Radius Authentication Error

Hello,
I have installed and reinstalled Radius but couldn't connect any computer.
Reason Code: 23
Reason: An error occurred during the Network Policy Server use of the Extensible Authentication Protocol (EAP). Check EAP log files for EAP errors.
Schannel
The following fatal alert was generated: 20. The internal error state is 960.
Thanks

Hi,
Based on the events which you provided, it seems that the two events were related to a certificate. If you have installed a certificate on the RADIUS server, a possible cause is that something is wrong with the certificate. So please check the configuration of the certificate on your RADIUS server and client.
And for a better analysis of this issue, please provide more details about the configuration in your environment, such as what you are deploying with RADIUS, the operating system of your RADIUS server and RADIUS client, the network policy and other configurations in the NPS, the configuration of the client, etc.
Here are some related threads and articles with similar events.
802.1x Authentication fails, Reason Code 23
https://social.technet.microsoft.com/Forums/windowsserver/en-US/07e14473-b597-4060-8fab-39d443cccb07/8021x-authentication-fails-reason-code-23?forum=winserverNAP
Event ID 6273 — NPS Authentication Status
http://technet.microsoft.com/en-us/library/cc735399(WS.10).aspx
The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.
https://social.technet.microsoft.com/Forums/en-US/5fb22134-c12b-4ff1-8764-b10aa37c8b9c/the-client-could-not-be-authenticated-because-the-extensible-authentication-protocol-eap-type?forum=winserverNAP
Best Regards,
Tina

Similar Messages

  • RADIUS Authentication Error Across the Subnet

    Hi Guyz
    I have configured Microsoft Server 2012 R2 as a RADIUS for Cisco IOS Devices
    Server IP Address :  10.95.6.12
    Router IP Address Fa 0/0.192                    ---->>>    192.193.194.195
    Router IP Address Fa 0/0.6                          --->>>    10.95.6.1
    Switch IP Address VLAN 192                     ---->>>    192.193.194.2010.95.6.11
    Switch IP Address VLAN 6                          ---->>>    10.95.6.11
    When I access the Cisco Devices RADIUS CLIENT with 10.95.6.x Subnet, it works fine.
    When I access the Cisco Devices through RADIUS CLIENT 192.193.194.x Subnet, it does not pass through the RADIUS Authentication.
    In the attached picture I cannot access the 192.193.194.20 Device but I can access the 10.95.6.1 Device. As soon as I change the IP Address 10.95.6.11 I can access the Device.
    Ping is successful across the Routers / Switches and Server as well. Below are the unsuccessful debug details as well:
    ===
    Home_Switch#
    01:52:30: RADIUS/ENCODE(00000008): ask "Password: "
    Home_Switch#
    01:52:41: RADIUS/ENCODE(00000008):Orig. component type = EXEC
    01:52:41: RADIUS:  AAA Unsupported Attr: interface         [171] 4   
    01:52:41: RADIUS:   74 74                [ tt]
    01:52:41: RADIUS/ENCODE(00000008): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
    01:52:41: RADIUS(00000008): Config NAS IP: 0.0.0.0
    01:52:41: RADIUS/ENCODE(00000008): acct_session_id: 8
    01:52:41: RADIUS(00000008): sending
    01:52:41: RADIUS/ENCODE: Best Local IP-Address 10.95.6.11 for Radius-Server 10.95.6.12
    01:52:41: RADIUS(00000008): Send Access-Request to 10.95.6.12:1812 id 1645/6, len 85
    Home_Switch#
    01:52:41: RADIUS:  authenticator 95 FB 3F FE 79 BB AA D6 - C9 26 F4 EC 95 32 80 06
    01:52:41: RADIUS:  User-Name           [1]   7   "cisco"
    01:52:41: RADIUS:  User-Password       [2]   18  *
    01:52:41: RADIUS:  NAS-Port            [5]   6   2                         
    01:52:41: RADIUS:  NAS-Port-Id         [87]  6   "tty2"
    01:52:41: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
    01:52:41: RADIUS:  Calling-Station-Id  [31]  16  "192.193.194.50"
    01:52:41: RADIUS:  NAS-IP-Address      [4]   6   10.95.6.11                
    01:52:41: RADIUS(00000008): Started 5 sec timeout
    Home_Switch#
    01:52:46: RADIUS(00000008): Request timed out 
    01:52:46: RADIUS: Retransmit to (10.95.6.12:1812,1813) for id 1645/6
    01:52:46: RADIUS(00000008): Started 5 sec timeout
    Home_Switch#
    ===
    Any help will be really appreciated.

