision Number                  : A0
    PCB Serial Number                    : XXX
    Top Assembly Part Number             : 800-22053-04
    Top Assembly Serial Number           : XXX
    Top Revision Number                  : A0
    Product/Model Number                 : AIR-AP1121G-A-K9
    Configuration register is 0xF
    show run
    Current configuration : 4240 bytes
    version 12.3
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    hostname XXX
    ip subnet-zero
    ip domain name XXX!
    ip ssh version 2
    aaa new-model
    aaa group server radius rad_eap
    server 172.16.1.35 auth-port 1812 acct-port 1813
    aaa group server radius rad_acct
    server 172.16.1.35 auth-port 1812 acct-port 1813
    aaa authentication login eap_methods group rad_eap
    aaa authorization exec default local
    aaa accounting network acct_methods start-stop group rad_acct
    aaa session-id common
    dot11 syslog
    dot11 ssid YYY
       authentication open eap eap_methods
       authentication network-eap eap_methods
       guest-mode
    bridge irb
    interface Dot11Radio0
    no ip address
    ip helper-address 172.16.1.1
    no ip route-cache
    encryption key 1 size 128bit 7 66061D688B874859701297485642 transmit-key
    encryption mode wep mandatory
    broadcast-key change 300
    ssid YYY
    speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0
    54.0
    channel 2437
    station-role root
    rts threshold 2312
    bridge-group 1
    bridge-group 1 subscriber-loop-control
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    bridge-group 1 spanning-disabled
    interface FastEthernet0
    no ip address
    no ip route-cache
    duplex auto
    speed auto
    bridge-group 1
    no bridge-group 1 source-learning
    bridge-group 1 spanning-disabled
    interface BVI1
    ip address 172.16.1.35 255.255.255.0
    ip helper-address 172.16.1.1
    no ip route-cache
    ip default-gateway 172.16.1.1
    ip http server
    ip http authentication local
    ip http secure-server
    ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
    ip radius source-interface BVI1
    radius-server local
      no authentication eapfast
      no authentication mac
      nas 172.16.1.35 key 7 VVV
      group YYY
        ssid YYY
        block count 3 time 30
        reauthentication time 300
      user zzz nthash 7 0225540F2A2429741C162F3C2636455854560E72760A6A667B315E37
    5553010B7A group YYY
    radius-server attribute 32 include-in-access-req format %h
    radius-server host 172.16.1.35 auth-port 1812 acct-port 1813 key 7 VVV
    radius-server vsa send accounting
    bridge 1 route ip
    line con 0
    line vty 0 4
    access-class 10 in
    line vty 5 15
    end
    Debug Output:
    331: AAA/ACCT(00000000): add node, session 4
    *Mar  1 21:37:37.331: AAA/ACCT/NET(00000004): add, count 1
    *Mar  1 21:37:37.331: dot11_auth_add_client_entry: Create new client 0023.6c85.3
    2cd for application 0x1
    *Mar  1 21:37:37.331: dot11_auth_initialize_client: 0023.6c85.32cd is added to t
    he client list for application 0x1
    *Mar  1 21:37:37.331: dot11_auth_add_client_entry: req->auth_type 4
    *Mar  1 21:37:37.331: dot11_auth_add_client_entry: auth_methods_inprocess: 2
    *Mar  1 21:37:37.331: dot11_auth_add_client_entry: eap list name: eap_methods
    *Mar  1 21:37:37.331: dot11_run_auth_methods: Start auth method EAP or LEAP
    *Mar  1 21:37:37.331: dot11_auth_dot1x_start: in the dot11_auth_dot1x_start
    *Mar  1 21:37:37.331: dot11_auth_dot1x_send_id_req_to_client: Sending identity r
    equest to 0023.6c85.32cd
    *Mar  1 21:37:37.332: EAPOL pak dump tx
    *Mar  1 21:37:37.332: EAPOL Version: 0x1  type: 0x0  length: 0x0036
    *Mar  1 21:37:37.332: EAP code: 0x1  id: 0x1  length: 0x0036 type: 0x1
    00ECBA00: 01000036 01010036 01006E65 74776F72  ...6...6..networ
    00ECBA10: 6B69643D 4F52505F 5075626C 69632C6E  kid=YYY,n
    00ECBA20: 61736964 3D4F5250 5F524F4F 46444543  asid=YYY
    00ECBA30: 4B2C706F 72746964 3D30               K,portid=0
    *Mar  1 21:37:37.333: dot11_auth_send_msg:  sending data to requestor status 1
    *Mar  1 21:37:37.333: dot11_auth_send_msg: Sending EAPOL to requestor
    *Mar  1 21:37:37.333: dot11_auth_dot1x_send_id_req_to_client: Client 0023.6c85.3
    2cd timer started for 30 seconds
    *Mar  1 21:38:07.333: dot11_auth_dot1x_run_rfsm: Executing Action(CLIENT_WAIT,TI
    MEOUT) for 0023.6c85.32cd
    *Mar  1 21:38:07.333: dot11_auth_dot1x_send_client_fail: Authentication failed f
    or 0023.6c85.32cd
    *Mar  1 21:38:07.333: dot11_auth_send_msg:  sending data to requestor status 0
    *Mar  1 21:38:07.333: dot11_auth_send_msg: client FAILED to authenticate 0023.6c
    85.32cd, node_type 64 for application 0x1
    *Mar  1 21:38:07.333: dot11_auth_delete_client_entry: 0023.6c85.32cd is deleted
    for application 0x1
    *Mar  1 21:38:07.334: %DOT11-7-AUTH_FAILED: Station 0023.6c85.32cd Authenticatio
    n failed
    *Mar  1 21:38:07.334: AAA/ACCT/HC(00000004): Update DOT11/00A83CE0
    *Mar  1 21:38:07.335: AAA/ACCT/HC(00000004): DOT11/00A83CE0 [pre-sess] (rx/tx) b
    ase 0/0 pre 6861/188 call 6861/188
    *Mar  1 21:38:07.335: AAA/ACCT/HC(00000004): DOT11/00A83CE0 [pre-sess] (rx/tx) a
    djusted, pre 6861/188 call 0/0
    *Mar  1 21:38:07.335: AAA/ACCT/HC(00000004): Deregister DOT11/00A83CE0
    *Mar  1 21:38:07.335: dot11_auth_client_abort: Received abort request for client
    0023.6c85.32cd
    *Mar  1 21:38:07.335: dot11_auth_client_abort: No client entry to abort: 0023.6c
    85.32cd for application 0x1
    *Mar  1 21:38:07.335: AAA/ACCT/EVENT/(00000004): CALL STOP
    *Mar  1 21:38:07.335: AAA/ACCT/CALL STOP(00000004): Sending stop requests
    *Mar  1 21:38:07.336: AAA/ACCT(00000004): Send all stops
    *Mar  1 21:38:07.336: AAA/ACCT/NET(00000004): STOP
    *Mar  1 21:38:07.336: AAA/ACCT/NET(00000004): Method list not found
    *Mar  1 21:38:07.336: AAA/ACCT(00000004): del node, session 4
    *Mar  1 21:38:07.336: AAA/ACCT/NET(00000004): free_rec, count 0
    *Mar  1 21:38:07.336: AAA/ACCT/NET(00000004) reccnt 0, csr TRUE, osr 0
    *Mar  1 21:38:07.337: AAA/ACCT/NET(00000004): Last rec in db, intf not enqueued
    *Mar  1 21:41:34.645: AAA/BIND(00000005): Bind i/f
    *Mar  1 21:41:34.645: AAA/ACCT/EVENT/(00000005): CALL START
    *Mar  1 21:41:34.645: Getting session id for NET(00000005) : db=C4EBC0
    *Mar  1 21:41:34.645: AAA/ACCT(00000000): add node, session 5
    *Mar  1 21:41:34.646: AAA/ACCT/NET(00000005): add, count 1
    *Mar  1 21:41:34.646: Getting session id for NONE(00000005) : db=C4EBC0
    *Mar  1 21:41:34.646: AAA/AUTHEN/LOGIN (00000005): Pick method list 'Permanent L
    ocal'
    *Mar  1 21:41:39.002: AAA/AUTHOR (0x5): Pick method list 'default'
    *Mar  1 21:41:39.002: AAA/AUTHOR/EXEC(00000005): processing AV cmd=
    *Mar  1 21:41:39.003: AAA/AUTHOR/EXEC(00000005): processing AV priv-lvl=15
    *Mar  1 21:41:39.003: AAA/AUTHOR/EXEC(00000005): Authorization successful
    Any ideas how I can get simple username/password working on an autonomous AP with local radius server?
    Thank you,

    You could get a better idea of why the auth is being failed with the output of "show radius local-server statistics".  You could also run "debug radius local-server client" and "debug radius local-server error".

