Radius request source interface

Hi!
I have controllers WLC 5508 and release 7.4.
If, in the WLAN configuration for AAA and RADIUS servers, I use the option to change the RADIUS request source interface with "Radius Server Overwrite Interface", it will use the interface the SSID is configured to as the source address.
If my SSID is configured to an interface group, what will happen then?
Will only the first configured VLAN be used as the source, or will it vary the source address between the VLANs included in the interface group?
(It, of course, needs to be the same every time, for every request, and predictable.)
/mats

Hi,
Yes, I did get an answer on my TAC case on this. It will use the first configured VLAN in the group.
I have had it configured and use "radius server overwrite" on the interface group right now. It has been working this way for months. It seems to work well.  :-)
/mats

Similar Messages

  • SNMP inform request source-interface

    Instead of using SNMP TRAPS I would like to use INFORM requests. When I receive TRAPS everything is working correctly. When I receive INFORM requests, the source interface is reported wrong.
    My config:
    snmp-server trap-source Loopback0
    snmp-server source-interface informs Loopback0
    snmp-server enable traps snmp linkup
    snmp-server enable traps config
    snmp-server host 10.101.1.15 inform version 2c public
    snmp-server host 10.101.1.15 version 2c public
    The TRAPS report their source address as Loopback0 but the INFORMS report their source address as FastEthernet0.

    Hello,
    we are also migrating from traps to informs and I can see that this source-interface issue is still open. I can confirm it is happening on Cisco 7609-S with IOS 12.2(33)SRD5, SRD6 and SRE2.
    In the bug toolkit I can see it opened for the 6500 under CSCtc43231 (http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtc43231) but there is no SR release under affected versions.
    If anyone knows of any workaround, I would appreciate it a lot.
    Thanks in advance!

  • RADIUS Requests not Populating Attribute 4 (NAS-IP-Address)

    I'm trying to get a Cisco 3120G configured for RADIUS authentication.  I have many other IOS devices with identical configuration lines working, however, this one is giving me a hard time.  The RADIUS server policy is configured by NAS-IP-Address.  The AAA and radius configuration is as follows:
    aaa new-model
    aaa authentication login default group radius local
    aaa authorization exec default group radius local
    radius-server host 10.x.x.x auth-port 1645 acct-port 1646
    radius-server source-ports 1645-1646
    radius-server key 7 XXXXXXXXXXXXXX
    See the following Radius debug information:
    indrc3120a#
    000284: Feb  8 14:05:15.447 PST: RADIUS: Pick NAS IP for u=0x5992EF4 tableid=0 cfg_addr=0.0.0.0
    000285: Feb  8 14:05:15.447 PST: RADIUS: ustruct sharecount=1
    000286: Feb  8 14:05:15.447 PST: Radius: radius_port_info() success=1 radius_nas_port=1
    000287: Feb  8 14:05:15.447 PST: RADIUS(00000000): Send Access-Request to 10.x.x.x:1645 id 1645/8, len 84
    000288: Feb  8 14:05:15.447 PST: RADIUS:  authenticator 12 5E 7E DF 01 B5 F1 D8 - 40 07 09 76 C5 88 C1 A4
    000289: Feb  8 14:05:15.447 PST: RADIUS:  NAS-IP-Address      [4]   6   0.0.0.0
    000290: Feb  8 14:05:15.447 PST: RADIUS:  NAS-Port            [5]   6   2
    000291: Feb  8 14:05:15.447 PST: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
    000292: Feb  8 14:05:15.447 PST: RADIUS:  User-Name           [1]   13  "admin_user"
    000293: Feb  8 14:05:15.447 PST: RADIUS:  Calling-Station-Id  [31]  15  "10.y.y.y"
    000294: Feb  8 14:05:15.447 PST: RADIUS:  User-Password       [2]   18  *
    000295: Feb  8 14:05:15.505 PST: RADIUS: Received from id 1645/8 10.x.x.x:1645, Access-Reject, len 20
    000296: Feb  8 14:05:15.505 PST: RADIUS:  authenticator 4E EC 8F AB BB 8E F9 BB - 13 67 56 A3 5F F9 99 94
    000297: Feb  8 14:05:15.505 PST: RADIUS: saved authorization data for user 5992EF4 at 0
    Note the NAS-IP-Address attribute populated as 0.0.0.0
    Another switch with an identical configuration returns the following:
    tritc3120a#
    350554: Feb  8 14:11:00.916 PST: RADIUS/ENCODE(000155BC): ask "Username: "
    350555: Feb  8 14:11:10.605 PST: RADIUS/ENCODE(000155BC): ask "Password: "
    350556: Feb  8 14:11:14.480 PST: RADIUS/ENCODE(000155BC):Orig. component type = EXEC
    350557: Feb  8 14:11:14.480 PST: RADIUS:  AAA Unsupported Attr: interface         [170] 4
    350558: Feb  8 14:11:14.480 PST: RADIUS:   74 74                [ tt]
    350559: Feb  8 14:11:14.480 PST: RADIUS/ENCODE(000155BC): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
    350560: Feb  8 14:11:14.480 PST: RADIUS(000155BC): Config NAS IP: 0.0.0.0
    350561: Feb  8 14:11:14.480 PST: RADIUS/ENCODE(000155BC): acct_session_id: 87482
    350562: Feb  8 14:11:14.480 PST: RADIUS(000155BC): sending
    350563: Feb  8 14:11:14.480 PST: RADIUS/ENCODE: Best Local IP-Address 10.x.x.x for Radius-Server 10.y.y.y
    350564: Feb  8 14:11:14.480 PST: RADIUS(000155BC): Send Access-Request to 10.y.y.y:1645 id 1645/222, len 90
    350565: Feb  8 14:11:14.480 PST: RADIUS:  authenticator 5F B1 17 DF 72 4B A6 3D - B6 7C D8 5C 85 66 B9 8D
    350566: Feb  8 14:11:14.480 PST: RADIUS:  User-Name           [1]   13  "admin_user"
    350567: Feb  8 14:11:14.480 PST: RADIUS:  User-Password       [2]   18  *
    350568: Feb  8 14:11:14.480 PST: RADIUS:  NAS-Port            [5]   6   2
    350569: Feb  8 14:11:14.480 PST: RADIUS:  NAS-Port-Id         [87]  6   "tty2"
    350570: Feb  8 14:11:14.480 PST: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
    350571: Feb  8 14:11:14.480 PST: RADIUS:  Calling-Station-Id  [31]  15  "10.z.z.z"
    350572: Feb  8 14:11:14.480 PST: RADIUS:  NAS-IP-Address      [4]   6   1.2.3.4
    350573: Feb  8 14:11:14.556 PST: RADIUS: Received from id 1645/222 10.y.y.y:1645, Access-Accept, len 83
    350574: Feb  8 14:11:14.556 PST: RADIUS:  authenticator 24 D9 F9 E2 BB A3 66 F6 - 73 E8 5D 42 8C A5 17 DA
    350575: Feb  8 14:11:14.556 PST: RADIUS:  Service-Type        [6]   6   Administrative            [6]
    350576: Feb  8 14:11:14.556 PST: RADIUS:  Class               [25]  32
    350577: Feb  8 14:11:14.556 PST: RADIUS:   59 6D 06 B1 00 00 01 37 00 01 0A DC 1E 18 01 CB C7 B8 82 D7 CA E2 00 00 00 00 00 00 00 0B               [ Ym7]
    350578: Feb  8 14:11:14.556 PST: RADIUS:  Vendor, Cisco       [26]  25
    350579: Feb  8 14:11:14.556 PST: RADIUS:   Cisco AVpair       [1]   19  "shell:priv-lvl=15"
    350580: Feb  8 14:11:14.556 PST: RADIUS(000155BC): Received from id 1645/222
    Note that in the example above, the NAS-IP-Address is populating properly (I've just changed it for security reasons)
    If anyone has any advice, it would be greatly appreciated.  Does the switch need a restart? A RADIUS server process kick?
    Thanks,

    Thanks Jatin, I believe you're correct.
    I tried this command
    radius-server attribute 4 10.2.1.1
    As specified in this document:
    http://www.cisco.com/en/US/docs/ios/12_3/12_3b/feature/guide/gt_siara.html
    Unfortunately, it doesn't seem to be available.  The only command I have is radius-server attribute 4 npr.
    The release notes which describe the bug here:
    http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11000series/v5.00.0.63/release/note/Reln5b63.html
    Also describe a workaround with the radius-server source-interface command.  This, too, is unavailable, unfortunately.
    I've been able to create a workaround policy tied to the "RADIUS-Client-IP" attribute, and have the functionality I require for the time being.
    Thanks again for your help.

  • Radius source-interface not working ?

    I'm running IOS 150-2.SE2 on 3750-X switches.
    In my config, I have the command:
    ip radius source-interface Loopback1
    but all radius requests still have the source IP address of the "nearest" interface, not the loopback interface.
    Interface Loopback1 is up and is pingable from the radius server.
    Any suggestions ?
    Thanks,
    GTG

    The only command I can see for controlling radius source address/interface is that global ip radius source-interface command.
    My full AAA configuration is:
    aaa new-model
    aaa authentication login default group radius local
    aaa authorization exec default group radius if-authenticated
    aaa authorization network default group radius
    aaa accounting exec default start-stop group radius
    aaa accounting system default start-stop group radius
    ip radius source-interface Loopback1
    radius server radius1
    address ipv4 192.168.1.1 auth-port 1812 acct-port 1813
    key 7
    GTG

  • SQL access to interface port descriptions or via radius request?

    Does anyone know how to include port descriptions within a RADIUS request, or of a database that I can pull the information from using a SQL statement? We have Cisco CER, CiscoWorks, Cisco Prime, or I am looking to populate my own database. Thanks

    Q: Do I simply install calls to the entry points in the RS-232 Library using COM6 as the port ID?
    A: Yes
    Q: I guess I also want to know if the RS232 Library functions all interface to the hardware through the Windows API?
    A: Yes
    Keep in mind that the objective of any Virtual COM Port Driver is to mimic a native com port. If you ever run into the situation where the native com port works, but your converter's com port doesn't, you should contact the manufacturer. This of course refers to calls to the Windows serial API, direct writes to memory are not included in this statement.

  • WLC "radius server overwrite interface" setting

    Hello
    I'm looking at using "radius server overwrite interface" on a WLAN as a replacement for Called-Station-ID for Radius to match on SSID.
    When I enable "radius server overwrite interface" on a WLAN and join a client to the SSID I can see (via packet capture) that the WLC is correctly sourcing the RADIUS packets with the WLAN's "dynamic" interface IP address. The problem is that the RADIUS server doesn't respond to these requests. RADIUS is configured with rules to match the new IP address but I see nothing (pass or fail) in the logs.
    Interestingly, the packet captures show the correct NAS IP address (the WLAN interface IP address) but always show the WLC hostname as NAS-ID (regardless of NAS-ID settings on the WLAN or WLAN interface).
    I've tried WLC software 7.4.110.0, 7.4.121.0 and 7.6.100.0 with the same results but RADIUS never responds. RADIUS is Cisco ACS 5.5.0.46. Any ideas as to why this is happening?
    Thanks
    Andy

    Hi Scott
    I installed ACS 5.4 0.46.6 and I still have the same problem - ACS doesn't respond to requests from the WLC when "radius server overwrite interface" is enabled on the WLAN and nothing appears in the logs. With "radius server overwrite interface" disabled on the WLAN, authentication is a success and I can see this in the logs.
    I had a look at the packet captures I took earlier and the attributes in the Access-Request look ok - the only attribute I wasn't sure about was Message-Authenticator. I found this IETF document http://www.ietf.org/rfc/rfc2869.txt which mentions "silent discards" of RADIUS packets with non-existent or incorrect Message-Authenticator attributes. I'm not sure if this is what I'm seeing on ACS when it receives the "radius server overwrite interface" Access-Request packets. ACS is under contract so I will contact TAC about this.
    My production ACS cluster was upgraded from the latest version of 5.3 to 5.5 with no loss of historic logs (logging after the upgrade worked fine also). The upgrade did take a while with the log collector. When it had completed I checked the Data Upgrade Status under Monitoring configuration and it showed that the upgrade was successful.
    Thanks for your help with this.
    Cheers
    Andy

  • Flexconnect Radius Server Overwrite interface Question

    Hello All,
    Can someone confirm/comment on the following:
    In a FlexConnect scenario, for site 1, I would like to source the RADIUS requests to a remote RADIUS server (at FlexConnect site 1). As I understand it, I need to enable the Radius Server Overwrite Interface option. Is that all?
    Also, for FlexConnect sites X, this can also be done per WLAN X configuration.
    Is this correct?
    Thanks

    Hi pana,
    Answers below :
    Meaning that, even if I configure the FlexConnect groups with local authentication, how does the FlexConnect AP reach the local RADIUS server?
    When you are working with local authentication, the AP will communicate with the local RADIUS server using the local routing in the branch office, without the 802.1X traffic being sent to the WLC. The AP will communicate directly with the local RADIUS server using its IP address and the local routing. (This communication is transparent from the WLC's point of view because the WLC will not intermediate the authentication between the client and RADIUS; the AP does that. The WLC will receive information from the AP when it is in connected mode about the client, the authentication method, etc., after the user has been authenticated.)
    Example :
                                                                                                               RADIUS SERVER
    WLC ----SWITCH L3------ROUTER----(MPLS Link)-----ROUTER---SWITCH L3---AP
    The WLC continues managing the access point but will not "talk" to the RADIUS server; the one that "talks" to the RADIUS server is the AP in the branch office, via the L3 switch (assuming that you have the RADIUS server in one network and the AP in another network in the same branch office).
    Understand now?
    As I understand it, in a local switching/local authentication scenario the FlexConnect AP can only map a WLAN to a local VLAN (a routable network on the remote site) that serves the user data plane. Then, in conjunction with the RADIUS server override option, how can this FlexConnect AP send requests to the local RADIUS server? I can only suppose that it will do so using the locally mapped user VLAN/WLAN, but I can't find a reference for this anywhere.
    The AP will only send the requests to the local RADIUS server if you configure FlexConnect Local Auth and a FlexConnect Group. Enabling this option, the AP will use its IP address to communicate with RADIUS without the WLC intermediating this communication.
    Without FlexConnect Local Auth enabled on the WLAN, the AP will continue directing the 802.1X requests to the WLC and the WLC will send them to the RADIUS server; in this situation, if you enabled the RADIUS overwrite interface, the WLC will try to reach the RADIUS server using the WLAN interface and not the management interface. (You do not need the RADIUS overwrite interface option to work with Local Auth if you want to use the AP as the authenticator; you only use this option if you want the WLC, with central authentication, to direct the 802.1X authentications to the RADIUS server.)
    One more thing: the VLAN/WLAN is really mapped statically, but you can manipulate it using RADIUS attributes, changing the users' VLANs based on the AD group after authentication. It can work in a local auth scenario or a central auth scenario.
    http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Mobility/emob73dg/emob73/ch7_HREA.html#pgfId-1103070
    I hope it helps, and if it does not help, I think I am not understanding the real question.

  • ISE 1.3 not receiving Radius requests from WLC 5508 ver 8.0.110.0

    Hello all. I just implemented ISE 1.3 at a customer site. I added a WLC running 8.0.110.0 using its management address with a RADIUS pre-shared key. On the WLC, I created two SSIDs, corp and guest.
    For corp I configured WPA2 and AES and forwarded RADIUS requests to my 2 ISE node PSN interfaces.
    For the guest I configured MAC filtering with the advanced features AAA override and RADIUS NAC, per Cisco's documents.
    The corp SSID forwards RADIUS requests to ISE, the guest SSID does not. I get nothing from the guest.
    I configured the WLC step by step from the Cisco document. I have completed over 10 ISE implementations in the last year using ISE 1.2 and WLC 7.x and have never run into this issue before.
    Any help will be much appreciated.

    This issue has been resolved. The issue was that for the guest SSID MAC filtering was enabled as required, but they had the test PCs on a mac filter bypass list for that SSID in the WLC. This was automatically authenticating the PC, and therefore not forwarding the RADIUS to ISE.
    Once we removed the PC from the MAC filter list in the WLC, the authentications were forwarded to ISE as desired.

  • CCS 11501 Tacacs Source Interface.

    Hello all,
    I am trying to use the management interface of a CSS 11501 as the source interface of any TACACS+ authentication.
    I have added a management route for the subnet where the TACACS servers are, but authentication is still going via circuit VLAN1.
    It will not allow me to add a "normal" route due to the overlap with the management interface.
    What I really want is a TACACS source-interface equivalent.
    Any and all help appreciated,
    Andrew.

    Andrew,
    The CSS management interface is not designed to be used for user traffic flow or for TACACS, RADIUS, syslog, NTP etc. Therefore there is no way to force TACACS traffic to use this interface. Also, there is no equivalent to "ip tacacs source-interface" in IOS.
    The management interface was designed to be used only for telnet, ssh and web GUI access to the CSS.
    Peter

  • ASA IPSEC Source Interface

    Hi...
    Is there a way to configure an IPsec VPN with a source interface like on a router? This is for a site-to-site VPN. I want to use a loopback interface.
    When I configured one VPN, the only option was the IP of the interface where the traffic is going out.
    Thanks.

    Whatever interface you enable ipsec on is the source interface.
    crypto map MyMap interface [interface name]
    ASA's don't support loopbacks so that is not possible.

  • Setting the source-interface in a tcl script for email.

    So once again I am trying to figure this out and failing miserably. The only thing I can think of at the moment is that I need to tell it to source from a specific VRF interface. I've tried looking through possible environment variables, hoping I could set it that way, but have yet to find one. I have read various settings for source-interface and attempted them. But it fails every time with:
    vpn_failure.tcl: smtp_send_email: error connecting to mail server:
    EEM Version:
    sho event manager version
    Embedded Event Manager Version 4.00
    Component Versions:
    eem: (rel4)1.0.4
    eem-gold: (rel1)1.0.2
    eem-call-home: (rel2)1.0.0
    Below is the stock format for sending the email from the script. If someone could guide me in the correct way to set this up to source the interface that would be awesome.
    # create mail form
      action_syslog msg "Creating mail header for vpn_failure.tcl script..."
      set body [format "Mailservername: %s" "$_email_server"]
      set body [format "%s\nFrom: %s" "$body" "$_email_from"]
      set body [format "%s\nTo: %s" "$body" "$_email_to"]
      set _email_cc ""
      set body [format "%s\nCc: %s" "$body" ""]
      set body [format "%s\nSubject: %s\n" "$body" "VPN Failure Detected: Router $routername Crypto tunnel is DOWN. Peer $remote_peer"]
      set body [format "%s\n%s" "$body" "Report Summary:"]
      set body [format "%s\n%s" "$body" "   - syslog message"]
      set body [format "%s\n%s" "$body" "   - summary of interface(s) in an up/down state"]
      set body [format "%s\n%s" "$body" "   - show ip route $remote_peer"]
      set body [format "%s\n%s" "$body" "   - show crypto isakmp sa"]
      set body [format "%s\n%s" "$body" "   - show crypto session detail"]
      set body [format "%s\n%s" "$body" "   - show crypto engine connection active"]
      set body [format "%s\n%s" "$body" "   - show ip nhrp detail (DMVPN only)"]
      set body [format "%s\n%s" "$body" "   - show log"]
      set body [format "%s\n\n%s" "$body" "---------- syslog message ----------"]
      set body [format "%s\n%s" "$body" "$syslog_msg"]
      set body [format "%s\n\n%s" "$body" "---------- summary of interface(s) in an up/down state ----------"]
      set body [format "%s\n\n%s" "$body" "$show_ip_interface_brief_up_down"]
      set body [format "%s\n\n%s" "$body" "---------- show ip route $remote_peer ----------"]
      set body [format "%s\n\n%s" "$body" "$show_ip_route"]
      set body [format "%s\n\n%s" "$body" "---------- show crypto isakmp sa ----------"]
      set body [format "%s\n\n%s" "$body" "$show_crypto_isakmp_sa"]
      set body [format "%s\n\n%s" "$body" "---------- show crypto session detail ----------"]
      set body [format "%s\n\n%s" "$body" "$show_crypto_session_detail"]
      set body [format "%s\n\n%s" "$body" "---------- show crypto engine connection active ----------"]
      set body [format "%s\n\n%s" "$body" "$show_crypto_engine_connection_active"]
      set body [format "%s\n\n%s" "$body" "---------- show ip nhrp detail (DMVPN only) ----------"]
      set body [format "%s\n\n%s" "$body" "$show_ip_nhrp_detail"]
      set body [format "%s\n\n%s" "$body" "---------- show log ----------"]
      set body [format "%s\n\n%s" "$body" "$show_log"]
      if [catch {smtp_send_email $body} result] {
        action_syslog msg "smtp_send_email: $result"
      }

    I got this far, saw the MAXRUN error, bumped that up and then turned on debugging. I am still not connecting to the mail server. So I don't think I am reaching the mail server yet. I don't think it is using the source interface. In debugging, everything in the script works except for the mail portion.
    Jul 29 16:01:00.334: %HA_EM-6-LOG: vpn_failure.tcl: Creating mail header for vpn_failure.tcl script...
    Jul 29 16:02:36.464: %HA_EM-6-LOG: vpn_failure.tcl: Process Forced Exit- MAXRUN timer expired.
    Jul 29 16:02:36.464: %HA_EM-6-LOG: vpn_failure.tcl:     while executing
    Jul 29 16:02:36.464: %HA_EM-6-LOG: vpn_failure.tcl: "action_syslog msg "smtp_send_email: $result""
    Jul 29 16:02:36.464: %HA_EM-6-LOG: vpn_failure.tcl:     invoked from within
    Jul 29 16:02:36.464: %HA_EM-6-LOG: vpn_failure.tcl: "$slave eval $Contents"
    Jul 29 16:02:36.464: %HA_EM-6-LOG: vpn_failure.tcl:     (procedure "eval_script" line 7)
    Jul 29 16:02:36.464: %HA_EM-6-LOG: vpn_failure.tcl:     invoked from within
    Jul 29 16:02:36.464: %HA_EM-6-LOG: vpn_failure.tcl: "eval_script slave $scriptname"
    Jul 29 16:02:36.464: %HA_EM-6-LOG: vpn_failure.tcl:     invoked from within
    Jul 29 16:02:36.464: %HA_EM-6-LOG: vpn_failure.tcl: "if {$security_level == 1} {       #untrusted script
    Jul 29 16:02:36.464: %HA_EM-6-LOG: vpn_failure.tcl:      interp create -safe slave
    Jul 29 16:02:36.464: %HA_EM-6-LOG: vpn_failure.tcl:      interp share {} stdin slave
    Jul 29 16:02:36.464: %HA_EM-6-LOG: vpn_failure.tcl:      interp share {} stdout slave
    Jul 29 16:02:36.464: %HA_EM-6-LOG: vpn_failure.tcl: ..."
    Jul 29 16:02:36.464: %HA_EM-6-LOG: vpn_failure.tcl:     (file "tmpsys:/lib/tcl/base.tcl" line 50)
    Jul 29 16:02:36.465: %HA_EM-6-LOG: vpn_failure.tcl: Tcl policy execute failed:
    Jul 29 16:02:36.465: %HA_EM-6-LOG: vpn_failure.tcl: Process Forced Exit- MAXRUN timer expired.
    Debugging On:
    Jul 29 16:28:51.471: [fh_smtp_debug_cmd]
    Jul 29 16:28:51.472: %HA_EM-6-LOG: vpn_failure.tcl : DEBUG(smtp_lib) : smtp_connect : attempt 2
    Jul 29 16:29:24.473: [fh_smtp_debug_cmd]
    Jul 29 16:29:24.473: %HA_EM-6-LOG: vpn_failure.tcl : DEBUG(smtp_lib) : smtp_connect : attempt 3
    Jul 29 16:29:57.475: [fh_smtp_debug_cmd]
    Jul 29 16:29:57.475: %HA_EM-6-LOG: vpn_failure.tcl : DEBUG(smtp_lib) : smtp_connect : attempt 4
    Jul 29 16:30:30.478: [fh_smtp_debug_cmd]
    Jul 29 16:30:30.479: %HA_EM-6-LOG: vpn_failure.tcl : DEBUG(smtp_lib) : smtp_connect : attempt 5
    Jul 29 16:31:00.482: %HA_EM-6-LOG: vpn_failure.tcl: smtp_send_email: error connecting to mail server:
    cannot connect to all the candidate mail servers
    Jul 29 16:31:00.483: %HA_EM-6-LOG: vpn_failure.tcl: vpn_failure.tcl script completed
    event manager environment _email_server 10.79.1.126
    event manager environment _email_from [email protected]
    event manager environment _email_to [email protected]
    interface Port-channel1.101
    description MGMT-1
    encapsulation dot1Q 101
    vrf forwarding MGMT-1
    ip address 10.79.1.252 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    redundancy rii 101
    redundancy group 2 ip 10.79.1.254 exclusive decrement 10
    end
    #----------------------- send mail ----------------------
    # create mail form
      action_syslog msg "Creating mail header for vpn_failure.tcl script..."
      set body [format "Mailservername: %s" "$_email_server"]
      set body [format "%s\nFrom: %s" "$body" "$_email_from"]
      set body [format "%s\nTo: %s" "$body" "$_email_to"]
      set _email_cc ""
      set body [format "%s\nCc: %s" "$body" "[email protected]"]
      set body [format "%s\nSourceintf: %s" "$body" "port-channel1.101"]
      set body [format "%s\nSubject: %s\n" "$body" "VPN Failure Detected: Router $routername Crypto tunnel is DOWN. Peer $remote_peer"]
      set body [format "%s\n%s" "$body" "Report Summary:"]
      set body [format "%s\n%s" "$body" "   - syslog message"]
      set body [format "%s\n%s" "$body" "   - summary of interface(s) in an up/down state"]
      set body [format "%s\n%s" "$body" "   - show ip route $remote_peer"]
      set body [format "%s\n%s" "$body" "   - show crypto isakmp sa"]
      set body [format "%s\n%s" "$body" "   - show crypto session detail"]
      set body [format "%s\n%s" "$body" "   - show crypto engine connection active"]
      set body [format "%s\n%s" "$body" "   - show ip nhrp detail (DMVPN only)"]
      set body [format "%s\n%s" "$body" "   - show log"]
      set body [format "%s\n\n%s" "$body" "---------- syslog message ----------"]
      set body [format "%s\n%s" "$body" "$syslog_msg"]
      set body [format "%s\n\n%s" "$body" "---------- summary of interface(s) in an up/down state ----------"]
      set body [format "%s\n\n%s" "$body" "$show_ip_interface_brief_up_down"]
      set body [format "%s\n\n%s" "$body" "---------- show ip route $remote_peer ----------"]
      set body [format "%s\n\n%s" "$body" "$show_ip_route"]
      set body [format "%s\n\n%s" "$body" "---------- show crypto isakmp sa ----------"]
      set body [format "%s\n\n%s" "$body" "$show_crypto_isakmp_sa"]
      set body [format "%s\n\n%s" "$body" "---------- show crypto session detail ----------"]
      set body [format "%s\n\n%s" "$body" "$show_crypto_session_detail"]
      set body [format "%s\n\n%s" "$body" "---------- show crypto engine connection active ----------"]
      set body [format "%s\n\n%s" "$body" "$show_crypto_engine_connection_active"]
      set body [format "%s\n\n%s" "$body" "---------- show ip nhrp detail (DMVPN only) ----------"]
      set body [format "%s\n\n%s" "$body" "$show_ip_nhrp_detail"]
      set body [format "%s\n\n%s" "$body" "---------- show log ----------"]
      set body [format "%s\n\n%s" "$body" "$show_log"]
      if [catch {smtp_send_email $body} result] {
        action_syslog msg "smtp_send_email: $result"
      }
      action_syslog msg "vpn_failure.tcl script completed"
    #------------------ end of send mail --------------------

  • ISE v1.2 - Status-Server - 5405 RADIUS Request dropped

    Just a note:
    Some devices send regular RADIUS status messages;
    The ISE drops these as 
    Event: 5405 RADIUS Request dropped
    Failure Reason: 11031 RADIUS packet type is not a valid Request
    Root cause: RADIUS packet type is not a valid Request.
    Wireshark shows:-
    Code: Status-Server (12)
    Attribute Value Pairs:
    AVP: l=6  t=Service-Type(6): Shell-User(6)
    AVP: l=18  t=Message-Authenticator(80): df48bb4b50f0a772bd7c891ef6548c68
    AVP: l=6  t=NAS-IP-Address(4): 10.1.1.1
    I believe that ISE should accept and respond to these messages per RFC 5997 (which updates RFC 2866):
    A RADIUS server or proxy implementing this specification SHOULD respond to a Status-Server packet with an Access-Accept (authentication port) or Accounting-Response (accounting port).  An Access-Challenge response is NOT RECOMMENDED.  An Access-Reject response MAY be used.

    Neno
    Nothing to do with that,
    The devices will use RADIUS to authenticate fine; database, credentials, etc. are fine.
    However, they send keepalives to validate that the RADIUS server is still there. ISE doesn't implement this and the ISE logs get full of rejections. The end devices are unable to prioritise which ISE to use based on up/down, but they still work.
    This was just a note to everyone so they are aware of the issue,
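The Status-Server drop above, the silently unanswered Access-Requests in the "radius server overwrite interface" thread, and the 0.0.0.0 NAS-IP-Address thread all come down to the same server-side rules: a RADIUS server identifies the client by the UDP source address of the datagram (a new source interface is an unknown client until it is added on the server), a Message-Authenticator that does not verify is a silent discard, Status-Server requires a Message-Authenticator and is answered with Access-Accept, and NAS-IP-Address (4) is whatever the client chose to put there. The following Python model is an added example, not code from any of the posts, from Cisco or from ACS/ISE; the client table, shared secrets and IP addresses are constructed for the demonstration.

```python
# Added example: minimal RADIUS (RFC 2865/2869/5997) packet handling with the
# server-side decisions the threads above run into. Client table, secrets and
# addresses below are constructed, not taken from any real deployment.
import hashlib
import hmac
import ipaddress
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, STATUS_SERVER = 1, 2, 3, 12
USER_NAME, NAS_IP_ADDRESS, SERVICE_TYPE, MESSAGE_AUTHENTICATOR = 1, 4, 6, 80

# Constructed client table: servers key the shared secret on the *source IP*
# of the datagram, never on the self-asserted NAS-IP-Address attribute.
CLIENTS = {"10.0.0.10": b"wlc-mgmt-secret"}


def encode_attrs(attrs):
    """Attributes are Type(1) Length(1) Value; Length includes the 2-byte header."""
    out = b""
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out


def decode_attrs(payload):
    """Return [(type, value, offset_of_value_in_payload)], rejecting truncated TLVs."""
    attrs, i = [], 0
    while i < len(payload):
        if len(payload) - i < 2:
            raise ValueError("truncated attribute header")
        t, l = struct.unpack("!BB", payload[i:i + 2])
        if l < 2 or i + l > len(payload):
            raise ValueError("malformed attribute length")
        attrs.append((t, payload[i + 2:i + l], i + 2))
        i += l
    return attrs


def build_packet(code, ident, authenticator, attrs, secret=None):
    """Header + attributes. With a secret, append Message-Authenticator (RFC 2869
    5.14): HMAC-MD5(secret, whole packet with the MA value zeroed)."""
    if secret is not None:
        attrs = attrs + [(MESSAGE_AUTHENTICATOR, b"\x00" * 16)]
    body = encode_attrs(attrs)
    pkt = struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body
    if secret is not None:  # MA is the last attribute, so its value is the tail
        pkt = pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt


def parse_packet(pkt):
    if len(pkt) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("length field does not match datagram")
    return code, ident, pkt[4:20], decode_attrs(pkt[20:])


def message_authenticator_ok(pkt, secret, request_auth=None):
    """True iff a Message-Authenticator is present and verifies. For a reply,
    pass the request authenticator: the reply MA is keyed over that, not over
    the Response Authenticator that ends up in the header."""
    _, _, auth, attrs = parse_packet(pkt)
    for t, v, off in attrs:
        if t == MESSAGE_AUTHENTICATOR:
            start = 20 + off
            zeroed = pkt[:4] + (request_auth or auth) + pkt[20:start] + b"\x00" * 16 + pkt[start + 16:]
            return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), v)
    return False


def build_reply(code, ident, request_auth, attrs, secret):
    """Reply MA over the request authenticator, then Response Authenticator =
    MD5(Code+ID+Length+RequestAuth+Attributes+Secret) per RFC 2865 section 3."""
    pkt = build_packet(code, ident, request_auth, attrs, secret)
    return pkt[:4] + hashlib.md5(pkt + secret).digest() + pkt[20:]


def handle_request(src_ip, pkt):
    """Server-side decision for one datagram: (decision, reply_bytes_or_None)."""
    secret = CLIENTS.get(src_ip)
    if secret is None:  # RFC 2865 section 3: unknown client, silently discarded
        return "discard-unknown-client", None
    code, ident, auth, attrs = parse_packet(pkt)
    has_ma = any(t == MESSAGE_AUTHENTICATOR for t, _, _ in attrs)
    if has_ma and not message_authenticator_ok(pkt, secret):
        return "discard-bad-message-authenticator", None  # RFC 2869: silent discard
    if code == STATUS_SERVER:
        if not has_ma:  # RFC 5997 section 3: MA is mandatory in Status-Server
            return "discard-status-server-without-ma", None
        return "status-server-accept", build_reply(ACCESS_ACCEPT, ident, auth, [], secret)
    if code == ACCESS_REQUEST:
        raw = {t: v for t, v, _ in attrs}.get(NAS_IP_ADDRESS)
        nas_ip = str(ipaddress.IPv4Address(raw)) if raw else None
        if nas_ip != src_ip:  # a policy keyed on attribute 4 never matches here
            return f"nas-ip-mismatch:{nas_ip}", build_reply(ACCESS_REJECT, ident, auth, [], secret)
        return "access-request-ok", build_reply(ACCESS_ACCEPT, ident, auth, [], secret)
    return "discard-unknown-code", None


def status_server(secret, ident=1):
    """Status-Server shaped like the Wireshark excerpt: Service-Type, NAS-IP, MA."""
    attrs = [(SERVICE_TYPE, struct.pack("!I", 6)),
             (NAS_IP_ADDRESS, ipaddress.IPv4Address("10.1.1.1").packed)]
    return build_packet(STATUS_SERVER, ident, os.urandom(16), attrs, secret)


def access_request(secret, nas_ip, ident=8):
    """Access-Request carrying a self-asserted NAS-IP-Address (constructed)."""
    attrs = [(USER_NAME, b"admin_user"), (NAS_IP_ADDRESS, ipaddress.IPv4Address(nas_ip).packed)]
    return build_packet(ACCESS_REQUEST, ident, os.urandom(16), attrs, secret)


if __name__ == "__main__":
    good = CLIENTS["10.0.0.10"]
    print(handle_request("10.0.0.10", status_server(good))[0])
    print(handle_request("10.0.0.20", status_server(good))[0])       # new source interface
    print(handle_request("10.0.0.10", status_server(b"wrong"))[0])   # wrong shared secret
    print(handle_request("10.0.0.10", access_request(good, "0.0.0.0"))[0])
```

The second call is the "radius server overwrite interface" case: the datagram now arrives from the dynamic interface address, so until that address is added as a client on the server the request is an unknown client and is dropped without a log entry. The last call is the 3120G case: the packet is authentic, but a policy that matches on NAS-IP-Address sees 0.0.0.0, which is why keying the policy on the client IP was the workable fix.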

  • HT4059 Failed to load book because requested source is missing

    My books won't open. The following error keeps coming up when I try to open the "failed to load book because requested source is missing."
    How do I fix this?

    Hello Akiva 1959,
    It sounds like you have made some purchases in iBooks, and when you try to download them you get this error message that the resource cannot be found. I would report this issue to our iTunes Store support directly with this article:
    How to report an issue with your iTunes Store, App Store, Mac App Store, or iBooks Store purchase
    http://support.apple.com/kb/ht1933
    To report an issue with your iTunes Store, App Store, Mac App Store, or iBooks Store purchase, follow these steps:
    Find the email receipt for your purchase.
    Click Report a Problem under the app that is having the issue.
    When prompted, enter the Apple ID and password you used to purchase the item, then click Report a Problem.
    Click Report a Problem next to the item you are having an issue with.
    From the Choose Problem dropdown menu, choose the appropriate issue.
    Follow the onscreen instructions and—if prompted—type a description of the problem into the text field.
    Click Submit to have your issue reviewed.
    Thank you for using Apple Support Communities.
    All the best,
    Sterling

  • Problem in ACS5.1 : "EAP session timed out", "RADIUS Request dropped "

    Hi .
    Some of my access points do not want to authenticate Wi-Fi users (through the RADIUS server and Microsoft AD).
    The scheme is: Wi-Fi PC - access point - ACS server 5.1 (RADIUS) - Microsoft AD
    After I configured some APs, we see the following logs:
    EAP session timed out (many)
    RADIUS Request dropped (many)
    Could not establish connection with ACS Active Directory agent
    User's Groups retrieval from Active Directory failed
    The user is not found in the internal users identity store.
    Another part of devices (AP) works well.
    Anyone can help me to solve this problem please?

    Hi Nicolas.
    In logs usually we see some steps of beginning relations between devices. But here we see only one log line:
    What can it mean?
    The other messages seem to indicate that there is a problem with your AD. Did you test the bind ? Can you retrieve the AD groups list from ACS ?
    Yes, we tested the relationship between AD and ACS; the AD group list is retrieved fine from AD. In addition, half of the devices in the network work fine: Wi-Fi devices authenticate without problems.
    Do you use AD with the ACS for another part of your network that would be working fine ?
    Yes, there is single AD and ACS.

  • ISE PSN rejecting RADIUS request

    Hi,
    We have a distributed ISE infrastructure version 1.3.
    We began noticing the following problem.
    Randomly, the PSNs started dropping RADIUS requests.
    Basically they didn't service any client.
    It looked like this bug:
    ISE PSN rejecting RADIUS request; deadlocks found @ catalina.out
    CSCur43427
    Symptom:
    ++ CU runs distributed deployment; 2PSN +MnT +PMN;
    ++ PSN "node status were up during the issue;
    ++ PSNs were rejecting RADIUS request; ICMP reachability to PSN were OK;
    ++ both wired and wireless are affected
    ++ removing accounting from both foreign/anchor did not fix the issue;
    Conditions:
    ++ ISE 1.2.0.p10
    ++ happens every 2-3 weeks;
    Workaround:
    ++ restart ISE services;
    So we installed patch 2.
    But now we got the same problem and there is no newer patch.
    Did anyone else encounter this?
    thanks,
    laszlo

    We've also encountered this with 1.3 and logged a TAC case but unfortunately they weren't able to determine the cause due to not enough detail. They suggested changing the log level for runtime-AAA and prrt-JNI to debug temporarily and when it happens again, before restarting the PSN, download the logs from it to supply to TAC.