    Duplicate posts.  
    Go here:  http://supportforums.cisco.com/discussion/12154866/radius-authentication-error-across-subnet

  • Authentication errors and timeouts!

    Anybody else suffering again on the forum today?
    I'm getting authentication errors galore atm .....
    Will be bailing out soon methinks .... 

    Hi Guys
    Really sorry you are still having problems.  I'll send you both a PM so I can gather some specific info about this error and when you are seeing it.
    I haven't experienced it myself today so need to understand more about how and when it is happening so we can get it fixed.
    Appreciate your patience with this - I know it's frustrating to get errors and timeouts when you are posting responses etc. 
    Thx
    Kerry
    Retired BTCare Community Manager - StephanieG and SeanD are your new Community Managers

  • Authentication error

    Hi,
    Suddenly, both my Macs report an authentication error when joining any wifi network although no passwords have changed and the correct passwords have been entered. Any idea how to fix this? Thanks.

    Thanks again iFelix but it didn't work. I type correct passwords but I get an error message saying it's not the right password. The airport recognizes the networks (home, office, cybercafe...) but no way to join these networks!

  • RADIUS authentication via RDBMS authentication

    Does anybody know whether RADIUS can use Oracle RDBMS authentication for RADIUS authentication?
    The idea is to use the Oracle DB users list and passwords for RADIUS users management. In other words - is it possible for RADIUS and Oracle DB users to be the same?

    Yes...it's about OAS - Oracle Advanced Security...(from 8.1.7). You can use even Cistron Radius Server (a free radius server from ftp://ftp.radius.cistron.nl/pub/radius/ or http://www.freeradius.org/)
    and minimal changes:
    sqlnet.authentication = IP-address-of-RADIUS-server
    Regards,
    Paul Breniuc

  • Authentication via RADIUS : MSCHAPv2 Error 691

    Hello All,
    I am working on setting up authentication into an Acme Packet Net-Net 3820 (SBC) via RADIUS. The accounting side of things is working just fine with no issues. The authentication side of things is another matter. I can see from a packet capture that the access-request messages are in fact getting to the RADIUS server at which point the RADIUS server starts communicating with the domain controllers. I then see the chain of communication going back to the RADIUS and then finally back to the SBC. The problem is the response I get back is always an access-reject message with a reason code of 16 (Authentication failed due to a user credentials mismatch. Either the user name provided does not match an existing user account or the password was incorrect). This is confirmed by looking at the security event logs where I can see events 4625 and 6273. See the events below (Note: The names and IPs have been changed to protect the innocent):
    Event ID: 6273
    Network Policy Server denied access to a user.
    Contact the Network Policy Server administrator for more information.
    User:
      Security ID: NULL SID
      Account Name: real_username
      Account Domain: real_domain
      Fully Qualified Account Name: real_domain\real_username
    Client Machine:
      Security ID: NULL SID
      Account Name:
      Fully Qualified Account Name:
      OS-Version:
      Called Station Identifier:
      Calling Station Identifier:
    NAS:
      NAS IPv4 Address: 10.0.0.10
      NAS IPv6 Address:
      NAS Identifier: radius1.real_domain
      NAS Port-Type:
      NAS Port: 101451540
    RADIUS Client:
      Client Friendly Name: sbc1mgmt
      Client IP Address: 10.0.0.10
    Authentication Details:
      Connection Request Policy Name: SBC Authentication
      Network Policy Name:
      Authentication Provider: Windows
      Authentication Server: RADIUS1.real_domain
      Authentication Type: MS-CHAPv2
      EAP Type:
      Account Session Identifier:
      Logging Results: Accounting information was written to the SQL data store and the local log file.
      Reason Code: 16
      Reason: Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.

