Wiki auto-authentication
Hi all.
I am struggling to find a Mountain Lion solution to auto authenticate a wiki login.
In detail, I have a website hosted on a providers' server, and a wiki on my local Mountain Lion Server, both are perfectly reachable from outside. The wiki is integrated as a part of the external website.
Visitors of the external website have to authenticate against the OD server, the login credentials are stored in de website database for reuse. I'd like the visitors to be automatically logged on to the wiki server as well, to avoid them having to authenticate a second time.
Back in the Snow Leopard days, I had an XML-RPC procedure which auto authenticated the wiki. This was all working perfectly well, but since XML-RPC is depreciated in Mountain Lion, I'm looking for an alternative solution.
regards,
Cliff
Am 07.06.2014 14:52, schrieb Gotthard Anger:
> Hello, Mathias
> Am 06.06.2014 17:46, schrieb MFaust:
>> there are newer builds that fix the problem - eg. 115701 or 115905.
>> Open an SR and NTS should provide you with a newer build which fixes the
>> problem.
> Are these builds the client affecting only? I´m using at this time the
> 2012 client. Thats why I think needing a new po agent.
>
> Go
>
Update: Same behavior with the new 1400 client.
Go
Gotthard Anger
Anwenderbetreuung Netzwerkadministration
Landeskirchenamt der EKM
[email protected]
http://forums.novell.com/member.php?u=35038
Mails an diese Adresse werden nur nach vorheriger Ansage gelesen!
Mails for this address will only be read if you trigger me before.
Similar Messages
-
Wiki-Server, authentication fails with iPad
Hello everybody,
I have made a clean installation of OS X Server.
I see a strange behavior with Wiki. When I try to authenticate with the iPad it says: "Failed to log in sucessfully" ?? I can, however access the Wikis that are "publicly" available without any issue, but what about the "hidden" ones?!
When I use the Macbook, Firefox on a PC, or the iPhone then it's all fine. Authentication works as expected.
Am I missing here something?I have this exact issue in my school, massively annoying being as we have a 1:1 rollout of over a thousand iPads and had invested considerable time developing resources on the wiki, and now, the only device it doesn't work on, is the same device that we have given to all our pupils.
Charles -
Wiki mobile authentication issue
Having an odd issue with wiki authentication... Users can log in fine via any desktop browser, however if a user attempts to use an iPhone to log in via the mobile interface, the following error occurs:
"Error from server: No record found for that path: 'groups/list' (8002)"Having an odd issue with wiki authentication... Users can log in fine via any desktop browser, however if a user attempts to use an iPhone to log in via the mobile interface, the following error occurs:
"Error from server: No record found for that path: 'groups/list' (8002)" -
Hello Team,
I have been using OSx Servers (3.1.2 - Build 1354517) 'wiki' or Collaborative suite to host some personally created wiki's and documentation. Upon having this open to external (WAN) connections, as was my eventual goal; I noticed a potential problem. I found that I could continually attempt authenticate against the website, without any timeout or anything else to slow down my attempts.
To elaborate briefly, I don't mean authentication against .htpassword as maybe configured in OSX Servers Website hosting setup. I mean against the wiki software itself. The only way around this, that I can find, would be to use .htpassword for an additional layer of security.
Given that there are MANY ways to gain usernames against the wiki server (Profiles, default 'alias', activity logs - etc), and the fact that this authenticates against local system accounts, is this a genuine security threat?
I appreciate any feedback from other users or perhaps Apple.Hello Linc,
I appreciate your reply, though I feel it misses the core content of my enquiry. It's not unnecessary to expose this service, but I would like the ability to. I don't think the service accessibility limitations should be defined on whether the application is secure or not.
And either way, even if run in a secure environment; it's still a compromise.
In the end, I'm still not sure; Do you acknowledge that this is vulnerable to brute force?
Thanks, -
Wiki auto pdf pages files on upload?
I find that only pages files are turned into pdfs when uploaded using the wiki servers documents add.
Anyone confirm?
Is this doucmented somewhere. I noticed it zipped my numbers files.Look in the Pages preferences > General tab . Uncheck "save new documents a packages". For already saved documents my guess is that if you can "Save as copy" you would be able to get a "flat" document instead of a package. I can't test this as I am on Snow Leopard and always have it unchecked.
-
Auto-authentication using NT credentials?
I have the following piece of javascript to detect an intranet user's NT id by creating an ActiveX component (IE 5.5). How can I pass this to an authentication module/login URL so that users are logged into portal automatically when they request the portal login page?
