Switchport session remain authenticated
I am facing a problem during deployment. Customer is using Avaya IP phone. If an autheticated workstation/laptop shift from one phone to another, the old switchport session remain there. The laptop acquire IP from new phone but even fail to ping gateway. If I do old phone reset or do 'clear authen sess interface', then laptop ping gateway. 'Clear arp' or 'clear mac-add table dynam' doesnt solve the issue. How can the ISE detect removal of a workstation to clear the authentication.
two ways:
CDP enhancement for second port disconnect (Cisco phones)
Proxy EAPoL-Logoff + inactivity timer (non-Cisco phones)
http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/TrustSec_1.99/Dot1X_Deployment/Dot1x_Dep_Guide.html
Similar Messages
-
ISE-switchport session remain authenticated
I am facing a problem during deployment. Customer is using Avaya IP phone. If an autheticated workstation/laptop shift from one phone to another, the old switchport session remain there. The laptop acquire IP from new phone but even fail to ping gateway. If I do old phone reset or do 'clear authen sess interface', then laptop ping gateway. 'Clear arp' or 'clear mac-add table dynam' doesnt solve the issue. How can the ISE detect removal of a workstation to clear the authentication.
two ways:
CDP enhancement for second port disconnect (Cisco phones)
Proxy EAPoL-Logoff + inactivity timer (non-Cisco phones)
http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/TrustSec_1.99/Dot1X_Deployment/Dot1x_Dep_Guide.html -
How to know if user (session) is authenticated in other application (SSO)
Hi folks!
We've deployed various J2EE applications in some OC4J instances. So far the applications used SSO Authentication against OiD (LDAP), but we need a public access application.
The problem is the following: we need a different behaviour in this last application (without authentication characteristics) depending on one user is authenticated within other application that required SSO login.
How could check if current user (session) si authenticated against SSO, for example, in ADF-STRUTS DataAction class?
We tested the gerRemoteUser() method but is only works within the applications requering login.
Please, anyone could guide me?
Mike
Thanks!Hi,
Oracle AS Single Sign ON stores some of the attributes of an authenticated user in a browser cookie - the name of the Cookie is SSO_ID.
You cannot get any information from this Cookie. The Cookie is avaliable only to the Oracle AS Single Sign ON and is meant to be used only by it. You cannot read any useful information from the Cookie as it is higly encrypted.
If you need to know the name of the currently logged in user, your application should be a Partner Application or an External Applciation to Oracle AS Single Sign On.
The reason is simple - you can use your browser to connect to many Websites protected by Oracle AS Single Sign ON. Thus, if your application isn't a Partner or an External Application registered with SSO, your application can't establish a context.
Hence, your application needs to be registered as a Partner Application or an External Application with SSO.
An application which is nto registered with SSO cannot get the User information from SSO. The getRemoteUser() method would always return a null in such cases.
Regards,
Sandeep -
ABAP WebDynpro - Session remains open....
Hi Experts,
We have configured ABAP Webdynpro (SD Order Creation) iView in SAP Portal. When we test it from intranet, everything works fine and session in backend gets terminated when we leave that page on portal. But when we test it from internet, session remains open and not getting closed. How to terminate these onen sessions??
SAP Portal and backend SAP ECC are on same domain....
Helpful answer will be respected.....
Thanks
PRAMODHi Parmod,
are you accessing the application in exactly the same way in the two cases?
logging into portal from internet?
One thing that you might need to be wary of is a lack of pop-ups. The portal uses a pop-up window when a user closes the browser to terminate the session.
I've had plenty of problems with pop-up blockers that have prevented this pop-up from terminating the portal sessions. Sometime these pop-up blockers are configured to operate only on internet sites and not on internal intranet sites. That might be a possible cause.
Cheers,
Chris -
ABAP WebDynPro iView: Session remains open in backend.....
Hi Experts,
We have configured ABAP Webdynpro (SD Order Creation) iView in SAP Portal. When we test it from intranet, everything works fine and session in backend gets terminated when we leave that page on portal. But when we test it from internet, session remains open and not getting closed. How to terminate these onen sessions??
SAP Portal and backend SAP ECC are on same domain....
Helpful answer will be respected.....
Thanks
PRAMODHi Arun,
Thanks for the comment.
Let me try this and will get back with result.
Regards,
PRAMOD -
GnomeUI-WARNING While connecting to session manager:Authentication Rejected
Hi:
I was running Oracle eBusiness Suite R1211 on Enterprise Linux 5.3.
When I try to run HelloWorld on OA Framework tutorial I got the following error
(Gecko:6415): GnomeUI-WARNING **: While connecting to session manager: Authentication Rejected
Does any one has idea how to resolve the problem?
Please help
semCheck the DBC file is updated one & are the connection is working or not.
