Problem Authentication with AP 1130AG

I have a problem with my access point model is 1130AG, it works fine , im using WEP encrypt, but just only 2 clients can connect to it, if i want to connect a 3rd client either laptop or pc the client sends a message Connectivity Null, but if disconnect or disabled any of the connected clients, the 3rd that i was trying connect, its connect inmediately. i dont know why just 2 clients can connect only to the access point, any help, i already attached the configuration, with no pass and WEP passwords. Pls Need Help with this

There's nothing in your config to suggest any limit on the number of client associations, however there are a number of bad practises on there that you may want to clean up in general.
Username = Cisco
Client VLAN = AP Mgmt VLAN
Using Static WEP = Very Bad
Still got all of the low-speed data-rates enabled
AP is on a massive broadcast domain, so performance is likely to be / get very bad
int dot11 0 channel not set
int dot11 0 power not set
int dot11 1 config is all over the place
The error message you posted suggests the client is opting to leave the AP, as opposed to the AP kicking it. What is the physical proximity of the AP & Laptops? Also, please please please make sure you've got the very latest drivers on your clients.

Similar Messages

Problem authenticating with Active Directory

Hi,
We want to authenticate the users from Microsoft Active directory.We created users by doing a bootstrapping from AD to OID (10.1.2).
I enabled the plug in by following the Chapter 18 Configuring Active Directory External Authentication plug -in.
After running through the plug in is installed if i try to login with AD user id I am getting authentication failure error.
I am not sure whether OID is connecting to Active Directory for authentication.How to ensure that it is connecting to AD
I am giving uid attribute as login id.What is the login id to be given
I have tried many combinations no luck. I am getting following error in ssoServer.log
Sun Dec 11 19:44:13 EST 2005 [ERROR] AJPRequestHandler-ApplicationServerThread-5 Communication Exception received. Cleaning up the stale connection
oracle.ldap.util.CommunicationErrorException: Unable to establish connection to directory. Please verify the input parameters: host, port, dn & password connection closed
     at oracle.ldap.util.Subscriber.getUser_NICKNAME(Subscriber.java:1213)
     at oracle.ldap.util.Subscriber.getUser(Subscriber.java:912)
     at oracle.ldap.util.Subscriber.getUser(Subscriber.java:859)
     at oracle.security.sso.server.ldap.OIDUserRepository.getUserProperties(OIDUserRepository.java:493)
     at oracle.security.sso.server.auth.SSOServerAuth.authenticate(SSOServerAuth.java:485)
     at oracle.security.sso.server.ui.SSOLoginServlet.processSSOPartnerRequest(SSOLoginServlet.java:796)
     at oracle.security.sso.server.ui.SSOLoginServlet.doPost(SSOLoginServlet.java:328)
     at javax.servlet.http.HttpServlet.service(HttpServlet.java:760)
     at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
     at com.evermind.server.http.ServletRequestDispatcher.invoke(ServletRequestDispatcher.java:824)
     at com.evermind.server.http.ServletRequestDispatcher.forwardInternal(ServletRequestDispatcher.java:330)
     at com.evermind.server.http.HttpRequestHandler.processRequest(HttpRequestHandler.java:830)
     at com.evermind.server.http.AJPRequestHandler.run(AJPRequestHandler.java:224)
     at com.evermind.server.http.AJPRequestHandler.run(AJPRequestHandler.java:133)
     at com.evermind.util.ReleasableResourcePooledExecutor$MyWorker.run(ReleasableResourcePooledExecutor.java:192)
     at java.lang.Thread.run(Thread.java:534)
Thanks

Did you check the debug information from the external auth plugin.?
This is mentioned in metalink note https://metalink.oracle.com/metalink/plsql/showdoc?db=NOT&id=277382.1
here an excerpt:
D) Enabled plug in debugging at the database level. Reference documentation: Oracle Internet Directory Administrator's Guide 10g (9.0.4) Chapter 43 Integration with the Microsoft Windows Environment - Troubleshooting Integration with Microsoft Windows Under section "Debugging the Microsoft Active Directory External Authentication Plug-in"
...enable the plug-in debugging. To do this, enter:
sqlplus ods/odspassword @$ORACLE_HOME/ldap/admin/oidspdon.plsTo check the plug-in debugging log, enter:
sqlplus system/managerSQL> select * from ods.plg_debug_log order by id;
(To delete the plug-in debugging log:
sqlplus system/managerSQL> truncate table ods.plg_debug_log
To disable the plug-in debugging:
sqlplus ods/ods @$ORACLE_HOME/ldap/admin/oidspdof.plsE) Dump the plug-in profile to make sure it is enabled and configured correctly:
ldapsearch -h <OID host> -p <OID port> -D "cn=orcladmin" -w <orcladmin password> -b "cn=plugin,cn=subconfigsubentry" -L -s sub "(objectclass=*)" "*"please take also a look into the DIPTESTER tool available in
http://www.oracle.com/technology/sample_code/products/oid/java_diptester.tar
regards
--Olaf

Problems authentication with PEAP WLC IAS Windows 2k3

Hi all
I have configured a WLC (6.0.182.0 model 2100) with authentiacion PEAP with IAS and a DA of Microsoft Windows 2003. I have been reading in the documentation "PEAP Under Unified Wireless Networks with Microsoft Internet Authentication Service (IAS)" that in the installation proccess of Active Directory it must select the option "Permissions compatible with pre-Windows 2000 server operation systems". In my scenario the other option was chosen "Permissions compatible only with Windows 200 or Windows Server 2003 operations system".
I have test this scenario and it does not work.
Is there some configuration in the WLC so that it can work without having to reinstall the AD?
Thanks

For the most part the WLC doesn't care about what type of authentication is being used. It really is just proxying the requests between the client and Radius server.
I would make sure your EAP timer are extended with the commands:
config advanced eap identity-request-timeout 10
config advanced eap request-timeout 10

I have a very similar problem (5506) in that I changed my appleID loginid and now none of my home shares work. All itunes have been re-authorized/authenticated with the new appleID string. Yet I still receive this error. I too am looking for suggestions.

I have a very similar problem in that I changed my appleID loginid and now none of my home shares work (5506) . All itunes have been re-authorized/authenticated with the new appleID string. Yet I still receive this error. I too am looking for suggestions.

If you no longer have the computer(s) you want to deauthorise,
Log in to iTunes, go to "view your account info" on the itunes store, deauthorise all five, (Please Note: this can only be done Once every 12 months) and then re-authorize your current Computer(s) one at a time.
Authorise / Deauthorise About
http://support.apple.com/kb/HT1420

LENOVO S90 PROBLEM WIFI WITH AUTHENTICATION!

HI.
Why is impossible to authentication with my WIFI?
the password is ok.
My ADSL WIFI is TELECOM ITALIA.
Solved!
Go to Solution.