  • Wlc 5508 radius authentication fail

    I am trying to setup a wireless lan for the first time using 5508, all is working to a point, until i try to setup client authentication using the following
    so settings are:
    Layer Wlan settings:
    Layer 2 security:WPA+WPA2
    AES
    Auth Key mgmt:802.1x
    We have the authentication server enabled:
    Ip an port are correct
    AAA overide not enabled
    Order for authentication, radius only
    Advanced: dafault settings
    Radius authentication servers:
    Call Station ID Type: IP address
    MAC Delimiter: Colon
    Network User
    Management
    Server Index
    Server Address
    Port
    IPSec
    Admin Status
    Server Index
    Server Address
    Shared Secret Format
                     ASCII                 Hex              
    Shared Secret
    Confirm Shared Secret
    Key Wrap
      (Designed for FIPS customers and requires a key wrap compliant RADIUS server)
    Port Number
    Server Status
                     Enabled                  Disabled              
    Support for RFC 3576
                     Enabled                  Disabled              
    Server Timeout
      seconds
    Network User
    Enable
    Management
    Enable
    IPSec
    Enable
    *radiusTransportThread: Dec 21 12:07:46.488: %AAA-4-RADIUS_RESPONSE_FAILED: radius_db.c:412 RADIUS server X.X.X.X:1812 failed to respond to request(ID 115) for STA 00:19:d2:b9:d5:e1 / user 'unknownUser'
    *radiusTransportThread: Dec 21 12:07:46.012: %AAA-4-RADIUS_RESPONSE_FAILED: radius_db.c:412 RADIUS server X.X.X.X:1812 failed to respond to request(ID 114) for STA 00:19:d2:b9:d5:e1 / user 'unknownUser'
    *Dot1x_NW_MsgTask_1: Dec 21 12:07:29.811: %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:3028 Max EAP identity request retries (3) exceeded for client 00:19:d2:b9:d5:e1
    *Dot1x_NW_MsgTask_1: Dec 21 12:07:29.811: %DOT1X-3-ABORT_AUTH: 1x_bauth_sm.c:447 Authentication aborted for client 00:19:d2:b9:d5:e1
    *radiusTransportThread: Dec 21 12:07:16.412: %AAA-4-RADIUS_RESPONSE_FAILED: radius_db.c:412 RADIUS server X.X.X.X:1812 failed to respond to request(ID 113) for STA 00:19:d2:b9:d5:e1 / user 'unknownUser'
    *Dot1x_NW_MsgTask_1: Dec 21 12:06:59.741: %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:3028 Max EAP identity request retries (3) exceeded for client 00:19:d2:b9:d5:e1
    Radius server occasionally sees attempts from user "XXZZYY"

    Osvaldo,
    Your observation is correct and this should be documented on the WLC help tab if you search for keyword network user under radius auth.
    Quote:
    Network User—Network user authentication check box. If this option is enabled, this entry is considered as the network user RADIUS authenticating server entry. If you did not set the RADIUS server entry on the WLAN configuration (WLANs > Edit > Security > AAA Servers), you must enable this option for networkusers.
    Management—Management authentication check box. If this option is enabled, this entry is considered as the management RADIUS authenticating server entry. If you enable this option, authentication requests go to the RADIUS server
    AAA server defined on WLAN takes precedence over global.

  • Local web authentication fails

    hello experts!!!
    i'm having trouble making clients authenticate locally on a 2106 controller with ios v.4.1.171.0.
    do i need a radius server to be able to do local auth.
    also the auth login page does not appear automatically when i open a browser and type www.cisco.com or any other url.
    i have to type in vip 1.1.1.1 to be able to bring up the login in page.
    is this how it supposed to be for this particular code.
    thanks for any input... really appreciate it.

    tried the 0 timing but the guest will have unlimited time session like a legit user.
    i wanted to set guest accounts, say guest1=1hour, guest2=2hours, guest3=3hours. and that these accounts should not be deleted automatically when their times expire. so the next time a guest comes to the office i can just choose guest1,2 or 3 account to allow him to use the internet.
    also i notice that after creating the guest account, its timer starts and continues regardless whether i use the account or not. and eventually, deleted after it reached the time limit.
    did i get through...
    thanks-a-banks!!!

  • How to set local radius with AP 1240AG series

    Hi,
    I have been trying to set up a AP with AIR-AP1242AG-Ak9 as a local authenticator radius but with no success. I have followed the steps from a lot of posts but no go, even with the most simple and understanable post like this one: 
    https://supportforums.cisco.com/document/101121/configuring-autonomous-ap-local-radius-authentication
    The guy at the end of the post says:
    Configuring AP
    1. Go to Security>Encryption Manager
    2. Specify Encryption (can be WEP or WPA)
    3. Specify that WEP is Mandatory
    4. Specify the key accordingly
    5. Click Apply
    6. Go to Security>SSID Manage
    7. Select the desired SSID
    But when I go via GUI fist of all:
    I dont understand why it says it can be WEP o WPA because if I select WEP and follow the rest of the steps, I got an error message: WPA mandatory is supported only with Cipher TKIP or AES CCMP or AES CCMP +TKIP <see encryption managerpage>
    Besides WEP, as far as I kknow it only works with a password only and I want the PC clients to aunthenticate with the AP itself as a Radius local server so it should ask for a username and password defined in the AP.
    Second of all, the steps from the guy states on item 4, specfy the key acordinly? what this means? I only see keys filed in hexa.
    third of all, if I do the steps in the error above, it allows me to set WPA with key management Mandatory but only by selecting the Cipher drop down menu, so which item should I pick ?there are a lot like AES CCMP, AES CCMP+TKIP, etc
    But whenever another PC tries to login, it asks for the username and password, but it never get passed just saying error on the network.
    I include the debug for the local radius below
    I also included the config of the AP
    All I want is the AP ask for a username and password, login successfully and thats it.
    anybody else or someone that has a function config to share with me? I would appreciate it, cause I have been more than 12 hours in a row trying to set it up but no go 

    Here is a one of my post related to this topic,see if that helps,
    http://mrncciew.com/2013/03/03/autonomous-ap-as-local-radius-server/
    If supported use WPA2 with AES as that is most secure. Do not use WEP. If WPA2/AES is not supported then try to use WAP with TKIP.
    Here is other useful configuration example on the same topic
    https://rscciew.wordpress.com/2014/07/24/autonomous-ap-with-local-radius-server-eap-fast/
    HTH
    Rasika
    **** Pls rate all useful responses ***

  • PPTP VPN works with local but not RADIUS authentication

    iPhone OS v3.1
    My VPN server is a Draytek 3300v. The iPhone connects OK when an account is set up locally on the server, but as soon as I switch it to use a RADIUS server (no other settings changed), authentication fails. I have tried 2 different RADIUS servers, with the same result. Immediately after successful authentication comes back from RADIUS, the VPN server log shows:
    pppd: peer 'john.smith' authenticate succeed, protocol:49699
    MSCHAP-v2 peer authentication succeeded for john.smith
    rcvd [LCP TermReq id=0x2]
    LCP terminated by peer
    pptpd: EOF or bad error reading ctrl packet length
    pptpd: cannot read packet header, exit
    pptpd: read pptp packet failed
    Clients using various versions of Windows all connect OK, but the iPhone fails authentication both over the carrier network and wireless.
    Any ideas anyone?

