Tacacs authentication request attributes
Hi ALL,
the authentication on a Router 2911 is done via tacacs (ACS 5.1). In the dashboard (or in the reports) of ACS the IP address of the "calling station" (client used for authentication activity) is not reported. If I use RADIUS I could configure the router to send attributes (such as the number 31 = calling-station-id). How can I solve with tacacs protocol instead?
Thanks in advance,
Davide
I've found this:
CSCth31525
Live authentication report does not show TACACS+ data.
Symptom: The TACACS+ live authentication report is missing data on some columns, including NAS and IP address.
Conditions: This problem occurs only on ACS 5.1.
Workaround: Use one of the other available reports to view this data.
at http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.2/release/notes/acs_52_rn.html
Unfortunately it's a bug of this specific version...
Davide
Similar Messages
-
Cisco ISE throws "11036 The Message-Authenticator RADIUS attribute is invalid "
Hello,
I am trying to authenticate my server(running an NMS) with an Cisco ISE with EAP-TLS protocol.
I am seeing "11036 The Message-Authenticator RADIUS attribute is invalid " in the ISE when the ACCESS-REQUEST is sent from NMSServer to ISE. The RADIUS shared secret key is same in both the NMS server and the ISE server .
Is the some java samples for Message authenticator attribute which I can refer. I think, I am missing something in Message authenticator attribute.
Any pointers or suggestions to overcome this ?To login to Prime GUI, the authentication will be done by ISE.
The flow goes like this, Admins will login to Prime GUI with default username/pwd and add the RADIUS/ISE details to it which will be used by prime for authentication/authorization.
Once its done, any other user who tries to login to Prime GUI with their own credentials will be validated against the Identity details in ISE. So even to login to Prime GUI, authentication should be successful in ISE. -
Tacacs+ authentication/authorization based on user's subnet
Hi Guys/Girls
We have number of production cisco gears, all of which are configured with Tacacs+ and all of them working just fine. But now I have a requirement to implement SSH-ver2 across whole network, comprise of about 8000 cisco gears.
I need to develop a proof of concept (POC), that enabling SSH on production gears will not affect existing Tacacs+ users authentication and authorization.
In our lab cisco gears, it has been already configured with production Tacacs+ server for authentication and authorization. Now I am allowed to test SSH on these lab-gears but I without disrupting others users who are using the same lab-gears.
So, I want to enable SSH version 2 on these lab-gears however, when user coming from a certain specific subnet, this particular user must be authenticated and authorized by LAB Tacacs+ but not from production Tacacs+, however please note that lab-gears I am testing with also already configured for production Tacacs+ server as well. These lab-gears must be able to do authentication and authorization to two different Tacacs+ server based on users subnet that he or she coming from.
Is this doable plan? I have been looking for a documentation to implement test this method, not being successful.
Your feedback will be appreciated and rated.
Thanks
Rizwan RafeekRiswan,
This will not work, tacacs authentication starts once the ssh connection is established, the NAD (switch or router) will open a tacacs connection and send the start flag to the tacacs server in which the message "getusername" is sent from the tacacs server to the device and to the user terminal. You can not create an acl in order to pick which tacacs servers you can authenticate to either. So when it comes to authenticating users from a specific subnet to a specific tacacs server that is not the intended design of tacacs, when you configure multiple servers in a group it is to insure high availability such that when one tacacs server goes down you have a secondary to continue with the authenticaiton requests.
Here is an example of how the tacacs authentication is performed.
http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080094e99.shtml#comp_traffic
thanks and I hope that helps,
Tarik Admani
*Please rate helpful posts* -
TACACS+ Authentication For Cisco NAM
Hi All,
I have an cisco ACS v5.1 and also a cisco NAM. Currently, I have configured TACACS+ on the NAM and the ACS v5.1 however when I try to access the NAM, the ACS v5.1 has an error message of "TACACS+ authentication ended with error" and I am not able to access the equipment.
For your information, I have no problem with others equipment TACACS+ authentication with the same ACS.
Please advise.
