WLC 4400 issue on "user login policies" parameter.
Hi,
I'm using a Cisco Wireless controller in my company.
(the model is a AIR-WLC4402-50-K9 in 4.2.207.0 version).
The WLAN is configured with WPAv2 AES and 802.1X (PEAP MS-CHAPv2) authentication on an external Microsoft IAS server (2003 R2).
the authentication rely on Active Directory login and password.
The user authentication works fine and the WLAN too.
But it's possible for a single user to log on different laptops with the same AD login and password and use the wireless network.
And it has to be forbiden by "user login policies" parameter set to 1 on the WLC (in security parameters).
Does anybody says if it's a known issue and how to solve this problem?
thanks,
raphael Paviot.
Dancampb,
Many thanks , you're right, I have to find the solution on IAS server side.
In fact, I have also applied these commands on the controller and the max-user login works (in the case of an externan radius server).
I have seen it in the "message logs".
(Cisco Controller) config>advanced eap max-login-ignore-identity-response disable
(Cisco Controller) config> netuser maxuserLogin 1
But the problem still remain , because the IAS server is not case sensitive for user logins instead of the Wireless Controller.
For exemple:
raphaelpaviot login and RaphaelPAVIOT login are:
-one user for the IAS server.
-two different users on the WLC.
cordially.
Similar Messages
-
Filtering report data based on user login and Parameter fields
Post Author: mronquillo
CA Forum: General
Hi,I am running a report that filters data based on the user login. To do this, I created a formula called @user that compares the login name (using the CurrentCEUserName field) and returns the user's name. If the user login is not a login specified in the if statements, it returns the parameter field "user_name":For example: if CurrentCEUserName = "loginname1" then "User's Name 1"else if CurrentCEUserName = "loginname2" then "User's Name 2" else if CurrentCEUserName = "loginname3" then "User's Name 3" else if CurrentCEUserName = "loginname4" then "User's Name 4".. .else {?user_name} In select expert, I have a condition which filters data based on the string returned from that formula:{Table.Name} = {@user} This works fine and when the users run the report they only their own data. However, they are still prompted to choose a parameter field regardless if of the value returned by the @user formula. Oddly enough, regardless of what parameter field they choose, they will still only see their own data (i.e. if John chooses "Bob" from the parameter list, he will still only see John's data.)If I remove the "else {?user_name}" line from the @user formula, then the users are not prompted anymore. However, if they are not a "valid" user - that is, if any of the if statements in the formula are not true for their login name - then they will see no data. What I want to do is make the report ONLY prompt the user to choose a parameter field if their login name is not "valid". That is, if the @user formula is able to return a string value for their login name, then they will jump right into the report without being prompted to choose a parameter - otherwise, the user will be prompted to choose a name from the parameter list. I thought my formula would allow this (hence the "else" clause), but it seems that if a parameter field is present in any formula, then the report automatically prompts the user to choose a parameter. Is what I am trying to accomplish possible in CR (I'm using CR v10.0) or is there a better way to do what I am trying to do?Thanks in advance.Post Author: sharonmtowler
CA Forum: General
try, or something like that
(if CurrentCEUserName ={?user_name} then true else ({Table.Name} = {@user}) ) -
802.1X wirelss restriction on User Login policies
Hi all,
Seeking some technical idea on Wireless 802.1x setup.
Business requirement is:
"User login policy: to limit the number of concurrent login by a single user only apply to one device at any given time. "
There is no problem on PEAP/MSCHAPv2 login, only thing is the same user credential able to be use and login on multiple device, in the same time.
On the NAD part, we configure these on WLC but still cannot achieve our objective
- advanced eap max-login-ignore-identity-response disable
- netuser maxuserLogin 1
Seeking technical solution on this case, please advice. Is there anything need to tweak on the directory server or ACS part?
The components using as below:
Supplicant 1: Window 7, authentication method using PEAP/MSCHAPv2
Supplicant 2: iPhone iOS version 6.x
Authenticator: Cisco Wireless Controller 5800 Series on code version 7.2
Authentication server: Cisco secure server ACS 5.3.0.40
Identity Source : Microsoft server 2008 R2 ADDS, single forest single domain.
attached the network diagram: topo1.pnghttp://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/112175-acs51-peap-deployment-00.html
-
Cisco WLC 5508 simultaneous Web Auth Users logins?
Hi there,
We have 2 WLC5508 (7.2.111.3) with several SSID's.
One of them is configured as Passthrough with an external splash server. Works fine.
Now we want to use the "On MAC Filter failure".
If the client MAC-adresse is configured under MAC Filtering on the WLC, the authentication is done without WebAuth.