Thanks
--Anil -
Automatic disconnection from AP when timed out (session or authentication) from captive portal
Captive portal implementation permits/blocks web traffic. When a user is timed out (authentication & session) it still occupies a channel as seen in the clients list. How can we disconnect a host that is timed out?
There is NO Failed Authenticated list.These are the only available tabs in the lapac1200Captive Portal Global Configuration Portal Profiles Local User Local Group Web Customization Profile Association Client Information
-
SAPKW35012. Session remains in SM04 in the BW system.
Hi Gurus!
I use Visual Basic to call Function:
SAP.Functions.Connection.Logon(0, False)
SAP.Functions.Connection.Logoff
It works.
But sometimes the session still remain (SM04).
How can it be after session idle time out?
Why?
Can anyone help me?
Thanks, best regards,
AndyML
P.S. There is no problem in SAPKW30B21.Warning!!!
There is the bug in SAP Automation ActiveX (OCX) Control:
Object: "Connection"
Property: "IsConnected"
"IsConnected" can be equal to "1" long time,
after maximum user idle time exceeded on the server side.
There are locked data and session has status "connected".
Server: SAPKW35012 = BW Version 3.5 + package 12
SAP GUI: 620
Solution (Visual Basic for Excel):
Public Function Check_Connection_Status (objFunc As Object) As Boolean
Dim objCall As Object
If objFunc.Connection.IsConnected <> "1" Then
Check_Connection_Status = False
Else
Set oSaveObj = objFunc.Add("Z_PING")
Check_Connection_Status = objCall.Call
End If
End Function
Where "Z_PING" is dummy empty ABAP-Function.
Best Regards.
AndyML
P.S.
SAP ActiveX user manual:
http://help.sap.com/saphelp_46c/helpdata/de/d8/44ca50ac3c11d189c60000e829fbbd/frameset.htm -
Do earlier iMessage sessions remain active if iMessage is turned off?
Hello,
I recently sent a message to a phone number that I entered manually. Later I realized that, for some reason that eludes me, the message was automatically sent as an iMessage instead of a text message. I'd rather all messages I send to phones in the future be sent as text messages, so I turned iMessage off in Settings. Nevertheless, do you think that the session I mentioned will remain active? Specifically, will I receive messages sent from this number in the future, despite the fact that the earlier conversation went through as iMessages, which option I have now turned off?
I appreciate any help or advice.Someone awhile back had problems SSHing to a Mac sitting at the Login prompt... I thought it should work that way, but turned out they fixed the problem and could do it, so I surmise the answer would be yes.
-
VPN session remains up but can no longer get to internal devices
Our remote users in Germany are provided with a mixture of Vodafone 3G Mobile Connect Cards (PCMCIA) and "USB sticks" for cellular broadband access. Installed on their laptops is Vodafone's Mobile Connect Client & Cisco VPN client version 5.
To connect, they first connect to Vodafone's "VPN access point" -- Vodafone's VPN only service offering. Once connected, they VPN into the network with the Cisco client. All users connect to a Cisco 3020 Concentrator.
Users are able to access network resources, however, they lose connectivity after 5-10min. What's unusual is, it doesn't look like the VPN session drops since the padlock in the right hand corner remains locked; they just can't access network resources.
To troubleshoot...
a) We had a user establish a VPN session then immediately start a continuous ping to an internal device's IP address. The connection stayed up for 20min before requests started timing out.
b) We enabled "IPSec over TCP" on the client and Concentrator side, no change.
What could possibly be causing this behavior?Does Vodafone use Venturi Transport Protocol clients for Windows like Verizon's does with their EvDO cards? If so, we had to turn off and eventually uninstall the Venturi client software because it detrimentally interfered with IPsec traffic.
-Gary -
Single Session per Authentication/MAC
Hi All
We are in process to deploy a wireless for a customer with ACS, where we want A single User/machine to have a login checked with External Identity store and have only one session at a time.
i.e. if User A logged in with Machine A, he should not be able to use Machine B for the same authentication even if the Machine B is having MAC authenticated, (please note that MAC Authentication is not necessory but one user should use only one machine)
I am a little new to the ACS/Wireless, any help would be highly appriciated.
Many thanks for reading me.Hi tarun,
I think you are looking for the new feature in ACS 5.3:
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/release/notes/acs_53_rn.html#wp195861
Maximum user sessions
Allows you to restrict the user from too many concurrent user sessions. The permitted number of concurrent user sessions is between 1 and 65535.
For more information on this see:
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/user/guide/access_policies.html#wp1176806
Hope this help -
The user session remains after a App Server reboot.
Hi,
In my configuration of Oracle Portal, when I perform a boot on the server, the users can use the Portal after the boot without the need to login again. How can we force a new login after a reboot in the server?