    Event ID: 4625
    An account failed to log on.
    Subject:
      Security ID: SYSTEM
      Account Name: RADIUS1$
      Account Domain: REAL_DOMAIN
      Logon ID: 0x3E7
    Logon Type: 3
    Account For Which Logon Failed:
      Security ID: NULL SID
      Account Name: real_username
      Account Domain: REAL_DOMAIN
    Failure Information:
      Failure Reason: Unknown user name or bad password.
      Status: 0xC000006D
      Sub Status: 0xC000006A
    Process Information:
      Caller Process ID: 0x2cc
      Caller Process Name: C:\Windows\System32\svchost.exe
    Network Information:
      Workstation Name:
      Source Network Address:
      Source Port:
    Detailed Authentication Information:
      Logon Process: IAS
      Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
      Transited Services:
      Package Name (NTLM only):
      Key Length: 0
    This event is generated when a logon request fails. It is generated on the computer where access was attempted.
    The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
    The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
    The Process Information fields indicate which account and process on the system requested the logon.
    The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
    The authentication information fields provide detailed information about this specific logon request.
    - Transited services indicate which intermediate services have participated in this logon request.
    - Package name indicates which sub-protocol was used among the NTLM protocols.
    - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
    So at first glance it would seem that the issue is merely a case of an invalid username or mismatched password. This is further confirmed in the packet capture where I can see the MSCHAPv2 response has an error code of 691 (Access denied because username or password, or both, are not valid on the domain). The thing is I know I am using a valid username and I have tried many usernames including new ones I created just for troubleshooting. I don't know how many times I have reset the password in an attempt to ensure it is not a mismatched password. I have even made sure to use passwords that are fairly short and contain only letters to ensure there were no terminal encoding issues (we connect to the SBC via SSH clients). I have also done this same thing with the shared secret used during communication between the SBC and the RADIUS server. I have tried prefixing the username with the domain name at login (though I don't think that should be necessary). I have also tried using the full UPN of the user to login. I have tried several RADIUS testing clients (NTRadPing, RadiusTest, etc.), but they either don't support MSCHAPv2 or only support EAP-MSCHAPv2. I have even created my own client using PHP's PECL RADIUS module. Still it always seems to fail with the MSCHAPv2 authentication with an error code of 691. Does anyone have any ideas as to why I always get an invalid username or bad password response when I have done everything possible to ensure that is not the case?
    Here are the specs for our RADIUS configuration:
    Windows Server 2012 R2
    SQL Server 2012 Back End Database for accounting.
    The server has been authorized on the domain and is a member of the "RAS and IAS Servers" group. For which that group does have access to the accounts we are testing with.
    The accounts we are testing with do have the "Control access through NPS Network Policy" option checked under their "Dial-in" property tab.
    RADIUS clients configured to simply match on the IP address which you can see from the events above that it is applying the client friendly name.
    Connection Request Policy: The "SBC Authentication" policy is being applied as seen above. The only condition is a regex expression that does successfully match the friendly name.
    Network Policy: As seen in events above, none are getting applied. For troubleshooting purposes I have created a Network Policy that is set to "1" for the processing order and its only condition is a Day and Time Restriction currently set to any time, any day.
    The authentication method is set to only MSCHAPv2 or MSCHAPv2 (User can change password after it has expired). I have tried adding this to just the Network Policy and I have also tried adding this to the Connection Request Policy and setting it to override the authentication method of the Network Policy.
    We do have other RADIUS servers in our domain that use PEAP to authenticate wireless clients and they all work fine. However, we need this to work with MSCHAPv2 only (No EAP).
    All other configurations are set to the defaults.
    The only other thing of note to consider is the fact that in the events above you can see that the Security ID is "NULL SID". Now I know this is common especially among failed logons but given that this issue is stating an invalid username or bad password, perhaps it matters in this case. Also, this server has been rebuilt using the same computer account in Active Directory. I do not know if it would have worked before the rebuild. Essentially we built this server and only got as far as authorizing the server to the domain and adding SQL when we decided to separate out the SQL role onto another server. Rather than uninstalling SQL we just rebuilt the machine. However, before reinstalling Windows I did do a reset on the computer account. I don't think this should matter but thought I would point it out if there is some weird quirk where reusing the same SID of a previously authorized NPS server would cause an issue.
    All in all it is a fairly basic setup and hopefully I have provided enough information for someone to get an idea of what might be going on. I hope this was the right forum to post this to; I figured there would be a higher number of RADIUS experts here than in any of the other categories. Apologies if my understanding of this seems a bit basic; after all, when it comes to RADIUS servers I guess you could say I'm the new guy here.

    Update 1:
    In an attempt to further troubleshoot this issue I have tried bringing up additional servers for testing. Here are the additional tests I have performed.

    Multiple Domains
    I have now tried this in 3 different isolated domains. Both our test and production domains as well as my private home domain which has very little in the way of customizations aside from the modifications made for Exchange and ConfigMgr. All have the same results described above.