If MAC-adress is not known, the client will be redirect to the external WebAuth server for authentication.
To keep the Passthrough functionality for the user, we hardcoded an username&password in the splash-page.
So, every client WebAuth uses the same username&password for authentication against the WLC.
User Login Policies is set to unlimited.
So far so good, it seems to work, but I have read, that Cisco 5500 controllers supports only 150 simultaneous Web Auth Users logins.
The two WLC's have abount 100-170 clients connected.
Question:
- Will these be an issue with the 150 simultaneous logins, despited when usin only one user for all Wifi-clients?
- Can the user WebAuth be done with a Cisco ISE like Passthrough, no username&password should be entered by the user.
If yes, some guide information wolud be great.
- When successfully authenticated, a logout screen shows on the Windows client. Can this be hidden some how?
Thanks for the answers ;-)
Kind regards,
NorbertQuestion:
- Will these be an issue with the 150 simultaneous logins, despited when usin only one user for all Wifi-clients?
> I believe this means at the same time... I have clients doing the same thing with hundreds or more of guest users
- Can the user WebAuth be done with a Cisco ISE like Passthrough, no username&password should be entered by the user.
If yes, some guide information would be great.
> ISE is really used to login with a username and password and to be able to profile. You would need to ask that on the Security forum to get their input if this is something then would do or just leave it on the WLC
- When successfully authenticated, a logout screen shows on the Windows client. Can this be hidden some how?
> Not really... some machines with popup blocker does block this and you don't see the logout, but you can't remove this.
Thanks,
Scott
*****Help out other by using the rating system and marking answered questions as "Answered"***** -
Up until now, my experience has been with 5500 controllers and ISE.
My customer is using 4400 controller, on 7.0.240 code.
I cannot locate any documents referencing 4400 controller configuration for webauth, named ACLs, posturing, etc...
Does anyone know of any documents, or have experience that can assist with this configuration?Michael,
Depending on the version of ISE software you are running, you may be in luck. The information below is for 1.1.x. If you are using v 1.2, you may have to tweak a bit.
In this first document, you can see the WLC 4400 is supported and Local Web Auth is supported, with the following caveat: “Wireless (An ISE Inline Posture node is required if the WLC does not support CoA as discussed in Footnote #4. WLCs with the code specified in this table do support CoA without an ISE Inline Posture node)”
http://www.cisco.com/en/US/docs/security/ise/1.1/compatibility/ise_sdt.html#wp55038
Of course, with an IPN, your posturing (and CoA) is handled here.
DACLs are also supported on the WLC 4400.
Per User ACLs are covered in the following document:
http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a00808b041e.shtml
I think you will find that if you substitute the ACS pages with the corresponding ISE interface pages, this can be done.
Please feel free to ask any additional or follow-up questions.
Also, please let me know if this fixes your issue. If it does, please rate this answer and mark your question as Answered.
Charles Moreton -
Production site is not functioning due to an User Login Password expire.
Hi All,
SQL Server 2005
We have an issue with user login password expire. Generally we create logins without password expire but the user is unable to login to the server and getting password expire error.
a) What would be the reasons behind this scenario.
b) How to resolve this issue.
c) How can we avoid this issue in future.
I'm really grateful to your valuable suggestions on this. Thank You.
Regards,
Kalyan.
----Learners Curiosity Never Ends----Hi,
In addition, you can use
ALTER LOGIN (Transact-SQL) to configure the enforcement of password policy options of a SQL Server login.
When CHECK_POLICY is changed to OFF, CHECK_EXPIRATION will also be set to OFF. The following combinations of policy options are not supported:
If MUST_CHANGE is specified, CHECK_EXPIRATION and CHECK_POLICY must be set to ON. Otherwise, the statement will fail.
If CHECK_POLICY is set to OFF, CHECK_EXPIRATION cannot be set to ON. An ALTER LOGIN statement that has this combination of options will fail.
More information, please see policy enforcement section in the following TechNet article:
http://technet.microsoft.com/en-us/library/ms161959.aspx
Thanks.
Tracy Cai
TechNet Community Support -
unable to bootup after Yosemite install. have to keep shutting down from rear button. it does come on after a few times but then hangs at user login again. If you get in it is great. Seems faster than Mavericks but there is some sort of issue, bootup /login.
Knock on wood, this seems to have been my problem as well. I stumbled on this thread after dealing with this ridiculously-long boot times for the past several weeks.
I just reinstalled McAfee Antivirus and my Macbook Air booted up in less than 1 minute. No more hanging on the boot-up progress bar. No more hanging after I click on my user's avatar on the log-in screen. Bootup would often take 5+ minutes and sometimes never complete.
