NW6SP4e killed RADIUS

Similar Messages

• Radius Authentication - Reauthentication via Accounting logs

  Hi,  we'r working on a scenario like this;
  Client logs in to an WLAN via dot1x authentication, though we want to be able to disable re-authentication of the client on the radius when the session-timeout is reached. We also need the accounting logs to make sure that we can also kill the session if a certain traffic limit is reached. (WiSM-1 , 7.0.116 code)
  The thing is that, whenever the session timeout occurs(that we set manually on the wlan), the client re-authanticates automatically and we can see access-requests and stuff though in terms of status we only see an "interim-update" accounting package in the radius thus unable to take action.  The controller also uses PMK lifetime instead of the session-timeout we set which, I suppose, is derived fromt he session-timeout and some other timers as well. How do we get an accouting log when the session-timeout is reached thus the client needs to reauthenticate? (or how do we differentiate it actually, since we already see a log but its just an interim-update log)
  WLC fires this when the PMK timeout is triggered.
  15:23:35.224: ec:35:86:95:14:5e Initiating 802.1x due to PMK Timeout Event for STA.....15:23:35.562: ec:35:86:95:14:5e Setting re-auth timeout to 300 seconds, got from WLAN config.15:23:35.562: ec:35:86:95:14:5e Station ec:35:86:95:71:5e setting dot1x reauth timeout = 300...15:23:35.563: ec:35:86:95:14:5e Disabling re-auth since PMK lifetime can take care of same.
  after the negotiation part(which is also not enough to make differentiation); radius gets this.
  15:23:35.588: P6231982: Trace of Accounting-Request packet...15:23:35.592: P6231982:    Acct-Status-Type = Interim-Update
  Is there a way to enforce a session-timeout and make sure that the client will not re-auth automatically after this timeout and get and appropriate radius log?. PS: PMK cannot be disabled before 7.2 and WiSM-1 doesn't support that.
  Thanks a lot for your responses in advance
  Regards,
  A.

  Hey Scott, thanks for the tip.
  The thing is, after an idle-timeout expires, I can see a stop accouting log at the radius side.
  But after a session-timeout expires, I can only see an (re)authentication (without any start of course) and an interim-update log which gives no clue if this is a normal interim update or its sent because of the session-timeout. How am I to find which interim-update means a re-auth because of a session-timeout? or is it possible to make it send another accounting log to help me mark the session end?
  Regards,
  A.

• Manually start RADIUS, Authentication and groups for Cisco ASAs

  I am testing moving a 10.7 server to 10.8.
  We have used RADIUS to authenticate VPN traffic on our Cisco ASAs in the past.  In the past Server Admin allowed for our ASAs to be added manually to the list of devices using the service.  With Server Admin being removed and the limited funtionality of automated addition of Airports to the system I have no GUI method to get our ASAs into the service.  The ability to tell RADIUS which groups are using the service is no longer available in the GUI as well.
  I have found the clients file in /etc/raddb and added our ASAs to the clients list.  I believe I have done this correctly in accordance with the instructions on the freeRADIUS website.
  I need help with:
  1- I was hoping someone knows how to manually tell RADIUS which groups are permitted to use the service.
  2- Can anyone tell me how to turn on RADIUS?  radiusconfig -start appears to only tell the system to keep it on after a restart if i understand the manual page.
  Thanks