Thks and RgdsSteven
I would first suggest that you verify that your ACS has an appropriate and correct entry configured for the NAM as a client. Assuming that is correct then I would suggest that you check and verify that the NAM is originating its TACACS requests from the address that you configured for the client on the ACS and that the shared secret is the same on both devices.
If those are correct then I would suggest to look in the Failed Attempts report of ACS and see if it provides a better identification of the problem.
HTH
Rick -
[Cisco ACS] 11036 The Message-Authenticator RADIUS attribute is invalid
Hi,
I got many Cisco AP which are linked to 2 Cisco WLC.
On each WLC, I configured a primary and a secondary RADIUS Server.
RADIUS servers are Cisco ACS 5.2.0.26 (patch 10)
Primary and secondary ACS configurations are synchronized.
There are no problem between primary WLC and Cisco ACS (primary and secondary).
When secondary WLC requests primary Cisco ACS, I get this error "11036 The Message-Authenticator RADIUS attribute is invalid"
Secondary WLC automatically contacts secondary Cisco ACS and it works fine.
Cisco ACS description for this error: "This maybe because of mismatched Shared Secrets."
The two Cisco ACS are synchronized so I should have same error on them...
Why does primary ACS generate this error?
Thanks for your help,
PatrickTarik Admani wrote:Amjad,That is a good observation, shouldnt 7.3 (which recently released) help put these types of issues to rest? I hear that the configuration can now be replicated from one controller to the next in a failover setup.Thanks,Tarik Admani
*Please rate helpful posts*
Yes. That is a good point.
With 7.3 you can use high availability (HA) between two WLCs and you can configure only one WLC (the primary) and all the configuraiotn can be replicated and synched to the other WLC (the secondary).
The two WLCs in the HA must be on same subnet though. Otherwise hot-standby HA between WLCs can't be used.
Rating useful replies is more useful than saying "Thank you" -
Request attribute vs parameter
Hi all,
I am getting confused of request attribute and request parameter. What i understand is that a parameter is a piece of info that send with the request. Such that infomation (parameter) come from a form component (text field, radiobuttion,selection...). By using servlet.getParameter("my text filed") i can retrieve what user enter into the form.
In the similar maner, if from one servlet, i use request.setAttribute("a message","content of a message") i can also retrive the content of the message from another servlet using getAttribute.
In short, parameter is for form-servlet communication and attribute is for servlet-servlet communication, am i correct? Can I change the parameter of the request from a servlet?
Is there any other different between these 2?
Thai
Message was edited by:
lnthai2002I still dont get it. You said
HttpServletRequest doesnt have get/setAttribute(arg0, arg1) method.
But it does. http://java.sun.com/javaee/5/docs/api/
Again, my concern is whether i can exchange value of parameter and attribute. Assuming the following scenario:
a user want to access a protected servlet /financial. This servlet notice that the user has not been login yet. Thus, it record the url of the request as a attribute:
//inside /financial servlet
if((req.getSession(false).getAttribute("curUser")) == null)
dest="/WEB-INF/docs/authentication/login.jsp";
req.setAttribute("oriUrl",req.getRequestURL());
} then it forward the request to login.jsp. After user input his infomation, the login.jsp send a NEW request with the user's credential to the /authentication servlet. Now, as you can see, when the authentication servlet receive the request, it doesnt know that the user was trying to access the /financial servlet before because the oriUrl attribute is lost. What i getting at here is how I can retain the oriUrl attribute over requests? I need to capure that attribute and associate it with a new request as a parameter. But HOW?
Hope you can help
Message was edited by:
lnthai2002 -
Problem setting 7606 router for TACACS+ authentication
Hello Support Community,
I have two Cisco 7606 routers which I have tried in vain to have users authenticated using TACACS+ servers. As shown below, I have two servers (1.1.1.1 and 2.2.2.2) reachable via vrf OAM which is reachable from desktops for ssh login. The true IP addresses and vrf have been altered because it's a company router.
I use the two servers to authenticate many other Cisco devices in the network they are working fine.
