Profiling Problem & Web Authentication Proxy

Dear All,
I am facing problem with profiling of workstation over wireless network as ISE is marking these workstations as 'Unknown'. Whereas if I connect same workstation using wired connection then it gets profiled in the right category.
Profiling for wireless network was working fine initially but as soon as I pointed AAA towards ISE in the employee SSID then ISE started marking any new workstation as 'Unknown'. Before enabling AAA in the WLAN (SSID) the profiling was working fine using 'Radius NAC' setting in advanced tab of the same SSID. Becasue of the unknown category, workstation gets authorization rejection as per the authorization policy.
I have another query reagrding enabling 'web authentication proxy' on Cisco WLC. I have guest wireless setup using dedicated anchor controller and ISE is providing the guest sponsor and guest portal services. So when a guest user comes in and if the user already has some proxy configured in the browser then url redirection for guest portal doesn't work and guest user must remove the proxy.
So this requires someone to enagage with guest user but the client want this process to be automatic. I have gone through following document,
http://www.cisco.com/en/US/products/ps10315/products_configuration_example09186a0080b8a909.shtml
but I am not sure if this solution will also work if the guest portal service is through ISE instead of WLC itself ??
Thanks & Regards,
Mujeeb

Not a problem the reason your profiling is failing for wireless users is that the profiling information for dhcp isnt hitting the ise nodes. For the wired devices are you using the dhcp probe to profile the users? If so, then your issue is with the dhcp proxy setting on the controller. Even through you have the ip helper statement on the svi, essentially your controller is proxying the dhcp broadcasts from the client straight to the dhcp server, so even you enable the ip helper statements on the svi for the ISE nodes it will not work.
You are correct for the guests, typically if a guest has enabled proxy settings before they should know that they should probably disable this setting when the connect to a new network.
Also I can not remember but arent the proxy settings configured under the network settings tab? Meaning the only time you would experience this issue is if the ssid you are broadcasting is the same as the ssid they have connected to previously?
Thanks,
Tarik Admani
*Please rate helpful posts*

Similar Messages

ISE Web Authentication with Profile

   Hi,
   I'm using Web Authentication with Cisco ISE 1.2.1 without problems.
   The Cisco ISE didn't find the endpoint in my internal endpoint store and continue with Web Authentication
   But when I enable the PSN with the Profile Server, the Cisco ISE populate dynamically the internal endpoint store and I cannot use
   the Web Authentication cause the endpoint is already in the internal endpoint store.
   What's the better way to solve this problem ?
   Thanks in Advanced
   Andre Gustavo Lomonaco

    Hi Neno, let me clarify my question
    I'm already using my internal endpoints to permit authenticate via MAB my IP Phones, Access Points and Printers. I'm using Profile to be able to populate this ISE internet database.
    Now imagine that I wanna use the Web Authentication to permit authenticate guest workstations without 802.1x.If the profile put the guest workstation mac in the endpoints database, those workstation always will be authenticate using the MAC authentication and not the Web Authentication. Remember that for the Web authentication works we need to configure the continue options if the mac are not found in the endpoints database. But when the profile is on, the news (guest workstations) macs are inserted in endpoints database before I have chance to use the Web Authentication.

Web authentication with Radius server problem

Hello,
I'm having problem to web authenticate users via radius server for one WLC. Here is the outpu from WLC:
*emWeb: Mar 26 14:17:31.537: 20:7d:xx:xx:d8:f0 Username entry (aaaaaa) created for mobile, length = 7
*emWeb: Mar 26 14:17:31.537: 20:7d:xx:xx:d8:f0 Username entry (aaaaaa) created in mscb for mobile, length = 7
*aaaQueueReader: Mar 26 14:17:31.537: Unable to find requested user entry for aaaaaa
*aaaQueueReader: Mar 26 14:17:31.537: ReProcessAuthentication previous proto 8, next proto 1
*aaaQueueReader: Mar 26 14:17:31.537: AuthenticationRequest: 0x1e08eb94
*aaaQueueReader: Mar 26 14:17:31.538:   Callback.....................................0x10908d90
*aaaQueueReader: Mar 26 14:17:31.538:   protocolType.................................0x00000001
*aaaQueueReader: Mar 26 14:17:31.538:   proxyState...................................20:7D:xx:xx:D8:F0-00:00
*aaaQueueReader: Mar 26 14:17:31.538:   Packet contains 11 AVPs (not shown)
*aaaQueueReader: Mar 26 14:17:31.538: apfVapRadiusInfoGet: WLAN(1) dynamic int attributes srcAddr:0x0, gw:0x0, mask:0x0, vlan:0, dpPort:0, srcPort:0
*aaaQueueReader: Mar 26 14:17:31.538: 20:7d:xx:xx:d8:f0 Successful transmission of Authentication Packet (id 67) to 10.xx.33.249:1645, proxy state 20:7d:xx:xx:d8:f0-00:01
*aaaQueueReader: Mar 26 14:17:31.538: 00000000: 01 43 00 8c 48 7c a7 ff df 06 53 30 c0 be e1 8e .C..H|....S0....
*aaaQueueReader: Mar 26 14:17:31.538: 00000010: d7 fd 8b d3 01 09 73 65 66 72 73 76 65 02 12 7b ......aaaaaa..{
*aaaQueueReader: Mar 26 14:17:31.538: 00000020: ae 2e f5 eb fa cf f5 cc 3b 08 65 d7 04 0e ba 06 ........;.e.....
*aaaQueueReader: Mar 26 14:17:31.538: 00000030: 06 00 00 00 01 04 06 0a 2e 09 14 05 06 00 00 00 ................
*aaaQueueReader: Mar 26 14:17:31.538: 00000040: 0d 20 0d 73 65 76 73 74 2d 6c 77 63 31 30 3d 06 ...xxxxx-lwc10=.
*aaaQueueReader: Mar 26 14:17:31.538: 00000050: 00 00 00 13 1a 0c 00 00 37 63 01 06 00 00 00 01 ........7c......
*aaaQueueReader: Mar 26 14:17:31.538: 00000060: 1f 0e 31 39 32 2e 31 36 38 2e 31 2e 36 31 1e 0c ..192.168.1.61..
*aaaQueueReader: Mar 26 14:17:31.538: 00000070: 31 30 2e 34 36 2e 39 2e 32 30 50 12 95 11 7c d9 10.xx.9.20P...|.
*aaaQueueReader: Mar 26 14:17:31.538: 00000080: 75 8e 01 6e bf 62 38 f8 38 ab 68 4a              u..n.b8.8.hJ
*radiusTransportThread: Mar 26 14:17:31.603: 00000000: 03 43 00 14 e5 8c e7 75 52 04 af e0 07 b7 fb 96 .C.....uR.......
*radiusTransportThread: Mar 26 14:17:31.603: 00000010: c1 4a fb 40                                       .J.@
*radiusTransportThread: Mar 26 14:17:31.603: ****Enter processIncomingMessages: response code=3
*radiusTransportThread: Mar 26 14:17:31.603: ****Enter processRadiusResponse: response code=3
*radiusTransportThread: Mar 26 14:17:31.603: 20:7d:xx:xx:d8:f0 Access-Reject received from RADIUS server 10.xx.33.249 for mobile 20:7d:xx:xx:d8:f0 receiveId = 0
*radiusTransportThread: Mar 26 14:17:31.603: ReProcessAuthentication previous proto 1, next proto 2
*radiusTransportThread: Mar 26 14:17:31.603: AuthenticationRequest: 0x1da9fa4c
*radiusTransportThread: Mar 26 14:17:31.603:    Callback.....................................0x10908d90
*radiusTransportThread: Mar 26 14:17:31.603:    protocolType.................................0x00000002
*radiusTransportThread: Mar 26 14:17:31.603:    proxyState...................................20:7D:xx:xx:D8:F0-00:00
*radiusTransportThread: Mar 26 14:17:31.603:    Packet contains 11 AVPs (not shown)
*radiusTransportThread: Mar 26 14:17:31.605: 20:7d:xx:xx:d8:f0 Returning AAA Error 'No Server' (-7) for mobile 20:7d:xx:xx:d8:f0
*radiusTransportThread: Mar 26 14:17:31.605: AuthorizationResponse: 0x2dd03648
*radiusTransportThread: Mar 26 14:17:31.605:    structureSize................................32
*radiusTransportThread: Mar 26 14:17:31.605:    resultCode...................................-7
*radiusTransportThread: Mar 26 14:17:31.605:    protocolUsed.................................0x00000002
*radiusTransportThread: Mar 26 14:17:31.605:    proxyState...................................20:7D:xx:xx:D8:F0-00:00
*radiusTransportThread: Mar 26 14:17:31.605:    Packet contains 0 AVPs:
*emWeb: Mar 26 14:17:31.605: Authentication failed for aaaaaa
*emWeb: Mar 26 14:17:31.605: 20:7d:xx:xx:d8:f0 Username entry deleted for mobile
*emWeb: Mar 26 14:17:31.605: 20:7d:xx:xx:d8:f0 Plumbing web-auth redirect rule due to user logout
*emWeb: Mar 26 14:17:31.605: 20:7d:xx:xx:d8:f0 192.168.1.61 WEBAUTH_REQD (8) Deleting mobile policy rule 42461
*emWeb: Mar 26 14:17:31.605: 20:7d:xx:xx:d8:f0 Adding Web RuleID 42464 for mobile 20:7d:xx:xx:d8:f0
*emWeb: Mar 26 14:17:31.605: 20:7d:xx:xx:d8:f0 Web Authentication failure for station
*emWeb: Mar 26 14:17:31.605: 20:7d:xx:xx:d8:f0 192.168.1.61 WEBAUTH_REQD (8) Reached ERROR: from line 5069
That was pretty clear for me that Radius is refusing to give user access.
Fully-Qualified-User-Name = NMEA\aaaaaa
NAS-IP-Address = 10.xx.9.20
NAS-Identifier = xxxxx-lwc10
Called-Station-Identifier = 10.xx.9.20
Calling-Station-Identifier = 192.168.1.61
Client-Friendly-Name = YYY10.xx
Client-IP-Address = 10.xx.9.20
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 13
Proxy-Policy-Name = Use Windows authentication forall users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = YYYYY Wireless Users
Authentication-Type = PAP
EAP-Type = <undetermined>
Reason-Code = 66
Reason = The user attempted to use an authentication method that is not enabled on the matching remote access policy
That output is from WLC 5508 version 7.0.235
What is strange, that user was able to authenticate from other before refresh WLC 4402 ver 4.2.207. I cannot change WLC because of AP which cannot run old version.
this is output from working client connection from old WLC
NAS-IP-Address = 10.xx.9.13
NAS-Identifier = xxxxx-lwc03
Client-Friendly-Name = YYY10.46
Client-IP-Address = 10.xx.9.13
Calling-Station-Identifier = 192.168.19.246
NAS-Port-Type = <not present>
NAS-Port = <not present>
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = YYYYY Wireless Guest Access
Authentication-Type = PAP
EAP-Type = <undetermined>
I know there is different Policy Name used, but my question is why it is not using the same as on old WLC when configuration is same.
Is there any way I can force users to use different policy from WLC or AP configuration or is this solely configuration of Radius?
Is it maybe problem of version 7.0.235?
Any toughts would be much appriciated.

