VWLC + ISE 1.2 = Randomly won't authenticate users until reboot?
Hello all!
I have an issue where authentications (dot1x) from the vWLC to ISE 1.2 will start to fail after a certain amount of up time. The certain amount I'm not sure about, because it just started to happen. ISE will either complain about the client having an issue with TLS or ISE will show a successful authentication.
The vWLC shows the client associated, but never authenticates the client (in the case of ISE showing successful authentication).
vWLC on version 7.6.110.0.
ISE on version 1.2.0.899.
Anyone else having or had this issue? I have a TAC case open, but they want me to do a webex with them when the issue is happening, and it's hard to leave it broken while users are complaining.
Thanks!
Are you sure the number of clients associating to your network is less than the maximum clients supported by this vWLC? Can you post the details of failed authentications of clients from Live authentications (go to ISE > operations > Authentications > details)?
Similar Messages
-
MacBook won't recognize firewire until reboot (no plug n play)
MacBook stopped recognize my "Mackie Onyx Satellite" FireWire-Audio-Interface until I reboot. Log Out doesn't help, only reboot works.
Does anyone have any ideas, how to make it plug-n-play(able) again?
VLK, can you check which firewire chipset your macbook has. reboot with apple key + S I suppose. it should be either Lucent/Agere (the troublesome one) or TI (the good one).
if it is Agere then maybe this will help you:
http://www.rme-audio.de/forum/viewtopic.php?id=974
supposedly all the macbooks (pro and ordinary) have the Agere chipset now and that has given some trouble for firewire audio users. I am waiting for my white macbook to arrive on monday and to test it with RME fireface 400.
please report back, hope this helps -
HT6154 Iphone 5s randomly won't charge anymore and won't recover or go into DFU mode
My Iphone 5s randomly won't charge anymore and won't recover or go into DFU mode. It died and it only shows the bolt symbol with the charger on the screen. When I plug in my charger the screen lights up but doesn't charge. I bought another charger to be safe and that didn't work either. My phone was working fine and this randomly happened.
Carefully clean iPhone charging port with clean dry toothbrush. If still problem, iPhone 5S has Warranty, make Genius reservation or set up service and take or send iPhone to Apple for resolution.
-
Some Wireless clients won't authenticate to 887VA-W
Hi folks
I've swapped over a few months ago from an 877w router to an 887VAw which has a separate AP in-built, and there are a few wireless clients that had no problem authenticating to the 877w but just refuse to communicate to the 887VA-W.
The clients in question are set top box type devices : (1)Now TV and (2) Sky Wireless Adapter.
They have no problem seeing the SSID's being broadcast, and for troubleshooting I've setup an open test SSID without any encryption, but the clients still won't authenticate and grab an ip address, or more accurately they just don't get a dhcp ip address so I don't think authentication is really the issue. I don't know why these clients aren't happy with dhcp on the guest vlan (vlan2) where other clients get an ip address and work fine. Perhaps the fact I'm using vlan1 (being used for the Eap-Fast home wlan) as the native untagged vlan might have something to do with it? If I use a static ip address on the guest vlan (vlan 2 / ip 10.1.1.n ) then the Sky Wireless Adapter can send and receive packets across the wlan.
Can anybody please suggest some debugs or config changes to try and nail the problem? The relevant configs from the AP are pasted below, and the router below that.
Brgds, Tim
aaa new-model
aaa group server radius rad_eap
server name rs-local
aaa authentication login default local
aaa authentication login eap_methods group rad_eap
aaa authentication ppp default local
aaa authorization exec default local
dot11 ssid home
vlan 1
authentication open eap eap_methods
authentication network-eap eap_methods
authentication key-management wpa version 2
dot11 ssid guest
vlan 2
authentication open
authentication key-management wpa
mbssid guest-mode
wpa-psk ascii 7 abcdef123
dot11 ssid test
vlan 3
authentication open
mbssid guest-mode
interface Dot11Radio0
no ip address
no ip route-cache
encryption vlan 1 mode ciphers aes-ccm
encryption vlan 2 mode ciphers aes-ccm
broadcast-key vlan 1 change 30
broadcast-key vlan 2 change 43200
ssid home
ssid guest
ssid test
antenna gain 0
mbssid
speed basic-1.0 basic-2.0 basic-5.5 basic-11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
packet retries 64 drop-packet
no preamble-short
station-role root
interface Dot11Radio0.1
encapsulation dot1Q 1 native
no ip route-cache
no cdp enable
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
interface Dot11Radio0.2
encapsulation dot1Q 2
no ip route-cache
no cdp enable
bridge-group 2
bridge-group 2 subscriber-loop-control
bridge-group 2 spanning-disabled
bridge-group 2 block-unknown-source
no bridge-group 2 source-learning
no bridge-group 2 unicast-flooding
interface Dot11Radio0.3
encapsulation dot1Q 3
no ip route-cache
no cdp enable
bridge-group 3
bridge-group 3 subscriber-loop-control
bridge-group 3 spanning-disabled
bridge-group 3 block-unknown-source
no bridge-group 3 source-learning
no bridge-group 3 unicast-flooding
interface GigabitEthernet0
description the embedded AP GigabitEthernet 0 is an internal interface connecting AP with the host router
no ip address
no ip route-cache
interface GigabitEthernet0.1
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 1
bridge-group 1 spanning-disabled
no bridge-group 1 source-learning
interface GigabitEthernet0.2
encapsulation dot1Q 2
no ip route-cache
bridge-group 2
bridge-group 2 spanning-disabled
no bridge-group 2 source-learning
interface GigabitEthernet0.3
encapsulation dot1Q 3
no ip route-cache
bridge-group 3
bridge-group 3 spanning-disabled
no bridge-group 3 source-learning
interface BVI1
ip address 172.27.44.2 255.255.255.0
no ip route-cache
ip default-gateway 172.27.44.1
****Router Config****
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
switchport mode trunk
no ip address
interface wlan-ap0
description Service module interface to manage the embedded AP
ip unnumbered BVI1
Hi Sebastian
Please see ip dhcp debug from 887VA-W showing the Sky client requesting an ip address but failing to get one. Also a debug from an 877-W showing successful dhcp assignment. Also the dhcp config as requested. The successful trace shows 2 mac addresses from the Sky wireless adapter / Sky box each getting a dhcp address. I don't know whether the failure is a bug in the 887 dhcp code or some config in the embedded AP that needs tweaking.
Bregs, Tim
The Sky wired adapter (I think it's the mac of the sky box lan port) mac is 00:19:FB:A4:B2:1A
The Sky wireless mac is 18:28:61:99:7B:A8
887VA-W Debug - Failure:
887#term mon
887#sh deb
DHCP server packet debugging is on.
887#
887#
000141: Dec 16 07:03:02.082 London: DHCPD: ARP entry exists (10.1.1.10, e0c9.7ad6.24ee).
000142: Dec 16 07:03:02.082 London: DHCPD: unicasting BOOTREPLY to client e0c9.7ad6.24ee (10.1.1.10).
Denham_887#
000143: Dec 16 07:05:25.536 London: DHCPD: client's VPN is .
000144: Dec 16 07:05:25.536 London: DHCPD: No option 125
000145: Dec 16 07:05:25.536 London: DHCPD: DHCPDISCOVER received from client 0019.fba4.b21a on interface BVI1.
000146: Dec 16 07:05:25.536 London: DHCPD: Allocate an address without class information (10.1.1.0)
000147: Dec 16 07:05:25.536 London: DHCPD: Saving workspace (ID=0x4000009)
Denham_887#
000148: Dec 16 07:05:27.536 London: DHCPD: Reprocessing saved workspace (ID=0x4000009)
000149: Dec 16 07:05:27.536 London: DHCPD: DHCPDISCOVER received from client 0019.fba4.b21a on interface BVI1.
000150: Dec 16 07:05:27.536 London: DHCPD: Sending DHCPOFFER to client 0019.fba4.b21a (10.1.1.12).DHCPD: Setting only requested parameters
000151: Dec 16 07:05:27.536 London: DHCPD: no option 125
000152: Dec 16 07:05:27.536 London: DHCPD: broadcasting BOOTREPLY to client 0019.fba4.b21a.
Denham_887#
000153: Dec 16 07:05:32.468 London: DHCPD: New packet workspace 0x123EC554 (ID=0xC700000A)
000154: Dec 16 07:05:32.468 London: DHCPD: client's VPN is .
000155: Dec 16 07:05:32.468 London: DHCPD: No option 125
000156: Dec 16 07:05:32.468 London: DHCPD: DHCPDISCOVER received from client 0118.2861.997b.a8 on interface BVI1.
000157: Dec 16 07:05:32.468 London: DHCPD: Allocate an address without class information (10.1.1.0)
000158: Dec 16 07:05:32.472 London: DHCPD: Saving workspace (ID=0xC700000A)
Denham_887#
000159: Dec 16 07:05:34.080 London: DHCPD: New packet workspace 0x1240A47C (ID=0x5500000B)
000160: Dec 16 07:05:34.080 London: DHCPD: client's VPN is .
000161: Dec 16 07:05:34.080 London: DHCPD: No option 125
000162: Dec 16 07:05:34.080 London: DHCPD: DHCPDISCOVER received from client 0019.fba4.b21a on interface BVI1.
000163: Dec 16 07:05:34.080 London: DHCPD: Sending DHCPOFFER to client 0019.fba4.b21a (10.1.1.12).DHCPD: Setting only requested parameters
000164: Dec 16 07:05:34.080 London: DHCPD: no option 125
000165: Dec 16 07:05:34.080 London: DHCPD: broadcasting BOOTREPLY to client 0019.fba4.b21a.
Denham_887#
000166: Dec 16 07:05:34.468 London: DHCPD: Reprocessing saved workspace (ID=0xC700000A)
000167: Dec 16 07:05:34.468 London: DHCPD: DHCPDISCOVER received from client 0118.2861.997b.a8 on interface BVI1.
000168: Dec 16 07:05:34.468 London: DHCPD: Sending DHCPOFFER to client 0118.2861.997b.a8 (10.1.1.13).DHCPD: Setting only requested parameters
000169: Dec 16 07:05:34.468 London: DHCPD: no option 125
000170: Dec 16 07:05:34.468 London: DHCPD: broadcasting BOOTREPLY to client 1828.6199.7ba8.
Denham_887#
000171: Dec 16 07:05:35.476 London: DHCPD: client's VPN is .
000172: Dec 16 07:05:35.476 London: DHCPD: No option 125
000173: Dec 16 07:05:35.476 London: DHCPD: DHCPDISCOVER received from client 0118.2861.997b.a8 on interface BVI1.
000174: Dec 16 07:05:35.476 London: DHCPD: Sending DHCPOFFER to client 0118.2861.997b.a8 (10.1.1.13).DHCPD: Setting only requested parameters
000175: Dec 16 07:05:35.476 London: DHCPD: no option 125
000176: Dec 16 07:05:35.476 London: DHCPD: broadcasting BOOTREPLY to client 1828.6199.7ba8.
Denham_887#
000177: Dec 16 07:05:37.520 London: DHCPD: client's VPN is .
000178: Dec 16 07:05:37.520 London: DHCPD: No option 125
000179: Dec 16 07:05:37.520 London: DHCPD: DHCPDISCOVER received from client 0118.2861.997b.a8 on interface BVI1.
000180: Dec 16 07:05:37.520 London: DHCPD: Sending DHCPOFFER to client 0118.2861.997b.a8 (10.1.1.13).DHCPD: Setting only requested parameters
000181: Dec 16 07:05:37.524 London: DHCPD: no option 125
000182: Dec 16 07:05:37.524 London: DHCPD: broadcasting BOOTREPLY to client 1828.6199.7ba8.
Denham_887#
000183: Dec 16 07:05:40.532 London: DHCPD: client's VPN is .
000184: Dec 16 07:05:40.532 London: DHCPD: No option 125
000185: Dec 16 07:05:40.532 London: DHCPD: DHCPDISCOVER received from client 0118.2861.997b.a8 on interface BVI1.
000186: Dec 16 07:05:40.532 London: DHCPD: Sending DHCPOFFER to client 0118.2861.997b.a8 (10.1.1.13).DHCPD: Setting only requested parameters
000187: Dec 16 07:05:40.532 London: DHCPD: no option 125
000188: Dec 16 07:05:40.532 London: DHCPD: broadcasting BOOTREPLY to client 1828.6199.7ba8.
Denham_887#
000189: Dec 16 07:05:43.540 London: DHCPD: client's VPN is .
000190: Dec 16 07:05:43.540 London: DHCPD: No option 125
000191: Dec 16 07:05:43.540 London: DHCPD: DHCPDISCOVER received from client 0118.2861.997b.a8 on interface BVI1.
000192: Dec 16 07:05:43.540 London: DHCPD: Sending DHCPOFFER to client 0118.2861.997b.a8 (10.1.1.13).DHCPD: Setting only requested parameters
000193: Dec 16 07:05:43.540 London: DHCPD: no option 125
000194: Dec 16 07:05:43.540 London: DHCPD: broadcasting BOOTREPLY to client 1828.6199.7ba8.
Denham_887#
000195: Dec 16 07:05:48.884 London: DHCPD: client's VPN is .
000196: Dec 16 07:05:48.884 London: DHCPD: No option 125
000197: Dec 16 07:05:48.884 London: DHCPD: DHCPDISCOVER received from client 0019.fba4.b21a on interface BVI1.
000198: Dec 16 07:05:48.884 London: DHCPD: Sending DHCPOFFER to client 0019.fba4.b21a (10.1.1.12).DHCPD: Setting only requested parameters
000199: Dec 16 07:05:48.884 London: DHCPD: no option 125
000200: Dec 16 07:05:48.884 London: DHCPD: broadcasting BOOTREPLY to client 0019.fba4.b21a.
887VA-W dhcp config:
887#sh run | section dhcp
no ip dhcp use vrf connected
ip dhcp binding cleanup interval 10
no ip dhcp conflict logging
ip dhcp pool home
network 172.27.44.0 255.255.255.0
dns-server 208.67.222.222 208.67.220.220
default-router 172.27.44.1
ip dhcp pool test
import all
network 11.1.1.0 255.255.255.0
default-router 11.1.1.1
dns-server 208.67.222.222 208.67.220.220
ip dhcp pool guest
import all
network 10.1.1.0 255.255.255.0
default-router 10.1.1.1
dns-server 208.67.222.222 208.67.220.220
877-W Debug - Success:
877#deb ip dhcp se
877#deb ip dhcp server pa
DHCP server packet debugging is on.
877#deb ip dhcp server ev
DHCP server event debugging is on.
877#
000258: *Jun 23 22:20:07.087 BST: DHCPD: checking for expired leases.
000259: *Jun 23 22:20:14.684 BST: %DOT11-6-ASSOC: Interface Dot11Radio0, Station 1828.6199.7ba9 Associated SSID[guest] AUTH_TYPE[OPEN] KEY_MGMT[WPAv2 PSK]
000260: *Jun 23 22:20:16.289 BST: DHCPD: Sending notification of DISCOVER:
000261: *Jun 23 22:20:16.289 BST: DHCPD: htype 1 chaddr 1828.6199.7ba8
000262: *Jun 23 22:20:16.289 BST: DHCPD: remote id 020a00000a010101f2000000
000263: *Jun 23 22:20:16.289 BST: DHCPD: circuit id 00000000
000264: *Jun 23 22:20:16.289 BST: DHCPD: DHCPDISCOVER received from client 0118.2861.997b.a8 on interface BVI2.
000265: *Jun 23 22:20:16.289 BST: DHCPD: Seeing if there is an internally specified pool class:
000266
*Jun 23 22:20:16.289 BST: DHCPD: htype 1 chaddr 1828.6199.7ba8
000267: *Jun 23 22:20:16.289 BST: DHCPD: remote id 020a00000a010101f2000000
000268: *Jun 23 22:20:16.289 BST: DHCPD: circuit id 00000000
000269: *Jun 23 22:20:16.289 BST: DHCPD: Sending DHCPOFFER to client 0118.2861.997b.a8 (10.1.1.9).
000270: *Jun 23 22:20:16.289 BST: DHCPD: broadcasting BOOTREPLY to client 1828.6199.7ba8.
000271: *Jun 23 22:20:16.493 BST: DHCPD: DHCPREQUEST received from client 0118.2861.997b.a8.
000272: *Jun 23 22:20:16.493 BST: DHCPD: Sending notification of ASSIGNMENT:
000273: *Jun 23 22:20:16.493 BST: DHCPD: address 10.1.1.9 mask 255.255.255.0
000274: *Jun 23 22:20:16.493 BST: DHCPD: htype 1 chaddr 1828.6199.7ba8
000275: *Jun 23 22:20:16.493 BST: DHCPD: lease time remaining (secs) = 86400
000276: *Jun 23 22:20:16.493 BST: DHCPD: Appending system default domain
000278: *Jun 23 22:20:16.493 BST: DHCPD: Sending DHCPACK to client 0118.2861.997b.a8 (10.1.1.9).
000279: *Jun 23 22:20:16.493 BST: DHCPD: broadcasting BOOTREPLY to client 1828.6199.7ba8.
000280: *Jun 23 22:20:17.089 BST: DHCPD: checking for expired leases.
000281: *Jun 23 22:20:18.097 BST: %SYS-5-CONFIG_I: Configured from console by vty0
Denham#
000282: *Jun 23 22:20:21.314 BST: DHCPD: Sending notification of DISCOVER:
000283: *Jun 23 22:20:21.314 BST: DHCPD: htype 1 chaddr 0019.fba4.b21a
000284: *Jun 23 22:20:21.314 BST: DHCPD: remote id 020a00000a010101f2000000
000285: *Jun 23 22:20:21.314 BST: DHCPD: circuit id 00000000
000286: *Jun 23 22:20:21.314 BST: DHCPD: DHCPDISCOVER received from client 0019.fba4.b21a on interface BVI2.
000287: *Jun 23 22:20:21.314 BST: DHCPD: Seeing if there is an internally specified pool class:
000288: *
Jun 23 22:20:21.314 BST: DHCPD: htype 1 chaddr 0019.fba4.b21a
000289: *Jun 23 22:20:21.314 BST: DHCPD: remote id 020a00000a010101f2000000
000290: *Jun 23 22:20:21.314 BST: DHCPD: circuit id 00000000
000291: *Jun 23 22:20:21.314 BST: DHCPD: Sending DHCPOFFER to client 0019.fba4.b21a (10.1.1.8).
000292: *Jun 23 22:20:21.314 BST: DHCPD: broadcasting BOOTREPLY to client 0019.fba4.b21a.
000293: *Jun 23 22:20:21.406 BST: DHCPD: DHCPREQUEST received from client 0019.fba4.b21a.
000294: *Jun 23 22:20:21
406 BST: DHCPD: Sending notification of ASSIGNMENT:
000295: *Jun 23 22:20:21.406 BST: DHCPD: address 10.1.1.8 mask 255.255.255.0
000296: *Jun 23 22:20:21.406 BST: DHCPD: htype 1 chaddr 0019.fba4.b21a
000297: *Jun 23 22:20:21.406 BST: DHCPD: lease time remaining (secs) = 86400
000298: *Jun 23 22:20:21.406 BST: DHCPD: Can't find any hostname to update
000299: *Jun 23 22:20:21.406 BST: DHCPD: Sending DHCPACK to client 0019.fba4.b21a (10.1.1.8).
000300: *Jun 23 22:20:21.406 BST: DHCPD: broadcasting
BOOTREPLY to client 0019.fba4.b21a.
000302: *Jun 23 22:20:33.049 BST: DHCPD: Sending notification of DISCOVER:
000303: *Jun 23 22:20:33.049 BST: DHCPD: htype 1 chaddr 1828.6199.7ba8
000304: *Jun 23 22:20:33.049 BST: DHCPD: remote id 020a00000a010101f2000000
000305: *Jun 23 22:20:33.049 BST: DHCPD: circuit id 00000000
000306: *Jun 23 22:20:33.049 BST: DHCPD: DHCPDISCOVER received from client 0118.2861.997b.a8 on interface BVI2.
000307: *Jun 23 22:20:33.049 BST: DHCPD: Seeing if there is an internally specified pool class:
000308
Denham#: *Jun 23 22:20:33.049 BST: DHCPD: htype 1 chaddr 1828.6199.7ba8
000309: *Jun 23 22:20:33.049 BST: DHCPD: remote id 020a00000a010101f2000000
000310: *Jun 23 22:20:33.049 BST: DHCPD: circuit id 00000000
000311: *Jun 23 22:20:33.049 BST: DHCPD: Sending DHCPOFFER to client 0118.2861.997b.a8 (10.1.1.9).
000312: *Jun 23 22:20:33.053 BST: DHCPD: broadcasting BOOTREPLY to client 1828.6199.7ba8.
000313: *Jun 23 22:20:33.081 BST: DHCPD: DHCPREQUEST received from client 0118.2861.997b.a8.
000314: *Jun 23
Denham# 22:20:33.081 BST: DHCPD: Sending notification of ASSIGNMENT:
000315: *Jun 23 22:20:33.081 BST: DHCPD: address 10.1.1.9 mask 255.255.255.0
000316: *Jun 23 22:20:33.081 BST: DHCPD: htype 1 chaddr 1828.6199.7ba8
000317: *Jun 23 22:20:33.081 BST: DHCPD: lease time remaining (secs) = 86400
000318: *Jun 23 22:20:33.081 BST: DHCPD: Appending system default domain
000319: *Jun 23 22:20:33.085 BST: DHCPD: Using hostname 'skywirelessconnector.indahouse.dyndns.org.' for dynamic update (from hostname opti
indahouse#uon)
000320: *Jun 23 22:20:33.085 BST: DHCPD: Sending DHCPACK to client 0118.2861.997b.a8 (10.1.1.9).
000321: *Jun 23 22:20:33.085 BST: DHCPD: broadcasting BOOTREPLY to client 1828.6199.7ba8. -
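The two traces above differ in one visible way: on the 887VA-W the server keeps answering DHCPDISCOVER with DHCPOFFER and no DHCPREQUEST ever arrives, while on the 877-W each offer is followed by DHCPREQUEST and DHCPACK. The following is an added example, not part of the original posts: a Python sketch that reads debug output in that format, folds the client-identifier form (hardware type 01 in front of the MAC) into the plain MAC, and lists clients stuck in the DISCOVER/OFFER loop. The sample lines and MAC addresses are constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the format of the "debug ip dhcp server packet" output
# quoted above; MAC addresses and leases are made up for this example.
SAMPLE_LOG = """\
000101: Dec 16 07:05:25.536 London: DHCPD: DHCPDISCOVER received from client 0200.0000.0001 on interface BVI1.
000102: Dec 16 07:05:25.540 London: DHCPD: Sending DHCPOFFER to client 0200.0000.0001 (10.1.1.20).
000103: Dec 16 07:05:25.700 London: DHCPD: DHCPREQUEST received from client 0200.0000.0001.
000104: Dec 16 07:05:25.704 London: DHCPD: Sending DHCPACK to client 0200.0000.0001 (10.1.1.20).
000105: Dec 16 07:05:32.468 London: DHCPD: DHCPDISCOVER received from client 0102.0000.0000.02 on interface BVI1.
000106: Dec 16 07:05:34.468 London: DHCPD: Sending DHCPOFFER to client 0102.0000.0000.02 (10.1.1.21).
000107: Dec 16 07:05:34.468 London: DHCPD: broadcasting BOOTREPLY to client 0200.0000.0002.
000108: Dec 16 07:05:35.476 London: DHCPD: DHCPDISCOVER received from client 0102.0000.0000.02 on interface BVI1.
000109: Dec 16 07:05:35.476 London: DHCPD: Sending DHCPOFFER to client 0102.0000.0000.02 (10.1.1.21).
000110: Dec 16 07:05:37.520 London: DHCPD: DHCPDISCOVER received from client 0102.0000.0000.02 on interface BVI1.
000111: Dec 16 07:05:37.520 London: DHCPD: Sending DHCPOFFER to client 0102.0000.0000.02 (10.1.1.21).
"""

# Matches the four handshake messages and captures the message type and client id.
EVENT = re.compile(
    r"DHCPD: (?:Sending )?DHCP(DISCOVER|OFFER|REQUEST|ACK)\b.*? client ([0-9a-fA-F.]+)"
)


def normalize_client(raw):
    """Return the client as xxxx.xxxx.xxxx.

    The debug output prints either the MAC (12 hex digits) or the DHCP
    client-identifier, which is the hardware type 01 followed by the MAC
    (14 hex digits). Both forms are reduced to the MAC.
    """
    digits = raw.replace(".", "").lower()
    if len(digits) == 14 and digits.startswith("01"):
        digits = digits[2:]
    return ".".join(digits[i:i + 4] for i in range(0, len(digits), 4))


def summarize(log_text):
    """Count DISCOVER/OFFER/REQUEST/ACK messages per client MAC."""
    per_client = defaultdict(Counter)
    for line in log_text.splitlines():
        match = EVENT.search(line)
        if match:
            per_client[normalize_client(match.group(2))][match.group(1)] += 1
    return per_client


def stalled_clients(log_text, min_offers=2):
    """Clients that were offered an address repeatedly but never sent a REQUEST."""
    return sorted(
        mac for mac, seen in summarize(log_text).items()
        if seen["OFFER"] >= min_offers and seen["REQUEST"] == 0
    )


if __name__ == "__main__":
    for mac, seen in sorted(summarize(SAMPLE_LOG).items()):
        print(mac, dict(seen))
    print("stalled:", stalled_clients(SAMPLE_LOG))
```

A client that appears in the stalled list is one for which the offers are either not reaching it or not being accepted, which narrows the search to the path between the DHCP server and the client rather than the address pool.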
Can you authenticate users from 2 different AAA-servers for one specific tunnel-group?
I need to authenticate users from two separate AD LDAP databases on the same tunnel-group. I would like them to use the same tunnel-group and thereby using the same group-alias. I tried creating a new aaa-server group and putting both LDAP servers into group but apparently the ASA does not roll through the separate servers in the aaa-server group and will stop if the first server states that the authentication failed.
I also tried assigning multiple aaa-server groups into the tunnel-group authentication-server-group but that also did not work. I finally tried to create a separate tunnel-group and assigning it the same group-alias but the ASA will not allow me to assign the same group-alias to different tunnel-group. What is the best way to accomplish this without having to create a new group-alias that will show up and possibly confuse the dumb users requiring this access? Please help.
If you don't want ANY drop down I believe you can do it in a kludgy sort of way.
Eliminate all the group aliases (which are used to populate the dropdown) and make a local database of the users for the sole purpose of assigning / restricting them to a non-default tunnel-group which authenticates to the secondary LDAP server.
You can also send out a non-published URL that points to a second tunnel-group not in the dropdown.
Of course, we can accomplish this if the AAA server is ISE. ISE 1.3 can authenticate users to multiple AD domains (with or without trust relationships) or a single domain with multiple join points in the Forest.
The ISE answer makes me wonder - could you establish trust between the domains and authenticate users that way? -
How to use CSACS 3.3 to authenticate users from multiple windows domain?
Can Cisco Secure ACS 3.3 be used to authenticate users from another Windows domain that is not a child nor a trusted domain???
hello, here is my scenario:
ACS 3.3 was installed on a member server on domain1. I need to authenticate and ultimately populate the users into ACS from another domain. The service already works perfect on just domain1, but now I need to authenticate users from another domain.
And adding those domains as trusted domains in domain1 is not an option.
Is Generic LDAP my only other option? Any config guides that you guys know with regard to doing this?
Any input is much appreciated.
Hi Betcy,
I am not familiar with sharepoint solutions, but as you mentioned about windows credentials I believe it refers to kerberos tokens. On this case you can take advantage of SPNego authentication.
You can find more details on following SAP note:
1488409 (https://service.sap.com/sap/support/notes/1488409) - New SPNego Implementation
I hope it helps.
Kind regards,
Lisandro Magnus -
I forgot the answers to my security questions and I wanna purchase an app but it won't let me until I answer them can someone help me ?
The Three Best Alternatives for Security Questions and Rescue Mail
If you do not have success with one, then try another:
1. Send Apple an email request at: Apple - Support - iTunes Store - Contact Us.
2. Call Apple Support in your country: Customer Service: Contact Apple support.
3. Rescue email address and how to reset Apple ID security questions.
A substitute for using the security questions is to use 2-step verification:
Two-step verification FAQ Get answers to frequently asked questions about two-step verification for Apple ID. -
OC4J Security fails to authenticate users on a 64 bit solarisx86 machine
Hi,
I am using a database login module to authenticate users. The login module I use is DBTableLoginModule. On 32 bit windows based machine, the module functions perfectly fine. When I deployed my project on a 64 bit solarisx86 machine, users are no longer able to login. On debugging the DBTableLoginModule, the authentication shows success and the commit method is returning true to the OC4J security. But OC4J is redirecting to error page and I have no clue as to why it is doing so. The problem is I am not able to debug OC4J security for I have no source code for that. My question is how can I turn on debugging for OC4J Security so I can watch out for any errors or anything that OC4J complains about so I can have better chances to overcome this problem?
Thanks
Sam
Hi,
sounds like a OC4J bug to me (or issue at least). You may want to check
OC4J
Frank -
After upgrading to Windows 2008 Server, our Mac OS X wiki server can't authenticate user password anymore. How can I re-bind the wiki server to the AD again? Thanks in advance.
Solved it by deleting the user and creating a new one with the same userID.
Maybe it occurred because I marked the "user has to change password after first login" box when resetting the password but didn't yet allow him to do so in the webpages menu?!?
Hi,
So I have been trying to write some code that will prompt users to authenticate to AD and use that authentication to map the next 2 available drive letters to two network shares.
I have adopted using the HTA format as this provides me with the ability to prompt for a username and password and authenticate to AD.
<script language="vbscript">
Function setSize()
window.resizeTo 350,300
Window.moveTo (screen.width-240)/2, (screen.height-600)/2
End Function
Function cmdSubmit_OnClick()
Dim strUser 'User Name variable
Dim strPW 'User Password variable
if auth.username.value = "" Then
msgbox ("ERROR: No User account information provided. Please Try Again!")
cmdSubmit_OnClick = False
Elseif auth.password.value = "" Then
msgbox ("ERROR: No User account information provided. Please Try Again!")
cmdSubmit_OnClick= False
Else
strUser = auth.username.value
strPW = auth.password.value
Authenticate strUser, strPW
End If
End Function
Public Sub Authenticate (Byref strUser, Byref strPW)
On Error Resume Next
Const ADS_SECURE_AUTHENTICATION = &H1
Const ADS_SERVER_BIND = &H200
Dim strPath 'LDAP path where the Users accounts are listed
Dim LDAP 'Directory Service Object reference variable
Dim strAuth 'Parses the User Name and Password through the DSObject
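strPath = "LDAP://fanzldap.au.fjanz.com/rootDSE"
' OpenDSObject is a method of the ADSI "LDAP:" namespace object, not of a rootDSE object
Set LDAP = GetObject("LDAP:")
' Bind to strPath with the supplied credentials; a failed bind sets Err.number
Set strAuth = LDAP.OpenDSObject(strPath, strUser, strPW, ADS_SECURE_AUTHENTICATION Or ADS_SERVER_BIND)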
If Err.number <> 0 Then
intTemp = msgbox(strUser & " could not be authenticated", vbYES)
if intTemp = vbYes Then
'window.location.reload()
End If
Else
For Each obj in strAuth
If obj.Class = "user" Then
If obj.Get("samAccountName") = strUser Then
msgbox ("Success! " & strUser & " has been authenticated with Active Directory")
window.close()
Set wShell = CreateObject("Wscript.shell")
wShell.run "Firstletterali.vbs"
End If
End If
Next
End If
End Sub
</script>
<head>
<body style="background-color:#B0C4DE">
<img src=Title.jpg><br>
<HTA:APPLICATION
APPLICATIONNAME="User Login"
BORDER="thin"
SCROLL="no"
SINGLEINSTANCE="yes"
WINDOWSTATE="normal">
<title>NAS Authentication</title>
<body onload="vbs:setSize()">
<div class="style2">
<h3>NAS Archive Authentication</h3>
</div>
<form method="post" id="auth" name="auth">
<span class="style3"><strong>User Name: </strong></span>
<input id="Username" name="Username" type="text" style="width: 150px" /><br>
<span class="style3">
<strong>Password: </strong></span>
<input id="password" name="password" type="password" style="width: 150px" /><br><br>
<input type="submit" value="Submit" name="cmdSubmit" />
<input type="button" value="Exit" onclick="self.close()">
</form>
</body>
</html>
Using the above I can successfully authenticate users but I can't work out how to then use that authentication to map the next two available drive letters to a network source.
The code I have for that is
Option Explicit
Dim strDriveLetter, strRemotePath, strRemotePath1, strDriveLetter1
Dim objNetwork, objShell
Dim CheckDrive, DriveExists, intDrive
Dim strAlpha, strExtract, intAlpha, intCount
' The section sets the variables
strRemotePath = "\\mel\groups\Team\general"
strRemotePath1 = "\\mel\groups\Team\specific"
strDriveLetter = "B:"
strDriveLetter1 = "H:"
strAlpha = "BHIJKLMNOPQRSTUVWXYZ"
intAlpha = 0
intCount = 0
err.number= vbEmpty
' This sections creates two objects:
' objShell and objNetwork and then counts the drives
Set objShell = CreateObject("WScript.Shell")
Set objNetwork = CreateObject("WScript.Network")
Set CheckDrive = objNetwork.EnumNetworkDrives()
' This section operates the For ... Next loop
' See how it compares the enumerated drive letters
' With strDriveLetter
On Error Resume Next
DriveExists = False
' Sets the Outer loop to check for 24 letters in strAlpha
For intCount = 1 To 24
DriveExists = False
' CheckDrive compares each Enumerated network drive
' with the proposed drive letter held by strDriveLetter
For intDrive = 0 To CheckDrive.Count - 1 Step 2
If CheckDrive.Item(intDrive) = strDriveLetter _
Then DriveExists = True
Next
intAlpha = intAlpha + 1
' Logic section if strDriveLetter does not = DriveExist
' Then go ahead and map the drive
'Wscript.Echo strDriveLetter & " exists: " & DriveExists
If DriveExists = False Then objNetwork.MapNetworkDrive _
strDriveLetter, strRemotePath
call ShowExplorer ' Extra code to take you to the mapped drive
' Appends a colon to drive letter. 1 means number of letters
strDriveLetter = Mid(strAlpha, intAlpha,1) & ":"
' If the DriveExists, then it is necessary to
' reset the variable from true --> false for next test loop
If DriveExists = True Then DriveExists = False
Next
WScript.Echo "Out of drive letters. Last letter " & strDriveLetter
WScript.Quit(1)
'Sub ShowExplorer()
'If DriveExists = False Then Wscript.Echo strDriveLetter & " Has been mapped for archiving"
'If DriveExists = False Then objShell.run _
'("Explorer" & " " & strDriveLetter & "\" )
'If DriveExists = False Then WScript.Quit(0)
'End Sub
On Error Resume Next
DriveExists = False
' Sets the Outer loop to check for 24 letters in strAlpha
For intCount = 1 To 24
DriveExists = False
' CheckDrive compares each Enumerated network drive
' with the proposed drive letter held by strDriveLetter1
For intDrive = 0 To CheckDrive.Count - 1 Step 2
If CheckDrive.Item(intDrive) = strDriveLetter1 _
Then DriveExists = True
Next
intAlpha = intAlpha + 1
' Logic section if strDriveLetter1 does not = DriveExist
' Then go ahead and map the drive
'Wscript.Echo strDriveLetter1 & " exists: " & DriveExists
If DriveExists = False Then objNetwork.MapNetworkDrive _
strDriveLetter1, strRemotePath1
call ShowExplorer ' Extra code to take you to the mapped drive
' Appends a colon to drive letter. 1 means number of letters
strDriveLetter1 = Mid(strAlpha, intAlpha,1) & ":"
' If the DriveExists, then it is necessary to
' reset the variable from true --> false for next test loop
If DriveExists = True Then DriveExists = False
Next
WScript.Echo "Out of drive letters. Last letter " & strDriveLetter1
WScript.Quit(1)
Sub ShowExplorer()
If DriveExists = False Then Wscript.Echo strDriveLetter & " Has been mapped for archiving"
If DriveExists = False Then objShell.run _
("Explorer" & " " & strDriveLetter & "\" )
If DriveExists = False Then WScript.Quit(0)
End Sub
Now the above script will find the next available letter and map one location to it... I still haven't worked out how to create another loop for it to do it again. It obviously also requires that you already be authenticated to map to that location.
I'm looking for some help on how to marry these two scripts together.
Thanks
Ali
Hi Ali
Here is some code that will enumerate two free adjacent drive letters. It starts searching from "C" all the way to "Z" for two drives letters that are adjacent and returns the results in an array then echoes the results. You can easily adapt this code to map your network drives to each drive letter. Hope that helps
Cheers Matt :)
Option Explicit
Dim objFSO
On Error Resume Next
Set objFSO = CreateObject("Scripting.FileSystemObject")
ProcessScript
If Err.Number <> 0 Then
WScript.Quit
End If
On Error Goto 0
'Functions Processing Section
'Name : ProcessScript -> Primary Function that controls all other script processing.
'Parameters : None ->
'Return : None ->
Function ProcessScript
Dim driveLetters, driveLetter
If Not GetFreeDrives(driveLetters) Then
Exit Function
End If
For Each driveLetter In driveLetters
MsgBox driveLetter, vbInformation
Next
End Function
'Name : GetFreeDrives -> Searches for a pair of free adjacent drive letters.
'Parameters : adjacentDrives -> Input/Output : variable assigned to an array containing the first two free adjacent drives.
'Return : GetFreeDrives -> Returns True if Successful otherwise returns False.
Function GetFreeDrives(adjacentDrives)
GetFreeDrives = False
Dim drive, driveLetter, drivesDict, i
Set drivesDict = NewDictionary
'Start empty so the "not found" check below can tell whether a pair was located.
driveLetter = ""
'Add the drives collection into the dictionary.
For Each drive In objFSO.drives
drivesDict(drive.DriveLetter) = ""
Next
'Check drive letters C: to Y: for two free adjacent drive letters (the second of the pair can be at most Z:) and set the "driveLetter" variable to the first one.
For i = Asc("C") To Asc("Y")
If Not drivesDict.Exists(Chr(i)) And Not drivesDict.Exists(Chr(i + 1)) Then
driveLetter = Chr(i)
Exit For
End If
Next
'If two free adjacent drive letters were not found then exit.
If driveLetter = "" Then
Exit Function
End If
adjacentDrives = Array(driveLetter, Chr(Asc(driveLetter) + 1))
GetFreeDrives = True
End Function
'Name : NewDictionary -> Creates a new dictionary object.
'Parameters : None ->
'Return : NewDictionary -> Returns a dictionary object.
Function NewDictionary
Dim dict
Set dict = CreateObject("scripting.Dictionary")
dict.CompareMode = vbTextCompare
Set NewDictionary = dict
End Function -
How to authenticate user when accessing a servlet in WLS6.0
In my current project, I need to authenticate the user when accessing (executing) a servlet deployed in WLS6.0. I tried to add
<auth-method>
BASIC
</auth-method>
in the web.xml.
Also, in the default fileRealmProperties file, I set up the ACL for
acl.execute.weblogic.Servlet.myServlet = the user
I have also disabled guest access in my config.xml.
After all these, the servlet can still be accessed freely.
Am I missing something? What is the right way to set it up in WLS6.0?
Thanks a lot
hyliu
The steps required are documented at:
http://e-docs.bea.com/wls/docs60/quickstart/quick_start.html
mark
narendra wrote:
> hi all,
> I had written a simple servlet. I would like to know the steps to
> be followed to run the servlet.
> What I did is I kept that servlet class file in the default directory
> and added the servlet path in the web.XML.
> But when I try to run the servlet it's giving me a 404 error.
> Can anyone help me out by giving the detailed steps to be followed, as I
> am new to Weblogic6.0
>
> Thanks in Advance,
-
Install Sun ONE Directory Server 5.2 & how to use it to authenticate users
Good afternoon. Excuse me, I am a newbie in this area; I am learning and putting effort into it. My situation is this: I am trying to install Sun ONE Directory Server 5.2, since I understand that it is the LDAP application for Solaris. I want to install it to authenticate users against the system, that is to say, to be able to access the server by logging in with a user created in the LDAP database, as if that user had been created in the system. The documentation that I find covers the installation of Sun ONE Directory Server 5.2, but it is not clear about how to use it for authentication. Does anyone have a step-by-step manual for the Sun ONE Directory Server 5.2 installation and for how to set it up to authenticate system users?
I read the forum seeking an answer and I got confused.
Thanks for the help and sorry for any inconvenience.
Aku_28
I think that I found the Sun endorsed book locations for using LDAP accounts that don't use authentication besides "crypt". I now can use an account with a "ssha" password. It can be more than 8 characters long.
Chapter 14 System Administration Guide: Naming and Directory Services
Read page 201, which covers the pam.conf file pam_ldap setups. I edited my "/etc/pam.conf" file to reflect this.
Chapter 7 Directory Server 5.2 2005Q4 - Administration Guide
Read page 316-318 which has a graphical technique to specify password syntax. I set it up and then tried the password by running "su - brahms". It now requires a longer password than 8 characters and it is set up to use "ssha" for that UID entry "brahms". -
Hi,
We have installed the DAC server on a Linux machine and the client on Windows. Using the DAC client we restored the backup of the DAC repository. The DAC client was working fine until the restoration, and after restoring it is not logging in. It throws an error like "Can't authenticate user".
While starting the DAC services on the Unix server, it throws an error like
ANOMALY INFO An exception occurred. Shutting down server...
MESSAGE:::/u01/DAC/jdk/jre/lib/i386/xawt/libmawt.so: libXext.so.6: cannot open shared object file: No such file or directory
EXCEPTION CLASS::: java.lang.UnsatisfiedLinkError
Note: since the DAC client is not separately available for Windows, we have installed the DAC server there as well. During and after the installation we never configured it to connect to the DAC server which is on Linux; we have configured only the DB.
We have successfully installed OBIEE and Informatica, and the DAC version is 10.1.3.4.1.
How to start the DAC services?
How to configure the DAC client to connect to the DAC server, and how to solve this "Can't authenticate user" issue?
Pls help in this regard.
After your config try to restart dac11g server
dac10g is only desktop mode
~ http://cool-bi.com -
Hi there
I have recently set up a Windows 2012 R2 NPS server (for WiFi auth) in our resource forest to replace an aging 2003 RADIUS server.
The problem I am having is users logging in with their UPNs.
To give some background our user forest and domains look like company.local and a few child domains department.company.local etc.
Our resource domain is companyresources.com
As we use Office 365 we had to add UPNs to our users called company.com and set them.
The NPS cannot authenticate users when they use their [email protected] UPN.
From logs
Network Policy Server denied access to a user.
Contact the Network Policy Server administrator for more information.
User:
Security ID: NULL SID
Account Name: [email protected]
Account Domain: -
Fully Qualified Account Name: -
Followed by event ID 4402
There is no domain controller available for domain DOMAIN.
I believe it cannot translate the account name into an account domain when using the UPN we need for Office 365 ([email protected]).
If I set a test user to a UPN of [email protected] it does (however we cannot do this because it will affect our Office 365 users)
Network Policy Server granted access to a user.
User:
Security ID: DOMAIN\user1
Account Name: [email protected]
Account Domain: DOMAIN
Fully Qualified Account Name: DOMAIN\user1
or if I use DOMAIN\username
Network Policy Server granted full access to a user because the host met the defined health policy.
User:
Security ID: DOMAIN\user1
Account Name: DOMAIN\user1
Account Domain: DOMAIN
Fully Qualified Account Name: DOMAIN\user1
Is there any way I can get my UPN authentication working from the resource domain, as I would prefer my users logging into WiFi with their UPNs, since we have moved away from the DOMAIN\username method?
Thanks
Hi,
According to your description, my understanding is that client using UPN can’t be authenticated by NPS server, event ID 4402.
In general, when NPS is configured as a RADIUS server with the default connection request policy, NPS processes connection requests for the domain in which the NPS server is a member and for trusted domains.
You may try to use realm names configured in connection request policies to ensure that connection requests are routed from RADIUS clients to RADIUS servers that can authenticate and authorize the connection request.
You may reference the link below for detailed information:
Realm Names
https://technet.microsoft.com/en-us/library/cc731342(v=ws.10).aspx
Using Pattern-Matching Syntax in NPS
https://technet.microsoft.com/en-us/library/dd197583%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396
Best Regards,
Eve Wang -
Cisco WLC 2504 and ways to authenticate users
Hi All,
What are the ways to make users authenticate to the WLC 2504, what is the best and simplest way, and what are the differences between the methods (I mean, for example, whether a RADIUS server or something else needs to exist)?
And can anyone give me a case study for this issue?
The system consists of a Cisco 2504 and Cisco LAP 1140.
Thanks
To implement RADIUS-based authentication is the best practice for the small & enterprise environment.
Information About RADIUS
Remote Authentication Dial-In User Service (RADIUS) is a client/server protocol that provides centralized security for users attempting to gain management access to a network. It serves as a backend database similar to local and TACACS+ and provides authentication and accounting services:
•Authentication—The process of verifying users when they attempt to log into the controller.
Users must enter a valid username and password in order for the controller to authenticate users to the RADIUS server. If multiple databases are configured, you can specify the sequence in which the backend database must be tried.
•Accounting—The process of recording user actions and changes.
Whenever a user successfully executes an action, the RADIUS accounting server logs the changed attributes, the user ID of the person who made the change, the remote host where the user is logged in, the date and time when the command was executed, the authorization level of the user, and a description of the action performed and the values provided. If the RADIUS accounting server becomes unreachable, users are able to continue their sessions uninterrupted.
RADIUS uses User Datagram Protocol (UDP) for its transport. It maintains a database and listens on UDP port 1812 for incoming authentication requests and UDP port 1813 for incoming accounting requests. The controller, which requires access control, acts as the client and requests AAA services from the server. The traffic between the controller and the server is encrypted by an algorithm defined in the protocol and a shared secret key configured on both devices.
You can configure multiple RADIUS accounting and authentication servers. For example, you may want to have one central RADIUS authentication server but several RADIUS accounting servers in different regions. If you configure multiple servers of the same type and the first one fails or becomes unreachable, the controller automatically tries the second one, then the third one if necessary, and so on.
For more Information : http://www.cisco.com/en/US/docs/wireless/controller/7.2/configuration/guide/cg_security_sol.html#wp2149947