Hi
Try to delete the network connection from the phone->restart the phone and recreate the connection.
Hope this helps.
Did someone help you today? Press the star on the left to thank them with a Kudo!
If you find a post helpful and it answers your question, please mark it as ''ACCEPT AS SOLUTION"!
Unsolicited PM's will not be answered! ....Please post your question/s in the appropriate forum board.
English Community Deutsche Community Comunidad en Español Русскоязычное Сообщество

Error in authentication with ldap server with certificate

Hi,
i have a problem in authentication with ldap server with certificate.
here i am using java API to authenticate.
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: timestamp check failed.
I issued the new certificate which is having the up to 5 years valid time.
is java will authenticate up to one year only?
Can any body help on this issue...
Regards
Ranga

sorry i am gettting ythe same error
javax.naming.CommunicationException: simple bind failed: servername:636 exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: timestamp check failed]
here when i am using the old certificate and changing the system date means i can get the authentication.
can you tell where we can concentrate and solve the issue..
where is the issue
1. need to check with the ldap server only
2. problem in java code only.
thanks in advance

Ricoh Aficio MP C2051 Scan to Folder - Windows 7 64 bit Error: Authentication with the destination has failed check settings

I got an issue with OS of widows 7.
unable to scan documents to user's PC.am getting error message "Authentication with the destination has failed. Check settings. To check the current status, press [Scanned Files Status
Other Windows xp PC can do this.
How can I fix this problem?
Printer Model :C2051 /mp2001sp

Hi,
I searched for the error and it is mentioned in Ricoh's website:
Messages Displayed on the Control Panel When Using the Scanner Function
http://support.ricoh.com/bb_v1oi/pub_e/oi_view/0001045/0001045718/view/trouble/int/0036.htm
Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.
Message
Cause
Solution
“Authentication with the destination has failed. Check settings. To check the current status, press [Comm. Status/Print].”
The entered login user name or login password is not correct.
Check that the user name and password are correct.
Check that the ID and password for the destination folder are correct.
A password of 128 or more characters may not be recognized.
From the solution, it mentioned that the issue could relate to user account or its password.
Please let me know if it is in domain environment. If so, please test to log the same user account currently on Windows 7 to Windows XP and see if issue persists.
Also please test to directly access the scanning folder on printer server to see if there is any issue in accessing the destination folder.

Policy agent 2.2 amfilter local authentication with session binding failed

Hi All,
I have policy agent 2.2 for weblogic 8.1 sp4 installed on redhat linux. All are working fine in my development box. But I was running all the process under user root, so today I decided to change it to a regular user, joe. I changed all the files' owner for weblogic server and policy agent from root to joe, and restart server as user Joe. After the change, I can not access the application on Weblogic server. I changed file ownership back to root and restart weblogic server as root, still same error.
Here is the error I got:
10.4.4 403 Forbidden
The server understood the request, but is refusing to fulfill it. Authorization will not help and the request SHOULD NOT be repeated. If the request method was not HEAD and the server wishes to make public why the request has not been fulfilled, it SHOULD describe the reason for the refusal in the entity. This status code is commonly used when the server does not wish to reveal exactly why the request has been refused, or when no other response is applicable.
Here is the error I found from agent log file, amFilter:
AmFilter: now processing: SSO Task Handler
05/24/2006 06:27:08:127 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
SSOTaskHandler: caching SSO Token for user uid=amAdmin,ou=People,dc=etouch,dc=net
05/24/2006 06:27:08:127 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
AmBaseSSOCache: cached the sso token for user principal : uid=amadmin,ou=people,dc=etouch,dc=net sso token: AQIC5wM2LY4Sfcx4XY/x/M7G1Y3ScVjFj8E3oT0BV45mh0Q=@AAJTSQACMDE=#, cache size = 1
05/24/2006 06:27:08:127 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
SSOTaskHandler: SSO Validation successful for uid=amAdmin,ou=People,dc=etouch,dc=net
05/24/2006 06:27:08:128 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
AmFilter: now processing: J2EE Local Logout Task Handler
05/24/2006 06:27:08:128 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
AmFilter: local logout skipped SSO User => amAdmin, principal =>null
05/24/2006 06:27:08:128 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
AmFilter: now processing: J2EE Local Auth Task Handler
05/24/2006 06:27:08:128 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
LocalAuthTaskHandler: No principal found. Initiating local authentication for amAdmin
05/24/2006 06:27:08:128 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
LocalAuthTaskHandler: doing local authentication with session binding
05/24/2006 06:27:08:129 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
LocalAuthTaskHandler: Local authentication failed, invalidating session.05/24/2006 06:27:08:129 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
WARNING: LocalAuthTaskHandler: Local authentication failed for : /portal/index.jsp, SSO Token: AQIC5wM2LY4Sfcx4XY/x/M7G1Y3ScVjFj8E3oT0BV45mh0Q=@AAJTSQACMDE=#
05/24/2006 06:27:08:129 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
AmFilter: result =>
FilterResult:
     Status      : FORBIDDEN
     RedirectURL     : null
     RequestHelper:
          null
     Data:
          null
-----------------------------------------------------------

Hi,
I'm having the exact same problem in the Prod environment, but on a Sun App Server. In development all is fine, in prod we now have:
ERROR: AmFilter: Error while delegating to inbound handler: J2EE Local Auth Task Handler, access will be denied
java.lang.IllegalStateException: invalidate: Session already invalidated
at org.apache.catalina.session.StandardSession.invalidate(StandardSession.java:1258)
at org.apache.catalina.session.StandardSessionFacade.invalidate(StandardSessionFacade.java:164)
at com.sun.identity.agents.filter.LocalAuthTaskHandler.doLocalAuthWithSessionBinding(LocalAuthTaskHandler.java:289)
at com.sun.identity.agents.filter.LocalAuthTaskHandler.authenticate(LocalAuthTaskHandler.java:159)
at com.sun.identity.agents.filter.LocalAuthTaskHandler.process(LocalAuthTaskHandler.java:106)
at com.sun.identity.agents.filter.AmFilter.processTaskHandlers(AmFilter.java:185)
at com.sun.identity.agents.filter.AmFilter.isAccessAllowed(AmFilter.java:152)
at com.sun.identity.agents.filter.AmAgentBaseFilter.doFilter(AmAgentBaseFilter.java:38)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:210)
at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:161)
at java.security.AccessController.doPrivileged(Native Method)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:157)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:263)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:551)
at org.apache.catalina.core.StandardContextValve.invokeInternal(StandardContextValve.java:225)
FilterResult:
Status : FORBIDDEN
RedirectURL : null
RequestHelper:
null
Data:
null
Also, we I debug I see:
LocalAuthTaskHandler: No principal found. Initiating local authentication for ...
Did you receive any solution for this?
Many, many thanks,
Philip

Lync 2013 Error 31055 ,31059 LS Call Park Service, The database being used by Group Pickup is not the appropriate version and There was a problem communicating with the Group Pickup backend database.

