WISM Web Authentication against MS IAS

Does anybody know if Radius Web auth is supported with MS IAS radius server or is it working with cisco ACS only ?
Thanks

I've just readed in a previous post that the service-type must be login instead of framed in the remote access policies.
That was my issue with IAS
Thanks

Similar Messages

Web Authentication with MS IAS Server

I'm trying to configure my 2106 WLC to authenticate with an MS IAS Radius Server. I had this working, but my boss did not want to do any configuration on the client side and now wants to do all authentication through Web authentication with the Radius server. The wireless client connects and is redirected to the login page like they're supposed to, but when I enter my credentials the login fails. However, if I enter the login of a local user to the controller the authentication works.
I see in the logs the following error: AAA Authentication Failure for UserName:chevym User Type: WLAN USER. The authentication is reaching the server too, but the logs don't tell you much.
Here is what is in the server logs: 192.168.0.77,chevym,07/29/2008,05:58:16,IAS,TESTLAB1,25,311 1 192.168.0.221 07/28/2008 17:27:10 48,4127,2,4130,TESTLAB\chevym,4129,TESTLAB\chevym,4154,Use Windows authentication for all users,4155,1,4128,Wireless LAN Controller,4116,9,4108,192.168.0.77,4136,3,4142,19
I don't really understand any of that and I'm not really sure if I have the server itself configured correctly for what I want to do. Does anyone have instructions on how to do this?

I had another thread going on this, but since it appears to be an IAS problem, I've been posting on the MS forum instead of here.
I'm trying to set up wireless laptop-WLC-IAS authentication using PEAP.
The machine authenticates on boot, but any login by any user results in this message in the Windows Event log on the IAS server:
Event Type: Warning
Event Source: IAS
Event Category: None
Event ID: 2
Date: 9/3/2008
Time: 11:00:55 PM
User: N/A
Computer: DC1
Description:
User SCOTRNCPQ003.scdl.local was denied access.
Fully-Qualified-User-Name = SCDL\SCOTRNCPQ003.scdl.local
NAS-IP-Address = 10.10.10.10
NAS-Identifier = scohc0ciswlc
Called-Station-Identifier = 00-21-55-C0-7D-70:Domain Staff
Calling-Station-Identifier = 00-90-4B-4C-92-B7
Client-Friendly-Name = WLAN Controller
Client-IP-Address = 10.10.10.10
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 29
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server =
Policy-Name =
Authentication-Type = EAP
EAP-Type =
Reason-Code = 8
Reason = The specified user account does not exist.
The policy is the default connection policy created when installing IAS.
In ADUC, I've tried setting both the machine and users Dial-In properties to Allow Access or Control through policy, with the same result.
I've gone through the policy and there isn't anything there, other than the Day-Time rule which is set to allow access for all hours of the whole day, every day.
In the last few days, I've read about the Ignore User Dial In properties, but can't find where/how you set this.
It sounded to me as if this had been resolved in this thread, so I wanted to know how this had been accomplished.

BASIC web authentication against Oracle database?

Hello,
Here's what I want in a nutshell. When someone goes to one of my webpages
under WLS 8.1, I want them to be presented with a BASIC authentication
dialog. That part is configured between web.xml and weblogic.xml and I
think I'm OK with doing that. But the part I don't have quite figured out
is how to get do authentication against a table in an Oracle (or any other,
for that matter) database.
Can someone point me (or do you have) any examples that accomplish this?
I'm sure I'm not the only one who's tried to do this. As far as I can
tell, I need to create a custom Authenticator (and possibly a custom
Asserter) and my implementation of those would do the search against the
database. Correct?

