Safari authentication with web filters

Similar Messages

• Basic Authentication with Web Service

  Hello,
  I am running S1AS7 on window XP. I have deployed the sample/jaxrpc/simple with basic authentication enabled. I have also changed to Client.java to set the USERNAME and PASSWORD (ie: stub._setProperty(javax.xml.rpc.Stub.USERNAME_PROPERTY, "j2ee");
  Once I have deployed the war file and run the client, I got access denied exception.
  I have checked the s1as7 log and here is the details:
  FINE: Logging in user [j2ee] into realm: file using JAAS module: fileRealm
  FINEST: Login module initialized: class com.iplanet.ias.security.auth.login.File
  LoginModule
  FINEST: File login succeeded for: j2ee
  FINEST: JAAS login complete.
  FINEST: JAAS authentication committed.
  FINE: Password login succeeded for : j2ee
  FINE: Set security context as user: j2ee
  FINE: Authenticator[jaxrpc-simple]: Authenticated 'j2ee' with type 'BASIC'
  FINE: SingleSignOn[server1]: Registering sso id '193F1461E0D9B982E6B4055C0134076
  9' for user 'j2ee' with auth type 'BASIC'
  FINE: Authenticator[jaxrpc-simple]: Calling accessControl()
  FINEST: PRINCIPAL : j2ee hasRole?: staffmember
  FINEST: PRINCIPAL TABLE: {}
  FINE: Authenticator[jaxrpc-simple]: Failed accessControl() test
  Please notice that the authentication worked, but the PRINCIPAL TABLE is null!!!! If I run the basic authentication sample, i can see from the log the PRINCIPAL TABLE is (...staff=[staffmember], j2ee=[staffmember],.....)
  so somehow the app server treats the two sample differently with the same user id (j2ee/password)
  any comments?
  thanks..

  Hello,
  I am running S1AS7 on window XP. I have deployed the
  sample/jaxrpc/simple with basic authentication
  enabled. I have also changed to Client.java to set
  the USERNAME and PASSWORD (ie:
  stub._setProperty(javax.xml.rpc.Stub.USERNAME_PROPERTY
  "j2ee");
  Once I have deployed the war file and run the client,
  I got access denied exception.
  I have checked the s1as7 log and here is the
  details:
  FINE: Logging in user [j2ee] into realm: file using
  JAAS module: fileRealm
  FINEST: Login module initialized: class
  com.iplanet.ias.security.auth.login.File
  LoginModule
  FINEST: File login succeeded for: j2ee
  FINEST: JAAS login complete.
  FINEST: JAAS authentication committed.
  FINE: Password login succeeded for : j2ee
  FINE: Set security context as user: j2ee
  FINE: Authenticator[jaxrpc-simple]: Authenticated
  'j2ee' with type 'BASIC'
  FINE: SingleSignOn[server1]: Registering sso id
  '193F1461E0D9B982E6B4055C0134076
  9' for user 'j2ee' with auth type 'BASIC'
  FINE: Authenticator[jaxrpc-simple]: Calling
  accessControl()
  FINEST: PRINCIPAL : j2ee hasRole?: staffmember
  FINEST: PRINCIPAL TABLE: {}
  FINE: Authenticator[jaxrpc-simple]: Failed
  accessControl() test
  Please notice that the authentication worked, but the
  PRINCIPAL TABLE is null!!!! If I run the basic
  authentication sample, i can see from the log the
  PRINCIPAL TABLE is (...staff=[staffmember],
  j2ee=[staffmember],.....)
  so somehow the app server treats the two sample
  differently with the same user id (j2ee/password)
  any comments?
  thanks..
  One more thing, here is my web.xml file:
  <web-app>
  <display-name>Hello World Application</display-name>
  <description>A web application containing a simple JAX-RPC endpoint</description>
  <session-config>
  <session-timeout>60</session-timeout>
  </session-config>
  <security-constraint>
  <web-resource-collection>
  <web-resource-name>basic secuity test</web-resource-name>
  <url-pattern>/*</url-pattern>
  <http-method>POST</http-method>
       <http-method>GET</http-method>
  </web-resource-collection>
  <auth-constraint>
  <role-name>staffmember</role-name>
  </auth-constraint>
  </security-constraint>
  <login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>basic-file</realm-name>
  </login-config>
  </web-app>

• PEAP authentication with MAC filtering

  Hi,
  I have an SSID, which required mac filtering as first level of security and Radius authentication also. I have done necessary configuration in  ACS and WLC. In ACS, the rule for MAC filtering is taking a hit, but the users are not asked for credentials. The wireless association also fails. The mac addresses are saved in End station filter on ACS. 
  Attached document has the complete configuration which I performed. Please let me know what I am missing here. Thank you.
  Regards,
  Madhan kumar G

  Hi,
  as per maldehne you have to play with the service type.
  check this discussion: http://goo.gl/R9E8ae
  To the authentication policy you have to add a 'service type' attributes and check based on that attribute.
  based on maldehne as per the past discussion the service type value in the rule condition should be:
  For MAC filtering: value should be:  call check
  For 802.1x: value should be : Framed
  Note that the MAC filter rule should come first.
  Hope this helps.
  Regards,
  Amjad