    VPN Service
    Using Windows Server 2012 R2 we brought up a separate server to run a standard VPN setup. The intent was to see if we could use RADIUS authentication with the VPN and if that worked we would know the issue is with the SBCs. However, before we could even configure it to use RADIUS we just attempted to make sure it worked with standard Windows Authentication on the local VPN server. Interestingly, it too fails with the same events getting logged as the RADIUS servers. The client machine being a Windows 8.1 workstation. Again I point out that we have working RADIUS servers used specifically for our wireless environment. The only difference between those RADIUS servers and the ones I am having problems with is that the working wireless servers are using PEAP instead of MSCHAPv2.

    FreeRADIUS
    Now I'm no Linux guru but I believe I have it up and running. I am able to use ntlm_auth to authenticate users when logged on to the console. However, when the radiusd service tries to use ntlm_auth to do essentially the same thing it fails and returns the same message I've been getting with the Windows server (E=691). I have the radiusd service running in debug mode so I can see more of what is going on. I can post the debug info I am getting if requested. The lines I am seeing of particular interest however are as follows:
    (1) ERROR: mschap : Program returned code (1) and output 'Logon failure (0xc000006d)'
    (1) mschap : External script failed.
    (1) ERROR: mschap : External script says: Logon Failure (0xc000006d)
    (1) ERROR: mschap : MS-CHAP2-Response is incorrect
    The thing to note here is that while we are essentially still getting a "wrong password" message, the actual status code (0xc000006d) is slightly different than what I was getting on the Windows Servers which was (0xc000006a). From this document you can see what these codes mean: NTSTATUS values. The good thing about this FreeRADIUS server is that I can see all of the challenge responses when it is in debug mode. So if I can wrap my head around how a MSCHAPv2 response is computed I can compare it to see if this is simply a miscomputed challenge response. Update: Was just noticing that the 6a code is just the sub-status code for the 6d code. So nothing different from the Windows Servers, I still wonder if there is a computation error with the challenge responses though.
    Currently, I am working on bringing up a Windows Server 2008 R2 instance of a RADIUS server to see if that helps at all. However, I would be surprised if something with the service broke between W2K8 R2 and W2K12 R2 without anyone noticing until now. If this doesn't work I may have to open a case with Microsoft. Update: Same results with W2K8 R2.

