SG300 won't authenticate via Radius

Similar Messages

• WLC Management Admin via RADIUS

  I am trying to have a management user authenticate via radius and have full admin privileges.
  For a WCS I can simply set the radius attribute of "Cisco-AVPair.attr|Wireless-WCS:role0=Admin" and that user will get full admin rights. I found this doc to grant a user lobby admin:
  http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080871921.shtml
  but, it is specific to the using the Cisco ACS as a radius server. What attributes do I need to set for a user to get full admin rights to a WLC when authenticating via radius?  Thanks.

  My problem: I have a local management user profile defined on my WLC and it works fine when the Priority Order is set to LOCAL.  When I change the Priority Order to make RADIUS first and LOCAL second, I can't get logged into the WLC using CLI, GUI, or the console.  The last time this happened I had to reset the WLC and start over.  I don't want to do that again, so I need some way to get into the WLC.
  Once I can get back into the WLI would prefer using Active Directory to authenticate the management user but that doesn't seem to work.  My RADIUS acts as a front end for the Active Directory database and works well for many of our Cisco LAN switches andd Routers. Now I'm trying to set up the WLC to authenticate the management user with RADIUS.  I have set the RADIUS (MS IAS) to return two attributes;
  1. Vendor-Specific -Vendor Code 14179, Value=management
  2. Service-Type - Value=Login
  When I try to login using my AD account, the RADIUS server log shows an Access Request record, then an Access-Accept record that makes it appear RADIUS has successfully authenticated the user.  But the login prompt for the GUI comes back as if it has failed.  Same with the CLI login.  Now I can't get logged into the WLC.  How can I get into the box to manage it again?
  Thanks

• Services won't allow users to authenticate via Open Directory

  Greetings! I have been pulling my hair out for a long time over this and wondering if anyone has seen something similar or has anything I can try.
  It's a bit confusing so I'll try to lay it out so it's not to crazy.
  *The setup:*
  Leopard server hosing services including Podcast Producer, AFP, SMB and iCal
  External OpenLDAP directory server
  *The problem:*
  I have setup our test Leopard server and got services all working. While this server is setup as an OD master I can authenticate and use the services without problem. However, we have an external LDAP server using OpenLDAP. If I try to authenticate with any of these users from the external ldap server they are not able to login on any service except afp!!!
  *What I've Done:*
  I've setup the server trying two methods: Magic triangle and augmented records. Both seem to yield the same thing. I can see the ldap users in workgroup manager and I can even nest them into groups on the local leopard ldap server. Some other possible info:
  A log entry in the Podcast producer log dealing with authentication:
  [error] [client xxx.xxx.11.122] moddigestapple: Unable to authenticate for URI "/podcastproducer/workflows" from user "testuser" for realm "PodcastProducer" at location "/LDAPv3/ldap.ourschool.edu" from the directory because user's password type is not compatible with digest authentication.
  If I edit /etc/smb.conf and delete the line : passdb backend = opendirectorysam guest windows users can successfully authenticate via smb.
  On our old Tiger server, we had a magic triangle setup. That machine only ran SMB and AFP and it experienced the same problem with SMB and needing to delete that line.
  I think these things may be related, but I'm not sure where to look next. Any help would be greatly appreciated! Thank you for any suggestions you can provide.
  Steve

  I've followed the apple kb articles for enabling WIKI access and Podcast Producer access. Users can now authenticate.

• Authentication via RADIUS : MSCHAPv2 Error 691

  Hello All,
  I am working on setting up authentication into an Acme Packet Net-Net 3820 (SBC) via RADIUS. The accounting side of things is working just fine with no issues. The authentication side of things is another matter. I can see from a packet capture that the access-request
  messages are in fact getting to the RADIUS server at which point the RADIUS server starts communicating with the domain controllers. I then see the chain of communication going back to the RADIUS and then finally back to the SBC. The problem is the response
  I get back is always an access-reject message with a reason code of 16 (Authentication failed due to a user credentials mismatch. Either the user name provided does not match an existing user account or the password was incorrect). This is confirmed by looking
  at the security event logs where I can see events 4625 and 6273. See the events below (Note: The names and IPs have been changed to protect the innocent):
  Event ID: 6273
  Network Policy Server denied access to a user.
  Contact the Network Policy Server administrator for more information.
  User:
  Security ID:
  NULL SID
  Account Name:
  real_username
  Account Domain:
  real_domain
  Fully Qualified Account Name:
  real_domain\real_username
  Client Machine:
  Security ID:
  NULL SID
  Account Name:
  Fully Qualified Account Name:
  OS-Version:
  Called Station Identifier:
  Calling Station Identifier:
  NAS:
  NAS IPv4 Address:
  10.0.0.10
  NAS IPv6 Address:
  NAS Identifier:
  radius1.real_domain
  NAS Port-Type:
  NAS Port:
  101451540
  RADIUS Client:
  Client Friendly Name:
  sbc1mgmt
  Client IP Address:
  10.0.0.10
  Authentication Details:
  Connection Request Policy Name:
  SBC Authentication
  Network Policy Name:
  Authentication Provider:
  Windows
  Authentication Server:
  RADIUS1.real_domain
  Authentication Type:
  MS-CHAPv2
  EAP Type:
  Account Session Identifier:
  Logging Results:
  Accounting information was written to the SQL data store and the local log file.
  Reason Code:
  16
  Reason:
  Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.
  Event ID: 4625
  An account failed to log on.
  Subject:
  Security ID:
  SYSTEM
  Account Name:
  RADIUS1$
  Account Domain:
  REAL_DOMAIN
  Logon ID:
  0x3E7
  Logon Type: 3
  Account For Which Logon Failed:
  Security ID:
  NULL SID
  Account Name:
  real_username
  Account Domain:
  REAL_DOMAIN
  Failure Information:
  Failure Reason:
  Unknown user name or bad password.
  Status:
  0xC000006D
  Sub Status:
  0xC000006A
  Process Information:
  Caller Process ID:
  0x2cc
  Caller Process Name:
  C:\Windows\System32\svchost.exe
  Network Information:
  Workstation Name:
  Source Network Address:
  Source Port:
  Detailed Authentication Information:
  Logon Process:
  IAS
  Authentication Package:
  MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
  Transited Services:
  Package Name (NTLM only):
  Key Length:
  0
  This event is generated when a logon request fails. It is generated on the computer where access was attempted.
  The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
  The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
  The Process Information fields indicate which account and process on the system requested the logon.
  The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
  The authentication information fields provide detailed information about this specific logon request.
  - Transited services indicate which intermediate services have participated in this logon request.
  - Package name indicates which sub-protocol was used among the NTLM protocols.
  - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
  So at first glance it would seem that the issue is merely a case of an invalid username or mismatched password. This is further confirmed in the packet capture where I can see the MSCHAPv2 response has an error code of 691 (Access denied because username or
  password, or both, are not valid on the domain). The thing is I know I am using a valid username and I have tried many usernames including new ones I created just for troubleshooting. I don't know how many times I have reset the password in an attempt to ensure
  it is not a mismatch password. I have even made sure to use passwords that are fairly short and contain only letters to ensure there was no terminal encoding issues (we connect to the SBC via SSH clients). I have also done this same thing with the shared secret
  used during communication between the SBC and the RADIUS server. I have tried prefixing the username with the domain name at login (though I don't think that should be necessary). I have also tried using the full UPN of the user to login. I have tried several
  RADIUS testing clients (NTRadPing, RadiusTest, etc.), but they either don't support MSCHAPv2 or only support EAP-MSCHAPv2. I have even created my own client using PHP's PECL RADIUS module. Still it always seems to fail with the MSCHAPv2 authentication with
  an error code of 691. Does anyone have any ideas as to why I always get an invalid username or bad password response when I have done everything possible to ensure that is not the case?
  Here are the specs for our RADIUS configuration:
  Windows Server 2012 R2
  SQL Server 2012 Back End Database for accounting.
  The server has been authorized on the domain and is a member of the "RAS and IAS Servers" group. For which that group does have access to the accounts we are testing with.
  The accounts we are testing with do have the "Control access through NPS Network Policy" option checked under their "Dial-in" property tab.
  RADIUS clients configured to simply match on the IP address which you can see from the events above that it is applying the client friendly name.
  Connection Request Policy: The "SBC Authenication" policy is being applied as seen above. The only condition is a regex expression that does successfully match the friendly name.
  Network Policy: As seen in events above, none are getting applied. For troubleshooting purposes I have created a Network Policy that is set to "1" for the processing order and its only condition is a Day and Time Restriction currently set to any
  time, any day.
  The authentication method is set to only MSCHAPv2 or MSCHAPv2 (User can change password after it has expired). I have tried adding this to just the Network Policy and I have also tried adding this to the Connection Request Policy and setting it to override
  the authentication method of the Network Policy.
  We do have other RADIUS servers in our domain that use PEAP to authenticate wireless clients and they all work fine. However, we need this to work with MSCHAPv2 only (No EAP).
  All other configurations are set to the defaults.
  The only other things of note to consider is the fact that in the events above you can see that the Security ID is "NULL SID". Now I know this is common especially among failed logons but given that this issue is stating an invalid username or
  bad password, perhaps it matters in this case. Also, this server has been rebuilt using the same computer account in Active Directory. I do not know if it would have worked before the rebuild. Essentially we built this server and only got as far as authorizing
  the server to the domain and adding SQL when we decided to separate out the SQL role onto another server. Rather than uninstalling SQL we just rebuilt the machine. However, before reinstalling Windows I did do a reset on the computer account. I don't think
  this should matter but thought I would point it out if there is some weird quirk where reusing the same SID of a previously authorized NPS server would cause an issue.
  All in all it is a fairly basic setup and hopefully I have provided enough information for someone to get an idea of what might be going on. I hope this was the right forum to post this too, I figured there would be a higher number of RADIUS experts here than
  any of the other categories. Apologies if my understanding of this seems a bit basic, after all, when it comes to RADIUS servers I guess you could say I'm the new guy here.