Scott,
You are probably right. The condition that is checked for the first policy name (we have 2) is to match
NAS-Port-Type = Wireless - IEEE 802.11, and this is basically used to differentiate guests from other company users.
as you can see from the logs the one that is working correctly is not sending NAS-Port-Type. The question is why.
As I said before.
WLC 5508 ver. 7.0.235 is sending NAS-Port-Type
WLC 4402 ver. 4.2.207 is not.
The same user was working OK on 4402 WLC and after refresh and associating APs to 5508 it all broke, so client did not changed anything on adapter.

How to use Axis to access a web service through Authentication proxy

Using axis access internat web service is success,but access a web service through Authentication proxy is failure.But other java classes connect through a proxy to the internet which works very well:
please help me ,thank you!!!
import org.apache.axis.client.Call;
import org.apache.axis.client.Service;
import javax.xml.namespace.QName;
//this is my access webservice faliure   codes
public class TestClient
   public static void main(String [] args) {
       try {
            System.getProperties().setProperty("http.proxySet", "true");
            System.getProperties().setProperty("http.proxyHost","proxy.com");
            System.getProperties().setProperty("http.proxyPort", "8080");
            System.getProperties().setProperty("http.proxyUser", "username");
            System.getProperties().setProperty("http.proxyPassword","password");
           String endpoint =
                    "http://nagoya.apache.org:5049/axis/services/echo";
           Service service = new Service();
           Call     call    = (Call) service.createCall();
           call.setTargetEndpointAddress( new java.net.URL(endpoint) );
           call.setOperationName(new QName("http://soapinterop.org/", "echoString") );
           String ret = (String) call.invoke( new Object[] { "Hello!" } );
           System.out.println("Sent 'Hello!', got '" + ret + "'");
       } catch (Exception e) {
           System.err.println(e.toString());
   }I get an "(407)Proxy authorization required" error?

I am also looking for a solution. Does any one know how to do through code instead of jvm settings?
Thanks in advance!

Publish Sharepoint 2013 via Web Application Proxy and Kerberos Authentication

This is similar to
http://social.technet.microsoft.com/Forums/windowsserver/en-US/66c23aae-8774-4257-b9f9-b796e69b0318/action?threadDisplayName=publishing-sharepoint-2010-using-web-application-proxy
However I have tried his resolution to no avail.
I am trying to publish a SharePoint 2013 website via web application proxy. SharePoint 2013 is using negotiate (Kerberos) as its authentication provider. When trying to browse to the site externally via the WAP I get an http error 500 internal server error.
In the web application proxy's event viewer I find the following two entries every time I try to browse the site.
event ID 13019
level: warning
Web Application Proxy cannot retrieve a Kerberos ticket on behalf of the user because of the following general API error: No credentials are available in the security package
(0x8009030e).
Details:
Transaction ID: {5672be45-a4b8-0005-58ff-7256b8a4cf01}
Session ID: {5672be45-a4b8-0000-3909-7356b8a4cf01}
Published Application Name: sharepoint
Published Application ID: ****
Published Application External URL: https://sharepoint.domain.com
Published Backend URL: https://sharepoint.domain.com
User: [email protected]
User-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; NOKIA; Lumia 920) like Gecko
Device ID: <Not Applicable>
Token State: OK
Cookie State: NotFound
Client Request URL:
https://sharepoint.domain.com/home?authToken=****client-request-id=****
Backend Request URL: <Not Applicable>
Preauthentication Flow: PreAuthBrowser
Backend Server Authentication Mode: WIA
State Machine State: BackendRequestProcessing_Pending
Response Code to Client: <Not Applicable>
Response Message to Client: <Not Applicable>
Client Certificate Issuer: <Not Found>"
And
event ID 12027
level: error
Web Application Proxy encountered an unexpected error while processing the request.
Error: No credentials are available in the security package
(0x8009030e).
Details:
Transaction ID: ****
Session ID: ****
Published Application Name: Sharepoint
Published Application ID: ****
Published Application External URL: https://sharepoint.domain.com/
Published Backend URL: https://sharepoint.domain.com/
User: [email protected]
User-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; NOKIA; Lumia 920) like Gecko
Device ID: <Not Applicable>
Token State: OK
Cookie State: NotFound
Client Request URL:
https://gateway.dcsch.co.uk/home?authToken=****client-request-id=****
Backend Request URL: <Not Applicable>
Preauthentication Flow: PreAuthBrowser
Backend Server Authentication Mode: WIA
State Machine State: OuOfOrderFEHeadersWriting
Response Code to Client: 500
Response Message to Client: <Not Applicable>
Client Certificate Issuer: <Not Found>"
I have tried everything I have seen in many posts and the one linked above but cannot get this working. It does work fine internally.