I can reach the servers from the vrf and the source interface in use. I can also telnet port 49 if the servers from the source interface and the vrf.
The server key is hidden but at the time of configuration, I can ascertain that it's correct.
The problem is that after confuring for TACACS authentication, the router still uses the enable password instead of TACACS. While the debug output shows 'bad password', why is the router not authenticating using TACACS? Why is it using the enable password?
Please study the outputs below and help point out what I may need to change.
PS: I have tried out many other combinations, including deprecated ones without success including the method suggested in this page;
http://www.cisco.com/en/US/docs/ios/sec_user_services/configuration/guide/sec_vrf_tacas_svrs.html
Please help I'm stuck.
ROUTER#sh running-config | sec aaa
aaa new-model
aaa group server tacacs+ admin
server name admin
server name admin1
ip vrf forwarding OAM
ip tacacs source-interface GigabitEthernet1
aaa authentication login admin group tacacs+ local enable
aaa session-id common
ROUTER#sh running-config | sec tacacs
aaa group server tacacs+ admin
server name admin
server name admin1
ip vrf forwarding OAM
ip tacacs source-interface GigabitEthernet1
aaa authentication login admin group tacacs+ local enable
tacacs server admin
address ipv4 1.1.1.1
key 7 XXXXXXXXXXXXXXXXXXXX
tacacs server admin1
address ipv4 2.2.2.2
key 7 XXXXXXXXXXXXXXXXxxxx
line vty 0 4
login authentication admin
ROUTER#sh tacacs
Tacacs+ Server - public :
Server name: admin
Server address: 1.1.1.1
Server port: 49
Socket opens: 15
Socket closes: 15
Socket aborts: 0
Socket errors: 0
Socket Timeouts: 0
Failed Connect Attempts: 0
Total Packets Sent: 0
Total Packets Recv: 0
Tacacs+ Server - public :
Server name: admin1
Server address: 2.2.2.2
Server port: 49
Socket opens: 15
Socket closes: 15
Socket aborts: 0
Socket errors: 0
Socket Timeouts: 0
Failed Connect Attempts: 0
Total Packets Sent: 0
Total Packets Recv: 0
Oct 22 12:38:57.587: AAA/BIND(0000001A): Bind i/f
Oct 22 12:38:57.587: AAA/AUTHEN/LOGIN (0000001A): Pick method list 'admin'
Oct 22 12:38:57.587: AAA/AUTHEN/ENABLE(0000001A): Processing request action LOGIN
Oct 22 12:38:57.587: AAA/AUTHEN/ENABLE(0000001A): Done status GET_PASSWORD
Oct 22 12:39:02.327: AAA/AUTHEN/ENABLE(0000001A): Processing request action LOGIN
Oct 22 12:39:02.327: AAA/AUTHEN/ENABLE(0000001A): Done status FAIL - bad password
Oct 22 12:39:04.335: AAA/AUTHEN/LOGIN (0000001A): Pick method list 'admin'
Oct 22 12:39:04.335: AAA/AUTHEN/ENABLE(0000001A): Processing request action LOGIN
Oct 22 12:39:04.335: AAA/AUTHEN/ENABLE(0000001A): Done status GET_PASSWORD
Oct 22 12:39:08.675: AAA/AUTHEN/ENABLE(0000001A): Processing request action LOGIN
Oct 22 12:39:08.675: AAA/AUTHEN/ENABLE(0000001A): Done status FAIL - bad password
Oct 22 12:39:10.679: AAA/AUTHEN/LOGIN (0000001A): Pick method list 'admin'
Oct 22 12:39:10.683: AAA/AUTHEN/ENABLE(0000001A): Processing request action LOGIN
Oct 22 12:39:10.683: AAA/AUTHEN/ENABLE(0000001A): Done status GET_PASSWORD
Oct 22 12:39:14.907: AAA/AUTHEN/ENABLE(0000001A): Processing request action LOGIN
Oct 22 12:39:14.907: AAA/AUTHEN/ENABLE(0000001A): Done status FAIL - bad password
ROUTER#sh ver
Cisco IOS Software, c7600rsp72043_rp Software (c7600rsp72043_rp-ADVIPSERVICESK9-M), Version 15.1(3)S3, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2012 by Cisco Systems, Inc.