Thanks.Hi,
I have answered a similar question in How to logout an user when the browser is closed?
Thanks,
Sharmila -
Wired dot1X session termination
Hi all,
Question about wired dot1X session termination.
After a client successfully done on the wired dot1x authentication, my authZ rule is follow by the VLAN assignement whereby DHCP server will provision a client IP to the PC.
But when the client doing these 2 action:
01. after get connected, disable the IEEE 802.1x option on the PC Ethernet port setting
02. after get connected, disable, then enable the PC Ethernet port setting (bouncing)
I found out these 2 actions will still get the user in authorized state, because it is not link down or port-bounce action. Session still persist at client PC.
My question :
Anything i can configure either on the switch or ISE will automatic trigger an action like send an EAPOL-Logoff message, causing the switch port to change to the unauthorized state?
Thanks
Component in use:
client OS: window 7
PEAP-MsCHAP V2
authentication mode : iser or computer authetnication
no check on single sign on
no check remember credential for connection each time logged on
no check fallback to unauthorized network access
ISE 1.1.3 with patch 4
Switchport configuration
interface G0/1
switchporGt mode access
switchport access vlan 61
authentication port-control auto
dot1x pae authenticator
authentication host-mode multi-auth
authentication order dot1x
authentication priority dot1x mab
no shutdown
endFor #2 - The session should terminate and restart if the Ehternet adapter on the PC bounces. Are you saying that even though the user disables/enables the adapter, the session remains active in ISE/NAD?
For #1 - I am not really sure as I have never played with this before. My guess would be "No" because once ISE sends the "Access Accept" back to the NAD (your switch in this scenario), the NAD won't know if you are disabling 802.1x. The EAPoL conversation already took place so there is no more 802.1x type traffic coming in and out of the NAD/Client on that port.
I suppose you can set a re-autn and inactivity timer on both the NAD and ISE but keep in mind that it is not recommended for those timers to be set at low values (minimum 1 hour). Otherwise you could overwhelm your ISE servers depending on how large your environment is.
You will need to add the following commands on the switchport:
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity server
Then in ISE you will need to set the re-auth and the idle timers under the "Authorization Profile"
Another thing to keep in mind is that you should control what your users can and cannot do on their workstations via GPO (Group Policy). In normal circumstances a regular user should not have the privileges to disable 802.1x or their Ethernet adapter :)
Hope this helps!
Thank you for rating helpful posts! -
802.1x port authentication failing after getting a access-accept packet
Hi all,
Im not 100% sure what the hell is going on here.
Any idea's or help will be appreciated.
Heres the topology.
1 x windows 2012 NPS
1x 3750X
1x Windows 7 x64
data flow
<laptop> - - [gi 1/0/13]<3750X>[gi 1/0/48]- -[gi 5/39]<6513>[po 1] - - [po 4]<6509><5/1> - - <VMWARE>[NPS Server]
The switch that is doing the authentication is the 3750X. Here is the IOS version.
Switch Ports Model SW Version SW Image
* 1 54 WS-C3750X-48 15.2(1)E C3750E-UNIVERSALK9-M
A wireshark trace on the NPS server shows that the packets are arriving and being sent back
Wireshark on a mirror of the trunk port connecting the 6513. It also shows packets being sent and arriving. access-accept packets are being recieved.
As you can see in the debug output, the switch is getting a access-accept, then it is stating a AAA failure.
here is a debug output as you plug in the laptop.