<script
language="JavaScript"
type="text/javascript"
event="onload"
for="window">
var net = new ActiveXObject("Wscript.Network");
document.all.strUsername.value = net.UserName;
document.all.strDomain.value = net.UserDomain;
</script>
thx,
MurrayYou need to build a URL something like:
http://server:8080/login/Ldap?page=1&TOKEN0=<username>&TOKEN1=<password>&Submit=Login
Have a look at the authentication templates under /etc/opt/SUNWips/desktop/default/iwtLoginProvider/ and check the form variables that are passed in for the authentication module you are using.
Stephen -
An issue with authentication and authorization on ISE 1.2
Hi, I'm new to ISE.
I have an issue with authentication and authorization.
I have ISE 1.2 plus patch 6 installed on VMware.
I have built-in Windows XP supplicant and 2960 cisco switch with IOS c2960-lanbasek9-mz.150-2.SE5.bin
On supplicant I use EAP(PEAP) with EAP-MSCHAP v2.
I created authentication and authorization rules with Active Directory as External Identity Source. Also I applied authorization profile with DACL.I login on Windows XP machine under different Active Directory accounts. Everything works fine (authentication, authorization ), but only for several hours. After several hours passed , authentication and authorization stop working . I can see that ISE trying authenticate and authorize users, but ISE always use only one account for authentication and authorization . Even if I login under different accounts ISE continue to use only one last account.
I traied to reboot switch and PC,but it didn’t help. Only rebooting of ISE helps. After ISE rebooting, authentication and authorization start to work properly for several hours.
I don’t understand is it a glitch or I misconfigured ISE or switch, supplicant?
What should I do to resolve this issue?
Switch configuration:
testISE#sh runn
Building configuration...
Current configuration : 7103 bytes
! Last configuration change at 12:20:15Tue Apr 15 2014
! NVRAM config last updated at 10:35:02 Tue Apr 15 2014
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname testISE
boot-start-marker
boot-end-marker
no logging console
logging monitor informational
enable secret 5 ************
enable password ********
username radius-test password 0 ********
username admin privilege 15 secret 5 ******************
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa authorization auth-proxy default group radius
aaa accounting update periodic 5
aaa accounting dot1x default start-stop group radius
aaa server radius dynamic-author
client 172.16.0.90 server-key ********
aaa session-id common
clock timezone 4 0
system mtu routing 1500
authentication mac-move permit
ip dhcp snooping vlan 1,22
ip dhcp snooping
ip domain-name elauloks
ip device tracking probe use-svi
ip device tracking
epm logging
crypto pki trustpoint TP-self-signed-1888913408
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1888913408
revocation-check none
rsakeypair TP-self-signed-1888913408
crypto pki certificate chain TP-self-signed-1888913408
dot1x system-auth-control
spanning-tree mode pvst
spanning-tree extend system-id
vlan internal allocation policy ascending
ip ssh version 2
interface FastEthernet0/5
switchport mode access
ip access-group ACL-ALLOW in
authentication event fail action next-method
authentication event server dead action reinitialize vlan 1
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
interface FastEthernet0/6
switchport mode access
ip access-group ACL-ALLOW in
authentication event fail action next-method
authentication event server dead action reinitialize vlan 1
authentication event server alive action reinitialize
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
interface FastEthernet0/7
interface Vlan1
ip address 172.16.0.204 255.255.240.0
no ip route-cache
ip default-gateway 172.16.0.1
ip http server
ip http secure-server
ip access-list extended ACL-ALLOW
deny icmp any host 172.16.0.1
permit ip any any
ip radius source-interface Vlan1
logging origin-id ip
logging source-interface Vlan1
logging host 172.16.0.90 transport udp port 20514
snmp-server community public RO
snmp-server community ciscoro RO
snmp-server trap-source Vlan1
snmp-server source-interface informs Vlan1
snmp-server enable traps snmp linkdown linkup
snmp-server enable traps mac-notification change move
snmp-server host 172.16.0.90 ciscoro
radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 5 tries 3
radius-server vsa send accounting
radius-server vsa send authentication
radius server ISE-Alex
address ipv4 172.16.0.90 auth-port 1812 acct-port 1813
automate-tester username radius-test idle-time 15
key ******
ntp server 172.16.0.1
ntp server 172.16.0.5
endYes. Tried that (several times) didn't work. 5 people in my office, all with vers. 6.0.1 couldn't access their gmail accounts. Kept getting error message that username and password invalid. Finally solved the issue by using Microsoft Exchange and "m.google.com" as server and domain and that the trick. Think there is an issue with imap.gmail.com and IOS 6.0.1. I'm sure the 5 of us suddently experiencing this issue aren't the only ones. Apple will figure it out. Thanks.
-
ISE 1.2 Authentication Failures at First time Connection
Hi,
I have a trouble with ISE 1.2 when trying to authenticate for first time an end-device, this device might be either a Workstation or IP Phone or Printer,etc. it fails or staying in running mode. The result is the same it can not access the network. hopefully I'm still in open mode :)
As i described in the beginning everything has status Running or Authz Failed. and after a time of period usually one day finally succeeds.