And within the next 10 minutes I found this
http://technet.microsoft.com/en-us/library/dn308246.aspx#Kerberos
Needed to set up delegation to ANY service in the Web application proxy

Web service proxy take ~4 minutes to detect connection problem in AIX!

Dear All,
i am developing a client application that consume web service , by jdeveloper 10.1.3.1.
i found a problem, in AIX, that the web service proxy generated by jdeveloper take long time
to detect connection problem to the server (e.g. server is down, network down, invalid
ip address or port supplied).
in ms window, if the proxy can't reach the server, it throw exception within seconds.
but in ibm AIX, it take about 4 minutes !!! the time is too long until the exception is thrown.
could anybody help me?
is there something i can set to greatly shorten the hanging time when connection
problem?
thank you.

nobody experience this problem?

Problem with web service proxy and connections.xml

JDev 11.1.14
Hello
I'm trying to create a web service proxy that takes advantage of the connections.xml so that the endpoints can be changed without recompiling the code (as described here http://download.oracle.com/docs/cd/E17904_01/web.1111/b31974/web_services.htm#ADFFD548 - 13.2.2 How to Create a New Web Service Connection)
I created the web service proxy using the Jdev wizard and a test client. The access to the web service works as expected.
The client test code is :
package model;
import ch.mit.trac.ws.proxy.*;
import ch.mit.trac.ws.root.Currency;
import javax.naming.NamingException;
public class wsTest {
public wsTest() {
    super();
public void testIt() throws NamingException {
    CurrencyConvertor currencyConvertor = new CurrencyConvertor();
    CurrencyConvertorSoap currencyConvertorSoap = currencyConvertor.getCurrencyConvertorSoap();
    Double res = currencyConvertorSoap.conversionRate(Currency.CHF, Currency.USD);
    System.out.println("Hello");
    System.out.println(res);
public static void main(String [] args) throws NamingException {
    wsTest tt = new wsTest();
    tt.testIt();
}I then create a connection as described in the docs.
I now have a connections.xml as follows:
<?xml version = '1.0' encoding = 'UTF-8'?>
<References xmlns="http://xmlns.oracle.com/adf/jndi">
   <Reference name="CurrencyConvertor" className="oracle.adf.model.connection.webservice.impl.WebServiceConnectionImpl" xmlns="">
      <Factory className="oracle.adf.model.connection.webservice.api.WebServiceConnectionFactory"/>
      <RefAddresses>
         <XmlRefAddr addrType="WebServiceConnection">
            <Contents>
               <wsconnection description="file:/C:/JDeveloper/mywork/WebServiceTest/Model/src/ch/mit/trac/ws/proxy/CurrencyConvertor.wsdl" service="{http://www.webserviceX.NET/}CurrencyConvertor">
                  <model name="{http://www.webserviceX.NET/}CurrencyConvertor" xmlns="http://oracle.com/ws/model">
                     <service name="{http://www.webserviceX.NET/}CurrencyConvertor">
                        <port name="CurrencyConvertorHttpPost" binding="{http://www.webserviceX.NET/}CurrencyConvertorHttpPost">
                           <operation name="ConversionRate">
                              <output name=""/>
                              <input name=""/>
                           </operation>
                        </port>
                        <port name="CurrencyConvertorHttpGet" binding="{http://www.webserviceX.NET/}CurrencyConvertorHttpGet">
                           <operation name="ConversionRate">
                              <output name=""/>
                              <input name=""/>
                           </operation>
                        </port>
                        <port name="CurrencyConvertorSoap12" binding="{http://www.webserviceX.NET/}CurrencyConvertorSoap12">
                           <soap addressUrl="http://www.webservicex.com/CurrencyConvertor.asmx" xmlns="http://schemas.xmlsoap.org/wsdl/soap/"/>
                           <operation name="ConversionRate">
                              <soap soapAction="http://www.webserviceX.NET/ConversionRate" xmlns="http://schemas.xmlsoap.org/wsdl/soap/"/>
                              <output name=""/>
                              <input name=""/>
                           </operation>
                        </port>
                        <port name="CurrencyConvertorSoap" binding="{http://www.webserviceX.NET/}CurrencyConvertorSoap">
                           <soap addressUrl="http://www.webservicex.com/CurrencyConvertor.asmx" xmlns="http://schemas.xmlsoap.org/wsdl/soap/"/>
                           <operation name="ConversionRate">
                              <soap soapAction="http://www.webserviceX.NET/ConversionRate" xmlns="http://schemas.xmlsoap.org/wsdl/soap/"/>
                              <output name=""/>
                              <input name=""/>
                           </operation>
                        </port>
                     </service>
                  </model>
               </wsconnection>
            </Contents>
         </XmlRefAddr>
      </RefAddresses>So far so good.
I then created a new jspx page with a button that calls a method in a request scoped bean.
The method is supposed to use the connections.xml to get the web service proxy in order to call the web service.
The bean code is as follows :
package ch.mit.test;
import javax.faces.event.ActionEvent;
import ch.mit.trac.ws.proxy.*;
import ch.mit.trac.ws.root.Currency;
import javax.naming.Context;
import javax.naming.NamingException;
import oracle.adf.model.connection.webservice.api.WebServiceConnection;
import oracle.adf.share.ADFContext;
public class test {
public test() {
public void testIt() throws NamingException {
    Context ctx;
    ctx = ADFContext.getCurrent().getConnectionsContext();
    WebServiceConnection wsc;
    wsc = (WebServiceConnection) ctx.lookup("CurrencyConvertor");
    CurrencyConvertor currencyConvertor = wsc.getJaxWSPort(CurrencyConvertor.class);   -- NPE here
    CurrencyConvertorSoap currencyConvertorSoap = currencyConvertor.getCurrencyConvertorSoap();
    Double res = currencyConvertorSoap.conversionRate(Currency.CHF, Currency.USD);
    System.out.println("Hello");
    System.out.println(res);
public void testws(ActionEvent actionEvent) {
    try {
      testIt();
    } catch (NamingException e) {
}When running the application and clicking on the button I keep getting the following error at the line marked NPE Here above:
<LifecycleImpl> <_handleException> ADF_FACES-60098:Le cycle de vie Faces reçoit des exceptions non traitées en phase INVOKE_APPLICATION 5
javax.faces.el.EvaluationException: java.lang.NullPointerException
     at org.apache.myfaces.trinidadinternal.taglib.util.MethodExpressionMethodBinding.invoke(MethodExpressionMethodBinding.java:58)
     at org.apache.myfaces.trinidad.component.UIXComponentBase.broadcastToMethodBinding(UIXComponentBase.java:1256)
     at org.apache.myfaces.trinidad.component.UIXCommand.broadcast(UIXCommand.java:183)
     at javax.faces.component.UIViewRoot.broadcastEvents(UIViewRoot.java:475)
     at javax.faces.component.UIViewRoot.processApplication(UIViewRoot.java:756)
     at oracle.adfinternal.view.faces.lifecycle.LifecycleImpl._invokeApplication(LifecycleImpl.java:765)
     at oracle.adfinternal.view.faces.lifecycle.LifecycleImpl._executePhase(LifecycleImpl.java:305)
     at oracle.adfinternal.view.faces.lifecycle.LifecycleImpl.execute(LifecycleImpl.java:185)
     at javax.faces.webapp.FacesServlet.service(FacesServlet.java:265)
     at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
     at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
     at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:300)
     at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:26)
     at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
     at oracle.adf.share.http.ServletADFFilter.doFilter(ServletADFFilter.java:62)
     at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
     at oracle.adfinternal.view.faces.webapp.rich.RegistrationFilter.doFilter(RegistrationFilter.java:106)
     at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl$FilterListChain.doFilter(TrinidadFilterImpl.java:446)
     at oracle.adfinternal.view.faces.activedata.AdsFilter.doFilter(AdsFilter.java:60)
     at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl$FilterListChain.doFilter(TrinidadFilterImpl.java:446)
     at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl._doFilterImpl(TrinidadFilterImpl.java:271)
     at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl.doFilter(TrinidadFilterImpl.java:177)
     at org.apache.myfaces.trinidad.webapp.TrinidadFilter.doFilter(TrinidadFilter.java:92)
     at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
     at oracle.security.jps.ee.http.JpsAbsFilter$1.run(JpsAbsFilter.java:111)
     at java.security.AccessController.doPrivileged(Native Method)
     at oracle.security.jps.util.JpsSubject.doAsPrivileged(JpsSubject.java:313)
     at oracle.security.jps.ee.util.JpsPlatformUtil.runJaasMode(JpsPlatformUtil.java:413)
     at oracle.security.jps.ee.http.JpsAbsFilter.runJaasMode(JpsAbsFilter.java:94)
     at oracle.security.jps.ee.http.JpsAbsFilter.doFilter(JpsAbsFilter.java:161)
     at oracle.security.jps.ee.http.JpsFilter.doFilter(JpsFilter.java:71)
     at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
     at oracle.dms.servlet.DMSServletFilter.doFilter(DMSServletFilter.java:136)
     at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
     at weblogic.servlet.internal.RequestEventsFilter.doFilter(RequestEventsFilter.java:27)
     at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
     at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.wrapRun(WebAppServletContext.java:3715)
     at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3681)
     at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
     at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120)
     at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2277)
     at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2183)
     at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1454)
     at weblogic.work.ExecuteThread.execute(ExecuteThread.java:207)
     at weblogic.work.ExecuteThread.run(ExecuteThread.java:176)
Caused by: java.lang.NullPointerException
     at java.lang.Class.isAssignableFrom(Native Method)
     at oracle.j2ee.ws.common.jaxws.runtime.GenericJavaType.create(GenericJavaType.java:97)
     at oracle.j2ee.ws.common.jaxws.runtime.GenericJavaType.create(GenericJavaType.java:118)
     at oracle.j2ee.ws.common.jaxws.runtime.OperationMappingModeler.processParameters(OperationMappingModeler.java:268)
     at oracle.j2ee.ws.common.jaxws.runtime.OperationMappingModeler.processMethod(OperationMappingModeler.java:155)
     at oracle.j2ee.ws.common.jaxws.runtime.ServiceEndpointRuntimeModeler.buildRuntimeModel(ServiceEndpointRuntimeModeler.java:114)
     at oracle.j2ee.ws.client.jaxws.WsClientProxyFactory.getRuntimeMetadata(WsClientProxyFactory.java:69)
     at oracle.j2ee.ws.client.jaxws.WsClientProxyFactory.createProxy(WsClientProxyFactory.java:126)
     at oracle.j2ee.ws.client.jaxws.WsClientProxyFactory.createProxy(WsClientProxyFactory.java:106)
     at oracle.j2ee.ws.common.jaxws.ServiceDelegateImpl.getPort(ServiceDelegateImpl.java:219)
     at oracle.j2ee.ws.common.jaxws.ServiceDelegateImpl.getPort(ServiceDelegateImpl.java:249)
     at oracle.adf.model.connection.webservice.impl.WebServiceConnectionImpl.getJaxWSPort(WebServiceConnectionImpl.java:399)
     at ch.mit.test.test.testIt(test.java:27)
     at ch.mit.test.test.testws(test.java:41)
     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
     at java.lang.reflect.Method.invoke(Method.java:597)
     at com.sun.el.parser.AstValue.invoke(Unknown Source)
     at com.sun.el.MethodExpressionImpl.invoke(Unknown Source)
     at org.apache.myfaces.trinidadinternal.taglib.util.MethodExpressionMethodBinding.invoke(MethodExpressionMethodBinding.java:53)
     ... 44 moreCan anybody help as to what the problem is...
(the WSDL is at http://www.webservicex.com/CurrencyConvertor.asmx?WSDL)
Regards
Paul