• Trusted Authentication with Web Services SDK

  Hi,
  I have just configured my BO server to use Trusted Authentication (REMOTE_USER) and It works with Infoview so I don't need the logon page to enter user and password.
  I also have an .NET application that uses Web Services SDK and I would like to use Trusted Authentication on it.
  Is there any code to access to BO using Web Services SDK?
  Before the configuration, I was using this code:
  string m_strURL="http://server:8080/dswsbobje/services/Session";
  BusinessObjects.DSWS.Connection oConnection = new BusinessObjects.DSWS.Connection(m_strURL);
  BusinessObjects.DSWS.Session m_wiSession = new Session(oConnection);
  BusinessObjects.DSWS.Session.EnterpriseCredential oEC = new EnterpriseCredential();
  oEC.Login = strLogin;
  oEC.Password = strPassword;
  oEC.AuthType = "secLDAP";
  SessionInfo oSI = m_wiSession.Login(oEC);
  Now, I want to use Trusted Authentication in my .NET application so I wouldn't have to enter user and password.
  I have looking for some code, but I haven't found it yet. I hope you could help me.
  Thanks,
  Sandra

  Hi, Ted,
  I'm trying to use Trusted Authentication to access QaaWS (via WSDL/Axis, NOT Xcelsius).  I enabled it from CMC, put the shared secret in a correct location (win32_x86 directory) and made the change to dsws.properties file, then I restarted tomcat.  However, the system failed to login.  Below is the trace log.  Is Trusted Authentication supported for QaaWS?  Thanks!
  <br/>
  =======
  <br/>
  2010-02-18 14:09:20,781 [http-8080-Processor25] ERROR com.businessobjects.qaaws.internal.transport.QaaWSServlet () 297906 - invoke()
  java.lang.Exception: com.crystaldecisions.sdk.exception.SDKServerException: Enterprise authentication could not log you on. Please make sure your logon information is correct. (FWB 00008)
  cause:com.crystaldecisions.enterprise.ocaframework.idl.OCA.oca_abuse: IDL:img.seagatesoftware.com/OCA/oca_abuse:3.2
  detail:Enterprise authentication could not log you on. Please make sure your logon information is correct. (FWB 00008)
  The server supplied the following details: OCA_Abuse exception 10498 at [.\secpluginent.cpp : 832]  42040 {}
       ...Invalid password
       at com.businessobjects.qaaws.internal.webi.WISessionMgr.makeSession(Unknown Source)
       at com.businessobjects.qaaws.internal.transport.QaaWSServlet.invoke(Unknown Source)
       at com.businessobjects.qaaws.internal.transport.QaaWSServlet.doPost(Unknown Source)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:647)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
       at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:269)
       at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
       at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
       at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:172)
       at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
       at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
       at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108)
       at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:174)
       at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:873)
       at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:665)
       at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:528)
       at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:81)
       at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:689)
       at java.lang.Thread.run(Thread.java:595)
  Caused by: com.crystaldecisions.sdk.exception.SDKServerException: Enterprise authentication could not log you on. Please make sure your logon information is correct. (FWB 00008)
  cause:com.crystaldecisions.enterprise.ocaframework.idl.OCA.oca_abuse: IDL:img.seagatesoftware.com/OCA/oca_abuse:3.2
  detail:Enterprise authentication could not log you on. Please make sure your logon information is correct. (FWB 00008)
  The server supplied the following details: OCA_Abuse exception 10498 at [.\secpluginent.cpp : 832]  42040 {}
       ...Invalid password
       at com.crystaldecisions.sdk.exception.SDKServerException.map(SDKServerException.java:107)
       at com.crystaldecisions.sdk.exception.SDKException.map(SDKException.java:196)
       at com.crystaldecisions.sdk.occa.security.internal.LogonService.doUserLogon(LogonService.java:710)
       at com.crystaldecisions.sdk.occa.security.internal.LogonService.userLogon(LogonService.java:295)
       at com.crystaldecisions.sdk.occa.security.internal.SecurityMgr.userLogon(SecurityMgr.java:162)
       at com.crystaldecisions.sdk.framework.internal.SessionMgr.logon(SessionMgr.java:425)
       ... 19 more
  Caused by: com.crystaldecisions.enterprise.ocaframework.idl.OCA.oca_abuse: IDL:img.seagatesoftware.com/OCA/oca_abuse:3.2
       at com.crystaldecisions.enterprise.ocaframework.idl.OCA.oca_abuseHelper.read(oca_abuseHelper.java:106)
       at com.crystaldecisions.enterprise.ocaframework.idl.OCA.OCAs._LogonEx4Stub.UserLogonEx4(_LogonEx4Stub.java:80)
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
       at java.lang.reflect.Method.invoke(Method.java:585)
       at com.crystaldecisions.enterprise.ocaframework.ManagedService.invoke(ManagedService.java:424)
       at com.crystaldecisions.sdk.occa.security.internal._LogonEx4Proxy.UserLogonEx4(_LogonEx4Proxy.java:222)
       at com.crystaldecisions.sdk.occa.security.internal.LogonService.doLogon(LogonService.java:347)
       at com.crystaldecisions.sdk.occa.security.internal.LogonService.doUserLogon(LogonService.java:684)
       ... 22 more
  org.apache.axis2.AxisFault: org.apache.axis2.databinding.ADBException: Unexpected subelement table
       at org.apache.axis2.AxisFault.makeFault(AxisFault.java:430)
       at service.wsdl.heartFailure.HFReliabilityScoreStub.fromOM(HFReliabilityScoreStub.java:4131)
       at service.wsdl.heartFailure.HFReliabilityScoreStub.runQueryAsAService(HFReliabilityScoreStub.java:201)
       at org.apache.jsp.AuthTest_jsp._jspService(AuthTest_jsp.java:78)
       at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:98)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
       at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:331)
       at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:329)
       at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:265)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
       at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:269)
       at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
       at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
       at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:172)
       at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
       at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
       at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108)
       at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:174)
       at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:873)
       at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:665)
       at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:528)
       at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:81)
       at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:689)
       at java.lang.Thread.run(Thread.java:595)

