Send vlan via Radius with 802.1x Authentication

Hi all.
I am trying to set up 802.1x authentication using Windows XP Supplicant, Catalyst 2950 and FreeRadius as radius server.
I can login correctly so I have the port in Authorized mode, but I can't download the vlan id through the radius server.
Reading docs, I have found these attributes:
cisco-avpair="tunnel-type(#64)=VLAN(13)"
cisco-avpair="tunnel-medium-type(#65)=802 media(6)"
cisco-avpair="tunnel-private-group-ID(#81)=2" (2 is my vlan id)
but when I insert these into radius DB (I have also tryed with text file config...) I can see from Radius debugs that only the first one (cisco-avpair="tunnel-type(#64)=VLAN(13)" is passed in the access-accept packet.
Here are some outputs:
Sending Access-Challenge of id 80 to 128.0.0.21:1812
Cisco-AVPair = "tunnel-type=VLAN"
EAP-Message = 0x0101001604103ee52f729eb199689ef4fc77a18a6a08
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xf88b9673c199cb13def96563250cf8a7
I issued a "debug radius" on the switch Catalyst 2950 also, and the output is:
02:49:39: RADIUS: Received from id 73 128.0.0.243:1812, Access-Accept, len 129
02:49:39: Attribute 26 75 0000000901457475
02:49:39: Attribute 79 6 03010004
02:49:39: Attribute 80 18 1ABB3507
02:49:39: Attribute 1 10 74657374
02:49:39: RADIUS: EAP-login: length of eap packet = 4
02:49:39: RADIUS: EAP-login: radius didn't send any vlan
so I can see that radius is not sending anything about vlan...
Has anyone alredy tried this set up?
Thank you in advance.
Massimo Magnani.

OK, so I may have glossed over that before. From your debug post, you had:
Cisco-AVPair = "tunnel-type=VLAN"
Unless I'm missing something, that looks like a VSA (or RADIUS Attribute [26\9\1].
You don't need VSAs for VLAN Assignment. You can do this with three standard RADIUS Attributes. Here they are (and an example of what they should look like):
[64] Tunnel-Type – “VLAN” (13)
[65] Tunnel-Medium-Type – “802” (6)
[81] Tunnel-Private-Group-ID - "" OR ""
They are defined in RFC 2868.
Hope this helps,

Similar Messages

  • CCKM with 802.1x authentication

    Hi,
    Can we use CCKM authentication with 802.1x layer 2 authentication method. I read it one cisco article that we can't use CCKM with 802.1x authentication.  Please find the url below, its says that is you choose layer 2 authentication method is 802.1x, then we can't use cckm. Kindly suggest
    http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/82135-wlc-authenticate.html
    Regards,
    Jubair.S

    Yes, You can. 
    Refer this document which clearly state it
    http://www.cisco.com/c/en/us/td/docs/wireless/controller/8-0/configuration-guide/b_cg80/b_cg80_chapter_01001110.html#ID963
    802.1X+CCKM—During normal operation, 802.1X-enabled clients mutually authenticate with a new access point by performing a complete 802.1X authentication, including communication with the main RADIUS server. However, when you configure your WLAN for 802.1X and CCKM fast secure roaming, CCKM-enabled clients securely roam from one access point to another without the need to reauthenticate to the RADIUS server. 802.1X+CCKM is considered optional CCKM because both CCKM and non-CCKM clients are supported when this option is selected.
    HTH
    Rasika
    **** Pls rate all useful responses ***

  • WPA with 802.1x authentication

    Hi experts,
    I need clarification in a fundamental concept.
    Is it possible to configure WPA with 802.1x authentication without external AAA / ACS server.
    If the username and password is configured in local device, is it possible to create 802.1x authentication without RADIUS server
    Thanks in advance
    regards,RB

    You can't do 802.1x without RADIUS. But you can use Local EAP on an Autonomous AP or on a LAP Controller. They can both act as RADIUS servers. Here's an example config for an autonomous AP:
    aaa group server radius rad_eap
    server 192.168.0.1 auth-port 1812 acct-port 1813
    aaa authentication login eap_methods group rad_eap
    dot11 ssid ccie
    authentication open eap eap_methods
    authentication network-eap eap_methods
    guest-mode
    radius-server local
    nas 192.168.0.1 key cisco
    user test password test
    radius-server host 192.168.0.1 auth-port 1812 acct-port 1813 key cisco
    LAP Controller local EAP is configurable through GUI

  • FT akm with 802.1x authentication failed at eapol key 2(invalid MIC)

