Question on H-REAP local authentication
Hi Guys,
I am having some trouble understanding local authentication for H-REAP APs with 802.1x authentication and wonder if this is a supported feature, when the AP enters into local auth/local switching mode when the WAN link is down or controller is not reachable.
In the configuration guide, it says:
==================================
When a hybrid-REAP access point enters standalone mode, WLANs that are configured for open, shared, WPA-PSK, or WPA2-PSK authentication enter the "local authentication, local switching" state and continue new client authentications. In controller software release 4.2 or later releases, this configuration is also correct for WLANs that are configured for 802.1X, WPA-802.1X, WPA2-802.1X, or CCKM, but these authentication types require that an external RADIUS server be configured. You can also configure a local RADIUS server on a HREAP access point to support 802.1X in a standalone mode or with local authentication.
=====================================
Also from the diagram provided in the configuration guide, there is a RADIUS server on the remote site, which might indicate 802.1x authentication is supported when the link between H-REAP AP and controller fails.
However, from the "enterprise mobility design guide 4.1", it seems 802.1x auth is not supported for H-REAP APs in local auth / local switching mode.
Can you please clarify if this is a supported feature or not?
Also with the latest WLC image 7.0.116.0, there is one more check box called "local auth" under "advanced" WLAN option, is this button introducing some new features compared with previous 7.0.98.0 release? What would be the difference compared with only "local switching" configured as in previous release?
When we use local authentication, under local switching / local auth mode, with H-REAP group configured, if 802.1x is supported under this mode, do I just add the local radius server information on the WLC and select it as primary radius server in the H-REAP group for local 802.1x authentication? And the authentication process would be local RADIUS --> local database?
thanks in advance for your help.
so if we need a local RADIUS server to do the authentication, we only need to check the "enable AP local authentication" box under H-REAP group configuration, and configure H-REAP APs as AAA clients in the RADIUS server, and we add all H-REAP APs in RADIUS server?
Right..
also I noticed there is one more button "H-REAP Local Auth" under WLAN advanced tab, this button is not available in previous releases, so what extra function does this option introduce compared with previous releases?
Unfortunately, I can't remember that one and I don't have a WLC at hand right now. Usually all new features are reported on the release notes for each version.
Thanks in advance for your time and help.
Sorry for my delay I forgot to answer you before :-s
Similar Messages
-
H-REAP Local Authentication eap-fast not working
Hi, I'm using a central Radius Server and have leap and eap-fast working fine, but when the wan link fails (local authentication) the new users that try to connect via leap get authenticated but eap-fast fails.
any ideas? I'm using wlc 5.01
If your radius is centrally located and your WAN link goes down, any authentication that needs to go back centrally will fail, unless you have local authentication. Don't know why LEAP would still work if authentication to the radius server has stopped.
However, if you are using local EAP configured on the WLC, then you still will fail authentication because your wlc is centrally located.
-
Create users in OID or update FND_USER to do the local authentication
Hi,
We have changed the OID sever for an 11i instance
Hence I think some users who were in the old OID server are not present in the new one
And the FND users of 11i are not able to get authenticated
Shall I
- Create the user in new OID server - Configuration tab of http://server/oiddas doesn't allow me to do that
How ?
Any API ?
- Export / import from the old OID server to new one ?
If yes, which tables
- Can I update FND_USER to do the local authentication and not go thru OID/ SSO ?
Thanks
- Pooja
I have posted the question in Application Server - General forum also
Metalink note 233436.1 and 186981.1 should be of some help.
You can change to local authentication by setting two profile options
Applications SSO Login Types set to Local
and Applications SSO Type to SSWA
You may have to reset the user's password if it has been set to EXTERNAL
-
WLC 5508 Local Authentication- need guidance
Hi formers'
i have the combo of WLC 5508 (ver 7.0) and AP1041n, just want to ask how i can do local authentication.
The environment don't have ACS, no directory services ( AD or LDAP).
Requirement:
say, i have one WLAN name "admin". Where-ever if user want to connect to this SSID, they need to prompt username/password,
user's entry is store at WLC.
i create the user at local net user, and map it to appropriate WLAN.
at the WLAN, i enable local EAP and select the profile that i create.
PROBLEM STATEMENT:
The moment i test, it always prompt to input EAP-TTLS domain\usename. password (token)
Question
a. any goes wrong with my setting? how really local authentication work with no ACS and directory services running at the back?
b. can please post any useful document URL or any supportive info, it will be very helpful
Thanks
Noel
Surendra's document may refer to local authentication with ldap database but you could follow it without doing the LDAP part and the users will be stored in the local net users of the WLC.
You could also follow the WLC config guide in the "Local eap" chapter.
The concerning part in your description is that your laptop prompts for EAP-TTLS. That means that you configured your laptop for that method. The WLC is only with peap/eap-fast
-
Policy agent 2.2 amfilter local authentication with session binding failed
Hi All,
I have policy agent 2.2 for weblogic 8.1 sp4 installed on redhat linux. All are working fine in my development box. But I was running all the process under user root, so today I decided to change it to a regular user, joe. I changed all the files' owner for weblogic server and policy agent from root to joe, and restart server as user Joe. After the change, I can not access the application on Weblogic server. I changed file ownership back to root and restart weblogic server as root, still same error.
Here is the error I got:
10.4.4 403 Forbidden
The server understood the request, but is refusing to fulfill it. Authorization will not help and the request SHOULD NOT be repeated. If the request method was not HEAD and the server wishes to make public why the request has not been fulfilled, it SHOULD describe the reason for the refusal in the entity. This status code is commonly used when the server does not wish to reveal exactly why the request has been refused, or when no other response is applicable.
Here is the error I found from agent log file, amFilter:
AmFilter: now processing: SSO Task Handler
05/24/2006 06:27:08:127 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
SSOTaskHandler: caching SSO Token for user uid=amAdmin,ou=People,dc=etouch,dc=net
05/24/2006 06:27:08:127 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
AmBaseSSOCache: cached the sso token for user principal : uid=amadmin,ou=people,dc=etouch,dc=net sso token: AQIC5wM2LY4Sfcx4XY/x/M7G1Y3ScVjFj8E3oT0BV45mh0Q=@AAJTSQACMDE=#, cache size = 1
05/24/2006 06:27:08:127 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
SSOTaskHandler: SSO Validation successful for uid=amAdmin,ou=People,dc=etouch,dc=net
05/24/2006 06:27:08:128 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
AmFilter: now processing: J2EE Local Logout Task Handler
05/24/2006 06:27:08:128 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
AmFilter: local logout skipped SSO User => amAdmin, principal =>null
05/24/2006 06:27:08:128 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
AmFilter: now processing: J2EE Local Auth Task Handler
05/24/2006 06:27:08:128 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
LocalAuthTaskHandler: No principal found. Initiating local authentication for amAdmin
05/24/2006 06:27:08:128 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
LocalAuthTaskHandler: doing local authentication with session binding
05/24/2006 06:27:08:129 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
LocalAuthTaskHandler: Local authentication failed, invalidating session.
05/24/2006 06:27:08:129 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
WARNING: LocalAuthTaskHandler: Local authentication failed for : /portal/index.jsp, SSO Token: AQIC5wM2LY4Sfcx4XY/x/M7G1Y3ScVjFj8E3oT0BV45mh0Q=@AAJTSQACMDE=#
05/24/2006 06:27:08:129 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
AmFilter: result =>
FilterResult:
Status : FORBIDDEN
RedirectURL : null
RequestHelper:
null
Data:
null
-----------------------------------------------------------
Hi,
I'm having the exact same problem in the Prod environment, but on a Sun App Server. In development all is fine, in prod we now have:
ERROR: AmFilter: Error while delegating to inbound handler: J2EE Local Auth Task Handler, access will be denied
java.lang.IllegalStateException: invalidate: Session already invalidated
at org.apache.catalina.session.StandardSession.invalidate(StandardSession.java:1258)
at org.apache.catalina.session.StandardSessionFacade.invalidate(StandardSessionFacade.java:164)
at com.sun.identity.agents.filter.LocalAuthTaskHandler.doLocalAuthWithSessionBinding(LocalAuthTaskHandler.java:289)
at com.sun.identity.agents.filter.LocalAuthTaskHandler.authenticate(LocalAuthTaskHandler.java:159)
at com.sun.identity.agents.filter.LocalAuthTaskHandler.process(LocalAuthTaskHandler.java:106)
at com.sun.identity.agents.filter.AmFilter.processTaskHandlers(AmFilter.java:185)
at com.sun.identity.agents.filter.AmFilter.isAccessAllowed(AmFilter.java:152)
at com.sun.identity.agents.filter.AmAgentBaseFilter.doFilter(AmAgentBaseFilter.java:38)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:210)
at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:161)
at java.security.AccessController.doPrivileged(Native Method)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:157)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:263)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:551)
at org.apache.catalina.core.StandardContextValve.invokeInternal(StandardContextValve.java:225)
FilterResult:
Status : FORBIDDEN
RedirectURL : null
RequestHelper:
null
Data:
null
Also, when I debug I see:
LocalAuthTaskHandler: No principal found. Initiating local authentication for ...
Did you receive any solution for this?
Many, many thanks,
Philip
-
EAP-FAST, local Authentication and PAC provisioning
Hi everybody,
I have a little understanding problem with the deployment of EAP-FAST.
So here's the deal:
I want to deploy EAP-FAST with autonomous APs with an ACS as Authentication server. So far so good.
When the ACS is not reachable, the autonomous AP should act as local Authenticator for the clients as backup. Is this possible when doing manual PAC provisioning? I guess not, because the PAC master key is not synced between ACS and the AP local Authenticator.
Would automatic PAC provisioning resolve that issue? If the ACS server fails, the local Authenticator AP will create new PACs for the clients, right?
But - I have doubts regarding automatic provisioning of PACs. From my understanding the Phase-0 is just performed in MS-CHAPv2, which is dictionary attackable. Furthermore a MITM attack could be possible during phase-0.
Would server sided certificates resolve my concerns here?
I would prefer PEAP, but the autonomous APs don't support this EAP type as local authenticator method, right?
Btw. .... is there any good document regarding FAST on CCO? I couldn't find anything. The Q&A page is just scratching the surface. The best document I could find so far is the ACS user configuration page. But I'm not 100% happy with this. Is there some kind of EAP-FAST deployment guide out there? I need best practices regarding PAC provisioning and so on :-)
Thanks in advance!
From what I understand an Internet proxy PAC and an eap-fast PAC are two different purposes.
Is that what you are trying to get clarification on?
Basically eap fast PAC provisioning is a PAC that is provisioned when a client authenticates successfully. The client provides this PAC for network authentication and not proxy authentication.
Sent from Cisco Technical Support iPad App
-
Cisco 871W as Radius Local Authenticator
We are trying to configure a Cisco 871w as an access point and also as a local authenticator. The NAS would be the same server. The sample config is as below
aaa group server radius rad_eap
 server 10.10.200.1 auth-port 1645 acct-port 1646
aaa group server radius rad_mac
aaa group server radius rad_acct
aaa group server radius rad_admin
aaa group server tacacs+ tac_admin
aaa group server radius rad_pmip
aaa group server radius dummy
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization ipmobile default group rad_pmip
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common
ip dhcp excluded-address 10.10.200.1
ip dhcp excluded-address 10.10.200.31 10.10.200.254
ip dhcp pool <pool_name>
 import all
 network 10.10.200.0 255.255.255.0
 dns-server 141.x.x.6 141.198.136.12
 default-router 10.10.200.1
 lease 0 2
interface Dot11Radio0
 ip address 10.10.200.1 255.255.255.0
 ssid <SSID Name>
  authentication network-eap eap_methods
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
ip classless
ip http server
ip http secure-server
radius-server local
 nas 10.10.200.1 key 0 <key>
 user test nthash xxx
radius-server attribute 32 include-in-access-req format %h
radius-server host 10.10.200.1 auth-port 1645 acct-port 1646 key <key>
radius-server vsa send accounting
By the above config, we are trying to make the clients authenticate with the username created in the RADIUS, which is this router, and get an ip address through the DHCP pool configured for the same. Will the above config do the same? Kindly let me know.
Thanking You
Regards
Anantha Subramanian Natarajan
Hi,
Thanks.
Worked with cipher mode tkip and used WPA for key management.
Once again, thanks for the response
Regards
Anantha Subramanian Natarajan
-
Hi, I am facing some problems configuring an AP1240AG as local authenticator with microsoft win200\xp clients. Is it possible to use this type of authentication also with non-cisco clients? Thanks a lot for any response.
I think you need to filter these clients by mac-address.
-
I'd like to know the exact configuration of local authenticator on an AP1100.
I tried the configuration found in cisco documents, but it doesn't work.
In particular I use an AP like a RADIUS SERVER.
Thanks
NP
I tried it on a 1200 and it worked. Also, you can use the help from the web page related to configuring the local RADIUS server.
ME
-
Help with configuring AP-1240AG as local authenticator for EAP-FAST client
Hi,
I am trying to configure an AP-1240AG as a local authenticator for a Windows XP client with no success. Here is a part of the AP configuration:
dot11 lab_test
 authentication open eap eap_methods
 authentication network-eap eap_methods
 guest-mode
 infrastructure-ssid
radius-server local
 eapfast authority id 0102030405060708090A0B0C0D0E0F10
 eapfast authority info lab
 eapfast server-key primary 7 211C7F85F2A6056FB6DC70BE66090DE351
 user georges nthash 7 115C41544E4A535E2072797D096466723124425253707D0901755A5B3A370F7A05
Here is the Windows XP client configuration:
Authentication: Open
Encryption: WEP
Disable Cisco ccxV4 improvements
username: georges
password: georges
Results: The show radius local-server statistics does not show any activity for the user georges and the debug messages are showing the following:
*Mar 4 01:15:58.887: %DOT11-7-AUTH_FAILED: Station 0016.6f68.b13b Authentication failed
*Mar 4 01:16:28.914: %DOT11-7-AUTH_FAILED: Station 0016.6f68.b13b Authentication failed
*Mar 4 01:16:56.700: RADIUS/ENCODE(00001F5C):Orig. component type = DOT11
*Mar 4 01:16:56.701: RADIUS: AAA Unsupported Attr: ssid [263] 19
*Mar 4 01:16:56.701: RADIUS: [lab_test]
*Mar 4 01:16:56.701: RADIUS: 65 [e]
*Mar 4 01:16:56.701: RADIUS: AAA Unsupported Attr: interface [156] 4
*Mar 4 01:16:56.701: RADIUS: 38 32 [82]
*Mar 4 01:16:56.701: RADIUS(00001F5C): Storing nasport 8275 in rad_db
*Mar 4 01:16:56.702: RADIUS(00001F5C): Config NAS IP: 10.5.104.22
*Mar 4 01:16:56.702: RADIUS/ENCODE(00001F5C): acct_session_id: 8026
*Mar 4 01:16:56.702: RADIUS(00001F5C): sending
*Mar 4 01:16:56.702: RADIUS/DECODE: parse response no app start; FAIL
*Mar 4 01:16:56.702: RADIUS/DECODE: parse response; FAIL
It seems that the radius packet that the AP receives is not what is expected. Do not know if the problem is with the client or with the AP configuration. Tried many things but running out of ideas. Any suggestions would be welcome
Thanks
Hi Stephen,
I do not want to create a workgroup bridge, just want to have the wireless radio bridge with the Ethernet port. I will remove the infrastructure command.
Thanks for your help
Stephane
Here is the complete configuration:
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname Lab
ip subnet-zero
aaa new-model
aaa group server radius rad_eap
aaa group server radius rad_mac
aaa group server radius rad_admin
aaa group server tacacs+ tac_admin
aaa group server radius rad_pmip
aaa group server radius dummy
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common
dot11 lab_test
 authentication open eap eap_methods
 authentication network-eap eap_methods
 guest-mode
 infrastructure-ssid
power inline negotiation prestandard source
bridge irb
interface Dot11Radio0
 no ip address
 no ip route-cache
 ssid lab_test
 traffic-metrics aggregate-report
 speed basic-54.0
 no power client local
 channel 2462
 station-role root
 antenna receive right
 antenna transmit right
 no dot11 extension aironet
 bridge-group 1
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
interface Dot11Radio1
 no ip address
 no ip route-cache
 shutdown
 dfs band 3 block
 speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
 channel dfs
 station-role root
 no dot11 extension aironet
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
 hold-queue 160 in
interface BVI1
 ip address 10.5.104.22 255.255.255.0
ip default-gateway 10.5.104.254
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
radius-server local
 eapfast authority id 000102030405060708090A0B0C0D0E0F
 eapfast authority info LAB
 eapfast server-key primary 7 C7AC67E296DF3437EB018F73BE00D822B8
 user georges nthash 7 14424A5A555C72790070616C03445446212202080A75705F513942017A76057007
control-plane
bridge 1 route ip
line con 0
line vty 0 4
end
-
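Several configurations posted in these threads carry credential lines (`username ... password`, `enable secret`, `nas ... key`, `eapfast server-key ... 7`, `user ... nthash 7`). The following Python is an added example, not part of the original posts or of any Cisco tool: it removes such values from an IOS-style configuration before it is shared and reports how each one was stored, treating type 7 as disclosed because it is a reversible encoding. The sample configuration, the `sanitize` helper and all secret values in it are constructed for illustration.

```python
import re

# Constructed sample in the style of the configs above; every secret is a made-up placeholder.
SAMPLE_CONFIG = """\
hostname Lab
enable secret 5 $1$EXAMPLE$0000000000000000000000
username admin password 0 ExamplePlaintext
radius-server local
 nas 192.0.2.1 key 0 ExampleSharedKey
 eapfast authority id 00112233445566778899AABBCCDDEEFF
 eapfast server-key primary 7 0123456789ABCDEF0123456789ABCDEF01
 user alice nthash 7 0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF01
radius-server host 192.0.2.1 auth-port 1645 acct-port 1646 key ExampleSharedKey
end
"""

# Command prefixes that are followed by "[encoding-type] <secret>".
CONTEXTS = [
    r"enable (?:secret|password)",
    r"username \S+ (?:privilege \d+ )?(?:secret|password)",
    r"nas \S+ key",
    r"eapfast server-key (?:primary|secondary)",
    r"user \S+ (?:nthash|password)",
    r"radius-server host .*? key",
]
SECRET_RE = re.compile(
    r"^(?P<prefix>[ \t]*(?:" + "|".join(CONTEXTS) + r"))"
    r"(?: (?P<enc>\d+))? (?P<secret>\S+)",
    re.MULTILINE,
)


def classify(enc):
    """Describe how the value is stored, based on the IOS encoding-type digit."""
    if enc in (None, "0"):
        return "cleartext"
    if enc == "7":
        return "type 7 (reversible obfuscation)"
    return f"type {enc} hash"


def sanitize(config):
    """Return (sanitized_config, findings); findings are (line, command, storage)."""
    findings = []

    def _redact(m):
        if m.group("secret").startswith("<"):
            return m.group(0)  # already a placeholder such as <key>
        line_no = config.count("\n", 0, m.start()) + 1
        findings.append((line_no, m.group("prefix").strip(), classify(m.group("enc"))))
        enc = f" {m.group('enc')}" if m.group("enc") else ""
        return f"{m.group('prefix')}{enc} <removed>"

    return SECRET_RE.sub(_redact, config), findings


if __name__ == "__main__":
    clean, found = sanitize(SAMPLE_CONFIG)
    for line_no, command, storage in found:
        print(f"line {line_no}: {command}: {storage}")
    print(clean)
```

Any value that was already pasted publicly, whatever its encoding, should be rotated on the device rather than only removed from the post.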
Weather Channel HD question...no local weather?
So quick question - why is there local weather on the SD version but not the HD version? That's just strange. I searched on the board and found a question on this over a year old, and I find it hard that they haven't found a solution in all this time, especially with the new upgrades. How would you get local weather warnings on the HD feed?
Weather channel uses a specialized computer called IntelliStar at each of the cable company's local head end to overlay graphics when the "Weather on the 8's" comes up. There is currently a HD version out, but it is still being tested in select markets. Here's the wikipedia link if you want to read more about it...
-
Wlc flexconnect wlan local authentication and central web authentication maximum rtt
Hi
From the below link below it mentioned that "Round-trip latency must not exceed 300 milliseconds (ms) between the AP and the controller. If the 300 milliseconds round-trip latency cannot be achieved, configure the AP to perform local authentication."
http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Mobility/emob73dg/emob73/ch7_HREA.html#wp1094148.
Does this limitation refer to web authentication also?
Thanks
Anyone???
Central Web Auth (CWA) works differently on controllers/APs running in FlexConnect mode. Please check this guide and confirm that you have a similar setup.
http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/116087-configure-cwa-wlc-ise-00.html
If so, please post screen shots with your configs (Redirect ACLs, policies in ISE and the WLC SSD settings).
Also, the version of code that you are running in ISE and your controller.
Thank you for rating helpful posts!
-
Hi all,
I have configured my remote switch with the following AAA local authentication configuration.
no enable secret
no username hotel
no aaa new-model
username s1umb3r password p3ac3fully
enable secret tryt0h@ckth!S!s1umb3r
aaa new-model
exit
wr
After I have saved the configuration, I am not able to login to switch remotely. Please advise me ASAP.
Now how would I get into router is there any possibility to get into router remotely?
IOS version 12.0(5)WC8
Your early response will be highly appreciated.
Regards,
Khan
What does the VTY line have for config?
-
PPTP + Local Authentication
I am trying to setup our concentrator to allow PPTP VPN sessions using local authentication. I setup a pptp group on our concentrator and setup a local user which is associated with the group. I set the tunneling protocols to PPTP on both the group and user levels. I also set the respective PPTP Authentication Protocols under the PPTP/L2TP tab for the group. The problem I am running into is when I attempt to establish a connection from a Windows XP machine using the local user account I am not able to ever establish a connection. When I watch the Live Event Viewer it shows the following message ( User [pptpuser]disconnected.. failed authentication (MSCHAP-V2) ). What I take from this is as if the concentrator is still looking for Radius auth. Anyone have any suggestions on this?
I tried these 2 suggestions and the outcome is not as I expected. I think the issue I am having is due to how this concentrator was originally deployed and set up. If I move the Internal Authentication to the top of the list then Radius authentication fails. If I move Radius back to the top then Internal will fail. Historically the way users access VPN is to use radius and authenticate to the Base-Group which by default is set to Radius authentication. In previous implementations I have seen where the Base-Group is set to internal for authentication and then various groups are created in the concentrator and within those groups you specify them to auth via Radius server.
-
Question regarding LDAP and SSO Authentication
Hello,
We have Oracle Portal as our intranet and by default all users are authenticated against OID when they access the intranet page.
My question is how do I make use of the OID authentication in apex application? I do not want users to re-enter their login credentials if they want to access the apex application.
How can I achieve this?
Thanks
What exactly do you mean by "the apex application", the development and administration interface to Application Express, or the applications you develop?
For the former case, you cannot change the way authentication is done. For your own apps, that's up to you.
Scott