  • Unknown RADIUS Client error again with NMAS RADIUS

    I had this problem before and it seemed to be related to the FDN being
    assigned at the container level. Now (for some reason) it's come back
    and the previous fix doesn't work.
    Running NW 6.5SP5
    NMAS.NLM ver 2.65
    RADIUS.NLM ver 4.15
    GAMS.NLM ver 1.30
    NMASGPXY.NLM ver 1.04
    When I use NTRADPING to query the RADIUS server, it times out. The
    following is the debug output from RADIUS:
    [2006-05-08 05:27:21 PM] 2) [(ip) 172.22.105.81:1944], Received 46 Bytes (Access-Request (1))
    [2006-05-08 05:27:21 PM] [(total=2) (p=1) (d=0) (r=0) (acc=0) (rej=0)]
    [2006-05-08 05:27:21 PM] <4> Done GetNextMessage [(ip) 172.22.105.81:1944]: time:1608203
    [2006-05-08 05:27:21 PM] -------- START : (Access-Request (1)) [(ip) 172.22.105.81:1944]: time:891983657---
    [2006-05-08 05:27:21 PM] CACHE: CacheDomainListExist(testdas1.radius.mc), using cache
    [2006-05-08 05:27:21 PM] AuthRequestHandler(), Calling RequestHandler.
    [2006-05-08 05:27:21 PM] CACHE: CacheReadSecretForNASAddress(testdas1.radius.mc), using cache
    [2006-05-08 05:27:21 PM] HandleLocalRequest(), CacheReadSecretForNASAddress failed, no such RADIUS client (-822), Packet Dropped
    [2006-05-08 05:27:21 PM] -------- END : (Access-Request (1)) [(ip) 172.22.105.81:1944]: time:891983668---
    However, the client is configured in the DAS as a generic radius
    client.
    This is a newly created DAS and Profile for test purposes. The user has
    been configured for this DAS and profile but the properties have NOT
    been added to avoid conflict.
    On a RADIUS REFRESHCACHE, the debug output is as follows:
    [2006-05-08 05:27:03 PM] Cacher: Console initiated rebuild of cache
    [2006-05-08 05:27:03 PM] (->)Cacher: NWDSReadObjectInfo(testdas1.radius.mc), succeeded, time:3
    [2006-05-08 05:27:03 PM] Cacher: Rebuilding cache, mod time different,
    [2006-05-08 05:27:03 PM] (->)NDSReadData:NWDSRead(testdas1.radius.mc,RADIUS:DAS Version) succeeded, time:5
    [2006-05-08 05:27:03 PM] (->)NDSReadData:NWDSRead(testdas1.radius.mc,RADIUS:Password Policy) failed, no such attribute (-603), time:4
    [2006-05-08 05:27:03 PM] (->)NDSReadData:NWDSRead(testdas1.radius.mc,RADIUS:Common Name Resolution) succeeded, time:4
    [2006-05-08 05:27:03 PM] (->)NDSReadData:NWDSRead(testdas1.radius.mc,RADIUS:Concurrent Limit) failed, no such attribute (-603), time:3
    [2006-05-08 05:27:03 PM] (->)NDSReadData:NWDSRead(testdas1.radius.mc,RADIUS:Interim Accting Timeout) failed, no such attribute (-603), time:3
    [2006-05-08 05:27:03 PM] (->)NDSReadData:NWDSRead(testdas1.radius.mc,RADIUS:Aged Interval) failed, no such attribute (-603), time:3
    [2006-05-08 05:27:03 PM] (->)NDSReadData:NWDSRead(testdas1.radius.mc,RADIUS:Maximum History Record) failed, no such attribute (-603), time:4
    [2006-05-08 05:27:03 PM] CACHE: Use Netware Password for "testdas1.radius.mc": Enabled
    [2006-05-08 05:27:03 PM] CACHE: CN Login for "testdas1.radius.mc": Enabled
    [2006-05-08 05:27:03 PM] CACHE: Concurrent Limit for "testdas1.radius.mc": 0x80000000
    [2006-05-08 05:27:03 PM] CACHE: Interim Timeout for "testdas1.radius.mc": 10 minutes
    [2006-05-08 05:27:03 PM] CACHE: Interval For Aging for "testdas1.radius.mc": 7 days
    [2006-05-08 05:27:03 PM] CACHE: Max History Record for "testdas1.radius.mc": 30
    [2006-05-08 05:27:03 PM] tag extracted: 172.22.105.81, size: 14, tagLength: 28
    [2006-05-08 05:27:03 PM] (->)NDSSetUpClientTable(testdas1.radius.mc) failed, no such entry (-601)
    [2006-05-08 05:27:03 PM] Cache: Error from NDSSetUpClientTable: failed, no such entry (-601)
    [2006-05-08 05:27:03 PM] Cache: Successfully set up client table
    [2006-05-08 05:27:03 PM] Cache: Successfully set up context list
    [2006-05-08 05:27:04 PM] NDSSetUpDomainList(testdas1.radius.mc), Invalid Proxy Authentication Secret entry found, type = 00000000, Skipped, failed, no such entry (-601)
    [2006-05-08 05:27:04 PM] (->)NDSSetUpDomainList(), failed, -826 (0xfffffcc6)
    [2006-05-08 05:27:04 PM] NDSSetUpDomainList failed. Error: failed, -826 (0xfffffcc6)
    [2006-05-08 05:27:04 PM] Cache: Successfully set up search domain list
    [2006-05-08 05:27:04 PM] Cache: Successfully build context list
    [2006-05-08 05:27:04 PM] CACHE: Cache reloaded at [2006-05-08 05:27:04 PM], current reload count is 4
    [2006-05-08 05:27:04 PM] Cacher: RefreshCache(), succeeded
    [2006-05-08 05:27:04 PM] CACHE: Cache loaded at [2006-05-08 05:26:17 PM] has been discarded , current reload count is 4
    Suggestions?
    Wayne

    Fixed by updating eDir to 8.7.3.8 and applying ssp201
    Regards,
    Wayne

  • Sims3 DVD authentication error after installing PSE 6

    I have a strange problem with my MacBook Pro 15". I bought Sims3 and played it for some weeks, then I bought PSE 6 for my photo editing needs. Now, the first time I wanted to start Sims 3 after installing PSE 6, the Sims 3 game starts, but when launching the city where I choose from my families, the error message occurs: "Disc-Authentification failed. Check of the Sims 3 Disc has failed, it could not be checked whether the disk is a valid disk."
    Before asking the EA support, I checked updates (none), repaired access rights, checked my disc and reinstalled Sims3.
    The EA Support hotline asked me to do a firmware update for my superdrive, but I can't find an available download.
    Can someone help me?