    My testing controller s/w version is 7.0.250.0, and testing clients were iphone5, iphone6 and macbook pro13, all debug inform showed failed because of invalid MIC, is this a bug or other reason ?
    WLAN configuration:
    (Cisco Controller) >show wlan 100
    WLAN Identifier.................................. 100
    Profile Name..................................... test-qh
    Network Name (SSID).............................. test-qh
    Status........................................... Enabled
    MAC Filtering.................................... Disabled
    Broadcast SSID................................... Enabled
    AAA Policy Override.............................. Disabled
    Network Admission Control
      Radius-NAC State............................... Disabled
      SNMP-NAC State................................. Disabled
      Quarantine VLAN................................ 0
    Maximum number of Associated Clients............. 10
    Number of Active Clients......................... 0
    Exclusionlist Timeout............................ 60 seconds
    Session Timeout.................................. 1800 seconds
    CHD per WLAN..................................... Enabled
    Webauth DHCP exclusion........................... Disabled
    Interface........................................ management
    Multicast Interface.............................. Not Configured
    --More-- or (q)uit
    WLAN ACL......................................... unconfigured
    DHCP Server...................................... Default
    DHCP Address Assignment Required................. Disabled
    Static IP client tunneling....................... Disabled
    Quality of Service............................... Silver (best effort)
    Scan Defer Priority.............................. 4,5,6
    Scan Defer Time.................................. 100 milliseconds
    WMM.............................................. Allowed
    WMM UAPSD Compliant Client Support............... Disabled
    Media Stream Multicast-direct.................... Disabled
    CCX - AironetIe Support.......................... Enabled
    CCX - Gratuitous ProbeResponse (GPR)............. Disabled
    CCX - Diagnostics Channel Capability............. Disabled
    Dot11-Phone Mode (7920).......................... Disabled
    Wired Protocol................................... None
    IPv6 Support..................................... Disabled
    Peer-to-Peer Blocking Action..................... Disabled
    Radio Policy..................................... All
    DTIM period for 802.11a radio.................... 1
    DTIM period for 802.11b radio.................... 1
    Radius Servers
       Authentication................................ Disabled
       Accounting.................................... Global Servers
    --More-- or (q)uit
       Dynamic Interface............................. Disabled
    Local EAP Authentication......................... Enabled (Profile 'test')
    Security
       802.11 Authentication:........................ Open System
       Static WEP Keys............................... Disabled
       802.1X........................................ Disabled
       Wi-Fi Protected Access (WPA/WPA2)............. Enabled
          WPA (SSN IE)............................... Disabled
          WPA2 (RSN IE).............................. Enabled
             TKIP Cipher............................. Disabled
             AES Cipher.............................. Enabled
                                                                   Auth Key Management
             802.1x.................................. Disabled
             PSK..................................... Disabled
             CCKM.................................... Disabled
             FT(802.11r)............................. Enabled
             FT-PSK(802.11r)......................... Disabled
    FT Reassociation Timeout......................... 20
    FT Over-The-Air mode............................. Enabled
    FT Over-The-Ds mode.............................. Disabled
    CCKM tsf Tolerance............................... 1000
       CKIP ......................................... Disabled
    --More-- or (q)uit
       IP Security................................... Disabled
       IP Security Passthru.......................... Disabled
       Web Based Authentication...................... Disabled
       Web-Passthrough............................... Disabled
       Conditional Web Redirect...................... Disabled
       Splash-Page Web Redirect...................... Disabled
       Auto Anchor................................... Disabled
       H-REAP Local Switching........................ Disabled
       H-REAP Local Authentication................... Disabled
       H-REAP Learn IP Address....................... Enabled
       Client MFP.................................... Optional
       Tkip MIC Countermeasure Hold-down Timer....... 60
    Call Snooping.................................... Disabled
    Roamed Call Re-Anchor Policy..................... Disabled
    SIP CAC Fail Send-486-Busy Policy................ Enabled
    SIP CAC Fail Send Dis-Association Policy......... Disabled
    Band Select...................................... Disabled
    Load Balancing................................... Disabled
     Mobility Anchor List
     WLAN ID     IP Address            Status
    debug info:
    Cisco Controller) >*apfMsConnTask_0: Apr 27 21:46:09.971: Processing assoc-req station:68:96:7b:cd:89:1b AP:00:27:0d:2e:d0:50-01 thread:333140024
    *apfMsConnTask_0: Apr 27 21:46:09.971: 68:96:7b:cd:89:1b Marking this mobile as TGr capable.
    *apfMsConnTask_0: Apr 27 21:46:09.971: 68:96:7b:cd:89:1b Processing RSN IE type 48, length 20 for mobile 68:96:7b:cd:89:1b
    *apfMsConnTask_0: Apr 27 21:46:09.971: 68:96:7b:cd:89:1b apfMsAssoStateInc
    *apfMsConnTask_0: Apr 27 21:46:09.971: Sending assoc-resp station:68:96:7b:cd:89:1b AP:00:27:0d:2e:d0:50-01 thread:333140024
    *apfMsConnTask_0: Apr 27 21:46:09.971: Adding MDIE, ID is:0x4e57