  With David's suggestion I was able to get RADIUS running.  The following assumes that you are comfortable with Terminal and would be able to back up any files you edit.  Here is what I did to our fresh installation of 10.8 Server:
  In Terminal enter "sudo radiusd -Xx" which tries to turn RADIUS on and runs it with full logging of activity in the window.  The last line after this entry should be something similar to "Ready to process records."  In our new installtion there were errors relating to "instantiating" sql and the ready message never came.
  In Terminal enter "sudo pico /etc/raddb/radiusd.conf" and authenticate as needed.  Scroll down in the file to the section where there are "instantiate" items.  I commented out the SQL setup, by putting a # before the line that says "sql".  Save the file by pressing Control-O, press return to save in the default location, and press Control-X to get out of the editor.  I redid step number 1 twice and eventually RADIUS was running.  Removing SQL from RADIUS will assure that problems will arise if you plan to use Server.app to add AirPorts to the network in the future.  OS X Server adds its clients in an SQL database according to the programming notes in the .conf files.  I will only be using our Cisco ASAs so SQL is not relevant to our setup.
  Testing the running RADIUS server was easy as well.  In Terminal enter "sudo pico /etc/raddb/users" and authenticate as needed.  This file contains details for users if you wanted to add them manually to the RADIUS server.  For testing purposes I removed the # before a line referring to a user "steve."  I had to get RADIUS restarted to take up the new information about Steve.  I killed the process using Activity Monitor and reran step number 1.
  In Terminal I opened a new tab and entered "sudo radtest steve testing localhost 0 testing123 -t".  You should get back a positive authentication message.  Switching back to the original tab will show the output of the RADIUS server.
  Reverse the entry in step 3 by adding back the # to comment out the line about steve in the users file.
  RADIUS is now running and authenticating against its own users file.
  Now we need to add our ASAs to the RADIUS server so it knows that it can authenticate for them.  In Terminal enter "sudo pico /etc/raddb/clients.conf".  We added lines for our ASAs, following the samples in the code.  The information in the lines we added included a generic name for each ASA or device needing RADIUS type authentication, its IP address, and the shared secret for device authentication.
  Following David's advice from above I created the RADIUS sacl by entering in Terminal "sudo dseditgroup -q -o create -u <admin user> -P <admin password> -n . com.apple.access_radius".  This created the sacl for the service.  Editing of the associated users and groups permitted to use the service was able to be done in Server.  Be sure to select from the View menu "Show system accounts".  Selecting "Groups" from the left margin of the Server window will show all of the SACLs along with any groups you have created.  The RADIUS sacl can then have groups and users added to it.
  To ensure that RADIUS is running and stays running enter the following in Terminal.  First, "sudo radiusd.conf" will start RADIUS without logging in the Terminal window.  Then, "sudo radiusconfig -start" to tell the system to keep it running and also run after a reboot.
  I made no changes to our ASA settings and found that I was able to authenticate the "Steve" user from the RADIUS test in the ASA.  I was also able to authenticate a user which had been added to the "Users" in Server.  It appears that the ASA will be permitted to authenticate Open Directory users without additional setup.
  I now need to set up our user groups to match those we use in our 10.7 server and add them to the RADIUS SACL and we should be set.
  Once I have everything running properly, I will add a post here to close this discussion.
  If anyone can shorten this procedure please let us know what you suggest.
  -Erich

• Radius for the Mac

  Anyone have a good radius server installed on their mac for use with WPA ent.
  I have an iMac that is on all the time and I would like to put a radius server on it so I can kill my debian box (which is handling radius) for a while.

  Here's a howto I did a while back.
  http://home.sw.rr.com/jguidroz/radius.html
  The current version of OpenRadius should build fine, and you just run it with ./radiusd -X. I have radius server tied into OpenDirectory on my server, but you should be able to read through the config files and setup users for it.

• Wireless isp non-line of sight 30 mile radius

  I am looking for a product that i heard that cisco offers. The product that is in question is a wireless non-line of site acces point that will cover a 30 mile raduis. If anyone has any detail or that can point me in the direction of what i am looking for i would appreciate it thanks.
  You can email me at [email protected]
  Thanks

  That product was killed last year.
  Other manufacturers make VOFDM equipment at 5GHz (specs for the discontinued product), but a 30 mile radius has many hurdles.
  What are you trying to accomplish?
  Matthew Wheeler
  www.BlueModal.com

