Wired Hotspot portal redirect fails
I'm working on wired guest access from a 2960-X switch stack running 15.0(2)EX4. The ISE 1.3 policy delivers the access-accept with the redirect URL, but the switch doesn't seem to do anything with it. The client can do DNS resolution, so there is web traffic to redirect. What I get is "Connecting". The ISE can be reached directly from the client, so routing and ACL seem to be OK. It also doesn't make any difference whether the name or the IP address of the ISE policy server is used. Anyone else seen this behavior?
Here's the session info as seen by the switch
EF3211# sh auth sess int gi6/0/12
Interface: GigabitEthernet6/0/12
MAC Address: 28d2.440e.5662
IP Address: Unknown
User-Name: 28-D2-44-0E-56-62
Status: Authz Success
Domain: DATA
Oper host mode: single-host
Oper control dir: both
Authorized By: Authentication Server
Vlan Policy: 648
URL Redirect ACL: Blackhole
URL Redirect: https://DHISE1P2.hitchcock.org:8445/portal/gateway?sessionId=82bd783e000E38FF552FED1B&portal=59c60952-e443-11e4-a2a2-0050568a6a89&action=cwa&type=drw&token=36c5ae30b39dd01e8a6b9852096a3924
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 82BDF8060004560D109E916F
Acct Session ID: 0x00048CA9
Handle: 0xD800088F
Runnable methods list:
Method State
dot1x Failed over
mab Authc Success
The ACL looks like this
Extended IP access list Blackhole
10 permit udp any any eq domain
20 permit tcp any any established
30 permit ip any host 130.189.120.62
40 permit ip any host 130.189.120.63
50 permit icmp any any echo
60 permit icmp any any echo-reply
70 permit udp any eq bootpc any eq bootps
80 deny ip any any
Problem I believe is the Redirect ACL. The ACL isn't used as access control, it's used as a filter to say which traffic is redirected. So you want HTTP and HTTPS traffic to be redirected. Should look more like the following:
deny ip any host <PSN_IP>
permit tcp any any eq www 443 8443
deny ip any any
So the Permit is actually saying "redirect this traffic" to ISE for CWA and the deny is saying "don't redirect". The first line is there because there used to be a bug where any traffic towards the ISE box turned into some kind of redirect loop, so I've included it just to be sure.
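As an added illustration (not part of the original thread), this Python sketch models the first-match behaviour the reply describes, where permit means "redirect" and deny means "do not redirect", and runs the question's Blackhole ACL and the suggested ACL against constructed flows. The PSN address 192.0.2.10 and the destination addresses are placeholders; only `any`/`host` addresses, `eq`, `established` and ICMP type keywords are modelled.

```python
from dataclasses import dataclass

PORT_NAMES = {"www": 80, "domain": 53, "bootpc": 68, "bootps": 67}

# ACL from the question (sequence numbers kept as posted).
BLACKHOLE = """
10 permit udp any any eq domain
20 permit tcp any any established
30 permit ip any host 130.189.120.62
40 permit ip any host 130.189.120.63
50 permit icmp any any echo
60 permit icmp any any echo-reply
70 permit udp any eq bootpc any eq bootps
80 deny ip any any
"""

PSN_IP = "192.0.2.10"  # placeholder for <PSN_IP>, not a value from the thread

# ACL from the reply, with the placeholder substituted.
SUGGESTED = f"""
deny ip any host {PSN_IP}
permit tcp any any eq www 443 8443
deny ip any any
"""


@dataclass
class Flow:
    proto: str                 # "tcp", "udp" or "icmp"
    dst: str                   # destination IPv4 address
    dport: int = 0
    sport: int = 0
    established: bool = False  # True once ACK/RST is set, False for the first SYN
    icmp_type: str = ""


def parse_ace(line):
    """Parse one ACE: [seq] action proto src [eq p..] dst [eq p..] [keyword]."""
    rest = line.split()
    if rest[0].isdigit():
        rest.pop(0)
    action, proto = rest.pop(0), rest.pop(0)

    def addr():
        word = rest.pop(0)
        if word == "any":
            return None
        if word == "host":
            return rest.pop(0)
        raise ValueError(f"unsupported address syntax: {word}")

    def ports():
        found = set()
        if rest and rest[0] == "eq":
            rest.pop(0)
            while rest and (rest[0].isdigit() or rest[0] in PORT_NAMES):
                word = rest.pop(0)
                found.add(PORT_NAMES[word] if word in PORT_NAMES else int(word))
        return found

    if addr() is not None:  # every ACE here uses "any" as the source
        raise ValueError("source host matching is not modelled")
    sports, dst, dports = ports(), addr(), ports()
    return {"action": action, "proto": proto, "sports": sports, "dst": dst,
            "dports": dports, "keyword": rest[0] if rest else ""}


def matches(ace, flow):
    if ace["proto"] not in ("ip", flow.proto):
        return False
    if ace["dst"] and ace["dst"] != flow.dst:
        return False
    if ace["sports"] and flow.sport not in ace["sports"]:
        return False
    if ace["dports"] and flow.dport not in ace["dports"]:
        return False
    if ace["keyword"] == "established":
        return flow.established
    if ace["keyword"]:  # ICMP type keyword such as echo
        return flow.icmp_type == ace["keyword"]
    return True


def decide(acl_text, flow):
    """First matching ACE wins; permit selects the flow for redirection."""
    for line in acl_text.strip().splitlines():
        ace = parse_ace(line)
        if matches(ace, flow):
            return "redirect" if ace["action"] == "permit" else "no-redirect"
    return "no-redirect"  # implicit deny at the end of every ACL


# Constructed sample flows (documentation address ranges).
HTTP_SYN = Flow("tcp", "203.0.113.80", dport=80)
HTTPS_SYN = Flow("tcp", "203.0.113.80", dport=443)
DNS_QUERY = Flow("udp", "203.0.113.53", dport=53, sport=50000)
PORTAL = Flow("tcp", PSN_IP, dport=8443)

if __name__ == "__main__":
    for name, flow in [("http-syn", HTTP_SYN), ("https-syn", HTTPS_SYN),
                       ("dns", DNS_QUERY), ("portal", PORTAL)]:
        print(f"{name:10} Blackhole={decide(BLACKHOLE, flow):12} "
              f"suggested={decide(SUGGESTED, flow)}")
```

With the question's ACL the client's first HTTP or HTTPS SYN falls through to the final deny and is never selected for redirection, while DNS is; the suggested ACL reverses both results.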
Similar Messages
-
ISE Wired guest portal redirect even after authentication
Hi
I have configured both Wired and Wireless guest authentication via guest portal. Wireless is working fine; however, when trying with Wired, the redirection page keeps appearing even after the user has authenticated.
I'm not seeing the redirection authorization policy in my logs; however, I can see only the user authentication logs (successful). Attached is my configuration and logging output.
Here is what I see on the interface
ABQT-3FLR-ACC-01#sh authentication sessions interface gigabitEthernet 4/0/19
Interface: GigabitEthernet4/0/19
MAC Address: a0b3.ccca.2ab1
IP Address: 10.1.3.16
User-Name: A0-B3-CC-CA-2A-B1
Status: Authz Success
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Authorized By: Authentication Server
Vlan Policy: N/A
URL Redirect ACL: ACL-WEBAUTH-REDIRECT
URL Redirect: https://xxxx-TW-ISE-2.xxx.xxx.qa:8443/guestportal/gateway?sessionId=AC14011F000001571E52779F&action=cwa
Session timeout: N/A
Idle timeout: N/A
Common Session ID: AC14011F000001571E52779F
Acct Session ID: 0x00000309
Handle: 0xE6000158
Runnable methods list:
Method State
dot1x Failed over
mab Authc Success
Here is the ACL
Extended IP access list ACL-WEBAUTH-REDIRECT
10 deny udp any any eq domain (1344 matches)
20 deny ip any host 172.20.5.12 (8122 matches)
30 deny ip any host 172.20.5.14
40 permit tcp any any eq www (3124 matches)
50 permit tcp any any eq 443 (202927 matches)
60 permit tcp any any eq 8080 (114 matches)
70 permit ip any any (8056 matches)
Hi Mohannad,
Thanks for your response.
Actually, as per the configuration it should work; I'm still trying to find out what has gone wrong with this configuration. In fact I have tested with a 3560 switch with the same config and it worked. The only difference here is that we used a 2960S switch.
We need to find out why the next Auth policy is not hitting once user is authenticated.
Here is the port configuration and the authen status of the port.
ABQT-3FLR-ACC-01#sh running-config interface gig4/0/19
Building configuration...
Current configuration : 427 bytes
interface GigabitEthernet4/0/19
switchport access vlan 103
switchport mode access
switchport voice vlan 135
authentication event fail action next-method
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab webauth
authentication port-control auto
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
end
ABQT-3FLR-ACC-01#
Mar 31 12:32:14.127: %AAA-3-BADSERVERTYPEERROR: Cannot process accounting server type tacacs+ (UNKNOWN)
ABQT-3FLR-ACC-01#
ABQT-3FLR-ACC-01#sh atuh
ABQT-3FLR-ACC-01#sh atu
ABQT-3FLR-ACC-01#sh authe
ABQT-3FLR-ACC-01#sh authentication se
ABQT-3FLR-ACC-01#sh authentication sessions in
ABQT-3FLR-ACC-01#sh authentication sessions interface gi
ABQT-3FLR-ACC-01#sh authentication sessions interface gigabitEthernet 4/0/19
Interface: GigabitEthernet4/0/19
MAC Address: 0015.c5b4.fd4a
IP Address: 10.1.3.23
User-Name: 00-15-C5-B4-FD-4A
Status: Authz Success
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Authorized By: Authentication Server
Vlan Policy: N/A
URL Redirect ACL: ACL-WEBAUTH-REDIRECT
URL Redirect: https://ABQ-TW-ISE-2.abq.gov.qa:8443/guestportal/gateway?sessionId=AC14011F0000018A32B4D906&action=cwa
Session timeout: N/A
Idle timeout: N/A
Common Session ID: AC14011F0000018A32B4D906
Acct Session ID: 0x00000394
Handle: 0x3E00018B
Runnable methods list:
Method State
dot1x Failed over
mab Authc Success -
I've a new ISE Integration, I've implemented captive portal for wireless and wired guests, for Wireless all is working perfect
For Wired I can see that ISE put the url captive on the interface of the switch but from the laptop of windows machine, I'm unable to see the link on browser, please advise
In the same document you have
Wired NAD Interaction for Central WebAuth
If your client's machine is hard wired to a NAD, the guest service interaction takes the form of a failed MAB request that leads to a guest portal Central WebAuth login.
The Central WebAuth triggered by a MAB failure flow follows these steps:
1. The client connects to the NAD through a hard-wired connection. There is no 802.1X supplicant on the client.
2. An authentication policy with a service type for MAB allows a MAB failure to continue and return a restricted network profile containing a URL-redirect for Central WebAuth user interface.
3. The NAD is configured to post MAB requests to the Cisco ISE RADIUS server.
4. The client machine connects and the NAD initiates a MAB request.
5. The Cisco ISE server processes the MAB request and does not find an end point for the client machine. This MAB failure resolves to the restricted network profile and returns the URL-redirect value in the profile to the NAD in an access-accept. To support this function, ensure that an Authorization Policy exists featuring the appropriate "NetworkAccess:UseCase=Hostlookup" and "Session:Posture Status=Unknown" conditions.
The NAD uses this value to redirect all client HTTP/HTTPS traffic on ports 8080 or 8443 to the URL-redirect value. The standard URL value in this case is:
https://ip:port/guestportal/gateway?sessionId=NetworkSessionId&action=cwa.
6. The client initiates an HTTP or HTTPS request to any URL using the client browser.
7. The NAD redirects the request to the URL-redirect value returned from the initial access-accept.
8. The gateway URL value with action CWA redirects to the guest portal login page.
9. The client enters the username and password and submits the login form.
10. The guest action server authenticates the user credentials provided.
11. If the credentials are valid, the username and password are stored in the local session cache by the guest action server.
12. If the guest portal is configured to perform Client Provisioning, the guest action redirects the client browser to the Client Provisioning URL. (You can also optionally configure the Client Provisioning Resource Policy to feature a "NetworkAccess:UseCase=GuestFlow" condition.)
Since there is no Client Provisioning or Posture Agent for Linux, guest portal redirects to Client Provisioning, which in turn redirects back to a guest authentication servlet to perform optional IP release/renew and then CoA.
13. If the guest portal is not configured to perform Client Provisioning, the guest action server sends a CoA to the NAD through an API call. This CoA will cause the NAD to reauthenticate the client using the RADIUS server. This reauthentication makes use of the user credentials stored in the session cache. A new access-accept is returned to the NAD with the configured network access. If Client Provisioning is not configured and the VLAN is in use, the guest portal performs VLAN IP renew.
14. With redirection to the Client Provisioning URL, the Client Provisioning subsystem downloads a non-persistent web-agent to the client machine and performs a posture check of the client machine. (You can optionally configure the Posture Policy with a "NetworkAccess:UseCase=GuestFlow" condition.)
15. If the client machine is non-compliant, ensure you have configured an Authorization Policy that features "NetworkAccess:UseCase=GuestFlow" and "Session:Posture Status=NonCompliant" conditions.
16. Once the client machine is compliant, ensure you have an Authorization policy configured with "NetworkAccess:UseCase=GuestFlow" and "Session:Posture Status=Compliant" conditions. From here, the Client Provisioning issues a CoA to the NAD. This CoA will cause the NAD to reauthenticate the client using the RADIUS server. This reauthentication makes use of the user credentials stored in the session cache. A new access-accept is returned to the NAD with the configured network access. -
SubmitEditData() - redirect fails...
Hi,
I've got a weird error.
In the portlet customization code (JSP) I call the PortletRendererUtil.submitEditData() method. I managed to get it work before, and does work for all my other portlets, but doesn't for the recent one.
Although, all the customization values are sent to and saved by the personalization manager, the browser doesn't get redirected to the edit renderer JSP page. It starts to display a kind of page with the logos etc. on the top of it instead.
This portlet shares the provider with some other customizable portlets. I'd appreciate any ideas how I could track down this issue.
Thanks,
Peter
Snippets of my provider.xml:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<?providerDefinition version="2.0"?>
<!DOCTYPE provider [
<!ENTITY virtualRoot "/changeMe/">
<!ENTITY physicalRoot "C:\Change\Me">
]>
<provider class="oracle.portal.provider.v1.http.DefaultProvider">
<session>true</session>
<useOldStyleHeaders>false</useOldStyleHeaders>
<portlet class="oracle.portal.provider.v1.http.DefaultPortlet">
<id>5</id>
<name>Number2Image</name>
<title>Number2Image - JSP portlet</title>
<description>This is a simple JSP portlet converting numbers to images.</description>
<timeout>30</timeout>
<timeoutMessage>JSP number2image portlet example timed out</timeoutMessage>
<acceptContentType>text/html</acceptContentType>
<showEdit>true</showEdit>
<showEditDefault>false</showEditDefault>
<showDetails>true</showDetails>
<showPreview>true</showPreview>
<hasHelp>true</hasHelp>
<hasAbout>false</hasAbout>
<renderer class="oracle.portal.provider.v1.RenderManager">
<contentType>text/html</contentType>
<appPath>/jspportlet</appPath>
<appRoot>/private/oracle/9iAS_1022/Apache/Apache/htdocs/jportlets/ilt_demo/jsp/</appRoot>
<showPage>number2image.jsp</showPage>
<helpPage>number2image_help.html</helpPage>
<editPage>number2image_edit.jsp</editPage>
</renderer>
<personalizationManager class="oracle.portal.provider.v1.FilePersonalizationManager" >
<dataClass>portlets.demo.jsp.Number2ImagePersonalization</dataClass>
</personalizationManager>
</portlet>
</provider>
I have partial page rendering in all pages with af:showOneTab. So, to prove if redirect failure is related to PPR. I picked one page with af:showOneTab and got rid of all components with PPR so that it became PPR free. However, redirecting still fails if user clicks on any other tab of af:showOneTab after session has expired.
If user clicks say on any of the crumbs presented on the page to navigate to parent pages, the redirect succeeds and he is successfully pushed to home page.
Long story short, redirect fails whenever user clicks on any of the af:showOneTab tabs after session has expired no matter if page has or has no PPR components.
I hope I answered your questions.
I know that af:showOneTab uses PPR and that may explain why redirect isn't working, not sure. However, I wish we can have a workaround for this problem.
Any thoughts ?
Thanks
Sam
Message was edited by:
samsam -
Error while retrieving data in VC model Portal Request Failed
Hello,
I'm trying to use an ES workplace Webservice but not getting any results. The error message is Portal Request Failed ( Index: 0 , Size: 0). I tested calling the service from the esworkplace and it worked. Although I had to use some NULL value as variables. Is it also possible to give a null value along while testing the webservice from VC ?
I'm on release 7.0 sp08. The service I call is on HU2 800 , service is MaterialSimpleByIDAndDescriptionQueryResponse_In.
If anyone knows a solution for this problem I'd like to hear from you.
Regards,
Jasper
Hi Jasper,
Have you followed the steps mentioned in this document?- > https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/a160392c-0e01-0010-7784-9cc564d871d2
and optionally
https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/5e9ca25b-0e01-0010-bbaa-f3b963e89edd
If not, these How-to documents will solve your problem
With Best Regards,
Swapnil -
Webmaster tools change of address 301 redirect failed using domain forward
I'm having trouble with webmaster tools recognising our domain name change.
We've recently updated the website and done a name change from www.qldtshirt.com.au to www.qtco.com.au. I am using domain forwarding so qldtshirt.com.au forwards to qtco.com.au (as well as with www.) and everything works perfectly.
www.qldtshirt.com.au/products/polo-shirts/cool-dry-fabric forwards to:
http://www.qtco.com.au/products/clothing/polo-shirts/cool-dry-fabric
We have about 4000 301 redirects setup in URL Redirects:
/products/business-and-corporate/desk-and-office/100-organic-cotton-pencil-case to
/products/gifts-incentives/desk-and-office/100-organic-cotton-pencil-case
so on and so on....
I've verified all sites in webmaster tools however when change of address from www.qldtshirt.com.au to www.qtco.com.au webmaster tools presents this error:
"301 redirect failed. We detect that the root address of your old site (www.qldtshirt.com.au) does not yet redirect to the root address of your new site (www.qtco.com.au). For more information use the Fetch as Google tool."
It works perfectly fine for the end user, anyone know why and how to fix please?
Hi, I have found this same situation. Did you have any luck finding a solution?
Thank you -
Executing function module gives error "Portal request failed: Connection fa
Dear Experts,
I have a Function module Z_SAT_CREDITLIMIT_CHANGE which in itself accesses the SAP Update Function module
UPDATE/INSERT of the credit limit(CREDITLIMIT_CHANGE)
and writes the changed data to the Table KNKK(Customer Master Credit Management : Control Area Data).
While executing this fn module Z_SAT_CREDITLIMIT_CHANGE
from VC storyboard I received error "Portal request failed:
Connection failed: Nested Exception: Native Connection to backend system is broken" . Z_SAT_CREDITLIMIT_CHANGE executes fine and updates data in ECC system.
Then I noticed further that while commenting the part of code in Z_SAT_CREDITLIMIT_CHANGE where call to fn module CREDITLIMIT_CHANGE is made there's no error received and Z_SAT_CREDITLIMIT_CHANGE executes without error but obviously no data is updated.
Appreciate if any one can please explain how can i use CREDITLIMIT_CHANGE in Z_SAT_CREDITLIMIT_CHANGE
without any errors.
Kind Regards,
Robin.
Hi Robin,
Also, check that the user you're accessing the backend with has permissions to execute the Dataservice at the backend system.
You should check the usermapping to know which is the user at backend.
Best Regards,
Luis -
Using Firefox 19.0 WIFI logon fails page redirect fails
Attempting to use Firefox at a variety of airports and hotels fails. The initial logon page is displayed but then the following pages which are redirects fail. Usual message is "Page not Found" Using the captive IP address does not work. Various combinations of settings do not work. AP has been associated and an optimum MTU has been determined via ping to the default gateway.
You should not need to disable antivirus to connect.
I assume you are not having Firefox block all redirects. You can check that setting here:
orange Firefox button or classic Tools menu > Options > Advanced > General > uncheck "Warn me when websites try to redirect or reload the page"
What are your connection/proxy settings in Firefox? If you choose "Use system proxy settings" then Firefox should use IE's settings. Or if you choose "No proxy" then Firefox should default to your wi-fi connection.
orange Firefox button or classic Tools menu > Options > Advanced > Network > "Settings" button
Can you think of any add-on changes you might have made since the T-Mobile days? A standard diagnostic to bypass interference by extensions (and some custom settings) is to try Firefox's Safe Mode.
First, I recommend backing up your Firefox settings in case something goes wrong. See "Backing up your information". (You can copy your entire Firefox profile folder somewhere outside of the Mozilla folder.)
Next, restart Firefox in Firefox's Safe Mode using
Help > Restart with Add-ons Disabled
In the dialog, click "Start in Safe Mode."
If you can load sites normally, this points to one of your extensions or custom settings as the problem. -
Portal Request Failed (Fault returned {0})
Hi All,
I use WSDLs created from XI which in turn executes BAPI's in R3 and returns me the output/response. Two of such WSDLs are throwing this error.
Portal Request Failed (Fault returned )
Have any of you come across this error in VC storyboard? Do let me know your experience and views on getting this resolved.
Thanks,
Kavitha
Hi Mario,
thank you for your response! But I can not solve my problem.
- I am passing all the mandatory files in the right format
- I executed the web service with the web service checker and the web service works fine.
The only difference trough my other web services is, that I use also a list as input parameter. Can that be the reason?
Thanks
Stefan -
Hi all,
When I deploy my VC application with flash I get a nice application in the Portal, but when I deploy my application in Webdynpro I get the following error:
Portal Request Failed (incomplete input, no MainUnits Specified)
How can I solve this error
Richard
Hi Richard,
there are differences between flash and webdynpro. Some components for flash are not supported for WebDynpro. If you change the compiler in your settings, then the components in the task panel toolbar also change.
I guess you use a component in your model, which is not supported from webdynpro.
There are also some other limitations to WD, have a look into the VC wiki:
https://wiki.sdn.sap.com/wiki/display/VC/LimitationsofWebDynpro
Best Regards,
Marcel -
Portal authentication failing intermittently post self registration
We are in the process of upgrading from EP6 to EP7 and have hit a critical authentication problem that is proving difficult to diagnose and resolve.
Our self registration process leads straight into user logon:
1) the user fills in the registration form with their user ID, password etc and selects Submit which creates the user ID in our R/3 user store
2) the user is presented with text informing them that their registration has been successful and a Proceed button which when selected authenticates them with the portal with their newly created user ID
Step 2) above is working intermittently in our EP7 system - sometimes the process works exactly as expected others an exception is raised (com.sap.security.core.logon.imp.UMELoginException: USER_AUTH_FAILED).
It seems as though the cause is that the user creation process has not completed fully before the logon step.
We tried implementing a wait step (10 seconds) following selection of the Proceed button which reduced the incidence rate of the problem but didn't cure it entirely.
A possible contributing factor is hardware performance as we are testing the upgrade on an impact analysis system which is not as efficient as our live portal landscape.
I've pasted the code which performs the authentication and extracts from the DIAGTOOL portal logs below which show the login module configuration (SAP standard I believe).
Any help/advice what to try next would be greatly appreciated as we are running out of ideas.
Thanks,
Alan
The following code performs the authentication and redirection to the portal user's home page:
public void onRedirect(Event event) throws PageException {
    getBean();
    // Get resource bundle
    ResourceBundle rbSetup =
        ResourceBundle.getBundle(
            "setup",
            ((IPortalComponentRequest) this.getRequest()).getLocale());
    ILogonAuthentication logonAuthentication =
        UMFactory.getLogonAuthenticator();
    HttpServletRequest req =
        ((IPortalComponentRequest) this.getRequest())
            .getServletRequest();
    HttpServletResponse res =
        ((IPortalComponentRequest) this.getRequest())
            .getServletResponse(true);
    // Hand the newly registered user ID and password to the logon call
    req.setAttribute(
        ILoginConstants.LOGON_UID_ALIAS,
        SelfRegBean.getLogonUid());
    req.setAttribute(
        ILoginConstants.LOGON_PWD_ALIAS,
        SelfRegBean.getPassword());
    Subject subject = null;
    try {
        // Authenticate, then redirect to the user's home page on success
        subject = logonAuthentication.logon(req, res, AUTHSCHEME);
        if (null != subject) {
            res.sendRedirect(rbSetup.getString("REDIRECT_URL"));
        }
    } catch (LoginException e) {
        SelfRegBean.setError(rb.getString(LOGIN_FAILED));
    } catch (IOException e) {
        SelfRegBean.setError(rb.getString(REDIRECT_FAILED));
    }
}
Full exception thrown when the authentication process fails:
com.sap.security.core.logon.imp.UMELoginException: USER_AUTH_FAILED at com.sap.security.core.logon.imp.SAPJ2EEAuthenticator.logon(SAPJ2EEAuthenticator.java:949) at uk.ac.ncl.SelfRegistration$SelfRegistrationDynPage.onRedirect(SelfRegistration.java:507) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) at java.lang.reflect.Method.invoke(Method.java:324) at com.sapportals.htmlb.page.DynPage.doProcessCurrentEvent(DynPage.java:172) at com.sapportals.htmlb.page.PageProcessor.handleRequest(PageProcessor.java:115) at com.sapportals.portal.htmlb.page.PageProcessorComponent.doContent(PageProcessorComponent.java:134) at com.sapportals.portal.prt.component.AbstractPortalComponent.serviceDeprecated(AbstractPortalComponent.java:209) at com.sapportals.portal.prt.component.AbstractPortalComponent.service(AbstractPortalComponent.java:114) at com.sapportals.portal.prt.core.PortalRequestManager.callPortalComponent(PortalRequestManager.java:328) at com.sapportals.portal.prt.core.PortalRequestManager.dispatchRequest(PortalRequestManager.java:136) at com.sapportals.portal.prt.core.PortalRequestManager.dispatchRequest(PortalRequestManager.java:189) at com.sapportals.portal.prt.component.PortalComponentResponse.include(PortalComponentResponse.java:215) at com.sapportals.portal.prt.pom.PortalNode.service(PortalNode.java:645) at com.sapportals.portal.prt.core.PortalRequestManager.callPortalComponent(PortalRequestManager.java:328) at com.sapportals.portal.prt.core.PortalRequestManager.dispatchRequest(PortalRequestManager.java:136) at com.sapportals.portal.prt.core.PortalRequestManager.dispatchRequest(PortalRequestManager.java:189) at com.sapportals.portal.prt.core.PortalRequestManager.runRequestCycle(PortalRequestManager.java:753) at 
com.sapportals.portal.prt.connection.ServletConnection.handleRequest(ServletConnection.java:240) at com.sapportals.portal.prt.dispatcher.Dispatcher$doService.run(Dispatcher.java:524) at java.security.AccessController.doPrivileged(Native Method) at com.sapportals.portal.prt.dispatcher.Dispatcher.service(Dispatcher.java:407) at javax.servlet.http.HttpServlet.service(HttpServlet.java:853) at com.sap.engine.services.servlets_jsp.server.servlet.InvokerServlet.service(InvokerServlet.java:156) at javax.servlet.http.HttpServlet.service(HttpServlet.java:853) at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401) at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266) at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386) at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364) at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1039) at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265) at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95) at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175) at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33) at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41) at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37) at java.security.AccessController.doPrivileged(Native Method) at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:102) at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:172) -
Key log extracts from DIAGTOOL:
Exception on login:
[EXCEPTION]
com.sap.security.core.server.userstore.UserstoreException: Could not refresh user postsp15p
Caused by: com.sap.security.api.NoSuchUserAccountException: USER_AUTH_FAILED: User account for logonid "postsp15p" not found!
LOGIN.FAILED
User: N/A
Authentication Stack: ticket
Login Module Flag Initialize Login Commit Abort Details
1. com.sap.security.core.server.jaas.EvaluateTicketLoginModule SUFFICIENT ok false true
#1 ume.configuration.active = true
2. com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule REQUISITE ok exception true Authentication did not succeed.
3. com.sap.security.core.server.jaas.CreateTicketLoginModule OPTIONAL ok true
#1 ume.configuration.active = true
com.sap.security.core.logon.imp.UMELoginException:
ObjectID handed over is 'null'!
Guest | LOGIN.ERROR | null | | Login Method=[uidpwdlogon], UserID=[null], IP Address=[10.64.65.191], Reason=[Authentication did not succeed.]
USER_AUTH_FAILED -
Clientless SSL VPN Portal Customization fails on 5510
I am trying to customize a web VPN portal on my 5510 but I get errors whenever I try to add a customization object. Running ASDM 6.1(5)51 on ASA 8.0(5). The error I get when I try to apply a newly created customization object is:
[ERROR] export webvpn customization DfltCustomization disk0:/tmpAsdmImportFile2090698426
export webvpn customization DfltCustomization disk0:/tmpAsdmImportFile2090698426 ^
% Invalid input detected at '^' marker.
[ERROR] import webvpn customization test disk0:/tmpAsdmImportFile2090698426
% copying 'disk0:/tmpAsdmImportFile2090698426' to a temporary ramfs file failed
[ERROR] delete /noconfirm disk0:/tmpAsdmImportFile2090698426
%Error deleting disk0:/tmpAsdmImportFile2090698426 (No such file or directory)
Tried revert webvpn all but I get error on that as well:
Result of the command: "revert webvpn all"
%ERROR: ifs_rm_dir_rec: unknown type of file `disk0:/csco_config/97/customization/86D3828A0A0EB0FFA3B55870AAA43E4F'
Any ideas?
Joe
Hi,
As mentioned by Guru, the recommended action is to format the flash: memory.
Sometimes some webvpn files get corrupted resulting in missing DfltCustomization objects or import errors.
Once you format it, it should work fine.
Thanks.
Portu. -
ESS for R/3 4.6C on new NetWeaver Portal -- deployment fails!
Hi ESS Experts,
We're having problems deploying the older BP for ESS R/3 4.6C to our Netweaver Portal. Our Software Deployment Manager can't install the file. Normally, BPs are .sca files but the BP for ESS 4.6C is a .zip file. We can manually rename the .zip to .sca, which is then shown in the SDM but the deployment always fails.
How can we install this BP for ESS 4.6C on our newer SAP NW Portal used for our BW system?
Many thanks,
Andrew
Hi Andrew
Have you tried to unzip the file and identify the required deployment files?
Further to this -->
If you go to /swdc it states BP ESS 4.6C-4.7 50.4 (no longer in maintenance) - this product is no longer in mainstream maintenance.
Also, there are no guarantees that 46C products will work with Enterprise Portal versions from other SAP product families, e.g. NW 700 with ESS 46C.
If you have extended maintenance for 46C, perhaps you could open a CSS/OSS message in component BC-CTS-SDM to investigate why the installation fails and whether there is any workaround.
Hope this helps
Stuart -
5760 v3.6 guest portal redirect to ISE
I'm testing a new set of 5760 controllers for a future production rollout, running software version 3.6. Our current production setup consists of older WISM-1 and 4402 controllers running CUWN 7.0. Our guest network has an anchor in the DMZ, redirecting to ISE.
In the recent thread (https://supportforums.cisco.com/discussion/12319151/3850-ise-guestportal-no-redirect-v-334), one of the posters said that guest redirection in 3.6 works similarly to redirection in CUWN, while in 3.3 it is very different. I found the documentation for 3.3 (http://www.cisco.com/c/en/us/support/docs/wireless/5700-series-wireless-lan-controllers/117717-config-wlc-00.html), which I have to say I don't like very much. However, I find the configuration and command reference guides for 3.6 are less than helpful on this point.
So the question I have is whether guest networking with an external redirect to ISE looks like the following in 3.6? Or does it work like CUWN, where the SSID is configured with layer 3 security? If it uses layer 3 security like CUWN, does anybody have a quick configuration sample for how it can work end to end in 3.6?
------ From the document http://www.cisco.com/c/en/us/support/docs/wireless/5700-series-wireless-lan-controllers/117717-config-wlc-00.html ---------
The flow includes these steps:
The user associates to the web authentication Service Set Identifier (SSID), which is in fact open+macfiltering and no Layer 3 security.
The user opens the browser.
The WLC redirects to the guest portal.
The user authenticates on the portal.
The ISE sends a RADIUS Change of Authorization (CoA - UDP Port 1700) in order to indicate to the controller that the user is valid, and eventually pushes RADIUS attributes such as the Access Control List (ACL).
The user is prompted to retry the original URL.
I have a project with a 5760 running 3.6 working to a 5508 anchor controller in a DMZ.
I have web authentication working to an ISE OK.
Regards
Roger -
ISE Guest Portal redirection not working
I have built a lab at home. I have a Win2008 Server for AD/DNS, ISE 1.2 (VM trial), a 3560-cg switch, 2500 WLC and 2602i AP. I have configured everything as per the documentation online. My issue is that when I connect to the open SSID, it gets connected and has the DNS server populated as well, but the redirection never takes place. I can search for google or cnn.com but it just stays at looking up host or something. However, if I take the redirect URL from the WLC and then do it on the browser, it does go to the guest portal. Let me know what issues I can see and if there is any other information I can provide.
Issue resolved.
My lab environment didn't have access to the internet, and hence DNS servers 8.8.8.8 would not resolve any public IPs. But when an address is resolvable by DNS, it redirects nicely. For a test I created a DNS entry on the DNS server itself and tested it.
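The resolution above comes down to ordering: the browser must get a DNS answer before it sends the HTTP request that the controller intercepts. The following troubleshooting sketch is an added example, not code from the thread or from Cisco, and it classifies where a pre-auth client stalls. The host names, the portal URL and the stub functions in `demo()` are constructed assumptions.

```python
import http.client
import socket
from urllib.parse import urlsplit

def resolve(name):
    """IPv4 addresses for name, or [] when the lookup fails."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, 80, socket.AF_INET)})
    except socket.gaierror:
        return []

def http_get(name, timeout=5):
    """Plain-HTTP GET without following redirects: (status, Location header)."""
    conn = http.client.HTTPConnection(name, 80, timeout=timeout)
    try:
        conn.request("GET", "/")
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def diagnose_redirect(test_name, portal_host, resolve=resolve, http_get=http_get):
    """Classify where a pre-auth guest client stalls on its way to the portal."""
    # Stage 1: a browser opens no TCP connection until the name resolves, so
    # without a DNS answer there is no HTTP request for the WLC to intercept.
    if not resolve(test_name):
        return "dns-failed"
    # Stage 2: with an address, the GET should come back as a redirect.
    try:
        status, location = http_get(test_name)
    except (OSError, http.client.HTTPException):
        return "http-failed"
    if status in (301, 302, 303, 307) and location:
        target = (urlsplit(location).hostname or "").lower()
        return "redirected" if target == portal_host.lower() else "redirected-elsewhere"
    return "not-intercepted"

def demo():
    """Constructed stubs modelled on the lab in the thread; no network is used."""
    portal = "ise.lab.example"  # hypothetical portal host
    url = "https://ise.lab.example:8443/portal?sessionId=CONSTRUCTED"
    no_answer = lambda name: []                # lab DNS cannot resolve public names
    local_entry = lambda name: ["192.0.2.10"]  # after adding a local DNS record
    intercept = lambda name: (302, url)        # controller answers with the redirect
    return [
        diagnose_redirect("cnn.com", portal, no_answer, intercept),
        diagnose_redirect("test.lab.example", portal, local_entry, intercept),
    ]

if __name__ == "__main__":
    print(demo())
```

Run from a guest client with the default `resolve` and `http_get`, a `dns-failed` result points at name resolution in the pre-auth state rather than at the redirect ACL or the portal itself.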