WLC4402 and ACS receives double authentication request with MS client

Similar Messages

• HT201363 I am receiving an authentication request at launch on my desktop. I am unable to satisfy the password and then it freezes. Uninstalled and re-installed yesterday and have same issue. I think it is a podcast feed, but cannot delete

  I am locked out of my Itunes. When I launch on the desktop I receive an authentication request from www.podshow.com that I cannot satisfy with password. Actually i don't ever remember giving them a password. When I cannot satisfy the password it locks up my screen. When I went to the website listed I could not satisfy the password to even get onto the site. I am pretty sure it is a feed, how can I delete it and get back into my itunes? I uninstalled and re-installed yesterday- same issue

  Hi,
  This forum is for general questions and feedback related to Outlook for Windows. Since your question is more related to Outlook for Mac, I'd recommend you post your question to the Outlook for Mac forum:
  http://answers.microsoft.com/en-us/mac/forum/macoutlook?tab=Threads
  The reason why we recommend posting appropriately is you will get the most qualified pool of respondents, and other partners who read the forums regularly can either share their knowledge or learn from your interaction with us. Thank you for your understanding.
  Steve Fan
  TechNet Community Support
  It's recommended to download and install
  Configuration Analyzer Tool (OffCAT), which is developed by Microsoft Support teams. Once the tool is installed, you can run it at any time to scan for hundreds of known issues in Office
  programs.
  Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact
  [email protected]

• I have the old ipod touch without the camera and i received a new one with camera as a gift how do I transfer eveything to new ipod from old?

  I have the old ipod touch(without camera) and I received the new one (with camera) as a gift. How do I transfer everything from old one to new one?

  Make one final USB sync with the old iPod. The sync includes a backup. Then connect the new iPod to the same computer/iTunes library and restore from the backup of the old iPOd. All the synced media like apps and music have to be in the iTunes library since synced media is not included in the backup that iTunes makes. For how to restore see:
  iTunes: Backing up, updating, and restoring iOS software

• ACS 5.2 Authentication Issue with Local & Global ADs

  Hi I am facing authentication issue with ACS 5.2. Below is AAA flow (EAP-TLS),
  - Wireless Users >> Cisco WLC >> ADs <-- everything OK
  - Wireless Users >> Cisco WLC >> ACS 5.2 >> ADs <-- problem
  Last time I tested with ACS, it worked but didn't do migration as there'll be changes from ADs.
  Now my customer wants ACS migration by creating new Group in AD, I also update ACS config.
  For the user from the old group, authentication is ok.
  For the user from the new group, authentication fails. With subject not found error, showing the user is from the old group.
  Seems like ACS is querying from old records (own cache or database). Already restared the ACS but still the same error.
  Can anyone advice to troubleshoot the issue?
  Note: My customer can only access their local ADs (trusted by Global ADs). Local ADs & ACS are in the same network, ACS should go to local AD first.
  How can we check or make sure it?
  Thanks ahead,
  Ye

  Hello,
  There is an enhacement request open already:
  http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCte92062
  ACS should be able to query only desired DCs
  Symptom:
  Currently on 5.0 and 5.1, the ACS queries the  DNS with the domain, in order to get a list of all the DCs in the domain  and then tries to communicate with all of them.If the connection to even one DC fails, then the ACS connection to the domain is declared as failed.A lot of customers are asking for a change on this behavior.
  It  should be possible to define which DCs to contact and/or make ACS to  interpret  DNS Resource Records Registered by the Active Directory  Domain Controller to facilitate the location of domain controllers.  Active Directory uses service locator, or SRV, records. An SRV record is  a new type of DNS record described in RFC 2782, and is used to identify  services located on a Transmission Control Protocol/Internet Protocol  (TCP/IP) network.
  Conditions:
  Domain with multiple DCs were some are not accessible from the ACS due to security/geographic constraints.
  Workaround:
  Make sure ALL DCs are UP and reachable from the ACS.
  At the moment, we cannot determine which Domain Controller on the AD the ACS will contact. The enhacement request will include a feature on which we can specify the appropriate the Domain Controllers the ACS should contact on a AD Domain.
  Hope this clarifies it.
  Regards.