    Have you checked the Enterprise Deployment Guide for 3.1? It's at http://www.apple.com/support/iphone/enterprise

  • RADIUS rlm_mschap: authentication failed -14090

    We have a Mac mini server running Snow Leopard, and we have configured the RADIUS server to provide WPA2 Enterprise authentication for our Airport Base Stations. I thought I'd share the solution to a problem we were experiencing from time to time where a user could not fully-authenticate to the network. Our logs radiusd would show:
    Auth: rlm_opendirectory: User <username> is authorized
    Auth: rlm_mschap: authentication failed -14090
    Auth: rlm_opendirectory: Could not get the user's uuid
    This happened most recently when a user got a new laptop and had migrated everything from a Time Machine back-up. I tried restarting the server, RADIUS, resetting the user's password, etc. Nothing seemed to make a difference, and these logs might as well say nothing at all -- completely unhelpful.
    I then had the user log in to his Mac under a different account and try to connect and it was successful. Back to the original account, and we found a whole bunch duplicated profiles under the 802.1X tab in the Network panel of System Preferences. After deleting all of those and trying it again, it finally worked.
    Not sure why the server side couldn't be a little more helpful in diagnosing the problem, but there you go...

    I have similar issues, and tried what you suggested, but no dice. Cross-posted here: http://discussions.apple.com/thread.jspa?messageID=11894473
    Summary, one OD account is able to authenticate via AEBS, other accounts are not, and I cannot see any difference.

  • Configuring the Access Point 1602 IOS 15.2(2)JAX as a Local RADIUS for a MAC authenticator

    Hello Everyone,
    I have an issue with my Cisco 1602 WAP. I am trying to configure the WPA-PSK and MAC authentication on local RADIUS but I don't know why it doesn't work and client can bypass the MAC authentication. below is partial configuration:
    dot11 ssid WLAN
       vlan 20
       authentication open
       authentication key-management wpa version 2
       mbssid guest-mode
       wpa-psk ascii 7 XXX
    interface Dot11Radio0
     no ip address
     no ip route-cache
     encryption mode ciphers aes-ccm
     encryption vlan 20 mode ciphers aes-ccm
     ssid WLAN
     antenna gain 0
     stbc
     beamform ofdm
     mbssid
     channel 2462
     station-role root
    interface Dot11Radio0.20
     encapsulation dot1Q 20 native
     no ip route-cache
     bridge-group 1
     bridge-group 1 subscriber-loop-control
     bridge-group 1 spanning-disabled
     bridge-group 1 block-unknown-source
     no bridge-group 1 source-learning
     no bridge-group 1 unicast-flooding
    interface BVI1
     ip address 10.133.16.2 255.255.255.128
     no ip route-cache
    adius-server local
        nas 10.133.16.2 key 7 10.133.16.2
      group MAC
        vlan 20
        ssid WLAN
        block count 3 time infinite
        reauthentication time 1800
     user 54724f80421c  password 54724f80421c group MAC 
    Further information can be provided by request.
    Cheers,
    Parham

    what are you trying to accomplish?
    With the PSK you aren't telling the client it needs to do .1x auth for the Mac authentication.
    If you are just trying to keep some clients off the wireless, I would take a look at doing a MAC ACL (ACL 700)
    HTH,
    Steve