  Update 1:
  In an attempt to further troubleshoot this issue I have tried bringing up additional servers for testing. Here are the additional tests I have performed.
  Multiple Domains
  I have now tried this in 3 different isolated domains. Both our test and production domains as well as my private home domain which has very little in the way of customizations aside from the modifications made for Exchange and ConfigMgr. All have the same
  results described above.
  VPN Service
  Using Windows Server 2012 R2 we brought up a separate server to run a standard VPN setup. The intent was to see if we could use RADIUS authentication with the VPN and if that worked we would know the issue is with the SBCs. However, before we could even
  configure it to use RADIUS we just attempted to make sure it worked with standard Windows Authentication on the local VPN server. Interestingly, it too fails with the same events getting logged as the RADIUS servers. The client machine being a Windows 8.1
  workstation. Again I point out that we have working RADIUS servers used specifically for our wireless environment. The only difference between those RADIUS servers and the ones I am having problems with is that the working wireless servers are using PEAP instead
  of MSCHAPv2.
  FreeRADIUS
  Now I'm no Linux guru but I believe I have it up and running. I am able to use ntlm_auth to authenticate users when logged on to the console. However, when the radiusd service tries to use ntlm_auth to do essentially the same thing it fails and returns the
  same message I've been getting with the Windows server (E=691). I have the radiusd service running in debug mode so I can see more of what is going on. I can post the debug info I am getting if requested. The lines I am seeing of particular interest however
  are as follows:
  (1) ERROR: mschap : Program returned code (1) and output 'Logon failure (0xc000006d)'
  (1) mschap : External script failed.
  (1) ERROR: mschap : External script says: Logon Failure (0xc000006d)
  (1) ERROR: mschap : MS-CHAP2-Response is incorrect
  The thing to note here is that while we are essentially still getting a "wrong password" message, the actual status code (0xc000006d) is slightly different than what I was getting on the Windows Servers which was (0xc000006a). From this document
  you can see what these codes mean:
  NTSTATUS values . The good thing about this FreeRADIUS server is that I can see all of the challenge responses when it is in debug mode. So if I can wrap my head around how a MSCHAPv2 response is computed I can compare it to see if this is simply a miscomputed
  challenge response. Update: Was just noticing that the 6a code is just the sub-status code for the 6d code. So nothing different from the Windows Servers, I still wonder if there is a computation error with the challenge responses though.
  Currently, I am working on bringing up a Windows Server 2008 R2 instance of a RADIUS server to see if that helps at all. However, I would be surprised if something with the service broke between W2K8 R2 and W2K12 R2 without anyone noticing until now. If this
  doesn't work I may have to open a case with Microsoft. Update: Same results with W2K8 R2.

• MAC Filtering via Radius not working

  Hi Folks,
  I'm having problems with MAC filtering via RADIUS.  I have a combination of a local database on the controllers and remote MAC addresses provisioned on a Cisco ACS.  My problem is that even when I've set the controllers to use Radius and I've configured the order to be local and then radius the controllers never sent an auth request to the Radius servers.  I know that Radius can work because I have another WLAN (the guest WLAN) on the same hardware that is configured to authenticate first against the local database and then against Radius and this is working fine. 
  (WiSM-slot9-1) >debug aaa all enable
  *Oct 09 08:01:44.518:       AVP[14] Called-Station-Id........................X.X.X.X (9 bytes)
  *Oct 09 08:03:21.677: Unable to find requested user entry for 6cc26b5990e5
  *Oct 09 08:03:21.677: ReProcessAuthentication previous proto 8, next proto 40000001
  *Oct 09 08:03:21.677: AuthenticationRequest: 0x18cc933c
  *Oct 09 08:03:21.677:   Callback.....................................0x10112bc4
  *Oct 09 08:03:21.677:   protocolType.................................0x40000001
  *Oct 09 08:03:21.677:   proxyState...................................6C:C2:6B:59:90:E5-00:00
  *Oct 09 08:03:21.677:   Packet contains 14 AVPs (not shown)
  *Oct 09 08:03:21.678: 6c:c2:6b:59:90:e5 Returning AAA Error 'No Server' (-7) for mobile 6c:c2:6b:59:90:e5
  *Oct 09 08:03:21.678: AuthorizationResponse: 0x38f71958
  *Oct 09 08:03:21.678:   structureSize................................32
  *Oct 09 08:03:21.678:   resultCode...................................-7
  *Oct 09 08:03:21.678:   protocolUsed.................................0xffffffff
  *Oct 09 08:03:21.678:   proxyState...................................6C:C2:6B:59:90:E5-00:00
  *Oct 09 08:03:21.678:   Packet contains 0 AVPs:
  *Oct 09 08:03:21.680: Looking up local blacklist 98d6bbde785f
  *Oct 09 08:03:21.754: Looking up local blacklist 0013ce73a9e0
  *Oct 09 08:03:21.754: Looking up local blacklist 0013ce73a9e0
  *Oct 09 08:03:21.778: Looking up local blacklist 0013ce73a9e0
  *Oct 09 08:03:21.846: Unable to find requested user entry for 6cc26b5990e5
  *Oct 09 08:03:21.847: ReProcessAuthentication previous proto 8, next proto 40000001
  *Oct 09 08:03:21.847: AuthenticationRequest: 0x18c6dcc4
  *Oct 09 08:03:21.847:   Callback.....................................0x10112bc4
  *Oct 09 08:03:21.847:   protocolType.................................0x40000001
  *Oct 09 08:03:21.847:   proxyState...................................6C:C2:6B:59:90:E5-00:00
  *Oct 09 08:03:21.847:   Packet contains 14 AVPs (not shown)
  *Oct 09 08:03:21.847: 6c:c2:6b:59:90:e5 Returning AAA Error 'No Server' (-7) for mobile 6c:c2:6b:59:90:e5
  *Oct 09 08:03:21.847: AuthorizationResponse: 0x38f71958
  *Oct 09 08:03:21.847:   structureSize................................32
  *Oct 09 08:03:21.847:   resultCode...................................-7
  *Oct 09 08:03:21.847:   protocolUsed.................................0xffffffff
  *Oct 09 08:03:21.847:   proxyState...................................6C:C2:6B:59:90:E5-00:00
  *Oct 09 08:03:21.848:   Packet contains 0 AVPs:
  I'm assuming thaty the line - Returning AAA Error 'No Server' - is significant but I have configured the Radius servers correctly but a packet trace shows no auth requests whatsoever from the controllers.  Has anyone seen this?  Anything I should be looking at?
  Thanks in advance,
  Shane.

