Radius user unknown / Radius deactivated in global list

Hi
We have a network of 40 APs, a Cisco WLC 3750 and a Cisco 1841. Right now we're using one WLAN with integrated Authentication over the WLC 3750 and a Login Page. We also do have a Cisco 3560 Switch which is the DHCP Server. The Cisco 1841 is using NAT. The system works perfectly without any problems.
But we'd like to use a RADIUS Server for authenticating the users. So we set up a second WLAN, entered the IP-Address of the RADIUS-Server, the Shared Secret and tried to connect to the RADIUS Server. But while trying to connect to the RADIUS Server the following log appears on the WLC:
RADIUS server IP-Address:Port failed to respond to request (ID 212) for client MAC-Address of the client / user 'unknown'
Sometimes there's also the following message:
RADIUS server IP-Address:Port deactivated in global list
The RADIUS Server is based on the software FreeRadius, but there are no entries in the log of the RADIUS which leads me to the conclusion that the request never reaches the RADIUS Server.
The RADIUS Server is using PEAP with EAP MSChap v2.
I've read in this forum that there are problems with entering the "shared secret" on the GUI of the WLC. Can anyone confirm this?
The software version of the WLC is 4.2.209.0
Any suggestions for the problem?
Thanks a lot
Heinrich

I think you are most probably missing configuration steps.
You need to define the WLC as an AAA client in FreeRADIUS. On both sides (FreeRADIUS and WLC) you need to define the same shared secret.
That should be it.
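To make concrete why a missing client definition or a mismatched shared secret shows up on the WLC as "failed to respond" rather than as a reject, here is an added Python model of the exchange; it is not from this thread and not FreeRADIUS code. The NAS address 10.0.0.2, the username and the secrets are constructed values, and the server's `clients` dictionary plays the role of a clients.conf entry.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, NAS_IP_ADDRESS, MESSAGE_AUTHENTICATOR = 1, 4, 80

def attr(atype, value):
    """One Type/Length/Value attribute (RFC 2865 section 5)."""
    return struct.pack("!BB", atype, len(value) + 2) + value

def build_access_request(ident, secret, username, nas_ip):
    """Access-Request as a NAS such as the WLC sends it. EAP traffic must carry
    Message-Authenticator: HMAC-MD5 over the whole packet with that attribute
    zeroed, keyed with the shared secret (RFC 3579 section 3.2)."""
    req_auth = os.urandom(16)  # random Request Authenticator
    ip = bytes(int(o) for o in nas_ip.split("."))
    attrs = attr(USER_NAME, username.encode()) + attr(NAS_IP_ADDRESS, ip)
    attrs += attr(MESSAGE_AUTHENTICATOR, bytes(16))  # placeholder, filled below
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac

def parse_attrs(attrs):
    """Map attribute type -> (offset, value) for a run of TLVs."""
    out, pos = {}, 0
    while pos + 2 <= len(attrs):
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2:
            break  # malformed length: stop rather than loop forever
        out[atype] = (pos, attrs[pos + 2:pos + alen])
        pos += alen
    return out

def server_handle(pkt, clients):
    """Server side (the FreeRADIUS role). 'clients' maps NAS IP -> secret, the
    equivalent of a clients.conf entry. An unknown client or a bad
    Message-Authenticator gets no reply at all; the NAS only sees silence."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    req_auth, attrs = pkt[4:20], pkt[20:length]
    fields = parse_attrs(attrs)
    secret = clients.get(".".join(str(b) for b in fields[NAS_IP_ADDRESS][1]))
    if secret is None:
        return None  # unknown client: request dropped
    ma_off, ma = fields[MESSAGE_AUTHENTICATOR]
    zeroed = attrs[:ma_off + 2] + bytes(16) + attrs[ma_off + 18:]
    expected = hmac.new(secret, pkt[:20] + zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(ma, expected):
        return None  # shared secret mismatch: request dropped
    # Access-Accept with no attributes; Response Authenticator =
    # MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    head = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20)
    return head + hashlib.md5(head + req_auth + secret).digest()

def nas_verify_reply(request, reply, secret):
    """NAS side: a reply whose Response Authenticator does not verify with the
    NAS's own secret is discarded, so it counts as 'failed to respond'."""
    if reply is None:
        return False
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])

def try_auth(nas_secret, server_clients, nas_ip="10.0.0.2"):
    """One full exchange: did the WLC get an answer it can verify?"""
    req = build_access_request(212, nas_secret, "heinrich", nas_ip)
    return nas_verify_reply(req, server_handle(req, server_clients), nas_secret)
```

Only when the NAS is listed and both secrets agree does `try_auth` return True; leaving the WLC out of `clients` or typing the secret differently on one side both produce no reply, which is what the controller then reports as a non-responding server.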

Similar Messages

  • Radius server 00.00.00.00 deactivated in global list

    Hi
    We are unable to authenticate the users connecting to the WLC over EAP-FAST from the ACS 5.1.
    AD is integrated with the ACS....
    The error msg coming in the WLC is: Radius server deactivated in global list
    Radius server failed to respond to request(ID:xx) for client xx:xx;xx:xx:xx:xx:xx
    I find that a problem with a time skew error happens between the AD and ACS. But after I configured an NTP server in the ACS the problem still exists.
    I removed the controller from the ACS and added it back, and did the same thing in the controller (reconfigured AAA settings).
    But the problem is not resolved.
    Thanks
    Subhash

    After working with TAC, I resolved this issue recently.  Increasing the timeout value did not help. On the WLC, try:
    config radius aggressive-failover disable
    As per http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080665d18.shtml :
    If the aggressive failover feature is enabled in WLC, the WLC is too aggressive to mark the AAA server as not responding. But, this should not be done because the AAA server is possibly not responsive only to that particular client, if you do silent discard. It can be a response to other valid clients with valid certificates. But, the WLC can still mark the AAA server as not responding and not functional.
    In order to overcome this, disable the aggressive failover feature. Issue the config radius aggressive-failover disable command from the controller GUI in order to perform this. If this is disabled, then the controller only fails over to the next AAA server if there are three consecutive clients that fail to receive a response from the RADIUS server.

  • ISE: test-radius user check fails

    The ISE user guides suggest using a username called 'test-radius' as an option to the 'radius-server host' commands. This will cause the respective NAD (a Cat3560 in my case) to make an authentication check on each configured ISE every 60 minutes.
    The problem is that every hour I see an authentication failure for this user, but ONLY on my second ISE (I'm running a Standalone HA deployment). Since both hosts should replicate the same user DB, why would it only fail on the second ISE? When I direct end-user login authentications to the second ISE exclusively, they will be passed normally.
    See the attached screenshot of the failed authentication attempt for the test-radius user. I've been seeing this with ISE 1.1 as well as 1.1.1.
    The relevant config on the switch is:
    username test-radius secret 5 <snipped>
    radius-server host 172.26.10.35 auth-port 1812 acct-port 1813 test username test-radius key 7 <snipped>
    radius-server host 172.26.10.36 auth-port 1812 acct-port 1813 test username test-radius key 7 <snipped>
    Questions:
    - How can I get rid of that error?
    - Is that test-radius option of much use at all in an ISE setup? As far as I could find out, it would be a measure to figure out if the second ISE policy server is running at all as long as the first one hasn't failed.
    Thanks for any help.
    Toni

    Hi Toni,
    I believe you do not see any Access-Requests with the 'test-radius' on your primary ISE PDP server at all. The reason is simply that this server is already known as alive due to the regular Access-Requests for user authentication, so there is really no reason for checking its availability.
    Obviously this does not explain why the test request is failing. Anyhow, sniffing the RADIUS request packets from your switch towards the ISE should bring light into the darkness.
    If you are having a switch with software version 12.2X (Test switch: WS-C3560G-48PS, C3560-IPBASEK9-M, 12.2(53)SE2) the encrypted password contained does not match the one that you have locally configured on the switch (You may want to use Wireshark as proof).
    On the other hand, if you are having a switch with software version 15.0X (Test switch: WS-C3560X-48P, C3560E-UNIVERSALK9-M, 15.0(1)SE3) the encrypted password contained does match the one that you have locally configured. Side note: It will not work with an MD5 encrypted password, so you have to use 'username test-radius password '.
    However, this whole behavior does not affect user authentication at all and is hence only cosmetic. For the switch itself it only matters whether it gets a response from the ISE (RADIUS) to know if it is alive or not.

    Hi Tarik,
    Testing with the 'test aaa...' command does not result in the 'Authentication Failure' that Toni had mentioned.
    Kind regards and hth,
    Stephan
    *Please rate helpful posts*

  • WCS setup RADIUS users Lobby Ambassador Defaults

    Hi
    I'm using RADIUS so my users can use their active directory credentials to login WCS and generate guest users accounts...
    But I would like to set up some Lobby Ambassador Defaults. I can easily do this for local users on the WCS system, but how do I set up defaults for RADIUS users?
    Best Regards,
    Steffen.

    Hi Scott
    Thanks for your reply.
    I've already read the article, but I can't see that it says anything about setting up Defaults for the users, only which tasks they should be able to do...
    I would like to set up defaults for the RADIUS users, so when they are authenticated as lobby ambassadors they do not need to select which SSID they are generating a guest user account for and so on...
    This is possible for local WCS users, but I need to set up these defaults for my RADIUS authenticated users.
    Best Regards
    Steffen
    And btw.. this discussion was started by me.. https://supportforums.cisco.com/thread/2115616

  • Error in displaying the Global List of entries

    Hi,
    In VC 7.0 I defined a Global List of Products for a Combo Box and written a formula for a filter based on user selected values...
    The filter is working well...
    When the user selects the drop down box on Product, instead of displaying the text values of the entries I defined in the Global List, it is displaying the key values of the entries I defined in the Global List.
    How can I correct this error?
    Thanks

    Hi,
    For this, use this function module so that it can display it in full.
    PARAMETER P_FILE LIKE  IBIPPARMS-PATH.
      CALL FUNCTION 'F4_FILENAME'
        EXPORTING
          PROGRAM_NAME  = SYST-CPROG
          DYNPRO_NUMBER = SYST-DYNNR
          FIELD_NAME    = 'P_FILE'
        IMPORTING
          FILE_NAME     = P_FILE.

  • How do I turn off TFS adding builds to Global List? and/or to the "Found In" drop down in work items?

    We do not use the standard TFS build definitions in our drop downs, and have scripted updating the global list with our standard build numbers. However, we get both the TFS builds and our build numbers in the "Found In" field of work items. How do I disable TFS automatically adding the "Builds - " list into the "Found In" field rules and/or updating the Global List?

    Hi CRHill,  
    Thanks for your post.
    What’s the version of your TFS Server?
    What’s the “not use the standard TFS Build definitions in our drop downs” mean? 
    You’re using the TFS Build Definition to build your solution but not use the default TFS build process template in it?
    If you don’t use TFS build definitions to build your solution, how are the TFS builds’ numbers generated and added in the team project Global list?
    As far as I know all the completed TFS build numbers will be added to the team project Global list by default, and there’s no default way to turn off that in TFS Server. Please refer to the workaround in this article:
    http://readcommit.blogspot.com/2008/04/found-in-build-team-build-list-make-it.html.

  • Allow user to select each item in list item only once.

    Hi,
    What is the best way to stop the user selecting the same item in a list item more than once?
    I have a multi record block, the user can select values 1-10 for each record, but they should not be allowed to select duplicates.
    Thanks for any help!

    Hi,
    Suppose you have 4 list items A, B, C, D in block "test" and the same 4 values in each list item. Now you want that no two values selected by the user in the list items are the same.
    On when-validate-item of list item B write code like:
    If :test.A is null then
      Message('First A must be entered');
      Raise form_trigger_failure;
    end if;
    If :test.B = :test.A then
      Message('Value already in list item A');
      Raise form_trigger_failure;
    end if;
    Now, for C the same code with the addition of a condition for B with the OR operator, like:
    If :test.C = :test.A or :test.C = :test.B then
    Like that.... you can achieve your functionality.
    But one restriction is that the user has to enter values in the list items in a pre-defined order only....
    Hope that it would work for you.....

  • Unknown user appears in get info permissions list

    An unknown user appears in the Get Info permissions list of a lot of folders. I can't remove the user or change the permission level of that user. Is there a way of getting over this problem?
    Here is a screenshot of the unknown user...
    http://i228.photobucket.com/albums/ee151/cosmac2007/Picture5.png

    pzeitler, I tried your fix. It worked but only partly. I had to go to an admin account and do the sudo because my non-admin account that was affected does not allow me to sudo from it. So I do it from the admin account and it seems I add my non-admin user to all admin files/folders with full permissions and no admin account user. So I open the home folder in Get Info, add the admin user and set permission, apply recursively to all inside it. However, I couldn't remove the non-admin user from the admin user folder permissions.
    Now I go to the non-admin user account and find that the unknown group is gone for all except three folders (public/sites/downloads). I also checked a third, non-admin user and it seems unaffected by all the operations that I have performed, but it has the unknown group in it.
    I guess I have to wait for Apple to fix it rather than mess up the system myself.

  • Error occurred in deployment step 'Uninstall app for SharePoint': Only users who can View Pages can list Apps

    While deploying the SharePoint Hosted App I am facing the issue "'Uninstall app for SharePoint': Only users who can View Pages can list Apps".
    - Provided the permissions for App Management and Subscription Services as well as DB.
    - Added into Host web as SC Administrator
    Thanks in Advance.

    Hi,
    The user you are running Visual Studio with should have read permission on the pages of the SharePoint web you are trying to deploy your app to.
    I suggest you add the login user to the SharePoint web in the “Site Settings”->”People and Group”.
    Here is a similar thread for your reference:
    http://sharepoint.stackexchange.com/questions/68590/error-occurred-in-deployment-step-uninstall-app-for-sharepoint-only-users-who
    More reference:
    Step by step How to configure environment for app development:
    http://gianespo.wordpress.com/2014/01/30/step-by-step-how-to-configure-environment-for-sharepoint-app-development/
    Best regards
    Zhengyu Guo
    TechNet Community Support

  • How to prevent users to create their own private list ?

    Hello,
    Is there a way to prevent users to create their own private list ?
    Or to perform their own queries ?
    Thanks for your help.

    Any list or search will always query the database regardless of volume. For example, a user has access to just 1 account record. This record could be one of 10 million other account records. To allow the user to see this record, the entire account pool will be queried. That's where indexes help and queries are really fast.
    Turning off search is not the solution. Ensuring queries are optimized is the solution. For example, manager visibility always slows down the search because the nature of a manager visibility search requires complex search patterns. So you could turn off manager visibility for your company and use alternate means like books. Manager visibility search is a feature that's primarily used by small-to-medium businesses (SMBs). Large enterprises should never use it.

  • Javascript: Query all users with read permission to specific list

    Is it possible to use JavaScript to retrieve all users with read permissions to a specific list? This (http://www.c-sharpcorner.com/UploadFile/anavijai/how-to-get-all-the-users-from-site-group-in-sharepoint-2013/) shows how to get users from a group, but what about a list? All users in the list may not exist in SP groups.

    Hi,
    With the Server Object Model, which is executed on the server side, the SPList object has a RoleAssignments property that can help to get what you want without looping through all the users in the site:
    using System;
    using System.Xml;
    using Microsoft.SharePoint;
    public class ListPermissions
    {
        public static void getPermissionsOfList()
        {
            using (SPSite site = new SPSite("http://sp"))
            using (SPWeb web = site.RootWeb)
            {
                SPList list = web.GetList("/Lists/List1");
                SPRoleAssignmentCollection roles = list.RoleAssignments;
                foreach (SPRoleAssignment role in roles)
                {
                    Console.WriteLine("~");
                    Console.WriteLine("Name: " + role.Member.Name);
                    SPRoleDefinitionBindingCollection bindings = role.RoleDefinitionBindings;
                    XmlDocument doc = new XmlDocument();
                    doc.LoadXml(bindings.Xml);
                    //Console.WriteLine(doc.InnerXml);
                    XmlNodeList itemList = doc.DocumentElement.SelectNodes("Role");
                    foreach (XmlNode currNode in itemList)
                    {
                        string s = currNode.Attributes["Name"].Value.ToString();
                        Console.WriteLine("Permission Level: " + s);
                    }
                }
            }
        }
    }
    However, when it comes to the JavaScript Client Object Model, as there is no such property provided, I suggest you take the solution provided in my previous post for a try.
    Thanks 
    Patrick Liang
    TechNet Community Support
    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact
    [email protected]

  • Cisco 1602i + Authenticating users via RADIUS?

    Hello,
    Our company recently purchased a Cisco 1602i standalone WAP to replace the WAP4410Ns that we were having issues with.  I am now attempting to configure the RADIUS authentication, as we have a User network and a Guest connection.  The Guest connection works fine, using WPA PSK.  However, I can't seem to get the RADIUS authentication to work.  Reading the documentation has got me a little confused, and I have tried turning on debugging (debug radius authentication, debug aaa) but those show nothing.  Also, in the RADIUS server itself (Windows 2008 R2 NPS), I see nothing in the logs when I try to connect using a device or the "test aaa" command.  Can someone guide me on what I'm doing wrong?  I followed someone's advice on another forum and removed "authentication network-eap" from the SSID (phoenix_2), and now when I attempt to connect with a device it just asks me for a password, it doesn't prompt for a username anymore.  I am very stumped.  Here's the relevant config:
    aaa new-model
    aaa group server radius rad_eap
    server 10.200.5.24
    aaa group server radius rad_mac
    aaa group server radius rad_acct
    aaa group server radius rad_admin
    aaa group server tacacs+ tac_admin
    aaa group server radius rad_pmip
    aaa group server radius dummy
    aaa authentication login eap_methods group rad_eap
    aaa authentication login mac_methods local
    aaa authorization exec default local
    aaa accounting network acct_methods start-stop group rad_acct
    aaa session-id common
    clock timezone EST -5 0
    ip cef
    ip domain name gst
    dot11 syslog
    dot11 vlan-name guest vlan 255
    dot11 vlan-name user vlan 140
    dot11 ssid phoenix_2
       vlan 140
       band-select
       authentication open eap eap_methods
       mbssid guest-mode
    dot11 ssid walker_2
       vlan 255
       band-select
       authentication open
       authentication key-management wpa version 2
       mbssid guest-mode
       wpa-psk ascii 7 0353035E535879191B
    interface BVI1
    ip address 10.200.5.70 255.255.255.0
    ip default-gateway 10.200.5.1
    ip forward-protocol nd
    no ip http server
    ip http secure-server
    ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
    ip route 0.0.0.0 0.0.0.0 10.200.140.1
    ip route 0.0.0.0 0.0.0.0 10.200.5.1
    ip radius source-interface BVI1
    access-list 111 permit tcp any any neq telnet
    snmp-server community G!0bal RO
    radius-server attribute 32 include-in-access-req format %h
    radius-server host 10.200.5.24 key 7 01445E510E1C07032A495C0D0B0C011718190D3E2E767863
    radius-server vsa send accounting
    The NPS worked just fine with the WAP4410Ns, not sure why we're having so much trouble with the 1602i. 

    Thanks Rasika, your link worked.  I had the authentication key before, but I removed it while I was trying different things.  My main issue was not applying the list name to the SSID; the documentation did not make it clear that when the RADIUS server is specified using the "radius-server ...." command, the radius group refers to that command when you configure the group.  Once that clicked, it made sense that the method list name was specified by the radius group, and that the authentication methods then referred to the radius group.  It was a big question mark in my head how the RADIUS server was applied to the SSID prior to reading your post.
    I haven't tried the "erase startup-config" command yet, I will try that next. 
    Quick question, why are both authentication open and authentication network-eap needed?  I would assume authentication network-eap would suffice, unless the authentication open command refers to the allowed devices and not just authentication via RADIUS?

  • Viewing Users Activity - Radius

    Hello,
    With TACACS+ we can have a (TACACS+ Administration) logfile on ACS that shows users' activity, but with RADIUS there is no such logfile to show users' activity. I want to know if there is any other way to check users' activity while using radius-server?
    Regards,

    Hi Waheed,
    I now understand what you are looking for..But unfortunately Radius does not provide this function :-(
    Even though RADIUS and TACACS+ are the main protocols typically used for AAA services on network devices, RADIUS was designed to authenticate and log dial-up remote users to a network and TACACS+ is used most commonly for administrator access to network devices.
    RADIUS doesn't log the commands used by the administrator. It will only log the start, stop, time/date, username, type of connection, amount of time logged in, and bytes transferred. The TACACS+ protocol was developed to resolve these issues. With TACACS+ each command entered by the user is sent back to ACS for authorization, which then checks the command against an authorized list of commands for each user or group.
    In short, RADIUS does not offer any command logging and hence you will not be able to see them on any report like what you are seeing for TACACS.
    Hope this helps.
    Regards
    Najaf
    Please rate when applicable or helpful !!!

  • ACS 5.3 Stripping Radius User Prefix

    Hi,
    I have configured my ACS 5.3 to strip the prefix of the RADIUS username (Domain\weekwang) it receives and I also configured my ACS as the External RADIUS Server. However, this does not seem to work. The authentication protocol that I am using is PEAP MSCHAPv2.
    I have read inside this forum that due to the fact that the RADIUS username and password are transmitted inside the TLS tunnel of PEAP MSCHAPv2, ACS is not able to do the stripping as it is not allowed to touch anything inside the TLS tunnel. Please advise if I have got the concept correctly.
    Rgds

    Hi Steven,
    this is unfortunately correct. Using yourself as radius proxy is a great workaround to strip things.
    However, by design if you use an external database (LDAP or proxy radius server), the mschapv2 encryption of the password makes it impossible to authenticate the user since the tunnel is ended on the first ACS. It will work with PEAP-GTC but all mschapv2 methods will fail.
    Nicolas

  • WLC integration with LDAP to authenticate domain users without Radius

    Dear All,
    I have a WLC 4404 with LWAPs. The customer has a Microsoft LDAP and all users are joined to the domain, and he wants the users to be authenticated against their domain accounts. This should be done automatically, so that when users log in to Windows they are also authenticated and joined to the WLAN.
    So how can we do that in the simplest way, without a RADIUS server, using only the LDAP and without involving any certificates?
    Also I need to know, when I add the LDAP server to the WLC, how can I know that this LDAP is properly integrated with the WLC?
    Thanks and BR

    Hi,
         I have followed the following document to make users authenticate against their AD domain accounts:
    http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a008093f1b9.shtml
    The device and the root PKI certificates for the WLC were generated and installed successfully on the WLC, and now we are in the client (end user) part starting from the section "Generating a device certificate for the client", page 17, which as per the document is to be done from the client PC using the client domain account. This consequently means the process is to be repeated for each end user separately, so my question is: is there any way to generate some sort of general certificate for all clients to be pushed through group policy to all clients instead of doing it PC by PC?