  • 802.1x port authentication failing after getting a access-accept packet

    Hi all,
    Im not 100% sure what the hell is going on here.
    Any idea's or help will be appreciated.
    Heres the topology.
    1 x windows 2012 NPS
    1x 3750X
    1x Windows 7 x64
    data flow
    <laptop> - - [gi 1/0/13]<3750X>[gi 1/0/48]- -[gi 5/39]<6513>[po 1] - - [po 4]<6509><5/1> - - <VMWARE>[NPS Server]
    The switch that is doing the authentication is the 3750X. Here is the IOS version.
    Switch Ports Model              SW Version            SW Image
    *    1 54    WS-C3750X-48       15.2(1)E              C3750E-UNIVERSALK9-M
    A wireshark trace on the NPS server shows that the packets are arriving and being sent back
    Wireshark on a mirror of the trunk port connecting the 6513. It also shows packets being sent and arriving. access-accept packets are being recieved.
    As you can see in the debug output, the switch is getting a access-accept, then it is stating a AAA failure.
    here is a debug output as you plug in the laptop.
    Oct 24 10:53:44.653: dot1x-ev:[Gi1/0/13] Interface state changed to DOWN
    Oct 24 10:53:44.653: dot1x-ev:[Gi1/0/13] No DOT1X subblock found for port down
    Oct 24 10:53:45.643: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/13, changed state to down
    Oct 24 10:53:46.641: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/13, changed state to down
    Oct 24 10:53:47.538: dot1x-ev:[Gi1/0/13] Interface state changed to UP
    Oct 24 10:53:47.564: dot1x-packet:[6431.500e.9b00, Gi1/0/13] queuing an EAPOL pkt on Auth Q
    Oct 24 10:53:47.572: dot1x-ev:DOT1X Supplicant not enabled on GigabitEthernet1/0/13
    Oct 24 10:53:47.572: dot1x-packet:EAPOL pak rx - Ver: 0x1  type: 0x1
    Oct 24 10:53:47.572: dot1x-packet: length: 0x0000
    Oct 24 10:53:47.572: dot1x-ev:[Gi1/0/13] Dequeued pkt: Int Gi1/0/13 CODE= 0,TYPE= 0,LEN= 0
    Oct 24 10:53:47.572: dot1x-ev:[Gi1/0/13] Received pkt saddr =6431.500e.9b00 , daddr = 0180.c200.0003, pae-ether-type = 888e.0101.0000
    Oct 24 10:53:47.572: dot1x-ev:[Gi1/0/13] Couldn't find the supplicant in the list
    Oct 24 10:53:47.572: dot1x-ev:[6431.500e.9b00, Gi1/0/13] New client detected, sending session start event for 6431.500e.9b00
    Oct 24 10:53:47.572: AAA/BIND(00000047): Bind i/f
    Oct 24 10:53:47.580: dot1x-ev:[6431.500e.9b00, Gi1/0/13] Sending create new context event to EAP for 0x15000045 (6431.500e.9b00)
    Oct 24 10:53:47.580: EAP-EVENT: Received context create from LL (Dot1x-Authenticator) (0x15000045)
    Oct 24 10:53:47.580: EAP-AUTH-EVENT: Received AAA ID 0x00000047 from LL
    Oct 24 10:53:47.580: EAP-AUTH-AAA-EVENT: Assigning AAA ID 0x00000047
    Oct 24 10:53:47.580: EAP-AUTH-AAA-EVENT: CTS not enabled on interface Gi1/0/13
    Oct 24 10:53:47.580: EAP-AUTH-EVENT: Received Session ID "C0A846660000004700DF6030" from LL
    Oct 24 10:53:47.580: EAP-AUTH-EVENT: Setting authentication mode: Passthrough
    Oct 24 10:53:47.580:     eap_authen : initial state eap_auth_initialize has enter
    Oct 24 10:53:47.580: EAP-EVENT: Allocated new EAP context (handle = 0xE8000047)
    Oct 24 10:53:47.580: dot1x-ev:[6431.500e.9b00, Gi1/0/13] Created a client entry (0x15000045)
    Oct 24 10:53:47.580: dot1x-ev:[6431.500e.9b00, Gi1/0/13] Dot1x authentication started for 0x15000045 (6431.500e.9b00)
    Oct 24 10:53:47.580: %AUTHMGR-5-START: Starting 'dot1x' for client (6431.500e.9b00) on Interface Gi1/0/13 AuditSessionID C0A846660000004700DF6030
    Oct 24 10:53:47.580: EAP-EVENT: Received EAP event 'EAP_AUTHENTICATOR_START' on handle 0xE8000047
    Oct 24 10:53:47.580:     eap_authen : during state eap_auth_initialize, got event 25(eapStartTmo)
    Oct 24 10:53:47.580: @@@ eap_authen : eap_auth_initialize -> eap_auth_select_action
    Oct 24 10:53:47.580:     eap_authen : during state eap_auth_select_action, got event 20(eapDecisionPropose)
    Oct 24 10:53:47.580: @@@ eap_authen : eap_auth_select_action -> eap_auth_propose_method
    Oct 24 10:53:47.580:     eap_authen : idle during state eap_auth_propose_method
    Oct 24 10:53:47.580: @@@ eap_authen : eap_auth_propose_method -> eap_auth_method_request
    Oct 24 10:53:47.580:     eap_authen : idle during state eap_auth_method_request
    Oct 24 10:53:47.580: @@@ eap_authen : eap_auth_method_request -> eap_auth_tx_packet
    Oct 24 10:53:47.580: EAP-AUTH-EVENT: Current method = Identity
    Oct 24 10:53:47.580: EAP-EVENT: Sending LL (Dot1x-Authenticator) event 'EAP_CUSTOMIZE_ID_REQUEST' on handle 0xE8000047
    Oct 24 10:53:47.580:     eap_authen : idle during state eap_auth_tx_packet
    Oct 24 10:53:47.580: @@@ eap_authen : eap_auth_tx_packet -> eap_auth_idle
    Oct 24 10:53:47.589: EAP-AUTH-TX-PAK: Code:REQUEST  ID:0x1   Length:0x0005  Type:IDENTITY
    Oct 24 10:53:47.589: EAP-EVENT: Started 'Authenticator ReqId Retransmit' timer (30s) for EAP sesion handle 0xE8000047
    Oct 24 10:53:47.589: EAP-EVENT: Started EAP tick timer
    Oct 24 10:53:47.589: EAP-EVENT: Sending LL (Dot1x-Authenticator) event 'EAP_TX_PACKET' on handle 0xE8000047
    Oct 24 10:53:47.597: dot1x-ev:[Gi1/0/13] Sending EAPOL packet to group PAE address
    Oct 24 10:53:47.597: dot1x-ev:[Gi1/0/13] Sending out EAPOL packet
    Oct 24 10:53:47.597: dot1x-packet:EAPOL pak Tx - Ver: 0x3  type: 0x0
    Oct 24 10:53:47.597: dot1x-packet: length: 0x0005
    Oct 24 10:53:47.597: dot1x-packet:EAP code: 0x1  id: 0x1  length: 0x0005
    Oct 24 10:53:47.597: dot1x-packet: type: 0x1
    Oct 24 10:53:47.597: dot1x-packet:[6431.500e.9b00, Gi1/0/13] EAPOL packet sent to client 0x15000045
    Oct 24 10:53:47.606: dot1x-packet:[6431.500e.9b00, Gi1/0/13] Queuing an EAPOL pkt on Authenticator Q
    Oct 24 10:53:47.606: dot1x-packet:EAPOL pak rx - Ver: 0x1  type: 0x0
    Oct 24 10:53:47.606: dot1x-packet: length: 0x001F
    Oct 24 10:53:47.606: dot1x-ev:[Gi1/0/13] Dequeued pkt: Int Gi1/0/13 CODE= 2,TYPE= 1,LEN= 31
    Oct 24 10:53:47.606: dot1x-ev:[Gi1/0/13] Received pkt saddr =6431.500e.9b00 , daddr = 0180.c200.0003, pae-ether-type = 888e.0100.001f
    Oct 24 10:53:47.606: dot1x-packet:EAPOL pak rx - Ver: 0x1  type: 0x0
    Oct 24 10:53:47.606: dot1x-packet: length: 0x001F
    Oct 24 10:53:47.606: dot1x-ev:[6431.500e.9b00, Gi1/0/13] Response sent to the server from 0x15000045
    Oct 24 10:53:47.606: EAP-EVENT: Received LL (Dot1x-Authenticator) event 'EAP_RX_PACKET' on handle 0xE8000047
    Oct 24 10:53:47.606: EAP-AUTH-RX-PAK: Code:RESPONSE  ID:0x1   Length:0x001F  Type:IDENTITY
    Oct 24 10:53:47.606:     Payload:  47454E4552414C5C72616E64792E636F ...
    Oct 24 10:53:47.606:     eap_authen : during state eap_auth_idle, got event 1(eapRxPacket)
    Oct 24 10:53:47.606: @@@ eap_authen : eap_auth_idle -> eap_auth_received
    Oct 24 10:53:47.606: EAP-AUTH-EVENT: EAP Response received by context 0xE8000047
    Oct 24 10:53:47.606: EAP-AUTH-EVENT: EAP Response type = Identity
    Oct 24 10:53:47.606: EAP-EVENT: Stopping 'Authenticator ReqId Retransmit' timer for EAP sesion handle 0xE8000047
    Oct 24 10:53:47.606:     eap_authen : during state eap_auth_received, got event 10(eapMethodData)
    Oct 24 10:53:47.606: @@@ eap_authen : eap_auth_received -> eap_auth_method_response
    Oct 24 10:53:47.606: EAP-AUTH-EVENT: Received peer identity: GENERAL\randy.coburn.admin
    Oct 24 10:53:47.606: EAP-EVENT: Sending LL (Dot1x-Authenticator) event 'EAP_IDENTITY' on handle 0xE8000047
    Oct 24 10:53:47.606:     eap_authen : during state eap_auth_method_response, got event 13(eapMethodEnd)
    Oct 24 10:53:47.606: @@@ eap_authen : eap_auth_method_response -> eap_auth_select_action
    Oct 24 10:53:47.606:     eap_authen : during state eap_auth_select_action, got event 19(eapDecisionPass)
    Oct 24 10:53:47.606: @@@ eap_authen : eap_auth_select_action -> eap_auth_passthru_init
    Oct 24 10:53:47.606:     eap_authen : during state eap_auth_passthru_init, got event 22(eapPthruIdentity)
    Oct 24 10:53:47.614: @@@ eap_authen : eap_auth_passthru_init -> eap_auth_aaa_req
    Oct 24 10:53:47.614: EAP-EVENT: Sending LL (Dot1x-Authenticator) event 'EAP_GET_PEER_MAC_ADDRESS' on handle 0xE8000047
    Oct 24 10:53:47.614: EAP-AUTH-AAA-EVENT: Adding Audit-Session-ID "C0A846660000004700DF6030" to RADIUS Req
    Oct 24 10:53:47.614: EAP-AUTH-AAA-EVENT: Added Audit-Session-ID
    Oct 24 10:53:47.614: EAP-AUTH-AAA-EVENT: Adding IDB "0x070B90F8" to RADIUS Req
    Oct 24 10:53:47.614: EAP-AUTH-AAA-EVENT: Added IDB
    Oct 24 10:53:47.614: EAP-EVENT: Sending LL (Dot1x-Authenticator) event 'EAP_CUSTOMIZE_AAA_REQUEST' on handle 0xE8000047
    Oct 24 10:53:47.614: EAP-AUTH-AAA-EVENT: eap_auth_aaa_authen_request_shim aaa_service 19, eap aaa_list handle 0, mlist handle 0
    Oct 24 10:53:47.614: AAA/AUTHEN/8021X (00000000): Pick method list 'default'
    Oct 24 10:53:47.614: EAP-AUTH-AAA-EVENT: Request sent successfully
    Oct 24 10:53:47.614:     eap_authen : during state eap_auth_aaa_req, got event 24(eapAAAReqOk)
    Oct 24 10:53:47.614: @@@ eap_authen : eap_auth_aaa_req -> eap_auth_aaa_idle
    Oct 24 10:53:47.614: RADIUS/ENCODE(00000000):Orig. component type = Invalid
    Oct 24 10:53:47.614: RADIUS/ENCODE(00000000): Unsupported AAA attribute hwidb
    Oct 24 10:53:47.614: RADIUS/ENCODE(00000000): Unsupported AAA attribute aaa-authen-type
    Oct 24 10:53:47.614: RADIUS/ENCODE(00000000): Unsupported AAA attribute aaa-authen-service
    Oct 24 10:53:47.614: RADIUS/ENCODE(00000000): Unsupported AAA attribute clid-mac-addr
    Oct 24 10:53:47.614: RADIUS/ENCODE(00000000): Unsupported AAA attribute target-scope
    Oct 24 10:53:47.614: RADIUS/ENCODE(00000000): Unsupported AAA attribute aaa-unique-id
    Oct 24 10:53:47.614: RADIUS(00000000): Config NAS IP: 0.0.0.0
    Oct 24 10:53:47.614: RADIUS(00000000): sending
    Oct 24 10:53:47.614: RADIUS/ENCODE: Best Local IP-Address 192.168.70.102 for Radius-Server 192.168.19.121
    Oct 24 10:53:47.614: RADIUS(00000000): Send Access-Request to 192.168.19.121:1645 id 1645/21, len 288
    Oct 24 10:53:47.614: RADIUS:  authenticator F1 BA E5 31 71 54 BF 1A - A2 B1 5E 1A 63 72 1E 72
    Oct 24 10:53:47.614: RADIUS:  User-Name           [1]   28  "GENERAL\randy.coburn.admin"
    Oct 24 10:53:47.614: RADIUS:  Service-Type        [6]   6   Framed                    [2]
    Oct 24 10:53:47.614: RADIUS:  Vendor, Cisco       [26]  27
    Oct 24 10:53:47.614: RADIUS:   Cisco AVpair       [1]   21  "service-type=Framed"
    Oct 24 10:53:47.614: RADIUS:  Framed-MTU          [12]  6   1500
    Oct 24 10:53:47.614: RADIUS:  Called-Station-Id   [30]  19  "AC-F2-C5-75-7D-0D"
    Oct 24 10:53:47.614: RADIUS:  Calling-Station-Id  [31]  19  "64-31-50-0E-9B-00"
    Oct 24 10:53:47.614: RADIUS:  EAP-Message         [79]  33
    Oct 24 10:53:47.614: RADIUS:   02 01 00 1F 01 47 45 4E 45 52 41 4C 5C 72 61 6E 64 79 2E 63 6F  [GENERAL\randy.co]
    Oct 24 10:53:47.622: RADIUS:   62 75 72 6E 2E 61 64 6D 69 6E        [ burn.admin]
    Oct 24 10:53:47.622: RADIUS:  Message-Authenticato[80]  18
    Oct 24 10:53:47.622: RADIUS:   EE 52 4D ED B9 06 F3 CE 63 AC 9D 73 24 1B A7 ED             [ RMcs$]
    Oct 24 10:53:47.622: RADIUS:  EAP-Key-Name        [102] 2   *
    Oct 24 10:53:47.622: RADIUS:  Vendor, Cisco       [26]  49
    Oct 24 10:53:47.622: RADIUS:   Cisco AVpair       [1]   43  "audit-session-id=C0A846660000004700DF6030"
    Oct 24 10:53:47.622: RADIUS:  Vendor, Cisco       [26]  20
    Oct 24 10:53:47.622: RADIUS:   Cisco AVpair       [1]   14  "method=dot1x"
    Oct 24 10:53:47.622: RADIUS:  NAS-IP-Address      [4]   6   192.168.70.102
    Oct 24 10:53:47.622: RADIUS:  NAS-Port            [5]   6   60000
    Oct 24 10:53:47.622: RADIUS:  NAS-Port-Id         [87]  23  "GigabitEthernet1/0/13"
    Oct 24 10:53:47.622: RADIUS:  NAS-Port-Type       [61]  6   Ethernet                  [15]
    Oct 24 10:53:47.622: RADIUS(00000000): Sending a IPv4 Radius Packet
    Oct 24 10:53:47.622: RADIUS(00000000): Started 10 sec timeout
    Oct 24 10:53:47.622: RADIUS: Received from id 1645/21 192.168.19.121:1645, Access-Accept, len 66
    Oct 24 10:53:47.622: RADIUS:  authenticator 92 F6 07 AF C1 AB 0B 4C - 1D 9E A0 D1 01 36 27 26
    Oct 24 10:53:47.622: RADIUS:  Class               [25]  46
    Oct 24 10:53:47.622: RADIUS:   76 E3 06 66 00 00 01 37 00 01 02 00 C0 A8 13 79 00 00 00 00 00 00 00 00 00 00 00 00 01 CE CF F8 1F 7B 75 41 00 00 00 00 00 00 00 50          [ vf7y{uAP]
    Oct 24 10:53:47.622: RADIUS(00000000): Received from id 1645/21
    Oct 24 10:53:47.622: EAP-EVENT: eap_aaa_reply
    Oct 24 10:53:47.622: EAP-AUTH-AAA-EVENT: Reply received session_label 72000033
    Oct 24 10:53:47.622: EAP-EVENT: Received AAA event 'EAP_AAA_FAIL' on handle 0xE8000047
    Oct 24 10:53:47.622:     eap_authen : during state eap_auth_aaa_idle, got event 8(eapAAAFail)
    Oct 24 10:53:47.622: @@@ eap_authen : eap_auth_aaa_idle -> eap_auth_failure
    Oct 24 10:53:47.631: EAP-EVENT: Received get canned status from lower layer (0xE8000047)
    Oct 24 10:53:47.631: EAP-AUTH-TX-PAK: Code:FAILURE  ID:0x1   Length:0x0004
    Oct 24 10:53:47.631: EAP-AUTH-EVENT: FAIL for EAP method ID: 1, name: , on handle 0xE8000047
    Oct 24 10:53:47.631: EAP-EVENT: Sending LL (Dot1x-Authenticator) event 'EAP_FAIL' on handle 0xE8000047
    Oct 24 10:53:47.631: dot1x-ev:[6431.500e.9b00, Gi1/0/13] Received an EAP Fail
    Oct 24 10:53:47.639: %DOT1X-5-FAIL: Authentication failed for client (6431.500e.9b00) on Interface Gi1/0/13 AuditSessionID C0A846660000004700DF6030
    Oct 24 10:53:47.639: dot1x-packet:[6431.500e.9b00, Gi1/0/13] Added username in dot1x
    Oct 24 10:53:47.639: dot1x-packet:[6431.500e.9b00, Gi1/0/13] Dot1x did not receive any key data
    Oct 24 10:53:47.639: dot1x-ev:[6431.500e.9b00, Gi1/0/13] Processing client delete for hdl 0x15000045 sent by Auth Mgr
    Oct 24 10:53:47.639: dot1x-ev:[6431.500e.9b00, Gi1/0/13] 6431.500e.9b00: sending canned failure due to method termination
    Oct 24 10:53:47.639: EAP-EVENT: Received get canned status from lower layer (0xE8000047)
    Oct 24 10:53:47.639: dot1x-ev:[Gi1/0/13] Sending EAPOL packet to group PAE address
    Oct 24 10:53:47.639: dot1x-ev:[Gi1/0/13] Sending out EAPOL packet
    Oct 24 10:53:47.639: dot1x-packet:EAPOL pak Tx - Ver: 0x3  type: 0x0
    Oct 24 10:53:47.639: dot1x-packet: length: 0x0004
    Oct 24 10:53:47.639: dot1x-packet:EAP code: 0x4  id: 0x1  length: 0x0004
    Oct 24 10:53:47.639: dot1x-packet:[6431.500e.9b00, Gi1/0/13] EAPOL canned status packet sent to client 0x15000045
    Oct 24 10:53:47.639: dot1x-ev:[6431.500e.9b00, Gi1/0/13] Deleting client 0x15000045 (6431.500e.9b00)
    Oct 24 10:53:47.639: %AUTHMGR-7-STOPPING: Stopping 'dot1x' for client 6431.500e.9b00 on Interface Gi1/0/13 AuditSessionID C0A846660000004700DF6030
    Oct 24 10:53:47.639: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (6431.500e.9b00) on Interface Gi1/0/13 AuditSessionID C0A846660000004700DF6030
    Oct 24 10:53:47.648: dot1x-ev:[6431.500e.9b00, Gi1/0/13] Delete auth client (0x15000045) message
    Oct 24 10:53:47.648: EAP-EVENT: Received free context (0xE8000047) from LL (Dot1x-Authenticator)
    Oct 24 10:53:47.648: dot1x-ev:Auth client ctx destroyed
    Oct 24 10:53:47.648: EAP-EVENT: Received LL (Dot1x-Authenticator) event 'EAP_DELETE' on handle 0xE8000047
    Oct 24 10:53:47.648: EAP-AUTH-EVENT: Freed EAP auth context
    Oct 24 10:53:47.648: EAP-EVENT: Freed EAP context
    Oct 24 10:53:48.621: EAP-EVENT: Stopped EAP tick timer
    Oct 24 10:53:49.485: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/13, changed state to up
    Oct 24 10:53:50.491: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/13, changed state to up
    Oct 24 10:53:53.528: dot1x-ev:[Gi1/0/13] Interface state changed to DOWN
    Oct 24 10:53:53.528: dot1x-ev:[Gi1/0/13] No DOT1X subblock found for port down
    Oct 24 10:53:54.518: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/13, changed state to down
    Oct 24 10:53:55.524: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/13, changed state to down