Compiled Fri 30-Mar-12 08:34 by prod_rel_team
ROM: System Bootstrap, Version 12.2(33r)SRE, RELEASE SOFTWARE (fc1)
BOOTLDR: Cisco IOS Software, c7600rsp72043_rp Software (c7600rsp72043_rp-ADVIPSERVICESK9-M), Version 15.1(3)S3, RELEASE SOFTWARE (fc1)
ROUTER uptime is 7 weeks, 5 days, 16 hours, 48 minutes
Uptime for this control processor is 7 weeks, 5 days, 16 hours, 49 minutes
System returned to ROM by reload (SP by reload)
System restarted at 20:00:59 UTC Wed Aug 28 2013
System image file is "sup-bootdisk:c7600rsp72043-advipservicesk9-mz.151-3.S3.bin"
Last reload type: Normal Reload
Last reload reason: power-on
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
[email protected].
Cisco CISCO7606-S (M8500) processor (revision 1.1) with 3670016K/262144K bytes of memory.
Processor board ID FOX1623G61B
BASEBOARD: RSP720
CPU: MPC8548_E, Version: 2.1, (0x80390021)
CORE: E500, Version: 2.2, (0x80210022)
CPU:1200MHz, CCB:400MHz, DDR:200MHz,
L1: D-cache 32 kB enabled
I-cache 32 kB enabled
Last reset from power-on
3 Virtual Ethernet interfaces
76 Gigabit Ethernet interfaces
8 Ten Gigabit Ethernet interfaces
3964K bytes of non-volatile configuration memory.
500472K bytes of Internal ATA PCMCIA card (Sector size 512 bytes).
Configuration register is 0x2102In order to resolve this issue. Please replace the below listed command
aaa authentication login admin group tacacs+ local enable
with;
aaa authentication login default group admin local enable
You defined the server group name as method list and instead of using admin as a server-group, you used tacacs+
Note: Please ensure you have local user and enable password configured in case of tacacs server unreachable.
~BR
Jatin Katyal
**Do rate helpful posts** -
Javax.servlet.forward.request_uri request attribute
Hi,
I have declared a security-constraint on my web application, which redirects to a page with a form.
I want to know the initial request. It usually can be retrieved in the javax.servlet.forward.request_uri request attribute, so by doing
request.getAttribute("javax.servlet.forward.request_uri")
But this always returns me null.
If I test the same thing on Tomcat, it works fine.
This attribute come with Servlet 2.4, and Weblogic 11g is JEE 5 compliant (so Servlet 2.5). So it should work.
Is there a particularity for Weblogic ?
Regards>
This attribute come with Servlet 2.4, and Weblogic 11g is JEE 5 compliant (so Servlet 2.5). So it should work.
Is there a particularity for Weblogic ?This attribute does exist and has to be filled when a forward is done. However there's no strict requirement that the j_security_check is handled internally by a forward. If it's not, then that request attribute wouldn't come into play.
I've never used it, so caveat emptor, but there is a public class we have which does appear to have some methods that may be helpful to you.
http://download.oracle.com/docs/cd/E17904_01/apirefs.1111/e13941/weblogic/servlet/security/ServletAuthentication.html
ServletAuthentication allows both form-based authentication and programmatic authentication in servlets. It performs the authentication call through the Realm and sets the user information into the session.And the static getTargetURLFromFormAuthentication method:
http://download.oracle.com/docs/cd/E17904_01/apirefs.1111/e13941/weblogic/servlet/security/ServletAuthentication.html#getTargetURLForFormAuthentication(HttpSession)
-steve- -
Software to test RADIUS/TACACS authentication to ACS server
Hi experts,
Is anyone aware of a software that will test RADIUS and/or TACACS authentication to an ACS server from a PC? Same as what you can do on the Cisco VPN concentrator from the page Configuration | System | Servers | Authentication | Test Screen.