This happens mostly for workstations and printers, but in case of phones does not have the same behavior. I unplug plug the phones or I shut/ no shut the ports in order to trigger it to succeed. For some phones worked but other obstinately declined.
The phones which are not Cisco phones authenticated with MD5 (a simple username and pass ) i think the problem should not related with the auth protocol.
Below are some logs from one phone. For me coming to a short conclusion this must be related with the switches which are 3750e (15.02 SE 4 IOS)
or with the same the ISE, why because i have almost the same behavior for all end-devices.
I kindly remain your comments...
2169669: Apr 16 18:02:20.573 EEST: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/35, changed state to up
2169670: Apr 16 18:02:20.783 EEST: %DOT1X-5-FAIL: Authentication failed for client (0080.9f7d.3ddf) on Interface Gi1/0/34 AuditSessionID 0A114D0D0000D5E8855C01DE
2169671: Apr 16 18:02:20.791 EEST: %AUTHMGR-7-RESULT: Authentication result 'timeout' from 'dot1x' for client (0080.9f7d.3ddf) on Interface Gi1/0/34 AuditSessionID 0A114D0D0000D5E8855C01DE
S301#
2169672: Apr 16 18:02:20.992 EEST: %AUTHMGR-5-START: Starting 'dot1x' for client (0080.9f7d.3ddf) on Interface Gi1/0/34 AuditSessionID 0A114D0D0000D5F0855DE0EF
2169673: Apr 16 18:02:21.580 EEST: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/35, changed state to up
S301#
2169674: Apr 16 18:02:24.289 EEST: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/35, changed state to down
S301#
2169675: Apr 16 18:02:25.288 EEST: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/35, changed state to down
2169676: Apr 16 18:02:26.269 EEST: %AUTHMGR-5-START: Starting 'dot1x' for client (0080.9f7d.3e6f) on Interface Gi1/0/35 AuditSessionID 0A114D0D0000D5F1855DF3BE
2169677: Apr 16 18:02:26.294 EEST: %DOT1X-5-FAIL: Authentication failed for client (0080.9f7d.3e6f) on Interface Gi1/0/35 AuditSessionID 0A114D0D0000D5F1855DF3BE
2169678: Apr 16 18:02:26.294 EEST: %AUTHMGR-7-RESULT: Authentication result 'fail' from 'dot1x' for client (0080.9f7d.3e6f) on Interface Gi1/0/35 AuditSessionID 0A114D0D0000D5F1855DF3BE
2169679: Apr 16 18:02:26.303 EEST: %DOT1X-5-FAIL: Authentication failed for client (0080.9f7d.3e6f) on Interface Gi1/0/35 AuditSessionID 0A114D0D0000D5F1855DF3BE
2169680: Apr 16 18:02:26.303 EEST: %AUTHMGR-7-RESULT: Authentication result 'fail' from 'dot1x' for client (0080.9f7d.3e6f) on Interface Gi1/0/35 AuditSessionID 0A114D0D0000D5F1855DF3BE
2169681: Apr 16 18:02:26.319 EEST: %DOT1X-5-FAIL: Authentication failed for client (0080.9f7d.3e6f) on Interface Gi1/0/35 AuditSessionID 0A114D0D0000D5F1855DF3BE
2169682: Apr 16 18:02:26.319 EEST: %AUTHMGR-7-RESULT: Authentication result 'fail' from 'dot1x' for client (0080.9f7d.3e6f) on Interface Gi1/0/35 AuditSessionID 0A114D0D0000D5F1855DF3BE
2169683: Apr 16 18:02:26.319 EEST: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (0080.9f7d.3e6f) on Interface Gi1/0/35 AuditSessionID 0A114D0D0000D5F1855DF3BE
2169684: Apr 16 18:02:26.319 EEST: %AUTHMGR-5-START: Starting 'mab' for client (0080.9f7d.3e6f) on Interface Gi1/0/35 AuditSessionID 0A114D0D0000D5F1855DF3BE
2169685: Apr 16 18:02:26.328 EEST: %MAB-5-FAIL: Authentication failed for client (0080.9f7d.3e6f) on Interface Gi1/0/35 AuditSessionID 0A114D0D0000D5F1855DF3BE
2169686: Apr 16 18:02:26.328 EEST: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'mab' for client (0080.9f7d.3e6f) on Interface Gi1/0/35 AuditSessionID 0A114D0D0000D5F1855DF3BE
2169687: Apr 16 18:02:26.328 EEST: %AUTHMGR-7-FAILOVER: Failing over from 'mab' for client (0080.9f7d.3e6f) on Interface Gi1/0/35 AuditSessionID 0A114D0D0000D5F1855DF3BE
2169688: Apr 16 18:02:26.328 EEST: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (0080.9f7d.3e6f) on Interface Gi1/0/35 AuditSessionID 0A114D0D0000D5F1855DF3BE
S301#
2169689: Apr 16 18:02:26.336 EEST: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (0080.9f7d.3e6f) on Interface Gi1/0/35 AuditSessionID 0A114D0D0000D5F1855DF3BE
S301#
2169690: Apr 16 18:02:27.737 EEST: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/35, changed state to up
2169691: Apr 16 18:02:28.744 EEST: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/35, changed state to up
Regards
T.CI'm not using authentication method with certificates for none end-devices
Workstations with the windows default authentication protocol EAP/MSCHAPv2
In front of them there are non Cisco IP-phones with auth. method EAP/MD5
Finally I also have some printers again with option EAP/MD5
For all of these devices I received the same behavior, after many hours finally the authenticated with ISE. But is this the expected behavior?
