WPA2 security with EAP-TLS user cert auth
I am investigating the use of EAP-TLS for authenticating clients through a MS NPS radius server for WLC WLAN using WPA-WPA2 for security with 802.1x for auth-key managment. We're trying to decide whether to use PEAP and AD account authentication or require client certificates issued by AD certifcate services. PEAP is working fine if we choose that auth method in our NPS radius network policy, but if we switch this to "smart card or other certificate" for client cert auth it does not work. The wireless profile on the Windows client is set up for WPA2/AES with "Microsoft: smart card or other certificate" for network auth. The 802.1x settings specify "User Authentication" and a user cert for the logged in user from ADCS is installed on the machine. The failure to connect reports "The certificate required to connect to this network can't be found on your computer". When I switch to Computer Authentication the error changes to "Network authentication failed due to a problem with the user account," though a valid machine cert also exists on the computer.
When I attempt to use cert auth I see no auth requests logged on the RADIUS server. I ran MS netmon on both the client and NPS server and I also see no requests coming in from the WLC to NPS. When using PEAP I do see EAP requests and responses between NPS and the WLC and radius requests logged. On the client end I do see an EAP request to the WAP when attempting cert auth, but no messages between the WLC and NPS.
It's also interesting that when I change the WLAN to use 802.1x and WEP encryption for layer 2 auth the cert auth worked first time, though I haven't been able to get that working since. Windows now complains I am missing a cert for that. In any case, what I really want is WPA2/AES with 802.1x cert auth and would like to get this working.
Is anyone using EAP-TLS with MS NPS radius and a WLC successfully? Any ideas on how to troubleshoot this or why I'm not seeing any traffic between WLC and NPS radius when attempting cert auth?
Well Well
WLC or any AAA client acts in pass through mode after initialy generating EAP-identity request so it has nothing to with EAP type. AAA client will behave the same no matter if you use PEAP , EAP-TLS or LEAP .....
The error message that you have reported is clearly sayign that your client doesn't have certificate to submit agains the back-end authentication server and accordingly the process fails . If you are not saying anything sent from WLC to NPS , it makes sense , because when the WLC initialy generate eap-identity request your client fails to answer and accordingly nothing is being sent to NPS server.
In order to verify that we need ' debug client < mac address of the client > ' from the WLC while trying to connect to make sure that is the case.
Also make sure that your client has certificate that is binded to a user account defined on your AD in away or another to have it working.
Please make sure to rate correct answers
Similar Messages
-
ISE 1.1.1 - EAP-TLS / User Cert - Determine if corporate laptop?
Greets. Is there a way to determine if the machine a user has authenticated from via EAP-TLS / user cert (or PEAP / mschapV2) is an active directory computer or not. I understand that EAP-Chaining using EAP-FAST and the Anyconnect client would work for this, but what about using the native windows supplicant and a user cert (or PEAP / mschapv2)?
Long story short, what I'd like to do is:
User authenticates to ISE via EAP-TLS / user cert (or PEAP / mschapV2)
Authorization based on whether it's a personally owned device or a corporate laptop (different AuthZ rule/ACL's based on this)
personally owned devices only allowed to do ICA,
corporate device can use SQL, RDP, etc...
Thoughts, ideas?Not sure i understand your response, or perhaps my original question isn't clear.
User authenticates with EAP-TLS / User cert
User is authorized based on user cert CN Name, Active Directory lookup, group membership matched, and proper ACL applied
Unable to determine if the machine that the user is authenticating from is an active directory computer or not which would need to be determine in order to allow further ACL refinement (permit/deny certain protocol's based on if it is a personally owned device or a domained device, etc...).
My question is, is it possible to do this using the native windows suplicant and EAP-TLS / user? I am only able to look up details based on the user cert (since this is what the supplicant is using), and not sure how to validate the PC as being a member of the domain or not (since the machine cert wasn't used in EAP-TLS). -
IEEE 802.1x with EAP-TLS issue in cisco 2960
In My Cisco 2960 switch is not working with EAP-TLS mechanism of 802.1x but its works well with other protocols like EAP-PEAP or MAC Address authentication.
Below is the configuration
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authentication dot1x default group radius
aaa authorization commands 15 default group tacacs+ local
aaa authorization network default group radius
aaa authorization configuration default group radius
aaa accounting update periodic 30
aaa accounting dot1x default start-stop group radius
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
interface FastEthernet0/1
switchport access vlan 11
switchport mode access
speed 100
duplex full
authentication order dot1x mab webauth
authentication port-control auto
mab
dot1x pae authenticator
dot1x timeout tx-period 3
dot1x timeout supp-timeout 3
spanning-tree portfast
spanning-tree bpduguard enable
Can anyone suggest me ?Thanks for the reply jatin.
I have a client on the interface fa0/1 with a valid client certificate. And have a debug logs as below
*Mar 8 00:03:06.266: dot1x-ev(Fa0/1): Interface state changed to UP
*Mar 8 00:03:06.266: AAA/BIND(000001C7): Bind i/f
*Mar 8 00:03:06.266: dot1x_auth Fa0/1: initial state auth_initialize has enter
*Mar 8 00:03:06.266: dot1x-sm(Fa0/1): 0xB0000DBA:auth_initialize_enter called
*Mar 8 00:03:06.266: dot1x_auth Fa0/1: during state auth_initialize, got event 0(cfg_auto)
*Mar 8 00:03:06.266: @@@ dot1x_auth Fa0/1: auth_initialize -> auth_disconnected
*Mar 8 00:03:06.266: dot1x-sm(Fa0/1): 0xB0000DBA:auth_disconnected_enter called
*Mar 8 00:03:06.266: dot1x_auth Fa0/1: idle during state auth_disconnected
*Mar 8 00:03:06.266: @@@ dot1x_auth Fa0/1: auth_disconnected -> auth_restart
*Mar 8 00:03:06.266: dot1x-sm(Fa0/1): 0xB0000DBA:auth_restart_enter called
*Mar 8 00:03:06.266: dot1x-ev(Fa0/1): Sending create new context event to EAP for 0xB0000DBA (0000.0000.0000)
*Mar 8 00:03:06.266: dot1x_auth_bend Fa0/1: initial state auth_bend_initialize has enter
*Mar 8 00:03:06.266: dot1x-sm(Fa0/1): 0xB0000DBA:auth_bend_initialize_enter called
*Mar 8 00:03:06.266: dot1x_auth_bend Fa0/1: initial state auth_bend_initialize has idle
*Mar 8 00:03:06.266: dot1x_auth_bend Fa0/1: during state auth_bend_initialize, got event 16383(idle)
*Mar 8 00:03:06.266: @@@ dot1x_auth_bend Fa0/1: auth_bend_initialize -> auth_bend_idle
*Mar 8 00:03:06.266: dot1x-sm(Fa0/1): 0xB0000DBA:auth_bend_idle_enter called
*Mar 8 00:03:06.266: dot1x-ev(Fa0/1): Created a client entry (0xB0000DBA)
*Mar 8 00:03:06.266: dot1x-ev(Fa0/1): Dot1x authentication started for 0xB0000DBA (0000.0000.0000)
*Mar 8 00:03:06.266: dot1x-ev:DOT1X Supplicant not enabled on FastEthernet0/1
*Mar 8 00:03:06.266: dot1x-sm(Fa0/1): Posting !EAP_RESTART on Client 0xB0000DBA
*Mar 8 00:03:06.266: dot1x_auth Fa0/1: during state auth_restart, got event 6(no_eapRestart)
*Mar 8 00:03:06.266: @@@ dot1x_auth Fa0/1: auth_restart -> auth_connecting
*Mar 8 00:03:06.266: dot1x-sm(Fa0/1): 0xB0000DBA:auth_connecting_enter called
*Mar 8 00:03:06.274: dot1x-sm(Fa0/1): 0xB0000DBA:auth_restart_connecting_action called
*Mar 8 00:03:06.274: dot1x-sm(Fa0/1): Posting RX_REQ on Client 0xB0000DBA
*Mar 8 00:03:06.274: dot1x_auth Fa0/1: during state auth_connecting, got event 10(eapReq_no_reAuthMax)
*Mar 8 00:03:06.274: @@@ dot1x_auth Fa0/1: auth_connecting -> auth_authenticating
*Mar 8 00:03:06.274: dot1x-sm(Fa0/1): 0xB0000DBA:auth_authenticating_enter called
*Mar 8 00:03:06.274: dot1x-sm(Fa0/1): 0xB0000DBA:auth_connecting_authenticating_action called
*Mar 8 00:03:06.274: dot1x-sm(Fa0/1): Posting AUTH_START for 0xB0000DBA
*Mar 8 00:03:06.274: dot1x_auth_bend Fa0/1: during state auth_bend_idle, got event 4(eapReq_authStart)
*Mar 8 00:03:06.274: @@@ dot1x_auth_bend Fa0/1: auth_bend_idle -> auth_bend_request
*Mar 8 00:03:06.274: dot1x-sm(Fa0/1): 0xB0000DBA:auth_bend_request_enter called
*Mar 8 00:03:06.274: dot1x-ev(Fa0/1): Sending EAPOL packet to group PAE address
*Mar 8 00:03:06.274: dot1x-ev(Fa0/1): Role determination not required
*Mar 8 00:03:06.274: dot1x-registry:registry:dot1x_ether_macaddr called
*Mar 8 00:03:06.274: dot1x-ev(Fa0/1): Sending out EAPOL packet
*Mar 8 00:03:06.274: EAPOL pak dump Tx