Hello
I have Lync 2013 and 2010 , still i didn't finish my migration completely from 2010 to 2013 .this is coexistence environment that contains both Lync Server 2010 and Lync Server 2013 .
There was no error's in my lync 2013 front end and back end server's and every thing was fine, yesterday I installed windows updated AND CU for my lync 2013 front end and backend server's .
later on after restarting both the front end and the back end server's i start having hundred's of these error's related to "LS Call Park Service".
so any advice for these issue ? and what is the effect for these error .
below is the error I got .
The database being used by Group Pickup is not the appropriate version.
The database is not the correct version:
Connection: Data Source=HQ-LYNC2013-BE.aaaaaaaaaaaaaaaaaaaaaaaaaaa\rtc;Initial Catalog=cpsdyn;Integrated Security=True
Expected... SchemaVersion: 1, SprocVersion: 1, UpgradeVersion: 2
Actual... SchemaVersion: 0, SprocVersion: 0, UpgradeVersion: 0
Cause: The database has not been upgraded.
Resolution:
Upgrade the database to CU1.
==============================================================
There was a problem communicating with the Group Pickup backend database.
There were problems accessing SQL server:
Connection: Data Source=HQ-LYNC2013-BE.aaaaaaaaaaaaaaaaaaaaaaaaaa\rtc;Initial Catalog=cpsdyn;Integrated Security=True
Message: The EXECUTE permission was denied on the object 'DbpGetVersionSchema', database 'cpsdyn', schema 'dbo'.
Error code: -2146232060
Error number: 229
Cause: This may be caused by connectivity issues with the backend database.
Resolution:
Check if SQL backend is running and accepts connections from Group Pickup.
=============================================================================
Kind Regards
MK