This has been SUPREMELY frustrating.
THANK YOU SO MUCH FOR POSTING YOUR RESPONSE!!! -
Hello,
I am experiencing an issue with my model 4404 Wireless controllers that has plagued me for some time now. I have two controllers with 106 AP's split evenly between the two controllers. One of my SSID's is setup with web authentication. I have one Radius server (Cisco ACS v 4.1). The problem only exists for the SSID that uses web authentication. Reports begin to come in that students cannot login to the wireless using the student SSID that uses web authentication. The student can get to the web authentication page, but when they put in their username and password both fields go blank. You can do this over and over with no errors, and the logs in the controller show nothing to indicate any issues (you don't even see the attempted login). I obtain one of the student logins for testing and here is what I have found. I attempt to login to the student wireless with this account and recieve the same results as the student. I have an AP in my office that I use for testing so I force it on to the other controller. At that point the account in question works. I can login without any issues. I force the AP back to the initial controller and experience the same issue, I cannot login. No error of bad username and password, just login fields that go blank. More reports come in that students cannot login and I find that all issues are related to this controller. The next morning I reboot the controller and everything works for a week or more and then it all starts over again. The next time it may be the other controller that is experienceing this issue. A reboot of the controller always fixes the issue for the short term. The issue appears to be controller related but I cannot pin it down. I recently upgraded my controller code from 4.2.61.0 to 6.0.188.0 at Cisco's recommendation. Unfortunately the issue still exists. Scouring the forums produces a few other people encountering the same issue but none seem to have found a fix. Does anyone know if this is a known issue with this model controller?
Thanks much for any help.Thank you for your response Dennis, it is greatly appreciated. I do not find any mount errors in the crash log. However I did finally find something in the message logs that I was unable to find before. I did not copy this message so it is not verbatim. The error message states that the user cannot be logged in possibly due to being logged in somewhere else. At that point I pour over every client on the controller even filtering by mac address. I see no evidence of the client being associated or authenticated. On a side note I can see the client as associated if the wireless card is enabled. Checking the ACS does not show a failed authentication. Again, rebooting the controller seems to clear some sort of radius accounting on the controller that I am unable to clear manually without a reboot. Thanks again for your response.
-
Logon issues - 2 users (G4 + G5) migrated to MacBookPro = 3 login profiles
So have finally upgraded to a MacBook Pro 17" i7 and have migrated user info from my previous models (PowerBook G4 17" and a PowerG5 - both separate users/logins).
My new MacBook Pro has a separate identity.
I've been using Microsoft for Mac 04 on both the G4 + G5 since 2004 and I understand that this should still be usable on the MacBook Pro (yes Microsoft Office for Mac, including Rosetta, is installed on MacBook Pro).
I have loaded Microsoft Office onto the MacBook Pro login - but Microsoft does not work - it just freezes mid loading of software application i.e. Word, Excel, Entourage or PowerPoint! When I attempted to open Entourage it came up with "unable to use with this identity".
Am I right in assuming that this is because my Microsoft office software is not licenced for "another Mac"?
If so I guess I would need to delete Microsoft from the G4 + G5 user environments thereby allowing only the MacBook Pro authority to access the software?
I really want/need to import user info from all previous Macs esp Entourage Project Centre (contacts, related client work files etc).
Have saved all data (and preferences) from G4 + G5 onto an external Hard Drive as well. So just would like some pointers on how to best sort the above issues.
*Is there a better solution?* - other than switching to iWork
(I know, I know - switch to iWork instead is clearly an option. I do have that loaded as well but I still need to access Microsoft Office when clients send their 40pg documents to me in Word and all their formatting is out of whack in Pages!!! In order to open in word I currently have to switch user logons and access document separately.
Is the following a plausible option?
Delete/remove/uninstall Office from G4 + G5 login environments thereby allowing only the MacBook Pro environment the authority to use Microsoft Office.
If so, how do I integrate my G4 + G5 user preferences (i.e. Entourage mail, client contacts, project info and linked documents) into my MacBook Pro User ID?
Would really appreciate some guidance ...
ThanksHave you tried simply running disk utility and repairing permissions?
-
GRC AC 10.1 - End User Login - Request issue
Hi experts!
Im working in GRC AC 10.1 SP07. I have configured END USER LOGIN services; the idea is that end user from ECC system could submit request without having user in GRC box, this is working fine but i´m experimenting next problem.
When i go to search request, those request submited by end user appears like created by Z_END_USER, this is the user in GRC that i have configured in services GRAC_UIBB_END_USER_LOGIN and GRAC_OIF_REQUEST_SUBMISSION_EU.