    Hi Jatin,
    See below the data that you have requested.
    show run bits.
    aaa new-model
    aaa authentication dot1x default group radius
    aaa session-id common
    clock timezone BST 0 0
    clock summer-time UTC recurring last Sun Mar 1:00 last Sun Oct 2:00
    dot1x system-auth-control
    interface GigabitEthernet1/0/13
    switchport access vlan 80
    switchport mode access
    authentication port-control auto
    dot1x pae authenticator
    spanning-tree portfast
    interface GigabitEthernet1/0/48
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 70
    switchport mode trunk
    radius server NPS1
    address ipv4 192.168.19.121 auth-port 1645 acct-port 1646
    timeout 10
    key thesecret
    ip default-gateway 192.168.70.1
    SW1-randy#show auth sessions interface gig 1/0/13
    Interface    MAC Address    Method       Domain          Status    Fg Session ID
    Gi1/0/13     803f.5d09.189e N/A          UNKNOWN      Unauth         C0A846660000002F00251DBC
    SW1-randy#Show mac address-table Interface GigabitEthernet1/0/13
              Mac Address Table
    Vlan    Mac Address       Type        Ports
      80    803f.5d09.189e    DYNAMIC     Drop
    SW1-randy#ping 192.168.19.121
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.19.121, timeout is 2 seconds:
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/8 ms
    Here is a wireshark of the accept packet.
    Message was edited by: randy coburn
    Added wireshark trace