Hello
thanks Holger for u r replay .
due to the Microsoft article about the cu :
I run only :
Install-CsDatabase -ConfiguredDatabases -SqlServerFqdn FEBE.FQDN -Verbose
Note In a coexistence environment that contains both Lync Server 2010 and Lync Server 2013 and in which the Central Management Service is located on a Lync Server 2010 pool, do not run the
Install-CsDatabase -CentralManagementDatabase command. If you later move the Central Management Service to a Lync Server 2013 pool, you have to run the
Install-CsDatabase -CentralManagementDatabase command to apply the changes.
here is what I get on my power shell after i run the command : "WARNING: Warning: Failed to execute batch --"
PS C:\Users\MK> Install-CsDatabase -ConfiguredDatabases -SqlServerFqdn HQ-LYNC2013-BE.MyDomain -Verbose
VERBOSE: Creating new log file
"C:\Users\MK\AppData\Local\Temp\2\Install-CsDatabase-82d6613c-f2e3-47e6-8fc4-8f75d2efe6e4.xml".
VERBOSE: Install databases required by Lync Server role(s).
****Creating DbSetupInstance for 'Microsoft.Rtc.Common.Data.BlobStore'****
Trying to connect to Sql Server HQ-LYNC2013-BE.MyDomain\rtc. using windows authentication...
Sql version: Major: 11, Minor: 0, Build 5058.
Sql version is acceptable.
Checking state for database rtcxds.
****Creating DbSetupInstance for 'Microsoft.Rtc.Common.Data.AbsDatabase'****
Trying to connect to Sql Server HQ-LYNC2013-BE.MyDomain\rtc. using windows authentication...
Sql version: Major: 11, Minor: 0, Build 5058.
Sql version is acceptable.
Checking state for database rtcab.
****Creating DbSetupInstance for 'Microsoft.Rtc.Common.Data.RgsConfigDatabase'****
Trying to connect to Sql Server HQ-LYNC2013-BE.MyDomain\rtc. using windows authentication...
Sql version: Major: 11, Minor: 0, Build 5058.
Sql version is acceptable.
Checking state for database rgsconfig.
****Creating DbSetupInstance for 'Microsoft.Rtc.Common.Data.RgsDynDatabase'****
Trying to connect to Sql Server HQ-LYNC2013-BE.MyDomain\rtc. using windows authentication...
Sql version: Major: 11, Minor: 0, Build 5058.
Sql version is acceptable.
Checking state for database rgsdyn.
****Creating DbSetupInstance for 'Microsoft.Rtc.Common.Data.CpsDynDatabase'****
Trying to connect to Sql Server HQ-LYNC2013-BE.MyDomain\rtc. using windows authentication...
Sql version: Major: 11, Minor: 0, Build 5058.
Sql version is acceptable.
Checking state for database cpsdyn.
****Creating DbSetupInstance for 'Microsoft.Rtc.Common.Data.ArchivingDatabase'****
Trying to connect to Sql Server HQ-LYNC2013-BE.MyDomain\arc. using windows authentication...
Sql version: Major: 11, Minor: 0, Build 5058.
Sql version is acceptable.
Checking state for database LcsLog.
****Creating DbSetupInstance for 'Microsoft.Rtc.Common.Data.MonitoringDatabase'****
Trying to connect to Sql Server HQ-LYNC2013-BE.MyDomain\mon. using windows authentication...
Sql version: Major: 11, Minor: 0, Build 5058.
Sql version is acceptable.
Checking state for database LcsCDR.
VERBOSE: Assigning "BackendStore:BlobStore:LogPath" to F:\CsData
VERBOSE: Assigning "BackendStore:RtcSharedDatabase:LogPath" to F:\CsData
VERBOSE: Assigning "ArchivingStore:ArchivingDatabase:LogPath" to F:\CsData
VERBOSE: Assigning "MonitoringStore:MonitoringDatabase:LogPath" to F:\CsData
VERBOSE: Assigning "MonitoringStore:QoEMetricsDatabase:LogPath" to F:\CsData
VERBOSE: Assigning "ArchivingStore:ArchivingDatabase:DbPath" to F:\CsData
VERBOSE: Assigning "MonitoringStore:MonitoringDatabase:DbPath" to F:\CsData
VERBOSE: Assigning "MonitoringStore:QoEMetricsDatabase:DbPath" to F:\CsData
VERBOSE: Assigning "ABSStore:AbsDatabase:LogPath" to F:\CsData
VERBOSE: Assigning "ApplicationStore:RgsConfigDatabase:LogPath" to F:\CsData
VERBOSE: Assigning "ApplicationStore:RgsDynDatabase:LogPath" to F:\CsData
VERBOSE: Assigning "ApplicationStore:CpsDynDatabase:LogPath" to F:\CsData
VERBOSE: Assigning "BackendStore:BlobStore:DbPath" to F:\CsData
VERBOSE: Assigning "BackendStore:RtcSharedDatabase:DbPath" to F:\CsData
VERBOSE: Assigning "ABSStore:AbsDatabase:DbPath" to F:\CsData
VERBOSE: Assigning "ApplicationStore:RgsConfigDatabase:DbPath" to F:\CsData
VERBOSE: Assigning "ApplicationStore:RgsDynDatabase:DbPath" to F:\CsData
VERBOSE: Assigning "ApplicationStore:CpsDynDatabase:DbPath" to F:\CsData
VERBOSE: Installing "BackendStore" on HQ-LYNC2013-BE.MyDomain\rtc, collocated: False
****Creating DbSetupInstance for 'Microsoft.Rtc.Common.Data.BlobStore'****
Trying to connect to Sql Server HQ-LYNC2013-BE.MyDomain\rtc. using windows authentication...
Sql version: Major: 11, Minor: 0, Build 5058.
Sql version is acceptable.
Checking state for database rtcxds.
Checking state for database rtcxds.
State of database rtcxds is DbState_RequiresMinorUpgrade.
Database rtcxds set to mode Restricted.
Dropping all procedures, functions and views from database rtcxds.
Executing RtcDb.sql...
Adding master role...
Setting owner for database rtcxds to sa.
Creating login MyDomain\RTCHSUniversalServices.
Creating user MyDomain\RTCHSUniversalServices.
Creating Schema MyDomain\RTCHSUniversalServices.
Creating login MyDomain\RTCUniversalReadOnlyAdmins.
Creating user MyDomain\RTCUniversalReadOnlyAdmins.
Creating Schema MyDomain\RTCUniversalReadOnlyAdmins.
Creating login MyDomain\RTCUniversalServerAdmins.
Creating user MyDomain\RTCUniversalServerAdmins.
Creating Schema MyDomain\RTCUniversalServerAdmins.
Adding account MyDomain\RTCHSUniversalServices to role ConsumerRole.
Adding account MyDomain\RTCUniversalReadOnlyAdmins to role ConsumerRole.
Adding account MyDomain\RTCHSUniversalServices to role ReplicatorRole.
Adding account MyDomain\RTCHSUniversalServices to role PublisherRole.
Adding account MyDomain\RTCUniversalServerAdmins to role PublisherRole.
Setting database version: Schema Version 15, Sproc Version 13, Update Version 2.
Setting the database rtcxds to multi user mode.
Database rtcxds is set to multi user mode.
****Creating DbSetupInstance for 'Microsoft.Rtc.Common.Data.RtcSharedDatabase'****
Trying to connect to Sql Server HQ-LYNC2013-BE.MyDomain\rtc. using windows authentication...
Sql version: Major: 11, Minor: 0, Build 5058.
Sql version is acceptable.
Checking state for database rtcshared.
Database created by script "RtcSharedDatabase" already exists and is current.
VERBOSE: Successfully installed the database. For details, see the following log:
"C:\Users\MK\AppData\Local\Temp\2\Create-BackendStore-HQ-LYNC2013-BE.MyDomain_rtc-[2014_11_13][14_35_01].log"
VERBOSE: Installing "ABSStore" on HQ-LYNC2013-BE.MyDomain\rtc, collocated: False
****Creating DbSetupInstance for 'Microsoft.Rtc.Common.Data.AbsDatabase'****
Trying to connect to Sql Server HQ-LYNC2013-BE.MyDomain\rtc. using windows authentication...
Sql version: Major: 11, Minor: 0, Build 5058.
Sql version is acceptable.
Checking state for database rtcab.
Checking state for database rtcab.
State of database rtcab is DbState_RequiresMinorUpgrade.
Database rtcab set to mode Restricted.
Dropping all procedures, functions and views from database rtcab.
Executing RtcAbTypes.sql...
WARNING: Warning: Failed to execute batch --
-- Copyright (c) Microsoft Corporation. All rights reserved.
exec sp_addrole N'ServerRole'.
Executing RtcAbDb.sql...
Setting owner for database rtcab to sa.
Creating login MyDomain\RTCComponentUniversalServices.
Creating user MyDomain\RTCComponentUniversalServices.
Creating Schema MyDomain\RTCComponentUniversalServices.
Adding account MyDomain\RTCComponentUniversalServices to role ServerRole.
Setting database version: Schema Version 62, Sproc Version 42, Update Version 3.
Setting the database rtcab to multi user mode.
Database rtcab is set to multi user mode.