Thanks in advance!If you look in the ACS utils folder you'll see radtest and tactest.exe
These can be used to generate test packets. If you install ACS on another PC you can fire requests from that other PC too.
I think Vasco (token card vendor) had a really nice GUI based RADIUS client too.
Darran -
I am locked out of my Itunes. When I launch on the desktop I receive an authentication request from www.podshow.com that I cannot satisfy with password. Actually i don't ever remember giving them a password. When I cannot satisfy the password it locks up my screen. When I went to the website listed I could not satisfy the password to even get onto the site. I am pretty sure it is a feed, how can I delete it and get back into my itunes? I uninstalled and re-installed yesterday- same issue
Hi,
This forum is for general questions and feedback related to Outlook for Windows. Since your question is more related to Outlook for Mac, I'd recommend you post your question to the Outlook for Mac forum:
http://answers.microsoft.com/en-us/mac/forum/macoutlook?tab=Threads
The reason why we recommend posting appropriately is you will get the most qualified pool of respondents, and other partners who read the forums regularly can either share their knowledge or learn from your interaction with us. Thank you for your understanding.
Steve Fan
TechNet Community Support
It's recommended to download and install
Configuration Analyzer Tool (OffCAT), which is developed by Microsoft Support teams. Once the tool is installed, you can run it at any time to scan for hundreds of known issues in Office
programs.
Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact
[email protected] -
Tacacs authentication fails for one user account for only one switch
Hi,
I am having an scenario, where as Tacacs authentication fails for one user account for only one switch.
The same user account works well for other devices.
The AAA configs are same on every devices in the network.
Heres the show tacacs output from the switch where only one user account fails;
Socket opens: 157
Socket closes: 156
Socket aborts: 303
Socket errors: 1
Socket Timeouts: 2
Failed Connect Attempts: 0
Total Packets Sent: 1703
Total Packets Recv: 1243
Expected Replies: 0
What could be the reason ?
No errors on ACS server; same rights had been given to the user account.
Thanks to advise.
PraseyHi there,
Does the user get authenticated in the ACS logs?
reports and activity----> failed attempts
ro
reports and activity-----> passed authentications
That will help narrow it down.
Brad -
HI
we have a sharepoint farm and in domain controller server, this error is in event viewer
Log Name: System
Source: Microsoft-Windows-Kerberos-Key-Distribution-Center
Date: 9/15/2014 10:44:15 PM
Event ID: 11
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: XXXAPP01.xxxportal.com
Description:
The KDC encountered duplicate names while processing a Kerberos authentication request. The duplicate name is HTTP/XXXWFE01.xxxportal.com (of type DS_SERVICE_PRINCIPAL_NAME). This may result in authentication failures or downgrades to NTLM. In order to prevent
this from occuring remove the duplicate entries for HTTP/XXXWFE01.xxxportal.com in Active Directory.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Kerberos-Key-Distribution-Center" Guid="{3FD9DA1A-5A54-46C5-9A26-9BD7C0685056}" EventSourceName="KDC" />
<EventID Qualifiers="49152">11</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2014-09-15T19:44:15.000000000Z" />
<EventRecordID>131824</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>System</Channel>
<Computer>XXXAPP01.xxxportal.com</Computer>
<Security />
</System>
<EventData>
<Data Name="Name">HTTP/XXXWFE01.xxxportal.com</Data>
<Data Name="Type">DS_SERVICE_PRINCIPAL_NAME</Data>
<Binary>
</Binary>
</EventData>
</Event>
adilHi adil,
Service principal names (SPNs) are stored as a property of the associated account object in Active Directory
Domain Services (AD DS). I noticed that you have used setpn –X to identify the duplicate SPN. Please refer to following articles and check if help you to solve this issue.
Event ID 11 — Service Principal
Name Configuration
Event ID 11 in the System log of domain controllers
Please also refer to following article and check if can help you.
The problem with duplicate SPNs
Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft
does not guarantee the accuracy of this information.
If any update, please feel free to let me know.
Hope this helps.