    *apfMsConnTask_0: Apr 27 21:46:09.971: 68:96:7b:cd:89:1b Including FT Mobility Domain IE (length 5) in Initial assoc Resp to mobile
    *apfMsConnTask_0: Apr 27 21:46:09.971: 68:96:7b:cd:89:1b Sending R0KH-ID as:192.168.20.244
    *apfMsConnTask_0: Apr 27 21:46:09.971: 68:96:7b:cd:89:1b Sending R1KH-ID as 00:24:14:7e:74:c0
    *apfMsConnTask_0: Apr 27 21:46:09.971: 68:96:7b:cd:89:1b Including FT IE (length 98) in Initial Assoc Resp to mobile
    *spamReceiveTask: Apr 27 21:46:09.973: 68:96:7b:cd:89:1b Sent 1x initiate message to multi thread task for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:09.974: 68:96:7b:cd:89:1b Station 68:96:7b:cd:89:1b setting dot1x reauth timeout = 1800
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:09.974: 68:96:7b:cd:89:1b Sending EAP-Request/Identity to mobile 68:96:7b:cd:89:1b (EAP Id 1)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.037: 68:96:7b:cd:89:1b Received EAPOL EAPPKT from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.037: 68:96:7b:cd:89:1b Received Identity Response (count=1) from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.117: 68:96:7b:cd:89:1b Processing Access-Challenge for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.117: 68:96:7b:cd:89:1b Sending EAP Request from AAA to mobile 68:96:7b:cd:89:1b (EAP Id 2)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.133: 68:96:7b:cd:89:1b Received EAPOL EAPPKT from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.133: 68:96:7b:cd:89:1b Received EAP Response from mobile 68:96:7b:cd:89:1b (EAP Id 2, EAP Type 25)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.135: 68:96:7b:cd:89:1b Processing Access-Challenge for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.135: 68:96:7b:cd:89:1b Sending EAP Request from AAA to mobile 68:96:7b:cd:89:1b (EAP Id 3)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.139: 68:96:7b:cd:89:1b Received EAPOL EAPPKT from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.139: 68:96:7b:cd:89:1b Received EAP Response from mobile 68:96:7b:cd:89:1b (EAP Id 3, EAP Type 25)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.140: 68:96:7b:cd:89:1b Processing Access-Challenge for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.140: 68:96:7b:cd:89:1b Sending EAP Request from AAA to mobile 68:96:7b:cd:89:1b (EAP Id 4)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.200: 68:96:7b:cd:89:1b Received EAPOL EAPPKT from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.201: 68:96:7b:cd:89:1b Received EAP Response from mobile 68:96:7b:cd:89:1b (EAP Id 4, EAP Type 25)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.309: 68:96:7b:cd:89:1b Processing Access-Challenge for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.309: 68:96:7b:cd:89:1b Sending EAP Request from AAA to mobile 68:96:7b:cd:89:1b (EAP Id 5)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.312: 68:96:7b:cd:89:1b Received EAPOL EAPPKT from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.313: 68:96:7b:cd:89:1b Received EAP Response from mobile 68:96:7b:cd:89:1b (EAP Id 5, EAP Type 25)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.314: 68:96:7b:cd:89:1b Processing Access-Challenge for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.314: 68:96:7b:cd:89:1b Sending EAP Request from AAA to mobile 68:96:7b:cd:89:1b (EAP Id 6)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.321: 68:96:7b:cd:89:1b Received EAPOL EAPPKT from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.321: 68:96:7b:cd:89:1b Received EAP Response from mobile 68:96:7b:cd:89:1b (EAP Id 6, EAP Type 25)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.322: 68:96:7b:cd:89:1b Processing Access-Challenge for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.322: 68:96:7b:cd:89:1b Sending EAP Request from AAA to mobile 68:96:7b:cd:89:1b (EAP Id 7)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.325: 68:96:7b:cd:89:1b Received EAPOL EAPPKT from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.325: 68:96:7b:cd:89:1b Received EAP Response from mobile 68:96:7b:cd:89:1b (EAP Id 7, EAP Type 25)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.326: 68:96:7b:cd:89:1b Processing Access-Challenge for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.326: 68:96:7b:cd:89:1b Sending EAP Request from AAA to mobile 68:96:7b:cd:89:1b (EAP Id 8)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.329: 68:96:7b:cd:89:1b Received EAPOL EAPPKT from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.329: 68:96:7b:cd:89:1b Received EAP Response from mobile 68:96:7b:cd:89:1b (EAP Id 8, EAP Type 25)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.331: 68:96:7b:cd:89:1b Processing Access-Accept for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.331: 68:96:7b:cd:89:1b Setting re-auth timeout to 1800 seconds, got from WLAN config.
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.332: 68:96:7b:cd:89:1b Station 68:96:7b:cd:89:1b setting dot1x reauth timeout = 1800
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.332: 68:96:7b:cd:89:1b Creating a PKC PMKID Cache entry for station 68:96:7b:cd:89:1b (RSN 2)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.332: 68:96:7b:cd:89:1b Adding BSSID 00:27:0d:2e:d0:5e to PMKID cache for station 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.332: New PMKID: (16)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.332:      [0000] 80 a9 e3 16 d9 c8 28 9a 37 11 bd 56 ca 01 d5 ce
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.332: 68:96:7b:cd:89:1b Disabling re-auth since PMK lifetime can take care of same.
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.332: 68:96:7b:cd:89:1b Created PMK Cache Entry for TGr AKM:802.1x 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.332: 68:96:7b:cd:89:1b   R0KH-ID:192.168.20.244   R1KH-ID:00:24:14:7e:74:c0  MSK Len:48
                                                                                                                                  pmkValidTime:1772
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.333: 68:96:7b:cd:89:1b PMK sent to mobility group