  The bug I ran into was CSCta53985 on the WLCs.  I upgraded to 7.0 and it fixed it. The fix is available in 6.0.188. Depending on your WLC hardware, I would go to at least 7.0.116 for newer AP support, and CleanAir support.

• Access Point Radios trying to authenticate via PEAP against ISE

  I have a working installation including a 5508 controller with ISE. The ISE is configured for EAP Chaining and clients are authenticating fine.
  We are seeing some weird behavior from the Access Points. We see authentication failures from devices trying to authenticate via PEAP, the funny thing is that the username and endpoint ID are the MAC addresses of our APs. we see it once or twice a day from several of the APs.
  Any ideas on what would cause this and what function of the AP is causing this?

  Hi Rasika,
  kindly advice. running on 7.6.130 and Cisco ISE 1.2.1.198, but my case is rejected the authentication, why radio base mac address is try to authenticating to ISE?
  Manufacturer's Name.............................. Cisco Systems Inc.
  Product Name..................................... Cisco Controller
  Product Version.................................. 7.6.130.0
  Bootloader Version............................... 1.0.20
  Field Recovery Image Version..................... 7.6.101.1
  Firmware Version................................. FPGA 1.7, Env 1.8, USB console 2.2
  Build Type....................................... DATA + WPS
  (Cisco Controller) >show radius summary
  Vendor Id Backward Compatibility................. Disabled
  Call Station Id Case............................. lower
  Acct Call Station Id Type........................ Mac Address
  Auth Call Station Id Type........................ Mac Address
  Aggressive Failover.............................. Enabled
  Keywrap.......................................... Disabled
  Fallback Test:
      Test Mode.................................... Off
      Probe User Name.............................. Radius_KeepAlive
      Interval (in seconds)........................ 300
  MAC Delimiter for Authentication Messages........ hyphen
  MAC Delimiter for Accounting Messages............ hyphen
  Authentication Servers
  Idx  Type      Server Address        Port    State     Tout  MgmtTout  RFC3576  IPSec - AuthMode/Phase1/Group/Lifetime/Auth/Encr
  1    NM    x.x.x.x              1645    Enabled   2     2         Disabled  Disabled - none/unknown/group-0/0 none/none
  2    NM  x.x.x.x               1812    Enabled   2     2         Enabled   Disabled - none/unknown/group-0/0 none/none <-- ISE
  3    NM    x.x.x.x             1645    Enabled   2     2         Disabled  Disabled - none/unknown/group-0/0 none/none
  4    NM    x.x.x.x               1812    Enabled   2     2         Enabled   Disabled - none/unknown/group-0/0 none/none <-- ISE
  Accounting Servers
  Idx  Type      Server Address        Port    State     Tout  MgmtTout  RFC3576  IPSec - AuthMode/Phase1/Group/Lifetime/Auth/Encr
  2      N    x.x.x.x               1813    Enabled   2     2         N/A       Disabled - none/unknown/group-0/0 none/none
  3      N     x.x.x.x               1813    Enabled   2     2         N/A       Disabled - none/unknown/group-0/0 none/none

• Users not able to authenticate via short names

  First it was VPN and now it's happening to my radius server. Users aren't able to authenticate via their short names/usernames. The only way they are able to authenticate to these two services is by using their full name as entered in the LDAP directory. Previously "jsmith" would work, but now you have to enter "John Smith" This is very frustrating. Other services like calendar, mail, addressbook, webdav are unaffected by this issue. Any reccomendations? Thanks

  Hi JFWX5,
  I recently experienced a very similar problem myself, all services was running fine with no problem with authentication except for the calendar service; namely the webcal.
  Throug the Server Admin tool (not the Server app) I checked the log for Open Directory server and then explicitly for Kerberos which was comlaining that it didn't find the database for looking up users trying to authenicate themselfs.
  I found this article in the Apple knowledge base discussing a similiar problem: http://support.apple.com/kb/TS2938
  By executing that terminal command Open Directory and Kerboros was up and running for my webcal.
  PS: REALM_NAME should be in all caps and it is the DNS hostname for your server ex. SERVER.EXAMPLE.COM.

• Some Wireless clients won't authenticate to 887VA-W

  Hi folks
  I've swapped over a few months ago from an 877w router to an 887VAw which has a separate AP in-built, and there are a few wireless clients that had no problem authenticating to the 877w but just refuse to communicate to the 887VA-W.
  The clients in question are set top box type devices : (1)Now TV and (2) Sky Wireless Adapter.
  They have no problem seeing the SSID's being broadcast, and for troubleshooting I've setup an open test SSID without any encryption, but the clients still won't authenticate and grab an ip address, or more accurately they just don't get a dhcp ip address so I don't think authentication is really the issue. I don't know why these clients aren't happy with dhcp on the guest vlan (vlan2) where other clients get an ip address and work fine. Perhaps the fact I'm using vlan1 (being used for the Eap-Fast home wlan) as the native untagged vlan might have something to do with it? If I use a static ip address on the guest vlan (vlan 2 / ip 10.1.1.n ) then the Sky Wireless Adapter can send and receive packets across the wlan.
  Can anybody please suggest some debugs or config changes to try and nail the problem? The relevant configs from the AP is pasted below, and the router below that.
  Brgds, Tim
  aaa new-model
  aaa group server radius rad_eap
   server name rs-local
  aaa authentication login default local
  aaa authentication login eap_methods group rad_eap
  aaa authentication ppp default local
  aaa authorization exec default local
  dot11 ssid home
     vlan 1
     authentication open eap eap_methods
     authentication network-eap eap_methods
     authentication key-management wpa version 2
  dot11 ssid guest
     vlan 2
     authentication open
     authentication key-management wpa
     mbssid guest-mode
     wpa-psk ascii 7 abcdef123
  dot11 ssid test
     vlan 3
     authentication open
     mbssid guest-mode
  interface Dot11Radio0
   no ip address
   no ip route-cache
   encryption vlan 1 mode ciphers aes-ccm
   encryption vlan 2 mode ciphers aes-ccm
   broadcast-key vlan 1 change 30
   broadcast-key vlan 2 change 43200
   ssid home
   ssid guest
   ssid test
   antenna gain 0
   mbssid
   speed  basic-1.0 basic-2.0 basic-5.5 basic-11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
   packet retries 64 drop-packet
   no preamble-short
   station-role root
  interface Dot11Radio0.1
   encapsulation dot1Q 1 native
   no ip route-cache
   no cdp enable
   bridge-group 1
   bridge-group 1 subscriber-loop-control
   bridge-group 1 spanning-disabled
   bridge-group 1 block-unknown-source
   no bridge-group 1 source-learning
   no bridge-group 1 unicast-flooding
  interface Dot11Radio0.2
   encapsulation dot1Q 2
   no ip route-cache
   no cdp enable
   bridge-group 2
   bridge-group 2 subscriber-loop-control
   bridge-group 2 spanning-disabled
   bridge-group 2 block-unknown-source
   no bridge-group 2 source-learning
   no bridge-group 2 unicast-flooding
  interface Dot11Radio0.3
   encapsulation dot1Q 3
   no ip route-cache
   no cdp enable
   bridge-group 3
   bridge-group 3 subscriber-loop-control
   bridge-group 3 spanning-disabled
   bridge-group 3 block-unknown-source
   no bridge-group 3 source-learning
   no bridge-group 3 unicast-flooding
  interface GigabitEthernet0
   description the embedded AP GigabitEthernet 0 is an internal interface connecting AP with the host router
   no ip address
   no ip route-cache
  interface GigabitEthernet0.1
   encapsulation dot1Q 1 native
   no ip route-cache
   bridge-group 1
   bridge-group 1 spanning-disabled
   no bridge-group 1 source-learning
  interface GigabitEthernet0.2
   encapsulation dot1Q 2
   no ip route-cache
   bridge-group 2
   bridge-group 2 spanning-disabled
   no bridge-group 2 source-learning
  interface GigabitEthernet0.3
   encapsulation dot1Q 3
   no ip route-cache
   bridge-group 3
   bridge-group 3 spanning-disabled
   no bridge-group 3 source-learning
  interface BVI1
   ip address 172.27.44.2 255.255.255.0
   no ip route-cache
  ip default-gateway 172.27.44.1
  ****Router Config****
  interface Wlan-GigabitEthernet0
   description Internal switch interface connecting to the embedded AP
   switchport mode trunk
   no ip address
  interface wlan-ap0
   description Service module interface to manage the embedded AP
   ip unnumbered BVI1