• Authentication with Web Accees managment through Headervariable

  Hi All
  We have configured External WEb Access Management Product (reverse proxy, passthrough) for authentication to access our BI Java 7.0 Application using Header variable.We have configured authschemes.xml and UME Properties
  When we are trying to access our BI Java 7.0 Application then get the below Error
  " Cannot logon user defined in header variable"
  Please help me on this if anyone have faced these type of issue
  Waiting for your fast immediate response on this
  Thanks with Regards
  Deelip Kumar

  Hi Patrick
  I have doubt on onething, in visual Administrator the below Login module stacks are available,
    SAP-J2EE-Engine – this is a default configured login module stack that can be used by everyone.
  ·        Basic – allows for Basic Authentication, supported by the Web container.
  ·        Client – allows for client certificate authentication, supported by the Web container.
  ·        Digest – allows for digest authentication, supported by the Web container.
  ·        Form  – allows for form authentication, supported by the Web container.
  ·        Ticket – used for creating and verifying logon tickets.
  ·        Evaluation assertion ticket – used for verifying assertion tickets (tickets used between systems).
  I have selected SAP J2EE Engine and then defined the below Logon stack
  EvaluateTicketLoginModule  SUFFICIENT  {ume.configuration.active=true}
  HeaderVariableLoginModule  REQUIRED  {ume.configuration.active=true, Header=}
  CreateTicketLoginModule  SUFFICIENT  {ume.configuration.active=true}
  BasicPasswordLoginModule  REQUISITE {}
  CreateTicketLoginModule  OPTIONAL  {ume.configuration.active=true}
  it do not understand whether it is right or we should create new policy under policy configuration and the define the above stack.now i am also facing problem in loggin to Visual adminstrator
  Please suggest
  Thanks with Regards
  Deelip Kumar

• VPN remote site tunnel-all with web and email filtering at core

  I'm helping a client setup a 'tunnel-all' VPN from remotes to the core.  That's not difficult - there's enough commentary in the community and I can set it up in the lab.  The rub comes with the location of the web filter box in particular - it's currently in-line with the inside interface of the ASA.
  What does the topology for a typical tunnel-all VPN with web filtering at the core look like?  Can't put my hands on any quickly.
  We only have one ISP conn at this time.  I have a layer-3 switch at the core too.
  Thx

  Hi,
  Thats a good question.
  I haven't thought about this part of VPN filtering much as I've usually had to open only a few ports. But if you really need to open all traffic from local to remote, you will also be doing the same for the other direction in the same ACL ACE rule.
  The only thing I can come up with right now is to stop using VPN Filter list and change the "sysopt" setting so that ASA wont let VPN traffic past the outside interface without checing the outside interface ACL
  The Configuration command (8.2) is the following:
  sysopt connection permit-vpn
  For traffic that enters the adaptive security appliance through a VPN tunnel and is then decrypted, use the sysopt connection permit-vpn command  in global configuration mode to allow the traffic to bypass interface  access lists. Group policy and per-user authorization access lists still  apply to the traffic. To disable this feature, use the no form of this command. sysopt connection permit-vpn no sysopt connection permit-vpn
  Though if you change this setting, you will have to take this into account with every VPN Client or L2L VPN you have configured so far.
  After this you can create rules on your outside interface access-list to limit remote user access to your local network. From local to remote networks you can use the access-lists assigned to each interface in question.
  Hope this helps
  - Jouni

• Global Web Filtering Options

  I am looking for a global web filtering solution for our business but am having trouble finding a solution that will work acceptably for us globally.
  The problem is that our campany has hundreds of very small offices (mostly only 2-3 users with the odd larger office) located in remote locations all around the world where WAN links are very expensive and slow.
  We use all small office type cisco routers in our remote offices of various types (such as 800 series) and are rolling out WAAS/WAVE solutions to optimise our slow WAN links as much as possible, and all sites have site-to-site VPNs from the routers to our UK-based data centres.
  Currently we use Websense configured on the local routers at a few of our offices with a regional server in places such as the UK for most of Europe, and Mobile for most of the US for example.
  We could expand this to all locations, including Australasia, Middle East, Far East and Africa etc. but due to the remote locations we would need many local servers in many countries as the infrastructure to have just one regional Websense server isn't good enough in these areas and web performance would be too slow to be useable due to the latency to the Websense server location. It simply isn't financially feasible to put in hundreds of servers at lots of 2-3 man offices in the middle of no-where so I've been looking at other options.
  I was hoping a hosted solution would be the answer, but I've looked at WebSense's hosted service and it doen't appear to cover all regions (just has server farms in US/Europe which is no good for Africa etc.) I've also looked at Symantec MessageLabs but this has the same problem as there is no coverage in the Middle East/Asia/Africa etc and it proxies all web traffic so performance at these sites would probably be appaling with the limited bandwidth on top of the latency to the closest MessageLabs servers.
  I've now seen that Cisco have a new IOS Content Filter which uses Trend database servers. This sounded promising as it appears to cache the URL checks on the router making the server location less of an issue. But I'd still like to know where in the world they cover (I've seen reference to only 4 data centres globally). My other concern with this solution is whether it integrates into AD, so we can apply policies based on the user accounts like we do currently with the WebSense solution. The last thing is the price of this solution as it appears to be licensed based on the number of routers rather than the number of users. As our users are so spread out with only 2-3 users per router on average this is likely to mean for us this solution will be ridiculously expensive, can anyone advise if this is the case?
  My question therefore is can anyone advise on a solution for this that will work with our Cisco infrastructure in all our offices without having to purchase lots of servers for remote locations? I've seen that other vendors such as the Astaro Security Gateway have web filtering built into their products without the need for external servers, but I'd prefer to stick with Cisco if at all possible.
  Many thanks for any advice/help anyone can give me in this area.
  Paul

  Hi Paul,
  IOS Content filtering is licensed on a per router basis, you are right. So, probably that would not scale for you.
  Cisco has other solutions with Web Filtering and Ironport engines. The challenge in your setup is that each remote site would need to "call" to a central web filtering location that will be making the decision on allowing or no. Or you would need a service that scales well on a per contintent basis. There are some new Cisco web filtering options that could scale with servers almost everywhere in the world. But I don't think you can get a consice answer from this forum about your potential choices here.
  You local Cisco team will be able to provide you with these options. You are welcome to give them my email if they need to talk to me internally.
  I hope it helps a little.
  PK

• How to web filtering via two network cards?