Oct 24 10:53:44.653: dot1x-ev:[Gi1/0/13] Interface state changed to DOWN
Oct 24 10:53:44.653: dot1x-ev:[Gi1/0/13] No DOT1X subblock found for port down
Oct 24 10:53:45.643: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/13, changed state to down
Oct 24 10:53:46.641: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/13, changed state to down
Oct 24 10:53:47.538: dot1x-ev:[Gi1/0/13] Interface state changed to UP
Oct 24 10:53:47.564: dot1x-packet:[6431.500e.9b00, Gi1/0/13] queuing an EAPOL pkt on Auth Q
Oct 24 10:53:47.572: dot1x-ev:DOT1X Supplicant not enabled on GigabitEthernet1/0/13
Oct 24 10:53:47.572: dot1x-packet:EAPOL pak rx - Ver: 0x1 type: 0x1
Oct 24 10:53:47.572: dot1x-packet: length: 0x0000
Oct 24 10:53:47.572: dot1x-ev:[Gi1/0/13] Dequeued pkt: Int Gi1/0/13 CODE= 0,TYPE= 0,LEN= 0
Oct 24 10:53:47.572: dot1x-ev:[Gi1/0/13] Received pkt saddr =6431.500e.9b00 , daddr = 0180.c200.0003, pae-ether-type = 888e.0101.0000
Oct 24 10:53:47.572: dot1x-ev:[Gi1/0/13] Couldn't find the supplicant in the list
Oct 24 10:53:47.572: dot1x-ev:[6431.500e.9b00, Gi1/0/13] New client detected, sending session start event for 6431.500e.9b00
Oct 24 10:53:47.572: AAA/BIND(00000047): Bind i/f
Oct 24 10:53:47.580: dot1x-ev:[6431.500e.9b00, Gi1/0/13] Sending create new context event to EAP for 0x15000045 (6431.500e.9b00)
Oct 24 10:53:47.580: EAP-EVENT: Received context create from LL (Dot1x-Authenticator) (0x15000045)
Oct 24 10:53:47.580: EAP-AUTH-EVENT: Received AAA ID 0x00000047 from LL
Oct 24 10:53:47.580: EAP-AUTH-AAA-EVENT: Assigning AAA ID 0x00000047
Oct 24 10:53:47.580: EAP-AUTH-AAA-EVENT: CTS not enabled on interface Gi1/0/13
Oct 24 10:53:47.580: EAP-AUTH-EVENT: Received Session ID "C0A846660000004700DF6030" from LL
Oct 24 10:53:47.580: EAP-AUTH-EVENT: Setting authentication mode: Passthrough
Oct 24 10:53:47.580: eap_authen : initial state eap_auth_initialize has enter
Oct 24 10:53:47.580: EAP-EVENT: Allocated new EAP context (handle = 0xE8000047)
Oct 24 10:53:47.580: dot1x-ev:[6431.500e.9b00, Gi1/0/13] Created a client entry (0x15000045)
Oct 24 10:53:47.580: dot1x-ev:[6431.500e.9b00, Gi1/0/13] Dot1x authentication started for 0x15000045 (6431.500e.9b00)
Oct 24 10:53:47.580: %AUTHMGR-5-START: Starting 'dot1x' for client (6431.500e.9b00) on Interface Gi1/0/13 AuditSessionID C0A846660000004700DF6030
Oct 24 10:53:47.580: EAP-EVENT: Received EAP event 'EAP_AUTHENTICATOR_START' on handle 0xE8000047
Oct 24 10:53:47.580: eap_authen : during state eap_auth_initialize, got event 25(eapStartTmo)
Oct 24 10:53:47.580: @@@ eap_authen : eap_auth_initialize -> eap_auth_select_action
Oct 24 10:53:47.580: eap_authen : during state eap_auth_select_action, got event 20(eapDecisionPropose)
Oct 24 10:53:47.580: @@@ eap_authen : eap_auth_select_action -> eap_auth_propose_method
Oct 24 10:53:47.580: eap_authen : idle during state eap_auth_propose_method
Oct 24 10:53:47.580: @@@ eap_authen : eap_auth_propose_method -> eap_auth_method_request
Oct 24 10:53:47.580: eap_authen : idle during state eap_auth_method_request
Oct 24 10:53:47.580: @@@ eap_authen : eap_auth_method_request -> eap_auth_tx_packet
Oct 24 10:53:47.580: EAP-AUTH-EVENT: Current method = Identity
Oct 24 10:53:47.580: EAP-EVENT: Sending LL (Dot1x-Authenticator) event 'EAP_CUSTOMIZE_ID_REQUEST' on handle 0xE8000047
Oct 24 10:53:47.580: eap_authen : idle during state eap_auth_tx_packet
Oct 24 10:53:47.580: @@@ eap_authen : eap_auth_tx_packet -> eap_auth_idle
Oct 24 10:53:47.589: EAP-AUTH-TX-PAK: Code:REQUEST ID:0x1 Length:0x0005 Type:IDENTITY