  Hi Sebastian
  Please see ip dhcp debug from 887VA-W showing the Sky client requesting an ip address but failing to get one. Also a debug from an 877-W showing successful dhcp assignment. Also the dhcp config as requested.The successful trace shows 2 mac addresses from the Sky wireless adapter/ Sky box each getting a dhcp address. I don't know whether the failure is a bug in the 887 dhcp code or some config in the embedded AP that needs tweaking.
  Bregs, Tim
  The Sky wired adapter (I think it's the mac of the sky box lan port) mac is 00:19:FB:A4:B2:1A
  The Sky wireless mac is 18:28:61:99:7B:A8
  887VA-W Debug - Failure:
  887#term mon
  887#sh deb
  DHCP server packet debugging is on.
  887#
  887#
  000141: Dec 16 07:03:02.082 London: DHCPD: ARP entry exists (10.1.1.10, e0c9.7ad6.24ee).
  000142: Dec 16 07:03:02.082 London: DHCPD: unicasting BOOTREPLY to client e0c9.7ad6.24ee (10.1.1.10).
  Denham_887#
  000143: Dec 16 07:05:25.536 London: DHCPD: client's VPN is .
  000144: Dec 16 07:05:25.536 London: DHCPD: No option 125
  000145: Dec 16 07:05:25.536 London: DHCPD: DHCPDISCOVER received from client 0019.fba4.b21a on interface BVI1.
  000146: Dec 16 07:05:25.536 London: DHCPD: Allocate an address without class information (10.1.1.0)
  000147: Dec 16 07:05:25.536 London: DHCPD: Saving workspace (ID=0x4000009)
  Denham_887#
  000148: Dec 16 07:05:27.536 London: DHCPD: Reprocessing saved workspace (ID=0x4000009)
  000149: Dec 16 07:05:27.536 London: DHCPD: DHCPDISCOVER received from client 0019.fba4.b21a on interface BVI1.
  000150: Dec 16 07:05:27.536 London: DHCPD: Sending DHCPOFFER to client 0019.fba4.b21a (10.1.1.12).DHCPD: Setting only requested parameters
  000151: Dec 16 07:05:27.536 London: DHCPD: no option 125
  000152: Dec 16 07:05:27.536 London: DHCPD: broadcasting BOOTREPLY to client 0019.fba4.b21a.
  Denham_887#
  000153: Dec 16 07:05:32.468 London: DHCPD: New packet workspace 0x123EC554 (ID=0xC700000A)
  000154: Dec 16 07:05:32.468 London: DHCPD: client's VPN is .
  000155: Dec 16 07:05:32.468 London: DHCPD: No option 125
  000156: Dec 16 07:05:32.468 London: DHCPD: DHCPDISCOVER received from client 0118.2861.997b.a8 on interface BVI1.
  000157: Dec 16 07:05:32.468 London: DHCPD: Allocate an address without class information (10.1.1.0)
  000158: Dec 16 07:05:32.472 London: DHCPD: Saving workspace (ID=0xC700000A)
  Denham_887#
  000159: Dec 16 07:05:34.080 London: DHCPD: New packet workspace 0x1240A47C (ID=0x5500000B)
  000160: Dec 16 07:05:34.080 London: DHCPD: client's VPN is .
  000161: Dec 16 07:05:34.080 London: DHCPD: No option 125
  000162: Dec 16 07:05:34.080 London: DHCPD: DHCPDISCOVER received from client 0019.fba4.b21a on interface BVI1.
  000163: Dec 16 07:05:34.080 London: DHCPD: Sending DHCPOFFER to client 0019.fba4.b21a (10.1.1.12).DHCPD: Setting only requested parameters
  000164: Dec 16 07:05:34.080 London: DHCPD: no option 125
  000165: Dec 16 07:05:34.080 London: DHCPD: broadcasting BOOTREPLY to client 0019.fba4.b21a.
  Denham_887#
  000166: Dec 16 07:05:34.468 London: DHCPD: Reprocessing saved workspace (ID=0xC700000A)
  000167: Dec 16 07:05:34.468 London: DHCPD: DHCPDISCOVER received from client 0118.2861.997b.a8 on interface BVI1.
  000168: Dec 16 07:05:34.468 London: DHCPD: Sending DHCPOFFER to client 0118.2861.997b.a8 (10.1.1.13).DHCPD: Setting only requested parameters
  000169: Dec 16 07:05:34.468 London: DHCPD: no option 125
  000170: Dec 16 07:05:34.468 London: DHCPD: broadcasting BOOTREPLY to client 1828.6199.7ba8.
  Denham_887#
  000171: Dec 16 07:05:35.476 London: DHCPD: client's VPN is .
  000172: Dec 16 07:05:35.476 London: DHCPD: No option 125
  000173: Dec 16 07:05:35.476 London: DHCPD: DHCPDISCOVER received from client 0118.2861.997b.a8 on interface BVI1.
  000174: Dec 16 07:05:35.476 London: DHCPD: Sending DHCPOFFER to client 0118.2861.997b.a8 (10.1.1.13).DHCPD: Setting only requested parameters
  000175: Dec 16 07:05:35.476 London: DHCPD: no option 125
  000176: Dec 16 07:05:35.476 London: DHCPD: broadcasting BOOTREPLY to client 1828.6199.7ba8.
  Denham_887#
  000177: Dec 16 07:05:37.520 London: DHCPD: client's VPN is .
  000178: Dec 16 07:05:37.520 London: DHCPD: No option 125
  000179: Dec 16 07:05:37.520 London: DHCPD: DHCPDISCOVER received from client 0118.2861.997b.a8 on interface BVI1.
  000180: Dec 16 07:05:37.520 London: DHCPD: Sending DHCPOFFER to client 0118.2861.997b.a8 (10.1.1.13).DHCPD: Setting only requested parameters
  000181: Dec 16 07:05:37.524 London: DHCPD: no option 125
  000182: Dec 16 07:05:37.524 London: DHCPD: broadcasting BOOTREPLY to client 1828.6199.7ba8.
  Denham_887#
  000183: Dec 16 07:05:40.532 London: DHCPD: client's VPN is .
  000184: Dec 16 07:05:40.532 London: DHCPD: No option 125
  000185: Dec 16 07:05:40.532 London: DHCPD: DHCPDISCOVER received from client 0118.2861.997b.a8 on interface BVI1.
  000186: Dec 16 07:05:40.532 London: DHCPD: Sending DHCPOFFER to client 0118.2861.997b.a8 (10.1.1.13).DHCPD: Setting only requested parameters
  000187: Dec 16 07:05:40.532 London: DHCPD: no option 125
  000188: Dec 16 07:05:40.532 London: DHCPD: broadcasting BOOTREPLY to client 1828.6199.7ba8.
  Denham_887#
  000189: Dec 16 07:05:43.540 London: DHCPD: client's VPN is .
  000190: Dec 16 07:05:43.540 London: DHCPD: No option 125
  000191: Dec 16 07:05:43.540 London: DHCPD: DHCPDISCOVER received from client 0118.2861.997b.a8 on interface BVI1.
  000192: Dec 16 07:05:43.540 London: DHCPD: Sending DHCPOFFER to client 0118.2861.997b.a8 (10.1.1.13).DHCPD: Setting only requested parameters
  000193: Dec 16 07:05:43.540 London: DHCPD: no option 125
  000194: Dec 16 07:05:43.540 London: DHCPD: broadcasting BOOTREPLY to client 1828.6199.7ba8.
  Denham_887#
  000195: Dec 16 07:05:48.884 London: DHCPD: client's VPN is .
  000196: Dec 16 07:05:48.884 London: DHCPD: No option 125
  000197: Dec 16 07:05:48.884 London: DHCPD: DHCPDISCOVER received from client 0019.fba4.b21a on interface BVI1.
  000198: Dec 16 07:05:48.884 London: DHCPD: Sending DHCPOFFER to client 0019.fba4.b21a (10.1.1.12).DHCPD: Setting only requested parameters
  000199: Dec 16 07:05:48.884 London: DHCPD: no option 125