What I understand is that if the devices finally authenticated then it means that there isn’t anything wrong with the method.
The misunderstanding points are 3
Why there is so much delay for all devices to authenticate?
Why some devices, mostly IP phones (not all) continuing to fail to the authentication method. All my devices are identical with the same software / patch, same model etc.
I have noticed randomly some devices one moment to succeed and the next moment to failed
So for my understanding there is an abnormal behavior and i cannot find the way /pattern to correct it or to understand the reason :)
Port config
switchport access vlan xxx
switchport mode access
switchport voice vlan yyy
ip access-group ACL-ALLOW in
authentication event fail action next-method
authentication event server dead action reinitialize vlan xxx
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
dot1x pae authenticator
no cdp enable
spanning-tree portfast
result template
Switch#sh auth sess int g1/0/46
Interface: GigabitEthernet1/0/46
MAC Address: xxxx.xxxx.xxxx
IP Address: xx.xxx.xx.xxx
User-Name: xxxxxxxxxxxx
Status: Authz Failed
Domain: DATA
Security Policy: Should Secure
Security Status: Unsecure
Oper host mode: multi-domain
Oper control dir: both
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0A114D0A00001972016208E1
Acct Session ID: 0x00001BB7
Handle: 0x6D0009B6
Runnable methods list:
Method State
dot1x Failed over
mab Failed over -
ISE Wired guest portal redirect even after authentication
Hi
I have configured both Wired and Wireless guest authentication via guest portal. Wireless is working fine, however the when trying with Wired, the redireciton page is keep getting even after user authenticated.
I'm not seen the redirection authorization policy in my logs however I can see only the user authentication logs (successful). Attached is my configuration and logging output.
Here is what I see on the interface
ABQT-3FLR-ACC-01#sh authentication sessions interface gigabitEthernet 4/0/19
Interface: GigabitEthernet4/0/19
MAC Address: a0b3.ccca.2ab1
IP Address: 10.1.3.16
User-Name: A0-B3-CC-CA-2A-B1
Status: Authz Success
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Authorized By: Authentication Server
Vlan Policy: N/A
URL Redirect ACL: ACL-WEBAUTH-REDIRECT
URL Redirect: https://xxxx-TW-ISE-2.xxx.xxx.qa:8443/guestportal/gateway?sessionId=AC14011F000001571E52779F&action=cwa
Session timeout: N/A
Idle timeout: N/A
Common Session ID: AC14011F000001571E52779F
Acct Session ID: 0x00000309
Handle: 0xE6000158
Runnable methods list:
Method State
dot1x Failed over
mab Authc Success
Here is the ACL
Extended IP access list ACL-WEBAUTH-REDIRECT
10 deny udp any any eq domain (1344 matches)
20 deny ip any host 172.20.5.12 (8122 matches)
30 deny ip any host 172.20.5.14
40 permit tcp any any eq www (3124 matches)
50 permit tcp any any eq 443 (202927 matches)
60 permit tcp any any eq 8080 (114 matches)
70 permit ip any any (8056 matches)Hi Mohannad,
Thanks for your response.
Actually the as per the configuration it should work, I'm still trying to find out what is what has gone wrong with this configuration. Infact I have tested with 3560 switch with the same config and it worked. only difference here is we used 2960S switch.
We need to find out why the next Auth policy is not hitting once user is authenticated.
Here is the port configuration and the authen status of the port.
ABQT-3FLR-ACC-01#sh running-config interface gig4/0/19
Building configuration...