Oct 24 10:53:47.589: EAP-EVENT: Started 'Authenticator ReqId Retransmit' timer (30s) for EAP sesion handle 0xE8000047
Oct 24 10:53:47.589: EAP-EVENT: Started EAP tick timer
Oct 24 10:53:47.589: EAP-EVENT: Sending LL (Dot1x-Authenticator) event 'EAP_TX_PACKET' on handle 0xE8000047
Oct 24 10:53:47.597: dot1x-ev:[Gi1/0/13] Sending EAPOL packet to group PAE address
Oct 24 10:53:47.597: dot1x-ev:[Gi1/0/13] Sending out EAPOL packet
Oct 24 10:53:47.597: dot1x-packet:EAPOL pak Tx - Ver: 0x3 type: 0x0
Oct 24 10:53:47.597: dot1x-packet: length: 0x0005
Oct 24 10:53:47.597: dot1x-packet:EAP code: 0x1 id: 0x1 length: 0x0005
Oct 24 10:53:47.597: dot1x-packet: type: 0x1
Oct 24 10:53:47.597: dot1x-packet:[6431.500e.9b00, Gi1/0/13] EAPOL packet sent to client 0x15000045
Oct 24 10:53:47.606: dot1x-packet:[6431.500e.9b00, Gi1/0/13] Queuing an EAPOL pkt on Authenticator Q
Oct 24 10:53:47.606: dot1x-packet:EAPOL pak rx - Ver: 0x1 type: 0x0
Oct 24 10:53:47.606: dot1x-packet: length: 0x001F
Oct 24 10:53:47.606: dot1x-ev:[Gi1/0/13] Dequeued pkt: Int Gi1/0/13 CODE= 2,TYPE= 1,LEN= 31
Oct 24 10:53:47.606: dot1x-ev:[Gi1/0/13] Received pkt saddr =6431.500e.9b00 , daddr = 0180.c200.0003, pae-ether-type = 888e.0100.001f
Oct 24 10:53:47.606: dot1x-packet:EAPOL pak rx - Ver: 0x1 type: 0x0
Oct 24 10:53:47.606: dot1x-packet: length: 0x001F
Oct 24 10:53:47.606: dot1x-ev:[6431.500e.9b00, Gi1/0/13] Response sent to the server from 0x15000045
Oct 24 10:53:47.606: EAP-EVENT: Received LL (Dot1x-Authenticator) event 'EAP_RX_PACKET' on handle 0xE8000047
Oct 24 10:53:47.606: EAP-AUTH-RX-PAK: Code:RESPONSE ID:0x1 Length:0x001F Type:IDENTITY
Oct 24 10:53:47.606: Payload: 47454E4552414C5C72616E64792E636F ...
Oct 24 10:53:47.606: eap_authen : during state eap_auth_idle, got event 1(eapRxPacket)
Oct 24 10:53:47.606: @@@ eap_authen : eap_auth_idle -> eap_auth_received
Oct 24 10:53:47.606: EAP-AUTH-EVENT: EAP Response received by context 0xE8000047
Oct 24 10:53:47.606: EAP-AUTH-EVENT: EAP Response type = Identity
Oct 24 10:53:47.606: EAP-EVENT: Stopping 'Authenticator ReqId Retransmit' timer for EAP sesion handle 0xE8000047
Oct 24 10:53:47.606: eap_authen : during state eap_auth_received, got event 10(eapMethodData)
Oct 24 10:53:47.606: @@@ eap_authen : eap_auth_received -> eap_auth_method_response
Oct 24 10:53:47.606: EAP-AUTH-EVENT: Received peer identity: GENERAL\randy.coburn.admin
Oct 24 10:53:47.606: EAP-EVENT: Sending LL (Dot1x-Authenticator) event 'EAP_IDENTITY' on handle 0xE8000047
Oct 24 10:53:47.606: eap_authen : during state eap_auth_method_response, got event 13(eapMethodEnd)
Oct 24 10:53:47.606: @@@ eap_authen : eap_auth_method_response -> eap_auth_select_action
Oct 24 10:53:47.606: eap_authen : during state eap_auth_select_action, got event 19(eapDecisionPass)
Oct 24 10:53:47.606: @@@ eap_authen : eap_auth_select_action -> eap_auth_passthru_init
Oct 24 10:53:47.606: eap_authen : during state eap_auth_passthru_init, got event 22(eapPthruIdentity)
Oct 24 10:53:47.614: @@@ eap_authen : eap_auth_passthru_init -> eap_auth_aaa_req
Oct 24 10:53:47.614: EAP-EVENT: Sending LL (Dot1x-Authenticator) event 'EAP_GET_PEER_MAC_ADDRESS' on handle 0xE8000047
Oct 24 10:53:47.614: EAP-AUTH-AAA-EVENT: Adding Audit-Session-ID "C0A846660000004700DF6030" to RADIUS Req
Oct 24 10:53:47.614: EAP-AUTH-AAA-EVENT: Added Audit-Session-ID
Oct 24 10:53:47.614: EAP-AUTH-AAA-EVENT: Adding IDB "0x070B90F8" to RADIUS Req
Oct 24 10:53:47.614: EAP-AUTH-AAA-EVENT: Added IDB