  • EAP-FAST with local radius on 1242AG

    I'm trying to get EAP-FAST working using the local radius server on a 1242AG autonomous AP using the latest firmware from Cisco. The cypher I'm using is CCMP. LEAP works fine with all my clients, however if I move to EAP-FAST in the radius config my clients fail to authenticate
    I know I need to set PAC to automatic somewhere, but the EAP-FAST configuration in the 1242AG GUI doesn't make this clear what to do.
    Any help or a basic example you be great.
    thanks,
    Simon

    I think this is what you're looking for;
    Local EAP Authentication on the Wireless LAN Controller with EAP-FAST and LDAP Server Configuration Example
    http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a008093f1b9.shtml
    HTH
    Regards,
    Jatin
    Do rate helpful posts~

  • Radius authentication with ISE - wrong IP address

    Hello,
    We are using ISE for radius authentication.  I have setup a new Cisco switch stack at one of our locations and setup the network device in ISE.  Unfortunately, when trying to authenticate, the ISE logs show a failure of "Could not locate Network Device or AAA Client" The reason for this failure is the log shows it's coming from the wrong IP address.  The IP address of the switch is 10.xxx.aaa.241, but the logs show it is 10.xxx.aaa.243.  I have removed and re-added the radius configs on both ISE and the switch, but it still comes in as .243.  There is another switch stack at that location (same model, IOS etc), that works properly.
    The radius config on the switch:
    aaa new-model
    aaa authentication login default local
    aaa authentication login Comm group radius local
    aaa authentication enable default enable
    aaa authorization exec default group radius if-authenticated
    ip radius source-interface Vlanyy
    radius server 10.xxx.yyy.zzz
     address ipv4 10.xxx.yyy.zzz auth-port 1812 acct-port 1813
     key 7 abcdefg
    The log from ISE:
    Overview
    Event  5405 RADIUS Request dropped 
    Username  
    Endpoint Id  
    Endpoint Profile  
    Authorization Profile  
    Authentication Details
    Source Timestamp  2014-07-30 08:48:51.923 
    Received Timestamp  2014-07-30 08:48:51.923 
    Policy Server  ise
    Event  5405 RADIUS Request dropped 
    Failure Reason  11007 Could not locate Network Device or AAA Client 
    Resolution  Verify whether the Network Device or AAA client is configured in: Administration > Network Resources > Network Devices 
    Root cause  Could not find the network device or the AAA Client while accessing NAS by IP during authentication. 
    Username  
    User Type  
    Endpoint Id  
    Endpoint Profile  
    IP Address  
    Identity Store  
    Identity Group  
    Audit Session Id  
    Authentication Method  
    Authentication Protocol  
    Service Type  
    Network Device  
    Device Type  
    Location  
    NAS IP Address  10.xxx.aaa.243 
    NAS Port Id  tty2 
    NAS Port Type  Virtual 
    Authorization Profile  
    Posture Status  
    Security Group  
    Response Time  
    Other Attributes
    ConfigVersionId  107 
    Device Port  1645 
    DestinationPort  1812 
    Protocol  Radius 
    NAS-Port  2 
    AcsSessionID  ise1/186896437/1172639 
    Device IP Address  10.xxx.aaa.243 
    CiscoAVPair  
       Steps
      11001  Received RADIUS Access-Request 
      11017  RADIUS created a new session 
      11007  Could not locate Network Device or AAA Client 
      5405  
    As a test, I setup a device using the .243 address.  While ISE claims it authenticates, it really doesn't.  I have to use my local account to access the device.
    Any advice on how to resolve this issue would be appreciated.  Please let me know if more information is needed.

