Wiki auto-authentication

Hi all.
I am struggling to find a Mountain Lion solution to auto-authenticate a wiki login.
In detail, I have a website hosted on a provider's server, and a wiki on my local Mountain Lion Server; both are perfectly reachable from outside. The wiki is integrated as a part of the external website.
Visitors of the external website have to authenticate against the OD server; the login credentials are stored in the website database for reuse. I'd like the visitors to be automatically logged on to the wiki server as well, to avoid them having to authenticate a second time.
Back in the Snow Leopard days, I had an XML-RPC procedure which auto-authenticated the wiki. This was all working perfectly well, but since XML-RPC is deprecated in Mountain Lion, I'm looking for an alternative solution.
regards,
Cliff

On 07.06.2014 14:52, Gotthard Anger wrote:
> Hello Mathias,
> On 06.06.2014 17:46, MFaust wrote:
>> there are newer builds that fix the problem - eg. 115701 or 115905.
>> Open an SR and NTS should provide you with a newer build which fixes the
>> problem.
> Do these builds only affect the client? I'm currently using the
> 2012 client. That's why I think I need a new PO agent.
>
> Go
>
Update: Same behavior with the new 1400 client.
Go
Gotthard Anger
User Support, Network Administration
Landeskirchenamt der EKM
[email protected]
http://forums.novell.com/member.php?u=35038
Mails to this address will only be read if you notify me beforehand.

Similar Messages

  • Wiki-Server, authentication fails with iPad

    Hello everybody,
    I have made a clean installation of OS X Server.
    I see a strange behavior with Wiki. When I try to authenticate with the iPad it says: "Failed to log in sucessfully" ?? I can, however access the Wikis that are "publicly" available without any issue, but what about the "hidden" ones?!
    When I use the Macbook, Firefox on a PC, or the iPhone then it's all fine. Authentication works as expected.
    Am I missing here something?

    I have this exact issue in my school; it is massively annoying, as we have a 1:1 rollout of over a thousand iPads and had invested considerable time developing resources on the wiki, and now the only device it doesn't work on is the same device that we have given to all our pupils.
    Charles

  • Wiki mobile authentication issue

    Having an odd issue with wiki authentication... Users can log in fine via any desktop browser, however if a user attempts to use an iPhone to log in via the mobile interface, the following error occurs:
    "Error from server: No record found for that path: 'groups/list' (8002)"

  • OSx Server 3.1.2 - Wiki (collabd) Authentication Vulnerable to Brute Force?

    Hello Team,
         I have been using OS X Server's (3.1.2 - Build 1354517) 'wiki' or collaboration suite to host some personally created wikis and documentation. Upon having this open to external (WAN) connections, as was my eventual goal, I noticed a potential problem. I found that I could continually attempt to authenticate against the website, without any timeout or anything else to slow down my attempts.
         To elaborate briefly, I don't mean authentication against .htpassword as maybe configured in OS X Server's website hosting setup. I mean against the wiki software itself. The only way around this that I can find would be to use .htpassword for an additional layer of security.
         Given that there are MANY ways to gain usernames from the wiki server (profiles, default 'alias', activity logs, etc.), and the fact that this authenticates against local system accounts, is this a genuine security threat?
         I appreciate any feedback from other users or perhaps Apple.

    Hello Linc,
         I appreciate your reply, though I feel it misses the core content of my enquiry. It's not unnecessary to expose this service, but I would like the ability to. I don't think the service accessibility limitations should be defined on whether the application is secure or not.
         And either way, even if run in a secure environment; it's still a compromise.
         In the end, I'm still not sure; Do you acknowledge that this is vulnerable to brute force?
         Thanks,
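    The control the poster says is missing, as an added example (not code from the thread, and not OS X Server's own wiki service): failed-login counting per account and per source address over a sliding window, with a lockout and a progressive delay. The thresholds, the window size and the log-line format are assumptions of this example, and the sample lines are constructed.

```python
"""Failed-login throttling for a web login endpoint.

Added example; not part of this thread and not code from OS X Server's wiki
service (collabd). It shows the control the poster found missing: count
failures per account and per source address over a sliding window, then
refuse or delay further attempts. Thresholds, window size and the log-line
format are assumptions of this example; the sample lines are constructed.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Tuple

WINDOW_SECONDS = 600   # sliding window over which failures are counted
ACCOUNT_LIMIT = 5      # failures per username before the account is locked
SOURCE_LIMIT = 20      # failures per source IP (catches spraying many accounts)
MAX_DELAY_SECONDS = 60


@dataclass
class Decision:
    allowed: bool
    reason: str
    delay: float = 0.0   # extra seconds to hold the response before answering


class LoginGuard:
    def __init__(self) -> None:
        self._by_user: Dict[str, Deque[float]] = defaultdict(deque)
        self._by_ip: Dict[str, Deque[float]] = defaultdict(deque)

    @staticmethod
    def _prune(q: Deque[float], now: float) -> None:
        while q and q[0] <= now - WINDOW_SECONDS:
            q.popleft()

    def check(self, user: str, ip: str, now: float) -> Decision:
        """Call before the password is verified, and for unknown usernames too,
        so the guard's behaviour does not reveal which accounts exist."""
        uq, iq = self._by_user[user], self._by_ip[ip]
        self._prune(uq, now)
        self._prune(iq, now)
        if len(uq) >= ACCOUNT_LIMIT:
            return Decision(False, f"account {user!r} locked: {len(uq)} failures in window")
        if len(iq) >= SOURCE_LIMIT:
            return Decision(False, f"source {ip} throttled: {len(iq)} failures in window")
        # Progressive delay 0, 1, 2, 4, 8 ... seconds, capped, so that even below
        # the hard limits each extra guess costs the client more time.
        worst = max(len(uq), len(iq))
        delay = 0.0 if worst == 0 else min(2.0 ** (worst - 1), MAX_DELAY_SECONDS)
        return Decision(True, "ok", delay)

    def record_failure(self, user: str, ip: str, now: float) -> None:
        self._by_user[user].append(now)
        self._by_ip[ip].append(now)


def parse_line(line: str) -> Tuple[float, str, str, bool]:
    """Constructed log format: '<epoch> <user> <ip> <ok|fail>'."""
    ts, user, ip, outcome = line.split()
    return float(ts), user, ip, outcome == "ok"


def replay(lines: List[str]) -> List[Tuple[float, str, bool, str, float]]:
    """Run constructed login events through the guard and return each decision
    as (time, user, allowed, reason, delay) so the effect of the limits is visible."""
    guard = LoginGuard()
    out = []
    for line in lines:
        ts, user, ip, ok = parse_line(line)
        d = guard.check(user, ip, ts)
        out.append((ts, user, d.allowed, d.reason, d.delay))
        if d.allowed and not ok:
            guard.record_failure(user, ip, ts)
    return out


# Constructed sample: one address guessing 'admin', then the real user.
SAMPLE = [f"{1000 + i} admin 203.0.113.9 fail" for i in range(7)] + [
    "1100 admin 203.0.113.9 ok",    # right password, but the account is locked
    "1200 cliff 198.51.100.4 ok",   # unrelated account and address: unaffected
    "2000 admin 203.0.113.9 ok",    # window has slid past the failures: allowed
]

if __name__ == "__main__":
    for row in replay(SAMPLE):
        print(row)
```

    The counters live in memory here; behind more than one web front end they belong in a shared store, and every denial should be logged so that the same brute-force attempt is visible to whoever watches the server.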

  • Wiki auto pdf pages files on upload?

    I find that only Pages files are turned into PDFs when uploaded using the wiki server's document add.
    Anyone confirm?
    Is this documented somewhere? I noticed it zipped my Numbers files.

    Look in the Pages preferences > General tab. Uncheck "Save new documents as packages". For already saved documents my guess is that if you can "Save as copy" you would be able to get a "flat" document instead of a package. I can't test this as I am on Snow Leopard and always have it unchecked.

  • Auto-authentication using NT credentials?

    I have the following piece of javascript to detect an intranet user's NT id by creating an ActiveX component (IE 5.5). How can I pass this to an authentication module/login URL so that users are logged into portal automatically when they request the portal login page?
    <script
    language="JavaScript"
    type="text/javascript"
    event="onload"
    for="window">
    var net = new ActiveXObject("Wscript.Network");
    document.all.strUsername.value = net.UserName;
    document.all.strDomain.value = net.UserDomain;
    </script>
    thx,
    Murray

    You need to build a URL something like:
    http://server:8080/login/Ldap?page=1&TOKEN0=<username>&TOKEN1=<password>&Submit=Login
    Have a look at the authentication templates under /etc/opt/SUNWips/desktop/default/iwtLoginProvider/ and check the form variables that are passed in for the authentication module you are using.
    Stephen
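    Both the wiki auto-login question at the top of the page and this portal thread need the same thing: one site that has already authenticated a user vouching for that identity to a second site. The added example below (not code from either thread, and not an OS X Server or Sun Portal API) shows the handoff done with a signed, short-lived, single-use token instead of passing a username and password in a URL or storing them for reuse. The shared secret, the audience name and the 60-second lifetime are assumptions of this example.

```python
"""Signed, short-lived single-sign-on handoff token.

Added example, not code from any of the posts above and not an OS X Server
or Sun Portal API. The site that already authenticated the user mints a token
vouching for the identity; the second site verifies it and opens its own
session, so no password travels in a URL or is stored for reuse. The shared
secret, the audience name and the 60-second TTL are assumptions of this example.
"""
import base64
import hashlib
import hmac
import json
import os
import time
from typing import Optional

# Assumed: both sites hold this secret; in practice load it from a key store.
SHARED_SECRET = b"assumed-shared-secret-change-me"
TTL_SECONDS = 60


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64url(text: str) -> bytes:
    pad = "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(text + pad)


def mint_token(username: str, secret: bytes = SHARED_SECRET,
               now: Optional[float] = None, audience: str = "wiki") -> str:
    """Issuer side: the site that has just authenticated the user."""
    now = time.time() if now is None else now
    claims = {
        "sub": username,
        "aud": audience,                 # which site may accept this token
        "iat": int(now),
        "exp": int(now) + TTL_SECONDS,   # short life bounds the replay window
        "jti": _b64url(os.urandom(12)),  # nonce so a captured token is single-use
    }
    body = _b64url(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    sig = hmac.new(secret, body.encode("ascii"), hashlib.sha256).digest()
    return f"{body}.{_b64url(sig)}"


def verify_token(token: str, seen_jti: set, secret: bytes = SHARED_SECRET,
                 now: Optional[float] = None, audience: str = "wiki") -> Optional[str]:
    """Relying side: returns the username, or None on any failure.

    `seen_jti` is the caller's replay cache of accepted nonces; entries only
    need to live for TTL_SECONDS, but this example never prunes them.
    """
    now = time.time() if now is None else now
    try:
        body, sig_text = token.split(".", 1)
        expected = hmac.new(secret, body.encode("ascii"), hashlib.sha256).digest()
        # Check the signature before trusting any claim, in constant time.
        if not hmac.compare_digest(expected, _unb64url(sig_text)):
            return None
        claims = json.loads(_unb64url(body))
    except (ValueError, TypeError):
        return None
    if claims.get("aud") != audience:
        return None
    if not (claims["iat"] - 5 <= now <= claims["exp"]):  # 5 s clock-skew allowance
        return None
    if claims["jti"] in seen_jti:
        return None  # replay of an already-accepted token
    seen_jti.add(claims["jti"])
    return claims["sub"]


if __name__ == "__main__":
    cache: set = set()
    t = mint_token("cliff")
    print("first use ->", verify_token(t, cache))   # cliff
    print("replayed  ->", verify_token(t, cache))   # None
```

    The token is carried once, in the request that lands the visitor on the second site, which then issues its own session cookie; the secret never leaves the two servers, and a token copied from a log or a browser history is useless after one use or after a minute.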

  • An issue with authentication and authorization on ISE 1.2

    Hi, I'm new to ISE.
    I have an issue with authentication and authorization.
    I have ISE 1.2 plus patch 6 installed on VMware.
    I have the built-in Windows XP supplicant and a 2960 Cisco switch with IOS c2960-lanbasek9-mz.150-2.SE5.bin
    On the supplicant I use EAP (PEAP) with EAP-MSCHAP v2.
    I created authentication and authorization rules with Active Directory as External Identity Source. I also applied an authorization profile with a DACL. I log in on the Windows XP machine under different Active Directory accounts. Everything works fine (authentication, authorization), but only for several hours. After several hours have passed, authentication and authorization stop working. I can see that ISE is trying to authenticate and authorize users, but ISE always uses only one account for authentication and authorization. Even if I log in under different accounts, ISE continues to use only the last account.
    I tried to reboot the switch and PC, but it didn't help. Only rebooting ISE helps. After the ISE reboot, authentication and authorization start to work properly for several hours.
    I don't understand: is it a glitch, or have I misconfigured ISE, the switch or the supplicant?
    What should I do to resolve this issue?
    Switch configuration:
     testISE#sh runn
    Building configuration...
    Current configuration : 7103 bytes
    ! Last configuration change at 12:20:15Tue Apr 15 2014
    ! NVRAM config last updated at 10:35:02  Tue Apr 15 2014
    version 15.0
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname testISE
    boot-start-marker
    boot-end-marker
    no logging console
    logging monitor informational
    enable secret 5 ************
    enable password ********
    username radius-test password 0 ********
    username admin privilege 15 secret 5 ******************
    aaa new-model
    aaa authentication dot1x default group radius
    aaa authorization network default group radius
    aaa authorization auth-proxy default group radius
    aaa accounting update periodic 5
    aaa accounting dot1x default start-stop group radius
    aaa server radius dynamic-author
     client 172.16.0.90 server-key ********
    aaa session-id common
    clock timezone 4 0
    system mtu routing 1500
    authentication mac-move permit
    ip dhcp snooping vlan 1,22
    ip dhcp snooping
    ip domain-name elauloks
    ip device tracking probe use-svi
    ip device tracking
    epm logging
    crypto pki trustpoint TP-self-signed-1888913408
     enrollment selfsigned
     subject-name cn=IOS-Self-Signed-Certificate-1888913408
     revocation-check none
     rsakeypair TP-self-signed-1888913408
    crypto pki certificate chain TP-self-signed-1888913408
    dot1x system-auth-control
    spanning-tree mode pvst
    spanning-tree extend system-id
    vlan internal allocation policy ascending
    ip ssh version 2
    interface FastEthernet0/5
     switchport mode access
     ip access-group ACL-ALLOW in
     authentication event fail action next-method
     authentication event server dead action reinitialize vlan 1
     authentication event server alive action reinitialize
     authentication host-mode multi-auth
     authentication open
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     authentication periodic
     authentication timer reauthenticate server
     authentication violation restrict
     mab
     dot1x pae authenticator
     dot1x timeout tx-period 10
     spanning-tree portfast
    interface FastEthernet0/6
     switchport mode access
     ip access-group ACL-ALLOW in
     authentication event fail action next-method
     authentication event server dead action reinitialize vlan 1
     authentication event server alive action reinitialize
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     authentication periodic
     authentication timer reauthenticate server
     authentication violation restrict
     mab
     dot1x pae authenticator
     dot1x timeout tx-period 10
     spanning-tree portfast
    interface FastEthernet0/7
    interface Vlan1
     ip address 172.16.0.204 255.255.240.0
     no ip route-cache
    ip default-gateway 172.16.0.1
    ip http server
    ip http secure-server
    ip access-list extended ACL-ALLOW
     deny   icmp any host 172.16.0.1
     permit ip any any
    ip radius source-interface Vlan1
    logging origin-id ip
    logging source-interface Vlan1
    logging host 172.16.0.90 transport udp port 20514
    snmp-server community public RO
    snmp-server community ciscoro RO
    snmp-server trap-source Vlan1
    snmp-server source-interface informs Vlan1
    snmp-server enable traps snmp linkdown linkup
    snmp-server enable traps mac-notification change move
    snmp-server host 172.16.0.90 ciscoro
    radius-server attribute 6 on-for-login-auth
    radius-server attribute 6 support-multiple
    radius-server attribute 8 include-in-access-req
    radius-server attribute 25 access-request include
    radius-server dead-criteria time 5 tries 3
    radius-server vsa send accounting
    radius-server vsa send authentication
    radius server ISE-Alex
     address ipv4 172.16.0.90 auth-port 1812 acct-port 1813
     automate-tester username radius-test idle-time 15
     key ******
    ntp server 172.16.0.1
    ntp server 172.16.0.5
    end

    Yes. Tried that (several times), didn't work. 5 people in my office, all with version 6.0.1, couldn't access their Gmail accounts. Kept getting an error message that username and password were invalid. Finally solved the issue by using Microsoft Exchange and "m.google.com" as server and domain, and that did the trick. Think there is an issue with imap.gmail.com and iOS 6.0.1. I'm sure the 5 of us suddenly experiencing this issue aren't the only ones. Apple will figure it out. Thanks.

  • ISE 1.2 Authentication Failures at First time Connection

    Hi,
    I have trouble with ISE 1.2 when trying to authenticate an end-device for the first time; this device might be either a workstation or an IP phone or a printer, etc. It fails or stays in Running mode. The result is the same: it cannot access the network. Hopefully I'm still in open mode :)
    As I described in the beginning, everything has status Running or Authz Failed, and after a period of time, usually one day, it finally succeeds.
    This happens mostly for workstations and printers, but in the case of phones it does not have the same behavior. I unplug/plug the phones or shut/no shut the ports in order to trigger it to succeed. For some phones it worked, but others obstinately declined.
    The phones, which are not Cisco phones, are authenticated with MD5 (a simple username and password); I think the problem should not be related to the auth protocol.
    Below are some logs from one phone. Coming to a short conclusion, this must be related either to the switches, which are 3750E (15.0(2)SE4 IOS),
    or to ISE itself, because I have almost the same behavior for all end-devices.
    I kindly await your comments...
    2169669: Apr 16 18:02:20.573 EEST: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/35, changed state to up
    2169670: Apr 16 18:02:20.783 EEST: %DOT1X-5-FAIL: Authentication failed for client (0080.9f7d.3ddf) on Interface Gi1/0/34 AuditSessionID 0A114D0D0000D5E8855C01DE
    2169671: Apr 16 18:02:20.791 EEST: %AUTHMGR-7-RESULT: Authentication result 'timeout' from 'dot1x' for client (0080.9f7d.3ddf) on Interface Gi1/0/34 AuditSessionID 0A114D0D0000D5E8855C01DE
    S301#
    2169672: Apr 16 18:02:20.992 EEST: %AUTHMGR-5-START: Starting 'dot1x' for client (0080.9f7d.3ddf) on Interface Gi1/0/34 AuditSessionID 0A114D0D0000D5F0855DE0EF
    2169673: Apr 16 18:02:21.580 EEST: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/35, changed state to up
    S301#
    2169674: Apr 16 18:02:24.289 EEST: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/35, changed state to down
    S301#
    2169675: Apr 16 18:02:25.288 EEST: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/35, changed state to down
    2169676: Apr 16 18:02:26.269 EEST: %AUTHMGR-5-START: Starting 'dot1x' for client (0080.9f7d.3e6f) on Interface Gi1/0/35 AuditSessionID 0A114D0D0000D5F1855DF3BE
    2169677: Apr 16 18:02:26.294 EEST: %DOT1X-5-FAIL: Authentication failed for client (0080.9f7d.3e6f) on Interface Gi1/0/35 AuditSessionID 0A114D0D0000D5F1855DF3BE
    2169678: Apr 16 18:02:26.294 EEST: %AUTHMGR-7-RESULT: Authentication result 'fail' from 'dot1x' for client (0080.9f7d.3e6f) on Interface Gi1/0/35 AuditSessionID 0A114D0D0000D5F1855DF3BE
    2169679: Apr 16 18:02:26.303 EEST: %DOT1X-5-FAIL: Authentication failed for client (0080.9f7d.3e6f) on Interface Gi1/0/35 AuditSessionID 0A114D0D0000D5F1855DF3BE
    2169680: Apr 16 18:02:26.303 EEST: %AUTHMGR-7-RESULT: Authentication result 'fail' from 'dot1x' for client (0080.9f7d.3e6f) on Interface Gi1/0/35 AuditSessionID 0A114D0D0000D5F1855DF3BE
    2169681: Apr 16 18:02:26.319 EEST: %DOT1X-5-FAIL: Authentication failed for client (0080.9f7d.3e6f) on Interface Gi1/0/35 AuditSessionID 0A114D0D0000D5F1855DF3BE
    2169682: Apr 16 18:02:26.319 EEST: %AUTHMGR-7-RESULT: Authentication result 'fail' from 'dot1x' for client (0080.9f7d.3e6f) on Interface Gi1/0/35 AuditSessionID 0A114D0D0000D5F1855DF3BE
    2169683: Apr 16 18:02:26.319 EEST: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (0080.9f7d.3e6f) on Interface Gi1/0/35 AuditSessionID 0A114D0D0000D5F1855DF3BE
    2169684: Apr 16 18:02:26.319 EEST: %AUTHMGR-5-START: Starting 'mab' for client (0080.9f7d.3e6f) on Interface Gi1/0/35 AuditSessionID 0A114D0D0000D5F1855DF3BE
    2169685: Apr 16 18:02:26.328 EEST: %MAB-5-FAIL: Authentication failed for client (0080.9f7d.3e6f) on Interface Gi1/0/35 AuditSessionID 0A114D0D0000D5F1855DF3BE
    2169686: Apr 16 18:02:26.328 EEST: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'mab' for client (0080.9f7d.3e6f) on Interface Gi1/0/35 AuditSessionID 0A114D0D0000D5F1855DF3BE
    2169687: Apr 16 18:02:26.328 EEST: %AUTHMGR-7-FAILOVER: Failing over from 'mab' for client (0080.9f7d.3e6f) on Interface Gi1/0/35 AuditSessionID 0A114D0D0000D5F1855DF3BE
    2169688: Apr 16 18:02:26.328 EEST: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (0080.9f7d.3e6f) on Interface Gi1/0/35 AuditSessionID 0A114D0D0000D5F1855DF3BE
    S301#
    2169689: Apr 16 18:02:26.336 EEST: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (0080.9f7d.3e6f) on Interface Gi1/0/35 AuditSessionID 0A114D0D0000D5F1855DF3BE
    S301#
    2169690: Apr 16 18:02:27.737 EEST: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/35, changed state to up
    2169691: Apr 16 18:02:28.744 EEST: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/35, changed state to up
    Regards
    T.C

    I'm not using an authentication method with certificates for any end-devices.
    Workstations use the Windows default authentication protocol EAP/MSCHAPv2.
    In front of them there are non-Cisco IP phones with auth. method EAP/MD5.
    Finally I also have some printers, again with the option EAP/MD5.
    For all of these devices I received the same behavior: after many hours they finally authenticated with ISE. But is this the expected behavior?
    What I understand is that if the devices finally authenticated, then there isn't anything wrong with the method.
    The points I don't understand are 3:
    Why is there so much delay for all devices to authenticate?
    Why do some devices, mostly IP phones (not all), continue to fail the authentication method? All my devices are identical, with the same software / patch, same model, etc.
    I have noticed that randomly some devices succeed one moment and fail the next.
    So to my understanding there is abnormal behavior and I cannot find the way / pattern to correct it or to understand the reason :)
    Port config
    switchport access vlan xxx
     switchport mode access
     switchport voice vlan yyy
     ip access-group ACL-ALLOW in
     authentication event fail action next-method
     authentication event server dead action reinitialize vlan xxx
     authentication event server dead action authorize voice
     authentication event server alive action reinitialize
     authentication host-mode multi-domain
     authentication open
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     authentication periodic
     authentication timer reauthenticate server
     authentication violation restrict
     mab
     dot1x pae authenticator
     no cdp enable
     spanning-tree portfast
    result template
    Switch#sh auth sess int g1/0/46
                Interface:  GigabitEthernet1/0/46
              MAC Address:  xxxx.xxxx.xxxx
               IP Address:  xx.xxx.xx.xxx
                User-Name:  xxxxxxxxxxxx
                   Status:  Authz Failed
                   Domain:  DATA
          Security Policy:  Should Secure
          Security Status:  Unsecure
           Oper host mode:  multi-domain
         Oper control dir:  both
          Session timeout:  N/A
             Idle timeout:  N/A
        Common Session ID:  0A114D0A00001972016208E1
          Acct Session ID:  0x00001BB7
                   Handle:  0x6D0009B6
    Runnable methods list:
           Method   State
           dot1x    Failed over
           mab      Failed over
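    A way to read logs like the ones in this post, as an added example (not code from the post or from Cisco): group the %DOT1X / %AUTHMGR messages by AuditSessionID and report, per client, which methods ran, what each returned and how the session ended. The sample lines are copied from the post; the message formats matched are only the ones that appear there.

```python
"""Triage of %DOT1X / %AUTHMGR syslog from a Catalyst switch.

Added example, not from the post above. It groups the switch messages by
AuditSessionID and reports, per client, which methods ran, what each returned
and how the session ended, which is the first thing to establish when ports sit
in 'Running' or 'Authz Failed'. The sample lines are copied from the post; the
message formats matched are only the ones that appear there.
"""
import re
from collections import OrderedDict
from typing import Dict, List, Optional, Tuple

LINE = re.compile(
    r"%(?P<mnemonic>[A-Z0-9]+-\d-[A-Z]+): (?P<text>.*?) for client "
    r"\((?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\) on Interface (?P<intf>\S+) "
    r"AuditSessionID (?P<sid>[0-9A-F]+)"
)
RESULT = re.compile(r"Authentication result '(?P<result>[\w-]+)' from '(?P<method>\w+)'")
START = re.compile(r"Starting '(?P<method>\w+)'")
FAILOVER = re.compile(r"Failing over from '(?P<method>\w+)'")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Fields of one per-client auth message, or None for anything else
    (link up/down messages carry no client and are ignored)."""
    m = LINE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    text = ev.pop("text")
    for rx in (RESULT, START, FAILOVER):
        sub = rx.search(text)
        if sub:
            ev.update(sub.groupdict())
            break
    return ev


def hints(methods: List[Tuple[str, str]]) -> List[str]:
    """Plain-language reading of each (method, result) pair."""
    out = []
    for method, result in methods:
        if method == "dot1x" and result == "timeout":
            out.append("dot1x timeout: the client never answered EAPOL (no or idle supplicant)")
        elif method == "dot1x" and result == "fail":
            out.append("dot1x fail: the EAP exchange ran and was rejected; look up this "
                       "session ID in the ISE live log")
        elif method == "mab" and result == "no-response":
            out.append("mab no-response: no usable answer for this MAC; check the MAB "
                       "policy and RADIUS reachability")
    return out


def summarize(lines: List[str]) -> Dict[str, dict]:
    """{session id: {mac, intf, methods: [(method, result), ...], verdict, hints}}"""
    sessions: Dict[str, dict] = OrderedDict()
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        s = sessions.setdefault(ev["sid"], {"mac": ev["mac"], "intf": ev["intf"],
                                            "methods": [], "verdict": "in progress"})
        mn = ev["mnemonic"]
        if mn == "AUTHMGR-5-START":
            s["methods"].append([ev["method"], "started"])
        elif mn == "AUTHMGR-7-RESULT":
            # Attach the result to the latest run of that method; the repeated
            # RESULT lines in the post collapse into one entry.
            for run in reversed(s["methods"]):
                if run[0] == ev["method"]:
                    run[1] = ev["result"]
                    break
            else:
                s["methods"].append([ev["method"], ev["result"]])
        elif mn == "AUTHMGR-7-NOMOREMETHODS":
            s["verdict"] = "all methods exhausted"
        elif mn == "AUTHMGR-5-FAIL":
            s["verdict"] = "authorization failed or unapplied"
    for s in sessions.values():
        s["methods"] = [tuple(r) for r in s["methods"]]
        s["hints"] = hints(s["methods"])
    return sessions


SAMPLE = [  # copied from the post above
    "2169669: Apr 16 18:02:20.573 EEST: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/35, changed state to up",
    "2169670: Apr 16 18:02:20.783 EEST: %DOT1X-5-FAIL: Authentication failed for client (0080.9f7d.3ddf) on Interface Gi1/0/34 AuditSessionID 0A114D0D0000D5E8855C01DE",
    "2169671: Apr 16 18:02:20.791 EEST: %AUTHMGR-7-RESULT: Authentication result 'timeout' from 'dot1x' for client (0080.9f7d.3ddf) on Interface Gi1/0/34 AuditSessionID 0A114D0D0000D5E8855C01DE",
    "2169672: Apr 16 18:02:20.992 EEST: %AUTHMGR-5-START: Starting 'dot1x' for client (0080.9f7d.3ddf) on Interface Gi1/0/34 AuditSessionID 0A114D0D0000D5F0855DE0EF",
    "2169676: Apr 16 18:02:26.269 EEST: %AUTHMGR-5-START: Starting 'dot1x' for client (0080.9f7d.3e6f) on Interface Gi1/0/35 AuditSessionID 0A114D0D0000D5F1855DF3BE",
    "2169677: Apr 16 18:02:26.294 EEST: %DOT1X-5-FAIL: Authentication failed for client (0080.9f7d.3e6f) on Interface Gi1/0/35 AuditSessionID 0A114D0D0000D5F1855DF3BE",
    "2169678: Apr 16 18:02:26.294 EEST: %AUTHMGR-7-RESULT: Authentication result 'fail' from 'dot1x' for client (0080.9f7d.3e6f) on Interface Gi1/0/35 AuditSessionID 0A114D0D0000D5F1855DF3BE",
    "2169683: Apr 16 18:02:26.319 EEST: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (0080.9f7d.3e6f) on Interface Gi1/0/35 AuditSessionID 0A114D0D0000D5F1855DF3BE",
    "2169684: Apr 16 18:02:26.319 EEST: %AUTHMGR-5-START: Starting 'mab' for client (0080.9f7d.3e6f) on Interface Gi1/0/35 AuditSessionID 0A114D0D0000D5F1855DF3BE",
    "2169685: Apr 16 18:02:26.328 EEST: %MAB-5-FAIL: Authentication failed for client (0080.9f7d.3e6f) on Interface Gi1/0/35 AuditSessionID 0A114D0D0000D5F1855DF3BE",
    "2169686: Apr 16 18:02:26.328 EEST: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'mab' for client (0080.9f7d.3e6f) on Interface Gi1/0/35 AuditSessionID 0A114D0D0000D5F1855DF3BE",
    "2169688: Apr 16 18:02:26.328 EEST: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (0080.9f7d.3e6f) on Interface Gi1/0/35 AuditSessionID 0A114D0D0000D5F1855DF3BE",
    "2169689: Apr 16 18:02:26.336 EEST: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (0080.9f7d.3e6f) on Interface Gi1/0/35 AuditSessionID 0A114D0D0000D5F1855DF3BE",
]

if __name__ == "__main__":
    for sid, s in summarize(SAMPLE).items():
        print(sid, s["mac"], s["intf"], s["methods"], s["verdict"], s["hints"])
```

    The AuditSessionID is the join key: the same value appears in the ISE live log for that attempt, so the switch-side sequence (dot1x rejected, MAB without an answer, all methods exhausted) can be matched against the server-side reason for each step.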

  • ISE Wired guest portal redirect even after authentication

    Hi
    I have configured both wired and wireless guest authentication via the guest portal. Wireless is working fine; however, when trying with wired, the redirection page keeps coming up even after the user has authenticated.
    I'm not seeing the redirection authorization policy in my logs; I can only see the user authentication logs (successful). Attached are my configuration and logging output.
    Here is what I see on the interface
    ABQT-3FLR-ACC-01#sh authentication sessions interface gigabitEthernet 4/0/19
                Interface:  GigabitEthernet4/0/19
              MAC Address:  a0b3.ccca.2ab1
               IP Address:  10.1.3.16
                User-Name:  A0-B3-CC-CA-2A-B1
                   Status:  Authz Success
                   Domain:  DATA
           Oper host mode:  multi-auth
         Oper control dir:  both
            Authorized By:  Authentication Server
              Vlan Policy:  N/A
         URL Redirect ACL:  ACL-WEBAUTH-REDIRECT
             URL Redirect:  https://xxxx-TW-ISE-2.xxx.xxx.qa:8443/guestportal/gateway?sessionId=AC14011F000001571E52779F&action=cwa
          Session timeout:  N/A
             Idle timeout:  N/A
        Common Session ID:  AC14011F000001571E52779F
          Acct Session ID:  0x00000309
                   Handle:  0xE6000158
    Runnable methods list:
           Method   State
           dot1x    Failed over
           mab      Authc Success
    Here is the ACL
    Extended IP access list ACL-WEBAUTH-REDIRECT
        10 deny udp any any eq domain (1344 matches)
        20 deny ip any host 172.20.5.12 (8122 matches)
        30 deny ip any host 172.20.5.14
        40 permit tcp any any eq www (3124 matches)
        50 permit tcp any any eq 443 (202927 matches)
        60 permit tcp any any eq 8080 (114 matches)
        70 permit ip any any (8056 matches)

    Hi Mohannad,
    Thanks for your response.
    Actually, as per the configuration it should work; I'm still trying to find out what has gone wrong with this configuration. In fact I have tested with a 3560 switch with the same config and it worked. The only difference here is that we used a 2960S switch.
    We need to find out why the next auth policy is not hitting once the user is authenticated.
    Here is the port configuration and the authen status of the port.
    ABQT-3FLR-ACC-01#sh running-config interface gig4/0/19
    Building configuration...
    Current configuration : 427 bytes
    interface GigabitEthernet4/0/19
    switchport access vlan 103
    switchport mode access
    switchport voice vlan 135
    authentication event fail action next-method
    authentication host-mode multi-auth
    authentication order dot1x mab
    authentication priority dot1x mab webauth
    authentication port-control auto
    authentication violation restrict
    mab
    dot1x pae authenticator
    dot1x timeout tx-period 10
    spanning-tree portfast
    end
    ABQT-3FLR-ACC-01#
    Mar 31 12:32:14.127: %AAA-3-BADSERVERTYPEERROR: Cannot process accounting server type tacacs+ (UNKNOWN)
    ABQT-3FLR-ACC-01#
    ABQT-3FLR-ACC-01#sh authentication sessions interface gigabitEthernet 4/0/19
                Interface:  GigabitEthernet4/0/19
              MAC Address:  0015.c5b4.fd4a
               IP Address:  10.1.3.23
                User-Name:  00-15-C5-B4-FD-4A
                   Status:  Authz Success
                   Domain:  DATA
           Oper host mode:  multi-auth
         Oper control dir:  both
            Authorized By:  Authentication Server
              Vlan Policy:  N/A
         URL Redirect ACL:  ACL-WEBAUTH-REDIRECT
             URL Redirect:  https://ABQ-TW-ISE-2.abq.gov.qa:8443/guestportal/gateway?sessionId=AC14011F0000018A32B4D906&action=cwa
          Session timeout:  N/A
             Idle timeout:  N/A
        Common Session ID:  AC14011F0000018A32B4D906
          Acct Session ID:  0x00000394
                   Handle:  0x3E00018B
    Runnable methods list:
           Method   State
           dot1x    Failed over
           mab      Authc Success

  • Not Working-central web-authentication with a switch and Identity Service Engine

    Following up on the document "Configuration example: central web-authentication with a switch and Identity Service Engine" by Nicolas Darchis, since the redirection on the switch is not working, I'm asking for your help...
    I'm using ISE version 1.0.4.573 and a WS-C2960-24PC-L with software 12.2(55)SE1 and image C2960-LANBASEK9-M for the access.
    The interface configuration looks like this:
    interface FastEthernet0/24
    switchport access vlan 6
    switchport mode access
    switchport voice vlan 20
    ip access-group webauth in
    authentication event fail action next-method
    authentication event server dead action authorize
    authentication event server alive action reinitialize
    authentication order mab
    authentication priority mab
    authentication port-control auto
    authentication periodic
    authentication timer reauthenticate server
    authentication violation restrict
    mab
    spanning-tree portfast
    end
    The ACL's
    Extended IP access list webauth
        10 permit ip any any
    Extended IP access list redirect
        10 deny ip any host 172.22.2.38
        20 permit tcp any any eq www
        30 permit tcp any any eq 443
    The ISE side configuration I followed step by step...
    When I connect the XP client, I see the following authentication session...
    swlx0x0x#show authentication sessions interface fastEthernet 0/24
               Interface:  FastEthernet0/24
              MAC Address:  0015.c549.5c99
               IP Address:  172.22.3.184
                User-Name:  00-15-C5-49-5C-99
                   Status:  Authz Success
                   Domain:  DATA
           Oper host mode:  single-host
         Oper control dir:  both
            Authorized By:  Authentication Server
               Vlan Group:  N/A
         URL Redirect ACL:  redirect
             URL Redirect: https://ISE-ip:8443/guestportal/gateway?sessionId=AC16011F000000510B44FBD2&action=cwa
          Session timeout:  N/A
             Idle timeout:  N/A
        Common Session ID:  AC16011F000000490AC1A9E2
          Acct Session ID:  0x00000077
                   Handle:  0xB7000049
    Runnable methods list:
           Method   State
           mab      Authc Success
    But there is no redirection, and I get the following message on the switch console:
    756005: Mar 28 11:40:30: epm-redirect:IP=172.22.3.184: No redirection policy for this host
    756006: Mar 28 11:40:30: epm-redirect:IDB=FastEthernet0/24: In epm_host_ingress_traffic_qualify ...
    I have to mention I'm using an HTTP proxy on port 8080...
    Any Ideas on what is going wrong?
    Regards
    Nuno

    OK, so I upgraded the IOS to version
    SW Version: 12.2(55)SE5, SW Image: C2960-LANBASEK9-M
    I tweaked the ACLs to the following:
    Extended IP access list redirect
        10 permit ip any any (13 matches)
    and created a DACL that is downloaded along with the authentication:
    Extended IP access list xACSACLx-IP-redirect-4f743d58 (per-user)
        10 permit ip any any
    I can see the epm session
    swlx0x0x#show epm session ip 172.22.3.74
         Admission feature:  DOT1X
         ACS ACL:  xACSACLx-IP-redirect-4f743d58
         URL Redirect ACL:  redirect
         URL Redirect:  https://ISE-ip:8443/guestportal/gateway?sessionId=AC16011F000000510B44FBD2&action=cwa
    And authentication
    swlx0x0x#show authentication sessions interface fastEthernet 0/24
         Interface:  FastEthernet0/24
         MAC Address:  0015.c549.5c99
         IP Address:  172.22.3.74
         User-Name:  00-15-C5-49-5C-99
         Status:  Authz Success
         Domain:  DATA
         Oper host mode:  multi-auth
         Oper control dir:  both
         Authorized By:  Authentication Server
         Vlan Group:  N/A
         ACS ACL:  xACSACLx-IP-redirect-4f743d58
         URL Redirect ACL:  redirect
         URL Redirect:  https://ISE-ip:8443/guestportal/gateway?sessionId=AC16011F000000510B44FBD2&action=cwa
         Session timeout:  N/A
         Idle timeout:  N/A
         Common Session ID:  AC16011F000000160042BD98
         Acct Session ID:  0x0000001B
         Handle:  0x90000016
         Runnable methods list:
         Method   State
         mab      Authc Success
    on the logging, I get the following messages...
    017857: Mar 29 11:27:04: epm-redirect:IDB=FastEthernet0/24: In epm_host_ingress_traffic_qualify ...
    017858: Mar 29 11:27:04: epm-redirect:epm_redirect_cache_gen_hash: IP=172.22.3.74 Hash=271
    017859: Mar 29 11:27:04: epm-redirect:IP=172.22.3.74: CacheEntryGet Success
    017860: Mar 29 11:27:04: epm-redirect:IP=172.22.3.74: Ingress packet on [idb= FastEthernet0/24] matched with [acl=redirect]
    017861: Mar 29 11:27:04: epm-redirect:IDB=FastEthernet0/24: Enqueue the packet with if_input=FastEthernet0/24
    017862: Mar 29 11:27:04: epm-redirect:IDB=FastEthernet0/24: In epm_host_ingress_traffic_process ...
    017863: Mar 29 11:27:04: epm-redirect:IDB=FastEthernet0/24: Not an HTTP(s) packet
    What am I missing?
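    A check that covers the redirect ACLs in this thread and in the 2960S guest-portal thread above it, as an added example (not code from either post or from Cisco). On the switch, the ACL named in 'URL Redirect ACL' selects traffic for redirection: a permit entry means 'redirect this', a deny entry means 'let it pass', and only HTTP/HTTPS can actually be redirected (hence the 'Not an HTTP(s) packet' line in this post). The linter flags permits that select other traffic, a broad permit with no DNS exemption, and ISE nodes that are not explicitly denied. Which addresses are ISE nodes is a parameter; the sample ACLs are copied from the posts.

```python
"""Lint a Catalyst central-web-auth (CWA) redirect ACL.

Added example; not from either thread above. The ACL named in 'URL Redirect
ACL' selects traffic for redirection: a permit entry means 'redirect this', a
deny entry means 'let it pass', and only HTTP/HTTPS can actually be redirected
(the switch logs 'Not an HTTP(s) packet' for anything else, as in the post).
The checks encode the pitfalls visible in the two threads; which addresses are
ISE nodes is a parameter, and the sample ACLs are copied from the posts.
"""
import re
from typing import Dict, List, Tuple

HEADER = re.compile(r"^Extended IP access list (?P<name>\S+)")
ENTRY = re.compile(
    r"^\s*(?P<seq>\d+)\s+(?P<action>permit|deny)\s+(?P<proto>\S+)\s+(?P<rest>.*?)"
    r"(?:\s+\(\d+ matches\))?\s*$"
)
WEB_PORTS = {"www", "80", "443", "8080"}   # 8080: explicit proxy, as in the post

Entry = Tuple[int, str, str, str]          # (seq, action, proto, rest)


def parse_acls(text: str) -> Dict[str, List[Entry]]:
    """ACL name -> entries, from 'show ip access-lists' style output."""
    acls: Dict[str, List[Entry]] = {}
    current = None
    for line in text.splitlines():
        h = HEADER.match(line)
        if h:
            current = acls.setdefault(h.group("name"), [])
            continue
        e = ENTRY.match(line)
        if e and current is not None:
            current.append((int(e["seq"]), e["action"], e["proto"], e["rest"]))
    return acls


def lint_redirect_acl(entries: List[Entry], ise_hosts: List[str]) -> List[str]:
    findings = []
    denied_hosts = {m.group(1)
                    for _, act, _, rest in entries if act == "deny"
                    for m in re.finditer(r"host (\S+)", rest)}
    for ip in ise_hosts:
        if ip not in denied_hosts:
            findings.append(f"ISE node {ip} is not denied: traffic to the portal itself is "
                            f"eligible for redirection; add 'deny ip any host {ip}' first")
    permits = [(seq, proto, rest) for seq, act, proto, rest in entries if act == "permit"]
    broad = [p for p in permits if p[1] in ("ip", "udp") and not re.search(r"\beq\b", p[2])]
    dns_denied = any(act == "deny" and proto == "udp" and re.search(r"\beq (domain|53)\b", rest)
                     for _, act, proto, rest in entries)
    if broad and not dns_denied:
        findings.append("a permit covers UDP but DNS is not denied: the client cannot "
                        "resolve the portal name; add 'deny udp any any eq domain'")
    for seq, proto, rest in permits:
        port = re.search(r"\beq (\S+)", rest)
        if proto != "tcp" or port is None or port.group(1) not in WEB_PORTS:
            findings.append(f"entry {seq} 'permit {proto} {rest}' selects non-HTTP traffic; "
                            "only tcp 80/443 (or the proxy port) can be redirected")
    return findings


def lint_text(text: str, ise_hosts: List[str]) -> Dict[str, List[str]]:
    return {name: lint_redirect_acl(entries, ise_hosts)
            for name, entries in parse_acls(text).items()}


# Copied from the 2960S guest-portal post (ISE nodes 172.20.5.12 and .14).
ACL_2960S = """Extended IP access list ACL-WEBAUTH-REDIRECT
    10 deny udp any any eq domain (1344 matches)
    20 deny ip any host 172.20.5.12 (8122 matches)
    30 deny ip any host 172.20.5.14
    40 permit tcp any any eq www (3124 matches)
    50 permit tcp any any eq 443 (202927 matches)
    60 permit tcp any any eq 8080 (114 matches)
    70 permit ip any any (8056 matches)
"""
# Copied from this post, before and after the tweak (ISE node 172.22.2.38).
ACL_BEFORE = """Extended IP access list redirect
    10 deny ip any host 172.22.2.38
    20 permit tcp any any eq www
    30 permit tcp any any eq 443
"""
ACL_AFTER = """Extended IP access list redirect
    10 permit ip any any (13 matches)
"""

if __name__ == "__main__":
    for label, text, ise in (("2960S", ACL_2960S, ["172.20.5.12", "172.20.5.14"]),
                             ("before", ACL_BEFORE, ["172.22.2.38"]),
                             ("after", ACL_AFTER, ["172.22.2.38"])):
        print(label, lint_text(text, ise))
```

    The redirect ACL and the port ACL (or DACL) are separate things: the redirect ACL only classifies which HTTP/HTTPS flows get intercepted, while the port ACL or DACL decides what the unauthenticated host may reach at all. A 'permit ip any any' in the redirect ACL does not open anything; it only declares traffic that the switch cannot redirect as eligible, which is what the 'Not an HTTP(s) packet' debug reports.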

  • 'authentication control-direction in' in authentication CLOSED mode

    Switch: 4510R+E, running a DEV version based off 3.6.0
    ISE: 1.2.0.899 patch 7
    Hi, I have been working on a weird issue where some of my clients would randomly drop their IP address, and the only way I could get it back was to move their port to authentication open mode. I need to run in closed mode because I change VLANs via MAB.
    I have been working with TAC, and they suggested I add the command 'authentication control-direction in' to my switchport config (below). With the couple of tests I've done, this seems to help. But I would like to understand why. Doesn't the control-direction command somewhat nullify the premise of running in closed mode? I.e., it allows some communication before the device is authorized. Thanks.
    interface GigabitEthernet2/18
     switchport access vlan 34
     switchport mode access
     switchport voice vlan 66
     logging event link-status
     authentication event fail action next-method
     authentication event server dead action authorize vlan 34
     authentication event server dead action authorize voice
     authentication event server alive action reinitialize 
     authentication host-mode multi-auth
     authentication order mab dot1x
     authentication priority dot1x mab
     authentication port-control auto
     authentication violation restrict
     mab
     dot1x pae authenticator
     dot1x timeout tx-period 10
     service-policy input QoS-Input-Policy
     service-policy output QoS-Host-Port-Output-Policy
    end

    I also needed to use this command to keep devices authenticated. It was happening with a CCTV system that was an embedded Linux OS. It was on MAB and because it wasn't transmitting any traffic (unlike a noisy Windows box), the switch wouldn't be able to reauth it as it had no MAC address to auth with, so it would show up with 'unknown' in the MAC field.
    Basically it allows traffic to flow out of the port. This enabled the device to receive HTTP traffic and made it respond, and then the switch could auth it again once the device sent a frame.
    When you do a show authentication sessions you will notice that Oper control dir: both changes to Oper control dir: in.

  • Dot1x clients not authenticated after reload

    Hi all,
    I have a switch setup with dynamic vlan assignment. Everything works fine until the switch is rebooted. Then none of the pc's are authenticated anymore. I have to do a shut/no shut of all the user ports to start the re-authentication of the pc's.
    This is the config I have so far. Am I missing something?
    Thanks,
    Best Regards,
    Joris
    Global commands
    aaa new-model
    aaa authentication dot1x default group radius
    aaa authorization network default group radius
    aaa accounting dot1x default start-stop group radius
    aaa accounting system default start-stop group radius
    aaa authorization exec default local if-authenticated
    aaa authorization commands 1 default local if-authenticated
    aaa authorization commands 15 default local if-authenticated
    dot1x system-auth-control
    dot1x guest-vlan supplicant
    dot1x critical eapol
    radius-server host x.x.x.x auth-port 1645 acct-port 1646 key *****
    radius-server vsa send accounting
    radius-server vsa send authentication
    Interface-specific commands
    switchport mode access
    switchport nonegotiate
    switchport port-security maximum 5
    switchport port-security
    switchport port-security violation restrict
    authentication event fail action authorize vlan 200
    authentication event server dead action authorize vlan 110
    authentication event no-response action authorize vlan 200
    authentication order mab dot1x
    authentication priority dot1x mab
    authentication port-control auto
    authentication periodic
    mab
    no snmp trap link-status
    dot1x pae authenticator
    dot1x timeout quiet-period 3
    dot1x timeout tx-period 3
    dot1x max-req 1
    storm-control broadcast level 1.00
    storm-control multicast level 1.00
    storm-control action shutdown
    storm-control action trap
    no cdp enable
    no cdp tlv server-location
    no cdp tlv app
    spanning-tree portfast

    I believe you will need to tell your ports what action to take when the AAA server becomes available. It knows what to do when it's dead or unavailable, but has the default setting when it is returned to service. Likely the switch is tripping AAA dead or non-responsive for a bit during boot and it's a race. You want the port to reauth when the AAA server becomes available.
    Sent from Cisco Technical Support iPhone App
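    The check the reply suggests, written as an added config-audit script that is not from this thread or from Cisco: it parses IOS-style interface stanzas and flags 802.1X/MAB ports that carry a "server dead" action but no "server alive action reinitialize". The sample config is constructed from the poster's interface commands; interface names and the VLAN 10 address are assumptions.

```python
"""Audit IOS interface stanzas for the 'server alive' 802.1X/MAB recovery action.
Added example, not from the thread. Assumes IOS-style config text with one-space
indented interface commands; '!' or any unindented line ends a stanza."""

# Constructed sample: the poster's commands wrapped in interface stanzas; only
# the second port carries the 'server alive' action the reply recommends.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport mode access
 authentication event fail action authorize vlan 200
 authentication event server dead action authorize vlan 110
 authentication event no-response action authorize vlan 200
 authentication port-control auto
 mab
 dot1x pae authenticator
!
interface GigabitEthernet1/0/2
 authentication event server dead action authorize vlan 110
 authentication event server alive action reinitialize
 authentication port-control auto
 mab
 dot1x pae authenticator
!
interface Vlan10
 ip address 10.0.0.1 255.255.255.0
"""

def parse_interfaces(config):
    """Return {interface_name: [commands]} for every interface stanza."""
    stanzas, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif line.startswith(" ") and current is not None:
            stanzas[current].append(line.strip())
        else:
            current = None  # '!' or any unindented line ends the stanza
    return stanzas

def audit_aaa_recovery(config):
    """Ports that react to RADIUS going dead but never to it coming back."""
    findings = []
    for name, cmds in parse_interfaces(config).items():
        if "authentication port-control auto" not in cmds:
            continue  # not an 802.1X/MAB port
        has_dead = any(c.startswith("authentication event server dead") for c in cmds)
        has_alive = "authentication event server alive action reinitialize" in cmds
        if has_dead and not has_alive:
            findings.append(name)
    return findings
```

    Run audit_aaa_recovery() over a saved "show running-config" to list the ports that need the alive action added.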

  • Cisco ISE 1.3 MAB authentication.. switch drop packet

    Hello All,
    I have a C3560 Software (C3560-IPSERVICESK9-M), Version 12.2(55)SE9, RELEASE SOFTWARE (fc1) switch
    and ISE version 1.3.
    MAB authentication is working perfectly at the ISE end, but when looking at the switch end I am seeing the switch dropping packets on some ports,
    while some ports are working perfectly.
    Same switch configuration is working perfectly on another switch without any issue..
    Switch configuration for your suggestion..!!
    aaa new-model
    aaa authentication fail-message ^C
    **** Either ACS or ISE is DOWN / Use ur LOCAL CREDENTIALS / Thank You ****
    ^C
    aaa authentication login CONSOLE local
    aaa authentication login ACS group tacacs+ group radius local
    aaa authentication dot1x default group radius
    aaa authorization config-commands
    aaa authorization commands 0 default group tacacs+ local
    aaa authorization commands 1 default group tacacs+ local
    aaa authorization commands 15 default group tacacs+ local
    aaa authorization network default group radius
    aaa accounting dot1x default start-stop group radius
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 0 default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    aaa accounting network default start-stop group tacacs+
    aaa accounting connection default start-stop group tacacs+
    aaa accounting system default start-stop group tacacs+ group radius
    aaa server radius dynamic-author
     client 172.16.95.x server-key 7 02050D480809
     client 172.16.95.x server-key 7 14141B180F0B
    aaa session-id common
    clock timezone IST 5 30
    system mtu routing 1500
    ip routing
    no ip domain-lookup
    ip domain-name EVS.com
    ip device tracking
    epm logging
    dot1x system-auth-control
    interface FastEthernet0/1
     switchport access vlan x
     switchport mode access
     switchport voice vlan x
     authentication event fail action next-method
     authentication host-mode multi-auth
     authentication order mab dot1x
     authentication priority mab dot1x
     authentication port-control auto
     authentication violation restrict
     mab
     snmp trap mac-notification change added
     snmp trap mac-notification change removed
     dot1x pae authenticator
     dot1x timeout tx-period 10
     spanning-tree portfast
    ip tacacs source-interface Vlan10
    ip radius source-interface Vlan10 vrf default
    logging trap critical
    logging origin-id ip
    logging 172.16.5.95
    logging host 172.16.95.x transport udp port 20514
    logging host 172.16.95.x transport udp port 20514
    snmp-server group SNMP-Group v3 auth read EVS-view notify *tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF7F access 15
    snmp-server view EVS-view internet included
    snmp-server community S1n2M3p4$ RO
    snmp-server community cisco RO
    snmp-server trap-source Vlan10
    snmp-server source-interface informs Vlan10
    snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
    snmp-server enable traps tty
    snmp-server enable traps cluster
    snmp-server enable traps entity
    snmp-server enable traps cpu threshold
    snmp-server enable traps vtp
    snmp-server enable traps vlancreate
    snmp-server enable traps vlandelete
    snmp-server enable traps flash insertion removal
    snmp-server enable traps port-security
    snmp-server enable traps envmon fan shutdown supply temperature status
    snmp-server enable traps config-copy
    snmp-server enable traps config
    snmp-server enable traps bridge newroot topologychange
    snmp-server enable traps stpx inconsistency root-inconsistency loop-inconsistency
    snmp-server enable traps syslog
    snmp-server enable traps mac-notification change move threshold
    snmp-server enable traps vlan-membership
    snmp-server host 172.16.95.x version 2c cisco
    snmp-server host 172.16.95.x version 2c cisco
    snmp-server host 172.16.5.x version 3 auth evsnetadmin
    tacacs-server host 172.16.5.x key 7 0538571873651D1D4D26421A4F
    tacacs-server directed-request
    tacacs-server key 7 107D580E573E411F58277F2360
    tacacs-server administration
    radius-server attribute 6 on-for-login-auth
    radius-server attribute 25 access-request include
    radius-server host 172.16.95.y auth-port 1812 acct-port 1813 key 7 060506324F41
    radius-server host 172.16.95.x auth-port 1812 acct-port 1813 key 7 110A1016141D
    radius-server host 172.16.95.y auth-port 1645 acct-port 1646 key 7 110A1016141D
    radius-server host 172.16.95.x auth-port 1645 acct-port 1646 key 7 070C285F4D06
    radius-server timeout 2
    radius-server key 7 060506324F41
    radius-server vsa send accounting
    radius-server vsa send authentication
    line con 0
     exec-timeout 5 0
     privilege level 15
     logging synchronous
     login authentication CONSOLE
    line vty 0 4
     access-class telnet_access in
     exec-timeout 0 0
     logging synchronous
     login authentication ACS
     transport input ssh

    24423 ISE has not been able to confirm previous successful machine authentication
    Judging by that line and what your policy says, it appears that your authentication was rejected as your machine was not authenticated prior to this connection.
    The first thing to check is whether MAR has been enabled on the identity source. The second thing to check is whether your machine is set to send a certificate for authentication. There are other things you can look at, but I'd do those two first.
    Log off and on, or reboot, and then see if you at least get a failed machine auth on the Operations > Authentication page, and we can go from there.

  • AD Machine Authentication with Cisco ISE problem

    Hi Experts,
    I am new with ISE. I have configured ISE and domain computers for PEAP authentication. Initially the machine gets authenticated and then it starts going to MAB.
    Authentication policy:
    Allowed protocol = PEAP & TLS
    Authorization Policy:
    Condition for computer to be checked in external identity store (AD) = Permit access
    Condition for users to be checked in external identity store (AD) plus WasMachineAuthenticated = permit access
    All of the above policies do match and download the ACL from ISE, but the computer starts MAB authentication again...
    Switchport configuration:
    ===============================================
    ip access-list extended ACL-DEFAULT
    remark Allow DHCP
    permit udp any eq bootpc any eq bootps
    remark Allow DNS
    permit udp any any eq domain
    permit ip any host (AD)
    permit icmp any any
    permit ip any host (ISE-1)
    permit ip any host  (ISE-2)
    permit udp any host (CUCM-1) eq tftp
    permit udp any host (CUCM-2) eq tftp
    deny ip any any
    ===============================================
    switchport config
    ===============================================
    switchport access vlan 10
    switchport mode access
    switchport voice vlan 20
    ip access-group ACL-DEFAULT in
    authentication open
    authentication event fail action next-method
    authentication event server dead action authorize vlan 1
    authentication event server alive action reinitialize
    authentication host-mode multi-domain
    authentication order dot1x mab
    authentication priority dot1x mab
    authentication port-control auto
    authentication periodic
    authentication timer reauthenticate server
    authentication timer inactivity 180
    authentication violation restrict
    mab
    dot1x pae authenticator
    dot1x timeout tx-period 100
    ====================================================
    One more problem about the "authentication open" and default ACL: once the authentication succeeds and the per-user ACL is pushed through ISE to the switch, the default ACL still blocks communication on this switchport.
    Your help will be highly appreciated.
    Regards,

    You need to watch the switch during an authentication, see if the machine is passing authentication and the user may be failing authentication causing the switch to fail to MAB.  If your switch configuration is on auth failure continue to next method, then this makes sense.  The question is why the user is failing auth but the machine is passing; it could be something in the policy.  Make sure your AD setup has machine authentication checked or it may not tie the machine and user auth together, and the user may be failing because ISE can't make that relationship, so the machinewasauth=true is not being matched.  An easy way to check is to remove that rule from your policy and see if the same thing happens.
    I've also seen this happen when clients want to use EAP-TLS on the wired side: the machine passes auth, then the user logs into a machine for the first time.  The user auth kicks off before the user gets a cert and fails auth with a null certificate; since this is an auth failure the switchport kicks over to MAB.
    I don't think wasmachineauth=true is that great; I prefer to use EAP-FASTv2 using Cisco AnyConnect NAM with EAP chaining.  This is great because you can do two-part authentication: EAP-FAST outer with EAP-TLS inner for the machine auth, and MSCHAPv2 for the inner of the user auth. You get your EAP-TLS auth for the machine and don't have to worry about a user logging into a machine for the first time and switching to MAB because the user doesn't have a cert yet.  I also do my rule to say if machine pass and user fail, then workstation policy; if machine and user pass, then corp policy.

  • Cisco ISE (Authentication failed: 24415 User authentication against Active Directory failed since user's account is locked out)

    Hi,
    I have an ISE 1.1.1 setup. Users are getting authenticated against AD. Everything is working fine except that some users report disconnection. I see in the ISE that (Authentication failed: 24415 User authentication against Active Directory failed since user's account is locked out). Users are using Windows 7 OS.
    Error is enclosed & here is the port configuration.
    Port Configuration.
    interface GigabitEthernet0/2
    switchport access vlan 120
    switchport mode access
    switchport voice vlan 121
    authentication event fail action next-method
    authentication event server dead action reinitialize vlan 120
    authentication event server alive action reinitialize
    authentication host-mode multi-auth
    authentication order mab dot1x
    authentication priority dot1x mab
    authentication port-control auto
    authentication periodic
    authentication timer reauthenticate server
    mab
    dot1x pae authenticator
    dot1x timeout tx-period 60
    spanning-tree portfast
    ip dhcp snooping limit rate 30
    Please help.

    The error message means that the Active Directory server rejected the authentication attempt
    as, for some reason, the user account got locked. I guess you should ask your AD team to check in the AD
    event logs why the user account got locked.
    Under Event Viewer, you can find it out.
    Regards
    Minakshi (Do rate the helpful posts)