Best regards,
Justin Gu -
'Requested attribute is invalid' error
I'm attempting to programmatically get (and ultimately set) camera attributes with CVI. I can get some attribute values, such as ROI_WIDTH using the imgGetAttribute function, but not all, and not the ones that I really need to access, which are 'Exposure Time' and 'Gain Value'. I can see and set these exposure time and gain value camera attributes in MAX. However, when I attempt to use the imgGetCameraAttributeString function in IMAQ to get these attributes, I get the error 'The requested attribute in invalid'. My camera is the Basler acA2040-180km. In all other respects - snapping, grabbing, etc. the camera interface works fine.
I cannot see what I am doing wrong or what piece I am missing, but it is obviously something. I took the NI example 'Analog attributes' as a starting point but that yields the same errors. How can MAX manipulate these camera attributes but I cannot in CVI? Is there some setup piece that is missing?
I'm kinda new to this environment, but would much appreciate any help anyone has.
Thanks in advance,
Wayne Showalter
Solved!
Go to Solution.Hi Wayne,
IMAQ differerentiates in behavior and API with respect to 'IMAQ attributes' (defined by the IMAQ driver) and 'Camera Attributes' (defined by the camera file). All the ones with fixed constants (like ROI_WIDTH) are IMAQ attributes while the ones that specifically set something in the camera are camera attributes. You'll need to use the Get/SetCameraAttribute API for those. There are different functions for String vs Numeric attributes. I suspect if you call it with imgSetCameraAttributeNumeric() it will work.
Eric -
Set request attributes from the request attributes
Using struts chaining actions.
When using chaining the requestAttributes are lost.
Is there a way to get all the request attributes and set them back to the request again?
if so how to do this?
Thanks.Looks like nobody knows :(
It seems odd that nobody's tried to get InputSelectLOV or DataHandler working with a Struts app...
... anyway, on to finding out why the thing's throwing my releasemode away. This really is very like swimming through treacle :( -
Is there a way we can pass data from one form bean to the other using request attributes insted of session attributes?
I am able to work with session attributes using
HttpSession mySession = (HttpSession) FacesContext.getCurrentInstance().getExternalContext().getSession(true); and setting attributes to it, but getting null pointers(occassionally) when I retrieve the atribute and work with it.
getSession(false) isnt helping either.
Looks like facesServlet is creating a new request when it forwards to next page. Any idea on how to get the Faces Servlet do something like request despatcher forward, for navigation so I can work with request attributes?
Appreciate your input.Can I have just one backing bean and use it for all jsps in the app? App has 4 flows from home page and mutiple jsps in each flow. Each jsp has multiple form fields. Is that OK?
Any way to passing data/objects between different backing beans - other than using session attributes? I had similar problems working on Struts app as well.
Maybe you are looking for
-
Copying of Batch Number and Characteristics not copying in GI
Dear SAP Gurus, I have created a Stock transport order (STO). Against that STO I have created the delivery. In the delivery I enter the Batch Number/Characteristics(MM). When I do the Goods Issue against that delivery the Batch number is not being co
-
How to use a subscribed IMAP folder list in Mail?
Macbook, 10.8.2 (upgraded from 10.6.8.), WU-IMAPd, Unix host. Multiple IMAP clients from OSX and other devices, but this is a query about the Macbook. I used mail filtering tools (e.g. procmail for inbound stuff) to auto-magically file much stuff in
-
The possible scratches on the mount
Please, may anybody help me? I was going to buy a canon rebel t3i in a shop but found these scratches on the mount. Is it the serious problem? Does it mean that the camera was used by somebody or it is normal?
-
Please help, thank you in advance!!!
I downloaded some Podcast files then I changed their genre as Podcast... now those files disappear under my iPod main menu "Podcast" unless when I go to Music -> Genre -> Podcast, so how can I change them back as Podcast files not Music files. If any
-
I have installed SQL on a Small Business Server 2003 running as a virtual server. When I try to install CRM 3.0 I get the error message: "[DBNETLIB][ConnectionOpen (Invalid Instance()).]Invalid connection" One of the suggested reasons is that "Micros