• IPhone 4 - 4.2 upgrade killed visual voicemail

  *iPhone 4 - 4.2 upgrade killed visual voicemail*
  Ok, I upgraded to 4.2 and deleted all previous backups, so I know I'm screwed untill the next update.
  I've synced, backed up, restored from backup and still no "Visual Voicemail".
  My voicemail only works if I restore the phone to original settings. But if I do that, I loose important data in my apps. As soon as I "Restore From Backup" I loose my "Visual Voicemail".
  If I reset my voicemail password with AT&T, I get the screen to set up a new password and greeting in Visual Voicemail. When I go through these steps I get the spinning wheel "Saving".
  It never saves, and I get an alert that says it can't connect to voicemail.
  I can set up voicemail by dialing "1", but then all I see is a blank screen in my "Visual Voicemail".
  I've also tried a full reset of my voicemail with AT&T.
  I even got a new SIM card. That didn't work.
  Can anybody figure this one out???
  -Thanks

  Well, thats the first time I've been told that after a week of phone calls. Maybe it's possible.
  I forgot to backup my phone before I upgraded to 4.2. Oops!
  When I noticed my Visual Voicemail was gone I tried to backup but ran out of memory.
  So I deleted previous backups to make more room. It backed up fine after that.
  I don't think it ran out of memory during the update, but maybe it did.
  Crap!

• VPN client and radius or CAR

  Hello:
  I am trying to setup remote access vpn on IOS router with cisco Radius or CAR.
  the vpn client user needs to be authenticated by group id and password, and user id and password.
  How should I setup CAR, could someone provides me an example?
  I saw this sample, but there is no relationship between user and group.
  Any suggestions?
  thx
  [ //localhost/RADIUS/UserLists/Default/joe-coke ]
  Name = joe-coke
  Description =
  Password = <encrypted>
  AllowNullPassword = FALSE
  Enabled = TRUE
  Group~ =
  BaseProfile~ =
  AuthenticationScript~ =
  AuthorizationScript~ =
  UserDefined1 =
  [ //localhost/RADIUS/UserLists/Default/group1 ]
  Name = group1
  Description =
  Password = <encrypted> (would be "cisco")
  AllowNullPassword = FALSE
  Enabled = TRUE
  Group~ =
  BaseProfile~ = group1profile
  AuthenticationScript~ =
  AuthorizationScript~ =
  UserDefined1 =
  Define the group attributes such as pre-shared key, IP address pool name, etc. using Cisco
  AV-pairs:
  [ //localhost/RADIUS/Profiles/group1profile/Attributes ]
  cisco-avpair = ipsec:key-exchange=ike
  cisco-avpair = ipsec:tunnel-password=cisco123
  cisco-avpair = ipsec:addr-pool=pool1
  Service-Type = Outbound

  you can define the group locally on the router to define the values which the client will use to build the tunnel (pre-shared key, etc). The client's username/pw can then be defined within AAA server to allow access to the network once the tunnel has been established.
  The link below should show how to setup the group config in IOS and you should change the AAA method to point to radius instead of local to authenticate the client at your AAA server.
  http://www.cisco.com/en/US/partner/products/sw/secursw/ps2308/products_configuration_example09186a00801c4246.shtml

• ISE 1.2 Patch 2 External RADIUS Server Sequence Broken?

  Hi community,
  We have upgraded our proof of concept ISE 1.2 lab to Patch level 2.
  Our lab design includes the use of external RADIUS servers which we off-load certain authentication rules to.
  To ensure resiliency of the external RADIUS service, we have two of these which we add to a RADIUS Server Sequence, the idea being that if the first in the list is unavailable, ISE will try the second and all will be well.
  Now this worked for us in testing ISE 1.2, but I have noticed that after the upgrade to Patch 2 ISE is sending the majority RADIUS traffic to the first (failed) external RADIUS server, with only the odd RADIUS Access-Request to thte next in the list.
  Anybody else come across this??
  All helpful comments rated!
  Many thanks, Ash.

  I couldn't find any known issues with this feature. Could you please paste the screen shot of external radius sequence and configuration. Also, how are we determing that the first server in the sequence is DEAD?
  ~BR
  Jatin Katyal
  **Do rate helpful posts**

• Creative Cloud update to version 2.7.1.418 killed my Windows 8.1 system!