• LMS 3.2 and ACS 5.1 authentication issues

  Hi all,
  Installed LMS 3.2 (running Common Services 3.3.0) and i'm having problems authenticating. I get the error :-
  -Tacacs+ Connectivity - Reachable
  -HTTP/HTTPS Connectivity - Not Reachable...Protocol mismatch detected.
  AAA client - Not Applicable
  Secret Key Verification - Not Applicable
  System Identity User - Not Applicable
  Note Verification failed for ACS server. Please check your settings.
  Ive tried both http and https with the same result. Now i understand that integration as we know it is no longer supported but still having issues with authentication which should work. See links to other threads below. Any suggestions welcome.
  Regards
  https://supportforums.cisco.com/message/675371#675371
  https://supportforums.cisco.com/message/3106459

  LMS cannot integrate with ACS 5.x.  You must set the AAA mode to local, then you can configure the TACACS+ login module to do authentication only with the ACS 5.x server.  This will not get you customer roles nor device level access, but you can at least centralize your user credentials on the ACS server.

• FIxing "nag" authentication request with Adobe

  Hi all,
  I have a user who keeps receiving an admin password authentication request whenever she tries to open Acrobat, Reader, or CS4. I've run permissions repair from Disk Utility, and I've used my admin logon to clear the screen once. It seems to go away for a bit, but then it's back. Any ideas? It's a Mac Pro Quad-Core running Snow Leopard.

  http://www.adobe.com/support/contact/

• 802.1x between Switch 3750 and ACS 4.2 Authentication faild --need help

  I configured the Switch 3750 and ACS for 802.1x authentication.
  when I used the windows as the 802.1x client, it prompted "click here to enter user name and pasword for the network " as normal.
  The problem is that after I entered username and password (i am sure i enter the identical username and password as in ACS) the authentication failed,
  What is the most possibly problem?
  Thx in advance!!!
  The configuration is Sw3750 is:
  aaa new-model
  aaa authentication login default local
  aaa authentication enable default line
  aaa authentication dot1x default group radius
  aaa authorization network default group radius
  dot1x system-auth-control
  interface GigabitEthernet1/0/18
  description Link to test 802.1x
  switchport access vlan 119
  switchport mode access
  dot1x pae authenticator
  dot1x port-control auto
  spanning-tree portfast
  radius-server host 10.1.1.333 auth-port 1645 acct-port 1646
  radius-server source-ports 1645-1646
  radius-server key keepopen0
  In the ACS:
  Network Configuration -->aaa client ip address: 10.1.119.1(the vlan 119's ip address), shared secret: keepopen0
  user setup -->real name:test1, password: test1.
  Attached is the debug information

  What do you see in acs failed attempts?