Oct 24 10:53:47.614: EAP-EVENT: Sending LL (Dot1x-Authenticator) event 'EAP_CUSTOMIZE_AAA_REQUEST' on handle 0xE8000047
Oct 24 10:53:47.614: EAP-AUTH-AAA-EVENT: eap_auth_aaa_authen_request_shim aaa_service 19, eap aaa_list handle 0, mlist handle 0
Oct 24 10:53:47.614: AAA/AUTHEN/8021X (00000000): Pick method list 'default'
Oct 24 10:53:47.614: EAP-AUTH-AAA-EVENT: Request sent successfully
Oct 24 10:53:47.614: eap_authen : during state eap_auth_aaa_req, got event 24(eapAAAReqOk)
Oct 24 10:53:47.614: @@@ eap_authen : eap_auth_aaa_req -> eap_auth_aaa_idle
Oct 24 10:53:47.614: RADIUS/ENCODE(00000000):Orig. component type = Invalid
Oct 24 10:53:47.614: RADIUS/ENCODE(00000000): Unsupported AAA attribute hwidb
Oct 24 10:53:47.614: RADIUS/ENCODE(00000000): Unsupported AAA attribute aaa-authen-type
Oct 24 10:53:47.614: RADIUS/ENCODE(00000000): Unsupported AAA attribute aaa-authen-service
Oct 24 10:53:47.614: RADIUS/ENCODE(00000000): Unsupported AAA attribute clid-mac-addr
Oct 24 10:53:47.614: RADIUS/ENCODE(00000000): Unsupported AAA attribute target-scope
Oct 24 10:53:47.614: RADIUS/ENCODE(00000000): Unsupported AAA attribute aaa-unique-id
Oct 24 10:53:47.614: RADIUS(00000000): Config NAS IP: 0.0.0.0
Oct 24 10:53:47.614: RADIUS(00000000): sending
Oct 24 10:53:47.614: RADIUS/ENCODE: Best Local IP-Address 192.168.70.102 for Radius-Server 192.168.19.121
Oct 24 10:53:47.614: RADIUS(00000000): Send Access-Request to 192.168.19.121:1645 id 1645/21, len 288
Oct 24 10:53:47.614: RADIUS: authenticator F1 BA E5 31 71 54 BF 1A - A2 B1 5E 1A 63 72 1E 72
Oct 24 10:53:47.614: RADIUS: User-Name [1] 28 "GENERAL\randy.coburn.admin"
Oct 24 10:53:47.614: RADIUS: Service-Type [6] 6 Framed [2]
Oct 24 10:53:47.614: RADIUS: Vendor, Cisco [26] 27
Oct 24 10:53:47.614: RADIUS: Cisco AVpair [1] 21 "service-type=Framed"
Oct 24 10:53:47.614: RADIUS: Framed-MTU [12] 6 1500
Oct 24 10:53:47.614: RADIUS: Called-Station-Id [30] 19 "AC-F2-C5-75-7D-0D"
Oct 24 10:53:47.614: RADIUS: Calling-Station-Id [31] 19 "64-31-50-0E-9B-00"
Oct 24 10:53:47.614: RADIUS: EAP-Message [79] 33
Oct 24 10:53:47.614: RADIUS: 02 01 00 1F 01 47 45 4E 45 52 41 4C 5C 72 61 6E 64 79 2E 63 6F [GENERAL\randy.co]
Oct 24 10:53:47.622: RADIUS: 62 75 72 6E 2E 61 64 6D 69 6E [ burn.admin]
Oct 24 10:53:47.622: RADIUS: Message-Authenticato[80] 18
Oct 24 10:53:47.622: RADIUS: EE 52 4D ED B9 06 F3 CE 63 AC 9D 73 24 1B A7 ED [ RMcs$]
Oct 24 10:53:47.622: RADIUS: EAP-Key-Name [102] 2 *
Oct 24 10:53:47.622: RADIUS: Vendor, Cisco [26] 49
Oct 24 10:53:47.622: RADIUS: Cisco AVpair [1] 43 "audit-session-id=C0A846660000004700DF6030"
Oct 24 10:53:47.622: RADIUS: Vendor, Cisco [26] 20
Oct 24 10:53:47.622: RADIUS: Cisco AVpair [1] 14 "method=dot1x"
Oct 24 10:53:47.622: RADIUS: NAS-IP-Address [4] 6 192.168.70.102
Oct 24 10:53:47.622: RADIUS: NAS-Port [5] 6 60000
Oct 24 10:53:47.622: RADIUS: NAS-Port-Id [87] 23 "GigabitEthernet1/0/13"
Oct 24 10:53:47.622: RADIUS: NAS-Port-Type [61] 6 Ethernet [15]
Oct 24 10:53:47.622: RADIUS(00000000): Sending a IPv4 Radius Packet
Oct 24 10:53:47.622: RADIUS(00000000): Started 10 sec timeout
Oct 24 10:53:47.622: RADIUS: Received from id 1645/21 192.168.19.121:1645, Access-Accept, len 66
Oct 24 10:53:47.622: RADIUS: authenticator 92 F6 07 AF C1 AB 0B 4C - 1D 9E A0 D1 01 36 27 26
Oct 24 10:53:47.622: RADIUS: Class [25] 46
Oct 24 10:53:47.622: RADIUS: 76 E3 06 66 00 00 01 37 00 01 02 00 C0 A8 13 79 00 00 00 00 00 00 00 00 00 00 00 00 01 CE CF F8 1F 7B 75 41 00 00 00 00 00 00 00 50 [ vf7y{uAP]
