WLC Management Admin via RADIUS

I am trying to have a management user authenticate via radius and have full admin privileges.
For a WCS I can simply set the radius attribute of "Cisco-AVPair.attr|Wireless-WCS:role0=Admin" and that user will get full admin rights. I found this doc to grant a user lobby admin:
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080871921.shtml
but it is specific to using the Cisco ACS as a radius server. What attributes do I need to set for a user to get full admin rights to a WLC when authenticating via radius? Thanks.

My problem: I have a local management user profile defined on my WLC and it works fine when the Priority Order is set to LOCAL.  When I change the Priority Order to make RADIUS first and LOCAL second, I can't get logged into the WLC using CLI, GUI, or the console.  The last time this happened I had to reset the WLC and start over.  I don't want to do that again, so I need some way to get into the WLC.
Once I can get back into the WLC I would prefer using Active Directory to authenticate the management user, but that doesn't seem to work.  My RADIUS acts as a front end for the Active Directory database and works well for many of our Cisco LAN switches and routers. Now I'm trying to set up the WLC to authenticate the management user with RADIUS.  I have set the RADIUS (MS IAS) to return two attributes:
1. Vendor-Specific -Vendor Code 14179, Value=management
2. Service-Type - Value=Login
When I try to login using my AD account, the RADIUS server log shows an Access Request record, then an Access-Accept record that makes it appear RADIUS has successfully authenticated the user.  But the login prompt for the GUI comes back as if it has failed.  Same with the CLI login.  Now I can't get logged into the WLC.  How can I get into the box to manage it again?
Thanks
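
The symptom described above (the RADIUS server logs an Access-Accept, yet the WLC returns the login prompt) can be narrowed down by decoding the attributes the Access-Accept actually carries. The Python below is an added example, not part of the original post: the sample packets are constructed, and the mapping from Service-Type to WLC management role (Administrative for read-write, NAS-Prompt for read-only, Callback-Administrative for lobby admin) is taken from Cisco's WLC documentation rather than from this thread.

```python
import struct

# RFC 2865 packet codes and Service-Type (attribute 6) values.
CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject"}
SERVICE_TYPES = {
    1: "Login", 2: "Framed", 3: "Callback-Login", 4: "Callback-Framed",
    5: "Outbound", 6: "Administrative", 7: "NAS-Prompt",
    8: "Authenticate-Only", 9: "Callback-NAS-Prompt", 10: "Call-Check",
    11: "Callback-Administrative",
}
# Assumption (Cisco WLC documentation, not this thread): the only
# Service-Type values a WLC maps to a management role.
WLC_ROLES = {6: "read-write", 7: "read-only", 11: "lobby-admin"}

ATTR_SERVICE_TYPE = 6
ATTR_VENDOR_SPECIFIC = 26


def parse_radius(data: bytes) -> dict:
    """Split a RADIUS datagram into code, identifier and (type, value) pairs."""
    if len(data) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data):
        raise ValueError("length field does not match the datagram")
    attrs = []
    pos = 20  # attributes start after code, id, length and authenticator
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        a_type, a_len = data[pos], data[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError(f"bad length for attribute {a_type}")
        attrs.append((a_type, data[pos + 2:pos + a_len]))
        pos += a_len
    return {"code": code, "id": ident, "attrs": attrs}


def wlc_management_verdict(data: bytes) -> dict:
    """Report Service-Type, vendor IDs and the WLC role the reply would grant."""
    pkt = parse_radius(data)
    result = {
        "packet": CODES.get(pkt["code"], f"code {pkt['code']}"),
        "service_type": None,
        "vendor_ids": [],
        "wlc_role": None,
    }
    for a_type, value in pkt["attrs"]:
        if a_type == ATTR_SERVICE_TYPE and len(value) == 4:
            st = struct.unpack("!I", value)[0]
            result["service_type"] = SERVICE_TYPES.get(st, f"unknown ({st})")
            if pkt["code"] == 2:  # a role only matters on Access-Accept
                result["wlc_role"] = WLC_ROLES.get(st)
        elif a_type == ATTR_VENDOR_SPECIFIC and len(value) >= 4:
            # First four bytes of a VSA are the vendor ID; the rest is opaque.
            result["vendor_ids"].append(struct.unpack("!I", value[:4])[0])
    return result


def build_packet(code: int, ident: int, attrs) -> bytes:
    """Build a constructed test packet (all-zero authenticator, not verifiable)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body


# Constructed sample: the two attributes the post says IAS returns.
AS_POSTED = build_packet(2, 1, [
    (ATTR_SERVICE_TYPE, struct.pack("!I", 1)),                     # Login
    (ATTR_VENDOR_SPECIFIC, struct.pack("!I", 14179) + b"management"),
])
# Constructed sample: same reply with Service-Type = Administrative.
ADMIN = build_packet(2, 2, [(ATTR_SERVICE_TYPE, struct.pack("!I", 6))])
# Constructed sample: Access-Accept with no Service-Type at all.
NO_SERVICE_TYPE = build_packet(2, 3, [])

if __name__ == "__main__":
    for name, pkt in (("as posted", AS_POSTED), ("administrative", ADMIN),
                      ("no service-type", NO_SERVICE_TYPE)):
        print(name, wlc_management_verdict(pkt))
```

Feed it the UDP payload of the Access-Accept taken from a packet capture between the RADIUS server and the WLC; a `wlc_role` of `None` on an Access-Accept matches the "authenticated but login refused" behaviour.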

Similar Messages

  • Start managed servers via admin console

    Hello,
    I have installed weblogic server, created a domain, added a managed server. All working fine. Now I want to be able to start managed server through admin console.
    According to this documentation (http://docs.oracle.com/cd/E13222_01/wls/docs81/adminguide/confignodemgr.html), it should all be pre-configured for a development environment. But when I try to start the managed server in the admin console, it says "server does not have a machine associated with it." I added a machine and assigned that machine to the managed server; now it says "the Node Manager associated with machine m1 is not reachable.".
    Can someone point to instructions on how to set this up on a dev environment? In one of the instructions, it is suggested to change nodemanager.properties in the common\nodemanager folder. But this file doesn't exist in my environment.
    All I want is to start all admin and managed servers with one script, or to start the admin server and be able to start the managed servers via console.
    Thanks,

    Hi,
    Check from the console whether your node manager is reachable or not.
    Console Path:
    Machines -> <YOUR_MACHINE_NAME> -> Monitoring (tab) -> Node Manager Status (sub-tab) -> Status: Reachable
    You can follow the link below for "Node manager not reachable":
    http://middlewaremagic.com/weblogic/?p=5205
    Once done, check the status of the node manager.
    If the node manager is still not reachable after this,
    check the node manager logs to see whether you get any exceptions.
    location $weblogic_home\wlserver_10.3\common\nodemanager\nodemanger.log
    You can use the link below for troubleshooting the basic node manager exceptions.
    http://middlewaremagic.com/weblogic/?p=2887
    Or you can even paste the errors on this post itself; we will guide you.
    Regards
    FAbian

  • How can I use Windows IAS to validate WLC management users?

    I am having a problem using my Windows IAS radius server to validate management users for my 2112 Wireless Lan Controller.
    I have defined the radius server and it works ok with the policy for validating wireless clients but not for WLC management users.
    The Remote access policy seems to be set up correctly as the event viewer on the server shows:-
    Event Type: Information
    Event Source: IAS
    Event Category: None
    Event ID: 1
    Date:  09/02/2011
    Time:  11:06:06
    User:  N/A
    Computer: UK01DC07
    Description:
    User xxxxxx was granted access.
    Fully-Qualified-User-Name = TRAVEL.OAG.com/Dunstable Admins/xxxxxx
    NAS-IP-Address = 10.10.45.210
    NAS-Identifier = UK03NM01
    Client-Friendly-Name = UK03NM01
    Client-IP-Address = 10.10.45.210
    Calling-Station-Identifier = <not present>
    NAS-Port-Type = <not present>
    NAS-Port = <not present>
    Proxy-Policy-Name = Use Windows authentication for all users
    Authentication-Provider = Windows
    Authentication-Server = <undetermined>
    Policy-Name = UK03NM01 - login
    Authentication-Type = PAP
    EAP-Type = <undetermined>
    But, the WLC log shows:
    *Feb 09 11:06:06.612: %EMWEB-1-LOGIN_FAILED: ews_auth.c:2104 Login failed. User:xxxxxx. Service-Type is not present or it doesn't allow READ/WRITE permission..
    The WLC just returns the login screen
    Any thoughts?
    Thanks in advance
    Richard

    Event viewer shows :
    Event Type: Information
    Event Source: IAS
    Event Category: None
    Event ID: 1
    Date:  10/02/2011
    Time:  08:49:39
    User:  N/A
    Computer: UK01DC07
    Description:
    User xxxxxxxx was granted access.
    Fully-Qualified-User-Name = TRAVEL.OAG.com/Dunstable Admins/xxxxxxxx
    NAS-IP-Address = 10.10.45.210
    NAS-Identifier = UK03NM01
    Client-Friendly-Name = UK03NM01
    Client-IP-Address = 10.10.45.210
    Calling-Station-Identifier =
    NAS-Port-Type =
    NAS-Port =
    Proxy-Policy-Name = Use Windows authentication for all users
    Authentication-Provider = Windows
    Authentication-Server =
    Policy-Name = UK03NM01 - login
    Authentication-Type = PAP
    EAP-Type =
    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
    Data:
    0000: 00 00 00 00               ....   
    and IAS log shows:
    "UK01DC07","IAS",02/10/2011,08:49:39,1,"xxxxxxxx","TRAVEL.OAG.com/Dunstable Admins/xxxxxxxx",,,,,"UK03NM01","10.10.45.210",,0,"10.10.45.210","UK03NM01",,,,,,7,1,"UK03NM01 - login",0,"311 1 10.10.45.254 12/04/2010 23:56:59 1987",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Use Windows authentication for all users",1,,,,
    "UK01DC07","IAS",02/10/2011,08:49:39,2,,"TRAVEL.OAG.com/Dunstable Admins/xxxxxxxx",,,,,,,,0,"10.10.45.210","UK03NM01",,,,,,2,1,"UK03NM01 - login",0,"311 1 10.10.45.254 12/04/2010 23:56:59 1987",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Use Windows authentication for all users",1,,,,
    It appears to me that IAS checks and passes the username/password as being valid but this response is ignored by the WLC
    Richard

  • Use Tacacs+ for Admin auth & Radius for user Auth?

    Can I setup my Aironet 1200 to use TACACS+ for authentication back to the cisco ACS server and RADIUS back to same server for user authentication?
    If I setup a server in Server Manager under Radius, then add that same server as a TACACS+ server, it deletes the RADIUS server, so I assume no.

    Don't know about 1200s, but you can do this on 1130AGs. Create an aaa group for authentication via radius, and one for tacacs+, then use aaa groups to point console/vty to the tacacs+ aaa group, and EAP authentication to the radius group.
    eg:
    aaa group server radius rad-group
    server x.x.x.x auth-port xxxx acct-port xxxx
    aaa group server tacacs+ admin-access
    server x.x.x.x
    aaa authentication login eap-method group rad-group
    aaa authentication login auth-admin-access group admin-access local
    aaa authorization exec default group admin-access local
    now under the ssid part of the config have:
    dot11 ssid yyyyyy
    authentication open (or whatever method you use) eap eap-method
    under console/vty etc:
    login authentication auth-admin-access
    You need some more stuff like radius and tacacs server keys, but the above should get you started. On 1130AGs don't use aaa auth for http(s); it looks like it overloads the aaa server at the moment - see field notices - probably doesn't apply to 1200s.

  • Using ISE guest store via RADIUS

    I have a question concerning the guest store on the ISE.
    I would like to establish a guest portal on a WLC (currently running version 7.0.220.0). The guest network shouldn’t have any connection to the company network. So I can’t redirect to the ISE guest portal and have to use the local portal on the WLC and pass the login data to the ISE via RADIUS. Nevertheless I want to use the guest store on the ISE.
    On the ISE I can only select the internal user store as identity source. But this seems not to include the guest user store.
    Has anyone already implemented a similar solution or any idea how to access the guest store?
    Thanks
    Thomas

    I just created a simple setup and tested the login.
    It doesn't work with a user created as a guest account.
    If I create the user in the normal internal identity store it works fine.
    Might there be a difference between ISE Versions?
    We are currently using Version 1.1.0.665 on a VM for testing purpose.
    This is what the details show:
    11001  Received RADIUS Access-Request
    11017  RADIUS created a new session
    Evaluating Service Selection Policy
    15048  Queried PIP
    15048  Queried PIP
    15004  Matched rule
    Evaluating Identity Policy
    15006  Matched Default Rule
    15013  Selected Identity Store - Internal Users
    24210  Looking up User in Internal Users IDStore - tuser001
    24206  User disabled
    22057  The advanced option that is configured for a failed authentication request is used
    22061  The 'Reject' advanced option is configured in case of a failed authentication request
    11003  Returned RADIUS Access-Reject
    11001  Received RADIUS Access-Request
    11017  RADIUS created a new session
    Evaluating Service Selection Policy
    15048  Queried PIP
    15048  Queried PIP
    15004  Matched rule
    Evaluating Identity Policy
    15006  Matched Default Rule
    15013  Selected Identity Store - Internal Users
    24210  Looking up User in Internal Users IDStore - tuser001
    24212  Found User in Internal Users IDStore
    22037  Authentication Passed
    Evaluating Authorization Policy
    15004  Matched rule
    15016  Selected Authorization Profile - Guest
    11022  Added the dACL specified in the Authorization Profile
    11002  Returned RADIUS Access-Accept

  • Cisco 1602i + Authenticating users via RADIUS?

    Hello,
    Our company recently purchased a Cisco 1602i standalone WAP to replace the WAP4410Ns that we were having issues with.  I am now attempting to configure the RADIUS authentication, as we have a User network and a Guest connection.  The Guest connection works fine, using WPA PSK.  However, I can't seem to get the RADIUS authentication to work.  Reading the documentation has got me a little confused, and I have tried turning on debugging (debug radius authentication, debug aaa) but those show nothing.  Also, in the RADIUS server itself (Windows 2008 R2 NPS), I see nothing in the logs when I try to connect using a device or the "test aaa" command.  Can someone guide me on what I'm doing wrong?  I followed someone's advice on another forum and removed "authentication network-eap" from the SSID (phoenix_2), and now when I attempt to connect with a device it just asks me for a password, it doesn't prompt for a username anymore.  I am very stumped.  Here's the relevant config:
    aaa new-model
    aaa group server radius rad_eap
    server 10.200.5.24
    aaa group server radius rad_mac
    aaa group server radius rad_acct
    aaa group server radius rad_admin
    aaa group server tacacs+ tac_admin
    aaa group server radius rad_pmip
    aaa group server radius dummy
    aaa authentication login eap_methods group rad_eap
    aaa authentication login mac_methods local
    aaa authorization exec default local
    aaa accounting network acct_methods start-stop group rad_acct
    aaa session-id common
    clock timezone EST -5 0
    ip cef
    ip domain name gst
    dot11 syslog
    dot11 vlan-name guest vlan 255
    dot11 vlan-name user vlan 140
    dot11 ssid phoenix_2
       vlan 140
       band-select
       authentication open eap eap_methods
       mbssid guest-mode
    dot11 ssid walker_2
       vlan 255
       band-select
       authentication open
       authentication key-management wpa version 2
       mbssid guest-mode
       wpa-psk ascii 7 0353035E535879191B
    interface BVI1
    ip address 10.200.5.70 255.255.255.0
    ip default-gateway 10.200.5.1
    ip forward-protocol nd
    no ip http server
    ip http secure-server
    ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
    ip route 0.0.0.0 0.0.0.0 10.200.140.1
    ip route 0.0.0.0 0.0.0.0 10.200.5.1
    ip radius source-interface BVI1
    access-list 111 permit tcp any any neq telnet
    snmp-server community G!0bal RO
    radius-server attribute 32 include-in-access-req format %h
    radius-server host 10.200.5.24 key 7 01445E510E1C07032A495C0D0B0C011718190D3E2E767863
    radius-server vsa send accounting
    The NPS worked just fine with the WAP4410Ns, not sure why we're having so much trouble with the 1602i. 

    Thanks Rasika, your link worked.  I had the authentication key before, but I removed it while I was trying different things.  My main issue was not applying the list name to the ssid; the documentation did not make it clear that when the radius server is specified using the "radius-server ...." command, the radius group refers to that command when you configure the group.  Once that clicked, it made sense that the method list name was specified by the radius group, and that the authentication methods then referred to the radius group.  It was a big question mark in my head how the radius server was applied to the SSID prior to reading your post.
    I haven't tried the "erase startup-config" command yet, I will try that next. 
    Quick question, why are both authentication open and authentication network-eap needed?  I would assume authentication network-eap would suffice, unless the authentication open command refers to the allowed devices and not just authentication via RADIUS?

  • HANDSHAKE_FAILURE problem when starting managed server via NodeManager

    hi all, i am trying to start a managed server using nodeManager, but i keep on
    getting following exception:
    weblogic.nodemanager.NodeManagerException: [Could not execute command start for
    server managedServer via the Node Manager - reason: [CommandInvoker: Failed to
    send command: 'online to server 'managedServer' to NodeManager at host: 'localhost:5555'
    with exception FATAL Alert:HANDSHAKE_FAILURE - The handshake handler was unable
    to negotiate an acceptable set of security parameters.. Please ensure that the
    NodeManager is active on the target machine].] at weblogic.nodemanager.NodeManagerRuntime.executeCommand(NodeManagerRuntime.java:472)
    at weblogic.nodemanager.NodeManagerRuntime.start(NodeManagerRuntime.java:76) at
    java.lang.reflect.Method.invoke(Native Method) at
    here is my script for starting nodemanager
    set JAVA_HOME=c:\bea\jdk131
    set WL_HOME=c:\bea\weblogic700
    set PATH=%WL_HOME%\server\bin;%JAVA_HOME%\bin;%PATH%
    set CLASSPATH=.;%WL_HOME%\server\lib\weblogic_sp.jar;%WL_HOME%\server\lib\weblogic.jar
    java -hotspot -ms16m -mx16m -classpath %CLASSPATH% -Dbea.home=C:\bea\weblogic700
    -Djava.security.policy=C:\bea\weblogic700\server\lib\weblogic.policy -Dweblogic.nodemanager.weblogicHome=C:\bea\weblogic700
    -Dweblogic.nodemanager.listenAddress=172.21.73.94 -Dweblogic.nodemanager.listenPort=5555
    -Dweblogic.nodemanager.trustedHosts=C:\bea\weblogic700\common\nodemanager\config\nodemanager.hosts
    -Dweblogic.nodemanager.certificateFile=C:\bea\weblogic700\common\nodemanager\config\demo.crt
    weblogic.nodemanager.NodeManager
    i have created an admin server, called adminserver
    then i have created in the same domain a server called managedserver
    both servers run on the same machine, at different port numbers.
    i have created a machine, and associated managedserver to it.
    in the machine/configuration/nodemanager i have set listenaddress localhost and
    listenport 5555.
    my nodemanager starts automatically at that port. however, when i try to start
    the managed server via adminserver console, i got the exception mentioned in
    the subject.
    can anyone help?
    regards
    marco
    can anyone point me to the right direction for solving this problem?
    in the adminserver console i have defined a machine for the managedserver, and
    nodemanager is supposed to run at localhost:5555 (and indeed it does, because
    i have started it successfully).
    thanx in advance and regards marco

    Marco.
    Sorry, this is not a solution to your problem but i am trying to solve the same
    problem for a week now.
    I have wl7.0 sp2, 1 admin server, 2 managed servers on the same box. I get the
    same error. I know that the default certificate installed provides a hostname
    verification of weblogic.com. I turned the hostname verification off, i put in
    the Dweblogic.nodemanager.sslHostNameVerificationEnabled=false, i get the same
    error when starting the managed server. I went ahead and created my own certificate
    for machine called mallik, created my own passphrase, created a new keystore,
    made the admin server view the keystore, used the same certificate for both the
    admin server and the node manager. It still fails with the same error. I went
    ahead and added the machine 'mallik' to nodeManager.hosts file. It fails. I am
    totally confused now what needs to be done.
    My nodeManger.hosts looks like this:
    mallik 10.100.10.130
    managedServer1 10.100.10.130
    managedServer2 10.100.10.13
    Below is the startNodeManager.cmd.
    @echo off
    @rem *************************************************************************
    @rem This script can be used to start the WebLogic NodeManager
    @rem
    @rem This script sets the following variables before starting the NodeManager:
    @rem
    @rem WL_HOME - The root directory of your WebLogic installation.
    @rem NODEMGR_HOME - The home directory for this NodeManager instance.
    @rem JAVA_HOME - Location of the version of Java used to start WebLogic
    @rem Server. This variable must point to the root directory of
    @rem a JDK installation and will be set for you by the
    @rem          installer. See the WebLogic platform support page
    @rem (http://e-docs.bea.com/wls/platforms/index.html) for an up-to-date list of
    @rem supported JVMs on Windows NT.
    @rem PATH - Adds the JDK and WebLogic directories to the system path.
    @rem CLASSPATH - Adds the JDK and WebLogic jars to the classpath.
    @rem JAVA_OPTIONS - Java command-line options for running the server. (These
    @rem will be tagged on to the end of the JAVA_VM and MEM_ARGS)
    @rem JAVA_VM - The java arg specifying the VM to run. (i.e. -server,
    @rem -client, etc.)
    @rem MEM_ARGS - The variable to override the standard memory arguments
    @rem passed to java
    @rem
    @rem *************************************************************************
    SETLOCAL
    set WL_HOME=C:\bea7.0\weblogic700
    set NODEMGR_HOME=%WL_HOME%\common\nodemanager
    set JAVA_HOME=C:\bea7.0\jdk131_06
    Call %WL_HOME%\common\bin\commEnv.cmd
    @rem If NODEMGR_HOME does not exist, create it
    :checkNodeManagerHome
    if exist %NODEMGR_HOME% goto checkJava
    echo.
    echo NODEMGR_HOME %NODEMGR_HOME% does not exist, creating it..
    mkdir %NODEMGR_HOME%
    @rem Check that java is where we expect it to be
    :checkJava
    if exist %JAVA_HOME%\bin\java.exe goto runNodeManager
    echo The JDK wasn't found in directory %JAVA_HOME%.
    echo Please edit this script so that the JAVA_HOME
    echo variable points to the location of your JDK.
    goto finish
    :runNodeManager
    if not "%JAVA_VM%" == "" goto noResetJavaVM
    rem set JAVA_VM=-hotspot
    set JAVA_VM=%COMM_VM%
    :noResetJavaVM
    if not "%MEM_ARGS%" == "" goto noResetMemArgs
    set MEM_ARGS=-Xms32m -Xmx200m
    :noResetMemArgs
    @echo on
    set CLASSPATH=.;%JAVA_HOME%\lib\tools.jar;%WL_HOME%\server\lib\weblogic_sp.jar;%WL_HOME%\server\lib\weblogic.jar;%CLASSPATH%
    set PATH=%WL_HOME%\server\bin;%JAVA_HOME%\bin;%PATH%
    cd %NODEMGR_HOME%
    #"%JAVA_HOME%\bin\java.exe" %JAVA_VM% %MEM_ARGS% %JAVA_OPTIONS% -classpath "%CLASSPATH%"
    "-Dbea.home=C:\bea7.0" "-Dweblogic.security.SSL.trustedCAKeyStore=%WL_HOME%\server\lib\cacerts"
    "-Djava.security.policy=%WL_HOME%\server\lib\weblogic.policy" "-Dweblogic.nodemanager.reverseDnsEnabled=true"
    "-Dweblogic.nodemanager.javaHome=%JAVA_HOME%" weblogic.nodemanager.NodeManager
    "%JAVA_HOME%\bin\java.exe" %JAVA_VM% %MEM_ARGS% %JAVA_OPTIONS% -classpath "%CLASSPATH%"
    "-Dbea.home=C:\bea7.0" "-Dweblogic.security.SSL.trustedCAKeyStore=%WL_HOME%\server\lib\cacerts"
    "-Djava.security.policy=%WL_HOME%\server\lib\weblogic.policy" "-Dweblogic.nodemanager.certificateFile=C:\bea7.0\user_projects\myDomain\mallikcert.pem"
    "-Dweblogic.nodemanager.sslHostNameVerificationEnabled=false" "-Dweblogic.nodemanager.javaHome=%JAVA_HOME%"
    "-Dweblogic.ListenAddress=mallik" "-Dweblogic.nodemanager.nativeVersionEnabled=true"
    "-Dweblogic.nodemanager.reverseDnsEnabled=true" "-Dweblogic.nodemanager.javaHome=%JAVA_HOME%"
    "-Dweblogic.nodemanager.trustedHosts=%WL_HOME%\common\nodemanager\config\nodemanager.hosts"
    "-Dweblogic.management.pkpassword=weblogic" weblogic.nodemanager.NodeManager
    goto finish
    :finish
    ENDLOCAL
    I would appreciate if anybody can help me.
    Mallik.

  • URGENT: weblogic.management.admin in weblogic 9.2 API

    Hi,
    Does anyone know what replaced "weblogic.management.admin" in Weblogic 9.2? It shows in the list of deprecated APIs, but it doesn't specify the replacement.
    http://edocs.bea.com/wls/docs92/javadocs/deprecated-list.html

    Can't you get it via the System property, 'weblogic.Name'? If this is not set in the classpath, you would need to lookup the runtime mbeanserver and get it from there.
    HTH,
    -satya
    BEA Blog:
    http://dev2dev.bea.com/blog/sghattu/
    Get Involved in CodeShare:
    https://wls-console-extensions.projects.dev2dev.bea.com/
    https://wlnav.projects.dev2dev.bea.com/
    https://eclipse-wlst.projects.dev2dev.bea.com/
    https://wlst.projects.dev2dev.bea.com/

  • MAC Filtering via Radius not working

    Hi Folks,
    I'm having problems with MAC filtering via RADIUS.  I have a combination of a local database on the controllers and remote MAC addresses provisioned on a Cisco ACS.  My problem is that even when I've set the controllers to use Radius and I've configured the order to be local and then radius the controllers never sent an auth request to the Radius servers.  I know that Radius can work because I have another WLAN (the guest WLAN) on the same hardware that is configured to authenticate first against the local database and then against Radius and this is working fine. 
    (WiSM-slot9-1) >debug aaa all enable
    *Oct 09 08:01:44.518:       AVP[14] Called-Station-Id........................X.X.X.X (9 bytes)
    *Oct 09 08:03:21.677: Unable to find requested user entry for 6cc26b5990e5
    *Oct 09 08:03:21.677: ReProcessAuthentication previous proto 8, next proto 40000001
    *Oct 09 08:03:21.677: AuthenticationRequest: 0x18cc933c
    *Oct 09 08:03:21.677:   Callback.....................................0x10112bc4
    *Oct 09 08:03:21.677:   protocolType.................................0x40000001
    *Oct 09 08:03:21.677:   proxyState...................................6C:C2:6B:59:90:E5-00:00
    *Oct 09 08:03:21.677:   Packet contains 14 AVPs (not shown)
    *Oct 09 08:03:21.678: 6c:c2:6b:59:90:e5 Returning AAA Error 'No Server' (-7) for mobile 6c:c2:6b:59:90:e5
    *Oct 09 08:03:21.678: AuthorizationResponse: 0x38f71958
    *Oct 09 08:03:21.678:   structureSize................................32
    *Oct 09 08:03:21.678:   resultCode...................................-7
    *Oct 09 08:03:21.678:   protocolUsed.................................0xffffffff
    *Oct 09 08:03:21.678:   proxyState...................................6C:C2:6B:59:90:E5-00:00
    *Oct 09 08:03:21.678:   Packet contains 0 AVPs:
    *Oct 09 08:03:21.680: Looking up local blacklist 98d6bbde785f
    *Oct 09 08:03:21.754: Looking up local blacklist 0013ce73a9e0
    *Oct 09 08:03:21.754: Looking up local blacklist 0013ce73a9e0
    *Oct 09 08:03:21.778: Looking up local blacklist 0013ce73a9e0
    *Oct 09 08:03:21.846: Unable to find requested user entry for 6cc26b5990e5
    *Oct 09 08:03:21.847: ReProcessAuthentication previous proto 8, next proto 40000001
    *Oct 09 08:03:21.847: AuthenticationRequest: 0x18c6dcc4
    *Oct 09 08:03:21.847:   Callback.....................................0x10112bc4
    *Oct 09 08:03:21.847:   protocolType.................................0x40000001
    *Oct 09 08:03:21.847:   proxyState...................................6C:C2:6B:59:90:E5-00:00
    *Oct 09 08:03:21.847:   Packet contains 14 AVPs (not shown)
    *Oct 09 08:03:21.847: 6c:c2:6b:59:90:e5 Returning AAA Error 'No Server' (-7) for mobile 6c:c2:6b:59:90:e5
    *Oct 09 08:03:21.847: AuthorizationResponse: 0x38f71958
    *Oct 09 08:03:21.847:   structureSize................................32
    *Oct 09 08:03:21.847:   resultCode...................................-7
    *Oct 09 08:03:21.847:   protocolUsed.................................0xffffffff
    *Oct 09 08:03:21.847:   proxyState...................................6C:C2:6B:59:90:E5-00:00
    *Oct 09 08:03:21.848:   Packet contains 0 AVPs:
    I'm assuming that the line - Returning AAA Error 'No Server' - is significant, but I have configured the Radius servers correctly and a packet trace shows no auth requests whatsoever from the controllers.  Has anyone seen this?  Anything I should be looking at?
    Thanks in advance,
    Shane.

    The bug I ran into was CSCta53985 on the WLCs.  I upgraded to 7.0 and it fixed it. The fix is available in 6.0.188. Depending on your WLC hardware, I would go to at least 7.0.116 for newer AP support, and CleanAir support.

  • WLC & Remote AP via WAN link

    Hi Team,
    During centralized WLC 7500 controller connectivity with branch office AP, can we use the public IP address in WLC management, in case we do not have VPN connectivity between the remote and branch locations and only have internet at both ends? Will my remote end AP associate with the centralized WLC controller via public IP (not a private local IP), or is a VPN / MPLS solution a must for communication between WLC & remote AP?

    You can configure OfficeExtend on those AP's. You would enable NAT address on the management and put your public address there. Then you would open udp 5246 and udp 5247 from the public side to the WLC management. Then enable data encryption on the AP after it joins. The AP can be in local FlexConnect mode. Here are some links to look at.
    http://jenniferhuber.blogspot.com/2011/11/configuring-3500-series-access-point-as.html?m=1
    http://www.cisco.com/en/US/docs/wireless/controller/7.0/configuration/guide/c70lwap.html#wp1502674

  • Can not see the report in report manager/admin tab

    Hi,
    in 8.49 on Win 2003 some users cannot see the reports in report manager/admin tab. PS user can see them.
    Should we add some grants in user profile? Which? Any query to compare that user profile with PS?
    Thank you.

    On the administration page, you will be able to see "View Reports For" header on the top.
    Under that header you will see the following fields:
    User ID/Type/Last/Status/Folder /Instance
    Above values will be used by PeopleSoft to filter and display the list of reports
    If the user has selected Status as Processing and saved the page, PeopleSoft will only show reports which are in Processing status.
    If user runs a report and it has been posted, it will not show up in report manager coz the filter value is set to Processing.
    Hope this helps. I don't think permissions have anything to do with this since the user is able to view the page.

  • Authentication via RADIUS : MSCHAPv2 Error 691

    Hello All,
    I am working on setting up authentication into an Acme Packet Net-Net 3820 (SBC) via RADIUS. The accounting side of things is working just fine with no issues. The authentication side of things is another matter. I can see from a packet capture that the access-request
    messages are in fact getting to the RADIUS server at which point the RADIUS server starts communicating with the domain controllers. I then see the chain of communication going back to the RADIUS and then finally back to the SBC. The problem is the response
    I get back is always an access-reject message with a reason code of 16 (Authentication failed due to a user credentials mismatch. Either the user name provided does not match an existing user account or the password was incorrect). This is confirmed by looking
    at the security event logs where I can see events 4625 and 6273. See the events below (Note: The names and IPs have been changed to protect the innocent):
    Event ID: 6273
    Network Policy Server denied access to a user.
    Contact the Network Policy Server administrator for more information.
    User:
        Security ID: NULL SID
        Account Name: real_username
        Account Domain: real_domain
        Fully Qualified Account Name: real_domain\real_username
    Client Machine:
        Security ID: NULL SID
        Account Name:
        Fully Qualified Account Name:
        OS-Version:
        Called Station Identifier:
        Calling Station Identifier:
    NAS:
        NAS IPv4 Address: 10.0.0.10
        NAS IPv6 Address:
        NAS Identifier: radius1.real_domain
        NAS Port-Type:
        NAS Port: 101451540
    RADIUS Client:
        Client Friendly Name: sbc1mgmt
        Client IP Address: 10.0.0.10
    Authentication Details:
        Connection Request Policy Name: SBC Authentication
        Network Policy Name:
        Authentication Provider: Windows
        Authentication Server: RADIUS1.real_domain
        Authentication Type: MS-CHAPv2
        EAP Type:
        Account Session Identifier:
        Logging Results: Accounting information was written to the SQL data store and the local log file.
        Reason Code: 16
        Reason: Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.

    Event ID: 4625
    An account failed to log on.
    Subject:
        Security ID: SYSTEM
        Account Name: RADIUS1$
        Account Domain: REAL_DOMAIN
        Logon ID: 0x3E7
    Logon Type: 3
    Account For Which Logon Failed:
        Security ID: NULL SID
        Account Name: real_username
        Account Domain: REAL_DOMAIN
    Failure Information:
        Failure Reason: Unknown user name or bad password.
        Status: 0xC000006D
        Sub Status: 0xC000006A
    Process Information:
        Caller Process ID: 0x2cc
        Caller Process Name: C:\Windows\System32\svchost.exe
    Network Information:
        Workstation Name:
        Source Network Address:
        Source Port:
    Detailed Authentication Information:
        Logon Process: IAS
        Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
        Transited Services:
        Package Name (NTLM only):
        Key Length: 0
    This event is generated when a logon request fails. It is generated on the computer where access was attempted.
    The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
    The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
    The Process Information fields indicate which account and process on the system requested the logon.
    The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
    The authentication information fields provide detailed information about this specific logon request.
    - Transited services indicate which intermediate services have participated in this logon request.
    - Package name indicates which sub-protocol was used among the NTLM protocols.
    - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
    So at first glance it would seem that the issue is merely a case of an invalid username or mismatched password. This is further confirmed in the packet capture where I can see the MSCHAPv2 response has an error code of 691 (Access denied because username or
    password, or both, are not valid on the domain). The thing is I know I am using a valid username and I have tried many usernames including new ones I created just for troubleshooting. I don't know how many times I have reset the password in an attempt to ensure
    it is not a mismatch password. I have even made sure to use passwords that are fairly short and contain only letters to ensure there was no terminal encoding issues (we connect to the SBC via SSH clients). I have also done this same thing with the shared secret
    used during communication between the SBC and the RADIUS server. I have tried prefixing the username with the domain name at login (though I don't think that should be necessary). I have also tried using the full UPN of the user to login. I have tried several
    RADIUS testing clients (NTRadPing, RadiusTest, etc.), but they either don't support MSCHAPv2 or only support EAP-MSCHAPv2. I have even created my own client using PHP's PECL RADIUS module. Still it always seems to fail with the MSCHAPv2 authentication with
    an error code of 691. Does anyone have any ideas as to why I always get an invalid username or bad password response when I have done everything possible to ensure that is not the case?
    Here are the specs for our RADIUS configuration:
    Windows Server 2012 R2
    SQL Server 2012 Back End Database for accounting.
    The server has been authorized on the domain and is a member of the "RAS and IAS Servers" group. For which that group does have access to the accounts we are testing with.
    The accounts we are testing with do have the "Control access through NPS Network Policy" option checked under their "Dial-in" property tab.
    RADIUS clients configured to simply match on the IP address which you can see from the events above that it is applying the client friendly name.
    Connection Request Policy: The "SBC Authentication" policy is being applied as seen above. The only condition is a regex expression that does successfully match the friendly name.
    Network Policy: As seen in events above, none are getting applied. For troubleshooting purposes I have created a Network Policy that is set to "1" for the processing order and its only condition is a Day and Time Restriction currently set to any
    time, any day.
    The authentication method is set to only MSCHAPv2 or MSCHAPv2 (User can change password after it has expired). I have tried adding this to just the Network Policy and I have also tried adding this to the Connection Request Policy and setting it to override
    the authentication method of the Network Policy.
    We do have other RADIUS servers in our domain that use PEAP to authenticate wireless clients and they all work fine. However, we need this to work with MSCHAPv2 only (No EAP).
    All other configurations are set to the defaults.
    The only other things of note to consider is the fact that in the events above you can see that the Security ID is "NULL SID". Now I know this is common especially among failed logons but given that this issue is stating an invalid username or
    bad password, perhaps it matters in this case. Also, this server has been rebuilt using the same computer account in Active Directory. I do not know if it would have worked before the rebuild. Essentially we built this server and only got as far as authorizing
    the server to the domain and adding SQL when we decided to separate out the SQL role onto another server. Rather than uninstalling SQL we just rebuilt the machine. However, before reinstalling Windows I did do a reset on the computer account. I don't think
    this should matter but thought I would point it out if there is some weird quirk where reusing the same SID of a previously authorized NPS server would cause an issue.
    All in all it is a fairly basic setup and hopefully I have provided enough information for someone to get an idea of what might be going on. I hope this was the right forum to post this too, I figured there would be a higher number of RADIUS experts here than
    any of the other categories. Apologies if my understanding of this seems a bit basic, after all, when it comes to RADIUS servers I guess you could say I'm the new guy here.

    Update 1:
    In an attempt to further troubleshoot this issue I have tried bringing up additional servers for testing. Here are the additional tests I have performed.
    Multiple Domains
    I have now tried this in 3 different isolated domains. Both our test and production domains as well as my private home domain which has very little in the way of customizations aside from the modifications made for Exchange and ConfigMgr. All have the same
    results described above.
    VPN Service
    Using Windows Server 2012 R2 we brought up a separate server to run a standard VPN setup. The intent was to see if we could use RADIUS authentication with the VPN and if that worked we would know the issue is with the SBCs. However, before we could even
    configure it to use RADIUS we just attempted to make sure it worked with standard Windows Authentication on the local VPN server. Interestingly, it too fails with the same events getting logged as the RADIUS servers. The client machine being a Windows 8.1
    workstation. Again I point out that we have working RADIUS servers used specifically for our wireless environment. The only difference between those RADIUS servers and the ones I am having problems with is that the working wireless servers are using PEAP instead
    of MSCHAPv2.
    FreeRADIUS
    Now I'm no Linux guru but I believe I have it up and running. I am able to use ntlm_auth to authenticate users when logged on to the console. However, when the radiusd service tries to use ntlm_auth to do essentially the same thing it fails and returns the
    same message I've been getting with the Windows server (E=691). I have the radiusd service running in debug mode so I can see more of what is going on. I can post the debug info I am getting if requested. The lines I am seeing of particular interest however
    are as follows:
    (1) ERROR: mschap : Program returned code (1) and output 'Logon failure (0xc000006d)'
    (1) mschap : External script failed.
    (1) ERROR: mschap : External script says: Logon Failure (0xc000006d)
    (1) ERROR: mschap : MS-CHAP2-Response is incorrect
    The thing to note here is that while we are essentially still getting a "wrong password" message, the actual status code (0xc000006d) is slightly different than what I was getting on the Windows Servers which was (0xc000006a). From this document you can see what these codes mean: NTSTATUS values.
    The good thing about this FreeRADIUS server is that I can see all of the challenge responses when it is in debug mode. So if I can wrap my head around how a MSCHAPv2 response is computed I can compare it to see if this is simply a miscomputed challenge response.
    Update: Was just noticing that the 6a code is just the sub-status code for the 6d code. So nothing different from the Windows Servers, I still wonder if there is a computation error with the challenge responses though.
    Currently, I am working on bringing up a Windows Server 2008 R2 instance of a RADIUS server to see if that helps at all. However, I would be surprised if something with the service broke between W2K8 R2 and W2K12 R2 without anyone noticing until now. If this
    doesn't work I may have to open a case with Microsoft. Update: Same results with W2K8 R2.
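
The post above asks how the MS-CHAPv2 challenge is computed so that values from a debug log can be compared. The following is an added example, not part of the original post: it splits an MS-CHAP2-Response attribute value (layout per RFC 2548) and derives the 8-byte ChallengeHash of RFC 2759 for each form of the login name, since the user name is an input to that hash. The sample values are the RFC 2759 section 9.2 test vector; the domain prefix and all function names are constructed for illustration.

```python
import hashlib

# RFC 2759 section 9.2 test vector (UserName "User"). The domain prefix
# used in main() is a constructed placeholder, not a value from the post.
AUTH_CHALLENGE = bytes.fromhex("5B5D7C7D7B3F2F3E3C2C602132262628")
PEER_CHALLENGE = bytes.fromhex("21402324255E262A28295F2B3A337C7E")
NT_RESPONSE = bytes.fromhex("82309ECD8D708B5EA08FAA3981CD83544233114A3D85D6DF")


def sample_attribute() -> bytes:
    """Constructed MS-CHAP2-Response value: Ident, Flags, Peer-Challenge,
    8 reserved zero bytes, 24-byte NT-Response (50 bytes in total)."""
    return bytes([1, 0]) + PEER_CHALLENGE + bytes(8) + NT_RESPONSE


def parse_mschap2_response(value: bytes) -> dict:
    """Split the 50-byte value of an MS-CHAP2-Response attribute."""
    if len(value) != 50:
        raise ValueError(f"expected 50 bytes, got {len(value)}")
    return {
        "ident": value[0],
        "flags": value[1],
        "peer_challenge": value[2:18],
        "reserved": value[18:26],
        "nt_response": value[26:50],
    }


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, username: str) -> bytes:
    """ChallengeHash() of RFC 2759: first 8 bytes of
    SHA-1(PeerChallenge || AuthenticatorChallenge || UserName)."""
    if len(peer_challenge) != 16 or len(auth_challenge) != 16:
        raise ValueError("both challenges must be 16 bytes")
    # RFC 2759 defines the name as ASCII; UTF-8 is identical for ASCII names.
    data = peer_challenge + auth_challenge + username.encode("utf-8")
    return hashlib.sha1(data).digest()[:8]


def username_forms(login_name: str) -> list:
    """The name as typed, plus the bare account name when a DOMAIN\\ prefix
    or @realm suffix is present."""
    forms = [login_name]
    for bare in (login_name.split("\\", 1)[-1], login_name.split("@", 1)[0]):
        if bare not in forms:
            forms.append(bare)
    return forms


def challenge_candidates(attr_value: bytes, auth_challenge: bytes, login_name: str) -> dict:
    """Map each user-name form to the hex challenge it would produce."""
    peer = parse_mschap2_response(attr_value)["peer_challenge"]
    return {form: challenge_hash(peer, auth_challenge, form).hex()
            for form in username_forms(login_name)}


def main() -> None:
    login = "REAL_DOMAIN\\User"
    for form, chal in challenge_candidates(sample_attribute(), AUTH_CHALLENGE, login).items():
        print(f"{form!r:24} challenge={chal}")
    print("nt-response=" + parse_mschap2_response(sample_attribute())["nt_response"].hex())


if __name__ == "__main__":
    main()
```

If the challenge shown in a RADIUS debug log matches none of the candidate forms, the client and server are hashing different user-name strings, and the NT-Response will be rejected even when the password is correct.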

  • Problems starting managed server via nodemanager

    Hello,
    I have a WebLogic 6.1 SP2 installation on two Solaris 8 machines.
    One hosts the admin server and the second hosts a managed server.
    I installed the nodemanager on both machines. They seem to run
    normally.
    I configured the "Remote Start" for the managed server as mentioned in
    the manual. I didn't specify any values in that panel because the
    nodemanager uses the same environment as the WLS so these values should
    fit the managed WLS too.
    But as I try to start the managed server I got the following error
    message:
    Starting WebLogic Server ....
    Child exited
    The WebLogic Server did not start up properly.
    Exception raised:
    java.lang.NoClassDefFoundError: java/lang/reflect/InvocationHandler
    at weblogic.management.Admin.initialize(Admin.java:279)
    at weblogic.t3.srvr.T3Srvr.initialize(T3Srvr.java:362)
    at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:202)
    at weblogic.Server.main(Server.java:35)
    Reason: Fatal initialization exception
    So I specified some basic values on the "Remote Start" panel:
    BEA_HOME: /www/apps/bea/
    ROOT_DIR: /www/apps/bea/wlserver6.1
    CLASSPATH:
    /www/apps/bea/wlserver6.1/lib/weblogic_sp.jar:/www/apps/bea/wlserver6.1/lib/weblogic.jar
    Now I got this message:
    Starting WebLogic Server ....
    The WebLogic Server did not start up properly.
    Exception raised:
    java.lang.NoClassDefFoundError: java/lang/reflect/InvocationHandler
    at weblogic.management.Admin.initialize(Admin.java:279)
    at weblogic.t3.srvr.T3Srvr.initialize(T3Srvr.java:362)
    at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:202)
    at weblogic.Server.main(Server.java:35)
    Reason: Fatal initialization exception
    Child exited
    What did I do wrong?
    Does anybody have experience with this problem?
    Thanks !
    Falko Zurell - Webmaster
    Pixelpark AG
    Germany

    nodemanager must be using the old jvm (1.2.2 or whatever comes by
    default with 2.8). set up the environment or modify
    startNodeManager.sh so that it uses java 1.3.1 that ships with WLS6.1
    o.

  • WLC Management Page not responding

    Hi,
    I'm facing a weird problem: the WLC management page stops responding after a certain period, say about 2 weeks. Then I have to reset the WLC system in order to get it working. Internet surfing is not affected when the management page is not responding, but the local web authentication page is, as the local system holds the GUI files. I'm wondering whether this is a software bug or what. Does anyone have an idea?
    Btw, the WLC system that I have is an integrated machine with 3750G switches.
    regards.

    I had the same problem when I upgraded software 4402 to 5.2 version.
    Try this:
    There can be several reasons associated with this issue. One common reason can be related to the virtual interface configuration of the controller. In order to resolve this problem, remove the virtual interface and then re-generate it with this command:
    WLC>config interface address virtual 1.1.1.1
    Then, reboot the controller. After the controller is rebooted, re-generate the webauth certificate locally on the controller with this command:
    WLC>config certificate generate webauth
    In the output of this command, you should see this message: Web Authentication certificate has been generated.
    Now, you should be able to access the secure web mode of the controller upon reboot.
    Regards
    Antonio.

  • Error Message: You must have IE 5.5 or higher to use the Contact Center Manager Admin.

    Trying to download an application for work,  Tried on the IE 8, 10 & 11 with no add ons and in the compatibility mode and it will not work.  I continue to get the error message:  You must have IE 5.5 or higher to use the Contact Center
    Manager Admin.  I do have the credentials and the admin over me to try and neither one of us can do this.  I have a windows 7 computer and I didn't have this problem with my other one, but since Feb or March we have had major issues with IE.
    We need help as others are having this same issue.
    Thanks

    Trying to download an application for work,  Tried on the IE 8, 10 & 11 with no add ons and in the compatibility mode and it will not work. 
    Hi,
    Did you mean that this problem occurs when downloading an application from a website? Would you please provide a screenshot for your problem?
    Roger Lu
    TechNet Community Support