Hi Frank
The page is ADF bound, I've added the page source and the adfc-config source below :
Page
<?xml version='1.0' encoding='UTF-8'?>
<jsp:root xmlns:jsp="http://java.sun.com/JSP/Page" version="2.1"
          xmlns:f="http://java.sun.com/jsf/core"
          xmlns:h="http://java.sun.com/jsf/html"
          xmlns:af="http://xmlns.oracle.com/adf/faces/rich">
<jsp:directive.page contentType="text/html;charset=UTF-8"/>
<f:view>
    <af:document id="d1">
      <af:form id="f1">
        <af:commandButton text="commandButton 1" id="cb1"
                          actionListener="#{test.testws}"/>
      </af:form>
    </af:document>
</f:view>
</jsp:root>adfc-config
<?xml version="1.0" encoding="windows-1252" ?>
<adfc-config xmlns="http://xmlns.oracle.com/adf/controller" version="1.2">
<view id="view1">
    <page>/view1.jspx</page>
</view>
<managed-bean id="__4">
    <managed-bean-name id="__3">test</managed-bean-name>
    <managed-bean-class id="__2">ch.mit.test.test</managed-bean-class>
    <managed-bean-scope id="__1">request</managed-bean-scope>
</managed-bean>
</adfc-config>It seems to be the same sort of problem as in Re: Error in ADF Web Service Connection
Regards
Paul