*Mar 8 00:03:06.274: EAPOL Version: 0x3 type: 0x0 length: 0x0005
*Mar 8 00:03:06.274: EAP code: 0x1 id: 0x1 length: 0x0005 type: 0x1
*Mar 8 00:03:06.274: dot1x-packet(Fa0/1): EAPOL packet sent to client 0xB0000DBA (0000.0000.0000)
*Mar 8 00:03:06.274: dot1x-sm(Fa0/1): 0xB0000DBA:auth_bend_idle_request_action called
*Mar 8 00:03:06.794: dot1x-ev(Fa0/1): Role determination not required
*Mar 8 00:03:06.794: dot1x-packet(Fa0/1): queuing an EAPOL pkt on Auth Q
*Mar 8 00:03:06.794: dot1x-ev:Enqueued the eapol packet to the global authenticator queue
*Mar 8 00:03:06.794: EAPOL pak dump rx
*Mar 8 00:03:06.794: EAPOL Version: 0x1 type: 0x1 length: 0x0000
*Mar 8 00:03:06.794: dot1x-ev:
dot1x_auth_queue_event: Int Fa0/1 CODE= 0,TYPE= 0,LEN= 0
*Mar 8 00:03:06.794: dot1x-packet(Fa0/1): Received an EAPOL frame
*Mar 8 00:03:06.794: dot1x-ev(Fa0/1): Received pkt saddr =d43d.7e65.4fc1 , daddr = 0180.c200.0003,
pae-ether-type = 888e.0101.0000
*Mar 8 00:03:06.794: dot1x-ev(Fa0/1): Couldn't find the supplicant in the list
*Mar 8 00:03:06.794: dot1x-ev(Fa0/1): New client detected, notifying AuthMgr
*Mar 8 00:03:06.794: dot1x-ev(Fa0/1): Sending event (0) to Auth Mgr for d43d.7e65.4fc1
*Mar 8 00:03:06.794: dot1x-packet(Fa0/1): Received an EAPOL-Start packet
*Mar 8 00:03:06.794: EAPOL pak dump rx
*Mar 8 00:03:06.794: EAPOL Version: 0x1 type: 0x1 length: 0x0000
*Mar 8 00:03:06.794: dot1x-sm(Fa0/1): Posting EAPOL_START on Client 0xB0000DBA
*Mar 8 00:03:06.794: dot1x_auth Fa0/1: during state auth_authenticating, got event 4(eapolStart)
*Mar 8 00:03:06.794: @@@ dot1x_auth Fa0/1: auth_authenticating -> auth_aborting
*Mar 8 00:03:06.794: dot1x-sm(Fa0/1): 0xB0000DBA:auth_authenticating_exit called
*Mar 8 00:03:06.794: dot1x-sm(Fa0/1): 0xB0000DBA:auth_aborting_enter called
*Mar 8 00:03:06.794: dot1x-ev(Fa0/1): 802.1x method gets the go ahead from Auth Mgr for 0xB0000DBA (d43d.7e65.4fc1)
*Mar 8 00:03:06.794: %AUTHMGR-5-START: Starting 'dot1x' for client (d43d.7e65.4fc1) on Interface Fa0/1 AuditSessionID 0A1AED0B000000EE240F5BAB
*Mar 8 00:03:06.794: dot1x-sm(Fa0/1): Posting AUTH_ABORT for 0xB0000DBA
*Mar 8 00:03:06.794: dot1x_auth_bend Fa0/1: during state auth_bend_request, got event 1(authAbort)
*Mar 8 00:03:06.794: @@@ dot1x_auth_bend Fa0/1: auth_bend_request -> auth_bend_initialize
*Mar 8 00:03:06.794: dot1x-sm(Fa0/1): 0xB0000DBA:auth_bend_initialize_enter called
*Mar 8 00:03:06.794: dot1x_auth_bend Fa0/1: idle during state auth_bend_initialize
*Mar 8 00:03:06.794: @@@ dot1x_auth_bend Fa0/1: auth_bend_initialize -> auth_bend_idle
*Mar 8 00:03:06.794: dot1x-sm(Fa0/1): 0xB0000DBA:auth_bend_idle_enter called
*Mar 8 00:03:06.794: dot1x-sm(Fa0/1): Posting !AUTH_ABORT on Client 0xB0000DBA
*Mar 8 00:03:06.794: dot1x_auth Fa0/1: during state auth_aborting, got event 20(no_eapolLogoff_no_authAbort)
*Mar 8 00:03:06.794: @@@ dot1x_auth Fa0/1: auth_aborting -> auth_restart
*Mar 8 00:03:06.794: dot1x-sm(Fa0/1): 0xB0000DBA:auth_aborting_exit called
*Mar 8 00:03:06.794: dot1x-sm(Fa0/1): 0xB0000DBA:auth_restart_enter called
*Mar 8 00:03:06.794: dot1x-ev(Fa0/1): Resetting the client 0xB0000DBA (d43d.7e65.4fc1)
*Mar 8 00:03:06.794: dot1x-ev(Fa0/1): Sending create new context event to EAP for 0xB0000DBA (d43d.7e65.4fc1)
*Mar 8 00:03:06.802: dot1x-sm(Fa0/1): 0xB0000DBA:auth_aborting_restart_action called
*Mar 8 00:03:06.802: dot1x-sm(Fa0/1): Posting !EAP_RESTART on Client 0xB0000DBA
*Mar 8 00:03:06.802: dot1x_auth Fa0/1: during state auth_restart, got event 6(no_eapRestart)
*Mar 8 00:03:06.802: @@@ dot1x_auth Fa0/1: auth_restart -> auth_connecting
*Mar 8 00:03:06.802: dot1x-sm(Fa0/1): 0xB0000DBA:auth_connecting_enter called
*Mar 8 00:03:06.802: dot1x-sm(Fa0/1): 0xB0000DBA:auth_restart_connecting_action called
*Mar 8 00:03:06.811: dot1x-sm(Fa0/1): Posting RX_REQ on Client 0xB0000DBA
*Mar 8 00:03:06.811: dot1x_auth Fa0/1: during state auth_connecting, got event 10(eapReq_no_reAuthMax)
*Mar 8 00:03:06.811: @@@ dot1x_auth Fa0/1: auth_connecting -> auth_authenticating
*Mar 8 00:03:06.811: dot1x-sm(Fa0/1): 0xB0000DBA:auth_authenticating_enter called
*Mar 8 00:03:06.811: dot1x-sm(Fa0/1): 0xB0000DBA:auth_connecting_authenticating_action called
*Mar 8 00:03:06.811: dot1x-sm(Fa0/1): Posting AUTH_START for 0xB0000DBA
*Mar 8 00:03:06.811: dot1x_auth_bend Fa0/1: during state auth_bend_idle, got event 4(eapReq_authStart)
*Mar 8 00:03:06.811: @@@ dot1x_auth_bend Fa0/1: auth_bend_idle -> auth_bend_request
*Mar 8 00:03:06.811: dot1x-sm(Fa0/1): 0xB0000DBA:auth_bend_request_enter called
*Mar 8 00:03:06.811: dot1x-ev(Fa0/1): Sending EAPOL packet to group PAE address
*Mar 8 00:03:06.811: dot1x-ev(Fa0/1): Role determination not required
*Mar 8 00:03:06.811: dot1x-registry:registry:dot1x_ether_macaddr called
*Mar 8 00:03:06.811: dot1x-ev(Fa0/1): Sending out EAPOL packet
*Mar 8 00:03:06.811: EAPOL pak dump Tx
*Mar 8 00:03:06.811: EAPOL Version: 0x3 type: 0x0 length: 0x0005
*Mar 8 00:03:06.811: EAP code: 0x1 id: 0x1 length: 0x0005 type: 0x1
*Mar 8 00:03:06.811: dot1x-packet(Fa0/1): EAPOL packet sent to client 0xB0000DBA (d43d.7e65.4fc1)
*Mar 8 00:03:06.811: dot1x-sm(Fa0/1): 0xB0000DBA:auth_bend_idle_request_action called
*Mar 8 00:03:06.811: dot1x-ev(Fa0/1): Role determination not required
*Mar 8 00:03:06.811: dot1x-packet(Fa0/1): Queuing an EAPOL pkt on Authenticator Q
*Mar 8 00:03:06.811: dot1x-ev:Enqueued the eapol packet to the global authenticator queue
*Mar 8 00:03:06.811: EAPOL pak dump rx
*Mar 8 00:03:06.811: EAPOL Version: 0x1 type: 0x0 length: 0x0022
*Mar 8 00:03:06.811: dot1x-ev:
dot1x_auth_queue_event: Int Fa0/1 CODE= 2,TYPE= 1,LEN= 34
*Mar 8 00:03:06.811: dot1x-packet(Fa0/1): Received an EAPOL frame
*Mar 8 00:03:06.811: dot1x-ev(Fa0/1): Received pkt saddr =d43d.7e65.4fc1 , daddr = 0180.c200.0003,
pae-ether-type = 888e.0100.0022
*Mar 8 00:03:06.811: dot1x-packet(Fa0/1): Received an EAP packet
*Mar 8 00:03:06.811: EAPOL pak dump rx
*Mar 8 00:03:06.811: EAPOL Version: 0x1 type: 0x0 length: 0x0022
*Mar 8 00:03:06.811: dot1x-packet(Fa0/1): Received an EAP packet from d43d.7e65.4fc1
*Mar 8 00:03:06.811: dot1x-sm(Fa0/1): Posting EAPOL_EAP for 0xB0000DBA
*Mar 8 00:03:06.811: dot1x_auth_bend Fa0/1: during state auth_bend_request, got event 6(eapolEap)
*Mar 8 00:03:06.811: @@@ dot1x_auth_bend Fa0/1: auth_bend_request -> auth_bend_response
*Mar 8 00:03:06.811: dot1x-sm(Fa0/1): 0xB0000DBA:auth_bend_response_enter called
*Mar 8 00:03:06.811: dot1x-ev(Fa0/1): dot1x_sendRespToServer: Response sent to the server from 0xB0000DBA (d43d.7e65.4fc1)
*Mar 8 00:03:06.811: dot1x-sm(Fa0/1): 0xB0000DBA:auth_bend_request_response_action called
*Mar 8 00:03:06.811: AAA/AUTHEN/8021X (000001C7): Pick method list 'default'
*Mar 8 00:03:06.819: RADIUS/ENCODE(000001C7):Orig. component type = DOT1X
*Mar 8 00:03:06.819: RADIUS(000001C7): Config NAS IP: 0.0.0.0
*Mar 8 00:03:06.819: RADIUS/ENCODE(000001C7): acct_session_id: 724
*Mar 8 00:03:06.819: RADIUS(000001C7): sending
*Mar 8 00:03:06.819: RADIUS/ENCODE: Best Local IP-Address 10.26.237.11 for Radius-Server 10.26.13.59
*Mar 8 00:03:06.819: RADIUS(000001C7): Send Access-Request to 10.26.13.59:1812 id 1645/83, len 251
*Mar 8 00:03:06.819: RADIUS: authenticator A1 79 FA E5 F4 B7 7F 4F - 2B 73 3A 0D 1F D8 89 20
*Mar 8 00:03:06.819: RADIUS: User-Name [1] 31 "host/D0902MALL005.IN.intranet"
*Mar 8 00:03:06.819: RADIUS: Service-Type [6] 6 Framed [2]
*Mar 8 00:03:06.819: RADIUS: Framed-MTU [12] 6 1500
*Mar 8 00:03:06.819: RADIUS: Called-Station-Id [30] 19 "D4-A0-2A-EE-14-81"
*Mar 8 00:03:06.819: RADIUS: Calling-Station-Id [31] 19 "D4-3D-7E-65-4F-C1"
*Mar 8 00:03:06.819: RADIUS: EAP-Message [79] 36
*Mar 8 00:03:06.819: RADIUS: 02 01 00 22 01 68 6F 73 74 2F 44 30 39 30 32 4D 41 4C 4C 30 ["host/D0902MALL0]
*Mar 8 00:03:06.819: RADIUS: 30 35 2E 49 4E 2E 69 6E 74 72 61 6E 65 74 [ 05.IN.intranet]
*Mar 8 00:03:06.819: RADIUS: Message-Authenticato[80] 18
*Mar 8 00:03:06.819: RADIUS: D6 6F 7B CD 36 46 5E F6 90 6F 85 A8 BD BD AE D8 [ o{6F^o]
*Mar 8 00:03:06.819: RADIUS: EAP-Key-Name [102] 2 *
*Mar 8 00:03:06.819: RADIUS: Vendor, Cisco [26] 49
*Mar 8 00:03:06.819: RADIUS: Cisco AVpair [1] 43 "audit-session-id=0A1AED0B000000EE240F5BAB"
*Mar 8 00:03:06.819: RADIUS: NAS-Port-Type [61] 6 Ethernet [15]
*Mar 8 00:03:06.819: RADIUS: NAS-Port [5] 6 50001
*Mar 8 00:03:06.819: RADIUS: NAS-Port-Id [87] 17 "FastEthernet0/1"
*Mar 8 00:03:06.819: RADIUS: NAS-IP-Address [4] 6 10.26.237.11
*Mar 8 00:03:06.819: RADIUS: Acct-Session-Id [44] 10 "000002D4"
*Mar 8 00:03:06.819: RADIUS(000001C7): Started 3 sec timeout
*Mar 8 00:03:06.861: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
*Mar 8 00:03:06.903: RADIUS: Received from id 1645/83 10.26.13.59:1812, Access-Challenge, len 76
*Mar 8 00:03:06.903: RADIUS: authenticator 7B 1C DC CA A8 92 E9 34 - 17 86 25 2F 9D 7E 63 96
*Mar 8 00:03:06.903: RADIUS: EAP-Message [79] 8
*Mar 8 00:03:06.903: RADIUS: 01 02 00 06 0D 20 [ ]