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.333: 68:96:7b:cd:89:1b Sending EAP-Success to mobile 68:96:7b:cd:89:1b (EAP Id 8)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.333: Including PMKID in M1  (16)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.333:      [0000] 80 a9 e3 16 d9 c8 28 9a 37 11 bd 56 ca 01 d5 ce
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.333: 68:96:7b:cd:89:1b Starting key exchange to mobile 68:96:7b:cd:89:1b, data packets will be dropped
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.333: 68:96:7b:cd:89:1b Sending EAPOL-Key Message to mobile 68:96:7b:cd:89:1b
                                                                                                                        state INITPMK (message 1), replay counter 00.00.00.00.00.00.00.00
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.333: 68:96:7b:cd:89:1b Received Auth Success while in Authenticating state for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.336: 68:96:7b:cd:89:1b Received EAPOL-Key from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.336: 68:96:7b:cd:89:1b Received EAPOL-key in PTK_START state (message 2) from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.337: 68:96:7b:cd:89:1b Received EAPOL-key M2 with invalid MIC from mobile 68:96:7b:cd:89:1b
    *osapiBsnTimer: Apr 27 21:46:10.560: 68:96:7b:cd:89:1b 802.1x 'timeoutEvt' Timer expired for station 68:96:7b:cd:89:1b and for message = M2
    *dot1xMsgTask: Apr 27 21:46:10.562: 68:96:7b:cd:89:1b Retransmit 1 of EAPOL-Key M1 (length 121) for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.565: 68:96:7b:cd:89:1b Received EAPOL-Key from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.565: 68:96:7b:cd:89:1b Received EAPOL-key in PTK_START state (message 2) from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.566: 68:96:7b:cd:89:1b Received EAPOL-key M2 with invalid MIC from mobile 68:96:7b:cd:89:1b
    *osapiBsnTimer: Apr 27 21:46:10.960: 68:96:7b:cd:89:1b 802.1x 'timeoutEvt' Timer expired for station 68:96:7b:cd:89:1b and for message = M2
    *dot1xMsgTask: Apr 27 21:46:10.960: 68:96:7b:cd:89:1b Retransmit 2 of EAPOL-Key M1 (length 121) for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:11.048: 68:96:7b:cd:89:1b Received EAPOL-Key from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:11.048: 68:96:7b:cd:89:1b Received EAPOL-key in PTK_START state (message 2) from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:11.048: 68:96:7b:cd:89:1b Received EAPOL-key M2 with invalid MIC from mobile 68:96:7b:cd:89:1b
    *osapiBsnTimer: Apr 27 21:46:11.360: 68:96:7b:cd:89:1b 802.1x 'timeoutEvt' Timer expired for station 68:96:7b:cd:89:1b and for message = M2
    *dot1xMsgTask: Apr 27 21:46:11.360: 68:96:7b:cd:89:1b Retransmit 3 of EAPOL-Key M1 (length 121) for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:11.364: 68:96:7b:cd:89:1b Received EAPOL-Key from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:11.364: 68:96:7b:cd:89:1b Received EAPOL-key in PTK_START state (message 2) from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:11.364: 68:96:7b:cd:89:1b Received EAPOL-key M2 with invalid MIC from mobile 68:96:7b:cd:89:1b
    *osapiBsnTimer: Apr 27 21:46:11.760: 68:96:7b:cd:89:1b 802.1x 'timeoutEvt' Timer expired for station 68:96:7b:cd:89:1b and for message = M2
    *dot1xMsgTask: Apr 27 21:46:11.760: 68:96:7b:cd:89:1b Retransmit 4 of EAPOL-Key M1 (length 121) for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:11.763: 68:96:7b:cd:89:1b Received EAPOL-Key from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:11.764: 68:96:7b:cd:89:1b Received EAPOL-key in PTK_START state (message 2) from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:11.764: 68:96:7b:cd:89:1b Received EAPOL-key M2 with invalid MIC from mobile 68:96:7b:cd:89:1b
    *osapiBsnTimer: Apr 27 21:46:12.160: 68:96:7b:cd:89:1b 802.1x 'timeoutEvt' Timer expired for station 68:96:7b:cd:89:1b and for message = M2
    *dot1xMsgTask: Apr 27 21:46:12.161: 68:96:7b:cd:89:1b Retransmit failure for EAPOL-Key M1 to mobile 68:96:7b:cd:89:1b, retransmit count 5, mscb deauth count 0
    *dot1xMsgTask: Apr 27 21:46:12.162: 68:96:7b:cd:89:1b Removing PMK cache entry for station 68:96:7b:cd:89:1b
    *apfMsConnTask_0: Apr 27 21:46:12.185: Processing assoc-req station:68:96:7b:cd:89:1b AP:00:27:0d:2e:d0:50-01 thread:333140024
    *apfMsConnTask_0: Apr 27 21:46:12.185: 68:96:7b:cd:89:1b Marking this mobile as TGr capable.
    *apfMsConnTask_0: Apr 27 21:46:12.185: 68:96:7b:cd:89:1b Processing RSN IE type 48, length 20 for mobile 68:96:7b:cd:89:1b
    *apfMsConnTask_0: Apr 27 21:46:12.185: Sending assoc-resp station:68:96:7b:cd:89:1b AP:00:27:0d:2e:d0:50-01 thread:333140024
    *apfMsConnTask_0: Apr 27 21:46:12.185: Adding MDIE, ID is:0x4e57
    *apfMsConnTask_0: Apr 27 21:46:12.185: 68:96:7b:cd:89:1b Including FT Mobility Domain IE (length 5) in Initial assoc Resp to mobile
    *apfMsConnTask_0: Apr 27 21:46:12.185: 68:96:7b:cd:89:1b Sending R0KH-ID as:192.168.20.244
    *apfMsConnTask_0: Apr 27 21:46:12.185: 68:96:7b:cd:89:1b Sending R1KH-ID as 00:24:14:7e:74:c0
    *apfMsConnTask_0: Apr 27 21:46:12.185: 68:96:7b:cd:89:1b Including FT IE (length 98) in Initial Assoc Resp to mobile
    *spamReceiveTask: Apr 27 21:46:12.187: 68:96:7b:cd:89:1b Sent 1x initiate message to multi thread task for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:12.188: 68:96:7b:cd:89:1b Station 68:96:7b:cd:89:1b setting dot1x reauth timeout = 1800
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:12.188: 68:96:7b:cd:89:1b Sending EAP-Request/Identity to mobile 68:96:7b:cd:89:1b (EAP Id 1)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:12.191: 68:96:7b:cd:89:1b Received EAPOL EAPPKT from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:12.191: 68:96:7b:cd:89:1b Received Identity Response (count=1) from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:12.271: 68:96:7b:cd:89:1b Processing Access-Challenge for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:12.271: 68:96:7b:cd:89:1b Sending EAP Request from AAA to mobile 68:96:7b:cd:89:1b (EAP Id 2)