  000200: Dec 16 07:05:48.884 London: DHCPD: broadcasting BOOTREPLY to client 0019.fba4.b21a.
  887VA-W dhcp config:
  887#sh run | section dhcp
  no ip dhcp use vrf connected
  ip dhcp binding cleanup interval 10
  no ip dhcp conflict logging
  ip dhcp pool home
   network 172.27.44.0 255.255.255.0
   dns-server 208.67.222.222 208.67.220.220  
   default-router 172.27.44.1
  ip dhcp pool test
   import all
   network 11.1.1.0 255.255.255.0
   default-router 11.1.1.1
   dns-server 208.67.222.222 208.67.220.220
  ip dhcp pool guest
   import all
   network 10.1.1.0 255.255.255.0
   default-router 10.1.1.1
   dns-server 208.67.222.222 208.67.220.220
  877-W Debug - Success:
  877#deb ip dhcp se
  877#deb ip dhcp server pa
  DHCP server packet debugging is on.
  877#deb ip dhcp server ev
  DHCP server event debugging is on.
  877#
  000258: *Jun 23 22:20:07.087 BST: DHCPD: checking for expired leases.
  000259: *Jun 23 22:20:14.684 BST: %DOT11-6-ASSOC: Interface Dot11Radio0, Station   1828.6199.7ba9 Associated SSID[guest] AUTH_TYPE[OPEN] KEY_MGMT[WPAv2 PSK]
  000260: *Jun 23 22:20:16.289 BST: DHCPD: Sending notification of DISCOVER:
  000261: *Jun 23 22:20:16.289 BST:   DHCPD: htype 1 chaddr 1828.6199.7ba8
  000262: *Jun 23 22:20:16.289 BST:   DHCPD: remote id 020a00000a010101f2000000
  000263: *Jun 23 22:20:16.289 BST:   DHCPD: circuit id 00000000
  000264: *Jun 23 22:20:16.289 BST: DHCPD: DHCPDISCOVER received from client 0118.2861.997b.a8 on interface BVI2.
  000265: *Jun 23 22:20:16.289 BST: DHCPD: Seeing if there is an internally specified pool class:
  000266
   *Jun 23 22:20:16.289 BST:   DHCPD: htype 1 chaddr 1828.6199.7ba8
  000267: *Jun 23 22:20:16.289 BST:   DHCPD: remote id 020a00000a010101f2000000
  000268: *Jun 23 22:20:16.289 BST:   DHCPD: circuit id 00000000
  000269: *Jun 23 22:20:16.289 BST: DHCPD: Sending DHCPOFFER to client 0118.2861.997b.a8 (10.1.1.9).
  000270: *Jun 23 22:20:16.289 BST: DHCPD: broadcasting BOOTREPLY to client 1828.6199.7ba8.
  000271: *Jun 23 22:20:16.493 BST: DHCPD: DHCPREQUEST received from client 0118.2861.997b.a8.
  000272: *Jun 23 22:20:16.493 BST: DHCPD: Sending notification of ASSIGNMENT:
  000273: *Jun 23 22:20:16.493 BST:  DHCPD: address 10.1.1.9 mask 255.255.255.0
  000274: *Jun 23 22:20:16.493 BST:   DHCPD: htype 1 chaddr 1828.6199.7ba8
  000275: *Jun 23 22:20:16.493 BST:   DHCPD: lease time remaining (secs) = 86400
  000276: *Jun 23 22:20:16.493 BST: DHCPD: Appending system default domain
  000278: *Jun 23 22:20:16.493 BST: DHCPD: Sending DHCPACK to client 0118.2861.997b.a8 (10.1.1.9).
  000279: *Jun 23 22:20:16.493 BST: DHCPD: broadcasting BOOTREPLY to client 1828.6199.7ba8.
  000280: *Jun 23 22:20:17.089 BST: DHCPD: checking for expired leases.
  000281: *Jun 23 22:20:18.097 BST: %SYS-5-CONFIG_I: Configured from console by vty0
  Denham#
  000282: *Jun 23 22:20:21.314 BST: DHCPD: Sending notification of DISCOVER:
  000283: *Jun 23 22:20:21.314 BST:   DHCPD: htype 1 chaddr 0019.fba4.b21a
  000284: *Jun 23 22:20:21.314 BST:   DHCPD: remote id 020a00000a010101f2000000
  000285: *Jun 23 22:20:21.314 BST:   DHCPD: circuit id 00000000
  000286: *Jun 23 22:20:21.314 BST: DHCPD: DHCPDISCOVER received from client 0019.fba4.b21a on interface BVI2.
  000287: *Jun 23 22:20:21.314 BST: DHCPD: Seeing if there is an internally specified pool class:
  000288: *
  Jun 23 22:20:21.314 BST:   DHCPD: htype 1 chaddr 0019.fba4.b21a
  000289: *Jun 23 22:20:21.314 BST:   DHCPD: remote id 020a00000a010101f2000000
  000290: *Jun 23 22:20:21.314 BST:   DHCPD: circuit id 00000000
  000291: *Jun 23 22:20:21.314 BST: DHCPD: Sending DHCPOFFER to client 0019.fba4.b21a (10.1.1.8).
  000292: *Jun 23 22:20:21.314 BST: DHCPD: broadcasting BOOTREPLY to client 0019.fba4.b21a.
  000293: *Jun 23 22:20:21.406 BST: DHCPD: DHCPREQUEST received from client 0019.fba4.b21a.
  000294: *Jun 23 22:20:21
  406 BST: DHCPD: Sending notification of ASSIGNMENT:
  000295: *Jun 23 22:20:21.406 BST:  DHCPD: address 10.1.1.8 mask 255.255.255.0
  000296: *Jun 23 22:20:21.406 BST:   DHCPD: htype 1 chaddr 0019.fba4.b21a
  000297: *Jun 23 22:20:21.406 BST:   DHCPD: lease time remaining (secs) = 86400
  000298: *Jun 23 22:20:21.406 BST: DHCPD: Can't find any hostname to update
  000299: *Jun 23 22:20:21.406 BST: DHCPD: Sending DHCPACK to client 0019.fba4.b21a (10.1.1.8).
  000300: *Jun 23 22:20:21.406 BST: DHCPD: broadcasting
  BOOTREPLY to client 0019.fba4.b21a.
  000302: *Jun 23 22:20:33.049 BST: DHCPD: Sending notification of DISCOVER:
  000303: *Jun 23 22:20:33.049 BST:   DHCPD: htype 1 chaddr 1828.6199.7ba8
  000304: *Jun 23 22:20:33.049 BST:   DHCPD: remote id 020a00000a010101f2000000
  000305: *Jun 23 22:20:33.049 BST:   DHCPD: circuit id 00000000
  000306: *Jun 23 22:20:33.049 BST: DHCPD: DHCPDISCOVER received from client 0118.2861.997b.a8 on interface BVI2.
  000307: *Jun 23 22:20:33.049 BST: DHCPD: Seeing if there is an internally specified pool class:
  000308
  Denham#: *Jun 23 22:20:33.049 BST:   DHCPD: htype 1 chaddr 1828.6199.7ba8
  000309: *Jun 23 22:20:33.049 BST:   DHCPD: remote id 020a00000a010101f2000000
  000310: *Jun 23 22:20:33.049 BST:   DHCPD: circuit id 00000000
  000311: *Jun 23 22:20:33.049 BST: DHCPD: Sending DHCPOFFER to client 0118.2861.997b.a8 (10.1.1.9).
  000312: *Jun 23 22:20:33.053 BST: DHCPD: broadcasting BOOTREPLY to client 1828.6199.7ba8.
  000313: *Jun 23 22:20:33.081 BST: DHCPD: DHCPREQUEST received from client 0118.2861.997b.a8.
  000314: *Jun 23
  Denham# 22:20:33.081 BST: DHCPD: Sending notification of ASSIGNMENT:
  000315: *Jun 23 22:20:33.081 BST:  DHCPD: address 10.1.1.9 mask 255.255.255.0
  000316: *Jun 23 22:20:33.081 BST:   DHCPD: htype 1 chaddr 1828.6199.7ba8
  000317: *Jun 23 22:20:33.081 BST:   DHCPD: lease time remaining (secs) = 86400
  000318: *Jun 23 22:20:33.081 BST: DHCPD: Appending system default domain
  000319: *Jun 23 22:20:33.085 BST: DHCPD: Using hostname 'skywirelessconnector.indahouse.dyndns.org.' for dynamic update (from hostname opti
  indahouse#uon)
  000320: *Jun 23 22:20:33.085 BST: DHCPD: Sending DHCPACK to client 0118.2861.997b.a8 (10.1.1.9).
  000321: *Jun 23 22:20:33.085 BST: DHCPD: broadcasting BOOTREPLY to client 1828.6199.7ba8.