Oct 24 10:53:47.622: RADIUS(00000000): Received from id 1645/21
Oct 24 10:53:47.622: EAP-EVENT: eap_aaa_reply
Oct 24 10:53:47.622: EAP-AUTH-AAA-EVENT: Reply received session_label 72000033
Oct 24 10:53:47.622: EAP-EVENT: Received AAA event 'EAP_AAA_FAIL' on handle 0xE8000047
Oct 24 10:53:47.622: eap_authen : during state eap_auth_aaa_idle, got event 8(eapAAAFail)
Oct 24 10:53:47.622: @@@ eap_authen : eap_auth_aaa_idle -> eap_auth_failure
Oct 24 10:53:47.631: EAP-EVENT: Received get canned status from lower layer (0xE8000047)
Oct 24 10:53:47.631: EAP-AUTH-TX-PAK: Code:FAILURE ID:0x1 Length:0x0004
Oct 24 10:53:47.631: EAP-AUTH-EVENT: FAIL for EAP method ID: 1, name: , on handle 0xE8000047
Oct 24 10:53:47.631: EAP-EVENT: Sending LL (Dot1x-Authenticator) event 'EAP_FAIL' on handle 0xE8000047
Oct 24 10:53:47.631: dot1x-ev:[6431.500e.9b00, Gi1/0/13] Received an EAP Fail
Oct 24 10:53:47.639: %DOT1X-5-FAIL: Authentication failed for client (6431.500e.9b00) on Interface Gi1/0/13 AuditSessionID C0A846660000004700DF6030
Oct 24 10:53:47.639: dot1x-packet:[6431.500e.9b00, Gi1/0/13] Added username in dot1x
Oct 24 10:53:47.639: dot1x-packet:[6431.500e.9b00, Gi1/0/13] Dot1x did not receive any key data
Oct 24 10:53:47.639: dot1x-ev:[6431.500e.9b00, Gi1/0/13] Processing client delete for hdl 0x15000045 sent by Auth Mgr
Oct 24 10:53:47.639: dot1x-ev:[6431.500e.9b00, Gi1/0/13] 6431.500e.9b00: sending canned failure due to method termination
Oct 24 10:53:47.639: EAP-EVENT: Received get canned status from lower layer (0xE8000047)
Oct 24 10:53:47.639: dot1x-ev:[Gi1/0/13] Sending EAPOL packet to group PAE address
Oct 24 10:53:47.639: dot1x-ev:[Gi1/0/13] Sending out EAPOL packet
Oct 24 10:53:47.639: dot1x-packet:EAPOL pak Tx - Ver: 0x3 type: 0x0
Oct 24 10:53:47.639: dot1x-packet: length: 0x0004
Oct 24 10:53:47.639: dot1x-packet:EAP code: 0x4 id: 0x1 length: 0x0004
Oct 24 10:53:47.639: dot1x-packet:[6431.500e.9b00, Gi1/0/13] EAPOL canned status packet sent to client 0x15000045
Oct 24 10:53:47.639: dot1x-ev:[6431.500e.9b00, Gi1/0/13] Deleting client 0x15000045 (6431.500e.9b00)
Oct 24 10:53:47.639: %AUTHMGR-7-STOPPING: Stopping 'dot1x' for client 6431.500e.9b00 on Interface Gi1/0/13 AuditSessionID C0A846660000004700DF6030
Oct 24 10:53:47.639: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (6431.500e.9b00) on Interface Gi1/0/13 AuditSessionID C0A846660000004700DF6030
Oct 24 10:53:47.648: dot1x-ev:[6431.500e.9b00, Gi1/0/13] Delete auth client (0x15000045) message
Oct 24 10:53:47.648: EAP-EVENT: Received free context (0xE8000047) from LL (Dot1x-Authenticator)
Oct 24 10:53:47.648: dot1x-ev:Auth client ctx destroyed
Oct 24 10:53:47.648: EAP-EVENT: Received LL (Dot1x-Authenticator) event 'EAP_DELETE' on handle 0xE8000047
Oct 24 10:53:47.648: EAP-AUTH-EVENT: Freed EAP auth context
Oct 24 10:53:47.648: EAP-EVENT: Freed EAP context
Oct 24 10:53:48.621: EAP-EVENT: Stopped EAP tick timer
Oct 24 10:53:49.485: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/13, changed state to up
Oct 24 10:53:50.491: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/13, changed state to up
Oct 24 10:53:53.528: dot1x-ev:[Gi1/0/13] Interface state changed to DOWN
Oct 24 10:53:53.528: dot1x-ev:[Gi1/0/13] No DOT1X subblock found for port down
Oct 24 10:53:54.518: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/13, changed state to down
Oct 24 10:53:55.524: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/13, changed state to downHi Jatin,
See below the data that you have requested.