    *apfMsConnTask_0: Apr 27 21:46:12.563: Processing assoc-req station:68:96:7b:cd:89:1b AP:00:27:0d:2e:d0:50-01 thread:333140024
    *apfMsConnTask_0: Apr 27 21:46:12.563: 68:96:7b:cd:89:1b Marking this mobile as TGr capable.
    *apfMsConnTask_0: Apr 27 21:46:12.563: 68:96:7b:cd:89:1b Processing RSN IE type 48, length 20 for mobile 68:96:7b:cd:89:1b
    *apfMsConnTask_0: Apr 27 21:46:12.563: Sending assoc-resp station:68:96:7b:cd:89:1b AP:00:27:0d:2e:d0:50-01 thread:333140024
    *apfMsConnTask_0: Apr 27 21:46:12.563: Adding MDIE, ID is:0x4e57
    *apfMsConnTask_0: Apr 27 21:46:12.563: 68:96:7b:cd:89:1b Including FT Mobility Domain IE (length 5) in Initial assoc Resp to mobile
    *apfMsConnTask_0: Apr 27 21:46:12.563: 68:96:7b:cd:89:1b Sending R0KH-ID as:192.168.20.244
    *apfMsConnTask_0: Apr 27 21:46:12.563: 68:96:7b:cd:89:1b Sending R1KH-ID as 00:24:14:7e:74:c0
    *apfMsConnTask_0: Apr 27 21:46:12.563: 68:96:7b:cd:89:1b Including FT IE (length 98) in Initial Assoc Resp to mobile
    *spamReceiveTask: Apr 27 21:46:12.565: 68:96:7b:cd:89:1b Sent 1x initiate message to multi thread task for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:12.566: 68:96:7b:cd:89:1b Sending EAP-Request/Identity to mobile 68:96:7b:cd:89:1b (EAP Id 1)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:12.571: 68:96:7b:cd:89:1b Received EAPOL EAPPKT from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:12.571: 68:96:7b:cd:89:1b Received Identity Response (count=1) from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:12.572: 68:96:7b:cd:89:1b Processing Access-Reject for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:12.573: 68:96:7b:cd:89:1b Removing PMK cache due to EAP-Failure for mobile 68:96:7b:cd:89:1b (EAP Id -1)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:12.573: 68:96:7b:cd:89:1b Sending EAP-Failure to mobile 68:96:7b:cd:89:1b (EAP Id -1)
    (Cisco Controller) >*Dot1x_NW_MsgTask_0: Apr 27 21:46:12.573: 68:96:7b:cd:89:1b Setting quiet timer for 5 seconds for mobile 68:96:7b:cd:89:1b
    *osapiBsnTimer: Apr 27 21:46:17.560: 68:96:7b:cd:89:1b 802.1x 'quiteWhile' Timer expired for station 68:96:7b:cd:89:1b and for message = M0
    *dot1xMsgTask: Apr 27 21:46:17.561: 68:96:7b:cd:89:1b quiet timer completed for mobile 68:96:7b:cd:89:1b
    *dot1xMsgTask: Apr 27 21:46:17.561: 68:96:7b:cd:89:1b Sending EAP-Request/Identity to mobile 68:96:7b:cd:89:1b (EAP Id 1)
    (Cisco Controller) >*apfMsConnTask_0: Apr 27 21:46:19.793: Processing assoc-req station:68:96:7b:cd:89:1b AP:00:27:0d:2e:d0:50-01 thread:333140024
    *apfMsConnTask_0: Apr 27 21:46:19.793: 68:96:7b:cd:89:1b Marking this mobile as TGr capable.
    *apfMsConnTask_0: Apr 27 21:46:19.793: 68:96:7b:cd:89:1b Processing RSN IE type 48, length 20 for mobile 68:96:7b:cd:89:1b
    *apfMsConnTask_0: Apr 27 21:46:19.793: Sending assoc-resp station:68:96:7b:cd:89:1b AP:00:27:0d:2e:d0:50-01 thread:333140024
    *apfMsConnTask_0: Apr 27 21:46:19.793: Adding MDIE, ID is:0x4e57
    *apfMsConnTask_0: Apr 27 21:46:19.793: 68:96:7b:cd:89:1b Including FT Mobility Domain IE (length 5) in Initial assoc Resp to mobile
    *apfMsConnTask_0: Apr 27 21:46:19.793: 68:96:7b:cd:89:1b Sending R0KH-ID as:192.168.20.244
    *apfMsConnTask_0: Apr 27 21:46:19.793: 68:96:7b:cd:89:1b Sending R1KH-ID as 00:24:14:7e:74:c0
    *apfMsConnTask_0: Apr 27 21:46:19.793: 68:96:7b:cd:89:1b Including FT IE (length 98) in Initial Assoc Resp to mobile
    *spamReceiveTask: Apr 27 21:46:19.796: 68:96:7b:cd:89:1b Sent 1x initiate message to multi thread task for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:19.798: 68:96:7b:cd:89:1b Sending EAP-Request/Identity to mobile 68:96:7b:cd:89:1b (EAP Id 1)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:19.825: 68:96:7b:cd:89:1b Received EAPOL EAPPKT from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:19.826: 68:96:7b:cd:89:1b Received Identity Response (count=1) from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:19.905: 68:96:7b:cd:89:1b Processing Access-Challenge for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:19.905: 68:96:7b:cd:89:1b Sending EAP Request from AAA to mobile 68:96:7b:cd:89:1b (EAP Id 2)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:19.918: 68:96:7b:cd:89:1b Received EAPOL EAPPKT from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:19.918: 68:96:7b:cd:89:1b Received EAP Response from mobile 68:96:7b:cd:89:1b (EAP Id 2, EAP Type 25)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:19.920: 68:96:7b:cd:89:1b Processing Access-Challenge for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:19.920: 68:96:7b:cd:89:1b Sending EAP Request from AAA to mobile 68:96:7b:cd:89:1b (EAP Id 3)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:19.923: 68:96:7b:cd:89:1b Received EAPOL EAPPKT from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:19.924: 68:96:7b:cd:89:1b Received EAP Response from mobile 68:96:7b:cd:89:1b (EAP Id 3, EAP Type 25)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:19.924: 68:96:7b:cd:89:1b Processing Access-Challenge for mobile 68:96:7b:cd:89:1b
    d*Dot1x_NW_MsgTask_0: Apr 27 21:46:19.925: 68:96:7b:cd:89:1b Sending EAP Request from AAA to mobile 68:96:7b:cd:89:1b (EAP Id 4)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:19.964: 68:96:7b:cd:89:1b Received EAPOL EAPPKT from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:19.964: 68:96:7b:cd:89:1b Received EAP Response from mobile 68:96:7b:cd:89:1b (EAP Id 4, EAP Type 25)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.073: 68:96:7b:cd:89:1b Processing Access-Challenge for mobile 68:96:7b:cd:89:1b