• ISE 1.2 web authentication problem with wired clients

  Hello,
  i am having problems with centralized web authentication using a Catalyst 3650X with IOS 15.0.2 SE01 and ISE 1.2.
  Redirecting the client works fine, but as soon the client opens a web browser and ISE websites open to authenticate the client, the switch port resets, the authentication process restarts and the session ID changes. After the client enters the credentials a session expired messages appears on the client and i get an 86017 Session Missing message in ISE.
  here the output form the debug aaa coa log.
  Any ideas
  thanks in advanced
  Alex
  ! CLIENT CONNECT TO SWITCHPORT
  ISE-TEST-SWITCH#show authentication sessions interface gi0/3
              Interface:  GigabitEthernet0/3
            MAC Address:  001f.297b.bd82
             IP Address:  10.2.12.45
              User-Name:  00-1F-29-7B-BD-82
                 Status:  Authz Success
                 Domain:  DATA
        Security Policy:  Should Secure
        Security Status:  Unsecure
         Oper host mode:  multi-auth
       Oper control dir:  both
          Authorized By:  Authentication Server
            Vlan Policy:  N/A
                ACS ACL:  xACSACLx-IP-PERMIT_ALL_TRAFFIC-537cb1d6
       URL Redirect ACL:  ACL-WEBAUTH-REDIRECT
           URL Redirect:  https://nos-ch-wbn-ise1.nosergroup.lan:8443/guestportal/gateway?sessionId=AC1484640000026B28C02CDC&action=cwa
        Session timeout:  N/A
           Idle timeout:  N/A
      Common Session ID:  AC1484640000026B28C02CDC
        Acct Session ID:  0x0000029C
                 Handle:  0x8C00026C
  Runnable methods list:
         Method   State
         dot1x    Failed over
         mab      Authc Success
  ! CLIENT OPENS INTERNETEXPLORER -> REDIRECTS TO ISE 
  ! SWITCHPORT GOES IN ADMINISTRATIVE DOWN STARTS AUTHENTICATION AGAIN
  ISE-TEST-SWITCH#
  191526: .Jun 24 10:42:24.340 UTC: COA: 10.0.128.38 request queued
  191527: .Jun 24 10:42:24.340 UTC: RADIUS:  authenticator 7F A9 85 AB F6 4A D0 F3 - B4 E6 F2 56 74 C6 2D 33
  191528: .Jun 24 10:42:24.340 UTC: RADIUS:  NAS-IP-Address      [4]   6   172.20.132.100
  191529: .Jun 24 10:42:24.340 UTC: RADIUS:  Calling-Station-Id  [31]  19  "00:1F:29:7B:BD:82"
  191530: .Jun 24 10:42:24.340 UTC: RADIUS:  Acct-Terminate-Cause[49]  6   admin-reset               [6]
  191531: .Jun 24 10:42:24.340 UTC: RADIUS:  Event-Timestamp     [55]  6   1403606529
  191532: .Jun 24 10:42:24.340 UTC: RADIUS:  Message-Authenticato[80]  18
  191533: .Jun 24 10:42:24.340 UTC: RADIUS:   E0 3C B2 8C 89 47 67 A8 69 F5 3D 08 61 FF 53 6E          [ <Ggi=aSn]
  191534: .Jun 24 10:42:24.340 UTC: RADIUS:  Vendor, Cisco       [26]  43
  191535: .Jun 24 10:42:24.340 UTC: RADIUS:   Cisco AVpair       [1]   37  "subscriber:command=bounce-host-port"
  191536: .Jun 24 10:42:24.340 UTC: COA: Message Authenticator decode passed
  191537: .Jun 24 10:42:24.340 UTC:  ++++++ CoA Attribute List ++++++
  191538: .Jun 24 10:42:24.340 UTC: 06D96C58 0 00000001 nas-ip-address(600) 4 172.20.132.100
  191539: .Jun 24 10:42:24.349 UTC: 06D9AC18 0 00000081 formatted-clid(37) 17 00:1F:29:7B:BD:82
  191540: .Jun 24 10:42:24.349 UTC: 06D9AC4C 0 00000001 disc-cause(434) 4 admin-reset
  191541: .Jun 24 10:42:24.349 UTC: 06D9AC80 0 00000001 Event-Timestamp(445) 4 1403606529(53A95601)
  191542: .Jun 24 10:42:24.349 UTC: 06D9ACB4 0 00000081 ssg-command-code(490) 1 33
  191543: .Jun 24 10:42:24.349 UTC:
  191544: .Jun 24 2014 10:42:24.365 UTC: %EPM-6-IPEVENT: IP 10.2.12.45| MAC 001f.297b.bd82| AuditSessionID AC1484640000026B28C02CDC| AUTHTYPE DOT1X| EVENT IP-RELEASE
  191545: .Jun 24 2014 10:42:24.382 UTC: %EPM-6-IPEVENT: IP 10.2.12.45| MAC 001f.297b.bd82| AuditSessionID AC1484640000026B28C02CDC| AUTHTYPE DOT1X| EVENT IP-WAIT
  191546: .Jun 24 2014 10:42:24.382 UTC: %EPM-6-POLICY_REQ: IP 0.0.0.0| MAC 001f.297b.bd82| AuditSessionID AC1484640000026B28C02CDC| AUTHTYPE DOT1X| EVENT REMOVE
  191547: .Jun 24 2014 10:42:24.390 UTC: %EPM-6-AUTH_ACL: POLICY Auth-Default-ACL-OPEN| EVENT DETACH-SUCCESS
  191548: .Jun 24 2014 10:42:26.353 UTC: %LINK-5-CHANGED: Interface GigabitEthernet0/3, changed state to administratively down
  191549: .Jun 24 2014 10:42:27.359 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/3, changed state to down
  ISE-TEST-SWITCH#
  191550: .Jun 24 2014 10:42:36.366 UTC: %LINK-3-UPDOWN: Interface GigabitEthernet0/3, changed state to down
  191551: .Jun 24 10:42:40.592 UTC: AAA/BIND(000002A7): Bind i/f
  191552: .Jun 24 2014 10:42:41.129 UTC: %AUTHMGR-5-START: Starting 'dot1x' for client (001f.297b.bd82) on Interface Gi0/3 AuditSessionID AC1484640000026C28C2FA05
  191553: .Jun 24 2014 10:42:42.580 UTC: %LINK-3-UPDOWN: Interface GigabitEthernet0/3, changed state to up
  191554: .Jun 24 2014 10:42:43.586 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/3, changed state to up
  ! SESSION ID CHANGES, USER ENTERS CREDENTIALS 
  ! ERROR MESSAGE AT CLIENT "YOUR SESSION HAS EXPIRED"
  ! ERROR MESSAGE IN ISE "86017 SESSION MISSING"
  ISE-TEST-SWITCH#show authentication sessions interface gi0/3
              Interface:  GigabitEthernet0/3
            MAC Address:  001f.297b.bd82
             IP Address:  10.2.12.45
                 Status:  Running
                 Domain:  UNKNOWN
        Security Policy:  Should Secure
        Security Status:  Unsecure
         Oper host mode:  multi-auth
       Oper control dir:  both
        Session timeout:  N/A
           Idle timeout:  N/A
      Common Session ID:  AC1484640000026C28C2FA05
        Acct Session ID:  0x0000029D
                 Handle:  0x2C00026D
  Runnable methods list:
         Method   State
         dot1x    Running
         mab      Not run