*Mar 8 00:03:06.903: RADIUS: Message-Authenticato[80] 18
*Mar 8 00:03:06.903: RADIUS: DD F3 7B 33 37 6D 40 BD F3 D2 78 DF F1 14 4D E4 [ {37m@xM]
*Mar 8 00:03:06.903: RADIUS: State [24] 30
*Mar 8 00:03:06.903: RADIUS: 00 7D 00 9B 00 C1 00 40 ED B8 45 00 FC DD 50 2E DC 0E E6 03 FC 7B AD 4C B7 E7 B1 70 [ }@EP.{Lp]
*Mar 8 00:03:06.911: RADIUS(000001C7): Received from id 1645/83
*Mar 8 00:03:06.911: RADIUS/DECODE: EAP-Message fragments, 6, total 6 bytes
*Mar 8 00:03:06.911: dot1x-sm(Fa0/1): Posting EAP_REQ for 0xB0000DBA
*Mar 8 00:03:06.911: dot1x_auth_bend Fa0/1: during state auth_bend_response, got event 7(eapReq)
*Mar 8 00:03:06.911: @@@ dot1x_auth_bend Fa0/1: auth_bend_response -> auth_bend_request
*Mar 8 00:03:06.911: dot1x-sm(Fa0/1): 0xB0000DBA:auth_bend_response_exit called
*Mar 8 00:03:06.911: dot1x-sm(Fa0/1): 0xB0000DBA:auth_bend_request_enter called
*Mar 8 00:03:06.911: dot1x-ev(Fa0/1): Sending EAPOL packet to group PAE address
*Mar 8 00:03:06.911: dot1x-ev(Fa0/1): Role determination not required
*Mar 8 00:03:06.911: dot1x-registry:registry:dot1x_ether_macaddr called
*Mar 8 00:03:06.911: dot1x-ev(Fa0/1): Sending out EAPOL packet
*Mar 8 00:03:06.911: EAPOL pak dump Tx
*Mar 8 00:03:06.911: EAPOL Version: 0x3 type: 0x0 length: 0x0006
*Mar 8 00:03:06.911: EAP code: 0x1 id: 0x2 length: 0x0006 type: 0xD
*Mar 8 00:03:06.911: dot1x-packet(Fa0/1): EAPOL packet sent to client 0xB0000DBA (d43d.7e65.4fc1)
*Mar 8 00:03:06.911: dot1x-sm(Fa0/1): 0xB0000DBA:auth_bend_response_request_action called
*Mar 8 00:03:06.920: dot1x-ev(Fa0/1): Role determination not required
*Mar 8 00:03:06.920: dot1x-packet(Fa0/1): Queuing an EAPOL pkt on Authenticator Q
*Mar 8 00:03:06.920: dot1x-ev:Enqueued the eapol packet to the global authenticator queue
*Mar 8 00:03:06.920: EAPOL pak dump rx
*Mar 8 00:03:06.920: EAPOL Version: 0x1 type: 0x0 length: 0x0069
*Mar 8 00:03:06.920: dot1x-ev:
dot1x_auth_queue_event: Int Fa0/1 CODE= 2,TYPE= 13,LEN= 105
*Mar 8 00:03:06.920: dot1x-packet(Fa0/1): Received an EAPOL frame
*Mar 8 00:03:06.920: dot1x-ev(Fa0/1): Received pkt saddr =d43d.7e65.4fc1 , daddr = 0180.c200.0003,
pae-ether-type = 888e.0100.0069
*Mar 8 00:03:06.920: dot1x-packet(Fa0/1): Received an EAP packet
*Mar 8 00:03:06.920: EAPOL pak dump rx
*Mar 8 00:03:06.920: EAPOL Version: 0x1 type: 0x0 length: 0x0069
*Mar 8 00:03:06.920: dot1x-packet(Fa0/1): Received an EAP packet from d43d.7e65.4fc1
*Mar 8 00:03:06.920: dot1x-sm(Fa0/1): Posting EAPOL_EAP for 0xB0000DBA
*Mar 8 00:03:06.920: dot1x_auth_bend Fa0/1: during state auth_bend_request, got event 6(eapolEap)
*Mar 8 00:03:06.920: @@@ dot1x_auth_bend Fa0/1: auth_bend_request -> auth_bend_response
*Mar 8 00:03:06.920: dot1x-sm(Fa0/1): 0xB0000DBA:auth_bend_response_enter called
*Mar 8 00:03:06.920: dot1x-ev(Fa0/1): dot1x_sendRespToServer: Response sent to the server from 0xB0000DBA (d43d.7e65.4fc1)
*Mar 8 00:03:06.920: dot1x-sm(Fa0/1): 0xB0000DBA:auth_bend_request_response_action called
*Mar 8 00:03:06.920: AAA/AUTHEN/8021X (000001C7): Pick method list 'default'
*Mar 8 00:03:06.920: RADIUS/ENCODE(000001C7):Orig. component type = DOT1X
*Mar 8 00:03:06.920: RADIUS(000001C7): Config NAS IP: 0.0.0.0
*Mar 8 00:03:06.920: RADIUS/ENCODE(000001C7): acct_session_id: 724
*Mar 8 00:03:06.920: RADIUS(000001C7): sending
*Mar 8 00:03:06.920: RADIUS/ENCODE: Best Local IP-Address 10.26.237.11 for Radius-Server 10.26.13.59
*Mar 8 00:03:06.920: RADIUS(000001C7): Send Access-Request to 10.26.13.59:1812 id 1645/84, len 352
*Mar 8 00:03:06.920: RADIUS: authenticator 41 72 8D 6A B4 72 19 84 - 1B C8 33 F7 95 DD 07 BC
*Mar 8 00:03:06.928: RADIUS: User-Name [1] 31 "host/D0902MALL005.IN.intranet"
*Mar 8 00:03:06.928: RADIUS: Service-Type [6] 6 Framed [2]
*Mar 8 00:03:06.928: RADIUS: Framed-MTU [12] 6 1500
*Mar 8 00:03:06.928: RADIUS: Called-Station-Id [30] 19 "D4-A0-2A-EE-14-81"
*Mar 8 00:03:06.928: RADIUS: Calling-Station-Id [31] 19 "D4-3D-7E-65-4F-C1"
*Mar 8 00:03:06.928: RADIUS: EAP-Message [79] 107
*Mar 8 00:03:06.928: RADIUS: 02 02 00 69 0D 80 00 00 00 5F 16 03 01 00 5A 01 00 00 56 03 01 52 C5 45 4F 07 CA B3 29 50 A7 CE 40 76 B6 BD F0 50 D4 CE 9A 8A 02 C4 3D 40 35 B5 F0 E1 E2 75 [i_ZVREO)P@vP=@5u]
*Mar 8 00:03:06.928: RADIUS: 50 00 00 18 00 2F 00 35 00 05 00 0A C0 13 C0 14 C0 09 C0 0A 00 32 00 38 00 13 00 04 01 00 00 15 FF 01 00 01 00 00 0A 00 06 00 04 00 17 00 18 00 0B 00 02 01 00 [ P/528]
*Mar 8 00:03:06.928: RADIUS: Message-Authenticato[80] 18
*Mar 8 00:03:06.928: RADIUS: A3 28 CE 27 20 C0 D6 2C 11 01 D6 61 1F C3 6F 03 [ (' ,ao]
*Mar 8 00:03:06.928: RADIUS: EAP-Key-Name [102] 2 *
*Mar 8 00:03:06.928: RADIUS: Vendor, Cisco [26] 49
*Mar 8 00:03:06.928: RADIUS: Cisco AVpair [1] 43 "audit-session-id=0A1AED0B000000EE240F5BAB"
*Mar 8 00:03:06.928: RADIUS: NAS-Port-Type [61] 6 Ethernet [15]
*Mar 8 00:03:06.928: RADIUS: NAS-Port [5] 6 50001
*Mar 8 00:03:06.928: RADIUS: NAS-Port-Id [87] 17 "FastEthernet0/1"
*Mar 8 00:03:06.928: RADIUS: State [24] 30
*Mar 8 00:03:06.928: RADIUS: 00 7D 00 9B 00 C1 00 40 ED B8 45 00 FC DD 50 2E DC 0E E6 03 FC 7B AD 4C B7 E7 B1 70 [ }@EP.{Lp]
*Mar 8 00:03:06.928: RADIUS: NAS-IP-Address [4] 6 10.26.237.11
*Mar 8 00:03:06.928: RADIUS: Acct-Session-Id [44] 10 "000002D4"
*Mar 8 00:03:06.928: RADIUS(000001C7): Started 3 sec timeout
*Mar 8 00:03:07.004: RADIUS: Received from id 1645/84 10.26.13.59:1812, Access-Challenge, len 1188
*Mar 8 00:03:07.004: RADIUS: authenticator 7B 52 29 05 7E C3 EF 8E - 13 38 30 03 4B 65 64 0F
*Mar 8 00:03:07.004: RADIUS: EAP-Message [79] 255
*Mar 8 00:03:07.004: RADIUS: 01 03 04 56 0D C0 00 00 05 78 16 03 01 00 51 02 00 00 4D 03 01 52 C5 45 4F 0F 04 37 77 A0 C2 68 66 4E 45 92 AB 3D 7F 94 70 AF 36 [VxQMREO7whfNE=p6]
*Mar 8 00:03:07.004: RADIUS: 1D C5 17 23 5C F1 FA CA 60 B0 20 A5 48 16 D5 3F F9 B0 FF 38 1D D5 13 B3 88 13 06 EF DC 87 5C AE 17 E7 7E 80 84 21 58 64 F7 A6 36 00 35 00 00 05 FF 01 00 01 00 16 03 01 02 1C 0B 00 02 18 00 02 15 00 02 12 30 82 02 0E 30 [#\` H?8\~!Xd6500]
*Mar 8 00:03:07.004: RADIUS: 82 01 77 A0 03 02 01 02 02 09 00 88 7A CB 35 3F 1E 3E 62 30 0D 06 09 2A 86 48 86 F7 0D 01 01 05 05 00 30 2F 31 15 30 13 06 03 55 04 03 13 0C 53 50 [wz5?>b0*H0/10USP]
*Mar 8 00:03:07.004: RADIUS: 49 4E 41 56 44 30 30 30 30 34 31 16 30 14 06 03 55 04 0A 13 0D 50 6F 6C [INAVD0000410UPol]
*Mar 8 00:03:07.004: RADIUS: 69 63 79 4D 61 6E 61 67 65 72 30 1E 17 0D 31 33 30 38 32 [icyManager013082]
*Mar 8 00:03:07.004: RADIUS: 37 30 37 32 34 33 30 5A 17 0D 31 34 30 38 32 37 30 37 [7072430Z14082707]
*Mar 8 00:03:07.004: RADIUS: 32 34 33 30 5A 30 2F 31 15 30 13 06 03 55 04 03 13 0C 53 50 49 4E 41 56 [2430Z0/10USPINAV]
*Mar 8 00:03:07.004: RADIUS: 44 30 30 [ D00]
*Mar 8 00:03:07.004: RADIUS: EAP-Message [79] 255
*Mar 8 00:03:07.004: RADIUS: 30 30 34 31 16 30 14 06 03 55 04 0A 13 0D 50 6F 6C 69 63 79 4D 61 6E 61 [00410UPolicyMana]
*Mar 8 00:03:07.004: RADIUS: 67 65 72 30 81 9F 30 0D 06 09 2A 86 48 86 F7 0D 01 01 01 05 00 03 81 8D 00 30 81 89 02 81 81 00 C9 B9 03 65 83 EB 39 86 14 BC 95 7B DB 07 7E C5 8A D7 DA C7 8A CA 5A 88 6E 0B 93 06 35 57 [ger00*H0e9{~Zn5W]
*Mar 8 00:03:07.012: RADIUS: 6E DE 93 CD C9 FE 8E 9F E1 5F A9 04 5C BD A9 AD 5A 04 6E 35 47 76 A1 58 E5 C4 32 D7 49 9E 17 75 20 C6 6F 45 40 [n_\Zn5GvX2Iu oE@]
*Mar 8 00:03:07.012: RADIUS: AC EF 40 6D 15 38 F9 C2 28 7E C9 68 37 52 3B BF F4 C1 5E B8 BA 46 68 43 79 B1 65 66 [@m8(~h7R;^FhCyef]
*Mar 8 00:03:07.012: RADIUS: 9E 58 ED EC 8C 95 A2 D8 BF AA 77 AC 85 90 E3 AB C6 27 3A A2 22 AC 1C 48 B3 BF BE F7 85 CF 5C BB 2D 02 03 01 00 01 A3 32 30 30 30 0F 06 03 55 1D 11 04 08 30 06 87 04 0A 1A 0D 3B 30 [Xw':"H\-2000U0;0]
*Mar 8 00:03:07.012: RADIUS: 1D 06 03 55 1D 25 04 16 30 14 06 08 2B 06 01 05 05 07 03 01 06 08 2B 06 01 05 05 07 03 03 30 0D 06 09 2A 86 48 86 F7 0D 01 01 [ U?0++0*H]
*Mar 8 00:03:07.012: RADIUS: EAP-Message [79] 255
*Mar 8 00:03:07.012: RADIUS: 05 05 00 03 81 81 00 C4 46 3E 38 3D 53 0F 28 34 C1 A6 ED DC 70 76 9B 70 6B A8 95 7C 44 8E 7D 6E D6 8B 6D [F>8=S(4pvpk|D}nm]
*Mar 8 00:03:07.012: RADIUS: 90 49 83 06 E4 BF 68 2F 9D 77 78 A3 76 76 19 84 AD 26 3F F3 ED AA 88 52 35 0E 35 DD 00 E5 96 88 44 30 79 A0 71 [Ih/wxvv&?R55D0yq]
*Mar 8 00:03:07.012: RADIUS: 8D 25 3E 77 A0 E0 43 92 33 55 40 E1 C8 EE 88 11 25 E2 70 28 11 6C 5A 4E 3D F1 93 57 0A 6F [?>wC3U@?p(lZN=Wo]
*Mar 8 00:03:07.012: RADIUS: 36 51 72 04 08 C0 C0 DF F0 94 A9 F7 A1 05 C8 37 D6 F8 D4 9C 20 1A 7B CD 2C 17 83 7B 8E 20 F7 2D B6 16 03 01 02 FC 0D 00 02 F4 03 01 02 40 02 EE 00 63 30 61 31 0B 30 [6Qr7 {,{ -@c0a10]
*Mar 8 00:03:07.012: RADIUS: 09 06 03 55 04 06 13 02 55 53 31 15 30 13 06 03 55 04 0A 13 0C 44 69 67 69 43 65 72 74 20 49 [UUS10UDigiCert I]
*Mar 8 00:03:07.012: RADIUS: 6E 63 31 19 30 17 06 03 55 04 0B 13 10 77 77 77 2E 64 69 67 69 63 65 72 [nc10Uwww.digicer]
*Mar 8 00:03:07.012: RADIUS: 74 2E 63 6F 6D 31 20 30 1E 06 03 55 04 03 13 17 44 69 67 69 43 65 72 [t.com1 0UDigiCer]
*Mar 8 00:03:07.012: RADIUS: 74 20 47 6C 6F 62 61 6C 20 52 6F 6F 74 20 43 41 [t Global Root CA]