    Well from the debug I would say there may be an issue with the addressing of the radius server on the switch.
    radius-server host 10.xxx.xxx.xxx key******** <--- Make sure this address and Key matches what you have in ISE PSN and that switch. Watch for spaces in your key at the begining or end of the string.
    What interface should your switch be sending the radius request?
    ip radius source-interface VlanXXX vrf default
    Here is what my debug looks like when it is working correctly.
    Aug  4 15:58:47 EST: RADIUS/ENCODE(00000265): ask "Password: "
    Aug  4 15:58:47 EST: RADIUS/ENCODE(00000265):Orig. component type = EXEC
    Aug  4 15:58:47 EST: RADIUS(00000265): Config NAS IP: 10.xxx.xxx.251
    Aug  4 15:58:47 EST: RADIUS/ENCODE(00000265): acct_session_id: 613
    Aug  4 15:58:47 EST: RADIUS(00000265): sending
    Aug  4 15:58:47 EST: RADIUS(00000265): Send Access-Request to 10.xxx.xxx.35:1645 id 1645/110, len 104
    Aug  4 15:58:47 EST: RADIUS:  authenticator 97 FB CF 13 2E 6F 62 5D - 5B 10 1B BD BA EB C9 E3
    Aug  4 15:58:47 EST: RADIUS:  User-Name           [1]   9   "admin"
    Aug  4 15:58:47 EST: RADIUS:  Reply-Message       [18]  12 
    Aug  4 15:58:47 EST: RADIUS:   50 61 73 73 77 6F 72 64 3A 20        [ Password: ]
    Aug  4 15:58:47 EST: RADIUS:  User-Password       [2]   18  *
    Aug  4 15:58:47 EST: RADIUS:  NAS-Port            [5]   6   3                        
    Aug  4 15:58:47 EST: RADIUS:  NAS-Port-Id         [87]  6   "tty3"
    Aug  4 15:58:47 EST: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
    Aug  4 15:58:47 EST: RADIUS:  Calling-Station-Id  [31]  15  "10.xxx.xxx.100"
    Aug  4 15:58:47 EST: RADIUS:  Service-Type        [6]   6   Login                     [1]
    Aug  4 15:58:47 EST: RADIUS:  NAS-IP-Address      [4]   6   10.xxx.xxx.251           
    Aug  4 15:58:47 EST: RADIUS(00000265): Started 5 sec timeout
    Aug  4 15:58:47 EST: RADIUS: Received from id 1645/110 10.xxx.xxx.35:1645, Access-Accept, len 127
    Aug  4 15:58:47 EST: RADIUS:  authenticator 1B 98 AB 4F B1 F4 81 41 - 3D E1 E9 DB 33 52 54 C1
    Aug  4 15:58:47 EST: RADIUS:  User-Name           [1]   9   "admin"
    Aug  4 15:58:47 EST: RADIUS:  State               [24]  40 
    Aug  4 15:58:47 EST: RADIUS:   52 65 61 75 74 68 53 65 73 73 69 6F 6E 3A 30 61  [ReauthSession:0a]
    Aug  4 15:58:47 EST: RADIUS:   30 63 66 65 32 33 30 30 30 31 46 37 30 37 35 33  [0cfe230001F70753]
    Aug  4 15:58:47 EST: RADIUS:   44 46 45 35 46 37            [ DFE5F7]
    Aug  4 15:58:47 EST: RADIUS:  Class               [25]  58 
    Aug  4 15:58:47 EST: RADIUS:   43 41 43 53 3A 30 61 30 63 66 65 32 33 30 30 30  [CACS:0a0cfe23000]
    Aug  4 15:58:47 EST: RADIUS:   31 46 37 30 37 35 33 44 46 45 35 46 37 3A 50 52  [1F70753DFE5F7:PR]
    Aug  4 15:58:47 EST: RADIUS:   59 49 53 45 30 30 32 2F 31 39 33 37 39 34 36 39  [YISE002/19379469]
    Aug  4 15:58:47 EST: RADIUS:   38 2F 32 30 36 33 31 36          [ 8/206316]
    Aug  4 15:58:47 EST: RADIUS(00000265): Received from id 1645/110
    ---------------------------------------------------------------------------------------------------------------This is after I added the incorrect Radius server address.
    Aug  4 16:05:19 EST: RADIUS/ENCODE(00000268): ask "Password: "
    Aug  4 16:05:19 EST: RADIUS/ENCODE(00000268):Orig. component type = EXEC
    Aug  4 16:05:19 EST: RADIUS(00000268): Config NAS IP: 10.xxx.xxx.251
    Aug  4 16:05:19 EST: RADIUS/ENCODE(00000268): acct_session_id: 616
    Aug  4 16:05:19 EST: RADIUS(00000268): sending
    Aug  4 16:05:19 EST: RADIUS(00000268): Send Access-Request to 10.xxx.xxx.55:1645 id 1645/112, len 104
    Aug  4 16:05:19 EST: RADIUS:  authenticator FC 94 BA 5D 75 1F 84 08 - E0 56 05 3A 7F BC FB BB
    Aug  4 16:05:19 EST: RADIUS:  User-Name           [1]   9   "admin"
    Aug  4 16:05:19 EST: RADIUS:  Reply-Message       [18]  12 
    Aug  4 16:05:19 EST: RADIUS:   50 61 73 73 77 6F 72 64 3A 20        [ Password: ]
    Aug  4 16:05:19 EST: RADIUS:  User-Password       [2]   18  *
    Aug  4 16:05:19 EST: RADIUS:  NAS-Port            [5]   6   7                        
    Aug  4 16:05:19 EST: RADIUS:  NAS-Port-Id         [87]  6   "tty7"
    Aug  4 16:05:19 EST: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
    Aug  4 16:05:19 EST: RADIUS:  Calling-Station-Id  [31]  15  "10.xxx.xxx.100"
    Aug  4 16:05:19 EST: RADIUS:  Service-Type        [6]   6   Login                     [1]
    Aug  4 16:05:19 EST: RADIUS:  NAS-IP-Address      [4]   6   10.xxx.xxx.251           
    Aug  4 16:05:19 EST: RADIUS(00000268): Started 5 sec timeout
    Aug  4 16:05:23 EST: RADIUS(00000268): Request timed out
    Aug  4 16:05:23 EST: RADIUS: Retransmit to (10.xxx.xxx.55:1645,1646) for id 1645/112
    Aug  4 16:05:23 EST: RADIUS(00000268): Started 5 sec timeout
    Aug  4 16:05:29 EST: RADIUS(00000268): Request timed out
    Aug  4 16:05:29 EST: RADIUS: Retransmit to (10.xxx.xxx.55:1645,1646) for id 1645/112
    Aug  4 16:05:29 EST: RADIUS(00000268): Started 5 sec timeout
    Aug  4 16:05:33 EST: RADIUS(00000268): Request timed out
    Aug  4 16:05:33 EST: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.xxx.xxx.55:1645,1646 is not responding.
    Aug  4 16:05:33 EST: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.xxx.xxx.55:1645,1646 is being marked alive.
    Aug  4 16:05:33 EST: RADIUS: Retransmit to (10.xxx.xxx.55:1645,1646) for id 1645/112
    Aug  4 16:05:33 EST: RADIUS(00000268): Started 5 sec timeout
    Aug  4 16:05:38 EST: RADIUS(00000268): Request timed out
    Aug  4 16:05:38 EST: RADIUS: Fail-over to (10.xxx.xxx.55:1645,1646) for id 1645/112
    Aug  4 16:05:38 EST: RADIUS(00000268): Started 5 sec timeout
    Aug  4 16:05:43 EST: RADIUS(00000268): Request timed out
    Aug  4 16:05:43 EST: RADIUS: Retransmit to (10.xxx.xxx.55:1645,1646) for id 1645/112
    Aug  4 16:05:43 EST: RADIUS(00000268): Started 5 sec timeout
    Aug  4 16:05:48 EST: RADIUS(00000268): Request timed out
    Aug  4 16:05:48 EST: RADIUS: Retransmit to (10.xxx.xxx.55:1645,1646) for id 1645/112
    Aug  4 16:05:48 EST: RADIUS(00000268): Started 5 sec timeout
    Aug  4 16:05:53 EST: RADIUS(00000268): Request timed out
    Aug  4 16:05:53 EST: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.xxx.xxx.55:1645,1646 is not responding.
    Aug  4 16:05:53 EST: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.xxx.xxx.55:1645,1646 is being marked alive.
    Aug  4 16:05:53 EST: RADIUS: Retransmit to (10.xxx.xxx.55:1645,1646) for id 1645/112
    Aug  4 16:05:53 EST: RADIUS(00000268): Started 5 sec timeout
    Aug  4 16:05:57 EST: RADIUS(00000268): Request timed out
    Aug  4 16:05:57 EST: RADIUS: No response from (10.xxx.xxx.55:1645,1646) for id 1645/112
    Aug  4 16:05:57 EST: RADIUS/DECODE: parse response no app start; FAIL
    Aug  4 16:05:57 EST: RADIUS/DECODE: parse response; FAIL
    This is a default template I use for all my devices routers or switches hope it helps. I have two PSN's that is why we have two radius-server host commands..
    aaa authentication login vty group radius local enable
    aaa authentication login con group radius local enable
    aaa authentication dot1x default group radius
    aaa authorization network default group radius 
    aaa accounting system default start-stop group radius
    ip radius source-interface VlanXXX vrf default
    radius-server attribute 6 on-for-login-auth
    radius-server attribute 6 support-multiple
    radius-server attribute 8 include-in-access-req
    radius-server attribute 25 access-request include
    radius-server dead-criteria time 30 tries 3
    radius-server host xxx.xxx.xxx.xxx auth-port 1645 acct-port 1646 key *********
    radius-server host xxx.xxx.xxx.xxx auth-port 1645 acct-port 1646 key *********
    radius-server vsa send accounting
    radius-server vsa send authentication
    You can use this in the switch to test radius
    test aaa group radius server 10.xxx.xxx.xxx <username> <password>