ISE 1.2 web authentication problem with wired clients

Hello,
i am having problems with centralized web authentication using a Catalyst 3650X with IOS 15.0.2 SE01 and ISE 1.2.
Redirecting the client works fine, but as soon the client opens a web browser and ISE websites open to authenticate the client, the switch port resets, the authentication process restarts and the session ID changes. After the client enters the credentials a session expired messages appears on the client and i get an 86017 Session Missing message in ISE.
here the output form the debug aaa coa log.
Any ideas
thanks in advanced
Alex
! CLIENT CONNECT TO SWITCHPORT
ISE-TEST-SWITCH#show authentication sessions interface gi0/3
Interface: GigabitEthernet0/3
MAC Address: 001f.297b.bd82
IP Address: 10.2.12.45
User-Name: 00-1F-29-7B-BD-82
Status: Authz Success
Domain: DATA
Security Policy: Should Secure
Security Status: Unsecure
Oper host mode: multi-auth
Oper control dir: both
Authorized By: Authentication Server
Vlan Policy: N/A
ACS ACL: xACSACLx-IP-PERMIT_ALL_TRAFFIC-537cb1d6
URL Redirect ACL: ACL-WEBAUTH-REDIRECT
URL Redirect: https://nos-ch-wbn-ise1.nosergroup.lan:8443/guestportal/gateway?sessionId=AC1484640000026B28C02CDC&action=cwa
Session timeout: N/A
Idle timeout: N/A
Common Session ID: AC1484640000026B28C02CDC
Acct Session ID: 0x0000029C
Handle: 0x8C00026C
Runnable methods list:
Method State
dot1x Failed over
mab Authc Success
! CLIENT OPENS INTERNETEXPLORER -> REDIRECTS TO ISE
! SWITCHPORT GOES IN ADMINISTRATIVE DOWN STARTS AUTHENTICATION AGAIN
ISE-TEST-SWITCH#
191526: .Jun 24 10:42:24.340 UTC: COA: 10.0.128.38 request queued
191527: .Jun 24 10:42:24.340 UTC: RADIUS: authenticator 7F A9 85 AB F6 4A D0 F3 - B4 E6 F2 56 74 C6 2D 33
191528: .Jun 24 10:42:24.340 UTC: RADIUS: NAS-IP-Address [4] 6 172.20.132.100
191529: .Jun 24 10:42:24.340 UTC: RADIUS: Calling-Station-Id [31] 19 "00:1F:29:7B:BD:82"
191530: .Jun 24 10:42:24.340 UTC: RADIUS: Acct-Terminate-Cause[49] 6 admin-reset [6]
191531: .Jun 24 10:42:24.340 UTC: RADIUS: Event-Timestamp [55] 6 1403606529
191532: .Jun 24 10:42:24.340 UTC: RADIUS: Message-Authenticato[80] 18
191533: .Jun 24 10:42:24.340 UTC: RADIUS: E0 3C B2 8C 89 47 67 A8 69 F5 3D 08 61 FF 53 6E [ <Ggi=aSn]
191534: .Jun 24 10:42:24.340 UTC: RADIUS: Vendor, Cisco [26] 43
191535: .Jun 24 10:42:24.340 UTC: RADIUS: Cisco AVpair [1] 37 "subscriber:command=bounce-host-port"
191536: .Jun 24 10:42:24.340 UTC: COA: Message Authenticator decode passed
191537: .Jun 24 10:42:24.340 UTC: ++++++ CoA Attribute List ++++++
191538: .Jun 24 10:42:24.340 UTC: 06D96C58 0 00000001 nas-ip-address(600) 4 172.20.132.100
191539: .Jun 24 10:42:24.349 UTC: 06D9AC18 0 00000081 formatted-clid(37) 17 00:1F:29:7B:BD:82
191540: .Jun 24 10:42:24.349 UTC: 06D9AC4C 0 00000001 disc-cause(434) 4 admin-reset
191541: .Jun 24 10:42:24.349 UTC: 06D9AC80 0 00000001 Event-Timestamp(445) 4 1403606529(53A95601)
191542: .Jun 24 10:42:24.349 UTC: 06D9ACB4 0 00000081 ssg-command-code(490) 1 33
191543: .Jun 24 10:42:24.349 UTC:
191544: .Jun 24 2014 10:42:24.365 UTC: %EPM-6-IPEVENT: IP 10.2.12.45| MAC 001f.297b.bd82| AuditSessionID AC1484640000026B28C02CDC| AUTHTYPE DOT1X| EVENT IP-RELEASE
191545: .Jun 24 2014 10:42:24.382 UTC: %EPM-6-IPEVENT: IP 10.2.12.45| MAC 001f.297b.bd82| AuditSessionID AC1484640000026B28C02CDC| AUTHTYPE DOT1X| EVENT IP-WAIT
191546: .Jun 24 2014 10:42:24.382 UTC: %EPM-6-POLICY_REQ: IP 0.0.0.0| MAC 001f.297b.bd82| AuditSessionID AC1484640000026B28C02CDC| AUTHTYPE DOT1X| EVENT REMOVE
191547: .Jun 24 2014 10:42:24.390 UTC: %EPM-6-AUTH_ACL: POLICY Auth-Default-ACL-OPEN| EVENT DETACH-SUCCESS
191548: .Jun 24 2014 10:42:26.353 UTC: %LINK-5-CHANGED: Interface GigabitEthernet0/3, changed state to administratively down
191549: .Jun 24 2014 10:42:27.359 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/3, changed state to down
ISE-TEST-SWITCH#
191550: .Jun 24 2014 10:42:36.366 UTC: %LINK-3-UPDOWN: Interface GigabitEthernet0/3, changed state to down
191551: .Jun 24 10:42:40.592 UTC: AAA/BIND(000002A7): Bind i/f
191552: .Jun 24 2014 10:42:41.129 UTC: %AUTHMGR-5-START: Starting 'dot1x' for client (001f.297b.bd82) on Interface Gi0/3 AuditSessionID AC1484640000026C28C2FA05
191553: .Jun 24 2014 10:42:42.580 UTC: %LINK-3-UPDOWN: Interface GigabitEthernet0/3, changed state to up
191554: .Jun 24 2014 10:42:43.586 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/3, changed state to up
! SESSION ID CHANGES, USER ENTERS CREDENTIALS
! ERROR MESSAGE AT CLIENT "YOUR SESSION HAS EXPIRED"
! ERROR MESSAGE IN ISE "86017 SESSION MISSING"
ISE-TEST-SWITCH#show authentication sessions interface gi0/3
Interface: GigabitEthernet0/3
MAC Address: 001f.297b.bd82
IP Address: 10.2.12.45
Status: Running
Domain: UNKNOWN
Security Policy: Should Secure
Security Status: Unsecure
Oper host mode: multi-auth
Oper control dir: both
Session timeout: N/A
Idle timeout: N/A
Common Session ID: AC1484640000026C28C2FA05
Acct Session ID: 0x0000029D
Handle: 0x2C00026D
Runnable methods list:
Method State
dot1x Running
mab Not run

Guest authentication failed: 86017: Session cache entry missing
try adjusting the UTC timezone during the guest creation in the sponsor portal.
86017
Guest
Session Missing
Session ID missing. Please contact your System Administrator.
Info

Problems with re authentications in a wireless with WLC working with web authentication and a radius server

Hi everyone, im having problems in a wireless network, the SSID has security layer 2 WPA, layer 3 web authentication (internal default page), and external RADIUS.
When a client makes a roaming from one AP to another one or when he has a idle time, he needs to re authenticate in the web login page. Somebody knows a solution to avoid this behavior?. Or somebody has a troubleshooting way to determine why the clients have this problems??

A few things I can share that might help .. Your actually feet on the ground will be importnat to see this issue for yourself.
I know when a client or if the AP sends a DEAUTH frame the client will need to reestablish its connection and it will 100% of the time require a new web auth. If a client loses connection while roaming and a DEAUTH is sent on either side you will get the page. If youre client isnt romaing cleanly this can be a problem.
Another problem is your using EAP. Are you using CCK or a device that supports OKC. What does your radius server say when a client roams ?
You could also simply your config and then reapply your security and see where it breaks. By this I mean. For testing, create a SSID turn off security and leave layer 3 web auth on. Roam and see what happens. If it works, then start to apply the security and see where it breaks.
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
‎"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

Problem in creating web serivce proxy

Please let me know how to create web serivce proxy? web service has the parameter of ArrayList<Attachment> . The Attachment is custom class. when i creating proxy it creates Arraylist of XML type
@XmlAccessorType(XmlAccessType.FIELD)
@XmlType(name = "abstractList")
@XmlSeeAlso({
ArrayList.class
public abstract class AbstractList
extends AbstractCollection
in this Arralist i could not able to cast java.util.ArrayList.
Thank You.