Hi
You probably need to develop a custom login module. WLS uses JAAS so do some JAAS
research the go to
http://dev2dev.bea.com/products/wlserver/security.jsp
then click
http://dev2dev.bea.com/codelibrary/code/security_prov.jsp and get and customize
the sample code.
The example code does NOT show how to use form based authentication with your
custom LoginModule, I'm still working on that, but I assume the WLS servlet container
creates and appropriate CallbackHandler so you can access the supplied username
and pw which you can then use to authenticate against your RDBMS
I need to create a custom LoginModule for Blockade and am going down this track,
still working on it.
"KissFan 1973" <[email protected]> wrote:
Hello,
Here's what I want in a nutshell. When someone goes to one of my webpages
under WLS 8.1, I want them to be presented with a BASIC authentication
dialog. That part is configured between web.xml and weblogic.xml and
I
think I'm OK with doing that. But the part I don't have quite figured
out
is how to get do authentication against a table in an Oracle (or any
other,
for that matter) database.
Can someone point me (or do you have) any examples that accomplish this?
I'm sure I'm not the only one who's tried to do this. As far as I
can
tell, I need to create a custom Authenticator (and possibly a custom
Asserter) and my implementation of those would do the search against
the
database. Correct?

WiSM and GUEST web authentication

I have a WiSM and we use Cisco open web
authentication with a user email address.
When performing this command via CLI:
>config network secureweb disable
>save config
> reset system
Will this make the web authentication come up HTTP instead of HTTPS ?

That command is in order that you manage the unit.
However there used to be a workaround that when you disable HTTPS and SSH and you reboot the WLC the web authentication will be showed as http and no https.
Let me know if it works for you

How can I tell if a user has already authenticated against AD?

Sorry to begin with if this has been dealt with in another thread already. Ive taken a look around and cant see something that answers my questions exactly. If such a thread exists, please point me in that direction.
We have a product that needs to be installed on a customer site. Its a windows based, web fronted application with a client program on the user's pc and a server side component that handles requests for data. What I need to do is to check if the user has already authenticated against active directory. If so then I dont need to ask for authentication (single sign on).
This is my first look at jndi so Im in the dark about how this should be done. Is there a way to use the user's credentials (is there a token?) to check or do I need a specific login for my application to access the customer AD?
Any tips would be very welcome,
Mark

You may want to refer to the Java Security forum at http://forum.java.sun.com/forum.jspa?forumID=545 for information on Kerberos & JAAS.
There is a also a post in this forum, outlining how to utilise Kerberos, JAAS with JNDI to access Active Directory. JNDI, Active Directory and Authentication (Part 1) (Kerberos)
at http://forum.java.sun.com/thread.jspa?threadID=579829&tstart=300
Possibly the part you are looking for is the functionality included in the class that implements java.security.PrivilegedAction
Good luck.

User authentication against LDAP - Non-AD

Hi,
We are trying to setup LDAP authentication against an LDAP, Oracle Unified Directory and below are the parameters of ldap.properties file:
ldapAuthentication.defaultRole = ROLE_AUTHENTICATED_PRINCIPAL
ldapAuthentication.enabled = true
ldapAuthentication.tryNextProviderIfNoAuthenticated = true
ldapAuthentication.stopIfCommunicationError = true
ldapAuthentication.url=ldap\://localhost:389/
ldapAuthentication.rootContext=DC=test,DC=com
ldapAuthentication.securityPrincipal=CN=Directory Manager
ldapAuthentication.securityCredential.encrypted=password
ldapAuthentication.keepContextPrefix=false
ldapAuthentication.isAD=false
ldapAuthentication.userAccountSearchKey=CN
ldapAuthentication.firstNameSearchKey=givenName
ldapAuthentication.lastNameSearchKey=sn
Still I am getting while I try to login to OIA as an OUD user:
WARN [UserManagerImpl] RbacxUser with username: 'cn=oiaadmin' not found
Please help

Hi Jcorker,
According to your description, you need to access the SQL Serve Analysis Services database which is configured as cluster for SQL & SSAS from another domain, right?
In SSAS we can use the solution below achieve the requirement.
1.Create new domain account and impersonate the web site with that.
2.Create local user account on the analysis service with same exact username/password as like domain account created in the previous step.
However, you cannot create a local account with the same name on both servers. I have tested it on my local environemnt, we can create the same local account with the same name on both servers. In your scenario, if DB1 and DB2 on different server, you can
create a local account with the same name on both servers. Please post the detail errors, so that we can make further analysis.
Besides, SSAS only allows users of the same domain or trusted domains and it does not allow users from any domain except from these two. You can configure the trust relationship between the domains.
http://technet.microsoft.com/en-us/library/cc961481.aspx
Regards,
Charlie Liao
If you have any feedback on our support, please click
here.
Charlie Liao
TechNet Community Support