¿Is possible to configure that request appears "Created By" the requester and not the service´s user? I don´t think so, but if not, ¿is there any way to add the column User ID in Result screen? because it is avaible in parameters search but im not being able to add this in result screen (it´s not like hidden neither).
Parameters "Created by user ID" would be service´s user and "User ID" would be the requester.
Thanks!
EmilianoHi Emiliano,
Your understanding is correct, request created by UserID will always show GUEST UserID configured in the End User Logon service.
In search requests there is option to search requests by UserID but the same field has not been enabled to be available in Search Request result screen. This is as per standard functionality. You can check with SAP or can work with ABAPer to make the UserID column as display field in Search Request results.
Regards,
Madhu. -
Amazon has a refurbed I pad Air with this remark. Item cannot be activated because of cloud lock previous user login unknown. Is there a work around or is it best to forget this one and move on?
You are welcome, at least the seller was honest enough to let potential buyers know that the device is useless to anyone who would try to buy it.
-
ABAP dump when user login in to PRD system
Hi Experts,
From today morning our users are facing one severe issue.The users when ever they login into the system the ABAP dump is occuring like "Database inconsistency: Start transaction SICK ",when i execute the SICK t-code it is showing errors.
SAP System Check
no application server offers an VB service
Severe problems were detected during initial system check.
Please, do not use that system before fixing these problems.
our go live was before one month only,now we are facing this issue.our kernel release is 740 and DB sybase ASE 15.7.0.1010. please suggest us what can we do.
regards,
Patan Thavaheer.|15.05.2014 Active parameters 12:47:40 |
|Parameter Name |Parameter value Parameter Value - Continued |
|login/disable_multi_gui_login |1 |
|rdisp/wp_no_enq |1 |
|login/no_automatic_user_sapstar |0 |
|SAPSYSTEMNAME |XXX |
|SAPGLOBALHOST |XXXXXX |
|SAPSYSTEM |00 |
|INSTANCE_NAME |DVEBMGS00 |
|DIR_CT_RUN |$(DIR_EXE_ROOT)\$(OS_UNICODE)\NTAMD64 |
|DIR_EXECUTABLE |$(DIR_INSTANCE)\exe |
|DIR_PROFILE |\\XXXXXX\sapmnt\XXX\SYS\profile |
|_PF |$(DIR_PROFILE)\XXX_DVEBMGS00_XXXXXX |
|SETENV_00 |PATH=$(DIR_EXECUTABLE);%PATH% |
|Start_Program_00 |immediate $(DIR_CT_RUN)\sapcpe$(FT_EXE) pf=$(_PF) |
|_CPARG0 |list:$(DIR_GLOBAL)/syb/NTAMD64/cpe_sybjdbc.lst |
|_CPARG1 |source:$(DIR_GLOBAL)/syb/NTAMD64 |
|Start_Program_01 |immediate $(DIR_CT_RUN)\sapcpe$(FT_EXE) pf=$(_PF) $(_CPARG0) $(_CPARG1) |
|Start_Program_02 |immediate $(DIR_CT_RUN)\sapcpe$(FT_EXE) pf=$(_PF) |
|_CPARG2 |list:$(DIR_GLOBAL)/syb/NTAMD64/cpe_sybodbc.lst |
|_CPARG3 |source:$(DIR_GLOBAL)/syb/NTAMD64/sybodbc |
|Start_Program_03 |immediate $(DIR_CT_RUN)\sapcpe$(FT_EXE) pf=$(_PF) $(_CPARG2) $(_CPARG3) |
|_CPARG4 |list:$(DIR_CT_RUN)/sapcrypto.lst |
|Start_Program_04 |immediate $(DIR_CT_RUN)\sapcpe$(FT_EXE) pf=$(_PF) $(_CPARG4) |
|SAPJVM_VERSION |6.1.048 |
|DIR_SAPJVM |$(DIR_EXECUTABLE)$(DIR_SEP)sapjvm_6 |
|jstartup/vm/home |$(DIR_SAPJVM) |
|Start_Program_05 |immediate $(DIR_CT_RUN)\strdbs.cmd XXX |
|sec/libsapsecu |$(ssl/ssl_lib) |
|ssf/ssfapi_lib |$(ssl/ssl_lib) |
|rdisp/wp_no_dia |10 |
|rdisp/wp_no_btc |3 |
|_DW |$(DIR_EXECUTABLE)\disp+work$(FT_EXE) |
|Start_Program_06 |local $(_DW) pf=$(_PF) |
|_IG |$(DIR_EXECUTABLE)\igswd$(FT_EXE) |
|Start_Program_07 |local $(_IG) -mode=profile pf=$(_PF) |
|rdisp/wp_no_vb |1 |
|rdisp/wp_no_vb2 |1 |
|rdisp/wp_no_spo |1 |
|ssl/ssl_lib |$(DIR_EXECUTABLE)$(DIR_SEP)$(FT_DLL_PREFIX)sapcrypto$(FT_DLL) |
|SETENV_01 |SECUDIR=$(DIR_INSTANCE)/sec | -
Run NAC agent before user login - Win7?