Hi Mithu,
Thanks for your reply, I dose the sam but still I m getting this problem.
it happens when I click on finish and tha it asks for adding proxy files to the and than to activity.When I click on add. the editor goes to Not Responding state.
RAM in the server is 8 GB.and in my system its 1 GB.
Waiting for your reply
Regards,
Yajush

WLC 4400/Web Authentication and proxy autodiscovery

We have a guest-SSID where people authenticate via the build in web authentication and RADIUS.
We use proxy autodiscovery (WPAD, DHCP option 252) in our network and this works on the guest-SSID, but only after the authenticated user closes and opens Internet Explorer. It seems that restarting Internet Explorer triggers the WPAD discovery process.
My question is if there is a smarter way to push proxy settings to guest users without user invention? How did you solve this?
Regards,
Rutger

The reason you need to restart IE is because the WLC will be blocking the initial discovery messages from IE to Proxy because the user won't have authenticated yet. When the user authenticates, closing / opening IE triggers the discovery messages thruogh, which are now allowed to pass to the proxy.
The most fool-proof way I've come across is to use Transparent URL Redicection. This is something you can setup on a PIX / ASA, but requires a compatible WebProxy / WebFilter - I've used WebSense, but I believe other products should work too.
Lots of documentation about how to achieve this via CCO.
Regards,
Richard

Problem while creating web service proxy in Jdeveloper 10.1.3

I am using Jdeveloper 10.1.3 to create a web service proxy so that I can track my request/response in HTTP Analyzer.
I am following the steps as mentioned in the follwoing uRL:
http://www.oracle.com/technology/obe/obe1013jdev/ws/wsandascontrol.htm
But I get the following warning while creating the web servcice proxy:
Generating proxy
WARNING: value type package prefix is ignored for the types defined in the schema that has same target namespace as the target namespace of wsdl: <my web service namepsace>
Proxy generation finished
After adding my code in the main methoad of proxy, I get the following error while compiling:
WARNING: Unable to connect to URL: <my web service proxy URL> due to java.security.PrivilegedActionException: javax.xml.soap.SOAPException: Message send failed: Connection refused: connect
java.rmi.RemoteException: ; nested exception is:
HTTP transport error: javax.xml.soap.SOAPException: java.security.PrivilegedActionException: javax.xml.soap.SOAPException: Message send failed: Connection refused: connect
Please help as how to solve this.
Edited by: user11258855 on 02-Jul-2009 03:38

I am using Jdeveloper 10.1.3 to create a web service proxy so that I can track my request/response in HTTP Analyzer.
I am following the steps as mentioned in the follwoing uRL:
http://www.oracle.com/technology/obe/obe1013jdev/ws/wsandascontrol.htm
But I get the following warning while creating the web servcice proxy:
Generating proxy
WARNING: value type package prefix is ignored for the types defined in the schema that has same target namespace as the target namespace of wsdl: <my web service namepsace>
Proxy generation finished
After adding my code in the main methoad of proxy, I get the following error while compiling:
WARNING: Unable to connect to URL: <my web service proxy URL> due to java.security.PrivilegedActionException: javax.xml.soap.SOAPException: Message send failed: Connection refused: connect
java.rmi.RemoteException: ; nested exception is:
HTTP transport error: javax.xml.soap.SOAPException: java.security.PrivilegedActionException: javax.xml.soap.SOAPException: Message send failed: Connection refused: connect
Please help as how to solve this.
Edited by: user11258855 on 02-Jul-2009 03:38