• My mail won't load via iCloud on my desktop.  It comes up with the message "Missing resources".  How do I correct this?

  My mail won't load via iCloudonmy desktop.  It comes up with the message "Missing resources".  My network is working properly and I've checked Apple's reporting system to see if any systems are down (they are not). I am asked to submit the report to Apple (which I have)...but how do I correct this error sothat I can access my mail via iCloud on my desktop iMac?

  Here is the error message information:  DOES THIS HELP ANYONE FIGURE OUT WHAT IS HAPPENING?  All other iCloud Services work.
  IS FATAL
  true
  APPLICATION NAME
  mail
  TITLE
  Mail could not be loaded
  MESSAGE
  There was a problem loading the application due to a possible network error or missing resources. Please try again.
  LOG
  Tue, 17 Mar 2015 15:35:30 GMT:  DEBUG: MAIL in main()
  Tue, 17 Mar 2015 15:35:30 GMT:  DEBUG: Creating local CK.User object
  Tue, 17 Mar 2015 15:35:30 GMT:  DEBUG: Creating local CK.AccountPreferences object
  Tue, 17 Mar 2015 15:35:30 GMT:  DEBUG: -->  Request 1:   POST to https://p04-mailws.icloud.com:443/wm/preference?clientBuildNumber=15B.9bb3ce9&cl ientId=548F3122-7920-4BB0-8988-1F5BFD99D289&dsid=1018646875,  headers: Content-Type=text/plain,  body: (omitted)
  Tue, 17 Mar 2015 15:35:30 GMT:  DEBUG: ----------------> Request out: /wm/preference-list-->1426606530328/1
    wmsid: null
    params: {"locale":"en-us","timeZone":"US/Eastern"}
  Tue, 17 Mar 2015 15:35:30 GMT:  DEBUG: SC.Object:sc1473:dispatch('load content')
  Tue, 17 Mar 2015 15:35:30 GMT:  DEBUG: "2.0 Waiting for Content" handled event 'load content' (no transition)
  Tue, 17 Mar 2015 15:35:30 GMT:  DEBUG: SC.Object:sc2647:dispatch('noContent')
  Tue, 17 Mar 2015 15:35:30 GMT:  DEBUG:   "6.2 pop up View" handled event 'noContent' with a transition to "6.2.2 No Content"
  Tue, 17 Mar 2015 15:35:30 GMT:  DEBUG:     -> entering "6.2.2 No Content"
  Tue, 17 Mar 2015 15:35:30 GMT:  WARN:  REJECTING SERVER RESPONSE CoreMail.MailRequest.willReceive:
    Status:0
    Request:/wm/preference
    Wmsid:null
    Redirect Count:1
    Timeout Redirect Count:1
    ResponseText:
  Tue, 17 Mar 2015 15:35:30 GMT:  DEBUG: -->  Request 2:   POST to https://p04-mailws.icloud.com:443/wm/preference?clientBuildNumber=15B.9bb3ce9&cl ientId=548F3122-7920-4BB0-8988-1F5BFD99D289&dsid=1018646875,  headers: Content-Type=text/plain,  body: (omitted)
  Tue, 17 Mar 2015 15:35:30 GMT:  DEBUG: ----------------> Request out: /wm/preference-list-->1426606530328/1
    wmsid: null
    params: {"locale":"en-us","timeZone":"US/Eastern"}
  Tue, 17 Mar 2015 15:35:30 GMT:  ERROR: GIVING UP ON RETRIES, CoreMail.MailRequest.willReceive:
  responseText: ,
  this._redirectCount: 1
  Tue, 17 Mar 2015 15:35:30 GMT:  DEBUG: <--  Response 2:  0  (84ms),  headers:   body: (empty)
  Tue, 17 Mar 2015 15:35:30 GMT:  DEBUG: <---------------- Request in: /wm/preference-list-->1426606530328/1,httpStatus: 0,round trip time: 85ms, wmsid: null
  Tue, 17 Mar 2015 15:35:30 GMT:  ERROR: retrieveResponseError:
    ServerPreferencesDataSource.retrieveResponse
    error:-1/0
    guid:serverPrefsGuid
  Tue, 17 Mar 2015 15:35:30 GMT:  ERROR: Bootstrap error: Preferences.RefreshError
  TYPE
  server
  APP STATECHART
  SC.Statechart:sc1031
    initialized: true
    name: cloudos-statechart
    current-states: [
      active.application.displayingCurrentApp
    state-transition:
      active: false
      suspended: false
    handling-event: false
  BUILD NUMBER
  15B.169e9f7
  TIME
  Tue Mar 17 2015 11:35:32 GMT-0400 (EDT)        (1426606532298)
  HOST
  www.icloud.com
  USER AGENT
  Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_2) AppleWebKit/600.3.18 (KHTML, like Gecko) Version/8.0.3 Safari/600.3.18
  DSID
  1018646875
  ENVIRONMENT
  PROD
  RECENT LOG MESSAGES
  Tue, 17 Mar 2015 15:35:30 GMT:  DEBUG: MAIL in main()
  Tue, 17 Mar 2015 15:35:30 GMT:  DEBUG: Creating local CK.User object
  Tue, 17 Mar 2015 15:35:30 GMT:  DEBUG: Creating local CK.AccountPreferences object
  Tue, 17 Mar 2015 15:35:30 GMT:  DEBUG: -->  Request 1:   POST to https://p04-mailws.icloud.com:443/wm/preference?clientBuildNumber=15B.9bb3ce9&cl ientId=548F3122-7920-4BB0-8988-1F5BFD99D289&dsid=1018646875,  headers: Content-Type=text/plain,  body: (omitted)
  Tue, 17 Mar 2015 15:35:30 GMT:  DEBUG: ----------------> Request out: /wm/preference-list-->1426606530328/1
    wmsid: null
    params: {"locale":"en-us","timeZone":"US/Eastern"}
  Tue, 17 Mar 2015 15:35:30 GMT:  DEBUG: SC.Object:sc1473:dispatch('load content')
  Tue, 17 Mar 2015 15:35:30 GMT:  DEBUG: "2.0 Waiting for Content" handled event 'load content' (no transition)
  Tue, 17 Mar 2015 15:35:30 GMT:  DEBUG: SC.Object:sc2647:dispatch('noContent')
  Tue, 17 Mar 2015 15:35:30 GMT:  DEBUG:   "6.2 pop up View" handled event 'noContent' with a transition to "6.2.2 No Content"
  Tue, 17 Mar 2015 15:35:30 GMT:  DEBUG:     -> entering "6.2.2 No Content"
  Tue, 17 Mar 2015 15:35:30 GMT:  WARN:  REJECTING SERVER RESPONSE CoreMail.MailRequest.willReceive:
    Status:0
    Request:/wm/preference
    Wmsid:null
    Redirect Count:1
    Timeout Redirect Count:1
    ResponseText:
  Tue, 17 Mar 2015 15:35:30 GMT:  DEBUG: -->  Request 2:   POST to https://p04-mailws.icloud.com:443/wm/preference?clientBuildNumber=15B.9bb3ce9&cl ientId=548F3122-7920-4BB0-8988-1F5BFD99D289&dsid=1018646875,  headers: Content-Type=text/plain,  body: (omitted)
  Tue, 17 Mar 2015 15:35:30 GMT:  DEBUG: ----------------> Request out: /wm/preference-list-->1426606530328/1
    wmsid: null
    params: {"locale":"en-us","timeZone":"US/Eastern"}
  Tue, 17 Mar 2015 15:35:30 GMT:  ERROR: GIVING UP ON RETRIES, CoreMail.MailRequest.willReceive:
  responseText: ,
  this._redirectCount: 1
  Tue, 17 Mar 2015 15:35:30 GMT:  DEBUG: <--  Response 2:  0  (84ms),  headers:   body: (empty)
  Tue, 17 Mar 2015 15:35:30 GMT:  DEBUG: <---------------- Request in: /wm/preference-list-->1426606530328/1,httpStatus: 0,round trip time: 85ms, wmsid: null
  Tue, 17 Mar 2015 15:35:30 GMT:  ERROR: retrieveResponseError:
    ServerPreferencesDataSource.retrieveResponse
    error:-1/0
    guid:serverPrefsGuid
  Tue, 17 Mar 2015 15:35:30 GMT:  ERROR: Bootstrap error: Preferences.RefreshError