*Mar 8 00:03:07.012: RADIUS: 00 48 [ H]
*Mar 8 00:03:07.012: RADIUS: EAP-Message [79] 255
*Mar 8 00:03:07.012: RADIUS: 30 46 31 18 30 16 06 0A 09 92 26 89 93 F2 2C 64 01 19 16 08 69 6E 74 72 61 6E 65 74 31 [0F10&,dintranet1]
*Mar 8 00:03:07.020: RADIUS: 12 30 10 06 0A 09 92 26 89 93 F2 2C 64 01 19 16 02 49 4E 31 16 30 14 06 03 55 04 03 13 0D 49 6E 64 69 61 20 52 [0&,dIN10UIndia R]
*Mar 8 00:03:07.020: RADIUS: 6F 6F 74 20 43 41 00 4A 30 48 31 18 30 16 06 0A 09 92 26 89 93 F2 2C 64 01 19 16 08 69 6E [oot CAJ0H10&,din]
*Mar 8 00:03:07.020: RADIUS: 74 72 61 6E 65 74 31 12 30 10 06 0A 09 92 26 89 93 F2 2C 64 01 19 16 02 49 4E 31 18 30 16 06 03 55 [tranet10&,dIN10U]
*Mar 8 00:03:07.020: RADIUS: 04 03 13 0F 45 6E 74 65 72 70 72 69 73 65 20 43 41 2D 31 00 4D [Enterprise CA-1M]
*Mar 8 00:03:07.020: RADIUS: 30 4B 31 18 30 16 06 0A 09 92 26 89 93 F2 2C 64 01 19 16 08 69 6E 74 72 61 6E 65 74 31 [0K10&,dintranet1]
*Mar 8 00:03:07.020: RADIUS: 12 30 10 06 0A 09 92 26 89 93 F2 2C 64 01 19 16 02 49 4E 31 1B 30 19 06 03 55 04 03 13 12 49 4E 2D 53 50 49 4E [0&,dIN10UIN-SPIN]
*Mar 8 00:03:07.020: RADIUS: 43 52 54 30 30 30 30 33 2D 43 41 00 D5 30 81 D2 31 0B 30 09 06 03 55 04 06 13 02 55 [CRT00003-CA010UU]
*Mar 8 00:03:07.020: RADIUS: 53 31 13 30 11 06 03 55 04 [ S10U]
*Mar 8 00:03:07.020: RADIUS: EAP-Message [79] 100
*Mar 8 00:03:07.020: RADIUS: 08 0C 0A 43 61 6C 69 66 6F 72 6E 69 61 31 12 30 10 06 03 55 04 07 0C 09 53 75 6E [California10USun]
*Mar 8 00:03:07.020: RADIUS: 6E 79 76 61 6C 65 31 17 30 15 06 03 55 04 0A 0C 0E 41 72 75 62 61 20 4E [nyvale10UAruba N]
*Mar 8 00:03:07.020: RADIUS: 65 74 77 6F 72 6B 73 31 40 30 3E 06 03 55 04 03 0C 37 43 6C 65 [etworks1@0>U7Cle]
*Mar 8 00:03:07.020: RADIUS: 61 72 50 61 73 73 20 4F 6E 62 6F 61 72 64 20 4C [arPass Onboard L]
*Mar 8 00:03:07.020: RADIUS: 6F 63 61 6C 20 43 65 72 74 69 [ ocal Certi]
*Mar 8 00:03:07.020: RADIUS: Message-Authenticato[80] 18
*Mar 8 00:03:07.020: RADIUS: 12 75 40 41 6F 40 6B 6F A5 FE AB 85 F3 B3 CF A4 [ u@Ao@ko]
*Mar 8 00:03:07.020: RADIUS: State [24] 30
*Mar 8 00:03:07.020: RADIUS: 00 6F 00 51 00 4B 00 6E EE B8 45 00 4B AA 6B A9 B6 D6 C8 CC 48 1A 91 99 7F 77 D3 C1 [ oQKnEKkHw]
*Mar 8 00:03:07.029: RADIUS(000001C7): Received from id 1645/84
*Mar 8 00:03:07.029: RADIUS/DECODE: EAP-Message fragments, 253+253+253+253+98, total 1110 bytes
*Mar 8 00:03:07.037: dot1x-sm(Fa0/1): Posting EAP_REQ for 0xB0000DBA
*Mar 8 00:03:07.037: dot1x_auth_bend Fa0/1: during state auth_bend_response, got event 7(eapReq)
*Mar 8 00:03:07.037: @@@ dot1x_auth_bend Fa0/1: auth_bend_response -> auth_bend_request
*Mar 8 00:03:07.037: dot1x-sm(Fa0/1): 0xB0000DBA:auth_bend_response_exit called
*Mar 8 00:03:07.037: dot1x-sm(Fa0/1): 0xB0000DBA:auth_bend_request_enter called
*Mar 8 00:03:07.037: dot1x-ev(Fa0/1): Sending EAPOL packet to group PAE address
*Mar 8 00:03:07.037: dot1x-ev(Fa0/1): Role determination not required
*Mar 8 00:03:07.037: dot1x-registry:registry:dot1x_ether_macaddr called
*Mar 8 00:03:07.037: dot1x-ev(Fa0/1): Sending out EAPOL packet
*Mar 8 00:03:07.037: EAPOL pak dump Tx
*Mar 8 00:03:07.037: EAPOL Version: 0x3 type: 0x0 length: 0x0456
*Mar 8 00:03:07.037: EAP code: 0x1 id: 0x3 length: 0x0456 type: 0xD
*Mar 8 00:03:07.037: dot1x-packet(Fa0/1): EAPOL packet sent to client 0xB0000DBA (d43d.7e65.4fc1)
*Mar 8 00:03:07.037: dot1x-sm(Fa0/1): 0xB0000DBA:auth_bend_response_request_action called
*Mar 8 00:03:07.037: dot1x-ev(Fa0/1): Role determination not required
*Mar 8 00:03:07.037: dot1x-packet(Fa0/1): Queuing an EAPOL pkt on Authenticator Q
*Mar 8 00:03:07.037: dot1x-ev:Enqueued the eapol packet to the global authenticator queue
*Mar 8 00:03:07.037: EAPOL pak dump rx
*Mar 8 00:03:07.037: EAPOL Version: 0x1 type: 0x0 length: 0x0006
*Mar 8 00:03:07.037: dot1x-ev:
dot1x_auth_queue_event: Int Fa0/1 CODE= 2,TYPE= 13,LEN= 6
*Mar 8 00:03:07.037: dot1x-packet(Fa0/1): Received an EAPOL frame
*Mar 8 00:03:07.037: dot1x-ev(Fa0/1): Received pkt saddr =d43d.7e65.4fc1 , daddr = 0180.c200.0003,
pae-ether-type = 888e.0100.0006
*Mar 8 00:03:07.037: dot1x-packet(Fa0/1): Received an EAP packet
*Mar 8 00:03:07.037: EAPOL pak dump rx
*Mar 8 00:03:07.037: EAPOL Version: 0x1 type: 0x0 length: 0x0006
*Mar 8 00:03:07.037: dot1x-packet(Fa0/1): Received an EAP packet from d43d.7e65.4fc1
*Mar 8 00:03:07.037: dot1x-sm(Fa0/1): Posting EAPOL_EAP for 0xB0000DBA
*Mar 8 00:03:07.037: dot1x_auth_bend Fa0/1: during state auth_bend_request, got event 6(eapolEap)
*Mar 8 00:03:07.037: @@@ dot1x_auth_bend Fa0/1: auth_bend_request -> auth_bend_response
*Mar 8 00:03:07.037: dot1x-sm(Fa0/1): 0xB0000DBA:auth_bend_response_enter called
*Mar 8 00:03:07.037: dot1x-ev(Fa0/1): dot1x_sendRespToServer: Response sent to the server from 0xB0000DBA (d43d.7e65.4fc1)
*Mar 8 00:03:07.037: dot1x-sm(Fa0/1): 0xB0000DBA:auth_bend_request_response_action called
*Mar 8 00:03:07.037: AAA/AUTHEN/8021X (000001C7): Pick method list 'default'
*Mar 8 00:03:07.046: RADIUS/ENCODE(000001C7):Orig. component type = DOT1X
*Mar 8 00:03:07.046: RADIUS(000001C7): Config NAS IP: 0.0.0.0
*Mar 8 00:03:07.046: RADIUS/ENCODE(000001C7): acct_session_id: 724
*Mar 8 00:03:07.046: RADIUS(000001C7): sending
*Mar 8 00:03:07.046: RADIUS/ENCODE: Best Local IP-Address 10.26.237.11 for Radius-Server 10.26.13.59
*Mar 8 00:03:07.046: RADIUS(000001C7): Send Access-Request to 10.26.13.59:1812 id 1645/85, len 253
*Mar 8 00:03:07.046: RADIUS: authenticator 1C D7 6D 40 A3 D6 BA B1 - A7 E6 70 DA 32 83 2E 19
*Mar 8 00:03:07.046: RADIUS: User-Name [1] 31 "host/D0902MALL005.IN.intranet"
*Mar 8 00:03:07.046: RADIUS: Service-Type [6] 6 Framed [2]
*Mar 8 00:03:07.046: RADIUS: Framed-MTU [12] 6 1500
*Mar 8 00:03:07.046: RADIUS: Called-Station-Id [30] 19 "D4-A0-2A-EE-14-81"
*Mar 8 00:03:07.046: RADIUS: Calling-Station-Id [31] 19 "D4-3D-7E-65-4F-C1"
*Mar 8 00:03:07.046: RADIUS: EAP-Message [79] 8
*Mar 8 00:03:07.046: RADIUS: 02 03 00 06 0D 00
*Mar 8 00:03:07.046: RADIUS: Message-Authenticato[80] 18
*Mar 8 00:03:07.046: RADIUS: 73 1D 89 5C 66 19 32 B6 63 C2 64 C1 04 42 A9 F9 [ s\f2cdB]
*Mar 8 00:03:07.046: RADIUS: EAP-Key-Name [102] 2 *
*Mar 8 00:03:07.046: RADIUS: Vendor, Cisco [26] 49
*Mar 8 00:03:07.046: RADIUS: Cisco AVpair [1] 43 "audit-session-id=0A1AED0B000000EE240F5BAB"
*Mar 8 00:03:07.046: RADIUS: NAS-Port-Type [61] 6 Ethernet [15]
*Mar 8 00:03:07.046: RADIUS: NAS-Port [5] 6 50001
*Mar 8 00:03:07.046: RADIUS: NAS-Port-Id [87] 17 "FastEthernet0/1"
*Mar 8 00:03:07.046: RADIUS: State [24] 30
*Mar 8 00:03:07.046: RADIUS: 00 6F 00 51 00 4B 00 6E EE B8 45 00 4B AA 6B A9 B6 D6 C8 CC 48 1A 91 99 7F 77 D3 C1 [ oQKnEKkHw]
*Mar 8 00:03:07.046: RADIUS: NAS-IP-Address [4] 6 10.26.237.11
*Mar 8 00:03:07.046: RADIUS: Acct-Session-Id [44] 10 "000002D4"
*Mar 8 00:03:07.046: RADIUS(000001C7): Started 3 sec timeout
*Mar 8 00:03:07.113: RADIUS: Received from id 1645/85 10.26.13.59:1812, Access-Challenge, len 378
*Mar 8 00:03:07.113: RADIUS: authenticator 1A 85 26 09 58 84 BC D4 - E0 A9 E3 C0 25 31 2D 31
*Mar 8 00:03:07.113: RADIUS: EAP-Message [79] 255
*Mar 8 00:03:07.121: RADIUS: 01 04 01 32 0D 00 66 69 63 61 74 65 20 41 75 74 68 6F 72 69 74 [2ficate Authorit]
*Mar 8 00:03:07.121: RADIUS: 79 20 28 53 69 67 6E 69 6E 67 29 31 3F 30 3D 06 09 2A [y (Signing)1?0=*]
*Mar 8 00:03:07.121: RADIUS: 86 48 86 F7 0D 01 09 01 16 30 64 36 62 62 34 66 37 30 2D 66 34 31 32 2D [H0d6bb4f70-f412-]
*Mar 8 00:03:07.121: RADIUS: 34 35 35 32 2D 61 65 65 32 2D 63 37 61 30 32 36 [4552-aee2-c7a026]
*Mar 8 00:03:07.121: RADIUS: 66 62 61 32 31 38 40 65 78 61 6D 70 6C 65 2E 63 [[email protected]]
*Mar 8 00:03:07.121: RADIUS: 6F 6D 00 CB 30 81 C8 31 0B 30 09 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 0C 0A 43 61 6C 69 66 [om010UUS10UCalif]
*Mar 8 00:03:07.121: RADIUS: 6F 72 6E 69 61 31 12 30 10 06 03 55 04 07 0C 09 53 75 6E 6E 79 76 61 6C [ornia10USunnyval]
*Mar 8 00:03:07.121: RADIUS: 65 31 17 30 15 06 03 55 04 0A 0C 0E 41 72 75 62 61 20 4E 65 74 77 6F 72 [e10UAruba Networ]
*Mar 8 00:03:07.121: RADIUS: 6B 73 31 36 30 34 06 03 55 04 03 0C 2D 43 6C 65 61 72 50 61 73 [ks1604U-ClearPas]
*Mar 8 00:03:07.121: RADIUS: 73 20 4F 6E 62 6F 61 72 64 20 4C 6F 63 61 6C 20 [s Onboard Local ]
*Mar 8 00:03:07.121: RADIUS: 43 65 72 74 69 66 69 63 61 74 65 20 41 75 74 68 [Certificate Auth]
*Mar 8 00:03:07.121: RADIUS: 6F 72 69 74 79 31 3F 30 3D 06 09 2A 86 48 86 F7 0D 01 09 01 16 [ ority1?0=*H]
*Mar 8 00:03:07.121: RADIUS: EAP-Message [79] 55
*Mar 8 00:03:07.121: RADIUS: 30 64 36 62 62 34 66 37 30 2D 66 34 31 32 2D 34 [0d6bb4f70-f412-4]
*Mar 8 00:03:07.121: RADIUS: 35 35 32 2D 61 65 65 32 2D 63 37 61 30 32 36 66 [552-aee2-c7a026f]
*Mar 8 00:03:07.121: RADIUS: 62 61 32 31 38 40 65 78 61 6D 70 6C 65 2E 63 6F [[email protected]]
*Mar 8 00:03:07.121: RADIUS: 6D 0E 00 00 00 [ m]
*Mar 8 00:03:07.121: RADIUS: Message-Authenticato[80] 18
*Mar 8 00:03:07.121: RADIUS: 4C 46 AA B9 A5 D5 DF EA DB E7 2B 7B 51 7E 58 3F [ LF+{Q~X?]