  I have Installed Server 2008 and two network cards
  on my pc. One LAN card for clients access and one for internet router. I need to share internet connection to my client computers with
  web filtering. So how to do that? I need to block some sites to client access.

  Hi,
  According to your description, my understanding is that you want to use the WS 2008 to share Internet connection and provide web filtering function for internal clients.
  Internal clients –(NIC1) WS 2008(NIC2) – Internet router – Internet network
  Manually assign IP address, default gateway, DNS server, etc. on NIC2. Manually assign IP address, DNS server, etc. on NIC1.
  Install Network Policy and Access Services – Routing and Remote Access Services. Detailed steps reference:
  Install and Enable the Routing and Remote Access Service
  https://technet.microsoft.com/en-us/library/cc770798(v=ws.10).aspx
  Then open Routing and Remote Access and start configuration. Enable NAT on NIC2 to transfer IP address. Detailed steps reference:
  Enable and Configure NAT
  https://technet.microsoft.com/en-us/library/dd469812.aspx
  Windows Server itself does not support web-based filter, third-party tools with application-layer firewall might be needed to realize this function. Configure WS as a router, it supports IP packet filtering, which specifies which type of traffic is allowed
  into and out of the router. Reference：
  https://technet.microsoft.com/en-us/library/cc732746(v=ws.10).aspx
  Best Regards,
  Eve Wang
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

• HT1688 On my iphone 4 below the search window, I have three greyed out safari icons with different web links attached

  I have a iPhone 4 8GB. I have three greyed out safari icons that doesn't say safari but a web link. It's like a bookmark to your homepage but not in your homepage.   I noticed it when I deleted all my web pages and on that one web page where it says "search or type in a address" right below it where it's just all white, there's three grey looking safari icons with each one with a different web site that's attached to it. When I tap on it it goes to a specific website. For ex one if them says www.longchamp.com, the other macys.com. There's no way to delete it. The wired thing is each one in color it like three shades of grey . Light, med and darker grey icons. When I hold down the icon you can move it around but can't delete, nothing just nothing. It's been there for the longest time I can remember. Do you know what this is? I took a pic of it. I don't know how to attach it to this discussion. Thank you for your patience and understanding.

  I seem to have fixed it by putting <div  class="clearfloat"></div> after the navigation bar?

• Not Working-central web-authentication with a switch and Identity Service Engine

  on the followup the document "Configuration example : central web-authentication with a switch and Identity Service Engine" by Nicolas Darchis, since the redirection on the switch is not working, i'm asking for your help...
  I'm using ISE Version : 1.0.4.573 and WS-C2960-24PC-L w/software 12.2(55)SE1 and image C2960-LANBASEK9-M for the access.
  The interface configuration looks like this:
  interface FastEthernet0/24
  switchport access vlan 6
  switchport mode access
  switchport voice vlan 20
  ip access-group webauth in
  authentication event fail action next-method
  authentication event server dead action authorize
  authentication event server alive action reinitialize
  authentication order mab
  authentication priority mab
  authentication port-control auto
  authentication periodic
  authentication timer reauthenticate server
  authentication violation restrict
  mab
  spanning-tree portfast
  end
  The ACL's
  Extended IP access list webauth
      10 permit ip any any
  Extended IP access list redirect
      10 deny ip any host 172.22.2.38
      20 permit tcp any any eq www
      30 permit tcp any any eq 443
  The ISE side configuration I follow it step by step...
  When I conect the XP client, e see the following Autenthication session...
  swlx0x0x#show authentication sessions interface fastEthernet 0/24
             Interface:  FastEthernet0/24
            MAC Address:  0015.c549.5c99
             IP Address:  172.22.3.184
              User-Name:  00-15-C5-49-5C-99
                 Status:  Authz Success
                 Domain:  DATA
         Oper host mode:  single-host
       Oper control dir:  both
          Authorized By:  Authentication Server
             Vlan Group:  N/A
       URL Redirect ACL:  redirect
           URL Redirect: https://ISE-ip:8443/guestportal/gateway?sessionId=AC16011F000000510B44FBD2&action=cwa
        Session timeout:  N/A
           Idle timeout:  N/A
      Common Session ID:  AC16011F000000490AC1A9E2
        Acct Session ID:  0x00000077
                 Handle:  0xB7000049
  Runnable methods list:
         Method   State
         mab      Authc Success
  But there is no redirection, and I get the the following message on switch console:
  756005: Mar 28 11:40:30: epm-redirect:IP=172.22.3.184: No redirection policy for this host
  756006: Mar 28 11:40:30: epm-redirect:IDB=FastEthernet0/24: In epm_host_ingress_traffic_qualify ...
  I have to mention I'm using an http proxy on port 8080...
  Any Ideas on what is going wrong?
  Regards
  Nuno

