Wireless users getting disabled

Hi,
I have a WLC 4404 running version 7.0.116.0. I was getting the following messages for particular APs:
*Dec 20 14:11:13.875: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
*Dec 20 14:11:13.908: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
*Dec 20 14:11:29.383: %LWAPP-5-RLDP: RLDP stopped on slot 0.
*Dec 20 14:11:29.674: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to down
*Dec 20 14:11:29.678: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
*Dec 20 14:11:29.700: %LWAPP-5-RLDP: RLDP started on slot 0.
*Dec 20 14:11:29.707: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
*Dec 20 14:11:29.752: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to down
*Dec 20 14:11:29.757: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
*Dec 20 14:11:29.790: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
*Dec 20 14:11:45.396: %LWAPP-5-RLDP: RLDP stopped on slot 0.
*Dec 20 14:11:13.875: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
After seeing one of the Cisco forums, I have disabled RLDP for those particular APs,
so the above messages are rectified.
But right now we are not able to identify the rogue IP and it is not contained.
So please give any suggestion so that I can rectify the above messages as well as identify the rogue IP.
Thanks & Regards
Gaurav Pandya

Post the question in the correct forum for a quicker response.
https://supportforums.cisco.com/community/netpro/wireless-mobility/security-network-management
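
The radio state changes in the log above cluster around the RLDP start/stop messages. The following added example (not part of the original thread) parses those AP console lines and counts Dot11Radio state changes within one second of each RLDP event; the one-second window and all function names are assumptions chosen for illustration.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# AP console lines quoted in the post above; the final two records are left
# fused on one line to exercise the parser.
SAMPLE = """\
*Dec 20 14:11:13.875: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
*Dec 20 14:11:13.908: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
*Dec 20 14:11:29.383: %LWAPP-5-RLDP: RLDP stopped on slot 0.
*Dec 20 14:11:29.674: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to down
*Dec 20 14:11:29.678: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
*Dec 20 14:11:29.700: %LWAPP-5-RLDP: RLDP started on slot 0.
*Dec 20 14:11:29.707: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
*Dec 20 14:11:29.752: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to down
*Dec 20 14:11:29.757: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
*Dec 20 14:11:29.790: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
*Dec 20 14:11:45.396: %LWAPP-5-RLDP: RLDP stopped on slot 0. *Dec 20 14:11:13.875: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
"""

# One record: "*Mon DD HH:MM:SS.mmm: %FACILITY-SEVERITY-MNEMONIC: message"
RECORD = re.compile(
    r"\*(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d\.\d{3}): "
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z0-9_]+): "
    r"(?P<message>.*?)(?=\s*\*[A-Z][a-z]{2} +\d{1,2} \d\d:|\s*$)",
    re.MULTILINE,
)

@dataclass(frozen=True)
class Event:
    when: datetime
    facility: str
    severity: int
    mnemonic: str
    message: str

def parse_events(text):
    """Return de-duplicated events sorted by time (the log carries no year)."""
    seen = set()
    for m in RECORD.finditer(text):
        # A fixed placeholder year keeps strptime happy; only deltas matter.
        when = datetime.strptime("2000 " + m["ts"], "%Y %b %d %H:%M:%S.%f")
        seen.add(Event(when, m["facility"], int(m["severity"]),
                       m["mnemonic"], m["message"]))
    return sorted(seen, key=lambda e: (e.when, e.mnemonic, e.message))

def radio_changes_near_rldp(events, window_s=1.0):
    """For each RLDP start/stop, count Dot11Radio state changes within window_s."""
    radio = [e for e in events
             if e.facility == "LINK" and "Dot11Radio" in e.message]
    report = []
    for e in events:
        if e.facility == "LWAPP" and e.mnemonic == "RLDP":
            near = sum(abs((r.when - e.when).total_seconds()) <= window_s
                       for r in radio)
            report.append((e.when.strftime("%H:%M:%S.%f")[:-3], e.message, near))
    return report

def radio_resets(events):
    """Events where a radio interface was put into the reset state."""
    return [e for e in events if e.message.endswith("changed state to reset")]

if __name__ == "__main__":
    evs = parse_events(SAMPLE)
    for when, msg, near in radio_changes_near_rldp(evs):
        print(f"{when}  {msg:<28} radio changes within 1s: {near}")
    print("radio resets:", len(radio_resets(evs)))
```
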

Similar Messages

  • WLC 4404 Wireless users getting disabled

    Hi Scott,
    You are right, I am not able to detect rogue APs because I disabled RLDP. But when I enable RLDP for that particular AP, I got the following messages with the interface going up and down:
    *Dec 20 14:11:13.875: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
    *Dec 20 14:11:13.908: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
    *Dec 20 14:11:29.383: %LWAPP-5-RLDP: RLDP stopped on slot 0.
    *Dec 20 14:11:29.674: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to down
    *Dec 20 14:11:29.678: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
    *Dec 20 14:11:29.700: %LWAPP-5-RLDP: RLDP started on slot 0.
    So please suggest a middle way so that I can enable RLDP (detect the rogue APs) without the interface going up and down frequently.
    Regards
    Gaurav

  • Users getting disabled during Synchronization

    Hi All,
    We are running Plumtree 5.0.2 in a Windows environment under Tomcat and used the sample application "Auth_HelloWorld-Java" as the base, modifying it as per the current needs for Authentication and Synchronization. When I run the Synchronization under "Partial Users Synchronization", all the groups and users get imported correctly the first time. When it is run again, the users who were imported during the first run get disabled automatically and need to be enabled manually. This is causing us a lot of issues as the number of users grows.
    Please do let me know how this can be solved.
    Thanks, Raghu

    Raghu,
    I apologize for the delayed response; our notifications seem to have been down over the weekend.
    As far as the problems you are having go, the only reason that the users would get disabled is that they are not members of a group in the "Fully Synchronized Group List". This list is in the Authentication Source Editor, and should contain the groups from your remote Authentication Source that should be synchronized with the portal. Only users that are members of a group specified in that list will be imported.
    Do you have any groups chosen?
    Thanks, Akash

  • Automatic tester user gets disabled in ISE

    We have ISE 1.2 working in our environment. For some reason the RADIUS test user used for NAD device authentication gets disabled automatically, though I couldn't determine the frequency or the timing of it. Is there any specific setting I am missing that I should check or configure in the NAD or in ISE?

    Hi Manmohan,
    In ISE there is an option which specifies the number of times Cisco ISE records incorrect administrator passwords before locking the administrator out of Cisco ISE and suspending or disabling account credentials.
    Can you check whether any such password policy is enabled for your RADIUS user? It might be getting locked/disabled after a certain number of wrong tries.

  • If anchor WLC fails, roaming wireless users get "stuck"

    I did a test in our lab where I roamed from an AP on WLC A to an AP on WLC B. My client kept its same IP address and connectivity remained. I'm running WLC 4.0.219, so the traffic at this point was not symmetrical, but the connectivity was up. WLC A was the Anchor WLC.
    Then, I failed WLC A. My wireless client still had its original IP address from WLC, so I lost all connectivity. WLC B did not try to do anything so that my client would get a new IP address (from WLC B) and regain connectivity.
    The only way I could get my client to work again was to go to WLC B and "Remove" the client. It looks like this forced the client to re-authenticate and get a new IP address.
    Is this the only way to get a client back on the network in this type of failure scenario?

    Did both WLCs have dynamic interfaces on the same subnet, or did each WLC have interfaces on different subnets? I have tried this failure before with no issues, as long as the WLCs have interfaces on the same subnet for the users.

  • Wireless users getting ACL errors when no ACL is in place

    We have around a hundred users, many using PowerBooks and MacBook Pros via a third-party wireless. Recently, a few users are reporting errors when connecting saying that they are not on the Access Control List, but we don't use one. I think these users may have updated to the Airport Extreme Update 2007-001, but that is the only possible similarity I can find. Any ideas?

    Hi,
    Try to configure the virtual memory in the system configuration of the operating system
    Tamir

  • User gets disabled after 3 login failure

    I just realized this problem. I don't want users to buzz the helpdesk because of a failed login. Where and how can I turn it off?
    I just wonder, is it not possible, for example, to disable a user after 3 failed attempts and enable it after 2 hours?

    Never mind. I found the solution.
    Solution:
    1. Log into the Admin interface.
    2. Navigate to Configure.
    3. Navigate to Policies.
    4. Select "Default Lighthouse Account Policy".
    5. Under the "Identity Manager Password Policy Options" label:
    A. Find the "Password policy" and select from the drop-down list the password policy that applies to your system. I chose "Windows 2000 Password Policy" because we are using Active Directory pass-through authentication.
    B. In the text box labeled "Maximum Number of Failed Login Attempts" enter a number. We entered 3.
    C. Save the change.

  • User is getting disabled in EBus when Account Id is changed

    Hello All !
    We have 2 EBus instances which have a dependency on an OID instance. Whenever there is a change in AccountID, the change propagates to OIM but the user gets disabled on the EBus instances.
    I see from the process definition for the EBus instances that the change of account ID is attached to a custom adapter which copies the value, whereas OID is attached to a deleteuser.
    I am not sure if the OID process task is causing this. How can I make sure the user is not end-dated?
    Thanks in Advance

    Does anybody know a reason why the user is getting disabled?

  • NAC IB with wireless users

    I have a problem here guys, I will deploy Cisco NAC with wireless users.
    My scenario is IB-VG; the access points are autonomous and there is no WLC.
    The AP is connected to the switch on a trunk port and I have configured the AP
    with different SSIDs, each one with a different VLAN. On the NAC I have
    configured the VLAN mapping and the managed subnets, but it doesn't work.
    I want to know where the problem is, or whether there is any configuration example for configuring an
    autonomous AP in In-Band virtual gateway mode.

    Hi,
    Can you please be more specific about what does not work?
    What were you expecting to see and what are you seeing?
    Do the wireless users get an IP address?
    If yes, are they getting the IP you would expect?
    After getting an IP address, if you open a web browser do you get redirected to the NAC login page?
    If yes, do you enter the credentials and fail authentication?
    Please note that you will need to make sure that the VLAN on the clients is allowed on the untrusted interface of the CAS, and that the VLAN mapping maps this VLAN to a VLAN where a DHCP server is reachable.
    Also, please make sure that the only path for traffic on the VLAN configured on the SSID is the path going through the CAS.
    HTH,
    Tiago
    If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

  • User not getting disabled

    A particular user is not getting disabled. This is happening when it tries to disable one of the provisioned resources.
    Logs:
    2012-09-29 23:39:23,100 ERROR QuartzWorkerThread-3 XELLERATE.SERVER - Class/Method: tcProcessUtilities/disableProcess encounter some problems: {1}
    2012-09-29 23:39:23,100 ERROR QuartzWorkerThread-3 XELLERATE.SERVER - Class/Method: tcOIU/disableObjectInstance Error :Unable to disable the object instance.
    2012-09-29 23:39:23,100 INFO QuartzWorkerThread-3 XELLERATE.DATABASE - DB read: select err_key, err_code, err_desc, err_rowver, err_remedy, err_count, err_last_occurance, err_action, err_help_url, err_severity from err where err_code='DOBJ.RESOURCE_NOTCONFIGURED_PROPERLY'
    2012-09-29 23:39:23,102 ERROR QuartzWorkerThread-3 XELLERATE.JAVACLIENT - Class/Method: tcTriggerUserProcesses/disableOrcs Error :Unable to disable the object instance.
    2012-09-29 23:39:23,102 INFO QuartzWorkerThread-3 XELLERATE.DATABASE - DB read: select err_key, err_code, err_desc, err_rowver, err_remedy, err_count, err_last_occurance, err_action, err_help_url, err_severity from err where err_code='DOBJ.RESOURCE_NOTCONFIGURED_PROPERLY'
    Please let me know what might be the problem. Thanks.

    Hi Gyanprakash,
    Thanks for your response.
    1. Disable triggers are defined in that object and multiple instances are enabled for that disable trigger task.
    2. The object is still in provisioned state, not disabled.
    3. Two of its tasks in that process instance were manually completed. Some problem occurred during completion of those tasks and they were completed manually. So is that same problem hindering the disable flow also?

  • Reauthentication of wireless user does not prompt

    Hi Sir,
    I set up a RADIUS server (Cisco ACS) to authenticate wireless users via 802.1x. The EAP protocol deployed is Microsoft PEAP, as most of the clients' OS is XP. The users might be sharing the same laptops. When a user selects the wireless network to connect to, he is prompted with a window to enter the Username, Password and Domain fields. After successful authentication, he is able to access the network resources.
    However, the user is not prompted for the Username, Password and Domain after he has done so the first time. I understand that XP caches the user credentials in the registry. But my customer would like the window prompt to appear to reauthenticate when the following scenarios happen:
    a) Session timeout (I noticed options in the Group profile in ACS, but they didn't seem to work). What is this session timeout in ACS?
    b) Idle timeout, to reauthenticate the current wireless user, as the user might leave his workspace for a short period of time and someone might use his credentials to access the network illegitimately.
    c) When he shuts down the PC and the laptop is passed to another user, but the previous user's credential is used rather than the second user's credential.
    How can I disable the automatic cached user credentials? Is there a way to prompt the user after a period of time to enter the Username, Password and Domain fields again? Is the option available in the XP client? I searched through the AP configuration options but found none.
    Please advise. Thank you
    Delon

    Try this link
    http://www.cisco.com/en/US/tech/tk59/technologies_configuration_example09186a0080094671.shtml#cswin

  • Getting Wireless Users onto LAN

    Hello All,
    We recently purchased 2 APs and a 2106 WLC and I am having some trouble getting the wireless users to communicate with the network on the other side of the WLC. Here is a very simple diagram of how this is all connected.
    3750X L3 Switch --> 2106 WLC --> AP
    LAN Network - 10.10.0.0/16           Wireless Users Network - 10.100.21.0/24
    So with a laptop, I can get a DHCP reservation from the WLC on the 10.100.21.0/24 network. From there though, I cannot ping anything in the 10.10.0.0/16 network. I know that I am talking across two different networks so by default they shouldn't be able to communicate, but I feel like I am missing a setting on the WLC that will allow the two networks to communicate.
    Management Interface:
    IP Address: 10.10.20.100
    Netmask: 255.255.0.0
    Gateway: 10.10.0.1
    DHCP Info: 10.10.20.100
    Here is the config for my test interface (which may be the problem):
    IP Address: 10.100.21.2
    Netmask: 255.255.255.0
    Gateway: 10.100.21.1
    DHCP Info: 10.10.20.100
    Thanks in advance for taking a look.

    Hello George,
    Thanks for the reply. I believe I have routes that allow both these networks to talk, currently we are redesigning our network so bear with me as the setup is a little goofy.
    The way our devices are connected in terms of the wireless configuration:
    Internet <-> ASA <-> 3750 switch <-> WLC <-> AP <-> Laptop
                                          |
                                      My PC    
    So, currently our default gateway for our LAN (10.10.0.1) is the inside interface of the ASA (like I said, working on changing this). On the ASA I also have a static route configured so any traffic destined for 10.100.21.0/24 is sent to 10.10.20.2, which is our 3750 switch.
    On the 3750 switch I set a default gateway for our wireless network of 10.100.21.1. I also configured the trunk from the post above so there is a trunk between the 3750 and the WLC allowing the LAN VLAN and Wireless VLAN to send data across it.
    On our WLC I have this configured:
    Management Interface:
    IP Address: 10.10.20.100
    Netmask: 255.255.0.0
    Gateway: 10.10.0.1
    DHCP Info: 10.10.20.100
    Here is the config for my test interface (which may be the problem):
    IP Address: 10.100.21.2
    Netmask: 255.255.255.0
    Gateway: 10.100.21.1
    DHCP Info: 10.10.20.100
    From my LAN I can ping 10.100.21.1
    Our host on the wireless can get an IP, but when it attempts to ping anything (even its gateway) I get no replies.
    Going back to your question of if we have routes for both networks to talk, I believe we do, unless I am missing something.
    Thanks again for your reply and taking the time to look at this.

  • Can location services get disabled automatically? Or does it always require a user to disable it?

    Can location services get disabled automatically? Or does it always require a user to disable it?
    I was repeatedly trying to Find my iPhone when it came up with "Location Services Disabled".
    Later I was able to find my iPhone again. This has happened several times lately.
    Could this happen automatically, like a "time out" function?

  • Deleting AD users vs Disabling. What is the difference? If an account is disabled, can it still be setup for mail forwarding to another user? If an account is deleted, what files get deleted?

    Deleting AD users vs Disabling.  What is the difference?  If an account is disabled, can it still be setup for mail forwarding to another user? If an account is deleted, what files get deleted?  Thanks.

    Hi,
    Disable Users: Nobody can log in to the mailbox, but the data is safe and it can receive email. Once it is enabled, it is back to normal.
    Delete Users: when the user is deleted all the services are removed and all data is erased. The user is deleted from our Active Directory. If you create a user with the same Name and Email address again, no data or services are recovered.
    If you disable a user, the Active Directory object remains untouched together with the mailbox data and properties, but you will not be able to access any mailbox data.
    If you delete a user, the Active Directory object is removed together with all data and properties of the user.
    Hope it helps.
    Regards,
    Blair Deng
    TechNet Community Support

  • Problem authenticating Wireless users with peap

    Good afternoon,
    I am currently trying to authenticate wireless users using PEAP and an external RADIUS server. The problem is when I try to authenticate I get this error:
    AAA/AUTHEN/PPP : Pick method list 'Permanent Local'
    DOT11-7-AUTH_FAILED : Station ... Authentication failed
    It shouldn't use local authentication, but the AAA server I configured.
    I looked on the internet but didn't find a working solution.
    Does anyone know why it is not working?
    Here is my running configuration:
    Current configuration : 4276 bytes
    ! Last configuration change at 00:45:40 UTC Mon Mar 1 1993
    ! NVRAM config last updated at 16:38:23 UTC Thu Jul 24 2014
    ! NVRAM config last updated at 16:38:23 UTC Thu Jul 24 2014
    version 15.2
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    hostname ap
    logging rate-limit console 9
    enable secret 5 $1$QVC3$dIVAarlXOo52rN3ceZm1k0
    aaa new-model
    aaa group server radius rad_eap
     server 192.168.2.2 auth-port 1812 acct-port 1813
    aaa group server radius rad_mac
    aaa group server radius rad_acct
    aaa group server radius rad_admin
    aaa group server tacacs+ tac_admin
    aaa group server radius rad_pmip
    aaa group server radius dummy
    aaa authentication login eap_methods group rad_eap
    aaa authentication login mac_methods local
    aaa authorization exec default local
    aaa accounting network acct_methods start-stop group rad_acct
    aaa session-id common
    no ip routing
    no ip cef
    dot11 syslog
    dot11 ssid test
       authentication open eap eap_list
       authentication key-management wpa version 2
       guest-mode
    eap profile peap
     method peap
    crypto pki token default removal timeout 0
    bridge irb
    interface Dot11Radio0
     no ip address
     no ip route-cache
     encryption mode ciphers aes-ccm
     ssid test
     antenna gain 0
     stbc
     beamform ofdm
     station-role root
     bridge-group 1
     bridge-group 1 subscriber-loop-control
     bridge-group 1 spanning-disabled
     bridge-group 1 block-unknown-source
     no bridge-group 1 source-learning
     no bridge-group 1 unicast-flooding
    interface Dot11Radio1
     no ip address
     no ip route-cache
     shutdown
     antenna gain 0
     no dfs band block
     channel dfs
     station-role root
     bridge-group 1
     bridge-group 1 subscriber-loop-control
     bridge-group 1 spanning-disabled
     bridge-group 1 block-unknown-source
     no bridge-group 1 source-learning
     no bridge-group 1 unicast-flooding
    interface GigabitEthernet0
     no ip address
     no ip route-cache
     duplex auto
     speed auto
     dot1x pae authenticator
     bridge-group 1
     bridge-group 1 spanning-disabled
     no bridge-group 1 source-learning
    interface BVI1
     ip address 192.168.3.10 255.255.255.0
     no ip route-cache
    ip default-gateway IP
    ip forward-protocol nd
    ip http server
    ip http secure-server
    ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
    ip radius source-interface BVI1
    radius-server attribute 32 include-in-access-req format %h
    radius-server host 192.168.2.2 auth-port 1812 acct-port 1813 key 7 140441081E501F0B7D
    radius-server vsa send accounting
    bridge 1 route ip
    line con 0
    line vty 0 4
     transport input all
    end
    Thank you

    I haven't set up autonomous APs before but I think I might see the problem. You are defining an authentication list called "eap_methods" but you never call for it in your SSID settings. Instead, there you call a list named "eap_list". In addition, I think you might be missing one more command. So perhaps try this:
    dot11 ssid test
    authentication open eap eap_methods
    authentication network-eap eap_methods
    authentication key-management wpa version 2
    guest-mode
    Hope this helps!
    Thank you for rating helpful posts!
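
The mismatch the reply points out (the SSID refers to `eap_list` while only `eap_methods` is defined) can be checked mechanically. This added example is not from the thread; it assumes `show running-config` indentation for sub-commands, understands only the `eap` and `network-eap` keywords seen in the posts, and uses hypothetical function names.

```python
import re

# Excerpt of the running configuration posted above (AAA and SSID lines only).
POSTED = """\
aaa new-model
aaa group server radius rad_eap
 server 192.168.2.2 auth-port 1812 acct-port 1813
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
dot11 ssid test
   authentication open eap eap_list
   authentication key-management wpa version 2
   guest-mode
"""

# The same excerpt with the SSID lines proposed in the reply, indented the
# way show running-config prints sub-commands.
PROPOSED = POSTED.replace(
    "   authentication open eap eap_list\n",
    "   authentication open eap eap_methods\n"
    "   authentication network-eap eap_methods\n",
)

LIST_KEYWORDS = ("eap", "network-eap")  # keywords followed by a method-list name

def defined_login_lists(config):
    """Names declared with 'aaa authentication login <name> ...'."""
    return set(re.findall(r"^aaa authentication login (\S+)", config, re.MULTILINE))

def ssid_list_references(config):
    """Yield (ssid, keyword, list_name) for each method list an SSID refers to."""
    ssid = None
    for line in config.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():  # a top-level command ends any SSID block
            m = re.match(r"dot11 ssid (\S+)", line)
            ssid = m.group(1) if m else None
            continue
        words = line.split()
        if ssid and words[0] == "authentication":
            for kw, name in zip(words[1:], words[2:]):
                if kw in LIST_KEYWORDS:
                    yield ssid, kw, name

def lint(config):
    """Return findings: undefined references, then login lists no SSID uses."""
    defined = defined_login_lists(config)
    refs = list(ssid_list_references(config))
    findings = [f"ssid {s}: '{kw} {name}' refers to undefined method list"
                for s, kw, name in refs if name not in defined]
    used = {name for _, _, name in refs}
    findings += [f"method list '{name}' is defined but no SSID refers to it"
                 for name in sorted(defined - used)]
    return findings

if __name__ == "__main__":
    for label, cfg in (("posted", POSTED), ("proposed", PROPOSED)):
        print(label, lint(cfg))
```
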