Aironet 2702i Autonomous - Web-Authentication with Radius Window 2008

Hi Guys,
I have a problems with case, i have diagrams sample like then : AD(Win2008) - Radius(Win2008) - Aironet 2702i => Use methods Web-Auth for EndUser
This is my Configure file on Aironet 2702i
Aironet2702i#show run
Building configuration...
Current configuration : 8547 bytes
! Last configuration change at 05:08:25 +0700 Fri Oct 31 2014 by admin
version 15.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname Aironet2702i
logging rate-limit console 9
aaa new-model
aaa group server radius rad_mac
aaa group server radius rad_acct
aaa group server radius rad_admin
aaa group server tacacs+ tac_admin
aaa group server radius rad_pmip
aaa group server radius dummy
aaa authentication login default local
aaa authentication login DTSGROUP group radius
aaa authentication login webauth group radius
aaa authentication login weblist group radius
aaa authentication dot1x default group radius
aaa authorization exec default local
aaa session-id common
clock timezone +0700 7 0
no ip source-route
no ip cef
ip admission name webauth proxy http
ip admission name webauth method-list authentication weblist
no ip domain lookup
ip domain name dts.com.vn
dot11 syslog
dot11 activity-timeout unknown default 1000
dot11 activity-timeout client default 1000
dot11 activity-timeout repeater default 1000
dot11 activity-timeout workgroup-bridge default 1000
dot11 activity-timeout bridge default 1000
dot11 vlan-name DTSGroup vlan 46
dot11 vlan-name L6-Webauthen-test vlan 45
dot11 vlan-name NetworkL7 vlan 43
dot11 vlan-name SGCTT vlan 44
dot11 ssid DTS-Group
vlan 46
authentication open eap DTSGROUP
authentication key-management wpa version 2
mbssid guest-mode
dot11 ssid DTS-Group-Floor7
vlan 43
authentication open
authentication key-management wpa version 2
mbssid guest-mode
wpa-psk ascii 7 013D03104C0414040D4D5B5E392559
dot11 ssid L6-Webauthen-test
vlan 45
web-auth
authentication open
dot1x eap profile DTSGROUP
mbssid guest-mode
dot11 ssid SaigonCTT-Public
vlan 44
authentication open
authentication key-management wpa version 2
mbssid guest-mode
wpa-psk ascii 7 04480A0F082E424D1D0D4B141D06421224
dot11 arp-cache optional
dot11 adjacent-ap age-timeout 3
eap profile DTSGROUP
description testwebauth-radius
method peap
method mschapv2
method leap
username TRIHM privilege 15 secret 5 $1$y1J9$3CeHRHUzbO.b6EPBmNlFZ/
username ADMIN privilege 15 secret 5 $1$IvtF$EP6/9zsYgqthWqTyr.1FB0
ip ssh version 2
bridge irb
interface Dot11Radio0
no ip address
encryption vlan 44 mode ciphers aes-ccm
encryption vlan 46 mode ciphers aes-ccm
encryption mode ciphers aes-ccm
encryption vlan 43 mode ciphers aes-ccm
encryption vlan 1 mode ciphers aes-ccm
ssid DTS-Group
ssid DTS-Group-Floor7
ssid L6-Webauthen-test
ssid SaigonCTT-Public
countermeasure tkip hold-time 0
antenna gain 0
stbc
mbssid
packet retries 128 drop-packet
channel 2412
station-role root
rts threshold 2340
rts retries 128
ip admission webauth
interface Dot11Radio0.1
encapsulation dot1Q 1 native
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
interface Dot11Radio0.43
encapsulation dot1Q 43
bridge-group 43
bridge-group 43 subscriber-loop-control
bridge-group 43 spanning-disabled
bridge-group 43 block-unknown-source
no bridge-group 43 source-learning
no bridge-group 43 unicast-flooding
interface Dot11Radio0.44
encapsulation dot1Q 44
bridge-group 44
bridge-group 44 subscriber-loop-control
bridge-group 44 spanning-disabled
bridge-group 44 block-unknown-source
no bridge-group 44 source-learning
no bridge-group 44 unicast-flooding
ip admission webauth
interface Dot11Radio0.45
encapsulation dot1Q 45
bridge-group 45
bridge-group 45 subscriber-loop-control
bridge-group 45 spanning-disabled
bridge-group 45 block-unknown-source
no bridge-group 45 source-learning
no bridge-group 45 unicast-flooding
ip admission webauth
interface Dot11Radio0.46
encapsulation dot1Q 46
bridge-group 46
bridge-group 46 subscriber-loop-control
bridge-group 46 spanning-disabled
bridge-group 46 block-unknown-source
no bridge-group 46 source-learning
no bridge-group 46 unicast-flooding
interface Dot11Radio1
no ip address
shutdown
encryption vlan 46 mode ciphers aes-ccm
encryption vlan 44 mode ciphers aes-ccm
encryption vlan 1 mode ciphers aes-ccm
encryption vlan 43 mode ciphers aes-ccm
encryption vlan 45 mode ciphers ckip-cmic
ssid DTS-Group
ssid DTS-Group-Floor7
ssid SaigonCTT-Public
countermeasure tkip hold-time 0
antenna gain 0
peakdetect
dfs band 3 block
stbc
mbssid
packet retries 128 drop-packet
channel 5745
station-role root
rts threshold 2340
rts retries 128
interface Dot11Radio1.1
encapsulation dot1Q 1 native
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
interface Dot11Radio1.43
encapsulation dot1Q 43
bridge-group 43
bridge-group 43 subscriber-loop-control
bridge-group 43 spanning-disabled
bridge-group 43 block-unknown-source
no bridge-group 43 source-learning
no bridge-group 43 unicast-flooding
interface Dot11Radio1.44
encapsulation dot1Q 44
bridge-group 44
bridge-group 44 subscriber-loop-control
bridge-group 44 spanning-disabled
bridge-group 44 block-unknown-source
no bridge-group 44 source-learning
no bridge-group 44 unicast-flooding
ip admission webauth
interface Dot11Radio1.45
encapsulation dot1Q 45
bridge-group 45
bridge-group 45 subscriber-loop-control
bridge-group 45 spanning-disabled
bridge-group 45 block-unknown-source
no bridge-group 45 source-learning
no bridge-group 45 unicast-flooding
ip admission webauth
interface Dot11Radio1.46
encapsulation dot1Q 46
bridge-group 46
bridge-group 46 subscriber-loop-control
bridge-group 46 spanning-disabled
bridge-group 46 block-unknown-source
no bridge-group 46 source-learning
no bridge-group 46 unicast-flooding
interface GigabitEthernet0
no ip address
duplex auto
speed auto
dot1x pae authenticator
dot1x authenticator eap profile DTSGROUP
dot1x supplicant eap profile DTSGROUP
interface GigabitEthernet0.1
encapsulation dot1Q 1 native
bridge-group 1
bridge-group 1 spanning-disabled
no bridge-group 1 source-learning
interface GigabitEthernet0.43
encapsulation dot1Q 43
bridge-group 43
bridge-group 43 spanning-disabled
no bridge-group 43 source-learning
interface GigabitEthernet0.44
encapsulation dot1Q 44
bridge-group 44
bridge-group 44 spanning-disabled
no bridge-group 44 source-learning
interface GigabitEthernet0.45
encapsulation dot1Q 45
bridge-group 45
bridge-group 45 spanning-disabled
no bridge-group 45 source-learning
interface GigabitEthernet0.46
encapsulation dot1Q 46
bridge-group 46
bridge-group 46 spanning-disabled
no bridge-group 46 source-learning
interface GigabitEthernet1
no ip address
shutdown
duplex auto
speed auto
interface GigabitEthernet1.1
encapsulation dot1Q 1 native
bridge-group 1
bridge-group 1 spanning-disabled
no bridge-group 1 source-learning
interface GigabitEthernet1.43
encapsulation dot1Q 43
bridge-group 43
bridge-group 43 spanning-disabled
no bridge-group 43 source-learning
interface GigabitEthernet1.44
encapsulation dot1Q 44
bridge-group 44
bridge-group 44 spanning-disabled
no bridge-group 44 source-learning
interface GigabitEthernet1.45
encapsulation dot1Q 45
bridge-group 45
bridge-group 45 spanning-disabled
no bridge-group 45 source-learning
interface GigabitEthernet1.46
encapsulation dot1Q 46
bridge-group 46
bridge-group 46 spanning-disabled
no bridge-group 46 source-learning
interface BVI1
mac-address 58f3.9ce0.8038
ip address 172.16.1.62 255.255.255.0
ipv6 address dhcp
ipv6 address autoconfig
ipv6 enable
ip forward-protocol nd
ip http server
ip http authentication aaa
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
radius-server attribute 32 include-in-access-req format %h
radius server 172.16.50.99
address ipv4 172.16.50.99 auth-port 1645 acct-port 1646
key 7 104A1D0A4B141D06421224
bridge 1 route ip
line con 0
logging synchronous
line vty 0 4
exec-timeout 0 0
privilege level 15
logging synchronous
transport input ssh
line vty 5 15
exec-timeout 0 0
privilege level 15
logging synchronous
transport input ssh
end
This is My Logfile on Radius Win 2008 :
Network Policy Server denied access to a user.
Contact the Network Policy Server administrator for more information.
User:
Security ID: S-1-5-21-858235673-3059293199-2272579369-1162
Account Name: xxxxxxxxxxxxxxxx
Account Domain: xxxxxxxxxxx
Fully Qualified Account Name: xxxxxxxxxxxxxxxxxxx
Client Machine:
Security ID: S-1-0-0
Account Name: -
Fully Qualified Account Name: -
OS-Version: -
Called Station Identifier: -
Calling Station Identifier: -
NAS:
NAS IPv4 Address: 172.16.1.62
NAS IPv6 Address: -
NAS Identifier: Aironet2702i
NAS Port-Type: Async
NAS Port: -
RADIUS Client:
Client Friendly Name: Aironet2702i
Client IP Address: 172.16.1.62
Authentication Details:
Connection Request Policy Name: Use Windows authentication for all users
Network Policy Name: DTSWIRELESS
Authentication Provider: Windows
Authentication Server: xxxxxxxxxxxxxx
Authentication Type: PAP
EAP Type: -
Account Session Identifier: -
Logging Results: Accounting information was written to the local log file.
Reason Code: 66
Reason: The user attempted to use an authentication method that is not enabled on the matching network policy.
So i will explain problems what i have seen:
SSID: DTS-Group using authentication EAP with RADIUS and it working great (Authentication Type from Aironet to RADIUS is PEAP)
SSID:L6-Webauthen-test using web-auth and i had try to compare with RADIUS but ROOT CAUSE is AUTHENTICATION TYPE from Aironet to RADIUS default is PAP. (Reason Code : 66)
=> I had trying to find how to change Authentication Type of Web-Auth on Cisco Aironet from PAP to PEAP or sometime like that for combine with RADIUS.
Any idea or recommend for me ?
Thanks for see my case

