Mac-auth-bypass fails MAC: 0000.0000.0000

I have an old JetDirect which does not support 802.1X. I enabled MAB on the port where it connects, but for some reason it fails MAB every time. I enabled debug dot1x and pasted some of the output here. I know that my dot1x config is good... I have clients who authenticate via RADIUS to my ACS server. I also have a different port using MAB, not a JetDirect, and the two ports are configured the same way. From the debugging, it seems that the switch can't glean the MAC of the JetDirect. Any ideas? It is a 3750 with 12.2(44)SE2. I tried to shut/no shut the interface and reset the JetDirect; nothing seems to work. I see no request on my ACS server for the MAC address of the device.

aaa authentication dot1x default group radius
aaa authorization network default group radius

radius-server host 192.168.x.x auth-port 1645 acct-port 1646

interface FastEthernet2/0/31
 description white A002
 switchport access vlan 112
 switchport mode access
 switchport voice vlan 800
 switchport port-security maximum 3
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 srr-queue bandwidth share 10 10 60 20
 srr-queue bandwidth shape 10 0 0 0
 mls qos trust device cisco-phone
 mls qos trust cos
 auto qos voip cisco-phone
 dot1x mac-auth-bypass eap
 dot1x pae authenticator
 dot1x port-control auto
 dot1x host-mode multi-domain
 dot1x violation-mode restrict
 dot1x timeout tx-period 2
 dot1x timeout supp-timeout 10
 spanning-tree portfast
 spanning-tree bpduguard enable

012729: May  5 14:51:31.672: dot1x-packet:dot1x_txReq: EAPOL packet sent to default authenticator
012730: May  5 14:51:32.586: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet2/0/31, changed state to
012731: May  5 14:51:33.727: dot1x-packet:Received an EAP request packet from EAP for mac 0000.0000.0000
012732: May  5 14:51:33.727: dot1x-sm:Posting EAP_REQ client = 4219220
012733: May  5 14:51:33.727: dot1x_auth_bend Fa2/0/31: during state auth_bend_request, got event 7(eapReq)
012734: May  5 14:51:33.727: @@@ dot1x_auth_bend Fa2/0/31: auth_bend_request -> auth_bend_request
012735: May  5 14:51:33.727: dot1x-sm:Fa2/0/31:0000.0000.0000:auth_bend_request_request_action called
012736: May  5 14:51:33.727: dot1x-sm:Fa2/0/31:0000.0000.0000:auth_bend_request_enter called
012737: May  5 14:51:33.727: dot1x-packet:dot1x_mgr_send_eapol: EAP code: 0x1 id: 0x2 length: 0x0005 type: 0x1 data:
012738: May  5 14:51:33.727: dot1x-ev:FastEthernet2/0/31: Sending EAPOL packet to group PAE address
012739: May  5 14:51:33.727: dot1x-ev:dot1x_mgr_pre_process_eapol_pak: Role determination not required on FastEthernet2/0/31.
012740: May  5 14:51:33.727: dot1x-registry:registry:dot1x_ether_macaddr called
012741: May  5 14:51:33.727: dot1x-ev:dot1x_mgr_send_eapol: EAPOL packet sent out on FastEthernet2/0/31
012742: May  5 14:51:33.727: EAPOL pak Tx dump
012743: May  5 14:51:33.727: EAPOL Version: 0x2 type: 0x0 length: 0x0005
012744: May  5 14:51:33.727: EAP code: 0x1 id: 0x2 length: 0x0005 type: 0x1
012745: May  5 14:51:33.727: dot1x-packet:dot1x_txReq: EAPOL packet sent to default authenticator
012746: May  5 14:51:35.791: dot1x-ev:Received an EAP Timeout on FastEthernet2/0/31 for mac 0000.0000.0000
012747: May  5 14:51:35.791: dot1x-sm:Posting EAP_TIMEOUT client = 4219220
012748: May  5 14:51:35.791: dot1x_auth_bend Fa2/0/31: during state auth_bend_request, got event 12(eapTimeout)
012749: May  5 14:51:35.791: @@@ dot1x_auth_bend Fa2/0/31: auth_bend_request -> auth_bend_timeout
012750: May  5 14:51:35.791: dot1x-sm:Fa2/0/31:0000.0000.0000:auth_bend_timeout_enter called
012751: May  5 14:51:35.791: dot1x-sm:Fa2/0/31:0000.0000.0000:auth_bend_request_timeout_action called
012752: May  5 14:51:35.791: dot1x_auth_bend Fa2/0/31: idle during state auth_bend_timeout
012753: May  5 14:51:35.791: @@@ dot1x_auth_bend Fa2/0/31: auth_bend_timeout -> auth_bend_idle
012754: May  5 14:51:35.791: dot1x-sm:Fa2/0/31:0000.0000.0000:auth_bend_idle_enter called
012755: May  5 14:51:35.791: dot1x-sm:Posting AUTH_TIMEOUT client = 4219220
012756: May  5 14:51:35.791: dot1x_auth Fa2/0/31: during state auth_authenticating, got event 15(authTimeout)
012757: May  5 14:51:35.791: @@@ dot1x_auth Fa2/0/31: auth_authenticating -> auth_fallback
012758: May  5 14:51:35.791: dot1x-sm:Fa2/0/31:0000.0000.0000:auth_authenticating_exit called
012759: May  5 14:51:35.791: dot1x-sm:Fa2/0/31:0000.0000.0000:auth_fallback_enter called
012760: May  5 14:51:35.791: dot1x_auth_mab: initial state mab_initialize has enter
012761: May  5 14:51:35.791: dot1x_auth_mab: during state mab_initialize, got event 2(mabStart)
012762: May  5 14:51:35.791: @@@ dot1x_auth_mab: mab_initialize -> mab_acquiring
012763: May  5 14:53:08.831: dot1x_auth_mab: during state mab_acquiring, got event 3(mabResult) (ignored)

HQ_1stFlr_3750#sh dot1x int fa2/0/31 det

Dot1x Info for FastEthernet2/0/31
-----------------------------------
PAE                       = AUTHENTICATOR
PortControl               = AUTO
ControlDirection          = Both
HostMode                  = MULTI_DOMAIN
Violation Mode            = RESTRICT
ReAuthentication          = Disabled
QuietPeriod               = 60
ServerTimeout             = 30
SuppTimeout               = 10
ReAuthPeriod              = 3600 (Locally configured)
ReAuthMax                 = 2
MaxReq                    = 2
TxPeriod                  = 2
RateLimitPeriod           = 0
Mac-Auth-Bypass           = Enabled (EAP)
Inactivity Timeout        = None

Dot1x Authenticator Client List Empty

Port Status               = UNAUTHORIZED

Does the JetDirect card use DHCP to get an IP address? If not, the JetDirect won't send any traffic for the switch to authenticate. To test this, use the printer's front panel to send a ping packet and see if it triggers MAB.
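A small triage script for "debug dot1x" output like the trace above, as an added example (not code from the original post): it tracks the state-machine transitions and the MACs the switch reports, and flags the situation in this thread, where the MAB machine sits in mab_acquiring with only the null MAC, so no RADIUS request can ever be sent. The sample lines are constructed from the trace above.

```python
import re
from dataclasses import dataclass, field

# Constructed sample, modelled on the debug dot1x trace in the post above:
# the endpoint never sends a frame, so the only MAC the switch reports is the null MAC.
SAMPLE_DEBUG = """\
012729: May 5 14:51:31.672: dot1x-packet:dot1x_txReq: EAPOL packet sent to default authenticator
012731: May 5 14:51:33.727: dot1x-packet:Received an EAP request packet from EAP for mac 0000.0000.0000
012733: May 5 14:51:33.727: dot1x_auth_bend Fa2/0/31: during state auth_bend_request, got event 7(eapReq)
012734: May 5 14:51:33.727: @@@ dot1x_auth_bend Fa2/0/31: auth_bend_request -> auth_bend_request
012746: May 5 14:51:35.791: dot1x-ev:Received an EAP Timeout on FastEthernet2/0/31 for mac 0000.0000.0000
012749: May 5 14:51:35.791: @@@ dot1x_auth_bend Fa2/0/31: auth_bend_request -> auth_bend_timeout
012753: May 5 14:51:35.791: @@@ dot1x_auth_bend Fa2/0/31: auth_bend_timeout -> auth_bend_idle
012757: May 5 14:51:35.791: @@@ dot1x_auth Fa2/0/31: auth_authenticating -> auth_fallback
012762: May 5 14:51:35.791: @@@ dot1x_auth_mab: mab_initialize -> mab_acquiring
012763: May 5 14:53:08.831: dot1x_auth_mab: during state mab_acquiring, got event 3(mabResult) (ignored)
"""

# "@@@ <machine> [port]: <from> -> <to>" state transitions (machine names as IOS prints them)
TRANSITION = re.compile(
    r"@+\s*(?P<machine>dot1x_auth\w*|mab)\b[^:]*:\s*(?P<src>\w+)\s*->\s*(?P<dst>\w+)")
# MAC addresses the switch attached to EAP events
MAC = re.compile(r"for mac (?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})", re.I)
# events a state machine received but discarded
IGNORED = re.compile(r"during state (?P<state>\w+), got event \d+\((?P<event>\w+)\) \(ignored\)")
NULL_MAC = "0000.0000.0000"


@dataclass
class MabTriage:
    final_state: dict = field(default_factory=dict)   # state machine -> last state reached
    macs: set = field(default_factory=set)            # every MAC the switch reported
    ignored_events: list = field(default_factory=list)
    verdict: str = ""


def triage(debug_text: str) -> MabTriage:
    """Summarise a debug dot1x capture and say why MAB did (not) reach RADIUS."""
    t = MabTriage()
    for line in debug_text.splitlines():
        if (m := TRANSITION.search(line)):
            t.final_state[m["machine"]] = m["dst"]
        if (m := MAC.search(line)):
            t.macs.add(m["mac"].lower())
        if (m := IGNORED.search(line)):
            t.ignored_events.append((m["state"], m["event"]))
    real_macs = t.macs - {NULL_MAC}
    mab_state = t.final_state.get("dot1x_auth_mab") or t.final_state.get("mab")
    if mab_state is None:
        t.verdict = "MAB state machine never started (no dot1x fallback occurred)"
    elif mab_state == "mab_acquiring" and not real_macs:
        t.verdict = ("no source MAC learned: MAB is waiting for a frame from the endpoint, "
                     "so no RADIUS request is sent; verify the device transmits (DHCP, ping)")
    elif mab_state == "mab_acquiring":
        t.verdict = "MAC %s learned; MAB waiting for the RADIUS result" % ", ".join(sorted(real_macs))
    else:
        t.verdict = "MAB ended in state %s; check the RADIUS/AuthMgr result lines" % mab_state
    return t


if __name__ == "__main__":
    result = triage(SAMPLE_DEBUG)
    print(result.final_state)
    print(result.verdict)
```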

Tags: Cisco Security

Similar Questions

  • MAC-based group error: "there are no resources for this range"

    Hello

    I have an SG300-52. My goal is a setup where a client can connect to any port and is automatically placed in a VLAN depending on its MAC address.

    For this I set up some VLANs.

    Vlan  Name   Ports                        Created by
    ----  -----  ---------------------------  ----------
    1     1      gi1-46,gi48-52,Po1-8         D
    10    10     gi1-46,gi48,gi51             S
    20    20     gi1-46,gi48,gi51             S
    30    30     gi1-46,gi48,gi51             S

    All ports where clients can connect have these VLANs configured as untagged.

    I have about 40 MACs that I want to put into the VLANs dynamically, so I set up a MAC group to VLAN mapping:

    conf t
    interface range gi1-46
    switchport mode general
    switchport general map macs-group 5 vlan 5
    switchport general map macs-group 10 vlan 10
    switchport general map macs-group 20 vlan 20
    switchport general map macs-group 30 vlan 30

    Now I want to add MAC addresses to the MAC groups:

    map mac 0000.0000.2222 host macs-group 10

    But after adding a few MACs, I get the error "there are no resources for this range".

    Is there a limitation on the number of MAC addresses in a MAC group?

    Please advise how to proceed, or whether there is another way to achieve the goal.

    Tobias

    Hello Tobias,

    There is a limitation on the number of MAC addresses that can be added to a MAC group and applied to interfaces. Each MAC entry per interface consumes a single TCAM resource (the maximum allowed is around 500, I think). So if you have 10 MAC addresses applied through 48 ports, that's 480 TCAM entries. This assumes you have no other rules (ACL, MAC ACL, etc.) configured. If you have a large number of MAC addresses that need static VLAN assignment, the best approach would be to use dot1x-based VLAN assignment. It would be a scalable approach.

    I hope this helps.

    Nana

  • Rejected MAC addresses are not placed in the guest VLAN

    Hi all

    I'm kind of new to switches and have learned a lot by reading the documentation sites. My job is to activate AAA authentication on our Cisco switches; we have a 3750 stack, a few 3560s and some 3550s. I'm testing on one of the 3560s, a WS-C3560G-48PS running 12.2(53)SE1 IP-BASE. Next week I'll update the firmware to 12.2(55), but with this version everything should already work.

    Basically, the only thing I'm asked to do at the moment is the MAC-Auth Bypass configuration. If the MAC address is accepted, RADIUS returns the VLAN the device should be placed in, for the most part VLAN 4.

    If the RADIUS server (freeradius v2.1.10) sends a reject (see below), the port is not put into the guest VLAN, as I expected it to be.

    Dec 21 16:23:19 10.1.1.207 37473: 2204830: .Dec 21 16:20:31.950 CET: %AUTHMGR-5-FAIL: Authorization failed for client (f0de.f119.9870) on Interface Gi0/29 AuditSessionID 0A0101CF0000086CF832980B
    Dec 21 16:23:19 10.1.1.207 37472: 2204808: .Dec 21 16:20:31.950 CET: %MAB-5-FAIL: Authentication failed for client (f0de.f119.9870) on Interface Gi0/29 AuditSessionID 0A0101CF0000086CF832980B
    Dec 21 16:23:18 10.1.1.207 37471: 2204776: .Dec 21 16:20:30.935 CET: %AUTHMGR-5-START: Starting 'mab' for client (f0de.f119.9870) on Interface Gi0/29 AuditSessionID 0A0101CF0000086CF832980B

    Can someone tell me where I'm going wrong?

    Thank you

    Chris

    Relevant parts of the running-config:
    aaa new-model
    !
    aaa authentication dot1x default group radius
    aaa authorization network default group radius
    aaa accounting delay-start
    aaa accounting dot1x default start-stop group radius
    aaa accounting network default start-stop group radius
    !
    aaa session-id common
    !
    dot1x system-auth-control
    !
    interface GigabitEthernet0/29
     description 235a
     switchport mode access
     switchport voice vlan 2
     load-interval 30
     srr-queue bandwidth share 10 10 60 20
     queue-set 2
     priority-queue out
     authentication event fail action authorize vlan 7
     authentication event server dead action authorize vlan 4
     authentication event server alive action reinitialize
     authentication host-mode multi-domain
     authentication port-control auto
     mab
     mls qos trust device cisco-phone
     mls qos trust cos
     auto qos voip cisco-phone
     spanning-tree portfast
     service-policy input AutoQoS-Police-CiscoPhone
    !
    interface Vlan1
     ip address 10.1.1.207 255.255.255.0
    !
    interface Vlan2
     ip address 10.1.10.207 255.255.255.0
    !
    ip default-gateway 10.1.1.201
    ip classless
    !
    ip sla enable reaction-alerts
    radius-server host 10.1.1.24 auth-port 1812 acct-port 1813
    radius-server timeout 10
    radius-server key 7 <removed>
    radius-server vsa send accounting
    radius-server vsa send authentication
    !
    end

    VLAN information:

    VLAN Name                             Status    Ports
    ---- -------------------------------- --------- -------------------------------
    1    default                          active    Gi0/6, Gi0/8, Gi0/14, Gi0/15
                                                    Gi0/18, Gi0/21, Gi0/29, Gi0/30
                                                    Gi0/34, Gi0/36, Gi0/37, Gi0/49
                                                    Gi0/50, Gi0/51
    2    voice                            active    Gi0/1, Gi0/2, Gi0/3, Gi0/4
                                                    Gi0/5, Gi0/6, Gi0/7, Gi0/8
                                                    Gi0/9, Gi0/10, Gi0/11, Gi0/12
                                                    Gi0/13, Gi0/14, Gi0/15, Gi0/16
                                                    Gi0/17, Gi0/18, Gi0/19, Gi0/20
                                                    Gi0/21, Gi0/22, Gi0/23, Gi0/24
                                                    Gi0/25, Gi0/26, Gi0/27, Gi0/28
                                                    Gi0/29, Gi0/30, Gi0/31, Gi0/32
                                                    Gi0/33, Gi0/34, Gi0/35, Gi0/36
                                                    Gi0/37, Gi0/38, Gi0/39, Gi0/40
                                                    Gi0/42, Gi0/43, Gi0/44, Gi0/45
                                                    Gi0/46, Gi0/47, Gi0/49
    3    video                            active
    4    DHCP                             active    Gi0/1, Gi0/2, Gi0/3, Gi0/4
                                                    Gi0/5, Gi0/7, Gi0/9, Gi0/10
                                                    Gi0/11, Gi0/12, Gi0/13, Gi0/16
                                                    Gi0/17, Gi0/19, Gi0/20, Gi0/22
                                                    Gi0/23, Gi0/24, Gi0/25, Gi0/26
                                                    Gi0/27, Gi0/28, Gi0/31, Gi0/32
                                                    Gi0/33, Gi0/35, Gi0/38, Gi0/39
                                                    Gi0/40, Gi0/41, Gi0/42, Gi0/43
                                                    Gi0/44, Gi0/45, Gi0/46, Gi0/48
    5    transfer                         active
    6    Test ESX                         active
    7    GUEST-VLAN                       active
    999  native                           active
    1002 fddi-default                     act/unsup
    1003 trcrf-default                    act/unsup
    1004 fddinet-default                  act/unsup
    1005 trbrf-default                    act/unsup

    VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
    ---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
    1    enet  100001     1500  -      -      -        -    -        0      0
    2    enet  100002     1500  -      -      -        -    -        0      0
    3    enet  100003     1500  -      -      -        -    -        0      0
    4    enet  100004     1500  -      -      -        -    -        0      0
    5    enet  100005     1500  -      -      -        -    -        0      0
    6    enet  100006     1500  -      -      -        -    -        0      0
    7    enet  100007     1500  -      -      -        -    -        0      0
    999  enet  100999     1500  -      -      -        -    -        0      0
    1002 fddi  101002     1500  -      -      -        -    -        0      0
    1003 trcrf 101003     4472  1005   3276   -        -    srb      0      0
    1004 fdnet 101004     1500  -      -      -        ieee -        0      0
    1005 trbrf 101005     4472  -      -      15       ibm  -        0      0

    VLAN AREHops STEHops Backup CRF
    ---- ------- ------- ----------
    1003 7       7       off

    Remote SPAN VLANs
    ------------------------------------------------------------------------------

    Primary Secondary Type              Ports
    ------- --------- ----------------- ------------------------------------------

    Hello

    Just to use the correct names: what you want is an auth-fail VLAN (which you configured correctly). The guest VLAN is for PCs that have no dot1x capability (they do not respond to dot1x packets), but with MAC bypass the "no-response" event will never happen.

    Now that we've explained that, your config actually looks quite OK. I'd go with debugs to check what the problem is.

    debug radius

    debug epm all

    debug authentication feature mab all
    debug authentication feature mda all

    Nicolas

    ===

    Remember to rate the responses that you find useful

  • Dot1x Guest VLAN / Auth-Fail VLAN issues

    Hi all

    I'm configuring dot1x on our access-layer switch ports and have a few problems with devices that fail authentication. This is the current configuration on the switch ports:

    switchport mode access
    switchport voice vlan 38
    dot1x mac-auth-bypass
    dot1x pae authenticator
    dot1x port-control auto
    dot1x host-mode multi-domain
    dot1x timeout server-timeout 10
    dot1x timeout reauth-period server
    dot1x timeout tx-period 10
    dot1x timeout supp-timeout 3
    dot1x max-req 3
    dot1x max-reauth-req 3
    dot1x reauthentication
    dot1x critical
    dot1x critical recovery action reinitialize
    dot1x auth-fail vlan 7
    dot1x guest-vlan 7
    dot1x critical vlan 36
    spanning-tree portfast
    spanning-tree bpduguard enable

    When a non-employee connects, they go through the authentication process, eventually fail dot1x and MAB, and are placed in the designated guest VLAN 7. If you do a "show int gx/x status" on this port, the switch shows it connected and in VLAN 7. If you do a "show dot1x int gx/x details" it also shows the port as authorized (by Guest-Vlan) and the VLAN policy is 7. The problem is the user never gets a valid IP address; they only receive a 169.x.x.x. Does anyone have experience with this type of issue or have any recommendations?

    Thank you

    Brian

    - First of all, your switch commands tell me you are using old software on your switch; you should upgrade it first of all, there have been a lot of bug fixes and improvements to dot1x/mab in recent versions.

    - Your problem is probably that the DHCP client of your guest is timing out before you are finished with dot1x and mab. Usually adjusting tx-period to a lower number can help with the time it takes before joining the guest VLAN, but it could also have an impact on your computers running dot1x, so you should try some different values. Also, using Windows XP SP3 or Windows 7 helps on your dot1x machines, and finally, with the AnyConnect NAM supplicant it will operate properly without any problems when setting the dot1x timers on your switch.

    - With the new software I'd go with default timers, perhaps change tx-period to 5 seconds, and then use the "authentication order mab dot1x" and "authentication priority mab dot1x" commands. Also, having your guest VLAN as your default VLAN will generally solve the problem of guests having to do a new DHCP request; however, you can run into problems with stuff you want to use mab on.

  • Cisco ASA 5510 - IOS upgrade from 7.0 failing: BIOS flash not found

    Hello everyone

    I have a Cisco ASA 5510 in a lab environment with no configuration whatsoever.

    Objective: upgrade the current IOS version 7.0(8) to 7.1.1 (possibly go to 8.2 after a memory upgrade on the ASA from 256 MB to 1 GB, and then move to the latest 8.2 IOS version).

    See the attached show version output.

    Show flash output attached.

    asa711-k8.bin is the file that was copied from a TFTP server to flash.

    The following commands were executed to update the IOS:

    ciscoasa(config)# boot system flash:/asa711-k8.bin
    INFO: Converting flash:/asa711-k8.bin to disk0:/asa711-k8.bin
    ciscoasa(config)#
    ciscoasa(config)# end
    ciscoasa# write memory
    Cryptochecksum: aaaa08ce ccde38f2 19c42e08 dea24cbd
    2713 bytes copied in 1.450 secs (2713 bytes/sec)
    [OK]
    ciscoasa# reload

    PROBLEM: the ASA goes into an infinite loop (constantly rebooting). This is the message on the console:

    Booting system, please wait...

    CISCO SYSTEMS
    Embedded BIOS Version 1.0(11)5 08/28/08 15:11:51.82
    Memory: 631 KB
    Memory: 256 MB
    PCI Device Table.
    Bus Dev Func VendID DevID Class              Irq
     00  00  00   8086   2578  Host Bridge
     00  01  00   8086   2579  PCI-to-PCI Bridge
     00  03  00   8086   257B  PCI-to-PCI Bridge
     00  1C  00   8086   25AE  PCI-to-PCI Bridge
     00  1D  00   8086   25A9  Serial Bus         11
     00  1D  01   8086   25AA  Serial Bus         10
     00  1D  04   8086   25AB  System
     00  1D  05   8086   25AC  IRQ Controller
     00  1D  07   8086   25AD  Serial Bus          9
     00  1E  00   8086   244E  PCI-to-PCI Bridge
     00  1F  00   8086   25A1  ISA Bridge
     00  1F  02   8086   25A3  IDE Controller     11
     00  1F  03   8086   25A4  Serial Bus          5
     00  1F  05   8086   25A6  Audio               5
     02  01  00   8086   1075  Ethernet           11
     03  01  00   177D   0003  Encrypt/Decrypt     9
     03  02  00   8086   1079  Ethernet            9
     03  02  01   8086   1079  Ethernet            9
     03  03  00   8086   1079  Ethernet            9
     03  03  01   8086   1079  Ethernet            9
     04  02  00   8086   1209  Ethernet           11
     04  03  00   8086   1209  Ethernet            5
    Evaluating BIOS Options ...
    Launch BIOS Extension to setup ROMMON
    Cisco Systems ROMMON Version (1.0(11)5) #0: Thu Aug 28 15:23:50 CDT 2008
    Platform ASA5510
    Use BREAK or ESC to interrupt boot.
    Use SPACE to begin boot immediately.
    Starting boot program...
    Boot configuration file contains 1 entry.

    Loading disk0:/asa711-k8.bin... Booting...

    256MB RAM
    Total SSMs found: 0
    Total NICs found: 7
    mcwa i82557 Ethernet at irq 11 MAC: 0024.974a.65af
    mcwa i82557 Ethernet at irq  5 MAC: 0000.0001.0001
    BIOS flash not found.
    Resetting...

    The only way for me to get things back to normal is to BREAK the boot sequence with ESC and go into ROMMON mode. I then issue a boot command for the ASA to boot with the default 7.0(8) IOS image.

    Can someone please explain what the problem is here?

    Apologies if I'm missing something obvious; I'm not an ASA expert.

    Looks like the ASA is hitting a field notice: FN62378. Per the FN, it's because of the incompatible hardware and software versions. Please upgrade to version 7.1.2 instead of 7.1.1. If you plan to move to 8.2, then instead of going to 7.1.2 you could go to 7.2.5 (recommended), then 8.2.5.

    http://www.Cisco.com/c/en/us/support/docs/field-notices/620/fn62378.html

    Hope it helps.

    Kind regards

    Akshay Rouanet

    Remember to rate useful posts.

  • MAB authentication fails on a multi-domain port: authentication result "server dead"

    Hi all

    First of all, I don't have much experience with Cisco switch configuration (about half a year now), but I've read loads and loads of documentation.

    I am trying to configure multi-domain authentication (MDA) on our Cisco switches using mab and ran into something strange. Currently, only mab is requested by my employer.

    Switch = 3560G-48, IOS version 12.2(55)SE1

    RADIUS = FreeRADIUS (version 2.1.10)

    http://www.Cisco.com/en/us/docs/switches/LAN/catalyst3560/software/release/12.2_55_se/configuration/guide/swiosfs.html is my bible

    On port Gi0/29 a Cisco 7961 IP phone is connected, and a laptop is plugged into the phone.

    The switch configuration:

    aaa new-model
    !
    aaa authentication dot1x default group radius
    aaa authorization network default group radius
    aaa accounting delay-start
    aaa accounting dot1x default start-stop group radius
    aaa accounting network default start-stop group radius
    !

    interface GigabitEthernet0/29
     description 235a
     switchport access vlan 4
     switchport mode access
     switchport voice vlan 2
     load-interval 30
     srr-queue bandwidth share 10 10 60 20
     queue-set 2
     priority-queue out
     authentication event fail retry 0 action authorize vlan 7
     authentication event server dead action authorize vlan 4
     authentication event server alive action reinitialize
     authentication host-mode multi-domain
     authentication port-control auto
     authentication violation restrict
     mab
     auto qos voip cisco-phone
     spanning-tree portfast
     service-policy input AutoQoS-Police-CiscoPhone
    !

    radius-server dead-criteria time 5 tries 5
    radius-server host 10.1.1.24 auth-port 1812 acct-port 1813
    radius-server key 7 xxx
    radius-server vsa send accounting
    radius-server vsa send authentication

    RADIUS response (for the full reply see the attached RADIUS-response.txt):

    Sending Access-Accept of id 98 to 10.1.1.207 port 1645
        Cisco-AVPair = "Tunnel-Type=VLAN"
        Cisco-AVPair = "Tunnel-Medium-Type=802"
        Cisco-AVPair = "Tunnel-Private-Group-ID=7"
        Cisco-AVPair = "Tunnel-Preference"

    So that's an Access-Accept with data VLAN assignment.

    Debugging on the switch:

    001776: *Mar  1 09:27:35.606: mab-ev(Gi0/29): Received MAB context create from AuthMgr
    001777: *Mar  1 09:27:35.606: mab-ev(Gi0/29): MAB authorizing MACAddress
    001778: *Mar  1 09:27:35.606: mab-ev(Gi0/29): Created MAB client context 0x2200000F
    001779: *Mar  1 09:27:35.606: mab: initial state mab_initialize has enter
    001780: *Mar  1 09:27:35.606: mab-ev(Gi0/29): Sent create new EAP context event to EAP for 0x2200000F (MACAddress)
    001781: *Mar  1 10:27:35.606 CET: %AUTHMGR-5-START: Starting 'mab' for client (MACAddress) on Interface Gi0/29 AuditSessionID 0A0101CF0000007F0207A4AC
    001782: *Mar  1 09:27:35.606: mab-sm(Gi0/29): Received event 'MAB_CONTINUE' on handle 0x2200000F
    001783: *Mar  1 09:27:35.606: mab: during state mab_initialize, got event 1(mabContinue)
    001784: *Mar  1 09:27:35.606: @@@ mab: mab_initialize -> mab_authorizing
    001785: *Mar  1 09:27:35.606: mab-ev(Gi0/29): MAC-AUTH-BYPASS starting for 0x2200000F (MACAddress)
    001786: *Mar  1 09:27:35.614: mab-ev(Gi0/29): MAB received an Access Reject for 0x2200000F (MACAddress)
    001787: *Mar  1 10:27:35.622 CET: %MAB-5-FAIL: Authentication failed for client (MACAddress) on Interface Gi0/29 AuditSessionID 0A0101CF0000007F0207A4AC
    001788: *Mar  1 09:27:35.622: mab-sm(Gi0/29): Received event 'MAB_RESULT' on handle 0x2200000F
    001789: *Mar  1 09:27:35.622: mab: during state mab_authorizing, got event 5(mabResult)
    001790: *Mar  1 09:27:35.622: @@@ mab: mab_authorizing -> mab_terminate
    001791: *Mar  1 09:27:35.622: mab-ev(Gi0/29): Deleted credentials profile for 0x2200000F (dot1x_mac_auth_MACAddress)
    001792: *Mar  1 09:27:35.622: mab-ev(Gi0/29): Sending event (2) to AuthMgr for MACAddress
    001793: *Mar  1 10:27:35.622 CET: %AUTHMGR-7-RESULT: Authentication result 'server dead' from 'mab' for client (MACAddress) on Interface Gi0/29 AuditSessionID 0A0101CF0000007F0207A4AC
    001794: *Mar  1 10:27:35.622 CET: %AUTHMGR-5-VLANASSIGN: VLAN 4 assigned to Interface Gi0/29 AuditSessionID 0A0101CF0000007F0207A4AC
    001795: *Mar  1 10:27:36.512 CET: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (MACAddress) on Interface Gi0/29 AuditSessionID 0A0101CF0000007F0207A4AC

    So RADIUS returns an Access-Accept, but the switch treats it as an Access-Reject and considers RADIUS dead.

    Help would be appreciated!

    Chris

    Hi Chris,

    In response to your last post, dynamic VLAN assignment can be achieved with the IETF RADIUS attributes as per the link:
    http://Tools.Cisco.com/Squish/d1791

    or using the cisco-av-pair as per the link:
    http://Tools.Cisco.com/Squish/8Bd61

    As for FreeRADIUS and cisco-av-pairs: could you please enable the following debugs on the switch and reproduce the problem with a client authentication attempt:
    debug radius
    debug authentication all
    debug authentication feature all

    After the client authentication event, also provide the following from the switch:
    show authentication sessions interface <interface>

    I've run into problems with the case of the cisco-av-pair. For example, VLAN assignment works using the lowercase 'tunnel-private-group-id(#81)=vlanid' instead of 'tunnel-private-group-ID(#81)=vlanid'.

    When testing with 'tunnel-private-group-ID(#81)=vlanid', I get an error:

    RADIUS/DECODE: parse unknown cisco vsa 'tunnel-private-group-ID' - FAIL

    So the 2nd link, with these changes:
    cisco-avpair = "tunnel-type(#64)=VLAN(13)"
    cisco-avpair = "tunnel-medium-type(#65)=802 media(6)"
    cisco-avpair = "tunnel-private-group-id(#81)=vlanid"

    If you still have a question, please include the debug/show output above, which will shed light on the problem.

    Thank you
    Alex
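The IETF attribute layout Alex points to, as an added example (not code from the poster, FreeRADIUS or Cisco): it builds the three RFC 2868 tunnel attributes with their tag byte, wraps them in an RFC 2865 Access-Accept with a proper Response Authenticator, and decodes them the way a NAS would, including the untagged and mismatched-tag cases. The RADIUS identifier, request authenticator and shared secret are constructed test values.

```python
import hashlib
import hmac
import struct

# Attribute numbers (RFC 2865/2868) and the values a Catalyst expects for VLAN assignment
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13      # Tunnel-Type = VLAN
TUNNEL_MEDIUM_802 = 6      # Tunnel-Medium-Type = IEEE-802
ACCESS_ACCEPT = 2


def _check_tag(tag: int) -> None:
    # RFC 2868: valid tags are 0x01..0x1F; 0x00 means "untagged"
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0..31")


def tagged_integer(attr_type: int, tag: int, value: int) -> bytes:
    # Type, Length=6, Tag, 3-byte big-endian value
    _check_tag(tag)
    return struct.pack(">BBB", attr_type, 6, tag) + value.to_bytes(3, "big")


def tagged_string(attr_type: int, tag: int, value: bytes) -> bytes:
    # Type, Length, Tag, String
    _check_tag(tag)
    if len(value) > 252:
        raise ValueError("attribute value too long")
    return struct.pack(">BBB", attr_type, len(value) + 3, tag) + value


def vlan_assignment_attributes(vlan_id: int, tag: int = 0) -> bytes:
    """The three IETF attributes carried in an Access-Accept for dynamic VLAN assignment."""
    return (tagged_integer(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + tagged_integer(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_802)
            + tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan_id).encode()))


def build_access_accept(identifier: int, request_authenticator: bytes,
                        secret: bytes, attributes: bytes) -> bytes:
    """RFC 2865 Access-Accept; Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    header = struct.pack(">BBH", ACCESS_ACCEPT, identifier, 20 + len(attributes))
    resp_auth = hashlib.md5(header + request_authenticator + attributes + secret).digest()
    return header + resp_auth + attributes


def verify_response_authenticator(packet: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """What the NAS checks before trusting the reply (a wrong secret or a replayed reply fails here)."""
    header, resp_auth, attributes = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_authenticator + attributes + secret).digest()
    return hmac.compare_digest(resp_auth, expected)


def decode_attributes(attributes: bytes) -> list:
    """Walk the attribute list: (type, tag, value) for tunnel attributes, (type, None, raw) otherwise."""
    out, i = [], 0
    while i < len(attributes):
        if i + 2 > len(attributes):
            raise ValueError("truncated attribute header")
        atype, alen = attributes[i], attributes[i + 1]
        if alen < 2 or i + alen > len(attributes):
            raise ValueError("bad attribute length")
        body = attributes[i + 2:i + alen]
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(body) != 4:
                raise ValueError("tagged integer must be 4 bytes")
            out.append((atype, body[0], int.from_bytes(body[1:], "big")))
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            # RFC 2868: a leading byte above 0x1F is not a tag but the first byte of the string
            if body and body[0] <= 0x1F:
                out.append((atype, body[0], body[1:].decode()))
            else:
                out.append((atype, 0, body.decode()))
        else:
            out.append((atype, None, body))
        i += alen
    return out


def assigned_vlan(attributes: bytes):
    """VLAN id (or name) only if Tunnel-Type=VLAN, Tunnel-Medium-Type=802 and the group id share a tag."""
    by_tag = {}
    for atype, tag, value in decode_attributes(attributes):
        if tag is not None:
            by_tag.setdefault(tag, {})[atype] = value
    for attrs in by_tag.values():
        if (attrs.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and attrs.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_802
                and TUNNEL_PRIVATE_GROUP_ID in attrs):
            gid = attrs[TUNNEL_PRIVATE_GROUP_ID]
            return int(gid) if gid.isdigit() else gid   # a Catalyst also accepts a VLAN name here
    return None
```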

  • ISE and WLC for CWA (Central Web Auth)

    Hi all

    As we know, the WLC (i.e. 5508) doesn't support MAB (MAC Auth Bypass), but it supports CWA in 7.2.x.

    CWA is the result of a successful MAB. So how does CWA work for wireless? Does that mean the WLC supports MAB?

    Hello

    The term in the wireless world is MAC filtering. When MAC filtering is triggered, you return the CWA portal in the Access-Accept.

    Don't forget to set your condition in the authentication policy to continue if the user is not found, so that the device can hit the CWA default rule.

    Thank you

    Tarik Admani
    *Please rate helpful posts*

  • 12c EM login failed

    All users fail to log in. I can log in successfully to the repository database with the same user name and password, but fail to log in to EM.

    emoms.trc shows:

    2015-03-19 15:42:44,173 [[ACTIVE] ExecuteThread: '21' for queue: 'weblogic.kernel.Default (self-tuning)'] WARN auth.EMRepLoginFilter doFilter.450 - InvalidEMUserException caught in EMRepLoginFilter: Failed to login using repository authentication for user: SYSMAN

    oracle.sysman.emSDK.sec.auth.InvalidEMUserException: Failed to login using repository authentication for user: SYSMAN
    at oracle.sysman.emSDK.sec.auth.EMLoginService._performLogin(EMLoginService.java:1289)
    at oracle.sysman.emSDK.sec.auth.EMLoginService._doEMLogin(EMLoginService.java:710)
    at oracle.sysman.emSDK.sec.auth.EMLoginService.doEMLogin(EMLoginService.java:640)
    at oracle.sysman.emSDK.sec.auth.EMLoginService.doLogin(EMLoginService.java:215)
    at oracle.sysman.emSDK.sec.auth.EMLoginService.doLogin(EMLoginService.java:261)
    at oracle.sysman.emSDK.sec.auth.EMLoginService.doLogin(EMLoginService.java:268)
    at oracle.sysman.eml.app.EMRepLoginFilter.doFilter(EMRepLoginFilter.java:427)
    at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
    at oracle.sysman.eml.app.MBeanServerConnFilter.doFilter(MBeanServerConnFilter.java:43)
    at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
    at oracle.adf.library.webapp.LibraryFilter.doFilter(LibraryFilter.java:180)
    at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
    at oracle.sysman.eml.app.ContextInitFilter.doFilter(ContextInitFilter.java:561)
    at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
    at oracle.adfinternal.view.faces.caching.filter.AdfFacesCachingFilter.doFilter(AdfFacesCachingFilter.java:137)
    at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
    at oracle.security.jps.ee.http.JpsAbsFilter$1.run(JpsAbsFilter.java:119)
    at java.security.AccessController.doPrivileged(Native Method)
    at oracle.security.jps.util.JpsSubject.doAsPrivileged(JpsSubject.java:324)
    at oracle.security.jps.ee.util.JpsPlatformUtil.runJaasMode(JpsPlatformUtil.java:460)
    at oracle.security.jps.ee.http.JpsAbsFilter.runJaasMode(JpsAbsFilter.java:103)
    at oracle.security.jps.ee.http.JpsAbsFilter.doFilter(JpsAbsFilter.java:171)
    at oracle.security.jps.ee.http.JpsFilter.doFilter(JpsFilter.java:71)
    at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
    at oracle.dms.servlet.DMSServletFilter.doFilter(DMSServletFilter.java:163)
    at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
    at weblogic.servlet.internal.RequestEventsFilter.doFilter(RequestEventsFilter.java:27)
    at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
    at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.wrapRun(WebAppServletContext.java:3730)
    at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3696)
    at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
    at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120)
    at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2273)
    at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2179)
    at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1490)
    at weblogic.work.ExecuteThread.execute(ExecuteThread.java:256)
    at weblogic.work.ExecuteThread.run(ExecuteThread.java:221)

    Hello.

    + Has the SYSMAN password been changed recently?

    + Ensure the job_queue_processes parameter is set to non-zero; ideally it should be a value of 1000.

    If the value is 0 or low, then proceed as follows:

    + Stop the OMS

    OMS_HOME/bin/emctl stop oms -all

    + Connect to the repository database as SYSDBA and set job_queue_processes to a value of 1000:

    SQL> ALTER SYSTEM SET job_queue_processes=1000 SCOPE=BOTH SID='*';

    + Start the OMS

    OMS_HOME/bin/emctl start oms

    + Check the login to the console.

    Kind regards

    Rahul

  • vCenter does not start after the upgrade from 5.1 5.1 U1b (UNIQUE authentication failed)

    Hello

    We have upgrade to vCenter Server (build 880146) 5.1.0a to vCenter Server 5.1. U1b and now vcenter service does not start

    This is the log:

    2013-10-21T10:58:40.221+02:00 [02800 info '[OSP]'] [UserDirectorySso] GetUserInfo(Administrators, true)
    2013-10-21T10:58:40.221+02:00 [02800 info '[OSP] [SsoAdminFacadeImpl]'] [GetDomains]
    2013-10-21T10:58:40.252+02:00 [02800 info '[OSP] [SsoAdminFacadeImpl]'] [LazyInitAdmin] Initializing
    2013-10-21T10:58:40.252+02:00 [02800 info '[OSP] [SsoAdminFacadeImpl]'] [InitSsoAdminServices]
    2013-10-21T10:58:40.252+02:00 [02800 info '[OSP] [SsoAdminFacadeImpl]'] [CreateAdminSsoServiceContent] Trying to connect to the SSO admin server.
    2013-10-21T10:58:40.330+02:00 [02800 info '[OSP] [SsoAdminFacadeImpl]'] [InitSsoAdminServices] Succeeded.
    2013-10-21T10:58:40.330+02:00 [02800 info '[OSP] [SsoAdminFacadeImpl]'] [LoginToAdmin]
    2013-10-21T10:58:40.330+02:00 [02800 info '[OSP] [SsoAdminFacadeImpl]'] [CheckTokenValidity]
    2013-10-21T10:58:40.330+02:00 [02800 info '[OSP] [SsoAdminFacadeImpl]'] [CheckTokenValidity] Refreshing SSO token...
    2013-10-21T10:58:40.330+02:00 [02800 info '[OSP] [SsoAdminFacadeImpl]'] [RefreshSsoToken]
    2013-10-21T10:58:40.408+02:00 [02800 error '[OSP] [SsoAdminFacadeImpl]'] [RefreshSsoToken] AcquireToken exception: Authentication failed: authentication failed
    2013-10-21T10:58:40.408+02:00 [02800 info '[OSP]'] [UserDirectorySso] GetUserInfo NormalizationException: RemoteGetDomainNames RuntimeServiceFault exception: sso.fault.RuntimeServiceFault
    2013-10-21T10:58:40.408+02:00 [02800 error '[OSP]'] [UserDirectorySso] NormalizeUserName AuthException: Authorize_Exception
    2013-10-21T10:58:40.408+02:00 [02800 error '[OSP]'] [UserDirectorySso] GetDefaultPrincipal AuthException: Authorize_Exception
    2013-10-21T10:58:40.408+02:00 [02800 info '[OSP]'] [UserDirectorySso] GetDefaultPrincipal(, true)
    2013-10-21T10:58:40.408+02:00 [02800 info '[OSP]'] [UserDirectorySso] GetUserInfo(, true)
    2013-10-21T10:58:40.408+02:00 [02800 info '[OSP] [SsoAdminFacadeImpl]'] [GetDomains]
    2013-10-21T10:58:40.408+02:00 [02800 info '[OSP] [SsoAdminFacadeImpl]'] [LazyInitAdmin] Initializing
    2013-10-21T10:58:40.408+02:00 [02800 info '[OSP] [SsoAdminFacadeImpl]'] [InitSsoAdminServices]
    2013-10-21T10:58:40.408+02:00 [02800 info '[OSP] [SsoAdminFacadeImpl]'] [CreateAdminSsoServiceContent] Trying to connect to the SSO admin server.
    2013-10-21T10:58:40.439+02:00 [02800 info '[OSP] [SsoAdminFacadeImpl]'] [InitSsoAdminServices] Succeeded.
    2013-10-21T10:58:40.439+02:00 [02800 info '[OSP] [SsoAdminFacadeImpl]'] [LoginToAdmin]
    2013-10-21T10:58:40.439+02:00 [02800 info '[OSP] [SsoAdminFacadeImpl]'] [CheckTokenValidity]
    2013-10-21T10:58:40.439+02:00 [02800 info '[OSP] [SsoAdminFacadeImpl]'] [CheckTokenValidity] Refreshing SSO token...
    2013-10-21T10:58:40.439+02:00 [02800 info '[OSP] [SsoAdminFacadeImpl]'] [RefreshSsoToken]
    2013-10-21T10:58:40.502+02:00 [02800 error '[OSP] [SsoAdminFacadeImpl]'] [RefreshSsoToken] AcquireToken exception: Authentication failed: authentication failed
    2013-10-21T10:58:40.502+02:00 [02800 info '[OSP]'] [UserDirectorySso] GetUserInfo NormalizationException: RemoteGetDomainNames RuntimeServiceFault exception: sso.fault.RuntimeServiceFault
    2013-10-21T10:58:40.502+02:00 [02800 error '[OSP]'] [UserDirectorySso] NormalizeUserName AuthException: Authorize_Exception
    2013-10-21T10:58:40.502+02:00 [02800 info '[OSP]'] [UserDirectorySso] GetUserInfo(, true)
    2013-10-21T10:58:40.502+02:00 [02800 info '[OSP] [SsoAdminFacadeImpl]'] [GetDomains]
    2013-10-21T10:58:40.502+02:00 [02800 info '[OSP] [SsoAdminFacadeImpl]'] [LazyInitAdmin] Initializing
    2013-10-21T10:58:40.502+02:00 [02800 info '[OSP] [SsoAdminFacadeImpl]'] [InitSsoAdminServices]
    2013-10-21T10:58:40.502+02:00 [02800 info '[OSP] [SsoAdminFacadeImpl]'] [CreateAdminSsoServiceContent] Trying to connect to the SSO admin server.
    2013-10-21T10:58:40.533+02:00 [02800 info '[OSP] [SsoAdminFacadeImpl]'] [InitSsoAdminServices] Succeeded.
    2013-10-21T10:58:40.533+02:00 [02800 info '[OSP] [SsoAdminFacadeImpl]'] [LoginToAdmin]
    2013-10-21T10:58:40.533+02:00 [02800 info '[OSP] [SsoAdminFacadeImpl]'] [CheckTokenValidity]
    2013-10-21T10:58:40.533+02:00 [02800 info '[OSP] [SsoAdminFacadeImpl]'] [CheckTokenValidity] Refreshing SSO token...
    2013-10-21T10:58:40.533+02:00 [02800 info '[OSP] [SsoAdminFacadeImpl]'] [RefreshSsoToken]
    2013-10-21T10:58:40.595+02:00 [02800 error '[OSP] [SsoAdminFacadeImpl]'] [RefreshSsoToken] AcquireToken exception: Authentication failed: authentication failed
    2013-10-21T10:58:40.595+02:00 [02800 info '[OSP]'] [UserDirectorySso] GetUserInfo NormalizationException: RemoteGetDomainNames RuntimeServiceFault exception: sso.fault.RuntimeServiceFault
    2013-10-21T10:58:40.595+02:00 [02800 error 'Default'] Cannot add default permission: user not found
    2013-10-21T10:58:40.595+02:00 [02800 error 'Default'] Cannot start Authorize: system has no access rule
    2013-10-21T10:58:40.595+02:00 [02800 error 'Default'] [Auth] Initialization failed: <class Vmacore::Authorize::AuthException(Authorize_Exception)>
    2013-10-21T10:58:40.595+02:00 [02800 error 'authvpxdAuthorize'] Could not initialize security
    2013-10-21T10:58:40.595+02:00 [02800 warning 'VpxProfiler'] ServerApp::Start [TotalTime] took 27456 ms
    2013-10-21T10:58:40.595+02:00 [02800 info 'Default'] Shutting down VMware VirtualCenter.

    Hello

    VMware support solved my problem:

    We found two issues after the update.

    First, there was no solution user for the Virtual Center when I checked the application users on the SSO administration page of the Web Client service.

    We solved this problem by repointing Virtual Center to the SSO instance according to the following KB:

    http://KB.VMware.com/kb/2033620

    1. repoint.cmd configure-vc --lookup-server https://vcenter.com:7444/lookupservice/sdk --user "admin@System-Domain" --password "laquesea" --openssl-path "C:\Program Files\VMware\Infrastructure\Inventory Service\bin"

    After that, the solution modules in vpxd.cfg were not updated correctly and a manual operation was needed.

    C:\ProgramData\VMware\VMware VirtualCenter\SSL\sso.crt

    vCenterServer_251703

    C:\ProgramData\VMware\VMware VirtualCenter\SSL\sso.key

    Above is the corrected version, having replaced "null" with the correct paths to the certificate and key files.

    This allowed the vCenter service to start successfully.

  • HSRP authentication problem

    Hello

    We have 2 devices configured with HSRP on a single interface, associated with a VLAN.

    Switch 1:

    !
    interface Vlan16
     description HSRP for VMware HA - November 13, 2015
     ip address 10.10.10.5 255.255.255.128
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     standby 11 ip 10.10.10.7
     standby 11 priority 110
     standby 11 preempt
     standby 11 authentication md5 key-chain globo123
    !

    Switch 2:

    !
    interface Vlan16
     description HSRP for VMware HA - November 13, 2015
     ip address 10.10.10.6 255.255.255.128
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     standby 11 ip 10.10.10.7
     standby 11 preempt
     standby 11 authentication md5 key-chain globo123
    !

    The thing is that we get the following message on switch 1:

    370222: Jan 19 02:29:20.439 UTC: %HSRP-4-BADAUTH: Bad authentication from 10.10.10.6, group 11, remote state Active

    And on switch 2:

    1308504: Jan 19 02:30:11.823 UTC: %HSRP-4-BADAUTH: Bad authentication from 10.10.10.5, group 11, remote state Active

    And also on switch 1:

    370242: Jan 19 02:29:39.290 UTC: HSRP: Vl16 Grp 11 Hello in 10.10.10.6 Active pri 100 vIP 10.10.10.7
    370243: Jan 19 02:29:39.290 UTC: HSRP: Vl16 Grp 11 Auth failed for Hello pkt from 129.39.189.3, no key for this key ID
    370244: Jan 19 02:29:39.354 UTC: HSRP: Vl16 Grp 11 Hello out 10.10.10.2 Active pri 110 vIP 10.10.10.7
    370245: Jan 19 02:29:40.946 UTC: HSRP: Vl16 Grp 11 ARP src 129.39.189.36 tgt 10.10.10.7 reply with mac 0000.0c07.ac0b
    370246: Jan 19 02:29:42.058 UTC: HSRP: Vl16 Grp 11 Hello in 10.10.10.6 Active pri 100 vIP 10.10.10.7
    370247: Jan 19 02:29:42.058 UTC: HSRP: Vl16 Grp 11 Auth failed for Hello pkt from 129.39.189.3, no key for this key ID
    370248: Jan 19 02:29:42.110 UTC: HSRP: Vl16 Grp 11 Hello out 10.10.10.5 Active pri 110 vIP 10.10.10.7
    370249: Jan 19 02:29:44.682 UTC: HSRP: Vl16 Grp 11 Hello out 10.10.10.5 Active pri 110 vIP 10.10.10.7
    370250: Jan 19 02:29:44.858 UTC: HSRP: Vl16 Grp 11 Hello in 10.10.10.6 Active pri 100 vIP 10.10.10.7
    370251: Jan 19 02:29:44.858 UTC: HSRP: Vl16 Grp 11 Auth failed for Hello pkt from 10.10.10.6, no key for this key ID
    370252: Jan 19 02:29:47.306 UTC: HSRP: Vl16 Grp 11 Hello out 10.10.10.5 Active pri 110 vIP 10.10.10.7
    370253: Jan 19 02:29:47.318 UTC: HSRP: Vl16 Grp 11 Hello in 10.10.10.6 Active pri 100 vIP 10.10.10.7
    370254: Jan 19 02:29:47.318 UTC: HSRP: Vl16 Grp 11 Auth failed for Hello pkt from 10.10.10.6, no key for this key ID
    370255: Jan 19 02:29:47.630 UTC: HSRP: Vl16 Grp 11 ARP src 172.16.1.41 tgt 10.10.10.7 reply with mac 0000.0c07.ac0b

    And also on switch 2:

    1308614: Jan 19 02:31:47.308 UTC: HSRP: Vl16 Grp 11 Hello 10.10.10.6 Active pri 100 vIP 10.10.10.7
    1308615: Jan 19 02:31:48.668 UTC: HSRP: Vl16 Grp 11 Hello 10.10.10.5 Active pri 110 vIP 10.10.10.7
    1308616: Jan 19 02:31:48.668 UTC: HSRP: Vl16 Grp 11 Auth failed for Hello pkt from 10.10.10.5, no key for this key ID
    1308617: Jan 19 02:31:48.668 UTC: %HSRP-4-BADAUTH: Bad authentication from 10.10.10.5, group 11, remote state Active
    1308618: Jan 19 02:31:50.276 UTC: HSRP: Vl16 Grp 11 Hello 129.39.189.3 Active pri 100 vIP 10.10.10.6
    1308619: Jan 19 02:31:51.280 UTC: HSRP: Vl16 Grp 11 Hello in 129.39.189.2 Active pri 110 vIP 10.10.10.6
    1308620: Jan 19 02:31:51.280 UTC: HSRP: Vl16 Grp 11 Auth failed for Hello pkt from 129.39.189.2, no key for this key ID
    1308621: Jan 19 02:31:51.892 UTC: HSRP: Vl16 Grp 11 ARP src 172.16.1.48 tgt 10.10.10.6 reply with mac 0000.0c07.ac0b
    1308622: Jan 19 02:31:52.916 UTC: HSRP: Vl16 Grp 11 Hello 129.39.189.3 Active pri 100 vIP 10.10.10.6
    1308623: Jan 19 02:31:53.856 UTC: HSRP: Vl16 Grp 11 Hello in 129.39.189.2 Active pri 110 vIP 10.10.10.6
    1308624: Jan 19 02:31:53.856 UTC: HSRP: Vl16 Grp 11 Auth failed for Hello pkt from 10.10.10.5, no key for this key ID

    The "show standby" command gives me this on switch 1:

    Vlan16 - Group 11
    State is Active
    2 state changes, last state change 9w3d
    Virtual IP address is 10.10.10.7
    Active virtual MAC address is 0000.0c07.ac0b
    Local virtual MAC address is 0000.0c07.ac0b (v1 default)
    Hello time 3 sec, hold time 10 sec
    Next hello sent in 0.560 secs
    Authentication MD5, key 'GSNIFri13unh4ck4bl3 '
    Preemption enabled
    Active router is local
    Standby router is unknown
    Priority 110 (configured 110)
    Group name is "hsrp-Vl16-11" (default)

    And on switch 2:

    Vlan16 - Group 11
    State is Active
    2 state changes, last state change 9w3d
    Virtual IP address is 10.10.10.7
    Active virtual MAC address is 0000.0c07.ac0b
    Local virtual MAC address is 0000.0c07.ac0b (v1 default)
    Hello time 3 sec, hold time 10 sec
    Next hello sent in 0.832 secs
    Authentication MD5, key 'GSNIFri13unh4ck4bl3 '
    Preemption enabled
    Active router is local
    Standby router is unknown
    Priority 100 (default 100)
    Group name is "hsrp-Vl16-11" (default)

    Could someone tell me whether this situation could cause the network to stop working?
    Alternatively, what kind of problem do I have?

    Thank you

    Rui Capao

    Don't blame IOS for the space, blame Windows copy and paste.

    It would be awesome if you marked my answer as correct if you think this has helped you.
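An added example (not from the thread or from Cisco): a Python check that parses both peers' `show standby` output, compares group, virtual IP, authentication type and key byte for byte (so a trailing space in one key shows up instead of hiding behind "no key for this key ID"), and flags two routers both claiming Active for the same vIP, which is what both outputs above show. The sample output, the `key-string` field layout and the syslog lines are constructed for the example.

```python
"""Compare two HSRP peers' 'show standby' output and surface the mismatch
behind %HSRP-4-BADAUTH.  Added example, not code from the thread."""
import re

# Constructed sample output modelled on the thread's two switches.  The key
# on switch 2 carries a trailing space, the kind of copy-and-paste artifact
# that makes the peer reject every Hello.
SHOW_STANDBY_SW1 = """Vlan16 - Group 11
  State is Active
  Virtual IP address is 10.10.10.7
  Authentication MD5, key-string "GSNIFri13unh4ck4bl3"
  Active router is local
  Standby router is unknown
  Priority 110 (configured 110)
"""

SHOW_STANDBY_SW2 = """Vlan16 - Group 11
  State is Active
  Virtual IP address is 10.10.10.7
  Authentication MD5, key-string "GSNIFri13unh4ck4bl3 "
  Active router is local
  Standby router is unknown
  Priority 100 (default 100)
"""

# Constructed syslog lines; only the BADAUTH one should be picked up.
SYSLOG = [
    "370222: Jan 19 02:29:20.439 UTC: %HSRP-4-BADAUTH: Bad authentication from 10.10.10.6, group 11, remote state Active",
    "370230: Jan 19 02:29:23.100 UTC: %LINK-3-UPDOWN: Interface Vlan16, changed state to up",
]

BADAUTH_RE = re.compile(
    r"%HSRP-4-BADAUTH: Bad authentication from (?P<peer>\S+), "
    r"group (?P<group>\d+), remote state (?P<state>\w+)"
)


def parse_show_standby(text):
    """Pull the fields we need out of one group's 'show standby' output."""
    def grab(pattern):
        m = re.search(pattern, text, re.M)
        return m.group(1) if m else None
    return {
        "group": grab(r"^\S+ - Group (\d+)"),
        "vip": grab(r"^\s*Virtual IP address is (\S+)"),
        "auth_type": grab(r"^\s*Authentication (\S+),"),
        # Keep the key verbatim: whitespace inside the quotes is the clue.
        "key": grab(r'^\s*Authentication \S+, key-(?:string|chain) "([^"]*)"'),
        "active": grab(r"^\s*Active router is (\S+)"),
        "standby": grab(r"^\s*Standby router is (\S+)"),
    }


def compare_peers(a, b):
    """Return a list of findings explaining why two HSRP peers disagree."""
    findings = []
    for field in ("group", "vip", "auth_type"):
        if a[field] != b[field]:
            findings.append(f"{field} differs: {a[field]!r} vs {b[field]!r}")
    if a["key"] != b["key"]:
        if a["key"].strip() == b["key"].strip():
            findings.append(
                f"key differs only by whitespace: {a['key']!r} vs {b['key']!r}")
        else:
            findings.append("key differs")
    # Two routers both Active for one vIP is a split-brain: both answer ARP
    # for the vIP, so hosts see two gateways with the same virtual MAC.
    if a["active"] == "local" and b["active"] == "local":
        findings.append(f"split-brain: both peers Active for vIP {a['vip']}")
    return findings


def badauth_events(lines):
    """Extract (peer, group, remote_state) from %HSRP-4-BADAUTH syslog lines."""
    return [(m["peer"], int(m["group"]), m["state"])
            for m in map(BADAUTH_RE.search, lines) if m]


if __name__ == "__main__":
    sw1 = parse_show_standby(SHOW_STANDBY_SW1)
    sw2 = parse_show_standby(SHOW_STANDBY_SW2)
    for finding in compare_peers(sw1, sw2):
        print("FINDING:", finding)
    for event in badauth_events(SYSLOG):
        print("BADAUTH:", event)
```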

  • Cisco ASA5505 Gigabit?

    Hi all

    I checked the POST on an ASA5505 (9.1(3)) and it shows 2 Gigabit NICs:

    Total NICs found: 10

    88E6095 rev 2 Gigabit Ethernet @ index 09 MAC: 0000.0003.0002
    88E6095 rev 2 Ethernet @ index 08 MAC: 885a.92d9.f938
    88E6095 rev 2 Ethernet @ index 07 MAC: 885a.92d9.f937
    88E6095 rev 2 Ethernet @ index 06 MAC: 885a.92d9.f936
    88E6095 rev 2 Ethernet @ index 05 MAC: 885a.92d9.f935
    88E6095 rev 2 Ethernet @ index 04 MAC: 885a.92d9.f934
    88E6095 rev 2 Ethernet @ index 03 MAC: 885a.92d9.f933
    88E6095 rev 2 Ethernet @ index 02 MAC: 885a.92d9.f932
    88E6095 rev 2 Ethernet @ index 01 MAC: 885a.92d9.f931
    y88acs06 rev16 Gigabit Ethernet @ index 00 MAC: 885a.92d9.f939

    Is a Gigabit license on the roadmap?

    Kind regards

    Norbert

    Hello

    I doubt that has anything to do with any future changes, as the device is specced for only 150 Mbps throughput.

    I haven't seen Cisco release any replacement model, even though I have asked a few times.

    I think the 2 GigabitEthernet interfaces refer to the Internal-Data0/0 and Internal-Data0/1 interfaces.

    Here is the output from my own ASA:

    Interface Internal-Data0/0 "", is up, line protocol is up
    Hardware is y88acs06, BW 1000 Mbps, DLY 10 usec
    (Full-duplex), (1000 Mbps)

    Interface Internal-Data0/1 "", is up, line protocol is up
    Hardware is 88E6095, BW 1000 Mbps, DLY 10 usec
    (Full-duplex), (1000 Mbps)

    Also, here is a picture from a Cisco Live! presentation on the architecture of the ASA5505 model (click to enlarge).

    Hope this helps

    -Jouni

  • Catalyst 3850, MAB and RADIUS

    Hello

    This is on a Catalyst 3850 (on a C3750 MAB auth works like a charm) and the strange thing is that I don't see the RADIUS client sending packets anywhere:

    #show radius statistics
                                     Auth.      Acct.       Both
    Maximum inQ length:                 NA         NA          0
    Maximum waitQ length:               NA         NA          0
    Maximum doneQ length:               NA         NA          0
    Total responses seen:                0          0          0
    Packets with responses:              0          0          0
    Packets without responses:           0          0          0
    Access Rejects:                      0
    Average response delay (ms):         0          0          0
    Maximum response delay (ms):         0          0          0
    Number of RADIUS timeouts:           0          0          0
    Duplicate ID detects:                0          0          0
    Buffer allocation failures:          0          0          0
    Maximum buffer size (bytes):         0          0          0
    Malformed responses:                 0          0          0
    Bad authenticators:                  0          0          0
    Unknown responses:                   0          0          0
    Source port range: (2 ports only)
       1645 - 1646
    Last used source port/identifier:
       1645/0
       1646/0

    Elapsed time since counters last cleared: 6h44m
    RADIUS latency distribution:
    <= 2ms   :          0          0
    3-5ms    :          0          0
    5-10ms   :          0          0
    10-20ms  :          0          0
    20-50ms  :          0          0
    50-100ms :          0          0
    > 100ms  :          0          0

    Current inQ length: 0
    Current doneQ length: 0

    #debug radius verbose

    All MAC addresses fail to authenticate

    #sh log

    003007: Aug 3 17:55:20.239 UTC: %MAB-5-FAIL: Authentication failed for client (XXXX.XXXX.XXXX) on Interface Gi1/0/7 AuditSessionID XXXXXXXXXXXXXXXXXXXXXXXXXX
    003008: Aug 3 17:55:20.239 UTC: %MAB-5-FAIL: Authentication failed for client (XXXX.XXXX.XXX) on Interface Gi1/0/7 AuditSessionID XXXXXXXXXXXXXXXXXXXXXXXXX

    There is one entry in the MAB debug log, 'Invalid EVT 9 of the EAP', that I find very strange (I don't know what it could be).

    #debug mab all

    003085: Aug 3 18:04:26.146 UTC: mab-ev:[XXXX.XXXX.XXXX, Gi1/0/48] Received MAB context create from AuthMgr
    003086: Aug 3 18:04:26.146 UTC: mab-ev:MAB authorizing XXXX.XXXX.XXXX
    003087: Aug 3 18:04:26.146 UTC: mab-ev:MAB client context created 0x1B00004B
    003088: Aug 3 18:04:26.146 UTC: mab : initial state mab_initialize has enter
    003089: Aug 3 18:04:26.146 UTC: mab-ev:[XXXX.XXXX.XXXX, Gi1/0/48] Sent create new context event to EAP for 0x1B00004B (XXXX.XXXX.XXXX)
    003090: Aug 3 18:04:26.147 UTC: mab-ev:[XXXX.XXXX.XXXX, Gi1/0/48] MAB authentication started for 0x536EE850 (XXXX.XXXX.XXXX)
    003091: Aug 3 18:04:26.147 UTC: mab-ev:[XXXX.XXXX.XXXX, Gi1/0/48] Invalid EVT 9 of the EAP
    003092: Aug 3 18:04:26.147 UTC: mab-sm:[XXXX.XXXX.XXXX, Gi1/0/48] Received event 'MAB_CONTINUE' on handle 0x1B00004B
    003093: Aug 3 18:04:26.147 UTC: mab : during state mab_initialize, got event 1(mabContinue)
    003094: Aug 3 18:04:26.147 UTC: @ mab : mab_initialize -> mab_authorizing
    003095: Aug 3 18:04:26.147 UTC: mab-ev:[XXXX.XXXX.XXXX] Formatted mac = XXXXXXXXXXXX
    003096: Aug 3 18:04:26.147 UTC: mab-ev:[XXXX.XXXX.XXXX] Created dot1x credentials profile dot1x_mac_auth_XXXX.XXXX.XXXX
    003097: Aug 3 18:04:26.148 UTC: mab-ev:[XXXX.XXXX.XXXX, Gi1/0/48] Sent MAC-AUTH-BYPASS for 0x1B00004B (XXXX.XXXX.XXXX)
    003098: Aug 3 18:04:26.148 UTC: mab-ev:[XXXX.XXXX.XXXX, Gi1/0/48] Invalid EVT 9 of the EAP
    003099: Aug 3 18:04:26.148 UTC: mab-ev:[XXXX.XXXX.XXXX, Gi1/0/48] MAB received an Access-Reject for 0x1B00004B (XXXX.XXXX.XXXX)
    003100: Aug 3 18:04:26.148 UTC: %MAB-5-FAIL: Authentication failed for client (XXXX.XXXX.XXXX) on Interface Gi1/0/48 AuditSessionID 0A48021200000FD1007B87DE
    003101: Aug 3 18:04:26.148 UTC: mab-sm:[XXXX.XXXX.XXXX, Gi1/0/48] Received event 'MAB_RESULT' on handle 0x1B00004B
    003102: Aug 3 18:04:26.148 UTC: mab : during state mab_authorizing, got event 5(mabResult)
    003103: Aug 3 18:04:26.148 UTC: @ mab : mab_authorizing -> mab_terminate
    003104: Aug 3 18:04:26.149 UTC: mab-ev:[XXXX.XXXX.XXXX, Gi1/0/48] Deleted credentials profile for 0x1B00004B (dot1x_mac_auth_XXXX.XXXX.XXXX)
    003105: Aug 3 18:04:26.150 UTC: mab-sm:[XXXX.XXXX.XXXX, Gi1/0/48] Received event 'MAB_DELETE' on handle 0x1B00004B

    The configuration is below:

    aaa group server radius XXX-XXXXXX
     server 10.XX.XX.30
     server 10.x.x.x.XX.30

    aaa authorization network default group XXX-XXXXXX no
    aaa accounting dot1x default start-stop group XXX-XXXXXX

    ip radius source-interface Loopback0

    radius-server host 10.XX.XX.30 key 7 XXXXXXXXXXXXXXXXXXXXXXX
    radius-server host 10.x.x.x.XX.30 key 7 XXXXXXXXXXXXXXXXXXXXXXX
    radius-server retransmit 0
    radius-server timeout 3

    interface GigabitEthernet1/0/6
     description XXXX XXXXX
     switchport access vlan XXX
     switchport mode access
     switchport voice vlan XXX
     authentication host-mode multi-auth
     authentication order mab
     authentication port-control auto
     authentication timer restart 180
     mab
     no snmp trap link-status
     storm-control broadcast level 0.50
     spanning-tree portfast
    end

    #sh ver

    Switch Ports Model              SW Version        SW Image              Mode
    ------ ----- -----              ----------        ----------            ----
    *    1 56    WS-C3850-48P       03.07.02E         cat3k_caa-universalk9 INSTALL
         2 56    WS-C3850-48P       03.07.02E         cat3k_caa-universalk9 INSTALL

    Any ideas?

    P.

    You are missing "aaa authentication dot1x".
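An added example (not from the thread or from Cisco): a small Python lint that reads an IOS running-config and reports the global lines a port with `mab` depends on before any request can reach RADIUS, including the `aaa authentication dot1x default group` line this reply points out. The sample config and the group name LAB-ISE are constructed; `dot1x system-auth-control` is included as a known global prerequisite that the thread's excerpt does not show either way.

```python
"""Lint an IOS running-config for the global AAA lines MAB needs.
Added example, not code from the thread."""
import re

# Constructed config mirroring the thread: server group, authorization and
# the port are present, but 'aaa authentication dot1x' and
# 'dot1x system-auth-control' are not.  LAB-ISE and the IPs are placeholders.
BROKEN_CONFIG = """\
aaa new-model
aaa group server radius LAB-ISE
 server 10.0.0.30
aaa authorization network default group LAB-ISE
aaa accounting dot1x default start-stop group LAB-ISE
ip radius source-interface Loopback0
radius-server host 10.0.0.30 key 7 0123456789ABCDEF
!
interface GigabitEthernet1/0/6
 switchport mode access
 authentication host-mode multi-auth
 authentication order mab
 authentication port-control auto
 mab
 spanning-tree portfast
!
end
"""

# Same config with the two missing global lines added.
FIXED_CONFIG = BROKEN_CONFIG.replace(
    "aaa new-model\n",
    "aaa new-model\ndot1x system-auth-control\n"
    "aaa authentication dot1x default group LAB-ISE\n", 1)


def parse_config(text):
    """Split a running-config into top-level lines and per-interface lines."""
    top, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            current = None
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" "):
            if current is not None:
                interfaces[current].append(line.strip())
        else:
            current = None
            top.append(line)
    return top, interfaces


def lint_mab(text):
    """Return findings; an empty list means the MAB prerequisites are present."""
    top, interfaces = parse_config(text)
    mab_ports = [name for name, lines in interfaces.items() if "mab" in lines]
    if not mab_ports:
        return []
    findings = []

    def first(pattern):
        return next((m for m in (re.match(pattern, l) for l in top) if m), None)

    groups = {m.group(1) for m in
              (re.match(r"aaa group server radius (\S+)", l) for l in top) if m}
    for label in ("aaa new-model", "dot1x system-auth-control"):
        if first(re.escape(label) + r"$") is None:
            findings.append(f"global: '{label}' missing")
    # Without these method lists the switch never builds a RADIUS request,
    # which matches the all-zero 'show radius statistics' in the thread.
    for method in ("authentication dot1x", "authorization network"):
        m = first(rf"aaa {method} default group (\S+)")
        if m is None:
            findings.append(f"global: 'aaa {method} default group <name>' missing")
        elif m.group(1) not in groups:
            findings.append(f"global: 'aaa {method}' references undefined group {m.group(1)!r}")
    for port in mab_ports:
        if "authentication port-control auto" not in interfaces[port]:
            findings.append(f"{port}: 'authentication port-control auto' missing")
    return findings
```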

  • Rogue Hub/Switch blocks?

    Hello

    I noticed MAC addresses of 0000.0000.0000 on some of our switch ports in a particular building.  It turns out that some end users have been connecting personal/unauthorized hubs and/or cheap 5-port switches to our network on these interfaces.  We disabled the ports manually, and of course the end users then called the helpdesk informing us that they had lost network connectivity.

    PortFast and BPDU guard are enabled on all edge devices.  However, given that these are cheap switches and hubs, I don't think they do STP at all.  So having BPDU guard err-disable the port isn't our fix.

    So, is there another way to block these devices?  ACL?  MAC filtering?  Can you just block MAC 0000.0000.0000?  Maybe someone can explain what MAC 0000.0000.0000 means?

    I am aware of port security, which is currently in the works, but I was hoping for a quick solution in the meantime.

    Thank you!

    -Brett

    Depending on what type of switch you have, you have dynamic ARP inspection, where you record only trusted MACs in the switch's database and the switch will reject any other MAC that connects. Port security is another option: allow a maximum of 1 MAC on the port, but the problem will persist if they connect a hub plus computers; the port will be shut down and you will need to re-enable the err-disabled port each time.

    Also, here is a good post to review about an ACL:

    https://supportforums.Cisco.com/message/3727181#3727181

    -Tom
    Please rate helpful posts

  • Determine the NIF port used by a HIF when it is configured in a port-channel

    I recently watched an excellent Cisco Live video on UCS performance troubleshooting that showed how to trace network traffic within Cisco UCS. The speaker commented, however, that to determine which NIF is used by a given HIF when port-channels are used between the FEX and the FI, there are different commands to run: you need to determine the outcome of the load-balancing hash. Unfortunately, he never went into what those commands were.

    So when we have veths pinned to port-channels instead of HIFs and NIFs, which commands will indicate which path is used?

    Matt,

    You can use this command:

    B(nxos)# sh port-channel load-balance   <-- this will tell you the load-balance method

    If you use source-dest-ip as in my case, you can use this command:

    B(nxos)# sh port-channel load-balance forwarding-path interface port-channel ID vlan ID dst-ip y.y.y.y src-ip x.x.x.x   and it will show you something like this:

    Missing params will be substituted by 0.

    Load-balance Algorithm on switch: source-dest-ip
    crc8_hash: 109 Outgoing port id: EthernetX/Y   <-- this is what you are looking for
    Param(s) used to calculate load-balance:
    dst-ip: y.y.y.y
    src-ip: x.x.x.x
    dst-mac: 0000.0000.0000
    src-mac: 0000.0000.0000

    For the blade, it depends on which vNIC is active; for the FEX, it depends on pinning, based on which blade slot the server is located in.  Odd servers go through odd links and even servers through even ports.

    Remember to rate helpful answers.

    -Kenny

  • 802.1X Switch IOS Bug?

    It seems to me that IOS does not work as the documentation states regarding dot1x authentication management. In my view, the latest IOS 12.2 should not re-authenticate a client if the MAC address has not changed (with dot1x reauth off, of course). However, I've tested this and it seems that the switch always sends EAPOL, even if I use the same PC on the same port. Is this a bug?

    There is nothing that can be done about it. I don't yet know what 'MAC History' means, but if the port goes down, it is still deleted.

    Now, I might have a workaround for you here: MAC-Auth-Bypass (MAB). MAB authenticates machines that cannot speak 1X by their MAC address. If it fails and you also have the Guest-VLAN on, the port goes into the Guest-VLAN anyway (to support backward compatibility). From a processing perspective, MAB is attempted after 1X but before the Guest-VLAN (which just allows a port blindly).

    What this means for your scenario is that if you enable MAB, you can put a machine to sleep (that will bounce the port). 802.1X times out (as your computer is idle). Then MAB will kick in and initiate. However, it will hang there until the device sends traffic, and while it is asleep, it will not pass any. In this way, the port does not go into the Guest-VLAN when the machine goes to sleep, and you can wake the computer up from whichever VLAN is configured as native on the port.

    Hope this helps,