*Mar 8 00:03:07.121: RADIUS: State [24] 30
*Mar 8 00:03:07.121: RADIUS: 00 EF 00 B9 00 0A 00 00 EF B8 45 00 EF D2 C4 3C 81 6C 72 0E 23 FE 11 EA 12 17 50 A1 [ E
*Mar 8 00:03:07.121: RADIUS(000001C7): Received from id 1645/85
*Mar 8 00:03:07.121: RADIUS/DECODE: EAP-Message fragments, 253+53, total 306 bytes
*Mar 8 00:03:07.130: dot1x-sm(Fa0/1): Posting EAP_REQ for 0xB0000DBA
*Mar 8 00:03:07.130: dot1x_auth_bend Fa0/1: during state auth_bend_response, got event 7(eapReq)
*Mar 8 00:03:07.130: @@@ dot1x_auth_bend Fa0/1: auth_bend_response -> auth_bend_request
*Mar 8 00:03:07.130: dot1x-sm(Fa0/1): 0xB0000DBA:auth_bend_response_exit called
*Mar 8 00:03:07.130: dot1x-sm(Fa0/1): 0xB0000DBA:auth_bend_request_enter called
*Mar 8 00:03:07.130: dot1x-ev(Fa0/1): Sending EAPOL packet to group PAE address
*Mar 8 00:03:07.130: dot1x-ev(Fa0/1): Role determination not required
*Mar 8 00:03:07.130: dot1x-registry:registry:dot1x_ether_macaddr called
*Mar 8 00:03:07.130: dot1x-ev(Fa0/1): Sending out EAPOL packet
*Mar 8 00:03:07.130: EAPOL pak dump Tx
*Mar 8 00:03:07.130: EAPOL Version: 0x3 type: 0x0 length: 0x0132
*Mar 8 00:03:07.130: EAP code: 0x1 id: 0x4 length: 0x0132 type: 0xD
*Mar 8 00:03:07.130: dot1x-packet(Fa0/1): EAPOL packet sent to client 0xB0000DBA (d43d.7e65.4fc1)
*Mar 8 00:03:07.130: dot1x-sm(Fa0/1): 0xB0000DBA:auth_bend_response_request_action called
*Mar 8 00:03:07.138: dot1x-ev(Fa0/1): Role determination not required
*Mar 8 00:03:07.138: dot1x-packet(Fa0/1): Queuing an EAPOL pkt on Authenticator Q
*Mar 8 00:03:07.138: dot1x-ev:Enqueued the eapol packet to the global authenticator queue
*Mar 8 00:03:07.138: EAPOL pak dump rx
*Mar 8 00:03:07.138: EAPOL Version: 0x1 type: 0x0 length: 0x05D4
*Mar 8 00:03:07.138: dot1x-ev:
dot1x_auth_queue_event: Int Fa0/1 CODE= 2,TYPE= 13,LEN= 1492
*Mar 8 00:03:07.138: dot1x-packet(Fa0/1): Received an EAPOL frame
*Mar 8 00:03:07.138: dot1x-ev(Fa0/1):
^Z
Malleswaram_2960#
*Mar 8 00:03:07.180: RADIUS: State [24] 30
*Mar 8 00:03:07.180: RADIUS: 00 EF 00 B9 00 0A 00 00 EF B8 45 00 EF D2 C4 3C 81 6C 72 0E 23 FE 11 EA 12 17 50 A1 [ E
*Mar 8 00:03:07.180: RADIUS: NAS-IP-Address [4] 6 10.26.237.11
*Mar 8 00:03:07.180: RADIUS: Acct-Session-Id [44] 10 "000002D4"
*Mar 8 00:03:07.180: RADIUS(000001C7): Started 3 sec timeout
Malleswaram_2960#
*Mar 8 00:03:07.893: %SYS-5-CONFIG_I: Configured from console by jameela on vty0 (10.26.20.5)
Malleswaram_2960#
*Mar 8 00:03:10.225: RADIUS(000001C7): Request timed out
*Mar 8 00:03:10.225: RADIUS: Retransmit to (10.26.13.59:1812,1813) for id 1645/86
*Mar 8 00:03:10.225: RADIUS(000001C7): Started 3 sec timeout
Malleswaram_2960#
*Mar 8 00:03:13.354: RADIUS(000001C7): Request timed out
*Mar 8 00:03:13.354: RADIUS: Retransmit to (10.26.13.59:1812,1813) for id 1645/86
*Mar 8 00:03:13.354: RADIUS(000001C7): Started 3 sec timeout
Malleswaram_2960#
*Mar 8 00:03:16.307: RADIUS(000001C7): Request timed out
*Mar 8 00:03:16.307: RADIUS: Retransmit to (10.26.13.59:1812,1813) for id 1645/86
*Mar 8 00:03:16.307: RADIUS(000001C7): Started 3 sec timeout
Malleswaram_2960#
*Mar 8 00:03:19.369: RADIUS(000001C7): Request timed out
*Mar 8 00:03:19.369: RADIUS: Retransmit to (10.26.13.59:1812,1813) for id 1645/86
*Mar 8 00:03:19.369: RADIUS(000001C7): Started 3 sec timeout
Malleswaram_2960#
*Mar 8 00:03:22.456: RADIUS(000001C7): Request timed out
*Mar 8 00:03:22.456: RADIUS: Fail-over denied to (10.26.13.59:1812,1813) for id 1645/86
*Mar 8 00:03:22.456: RADIUS: No response from (10.26.13.59:1812,1813) for id 1645/86
*Mar 8 00:03:22.456: RADIUS/DECODE: parse response no app start; FAIL
*Mar 8 00:03:22.456: RADIUS/DECODE: parse response; FAIL
*Mar 8 00:03:22.456: dot1x-ev(Fa0/1): Received an EAP Fail
*Mar 8 00:03:22.456: dot1x-sm(Fa0/1): Posting EAP_FAIL for 0xB0000DBA
*Mar 8 00:03:22.456: dot1x_auth_bend Fa0/1: during state auth_bend_response, got event 10(eapFail)
*Mar 8 00:03:22.456: @@@ dot1x_auth_bend Fa0/1: auth_bend_response -> auth_bend_fail
*Mar 8 00:03:22.456: dot1x-sm(Fa0/1): 0xB0000DBA:auth_bend_response_exit called
*Mar 8 00:03:22.456: dot1x-sm(Fa0/1): 0xB0000DBA:auth_bend_fail_enter called
*Mar 8 00:03:22.456: dot1x-sm(Fa0/1): 0xB0000DBA:auth_bend_response_fail_action called
*Mar 8 00:03:22.456: dot1x_auth_bend Fa0/1: idle during state auth_bend_fail
*Mar 8 00:03:22.456: @@@ dot1x_auth_bend Fa0/1: auth_bend_fail -> auth_bend_idle
*Mar 8 00:03:22.456: dot1x-sm(Fa0/1): 0xB0000DBA:auth_bend_idle_enter called
*Mar 8 00:03:22.456: dot1x-sm(Fa0/1): Posting AUTH_FAIL on Client 0xB0000DBA
*Mar 8 00:03:22.456: dot1x_auth Fa0/1: during state auth_authenticating, got event 15(authFail)
*Mar 8 00:03:22.456: @@@ dot1x_auth Fa0/1: auth_authenticating -> auth_authc_result
*Mar 8 00:03:22.456: dot1x-sm(Fa0/1): 0xB0000DBA:auth_authenticating_exit called
*Mar 8 00:03:22.456: dot1x-sm(Fa0/1): 0xB0000DBA:auth_authc_result_enter called
*Mar 8 00:03:22.456: %DOT1X-5-FAIL: Authentication failed for client (d43d.7e65.4fc1) on Interface Fa0/1 AuditSessionID
*Mar 8 00:03:22.456: dot1x-ev(Fa0/1): Sending event (2) to Auth Mgr for d43d.7e65.4fc1
*Mar 8 00:03:22.456: %AUTHMGR-7-RESULT: Authentication result 'fail' from 'dot1x' for client (d43d.7e65.4fc1) on Interface Fa0/1 AuditSessionID 0A1AED0B000000EE240F5BAB
*Mar 8 00:03:22.456: %AUTHMGR-5-FAIL: Authorization failed for client (d43d.7e65.4fc1) on Interface Fa0/1 AuditSessionID 0A1AED0B000000EE240F5BAB
*Mar 8 00:03:22.456: dot1x-redundancy: State for client d43d.7e65.4fc1 successfully retrieved
*Mar 8 00:03:22.456: dot1x-ev(Fa0/1): Received Authz fail for the client 0xB0000DBA (d43d.7e65.4fc1)
*Mar 8 00:03:22.456: dot1x-sm(Fa0/1): Posting_AUTHZ_FAIL on Client 0xB0000DBA
*Mar 8 00:03:22.456: dot1x_auth Fa0/1: during state auth_authc_result, got event 22(authzFail)
*Mar 8 00:03:22.456: @@@ dot1x_auth Fa0/1: auth_authc_result -> auth_held
*Mar 8 00:03:22.456: dot1x-sm(Fa0/1): 0xB0000DBA:auth_held_enter called
*Mar 8 00:03:22.464: dot1x-ev(Fa0/1): Sending EAPOL packet to group PAE address
*Mar 8 00:03:22.464: dot1x-ev(Fa0/1): Role determination not required
*Mar 8 00:03:22.464: dot1x-registry:registry:dot1x_ether_macaddr called
*Mar 8 00:03:22.464: dot1x-ev(Fa0/1): Sending out EAPOL packet
*Mar 8 00:03:22.464: EAPOL pak dump Tx
*Mar 8 00:03:22.464: EAPOL Version: 0x3 type: 0x0 length: 0x0004
*Mar 8 00:03:22.464: EAP code: 0x4 id: 0x4 length: 0x0004
*Mar 8 00:03:22.464: dot1x-packet(Fa0/1): EAPOL packet sent to client 0xB0000DBA (d43d.7e65.4fc1)
*Mar 8 00:03:22.464: dot1x-sm(Fa0/1): Posting FAILOVER_RETRY on Client 0xB0000DBA
*Mar 8 00:03:22.464: dot1x_auth Fa0/1: during state auth_held, got event 21(failover_retry)
*Mar 8 00:03:22.464: @@@ dot1x_auth Fa0/1: auth_held -> auth_restart
*Mar 8 00:03:22.464: dot1x-sm(Fa0/1): 0xB0000DBA:auth_held_exit called
*Mar 8 00:03:22.464: dot1x-sm(Fa0/1): 0xB0000DBA:auth_restart_enter called
*Mar 8 00:03:22.464: dot1x-ev(Fa0/1): Sending create new context event to EAP for 0xB0000DBA (d43d.7e65.4fc1)
*Mar 8 00:03:22.464: dot1x-sm(Fa0/1): 0xB0000DBA:auth_held_restart_action called
*Mar 8 00:03:22.464: dot1x-sm(Fa0/1): Posting !EAP_RESTART on Client 0xB0000DBA
*Mar 8 00:03:22.464: dot1x_auth Fa0/1: during state auth_restart, got event 6(no_eapRestart)
*Mar 8 00:03:22.464: @@@ dot1x_auth Fa0/1: auth_restart -> auth_connecting
*Mar 8 00:03:22.464: dot1x-sm(Fa0/1): 0xB0000DBA:auth_connecting_enter called
*Mar 8 00:03:22.464: dot1x-sm(Fa0/1): 0xB0000DBA:auth_restart_connecting_action called
*Mar 8 00:03:22.464: dot1x-sm(Fa0/1): Posting REAUTH_MAX on Client 0xB0000DBA
*Mar 8 00:03:22.464: dot1x_auth Fa0/1: during state auth_connecting, got event 11(reAuthMax)
*Mar 8 00:03:22.464: @@@ dot1x_auth Fa0/1: auth_connecting -> auth_disconnected
*Mar 8 00:03:22.464: dot1x-sm(Fa0/1): 0xB0000DBA:auth_disconnected_enter called
*Mar 8 00:03:22.464: dot1x-sm(Fa0/1): d43d.7e65.4fc1:auth_disconnected_enter sending canned failure to version 1 supplicant
*Mar 8 00:03:22.464: dot1x-ev(Fa0/1): Sending EAPOL packet to group PAE address
*Mar 8 00:03:22.464: dot1x-ev(Fa0/1): Role determination not required
*Mar 8 00:03:22.464: dot1x-registry:registry:dot1x_ether_macaddr called
*Mar 8 00:03:22.464: dot1x-ev(Fa0/1): Sending out EAPOL packet
*Mar 8 00:03:22.464: EAPOL pak dump Tx
*Mar 8 00:03:22.464: EAPOL Version: 0x3 type: 0x0 length: 0x0004
*Mar 8 00:03:22.464: EAP code: 0x4 id: 0x5 length: 0x0004
*Mar 8 00:03:22.464: dot1x-packet(Fa0/1): dot1x_auth_txCannedStatus: EAPOL packet sent to client 0xB0000DBA (d43d.7e65.4fc1)
*Mar 8 00:03:22.464: dot1x-sm(Fa0/1): 0xB0000DBA:auth_connecting_disconnected_reAuthMax_action called
*Mar 8 00:03:22.464: dot1x_auth Fa0/1: idle during state auth_disconnected
*Mar 8 00:03:22.464: @@@ dot1x_auth Fa0/1: auth_disconnected -> auth_restart
*Mar 8 00:03:22.464: dot1x-ev(Fa0/1): Sending event (1) to Auth Mgr for d43d.7e65.4fc1
*Mar 8 00:03:22.464: dot1x-ev:Delete auth client (0xB0000DBA) message
*Mar 8 00:03:22.464: dot1x-ev:Auth client ctx destroyed
*Mar 8 00:03:22.674: AAA/BIND(000001C8): Bind i/f
*Mar 8 00:03:22.674: dot1x_auth Fa0/1: initial state auth_initialize has enter
*Mar 8 00:03:22.674: dot1x-sm(Fa0/1): 0x4A000DBB:auth_initialize_enter called
*Mar 8 00:03:22.674: dot1x_auth Fa0/1: during state auth_initialize, got event 0(cfg_auto)
*Mar 8 00:03:22.674: @@@ dot1x_auth Fa0/1: auth_initialize -> auth_disconnected
*Mar 8 00:03:22.674: dot1x-sm(Fa0/1): 0x4A000DBB:auth_disconnected_enter called
*Mar 8 00:03:22.674: dot1x_auth Fa0/1: idle during state auth_disconnected
*Mar 8 00:03:22.674: @@@ dot1x_auth Fa0/1: auth_disconnected -> auth_restart
*Mar 8 00:03:22.674: dot1x-sm(Fa0/1): 0x4A000DBB:auth_restart_enter called
*Mar 8 00:03:22.674: dot1x-ev(Fa0/1): Sending create new context event to EAP for 0x4A000DBB (0000.0000.0000)
*Mar 8 00:03:22.674: dot1x_auth_bend Fa0/1: initial state auth_bend_initialize has enter
*Mar 8 00:03:22.674: dot1x-sm(Fa0/1): 0x4A000DBB:auth_bend_initialize_enter called
*Mar 8 00:03:22.674: dot1x_auth_bend Fa0/1: initial state auth_bend_initialize has idle
*Mar 8 00:03:22.674: dot1x_auth_bend Fa0/1: during state auth_bend_initialize, got event 16383(idle)
*Mar 8 00:03:22.674: @@@ dot1x_auth_bend Fa0/1: auth_bend_initialize -> auth_bend_idle
*Mar 8 00:03:22.674: dot1x-sm(Fa0/1): 0x4A000DBB:auth_bend_idle_enter called
*Mar 8 00:03:22.674: dot1x-ev(Fa0/1): Created a client entry (0x4A000DBB)
*Mar 8 00:03:22.674: dot1x-ev(Fa0/1): Dot1x authentication started for 0x4A000DBB (0000.0000.0000)
*Mar 8 00:03:22.674: dot1x-sm(Fa0/1): Posting !EAP_RESTART on Client 0x4A000DBB
*Mar 8 00:03:22.674: dot1x_auth Fa0/1: during state auth_restart, got event 6(no_eapRestart)