Cisco Auto Anchor Web Authentication - NAS IP Address

Hi,
I've setup auto anchor web authentication for my guest network. I want my Web Authentication requests to be authenticated by ISE however need the authenticating device to be the Anchor Controller.
I setup the WLAN to authenticate against ACS4.2 and it works correctly, the NAS IP address is the Anchor controller. When changing the WLAN to auth again my ISE 1.2 server, authentications are sourced from the foreign controller.
Has anyone come across this or know why ISE is seeing the NAS IP Address as the foreign wireless controller?
Thanks,

Hi,
I've setup auto anchor web authentication for my guest network. I want my Web Authentication requests to be authenticated by ISE however need the authenticating device to be the Anchor Controller.
I setup the WLAN to authenticate against ACS4.2 and it works correctly, the NAS IP address is the Anchor controller. When changing the WLAN to auth again my ISE 1.2 server, authentications are sourced from the foreign controller.
Has anyone come across this or know why ISE is seeing the NAS IP Address as the foreign wireless controller?
Thanks,

WCS and Guest account / limited usage web authentication

/* Style Definitions */
table.MsoNormalTable
{mso-style-name:"Table Normal";
mso-tstyle-rowband-size:0;
mso-tstyle-colband-size:0;
mso-style-noshow:yes;
mso-style-priority:99;
mso-style-qformat:yes;
mso-style-parent:"";
mso-padding-alt:0in 5.4pt 0in 5.4pt;
mso-para-margin-top:0in;
mso-para-margin-right:0in;
mso-para-margin-bottom:10.0pt;
mso-para-margin-left:0in;
line-height:115%;
mso-pagination:widow-orphan;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
mso-ascii-font-family:Calibri;
mso-ascii-theme-font:minor-latin;
mso-fareast-font-family:"Times New Roman";
mso-fareast-theme-font:minor-fareast;
mso-hansi-font-family:Calibri;
mso-hansi-theme-font:minor-latin;}
Here my problem I need to be able to limit my AD users to a 10min access to the WLAN. I see you can do this for guest accounts, but you have to manually enter a username and password. I would like the web authentication to use our ACS which is tied in to our AD. Is there a way to do this?

/* Style Definitions */
table.MsoNormalTable
{mso-style-name:"Table Normal";
mso-tstyle-rowband-size:0;
mso-tstyle-colband-size:0;
mso-style-noshow:yes;
mso-style-priority:99;
mso-style-qformat:yes;
mso-style-parent:"";
mso-padding-alt:0in 5.4pt 0in 5.4pt;
mso-para-margin-top:0in;
mso-para-margin-right:0in;
mso-para-margin-bottom:10.0pt;
mso-para-margin-left:0in;
line-height:115%;
mso-pagination:widow-orphan;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
mso-ascii-font-family:Calibri;
mso-ascii-theme-font:minor-latin;
mso-fareast-font-family:"Times New Roman";
mso-fareast-theme-font:minor-fareast;
mso-hansi-font-family:Calibri;
mso-hansi-theme-font:minor-latin;}
Weterry,
Here the whole story. I have a bookstore that going to have “Demo” pc for students to buy. The want to show the internet on these devices, but our security guy require all users to logon. I was hoping to find a way to let user logon quickly to test these devices.
I have already figure out the web auth and that great feature, but you have to manually enter each user. If I could get that to use AD and limit each to 10min that would be great. I would like to setup a SSID for the demo devices and limit users to 10 min.
I have 2 WiSM controllers running 6.0 also have WCS .
Thanks
Chappy

[ SOLVED] Authentication against two openldap servers.