    Put the first disk in again, and set it to just install the DVD SP content, livetype, and motion content disks... if it fails, call Apple, as you might have a bad disk there.
    But the applications themselves are already installed. What you're missing is the templates on those disks only.
    Seems to me you can also just put the other disks in and install them one at a time.
    Also, if this is an upgrade from a previous installation (FCP 5 or whatever) you really should do it as a clean install... all you need to have is your previous serial number.
    Jerry

  • Radius Password error

    I am having the following issue with authentication to MS IAS. I get connected to the ASA no problem. I then get asked for my credentials, and I add my domain user and password. I receive an unknown username or password error in the event log of the Radius server. This is a first time install and I am so close. I must either be missing something or have misconfigured something. Any help would be appreciated!
    Event Type: Failure Audit
    Event Source: Security
    Event Category: Logon/Logoff
    Event ID: 529
    Date: 9/19/2007
    Time: 1:11:02 AM
    User: NT AUTHORITY\SYSTEM
    Computer: SERVERNAME
    Description:
    Logon Failure:
    Reason: Unknown user name or bad password
    User Name: ndorobek
    Domain: MYDOMAIN
    Logon Type: 3
    Logon Process: IAS
    Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
    Workstation Name:
    Caller User Name: SERVERNAME$
    Caller Domain: MYDOMAIN
    Caller Logon ID: (0x0,0x3E7)
    Caller Process ID: 824
    Transited Services: -
    Source Network Address: -
    Source Port: -

    Hi,
    Might have something to do with the selected authentication protocols on the IAS server. See http://www.cisco.com/en/US/customer/products/hw/vpndevc/ps2030/products_configuration_example09186a00806de37e.shtml
    Also, you have to enable dial-in for the users in Active Directory and 'grant remote access' in the IAS policy.
    Regards, Frank

  • VPN3k Radius authentication Error

    I don't know what I am doing wrong, but every time I try to set up a VPN3k for RADIUS authentication I get the following error:
    An error has occurred while attempting to perform the operation.
    Authentication Error: No active server found
    The server is correctly configured on the vpn3k and I also set up the vpn3k as a client to ACS. The radius server works fine with any other routers.
    Can anybody please share some tips?
    Thanks

    I can suggest several things to check about this issue. Are you sure that you have correct IP connectivity between the devices? (check this by pinging from the vpn3k to the server and ping from the server to the vpn3k) Are you sure that you have configured the correct key for communication from the vpn3k to the server? Does the server see any connection attempt from the vpn3k? (check logs and failed attempt reports on the server) Is there any access list on any router along the path from the vpn3k to the server which might be denying the request or the response?
    HTH
    Rick

  • Unknown RADIUS client errors

    We are running Novell Netware 6.0 SP4 and eDirectory 8.6.2. We have set up
    iChain 2.3 with the included NMAS and RADIUS services. iChain with NDS
    password authentication works properly. Now we are trying to add token
    authentication, and it is not working. The RADIUS screen keeps showing
    "Access Request Dropped", "<ip address>, <user>, Unknown RADIUS client".
    I have turned on debug mode, refreshed the cache, tried logging in again,
    and checked the debug file. The error I am getting I have not seen
    referenced in previous newsgroup posts. The important section shows this:
    Context Lookup List set to:
    [2004-08-05 09:42:21 AM] 1) DEN.RJL
    [2004-08-05 09:42:21 AM] 2) RJL
    [2004-08-05 09:42:21 AM] Number of contexts = 2
    [2004-08-05 09:42:21 AM] tag extracted: 10.1.1.242, size: 11, tagLength: 22
    [2004-08-05 09:42:21 AM] (->)NDSSetUpClientTable(DAS_RJL.RJL) failed, no such entry (-601)
    [2004-08-05 09:42:21 AM] Cache: Error from NDSSetUpClientTable: failed, no such entry (-601)
    [2004-08-05 09:42:21 AM] Cache: Successfully set up client table
    It looks like it is not reading the client table properly, but I don't know
    how to fix it. We have recreated the DAS object, removed and re-added the
    client address in the DAS object, etc.
    If anyone has any ideas on what else we can try, I would really appreciate
    it. Thanks.