Current configuration : 427 bytes
interface GigabitEthernet4/0/19
switchport access vlan 103
switchport mode access
switchport voice vlan 135
authentication event fail action next-method
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab webauth
authentication port-control auto
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
end
ABQT-3FLR-ACC-01#
Mar 31 12:32:14.127: %AAA-3-BADSERVERTYPEERROR: Cannot process accounting server type tacacs+ (UNKNOWN)
ABQT-3FLR-ACC-01#
ABQT-3FLR-ACC-01#sh atuh
ABQT-3FLR-ACC-01#sh atu
ABQT-3FLR-ACC-01#sh authe
ABQT-3FLR-ACC-01#sh authentication se
ABQT-3FLR-ACC-01#sh authentication sessions in
ABQT-3FLR-ACC-01#sh authentication sessions interface gi
ABQT-3FLR-ACC-01#sh authentication sessions interface gigabitEthernet 4/0/19
Interface: GigabitEthernet4/0/19
MAC Address: 0015.c5b4.fd4a
IP Address: 10.1.3.23
User-Name: 00-15-C5-B4-FD-4A
Status: Authz Success
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Authorized By: Authentication Server
Vlan Policy: N/A
URL Redirect ACL: ACL-WEBAUTH-REDIRECT
URL Redirect: https://ABQ-TW-ISE-2.abq.gov.qa:8443/guestportal/gateway?sessionId=AC14011F0000018A32B4D906&action=cwa
Session timeout: N/A
Idle timeout: N/A
Common Session ID: AC14011F0000018A32B4D906
Acct Session ID: 0x00000394
Handle: 0x3E00018B
Runnable methods list:
Method State
dot1x Failed over
mab Authc Success -
Not Working-central web-authentication with a switch and Identity Service Engine
on the followup the document "Configuration example : central web-authentication with a switch and Identity Service Engine" by Nicolas Darchis, since the redirection on the switch is not working, i'm asking for your help...
I'm using ISE Version : 1.0.4.573 and WS-C2960-24PC-L w/software 12.2(55)SE1 and image C2960-LANBASEK9-M for the access.
The interface configuration looks like this:
interface FastEthernet0/24
switchport access vlan 6
switchport mode access
switchport voice vlan 20
ip access-group webauth in
authentication event fail action next-method
authentication event server dead action authorize
authentication event server alive action reinitialize
authentication order mab
authentication priority mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
spanning-tree portfast
end
The ACL's
Extended IP access list webauth
10 permit ip any any
Extended IP access list redirect
10 deny ip any host 172.22.2.38
20 permit tcp any any eq www
30 permit tcp any any eq 443
The ISE side configuration I follow it step by step...
When I conect the XP client, e see the following Autenthication session...
swlx0x0x#show authentication sessions interface fastEthernet 0/24
Interface: FastEthernet0/24
MAC Address: 0015.c549.5c99
IP Address: 172.22.3.184
User-Name: 00-15-C5-49-5C-99
Status: Authz Success
Domain: DATA
Oper host mode: single-host
Oper control dir: both
Authorized By: Authentication Server
Vlan Group: N/A
URL Redirect ACL: redirect
URL Redirect: https://ISE-ip:8443/guestportal/gateway?sessionId=AC16011F000000510B44FBD2&action=cwa
Session timeout: N/A
Idle timeout: N/A
Common Session ID: AC16011F000000490AC1A9E2
Acct Session ID: 0x00000077
Handle: 0xB7000049
Runnable methods list:
Method State
mab Authc Success
But there is no redirection, and I get the the following message on switch console:
756005: Mar 28 11:40:30: epm-redirect:IP=172.22.3.184: No redirection policy for this host
756006: Mar 28 11:40:30: epm-redirect:IDB=FastEthernet0/24: In epm_host_ingress_traffic_qualify ...
I have to mention I'm using an http proxy on port 8080...
Any Ideas on what is going wrong?
Regards
NunoOK, so I upgraded the IOS to version
SW Version: 12.2(55)SE5, SW Image: C2960-LANBASEK9-M
I tweak with ACL's to the following:
Extended IP access list redirect
10 permit ip any any (13 matches)
and created a DACL that is downloaded along with the authentication
Extended IP access list xACSACLx-IP-redirect-4f743d58 (per-user)
10 permit ip any any
I can see the epm session
swlx0x0x#show epm session ip 172.22.3.74
Admission feature: DOT1X
ACS ACL: xACSACLx-IP-redirect-4f743d58
URL Redirect ACL: redirect
URL Redirect: https://ISE-ip:8443/guestportal/gateway?sessionId=AC16011F000000510B44FBD2&action=cwa
And authentication
swlx0x0x#show authentication sessions interface fastEthernet 0/24
Interface: FastEthernet0/24
MAC Address: 0015.c549.5c99
IP Address: 172.22.3.74
User-Name: 00-15-C5-49-5C-99
Status: Authz Success
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Authorized By: Authentication Server
Vlan Group: N/A
ACS ACL: xACSACLx-IP-redirect-4f743d58
URL Redirect ACL: redirect
URL Redirect: https://ISE-ip:8443/guestportal/gateway?sessionId=AC16011F000000510B44FBD2&action=cwa
Session timeout: N/A
Idle timeout: N/A
Common Session ID: AC16011F000000160042BD98
Acct Session ID: 0x0000001B
Handle: 0x90000016
Runnable methods list:
Method State
mab Authc Success
on the logging, I get the following messages...
