Wired Hotspot portal redirect fails

I'm working on wired guest access from a 2960-X switch stack running 15.0(2)EX4.  The ISE 1.3 policy delivers the access-accept with the redirect URL, but the switch doesn't seem to do anything with it.  The client can do DNS resolution, so there is web traffic to redirect.  What I get is "Connecting".  The ISE can be reached directly from the client, so routing and ACL seem to be OK. It also doesn't make any difference whether the name or the IP address of the ISE policy server is used.  Anyone else seen this behavior? 
Here's the session info as seen by the switch
EF3211# sh auth sess int gi6/0/12
            Interface:  GigabitEthernet6/0/12
          MAC Address:  28d2.440e.5662
           IP Address:  Unknown
            User-Name:  28-D2-44-0E-56-62
               Status:  Authz Success
               Domain:  DATA
       Oper host mode:  single-host
     Oper control dir:  both
        Authorized By:  Authentication Server
          Vlan Policy:  648
     URL Redirect ACL:  Blackhole
         URL Redirect:  https://DHISE1P2.hitchcock.org:8445/portal/gateway?sessionId=82bd783e000E38FF552FED1B&portal=59c60952-e443-11e4-a2a2-0050568a6a89&action=cwa&type=drw&token=36c5ae30b39dd01e8a6b9852096a3924
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  82BDF8060004560D109E916F
      Acct Session ID:  0x00048CA9
               Handle:  0xD800088F
Runnable methods list:
       Method   State
       dot1x    Failed over
       mab      Authc Success
The ACL looks like this
Extended IP access list Blackhole
    10 permit udp any any eq domain
    20 permit tcp any any established
    30 permit ip any host 130.189.120.62
    40 permit ip any host 130.189.120.63
    50 permit icmp any any echo
    60 permit icmp any any echo-reply
    70 permit udp any eq bootpc any eq bootps
    80 deny ip any any

Problem I believe is the Redirect ACL. The ACL isn't used as access control, it's used as a filter to say which traffic is redirected. So you want HTTP and HTTPS traffic to be redirected. Should look more like the following:
deny ip any host <PSN_IP>
permit tcp any any eq www 443 8443
deny ip any any
So the Permit is actually saying "redirect this traffic" to ISE for CWA and the deny is saying "don't redirect". The first line is there because there used to be a bug where any traffic towards the ISE box turned into some kind of redirect loop, so I've included it just to be sure.
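
The permit/deny semantics described in this answer, as an added example (not code from the thread or from Cisco): a small Python evaluator that reads an ACL the way a redirect ACL is read, first match wins, with permit meaning "redirect" and deny meaning "leave alone". The addresses 192.0.2.10 (standing in for <PSN_IP>), 203.0.113.x and 198.51.100.25 are constructed, and the parser handles only the ACE forms that appear on this page.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Port keywords used by the ACLs on this page.
PORT_NAMES = {"www": 80, "domain": 53, "bootpc": 68, "bootps": 67}

# ACL from the question, copied from the switch output in the post.
BLACKHOLE = """
10 permit udp any any eq domain
20 permit tcp any any established
30 permit ip any host 130.189.120.62
40 permit ip any host 130.189.120.63
50 permit icmp any any echo
60 permit icmp any any echo-reply
70 permit udp any eq bootpc any eq bootps
80 deny ip any any
"""

# Shape suggested in the answer; 192.0.2.10 is a constructed stand-in for <PSN_IP>.
SUGGESTED = """
deny ip any host 192.0.2.10
permit tcp any any eq www 443 8443
deny ip any any
"""


@dataclass
class Flow:
    proto: str                      # "tcp", "udp" or "icmp"
    dst: str
    dport: Optional[int] = None
    sport: Optional[int] = None
    established: bool = False       # True when the TCP segment has ACK or RST set
    icmp_type: Optional[str] = None
    src: str = "198.51.100.25"      # constructed client address


def _addr(tok):
    """Consume 'any' or 'host A.B.C.D'; None means any address."""
    t = tok.pop(0)
    if t == "any":
        return None
    if t == "host":
        return ipaddress.ip_address(tok.pop(0))
    raise ValueError(f"unsupported address form: {t}")


def _ports(tok):
    """Consume an optional 'eq p [p ...]' clause; empty set means any port."""
    ports = set()
    if tok and tok[0] == "eq":
        tok.pop(0)
        while tok and (tok[0].isdigit() or tok[0] in PORT_NAMES):
            t = tok.pop(0)
            ports.add(int(t) if t.isdigit() else PORT_NAMES[t])
    return ports


def parse_ace(line):
    tok = line.split()
    if tok[0].isdigit():            # drop the sequence number if present
        tok.pop(0)
    action, proto = tok.pop(0), tok.pop(0)
    src, sports = _addr(tok), _ports(tok)
    dst, dports = _addr(tok), _ports(tok)
    # Whatever is left is 'established' or an ICMP type keyword.
    return {"action": action, "proto": proto, "src": src, "sports": sports,
            "dst": dst, "dports": dports, "extra": tok}


def matches(ace, flow):
    if ace["proto"] not in ("ip", flow.proto):
        return False
    if ace["src"] is not None and ace["src"] != ipaddress.ip_address(flow.src):
        return False
    if ace["dst"] is not None and ace["dst"] != ipaddress.ip_address(flow.dst):
        return False
    if ace["sports"] and flow.sport not in ace["sports"]:
        return False
    if ace["dports"] and flow.dport not in ace["dports"]:
        return False
    if "established" in ace["extra"] and not flow.established:
        return False
    if ace["proto"] == "icmp" and ace["extra"] and flow.icmp_type not in ace["extra"]:
        return False
    return True


def redirect_decision(acl_text, flow):
    """Return (redirected, matching_line). In a redirect ACL, permit = redirect."""
    for line in acl_text.strip().splitlines():
        ace = parse_ace(line)
        if matches(ace, flow):
            return ace["action"] == "permit", line.strip()
    return False, "implicit deny"


# Constructed sample flows from the guest client.
HTTP_SYN = Flow("tcp", "203.0.113.80", dport=80)   # browser's first SYN
TO_PSN = Flow("tcp", "192.0.2.10", dport=8445)     # traffic to the portal node
DNS = Flow("udp", "203.0.113.53", dport=53)

if __name__ == "__main__":
    for name, acl in (("Blackhole", BLACKHOLE), ("Suggested", SUGGESTED)):
        for label, flow in (("HTTP SYN", HTTP_SYN), ("to PSN", TO_PSN), ("DNS", DNS)):
            hit, line = redirect_decision(acl, flow)
            print(f"{name:10} {label:9} redirect={hit!s:5} via '{line}'")
```

Read this way, the browser's initial HTTP SYN falls through the Blackhole ACL to `80 deny ip any any` and is never selected for redirection, while the suggested ACL selects it and exempts traffic to the portal node.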

Similar Messages

  • ISE Wired guest portal redirect even after authentication

    Hi
    I have configured both Wired and Wireless guest authentication via guest portal. Wireless is working fine; however, when trying with Wired, the redirection page keeps coming up even after the user has authenticated.
    I'm not seeing the redirection authorization policy in my logs; however, I can see only the user authentication logs (successful). Attached is my configuration and logging output.
    Here is what I see on the interface
    ABQT-3FLR-ACC-01#sh authentication sessions interface gigabitEthernet 4/0/19
                Interface:  GigabitEthernet4/0/19
              MAC Address:  a0b3.ccca.2ab1
               IP Address:  10.1.3.16
                User-Name:  A0-B3-CC-CA-2A-B1
                   Status:  Authz Success
                   Domain:  DATA
           Oper host mode:  multi-auth
         Oper control dir:  both
            Authorized By:  Authentication Server
              Vlan Policy:  N/A
         URL Redirect ACL:  ACL-WEBAUTH-REDIRECT
             URL Redirect:  https://xxxx-TW-ISE-2.xxx.xxx.qa:8443/guestportal/gateway?sessionId=AC14011F000001571E52779F&action=cwa
          Session timeout:  N/A
             Idle timeout:  N/A
        Common Session ID:  AC14011F000001571E52779F
          Acct Session ID:  0x00000309
                   Handle:  0xE6000158
    Runnable methods list:
           Method   State
           dot1x    Failed over
           mab      Authc Success
    Here is the ACL
    Extended IP access list ACL-WEBAUTH-REDIRECT
        10 deny udp any any eq domain (1344 matches)
        20 deny ip any host 172.20.5.12 (8122 matches)
        30 deny ip any host 172.20.5.14
        40 permit tcp any any eq www (3124 matches)
        50 permit tcp any any eq 443 (202927 matches)
        60 permit tcp any any eq 8080 (114 matches)
        70 permit ip any any (8056 matches)

    Hi Mohannad,
    Thanks for your response.
    Actually, as per the configuration it should work; I'm still trying to find out what has gone wrong with this configuration. In fact I have tested with a 3560 switch with the same config and it worked. The only difference here is that we used a 2960S switch.
    We need to find out why the next Auth policy is not hitting once user is authenticated.
    Here is the port configuration and the authen status of the port.
    ABQT-3FLR-ACC-01#sh running-config interface gig4/0/19
    Building configuration...
    Current configuration : 427 bytes
    interface GigabitEthernet4/0/19
    switchport access vlan 103
    switchport mode access
    switchport voice vlan 135
    authentication event fail action next-method
    authentication host-mode multi-auth
    authentication order dot1x mab
    authentication priority dot1x mab webauth
    authentication port-control auto
    authentication violation restrict
    mab
    dot1x pae authenticator
    dot1x timeout tx-period 10
    spanning-tree portfast
    end
    ABQT-3FLR-ACC-01#
    Mar 31 12:32:14.127: %AAA-3-BADSERVERTYPEERROR: Cannot process accounting server type tacacs+ (UNKNOWN)
    ABQT-3FLR-ACC-01#
    ABQT-3FLR-ACC-01#sh atuh
    ABQT-3FLR-ACC-01#sh atu
    ABQT-3FLR-ACC-01#sh authe
    ABQT-3FLR-ACC-01#sh authentication se
    ABQT-3FLR-ACC-01#sh authentication sessions in
    ABQT-3FLR-ACC-01#sh authentication sessions interface gi
    ABQT-3FLR-ACC-01#sh authentication sessions interface gigabitEthernet 4/0/19
                Interface:  GigabitEthernet4/0/19
              MAC Address:  0015.c5b4.fd4a
               IP Address:  10.1.3.23
                User-Name:  00-15-C5-B4-FD-4A
                   Status:  Authz Success
                   Domain:  DATA
           Oper host mode:  multi-auth
         Oper control dir:  both
            Authorized By:  Authentication Server
              Vlan Policy:  N/A
         URL Redirect ACL:  ACL-WEBAUTH-REDIRECT
             URL Redirect:  https://ABQ-TW-ISE-2.abq.gov.qa:8443/guestportal/gateway?sessionId=AC14011F0000018A32B4D906&action=cwa
          Session timeout:  N/A
             Idle timeout:  N/A
        Common Session ID:  AC14011F0000018A32B4D906
          Acct Session ID:  0x00000394
                   Handle:  0x3E00018B
    Runnable methods list:
           Method   State
           dot1x    Failed over
           mab      Authc Success

  • ISE Wired captive portal

    I have a new ISE integration. I've implemented a captive portal for wireless and wired guests; for wireless all is working perfectly.
    For wired I can see that ISE puts the captive URL on the interface of the switch, but from the laptop (Windows machine) I'm unable to see the link in the browser. Please advise.

    In the same document you have
    Wired NAD Interaction for Central WebAuth
    If your client's machine is hard wired to a NAD, the guest service interaction takes the form of a failed MAB request that leads to a guest portal Central WebAuth login.
    The Central WebAuth triggered by a MAB failure flow follows these steps:
    1. The client connects to the NAD through a hard-wired connection. There is no 802.1X supplicant on the client.
    2. An authentication policy with a service type for MAB allows a MAB failure to continue and return a restricted network profile containing a URL-redirect for Central WebAuth user interface.
    3. The NAD is configured to post MAB requests to the Cisco ISE RADIUS server.
    4. The client machine connects and the NAD initiates a MAB request.
    5. The Cisco ISE server processes the MAB request and does not find an end point for the client machine. This MAB failure resolves to the restricted network profile and returns the URL-redirect value in the profile to the NAD in an access-accept. To support this function, ensure that an Authorization Policy exists featuring the appropriate "NetworkAccess:UseCase=Hostlookup" and "Session:Posture Status=Unknown" conditions.
    The NAD uses this value to redirect all client HTTP/HTTPS traffic on ports 8080 or 8443 to the URL-redirect value. The standard URL value in this case is:
    https://ip:port/guestportal/gateway?sessionId=NetworkSessionId&action=cwa.
    6. The client initiates an HTTP or HTTPS request to any URL using the client browser.
    7. The NAD redirects the request to the URL-redirect value returned from the initial access-accept.
    8. The gateway URL value with action CWA redirects to the guest portal login page.
    9. The client enters the username and password and submits the login form.
    10. The guest action server authenticates the user credentials provided.
    11. If the credentials are valid, the username and password are stored in the local session cache by the guest action server.
    12. If the guest portal is configured to perform Client Provisioning, the guest action redirects the client browser to the Client Provisioning URL. (You can also optionally configure the Client Provisioning Resource Policy to feature a "NetworkAccess:UseCase=GuestFlow" condition.)
    Since there is no Client Provisioning or Posture Agent for Linux, guest portal redirects to Client Provisioning, which in turn redirects back to a guest authentication servlet to perform optional IP release/renew and then CoA.
    13. If the guest portal is not configured to perform Client Provisioning, the guest action server sends a CoA to the NAD through an API call. This CoA will cause the NAD to reauthenticate the client using the RADIUS server. This reauthentication makes use of the user credentials stored in the session cache. A new access-accept is returned to the NAD with the configured network access. If Client Provisioning is not configured and the VLAN is in use, the guest portal performs VLAN IP renew.
    14. With redirection to the Client Provisioning URL, the Client Provisioning subsystem downloads a non-persistent web-agent to the client machine and performs a posture check of the client machine. (You can optionally configure the Posture Policy with a "NetworkAccess:UseCase=GuestFlow" condition.)
    15. If the client machine is non-compliant, ensure you have configured an Authorization Policy that features "NetworkAccess:UseCase=GuestFlow" and "Session:Posture Status=NonCompliant" conditions.
    16. Once the client machine is compliant, ensure you have an Authorization Policy configured with "NetworkAccess:UseCase=GuestFlow" and "Session:Posture Status=Compliant" conditions. From here, the Client Provisioning issues a CoA to the NAD. This CoA will cause the NAD to reauthenticate the client using the RADIUS server. This reauthentication makes use of the user credentials stored in the session cache. A new access-accept is returned to the NAD with the configured network access.

  • SubmitEditData() - redirect fails...

    Hi,
    I've got a weird error.
    In the portlet customization code (JSP) I call the PortletRendererUtil.submitEditData() method. I managed to get it work before, and does work for all my other portlets, but doesn't for the recent one.
    Although, all the customization values are sent to and saved by the personalization manager, the browser doesn't get redirected to the edit renderer JSP page. It starts to display a kind of page with the logos etc. on the top of it instead.
    This portlet shares the provider with some other customizable portlets. I'd appreciate any ideas how I could track down this issue.
    Thanks,
    Peter
    Snippets of my provider.xml:
    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <?providerDefinition version="2.0"?>
    <!DOCTYPE provider [
    <!ENTITY virtualRoot "/changeMe/">
    <!ENTITY physicalRoot "C:\Change\Me">
    ]>
    <provider class="oracle.portal.provider.v1.http.DefaultProvider">
    <session>true</session>
    <useOldStyleHeaders>false</useOldStyleHeaders>
    <portlet class="oracle.portal.provider.v1.http.DefaultPortlet">
    <id>5</id>
    <name>Number2Image</name>
    <title>Number2Image - JSP portlet</title>
    <description>This is a simple JSP portlet converting numbers to images.</description>
    <timeout>30</timeout>
    <timeoutMessage>JSP number2image portlet example timed out</timeoutMessage>
    <acceptContentType>text/html</acceptContentType>
    <showEdit>true</showEdit>
    <showEditDefault>false</showEditDefault>
    <showDetails>true</showDetails>
    <showPreview>true</showPreview>
    <hasHelp>true</hasHelp>
    <hasAbout>false</hasAbout>
    <renderer class="oracle.portal.provider.v1.RenderManager">
    <contentType>text/html</contentType>
    <appPath>/jspportlet</appPath>
    <appRoot>/private/oracle/9iAS_1022/Apache/Apache/htdocs/jportlets/ilt_demo/jsp/</appRoot>
    <showPage>number2image.jsp</showPage>
    <helpPage>number2image_help.html</helpPage>
    <editPage>number2image_edit.jsp</editPage>
    </renderer>
    <personalizationManager class="oracle.portal.provider.v1.FilePersonalizationManager" >
    <dataClass>portlets.demo.jsp.Number2ImagePersonalization</dataClass>
    </personalizationManager>
    </portlet>
    </provider>

    I have partial page rendering in all pages with af:showOneTab. So, to prove if redirect failure is related to PPR. I picked one page with af:showOneTab and got rid of all components with PPR so that it became PPR free. However, redirecting still fails if user clicks on any other tab of af:showOneTab after session has expired.
    If user clicks say on any of the crumbs presented on the page to navigate to parent pages, the redirect succeeds and he is successfully pushed to home page.
    Long story short, redirect fails whenever user clicks on any of the af:showOneTab tabs after session has expired no matter if page has or has no PPR components.
    I hope I answered your questions.
    I know that af:showOneTab uses PPR and that may explain why redirect isn't working, not sure. However, I wish we can have a workaround for this problem.
    Any thoughts ?
    Thanks
    Sam

  • Error while retrieving data in VC model Portal Request Failed

    Hello,
    I'm trying to use an ES workplace Webservice but am not getting any results. The error message is Portal Request Failed ( Index: 0 , Size: 0). I tested calling the service from the esworkplace and it worked, although I had to use some NULL values as variables. Is it also possible to give a null value while testing the webservice from VC?
    I'm on release 7.0 sp08. The service I call is on HU2 800 , service is MaterialSimpleByIDAndDescriptionQueryResponse_In.
    If anyone knows a solution for this problem I'd like to hear from you.
    Regards,
    Jasper

    Hi Jasper,
    Have you followed the steps mentioned in this document? -> https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/a160392c-0e01-0010-7784-9cc564d871d2
    and optionally
    https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/5e9ca25b-0e01-0010-bbaa-f3b963e89edd
    If not, these How-to documents will solve your problem
    With Best Regards,
    Swapnil

  • Webmaster tools change of address 301 redirect failed using domain forward

    I'm having trouble with webmaster tools recognising our domain name change.
    We've recently updated the website and done a name change from www.qldtshirt.com.au to www.qtco.com.au. I am using domain forwarding so qldtshirt.com.au forwards to qtco.com.au (as well as with www.) and everything works perfectly.
    www.qldtshirt.com.au/products/polo-shirts/cool-dry-fabric forwards to:
    http://www.qtco.com.au/products/clothing/polo-shirts/cool-dry-fabric
    We have about 4000 301 redirects setup in URL Redirects:
    /products/business-and-corporate/desk-and-office/100-organic-cotton-pencil-case to
    /products/gifts-incentives/desk-and-office/100-organic-cotton-pencil-case
    so on and so on....
    I've verified all sites in webmaster tools however when change of address from www.qldtshirt.com.au to www.qtco.com.au webmaster tools presents this error:
    "301 redirect failed. We detect that the root address of your old site (www.qldtshirt.com.au) does not yet redirect to the root address of your new site (www.qtco.com.au). For more information use the Fetch as Google tool."
    It works perfectly fine for the end user, anyone know why and how to fix please?

    Hi, I have found this same situation.  Did you have any luck finding a solution?
    Thank you

  • Executing function module gives error "Portal request failed: Connection fa

    Dear Experts,
    I have a Function module  Z_SAT_CREDITLIMIT_CHANGE which in itself accesses the SAP Update Function module
    UPDATE/INSERT  of the credit limit(CREDITLIMIT_CHANGE)
    and writes the changed data to the Table KNKK(Customer Master Credit Management : Control Area Data).
    While executing this fn module Z_SAT_CREDITLIMIT_CHANGE
    from VC storyboard I received the error "Portal request failed:
    Connection failed: Nested Exception: Native Connection to backend system is broken" . Z_SAT_CREDITLIMIT_CHANGE executes fine and updates data in ECC system.
    Then I noticed further that when commenting out the part of the code in Z_SAT_CREDITLIMIT_CHANGE where the call to fn module CREDITLIMIT_CHANGE is made, no error is received and Z_SAT_CREDITLIMIT_CHANGE executes without error, but obviously no data is updated.
    Appreciate if any one can please explain how can i use CREDITLIMIT_CHANGE  in Z_SAT_CREDITLIMIT_CHANGE
    without any errors.
    Kind Regards,
    Robin.

    Hi Robin,
    Also, check that the user with which you're accessing the backend has permissions to execute the Dataservice at the backend system.
    You should check the usermapping to know which is the user at backend.
    Best Regards,
    Luis

  • Using Firefox 19.0 WIFI logon fails page redirect fails

    Attempting to use Firefox at a variety of airports and hotels fails. The initial logon page is displayed but then the following pages which are redirects fail. Usual message is "Page not Found" Using the captive IP address does not work. Various combinations of settings do not work. AP has been associated and an optimum MTU has been determined via ping to the default gateway.

    You should not need to disable antivirus to connect.
    I assume you are not having Firefox block all redirects. You can check that setting here:
    orange Firefox button or classic Tools menu > Options > Advanced > General > uncheck "Warn me when websites try to redirect or reload the page"
    What are your connection/proxy settings in Firefox? If you choose "Use system proxy settings" then Firefox should use IE's settings. Or if you choose "No proxy" then Firefox should default to your wi-fi connection.
    orange Firefox button or classic Tools menu > Options > Advanced > Network > "Settings" button
    Can you think of any add-on changes you might have made since the T-Mobile days? A standard diagnostic to bypass interference by extensions (and some custom settings) is to try Firefox's Safe Mode.
    First, I recommend backing up your Firefox settings in case something goes wrong. See "Backing up your information". (You can copy your entire Firefox profile folder somewhere outside of the Mozilla folder.)
    Next, restart Firefox in Firefox's Safe Mode using
    Help > Restart with Add-ons Disabled
    In the dialog, click "Start in Safe Mode."
    If you can load sites normally, this points to one of your extensions or custom settings as the problem.

  • Portal Request Failed (Fault returned {0})

    Hi All,
    I use WSDLs created from XI which in turn execute BAPIs in R3 and return me the output/response. Two of these WSDLs are throwing this error.
    Portal Request Failed (Fault returned )
    Has any one of you come across this error in VC storyboard? Do let me know your experience and views on getting this resolved.
    Thanks,
    Kavitha

    Hi Mario,
    thank you for your response! But I can not solve my problem.
    - I am passing all the mandatory files in the right format
    - I executed the web service with the web service checker and the web service works fine.
    The only difference from my other web services is that I also use a list as an input parameter. Can that be the reason?
    Thanks
    Stefan

  • Portal Request Failed

    Hi all,
    When I deploy my VC application with flash I get a nice application in the Portal, but when I deploy my application in Webdynpro I get the following error:
    Portal Request Failed (incomplete input, no MainUnits Specified)
    How can I solve this error
    Richard

    Hi Richard,
    there are differences between flash and webdynpro. Some components for flash are not supported for WebDynpro. If you change the compiler in your settings, then the components in the task panel toolbar also change.
    I guess you use a component in your model which is not supported by webdynpro.
    There are also some other limitations to WD, have a look into the VC wiki:
    https://wiki.sdn.sap.com/wiki/display/VC/LimitationsofWebDynpro
    Best Regards,
    Marcel

  • Portal authentication failing intermittently post self registration

    We are in the process of upgrading from EP6 to EP7 and have hit a critical authentication problem that is proving difficult to diagnose and resolve.
    Our self registration process leads straight into user logon:
    1) the user fills in the registration form with their user ID, password etc and selects Submit which creates the user ID in our R/3 user store
    2) the user is presented with text informing them that their registration has been successful and a Proceed button which when selected authenticates them with the portal with their newly created user ID
    Step 2) above is working intermittently in our EP7 system - sometimes the process works exactly as expected others an exception is raised (com.sap.security.core.logon.imp.UMELoginException: USER_AUTH_FAILED).
    It seems as though the cause is that the user creation process has not completed fully before the logon step.
    We tried implementing a wait step (10 seconds) following selection of the Proceed button which reduced the incidence rate of the problem but didn't cure it entirely.
    A possible contributing factor is hardware performance as we are testing the upgrade on an impact analysis system which is not as efficient as our live portal landscape.
    I've pasted the code which performs the authentication and extracts from the DIAGTOOL portal logs below which show the login module configuration (SAP standard I believe).
    Any help/advice what to try next would be greatly appreciated as we are running out of ideas.
    Thanks,
    Alan
    The following code performs the authentication and redirection to the portal user's home page:
    public void onRedirect(Event event) throws PageException {
        getBean();
        // Get resource bundle
        ResourceBundle rbSetup =
            ResourceBundle.getBundle(
                "setup",
                ((IPortalComponentRequest) this.getRequest()).getLocale());
        ILogonAuthentication logonAuthentication =
            UMFactory.getLogonAuthenticator();
        HttpServletRequest req =
            ((IPortalComponentRequest) this.getRequest())
                .getServletRequest();
        HttpServletResponse res =
            ((IPortalComponentRequest) this.getRequest())
                .getServletResponse(true);
        // Hand the newly registered credentials to the logon stack
        req.setAttribute(
            ILoginConstants.LOGON_UID_ALIAS,
            SelfRegBean.getLogonUid());
        req.setAttribute(
            ILoginConstants.LOGON_PWD_ALIAS,
            SelfRegBean.getPassword());
        Subject subject = null;
        try {
            // Authenticate, then redirect only if a subject was returned
            subject = logonAuthentication.logon(req, res, AUTHSCHEME);
            if (null != subject) {
                res.sendRedirect(rbSetup.getString("REDIRECT_URL"));
            }
        } catch (LoginException e) {
            SelfRegBean.setError(rb.getString(LOGIN_FAILED));
        } catch (IOException e) {
            SelfRegBean.setError(rb.getString(REDIRECT_FAILED));
        }
    }
    Full exception thrown when the authentication process fails:
    com.sap.security.core.logon.imp.UMELoginException: USER_AUTH_FAILED at com.sap.security.core.logon.imp.SAPJ2EEAuthenticator.logon(SAPJ2EEAuthenticator.java:949) at uk.ac.ncl.SelfRegistration$SelfRegistrationDynPage.onRedirect(SelfRegistration.java:507) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) at java.lang.reflect.Method.invoke(Method.java:324) at com.sapportals.htmlb.page.DynPage.doProcessCurrentEvent(DynPage.java:172) at com.sapportals.htmlb.page.PageProcessor.handleRequest(PageProcessor.java:115) at com.sapportals.portal.htmlb.page.PageProcessorComponent.doContent(PageProcessorComponent.java:134) at com.sapportals.portal.prt.component.AbstractPortalComponent.serviceDeprecated(AbstractPortalComponent.java:209) at com.sapportals.portal.prt.component.AbstractPortalComponent.service(AbstractPortalComponent.java:114) at com.sapportals.portal.prt.core.PortalRequestManager.callPortalComponent(PortalRequestManager.java:328) at com.sapportals.portal.prt.core.PortalRequestManager.dispatchRequest(PortalRequestManager.java:136) at com.sapportals.portal.prt.core.PortalRequestManager.dispatchRequest(PortalRequestManager.java:189) at com.sapportals.portal.prt.component.PortalComponentResponse.include(PortalComponentResponse.java:215) at com.sapportals.portal.prt.pom.PortalNode.service(PortalNode.java:645) at com.sapportals.portal.prt.core.PortalRequestManager.callPortalComponent(PortalRequestManager.java:328) at com.sapportals.portal.prt.core.PortalRequestManager.dispatchRequest(PortalRequestManager.java:136) at com.sapportals.portal.prt.core.PortalRequestManager.dispatchRequest(PortalRequestManager.java:189) at com.sapportals.portal.prt.core.PortalRequestManager.runRequestCycle(PortalRequestManager.java:753) at 
com.sapportals.portal.prt.connection.ServletConnection.handleRequest(ServletConnection.java:240) at com.sapportals.portal.prt.dispatcher.Dispatcher$doService.run(Dispatcher.java:524) at java.security.AccessController.doPrivileged(Native Method) at com.sapportals.portal.prt.dispatcher.Dispatcher.service(Dispatcher.java:407) at javax.servlet.http.HttpServlet.service(HttpServlet.java:853) at com.sap.engine.services.servlets_jsp.server.servlet.InvokerServlet.service(InvokerServlet.java:156) at javax.servlet.http.HttpServlet.service(HttpServlet.java:853) at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401) at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266) at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386) at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364) at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1039) at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265) at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95) at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175) at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33) at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41) at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37) at java.security.AccessController.doPrivileged(Native Method) at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:102) at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:172) -
    Key log extracts from DIAGTOOL:
    Exception on login: 
    [EXCEPTION]
    com.sap.security.core.server.userstore.UserstoreException: Could not refresh user postsp15p
    Caused by: com.sap.security.api.NoSuchUserAccountException: USER_AUTH_FAILED: User account for logonid "postsp15p" not found!
    LOGIN.FAILED
    User: N/A
    Authentication Stack: ticket
    Login Module                                                               Flag        Initialize  Login      Commit     Abort      Details
    1. com.sap.security.core.server.jaas.EvaluateTicketLoginModule             SUFFICIENT  ok          false                 true      
            #1 ume.configuration.active = true
    2. com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule   REQUISITE   ok          exception             true       Authentication did not succeed.
    3. com.sap.security.core.server.jaas.CreateTicketLoginModule               OPTIONAL    ok                                true      
            #1 ume.configuration.active = true
    com.sap.security.core.logon.imp.UMELoginException:
    ObjectID handed over is 'null'!
    Guest | LOGIN.ERROR | null |  | Login Method=[uidpwdlogon], UserID=[null], IP Address=[10.64.65.191], Reason=[Authentication did not succeed.]
    USER_AUTH_FAILED

    We are in the process of upgrading from EP6 to EP7 and have hit a critical authentication problem that is proving difficult to diagnose and resolve.
    Our self registration process leads straight into user logon:
    1) the user fills in the registration form with their user ID, password etc and selects Submit which creates the user ID in our R/3 user store
    2) the user is presented with text informing them that their registration has been successful and a Proceed button which when selected authenticates them with the portal with their newly created user ID
    Step 2) above is working intermittently in our EP7 system - sometimes the process works exactly as expected others an exception is raised (com.sap.security.core.logon.imp.UMELoginException: USER_AUTH_FAILED).
    It seems as though the cause is that the user creation process has not completed fully before the logon step.
    We tried implementing a wait step (10 seconds) following selection of the Proceed button which reduced the incidence rate of the problem but didn't cure it entirely.
    A possible contributing factor is hardware performance as we are testing the upgrade on an impact analysis system which is not as efficient as our live portal landscape.
    I've pasted the code which performs the authentication and extracts from the DIAGTOOL portal logs below which show the login module configuration (SAP standard I believe).
    Any help/advice what to try next would be greatly appreciated as we are running out of ideas.
    Thanks,
    Alan
    The following code performs the authentication and redirection to the portal user's home page:
    public void onRedirect(Event event) throws PageException {
        getBean();
        // Get resource bundle
        ResourceBundle rbSetup =
            ResourceBundle.getBundle(
                "setup",
                ((IPortalComponentRequest) this.getRequest()).getLocale());
        ILogonAuthentication logonAuthentication =
            UMFactory.getLogonAuthenticator();
        HttpServletRequest req =
            ((IPortalComponentRequest) this.getRequest())
                .getServletRequest();
        HttpServletResponse res =
            ((IPortalComponentRequest) this.getRequest())
                .getServletResponse(true);
        // Hand the newly registered user ID and password to the logon call
        req.setAttribute(
            ILoginConstants.LOGON_UID_ALIAS,
            SelfRegBean.getLogonUid());
        req.setAttribute(
            ILoginConstants.LOGON_PWD_ALIAS,
            SelfRegBean.getPassword());
        Subject subject = null;
        try {
            // Authenticate against the portal with the configured auth scheme
            subject = logonAuthentication.logon(req, res, AUTHSCHEME);
            if (null != subject) {
                // Logon succeeded: send the user to their home page
                res.sendRedirect(rbSetup.getString("REDIRECT_URL"));
            }
        } catch (LoginException e) {
            SelfRegBean.setError(rb.getString(LOGIN_FAILED));
        } catch (IOException e) {
            SelfRegBean.setError(rb.getString(REDIRECT_FAILED));
        }
    }
    Full exception thrown when the authentication process fails:
    com.sap.security.core.logon.imp.UMELoginException: USER_AUTH_FAILED
        at com.sap.security.core.logon.imp.SAPJ2EEAuthenticator.logon(SAPJ2EEAuthenticator.java:949)
        at uk.ac.ncl.SelfRegistration$SelfRegistrationDynPage.onRedirect(SelfRegistration.java:507)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:324)
        at com.sapportals.htmlb.page.DynPage.doProcessCurrentEvent(DynPage.java:172)
        at com.sapportals.htmlb.page.PageProcessor.handleRequest(PageProcessor.java:115)
        at com.sapportals.portal.htmlb.page.PageProcessorComponent.doContent(PageProcessorComponent.java:134)
        at com.sapportals.portal.prt.component.AbstractPortalComponent.serviceDeprecated(AbstractPortalComponent.java:209)
        at com.sapportals.portal.prt.component.AbstractPortalComponent.service(AbstractPortalComponent.java:114)
        at com.sapportals.portal.prt.core.PortalRequestManager.callPortalComponent(PortalRequestManager.java:328)
        at com.sapportals.portal.prt.core.PortalRequestManager.dispatchRequest(PortalRequestManager.java:136)
        at com.sapportals.portal.prt.core.PortalRequestManager.dispatchRequest(PortalRequestManager.java:189)
        at com.sapportals.portal.prt.component.PortalComponentResponse.include(PortalComponentResponse.java:215)
        at com.sapportals.portal.prt.pom.PortalNode.service(PortalNode.java:645)
        at com.sapportals.portal.prt.core.PortalRequestManager.callPortalComponent(PortalRequestManager.java:328)
        at com.sapportals.portal.prt.core.PortalRequestManager.dispatchRequest(PortalRequestManager.java:136)
        at com.sapportals.portal.prt.core.PortalRequestManager.dispatchRequest(PortalRequestManager.java:189)
        at com.sapportals.portal.prt.core.PortalRequestManager.runRequestCycle(PortalRequestManager.java:753)
        at com.sapportals.portal.prt.connection.ServletConnection.handleRequest(ServletConnection.java:240)
        at com.sapportals.portal.prt.dispatcher.Dispatcher$doService.run(Dispatcher.java:524)
        at java.security.AccessController.doPrivileged(Native Method)
        at com.sapportals.portal.prt.dispatcher.Dispatcher.service(Dispatcher.java:407)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
        at com.sap.engine.services.servlets_jsp.server.servlet.InvokerServlet.service(InvokerServlet.java:156)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
        at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
        at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
        at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)
        at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364)
        at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1039)
        at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)
        at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
        at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
        at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
        at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
        at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
        at java.security.AccessController.doPrivileged(Native Method)
        at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:102)
        at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:172)
    Key log extracts from DIAGTOOL:
    Exception on login: 
    [EXCEPTION]
    com.sap.security.core.server.userstore.UserstoreException: Could not refresh user postsp15p
    Caused by: com.sap.security.api.NoSuchUserAccountException: USER_AUTH_FAILED: User account for logonid "postsp15p" not found!
    LOGIN.FAILED
    User: N/A
    Authentication Stack: ticket
    Login Module                                                               Flag        Initialize  Login      Commit     Abort      Details
    1. com.sap.security.core.server.jaas.EvaluateTicketLoginModule             SUFFICIENT  ok          false                 true      
            #1 ume.configuration.active = true
    2. com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule   REQUISITE   ok          exception             true       Authentication did not succeed.
    3. com.sap.security.core.server.jaas.CreateTicketLoginModule               OPTIONAL    ok                                true      
            #1 ume.configuration.active = true
    com.sap.security.core.logon.imp.UMELoginException:
    ObjectID handed over is 'null'!
    Guest | LOGIN.ERROR | null |  | Login Method=[uidpwdlogon], UserID=[null], IP Address=[10.64.65.191], Reason=[Authentication did not succeed.]
    USER_AUTH_FAILED

  • Clientless SSL VPN Portal Customization fails on 5510

    I am trying to customize a web VPN portal on my 5510 but I get errors whenever I try to add a customization object.  Running ASDM 6.1(5)51 on ASA 8.0(5).  The error I get when I try to apply a newly created customization object is:
    [ERROR] export webvpn customization DfltCustomization disk0:/tmpAsdmImportFile2090698426
    export webvpn customization DfltCustomization disk0:/tmpAsdmImportFile2090698426                            ^
    % Invalid input detected at '^' marker.
    [ERROR] import webvpn customization test disk0:/tmpAsdmImportFile2090698426
        % copying 'disk0:/tmpAsdmImportFile2090698426' to a temporary ramfs file failed
    [ERROR] delete /noconfirm disk0:/tmpAsdmImportFile2090698426
    %Error deleting disk0:/tmpAsdmImportFile2090698426 (No such file or directory)
    Tried revert webvpn all but I get error on that as well:
    Result of the command: "revert webvpn all"
    %ERROR: ifs_rm_dir_rec: unknown type of file `disk0:/csco_config/97/customization/86D3828A0A0EB0FFA3B55870AAA43E4F'
    Any ideas?
    Joe

    Hi,
    As mentioned by Guru, the recommended action is to format the flash: memory.
    Sometimes some webvpn files get corrupted resulting in missing DfltCustomization objects or import errors.
    Once you format it, it should work fine.
    Thanks.
    Portu.

  • ESS for R/3 4.6C on new NetWeaver Portal -- deployment fails!

    Hi ESS Experts,
    We're having problems deploying the older BP for ESS R/3 4.6C to our Netweaver Portal. Our Software Deployment Manager can't install the file. Normally, BPs are .sca files but the BP for ESS 4.6C is a .zip file. We can manually rename the .zip to .sca, which is then shown in the SDM but the deployment always fails.
    How can we install this BP for ESS 4.6C on our newer SAP NW Portal used for our BW system?
    Many thanks,
    Andrew

    Hi Andrew
    Have you tried to unzip the file and identify the required deployment files?
    Further to this -->
    If you go to /swdc it states BP ESS 4.6C-4.7 50.4 (no longer in maintenance) - this product is no longer in mainstream maintenance.
    Also there are no guarantees that 46C products will work with Enterprise Portal versions from other SAP product families, e.g. NW 700 with ESS 46C.
    If you have extended maintenance for 46C perhaps you could open a CSS/OSS message in component BC-CTS-SDM to investigate why the installation fails and whether there is any workaround.
    Hope this helps
    Stuart

  • 5760 v3.6 guest portal redirect to ISE

    I'm testing a new set of 5760 controllers for a future production rollout, running software version 3.6.  Our current production setup consists of older WISM-1 and 4402 controllers running CUWN 7.0.  Our guest network has an anchor in the DMZ, redirecting to ISE.
    In the recent thread (https://supportforums.cisco.com/discussion/12319151/3850-ise-guestportal-no-redirect-v-334), one of the posters said that guest redirection in 3.6 works similarly to redirection in CUWN, while in 3.3 it is very different.  I found the documentation for 3.3 (http://www.cisco.com/c/en/us/support/docs/wireless/5700-series-wireless-lan-controllers/117717-config-wlc-00.html), which I have to say I don't like very much.  However, I find the configuration and command reference guides for 3.6 are less than helpful on this point. 
    So the question I have is whether guest networking with an external redirect to ISE looks like the following in 3.6?  Or does it work like CUWN, where the SSID is configured with layer 3 security?  If it uses layer 3 security like CUWN, does anybody have a quick configuration sample for how it can work end to end in 3.6?
    ------ From the document http://www.cisco.com/c/en/us/support/docs/wireless/5700-series-wireless-lan-controllers/117717-config-wlc-00.html ---------
    The flow includes these steps:
    1. The user associates to the web authentication Service Set Identifier (SSID), which is in fact open+macfiltering and no Layer 3 security.
    2. The user opens the browser.
    3. The WLC redirects to the guest portal.
    4. The user authenticates on the portal.
    5. The ISE sends a RADIUS Change of Authorization (CoA - UDP Port 1700) in order to indicate to the controller that the user is valid, and eventually pushes RADIUS attributes such as the Access Control List (ACL).
    6. The user is prompted to retry the original URL.

    I have a project with a 5760 running 3.6 working to a 5508 anchor controller in a DMZ.
    I have web authentication working to an ISE OK.
    Regards
    Roger

  • ISE Guest Portal redirection not working

    I have built a lab at home. I have a Win2008 Server for AD/DNS, ISE 1.2 (VM trial), a 3560-cg switch, 2500 WLC and 2602i AP. I have configured everything as per the documentation online. My issue is that when I connect to the open SSID, it gets connected and has the DNS server populated as well, but the redirection never takes place. I can search for google or cnn.com but it just stays at looking up host or something. However, if I take the redirect URL from the WLC and then do it on the browser, it does go to the guest portal. Let me know what issues I can see and if there is any other information I can provide.

    Issue resolved.
    My lab environment didn't have access to the internet, and hence the DNS server 8.8.8.8 would not resolve any public IPs. But when an address is resolvable by DNS, it redirects nicely. For a test I created a DNS entry on the DNS server itself and tested it.
    Sent from Cisco Technical Support Android App
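
The failure order in the thread above (no DNS answer, so the browser never sends an HTTP request that the controller could redirect) can be checked from a test client. This is an added example, not part of the original posts: the probe host, the portal hostname and the `triage` helper are assumptions, and it reads the `sessionId` parameter that appears in ISE redirect URLs.

```python
import http.client
import socket
from urllib.parse import parse_qs, urlsplit


def resolve(host):
    """Return the first IPv4 address for host, or None when DNS fails."""
    try:
        info = socket.getaddrinfo(host, 80, socket.AF_INET, socket.SOCK_STREAM)
        return info[0][4][0]
    except socket.gaierror:
        return None


def fetch(ip, host, timeout=5):
    """Plain-HTTP GET that does not follow redirects: (status, Location)."""
    conn = http.client.HTTPConnection(ip, 80, timeout=timeout)
    try:
        conn.request("GET", "/", headers={"Host": host})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def triage(test_host, portal_host, resolver=resolve, fetcher=fetch):
    """Classify where the guest-portal redirect stops for one probe host."""
    ip = resolver(test_host)
    if ip is None:
        # Without a DNS answer the browser opens no TCP session, so there
        # is no HTTP request for the switch or WLC to intercept.
        return "dns_failed", None
    try:
        status, location = fetcher(ip, test_host)
    except (OSError, http.client.HTTPException) as exc:
        return "http_failed", str(exc)
    if status in (301, 302, 303, 307, 308) and location:
        url = urlsplit(location)
        if (url.hostname or "").lower() == portal_host.lower():
            # Report the session the portal URL was issued for.
            return "redirected_to_portal", parse_qs(url.query).get("sessionId", [None])[0]
        return "redirected_elsewhere", location
    # The origin answered directly: the request was not intercepted
    # (redirect ACL does not match it, or the session is already authorized).
    return "not_intercepted", status


if __name__ == "__main__":
    # Constructed demo: a lab DNS server that cannot resolve public names.
    print(triage("www.example.com", "ise.example.test", resolver=lambda h: None))
```

Run it from the guest client with the real resolver and fetcher by calling `triage` with only the probe host and the portal hostname.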