  Guest authentication failed: 86017: Session cache entry missing
  try adjusting the UTC timezone during the guest creation in the sponsor portal.
  86017
  Guest
  Session Missing
  Session ID missing. Please contact your System Administrator.
  Info

• Cisco ACS 5.2 authentication against multiple LDAP servers

  Hi Folks,
  I have a wireless network that uses ACS 5.2 to handle authentication.   The ACS is integrated with an Active Directory LDAP server (my_ldap) and is working correctly at the moment.    The authentication flow looks like this:
   - User tries to associate to WLAN
   - Authentication request is sent to ACS
   - Service selection rule chooses an access-policy (wireless_access_policy)
   - wireless_access_policy is configured to use my_ldap as identity source.
  A sister company is about to move into our offices, and will need access to the same WLAN.    Users in the sister company are members of a separate AD domain (sister_company_ldap).    I would like to modify the wireless_access_policy so that when it receives an authentication request it will query both my_ldap and sister_company_ldap, and return a passed authentication if either attempt is successful.     Is this possible?

  Assuming you're already authenticating using your AD binding and AD1 as your identity source, you can add a further LDAP server as another identity source and add this to your identity store sequence in your access policy to authenticate against both.
  You can also add multiple LDAP servers and add them both to the identity store sequence (if you're not using AD1).

• Configuring Double Authentication to support OTP for Multilink

  I am having difficulties implemanting double authentication to support one time passwords (ACE Token Server). Has anyone successfully implememented this to support ppp multilink?
  Does the user also have to open a telnet connection once they connect?
  Any help would be greatly appreciated. I have been using the following doc as a guideline with little satisfaction to date:
  http://www.cisco.com/en/US/products/hw/iad/ps497/products_tech_note09186a0080093c43.shtml
  Thanks,
  Jim

  As per the RFC for RADIUS, a RADIUS Server receiving an Access-Request with a Message- Authenticator Attribute present MUST calculate the correct value of the Message-Authenticator and silently discard the packet if it does not match the value sent. A RADIUS Client receiving an Access-Accept, Access-Reject or Access-Challenge with a Message-Authenticator Attribute present MUST calculate the correct value of the Message-Authenticator and silently discard the packet if it does not match the value sent.