VERBOSE: Successfully installed the database. For details, see the following log:
"C:\Users\MK\AppData\Local\Temp\2\Create-ABSStore-HQ-LYNC2013-BE.MyDomain_rtc-[2014_11_13][14_35_20].log"
VERBOSE: Installing "ApplicationStore" on HQ-LYNC2013-BE.MyDomain\rtc, collocated: False
****Creating DbSetupInstance for 'Microsoft.Rtc.Common.Data.RgsConfigDatabase'****
Trying to connect to Sql Server HQ-LYNC2013-BE.MyDomain\rtc. using windows authentication...
Sql version: Major: 11, Minor: 0, Build 5058.
Sql version is acceptable.
Checking state for database rgsconfig.
Database created by script "RgsConfigDatabase" already exists and is current.
****Creating DbSetupInstance for 'Microsoft.Rtc.Common.Data.RgsDynDatabase'****
Trying to connect to Sql Server HQ-LYNC2013-BE.MyDomain\rtc. using windows authentication...
Sql version: Major: 11, Minor: 0, Build 5058.
Sql version is acceptable.
Checking state for database rgsdyn.
Database created by script "RgsDynDatabase" already exists and is current.
****Creating DbSetupInstance for 'Microsoft.Rtc.Common.Data.CpsDynDatabase'****
Trying to connect to Sql Server HQ-LYNC2013-BE.MyDomain\rtc. using windows authentication...
Sql version: Major: 11, Minor: 0, Build 5058.
Sql version is acceptable.
Checking state for database cpsdyn.
Checking state for database cpsdyn.
State of database cpsdyn is DbState_RequiresMinorUpgrade.
Database cpsdyn set to mode Restricted.
Dropping all procedures, functions and views from database cpsdyn.
Executing CpsDyn.sql...
Setting owner for database cpsdyn to sa.
Creating login MyDomain\RTCComponentUniversalServices.
Creating user MyDomain\RTCComponentUniversalServices.
Creating Schema MyDomain\RTCComponentUniversalServices.
Creating login MyDomain\RTCUniversalReadOnlyAdmins.
Creating user MyDomain\RTCUniversalReadOnlyAdmins.
Creating Schema MyDomain\RTCUniversalReadOnlyAdmins.
Creating login MyDomain\RTCUniversalServerAdmins.
Creating user MyDomain\RTCUniversalServerAdmins.
Creating Schema MyDomain\RTCUniversalServerAdmins.
Adding account MyDomain\RTCComponentUniversalServices to role ReadWriteRole.
Adding account MyDomain\RTCUniversalServerAdmins to role ReadWriteRole.
Adding account MyDomain\RTCUniversalReadOnlyAdmins to role ReadOnlyRole.
Setting database version: Schema Version 1, Sproc Version 1, Update Version 2.
Setting the database cpsdyn to multi user mode.
Database cpsdyn is set to multi user mode.
VERBOSE: Successfully installed the database. For details, see the following log:
"C:\Users\MK\AppData\Local\Temp\2\Create-ApplicationStore-HQ-LYNC2013-BE.MyDomain_rtc-[2014_11_13][14_35_37].log"
VERBOSE: Installing "ArchivingStore" on HQ-LYNC2013-BE.MyDomain\arc, collocated: False
****Creating DbSetupInstance for 'Microsoft.Rtc.Common.Data.ArchivingDatabase'****
Trying to connect to Sql Server HQ-LYNC2013-BE.MyDomain\arc. using windows authentication...
Sql version: Major: 11, Minor: 0, Build 5058.
Sql version is acceptable.
Checking state for database LcsLog.
Database created by script "ArchivingDatabase" already exists and is current.
VERBOSE: Successfully installed the database. For details, see the following log:
"C:\Users\MK\AppData\Local\Temp\2\Create-ArchivingStore-HQ-LYNC2013-BE.MyDomain_arc-[2014_11_13][14_35_51].log"
VERBOSE: Installing "MonitoringStore" on HQ-LYNC2013-BE.MyDomain\mon, collocated: False
****Creating DbSetupInstance for 'Microsoft.Rtc.Common.Data.MonitoringDatabase'****
Trying to connect to Sql Server HQ-LYNC2013-BE.MyDomain\mon. using windows authentication...
Sql version: Major: 11, Minor: 0, Build 5058.
Sql version is acceptable.
Checking state for database LcsCDR.
Checking state for database LcsCDR.
Checking state for database LcsCDR.
State of database LcsCDR is DbState_RequiresMinorUpgrade.
WARNING: The database LcsCDR being updated has data file path at
\\HQ-LYNC2013-BE.MyDomain\C$\CsData\MonitoringStore\mon\DbPath\LcsCDR.mdf and supplied data file path is
\\HQ-LYNC2013-BE.MyDomain\F$\CsData\MonitoringStore\mon\DbPath\LcsCDR.mdf. Supplied path will be ignored.
WARNING: The database LcsCDR being updated has log file path at
\\HQ-LYNC2013-BE.MyDomain\C$\CsData\MonitoringStore\mon\LogPath\LcsCDR.ldf and supplied data file path is
\\HQ-LYNC2013-BE.MyDomain\F$\CsData\MonitoringStore\mon\LogPath\LcsCDR.ldf. Supplied path will be ignored.
Database LcsCDR set to mode Restricted.
Dropping all procedures, functions and views from database LcsCDR.
Executing CdrDb.sql...
Setting owner for database LcsCDR to sa.
Creating login MyDomain\CSAdministrator.
Creating user MyDomain\CSAdministrator.
Creating Schema MyDomain\CSAdministrator.
Creating login MyDomain\RTCComponentUniversalServices.
Creating user MyDomain\RTCComponentUniversalServices.
Creating Schema MyDomain\RTCComponentUniversalServices.
Adding account MyDomain\RTCComponentUniversalServices to role ServerRole.
Adding account MyDomain\RTCComponentUniversalServices to role ReportsReadOnlyRole.
Adding account MyDomain\CSAdministrator to role ReportsReadOnlyRole.
Setting database version: Schema Version 39, Sproc Version 82, Update Version 2.
Setting the database LcsCDR to multi user mode.
Database LcsCDR is set to multi user mode.
SQL Server Agent is running and its start mode was detected as Auto.
Executing CdrJobs.sql...
****Creating DbSetupInstance for 'Microsoft.Rtc.Common.Data.QoEMetricsDatabase'****
Trying to connect to Sql Server HQ-LYNC2013-BE.MyDomain\mon. using windows authentication...
Sql version: Major: 11, Minor: 0, Build 5058.
Sql version is acceptable.
Checking state for database QoEMetrics.
Checking state for database QoEMetrics.
Checking state for database QoEMetrics.
State of database QoEMetrics is DbState_RequiresMinorUpgrade.
WARNING: The database QoEMetrics being updated has data file path at
\\HQ-LYNC2013-BE.MyDomain\C$\CsData\MonitoringStore\mon\DbPath\QoEMetrics.mdf and supplied data file path is
\\HQ-LYNC2013-BE.MyDomain\F$\CsData\MonitoringStore\mon\DbPath\QoEMetrics.mdf. Supplied path will be ignored.
WARNING: The database QoEMetrics being updated has log file path at
\\HQ-LYNC2013-BE.MyDomain\C$\CsData\MonitoringStore\mon\LogPath\QoEMetrics.ldf and supplied data file path is
\\HQ-LYNC2013-BE.MyDomain\F$\CsData\MonitoringStore\mon\LogPath\QoEMetrics.ldf. Supplied path will be ignored.
Database QoEMetrics set to mode Restricted.
Dropping all procedures, functions and views from database QoEMetrics.
Executing QoEDb.sql...
Setting owner for database QoEMetrics to sa.
Creating login MyDomain\RTCComponentUniversalServices.
Creating user MyDomain\RTCComponentUniversalServices.
Creating Schema MyDomain\RTCComponentUniversalServices.
Adding account MyDomain\RTCComponentUniversalServices to role ServerRole.
Setting database version: Schema Version 62, Sproc Version 90, Update Version 1.
Setting the database QoEMetrics to multi user mode.
Database QoEMetrics is set to multi user mode.
SQL Server Agent is running and its start mode was detected as Auto.
Executing QoEJobs.sql...
VERBOSE: Successfully installed the database. For details, see the following log:
"C:\Users\MK\AppData\Local\Temp\2\Create-MonitoringStore-HQ-LYNC2013-BE.MyDomain_mon-[2014_11_13][14_35_51].log"
VERBOSE: No changes were made to the Central Management Store.
VERBOSE: Creating new log file
"C:\Users\MK\AppData\Local\Temp\2\Install-CsDatabase-82d6613c-f2e3-47e6-8fc4-8f75d2efe6e4.html".
WARNING: "Install-CsDatabase" processing has completed with warnings. "5" warnings were recorded during this run.
WARNING: Detailed results can be found at
"C:\Users\MK\AppData\Local\Temp\2\Install-CsDatabase-82d6613c-f2e3-47e6-8fc4-8f75d2efe6e4.html".
PS C:\Users\MK>
I hope some one can confirm no issue with what I did ??
Kind Regards
MK