  Earlier tonight, I saw the balloon from Creative Cloud stating that an update was available.  So I installed it.  Half-way during the installation, my windows desktop disappeared.
  I started the task manager and restarted "Explorer.exe".  That made the background reappear, but the taskbar was blank with just the lone Windows 8.1 icon on the very left.  Hovering over the taskbar showed the wait cursor.
  The task manager showed everything was running normally but the desktop was clearly broken.  I checked the directories and everything was as expected.
  So I held my breath and rebooted.  After logging in, the desktop slowly appeared over about 10 minutes, but all the desktop icons were still missing, as were the taskbar icons.  Only a few of the notification icons appeared.
  I then managed to bring up a command window with the task manager (fortunately, Ctrl+Alt+Esc still worked) and launched System Restore (rstrui.exe).  It showed me the Adobe Creative Cloud was the most recent restore point (below); the previous restore point after that was a Microsoft Windows update from 2 days ago.  When I asked for the list of files that were affected by the Creative Cloud update and would be reverted, it showed this:
  I again held my breath and restored my machine to before the above CC update; after about 20 minutes of shucking and jiving and a reboot, everything was working properly again.
  So there is clearly something out of kilter with this latest update.  Adobe the Time Vampire has once again stolen 2 hours of my life, but this time, at least it wasn't a license server issue.  I think.

  Dave: I did the Microsoft Update two days before this happened, and rebooted as required.  I just created a new restore point and lauched Creative Cloud.  Now I get the famous white screen:
  It just sits and spins (been 10 minutes now). 
  Fortunately, I saved away this command (which I've had to use 4 or 5 times already):
  del %USERPROFILE%\AppData\Local\Adobe\OOBE\opm.db
  Unfortunately now, I get this (even after closing the above window):
  The process cannot access the file because it is being used by another process.
  So I killed everything that said "Adobe" in the task manager and this time, the command succeeded.
  Fortunately, the current apps seem to still work.  I can't seem to find the "Creative Cloud" app in the applications on my system, but I launched Photoshop CC, told it to look for updates, and got a list of the 5 prgorams that need updates in the Adobe Application manager:
  I will proceed with the updates, holding my breath.

• Killing an application running on RT

  Hi
  Am using an PXI -8186 embedded controller with PharLap ETS RTOS, i have downloaded an application on to the RT startup directory. I want to deleted the application as i dont need it, but as it automatically starts running when pxi boots up i am unable to delete it. How can i Kill the application and delete it from startup? The rtos does not have a promt, so i can kill the task or look in to directory.
  I have to use only Ftp. can any one please help.
  thanx
  Arun

  Hello!
  On your 8186 there is a disable start up VI switch. On page 2-12 of the manual you will be able to find the location of this switch. Just incase I have pasted the link to the manual below.
  http://www.ni.com/pdf/manuals/370747c.pdf
  After you disable the start VI you will be able to remove it. Hope this helps. Let me know if I can give you anymore assistance.
  Allan S.
  National Instruments

• What does it happen if killing app then fast startup?

  Ask this question dues to my app is very likely to crash if I kill the app  then restart it very fast.  My debugging shows that when you double click back button then kill app, you see app really disappear, in fact it is still running, needs some time to exit completely. Then if you start up it very fast, app will re-access original dying app, instead of launch a new process, then it will be very likely to crash.
  It is not difficult to reproduce it on either device or simulator, the reason is my app running under heavy thread pool (C++ boost implementation), normally it will need some time to destroy the pool (waiting all working threads to join).
  I am not sure whether it is system behavior? Does user need to wait for a few seconds after killing app?  Or how can I avoid it on application layer?  Thank you.