show run bits.
aaa new-model
aaa authentication dot1x default group radius
aaa session-id common
clock timezone BST 0 0
clock summer-time UTC recurring last Sun Mar 1:00 last Sun Oct 2:00
dot1x system-auth-control
interface GigabitEthernet1/0/13
switchport access vlan 80
switchport mode access
authentication port-control auto
dot1x pae authenticator
spanning-tree portfast
interface GigabitEthernet1/0/48
switchport trunk encapsulation dot1q
switchport trunk native vlan 70
switchport mode trunk
radius server NPS1
address ipv4 192.168.19.121 auth-port 1645 acct-port 1646
timeout 10
key thesecret
ip default-gateway 192.168.70.1
SW1-randy#show auth sessions interface gig 1/0/13
Interface MAC Address Method Domain Status Fg Session ID
Gi1/0/13 803f.5d09.189e N/A UNKNOWN Unauth C0A846660000002F00251DBC
SW1-randy#Show mac address-table Interface GigabitEthernet1/0/13
Mac Address Table
Vlan Mac Address Type Ports
80 803f.5d09.189e DYNAMIC Drop
SW1-randy#ping 192.168.19.121
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.19.121, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/8 ms
Here is a wireshark of the accept packet.
Message was edited by: randy coburn
Added wireshark trace -
802.1X Port Based Authentication Security Violation
I have configured 802.1X authentication on selected ports of a Cisco Catalyst 2960S with Micorsoft NPS Radius authentication on a test LAN. I have tested the authentication with a windows XP laptop, a windows 7 laptop with 802.1X, eap-tls authentication and a Mitel 5330 IP Phone using EAP-MD5 aithentication. All the above devices work with with the MS NPS server. However in MDA mode when the 802.1x compliant windows 7 laptop is connected to the already authenticated Mitel IP Phone, the port experiences a security violation and the goes into error sdisable mode.
Feb 4 19:16:16.571: %AUTHMGR-5-START: Starting 'dot1x' for client (24b6.fdfa.749b) on Interface Gi1/0/1 AuditSessionID AC10A0FE0000002F000D3CED
Feb 4 19:16:16.645: %DOT1X-5-SUCCESS: Authentication successful for client (24b6.fdfa.749b) on Interface Gi1/0/1 AuditSessionID AC10A0FE0000002F000D3CED
Feb 4 19:16:16.645: %PM-4-ERR_DISABLE: security-violation error detected on Gi1/0/1, putting Gi1/0/1 in err-disable state
Feb 4 19:16:17.651: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/1, changed state to down
Feb 4 19:16:18.658: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to down
If the port config is changed to "authentication host-mode multi-auth", and the laptop is connected to the phone the port does not experience the security violation but the 802.1x authentication for the laptop fails.
The ports GI1/0./1 & Gi1/02 are configured thus:
interface GigabitEthernet1/0/1
switchport mode access
switchport voice vlan 20
authentication event fail action authorize vlan 4
authentication event no-response action authorize vlan 4
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
mab
mls qos trust cos
dot1x pae authenticator
spanning-tree portfast
sh ver
Switch Ports Model SW Version SW Image
* 1 52 WS-C2960S-48FPS-L 15.2(1)E1 C2960S-UNIVERSALK9-M
Full config attached. Assistance will be grately appreciated.
DonfricoI believe , you need to configure re-authentication on this switch port:
! Enable re-authentication
authentication periodic
! Enable re-authentication via RADIUS Session-Timeout
authentication timer reauthenticate server
Maybe you are looking for
-
I want to delete my duplicate songs, but I have thousands of songs and cannot realistically go through and review and delete them one at a time. Can I do it all at once?
-
My iphone 4s is no longer making sound when i have an incoming call or message after installing ios7.... any help? It still vibrates but no calling sounds or message sounds. It's not on mute and the speakers are working... I can hear music etc. Oh ye
-
Problem with installer of jar file....!!!
Hi All, I had created a installer of my java application. after the installation when i click on jar file,jar file will execute but not locating to installed program files folder. But if i set the Startin property of shortcut (Start-->Programs-->Fold
-
Not sure about the protocol, because I found the problem, the question above, and have already solved it, and wanted to get the info out. If a "<a ...>" link has the pathname split across lines, the link no longer displays correctly. Oddly, if you ri
-
H:commandLink avoiding auto submit
I have onclick defined on <h:commandLink> the onclick handler is being called but the form is automatically getting submitted how to avoid this behavior ? I don't want the form being submitted.