    e*Dot1x_NW_MsgTask_0: Apr 27 21:46:20.073: 68:96:7b:cd:89:1b Sending EAP Request from AAA to mobile 68:96:7b:cd:89:1b (EAP Id 5)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.076: 68:96:7b:cd:89:1b Received EAPOL EAPPKT from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.076: 68:96:7b:cd:89:1b Received EAP Response from mobile 68:96:7b:cd:89:1b (EAP Id 5, EAP Type 25)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.077: 68:96:7b:cd:89:1b Processing Access-Challenge for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.077: 68:96:7b:cd:89:1b Sending EAP Request from AAA to mobile 68:96:7b:cd:89:1b (EAP Id 6)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.083: 68:96:7b:cd:89:1b Received EAPOL EAPPKT from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.083: 68:96:7b:cd:89:1b Received EAP Response from mobile 68:96:7b:cd:89:1b (EAP Id 6, EAP Type 25)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.084: 68:96:7b:cd:89:1b Processing Access-Challenge for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.084: 68:96:7b:cd:89:1b Sending EAP Request from AAA to mobile 68:96:7b:cd:89:1b (EAP Id 7)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.087: 68:96:7b:cd:89:1b Received EAPOL EAPPKT from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.087: 68:96:7b:cd:89:1b Received EAP Response from mobile 68:96:7b:cd:89:1b (EAP Id 7, EAP Type 25)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.088: 68:96:7b:cd:89:1b Processing Access-Challenge for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.088: 68:96:7b:cd:89:1b Sending EAP Request from AAA to mobile 68:96:7b:cd:89:1b (EAP Id 8)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.090: 68:96:7b:cd:89:1b Received EAPOL EAPPKT from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.090: 68:96:7b:cd:89:1b Received EAP Response from mobile 68:96:7b:cd:89:1b (EAP Id 8, EAP Type 25)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.091: 68:96:7b:cd:89:1b Processing Access-Accept for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.091: 68:96:7b:cd:89:1b Setting re-auth timeout to 1800 seconds, got from WLAN config.
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.091: 68:96:7b:cd:89:1b Station 68:96:7b:cd:89:1b setting dot1x reauth timeout = 1800
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.091: 68:96:7b:cd:89:1b Creating a PKC PMKID Cache entry for station 68:96:7b:cd:89:1b (RSN 2)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.091: 68:96:7b:cd:89:1b Adding BSSID 00:27:0d:2e:d0:5e to PMKID cache for station 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.092: New PMKID: (16)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.092:      [0000] 16 3d 85 48 73 81 21 c9 dc 14 19 2e 40 65 7c 74
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.092: 68:96:7b:cd:89:1b Disabling re-auth since PMK lifetime can take care of same.
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.092: 68:96:7b:cd:89:1b Created PMK Cache Entry for TGr AKM:802.1x 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.092: 68:96:7b:cd:89:1b   R0KH-ID:192.168.20.244   R1KH-ID:00:24:14:7e:74:c0  MSK Len:48
                                                                                                                                  pmkValidTime:1813
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.092: 68:96:7b:cd:89:1b PMK sent to mobility group
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.092: 68:96:7b:cd:89:1b Sending EAP-Success to mobile 68:96:7b:cd:89:1b (EAP Id 8)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.093: Including PMKID in M1  (16)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.093:      [0000] 16 3d 85 48 73 81 21 c9 dc 14 19 2e 40 65 7c 74
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.093: 68:96:7b:cd:89:1b Starting key exchange to mobile 68:96:7b:cd:89:1b, data packets will be dropped
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.093: 68:96:7b:cd:89:1b Sending EAPOL-Key Message to mobile 68:96:7b:cd:89:1b
                                                                                                                        state INITPMK (message 1), replay counter 00.00.00.00.00.00.00.00
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.093: 68:96:7b:cd:89:1b Received Auth Success while in Authenticating state for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.096: 68:96:7b:cd:89:1b Received EAPOL-Key from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.096: 68:96:7b:cd:89:1b Received EAPOL-key in PTK_START state (message 2) from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.096: 68:96:7b:cd:89:1b Received EAPOL-key M2 with invalid MIC from mobile 68:96:7b:cd:89:1b
    *osapiBsnTimer: Apr 27 21:46:20.360: 68:96:7b:cd:89:1b 802.1x 'timeoutEvt' Timer expired for station 68:96:7b:cd:89:1b and for message = M2
    *dot1xMsgTask: Apr 27 21:46:20.361: 68:96:7b:cd:89:1b Retransmit 1 of EAPOL-Key M1 (length 121) for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.364: 68:96:7b:cd:89:1b Received EAPOL-Key from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.364: 68:96:7b:cd:89:1b Received EAPOL-key in PTK_START state (message 2) from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.364: 68:96:7b:cd:89:1b Received EAPOL-key M2 with invalid MIC from mobile 68:96:7b:cd:89:1b
    bug *osapiBsnTimer: Apr 27 21:46:20.760: 68:96:7b:cd:89:1b 802.1x 'timeoutEvt' Timer expired for station 68:96:7b:cd:89:1b and for message = M2
    *dot1xMsgTask: Apr 27 21:46:20.760: 68:96:7b:cd:89:1b Retransmit 2 of EAPOL-Key M1 (length 121) for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.763: 68:96:7b:cd:89:1b Received EAPOL-Key from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.764: 68:96:7b:cd:89:1b Received EAPOL-key in PTK_START state (message 2) from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.764: 68:96:7b:cd:89:1b Received EAPOL-key M2 with invalid MIC from mobile 68:96:7b:cd:89:1b
    *osapiBsnTimer: Apr 27 21:46:21.160: 68:96:7b:cd:89:1b 802.1x 'timeoutEvt' Timer expired for station 68:96:7b:cd:89:1b and for message = M2
    *dot1xMsgTask: Apr 27 21:46:21.160: 68:96:7b:cd:89:1b Retransmit 3 of EAPOL-Key M1 (length 121) for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:21.164: 68:96:7b:cd:89:1b Received EAPOL-Key from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:21.164: 68:96:7b:cd:89:1b Received EAPOL-key in PTK_START state (message 2) from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:21.164: 68:96:7b:cd:89:1b Received EAPOL-key M2 with invalid MIC from mobile 68:96:7b:cd:89:1b
    =============================
    qh
    thanks in advance!