Hi everyone.
Here is the deal. I have two openldap servers, used for user authentication (master and slave). I have all the clients to be able to authenticate users against the master openldap server, and that is working fine. I want to make them to be able to authenticate against the slave server, if the master is down for any reasons. Is there a way to configure the clients, and is that the way to manage this, or I have to use another software as heartbeat or something like heartbeat.
Regards.
PS: Sorry. I found it. It is written in the /etc/ldap.conf file. If you want authentication against several ldap servers, you have to specify them in the 'uri' row, separated by spaces.
Last edited by Gruntz (2009-03-10 08:57:31)

Hi,
Is there a possibility to configure somewhere an external LDAP just for authentication purposes (possibly PKI), leaving everything else in OID?
Yes, in our project we are using a third party LDAP server for authentication, whereas the rest of the user information is stored in the OID. I don't know the details about the implementation but we used DIP (Directory Integration Platform) to create and register a plugin. The plugin replaces the default 'ldapcompare' method that the SSO uses with our own method that makes a call to a third party ldap. Our code was written in PL/SQL and used the DBMS_LDAP package.
You should be able to find more info from OID developers guide. http://otn.oracle.com/docs/products/ias/doc_library/90200doc_otn/manage.902/a95193.pdf
Good luck!
/Rikard

WLC Client excluded - web authentication failed 3 times

Is there any more I can do with the following? The customer only has 4400 controllers and WCS' both on the highest firmware currently available...
An example of the alert generated in the event of an excessive authentication failure is as follows:
Client '08:60:6e:35:7c:29 (172.16.235.133)' which was associated with interface '802.11b/g/n' of AP '25CS-AP21-24SE' is excluded. The reason code is '5(Web Authentication failed 3 times.)'.
E-mail will be suppressed up to 30 minutes for these alarms.
I need clarification of the following so that a process can be put in place to show if it is possible to deal with potential threats/attempts to hack into the network as the customers security are not accepting notification only. Therefore please advise:
- What does ‘excluded’ mean in this scenario? Is the client permanently excluded or only temporarily?
- If the client is not permanently excluded - if there are multiple occurrences of this alert for the same client can the client be disabled via the WCS console?
- If necessary could e-mail suppression be turned off - for this alert only?
Hope you can help but I think they need Prime and ISE to satisfy their security concerns myself!
BR
Rockford

There is a command line syntax which will also allow you to export and import an IAS config to other IAS servers. Then you will be sure they are identical...
http://support.microsoft.com/kb/883619

Web Authentication on HTTP Instead of HTTPS in WLC 5700 and WS-C3650-48PD (IOS XE)

Hello,
I have configured a Guest SSID with web authentication (captive portal).
wlan XXXXXXX 2 Guest
aaa-override
client vlan YYYYYYYYY
no exclusionlist
ip access-group ACL-Usuarios-WIFI
ip flow monitor wireless-avc-basic input
ip flow monitor wireless-avc-basic output
mobility anchor 10.181.8.219
no security wpa
no security wpa akm dot1x
no security wpa wpa2
no security wpa wpa2 ciphers aes
security web-auth
security web-auth parameter-map global
session-timeout 65535
no shutdown
The configuration of webauth parameter map is :
service-template webauth-global-inactive
inactivity-timer 3600
service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
voice vlan
parameter-map type webauth global
type webauth
virtual-ip ipv4 1.1.1.1
redirect on-success http://www.google.es
I need to login on web authentication on HTTP instead of HTTPS.
If I login on HTTP, I will not receive certificate alerts that prevent the users connections.
I saw how to configure it with 7.x relesae but I have IOS XE Version 03.03.05SE and I don´t know how to configure it.
Web Authentication on HTTP Instead of HTTPS
You can login on web authentication on HTTP instead of HTTPS. If you login on HTTP, you do not receive certificate alerts.
For earlier than WLC Release 7.2 code, you must disable HTTPS management of the WLC and leave HTTP management. However, this only allows the web management of the WLC over HTTP.
For WLC Release 7.2 code, use the config network web-auth secureweb disable command to disable. This only disables HTTPS for the web authentication and not the management. Note that this requires a reboot of the controller !
On WLC Release 7.3 and later code, you can enable/disable HTTPS for WebAuth only via GUI and CLI.
Can anyone tell me how to configure web authentication on HTTP instead of HTTPS with IOS XE?
Thanks in advance.
Regards.