  OK, so I upgraded the IOS to version
  SW Version: 12.2(55)SE5, SW Image: C2960-LANBASEK9-M
  I tweak with ACL's to the following:
  Extended IP access list redirect
      10 permit ip any any (13 matches)
  and created a DACL that is downloaded along with the authentication
  Extended IP access list xACSACLx-IP-redirect-4f743d58 (per-user)
      10 permit ip any any
  I can see the epm session
  swlx0x0x#show epm session ip 172.22.3.74
       Admission feature:  DOT1X
       ACS ACL:  xACSACLx-IP-redirect-4f743d58
       URL Redirect ACL:  redirect
       URL Redirect:  https://ISE-ip:8443/guestportal/gateway?sessionId=AC16011F000000510B44FBD2&action=cwa
  And authentication
  swlx0x0x#show authentication sessions interface fastEthernet 0/24
       Interface:  FastEthernet0/24
       MAC Address:  0015.c549.5c99
       IP Address:  172.22.3.74
       User-Name:  00-15-C5-49-5C-99
       Status:  Authz Success
       Domain:  DATA
       Oper host mode:  multi-auth
       Oper control dir:  both
       Authorized By:  Authentication Server
       Vlan Group:  N/A
       ACS ACL:  xACSACLx-IP-redirect-4f743d58
       URL Redirect ACL:  redirect
       URL Redirect:  https://ISE-ip:8443/guestportal/gateway?sessionId=AC16011F000000510B44FBD2&action=cwa
       Session timeout:  N/A
       Idle timeout:  N/A
       Common Session ID:  AC16011F000000160042BD98
       Acct Session ID:  0x0000001B
       Handle:  0x90000016
       Runnable methods list:
       Method   State
       mab      Authc Success
  on the logging, I get the following messages...
  017857: Mar 29 11:27:04: epm-redirect:IDB=FastEthernet0/24: In epm_host_ingress_traffic_qualify ...
  017858: Mar 29 11:27:04: epm-redirect:epm_redirect_cache_gen_hash: IP=172.22.3.74 Hash=271
  017859: Mar 29 11:27:04: epm-redirect:IP=172.22.3.74: CacheEntryGet Success
  017860: Mar 29 11:27:04: epm-redirect:IP=172.22.3.74: Ingress packet on [idb= FastEthernet0/24] matched with [acl=redirect]
  017861: Mar 29 11:27:04: epm-redirect:IDB=FastEthernet0/24: Enqueue the packet with if_input=FastEthernet0/24
  017862: Mar 29 11:27:04: epm-redirect:IDB=FastEthernet0/24: In epm_host_ingress_traffic_process ...
  017863: Mar 29 11:27:04: epm-redirect:IDB=FastEthernet0/24: Not an HTTP(s) packet
  What I'm I missing?

• ISE Web Authentication with Profile

     Hi,
     I'm using Web Authentication with Cisco ISE 1.2.1 without problems.
     The Cisco ISE didn't find the endpoint in my internal endpoint store and continue with Web Authentication
     But when I enable the PSN with the Profile Server, the Cisco ISE populate dynamically the internal endpoint store and I cannot use
     the Web Authentication cause the endpoint is already in the internal endpoint store.
     What's the better way to solve this problem ?
     Thanks in Advanced
     Andre Gustavo Lomonaco

      Hi Neno, let me clarify my question
      I'm already using my internal endpoints to permit authenticate via MAB my IP Phones, Access Points and Printers.  I'm using Profile to be able to populate this ISE internet database.
      Now imagine that I wanna use the Web Authentication to permit authenticate guest workstations without 802.1x.If the profile put the guest workstation mac in the endpoints database, those workstation always will be authenticate using the MAC authentication and not the Web Authentication. Remember that for the Web authentication works we need to configure the continue options if the mac are not found in the endpoints database. But when the profile is on, the news (guest workstations) macs are inserted in endpoints database before I have chance to use the Web Authentication.