    Can anyone help me?

  • Trouble with 802.1x authentication

    Hello. I live in a dorm, and we connect to the Net over 802.1x authentication. Everything worked OK, until two days ago. Now I can no longer authenticate my Mac on the network and connect to the Net.
    I get the following error:
    "802.1X is unable to authenticate. It is possible that the configuration you have provided is invalid. If you are unsure about what configuration to connect with, check with your network administrator.
    (Error: 1 on port en0)"
    My configuration seems to be ok (I didn't change anything about it, it just stopped working), username and password are also correct. Also other computers can connect to the network, and my LAN card works normally otherwise, only it can't pass the 802.1x authentication :S I'm connected now over my LinuxBox which shares the connection to my Mac, so obviously my LAN card is not broken...
    What could be the problem?
    cheers!

    hi, if the problem still persists, have you tried clearing out any 802.1x profiles you have saved?
    Go to System Preferences > Network, click on Airport, choose Advanced, go to the 802.1x tab, look at the section on the left side that has User Profiles. Select the profile and hit the minus button at the bottom of the pane.
    A lot of these issues seem to be helped by clearing out any saved data about the wireless network, and setting it up manually again. We have seen many issues here at Notre Dame with Macs vs 802.1x. Hoping Apple makes it more reliable soon.

  • Sending PO via email with pdf file extension

    Good afternoon everyone. We are successfully (in testing) sending out Purchase Orders via External Send to an Outlook email address.  When the user receives the email, it appears that SAPConnect (SCOT) is correctly coverting the file to a pdf (I can open it in Adobe Acrobat), yet the file attachment still shows a ".dat" file extension.
    Where in the process do I need to set up SAP not to send the file out with a .dat file extension (in PDF format), but rather with a .pdf file extension (in PDF format).
    Points awarded for good suggestions/comments

    You can use Transaction SCOT to trigger the output manually. The prerequisite for a correct sending is that the node is set correctly.
    To be able to display, for example, the e-mail in Outlook, enter PDF as the format in the node.
    Regards,
    Ashok

  • ASA - logging via radius with group name passed.

    Hi,
    I'm trying to setup ASA5520 with Radius to authenticate users with group
    privileges.
    Useing Radius with ASA to authenticate users is quite simple. When I try
    to pass from asa tunnel-group name (with group-policy and attributes
    attached) there is a problem that ASA dosn't pass any group name to
    radius.
    Is there any way to overcome it?
    What I want to do is to apply different policies to username depending
    with what tunnel-group name he logs in to webvpn. I assume one user may
    be member of different groups.
    br
    Marcin

    It's possible.
    Differentiate your privileges and restrictions based off of group-policy, not the tunnel-group. Keep your default WebVPN tunnel-group, and do not specify a default group policy for this tunnel-group.
    Create separate group-policies that differentiate what links different groups of users should be presented with. If you're using ACS, link your Cisco Secure Groups to groups in Active Directory (or other method of directory services). The Cisco Secure Groups should then be configured to pass specific RADIUS attributes, such as the "Class" attribute #25. ACS will then tell the ASA to place the user (from Active Directory) into a specific group-policy, which you can then limit URL's shown with the url-list command.
    Long winded, I know...any questions, please ask.

  • Can I send pictures via MMs with £10 everything pack from Iphone5

    I am having problems sending pictures with my Iphone 5,  I have a £10 everything pack I should be able to send pictures using MMs with this pack shouldnt I.

    Hi 
    No Problem that's what we're here for!
    Yeah if you plug your device in to iTunes and back-up all your data. For Apple help & support on backing up Click Here.
    Once it's all backed if you go into Settings > General > Reset > Erase All Content and Settings this will then take you to the initial set-up.
    To save you having to call you can register your replacement SIM Here.
    I'll keep my fingers and toes crossed that this works!
    Let me know how you get on. 

  • AAA using Radius with 802.1x

    Hello there,
    We're going to be implementing 802.1x on our network of some reaallly old switches (6509 Cat OS with MSFC 2).  We use radius for AAA authentication and I've been reading that .1x uses radius.  How is that going to work?  Do I just add another radius server in my radius server command and, more importantly, will .1x work on Cat OS running 8.2.1?  I've been trowling the forums and I can't seem to find anyone who's actually running .1x on the old Cat OS switches to see what kind of gotchas I can expect to run into.
    Any advise, assistance would be greatly appreciated!
    Thanks
    Kiley

    Salodh,
    Thanks but that document is for a 2950 and we have a 6509 but, the good thing is I just found out our Tier 3 engineers will not be adding dot1x to the 6509 since it has only trunks - no access ports.  Thanks very much for your reply!

  • Cannot send message via iCloud with movie

    Email is sent if I remove my embedded/attached 23MB Quicktime movie is removed but not with the movie - via iCloud.
    and my other (non-iCloud) account doesn't send any mail at all. 
    What is problem(s), please?  How to trouble shoot?  TIA

    Thank you for info, but I am struggling with using it. 
    I went into #3 stmp.me.com.myname[STMP] and made changes I wanted to be in conformity with instructions of  iCloud: Mail server information.
         So now the Account info reads 1:  Description = my email address at [email protected]
                                                          2:   Server name = stmp.me.com
                                                           3:  Default port 587 was already active
                                                           4:  Authentication = Password (my iCloud password from Keychain                                                                                                                                              access)
                                                            5: Username = my name
                                                            6:  Password = (my iCloud password from Keychain access)
    But got this alert:  "Could not save changes.  The servers marked  with alert icons are in conflict and cannopt be saved.  Two servers cannot share the same address and authentication settings.   Resolve the conflicts and try again."
    I think (look but guessing) that my changes to #3 become in conflict with #4 -- and I don't see how to get out of the conflict (other than not saving the changes I made to #3 in accordance with iCloud: Mail server information.)
    I am lost!  Should I delete #4?  confused and anxious . ....
    (Sorry about confusing formatting of post but Apple won't let me show it like I want)
    Message was edited by: pwwwayne

  • Enable Session Timeout with 802.1X authentication help

    I have a scenario where there are 3 controllers with flex connect enabled.  I am broadcasting an 802.1x WLAN through all 3 controllers, "WLAN A". WLAN A on Controller 1 and Controller 2 have "enable session timeout" checked and set for 1800s.  Controller 3 does not have this feature enabled.  In my deployment, I am connecting tablet PC's to the wireless network.  All the tablets between the sites using Controllers 1, 2 and 3 were functioning fine while connecting to the 802.1x, but just recently, the tablets conneting to AP's on Controller 3 are not able to connect anymore. Is this an issue with the tablets not renewing authentication encryption? Not really sure why the tablets originally connecting to WLAN A are no longer doing so. Other WLAN's are functioning fine and the tablets are able to connect to the PSK WLAN's. Thanks
    Best Regards,
    Sean

    it's hard to tell from the description, you'll need to do some troubleshooting to find out.
    Does this only happen when a user roams to Controller 3?
          You'll want to debug the client, and the mobility handoff
    Does this happen on a new connection on Controller 3?
       debug the client and the aaa process.
    I'd also take a look at the logs on your AAA server and see if it is showing an error when Controller 3 tries to auth a user.
    Steve