The documentation doesn't provide very clear direction, does it?
To download the WLC's default webauth page, browse to the controller's Security > Web Login Page. Make sure the web authentication type is Internal (Default). Hit the Preview button. Then use your browser's File > Save As... menu item to save the HTML into a file. Edit this to your liking and bundle it and any graphics images up into a TAR archive, then upload via the controller's COMMAND page.

Ubuntu Karmic authentication against Snow leopard open directory server

Hi,
I'm looking for help. I've tried to configure an installation of Karmic to authenticate against our office's open directory server running on an osx snow leopard server. Currently `getent password` show all users including those from the open directory server when running the command as both root and normal users. However authentication against the open directry users fails with the following messages in the /var/log/auth.log:-
Dec 7 22:42:05 [hostname] getent: nss_ldap: failed to bind to LDAP server ldap://server.domain.com: Invalid credentials
Dec 7 22:42:05 [hostname] getent: nss_ldap: could not search LDAP server - Server is unavailable
(I've changed the hostname and ldap url)
/etc/ldap.conf has:-
base dc=server,dc=domain,dc=com
ldap_version 3
rootbinddn cn=diradmin,dc=server,dc=domain,dc=com
bind_policy soft
pam_password md5
/etc/ldap.secret is set to the password of the diradmin user and has a permission mask of 600
/etc/pam.d/common-passwd :-
password sufficient pam_ldap.so md5
password required pam_unix.so nullok obscure md5
password optional pam_smbpass.so nullok use_authtok tryfirstpass missingok
/etc/pam.d/common-auth:-
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_ldap.so usefirstpass
auth requisite pam_deny.so
auth required pam_permit.so
/etc/pam.d/common-account:-
account [success=2 newauthtokreqd=done default=ignore] pam_unix.so
account [success=1 default=ignore] pam_ldap.so
account requisite pam_deny.so
account required pam_permit.so
/etc/pam.d/common-session
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session required pam_unix.so
session optional pam_ldap.so
session optional pamckconnector.so nox11
Does anyone have any ideas where to go from here?
Message was edited by: zebardy

Hi
It's easy enough to 'connect' any version of OS X Server to any other version of OS X Server. Use the Join button in the Users & Groups Preferences Pane. Alternatively use the Directory Utility itself.
You seem to be misunderstanding what an Open Directory Master and Replica are? They are not what I think you think they are. They are not a 'back-up' of each other if you're providing more than the shared Directory Service.
An OD Replica maintains a read-only copy of the LDAP Database (Usernames, Passwords and Policies etc) that's stored on the OD Master and nothing more. If the Master was to go offline for any reason the Replica can be quickly promoted to a Master Role and continue to provide information for the shared directory. This assumes it has easy and quick access to the Volume storing networked home folders? The LDAP Database in that case would then become writable. Later on and whenever you've fixed the problem with the old Master it can quickly be demoted and made a Replica of the now new Master.
Although this is for 10.6 Server (it is nevertheless still applicable) everything you need to know about Master and Replica relationships is here:
http://manuals.info.apple.com/en_US/OpenDirAdmin_v10.6.pdf
Page 55 onwards.
From Page 64:
"The Open Directory master and its replicas must use the same version of Mac OS X Server. . ."
If your OD Master is also providing Mail, Calendar and Contact Services then none of these will be replicated. You will have to maintain a backup of these databases yourself using whatever method you deem fit for your needs.
HTH?
Tony

Error (WIS 10901) while creating a webi report against SAP data source

Hi,
While creating a webi report against a universe created using Infocube/Bex query (basically SAP data source) get a error message -
A database error occured. The database error text is: A runtime exception has occured. (License key check failed. Check that you are licensed to access SAP data sources). (WIS 10901).
Any clues whether this is a license issue or something else?
Thanks,
-Purav.

>
George Pertea wrote:
> Does your connection in the Universe test ok on the server if you are on Win? Did you install the Java Connector properly?
I am having the same problem. I checked and double checked everything, including deleting and recreating the Universe and the Connection. No improvement. On a whim, I deleted the hierarchy from the query on which the Universe was based, and recreated the Universe on the query without the hierarchy. The problem went away.
Now, the question is, why do I get the WIS 10901 error when a hierarchy is present in the query/Universe?