• Aironet 2702i Autonomous - Web-Authentication with Radius Window 2008

  Hi Guys,
  I have a problems with case, i have diagrams sample like then : AD(Win2008) - Radius(Win2008) - Aironet 2702i => Use methods Web-Auth for EndUser  
  This is my Configure file on Aironet 2702i
  Aironet2702i#show run
  Building configuration...
  Current configuration : 8547 bytes
  ! Last configuration change at 05:08:25 +0700 Fri Oct 31 2014 by admin
  version 15.3
  no service pad
  service timestamps debug datetime msec
  service timestamps log datetime msec
  service password-encryption
  hostname Aironet2702i
  logging rate-limit console 9
  aaa new-model
  aaa group server radius rad_mac
  aaa group server radius rad_acct
  aaa group server radius rad_admin
  aaa group server tacacs+ tac_admin
  aaa group server radius rad_pmip
  aaa group server radius dummy
  aaa authentication login default local
  aaa authentication login DTSGROUP group radius
  aaa authentication login webauth group radius
  aaa authentication login weblist group radius
  aaa authentication dot1x default group radius
  aaa authorization exec default local 
  aaa session-id common
  clock timezone +0700 7 0
  no ip source-route
  no ip cef 
  ip admission name webauth proxy http
  ip admission name webauth method-list authentication weblist 
  no ip domain lookup
  ip domain name dts.com.vn
  dot11 syslog
  dot11 activity-timeout unknown default 1000
  dot11 activity-timeout client default 1000
  dot11 activity-timeout repeater default 1000
  dot11 activity-timeout workgroup-bridge default 1000
  dot11 activity-timeout bridge default 1000
  dot11 vlan-name DTSGroup vlan 46
  dot11 vlan-name L6-Webauthen-test vlan 45
  dot11 vlan-name NetworkL7 vlan 43
  dot11 vlan-name SGCTT vlan 44
  dot11 ssid DTS-Group
     vlan 46
     authentication open eap DTSGROUP 
     authentication key-management wpa version 2
     mbssid guest-mode
  dot11 ssid DTS-Group-Floor7
     vlan 43
     authentication open 
     authentication key-management wpa version 2
     mbssid guest-mode
     wpa-psk ascii 7 013D03104C0414040D4D5B5E392559
  dot11 ssid L6-Webauthen-test
     vlan 45
     web-auth
     authentication open 
     dot1x eap profile DTSGROUP
     mbssid guest-mode
  dot11 ssid SaigonCTT-Public
     vlan 44
     authentication open 
     authentication key-management wpa version 2
     mbssid guest-mode
     wpa-psk ascii 7 04480A0F082E424D1D0D4B141D06421224
  dot11 arp-cache optional
  dot11 adjacent-ap age-timeout 3
  eap profile DTSGROUP
   description testwebauth-radius
   method peap
   method mschapv2
   method leap
  username TRIHM privilege 15 secret 5 $1$y1J9$3CeHRHUzbO.b6EPBmNlFZ/
  username ADMIN privilege 15 secret 5 $1$IvtF$EP6/9zsYgqthWqTyr.1FB0
  ip ssh version 2
  bridge irb
  interface Dot11Radio0
   no ip address
   encryption vlan 44 mode ciphers aes-ccm 
   encryption vlan 46 mode ciphers aes-ccm 
   encryption mode ciphers aes-ccm 
   encryption vlan 43 mode ciphers aes-ccm 
   encryption vlan 1 mode ciphers aes-ccm 
   ssid DTS-Group
   ssid DTS-Group-Floor7
   ssid L6-Webauthen-test
   ssid SaigonCTT-Public
   countermeasure tkip hold-time 0
   antenna gain 0
   stbc
   mbssid
   packet retries 128 drop-packet
   channel 2412
   station-role root
   rts threshold 2340
   rts retries 128
   ip admission webauth
  interface Dot11Radio0.1
   encapsulation dot1Q 1 native
   bridge-group 1
   bridge-group 1 subscriber-loop-control
   bridge-group 1 spanning-disabled
   bridge-group 1 block-unknown-source
   no bridge-group 1 source-learning
   no bridge-group 1 unicast-flooding
  interface Dot11Radio0.43
   encapsulation dot1Q 43
   bridge-group 43
   bridge-group 43 subscriber-loop-control
   bridge-group 43 spanning-disabled
   bridge-group 43 block-unknown-source
   no bridge-group 43 source-learning
   no bridge-group 43 unicast-flooding
  interface Dot11Radio0.44
   encapsulation dot1Q 44
   bridge-group 44
   bridge-group 44 subscriber-loop-control
   bridge-group 44 spanning-disabled
   bridge-group 44 block-unknown-source
   no bridge-group 44 source-learning
   no bridge-group 44 unicast-flooding
   ip admission webauth
  interface Dot11Radio0.45
   encapsulation dot1Q 45
   bridge-group 45
   bridge-group 45 subscriber-loop-control
   bridge-group 45 spanning-disabled
   bridge-group 45 block-unknown-source
   no bridge-group 45 source-learning
   no bridge-group 45 unicast-flooding
   ip admission webauth
  interface Dot11Radio0.46
   encapsulation dot1Q 46
   bridge-group 46
   bridge-group 46 subscriber-loop-control
   bridge-group 46 spanning-disabled
   bridge-group 46 block-unknown-source
   no bridge-group 46 source-learning
   no bridge-group 46 unicast-flooding
  interface Dot11Radio1
   no ip address
   shutdown
   encryption vlan 46 mode ciphers aes-ccm 
   encryption vlan 44 mode ciphers aes-ccm 
   encryption vlan 1 mode ciphers aes-ccm 
   encryption vlan 43 mode ciphers aes-ccm 
   encryption vlan 45 mode ciphers ckip-cmic 
   ssid DTS-Group
   ssid DTS-Group-Floor7
   ssid SaigonCTT-Public
   countermeasure tkip hold-time 0
   antenna gain 0
   peakdetect
   dfs band 3 block
   stbc
   mbssid
   packet retries 128 drop-packet
   channel 5745
   station-role root
   rts threshold 2340
   rts retries 128
  interface Dot11Radio1.1
   encapsulation dot1Q 1 native
   bridge-group 1
   bridge-group 1 subscriber-loop-control
   bridge-group 1 spanning-disabled
   bridge-group 1 block-unknown-source
   no bridge-group 1 source-learning
   no bridge-group 1 unicast-flooding
  interface Dot11Radio1.43
   encapsulation dot1Q 43
   bridge-group 43
   bridge-group 43 subscriber-loop-control
   bridge-group 43 spanning-disabled
   bridge-group 43 block-unknown-source
   no bridge-group 43 source-learning
   no bridge-group 43 unicast-flooding
  interface Dot11Radio1.44
   encapsulation dot1Q 44
   bridge-group 44
   bridge-group 44 subscriber-loop-control
   bridge-group 44 spanning-disabled
   bridge-group 44 block-unknown-source
   no bridge-group 44 source-learning
   no bridge-group 44 unicast-flooding
   ip admission webauth
  interface Dot11Radio1.45
   encapsulation dot1Q 45
   bridge-group 45
   bridge-group 45 subscriber-loop-control
   bridge-group 45 spanning-disabled
   bridge-group 45 block-unknown-source
   no bridge-group 45 source-learning
   no bridge-group 45 unicast-flooding
   ip admission webauth
  interface Dot11Radio1.46
   encapsulation dot1Q 46
   bridge-group 46
   bridge-group 46 subscriber-loop-control
   bridge-group 46 spanning-disabled
   bridge-group 46 block-unknown-source
   no bridge-group 46 source-learning
   no bridge-group 46 unicast-flooding
  interface GigabitEthernet0
   no ip address
   duplex auto
   speed auto
   dot1x pae authenticator
   dot1x authenticator eap profile DTSGROUP
   dot1x supplicant eap profile DTSGROUP
  interface GigabitEthernet0.1
   encapsulation dot1Q 1 native
   bridge-group 1
   bridge-group 1 spanning-disabled
   no bridge-group 1 source-learning
  interface GigabitEthernet0.43
   encapsulation dot1Q 43
   bridge-group 43
   bridge-group 43 spanning-disabled
   no bridge-group 43 source-learning
  interface GigabitEthernet0.44
   encapsulation dot1Q 44
   bridge-group 44
   bridge-group 44 spanning-disabled
   no bridge-group 44 source-learning
  interface GigabitEthernet0.45
   encapsulation dot1Q 45
   bridge-group 45
   bridge-group 45 spanning-disabled
   no bridge-group 45 source-learning
  interface GigabitEthernet0.46
   encapsulation dot1Q 46
   bridge-group 46
   bridge-group 46 spanning-disabled
   no bridge-group 46 source-learning
  interface GigabitEthernet1
   no ip address
   shutdown
   duplex auto
   speed auto
  interface GigabitEthernet1.1
   encapsulation dot1Q 1 native
   bridge-group 1
   bridge-group 1 spanning-disabled
   no bridge-group 1 source-learning
  interface GigabitEthernet1.43
   encapsulation dot1Q 43
   bridge-group 43
   bridge-group 43 spanning-disabled
   no bridge-group 43 source-learning
  interface GigabitEthernet1.44
   encapsulation dot1Q 44
   bridge-group 44
   bridge-group 44 spanning-disabled
   no bridge-group 44 source-learning
  interface GigabitEthernet1.45
   encapsulation dot1Q 45
   bridge-group 45
   bridge-group 45 spanning-disabled
   no bridge-group 45 source-learning
  interface GigabitEthernet1.46
   encapsulation dot1Q 46
   bridge-group 46
   bridge-group 46 spanning-disabled
   no bridge-group 46 source-learning
  interface BVI1
   mac-address 58f3.9ce0.8038
   ip address 172.16.1.62 255.255.255.0
   ipv6 address dhcp
   ipv6 address autoconfig
   ipv6 enable
  ip forward-protocol nd
  ip http server
  ip http authentication aaa
  no ip http secure-server
  ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
  ip radius source-interface BVI1 
  radius-server attribute 32 include-in-access-req format %h
  radius server 172.16.50.99
   address ipv4 172.16.50.99 auth-port 1645 acct-port 1646
   key 7 104A1D0A4B141D06421224
  bridge 1 route ip
  line con 0
   logging synchronous
  line vty 0 4
   exec-timeout 0 0
   privilege level 15
   logging synchronous
   transport input ssh
  line vty 5 15
   exec-timeout 0 0
   privilege level 15
   logging synchronous
   transport input ssh
  end
  This is My Logfile on Radius Win 2008 : 
  Network Policy Server denied access to a user.
  Contact the Network Policy Server administrator for more information.
  User:
  Security ID: S-1-5-21-858235673-3059293199-2272579369-1162
  Account Name: xxxxxxxxxxxxxxxx
  Account Domain: xxxxxxxxxxx
  Fully Qualified Account Name: xxxxxxxxxxxxxxxxxxx
  Client Machine:
  Security ID: S-1-0-0
  Account Name: -
  Fully Qualified Account Name: -
  OS-Version: -
  Called Station Identifier: -
  Calling Station Identifier: -
  NAS:
  NAS IPv4 Address: 172.16.1.62
  NAS IPv6 Address: -
  NAS Identifier: Aironet2702i
  NAS Port-Type: Async
  NAS Port: -
  RADIUS Client:
  Client Friendly Name: Aironet2702i
  Client IP Address: 172.16.1.62
  Authentication Details:
  Connection Request Policy Name: Use Windows authentication for all users
  Network Policy Name: DTSWIRELESS
  Authentication Provider: Windows
  Authentication Server: xxxxxxxxxxxxxx
  Authentication Type: PAP
  EAP Type: -
  Account Session Identifier: -
  Logging Results: Accounting information was written to the local log file.
  Reason Code: 66
  Reason: The user attempted to use an authentication method that is not enabled on the matching network policy.
  So i will explain problems what i have seen:
  SSID: DTS-Group using authentication EAP with RADIUS and it working great (Authentication Type from Aironet to RADIUS is PEAP)
  SSID:L6-Webauthen-test using web-auth and i had try to compare with RADIUS but ROOT CAUSE is AUTHENTICATION TYPE from Aironet to RADIUS default is PAP. (Reason Code : 66)
  => I had trying to find how to change Authentication Type of Web-Auth on Cisco Aironet from PAP to PEAP or sometime like that for combine with RADIUS.
  Any idea or recommend for me ?
  Thanks for see my case  