  • NPS Authentication Fails (Reason 16) After Migration to 2012 R2 from 2008 R2

    I'm using NPS for wired dot1x authentication and I just migrated my NPS server from 2008 R2 to 2012 R2.  When I point the network switch to start using the new 2012 R2 NPS as the RADIUS server, I get authentication failures - event 6273, reason code
    16.  When I switch it back to the 2008 R2 server, it works fine.  The two servers are configured EXACTLY the same as far as I can tell - same RADIUS client config, same connection request policies, same network policies - and it should be since I
    used the MS prescribed migration process.  The only thing that differs is the server's certificate name used in the PEAP setup screen.
    I'm using computer authentication only, so everything is based on computer accounts and I've selected to NOT validate server credentials on the group policy.
    I've verified the shared secrets multiple times.  Both servers are domain controllers.
    Here is an example of the errors logged on the 2012 R2 server.
    ========================================
    Network Policy Server denied access to a user.
    Contact the Network Policy Server administrator for more information.
    User:
        Security ID:            FAITHCHURCH\youthroom$
        Account Name:            host/YOUTHROOM.faithchurch.net
        Account Domain:            FAITHCHURCH
        Fully Qualified Account Name:    FAITHCHURCH\youthroom$
    Client Machine:
        Security ID:            NULL SID
        Account Name:            -
        Fully Qualified Account Name:    -
        OS-Version:            -
        Called Station Identifier:        -
        Calling Station Identifier:        44-37-E6-C0-32-CA
    NAS:
        NAS IPv4 Address:        192.168.1.1
        NAS IPv6 Address:        -
        NAS Identifier:            -
        NAS Port-Type:            Ethernet
        NAS Port:            1010
    RADIUS Client:
        Client Friendly Name:        Extreme X440
        Client IP Address:            192.168.1.1
    Authentication Details:
        Connection Request Policy Name:    Secure Wired (Ethernet) Connections 2
        Network Policy Name:        Secure Wired (Ethernet) Connections 2
        Authentication Provider:        Windows
        Authentication Server:        Sigma.faithchurch.net
        Authentication Type:        PEAP
        EAP Type:            -
        Account Session Identifier:        -
        Logging Results:            Accounting information was written to the local log file.
        Reason Code:            16
        Reason:                Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.
    ========================================

    Hi,
    Have you added the NPS server to the RAS and IAS Servers
    security group in AD DS?
    The NPS server needs permission to read the dial-in properties of user accounts during the authorization process.
    Try to add a loal user on the NPS server, then test with the local user. If it works, it means that there is something wrong between NPS and DC.
    If the issue persists, it means that the configuration between NPS and NAS is wrong.
    Steven Lee
    TechNet Community Support

  • Authentication Failed to 2008 NPS from Cisco IOS VPN

    I'm trying to authenticate VPN connections to a Windows 2008 NPS Radius server.
    Local authentication works fine.
    Here are cisco configs:
    aaa new-model
    aaa authentication login default local
    aaa authentication login VPNauth group radius local
    aaa authorization network VPNgroup local
    aaa session-id common
    ip radius source-interface Loopback0
    radius-server host x.x.x.x auth-port 1645 acct-port 1646 key 7 xxxx
    crypto map VPNMAP client authentication list VPNauth
    crypto map VPNMAP isakmp authorization list VPNgroup
    crypto map VPNMAP client configuration address respond
    crypto map VPNMAP 10 ipsec-isakmp dynamic dynmap
    ... other crypto commands
    This is the section of the log from NPS:
    Authentication Details:
        Connection Request Policy Name:    VPN
        Network Policy Name:        -
        Authentication Provider:        Windows
        Authentication Server:        x.x.x.x
        Authentication Type:        PAP
        EAP Type:            -
        Account Session Identifier:        -
        Logging Results:            Accounting information was written to the local log file.
        Reason Code:            16
        Reason:                Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.
    I do have PAP enabled on the Network/Connection Request Policies...
    I'm stuck
    Please help

    Can you run a "teat aaa " command to see if the user can be authenticated successfully?
    I think this might be a configuration issue on NPS. You can google it. Here is one I found, refer to "irishHam" post.
    http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/bfbbbae4-a280-4b3f-b214-02867b7d33e3

  • Managing roles for ACE RADIUS authentication

    Hi,
    I have an ACE module running virtual contexts. I have configured the ACE contexts to authenticate against a RADIUS server (Windows IAS).
    When I log in, I am always given the role of 'network-monitoring'. I would like to configure the RADIUS server so it authenticates users as 'Admin'.
    Attached is a screeprint of the RADIUS clients set up on IAS (client names and IP addresses removed). The question here is if they should be configured as 'RADIUS Standard' or 'Cisco' in the 'Client-Vendor' field.
    Also attached is a screenshot of the IAS 'Remote Access Policy' that i have set up for the network devices (these include the ACE contexts aswell as Switches and FWSM contexts). The question here is whether I need both the 'Vendor-Specific' and 'Cisco-AV-Pair' attributes. Also, how do I need to configure these attributes so they will authenticate the Switches, Routers and FWSM contexts (allowing enable level 15) and authenticate the ACE contexts (allowing the 'Admin' role).
    I have also attached the RADIUS config lines that have been configured on the ACE contexts (IP address of server removed).
    I would appreciate any input.

    Hi Roble,
    That makes sense. I will configure the other contexts aswell.
    By the way, I noticed you have some 6513s using the RADIUS server with the same settings. I also have some 6513s and 6509s. I have configured them as follows:-
    aaa new-model
    aaa group server radius radius-grp
    server auth-port 1645 acct-port 1646
    aaa authentication attempts login 5
    aaa authentication fail-message ^CCCFailed login. Five consecutive fails will revoke.^C
    aaa authentication login default group radius-grp local
    aaa authentication enable default group radius-grp enable
    aaa session-id common
    radius-server host auth-port 1645 acct-port 1646 key
    radius-server source-ports 1645-1646
    line con 0
    password 7
    logging synchronous
    line vty 0 4
    exec-timeout 30 0
    password 7
    transport input telnet ssh
    line vty 5 15
    exec-timeout 30 0
    password 7
    transport input telnet ssh
    For some strange reason, when I log in, I can authenticate against the RADIUS server on IAS. When I try to go into enable mode, I am prompted for the password but the authentication fails. When I check the IAS server logs, I see the initial login request is coming into the IAS server with my username, however the enable request is coming into the IAS server with the user $enable15$.
    Do you know why this is the case? How do I configure the switches to insert the username in the enable authentication request?
    I have attached a screenshot of my current IAS attributes.
    I would really appreciate any input you may have on this second issue.

Maybe you are looking for

  • Switching from sprint droid to iphone4:is there an APP FOR THAT??? lol

    i was wondering how easiest way i can transfer contacts from droid to iphone.. i had a droid thru sprint and upgraded to iphone4.. droid is not activated, iphone is.. which would be better: sync info on droid (its not activated, can i connect to wifi

  • How do I edit a map in adobe acrobat?

    Hello? I have a document in adobe acrobat that I am using adobe reader to view. It is a map of my workplace and I'd like to make some alterations to this map. How do I do this? Can I do this? Do I need a full version of adobe and not just the reader?

  • Can't view Photos on my Nano

    Hi guys, i got following problem. i got an ipod nano (2nd generation & 8gb, i want to put some photos on it, 7 images (jpeg,bitmap & gif) about 1mb. so i created a folder and put these 7 photos in it, then i have chosen that folder wit iTunes and evr

  • Periodic Extract from FAGLFLEXT - NewGL ?

    Hi everyone, we are implementing a BCS system and want to transfer the totals from a migrated NewGL-System. Migration has been done to the beginning of this year, the old GL ist still for comparison reasons active. In the confuguration of the NewFL,

  • Findbar in fullscreen mood

    <i>Locking duplicate thread.<br>Please continue here: [[/questions/1009838]]</i> when I open the findbar in fullscreen mood the top toolbar will not fade away as always in fullscreen mood, how to fix this?