017857: Mar 29 11:27:04: epm-redirect:IDB=FastEthernet0/24: In epm_host_ingress_traffic_qualify ...
017858: Mar 29 11:27:04: epm-redirect:epm_redirect_cache_gen_hash: IP=172.22.3.74 Hash=271
017859: Mar 29 11:27:04: epm-redirect:IP=172.22.3.74: CacheEntryGet Success
017860: Mar 29 11:27:04: epm-redirect:IP=172.22.3.74: Ingress packet on [idb= FastEthernet0/24] matched with [acl=redirect]
017861: Mar 29 11:27:04: epm-redirect:IDB=FastEthernet0/24: Enqueue the packet with if_input=FastEthernet0/24
017862: Mar 29 11:27:04: epm-redirect:IDB=FastEthernet0/24: In epm_host_ingress_traffic_process ...
017863: Mar 29 11:27:04: epm-redirect:IDB=FastEthernet0/24: Not an HTTP(s) packet
What I'm I missing? -
'authentication control-direction in' in authentication CLOSED mode
Switch: 4510R+E, running a DEV version based off 3.6.0
ISE: 1.2.0.899 patch 7
Hi, I have been working on a weird issue where some of my clients would randomly drop their IP address and the only way I could get it back was to move their port to authentication open mode. I need to run in closed mode because I change VLANs via MAB.
I have been working with TAC, and they suggested I add the command 'authentication control-direction in' to my switchport config (below). With the couple tests Ive done, this seems to help. But I would like to understand why. Doesn't the control-direction command somewhat nullify the premise of running in closed mode? I.E. It allows some communication before the device is authorized. Thanks.
interface GigabitEthernet2/18
switchport access vlan 34
switchport mode access
switchport voice vlan 66
logging event link-status
authentication event fail action next-method
authentication event server dead action authorize vlan 34
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
service-policy input QoS-Input-Policy
service-policy output QoS-Host-Port-Output-Policy
endI also needed to use this command to keep devices authenticated. It was happening with a CCTV system that was an embedded Linux OS. It was on MAB and because it wasn't transmitting any traffic (unlike a noisy windows box) then the switch wouldn't be able to reauth it as it had no mac address to be able to auth, so would show up with an 'unknown' in the MAC field.
Basically it allows traffic to flow out of the port. This enabled the device to be able to receive HTTP traffic and made it respond and then the switch could auth it again once the device sent a frame.
when you do a show authentication sessions you will notice a Oper control dir: both will change to Oper control dir: in -
Dot1x clients not authenticated after reload
Hi all,
I have a switch setup with dynamic vlan assignment. Everything works fine until the switch is rebooted. Then none of the pc's are authenticated anymore. I have to do a shut/no shut of all the user ports to start the re-authentication of the pc's.
This is the config I have so far. Am I missing something?
Thanks,
Best Regards,
Joris
Global commands
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
aaa accounting system default start-stop group radius
aaa authorization exec default local if-authenticated
aaa authorization commands 1 default local if-authenticated
aaa authorization commands 15 default local if-authenticated
dot1x system-auth-control
dot1x guest-vlan supplicant
dot1x critical eapol
radius-server host x.x.x.x auth-port 1645 acct-port 1646 key *****
radius-server vsa send accounting
radius-server vsa send authentication
Interface-specific commands
switchport mode access
switchport nonegotiate
switchport port-security maximum 5
switchport port-security
switchport port-security violation restrict
authentication event fail action authorize vlan 200
authentication event server dead action authorize vlan 110
authentication event no-response action authorize vlan 200
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication periodic
mab
no snmp trap link-status
dot1x pae authenticator
dot1x timeout quiet-period 3
dot1x timeout tx-period 3
dot1x max-req 1
storm-control broadcast level 1.00
storm-control multicast level 1.00
storm-control action shutdown
storm-control action trap
no cdp enable
no cdp tlv server-location
no cdp tlv app
spanning-tree portfastI believe you will need to tell your ports what action to take when the AAA server becomes available. It knows what to do when it's dead or unavailable, but has the default setting when it is returned to service. Likely the switch is tripping AAA dead or non-responsive for a bit during boot and its a race. You want the port to reauth when the AAA server becomes avail.