ISE 1.2 - 24492 Machine authentication against AD has failed

Currently experiencing a machine authentication problem between ISE 1.2 patch 2 and a customer AD installation.
AuthZ policy is set to match agains /Users/Domain Computers and /Users Domain Users. User authentication works, machine auth doesnt.
Machine authentication box is ticked.
If you try to disable an AD machine, or try a machine not in the domain you get the appropriate different response in the ISE logs which sugests it has the right access into AD to check this info.
This happens on all computers, both WinXP and Win7 corporate builds.
I know its not an ISE policy configuration as I have resorted to testing the same ISE against a vanilla lab AD environment with the same AD domain name (just by changing the DNS servers ISE uses) and the computer lookup works!
Anybody got any ideas?
thanks.

24492
External-Active-Directory
Machine authentication against Active Directory has failed
Machine authentication against Active Directory has failed.
Error
Please check NTP is in sync or not ISE

ISE 1.2 web authentication problem with wired clients

Hello,
i am having problems with centralized web authentication using a Catalyst 3650X with IOS 15.0.2 SE01 and ISE 1.2.
Redirecting the client works fine, but as soon the client opens a web browser and ISE websites open to authenticate the client, the switch port resets, the authentication process restarts and the session ID changes. After the client enters the credentials a session expired messages appears on the client and i get an 86017 Session Missing message in ISE.
here the output form the debug aaa coa log.
Any ideas
thanks in advanced
Alex
! CLIENT CONNECT TO SWITCHPORT
ISE-TEST-SWITCH#show authentication sessions interface gi0/3
Interface: GigabitEthernet0/3
MAC Address: 001f.297b.bd82
IP Address: 10.2.12.45
User-Name: 00-1F-29-7B-BD-82
Status: Authz Success
Domain: DATA
Security Policy: Should Secure
Security Status: Unsecure
Oper host mode: multi-auth
Oper control dir: both
Authorized By: Authentication Server
Vlan Policy: N/A
ACS ACL: xACSACLx-IP-PERMIT_ALL_TRAFFIC-537cb1d6
URL Redirect ACL: ACL-WEBAUTH-REDIRECT
URL Redirect: https://nos-ch-wbn-ise1.nosergroup.lan:8443/guestportal/gateway?sessionId=AC1484640000026B28C02CDC&action=cwa
Session timeout: N/A
Idle timeout: N/A
Common Session ID: AC1484640000026B28C02CDC
Acct Session ID: 0x0000029C
Handle: 0x8C00026C
Runnable methods list:
Method State
dot1x Failed over
mab Authc Success
! CLIENT OPENS INTERNETEXPLORER -> REDIRECTS TO ISE
! SWITCHPORT GOES IN ADMINISTRATIVE DOWN STARTS AUTHENTICATION AGAIN
ISE-TEST-SWITCH#
191526: .Jun 24 10:42:24.340 UTC: COA: 10.0.128.38 request queued
191527: .Jun 24 10:42:24.340 UTC: RADIUS: authenticator 7F A9 85 AB F6 4A D0 F3 - B4 E6 F2 56 74 C6 2D 33
191528: .Jun 24 10:42:24.340 UTC: RADIUS: NAS-IP-Address [4] 6 172.20.132.100
191529: .Jun 24 10:42:24.340 UTC: RADIUS: Calling-Station-Id [31] 19 "00:1F:29:7B:BD:82"
191530: .Jun 24 10:42:24.340 UTC: RADIUS: Acct-Terminate-Cause[49] 6 admin-reset [6]
191531: .Jun 24 10:42:24.340 UTC: RADIUS: Event-Timestamp [55] 6 1403606529
191532: .Jun 24 10:42:24.340 UTC: RADIUS: Message-Authenticato[80] 18