• Mapping between Sync sender and Async Receiver

  Hi Experts,
  How to do mapping between Sync sender and Async Receiver?
  Flow: Sync SOAP Sender Client -> First Async webservice call -> Second Sync webservice call
  1. I have to send some input/request details to first webservice call. It will just update the database.If I do mapping with SOAP Sender client and first Async webservice.. I am getting timeout, because it expects response mapping too.
  2. Only Second webservice call return the response back to SOAP Sender client.Here mapping between SOAP Sender client and Second Sync webservice call. I don't have any problem here.
  I have to pass the same request info to both webservice calls, Please tell me how to do the async mapping in BPM?
  Regards
  Sara

  Hello Sara,
  Hope these blogs are useful to you..
  /people/siva.maranani/blog/2005/05/25/understanding-message-flow-in-xi - Message Flow in XI
  /people/krishna.moorthyp/blog/2005/06/09/walkthrough-with-bpm - Walk through BPM
  /people/siva.maranani/blog/2005/05/22/schedule-your-bpm - Schedule BPM
  /people/sriram.vasudevan3/blog/2005/01/11/demonstrating-use-of-synchronous-asynchronous-bridge-to-integrate-synchronous-and-asynchronous-systems-using-ccbpm-in-sap-xi - Use of Synch - Asynch bridge in
  ccBPM
  https://www.sdn.sap.com/irj/sdn/weblogs?blog=/pub/wlg/1403 [original link is broken] [original link is broken] [original link is broken] - Use of Synch - Asynch bridge in
  ccBPM
  Thanks,
  Satya Kumar

• Creating a debit memo request with reference to an invoice

  Hi,
  An invoice shows wrong MWST value because of incorrect customer tax classification as Tax exempt. I corrected the cust tax classification to "Liable for Tax". Then I tried to create a debit memo request with reference to the incorrect invoice. Thats a requirement by the customer. Invoices with incorrect VAT are not to be cancelled. A specially created VAT only sales order (Debit memo request) is used to create a sales order with 0 net value and correct MWST . But while trying to create the debit memo request, the system picks up the same old condition record for the MWST. How to overcome this situation ?
  The copy control for the item category from billing doc to debit memo request is set to "B" that is  new pricing. I even tried to update pricing. But it does not work. Changing the Service rendered date or the pricing date to current date also does not help.
  Please help.
  Regards.

  This is working fine. What I did was
  1: create a new pricing procedure
  2: made the PR00 condition statistical
  3: using a routine calculate the MWST based on the PR00. But PR00 itself does not contribute to the net value. This part is working fine. I could create debit memos successfully.
  The problem is if we change either the customer or the material tax classification after creating the invoice, and then create a debit request with reference to the incorrect invoice, the system still considers the old tax classfication and therefore the old MWST rate. If I create a debit request without reference, the new rate is applicable.
  I hope I have made clear.
  Regards.

• Will OS X Mountain Lion Server work full feature with PC Clients?

  I have a small business with mixed PC and MACs, I want to purchase a Mac Mini Server and launch it in our company, we are about 25 employees that might increase to about 40 so I wonder if sevices like Calendar, VPN, Messages, Chat, Mail, Contacts, wiki, profile manager.. etc work with PC Clients, what will and what will not?
  I would like if at least, contacts, calendar, mail, wiki, open directory, VPN and iChat work, the basic things one needs in business to work with PC clients, will they work seemlessly, do I need to install certain software on PC clients... any thoughts or pointers?