Sent from Cisco Technical Support iPhone App -
Cisco ISE 1.3 MAB authentication.. switch drop packet
Hello All,
I have C3560 Software (C3560-IPSERVICESK9-M), Version 12.2(55)SE9, RELEASE SOFTWARE (fc1) switch..
and ISE 1.3 versoin..
MAB authentication is working perfectly at ISE end.. but while seeing the same at switch end.. I am seeing switch is droping packet on some ports..
while some ports are working perfectly..
Same switch configuration is working perfectly on another switch without any issue..
Switch configuration for your suggestion..!!
aaa new-model
aaa authentication fail-message ^C
**** Either ACS or ISE is DOWN / Use ur LOCAL CREDENTIALS / Thank You ****
^C
aaa authentication login CONSOLE local
aaa authentication login ACS group tacacs+ group radius local
aaa authentication dot1x default group radius
aaa authorization config-commands
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+ group radius
aaa server radius dynamic-author
client 172.16.95.x server-key 7 02050D480809
client 172.16.95.x server-key 7 14141B180F0B
aaa session-id common
clock timezone IST 5 30
system mtu routing 1500
ip routing
no ip domain-lookup
ip domain-name EVS.com
ip device tracking
epm logging
dot1x system-auth-control
interface FastEthernet0/1
switchport access vlan x
switchport mode access
switchport voice vlan x
authentication event fail action next-method
--More-- authentication host-mode multi-auth
authentication order mab dot1x
authentication priority mab dot1x
authentication port-control auto
authentication violation restrict
mab
snmp trap mac-notification change added
snmp trap mac-notification change removed
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
ip tacacs source-interface Vlan10
ip radius source-interface Vlan10 vrf default
logging trap critical
logging origin-id ip
logging 172.16.5.95
logging host 172.16.95.x transport udp port 20514
logging host 172.16.95.x transport udp port 20514
snmp-server group SNMP-Group v3 auth read EVS-view notify *tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF7F access 15
snmp-server view EVS-view internet included
snmp-server community S1n2M3p4$ RO
snmp-server community cisco RO
snmp-server trap-source Vlan10
snmp-server source-interface informs Vlan10
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
--More-- snmp-server enable traps tty
snmp-server enable traps cluster
snmp-server enable traps entity
snmp-server enable traps cpu threshold
snmp-server enable traps vtp
snmp-server enable traps vlancreate
snmp-server enable traps vlandelete
snmp-server enable traps flash insertion removal
snmp-server enable traps port-security
snmp-server enable traps envmon fan shutdown supply temperature status
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps bridge newroot topologychange
snmp-server enable traps stpx inconsistency root-inconsistency loop-inconsistency
snmp-server enable traps syslog
snmp-server enable traps mac-notification change move threshold
snmp-server enable traps vlan-membership
snmp-server host 172.16.95.x version 2c cisco
snmp-server host 172.16.95.x version 2c cisco
snmp-server host 172.16.5.x version 3 auth evsnetadmin
tacacs-server host 172.16.5.x key 7 0538571873651D1D4D26421A4F
tacacs-server directed-request
--More-- tacacs-server key 7 107D580E573E411F58277F2360
tacacs-server administration
radius-server attribute 6 on-for-login-auth
radius-server attribute 25 access-request include
radius-server host 172.16.95.y auth-port 1812 acct-port 1813 key 7 060506324F41
radius-server host 172.16.95.x auth-port 1812 acct-port 1813 key 7 110A1016141D
radius-server host 172.16.95.y auth-port 1645 acct-port 1646 key 7 110A1016141D
radius-server host 172.16.95.x auth-port 1645 acct-port 1646 key 7 070C285F4D06
radius-server timeout 2
radius-server key 7 060506324F41
radius-server vsa send accounting
radius-server vsa send authentication
line con 0
exec-timeout 5 0
privilege level 15
logging synchronous
login authentication CONSOLE
line vty 0 4
access-class telnet_access in
exec-timeout 0 0
logging synchronous
--More-- login authentication ACS
transport input ssh24423 ISE has not been able to confirm previous successful machine authentication
Judging by that line and what your policy says, it appears that your authentication was rejected as your machine was not authenticated prior to this connection.
first thing to check is whether MAR has been enabled on the identity source. second thing to check is whether your machine is set to send a certificate for authentication. there are other things you can look at but I'd do those two first.
log off and on or reboot and then see if you at least get a failed machine auth on the operations>authentication page and we can go from there. -
AD Machine Authentication with Cisco ISE problem
Hi Experts,
I am new with ISE, I have configured ISE & Domain computers for PEAP authentication. initially machine gets authenticated and then starts going MAB.