  Hi Dhiresh Yadav,
  Many thanks for your reply me,
  I will explain again for clear my problems.
  At this case, i had setup complete SSID DTS-Group use authentication with security as PEAP combine Radius Server running on Window 2008.
  I had login SSID by Account create in AD =>  It's work okay with me. Done
  Problems occurs when i try to use Web-authentication on Vlan45 With SSID :
  dot11 ssid L6-Webauthen-test
     vlan 45
     web-auth
     authentication open 
     dot1x eap profile DTSGROUP
     mbssid guest-mode
  After configured on Aironet and Window Radius , i had try to login with Account create in AD by WebBrowser but it Fail ( i have see mini popup said: Authentication Fail" . So i go to Radius Server and search log on EventViewer.
  This is My Logfile on Radius Win 2008 : 
  Network Policy Server denied access to a user.
  NAS:
  NAS IPv4 Address: 172.16.1.62
  NAS IPv6 Address: -
  NAS Identifier: Aironet2702i
  NAS Port-Type: Async
  NAS Port: -
  RADIUS Client:
  Client Friendly Name: Aironet2702i
  Client IP Address: 172.16.1.62
  Authentication Details:
  Connection Request Policy Name: Use Windows authentication for all users
  Network Policy Name: DTSWIRELESS
  Authentication Provider: Windows
  Authentication Server: xxxxxxxxxxxxxx
  Authentication Type: PAP
  EAP Type: -
  Account Session Identifier: -
  Logging Results: Accounting information was written to the local log file.
  Reason Code: 66
  Reason: The user attempted to use an authentication method that is not enabled on the matching network policy.
  Im  think ROOT CAUSE is :
  PAP is the default authentication type for web-auth users on Aironet 2702i, so it can't combine with Radius Window 2008 because they just support PEAP (CHAPv1,CHAPv2....) => Please give me a tip how to change Authentication Type from PAP to PEAP for Web Authentication on Aironet