RSA authentication with LDAP group mapping

Greetings,
I'm trying to set up RSA authentication with LDAP group mapping with ACS Release 4.2(1) Build 15 Patch 3.
The problem I'm having is that my users are in multiple OU's on our AD tree. When I only put our base DN in for User Directory Subtree on ACS, it fails with a "External DB reports about an error condition" error. If I add an OU in front of it, then it will work fine.
As far as I know, you can only use one LDAP configuration with RSA.
Any thoughts on this?

@Tarik
I believe your suggestion is the only way i'm going to get this to work. I ran across a similar method just this week that I have been working on.
I was hoping for dynamic mapping with the original method, but I haven't found any way to make it happen. I have resorted to creating a Radius profile on the RSA appliance for each access group I need. Using the Class attribute, I then pass the desired Group name to the ACS, i.e. OU=Admins, and that seems to work.
Thankfully, I have a small group of users that I am attempting to map. I will only map those who need elevated priviliges to narrow down how many profiles I will have to manually create. Likewise, our Account Admin will have to determine who gets assigned a particular access group.
I would still prefer to do this dynamically.
Scott

Machine authentication with Windows 7

Version: ISE 1.2p12
Hello,
I'm doing user and machine authentication with ISE.
I use a first authorization rule to authenticate the machine against the AD. If it's part computers of the domain.
Then I use an authorization rule to check if the user's group in AD with the credential he used to open the session + "Network Access:WasMachineAuthenticated = True"
Things seems to be working and I see my switch port is "Authz Success" but shortly after the Windows 7 machine is behaving like 802.1X authentication fails. The little computer on the bottom right has a cross on it.
If I disable and enable again the network card of that windows machine it works.
Does any one of you have an idea about this problem ? something to tweak on Windows 7 like timers...
Thank you

Hi Mika. My comments below:
a) You told me that MAR ("Network Access:WasMachineAuthenticated = True") has some drawbacks. When hibernation is used it can cause problems since the MAC address could have been removed from the cache when the user un-hibernate its computer. Then why not increasing the MAR cache to a value of 7 days then ? Regarding the roaming between wire and wireless it's a problem indeed.
NS: I don't believe that the MAR cache would be affected by a machine hibernating or going to sleep. There are some dot1x related bug fixes that Massimo outlined in his first pos that you should look into. But yes, you can increase the MAR timer to a value that fits your environent
b) You suggest to use one authorization rule for the device which should be part of the AD and one authorization rule for the user with the extra result "IdentityAccessRestricted = False". By the was, are we really talking about authorization rules here ? I will try this but it's difficult for me to imagine how it would really work.
NS: Perhaps there is some confusion here but let me try to explain this again. The "IdentityAccessRestricted" is a check that can be done against a machine or a user account in AD. It is an optional attribute and you don't have to have it. I use it so I can prevent terminated users from gaining access to the network by simply disabling their AD account. Again, that account can be either for a "user" or for a "machine"
z) One question I was asking myself for a long time. All of us want to do machine+user authentication but Windows write Machine OR User Authentication. This "OR" is very confusing.
NS: At the moment, the only way you can accomplish a true machine+user authentication is to use the Cisco AnyConnect supplicant. The process is also known as "EAP-Chaining" and/or "EAP-TEAP." In fact there is an official RFC (RFC 7170 - See link below). Now the question is when and if Microsoft, Apple, Linux, etc will start supporting it:
https://tools.ietf.org/html/rfc7170
Thank you for rating helpful posts!

ISE Web Authentication with Profile

   Hi,
   I'm using Web Authentication with Cisco ISE 1.2.1 without problems.
   The Cisco ISE didn't find the endpoint in my internal endpoint store and continue with Web Authentication
   But when I enable the PSN with the Profile Server, the Cisco ISE populate dynamically the internal endpoint store and I cannot use
   the Web Authentication cause the endpoint is already in the internal endpoint store.
   What's the better way to solve this problem ?
   Thanks in Advanced
   Andre Gustavo Lomonaco

    Hi Neno, let me clarify my question
    I'm already using my internal endpoints to permit authenticate via MAB my IP Phones, Access Points and Printers. I'm using Profile to be able to populate this ISE internet database.
    Now imagine that I wanna use the Web Authentication to permit authenticate guest workstations without 802.1x.If the profile put the guest workstation mac in the endpoints database, those workstation always will be authenticate using the MAC authentication and not the Web Authentication. Remember that for the Web authentication works we need to configure the continue options if the mac are not found in the endpoints database. But when the profile is on, the news (guest workstations) macs are inserted in endpoints database before I have chance to use the Web Authentication.

Apple macosx machine authentication with ISE using EAP-TLS

Hello,
On a ongoing setup we are using eap-tls authentication with account validation against AD. We have our own CA (microsoft based). ISE version 1.2.1 patch 1.
With windows machines all is working well. We are using computer authentication only.
Now the problem is that we wish to do the same with MAC OSX machines.
We are using casper software suite and are able to push certificates into macosx, and are doing machine authentication.
in ISE the certificate authentication profile is being set to look at the subject alternative name - DNS name of the machines. Whenever we set it to the UPN (hostname$) windows accounts are not found in ad.
When MAC OSX authenticate as machines (they have a computer account in AD) they present themselves with RADIUS-Username = hostname$ instead of host/hostname.
The consequence is that by lacking the host/, ISE considers that this is a user authentication, instead of a computer one, and when it sets off to find the account, it searches in User class instead of Computer - which obviously returns no results.
Is anybody aware of any way to force MAC OSX to present a host/hostname RADIUS-Username when authenticating?
Any similar experiences of authenticating MAC OSX with ISE and machine/computer authentication are welcome.
Thanks
Gustavo Novais

Additional information from the above question.
I have the following setup;
ACS 3.2(3) built 11 appliance
-Cisco AP1200 wireless access point
-Novell NDS to be used as an external database
-Windows 2003 enterprise with standalone Certificate Authorithy Services Installed
-Windows XP SP2 Client
My Goal is to use Windows XP Native Wlan Utility to connect to AP using EAP-TLS authentication against Novell NDS.
Tried to connect using Cisco compatible wlaN utility and authenticate using EAP-GTC against Novell NDS for for users, it works fine and perfectly.
When connecting using EAP-TLS, I am getting an error from ACS failed attempt "Auth type Not supported by External DB". But in the ACS documentation says that it supports EAP-TLS. How true is this? Is there anybody have the same problem? Do I need to upgrade my ACS? What should I do? What other authentication type could be used to utilize native WinXP Wlan Utility?
Please help...
Thanks

ISE mab authentication with Avaya/Nortel switches

Currently using Cisco ISE 1.1 to authentication both dot1x and mab from Cisco switches. Both features are authenticating properly.
When we use a Nortel/Avaya switch for the authenticator, we are unable to authenticate using mac bypass (non-eap (or neap) in Avaya talk..). The correct authentication policy is found in the ISE, but the mac address is not found in the database. We know it is there because the same mac is authenticating with the Cisco switch. Dot1x authenticates properly from both the Cisco and Avaya authenticators.
Could this be an issues with the username/password format in the Radius packet from the Cisco?
Thanks in advance for any assistance.
-Kurt

As requested...
http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fet
chBugDetails&bugId=CSCuc22732
MAB works from a cisco switch because the cisco switch places the mac address in the calling-station-attribute and the user-name attribute. The Cisco ISE platform is looking at the calling-station attribute to find the user name.This is the problem.
The radius RFC says the user name must be in the user-name attribute. The calling-station-attribute is not a required field and is used for the phone number of a voip phone. Basically, the ISE platform is looking at the wrong field for the mac address.