191533: .Jun 24 10:42:24.340 UTC: RADIUS: E0 3C B2 8C 89 47 67 A8 69 F5 3D 08 61 FF 53 6E [ <Ggi=aSn]
191534: .Jun 24 10:42:24.340 UTC: RADIUS: Vendor, Cisco [26] 43
191535: .Jun 24 10:42:24.340 UTC: RADIUS: Cisco AVpair [1] 37 "subscriber:command=bounce-host-port"
191536: .Jun 24 10:42:24.340 UTC: COA: Message Authenticator decode passed
191537: .Jun 24 10:42:24.340 UTC: ++++++ CoA Attribute List ++++++
191538: .Jun 24 10:42:24.340 UTC: 06D96C58 0 00000001 nas-ip-address(600) 4 172.20.132.100
191539: .Jun 24 10:42:24.349 UTC: 06D9AC18 0 00000081 formatted-clid(37) 17 00:1F:29:7B:BD:82
191540: .Jun 24 10:42:24.349 UTC: 06D9AC4C 0 00000001 disc-cause(434) 4 admin-reset
191541: .Jun 24 10:42:24.349 UTC: 06D9AC80 0 00000001 Event-Timestamp(445) 4 1403606529(53A95601)
191542: .Jun 24 10:42:24.349 UTC: 06D9ACB4 0 00000081 ssg-command-code(490) 1 33
191543: .Jun 24 10:42:24.349 UTC:
191544: .Jun 24 2014 10:42:24.365 UTC: %EPM-6-IPEVENT: IP 10.2.12.45| MAC 001f.297b.bd82| AuditSessionID AC1484640000026B28C02CDC| AUTHTYPE DOT1X| EVENT IP-RELEASE
191545: .Jun 24 2014 10:42:24.382 UTC: %EPM-6-IPEVENT: IP 10.2.12.45| MAC 001f.297b.bd82| AuditSessionID AC1484640000026B28C02CDC| AUTHTYPE DOT1X| EVENT IP-WAIT
191546: .Jun 24 2014 10:42:24.382 UTC: %EPM-6-POLICY_REQ: IP 0.0.0.0| MAC 001f.297b.bd82| AuditSessionID AC1484640000026B28C02CDC| AUTHTYPE DOT1X| EVENT REMOVE
191547: .Jun 24 2014 10:42:24.390 UTC: %EPM-6-AUTH_ACL: POLICY Auth-Default-ACL-OPEN| EVENT DETACH-SUCCESS
191548: .Jun 24 2014 10:42:26.353 UTC: %LINK-5-CHANGED: Interface GigabitEthernet0/3, changed state to administratively down
191549: .Jun 24 2014 10:42:27.359 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/3, changed state to down
ISE-TEST-SWITCH#
191550: .Jun 24 2014 10:42:36.366 UTC: %LINK-3-UPDOWN: Interface GigabitEthernet0/3, changed state to down
191551: .Jun 24 10:42:40.592 UTC: AAA/BIND(000002A7): Bind i/f
191552: .Jun 24 2014 10:42:41.129 UTC: %AUTHMGR-5-START: Starting 'dot1x' for client (001f.297b.bd82) on Interface Gi0/3 AuditSessionID AC1484640000026C28C2FA05
191553: .Jun 24 2014 10:42:42.580 UTC: %LINK-3-UPDOWN: Interface GigabitEthernet0/3, changed state to up
191554: .Jun 24 2014 10:42:43.586 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/3, changed state to up
! SESSION ID CHANGES, USER ENTERS CREDENTIALS
! ERROR MESSAGE AT CLIENT "YOUR SESSION HAS EXPIRED"
! ERROR MESSAGE IN ISE "86017 SESSION MISSING"
ISE-TEST-SWITCH#show authentication sessions interface gi0/3
Interface: GigabitEthernet0/3
MAC Address: 001f.297b.bd82
IP Address: 10.2.12.45
Status: Running
Domain: UNKNOWN
Security Policy: Should Secure
Security Status: Unsecure
Oper host mode: multi-auth
Oper control dir: both
Session timeout: N/A
Idle timeout: N/A
Common Session ID: AC1484640000026C28C2FA05
Acct Session ID: 0x0000029D
Handle: 0x2C00026D
Runnable methods list:
Method State
dot1x Running
mab Not run

Guest authentication failed: 86017: Session cache entry missing
try adjusting the UTC timezone during the guest creation in the sponsor portal.
86017
Guest
Session Missing
Session ID missing. Please contact your System Administrator.
Info

WISM Web Authentication against MS IAS

Similar Messages

Maybe you are looking for