• Web Authentication with MS IAS Server

  I'm trying to configure my 2106 WLC to authenticate with an MS IAS Radius Server. I had this working, but my boss did not want to do any configuration on the client side and now wants to do all authentication through Web authentication with the Radius server. The wireless client connects and is redirected to the login page like they're supposed to, but when I enter my credentials the login fails. However, if I enter the login of a local user to the controller the authentication works.
  I see in the logs the following error: AAA Authentication Failure for UserName:chevym User Type: WLAN USER. The authentication is reaching the server too, but the logs don't tell you much.
  Here is what is in the server logs: 192.168.0.77,chevym,07/29/2008,05:58:16,IAS,TESTLAB1,25,311 1 192.168.0.221 07/28/2008 17:27:10 48,4127,2,4130,TESTLAB\chevym,4129,TESTLAB\chevym,4154,Use Windows authentication for all users,4155,1,4128,Wireless LAN Controller,4116,9,4108,192.168.0.77,4136,3,4142,19
  I don't really understand any of that and I'm not really sure if I have the server itself configured correctly for what I want to do. Does anyone have instructions on how to do this?

  I had another thread going on this, but since it appears to be an IAS problem, I've been posting on the MS forum instead of here.
  I'm trying to set up wireless laptop-WLC-IAS authentication using PEAP.
  The machine authenticates on boot, but any login by any user results in this message in the Windows Event log on the IAS server:
  Event Type: Warning
  Event Source: IAS
  Event Category: None
  Event ID: 2
  Date: 9/3/2008
  Time: 11:00:55 PM
  User: N/A
  Computer: DC1
  Description:
  User SCOTRNCPQ003.scdl.local was denied access.
  Fully-Qualified-User-Name = SCDL\SCOTRNCPQ003.scdl.local
  NAS-IP-Address = 10.10.10.10
  NAS-Identifier = scohc0ciswlc
  Called-Station-Identifier = 00-21-55-C0-7D-70:Domain Staff
  Calling-Station-Identifier = 00-90-4B-4C-92-B7
  Client-Friendly-Name = WLAN Controller
  Client-IP-Address = 10.10.10.10
  NAS-Port-Type = Wireless - IEEE 802.11
  NAS-Port = 29
  Proxy-Policy-Name = Use Windows authentication for all users
  Authentication-Provider = Windows
  Authentication-Server =
  Policy-Name =
  Authentication-Type = EAP
  EAP-Type =
  Reason-Code = 8
  Reason = The specified user account does not exist.
  The policy is the default connection policy created when installing IAS.
  In ADUC, I've tried setting both the machine and users Dial-In properties to Allow Access or Control through policy, with the same result.
  I've gone through the policy and there isn't anything there, other than the Day-Time rule which is set to allow access for all hours of the whole day, every day.
  In the last few days, I've read about the Ignore User Dial In properties, but can't find where/how you set this.
  It sounded to me as if this had been resolved in this thread, so I wanted to know how this had been accomplished.

• How to use Web Filters methodology  with Internal ITS with NW2004s

  ITS 6.2 will no longer be supported going forward with the upcoming NW2004s. Only internal ITS will be supported with 2004s. However, since PAS APIs are not available with Internal ITS, Can any one give some clue on how we can use the Web Filters methodology for use with Internal ITS with 2004s.

  A long time ago, but yesterday i have had time to try again to setup the MacMini server properly. But no luck.
  sudo changeip -checkhostname
  gives me:
  Primary address          = 192.168.1.** (i don't know it's save enough to put this IP complete on the net)
  Current HostName      = server.beeldenstorm.be
  The DNS hostname is not available, please repair DNS and re-run this tool.
  dirserv:success           = "success"
  So their is something wrong. But how to repair the DNS?
  MacMini server is working properly on our local network, but outside not. I have done the port forwarding.
  Another problem is that i have read that for the server to work properly we have to use fix IP address.
  So, that's what i am doing. But in that way their is no internet connection at all.
  So, no updates and ... .
  Lookup and Ping test, outside our local network:
  http://beeldenstorm.be/doc/lookup-and-ping.pdf
  Why is this so irritating and are there soo many problems on forums?
  I know: because most of us are not network/server specialists.
  But Apple sells this server app like a app for everybody, easy to install?
  Thanks for help.

• Is dynamic VLAN assignment supported with web-authentication?

  The 7.6.130.0 WLC configuration guides says this:
  "Dynamic VLAN assignment is not supported for web authentication from a controller with Access Control Server (ACS)"
  How should we interpret this, exactly? Does this mean that dynamic VLAN assignment is supported with web authentication from a controller if some other RADIUS server is used (Eg: FreeRadius, ISE)?

  It is not supported with any kind of radius server. The radius attributes ACS uses for pushing those settings (64,65,81) are the same for every other radius implementation. Pushing a QoS profile does work.