Aironet 2702i Autonomous - Web-Authentication with Radius Window 2008

Hi Guys,
I have a problems with case, i have diagrams sample like then : AD(Win2008) - Radius(Win2008) - Aironet 2702i => Use methods Web-Auth for EndUser
This is my Configure file on Aironet 2702i
Aironet2702i#show run
Building configuration...
Current configuration : 8547 bytes
! Last configuration change at 05:08:25 +0700 Fri Oct 31 2014 by admin
version 15.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname Aironet2702i
logging rate-limit console 9
aaa new-model
aaa group server radius rad_mac
aaa group server radius rad_acct
aaa group server radius rad_admin
aaa group server tacacs+ tac_admin
aaa group server radius rad_pmip
aaa group server radius dummy
aaa authentication login default local
aaa authentication login DTSGROUP group radius
aaa authentication login webauth group radius
aaa authentication login weblist group radius
aaa authentication dot1x default group radius
aaa authorization exec default local
aaa session-id common
clock timezone +0700 7 0
no ip source-route
no ip cef
ip admission name webauth proxy http
ip admission name webauth method-list authentication weblist
no ip domain lookup
ip domain name dts.com.vn
dot11 syslog
dot11 activity-timeout unknown default 1000
dot11 activity-timeout client default 1000
dot11 activity-timeout repeater default 1000
dot11 activity-timeout workgroup-bridge default 1000
dot11 activity-timeout bridge default 1000
dot11 vlan-name DTSGroup vlan 46
dot11 vlan-name L6-Webauthen-test vlan 45
dot11 vlan-name NetworkL7 vlan 43
dot11 vlan-name SGCTT vlan 44
dot11 ssid DTS-Group
vlan 46
authentication open eap DTSGROUP
authentication key-management wpa version 2
mbssid guest-mode
dot11 ssid DTS-Group-Floor7
vlan 43
authentication open
authentication key-management wpa version 2
mbssid guest-mode
wpa-psk ascii 7 013D03104C0414040D4D5B5E392559
dot11 ssid L6-Webauthen-test
vlan 45
web-auth
authentication open
dot1x eap profile DTSGROUP
mbssid guest-mode
dot11 ssid SaigonCTT-Public
vlan 44
authentication open
authentication key-management wpa version 2
mbssid guest-mode
wpa-psk ascii 7 04480A0F082E424D1D0D4B141D06421224
dot11 arp-cache optional
dot11 adjacent-ap age-timeout 3
eap profile DTSGROUP
description testwebauth-radius
method peap
method mschapv2
method leap
username TRIHM privilege 15 secret 5 $1$y1J9$3CeHRHUzbO.b6EPBmNlFZ/
username ADMIN privilege 15 secret 5 $1$IvtF$EP6/9zsYgqthWqTyr.1FB0
ip ssh version 2
bridge irb
interface Dot11Radio0
no ip address
encryption vlan 44 mode ciphers aes-ccm
encryption vlan 46 mode ciphers aes-ccm
encryption mode ciphers aes-ccm
encryption vlan 43 mode ciphers aes-ccm
encryption vlan 1 mode ciphers aes-ccm
ssid DTS-Group
ssid DTS-Group-Floor7
ssid L6-Webauthen-test
ssid SaigonCTT-Public
countermeasure tkip hold-time 0
antenna gain 0
stbc
mbssid
packet retries 128 drop-packet
channel 2412
station-role root
rts threshold 2340
rts retries 128
ip admission webauth
interface Dot11Radio0.1
encapsulation dot1Q 1 native
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
interface Dot11Radio0.43
encapsulation dot1Q 43
bridge-group 43
bridge-group 43 subscriber-loop-control
bridge-group 43 spanning-disabled
bridge-group 43 block-unknown-source
no bridge-group 43 source-learning
no bridge-group 43 unicast-flooding
interface Dot11Radio0.44
encapsulation dot1Q 44
bridge-group 44
bridge-group 44 subscriber-loop-control
bridge-group 44 spanning-disabled
bridge-group 44 block-unknown-source
no bridge-group 44 source-learning
no bridge-group 44 unicast-flooding
ip admission webauth
interface Dot11Radio0.45
encapsulation dot1Q 45
bridge-group 45
bridge-group 45 subscriber-loop-control
bridge-group 45 spanning-disabled
bridge-group 45 block-unknown-source
no bridge-group 45 source-learning
no bridge-group 45 unicast-flooding
ip admission webauth
interface Dot11Radio0.46
encapsulation dot1Q 46
bridge-group 46
bridge-group 46 subscriber-loop-control
bridge-group 46 spanning-disabled
bridge-group 46 block-unknown-source
no bridge-group 46 source-learning
no bridge-group 46 unicast-flooding
interface Dot11Radio1
no ip address
shutdown
encryption vlan 46 mode ciphers aes-ccm
encryption vlan 44 mode ciphers aes-ccm
encryption vlan 1 mode ciphers aes-ccm
encryption vlan 43 mode ciphers aes-ccm
encryption vlan 45 mode ciphers ckip-cmic
ssid DTS-Group
ssid DTS-Group-Floor7
ssid SaigonCTT-Public
countermeasure tkip hold-time 0
antenna gain 0
peakdetect
dfs band 3 block
stbc
mbssid
packet retries 128 drop-packet
channel 5745
station-role root
rts threshold 2340
rts retries 128
interface Dot11Radio1.1
encapsulation dot1Q 1 native
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
interface Dot11Radio1.43
encapsulation dot1Q 43
bridge-group 43
bridge-group 43 subscriber-loop-control
bridge-group 43 spanning-disabled
bridge-group 43 block-unknown-source
no bridge-group 43 source-learning
no bridge-group 43 unicast-flooding
interface Dot11Radio1.44
encapsulation dot1Q 44
bridge-group 44
bridge-group 44 subscriber-loop-control
bridge-group 44 spanning-disabled
bridge-group 44 block-unknown-source
no bridge-group 44 source-learning
no bridge-group 44 unicast-flooding
ip admission webauth
interface Dot11Radio1.45
encapsulation dot1Q 45
bridge-group 45
bridge-group 45 subscriber-loop-control
bridge-group 45 spanning-disabled
bridge-group 45 block-unknown-source
no bridge-group 45 source-learning
no bridge-group 45 unicast-flooding
ip admission webauth
interface Dot11Radio1.46
encapsulation dot1Q 46
bridge-group 46
bridge-group 46 subscriber-loop-control
bridge-group 46 spanning-disabled
bridge-group 46 block-unknown-source
no bridge-group 46 source-learning
no bridge-group 46 unicast-flooding
interface GigabitEthernet0
no ip address
duplex auto
speed auto
dot1x pae authenticator
dot1x authenticator eap profile DTSGROUP
dot1x supplicant eap profile DTSGROUP
interface GigabitEthernet0.1
encapsulation dot1Q 1 native
bridge-group 1
bridge-group 1 spanning-disabled
no bridge-group 1 source-learning
interface GigabitEthernet0.43
encapsulation dot1Q 43
bridge-group 43
bridge-group 43 spanning-disabled
no bridge-group 43 source-learning
interface GigabitEthernet0.44
encapsulation dot1Q 44
bridge-group 44
bridge-group 44 spanning-disabled
no bridge-group 44 source-learning
interface GigabitEthernet0.45
encapsulation dot1Q 45
bridge-group 45
bridge-group 45 spanning-disabled
no bridge-group 45 source-learning
interface GigabitEthernet0.46
encapsulation dot1Q 46
bridge-group 46
bridge-group 46 spanning-disabled
no bridge-group 46 source-learning
interface GigabitEthernet1
no ip address
shutdown
duplex auto
speed auto
interface GigabitEthernet1.1
encapsulation dot1Q 1 native
bridge-group 1
bridge-group 1 spanning-disabled
no bridge-group 1 source-learning
interface GigabitEthernet1.43
encapsulation dot1Q 43
bridge-group 43
bridge-group 43 spanning-disabled
no bridge-group 43 source-learning
interface GigabitEthernet1.44
encapsulation dot1Q 44
bridge-group 44
bridge-group 44 spanning-disabled
no bridge-group 44 source-learning
interface GigabitEthernet1.45
encapsulation dot1Q 45
bridge-group 45
bridge-group 45 spanning-disabled
no bridge-group 45 source-learning
interface GigabitEthernet1.46
encapsulation dot1Q 46
bridge-group 46
bridge-group 46 spanning-disabled
no bridge-group 46 source-learning
interface BVI1
mac-address 58f3.9ce0.8038
ip address 172.16.1.62 255.255.255.0
ipv6 address dhcp
ipv6 address autoconfig
ipv6 enable
ip forward-protocol nd
ip http server
ip http authentication aaa
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
radius-server attribute 32 include-in-access-req format %h
radius server 172.16.50.99
address ipv4 172.16.50.99 auth-port 1645 acct-port 1646
key 7 104A1D0A4B141D06421224
bridge 1 route ip
line con 0
logging synchronous
line vty 0 4
exec-timeout 0 0
privilege level 15
logging synchronous
transport input ssh
line vty 5 15
exec-timeout 0 0
privilege level 15
logging synchronous
transport input ssh
end
This is My Logfile on Radius Win 2008 :
Network Policy Server denied access to a user.
Contact the Network Policy Server administrator for more information.
User:
Security ID: S-1-5-21-858235673-3059293199-2272579369-1162
Account Name: xxxxxxxxxxxxxxxx
Account Domain: xxxxxxxxxxx
Fully Qualified Account Name: xxxxxxxxxxxxxxxxxxx
Client Machine:
Security ID: S-1-0-0
Account Name: -
Fully Qualified Account Name: -
OS-Version: -
Called Station Identifier: -
Calling Station Identifier: -
NAS:
NAS IPv4 Address: 172.16.1.62
NAS IPv6 Address: -
NAS Identifier: Aironet2702i
NAS Port-Type: Async
NAS Port: -
RADIUS Client:
Client Friendly Name: Aironet2702i
Client IP Address: 172.16.1.62
Authentication Details:
Connection Request Policy Name: Use Windows authentication for all users
Network Policy Name: DTSWIRELESS
Authentication Provider: Windows
Authentication Server: xxxxxxxxxxxxxx
Authentication Type: PAP
EAP Type: -
Account Session Identifier: -
Logging Results: Accounting information was written to the local log file.
Reason Code: 66
Reason: The user attempted to use an authentication method that is not enabled on the matching network policy.
So i will explain problems what i have seen:
SSID: DTS-Group using authentication EAP with RADIUS and it working great (Authentication Type from Aironet to RADIUS is PEAP)
SSID:L6-Webauthen-test using web-auth and i had try to compare with RADIUS but ROOT CAUSE is AUTHENTICATION TYPE from Aironet to RADIUS default is PAP. (Reason Code : 66)
=> I had trying to find how to change Authentication Type of Web-Auth on Cisco Aironet from PAP to PEAP or sometime like that for combine with RADIUS.
Any idea or recommend for me ?
Thanks for see my case