Authentication policy:
Allowed protocol = PEAP & TLS
Authorization Policy:
Condition for computer to be checked in external identity store (AD) = Permit access
Condition for users to be checked in external identity store (AD) plus WasMachineAuthenticated = permit access
All of the above policies do match and download the ACL from ISE but computer starts to mab authentication again...
Switchport configuration:
===============================================
ip access-list extended ACL-DEFAULT
remark Allow DHCP
permit udp any eq bootpc any eq bootps
remark Allow DNS
permit udp any any eq domain
permit ip any host (AD)
permit icmp any any
permit ip any host (ISE-1)
permit ip any host (ISE-2)
permit udp any host (CUCM-1) eq tftp
permit udp any host (CUCM-2)eq tftp
deny ip any any
===============================================
switchport config
===============================================
Switchport Access vlan 10
switchport mode access
switchport voice vlan 20
ip access-group ACL-DEFAULT in
authentication open
authentication event fail action next-method
authentication event server dead action authorize vlan 1
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity 180
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 100
====================================================
One more problem about the "authentication open" and default ACL. Once the authentication succeeds and per user is ACL pushed though ISE to the switch. The default ACL still blocks communication on this switchprort.
Your help will highly appreciated.
Regards,You need to watch the switch during an authentication, see if the machine is passing authentication and the user may be failing authentication causing the switch to fail to mab. If your switch configuration is on auth failure continue to next method, then this makes sense. The question is why is the user failing auth but the machine is passing, could be something in the policy. Make sure your AD setup has machine authentciation checked or it may not tie the machine and user auth together and the user may be failing because ISE can't make that relationship so the machinewasauth=true is not beeing matched. Easy way to check is remove that rule from your policy and see if the same thing happens.
I've also seen this happen when clients want to use EAP-TLS on the wired, machines passes auth, then the user logs into a machine for the first time. The user auth kicks off before the user gets a cert and fails auth with a null certificate, since this is a auth failure the switchport kicks over to MAB.
I don't think wasmachineauth=true is that great, I prefer to use EAP-FASTv2 using Cisco Anyconnect NAM with eap-chaining. This is great because you can do two part authentication. EAP-FAST outer with EAP-TLS inner for the machine auth, and MSCHAPv2 for the inner of the user auth. You get your EAP-TLS auth for the machine and don't have to worry about a user logging into a machine for the first time and switching to MAB because the user doesn't have a cert yet. I also do my rule to say if machine pass and user fail, then workstaion policy, if machine and user pass then corp policy. -
Hi,
I have a setup ISE 1.1.1. Users are getting authenticate against AD. Everything is working fine except some users report disconnection. I see in the ISE that (Authentication failed: 24415 User authentication against Active Directory failed since user's account is locked out). Users are using Windows 7 OS.
Error is enclosed & here is the port configuration.
Port Configuration.
interface GigabitEthernet0/2
switchport access vlan 120
switchport mode access
switchport voice vlan 121
authentication event fail action next-method
authentication event server dead action reinitialize vlan 120
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
mab
dot1x pae authenticator
dot1x timeout tx-period 60
spanning-tree portfast
ip dhcp snooping limit rate 30 interface GigabitEthernet0/2
switchport access vlan 120
switchport mode access
switchport voice vlan 121
authentication event fail action next-method
authentication event server dead action reinitialize vlan 120
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
mab
dot1x pae authenticator
dot1x timeout tx-period 60
spanning-tree portfast
ip dhcp snooping limit rate 30
Please help.The error message means that Active Directory server Reject the authentication attempt
as for some reasons the user account got locked.I guess, You should ask your AD Team to check in the AD
Event Logs why did the user account got locked.
Under Even Viewers, You can find it out
Regards
Minakshi (Do rate the helpful posts)
Maybe you are looking for
-
How to display a JPanel of JButtons on ImagePanel?
Hi From the Swing Hacks examples, I can display a JButton on an ImagePanel no problem. But when I put this JButton in JPanel, then add the JPanel to the ImagePanel, the JPanel with the JButton is not displayed. Can someone please explain why this is?
-
Populating the screen area with color
Please help me how could i populate the screen area with color based on the x,y position values getting from the database table x,y positions are saved in the database already i want to use those values
-
Dear Friends, I need your help for the following scenario. I want to create a invoice like proforma invoice. eg I am having a sale order for 50 Tones.I want to take 50 % advance from the customer.Hence I want to create invoice only for these 50 %.How
-
Hi, We have ESS deployed on EP7.0, so we are using the WebDynpro version of ESS. Now we want to redirect the navigation to our own customized iView when click "Exit" button on any of the ESS iView, for example , address iView. I guess this should be
-
Adobe Cs6 compatibility with mavericks
I want to upgrade to Mavericks and i'm using Adobe CS6 suite I am worried about compatibily with Mavericks. Any similar examples as mine?