    You should always administer NMAS from a Windows workstation. Unfortunately
    you can't administer NMAS, and therefore NMAS RADIUS, on any other platform
    right now. The NMAS ConsoleOne snapins make native calls to nmaswrap.dll,
    and this module is only available on Windows.
    You can map a drive to your server from a Windows box and run ConsoleOne
    from the mapped drive to see if this works. However, for best results with
    RADIUS, you will want to install ConsoleOne locally on a Windows box. When
    run over a mapped drive, the RADIUS snapin can take a very long time (5-15
    minutes in my experience) to load the RADIUS attribute file.
    You mentioned that you've been running ConsoleOne from a workstation, so I
    assume that you've tried setting the DAS client information from a Windows
    box already. If you have not tried this yet, then please do so.
    The -601 you're getting from NMAS_GetLoginConfig is interesting.
    Unfortunately this method is implemented in NMAS.NLM, which is maintained by
    a different team, so I'm not sure how much more help I can provide with
    this. However, I do have a few ideas:
    1) When RADIUS calls NMAS_GetLoginConfig, it's asking NMAS to read encrypted
    data that is stored in attributes on the DAS object. If I remember
    correctly, NMAS.NLM cannot go off the box when it does this. Does your
    RADIUS server have a local replica that contains the DAS object? If it does
    not, then this might be your problem.
    2) If putting the DAS in a local replica does not work, then a DS Trace with
    the NMAS and Resolve Name options turned on may provide some insight. (I
    can't remember if NMAS is a DS Trace option in eDir 8.6 - if you don't see
    the NMAS option, then don't worry about it.) Start DSTrace while RADIUS is
    running and issue a "radius refreshcache" command like you did before.
    If neither of the above suggestions is helpful, then tell the support
    engineer you're working with that the -601 error is coming from
    NMAS_GetLoginConfig and which version of NMAS.NLM you have. Please also tell
    the support engineer that you've been working with me (Scott Kiester) on
    this, and that he/she may call me if they have any questions.
    >>> Stephen Taylor<[email protected]> 08/06/04 12:38 PM >>>
    Hi Scott,
    Thank you for the follow-up. Based on suggestions from some of your other
    posts, I had already run ConsoleOne with the debug window, and I did not
    see
    any errors when I added a DAS client. I ran the SDIDiag utility and went
    through the three recommended steps. There were no errors, and the tree key
    looked the same on all our servers. I did not know about the NMAS log file.
    I followed your directions, and this is all that the log file shows:
    0: Screen and file output started at Fri Aug 6 10:49:53 2004
    GetLoginConfig: -601
    NMAS_GetLoginConfig: -601
    Based on a couple of other posts, I decided to try deleting the DAS object
    and recreating it using ConsoleOne from the NMAS server instead of from a
    workstation. It asks me for the password when creating the object, then
    immediately abends the server and locks up ConsoleOne. This has happened
    three times now, even after reloading the snap-ins. I don't know what to try
    next. We have run dsrepair and it runs cleanly.
    "Scott Kiester" <[email protected]> wrote in message
    news:_uOQc.4698$8%[email protected]...
    > Hi Stephen,
    >
    > Based on the log snippet that you posted, it appears that an NMAS call is
    > failing and returning the -601 error. NMAS RADIUS makes a call to NMAS to
    > obtain the client shared secrets because NMAS will encrypt them before
    > storing them in eDirectory. It looks like your server is able to read the
    > client IP address off of the DAS object, but is unable to obtain the
    > corresponding shared secret from NMAS.
    >
    > I can think of a couple of things that might cause this:
    >
    > 1) Perhaps ConsoleOne is not storing the shared secret. Unfortunately, the
    > ConsoleOne snapin will not report errors it encounters while storing entries
    > in the client table. ConsoleOne must make an NMAS call to store the shared
    > secret, and if this call fails it will not report the error. You can usually
    > tell if this call failed by closing the DAS "Properties" dialog and
    > re-opening it after adding a new entry. If your new entry is not there when
    > the dialog is re-opened, then the call failed.
    >
    > To find out if this call is failing, please start ConsoleOne with the
    > following command line: "consoleone -debug -windowout". This will make
    > ConsoleOne display a debug window in the top-left portion of your screen. If
    > an error occurs when you add a DAS client, you will see an error code and
    > stack dump in this window. If this happens, please post the error code and
    > stack dump.
    >
    > Problems with the tree key are the most common reason for this call to fail.
    > You can resolve tree key issues using the SDIDIAG utility, which is
    > available from the support site.
    >
    > 2) It is unusual to get a -601 ("object not found" - this is _not_ the same
    > as "attribute not found") error when RADIUS attempts to make this NMAS call.
    > RADIUS must set up and log in a new DS context before it calls NMAS here.
    > It's possible that this is where the failure is, but I think it's unlikely.
    > The -601 error is probably coming from the NMAS call. If you determine that
    > ConsoleOne is storing this data properly using the instructions in step 1,
    > then it would be helpful to see a log file from NMAS when this call is made.
    > To get this log file, please do the following:
    >
    > A) Load RADIUS and provide the DAS name and password
    > B) At the server console, type "nmasmon * sys:\etc\nmasmon.log"
    > C) At the server console, type "radius refreshcache"
    > D) At the server console, type "unload nmasmon"
    >
    > This will cause NMAS log information to be written to sys:\etc\nmasmon.log.
    > Please post this file here, or send it to me at [email protected].
    >

