Radius Authentication Error
Hello,
I have installed and reinstalled Radius but couldn't connect any computer
Reason Code: 23
Reason: An error occurred during the Network Policy Server use of the Extensible Authentication Protocol (EAP). Check EAP log files for EAP errors.
Schannel
The following fatal alert was generated: 20. The internal error state is 960.
Thanks
Hi,
Based on the events which you provided, it seems that the two events were related to the certificate. If you have installed a certificate on the RADIUS server, a possible cause is that something is wrong with the certificate. So please check the configuration of the certificate in your RADIUS server and client.
And for a better analysis of this issue, please provide more details about the configuration in your environment, such as what you are deploying with RADIUS, the operating system of your RADIUS server and RADIUS client, the network policy and other configurations in the NPS, the configuration of the client, etc.
Here are some related threads and articles with similar events.
802.1x Authentication fails, Reason Code 23
https://social.technet.microsoft.com/Forums/windowsserver/en-US/07e14473-b597-4060-8fab-39d443cccb07/8021x-authentication-fails-reason-code-23?forum=winserverNAP
Event ID 6273 — NPS Authentication Status
http://technet.microsoft.com/en-us/library/cc735399(WS.10).aspx
The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.
https://social.technet.microsoft.com/Forums/en-US/5fb22134-c12b-4ff1-8764-b10aa37c8b9c/the-client-could-not-be-authenticated-because-the-extensible-authentication-protocol-eap-type?forum=winserverNAP
Best Regards,
Tina
Similar Messages
-
RADIUS Authentication Error Across the Subnet
Hi Guyz
I have configured Microsoft Server 2012 R2 as a RADIUS for Cisco IOS Devices
Server IP Address : 10.95.6.12
Router IP Address Fa 0/0.192 ---->>> 192.193.194.195
Router IP Address Fa 0/0.6 --->>> 10.95.6.1
Switch IP Address VLAN 192 ---->>> 192.193.194.20
Switch IP Address VLAN 6 ---->>> 10.95.6.11
When I access the Cisco Devices RADIUS CLIENT with 10.95.6.x Subnet, it works fine.
When I access the Cisco Devices through RADIUS CLIENT 192.193.194.x Subnet, it does not pass through the RADIUS Authentication.
Attached in the picture I cannot access the 192.193.194.20 Device but I can access 10.95.6.1 Device. As soon as I change the IP Address 10.95.6.11 I can access the Device.
Ping is successful across the Routers / Switches and Server as well. Below is unsuccessful debug details as well:
===
Home_Switch#
01:52:30: RADIUS/ENCODE(00000008): ask "Password: "
Home_Switch#
01:52:41: RADIUS/ENCODE(00000008):Orig. component type = EXEC
01:52:41: RADIUS: AAA Unsupported Attr: interface [171] 4
01:52:41: RADIUS: 74 74 [ tt]
01:52:41: RADIUS/ENCODE(00000008): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
01:52:41: RADIUS(00000008): Config NAS IP: 0.0.0.0
01:52:41: RADIUS/ENCODE(00000008): acct_session_id: 8
01:52:41: RADIUS(00000008): sending
01:52:41: RADIUS/ENCODE: Best Local IP-Address 10.95.6.11 for Radius-Server 10.95.6.12
01:52:41: RADIUS(00000008): Send Access-Request to 10.95.6.12:1812 id 1645/6, len 85
Home_Switch#
01:52:41: RADIUS: authenticator 95 FB 3F FE 79 BB AA D6 - C9 26 F4 EC 95 32 80 06
01:52:41: RADIUS: User-Name [1] 7 "cisco"
01:52:41: RADIUS: User-Password [2] 18 *
01:52:41: RADIUS: NAS-Port [5] 6 2
01:52:41: RADIUS: NAS-Port-Id [87] 6 "tty2"
01:52:41: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
01:52:41: RADIUS: Calling-Station-Id [31] 16 "192.193.194.50"
01:52:41: RADIUS: NAS-IP-Address [4] 6 10.95.6.11
01:52:41: RADIUS(00000008): Started 5 sec timeout
Home_Switch#
01:52:46: RADIUS(00000008): Request timed out
01:52:46: RADIUS: Retransmit to (10.95.6.12:1812,1813) for id 1645/6
01:52:46: RADIUS(00000008): Started 5 sec timeout
Home_Switch#
===
Any help will be really appreciated.
Duplicate posts.
Go here: http://supportforums.cisco.com/discussion/12154866/radius-authentication-error-across-subnet
-
Authentication errors and timeouts!
Anybody else suffering again on the forum today?
I'm getting authentication errors galore atm .....
Will be bailing out soon methinks ....
Hi Guys
Really sorry you are still having problems. I'll send you both a PM so I can gather some specific info about this error and when you are seeing it.
I haven't experienced it myself today so need to understand more about how and when it is happening so we can get it fixed.
Appreciate your patience with this - I know it's frustrating to get errors and timeouts when you are posting responses etc.
Thx
Kerry
-
Hi,
Suddenly, both my Macs report an authentication error when joining any wifi network although no passwords have changed and the correct passwords have been entered. Any idea how to fix this? Thanks.
Thanks again iFelix but didn't work. I type correct passwords but I get an error message saying it's not the right password. The AirPort recognizes the networks (home, office, cybercafe...) but no way to join these networks!
-
RADIUS authentication via RDBMS authentication
Does anybody know whether RADIUS can use Oracle RDBMS authentication for RADIUS authentication?
The idea is to use Oracle DB users list and passwords for RADIUS users management. In other words - is it possible for RADIUS and Oracle DB users to be the same?
Yes...it's about OAS - Oracle Advanced Security...(from 8.1.7). You can use even Cistron Radius Server (a free radius server from ftp://ftp.radius.cistron.nl/pub/radius/ or http://www.freeradius.org/)
and minimal changes:
sqlnet.authentication = IP-address-of-RADIUS-server
Regards,
Paul Breniuc
-
Authentication via RADIUS : MSCHAPv2 Error 691
Hello All,
I am working on setting up authentication into an Acme Packet Net-Net 3820 (SBC) via RADIUS. The accounting side of things is working just fine with no issues. The authentication side of things is another matter. I can see from a packet capture that the access-request messages are in fact getting to the RADIUS server at which point the RADIUS server starts communicating with the domain controllers. I then see the chain of communication going back to the RADIUS and then finally back to the SBC. The problem is the response I get back is always an access-reject message with a reason code of 16 (Authentication failed due to a user credentials mismatch. Either the user name provided does not match an existing user account or the password was incorrect). This is confirmed by looking at the security event logs where I can see events 4625 and 6273. See the events below (Note: The names and IPs have been changed to protect the innocent):
Event ID: 6273
Network Policy Server denied access to a user.
Contact the Network Policy Server administrator for more information.
User:
    Security ID: NULL SID
    Account Name: real_username
    Account Domain: real_domain
    Fully Qualified Account Name: real_domain\real_username
Client Machine:
    Security ID: NULL SID
    Account Name:
    Fully Qualified Account Name:
    OS-Version:
    Called Station Identifier:
    Calling Station Identifier:
NAS:
    NAS IPv4 Address: 10.0.0.10
    NAS IPv6 Address:
    NAS Identifier: radius1.real_domain
    NAS Port-Type:
    NAS Port: 101451540
RADIUS Client:
    Client Friendly Name: sbc1mgmt
    Client IP Address: 10.0.0.10
Authentication Details:
    Connection Request Policy Name: SBC Authentication
    Network Policy Name:
    Authentication Provider: Windows
    Authentication Server: RADIUS1.real_domain
    Authentication Type: MS-CHAPv2
    EAP Type:
    Account Session Identifier:
    Logging Results: Accounting information was written to the SQL data store and the local log file.
    Reason Code: 16
    Reason: Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.
Event ID: 4625
An account failed to log on.
Subject:
    Security ID: SYSTEM
    Account Name: RADIUS1$
    Account Domain: REAL_DOMAIN
    Logon ID: 0x3E7
Logon Type: 3
Account For Which Logon Failed:
    Security ID: NULL SID
    Account Name: real_username
    Account Domain: REAL_DOMAIN
Failure Information:
    Failure Reason: Unknown user name or bad password.
    Status: 0xC000006D
    Sub Status: 0xC000006A
Process Information:
    Caller Process ID: 0x2cc
    Caller Process Name: C:\Windows\System32\svchost.exe
Network Information:
    Workstation Name:
    Source Network Address:
    Source Port:
Detailed Authentication Information:
    Logon Process: IAS
    Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
    Transited Services:
    Package Name (NTLM only):
    Key Length: 0
This event is generated when a logon request fails. It is generated on the computer where access was attempted.
The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
The Process Information fields indicate which account and process on the system requested the logon.
The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
So at first glance it would seem that the issue is merely a case of an invalid username or mismatched password. This is further confirmed in the packet capture where I can see the MSCHAPv2 response has an error code of 691 (Access denied because username or password, or both, are not valid on the domain). The thing is I know I am using a valid username and I have tried many usernames including new ones I created just for troubleshooting. I don't know how many times I have reset the password in an attempt to ensure it is not a mismatch password. I have even made sure to use passwords that are fairly short and contain only letters to ensure there was no terminal encoding issues (we connect to the SBC via SSH clients). I have also done this same thing with the shared secret used during communication between the SBC and the RADIUS server. I have tried prefixing the username with the domain name at login (though I don't think that should be necessary). I have also tried using the full UPN of the user to login. I have tried several RADIUS testing clients (NTRadPing, RadiusTest, etc.), but they either don't support MSCHAPv2 or only support EAP-MSCHAPv2. I have even created my own client using PHP's PECL RADIUS module. Still it always seems to fail with the MSCHAPv2 authentication with an error code of 691. Does anyone have any ideas as to why I always get an invalid username or bad password response when I have done everything possible to ensure that is not the case?
Here are the specs for our RADIUS configuration:
Windows Server 2012 R2
SQL Server 2012 Back End Database for accounting.
The server has been authorized on the domain and is a member of the "RAS and IAS Servers" group. For which that group does have access to the accounts we are testing with.
The accounts we are testing with do have the "Control access through NPS Network Policy" option checked under their "Dial-in" property tab.
RADIUS clients configured to simply match on the IP address which you can see from the events above that it is applying the client friendly name.
Connection Request Policy: The "SBC Authentication" policy is being applied as seen above. The only condition is a regex expression that does successfully match the friendly name.
Network Policy: As seen in events above, none are getting applied. For troubleshooting purposes I have created a Network Policy that is set to "1" for the processing order and its only condition is a Day and Time Restriction currently set to any time, any day.
The authentication method is set to only MSCHAPv2 or MSCHAPv2 (User can change password after it has expired). I have tried adding this to just the Network Policy and I have also tried adding this to the Connection Request Policy and setting it to override the authentication method of the Network Policy.
We do have other RADIUS servers in our domain that use PEAP to authenticate wireless clients and they all work fine. However, we need this to work with MSCHAPv2 only (No EAP).
All other configurations are set to the defaults.
The only other things of note to consider is the fact that in the events above you can see that the Security ID is "NULL SID". Now I know this is common especially among failed logons but given that this issue is stating an invalid username or bad password, perhaps it matters in this case. Also, this server has been rebuilt using the same computer account in Active Directory. I do not know if it would have worked before the rebuild. Essentially we built this server and only got as far as authorizing the server to the domain and adding SQL when we decided to separate out the SQL role onto another server. Rather than uninstalling SQL we just rebuilt the machine. However, before reinstalling Windows I did do a reset on the computer account. I don't think this should matter but thought I would point it out if there is some weird quirk where reusing the same SID of a previously authorized NPS server would cause an issue.
All in all it is a fairly basic setup and hopefully I have provided enough information for someone to get an idea of what might be going on. I hope this was the right forum to post this too, I figured there would be a higher number of RADIUS experts here than any of the other categories. Apologies if my understanding of this seems a bit basic, after all, when it comes to RADIUS servers I guess you could say I'm the new guy here.
Update 1:
In an attempt to further troubleshoot this issue I have tried bringing up additional servers for testing. Here are the additional tests I have performed.
Multiple Domains
I have now tried this in 3 different isolated domains. Both our test and production domains as well as my private home domain which has very little in the way of customizations aside from the modifications made for Exchange and ConfigMgr. All have the same results described above.
VPN Service
Using Windows Server 2012 R2 we brought up a separate server to run a standard VPN setup. The intent was to see if we could use RADIUS authentication with the VPN and if that worked we would know the issue is with the SBCs. However, before we could even configure it to use RADIUS we just attempted to make sure it worked with standard Windows Authentication on the local VPN server. Interestingly, it too fails with the same events getting logged as the RADIUS servers. The client machine being a Windows 8.1 workstation. Again I point out that we have working RADIUS servers used specifically for our wireless environment. The only difference between those RADIUS servers and the ones I am having problems with is that the working wireless servers are using PEAP instead of MSCHAPv2.
FreeRADIUS
Now I'm no Linux guru but I believe I have it up and running. I am able to use ntlm_auth to authenticate users when logged on to the console. However, when the radiusd service tries to use ntlm_auth to do essentially the same thing it fails and returns the same message I've been getting with the Windows server (E=691). I have the radiusd service running in debug mode so I can see more of what is going on. I can post the debug info I am getting if requested. The lines I am seeing of particular interest however are as follows:
(1) ERROR: mschap : Program returned code (1) and output 'Logon failure (0xc000006d)'
(1) mschap : External script failed.
(1) ERROR: mschap : External script says: Logon Failure (0xc000006d)
(1) ERROR: mschap : MS-CHAP2-Response is incorrect
The thing to note here is that while we are essentially still getting a "wrong password" message, the actual status code (0xc000006d) is slightly different than what I was getting on the Windows Servers which was (0xc000006a). From this document you can see what these codes mean: NTSTATUS values. The good thing about this FreeRADIUS server is that I can see all of the challenge responses when it is in debug mode. So if I can wrap my head around how a MSCHAPv2 response is computed I can compare it to see if this is simply a miscomputed challenge response. Update: Was just noticing that the 6a code is just the sub-status code for the 6d code. So nothing different from the Windows Servers, I still wonder if there is a computation error with the challenge responses though.
Currently, I am working on bringing up a Windows Server 2008 R2 instance of a RADIUS server to see if that helps at all. However, I would be surprised if something with the service broke between W2K8 R2 and W2K12 R2 without anyone noticing until now. If this doesn't work I may have to open a case with Microsoft. Update: Same results with W2K8 R2.
-
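Added example, not part of the original post and not FreeRADIUS or NPS code: the post above asks how an MS-CHAPv2 response is computed so it can be compared with the challenge values in the server's debug output, and this Go program carries out the NT-Response computation of RFC 2759 and checks it against the RFC's own test vector. The function names are this example's own, MD4 is written out because Go's standard library lacks it, and the `REAL_DOMAIN\User` and `User@real_domain` name forms are constructed to show that a prepended domain is stripped before hashing while any other change to the name alters the response.

```go
package main

import (
	"crypto/des"
	"crypto/sha1"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"math/bits"
	"strings"
	"unicode/utf16"
)

// md4 is RFC 1320, written out because Go's standard library has no MD4.
func md4(msg []byte) []byte {
	p := append(append([]byte{}, msg...), 0x80)
	for len(p)%64 != 56 {
		p = append(p, 0)
	}
	p = append(p, make([]byte, 8)...)
	binary.LittleEndian.PutUint64(p[len(p)-8:], uint64(len(msg))*8)
	h := [4]uint32{0x67452301, 0xefcdab89, 0x98badcfe, 0x10325476}
	order := [3][16]int{ // message word used at each step of rounds 1..3
		{0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15},
		{0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15},
		{0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15}}
	shift := [3][4]int{{3, 7, 11, 19}, {3, 5, 9, 13}, {3, 9, 11, 15}}
	add := [3]uint32{0, 0x5a827999, 0x6ed9eba1}
	for off := 0; off < len(p); off += 64 {
		a, b, c, d := h[0], h[1], h[2], h[3]
		for r := 0; r < 3; r++ {
			for i := 0; i < 16; i++ {
				// Round functions F, G, H, selected by round number.
				f := [3]uint32{(b & c) | (^b & d), (b & c) | (b & d) | (c & d), b ^ c ^ d}[r]
				x := binary.LittleEndian.Uint32(p[off+4*order[r][i]:])
				a = bits.RotateLeft32(a+f+x+add[r], shift[r][i%4])
				a, b, c, d = d, a, b, c
			}
		}
		h = [4]uint32{h[0] + a, h[1] + b, h[2] + c, h[3] + d}
	}
	out := make([]byte, 16)
	for i, v := range h {
		binary.LittleEndian.PutUint32(out[4*i:], v)
	}
	return out
}

// desKey spreads 56 key bits over 8 bytes; DES ignores each byte's low (parity) bit.
func desKey(k []byte) []byte {
	return []byte{k[0], k[0]<<7 | k[1]>>1, k[1]<<6 | k[2]>>2, k[2]<<5 | k[3]>>3,
		k[3]<<4 | k[4]>>4, k[4]<<3 | k[5]>>5, k[5]<<2 | k[6]>>6, k[6] << 1}
}

// ChallengeHash (RFC 2759 8.2): first 8 bytes of SHA1(peer || auth || user),
// where user excludes any prepended "DOMAIN\".
func ChallengeHash(peer, auth []byte, user string) []byte {
	user = user[strings.LastIndex(user, `\`)+1:]
	sum := sha1.Sum(append(append(append([]byte{}, peer...), auth...), user...))
	return sum[:8]
}

// NTResponse is GenerateNTResponse (RFC 2759 8.1).
func NTResponse(auth, peer []byte, user, password string) []byte {
	var pw []byte
	for _, u := range utf16.Encode([]rune(password)) {
		pw = append(pw, byte(u), byte(u>>8)) // UTF-16LE
	}
	key := append(md4(pw), 0, 0, 0, 0, 0) // NT hash zero-padded to 21 bytes
	chal, out := ChallengeHash(peer, auth, user), make([]byte, 24)
	for i := 0; i < 3; i++ {
		c, _ := des.NewCipher(desKey(key[7*i : 7*i+7])) // 8-byte key: cannot fail
		c.Encrypt(out[8*i:8*i+8], chal)
	}
	return out
}

// NTResponseHex takes both 16-byte challenges as hex; it returns "" on malformed input.
func NTResponseHex(authHex, peerHex, user, password string) string {
	auth, err1 := hex.DecodeString(authHex)
	peer, err2 := hex.DecodeString(peerHex)
	if err1 != nil || err2 != nil || len(auth) != 16 || len(peer) != 16 {
		return ""
	}
	return strings.ToUpper(hex.EncodeToString(NTResponse(auth, peer, user, password)))
}

// Test vector from RFC 2759 section 9.2: user "User", password "clientPass".
const rfcAuth = "5B5D7C7D7B3F2F3E3C2C602132262628" // AuthenticatorChallenge
const rfcPeer = "21402324255E262A28295F2B3A337C7E" // PeerChallenge

func main() {
	for _, name := range []string{"User", `REAL_DOMAIN\User`, "User@real_domain"} {
		fmt.Printf("%-18s %s\n", name, NTResponseHex(rfcAuth, rfcPeer, name, "clientPass"))
	}
}
```

To check a failing exchange, substitute the two challenges and the user name exactly as they appear in the server's debug output, together with the password under test. If the recomputed value equals the response the client sent, the client computed it correctly for that password and name.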
Unknown RADIUS Client error again with NMAS RADIUS
I had this problem before and it seemed to be related to the FDN being
assigned at the container level. Now (for some reason) it's come back
and the previous fix doesn't work.
Running NW 6.5SP5
NMAS.NLM ver 2.65
RADIUS.NLM ver 4.15
GAMS.NLM ver 1.30
NMASGPXY.NLM ver 1.04
When I use NTRADPING to query the RADIUS server, it times out. The
following is the debug output from RADIUS:
[2006-05-08 05:27:21 PM] 2) [(ip) 172.22.105.81:1944], Received 46 Bytes (Access-Request (1))
[2006-05-08 05:27:21 PM] [(total=2) (p=1) (d=0) (r=0) (acc=0) (rej=0)]
[2006-05-08 05:27:21 PM] <4> Done GetNextMessage [(ip) 172.22.105.81:1944]: time:1608203
[2006-05-08 05:27:21 PM] -------- START : (Access-Request (1)) [(ip) 172.22.105.81:1944]: time:891983657---
[2006-05-08 05:27:21 PM] CACHE: CacheDomainListExist(testdas1.radius.mc), using cache
[2006-05-08 05:27:21 PM] AuthRequestHandler(), Calling RequestHandler.
[2006-05-08 05:27:21 PM] CACHE: CacheReadSecretForNASAddress(testdas1.radius.mc), using cache
[2006-05-08 05:27:21 PM] HandleLocalRequest(), CacheReadSecretForNASAddress failed, no such RADIUS client (-822), Packet Dropped
[2006-05-08 05:27:21 PM] -------- END : (Access-Request (1)) [(ip) 172.22.105.81:1944]: time:891983668---
However, the client is configured in the DAS as a generic radius
client.
This is a newly created DAS and Profile for test purposes. The user has
been configured for this DAS and profile but the properties have NOT
been added to avoid conflict.
On a RADIUS REFRESHCACHE, the debug output is as follows:
[2006-05-08 05:27:03 PM] Cacher: Console initiated rebuild of cache
[2006-05-08 05:27:03 PM] (->)Cacher: NWDSReadObjectInfo(testdas1.radius.mc), succeeded, time:3
[2006-05-08 05:27:03 PM] Cacher: Rebuilding cache, mod time different,
[2006-05-08 05:27:03 PM] (->)NDSReadData:NWDSRead(testdas1.radius.mc,RADIUS:DAS Version) succeeded, time:5
[2006-05-08 05:27:03 PM] (->)NDSReadData:NWDSRead(testdas1.radius.mc,RADIUS:Password Policy) failed, no such attribute (-603), time:4
[2006-05-08 05:27:03 PM] (->)NDSReadData:NWDSRead(testdas1.radius.mc,RADIUS:Common Name Resolution) succeeded, time:4
[2006-05-08 05:27:03 PM] (->)NDSReadData:NWDSRead(testdas1.radius.mc,RADIUS:Concurrent Limit) failed, no such attribute (-603), time:3
[2006-05-08 05:27:03 PM] (->)NDSReadData:NWDSRead(testdas1.radius.mc,RADIUS:Interim Accting Timeout) failed, no such attribute (-603), time:3
[2006-05-08 05:27:03 PM] (->)NDSReadData:NWDSRead(testdas1.radius.mc,RADIUS:Aged Interval) failed, no such attribute (-603), time:3
[2006-05-08 05:27:03 PM] (->)NDSReadData:NWDSRead(testdas1.radius.mc,RADIUS:Maximum History Record) failed, no such attribute (-603), time:4
[2006-05-08 05:27:03 PM] CACHE: Use Netware Password for "testdas1.radius.mc": Enabled
[2006-05-08 05:27:03 PM] CACHE: CN Login for "testdas1.radius.mc": Enabled
[2006-05-08 05:27:03 PM] CACHE: Concurrent Limit for "testdas1.radius.mc": 0x80000000
[2006-05-08 05:27:03 PM] CACHE: Interim Timeout for "testdas1.radius.mc": 10 minutes
[2006-05-08 05:27:03 PM] CACHE: Interval For Aging for "testdas1.radius.mc": 7 days
[2006-05-08 05:27:03 PM] CACHE: Max History Record for "testdas1.radius.mc": 30
[2006-05-08 05:27:03 PM] tag extracted: 172.22.105.81, size: 14, tagLength: 28
[2006-05-08 05:27:03 PM] (->)NDSSetUpClientTable(testdas1.radius.mc) failed, no such entry (-601)
[2006-05-08 05:27:03 PM] Cache: Error from NDSSetUpClientTable: failed, no such entry (-601)
[2006-05-08 05:27:03 PM] Cache: Successfully set up client table
[2006-05-08 05:27:03 PM] Cache: Successfully set up context list
[2006-05-08 05:27:04 PM] NDSSetUpDomainList(testdas1.radius.mc), Invalid Proxy Authentication Secret entry found, type = 00000000, Skipped, failed, no such entry (-601)
[2006-05-08 05:27:04 PM] (->)NDSSetUpDomainList(), failed, -826 (0xfffffcc6)
[2006-05-08 05:27:04 PM] NDSSetUpDomainList failed. Error: failed, -826 (0xfffffcc6)
[2006-05-08 05:27:04 PM] Cache: Successfully set up search domain list
[2006-05-08 05:27:04 PM] Cache: Successfully build context list
[2006-05-08 05:27:04 PM] CACHE: Cache reloaded at [2006-05-08 05:27:04 PM], current reload count is 4
[2006-05-08 05:27:04 PM] Cacher: RefreshCache(), succeeded
[2006-05-08 05:27:04 PM] CACHE: Cache loaded at [2006-05-08 05:26:17 PM] has been discarded , current reload count is 4
Suggestions?
Wayne
Fixed by updating eDir to 8.7.3.8 and applying ssp201
Regards,
Wayne -
Sims3 DVD authentication error after installing PSE 6
I have a strange problem with my MacBook Pro 15". I bought Sims3 and played it some weeks, then I bought PSE 6 for my photo editing needs. Now, the first time I wanted to start Sims 3 after installing PSE 6, the Sims 3 game starts, but when launching the city where to choose from my families, the error message occurs: "Disc-Authentification failed. Check of the Sims 3 Disc has failed, it could not be checked whether the disk is a valid disk."
Before asking the EA support, I checked updates (none), repaired access rights, checked my disc and reinstalled Sims3.
The EA Support hotline asked me to do a firmware update for my superdrive, but I don't find an available download.
Can someone help me?
Put the first disk in again, and set it to just install the DVD SP content, livetype, and motion content disks... if it fails, call Apple, as you might have a bad disk there.
But the applications themselves are already installed. What you're missing is the templates on those disks only.
Seems to me you can also just put the other disks in and install them one at a time.
Also, if this is an upgrade from a previous installation (FCP 5 or whatever) you really should do it as a clean install... all you need to have is your previous serial number.
Jerry
Message was edited by: Jerry Hofmann -
I am having the following issue with authentication to MS IAS. I get connected to the ASA no problem. I then get asked for my credentials, and I add my domain user and password. I receive unknown username or password error in the event log of the Radius server. This is a first time install and I am so close. I must either be missing something or have misconfigured something. Any help would be appreciated!
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 9/19/2007
Time: 1:11:02 AM
User: NT AUTHORITY\SYSTEM
Computer: SERVERNAME
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: ndorobek
Domain: MYDOMAIN
Logon Type: 3
Logon Process: IAS
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name:
Caller User Name: SERVERNAME$
Caller Domain: MYDOMAIN
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 824
Transited Services: -
Source Network Address: -
Source Port: -
Hi,
Might have something to do with the selected authentication protocols on the IAS server. See http://www.cisco.com/en/US/customer/products/hw/vpndevc/ps2030/products_configuration_example09186a00806de37e.shtml
Also, you have to enable dial-in for the users in Active Directory and 'grant remote access' in the IAS policy.
Regards, Frank -
VPN3k Radius authentication Error
I don't know what I am doing wrong, but every time I try to set up a VPN3k for RADIUS authentication I get the following error:
An error has occurred while attempting to perform the operation.
Authentication Error: No active server found
The server is correctly configured on the vpn3k and also I set up the vpn3k as a client to ACS. The radius server works fine with any other routers.
Can anybody please share some tips.
Thanks
I can suggest several things to check about this issue. Are you sure that you have correct IP connectivity between the devices? (check this by pinging from the vpn3k to the server and ping from the server to the vpn3k) Are you sure that you have configured the correct key for communication from the vpn3k to the server? Does the server see any connection attempt from the vpn3k? (check logs and failed attempt reports on the server) Is there any access list on any router along the path from the vpn3k to the server which might be denying the request or the response?
HTH
Rick -
We are running Novell Netware 6.0 SP4 and eDirectory 8.6.2. We have set up
iChain 2.3 with the included NMAS and RADIUS services. iChain with NDS
password authentication works properly. Now we are trying to add token
authentication, and it is not working. The RADIUS screen keeps showing
"Access Request Dropped", "<ip address>, <user>, Unknown RADIUS client".
I have turned on debug mode, refreshed the cache, tried logging in again,
and checked the debug file. The error I am getting I have not seen
referenced in previous newsgroup posts. The important section shows this:
Context Lookup List set to:
[2004-08-05 09:42:21 AM] 1) DEN.RJL
[2004-08-05 09:42:21 AM] 2) RJL
[2004-08-05 09:42:21 AM] Number of contexts = 2
[2004-08-05 09:42:21 AM] tag extracted: 10.1.1.242, size: 11, tagLength: 22
[2004-08-05 09:42:21 AM] (->)NDSSetUpClientTable(DAS_RJL.RJL) failed, no such entry (-601)
[2004-08-05 09:42:21 AM] Cache: Error from NDSSetUpClientTable: failed, no such entry (-601)
[2004-08-05 09:42:21 AM] Cache: Successfully set up client table
It looks like it is not reading the client table properly, but I don't know
how to fix it. We have recreated the DAS object, removed and re-added the
client address in the DAS object, etc.
If anyone has any ideas on what else we can try, I would really appreciate
it. Thanks.
You should always administer NMAS from a Windows workstation. Unfortunately
you can't administer NMAS, and therefore NMAS RADIUS, on any other platform
right now. The NMAS ConsoleOne snapins make native calls to nmaswrap.dll,
and this module is only available on Windows.
You can map a drive to your server from a Windows box and run ConsoleOne
from the mapped drive to see if this works. However, for best results with
RADIUS, you will want to install ConsoleOne locally on a Windows box. When
run over a mapped drive, the RADIUS snapin can take a very long time (5-15
minutes in my experience) to load the RADIUS attribute file.
You mentioned that you've been running ConsoleOne from a workstation, so I
assume that you've tried setting the DAS client information from a Windows
box already. If you have not tried this yet, then please do so.
The -601 you're getting from NMAS_GetLoginConfig is interesting.
Unfortunately this method is implemented in NMAS.NLM, which is maintained by
a different team, so I'm not sure how much more help I can provide with
this. However, I do have a few ideas:
1) When RADIUS calls NMAS_GetLoginConfig, it's asking NMAS to read encrypted
data that is stored in attributes on the DAS object. If I remember
correctly, NMAS.NLM cannot go off the box when it does this. Does your
RADIUS server have a local replica that contains the DAS object? If it does
not, then this might be your problem.
2) If putting the DAS in a local replica does not work, then a DS Trace with
the NMAS and Resolve Name options turned on may provide some insight. (I
can't remember if NMAS is a DS Trace option in eDir 8.6 - if you don't see
the NMAS option, then don't worry about it.) Start DSTrace while RADIUS is
running and issue a "radius refreshcache" command like you did before.
If neither of the above suggestions is helpful, then tell the support
engineer you're working with that the -601 error is coming from
NMAS_GetLoginConfig and which version of NMAS.NLM you have. Please also tell
the support engineer that you've been working with me (Scott Kiester) on
this, and that he/she may call me they have any questions.
>>> Stephen Taylor<[email protected]> 08/06/04 12:38 PM >>>
Hi Scott,
Thank you for the follow-up. Based on suggestions from some of your other
posts, I had already run ConsoleOne with the debug window, and I did not see
any errors when I added a DAS client. I ran the SDIDiag utility and went
through the three recommended steps. There were no errors, and the tree key
looked the same on all our servers. I did not know about the NMAS log file.
I followed your directions, and this is all that the log file shows:
0: Screen and file output started at Fri Aug 6 10:49:53 2004
GetLoginConfig: -601
NMAS_GetLoginConfig: -601
Based on a couple of other posts, I decided to try deleting the DAS object
and recreating it using ConsoleOne from the NMAS server instead of from a
workstation. It asks me for the password when creating the object, then
immediately abends the server and locks up ConsoleOne. This has happened
three times now, even after reloading the snap-ins. I don't know what to try
next. We have run dsrepair and it runs cleanly.
"Scott Kiester" <[email protected]> wrote in message
news:_uOQc.4698$8%[email protected]...
> Hi Stephen,
>
> Based on the log snippet that you posted, it appears that an NMAS call is
> failing and returning the -601 error. NMAS RADIUS makes a call to NMAS to
> obtain the client shared secrets because NMAS will encrypt them before
> storing them in eDirectory. It looks like your server is able to read the
> client IP address off of the DAS object, but is unable to obtain the
> corresponding shared secret from NMAS.
>
> I can think of a couple of things that might cause this:
>
> 1) Perhaps ConsoleOne is not storing the shared secret. Unfortunately, the
> ConsoleOne snapin will not report errors it encounters while storing entries
> in the client table. ConsoleOne must make an NMAS call to store the shared
> secret, and if this call fails it will not report the error. You can usually
> tell if this call failed by closing the DAS "Properties" dialog and
> re-opening it after adding a new entry. If your new entry is not there when
> the dialog is re-opened, then the call failed.
>
> To find out if this call is failing, please start ConsoleOne with the
> following command line: "consoleone -debug -windowout". This will make
> ConsoleOne display a debug window in the top-left portion of your screen. If
> an error occurs when you add a DAS client, you will see an error code and
> stack dump in this window. If this happens, please post the error code and
> stack dump.
>
> Problems with the tree key are the most common reason for this call to fail.
> You can resolve tree key issues using the SDIDIAG utility, which is
> available from the support site.
>
> 2) It is unusual to get a -601 ("object not found" - this is _not_ the same
> as "attribute not found") error when RADIUS attempts to make this NMAS call.
> RADIUS must set up and log in a new DS context before it calls NMAS here.
> It's possible that this is where the failure is, but I think it's unlikely.
> The -601 error is probably coming from the NMAS call. If you determine that
> ConsoleOne is storing this data properly using the instructions in step 1,
> then it would be helpful to see a log file from NMAS when this call is made.
> To get this log file, please do the following:
>
> A) Load RADIUS and provide the DAS name and password
> B) At the server console, type "nmasmon * sys:\etc\nmasmon.log"
> C) At the server console, type "radius refreshcache"
> D) At the server console, type "unload nmasmon"
>
> This will cause NMAS log information to be written to sys:\etc\nmasmon.log.
> Please post this file here, or send it to me at [email protected].
> -
Portal WebService User Authentification error
Hello all,
I created a portal webservice similar to the one described in tutorial "Creating a Web Service in Enterprise Portal 6.0".
When I tried to test it in Enterprise Portal Web Services Checker I got the error below:
The User Authentification is not correct to access to the Portal Service com.sap.portal.prt.soap.ContentService or the service was not found.
I already added group Everyone to my service in Portal Permissions and it still does not work.
I read weblogs below but none helped me:
1 - Unable to access portal service from web service..........urgent
2 - IllegalAccessError when calling a WebService
I checked the proxy settings and it seems to be ok.
Does anyone have another suggestion?
Regards,
Mauricio
I found the reason.
I did not check End User checkbox for the Everyone group we inserted into Permissions of the Web Service.
Regards,
Mauricio
-
HTTP Authentification Error after upgrading CRM 4.0 to Oracle 10g
Hi all,
after upgrading our CRM 4.0 Server from Oracle 9i to 10g, it isn't possible to connect from a local PC via EP 7 to the PCUI applications.
[Browser running on local PC] -> [EP7] -> [CRM4 with Oracle 10g]
no authentification possible
[Browser running on local PC] -> [EP7] -> [CRM4 with Oracle 9i]
works fine.
[Browser running on local PC] -> [CRM4 with Oracle 10g]
works fine.
[Browser running on EP7 server(!)] -> [EP7] -> [CRM4 with Oracle 10g]
works fine.
It looks like a network security feature of Oracle 10g which blocks "man-in-the-middle" attacks?!?
Anyone any idea?!
Regards,
Sven
Hi Stephanie
Did you find a resolution to your genstatus issue?
We are in a similar issue currently - we have the following errors
CNBCCPSAP00070 CG
CNBCCPSAP00070 CG
DOC_HEADER CG
S000000290CG 98FBC48FBE4A0040888E14E1C27C7262
CAMPAIGN_WRITE CG
Look forward to your response on this
Regards
Eddie
-
SSL authentification error -5938
Hi All,
can someone help me with this problem?
We have been receiving this error for more than two years on various instances of Netscape/iPlanet/SunOne Enterprise WWW server.
We tried to find an explanation in the documentation and in Internet newsgroups, but no luck ...
Exact error log:
... for host x.x.x.x trying GET /xxx, Client-Auth reports: Unexpected error receiving data: -5938
... get_auth_user_ssl: client passed no certificate.
Can someone explain this problem?
Thanks in advance
Ivo(sh) Musil
ivo at corpus.cz
The browser disconnected before sending its client cert.
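The code -5938 in the log line is NSPR's PR_END_OF_FILE_ERROR, which fits the answer above. As an added example (not part of the original thread or of the server's own tooling), this Python script groups such entries by client host and pairs each one with the "client passed no certificate" line that follows it, so repeated handshake drops from one client stand out. The sample log is constructed, and its timestamp/severity prefix is an assumed layout; only the message fragments come from the post.

```python
import re
from collections import Counter

# NSPR error codes that can follow "Unexpected error receiving data:".
NSPR_CODES = {
    -5938: "PR_END_OF_FILE_ERROR: peer closed the connection",
    -5961: "PR_CONNECT_RESET_ERROR: connection reset by peer",
}

# Matches only the message fragments quoted in the post.
CLIENT_AUTH = re.compile(
    r"for host (?P<host>\S+) trying \S+ \S+, Client-Auth reports: "
    r"Unexpected error receiving data: (?P<code>-?\d+)"
)
NO_CERT = "get_auth_user_ssl: client passed no certificate"

# Constructed sample; the timestamp/severity prefix is an assumed layout.
SAMPLE_LOG = """\
[01/Mar/2004:10:00:01] failure: for host 192.0.2.10 trying GET /secure/a, Client-Auth reports: Unexpected error receiving data: -5938
[01/Mar/2004:10:00:01] failure: get_auth_user_ssl: client passed no certificate.
[01/Mar/2004:10:05:40] failure: for host 192.0.2.77 trying GET /secure/b, Client-Auth reports: Unexpected error receiving data: -5961
[01/Mar/2004:10:06:02] failure: for host 192.0.2.10 trying GET /secure/c, Client-Auth reports: Unexpected error receiving data: -5938
[01/Mar/2004:10:06:02] failure: get_auth_user_ssl: client passed no certificate.
"""


def summarize(log_text):
    """Group receive errors by host; the no-cert line has no host, so pair it with the line before."""
    hosts, pending = {}, None
    for line in log_text.splitlines():
        m = CLIENT_AUTH.search(line)
        if m:
            pending = hosts.setdefault(m["host"], {"codes": Counter(), "no_cert": 0})
            pending["codes"][int(m["code"])] += 1
            continue
        if pending is not None and NO_CERT in line:
            pending["no_cert"] += 1
        pending = None
    return hosts


def repeated_aborts(summary, code=-5938, threshold=2):
    """List (host, count, meaning) for hosts that hit `code` at least `threshold` times."""
    meaning = NSPR_CODES.get(code, "unknown NSPR code")
    return sorted((h, s["codes"][code], meaning)
                  for h, s in summary.items() if s["codes"][code] >= threshold)

if __name__ == "__main__":
    print(repeated_aborts(summarize(SAMPLE_LOG)))
```

A host that keeps appearing with -5938 and a matching no-certificate count is worth checking for a missing client certificate or a cancelled certificate prompt, rather than treating each entry as a network fault.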
-
Radius authentication error.
I have RADIUS configured to authenticate a Cisco switch. The ACS is V5.3. The login worked fine, but the enable doesn't work. It came back saying:
"22056 Subject not found in the applicable identity store(s)."
Any idea?
Thanks,
Han
Hi Han,
A first hint would be to check if the authentication protocol you are using (PAP, CHAP, MS-CHAPv1/2, etc.) is compatible with the database configured on ACS:
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2.1/User_Guide/Overvw.html#wpxref846
This table is from the ACS 4.2.1 configuration guide, but it is generally true for all types of databases and ACS versions.
Regards,
Fede
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.