• HT204387 My iphone4 and my iPad mini won't connect via blue tooth just continues to search

  My iphone4 and my iPad mini won't connect via blue tooth just continues to search

  What are you trying to do?
  The Bluetooth is meant for earplug, headset, keyboard, car hands-free set, and speakers.
  You need a 3rd party app to do BT file transfer or other functions between iDevices.

• Using ISE guest store via RADIUS

  I have a question concerning the guest store on the ISE.
  I would like to establish a guest portal on a WLC (currently running version 7.0.220.0). The guest network shouldn’t have any connection to the company network. So I can’t redirect to the ISE guest portal and have to use the local portal on the WLC and pass the login data to the ISE via RADIUS. Nevertheless I want to use the guest store on the ISE.
  On the ISE I can only select the internal user store as identity source. But this seems not to include the guest user store.
  Has anyone already implemented a similar solution or any idea how to access the guest store?
  Thanks
  Thomas

  I just created a simple setup and tested the login.
  It doesn't work with a user created as a guest account.
  If I create the user in the normal internal identity store I works fine.
  Might there be a difference between ISE Versions?
  We are currently using Version 1.1.0.665 on a VM for testing purpose.
  This is what the details show:
  11001  Received RADIUS Access-Request
  11017  RADIUS created a new session
  Evaluating Service Selection Policy
  15048  Queried PIP
  15048  Queried PIP
  15004  Matched rule
  Evaluating Identity Policy
  15006  Matched Default Rule
  15013  Selected Identity Store - Internal Users
  24210  Looking up User in Internal Users IDStore - tuser001
  24206  User disabled
  22057  The advanced option that is configured for a failed authentication request is used
  22061  The 'Reject' advanced option is configured in case of a failed authentication request
  11003  Returned RADIUS Access-Reject
  11001  Received RADIUS Access-Request
  11017  RADIUS created a new session
  Evaluating Service Selection Policy
  15048  Queried PIP
  15048  Queried PIP
  15004  Matched rule
  Evaluating Identity Policy
  15006  Matched Default Rule
  15013  Selected Identity Store - Internal Users
  24210  Looking up User in Internal Users IDStore - tuser001
  24212  Found User in Internal Users IDStore
  22037  Authentication Passed
  Evaluating Authorization Policy
  15004  Matched rule
  15016  Selected Authorization Profile - Guest
  11022  Added the dACL specified in the Authorization Profile
  11002  Returned RADIUS Access-Accept

• Cisco 1602i + Authenticating users via RADIUS?

                 Hello,
  Our company recently purchased a Cisco 1602i standalone WAP to replace the WAP4410Ns that we were having issues with.  I am now attempting to configure the RADIUS authentication, as we have a User network and a Guest connection.  The Guest connection works fine, using WPA PSK.  However, I can't seem to get the RADIUS authentication to work.  Reading the documentation has got me a little confused, and I have tried turning on debugging (debug radius authentication, debug aaa) but those show nothing.  Also, in the RADIUS server itself (Windows 2008 R2 NPS), I see nothing in the logs when I try to connect using a device or the "test aaa" command.  Can someone guide me on what I'm doing wrong?  I followed someone's advice on another forum and removed "authentication network-eap" from the SSID (phoenix_2), and now when I attempt to connect with a device it just asks me for a password, it doesn't prompt for a username anymore.  I am very stumped.  Here's the relevant config:
  aaa new-model
  aaa group server radius rad_eap
  server 10.200.5.24
  aaa group server radius rad_mac
  aaa group server radius rad_acct
  aaa group server radius rad_admin
  aaa group server tacacs+ tac_admin
  aaa group server radius rad_pmip
  aaa group server radius dummy
  aaa authentication login eap_methods group rad_eap
  aaa authentication login mac_methods local
  aaa authorization exec default local
  aaa accounting network acct_methods start-stop group rad_acct
  aaa session-id common
  clock timezone EST -5 0
  ip cef
  ip domain name gst
  dot11 syslog
  dot11 vlan-name guest vlan 255
  dot11 vlan-name user vlan 140
  dot11 ssid phoenix_2
     vlan 140
     band-select
     authentication open eap eap_methods
     mbssid guest-mode
  dot11 ssid walker_2
     vlan 255
     band-select
     authentication open
     authentication key-management wpa version 2
     mbssid guest-mode
     wpa-psk ascii 7 0353035E535879191B
  interface BVI1
  ip address 10.200.5.70 255.255.255.0
  ip default-gateway 10.200.5.1
  ip forward-protocol nd
  no ip http server
  ip http secure-server
  ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
  ip route 0.0.0.0 0.0.0.0 10.200.140.1
  ip route 0.0.0.0 0.0.0.0 10.200.5.1
  ip radius source-interface BVI1
  access-list 111 permit tcp any any neq telnet
  snmp-server community G!0bal RO
  radius-server attribute 32 include-in-access-req format %h
  radius-server host 10.200.5.24 key 7 01445E510E1C07032A495C0D0B0C011718190D3E2E767863
  radius-server vsa send accounting
  The NPS worked just fine with the WAP4410Ns, not sure why we're having so much trouble with the 1602i. 