  • Portal WebService User Authentification error

    Hello all,
    I created a portal webservice similar to the one described in tutorial "Creating a Web Service in Enterprise Portal 6.0".
    When I tried to test it in Enterprise Portal Web Services Checker I got the error below:
    The User Authentification is not correct to access to the Portal Service com.sap.portal.prt.soap.ContentService or the service was not found.
    I already added group Everyone to my service in Portal Permissions and it still does not work.
    I read weblogs below but none helped me:
    1 - Unable to access portal service from web service..........urgent
    2 - IllegalAccessError when calling a WebService
    I checked the proxy settings and it seems to be ok.
    Does anyone have another suggestion?
    Regards,
    Mauricio

    I found the reason.
    I did not check End User checkbox for the Everyone group we inserted into Permissions of the Web Service.
    Regards,
    Mauricio

  • HTTP Authentification Error after upgrading CRM 4.0 to Oracle 10g

    Hi all,
    after upgrading our CRM 4.0 Server from Oracle 9i to 10g, it isn't possible to connect from a local PC via EP 7 to the PCUI applications.
    [Browser running on local PC] -> [EP7] -> [CRM4 with Oracle 10g]
    no authentification possible
    [Browser running on local PC] -> [EP7] -> [CRM4 with Oracle 9i]
    works fine.
    [Browser running on local PC] -> [CRM4 with Oracle 10g]
    works fine.
    [Browser running on EP7 server(!)] -> [EP7] -> [CRM4 with Oracle 10g]
    works fine.
    It looks like a network security feature of Oracle 10g which blocks "man-in-the-middle" attacks?!?
    Anyone any idea?!
    Regards,
    Sven

    Hi Stephanie
    Did you find a resolution to your genstatus issue?
    We are in a similar issue currently - we have the following errors
    CNBCCPSAP00070            CG
    CNBCCPSAP00070            CG
    DOC_HEADER                CG
    S000000290CG 98FBC48FBE4A0040888E14E1C27C7262
    CAMPAIGN_WRITE            CG
    Look forward to your response on this
    Regards
    Eddie

  • SSL authentification error -5938

    Hi All,
    can someone help me with this problem?
    We have been receiving this error for more than two years at various instances of Netscape/iPlanet/SunOne Enterprise WWW server.
    We tried to find the explanation in documentation, in the Internet newsgroups but no luck ...
    Exact error log:
    ... for host x.x.x.x trying GET /xxx, Client-Auth reports: Unexpected error receiving data: -5938
    ... get_auth_user_ssl: client passed no certificate.
    Can someone explain this problem ?
    Thanks in advance
    Ivo(sh) Musil
    ivo at corpus.cz

    The browser disconnected before sending its client cert.

  • Radius authentication error.

    I have radius configured to authenticate a cisco switch. The ACS is V5.3. The login worked fine, but the enable doesn't work. It came back saying
    "22056 Subject not found in the applicable identity store(s)."
    Any idea?
    Thanks,
    Han

    Hi Han,
    A first hint would be to check if the authentication protocol you are using (PAP, CHAP, MS-CHAPv1/2, etc.) is compatible with the database configured on ACS:
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2.1/User_Guide/Overvw.html#wpxref846
    This table is from the ACS 4.2.1 configuration guide, but it is generally true for all types of databases and ACS versions.
    Regards,
    Fede
    If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.
