802.1x MAB with Juniper EX switch.

Hi,
I tried to authenticate a user from a Juniper EX switch to Cisco ACS RADIUS. The ACS can authenticate a normal user via 802.1x but not MAB.
I set the ACS to authenticate any request using RADIUS IETF.
I also tried connecting to a different ACS server using the same config and, surprisingly, it works. The only difference is that the ACS does not have my certificate installed.
I attached the log and packet capture for reference. It seems that the ACS replies with an encrypted message to the EX switch.
This is the log from the EX switch (I know this is a Cisco forum, but it could give some clue):
Feb 14 01:45:50.618026 Sending message to authentication client
Feb 14 01:45:50.622833 Received message from authentication client
Feb 14 01:45:50.622887 reply: 1cf7924 rply_hdr: 1cf9000 bytes_remnant len:28 reply_len:28
Feb 14 01:45:50.622917 hdr_bytes_read 0
Feb 14 01:45:50.622937 len read : 28 reply_len: 2983
Feb 14 01:45:50.622991 bytes_remnant 2955 tot_bytes_read 28
Feb 14 01:45:50.623028 bytes_read 2955
Feb 14 01:45:50.623048 Creating background job to process reply from authentication client
Feb 14 01:45:50.623117 Entering background job to process message from authentication client
Feb 14 01:45:50.623145 process_auth_reply len:2983
Feb 14 01:45:50.623182 Received Access-Challenge authentication message
Feb 14 01:45:50.623206 Invoking state machine for authentication response for mac address 00:1E:37:86:A2:04
Feb 14 01:45:50.623226  on intf ge-0/0/1.0
Feb 14 01:45:50.623259  ASIF: Handing over Server frame to Authenticator
Feb 14 01:45:50.623287  AUTH: Handling Server Frame
Feb 14 01:45:50.623318  SessNode got from SessIdtbl for Id 126 is : 1d1d000, Port: 67
Feb 14 01:45:50.623347 Code = 1, Id = 126, Len = 6
Feb 14 01:45:50.623375  ASIF: Handing over Server frame to Authenticator 67.
Feb 14 01:45:50.623403 PnacAsIfRecvFromServer : Rad Attr Statelen = 25
Feb 14 01:45:50.623421 Rad Attr Class Len = 0
Feb 14 01:45:50.623445 PnacAuthPrepareMD5Response Pkt type 25 is not MD5.
Feb 14 01:45:50.623473 PnacAuthMacRadiusReply : MD5 response prep failed.
Feb 14 01:45:50.623499 AuthHandleInServerFrame:MAC RADIUS RESP failed
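
The failing line in the log above is "Pkt type 25 is not MD5": EAP type 25 is PEAP, while the switch's MAC RADIUS path was preparing an MD5 response. The following added example (not code from the original post, Juniper or Cisco) decodes the EAP-Message inside a RADIUS Access-Challenge so the same check can be made against a packet capture. The two packets are constructed to mirror the log values (Id 126, Len 6, type 25, State length 25); the function names are hypothetical and the authenticators are zeroed and not verified.

```python
import struct

# Subset of the IANA EAP method types and RADIUS codes/attributes used below.
EAP_TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 13: "EAP-TLS",
             17: "LEAP", 21: "EAP-TTLS", 25: "PEAP", 43: "EAP-FAST"}
RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept",
                3: "Access-Reject", 11: "Access-Challenge"}
ATTR_STATE, ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTH = 24, 79, 80
EAP_MD5 = 4


def parse_radius(packet):
    """Split a RADIUS packet into code, identifier and (type, value) attributes."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs.append((a_type, packet[pos + 2:pos + a_len]))
        pos += a_len
    return {"code": code, "id": ident, "attrs": attrs}


def parse_eap(eap):
    """Decode the EAP header; only Request/Response packets carry a type byte."""
    if len(eap) < 4:
        raise ValueError("shorter than the 4-byte EAP header")
    code, ident, length = struct.unpack("!BBH", eap[:4])
    if length < 4 or length > len(eap):
        raise ValueError("bad EAP length field")
    eap_type = eap[4] if code in (1, 2) and length >= 5 else None
    return {"code": code, "id": ident, "length": length, "type": eap_type}


def diagnose_mab_reply(packet):
    """Report which EAP method the server offered and whether it is MD5."""
    radius = parse_radius(packet)
    # EAP packets longer than 253 bytes are split over several EAP-Message
    # attributes; concatenate them in order before decoding.
    eap_raw = b"".join(v for t, v in radius["attrs"] if t == ATTR_EAP_MESSAGE)
    if not eap_raw:
        raise ValueError("no EAP-Message attribute in reply")
    eap = parse_eap(eap_raw)
    state = [v for t, v in radius["attrs"] if t == ATTR_STATE]
    return {
        "radius": RADIUS_CODES.get(radius["code"], str(radius["code"])),
        "state_len": len(state[0]) if state else 0,
        "eap_code": eap["code"],
        "eap_id": eap["id"],
        "eap_len": eap["length"],
        "eap_type": eap["type"],
        "eap_type_name": EAP_TYPES.get(eap["type"], "unknown"),
        "md5_compatible": eap["code"] == 1 and eap["type"] == EAP_MD5,
    }


def build_challenge(ident, eap, state):
    """Build a constructed Access-Challenge (authenticators zeroed, unverified)."""
    attrs = bytes([ATTR_STATE, len(state) + 2]) + state
    attrs += bytes([ATTR_EAP_MESSAGE, len(eap) + 2]) + eap
    attrs += bytes([ATTR_MESSAGE_AUTH, 18]) + bytes(16)
    return struct.pack("!BBH", 11, ident, 20 + len(attrs)) + bytes(16) + attrs


# Constructed sample 1: EAP-Request, Id 126, Len 6, type 25 (PEAP), Start flag.
PEAP_START = bytes([1, 126, 0, 6, 25, 0x20])
PEAP_REPLY = build_challenge(7, PEAP_START, b"S" * 25)

# Constructed sample 2: EAP-Request/MD5-Challenge with a 16-byte challenge.
MD5_CHALLENGE = bytes([1, 126]) + struct.pack("!H", 22) + bytes([4, 16]) + bytes(range(16))
MD5_REPLY = build_challenge(8, MD5_CHALLENGE, b"S" * 25)

if __name__ == "__main__":
    for name, pkt in (("PEAP reply", PEAP_REPLY), ("MD5 reply", MD5_REPLY)):
        print(name, diagnose_mab_reply(pkt))
```
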

Similar Messages

  • 802.1x MAB with Microsoft NPS ieee802Device object group

    Hi,
    according to http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/config_guide_c17-663759.pdf (MAC Authentication Bypass Deployment Guide as of May 2011), when you use Microsoft NPS, you cannot simply add MAC addresses as Active Directory user objects if your domain has strict password enforcement policies (because passwords are not allowed to match usernames under those circumstances). The guide mentions the use of the 'ieee802Device' class that is built into Windows Server 2003R2 and above. I have tried to get this working (with no success...); unfortunately I did not find any guidelines on the web on how to accomplish this. What I did so far was:
    - Created a new structural class "myieee802Device", based on the abstract class "ieee802Device"
    - Created a new OU "ethers" in AD
    - Created a simple object by means of an ldifde.exe import
    dn: CN=001b21******,OU=ethers,DC=dot1x,DC=com
    changetype: add
    objectClass: myieee802Device
    cn: 001b21******
    macAddress: 00:1b:21:**:**:**
    When I trigger 802.1x authentication at a supplicant, NPS does not find the device (MAC-Address) in AD.
    Has anybody got this running so far?
    Stefan

    Stefan,
    Many thanks for your reply. In my test environment, what I have encountered is:
    1. I created the user account and used the MAC address as account and password, which can access the AD.
    2. I enabled the MD5-Challenge function in the Windows 2008 R2 NPS server. Please refer to the link:
    http://social.technet.microsoft.com/Forums/en/winserverNAP/thread/e801bdac-9347-4efb-9d7c-bcf4d64aa927
    3. Created the network policy, which uses MD5 as the EAP type, and selected PAP as the authentication method.
    4. Enabled the 802.1x and MAB functions on the port of the Cisco 3750.
    In testing, 802.1x works fine, but when I try to let it authenticate with MAB, I get the error below in the NPS event log:
    Network Policy Server denied access to a user.
    Contact the Network Policy Server administrator for more information.
    User:
        Security ID:            QBBB\002622c997ff
        Account Name:            002622c997ff
        Account Domain:            QBBB
        Fully Qualified Account Name:    qbbb.net/Sales/002622c997ff
    Client Machine:
        Security ID:            NULL SID
        Account Name:            -
        Fully Qualified Account Name:    -
        OS-Version:            -
        Called Station Identifier:        3C-DF-1E-C6-48-13
        Calling Station Identifier:        00-26-22-C9-97-FF
    NAS:
        NAS IPv4 Address:        10.197.40.2
        NAS IPv6 Address:        -
        NAS Identifier:            -
        NAS Port-Type:            Ethernet
        NAS Port:            50219
    RADIUS Client:
        Client Friendly Name:        Wired
        Client IP Address:            10.197.40.2
    Authentication Details:
        Connection Request Policy Name:    Secure Wired (Ethernet) Connections
        Network Policy Name:        Connections to other access servers
        Authentication Provider:        Windows
        Authentication Server:        QINGXXX1.QBBB.net
        Authentication Type:        PAP
        EAP Type:            -
        Account Session Identifier:        -
        Logging Results:            Accounting information was written to the local log file.
        Reason Code:            65
        Reason:                The Network Access Permission setting in the dial-in properties of the user account in Active Directory is set to Deny access to the user. To change the Network Access Permission setting to either Allow access or Control access through NPS Network Policy, obtain the properties of the user account in Active Directory Users and Computers, click the Dial-in tab, and change Network Access Permission.
    Just for your reference, and I hope it helps. Thanks a lot!
    --Scott

  • 802.1q trunking with 3rd party switch

    I'm setting up a project that requires a cisco router, which is capable of doing 802.1q trunking. This is the only function I need to test with a 3rd party switch. What is the cheapest router that I can use to accomplish this.

    Hi,
    This should be the one:
    http://cisco.com/en/US/prod/collateral/routers/ps380/ps6942/product_data_sheet0900aecd804b1b19.html
    Please rate if this helped.
    Regards,
    Daniel

  • ISE mab authentication with Avaya/Nortel switches

    Currently using Cisco ISE 1.1 to authenticate both dot1x and mab from Cisco switches. Both features are authenticating properly.
    When we use a Nortel/Avaya switch for the authenticator, we are unable to authenticate using mac bypass (non-eap (or neap) in Avaya talk..). The correct authentication policy is found in the ISE, but the mac address is not found in the database. We know it is there because the same mac is authenticating with the Cisco switch. Dot1x authenticates properly from both the Cisco and Avaya authenticators.
    Could this be an issue with the username/password format in the Radius packet from the Cisco?
    Thanks in advance for any assistance.
    -Kurt

    As requested...
    http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCuc22732
    MAB works from a cisco switch because the cisco switch places the mac address in the calling-station-attribute and the user-name attribute. The Cisco ISE platform is looking at the calling-station attribute to find the user name. This is the problem.
    The radius RFC says the user name must be in the user-name attribute. The calling-station-attribute is not a required field and is used for the phone number of a voip phone. Basically, the ISE platform is looking at the wrong field for the mac address.
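
The two attributes discussed in this thread, as an added example (not code from the thread or from Cisco ISE): a small diagnostic that canonicalizes the MAC found in User-Name and in Calling-Station-Id, so requests from different switch vendors can be compared against the same endpoint record. The MAC spellings are the ones that appear in the logs on this page; the sample requests are constructed, the function names are hypothetical, and the User-Name-only request assumes, as the reply above describes, a switch that does not put the MAC in Calling-Station-Id.

```python
import re

# Accepted MAC spellings: bare hex, pairs split by "-" or ":", dotted quads.
_MAC_FORMS = [
    re.compile(r"[0-9a-f]{12}"),
    re.compile(r"[0-9a-f]{2}([-:])[0-9a-f]{2}(?:\1[0-9a-f]{2}){4}"),
    re.compile(r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"),
]


def canonical_mac(value):
    """Return the MAC as 12 lowercase hex digits, or None if it is not a MAC."""
    if not value:
        return None
    text = value.strip().lower()
    if any(form.fullmatch(text) for form in _MAC_FORMS):
        return re.sub(r"[^0-9a-f]", "", text)
    return None


def mab_identity(attrs):
    """Pick the endpoint lookup key from a MAB request's RADIUS attributes.

    User-Name is tried first and Calling-Station-Id is the fallback, so a
    request that carries the MAC in only one of them still resolves. A
    disagreement between the two is reported rather than silently resolved.
    """
    user_mac = canonical_mac(attrs.get("User-Name"))
    station_mac = canonical_mac(attrs.get("Calling-Station-Id"))
    if user_mac:
        key, source = user_mac, "User-Name"
    elif station_mac:
        key, source = station_mac, "Calling-Station-Id"
    else:
        key, source = None, None
    return {
        "user_name_mac": user_mac,
        "calling_station_mac": station_mac,
        "lookup_key": key,
        "source": source,
        "mismatch": bool(user_mac and station_mac and user_mac != station_mac),
    }


# Constructed sample requests (attribute dictionaries, not real captures).
BOTH_ATTRIBUTES = {"User-Name": "002622c997ff",
                   "Calling-Station-Id": "00-26-22-C9-97-FF"}
USER_NAME_ONLY = {"User-Name": "00:1e:37:86:a2:04"}
DOTTED_FORM = {"User-Name": "000d.1234.5678",
               "Calling-Station-Id": "00-0D-12-34-56-78"}
DISAGREEING = {"User-Name": "aa1effbb8fd4",
               "Calling-Station-Id": "00-26-22-C9-97-FF"}

if __name__ == "__main__":
    for name, req in (("both", BOTH_ATTRIBUTES), ("user-name only", USER_NAME_ONLY),
                      ("dotted", DOTTED_FORM), ("disagreeing", DISAGREEING)):
        print(name, mab_identity(req))
```

A server that keys only on Calling-Station-Id gets `None` for the User-Name-only request, which matches the "MAC not found" symptom described in the question.
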

  • 802.1x problems with Cat4510E-Sup6L, IOS 12.2.54

    Hi, all.
    I have a very strange problem when turning on 802.1x/MAB on Cisco IOS 12.2.54 running on Cat45xx switches.
    Here is a config sample of a port:
    interface GigabitEthernet9/48
    switchport access vlan xxx
    switchport mode access
    switchport voice vlan yyy
    no logging event link-status
    load-interval 60
    authentication event fail action next-method
    authentication event server dead action authorize vlan xxx
    authentication host-mode multi-domain
    authentication order mab dot1x
    authentication priority dot1x mab
    authentication port-control auto
    mab
    no snmp trap link-status
    dot1x pae authenticator
    dot1x timeout tx-period 10
    flowcontrol receive off
    storm-control broadcast level 5.00
    storm-control action shutdown
    spanning-tree portfast    
    Cisco ACS 5.1 is running as an radius/tacacs appliance in the network.
    Since we have many non-certificate-capable devices, MAB is used first to authenticate these devices, for many
    devices the radius server sends down a specific vlan id for that port.
    All of this works fine !!!!
    Now for the problem:
    Some devices authenticate fine with mab, but after a few minutes these devices stop responding to the network,
    pings are not answered anymore.
    "show authen sessions" for this port shows everything good:
    show authentication sessions int gig9/48
                Interface:  GigabitEthernet9/48
              MAC Address:  000d.1234.5678
               IP Address:  10.aa.bb.cc.dd
                User-Name:  00-0D-12-34-56-78
                   Status:  Authz Success
                   Domain:  DATA
           Oper host mode:  multi-domain
         Oper control dir:  both
            Authorized By:  Authentication Server
              Vlan Policy:  zzz
          Session timeout:  N/A
             Idle timeout:  N/A
        Common Session ID:  0A540423000015FE74510567
          Acct Session ID:  0x00001608
                   Handle:  0x34000609
    Runnable methods list:
           Method   State
           mab      Authc Success
           dot1x    Failed over
    When I shut down and re-enable the interface, show auth sessions changes to:
    show authentication sessions int gig9/48
                Interface:  GigabitEthernet9/48
              MAC Address:  Unknown
               IP Address:  Unknown
                   Status:  Running
                   Domain:  UNKNOWN
           Oper host mode:  multi-domain
         Oper control dir:  both
          Session timeout:  N/A
             Idle timeout:  N/A
        Common Session ID:  0A5404230000160676F62524
          Acct Session ID:  0x00001613
                   Handle:  0x24000610
    Runnable methods list:
           Method   State
           mab      Running
           dot1x    Not run
    After a variable time period (sometimes 2 minutes, sometimes 2 hours) the port learns or sees the
    mac address again, authenticates it and pings start to respond again, but also for a variable time period only
    and the whole thing starts over (pings lost, ......)
    I guess this is a .1x issue, because if I configure the port as a normal switchport (mode access, access vlan "zzz", span portfast),
    the devices show no problems at all, always reachable, no packets lost.
    Did I miss anything ??
    Anyone encountered any similar problems ???

    Hi, I have experienced a similar problem. I have a C4506 sup 4, with gig interfaces. I have ACS5.1 and if I enable dot1X on an access-port it works fine in multi-host mode, but when I switch to multi-domain it stops working: the pc and phone get an IP address but they are not able to communicate, not even pinging the default GW. Directly after the switch to multi-domain (from multi-host) the phone and pc work, but if I do a shut no shut on the interface it stops working. I have logged a case with TAC and am waiting for an answer. I run the latest release 12.2(54)
    / Magnus

  • ESW 520 802.1x MAB authentication problem

    Hello,
    I am having a problem with 802.1x MAB authentication on an ESW 520 switch; the authentication server is ACS 5.3.
    The Authentication method on the ESW is 802.1x & MAC, and Host Authentication mode is Multi Session. When I plug in an IP phone it never authenticates the phone, and on ACS I get the following error message:
    Radius authentication failed for USER: aa1effbb8fd4  MAC: aa-1E-FF-bb-8F-D4  AUTHTYPE:  Radius authentication failed
    RADIUS Status:Authentication failed    : 11509 Access Service does not allow any EAP protocols
    15004  Matched rule
    15012  Selected Access Service - MAB
    11507  Extracted EAP-Response/Identity
    11509  Access Service does not allow any EAP protocols
    11504  Prepared EAP-Failure
    11003  Returned RADIUS Access-Reject
    For that Access Service I have configured only Host Lookup.
    The same ACS configuration is working perfectly on a Catalyst 3560G switch.
    It seems that the ESW switch is not telling ACS that authentication is going to be by MAC address.
    Do you have any idea what the problem can be?

    Are you hitting the same selection rule? Also is "mab eap" configured globally on the switch, or on the port itself?
    Also can you post the port configuration and the show ver of the ESW?
    Thanks,
    Tarik Admani
    *Please rate helpful posts*

  • Macs joined to AD Domain, and 802.1x/mab authentication problems

    Hello, I've got a situation where I have a small handful of Mac Pros running OS 10.6 that are having some trouble with wired 802.1x/MAB (MAC Authentication Bypass) on our Cisco switches. We have our Macs set up so that they authenticate to our Windows domain for user login, plus we have 802.1x authentication (for our Windows clients) and MAB bypass for our Macs, printers, and assorted other equipment. The problem seems to be that the Mac boots up before the switch goes into MAB bypass and won't let the user log in to the network. Has anyone run across this problem before and found a solution?

    hello,
    in my organization we have multiple 3560/2960 series switches and some 4500 with MAB.
    the interfaces have the following config:
     authentication host-mode multi-auth
     authentication order mab dot1x
     authentication priority mab dot1x
     authentication port-control auto
     authentication periodic
     authentication timer restart 120
     authentication timer reauthenticate server
     authentication timer inactivity 600
     mab
     dot1x pae authenticator
    Good luck

  • 802.1x RADIUS with EAP-TLS/EAP-TTLS & Dynamic VLAN Assignment

    Hello, My team is looking for switches supporting 802.1x authentication on either EAP-TTLS or EAP-TLS protocols with dynamic vlan assignment enabled for these. Looking at the data sheets of the Linksys desktop switches, I found only SLM224G4PS and SLM224G4S models to support EAP-TLS or EAP-TTLS. Am I right? Do they support Dynamic VLAN Assigment for either of those protocols? This is not explicitly mentioned in the data sheets, and I happen to find switches from other manufacturers that announce to support EAP-TLS/EAP-TTLS but no dynamic vlan assignment. Thank you for any help.

    SLM switches do support 802.1x RADIUS with EAP-TLS/EAP-TTLS unlike the SRW switches which support MD5. But I don't think that they support Dynamic VLAN.

  • 802.1x authentication with dynamic Vlan assignment by a radius server

    Hi
    At school I want to start using 802.1x authentication with dynamic Vlan assignment by a Windows Server 2012R2 Radius server.
    When a student logs in, I want it to be placed in the "Students" Vlan, when an Administrative employee logs in, I want it to be placed in the "Administrative" vlan and when the client is unknown I want to place it in the "Guest" Vlan.
    I have several SG200 switches and I configured everything as mentioned in the administrative guide but I cannot get it to work as desired.
    What does work:
    - If the client is permitted, the switch changes to "authorized" state. (before anyone logs on to the domain with that client)
    - When a User logs on that is part of the Administrative employees, the switch changes to "authorized" and when a student logs on, it changes to "unauthorized". 
    So far so good.
    But what doesn't work:
    - it does not put the administrative employee in the Vlan "Administrative", it just enables the port on the switch but leaves it in the default vlan 1.
    - I can not find the Guest VLAN.
    Any help would be appreciated.

    Hi Wouter,
    Can you see in the packet capture Radius accept message VLAN attribute? Also please ensure you have the latest firmware and boot code:
    http://www.cisco.com/c/en/us/support/switches/sg200-26-26-port-gigabit-smart-switch/model.html#~rdtab1
    I would recommend you to open ticket with Small Business team so they can go with you through packet capture and configuration steps:
    http://www.cisco.com/c/en/us/support/web/tsd-cisco-small-business-support-center-contacts.html
    Regards,
    Aleksandra 

  • Stacking with Cisco Blade Switches

    Hi,
    We have a HP p-class Blade System with two Cisco Gigabit Ethernet Switch Modules (Cisco IOS Release 12.2(25)SE) for every enclosure. My question is how I can stack the two blade switches (in the same enclosure) so that every HP blade server to be connected with the two switches in the active/standby state? In other words, can and how I make a port-channel which includes ports from the two switches?
    Unfortunately I couldn't find any documentation for the purpose.

    Hi,
    With the CGESM switches you have you cannot use 802.3ad teaming against the two blade switches. This is possible with the Cisco 3120 blade switches for HP c-class.
    Now, in your case, you can use standard Active/Standby NIC teaming, where the active NIC of each server connects to one switch and the standby NIC connects to the other switch. Should a blade switch completely fail, all of the servers with their active NIC connected to the failed switch should see the link go down and switch over to the standby NIC on the second switch. This should work very well.
    One problem that can happen however is that the blade switch itself does not completely fail. Instead maybe the blade switch uplink fails, or the upstream switch it is connected to fails. In this situation the server NIC does not experience a failure and continues to send traffic to the blade switch that does not have anywhere to send the traffic, a black hole. This is perhaps the problem you are seeing?
    The fortunate thing is that Cisco has a solution to this problem called Trunk Failover with Link State Tracking. What this allows you to do is to tell the blade switch that if it experiences a failure on its uplinks that it should also bring down the links to the servers as well. This will cause the servers to see a failure on their active NIC and perform a switchover to the second blade switch.
    I looked up your switch and found that your 12.2(25)SE1 code does not support this feature. You will need to upgrade to 12.2(25)SEE4 and you will be able to configure this on your switches.
    Here is a link to see how this configuration works:
    http://www.cisco.com/en/US/docs/switches/blades/3020/software/release/12.2_25_sef1/configuration/guide/swethchl.html#wp1346176
    Hope this helps.
    If so please rate my posts.
    Thanks,
    Brad

  • Problems with Comodo Kill Switch, Windows Services & Bitlocker Encryption on Asus N56VZ

    Hi All,
    So recently I found myself stuck in a different scenario than before, and after many hours researching and efforts to fix this I still find myself stuck  yet with a few options still to fix.
    What is the problem?
    So as a security-cautious user, when I first got to Windows 8.1 Pro 64Bit I encrypted both the C and D drive (split the main disk) to protect myself and my family. Unfortunately that has not been very helpful with the way in which booting and running from either external USB devices or CD/DVD works, not allowing me to at all.
    The security suite I usually use is Comodo Internet Security, which additionally comes with Comodo Kill Switch. Whilst using the application, instead of stopping one of the TCP connections I was meant to, I accidentally stopped a Windows Explorer connection.
    For some reason, since then neither Windows Explorer nor most Windows apps or services themselves will run. For example msconfig will run but sfc /scannow or mmc will not, whether in safe mode or normal mode.
    What Caused the Problem?
    Cannot 100% say
    What I Think Caused the Problem?
    Myself running Comodo Kill Switch, stopping a vital server connection with Windows Explorer, which messed up a lot. Or a potential virus, unknown how; cannot fully scan the system as it won't boot externally or run many apps.
    Additional Info
    Asus Webcam is Disabled on Purpose
    Laptop was fully customized to run latest games full graphics minus Anti Aliasing, works with Evolve + CoD Advanced Warfare
    Laptop does not boot if USB Keyboard plugged in, works with everything else normal (had this on other systems no problem for me)
    Ask me for more info if required to add here, braindead again
    Specifications of my system
    Intel® Core™ i7 3610QM Processor
    Windows 8.1 Pro 64Bit
    Intel® HM76 Chipset
    DDR3 1600 MHz SDRAM, 2 x SO-DIMM 8GB
    15.6" HD (1366x768)/Full HD (1920x1080)/Wide View Angle LED Backlight
    NVIDIA® GeForce® GT 650M with 2GB DDR3 VRAM
    1TB 5400RPM OR 750GB 5400/7200RPM (Cannot remember off top of head, braindead)
    Super-Multi DVD 
    Kensington lock (Security Feature)
    LoJack (Security Feature)
    BIOS Booting User Password Protection (Security Feature)
    HDD User Password Protection and Security (Security Feature)
    Pre-OS Authentication by programmable key code (Security Feature)
    What Can Run and Won't Run?
    ON BOOT:
    Bitlocker Encryption Password & Advanced Settings are accessible
    Bios (password protected) is accessible
    Windows Recovery Mode is accessible (Think it is F9 or F10)
    Windows Logon Password Screen is accessible
    ON NORMAL/SAFE-MODE START UP:
    After Log-In Windows Explorer will not run
    Task Manager will run, also allows me to browse the files when trying to start new task
    Can run Command prompt
    Cannot run any control panel items
    Cannot run services.msc
    Cannot run mmc
    Cannot run sfc
    Every time it mentions the Windows drive is locked
    Start errors when running certain applications (will post codes soon)
    Rufus USB Tool does run
    Cannot boot Kali Linux off USB
    Cannot boot Windows 8.1 off USB
    Cannot boot Windows 8.1 off DVDRW
    Fixwin2 will not run
    Apps either work or don't whether in safe mode or normal
    Cannot use Windows Installer
    What Fixes I Have Tried So Far
    Ok so like any normal user I don't want to lose my files. So here are what I have tried so far:
    Repair MBR (Repair Completed, No Luck)
    SFC /SCANNOW (Returns Error 'Windows Resource Protection could not start the repair service')
    Tried sfc /SCANNOW /OFFBOOTDIR=c:\ /OFFWINDIR=c:\windows (Could not access drive)
    Fixwin2 (Will not run in either normal or safe mode)
    Booting using Windows 8.1 via USB (Cannot boot from external devices due to Bitlocker Encryption)
    Booting using Kali Linux via DVD & USB (Cannot boot from external devices due to Bitlocker Encryption)
    How do I know it is because of Bitlocker? Because last time I disabled it, I could run from external devices
    Tried to run Bitlocker to change settings (Will not run)
    Have used both password and recovery keys to unlock the drive; they work, but when applications are running on Windows the drive is still locked?
    Tried Windows Automatic Diagnostic and Repair (Could not repair anything, did make a log I am still to extract from the system)
    There are No System Restore Points
    I'm sure there is much more information I could post however I will leave it on an ask to know basis, apart from the log files and further information to gather. Below is my list of trial and error fixes to try for today (need more ideas and help please!):
    Hiren's 15.2 Boot CD via DVD (NOT ABLE TO BOOT)
    Hiren's 15.2 Boot CD via USB (NOT ABLE TO BOOT)
    Research into the Bios and Possible Update in-case of implementation of Virus, can access flash utility (STILL NOT TESTED)
    Try and get a portable version or a working version of windows installer to try and re-install Comodo Internet Security (STILL NOT TESTED)
    Another way to disable Bitlocker
    Anti-Malware / Anti-Virus Scan If Possible to Run One
    Bitlocker Repair Tool, will try this also
    I have posted this as have not found much info online, usually find it and crack on but this time things are a little more tricky, my priority task I really need to do is remove the Bitlocker Encryption, but if the application will not run... what do I do then?
    Thanks for your time reading all, Sorry for any poor formatting or spelling.
    Update 1: MMC.exe Error Code
    Ok so now have the computer in safe mode, still same as before, no explorer.exe, no services etc... Just went into the Task Manager > Services (Tab) > Open Services (Option at bottom)
    This is the error I get:
    'The Instruction at 0x785a746c referenced memory at 0x000000a8. The memory could not be read.'
    Any Ideas on what this error is and why?
    Update 2: CHKDSK Works with no Fix
    Update 3: Hiren's 15.2 Boot CD - USB Boot still no luck booting around Bitlocker Encryption
    Just to explain again, I have already unlocked the drive with the correct Bitlocker password or recovery key, yet the drive remains locked, not allowing a Windows refresh of files or a complete install from the Windows recovery menu, as it keeps saying the drive is locked

    Ok so attempt number two to write this update via bloody phone! (Just refreshed page whilst writing!)
    Update 4:
    Problem - cannot run from bootable devices (DVD/USB)
    Cause - bitlocker fully encrypted drive stops this working
    Repair - Boot up holding F9 to enter Windows recovery. Input Bitlocker recovery keys to unlock drives.
    Navigate to Command Prompt in advanced settings. Execute the following code:
    Repair-bde c: d: -rp 000111-222333-444555-etc...
    (Code found from https://technet.microsoft.com/en-us/library/ee523219%28v=ws.10%29.aspx)
    Note for those using this: It is common while unlocking certain drives to get errors such as: Quote from http://www.benjaminathawes.com/2013/03/17/resolving-partial-encryption-problems-with-bitlocker/
    "LOG INFO: 0x0000002a Valid metadata at offset 8832512000 found at scan level 1.
    LOG INFO: 0x0000002b Successfully created repair context.
    LOG ERROR: 0xc0000037 Failed to read sector at offset 9211592704. (0×00000017)
    LOG ERROR: 0xc0000037 Failed to read sector at offset 9211593216. (0×00000017)
    …followed by around 20 similar entries that differed only by the offset value"
    Repair Status for Update 4: COMPLETED - However over wrote D drive data so now need to recover that
    Problem 2 - windows services corrupted along with windows files
    Cause - Unknown
    Repair - Wait until system is fully decrypted. Once fully decrypted, ensure boot from USB/DVD.
    Re-do fixes that would not work before if this has fixed boot issue. Confirm fix / update post. Hope anything I put here helps others also.

  • Windows XP see blank screen when remote desktop to Windows 7 with fast user switching disabled

    All computers are in workgroup environment, no AD.
    Windows 7 Pro machines are configured with fast user switching mode disabled so that only one login session can run at a time. When a Windows 7 machine remote desktops to another Windows 7 machine, the remote desktop 'server' will give a 30-second countdown for the console logged-in user to accept the remote connection, or when the timeout expires it kicks out the console logged-in user. This is completely ok.
    This becomes a problem when a Windows XP RD client tries to remote desktop to these Windows 7 machines: Windows XP sees a blank screen if the remote Windows 7 machine has a user logged in, as it is waiting for the user to log off first. This is not desirable as our administrators want the console session to be logged out automatically if they (administrators) want to remote desktop in.
    Is this a configuration problem? Is this an OS design that can't be changed?
    Valuable skills are not learned, learned skills aren't valuable.

    Hi,
    As I know, for RDP session in Windows 7, you don't need to configure the fast user switch option disabled. Windows 7 doesn’t support multiple Remote Desktop sessions by design, that means only one RDP session at a time.
    I remote into my Windows 7 machine (which has a user logged in) from my XP machine, all work fine, the user logged in Windows 7 machine is automatically "kicked off".
    May I ask a question? Does this issue happen in all XP machines? If you leave Windows 7 machine started and no user logged in, the RDP session in Windows XP established quickly?
    I would suggest you keep the latest graphics card drivers and the latest update patches for both Windows XP (Windows XP has come to the end of its lifecycle) and Windows 7.
    Yolanda Zhu
    TechNet Community Support

  • User activity with fast user switching

    what actually continues with one user when another user logs on with fast user switching?
    Does any activity continue, such as downloading, calculating, getting mail, or playing movies? Or does everything go into limbo until that user logs back on?

    Audio output is squelched when fast user switching. Under Panther, audio playing in one user account would continue to play after fast user switching to another account. Under Tiger, the actual process continues, but the sound is muted.
    Same thing goes for audio input. I learned this the hard way by setting up an app to record a two hour radio program through the built-in audio input jack. During the recording I switched to another account for an hour. When I later went to listen to the recording, there was an hour of silence corresponding to the time I was in the other account.
    I really wish Apple would fix this.

  • Solarwinds Netflow products what will work with a 3850-switch

    Does anybody know….what Solar winds product will do Net Flow with Cisco 3850-switches? I know Net Flow Configurator will not work….but what about Net Flow Real-time for a Cisco 3850 switch?

    For a lot of people, it is not necessary. I used to ask myself that question until I came across a need for things that iLife and the Finder would not do.
    Toast is a great program with a lot of features that just are not standard on a Mac.
    You can make music DVDs. You can span a HD backup over multiple disks. You can make hybrid PC/Mac disks. It has DVD compression tools to fit an 8.5GB dual-layer DVD onto a single layer 4.7GB DVD. It supports OGG and FLAC audio formats. You can turn your iMovie and iDVD projects into DivX disks.
    It also has lots of nice tools to clean up audio that is imported from a noisy source - like vinyl.
    It is all in all a very useful program, but not unless you need any of those features of course.

  • Ap521 - 802.1x LEAP - with IAS ?

    Hi there,
    I wanted to do 802.1x PEAP with my AP521 as a standalone access point. Unfortunately, in the data sheet it seems to support only LEAP with the AP521.
    http://www.cisco.com/en/US/prod/collateral/wireless/ps7306/ps7319/ps7338/product_data_sheet0900aecd8060c220.html
    LEAP
    Dynamic-WEP
    Open-EAP Network-EAP
    So,  as I have Microsoft IAS, I was trying to figure out if LEAP is supported ... it seems that officialy not :
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_q_and_a_item09186a00805e8297.shtml
    and from microsoft also
    http://technet.microsoft.com/en-us/library/cc785368(WS.10).aspx
    But, some people on forum said there is some things you can do to make it work...
    https://supportforums.cisco.com/message/1295984#1295984
    By default, the access point sends reauthentication requests to the authentication server with the service-type attribute set to authenticate-only. However, some Microsoft IAS servers do not support the authenticate-only service-type attribute. Changing the service-type attribute to login-only ensures that Microsoft IAS servers recognize reauthentication requests from the access point. Use the dot11 aaa authentication attributes service-type login-only global configuration command to set the service-type attribute in reauthentication requests to login-only.
    http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_guide_chapter09186a00802091b1.html
    What do you think? Have you guys done that?
    thanks

    Phillippe,
         PEAP is supported through the APs which is most likely what you will use in a Microsoft environment.  This is covered under the Open-EAP heading.
    --Jesse