  You've posted your question in the iPhoto for iOS forum, but iPhoto for iOS is not compatible with an iPod touch. Are you trying to "edit" an album in the the Photos application?
  -Doug

• Java API - EventHandler threads not getting killed

  Hello everybody,
  I didn't know whether to post this in the PI forum or in the MDM forum. I use the following scenario:
  We run an EJB session bean in the Java Proxy environment of PI 7.1. In this bean we create an MDM session, log on to a repository and then attach a RecordListener that reacts to any change of the records. When an interesting change took place, the record is distributed to PI.
  The code looks like this:
  EventDispatcher evDis = new EventDispatcher(servername);
  RecordListener recLis = new RecordListener();
  evDis.registerDataNotifications(username, password, repIdent, regions[0]);
  evDis.addListener(recLis);
  The problem arises when we try to undeploy or stop the application. You would assume that it would stop everything connected to the application. However, it does not. The mentioned EventDispatcher creates a thread object when invoked, and this thread is never killed. The consequence: Records keep getting distributed as if nothing had happened, although the application is gone (even undeploying doesn't help). But when we redeploy the application, a new thread is created. So after some development you get 10 or more threads firing every change to PI. The only thing that helps is a restart of the J2EE engine.
  So, my question: Has anybody here made a similar experience? Is this common for MDM or is rather PI the cause of this issue?
  Any comments on that are very welcome.
  Best regards,
  Jörg

  Hi Veera,
  thanks a lot, that pot me on the right track! In fact, it's the @PreDestroy annotation which has to be used for some cleanup method. When we execute this and included the coding you mentioned the threads are killed properly.
  Currently we're facing the issue that somehow the commit status of the bean is not set to "Committed" and from the second message on we get exceptions. If anybody came across this, help is appreciated.
  Best regards,
  Jörg

• Itunes 6.0.1.3 is killing my network!

  The last time I updated all my podcasts was 12-8-5. I had not run Itunes since then. I fired it up this past weekend and something really strange happened.
  It was unable to update any podcasts. Also, my laptop had disconnected from my wireless network. I closed Itunes but my system still was unable to see any wireless network. I rebooted and was able to connect again. I then left the wireless properties open and started Itunes. My wireless connection began to drop in speed over the course of 1 minute from 54 -> 36 -> 24 -> 11 -> 1 -> 0 Mbps when it again disconnected and would not see wireless. I rebooted and started all over again. This time I closed Itunes before it killed the connection and within 1 minute my speed is back up to 54 Mbps.
  This is also happening on my hardwired Desktop! As soon as I fire up Itunes, the lights on my switch and router and every AP start flashing like crazy! I am talking about three switches and a wireless bridge. The activity lights on all devices go crazy until I kill Itunes on my desktop. As soon as I do, the activity stops, but I am forced to reboot all my network devices to get the network up again.
  No, I am not the only person in the world seeing this behavior. I just listened to Leo Laporte's KFI Tech Guy podcast from the first week of December and a caller was describing the exact same issue:
  http://leoville.tv/radio/ShowNotes/Show201#toc3
  I have also found another reference to the same thing here:
  http://forums.macnn.com/archive/index.php/t-246946.html
  And another here:
  http://groups.google.com/group/microsoft.public.windowsxp.networkweb/browsethread/thread/12be291b47a65868/04144bc0accb23f8#04144bc0accb23f8
  Basically, running Itunes kills my network!
  I have turned off all automatic network functions in Itunes, like automatic podcast updates and search for shared music. Turning off search for shared music seems to have solved the need to reboot every network device in my house, but running Itunes still causes the death of my wireless connection on my notebook.
  I can only postulate that this MUST be the result of a recent XP update since Itunes was working just fine a few weeks ago. To test this theory, I will be doing a parallel OS install of XP SP2 on my laptop with no additional updates and Itunes the only installed application. I might try doing this in Virtual PC first, but I am not sure I could trust its results.