  Hello,
  YamenQ wrote:
  I wonder if sevices like Calendar, VPN, Messages, Chat, Mail, Contacts, wiki, profile manager.. etc work with PC Clients, what will and what will not?
  I recommend using eM Client for windows. The software is not free however I find that windows users seem to like it better then the free software because its more like Outlook with everything in built in.
  I would setup both PPTP and L2TP VPN. PPTP for your windows clients and L2TP for your Mac Users. The VPN service on the Mac Server is pretty solid and I have very little problems with windows clients.
  Thanks,
  ebrind

• I forgot my iCloud password, and i can not reset it with email authentication, when i do it, i don't receive any mail from Apple

  I forgot my iCloud password, and i can not reset it with email authentication, when i do it, i don't receive any mail from Apple

  If you don't know your password, don't know your security questions and don't have a rescue address or don't receive a reset email, you should contact AppleCare who will initially try to assist you with a reset email or if unsuccessful will pass you to the security team to reset your security questions for you.
  If you are in a region that doesn't have international telephone support try contacting Apple through iTunes Store Support.

• Machine authentication with MAR and ACS - revisited

  I'm wondering if anyone else has overcame the issue I'm about to describe.
  The scenario:
  We are happily using ACS 4.1 to authenticate wireless PEAP clients to an external Windows AD database.
  We do have machine authentication via PEAP enabled, but at this time we are not using Machine Access Restrictions as part of the external database authentication configuration.
  The clients (we care about) are using the native XP ZWC supplicant and are configured to "authenticate as machine when available".
  The passed authentications log does successfully show the machines authenticating.
  The challege:
  We only want to permit users on our PEAP protected WLAN if the machine they are using has an account in the domain (and they are a Windows XP box - the currents standard corporate image).
  In a testing lab, we enable Machine Access Restrictions, with the access mapped to "No Access" if there is no machine auth, or if machine auth fails.  If a machine is shut down and boots fresh, or if the logged on user chooses to logoff while on that WLAN - we see the Windows box sends its machine authentication.  As I understand it - a windows XP box will only attempt to authenticate as a machine when a user logs off, or upon initial boot.
  In our environment (and I'm sure many others) - if a user comes into the office and docks their laptop and is attached to the wired LAN and boots or logs on - the machine maybe authenticating - but it is authenticating directly to the AD as our wired LAN is not using 802.1x or ACS radius.
  So the user maybe logged on and working on the network - and then choose to undock which activates the wireless.
  The problem then - the machine does NOT attempt to authenticate as a machine and only processes the user credentials - which get passed onto ACS vial the WLC - and when MAR is enabled with the No Access mapping for no machine auth - the user auth obviously fails.
  Has anyone seen / over come this ?
  Our goal is to enforce that only standard XP imaged machines get on the wireless PEAP network (where the configuration is maintained by GPO).

  Here's the only thing I could find on extending the schema (I'm not a schema expert):
  http://msdn.microsoft.com/en-us/library/ms676900%28VS.85%29.aspx
  If all of your clients are Windows machines, it's easier to stick with PEAP for machine auth, user auth, or both.  However, your RADIUS (ACS) server should have a certificate that the clients trust.  You can configure the clients to ignore the RADIUS server cert, but then your clients will trust any network that looks/works like yours.  Get a cert/certs for your RADIUS server(s).
  You can have PEAP and EAP-TLS configured on your ACS server without causing problems for your PEAP clients (be aware that most of my experience is with 4.1/4.2.  Earlier versions may not work the same way).  Your comment about what you're testing is confusing me.  Let's say you have (only) PEAP configured for machine auth on both the client and the ACS server (no user auth is configured on the client, or in ACS).  Your client will offer it's machine account AD credentials to the ACS server in order to authenticate to the network.  Those credentials will be validated against AD by your ACS server, and then the machine will get an IP address and connect to your network.  Once your machine is on the network, and a user tries to log on, then the user's AD credentials will be validated against AD (without any involvement of ACS).  You should not need PEAP and EAP-TLS together.  Both are used for the same purpose: 802.1X authentication for network access.  PEAP only uses AD to validate machine credentials (or user credentials), because you configured your ACS server to use AD as a user database for validating 802.1X credentials.  You could just have easily used PEAP on the client side, but told ACS to an LDAP connection to a Linux box with a user/machine database. Validating credentials for network access (802.1X) is not the same thing as authenticating to AD for server/printer/email/whatever access.  I wish I could explain this better...