Hi Dhiresh Yadav,
Many thanks for your reply me,
I will explain again for clear my problems.
At this case, i had setup complete SSID DTS-Group use authentication with security as PEAP combine Radius Server running on Window 2008.
I had login SSID by Account create in AD =>  It's work okay with me. Done
Problems occurs when i try to use Web-authentication on Vlan45 With SSID :
dot11 ssid L6-Webauthen-test
vlan 45
web-auth
authentication open
dot1x eap profile DTSGROUP
mbssid guest-mode
After configured on Aironet and Window Radius , i had try to login with Account create in AD by WebBrowser but it Fail ( i have see mini popup said: Authentication Fail" . So i go to Radius Server and search log on EventViewer.
This is My Logfile on Radius Win 2008 :
Network Policy Server denied access to a user.
NAS:
NAS IPv4 Address: 172.16.1.62
NAS IPv6 Address: -
NAS Identifier: Aironet2702i
NAS Port-Type: Async
NAS Port: -
RADIUS Client:
Client Friendly Name: Aironet2702i
Client IP Address: 172.16.1.62
Authentication Details:
Connection Request Policy Name: Use Windows authentication for all users
Network Policy Name: DTSWIRELESS
Authentication Provider: Windows
Authentication Server: xxxxxxxxxxxxxx
Authentication Type: PAP
EAP Type: -
Account Session Identifier: -
Logging Results: Accounting information was written to the local log file.
Reason Code: 66
Reason: The user attempted to use an authentication method that is not enabled on the matching network policy.
Im think ROOT CAUSE is :
PAP is the default authentication type for web-auth users on Aironet 2702i, so it can't combine with Radius Window 2008 because they just support PEAP (CHAPv1,CHAPv2....) => Please give me a tip how to change Authentication Type from PAP to PEAP for Web Authentication on Aironet

ADFS 3.0 - Web Application Proxy configuration Issue

Hi All,
We are in the process of implementing ADFS 3.0 published to the internet for o365 Federation purposes.
The setup consists of the following
- 2 x windows 2012 R2 running ADFS 3.0 ( only one server presently installed and configured though)
- 2 x Windows 2012 R2 Running Web Application Proxy ( only one server presently installed and configured though ).
There is an F5 Big-IP load-balancer for both internal and external interfaces and it has been configured after a lot of issues with the SNI part on the F5.
So, in short the setup is now a single server hosting ADFS 3.0 using SQL and a single WAP server, however the traffic to these servers are still going through the LB.
Now the issue is that i cannot complete the installation/configuration of the Web Application Proxy server. There is a firewall in between our DMZ and the internal network. I can reach the internal services via the following url and telnet on port 443
to the federation service as well. (ports for 443 and 80) are opened to internal network on the load balancer ip . I can reach https://fs.domain.com/adfs/ls/idpinitiatedsignon.aspx and federationmetadata/2007-06/federationmetadata.xml location as well
from the Web APplication proxy server without any issues or certificate prompts at all.
When i do the configuration for WAP, i use the same account which was used as a service account for the ADFS service internally. If i use a local admin account, it errors out with another message stating the connection was closed.
The certificate on the internal server along with its private key was exported and has been imported on the WAP server . This is not internal CA, instead we are using DIGICERT SSL with SAN Names for enterprise registration and work folders. Hence the CA Chain
issue is ruled out and also this is not a wild card certificate.
When the wizard starts configuring, it does establish the trust with the federation service which is shown up in the event viewer with EventID 391 within 15 seconds i get another event id 422 which states that it cannot retrieve the proxy configuration
and eventid 276 on the Federation server which states the authentication failure. this continues until the servers stops to try configuring the wizard.
I have read all the available threads on the 3.0 WAP installation /configuraiton problem and tried all the steps possible but i am still stuck with this issue.
There is one more part that i noticed on the ADFS server, that the self signed services for the token-encrypting and token decrypting are self-signed certificates. Also, in the certificates it was showing up as not trusted. and i installed them to the TRUSTED
ROOT CERTIFICATION STORE after wich i cannot see any private key showing up when viewing the certificate which means i cannot get the MANAGE PRIVATE keys option when right clicking on the cert to assign read permissions for the ADFS service account.
Should i assign the same SSL sertificate (SAN based for enterpriseregistration & Workfolders) to the token-encrypting and token-decrypting services in ADFS console or should i leave them as self signed ? I did read that self-signed is not recommended for
production environment ? If not the same certificate what are the requirements for the certificate ?
I am not sure what I am missing in the configuration that is causing this issue. The WAP servers are not part of the domain and have also ensured the time synchronization between the domain machine as well.
The service name is fs.domain.com on both the internal and external DNS ( we have domain.com as a zone in DNS internally as well ). I am able to Authenticate inside and from the WAP server when accessing the link.
Could it be a Load Balancer Configuration ? [i will try eliminating this from the configuration]
Let me know if there are any options that i can try to resolve this and get the configuration working.
Cheers,

Does the load balancer pass the certificate session through to the ADFS server or are you offloading SSL. SSL offload does not work with WAP/ADFS integration (at least at the time of writing it does not).
Can you try through the load balancer with SSL pass through turned off please.
Also as ADFS 3.0 (Server 2012 R2) uses Server Name Indication (SNI) then any health checks that run on the load balancer must support this, so if they do not then you need to use TCP 443 checks for a listening port, as doing a standard HTTPS check will fail,
and if the load balancer fails its checks whilst you are configuring ADFS that might be a reason why it has gone offline for you (error 442 is to do with failure to swap client certificates between WAP and ADFS).
Finally, check the June update to Server 2012 R2 (http://support.microsoft.com/kb/2964735) as that has fixed some certificate issues with multiple servers for WAP and ADFS when you don't have the
2012 R2 AD schema in place.
Brian Reid
Exchange MVP and Exchange and Office 365 Certified Master
www.c7solutions.com
Brian Reid C7 Solutions Ltd (www.c7solutions.com)

Web Application Proxy and Safari

Morning, all.
I've installed and configured the new Windows Server 2012 R2 AD FS and Web Application Proxy, and I've run into some strange problems. I had some initial problems getting it to work, the documentation is a bit thin, but I now have Sharepoint and Webmail
published to the Internet.
I'm using x.509 Certificate Authentication for Extranet.
In IE on a Windows 8.1 Surface Pro everything works. I can log in using ether a softcert or a SmartCard.
On my OS X Mac I can log in using Chrome, but Safari won't work.
Same thing on my iPad running iOS 7.0.4, Safari won't work. Interestingly enough, on my 7.0.4 iPhone it DOES work. Even more interestingly, I CAN Workplace Join the iPad using the URL https://<adfs fqdn>/enrollmentserver/otaprofile but
I can't authenticate using the URL https://<adfs fqdn>/adfs/ls/IdpInitiatedSignon.aspx.
I get to select my certificate, but after that I'm getting this error message: "Safari cannot open the page because too many redirects occurred." In the Event log on the AD FS server I'm getting this:
Encountered error during federation passive request.
Additional Data
Protocol Name:
Saml
Relying Party:
http://<adfs fqdn>/adfs/services/trust
Exception details:
Microsoft.IdentityServer.Web.InvalidRequestException: MSIS7042: The same client browser session has made '6' requests in the last '0' seconds. Contact your administrator for details.
at Microsoft.IdentityServer.Web.Protocols.PassiveProtocolHandler.UpdateLoopDetectionCookie(WrappedHttpListenerContext context)
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.SendSignInResponse(SamlContext context, MSISSignInResponse response)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.ProcessProtocolRequest(ProtocolContext protocolContext, PassiveProtocolHandler protocolHandler)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)
Since it does work on an iPhone running the same browser, and Workplace Join does work on the iPad even if nothing else does I'm thinking there's some UserAgent voodoo going on in parts of the Web Application Proxy. It's no big deal that Safari in OS X doesn't
work, we can always run Chrome, but the iPad is a major problem and a total deal breaker if I can't fix it.
I would appreciate some good advice.

Hi,
As both IE and Chrome work, I think it’s more a client side issue.
Maybe you need to clear you browser cache and cookies.
This also worth a try:
http://stackoverflow.com/questions/2640030/adfs-v2-0-error-msis7042-the-same-client-browser-session-has-made-6-request
Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.
Hope this helps.

Profiling Problem & Web Authentication Proxy

Similar Messages

Maybe you are looking for