  OK,
  I just installed Itunes 6.0.1.3 on a fresh install of XP SP2 in Virtual PC.
  Simply starting Itunes, No subscriptionsn no podcasts to update, and the same results.
  Within 1 minute, the network connection on the VPC was dead and reported limited or no connectivity. Before it died, the wireless on my laptop began to decrease in speed. As soon as the network connection in VPC died, it began rising again. As with my desktop, my network devices activity lights lit up almost solid! The ethernet bridge that connects my ReplayTV to the network went solid on activity and my Replay was knocked off the network. It would appear the 6.0.1.3 is spewing a bunch of garbage on the network to the point that it is killing all my devices.
  Whenever Itunes is open on any system on the network (In its default config), ALL devices lose network connectivity.
  Now I will try an older version on the virtual PC and see what happens..
  Stephen TN

• How do I get on-screen keyboard to work in tablet mode for Satellite Radius?

  I have a Radius P55W-B5318.  I love it, but when I use it in tablet mode, I can't seem to figure out how to get the on-screen touch keyboard to come up, which is necessary if I'm going to use it as a tablet. Any solutions? What am I missing here?

   
  Satellite Radius14 E45W-C4200
  Right-click the desktop, point to New, and click Shortcut. Type osk, click Next, type On-Screen Keyboard, and click Finish. 

• Windows Radius / NPS not working with mac book pro 10.9.4 wired

  Hi,
  I'm trying to get my Radius windows server 2012 working with the correct setting for using 802.1x wired connection for the mac book pro. The only issue I'm having is there is not much setting in the mac book pro. I'm not sure what need to setup on the sever to make it connect correctly and assign it to the correct vlan when it's authenticated.
  Here are some screen shoots for my mac book pro
  So I've got it up to a point where I have this issue and here is my screen shots setting:
  So the above are my windows 2012 screen shot settings.
  On the mac book pro, I'm getting a prompted about adding certificate and I've added that into the laptop and then I need to put the username and password information. I put the following:
  [email protected] and the password.
  I'm current working with someone at HP on the switch settings, everything looks good.
  I know the following:
  1. Wireshark: shows server is getting request from the switch but it's not accepting them here are my logs on the NPS:
  RAD01  6274    Information      Microsoft Windows security auditing.   Security            2014-08-21 12:40:24 PM
  Here is the detail of the machine:
  Network Policy Server discarded the request for a user.
  Contact the Network Policy Server administrator for more information.
  User:
  Security ID:                              S-1-5-21-2690993882-1154983957-2264505580-1328
  Account Name:                         [email protected]
  Account Domain:                                  LCS
  Fully Qualified Account Name:  LCS\username
  Client Machine:
  Security ID:                              S-1-0-0
  Account Name:                         -
  Fully Qualified Account Name:  -
  OS-Version:                             -
  Called Station Identifier:                      b4-39-d6-ec-2c-00
  Calling Station Identifier:                     ac-7f-3e-e6-32-34
  NAS:
  NAS IPv4 Address:                   xx.xx.xx.xx
  NAS IPv6 Address:                   -
  NAS Identifier:                         5412zl-xxx-xxxxswithname
  NAS Port-Type:                                    Ethernet
  NAS Port:                                 170
  RADIUS Client:
  Client Friendly Name:               HP Procurve 5412zl switch
  Client IP Address:                                xx.xx.xx.xx
  Authentication Details:
  Connection Request Policy Name:       Secure Wired (Ethernet) Connections
  Network Policy Name:              Secure Wired (Ethernet) Connections
  Authentication Provider:                      Windows
  Authentication Server:             rad01.xxx.xxx.ca
  Authentication Type:                EAP
  EAP Type:                                -
  Account Session Identifier:                  -
  Reason Code:                          1
  Reason:                                               An internal error occurred. Check the system event log for additional information.
  Again I don't know what's the correct setting the default 802.1x for mac book pro, but it should correct.
  I'm also not sure what the internal error message is regarding about. The switch should automatically put me to vlan 7
  Can you some please help out what the correct authentication method for mac 10.9.4.
  Thanks

  Flash Player is a browser add-on, not a standalone application.
  You can test if the player is correctly installed at http://www.adobe.com/software/flash/about/