*Mar 8 00:03:22.674: @@@ dot1x_auth Fa0/1: auth_restart -> auth_connecting
*Mar 8 00:03:22.674: dot1x-sm(Fa0/1): 0x4A000DBB:auth_connecting_enter called
*Mar 8 00:03:22.674: dot1x-sm(Fa0/1): 0x4A000DBB:auth_restart_connecting_action called
*Mar 8 00:03:22.674: dot1x-sm(Fa0/1): Posting RX_REQ on Client 0x4A000DBB
*Mar 8 00:03:22.674: dot1x_auth Fa0/1: during state auth_connecting, got event 10(eapReq_no_reAuthMax)
*Mar 8 00:03:22.674: @@@ dot1x_auth Fa0/1: auth_connecting -> auth_authenticating
*Mar 8 00:03:22.674: dot1x-sm(Fa0/1): 0x4A000DBB:auth_authenticating_enter called
*Mar 8 00:03:22.674: dot1x-sm(Fa0/1): 0x4A000DBB:auth_connecting_authenticating_action called
*Mar 8 00:03:22.674: dot1x-sm(Fa0/1): Posting AUTH_START for 0x4A000DBB
*Mar 8 00:03:22.674: dot1x_auth_bend Fa0/1: during state auth_bend_idle, got event 4(eapReq_authStart)
*Mar 8 00:03:22.674: @@@ dot1x_auth_bend Fa0/1: auth_bend_idle -> auth_bend_request
*Mar 8 00:03:22.674: dot1x-sm(Fa0/1): 0x4A000DBB:auth_bend_request_enter called
*Mar 8 00:03:22.674: dot1x-ev(Fa0/1): Sending EAPOL packet to group PAE address
*Mar 8 00:03:22.674: dot1x-ev(Fa0/1): Role determination not required
Malleswaram_2960#
*Mar 8 00:03:22.674: dot1x-registry:registry:dot1x_ether_macaddr called
*Mar 8 00:03:22.674: dot1x-ev(Fa0/1): Sending out EAPOL packet
*Mar 8 00:03:22.674: EAPOL pak dump Tx
*Mar 8 00:03:22.674: EAPOL Version: 0x3 type: 0x0 length: 0x0005
*Mar 8 00:03:22.674: EAP code: 0x1 id: 0x1 length: 0x0005 type: 0x1
*Mar 8 00:03:22.674: dot1x-packet(Fa0/1): EAPOL packet sent to client 0x4A000DBB (0000.0000.0000)
*Mar 8 00:03:22.674: dot1x-sm(Fa0/1): 0x4A000DBB:auth_bend_idle_request_action called
*Mar 8 00:03:22.791: dot1x-ev(Fa0/1): New client notification from AuthMgr for 0x4A000DBB - d43d.7e65.4fc1
*Mar 8 00:03:22.791: %AUTHMGR-5-START: Starting 'dot1x' for client (d43d.7e65.4fc1) on Interface Fa0/1 AuditSessionID 0A1AED0B000000EF240F9BC3
Malleswaram_2960#
*Mar 8 00:03:25.761: dot1x-sm(Fa0/1): Posting EAP_REQ for 0x4A000DBB
*Mar 8 00:03:25.761: dot1x_auth_bend Fa0/1: during state auth_bend_request, got event 7(eapReq)
*Mar 8 00:03:25.761: @@@ dot1x_auth_bend Fa0/1: auth_bend_request -> auth_bend_request
*Mar 8 00:03:25.761: dot1x-sm(Fa0/1): 0x4A000DBB:auth_bend_request_request_action called
*Mar 8 00:03:25.761: dot1x-sm(Fa0/1): 0x4A000DBB:auth_bend_request_enter called
*Mar 8 00:03:25.761: dot1x-ev(Fa0/1): Sending EAPOL packet to group PAE address
*Mar 8 00:03:25.761: dot1x-ev(Fa0/1): Role determination not required
*Mar 8 00:03:25.761: dot1x-registry:registry:dot1x_ether_macaddr called
Malleswaram_2960#n
*Mar 8 00:03:25.761: dot1x-ev(Fa0/1): Sending out EAPOL packet
*Mar 8 00:03:25.761: EAPOL pak dump Tx
*Mar 8 00:03:25.761: EAPOL Version: 0x3 type: 0x0 length: 0x0005
*Mar 8 00:03:25.761: EAP code: 0x1 id: 0x1 length: 0x0005 type: 0x1
*Mar 8 00:03:25.761: dot1x-packet(Fa0/1): EAPOL packet sent to client 0x4A000DBB (d43d.7e65.4fc1)
Malleswaram_2960#no debu
Malleswaram_2960#no debug
*Mar 8 00:03:28.848: dot1x-sm(Fa0/1): Posting EAP_REQ for 0x4A000DBB
*Mar 8 00:03:28.848: dot1x_auth_bend Fa0/1: during state auth_bend_request, got event 7(eapReq)
*Mar 8 00:03:28.848: @@@ dot1x_auth_bend Fa0/1: auth_bend_request -> auth_bend_request
*Mar 8 00:03:28.848: dot1x-sm(Fa0/1): 0x4A000DBB:auth_bend_request_request_action called
*Mar 8 00:03:28.848: dot1x-sm(Fa0/1): 0x4A000DBB:auth_bend_request_enter called
*Mar 8 00:03:28.848: dot1x-ev(Fa0/1): Sending EAPOL packet to group PAE address
*Mar 8 00:03:28.848: dot1x-ev(Fa0/1): Role determination not required
*Mar 8 00:03:28.848: dot1x-registry:registry:dot1x_ether_macaddr called
Malleswaram_2960#no debug all
*Mar 8 00:03:28.848: dot1x-ev(Fa0/1): Sending out EAPOL packet
*Mar 8 00:03:28.848: EAPOL pak dump Tx
*Mar 8 00:03:28.848: EAPOL Version: 0x3 type: 0x0 length: 0x0005
*Mar 8 00:03:28.848: EAP code: 0x1 id: 0x1 length: 0x0005 type: 0x1
*Mar 8 00:03:28.848: dot1x-packet(Fa0/1): EAPOL packet sent to client 0x4A000DBB (d43d.7e65.4fc1)
Malleswaram_2960#no debug all
All possible debugging has been turned off
Malleswaram_2960#
*Mar 8 00:03:31.180: AAA: parse name=tty1 idb type=-1 tty=-1
*Mar 8 00:03:31.180: AAA: name=tty1 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=1 channel=0
*Mar 8 00:03:31.180: AAA/MEMORY: create_user (0x21D1684) user='jameela' ruser='Malleswaram_2960' ds0=0 port='tty1' rem_addr='10.26.20.5' authen_type=ASCII service=NONE priv=15 initial_task_id='0', vrf= (id=0) key=C9A1F1D1
*Mar 8 00:03:31.389: TAC+: (-1901802859): received author response status = PASS_ADD
*Mar 8 00:03:31.389: AAA/MEMORY: free_user (0x21D1684) user='jameela' ruser='Malleswaram_2960' port='tty1' rem_addr='10.26.20.5' authen_type=ASCII service=NONE priv=15
*Mar 8 00:03:31.935: %DOT1X-5-FAIL: Authentication failed for client (d43d.7e65.4fc1) on Interface Fa0/1 AuditSessionID
*Mar 8 00:03:31.935: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (d43d.7e65.4fc1) on Interface Fa0/1 AuditSessionID 0A1AED0B000000EF240F9BC3
*Mar 8 00:03:31.935: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (d43d.7e65.4fc1) on Interface Fa0/1 AuditSessionID 0A1AED0B000000EF240F9BC3
*Mar 8 00:03:31.935: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (d43d.7e65.4fc1) on Interface Fa0/1 AuditSessionID 0A1AED0B000000EF240F9BC3
Malleswaram_2960#
*Mar 8 00:03:31.935: %AUTHMGR-5-FAIL: Authorization failed for client (d43d.7e65.4fc1) on Interface Fa0/1 AuditSessionID 0A1AED0B000000EF240F9BC3
Malleswaram_2960#no deb
Malleswaram_2960#no debug al
Malleswaram_2960#no debug all
All possible debugging has been turned off
Malleswaram_2960#
*Mar 8 00:04:32.677: %AUTHMGR-5-START: Starting 'dot1x' for client (d43d.7e65.4fc1) on Interface Fa0/1 AuditSessionID 0A1AED0B000000EF240F9BC3
Malleswaram_2960#
*Mar 8 00:04:41.938: %DOT1X-5-FAIL: Authentication failed for client (d43d.7e65.4fc1) on Interface Fa0/1 AuditSessionID
*Mar 8 00:04:41.938: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (d43d.7e65.4fc1) on Interface Fa0/1 AuditSessionID 0A1AED0B000000EF240F9BC3
*Mar 8 00:04:41.938: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (d43d.7e65.4fc1) on Interface Fa0/1 AuditSessionID 0A1AED0B000000EF240F9BC3
*Mar 8 00:04:41.938: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (d43d.7e65.4fc1) on Interface Fa0/1 AuditSessionID 0A1AED0B000000EF240F9BC3
Malleswaram_2960#
*Mar 8 00:04:41.938: %AUTHMGR-5-FAIL: Authorization failed for client (d43d.7e65.4fc1) on Interface Fa0/1 AuditSessionID 0A1AED0B000000EF240F9BC3
Malleswaram_2960#
*Mar 8 00:05:42.654: %AUTHMGR-5-START: Starting 'dot1x' for client (d43d.7e65.4fc1) on Interface Fa0/1 AuditSessionID 0A1AED0B000000EF240F9BC3
Malleswaram_2960#
*Mar 8 00:05:51.915: %DOT1X-5-FAIL: Authentication failed for client (d43d.7e65.4fc1) on Interface Fa0/1 AuditSessionID
*Mar 8 00:05:51.915: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (d43d.7e65.4fc1) on Interface Fa0/1 AuditSessionID 0A1AED0B000000EF240F9BC3
*Mar 8 00:05:51.915: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (d43d.7e65.4fc1) on Interface Fa0/1 AuditSessionID 0A1AED0B000000EF240F9BC3
*Mar 8 00:05:51.915: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (d43d.7e65.4fc1) on Interface Fa0/1 AuditSessionID 0A1AED0B000000EF240F9BC3
Malleswaram_2960#
*Mar 8 00:05:51.915: %AUTHMGR-5-FAIL: Authorization failed for client (d43d.7e65.4fc1) on Interface Fa0/1 AuditSessionID 0A1AED0B000000EF240F9BC3
Pls dont worry about day and time. -
Trouble with EAP-TLS with Wireless before Windows logon
Ill start with a list of equipment;
5508 WLC
3502i AP's
Cisco ACS 5.3
Windows 7 clients
WLAN is configure with WPA2/AES with 802.1x for key management.
Client is configure with WPA2/AES, auth method is Microsoft: Smart Card or other certificate on computer. Auth mode is User or Computer authentication. The client is configured to use a certificate on the computer. "It only works if user or computer auth is seected." If i use Computer Authenticate option......its says it cant find a certificate to use for EAP.
ACS is configured to only allow for protocol EAP-TLS.
We have created a standalone CA server and have distributed the CA root and client authentication certificates to all test systems.
This whole process with EAP-TLS works great if you are already logged in to the machine, with cache credentials. Once I log off the Windows 7 client, I lose connection to the WLAN. We would like to stay logged on to the WLAN. PEAP w/ MSCHAPV2 works great with staying connected to the WLAN but we want to use EAP-TLS.
Any ideas??
Thanks in advanced,
RyanHi Ryan,
You actually answer your own question :) The reason for the fault is because the Machine Account doesn't have a Certificate, so when your User logs off the Machine Account can't login to keep the session going, and thus you get disconnected. Provide the Machine Account with a Certificate and your problem will be resolved.
Richard -
EAP-TLS User and machine authentication question
Hello,
i have a question regarding EAP TLS authentication in a wireless environment. We use Cisco AnyConnect NAM client and an ACS 5.1 to do EAP-TLS authentification. The Laptop and the user can be successfully authenticated using a certificate from our internal CA. i can also check the in our corporate AD if the user and machine are member of a certain group and based on the membership a can grant access to the network.
i can see in the ACS when the laptops after a reboot logs on to the network, but i don't see a log when the laptop comes back from hibernate mode, i guess this is normal because the laptop sends only the autentication equest after rebooting.
What i'd like to achive is, when a user logs on the it should always be checked if the machine was authenticated prior the user can get access to the network. Is there a way to do this with EAP-TLS and a LDAP connection to Active Directory.
thanks in advanced
alexSounds like you rather want to use PEAP/MSChapV2
-
802.1x RADIUS with EAP-TLS/EAP-TTLS & Dynamic VLAN Assignment
Hello, My team is looking for switches supporting 802.1x authentication on either EAP-TTLS or EAP-TLS protocols with dynamic vlan assignment enabled for these. Looking at the data sheets of the Linksys desktop switches, I found only SLM224G4PS and SLM224G4S models to support EAP-TLS or EAP-TTLS. Am I right? Do they support Dynamic VLAN Assigment for either of those protocols? This is not explicitly mentioned in the data sheets, and I happen to find switches from other manufacturers that announce to support EAP-TLS/EAP-TTLS but no dynamic vlan assignment. Thank you for any help.