Greetings all and thx in advance for any advice! Environment details - ISE 1.2. Patch 5 and cisco NAC agent 4.9.3.
I have all of the authen/authz policies working and functioning properly, however, I have run into an issue with the NAC agent running posture only after user login. This is causing some grief, mainly that users required login scripts can't run successfully until posture is compliant and the more permissive dACL is applied. I was hoping that posture would complete long before windows login was even an option for the user but for some reason I appear to require an interactive login to get the NAC agent to run posturing. Any thoughts or ideas on this? I tried the NAC agent installation with a couple of different user accounts on the windows hosts but without success, it will only posture once I have interactive login. I went pretty deep on the removal of the posture conditions to simply checking a single windows service but it didn't make any difference. Thanks for any advice!!
IAThanks for the reply Saurav, I should have clarified a design point. I am not doing any user authentication, only doing a machine authen. As I mentioned I can't seem to posture pre-user authentication even though I am not doing any user authentication.
IA -
Concurrent user logins using same user ID- Is it Possible?
Hi Experts,
I want to know how can I make the configuration for user ID in SAP to login in to the system at once through different machings. Basically concurrent user logins using same user ID.
Is this is possible? whats the configuaration? Am I violating any SAP license policies?
Please help me with this.just for the knowledge, it is possible and via following parameter
login/disable_multi_gui_login
http://help.sap.com/saphelp_nw04s/helpdata/en/22/41c43ac23cef2fe10000000a114084/content.htm
However, it is not permitted to use in Production at all. But sometimes, only in critical situations, for eg. we have only a few basis IDs and some maintenance task is to be carried out involving more resources, multiple gui login can be utilized in sandbox to for that ID.
But, it is for sure that, USMM report will be sent to SAP for the sandbox too. So client is subjectable. If you, as a basis guy, are going to try it, then please do it only after the confirmation from the client and only if client needs it. -
Hi ,
I have wlc 4400 with 1010 AP's wireless set-up.
Everything is working fine but unfortunately , I am coming across with one issue that, clients are not getting authenticated.
If I see the status of respective client in WLC :
status : Associated
Auth : No
Policy manager : 802.1X REQD
I read about PEM ( Policy enforcement Module ) , as it is going through same procedure but policy manager should in " RUN " condition , Unfortunately it is not.
how do i resolve this issue ?Hi Vinod,
The 802.1X_REQD state would suggest that the client cannot complete L2 authentication.
If possible, it would be helpful to collect the following debugs from the WLC while trying to connect the client:
debug client
debug aaa event enable
Also, please attach the full text output of the command "show run-config" and let us know the WLAN through which the client should be connecting.
Regards,
Fede
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.
Maybe you are looking for
-
How to resolve Invalid Classpath Entry error in Oracle Jdeveloper 11g
I receive the following error in JDeveloper when I try to create a new JSF page in ViewController project - Dec 27, 2009 9:47:11 PM oracle.adfdt.library.loader.ProjectLibraryManager SEVERE: Invalid Classpath Entry: <unknown> Active Project: C:\JDevel
-
Mismatch between Employee Org Unit and HRP1001
Hi, I am facing one peculiar issue. The Org Assignment for a person is showing a set of Position, Job and Org Unit. But when I check the HRP1001 table for that position, the OU Relation shown is different. On prodding, user told me that, they have de
-
Run Crystal Report from URL includes username and password
Hello, I've downloaded CR 2008, and CR Server 2008 demo's. I'm trying to use a feature I've used with CR10 enterprise, and XI report server, where I can run a report direct from the URL. Something like: HTTP://scada-ho/crystal/enterprise/admin/en/vie
-
JBO-25005: Object name 1 for type Variable is invalid(help please)
Hi Guys, when i connect my application to the DB locally, everything works fine. however, once i deploy my application to the server by connecting to the same DB, i tried 10 users which i already tested loaclly and work fine, i got the following prob
-
My phone is a 4S, software version 6.1.3. My phone syncs fine, but it won't make a new backup. I get this error now, every time I try. The error simply says: iTunes could not back up the iPhone "iPhone" because an error occurred. Anybody?