  Thanks Rasika, your link worked.  I had the authentication key before, but i removed it while I was trying different things.  My main issue was not applying the list name to the ssid, the documentation did not make it clear that when the radius server is specified using the "radius-server ...." command, that the radius group refers to that command when you configure the group.  Once that clicked, it made sense that the method list name was specifed by the radius group, and that the authentication methods then referred to the radius group.  It was a big question mark in my head how the radius server was applied to the SSID prior to reading your post.
  I haven't tried the "erase startup-config" command yet, I will try that next. 
  Quick question, why are both authentication open and authentication network-eap needed?  I would assume authentication network-eap would suffice, unless the authentication open command refers to the allowed devices and not just authentication via RADIUS?

• Since installing Mavericks, my HP Printer adds an extra page to every print job, and iCal won't synch via iTunes with the Calendar on my iPhone 4s. Can Mavericks be uninstalled?

  Can Mavericks be uninstalled? Don't know if the discussion title pulled in all of my problem, so here it is again. Since installing Mavericks, my HP Printer adds an extra page to every print job, and iCal won't synch via iTunes with the Calendar on my iPhone 4s.
  And no, I was a bad boy and had not been Time Machining. Guess I will now.
  So, can Mavericks be uninstalled?

  Uninstall CleanMyMac2 >  How To Uninstall CleanMyMac
  Uninstall Cocktail > Uninstall Cocktail for Mac OS X
  Third party cleaning utilities are not necessary on a Mac and can only cause problems.
  Your Mac runs maintenance in the background for you >  Mac OS X: About background maintenance tasks
  Growl is un necessary and can slow  the system down > Growl - Removing Growl
  If you want to monitor the system, use the pre installed Activity Monitor app located in HD > Applications > Utilities
  Then restart your Mac.

• Assign QoS Service Policy via RADIUS to Catalyst 45k/37k?

  hi,
  is there a way to assigen a QoS service policy via Radius to an Caltalyst 4500/3750 Switchport?
  in detail, we would like to assign this policy
      policy-map SET_EF
       class class-default
         set dscp ef
  to an interface. All traffic should be marked with a defined DSCP value.
  This works find when doing it statically with
      interface FastEthernet2/1
           service-policy input SET_EF
  but we would need to assign such a policy via Radius during the 802.1x Authentication. different users should get differnt policies. We use Cisco ACS 5.2 as Radius Server and there actually is a field for
  that in the Authorization Profile Common Tasks Configuration. in detail, this uses the cisco-av-pair "sub-policy-In=<policy name>" attribute to assign a service policy to an NAS.
  we found also two other attributes "sub-qos-policy-in" and "ip:sub-qos-polcy-in" for that. CCO says that "ip:sub-qos-polcy-in" works with Catalyst 65k (http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/qos.html#wp1926523)
  unfortunately this seems to not work on Catalyst 45k and 37k.
  In the ACS Logs we can see that these attributes are attached to the Radius Reply, but unfortunately they are ignored by the switch.
  it is interesing that when entering "show aaa attributes" on the Catalyst 45k, these attributes are displayd - so for my understanding the switch should understand these attibutes (?)
      4503-E#sh aaa attributes
      AAA ATTRIBUTE LIST:
          Type=1     Name=disc-cause-ext                 Format=Enum
          Type=2     Name=Acct-Status-Type               Format=Enum
      <snip>
          Type=345   Name=sub-policy-In                  Format=String
          Type=346   Name=sub-qos-policy-in              Format=String
          Type=347   Name=sub-policy-Out                 Format=String
          Type=348   Name=sub-qos-policy-out             Format=String
  any input is welcome :-))
  best reagrds

  additionally to this discussion, i've just opened a service request with TAC.
  unfortunately the engineer told me that by now per-User QoS is definitely no supported on this two plattforms but it's listed on the roadmap and will be possibly availabe mid 2012......

• I have an Ipad and an Ipod Touch 5th gen both on the latest firmwares but they won't connect via bluetooth whenever I try even though both shows that the devices are discoverable. I need help!

  I have an Ipad and an Ipod Touch 5th gen both on the latest firmwares but they won't connect via Bluetooth whenever I try even though both shows that the devices are discoverable. I also tried connecting them with my Bluetooth enabled laptop but it also didn't worked. Because of the Bluetooth not working I also can't enable airdrop.

  What model iPad?
  What model computer and OS version>
  AirDrop requires:
  What you need
  To share content with AirDrop, both people need one of these devices using iOS 7 or later, or a Mac with OS X Yosemite:
  iPhone 5 or later
  iPad (4th generation or later)
  iPad mini
  iPod touch (5th generation)
  You also need to turn on Wi-Fi and Bluetooth. If you want to share with your contacts, sign in to your iCloud account.
  Learn more about using AirDrop to share with people using a Mac with Yosemite.
  Use AirDrop to wirelessly share content - Apple Support
  System Requirements
  To see if your Mac works with AirDrop, make sure you’re in the Finder by clicking the desktop (the background area of your screen), or by clicking the Finder icon in the Dock. Then, check to see if AirDrop is listed as an option in the Go menu. If you don't see AirDrop listed, your Mac doesn't support this feature.
  In order to transfer files between a Mac and and an iPhone, iPad or iPod touch
  your iOS device needs to include a lightning connector
  your iOS device needs iOS 7 or later installed
  your Mac needs to be a 2012 or later model with OS X Yosemite installed
  Your Mac and iOS device both need bluetooth and Wi-Fi turned on. You do not have to be connected to a specific Wi-Fi network.
  To transfer files between two Mac computers, you need the Mac models listed below with Wi-Fi turned on and OS X Lion or later installed.
  MacBook Pro (Late 2008 or newer)*
  MacBook Air (Late 2010 or newer)
  MacBook (Late 2008 or newer)*
  iMac (Early 2009 or newer)
  Mac Mini (Mid 2010 or newer)
  Mac Pro (Early 2009 with AirPort Extreme card, or Mid 2010)
  *The MacBook Pro (17-Inch Late 2008) and the white MacBook (Late 2008) do not support AirDrop.
  For help identifying your Mac, choose About This Mac from the Apple menu. You can refer to the Apple Support website to find out if your iPhone, iPad or iPod Touch includes a lightning connector.
  Mac Basics: AirDrop lets you send files from your Mac to nearby Macs and iOS devices - Apple Support
  Otherwise you need an app to pair via BT one iOS device to another iOS device. There may be apps that allow pairing with a Mac computer. The iOS devioces do not have the BT profiles necessary natively to pair with a computer or another iOS device except for AirDrop