  • Cant send mail via applescript with mail rule

    I created a script that would work as follows:
    I send myself an email. The mail rule opens up an apple script that will take a picture using the isight camera and then email it back to me. It works fine in script editor. When i run it via mail.app it takes the picture but it wont email it back to me.
    Here is my script:
    do shell script "~/Documents/EmailScripts/isightcapture ~/Documents/EmailScripts/snap.jpg"
    tell application "Mail"
    set addrVar to "[email protected]"
    set subjectvar to "Macbook Pic"
    tell application "Finder"
    set the target_file to alias "Macintosh HD:Users:ak406:Documents:EmailScripts:snap.jpg"
    set bodyvar to "Picture from Macbook"
    end tell
    set composeMessage to (make new outgoing message)
    tell composeMessage
    make new recipient at beginning of to recipients with properties {address:addrVar}
    set the subject to subjectvar
    set the content to bodyvar
    tell content
    make new attachment with properties {file name:target_file} at after the last word of the last paragraph
    end tell
    end tell
    send composeMessage
    end tell
    Thanks for the help.

    Hi ak406
    Just tested your script here, less the do shell script part and it worked perfectly from my mail app.
    Budgie

  • Sending XML via Email with Dynamic Receiver

    Hi,
    I have following problem.
    We use PI 7.1
    And i want to send the XI Payload as XML File to an Email Adress.
    This is easy when i set the E-Mail adress in the communication Channel.
    Is it possible to use dynamic mail receiver adress without Mail Package.
    Because when i use mail Package the XML isn't longer in the right structure.
    any idea?
    regards,
    robin

    Hi,
    i know this way with mail package... as i wrote this is no problem.
    My problem is that i have a xml structure which i want to send as email.
    Just an email with and XML attachment of the XI Message. No Mail Content like in your given Weblogs.
    for example:
    <root>
    <receivermail>mailadress</receivermail>
    <tag1>value</tag1>
    <tag2>value</tag2>
    <tag3>value</tag3>
    </root>
    an on email i want just an xml attached like:
    <root>
    <tag1>value</tag1>
    <tag2>value</tag2>
    <tag3>value</tag3>
    <root>
    when i set the mail adress in CC its no problem, but how i do this with dynamic mail reciever?
    regards,
    robin

  • NAC Framework with 802.1x authentication

    I am having trouble getting support and information on NAC framework. According to the cisco web NAC framework is in Phase 2 and is useable. According to Cisco representitives it is not supported yet. I have ACS 4.1, CTA 2.0, Symantec 10.1.4, and CSA 4.5. I can get NAC to work Layer 2, 802.1x to authenticate, but I cannot get both to work at the same time. Also, I have found no support for Symantec being checked even after I loaded the posture plugin, adf, etc. Is it time to give up on NAC framework? Thanks.

    My friend, i have a customer with whis configuration and worki fine.
    symantec need antivirus version 10 (8 or 9 no !!!!), the symantec posture plug installed in the clients.
    work fine wiht w2k and xp
    cta 2.x work fine. 1.x only work with L3 ip, no 802.1x.
    csa i don?t have experience.
    take care, it is hard to configure, if you need something more ask me to.
    Leo.

  • Can't send mail via iCloud with my iMac after creating a new account

    Hi,
    yesterday I created my account on Icloud.
    I've Lion on my Imac, so I registered the account directly from settings on my Imac.
    Now I can receive mail, but I can't send them, because the imap smtp server won't recognize my password.
    If I access on icloud.com, I can do everything correctly.
    Thank you for your support.
    <Email Edited by Host>

    It's a bad idea to post your email address - it's an invitation to spam - and I've aasked the Hosts to remove it.
    The first thing to try would be to sign out in System Preferences>iCloud, then sign back in again and check 'Mail' and any other data types you need in the list. This will set Mail up, hopefully correctly.
    If you are still having problems accessing or sending mail go to http://appleid.apple.com and change your password, making sure that it complies with Apple's requirements: at least eight characters, of which at least one must be a numeral and one a capital letter.
    Note that iCloud does not interact with any other email service. You cannot use it to check other email accounts, and you cannot send using its smtp server with any address other than your @me.com one as the 'From' address.
    You should be able to set up other accounts separately in the Mail application: these would be unaffected by iCloud in any way.

Maybe you are looking for

  • How to set a variable in portal session using web dynpro java.

    Hi, I have created a web dynpro application, which is running inside portal. I have created a role called "R1". Inside role R1, i have created 3 workset W1, W2 and W3. and inside each workset i have some pages and iviews. My requirement is when user

  • [SOLVED] ATI Catalyst / Xorg issue with Multihead (3monitor)

    i'm having problems for a long time, with different versions of the ATI Catalyst driver and Xorg, right now i'm using this versions, catalyst-hook 11.2-2 catalyst-utils 11.2-1 lib32-catalyst-utils 11.2-1 xorg-server 1.9.4.901-1 xorg-server-common 1.9

  • MacBook Hard Drive Problems?

    I've used this MacBook for a few years without any issues. It has always had very snappy response and very few problems. Earlier this week, I noticed that it takes about 4 minutes to boot up now as opposed to the 30 seconds it used to take just a wee

  • ACE http probe "request method type" mandatory on A3(2.6)?

    Hi people, I recently upgraded to A3(2.6) from A3(2.0) and I don't see the N/A option on the http probe "request method type". It also has an asterisk * which means it's mandatory. I tried to set up a new http probe for another farm I am creating and

  • HR ALE error 'Object locked'

    Hi, I am using PFAL transaction to transfer HR master data from source to target partner. After collecting the IDOCs (process idocs using a backgroup program in partner profile)   I am scheduling a backgroup job of RBDAPP01 program to post the IDOCS.