Hi Dhiresh Yadav,
Many thanks for your reply me,
I will explain again for clear my problems.
At this case, i had setup complete SSID DTS-Group use authentication with security as PEAP combine Radius Server running on Window 2008.
I had login SSID by Account create in AD =>  It's work okay with me. Done
Problems occurs when i try to use Web-authentication on Vlan45 With SSID :
dot11 ssid L6-Webauthen-test
vlan 45
web-auth
authentication open
dot1x eap profile DTSGROUP
mbssid guest-mode
After configured on Aironet and Window Radius , i had try to login with Account create in AD by WebBrowser but it Fail ( i have see mini popup said: Authentication Fail" . So i go to Radius Server and search log on EventViewer.
This is My Logfile on Radius Win 2008 :
Network Policy Server denied access to a user.
NAS:
NAS IPv4 Address: 172.16.1.62
NAS IPv6 Address: -
NAS Identifier: Aironet2702i
NAS Port-Type: Async
NAS Port: -
RADIUS Client:
Client Friendly Name: Aironet2702i
Client IP Address: 172.16.1.62
Authentication Details:
Connection Request Policy Name: Use Windows authentication for all users
Network Policy Name: DTSWIRELESS
Authentication Provider: Windows
Authentication Server: xxxxxxxxxxxxxx
Authentication Type: PAP
EAP Type: -
Account Session Identifier: -
Logging Results: Accounting information was written to the local log file.
Reason Code: 66
Reason: The user attempted to use an authentication method that is not enabled on the matching network policy.
Im think ROOT CAUSE is :
PAP is the default authentication type for web-auth users on Aironet 2702i, so it can't combine with Radius Window 2008 because they just support PEAP (CHAPv1,CHAPv2....) => Please give me a tip how to change Authentication Type from PAP to PEAP for Web Authentication on Aironet

Problem Authentication with AP 1130AG

Similar Messages

Maybe you are looking for