SLM switches do support 802.1x RADIUS with EAP-TLS/EAP-TTLS unlike the SRW switches which support MD5. But I don't think that they support Dynamic VLAN.
-
'Could not find user' with EAP-TLS in ACS
Hi all,
we are running ACS 4.2(1) Build 15 on a Win2003 member server and use the ACS for EAP-TLS with certificates (Microsoft-PKI) for WLAN authentication (WLC 4402, 6.0 and 4.2). We are using both machine and user authentication.
Sometimes machine authentications fail with following message in AUTH.log:
AUTH 11/01/2010 09:11:28 E 1395 1904 0x31cb External DB [NTAuthenDLL.dll]: Could not find user host/<xxxxxxxx>.com (0x5012)
But some minutes/hours later the same machine can authenticate successful. Other machines never have this problem, no problems at all with user authentications.
Does anyone have an idea where I can proceed with troubleshooting? I haven't found any related messages in server event logs. Are there any other logs where I can find reasons for these problems that are occuring only sometimes?
Thanks
KaiAUTH.log and RDS.log are two log file you need to look into on ACS side. Make sure the log level is set to "Full"
You might need to check the log on AD side to see why it could not find this host.
Comparing the logs between the working and non-working cases might be helpful. -
8021.x EAP-TLS "User" vs "System" profile problems
Hello. I have a macbook using EAP-TLS (wired) with digital certificate authentication. Finally, it's working but I have the following workarounds/questions.
1. I have had to set the Username field to "HOST/<machine FQDN>". Other systems (ie: Windows) prepend "HOST/" automatically. Is this a known limitation or is there something I can/should do to have OS/X pull out the certificate identity and put it in as "host/identity" in response to the Identity EAP request?
2. This works fine for USER profiles, but I cannot get a SYSTEM profile to work. When I setup a SYSTEM profile, it screws with the keychain (my root CA has to be explicitly trusted, and the SYSTEM profile only turns on Trust for eapolclient), and the auth fails. There's not enough logging detail (LogLevel=1 only gives you a network trace...) to see what's going on, so I'll ask the experts here - what's going on?
I concede that I have played around with System profiles quite a bit, so maybe I need to delete the system profile and restart but I don't know how to do that.
Thanks!Assuming you're using the stock XP wifi client.
When running XPSP3, you need to set two things:
1) force one registry setting.
According to
http://technet.microsoft.com/en-us/library/cc755892%28WS.10%29.aspx#w2k3tr_wir_tools_uzps
You need to force usage of machine cert-store certificate:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global]
"AuthMode"=dword:00000002
2) add the ACS certificate signing CA to the specific SSID profile "trusted CA".
- show available wireless networks
- change advanced settings
- wireless networks tab
- select your SSID, and then hit the "properties" button
- select authentication tab, and then hit "properties" button
- search for your signing CA, and check the box.
I did with a not-so-simple autoIT script, using the "native wifi functions" addon.
Unfortunately I'm not allowed to share the script outside the company, but I'll be more than happy to review yours.
please cross reference to
https://supportforums.cisco.com/message/3280232
for a better description of the whole setup.
Ivan -
Hi,
i'm looking to enable 802.1x on the wired network using EAP-TLS. The radius server will be an ACS5.2 running on the appliance. We'd also need some authorization for different machines - we'd like to use dACLs for that so that machine A will get full access while machine B will get restricted access (both client machines are related to different business units). So machine based auth (clients run XP SP3 or Vista).
I'm not very clear about the following...based on the presented client machine certificate, we should be able to apply an authorization policy (dACL). How can we set this up...anyone else tried this before?
in 'worst' case we could do machine auth (EAP-TLS) to validate it's a corporate machine connecting, followed by user authentication & authorization (EAP-PEAP) to apply access policies based on the user id..with PEAP is see it might be easier to extract user info out of AD to make policy decision...?
Thanks,
GuyHi Guy,
provided that the dACL is just part of the Authorization profile that you return to the client, you need to make sure that you have the correct attributes so to allow the authorization policy evaluation.
In ACS 5 when you configure a "Certificate Authentication Profile", the basic option is just to validate the client certificate.
So as long as ACS can validate the cert using the trusted CA certificates installed on ACS, the authentication is successful.
However, if you do so the only attributes you can base your authorization policy evaluation are the non-binary attributes of the certificate itself, as there's no query done to any backend DB in this case.
If you want to evaluate the authorization policy where you want to check for additional attributes that are stored on an external DB (e.g. Active Directory), you can do it in two ways:
1) enable certificate binary comparison on the "Certificate Authentication Profile": this will both perform the binary comparison of the cert and it will fetch the user attributes from AD; this of course requires that the certificate for the user is also stored on the "userCertificate" attribute in Active Directory.
2) configure an "Indentity Store Sequence" where you select:
- Authentication Method List : Certificate based : "Certificate Authentication Profile"
- Additional Attribute Retrieval Search List : Add "AD1" among the selected Identity Stores
In this case ACS won't perform binary comparison of the cert, but it will look for the corresponding user account in AD so to fetch additional attributes (group membership, etc..)
You can find relevant documentation about this on the ACS user guide:
- Configuring "Certificate Authentication Profile"
http://www.cisco.com/en/US/customer/docs/net_mgmt/cisco_secure_access_control_system/5.2/user/guide/users_id_stores.html#wp1054057
- Configuring "Identity Store Sequence"
http://www.cisco.com/en/US/customer/docs/net_mgmt/cisco_secure_access_control_system/5.2/user/guide/users_id_stores.html#wp1054132
- Managing policy elements:
http://www.cisco.com/en/US/customer/docs/net_mgmt/cisco_secure_access_control_system/5.2/user/guide/pol_elem.html
I hope this helps.
Regards,
Federico
If this answers your question please mark the question as "answered" and rate it, so other users can easily find it. -
EAP-TLS User Certificate Question
I've setup a test ACS server and have everything functioning correctly including the WLAN. However, is there anyway for EAP-TLS to use ONLY the machine certificate and not the user certificate? We are not currently setup with per-user certificates. I'm guessing not on this... My primary question then is with User Certificates, how do you handle the following scenerio:
I have many CoW's (computer on wheels) through out the hospital that nurses use for inputting patient information. They all have a simple generic username/password (BADDD!!!!) so with this user it won't be hard to have default_user certificate install on the machines. But what if Doctor X decideds to walk up to one of these CoW's and wants to logout and log back in with his user/password on a machine he's never used before. How do we handle making sure he's able to connect if doesn't already have a cert on this computer? I'm quite mistified by this.
Thanks
-RaunIf you are using the MS Supplicant, you need the following registry settings:
"HKLM\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global\AuthMode", 2, "REG_DWORD"
"HKLM\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global\SupplicantMode", 3, "REG_DWORD"
This forces it to only use hardware certificates and sets the authentication to do the correct RFC polling.
As for the other issue, MS CA user certs do not "roam". Yet. There is discussion of roaming credentials being in Windows 7, but not entirely what that means. Roaming certificates can be easier with a product like Venafi. There "Encryption Management" tools are certificate management suites. The do have roaming management, or at least did when we talked to them.
Oh, and if you use two CAs (hardware and user), the separation keeps it straight too. -
802.1X EAP-TLS User Certificate Errors
I'm trying to implement 802.1x using EAP-TLS to authenticate our wireless users/clients (Windows 7 computers). I did a fair amount of research on how to implement this solution and everything seems to work fine when authentication mode is set to: Computer
Authentication. However, when authentication mode is set to "User or Computer" or just "User" it fails. I get a "certificate is required to connect" pop up and it's unable to connect.
No errors on the NPS side but I enabled logging on the client (netsh ras set tracing * ENABLED) and this is what I can see. It seems as if there is a problem with the client certificate:
[236] 06-04 09:26:35:704: EAP-TLS using All-purpose cert
[236] 06-04 09:26:35:720: Self Signed Certificates will not be selected.
[236] 06-04 09:26:35:720: EAP-TLS will accept the All-purpose cert
[236] 06-04 09:26:35:720: EapTlsInitialize2: PEAP using All-purpose cert
[236] 06-04 09:26:35:720: PEAP will accept the All-purpose cert
[236] 06-04 09:26:35:720: EapTlsInvokeIdentityUI
[236] 06-04 09:26:35:720: GetCertInfo flags: 0x40082
[236] 06-04 09:26:35:720: FCheckUsage: All-Purpose: 1
[236] 06-04 09:26:35:720: DwGetEKUUsage
[236] 06-04 09:26:35:720: Number of EKUs on the cert are 3
[236] 06-04 09:26:35:720: FCheckSCardCertAndCanOpenSilentContext
[236] 06-04 09:26:35:720: DwGetEKUUsage
[236] 06-04 09:26:35:720: Number of EKUs on the cert are 3
[236] 06-04 09:26:35:720: FCheckUsage: All-Purpose: 1
[236] 06-04 09:26:35:720: Acquiring Context for Container Name: le-8021xUsers-84adbdd0-a706-4c71-b74a-61a1bd702839, ProvName: Microsoft Software Key Storage Provider, ProvType 0x0
[236] 06-04 09:26:35:720: CryptAcquireContext failed. This CSP cannot be opened in silent mode. skipping cert.Err: 0x80090014
[236] 06-04 09:26:35:720: FCheckUsage: All-Purpose: 1
[236] 06-04 09:26:35:720: DwGetEKUUsage
[236] 06-04 09:26:35:720: Number of EKUs on the cert are 1
[236] 06-04 09:26:35:720: No Certs were found in the Certificate Store. (A cert was needed for the following purpose: UserAuth) Aborting search for certificates.
Also, in the event viewer I get the following:
Wireless 802.1x authentication failed.
Network Adapter: Dell Wireless 1510 Wireless-N WLAN Mini-Card
Interface GUID: {64191d46-0ea6-4251-86bb-7d6de5701025}
Local MAC Address: C4:17:FE:48:F2:79
Network SSID: *****
BSS Type: Infrastructure
Peer MAC Address: 00:12:17:01:F7:2F
Identity: NULL
User: presentation
Domain: ****
Reason: Explicit Eap failure received
Error: 0x80420014
EAP Reason: 0x80420100
EAP Root cause String: Network authentication failed\nThe user certificate required for the network can't be found on this computer.
I created user and computer certificates by duplicating the "User" and "Computer" templates in AD CS. I modified the "Subject Name" to "Build from Active Directory information". "Subject Name Format" is set to "Fully Distinguished Name" and "User
Principal Name (UPN) is checked. All other boxes are cleared. I verified that certificates for both user, computer , and root CA are all correctly auto enrolled. I also verified that the user certificate
exists in the "Personal" user certificate store on the client.
There is clearly something wrong with the user certificate but what? I'm at wits ends as I have tried everything. Please help!Hey,
I am precisely in the same situation now. I have a win7 client with server2008R2(having AD, and DNS) with NPS running. I have certificate templates and auto enrollment configured. My Win7 machine is able to authenticate using its certificate but
when I use the user certificate it doesn't work. Both user/computer certificates are coming from the AD root CA enterprise. NPS has the right certificate. I have verified on client user/local machine , both have their respective certificates in their
personal stores.
I have tried all possible combination and even tried changing the key provider but no use.[6472] 12-10 13:39:04:327: Number of EKUs on the cert are 1
[6472] 12-10 13:39:04:327: FCheckSCardCertAndCanOpenSilentContext
[6472] 12-10 13:39:04:327: DwGetEKUUsage
[6472] 12-10 13:39:04:327: Number of EKUs on the cert are 1
[6472] 12-10 13:39:04:327: FCheckUsage: All-Purpose: 1
[6472] 12-10 13:39:04:327: Acquiring Context for Container Name: le-LM-USER-4aa6cf55-b6b7-491e-ad5b-735e44eaf3c7, ProvName: Microsoft Software Key Storage Provider, ProvType 0x0
[6472] 12-10 13:39:04:327: CryptAcquireContext failed. This CSP cannot be opened in silent mode. skipping cert.Err: 0x80090014
[6472] 12-10 13:39:04:327: No Certs were found in the Certificate Store. (A cert was needed for the following purpose: UserAuth) Aborting search for certificates.
[6472] 12-10 13:39:04:327: EAP-TLS using All-purpose cert
[6472] 12-10 13:39:04:327: Self Signed Certificates will not be selected.
[6472] 12-10 13:39:04:327: EAP-TLS will accept the All-purpose cert
I am stuck at it for last few days with no real cause known as yet.!
Any help will be thoroughly appreciated!!! -
Adf security with upper case user results in 500-internal server error
Hello
JDev 11.1.1.0.2, Integrated WLS
I'v set up ADF security as explained in the documentation.
The only difference being that the role test-all has been removed.
I have one user 'paul' with a password of 'password'
I have one application role 'myrole'
'paul' is a member of 'myrole'
I have one unbounded task flow with one view (view1).
Via the janz-data.xml 'View1' has been granted to 'myrole' (view action)
When running View1 I get the login.html page which is correct.
The fun starts when playing around with the user/password.
