Machine authentication oddity
I'm seeing AD Authentication Failed messages in the console for systems that should trigger that alert. However, the alert description is showing a %%5 every time similar to below -
The session setup from the computer XYZZY failed to authenticate. The following error occurred: %%5
I've got ADMP 6.0.6452, but this hasn't happened until recently. The only changes prior to this starting to occur were setting up a newer DC as a proxy agent that hadn't been set previously and applying the latest batch of MS OS-related patches from the last couple of patch Tuesdays. Any ideas?
-J.
-
Anders Bengtsson (Microsoft MVP, Operations Manager, http://www.contoso.se) - Thursday, September 10, 2009 7:19 PM
If you look at the source server, is the event formatted normally, the event that triggered the alert?
-
J. - Friday, September 11, 2009 4:43 AM (marked as answer by Anders Bengtsson, Monday, November 23, 2009 10:23 PM)
Yes. It appears to be formatted normally. The event source is NETLOGON, the Event ID 5805, and the text is -
The session setup from the computer XYZZY-PC failed to authenticate. The following error occurred:
Access is denied.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
I do remember similar alerts showing 'Access is denied' in the past. I'm not sure why it would be problematic now. The data for the alert is as follows:
0000: c0000022
-
Anders Bengtsson (Microsoft MVP, Operations Manager, http://www.contoso.se) - Monday, November 23, 2009 10:24 PM
"Mark as Answer" - no activity for months. Feel free to re-open this.
-
Felyjos - Saturday, June 23, 2012 5:11 PM (edited Wednesday, June 27, 2012 12:39 AM)
Hello,
Any info on this matter? I set up a rule with an alert on the event ID 5805, and I am also getting the %%5 and miss "Access is denied".
Thanks,
Dom
System Center Operations Manager 2007 / System Center Configuration Manager 2007 R2 / Forefront Client Security / Forefront Identity Manager
-
Felyjos - Wednesday, June 27, 2012 12:39 AM
?bump?
-
priyohw - Friday, March 21, 2014 2:19 AM
so, what's your solution?
-
priyohw - Friday, March 21, 2014 2:20 AM
how to solve this? please advise
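An added example for this thread, not code from the thread or from Microsoft. NETLOGON event 5805 stores its error as the insertion string "%%5", a reference to parameter message 5 (Win32 ERROR_ACCESS_DENIED); the Event Viewer resolves that to "Access is denied", while a monitor that copies the insertion strings verbatim shows the placeholder, and the event's 4-byte data block carries the matching NTSTATUS (0xC0000022 = STATUS_ACCESS_DENIED). The function names, the assumed insertion-string layout of 5805, and the sample values are ours, constructed from what the thread reports.

```powershell
# Added example, not the thread's or Microsoft's code. Resolves "%%N"
# parameter references the way the Event Viewer does, decodes the NTSTATUS
# in the 5805 data block, and (optionally) renders live events from a DC.
# Assumes a Windows host; sample values are constructed from the thread.

function Resolve-ParameterPlaceholders {
    param([Parameter(Mandatory)][string]$Text)
    # Win32Exception returns the system text for Win32 error N, the same text
    # the parameter message file supplies when the event is rendered.
    [regex]::Replace($Text, '%%(\d+)', {
        param($match)
        $code = [int]$match.Groups[1].Value
        (New-Object System.ComponentModel.Win32Exception($code)).Message
    })
}

function ConvertFrom-NtStatusHex {
    param(
        [Parameter(Mandatory)][string]$Hex,  # "c0000022" as shown in the alert data
        [switch]$LittleEndian                # set when $Hex is the XML <Binary> byte dump
    )
    if ($LittleEndian) {
        # <Binary> lists the bytes as stored (22 00 00 C0); reverse them into a DWORD.
        $bytes = for ($i = 0; $i -lt $Hex.Length; $i += 2) {
            [Convert]::ToByte($Hex.Substring($i, 2), 16)
        }
        [array]::Reverse($bytes)
        $Hex = ($bytes | ForEach-Object { $_.ToString('X2') }) -join ''
    }
    $status = [Convert]::ToUInt32($Hex, 16)
    # A few NTSTATUS values relevant to secure-channel setup (from ntstatus.h).
    $known = @{
        'C0000022' = 'STATUS_ACCESS_DENIED'
        'C000005E' = 'STATUS_NO_LOGON_SERVERS'
        'C000006A' = 'STATUS_WRONG_PASSWORD'
        'C000006D' = 'STATUS_LOGON_FAILURE'
        'C000018B' = 'STATUS_NO_TRUST_SAM_ACCOUNT'
    }
    $key = $status.ToString('X8')
    [pscustomobject]@{
        Status   = '0x' + $key
        # Top two bits of an NTSTATUS give the severity; 11 (3) is Error.
        Severity = @('Success', 'Informational', 'Warning', 'Error')[$status -shr 30]
        Name     = if ($known.ContainsKey($key)) { $known[$key] } else { 'unknown' }
    }
}

function Format-SetupFailure {
    # Assumed layout of a 5805 event: Data[0] = computer, Data[1] = error
    # parameter (e.g. "%%5"), Binary = NTSTATUS bytes.
    param(
        [Parameter(Mandatory)][string]$Computer,
        [Parameter(Mandatory)][string]$ErrorParam,
        [string]$BinaryHex
    )
    $text = "The session setup from the computer $Computer failed to authenticate. " +
            "The following error occurred: $ErrorParam"
    $nt = if ($BinaryHex) { ConvertFrom-NtStatusHex $BinaryHex -LittleEndian }
    [pscustomobject]@{
        Computer = $Computer
        RawText  = $text                                  # what a verbatim copy shows
        Rendered = Resolve-ParameterPlaceholders $text    # what the Event Viewer shows
        NtStatus = if ($nt) { "$($nt.Status) ($($nt.Name), $($nt.Severity))" } else { 'n/a' }
    }
}

function Get-NetlogonSetupFailures {
    # Live variant: read recent NETLOGON 5805 events from the System log of a
    # DC or proxy-agent host and render each one with the functions above.
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$MaxEvents = 50)
    $filter = @{ LogName = 'System'; ProviderName = 'NETLOGON'; Id = 5805 }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction Stop |
        ForEach-Object {
            $ed = ([xml]$_.ToXml()).Event.EventData
            $d = @($ed.Data)
            Format-SetupFailure -Computer $d[0] -ErrorParam $d[1] -BinaryHex $ed.Binary |
                Add-Member -NotePropertyName TimeCreated -NotePropertyValue $_.TimeCreated -PassThru
        }
}

# Constructed sample from the thread: computer XYZZY-PC, parameter "%%5",
# data 0000: c0000022 (stored little-endian as 22 00 00 C0).
Format-SetupFailure -Computer 'XYZZY-PC' -ErrorParam '%%5' -BinaryHex '220000C0' | Format-List
```

Run `Get-NetlogonSetupFailures -ComputerName <dc>` against the domain controller that raised the alert to see both the raw insertion string and the rendered text side by side for each failing computer.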
Similar Messages
-
ACS 5.3, EAP-TLS Machine Authentication with Active Directory
I have ACS 5.3. I am testing EAP-TLS Machine Authentication using Active Directory as an external Identity Store. I was testing and everything was going fine until I did some failure testing.
My problem: I deleted my computer account out of Active Directory and tried to authenticate my wireless laptop and it still worked when it should have failed.
Here is some of the output of the ACS log. You can see that the computer could not be found in AD and this was returned to the ACS. However, ACS still went ahead and authenticated the computer successfully.
Evaluating Identity Policy
15006 Matched Default Rule
22037 Authentication Passed
22023 Proceed to attribute retrieval
24433 Looking up machine/host in Active Directory - LAB-PC-PB.VITS.attcst.sbc.com
24437 Machine not found in Active Directory
22016 Identity sequence completed iterating the IDStores
Evaluating Group Mapping Policy
12506 EAP-TLS authentication succeeded
11503 Prepared EAP-Success
Evaluating Exception Authorization Policy
15042 No rule was matched
Evaluating Authorization Policy
15006 Matched Default Rule
15016 Selected Authorization Profile - Permit Access
22065 Max sessions policy passed
22064 New accounting session created in Session cache
11002 Returned RADIUS Access-Accept
I was assuming that if the computer was not found, the Identity Policy would fail, so I did not configure any authorization policy. Do I need an authorization policy to tell the ACS to fail the authentication if the machine cannot be found in AD? If I need an authorization policy, how do I configure it?
Note: In my Identity Store Sequence, I did enable the option:
For Attribute Retrieval only:
If internal user/host not found or disabled then exit sequence and treat as "User Not Found"
but this only seems to work for internal identity stores (at least based on my testing)
Under my Access Policy Identity tab, I configured the following Advanced features:
Advanced Options
If authentication failed
RejectDropContinue
If user not found
RejectDropContinue
If process failed
RejectDropContinue
And that didn't do anything either.
Any ideas? Thanks in advance.
Can try the following. Define an attribute to be retrieved from Active Directory that exists for all objects. When defining the attribute, it can be given a default value. Assign a default value that will never be returned for a real machine entry (e.g. "DEFAULTVALUE") and give it a "Policy Condition Name".
Then can make a rule in the authorization policy such as
If "Policy Condition Name" equals "DEFAULTVALUE" then "DenyAccess" -
ISE 1.2 - 24492 Machine authentication against AD has failed
Currently experiencing a machine authentication problem between ISE 1.2 patch 2 and a customer AD installation.
AuthZ policy is set to match against /Users/Domain Computers and /Users Domain Users. User authentication works, machine auth doesn't.
Machine authentication box is ticked.
If you try to disable an AD machine, or try a machine not in the domain, you get the appropriate different response in the ISE logs, which suggests it has the right access into AD to check this info.
This happens on all computers, both WinXP and Win7 corporate builds.
I know it's not an ISE policy configuration, as I have resorted to testing the same ISE against a vanilla lab AD environment with the same AD domain name (just by changing the DNS servers ISE uses) and the computer lookup works!
Anybody got any ideas?
thanks.
24492
External-Active-Directory
Machine authentication against Active Directory has failed
Machine authentication against Active Directory has failed.
Error
Please check whether NTP is in sync or not on ISE -
ISE 1.1 - 24492 Machine authentication against AD has failed
We implement Cisco ISE 802.1X and Machine Authentication With EAP-TLS.
Authentication Summary
Logged At:
March 11,2015 7:00:13.374 AM
RADIUS Status:
RADIUS Request dropped : 24492 Machine authentication against Active Directory has failed
NAS Failure:
Username:
[email protected]
MAC/IP Address:
00:26:82:F1:E6:32
Network Device:
WLC : 192.168.1.225 :
Allowed Protocol:
TDS-PEAP-TLS
Identity Store:
AD1
Authorization Profiles:
SGA Security Group:
Authentication Protocol :
EAP-TLS
Authentication Result
RadiusPacketType=Drop
AuthenticationResult=Error
Related Events
Authentication Details
Logged At:
March 11,2015 7:00:13.374 AM
Occurred At:
March 11,2015 7:00:13.374 AM
Server:
ISE-TDS
Authentication Method:
dot1x
EAP Authentication Method :
EAP-TLS
EAP Tunnel Method :
Username:
[email protected]
RADIUS Username :
host/LENOVO-PC.tdsouth.com
Calling Station ID:
00:26:82:F1:E6:32
Framed IP Address:
Use Case:
Network Device:
WLC
Network Device Groups:
Device Type#All Device Types,Location#All Locations
NAS IP Address:
192.168.1.225
NAS Identifier:
WLC-TDS
NAS Port:
4
NAS Port ID:
NAS Port Type:
Wireless - IEEE 802.11
Allowed Protocol:
TDS-PEAP-TLS
Service Type:
Framed
Identity Store:
AD1
Authorization Profiles:
Active Directory Domain:
tdsouth.com
Identity Group:
Allowed Protocol Selection Matched Rule:
TDS-WLAN-DOT1X-EAP-TLS
Identity Policy Matched Rule:
Default
Selected Identity Stores:
Authorization Policy Matched Rule:
SGA Security Group:
AAA Session ID:
ISE-TDS/215430381/40
Audit Session ID:
c0a801e10000007f54ffe828
Tunnel Details:
Cisco-AVPairs:
audit-session-id=c0a801e10000007f54ffe828
Other Attributes:
ConfigVersionId=7,Device Port=32768,DestinationPort=1812,RadiusPacketType=AccessRequest,Protocol=Radius,Framed-MTU=1300,State=37CPMSessionID=c0a801e10000007f54ffe828;30SessionID=ISE-TDS/215430381/40;,Airespace-Wlan-Id=1,CPMSessionID=c0a801e10000007f54ffe828,EndPointMACAddress=00-26-82-F1-E6-32,GroupsOrAttributesProcessFailure=true,Device Type=Device Type#All Device Types,Location=Location#All Locations,Device IP Address=192.168.1.225,Called-Station-ID=e0-d1-73-28-a7-70:TDS-Corp
Posture Status:
EPS Status:
Steps
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
Evaluating Service Selection Policy
15048 Queried PIP
15048 Queried PIP
15048 Queried PIP
15048 Queried PIP
15004 Matched rule
11507 Extracted EAP-Response/Identity
12500 Prepared EAP-Request proposing EAP-TLS with challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12502 Extracted EAP-Response containing EAP-TLS challenge-response and accepting EAP-TLS as negotiated
12800 Extracted first TLS record; TLS handshake started
12805 Extracted TLS ClientHello message
12806 Prepared TLS ServerHello message
12807 Prepared TLS Certificate message
12809 Prepared TLS CertificateRequest message
12505 Prepared EAP-Request with another EAP-TLS challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12504 Extracted EAP-Response containing EAP-TLS challenge-response
12505 Prepared EAP-Request with another EAP-TLS challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12504 Extracted EAP-Response containing EAP-TLS challenge-response
12505 Prepared EAP-Request with another EAP-TLS challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12504 Extracted EAP-Response containing EAP-TLS challenge-response
12505 Prepared EAP-Request with another EAP-TLS challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12504 Extracted EAP-Response containing EAP-TLS challenge-response
12571 ISE will continue to CRL verification if it is configured for specific CA
12571 ISE will continue to CRL verification if it is configured for specific CA
12811 Extracted TLS Certificate message containing client certificate
12812 Extracted TLS ClientKeyExchange message
12813 Extracted TLS CertificateVerify message
12804 Extracted TLS Finished message
12801 Prepared TLS ChangeCipherSpec message
12802 Prepared TLS Finished message
12816 TLS handshake succeeded
12509 EAP-TLS full handshake finished successfully
12505 Prepared EAP-Request with another EAP-TLS challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12504 Extracted EAP-Response containing EAP-TLS challenge-response
Evaluating Identity Policy
15006 Matched Default Rule
24433 Looking up machine/host in Active Directory - [email protected]
24492 Machine authentication against Active Directory has failed
22059 The advanced option that is configured for process failure is used
22062 The 'Drop' advanced option is configured in case of a failed authentication request
But the user can be authenticated by EAP-TLS
AAA Protocol > RADIUS Authentication Detail
RADIUS Audit Session ID :
c0a801e10000007f54ffe828
AAA session ID :
ISE-TDS/215430381/59
Date :
March 11,2015
Generated on March 11, 2015 2:48:43 PM ICT
Actions
Troubleshoot Authentication
View Diagnostic Messages
Audit Network Device Configuration
View Network Device Configuration
View Server Configuration Changes
Authentication Summary
Logged At: March 11,2015 7:27:32.475 AM
RADIUS Status: Authentication succeeded
NAS Failure:
Username: [email protected]
MAC/IP Address: 00:26:82:F1:E6:32
Network Device: WLC : 192.168.1.225 :
Allowed Protocol: TDS-PEAP-TLS
Identity Store: AD1
Authorization Profiles: TDS-WLAN-PERMIT-ALL
SGA Security Group:
Authentication Protocol: EAP-TLS
Authentication Result
[email protected]
State=ReauthSession:c0a801e10000007f54ffe828
Class=CACS:c0a801e10000007f54ffe828:ISE-TDS/215430381/59
Termination-Action=RADIUS-Request
cisco-av-pair=ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-PERMIT_ALL_TRAFFIC-508adc03
MS-MPPE-Send-Key=5a:9a:ca:b0:0b:2a:fe:7d:fc:2f:8f:d8:96:25:50:bb:c8:7d:91:ba:4c:09:63:57:3e:6e:4e:93:5d:5c:b0:5d
MS-MPPE-Recv-Key=24:fa:8d:c3:65:94:d8:29:77:aa:71:93:05:1b:0f:a5:58:f8:a2:9c:d0:0e:80:2d:b6:12:ae:c3:8c:46:22:48
Airespace-Wlan-Id=1
Related Events
Authentication Details
Logged At: March 11,2015 7:27:32.475 AM
Occurred At: March 11,2015 7:27:32.474 AM
Server: ISE-TDS
Authentication Method: dot1x
EAP Authentication Method: EAP-TLS
EAP Tunnel Method:
Username: [email protected]
RADIUS Username: [email protected]
Calling Station ID: 00:26:82:F1:E6:32
Framed IP Address:
Use Case:
Network Device: WLC
Network Device Groups: Device Type#All Device Types,Location#All Locations
NAS IP Address: 192.168.1.225
NAS Identifier: WLC-TDS
NAS Port: 4
NAS Port ID:
NAS Port Type: Wireless - IEEE 802.11
Allowed Protocol:

Hello,
I am analyzing your question and, looking at the ISE logs, I can see that the machine credential was LENOVO-PC. Are you sure these credentials exist in your Active Directory to validate this machine? Does the machine certificate have the correct machine credentials from the domain? Does the group mapped in the ISE rule have the machine inside it?
This differs from the user authentication, which succeeds because the domain credentials can be validated by the Active Directory and get access to the network. -
We are running ISE 1.3 tied to AD with WLC 7.6.130.0. Our ISE has a GoDaddy (non-wildcard) certificate loaded for HTTPS and EAP. We are just running PEAP. We have a mix of iOS, Android, and Windows 7/8 devices. iOS and Android devices can self-create a wireless profile and, after entering credentials, can connect without issue. Our Windows 7/8 devices, when auto-creating a wireless profile, are selecting 802.1X machine authentication instead of user authentication or the best option, which is machine or user authentication. This is problematic, as we do allow machine authentication but have an authorization rule limiting machine auth to domain controller and ISE connectivity only. This is to allow domain Windows 7/8 devices to have domain connectivity prior to user sign-in but force user auth to get true network connectivity. The problem is: why are the Windows devices not auto-setting to user authentication (as I think they did when we ran ISE 1.2), or the best option, which is to allow both types of authentication? I have limited authentication protocols to just EAP CHAP and moved the machine auth profile to the bottom of the list. Neither has helped. I also notice that the Windows 7/8 endpoints have to say "allow connectivity" several times even though we are using a global, and should-be-trusted, certificate authority (probably a separate issue).
Thank you for any help or ideas.

When connecting a Windows device to the ISE-enabled SSID when there is not a saved wireless profile on that machine, it will connect and auto-create the profile. In that profile, the 802.1X computer authentication option is chosen by Windows. That has to be changed to computer or user for the machine to function correctly on the network.
On 1.2, this behavior was different. The Windows device would auto-select user authentication by default. At other customer sites, Windows devices auto-select user authentication. This of course needs to be changed to user or computer in order to support machine auth, but at least the default behavior of user authentication would allow machines to get on the network and be functional easily to begin with. -
Machine authentication in Aironet
I'm trying to authenticate laptops to Active Directory before joining the wireless AP (Aironet 1240A).
I'm using EAP on the AP
and PEAP with certificates in NPS.
I'm forcing laptops to use "computer authentication" through a GPO.
Certificates are already deployed to all machines.
The policy is configured in NPS with a "machine group" condition.
The problem I'm facing is that some laptops are authenticated successfully while the others are not.
All machines are using Windows 7 and are located in the same Active Directory OU (same GPO applied).
Here is what I saw on the AP after enabling debug radius authentication.
The working machines:
*Mar 4 20:25:34.125: RADIUS/ENCODE(00000009):Orig. component type = DOT11
*Mar 4 20:25:34.125: RADIUS: AAA Unsupported Attr: ssid [265] 9
*Mar 4 20:25:34.126: RADIUS: 63 6F 72 70 6F 72 61 [corpora]
*Mar 4 20:25:34.126: RADIUS: AAA Unsupported Attr: interface [157] 3
*Mar 4 20:25:34.126: RADIUS: 32 [2]
*Mar 4 20:25:34.126: RADIUS(00000009): Config NAS IP: X.Y.64.229
*Mar 4 20:25:34.126: RADIUS/ENCODE(00000009): acct_session_id: 8
*Mar 4 20:25:34.126: RADIUS(00000009): Config NAS IP: X.Y.64.229
*Mar 4 20:25:34.126: RADIUS(00000009): sending
*Mar 4 20:25:34.127: RADIUS(00000009): Send Access-Request to X.Y.64.30:1812 id 1645/8, len 160
*Mar 4 20:25:34.127: RADIUS: authenticator AC E6 88 FF CD B5 F3 CE - EA 56 67 37 2F 72 B5 C5
*Mar 4 20:25:34.127: RADIUS: User-Name [1] 23 "host/FADI-LT.domain.com"
*Mar 4 20:25:34.127: RADIUS: Framed-MTU [12] 6 1400
*Mar 4 20:25:34.128: RADIUS: Called-Station-Id [30] 16 "0027.0c68.1dc0"
*Mar 4 20:25:34.128: RADIUS: Calling-Station-Id [31] 16 "0811.9699.ba30"
*Mar 4 20:25:34.128: RADIUS: Service-Type [6] 6 Login [1]
*Mar 4 20:25:34.128: RADIUS: Message-Authenticato[80] 18
*Mar 4 20:25:34.128: RADIUS: 1C 45 ED 5A 5D 1E DA 88 73 E5 D3 16 9F A2 62 A9 [?E?Z]???s?????b?]
*Mar 4 20:25:34.128: RADIUS: EAP-Message [79] 28
*Mar 4 20:25:34.128: RADIUS: 02 02 00 1A 01 68 6F 73 74 2F 46 41 44 49 2D 4C [?????host/FADI-L]
*Mar 4 20:25:34.129: RADIUS: 54 2E 61 64 61 73 69 2E 61 65 [T.domain.com]
*Mar 4 20:25:34.129: RADIUS: NAS-Port-Type [61] 6 802.11 wireless [19]
*Mar 4 20:25:34.129: RADIUS: NAS-Port [5] 6 263
*Mar 4 20:25:34.129: RADIUS: NAS-Port-Id [87] 5 "263"
*Mar 4 20:25:34.129: RADIUS: NAS-IP-Address [4] 6 10.10.64.229
*Mar 4 20:25:34.129: RADIUS: Nas-Identifier [32] 4 "AP"
*Mar 4 20:25:34.166: RADIUS: Received from id 1645/8 10.10.64.30:1812, Access-Challenge, len 90
*Mar 4 20:25:34.167: RADIUS: authenticator 36 94 18 74 91 6F AA 0E - D4 D7 DC 48 A8 53 43 68
*Mar 4 20:25:34.167: RADIUS: Session-Timeout [27] 6 30
*Mar 4 20:25:34.167: RADIUS: EAP-Message [79] 8
*Mar 4 20:25:34.167: RADIUS: 01 03 00 06 0D 20 [????? ]
*Mar 4 20:25:34.167: RADIUS: State [24] 38
The non-working machines:
*Mar 4 20:26:18.949: RADIUS/ENCODE(0000000A):Orig. component type = DOT11
*Mar 4 20:26:18.949: RADIUS: AAA Unsupported Attr: ssid [265] 9
*Mar 4 20:26:18.949: RADIUS: 63 6F 72 70 6F 72 61 [corpora]
*Mar 4 20:26:18.949: RADIUS: AAA Unsupported Attr: interface [157] 3
*Mar 4 20:26:18.949: RADIUS: 32 [2]
*Mar 4 20:26:18.949: RADIUS(0000000A): Config NAS IP: X.Y.64.229
*Mar 4 20:26:18.950: RADIUS/ENCODE(0000000A): acct_session_id: 9
*Mar 4 20:26:18.950: RADIUS(0000000A): Config NAS IP: X.Y.64.229
*Mar 4 20:26:18.950: RADIUS(0000000A): sending
*Mar 4 20:26:18.950: RADIUS(0000000A): Send Access-Request to X.Y.64.30:1812 id 1645/11, len 150
*Mar 4 20:26:18.951: RADIUS: authenticator 17 64 A0 78 8E 49 12 7C - 79 8A 55 17 79 1F D5 A1
*Mar 4 20:26:18.951: RADIUS: User-Name [1] 18 "domain\username"
*Mar 4 20:26:18.951: RADIUS: Framed-MTU [12] 6 1400
*Mar 4 20:26:18.951: RADIUS: Called-Station-Id [30] 16 "0027.0c68.1dc0"
*Mar 4 20:26:18.951: RADIUS: Calling-Station-Id [31] 16 "0022.faf1.9258"
*Mar 4 20:26:18.951: RADIUS: Service-Type [6] 6 Login [1]
*Mar 4 20:26:18.951: RADIUS: Message-Authenticato[80] 18
*Mar 4 20:26:18.951: RADIUS: 06 FC 55 89 6D 45 AA E5 8A 73 73 2C 82 87 28 BA [??U?mE???ss,??(?]
*Mar 4 20:26:18.952: RADIUS: EAP-Message [79] 23
*Mar 4 20:26:18.952: RADIUS: 02 02 00 15 01 41 44 41 53 49 5C 66 61 64 69 2E [?????domain\user]
*Mar 4 20:26:18.952: RADIUS: 61 64 6D 69 6E [name]
*Mar 4 20:26:18.952: RADIUS: NAS-Port-Type [61] 6 802.11 wireless [19]
*Mar 4 20:26:18.952: RADIUS: NAS-Port [5] 6 264
*Mar 4 20:26:18.952: RADIUS: NAS-Port-Id [87] 5 "264"
*Mar 4 20:26:18.952: RADIUS: NAS-IP-Address [4] 6 X.Y.64.229
*Mar 4 20:26:18.953: RADIUS: Nas-Identifier [32] 4 "AP"
*Mar 4 20:26:18.980: RADIUS: Received from id 1645/11 X.Y.64.30:1812, Access-Challenge, len 90
*Mar 4 20:26:18.980: RADIUS: authenticator 54 84 DD 91 72 03 E9 08 - EA 61 C0 B3 B5 D6 9A 42
*Mar 4 20:26:18.981: RADIUS: Session-Timeout [27] 6 30
*Mar 4 20:26:18.981: RADIUS: EAP-Message [79] 8
*Mar 4 20:26:18.981: RADIUS: 01 03 00 06 0D 20 [????? ]
*Mar 4 20:26:18.981: RADIUS: State [24] 38
*Mar 4 20:26:18.981: RADIUS: 15 D3 02 D9 00 00 01 37 00 01 02 00 0A 0A 40 1E [???????7??????@?]
*Mar 4 20:26:18.982: RADIUS: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 [????????????????]
*Mar 4 20:26:18.982: RADIUS: 55 9E B9 77 [U??w]
*Mar 4 20:26:18.982: RADIUS: Message-Authenticato[80] 18
*Mar 4 20:26:18.982: RADIUS: 1A EC 06 E6 E0 46 C4 06 15 87 E9 26 30 49 63 47 [?????F?????&0IcG]
*Mar 4 20:26:18.983: RADIUS(0000000A): Received from id 1645/11
*Mar 4 20:26:18.983: RADIUS/DECODE: EAP-Message fragments, 6, total 6 bytes
*Mar 4 20:26:18.986: RADIUS/ENCODE(0000000A):Orig. component type = DOT11
*Mar 4 20:26:18.986: RADIUS: AAA Unsupported Attr: ssid [265] 9
*Mar 4 20:26:18.986: RADIUS: 63 6F 72 70 6F 72 61 [corpora]
*Mar 4 20:26:18.987: RADIUS: AAA Unsupported Attr: interface [157] 3
*Mar 4 20:26:18.987: RADIUS: 32 [2]
*Mar 4 20:26:18.987: RADIUS(0000000A): Config NAS IP: X.Y..64.229
*Mar 4 20:26:18.987: RADIUS/ENCODE(0000000A): acct_session_id: 9
*Mar 4 20:26:18.987: RADIUS(0000000A): Config NAS IP: X.Y..64.229
*Mar 4 20:26:18.987: RADIUS(0000000A): sending
*Mar 4 20:26:18.988: RADIUS(0000000A): Send Access-Request to 10.10.64.30:1812 id 1645/12, len 173
*Mar 4 20:26:18.988: RADIUS: authenticator 37 26 0B EC 12 5D 6A E5 - 22 1A 27 4A B0 5B E2 AA
*Mar 4 20:26:18.988: RADIUS: User-Name [1] 18 "domain\username"
*Mar 4 20:26:18.988: RADIUS: Framed-MTU [12] 6 1400
*Mar 4 20:26:18.988: RADIUS: Called-Station-Id [30] 16 "0027.0c68.1dc0"
*Mar 4 20:26:18.988: RADIUS: Calling-Station-Id [31] 16 "0022.faf1.9258"
*Mar 4 20:26:18.988: RADIUS: Service-Type [6] 6 Login [1]
*Mar 4 20:26:18.988: RADIUS: Message-Authenticato[80] 18
*Mar 4 20:26:18.989: RADIUS: 3D 11 05 D8 6E DF 92 2B 51 EC BA BA FB C4 10 5F [=???n??+Q??????_]
*Mar 4 20:26:18.989: RADIUS: EAP-Message [79] 8
*Mar 4 20:26:18.989: RADIUS: 02 03 00 06 03 19 [??????]
*Mar 4 20:26:18.989: RADIUS: NAS-Port-Type [61] 6 802.11 wireless [19]
*Mar 4 20:26:18.989: RADIUS: NAS-Port [5] 6 264
*Mar 4 20:26:18.989: RADIUS: NAS-Port-Id [87] 5 "264"
*Mar 4 20:26:18.989: RADIUS: State [24] 38
*Mar 4 20:26:18.990: RADIUS: 15 D3 02 D9 00 00 01 37 00 01 02 00 0A 0A 40 1E [???????7??????@?]
*Mar 4 20:26:18.990: RADIUS: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 [????????????????]
*Mar 4 20:26:18.990: RADIUS: 55 9E B9 77 [U??w]
*Mar 4 20:26:18.990: RADIUS: NAS-IP-Address [4] 6 X.Y.64.229
*Mar 4 20:26:18.990: RADIUS: Nas-Identifier [32] 4 "AP"
*Mar 4 20:26:18.992: RADIUS: Received from id 1645/12 10.10.64.30:1812, Access-Reject, len 44
*Mar 4 20:26:18.992: RADIUS: authenticator 76 30 DF F4 7A 36 AC E7 - 20 AA 83 C1 05 8B 62 EC
*Mar 4 20:26:18.992: RADIUS: EAP-Message [79] 6
*Mar 4 20:26:18.993: RADIUS: 04 03 00 04 [????]
*Mar 4 20:26:18.993: RADIUS: Message-Authenticato[80] 18
*Mar 4 20:26:18.993: RADIUS: FD 21 74 AF A8 7F A1 A5 9E CE 3A 35 45 DA EA C9 [?!t???????:5E???]
*Mar 4 20:26:18.993: RADIUS(0000000A): Received from id 1645/12
*Mar 4 20:26:18.994: RADIUS/DECODE: EAP-Message fragments, 4, total 4 bytes
*Mar 4 20:26:18.994: %DOT11-7-AUTH_FAILED: Station 0022.faf1.9258 Authentication failed
Obviously the machine that sends the machine name (host\machinename) will be authenticated successfully,
and machines that send a username (domain\username) will not be authenticated successfully.
Now,
I tested those unsuccessful machines on a wired dot1x switch using the same NPS policy, and they were sending their machine names instead of usernames and were authenticated successfully.
I suspected that this is maybe because of the AP config.
Here it is:
Current configuration : 2662 bytes
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname AP
enable secret 5 $1$gtul$Uhe4qVAC8GN0drownggAb0
aaa new-model
aaa group server radius rad_eap
server X.Y.64.30 auth-port 1812 acct-port 1813
aaa group server radius rad_mac
aaa group server radius rad_acct
aaa group server radius rad_admin
aaa group server tacacs+ tac_admin
aaa group server radius rad_pmip
aaa group server radius dummy
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common
ip domain name domain
dot11 ssid corporate
vlan 64
authentication open eap eap_methods
authentication network-eap eap_methods
authentication key-management wpa version 2
mbssid guest-mode
dot11 network-map
power inline negotiation prestandard source
username Cisco password 7 13261E010803
bridge irb
interface Dot11Radio0
no ip address
no ip route-cache
encryption mode ciphers aes-ccm
encryption vlan 64 mode ciphers aes-ccm
ssid corporate
mbssid
station-role root
interface Dot11Radio0.64
encapsulation dot1Q 64 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
interface Dot11Radio1
no ip address
no ip route-cache
shutdown
no dfs band block
channel dfs
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
interface FastEthernet0.64
encapsulation dot1Q 64 native
no ip route-cache
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
interface BVI1
ip address X.Y.64.229 255.255.255.0
no ip route-cache
ip default-gateway X.Y.64.1
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
snmp-server community cable RO
snmp-server enable traps tty
radius-server attribute 32 include-in-access-req format %h
radius-server host X.Y.64.30 auth-port 1812 acct-port 1813 key 7 104F0D18161E2D1E0D071538212B213036
radius-server vsa send accounting
bridge 1 route ip
line con 0
line vty 5 15
end

Hi,
You will need to be more specific so we can help you.
What exactly is happening/not working?
Please keep in mind that with MAR, the PC needs to do machine authentication prior to user login, as the ACS will only allow users to login from previously authenticated machines.
Is your PC doing machine authentication?
HTH,
Tiag
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it. -
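For the Aironet thread above, an added example (not from the original posts) that parses the AP's debug radius authentication output: it matches each Access-Request to the reply carrying the same RADIUS id, groups the exchange per Calling-Station-Id, and flags rejected stations that offered a domain\username instead of a host/ identity. The sample lines are a constructed excerpt in the shape of the capture posted above, and the reasoning in diagnose() is the thread's conclusion, not NPS's own logic.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample in the shape of the Aironet "debug radius authentication"
# output posted above, trimmed to the lines this parser reads (not a real capture).
SAMPLE_DEBUG = r"""*Mar 4 20:25:34.127: RADIUS(00000009): Send Access-Request to X.Y.64.30:1812 id 1645/8, len 160
*Mar 4 20:25:34.127: RADIUS: User-Name [1] 23 "host/FADI-LT.domain.com"
*Mar 4 20:25:34.128: RADIUS: Calling-Station-Id [31] 16 "0811.9699.ba30"
*Mar 4 20:25:34.166: RADIUS: Received from id 1645/8 10.10.64.30:1812, Access-Challenge, len 90
*Mar 4 20:26:18.950: RADIUS(0000000A): Send Access-Request to X.Y.64.30:1812 id 1645/11, len 150
*Mar 4 20:26:18.951: RADIUS: User-Name [1] 18 "domain\username"
*Mar 4 20:26:18.951: RADIUS: Calling-Station-Id [31] 16 "0022.faf1.9258"
*Mar 4 20:26:18.980: RADIUS: Received from id 1645/11 X.Y.64.30:1812, Access-Challenge, len 90
*Mar 4 20:26:18.988: RADIUS(0000000A): Send Access-Request to 10.10.64.30:1812 id 1645/12, len 173
*Mar 4 20:26:18.988: RADIUS: User-Name [1] 18 "domain\username"
*Mar 4 20:26:18.988: RADIUS: Calling-Station-Id [31] 16 "0022.faf1.9258"
*Mar 4 20:26:18.992: RADIUS: Received from id 1645/12 10.10.64.30:1812, Access-Reject, len 44
"""

SEND_RE = re.compile(r"RADIUS\(\w+\): Send Access-Request to \S+ id (\S+),")
RECV_RE = re.compile(r"RADIUS: Received from id (\S+) \S+, (Access-\w+),")
USER_RE = re.compile(r'RADIUS: User-Name \[1\] \d+ "([^"]+)"')
MAC_RE = re.compile(r'RADIUS: Calling-Station-Id \[31\] \d+ "([^"]+)"')

def identity_kind(identity: Optional[str]) -> str:
    """Tell a Windows computer-account identity (host/NAME) from a user identity."""
    if identity is None:
        return "unknown"
    if identity.lower().startswith("host/"):
        return "machine"
    if "\\" in identity or "@" in identity:   # domain\user or user@domain
        return "user"
    return "unknown"

def parse_requests(debug_text: str) -> List[dict]:
    """One dict per Access-Request, with the reply matched by RADIUS id."""
    requests, by_id, current = [], {}, None
    for line in debug_text.splitlines():
        m = SEND_RE.search(line)
        if m:
            current = {"rid": m.group(1), "identity": None, "mac": None, "outcome": None}
            requests.append(current)
            by_id[current["rid"]] = current
            continue
        m = RECV_RE.search(line)
        if m:
            if m.group(1) in by_id:
                by_id[m.group(1)]["outcome"] = m.group(2)
            current = None      # attributes after this line belong to the reply
            continue
        if current is not None:
            m = USER_RE.search(line)
            if m:
                current["identity"] = m.group(1)
            m = MAC_RE.search(line)
            if m:
                current["mac"] = m.group(1)
    return requests

@dataclass
class Station:
    mac: str
    identities: List[str] = field(default_factory=list)
    outcomes: List[str] = field(default_factory=list)

    @property
    def kind(self) -> str:
        return identity_kind(self.identities[-1] if self.identities else None)

    @property
    def final(self) -> Optional[str]:
        return self.outcomes[-1] if self.outcomes else None

def summarize(debug_text: str) -> Dict[str, Station]:
    """Group the exchange per client MAC so each station's whole conversation is visible."""
    stations: Dict[str, Station] = {}
    for req in parse_requests(debug_text):
        if req["mac"] is None:
            continue
        st = stations.setdefault(req["mac"], Station(mac=req["mac"]))
        if req["identity"] is not None:
            st.identities.append(req["identity"])
        if req["outcome"] is not None:
            st.outcomes.append(req["outcome"])
    return stations

def diagnose(stations: Dict[str, Station]) -> Dict[str, str]:
    """For each rejected station, say which kind of identity the supplicant offered:
    a machine-group policy can never match a user name, so look at the supplicant."""
    findings: Dict[str, str] = {}
    for mac, st in stations.items():
        if st.final != "Access-Reject":
            continue
        ident = st.identities[-1] if st.identities else "(none)"
        if st.kind == "user":
            findings[mac] = ("user identity %s offered; a machine-group policy cannot "
                             "match it - check the supplicant's authentication mode" % ident)
        else:
            findings[mac] = ("identity %s rejected - check the computer account, "
                             "certificate and policy conditions" % ident)
    return findings
```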
Machine authentication using certificates
Hi,
I am facing this error while the machine authenticates against AD for wireless users. My requirement is that users with a corporate laptop get the privileged VLAN and BYOD should get the normal VLAN. I am using Cisco ISE 1.1.1 and have configured authentication policies to differentiate clients based on corp asset and BYOD. The authentication policy result is an identity sequence which uses a certificate profile and AD. All corp laptops should be authenticated using certificates and then followed by AD user and pass. When I configure XP users to validate the server certificate, this error comes in the ISE log: "Authentication failed : 11514 Unexpectedly received empty TLS message; treating as a rejection by the client", and if I disable validate server certificate then this error: "Authentication failed : 22049 Binary comparison of certificates failed".
Any help??
Thanks in advance.

Hi [answers are inline]
I have tried using Cisco AnyConnect NAM on Windows XP for machine and user authentication but the EAP-chaining feature is not working as expected. I am facing a few challenges. I have configured NAM to use EAP-FAST for machine and user authentication and ISE is configured with the required authorisation rule and profiles/results. When the machine boots up it sends the machine certificate and gets authenticated against AD, and ISE matches the authorisation rule and assigns the authZ profile without waiting for user credentials.
This is expected for machine authentication; since the client hasn't logged in, machine authentication will succeed so the computer has connectivity to the domain.
Now when a user logs on using AD user/pass, authentication fails as the VLAN assigned in the AuthZ profile does not have access to AD. ISE should actually check with their external database but it's not.
Do you see the authentication report in ISE? Keep in mind that you are authenticating with a client that has never logged into the workstation before. I am sure you are looking for the feature which starts the NAM process before the user logs in. Try checking this option here:
http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect31/administration/guide/ac04namconfig.html#wp1074333
Note the section below:
–Before User Logon—Connect to the network before the user logs on. The user logon types that are supported include user account (Kerberos) authentication, loading of user GPOs, and GPO-based logon script execution.
If you choose Before User Logon, you also get to set Time to Wait Before Allowing a User to Logon:
Time to Wait Before Allowing User to Logon—Specifies the maximum (worst case) number of seconds to wait for the Network Access Manager to make a complete network connection. If a network connection cannot be established within this time, the Windows logon process continues with user log on. The default is 5 seconds.
Note If the Network Access Manager is configured to manage wireless connections, set Time to wait before allowing user to logon to 30 seconds or more because of the additional time it may take to establish a wireless connection. You must also account for the time required to obtain an IP address via DHCP. If two or more network profiles are configured, you may want to increase the value to cover two or more connection attempts.
You will have to enable this setting to allow the supplicant to connect to the network using the credentials you provide, the reason for this is you are trying to authenticate a user that has never logged into this workstation before. Please make changes to the configuration.xml file, and then select the repair option on the anyconnect client and test again.
Interestingly, if I login with an AD user which is local to the machine its gets authenticated and gets correct AuthZ profile/access level. If I logoff and login with different user, Windows adapter gets IP address and ISE shows successful authentication /authz profile but NAM agent prompts limited connectivity. Any help??
Please make the changes above and see if the error message goes away.
Thanks,
Tarik Admani
*Please rate helpful posts* -
Currently my clients (XP/SP2/latest MS hotfix) are logging onto the wireless network using WPA/TKIP/PEAP. They are configured for both machine authentication (needed to download correct profile from server) and user authentication. I notice that for each logon there are multiple machine authentications showing up in the ACS (anywhere from 3 - 15) This varies and is random. Anyone know why I am seeing this many machine authentications and if there is something I can do to eliminate them? My clients are not consistently logging onto the network and I am thinking this may have something to do with it. I do not see any errors on AP or ACS when clients fail.
So you only ever see one machine authentication.
Do you use the windows wireless client software for client configuration? I do.
WPA
TKIP
PEAP
Check authenticate as computer when info is available
Have acs server and certificate authority entered
Enable fast reconnect (client and server)
Automatically use windows login information.
I have the autologon setup so once the client boots up the information is passed to the wireless client to the radius server.
How is the SSID configured on the AP?
I have the TKIP cipher selected for encryption
I have OPEN with EAP, NETWORK EAP selected
I select KEY Exchange mandatory, CCKM and WPA.
Any information on your particular setup would be appreciated. -
Machine authentication on WPA2 PEAP-MSCHAPv2 wireless network
Is there any way to set up machine authentication on Leopard or Snow Leopard, associating the device to a WPA2 Enterprise wireless network using PEAP with MSCHAPv2?
In Snow Leopard open Network preferences and select the Airport port then click on the Advanced button. Click on the 802.1X tab where you should find what you want.
-
Machine authentication is a little slow causing logon script to fail
using:
- Windows Zero with PEAP
- Machine authentication only (AuthMode is set to 2 in the registry)
- PCs are logging in automatically, so it's a fast process
It appears that machine authentication is a little slow. I can ping the PC's IP after the auto login happens. This causes the logon script to fail.
If I hold Shift to cancel auto-login and wait for 10-20 seconds, the ping of the PC starts, and then if I log in the logon script works.
Does anyone know a solution to this issue? Maybe a way to introduce a delay for the login window (msgina.dll) to appear, so that machine authentication has time to connect?

It's a common issue when authentication takes time.
You can simply delay the logon scripts.
This is an example of waiting for network to be up by pinging 10.10.10.10
Only when network is up, then it will execute the script
@echo off
:CHECK
echo Please wait....
rem One 1-byte ping; errorlevel 1 means no reply yet, so loop until the network is up
ping -n 1 -l 1 10.10.10.10
if errorlevel 1 goto CHECK
@echo on
rem Now the actual logon script:
net use L: \\fileserver\share
Note: Modify the script in accordance with the network topology.
Nicolas
===
Don't forget to rate answers that you find useful -
CSSC with machine authentication in Ms AD
I need to set the CSSC to be able to run a machine authentication. My need is to be able to run logon scripts to AD.
In Network Connection Type I select the machine and user connection option, machine and user auth method EAP-PEAP and machine identity default, machine credential "use machine credential".
Event on IAS is:
Event Type: Warning
Event Source: IAS
Event Category: None
Event ID: 2
Date: 3/19/2008
Time: 11:49:37 AM
User: N / A
Computers: xxxx
Description:
User host / anonymous was denied access.
Fully-Qualified-User-Name = MYDOMAIN \ host / anonymous
NAS-IP-Address = x.x.x.x
NAS-Identifier = WLC_AP
Called-Station-Identifier =
Calling-Station-Identifier =
Client-Friendly-Name = wlc_ap
Client-IP-Address = x.x.x.x
NAS-Port-Type = 19
NAS-Port = 1
Policy-Name = <undetermined>
Authentication-Type = EAP
EAP-Type = <undetermined>
Reason-Code = 8
Reason = The specified user does not exist.
The CSSC puts MYDOMAIN (correct) and \host / anonymous (not correct). WHY?
How can I configure the CSSC part of the machine and user credentials?
Thanks.
Mirko Severi

Hi,
You will need to be more specific so we can help you.
What exactly is happening/not working?
Please keep in mind that with MAR, the PC needs to do machine authentication prior to user login, as the ACS will only allow users to login from previously authenticated machines.
Is your PC doing machine authentication?
HTH,
Tiag
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it. -
Only machine authentication in ISE
Hello,
I would like to know if it is possible to have only machine authentication (no user auth at all) in an ISE infrastructure. If yes, then what credential needs to be provided at the time of 802.1X auth login, or is there no need to provide any credential and the workstation automatically passes the authentication process?
Thanks in advance

Hi,
Yes, but you will need to use your normal login credentials and set every supplicant to do computer authentication only. Keep in mind most Windows supplicants only do machine authentication at certain times.
Keep in mind you can do machine and user auth and build policies such that only users on authenticated machines are granted access.
Sent from Cisco Technical Support iPad App -
Machine authentication not working with peap mschapv2
I have installed the ACS ver 4.1.1 trial downloaded from the Cisco web site. I have configured 802.1x machine authentication using a self-generated certificate with the unknown user policy configured for Windows database authentication. I can authenticate users via PEAP authentication, but I can never get the machine authentication working. In failed attempted.psv, I found "EAP-TLS or PEAP authentication failed during SSL handshake". In the auth.log I found the message below:
TH 03/02/2008 07:01:13 I 0143 6184 [PDE]: PolicyMgr::CreateContext: new context id=3
AUTH 03/02/2008 07:01:13 I 0143 6184 [PDE]: PdeAttributeSet::addAttribute: User-Name=host/paul2.test.com
AUTH 03/02/2008 07:01:13 I 0143 6184 [PDE]: PdeAttributeSet::addAttribute: Service-Type=2
AUTH 03/02/2008 07:01:13 I 0143 6184 [PDE]: PdeAttributeSet::addAttribute: Framed-MTU=1500
AUTH 03/02/2008 07:01:13 I 0143 6184 [PDE]: PdeAttributeSet::addAttribute: Called-Station-Id=00-11-93-69-C5-9A
AUTH 03/02/2008 07:01:13 I 0143 6184 [PDE]: PdeAttributeSet::addAttribute: Calling-Station-Id=00-0E-7B-30-FA-08
AUTH 03/02/2008 07:01:13 I 0143 6184 [PDE]: PdeAttributeSet::addAttribute: EAP-Message=(binary value)
AUTH 03/02/2008 07:01:13 I 0143 6184 [PDE]: PdeAttributeSet::addAttribute: Message-Authenticator=(binary value)
AUTH 03/02/2008 07:01:13 I 0143 6184 [PDE]: PdeAttributeSet::addAttribute: NAS-Port-Type=15
AUTH 03/02/2008 07:01:13 I 0143 6184 [PDE]: PdeAttributeSet::addAttribute: NAS-Port=50024
AUTH 03/02/2008 07:01:13 I 0143 6184 [PDE]: PdeAttributeSet::addAttribute: NAS-IP-Address=10.20.209.2
AUTH 03/02/2008 07:01:13 I 0143 6184 [PDE]: PdeAttributeSet::addAttribute: PDE-NAS-Vendor-14=1
AUTH 03/02/2008 07:01:13 I 0143 6184 [PDE]: PdeAttributeSet::addAttribute: PDE-Service-ID-0=0
AUTH 03/02/2008 07:01:13 I 0143 6184 [PDE]: PolicyMgr::SelectService: context id=3; no profile was matched - using default (0)
AUTH 03/02/2008 07:01:13 I 5081 6184 Done RQ1152, client 2, status 0
AUTH 03/02/2008 07:01:13 I 5094 6448 Worker 1 processing message 7.
AUTH 03/02/2008 07:01:13 I 5081 6448 Start RQ1026, client 50 (127.0.0.1)
AUTH 03/02/2008 07:01:13 I 0143 6448 [PDE]: PolicyMgr::Process: request type=5; context id=3; applied default profiles (0) - do nothing
AUTH 03/02/2008 07:01:13 I 5394 6448 Attempting authentication for Unknown User 'host/paul2.test.com'
AUTH 03/02/2008 07:01:13 I 1645 6448 pvAuthenticateUser: authenticate 'host/paul2.test.com' against CSDB
AUTH 03/02/2008 07:01:13 I 5081 6448 Done RQ1026, client 50, status -2046
AUTH 03/02/2008 07:01:13 I 5094 6448 Worker 1 processing message 8.
AUTH 03/02/2008 07:01:13 I 5081 6448 Start RQ1027, client 50 (127.0.0.1)
AUTH 03/02/2008 07:01:13 I 0928 6448 AuthenProcessResponse: process response for 'host/paul2.test.com'
AUTH 03/02/2008 07:01:13 I 5081 6448 Done RQ1027, client 50, status -2046
AUTH 03/02/2008 07:01:13 I 5094 6448 Worker 1 processing message 9.
AUTH 03/02/2008 07:01:13 I 5081 6448 Start RQ1027, client 50 (127.0.0.1)
AUTH 03/02/2008 07:01:13 I 0928 6448 AuthenProcessResponse: process response for 'host/paul2.test.com'
AUTH 03/02/2008 07:01:13 E 0381 6448 EAP: PEAP: ProcessResponse: invalid TLS data size received: 0
AUTH 03/02/2008 07:01:13 I 0381 6448 EAP: PEAP: Second phase: 0 authentication FAILED
AUTH 03/02/2008 07:01:13 I 5081 6448 Done RQ1027, client 50, status -2120
AUTH 03/02/2008 07:01:13 I 5094 6184 Worker 0 processing message 36.
If anyone can shed some light on this.
Cheers,
Andy -
Machine authentication with Windows 7
Version: ISE 1.2p12
Hello,
I'm doing user and machine authentication with ISE.
I use a first authorization rule to authenticate the machine against the AD, if it's part of the computers of the domain.
Then I use an authorization rule to check the user's group in AD with the credentials he used to open the session + "Network Access:WasMachineAuthenticated = True".
Things seem to be working and I see my switch port is "Authz Success", but shortly after, the Windows 7 machine behaves as if 802.1X authentication fails. The little computer icon on the bottom right has a cross on it.
If I disable and enable the network card of that Windows machine again, it works.
Does any one of you have an idea about this problem? Something to tweak on Windows 7 like timers...
Thank you

Hi Mika. My comments below:
a) You told me that MAR ("Network Access:WasMachineAuthenticated = True") has some drawbacks. When hibernation is used it can cause problems since the MAC address could have been removed from the cache when the user un-hibernates their computer. Then why not increase the MAR cache to a value of 7 days? Regarding the roaming between wired and wireless, it's a problem indeed.
NS: I don't believe that the MAR cache would be affected by a machine hibernating or going to sleep. There are some dot1x-related bug fixes that Massimo outlined in his first post that you should look into. But yes, you can increase the MAR timer to a value that fits your environment.
b) You suggest using one authorization rule for the device, which should be part of the AD, and one authorization rule for the user with the extra result "IdentityAccessRestricted = False". By the way, are we really talking about authorization rules here? I will try this but it's difficult for me to imagine how it would really work.
NS: Perhaps there is some confusion here but let me try to explain this again. The "IdentityAccessRestricted" is a check that can be done against a machine or a user account in AD. It is an optional attribute and you don't have to have it. I use it so I can prevent terminated users from gaining access to the network by simply disabling their AD account. Again, that account can be either for a "user" or for a "machine"
z) One question I was asking myself for a long time. All of us want to do machine+user authentication but Windows write Machine OR User Authentication. This "OR" is very confusing.
NS: At the moment, the only way you can accomplish a true machine+user authentication is to use the Cisco AnyConnect supplicant. The process is also known as "EAP-Chaining" and/or "EAP-TEAP." In fact there is an official RFC (RFC 7170 - See link below). Now the question is when and if Microsoft, Apple, Linux, etc will start supporting it:
https://tools.ietf.org/html/rfc7170
Thank you for rating helpful posts! -
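An added example, not from the thread or from ISE, that models the machine-then-user authorization discussed above: a MAR cache keyed by endpoint MAC with an aging time, the WasMachineAuthenticated check on the user rule, and IdentityAccessRestricted for disabled accounts. The MAC addresses, account names and aging values are constructed, and the cache semantics are an assumption for illustration, not ISE's implementation.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, Set


@dataclass
class MarCache:
    """Simplified MAR cache: endpoint MAC -> time of the last successful machine auth.
    Assumed behaviour for illustration (keyed by MAC, aged out after `aging`)."""
    aging: timedelta
    entries: Dict[str, datetime] = field(default_factory=dict)

    def record_machine_auth(self, mac: str, when: datetime) -> None:
        self.entries[mac] = when

    def was_machine_authenticated(self, mac: str, now: datetime) -> bool:
        seen = self.entries.get(mac)
        return seen is not None and now - seen <= self.aging


def authorize(cache: MarCache, identity: str, mac: str, now: datetime,
              disabled_accounts: Set[str]) -> str:
    """Two authorization rules in the style discussed in the thread:
    rule 1: host/ identity (computer account) -> limited machine access, cache updated
    rule 2: user identity with WasMachineAuthenticated = True -> full access
    A disabled AD account (IdentityAccessRestricted = True) is denied by either rule."""
    if identity in disabled_accounts:
        return "deny (IdentityAccessRestricted)"
    if identity.lower().startswith("host/"):
        cache.record_machine_auth(mac, now)
        return "machine-access"
    if cache.was_machine_authenticated(mac, now):
        return "full-access"
    return "deny (WasMachineAuthenticated = False)"


def scenario(aging_hours: int) -> Dict[str, str]:
    """Replay the situations raised above under one MAR aging time: normal logon,
    a move from wired to wireless (a different MAC), a long hibernation, and a
    disabled account. All MACs and account names are constructed."""
    cache = MarCache(aging=timedelta(hours=aging_hours))
    t0 = datetime(2015, 3, 11, 7, 0)
    wired, wifi = "0011.2233.4455", "6677.8899.aabb"
    nobody: Set[str] = set()
    return {
        "machine": authorize(cache, "host/PC1.corp.example", wired, t0, nobody),
        "user_logon": authorize(cache, "CORP\\alice", wired, t0 + timedelta(minutes=1), nobody),
        "roam_to_wifi": authorize(cache, "CORP\\alice", wifi, t0 + timedelta(minutes=5), nobody),
        "after_hibernate": authorize(cache, "CORP\\alice", wired, t0 + timedelta(hours=30), nobody),
        "disabled": authorize(cache, "CORP\\leaver", wired, t0 + timedelta(minutes=2), {"CORP\\leaver"}),
    }
```

With a 24-hour aging the wired-to-wireless move and the 30-hour hibernation both lose WasMachineAuthenticated; raising the aging to 7 days fixes only the hibernation case, since the wireless MAC was never machine-authenticated.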
Machine authentication over Client IPSEC tunnel
I am in the process of converting our existing remote access from Microsoft Threat Management Gateway to Cisco ASA. Our security folks just made me aware that in addition to the RADIUS authentication against AD credentials, they also want me to do machine authentication to make sure that the machine name of the system trying to get remote access has a machine account in AD.
I have been looking for a way to do this with the IPSEC client but haven't found anything as yet. Would appreciate any links that show me how to get this done. Moving to AnyConnect isn't an option at this point due to budgetary issues. I am using the latest Cisco VPN client in the 5.x train and have 8.2.5 code running on my 5520.
What I may be looking at might be NAC (Network Admission Control ?). Looking for all suggestions at this point.
Thanks,
Ron

I've used enrolled user X.509 USER certificates with Cisco VPN Client 4.x / 5.x into an ASA. They were issued by a partner's root CA and the connection was allowed on the basis of that root CA being trusted by the remote ASA.
But yes, what you are asking about is more of a NAC, or the successor Identity Services Engine (ISE) product type of feature. In the case of ISE, it can do what you ask but requires a good bit of investment to get that and many many other features.
I strongly suspect that some additional investment will be necessary to get what your security team is requesting. At the very least AnyConnect Premium licenses and use of the Network Access Manager (NAM) feature. See this reference.