If I login with 'paul' and 'password' view1 is display, this is correct
If I login with an unknown user or an incorrect password Windows Explorer 7 shows a generic HTTP 403 error page and not the error.html
If I login with 'PAUL' and 'password' (or Paul, or any mixed cased version of Paul with the correct password) I get the following stack trace :
oracle.adf.controller.security.AuthorizationException: ADFC-0619: Echec de la vérification des autorisations : '/view1.jspx' 'VIEW'.
at oracle.adf.controller.internal.security.AuthorizationEnforcer.handleFailure(AuthorizationEnforcer.java:145)
at oracle.adf.controller.internal.security.AuthorizationEnforcer.checkPermission(AuthorizationEnforcer.java:124)
at oracle.adfinternal.controller.state.ControllerState.initializeUrl(ControllerState.java:639)
at oracle.adfinternal.controller.state.ControllerState.synchronizeStatePart2(ControllerState.java:449)
at oracle.adfinternal.controller.application.SyncNavigationStateListener.afterPhase(SyncNavigationStateListener.java:44)
at oracle.adfinternal.controller.lifecycle.ADFLifecycleImpl$PagePhaseListenerWrapper.afterPhase(ADFLifecycleImpl.java:529)
at oracle.adfinternal.controller.lifecycle.LifecycleImpl.internalDispatchAfterEvent(LifecycleImpl.java:118)
at oracle.adfinternal.controller.lifecycle.LifecycleImpl.dispatchAfterPagePhaseEvent(LifecycleImpl.java:166)
at oracle.adfinternal.controller.faces.lifecycle.ADFPhaseListener$PhaseInvokerImpl.dispatchAfterPagePhaseEvent(ADFPhaseListener.java:122)
at oracle.adfinternal.controller.faces.lifecycle.ADFPhaseListener.afterPhase(ADFPhaseListener.java:68)
at oracle.adfinternal.controller.faces.lifecycle.ADFLifecyclePhaseListener.afterPhase(ADFLifecyclePhaseListener.java:51)
at oracle.adfinternal.view.faces.lifecycle.LifecycleImpl._executePhase(LifecycleImpl.java:354)
at oracle.adfinternal.view.faces.lifecycle.LifecycleImpl.execute(LifecycleImpl.java:175)
at javax.faces.webapp.FacesServlet.service(FacesServlet.java:265)
at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:292)
at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:26)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:42)
at oracle.adf.model.servlet.ADFBindingFilter.doFilter(ADFBindingFilter.java:181)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:42)
at oracle.adfinternal.view.faces.webapp.rich.RegistrationFilter.doFilter(RegistrationFilter.java:85)
at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl$FilterListChain.doFilter(TrinidadFilterImpl.java:279)
at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl._invokeDoFilter(TrinidadFilterImpl.java:239)
at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl._doFilterImpl(TrinidadFilterImpl.java:196)
at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl.doFilter(TrinidadFilterImpl.java:139)
at org.apache.myfaces.trinidad.webapp.TrinidadFilter.doFilter(TrinidadFilter.java:92)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:42)
at oracle.security.jps.wls.JpsWlsFilter$1.run(JpsWlsFilter.java:85)
at java.security.AccessController.doPrivileged(Native Method)
at oracle.security.jps.util.JpsSubject.doAsPrivileged(JpsSubject.java:257)
at oracle.security.jps.wls.JpsWlsSubjectResolver.runJaasMode(JpsWlsSubjectResolver.java:250)
at oracle.security.jps.wls.JpsWlsFilter.doFilter(JpsWlsFilter.java:100)
at oracle.security.jps.ee.http.JpsFilter.doFilter(JpsFilter.java:65)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:42)
at weblogic.servlet.internal.RequestEventsFilter.doFilter(RequestEventsFilter.java:27)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:42)
at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3496)
at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
at weblogic.security.service.SecurityManager.runAs(Unknown Source)
at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2180)
at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2086)
at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1406)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)
The questions are :
- Why do I get the generic HTTP 403 error instead of the error.html (its not the end of the world but I would like to understand) ?
- Why do I get the error 500 if the case of the username is incorrect but the password is correct ?
Best Regards
PaulNope nothing in there that looks out of place...
Here's the contents of the web.xml file ..
<?xml version = '1.0' encoding = 'windows-1252'?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" version="2.5" xmlns="http://java.sun.com/xml/ns/javaee">
<description>Empty web.xml file for Web Application</description>
<context-param>
<param-name>javax.faces.STATE_SAVING_METHOD</param-name>
<param-value>client</param-value>
</context-param>
<context-param>
<description>If this parameter is true, there will be an automatic check of the modification date of your JSPs, and saved state will be discarded when JSP's change. It will also automatically check if your skinning css files have changed without you having to restart the server. This makes development easier, but adds overhead. For this reason this parameter should be set to false when your application is deployed.</description>
<param-name>org.apache.myfaces.trinidad.CHECK_FILE_MODIFICATION</param-name>
<param-value>false</param-value>
</context-param>
<context-param>
<description>Whether the 'Generated by...' comment at the bottom of ADF Faces HTML pages should contain version number information.</description>
<param-name>oracle.adf.view.rich.versionString.HIDDEN</param-name>
<param-value>false</param-value>
</context-param>
<filter>
<filter-name>JpsFilter</filter-name>
<filter-class>oracle.security.jps.ee.http.JpsFilter</filter-class>
<init-param>
<param-name>enable.anonymous</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>remove.anonymous.role</param-name>
<param-value>false</param-value>
</init-param>
<init-param>
<param-name>addAllRoles</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>jaas.mode</param-name>
<param-value>doasprivileged</param-value>
</init-param>
</filter>
<filter>
<filter-name>trinidad</filter-name>
<filter-class>org.apache.myfaces.trinidad.webapp.TrinidadFilter</filter-class>
</filter>
<filter>
<filter-name>adfBindings</filter-name>
<filter-class>oracle.adf.model.servlet.ADFBindingFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>JpsFilter</filter-name>
<servlet-name>Faces Servlet</servlet-name>
<dispatcher>FORWARD</dispatcher>
<dispatcher>REQUEST</dispatcher>
<dispatcher>INCLUDE</dispatcher>
</filter-mapping>
<filter-mapping>
<filter-name>trinidad</filter-name>
<servlet-name>Faces Servlet</servlet-name>
<dispatcher>FORWARD</dispatcher>
<dispatcher>REQUEST</dispatcher>
</filter-mapping>
<filter-mapping>
<filter-name>adfBindings</filter-name>
<servlet-name>Faces Servlet</servlet-name>
<dispatcher>FORWARD</dispatcher>
<dispatcher>REQUEST</dispatcher>
</filter-mapping>
<servlet>
<servlet-name>Faces Servlet</servlet-name>
<servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet>
<servlet-name>resources</servlet-name>
<servlet-class>org.apache.myfaces.trinidad.webapp.ResourceServlet</servlet-class>
</servlet>
<servlet>
<servlet-name>adfAuthentication</servlet-name>
<servlet-class>oracle.adf.share.security.authentication.AuthenticationServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>Faces Servlet</servlet-name>
<url-pattern>/faces/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>resources</servlet-name>
<url-pattern>/adf/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>resources</servlet-name>
<url-pattern>/afr/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>adfAuthentication</servlet-name>
<url-pattern>/adfAuthentication/*</url-pattern>
</servlet-mapping>
<session-config>
<session-timeout>35</session-timeout>
</session-config>
<mime-mapping>
<extension>html</extension>
<mime-type>text/html</mime-type>
</mime-mapping>
<mime-mapping>
<extension>txt</extension>
<mime-type>text/plain</mime-type>
</mime-mapping>
<security-constraint>
<web-resource-collection>
<web-resource-name>adfAuthentication</web-resource-name>
<url-pattern>/adfAuthentication</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>valid-users</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/login.html</form-login-page>
<form-error-page>/error.html</form-error-page>
</form-login-config>
</login-config>
<security-role>
<role-name>valid-users</role-name>
</security-role>
</web-app>
Regards
Paul -
ISE problem with EAP-TLS Supplicant Provisioning
Hi All,
I have a demo built using ISE v1.1.3 patch 1 and a WLC using v7.4.100.0 software. The aim of the demo is to provision a device's supplicant with an EAP-TLS Certificate... 'device on-boarding'
The entire CWA / Device Registration process is all fine and works well. I'm using a publically signed Cert on ISE that is built from [Root CA + Intermediate CA + Host Cert] which is used for both HTTPS and EAP and I also have SCEP operating against my Win 2k8 Enterprise Edition CA that is part of my Active Directory. All of this works fine.
The problem is that when ISE pushes the WLAN config down to the device, it instructs the Client to check for the Root CA, but the RADIUS processes within ISE are bound to the Intermediate CA. This leads to a problem where the Client doesn't trust the Certificate presented to it from ISE. There doesn't seem to be any way to configure this behaviour within ISE.
Has anybody else encountered this? Know a solution? Have suggestions for a workaround?
Cheers,
Richard
PS - Also using WinSPWizard 1.0.0.28Hi Richard,
This is a misbehavior that ISE is provisioning the intermediate CA certificate during the BYOD registration process in similar (hierarchical certificate authority) scenarios. It is going to be fixed soon. Engineering is almost ready with the fix.
Istvan Segyik
Systems Engineer
Global Virtual Engineering
WW Partner Organization
Cisco Systems, Inc
Email: [email protected]
Work: +36 1 2254604
Monday - Friday, 8:30 am-17:30 pm - UTC+1 (CET) -
802.1x with EAP-TLS Fails on Wired
Dear Colleagues,
I am currently encountering an issue which does not seem to make sense to me and hence checking if anyone of you have come across the same or can provide further input on how to proceed...
Setup :
1. Radius Server - Cisco ACS 1113 Engine
2. Authenticator - Cisco 6509 Switch
3. Supplicant - Windows XP SP2/3
Problem:
1. Supplicants fail to authenticate using EAP-TLS as the authentication method.
Errors Seen:
1. Cisco ACS Reports - Authen session timed out: Supplicant did not respond to ACS correctly. Check supplicant configuration.
2. Cisco Switch Reports - dot1x-err(Gi3/39): Invalid Eapol packet length = 1490
3. Supplicant Reports when Trace enabled in the RASTLS file - â>> Received Failure (Code: 4) packet: Id: 8, Length: 4, Type: 0, TLS blob length: 0. Flags:â and âCode 4 unexpected in state SentFinishedâ
Other Information:
1. Wireless Clients using the windows supplicant and EAP-TLS connect without any issue.
2. ACS has certificates issued by 3rd Party Root CA - Geotrust.
3. Clients have Certs issued by clients own CA infrastructure.
4. ACS has the clients Root CA cert in the trust list and hence why the wireless users work.
5. PEAP works fine on wired.
Any pointers appreciated. Happy to share logs from Switch / Supplicant and ACS if needed.
Thanks
VolvenDear Colleagues,
I am currently encountering an issue which does not seem to make sense to me and hence checking if anyone of you have come across the same or can provide further input on how to proceed...
Setup :
1. Radius Server - Cisco ACS 1113 Engine
2. Authenticator - Cisco 6509 Switch
3. Supplicant - Windows XP SP2/3
Problem:
1. Supplicants fail to authenticate using EAP-TLS as the authentication method.
Errors Seen:
1. Cisco ACS Reports - Authen session timed out: Supplicant did not respond to ACS correctly. Check supplicant configuration.
2. Cisco Switch Reports - dot1x-err(Gi3/39): Invalid Eapol packet length = 1490
3. Supplicant Reports when Trace enabled in the RASTLS file - â>> Received Failure (Code: 4) packet: Id: 8, Length: 4, Type: 0, TLS blob length: 0. Flags:â and âCode 4 unexpected in state SentFinishedâ
Other Information:
1. Wireless Clients using the windows supplicant and EAP-TLS connect without any issue.
2. ACS has certificates issued by 3rd Party Root CA - Geotrust.
3. Clients have Certs issued by clients own CA infrastructure.
4. ACS has the clients Root CA cert in the trust list and hence why the wireless users work.
5. PEAP works fine on wired.
Any pointers appreciated. Happy to share logs from Switch / Supplicant and ACS if needed.
Thanks
Volven -
Possible to select self-signed certificate for client validation when connecting to VPN with EAP-TLS
In windows 8.2, I have a VPN connection configured with PPTP as the outer protocol and EAP : "Smart card or other certificate ..." as the inner protocol. Under properties, in the "When connecting" section I've selected "Use a certificate
on this computer" and un-checked "Use simple certificate selection".
My preference would be to use separate self-signed certificates for all clients rather than having a common root certificate that signed all of the individual client certificates. I've tried creating the self-signed certificate both with and without the
client authentication EKU specified, and I've added the certificate to the trusted root certificate authority store on the client. But when I attempt to connect to the VPN I can not get the self signed certificate to appear on the "Choose a certificate"
drop down.
Are self signed certificates supported for this use in EAP-TLS? If it makes a difference, I'm working with makecert (not working with a certificate server).
TIA,
-RickHi Rick,
Thank you for your patience.
According to your description, would you please let me know what command you were using to make a self-signed certificate by tool makecert? I would like to try to reproduce this issue. Also based on my experience, please let me
know if the certificate has private key associated and be present in the local machine store. Hence, please move the certificate from the trusted root certificate authority store to personal store.
Best regards,
Steven Song
Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
Maybe you are looking for
-
Elements 7 install fails on vista 64 bit
I, too am 1 of the many foolish enough to try to upgrade a program in Vista. I was foolish enough to think that if elements 5 would install in vista 64 bit, 7 would. That's what I get for thinking- I bought and downloaded PE7(which installed fine)
-
MBP 15' i5 2010 Model + vga adapter and projector issue
Dear All, my MBP always got screen crash (green / purple screen) when i use a VGA adapter in miniport to projector, I have to hard reset. it's strange that, after rebooting, it doesn't crash when I connect to the projector again. but next time when i
-
Much to my surprise, there is no audio input jack on the W520. I must have been dazzled by all of the good things about this laptop, not to notice there is no audio input. The big question is what is the best way to feed audio to the hard disk so t
-
GroupWise 2012 SP2 Windows Client - Windows 8.1 x64
I have installed GroupWise 2012 SP2 Windows Client on a Windows 8.1 x64 laptop. I can run GW for the first time, and it works fine. When I close GW, and then reopen it I get the following error: GroupWise is not properly installed. The GroupWise comp
-
Rotate object to match path or another object
How do I rotate an object to either make one of its sides match another object, or become totally horizontal/vertical. Let's say I want to rotate rectangle A in the picture so that its red line has the same angle as the horizontal path B, or the same