802.1x MAB with Juniper EX switch.
Hi,
I tried to authenticate a user from a Juniper EX switch against Cisco ACS RADIUS. The ACS can authenticate a normal user via 802.1x but not MAB.
I set the ACS to authenticate any request using RADIUS IETF.
I also tried connecting to a different ACS server using the same config and, surprisingly, it works. The only difference is that the ACS does not have my certificate installed.
I attached the log and a packet capture for reference. It seems that the ACS replies with an encrypted message to the EX switch.
This is the log from the EX switch (I know this is a Cisco forum, but I could give some clue).
Feb 14 01:45:50.618026 Sending message to authentication client
Feb 14 01:45:50.622833 Received message from authentication client
Feb 14 01:45:50.622887 reply: 1cf7924 rply_hdr: 1cf9000 bytes_remnant len:28 reply_len:28
Feb 14 01:45:50.622917 hdr_bytes_read 0
Feb 14 01:45:50.622937 len read : 28 reply_len: 2983
Feb 14 01:45:50.622991 bytes_remnant 2955 tot_bytes_read 28
Feb 14 01:45:50.623028 bytes_read 2955
Feb 14 01:45:50.623048 Creating background job to process reply from authentication client
Feb 14 01:45:50.623117 Entering background job to process message from authentication client
Feb 14 01:45:50.623145 process_auth_reply len:2983
Feb 14 01:45:50.623182 Received Access-Challenge authentication message
Feb 14 01:45:50.623206 Invoking state machine for authentication response for mac address 00:1E:37:86:A2:04
Feb 14 01:45:50.623226 on intf ge-0/0/1.0
Feb 14 01:45:50.623259 ASIF: Handing over Server frame to Authenticator
Feb 14 01:45:50.623287 AUTH: Handling Server Frame
Feb 14 01:45:50.623318 SessNode got from SessIdtbl for Id 126 is : 1d1d000, Port: 67
Feb 14 01:45:50.623347 Code = 1, Id = 126, Len = 6
Feb 14 01:45:50.623375 ASIF: Handing over Server frame to Authenticator 67.
Feb 14 01:45:50.623403 PnacAsIfRecvFromServer : Rad Attr Statelen = 25
Feb 14 01:45:50.623421 Rad Attr Class Len = 0
Feb 14 01:45:50.623445 PnacAuthPrepareMD5Response Pkt type 25 is not MD5.
Feb 14 01:45:50.623473 PnacAuthMacRadiusReply : MD5 response prep failed.
Feb 14 01:45:50.623499 AuthHandleInServerFrame:MAC RADIUS RESP failed
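The last lines of the log show the switch expecting an EAP MD5-Challenge for MAC RADIUS and receiving EAP type 25 instead. The following is an added example, not code from the original post or from Juniper or Cisco: it decodes the EAP-Message carried in an Access-Challenge and names the method the server proposed. The packet bytes are constructed to match the logged EAP header (Code = 1, Id = 126, Len = 6, type 25); authenticators are zeroed and not verified.

```python
import struct

# RADIUS attribute numbers (RFC 2865, RFC 3579)
ATTR_STATE = 24
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80

RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept",
                3: "Access-Reject", 11: "Access-Challenge"}
EAP_TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 13: "EAP-TLS",
             21: "EAP-TTLS", 25: "PEAP", 43: "EAP-FAST"}
EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_MD5 = 4


def parse_radius(packet):
    """Return (code, identifier, [(attr_type, value), ...]) with bounds checks."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("RADIUS length field disagrees with the datagram")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("attribute %d has a bad length" % a_type)
        attrs.append((a_type, packet[pos + 2:pos + a_len]))
        pos += a_len
    return code, ident, attrs


def parse_eap(attrs):
    """Join EAP-Message fragments in order and decode the EAP header."""
    eap = b"".join(v for t, v in attrs if t == ATTR_EAP_MESSAGE)
    if not eap:
        return None
    if len(eap) < 4:
        raise ValueError("EAP packet shorter than its header")
    code, ident, length = struct.unpack("!BBH", eap[:4])
    if not 4 <= length <= len(eap):
        raise ValueError("EAP length field disagrees with EAP-Message data")
    # Only Request and Response packets carry a Type octet.
    has_type = code in (EAP_REQUEST, EAP_RESPONSE) and length >= 5
    return {"code": code, "id": ident, "length": length,
            "type": eap[4] if has_type else None}


def diagnose(packet, supported=(EAP_MD5,)):
    """Say whether an authenticator limited to `supported` can answer this reply."""
    code, _, attrs = parse_radius(packet)
    eap = parse_eap(attrs)
    result = {"radius": RADIUS_CODES.get(code, str(code)), "eap": eap,
              "method": None, "usable": False}
    if eap is None or eap["type"] is None:
        result["reason"] = "reply carries no EAP method to answer"
        return result
    result["method"] = EAP_TYPES.get(eap["type"], "type %d" % eap["type"])
    result["usable"] = (code == 11 and eap["code"] == EAP_REQUEST
                        and eap["type"] in supported)
    result["reason"] = ("authenticator can answer this challenge"
                        if result["usable"] else
                        "server proposed %s, authenticator cannot answer it"
                        % result["method"])
    return result


def encode_attr(a_type, value):
    return bytes([a_type, len(value) + 2]) + value


def build_challenge(eap_packet):
    """Constructed Access-Challenge: opaque State, EAP-Message, zeroed authenticators."""
    attrs = (encode_attr(ATTR_STATE, b"S" * 25)
             + encode_attr(ATTR_EAP_MESSAGE, eap_packet)
             + encode_attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16)))
    return struct.pack("!BBH", 11, 1, 20 + len(attrs)) + bytes(16) + attrs


# Constructed: EAP Request, Id 126, Len 6, Type 25 (PEAP), flags 0x20 (Start).
PEAP_START = bytes([1, 126, 0, 6, 25, 0x20])
# Constructed: EAP Request, Id 126, Type 4 (MD5-Challenge), 16-byte challenge.
MD5_CHALLENGE = bytes([1, 126, 0, 22, 4, 16]) + bytes(range(16))

if __name__ == "__main__":
    for name, eap in (("PEAP start", PEAP_START), ("MD5", MD5_CHALLENGE)):
        print(name, diagnose(build_challenge(eap)))
```

Run against a capture of the server's reply, a result of PEAP where MD5-Challenge was expected points at the access policy selected for the MAB request on the RADIUS server rather than at the switch.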
Similar Messages
-
802.1x MAB with Microsoft NPS ieee802Device object group
Hi,
According to http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/config_guide_c17-663759.pdf (MAC Authentication Bypass Deployment Guide as of May 2011), when you use Microsoft NPS, you cannot simply add MAC addresses as Active Directory user objects if your domain has strict password enforcement policies (because passwords are not allowed to match usernames under those circumstances). The guide mentions the use of the 'ieee802Device' class that is built into Windows Server 2003R2 and above. I have tried to get this working (with no success...); unfortunately I did not find any guidelines on the web on how to accomplish this. What I did so far was:
- Created a new structural class "myieee802Device", based on the abstract class "ieee802Device"
- Created a new OU "ethers" in AD
- Created a simple object by means of an ldifde.exe import
dn: CN=001b21******,OU=ethers,DC=dot1x,DC=com
changetype: add
objectClass: myieee802Device
cn: 001b21******
macAddress: 00:1b:21:**:**:**
When I trigger 802.1x authentication at a supplicant, NPS does not find the device (MAC-Address) in AD.
Has anybody got this running so far?
Stefan
Stefan,
Many thanks for your reply. In my test environment, what I have encountered is:
1. I created the user account and used the MAC address as account and password, which can access the AD.
2. I enabled the MD5-Challenge function in the Windows 2008 R2 NPS server. Please refer to the link:
http://social.technet.microsoft.com/Forums/en/winserverNAP/thread/e801bdac-9347-4efb-9d7c-bcf4d64aa927
3. Created the network policy, which uses MD5 as the EAP type, and selected PAP as the authentication method.
4. Enabled the 802.1x and MAB functions on the port of the Cisco 3750.
In testing, 802.1x works fine, but when I try to let it authenticate with MAB, I got the below error in the NPS event log:
Network Policy Server denied access to a user.
Contact the Network Policy Server administrator for more information.
User:
Security ID: QBBB\002622c997ff
Account Name: 002622c997ff
Account Domain: QBBB
Fully Qualified Account Name: qbbb.net/Sales/002622c997ff
Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
OS-Version: -
Called Station Identifier: 3C-DF-1E-C6-48-13
Calling Station Identifier: 00-26-22-C9-97-FF
NAS:
NAS IPv4 Address: 10.197.40.2
NAS IPv6 Address: -
NAS Identifier: -
NAS Port-Type: Ethernet
NAS Port: 50219
RADIUS Client:
Client Friendly Name: Wired
Client IP Address: 10.197.40.2
Authentication Details:
Connection Request Policy Name: Secure Wired (Ethernet) Connections
Network Policy Name: Connections to other access servers
Authentication Provider: Windows
Authentication Server: QINGXXX1.QBBB.net
Authentication Type: PAP
EAP Type: -
Account Session Identifier: -
Logging Results: Accounting information was written to the local log file.
Reason Code: 65
Reason: The Network Access Permission setting in the dial-in properties of the user account in Active Directory is set to Deny access to the user. To change the Network Access Permission setting to either Allow access or Control access through NPS Network Policy, obtain the properties of the user account in Active Directory Users and Computers, click the Dial-in tab, and change Network Access Permission.
Just for your reference, and I hope this can help you. Thanks a lot!
--Scott -
802.1q trunking with 3rd party switch
I'm setting up a project that requires a Cisco router which is capable of doing 802.1q trunking. This is the only function I need to test with a 3rd party switch. What is the cheapest router that I can use to accomplish this?
Hi,
This should be the one:
http://cisco.com/en/US/prod/collateral/routers/ps380/ps6942/product_data_sheet0900aecd804b1b19.html
Please rate if this helped.
Regards,
Daniel -
ISE mab authentication with Avaya/Nortel switches
Currently using Cisco ISE 1.1 to authenticate both dot1x and MAB from Cisco switches. Both features are authenticating properly.
When we use a Nortel/Avaya switch for the authenticator, we are unable to authenticate using MAC bypass (non-EAP (or NEAP) in Avaya talk...). The correct authentication policy is found in the ISE, but the MAC address is not found in the database. We know it is there because the same MAC is authenticating with the Cisco switch. Dot1x authenticates properly from both the Cisco and Avaya authenticators.
Could this be an issue with the username/password format in the RADIUS packet from the Cisco?
Thanks in advance for any assistance.
-Kurt
As requested...
http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCuc22732
MAB works from a Cisco switch because the Cisco switch places the MAC address in the calling-station-attribute and the user-name attribute. The Cisco ISE platform is looking at the calling-station attribute to find the user name. This is the problem.
The radius RFC says the user name must be in the user-name attribute. The calling-station-attribute is not a required field and is used for the phone number of a voip phone. Basically, the ISE platform is looking at the wrong field for the mac address. -
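The thread above turns on which RADIUS attribute carries the MAC and in what spelling. The following is an added example, not Cisco's or Avaya's code: a host-lookup key derivation that accepts the MAC spellings seen in the outputs on this page, takes the key from User-Name, falls back to Calling-Station-Id only when User-Name is absent, and rejects requests where the two disagree. The function names, the decision labels and the sample requests are hypothetical and constructed for illustration.

```python
import re

# MAC spellings that appear in the outputs on this page:
#   002622c997ff, 00-26-22-C9-97-FF, 00:1E:37:86:A2:04, 000d.1234.5678
MAC_FORMS = re.compile(
    r"^(?:[0-9a-f]{12}"
    r"|[0-9a-f]{2}([-:])[0-9a-f]{2}(?:\1[0-9a-f]{2}){4}"
    r"|[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})$",
    re.IGNORECASE,
)


def normalize_mac(value):
    """Return 12 lowercase hex digits, or None if value is not a MAC."""
    if not value:
        return None
    value = value.strip()
    if not MAC_FORMS.match(value):
        return None
    return re.sub(r"[-:.]", "", value).lower()


def mab_lookup_key(attrs):
    """Pick the endpoint identity for a MAB request.

    attrs maps decoded RADIUS attribute names to string values.
    Returns (key, source); key is None when no lookup should be done.
    """
    raw_user = attrs.get("User-Name")
    user = normalize_mac(raw_user)
    csid = normalize_mac(attrs.get("Calling-Station-Id"))
    if raw_user and user is None:
        # A non-MAC User-Name is an 802.1X identity, not a MAB request.
        return None, "not-mab"
    if user and csid and user != csid:
        # The NAS reported two different MACs for one session.
        return None, "mismatch"
    if user:
        return user, "User-Name"
    if csid:
        return csid, "Calling-Station-Id"
    return None, "no-mac"


def authorize(attrs, known_endpoints):
    """Host lookup against a set of normalized MACs. Returns (decision, detail)."""
    key, source = mab_lookup_key(attrs)
    if key is None:
        return "reject", source
    if key not in known_endpoints:
        return "reject", "unknown-endpoint"
    return "accept", source


if __name__ == "__main__":
    known = {"002622c997ff", "000d12345678"}  # constructed endpoint store
    samples = [
        {"User-Name": "002622c997ff", "Calling-Station-Id": "00-26-22-C9-97-FF"},
        {"User-Name": "00-0D-12-34-56-78"},  # no Calling-Station-Id at all
        {"User-Name": "002622c997ff", "Calling-Station-Id": "00-0D-12-34-56-78"},
        {"User-Name": "alice", "Calling-Station-Id": "00:1E:37:86:A2:04"},
    ]
    for request in samples:
        print(request, "->", authorize(request, known))
```

Keying on a normalized User-Name keeps the lookup independent of whether a given NAS vendor also sends Calling-Station-Id or how it punctuates the address.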
802.1x problems with Cat4510E-Sup6L, IOS 12.2.54
Hi, all.
I have a very strange problem when turning on 802.1x/MAB on Cisco IOS 12.2.54 running on Cat45xx switches.
Here is a config sample of a port:
interface GigabitEthernet9/48
 switchport access vlan xxx
 switchport mode access
 switchport voice vlan yyy
 no logging event link-status
 load-interval 60
 authentication event fail action next-method
 authentication event server dead action authorize vlan xxx
 authentication host-mode multi-domain
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 mab
 no snmp trap link-status
 dot1x pae authenticator
 dot1x timeout tx-period 10
 flowcontrol receive off
 storm-control broadcast level 5.00
 storm-control action shutdown
 spanning-tree portfast
Cisco ACS 5.1 is running as a RADIUS/TACACS appliance in the network.
Since we have many non-certificate-capable devices, MAB is used first to authenticate these devices; for many devices the RADIUS server sends down a specific VLAN ID for that port.
All of this works fine !!!!
Now for the problem:
Some devices authenticate fine with mab, but after a few minutes these devices stop responding to the network,
pings are not answered anymore.
"show authen sessions" for this port shows everything good:
show authentication sessions int gig9/48
Interface: GigabitEthernet9/48
MAC Address: 000d.1234.5678
IP Address: 10.aa.bb.cc.dd
User-Name: 00-0D-12-34-56-78
Status: Authz Success
Domain: DATA
Oper host mode: multi-domain
Oper control dir: both
Authorized By: Authentication Server
Vlan Policy: zzz
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0A540423000015FE74510567
Acct Session ID: 0x00001608
Handle: 0x34000609
Runnable methods list:
Method State
mab Authc Success
dot1x Failed over
When i shutdown and reenable the interface, show auth sessions changes to:
show authentication sessions int gig9/48
Interface: GigabitEthernet9/48
MAC Address: Unknown
IP Address: Unknown
Status: Running
Domain: UNKNOWN
Oper host mode: multi-domain
Oper control dir: both
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0A5404230000160676F62524
Acct Session ID: 0x00001613
Handle: 0x24000610
Runnable methods list:
Method State
mab Running
dot1x Not run
After a variable time period (sometimes 2 minutes, sometimes 2 hours) the port learns or sees the
mac address again, authenticates it and pings start to respond again, but also for a variable time period only
and the whole thing starts over (pings lost, ......)
I guess this is a .1x issue, because if I configure the port as a normal switchport (mode access, access vlan "zzz", span portfast),
the devices show no problems at all, always reachable, no packets lost.
Did I miss anything ??
Anyone encountered any similar problems ???
Hi, I have experienced a similar problem. I have a C4506 Sup 4 with gig interfaces. I have ACS 5.1, and if I enable dot1x on an access port it works fine in multi-host mode, but when I switch to multi-domain it stops working: the PC and phone get an IP address but they are not able to communicate, not even pinging the default GW. Directly after the switch to multi-domain (from multi-host) the phone and PC work, but if I do a shut/no shut on the interface it stops working. I have logged a case with TAC and am waiting for an answer. I run the latest release 12.2(54)
/ Magnus -
ESW 520 802.1x MAB authentication problem
Hello,
I am having a problem with 802.1x MAB authentication on an ESW 520 switch; the authentication server is ACS 5.3.
The authentication method on the ESW is 802.1x & MAC, and Host Authentication mode is Multi Session. When I plug in an IP phone it never authenticates the phone, and on ACS I get the following error message:
Radius authentication failed for USER: aa1effbb8fd4 MAC: aa-1E-FF-bb-8F-D4 AUTHTYPE: Radius authentication failed
RADIUS Status:Authentication failed : 11509 Access Service does not allow any EAP protocols
15004 Matched rule
15012 Selected Access Service - MAB
11507 Extracted EAP-Response/Identity
11509 Access Service does not allow any EAP protocols
11504 Prepared EAP-Failure
11003 Returned RADIUS Access-Reject
For that Access Service I have configured only Host Lookup.
The same ACS configuration is working perfectly on a Catalyst 3560G switch.
It seems that the ESW switch is not telling ACS that authentication is going to be by MAC address.
Do you have any idea what the problem can be?
Are you hitting the same selection rule? Also is "mab eap" configured globally on the switch, or on the port itself?
Also can you post the port configuration and the show ver of the ESW?
Thanks,
Tarik Admani
*Please rate helpful posts* -
Macs joined to AD Domain, and 802.1x/mab authentication problems
Hello, I've got a situation where I have a small handful of Mac Pros running OS 10.6 that are having some trouble with wired 802.1x/MAB (MAC Authentication Bypass) on our Cisco switches. We have our Macs set up so that they authenticate to our Windows domain for user login, plus we have 802.1x authentication (for our Windows clients) and MAB bypass for our Macs, printers, and assorted other equipment. The problem seems to be that the Mac boots up before the switch goes into MAB bypass and won't let the user log in to the network. Has anyone run across this problem before and found a solution?
hello,
in my organization we have multiple 3560/2960 series switches and some 4500 with MAB.
the interfaces have the following config:
authentication host-mode multi-auth
authentication order mab dot1x
authentication priority mab dot1x
authentication port-control auto
authentication periodic
authentication timer restart 120
authentication timer reauthenticate server
authentication timer inactivity 600
mab
dot1x pae authenticator
Good luck -
802.1x RADIUS with EAP-TLS/EAP-TTLS & Dynamic VLAN Assignment
Hello, My team is looking for switches supporting 802.1x authentication on either EAP-TTLS or EAP-TLS protocols with dynamic vlan assignment enabled for these. Looking at the data sheets of the Linksys desktop switches, I found only SLM224G4PS and SLM224G4S models to support EAP-TLS or EAP-TTLS. Am I right? Do they support Dynamic VLAN Assigment for either of those protocols? This is not explicitly mentioned in the data sheets, and I happen to find switches from other manufacturers that announce to support EAP-TLS/EAP-TTLS but no dynamic vlan assignment. Thank you for any help.
SLM switches do support 802.1x RADIUS with EAP-TLS/EAP-TTLS unlike the SRW switches which support MD5. But I don't think that they support Dynamic VLAN.
-
802.1x authentication with dynamic Vlan assignment by a radius server
Hi
At school I want to start using 802.1x authentication with dynamic VLAN assignment by a Windows Server 2012R2 RADIUS server.
When a student logs in, I want them to be placed in the "Students" VLAN; when an administrative employee logs in, I want them to be placed in the "Administrative" VLAN; and when the client is unknown I want to place it in the "Guest" VLAN.
I have several SG200 switches and I configured everything as mentioned in the administrative guide but I cannot get it to work as desired.
What does work:
- If the client is permitted, the switch changes to "authorized" state. (before anyone logs on to the domain with that client)
- When a User logs on that is part of the Administrative employees, the switch changes to "authorized" and when a student logs on, it changes to "unauthorized".
So far so good.
But what doesn't work:
- it does not put the administrative employee in the Vlan "Administrative", it just enables the port on the switch but leaves it in the default vlan 1.
- I can not find the Guest VLAN.
Any help would be appreciated.
Hi Wouter,
Can you see the VLAN attribute in the RADIUS Accept message in the packet capture? Also please ensure you have the latest firmware and boot code:
http://www.cisco.com/c/en/us/support/switches/sg200-26-26-port-gigabit-smart-switch/model.html#~rdtab1
I would recommend you to open ticket with Small Business team so they can go with you through packet capture and configuration steps:
http://www.cisco.com/c/en/us/support/web/tsd-cisco-small-business-support-center-contacts.html
Regards,
Aleksandra -
Stacking with Cisco Blade Switches
Hi,
We have a HP p-class Blade System with two Cisco Gigabit Ethernet Switch Modules (Cisco IOS Release 12.2(25)SE) for every enclosure. My question is how I can stack the two blade switches (in the same enclosure) so that every HP blade server to be connected with the two switches in the active/standby state? In other words, can and how I make a port-channel which includes ports from the two switches?
Unfortunately I couldn't find any documentation for the purpose.
Hi,
With the CGESM switches you have you cannot use 802.3ad teaming against the two blade switches. This is possible with the Cisco 3120 blade switches for HP c-class.
Now, in your case, you can use standard Active/Standby NIC teaming, where the active NIC of each server connects to one switch and the standby NIC connects to the other switch. Should a blade switch completely fail, all of the servers with their active NIC connected to the failed switch should see the link go down and switch over to the standby NIC on the second switch. This should work very well.
One problem that can happen however is that the blade switch itself does not completely fail. Instead maybe the blade switch uplink fails, or the upstream switch it is connected to fails. In this situation the server NIC does not experience a failure and continues to send traffic to the blade switch that does not have anywhere to send the traffic, a black hole. This is perhaps the problem you are seeing?
The fortunate thing is that Cisco has a solution to this problem called Trunk Failover with Link State Tracking. What this allows you to do is to tell the blade switch that if it experiences a failure on its uplinks that it should also bring down the links to the servers as well. This will cause the servers to see a failure on their active NIC and perform a switchover to the second blade switch.
I looked up your switch and found that your 12.2(25)SE1 code does not support this feature. You will need to upgrade to 12.2(25)SEE4 and you will be able to configure this on your switches.
Here is a link to see how this configuration works:
http://www.cisco.com/en/US/docs/switches/blades/3020/software/release/12.2_25_sef1/configuration/guide/swethchl.html#wp1346176
Hope this helps.
If so please rate my posts.
Thanks,
Brad -
Problems with Comodo Kill Switch, Windows Services & Bitlocker Encryption on Asus N56VZ
Hi All,
So recently I found myself stuck in a different scenario than before, and after many hours researching and efforts to fix this I still find myself stuck yet with a few options still to fix.
What is the problem?
So as a security-cautious user, when I first got Windows 8.1 Pro 64Bit I encrypted both the C and D drives (split the main disk) to protect myself and my family. Unfortunately that has not been very helpful with the way in which booting and running from either external USB devices or CD/DVD works, not allowing me to do so at all.
The usual security suite I use is Comodo Internet Security, which additionally comes with Comodo Kill Switch. Whilst using the application, instead of stopping one of the TCP connections I was meant to, I accidentally stopped a Windows Explorer connection.
For some reason since then neither Windows Explorer nor most Windows apps or services themselves will run. For example msconfig will run but sfc /scannow or mmc will not, whether in safe mode or normal mode.
What Caused the Problem?
Cannot 100% say
What I Think Caused the Problem?
Myself running Comodo Kill Switch, stopping a vital server connection with Windows Explorer, which messed up a lot. Or a potential virus, unknown how; cannot fully scan the system as it won't boot externally or run many apps.
Additional Info
Asus Webcam is Disabled on Purpose
Laptop was fully customized to run latest games full graphics minus Anti Aliasing, works with Evolve + CoD Advanced Warfare
Laptop does not boot if USB Keyboard plugged in, works with everything else normal (had this on other systems no problem for me)
Ask me for more info if required to add here, braindead again
Specifications of my system
Intel® Core™ i7 3610QM Processor
Windows 8.1 Pro 64Bit
Intel® HM76 Chipset
DDR3 1600 MHz SDRAM, 2 x SO-DIMM 8GB
15.6" HD (1366x768)/Full HD (1920x1080)/Wide View Angle LED Backlight
NVIDIA® GeForce® GT 650M with 2GB DDR3 VRAM
1TB 5400RPM OR 750GB 5400/7200RPM (Cannot remember off top of head, braindead)
Super-Multi DVD
Kensington lock (Security Feature)
LoJack (Security Feature)
BIOS Booting User Password Protection (Security Feature)
HDD User Password Protection and Security (Security Feature)
Pre-OS Authentication by programmable key code (Security Feature)
What Can Run and Won't Run?
ON BOOT:
Bitlocker Encryption Password & Advanced Settings are accessible
Bios (password protected) is accessible
Windows Recovery Mode is accessible (Think it is F9 or F10)
Windows Logon Password Screen is accessible
ON NORMAL/SAFE-MODE START UP:
After Log-In Windows Explorer will not run
Task Manager will run, also allows me to browse the files when trying to start new task
Can run Command prompt
Cannot run any control panel items
Cannot run services.msc
Cannot run mmc
Cannot run sfc
Every time it mentions the Windows drive is locked
Start errors when running certain applications (will post codes soon)
Rufus USB Tool does run
Cannot boot Kali Linux off USB
Cannot boot Windows 8.1 off USB
Cannot boot Windows 8.1 off DVDRW
Fixwin2 will not run
Apps either work or don't whether in safe mode or normal
Cannot use Windows Installer
What Fixes I Have Tried So Far
Ok so like any normal user I don't want to lose my files. So here are what I have tried so far:
Repair MBR (Repair Completed, No Luck)
SFC /SCANNOW (Returns Error 'Windows Resource Protection could not start the repair service')
Tried sfc /SCANNOW /OFFBOOTDIR=c:\ /OFFWINDIR=c:\windows (Could not access drive)
Fixwin2 (Will not run in either normal or safe mode)
Booting using Windows 8.1 via USB (Cannot boot from external devices due to Bitlocker Encryption)
Booting using Kali Linux via DVD & USB (Cannot boot from external devices due to Bitlocker Encryption)
How do I know it is because of Bitlocker? Because last time I disabled it, I could run from external devices
Tried to run Bitlocker to change settings (Will not run)
Have used both password and recovery keys to unlock the drive; they work, but when applications are running on Windows the drive is still locked?
Tried Windows Automatic Diagnostic and Repair (Could not repair anything, did make a log I am still to extract from the system)
There are No System Restore Points
I'm sure there is much more information I could post however I will leave it on an ask to know basis, apart from the log files and further information to gather. Below is my list of trial and error fixes to try for today (need more ideas and help please!):
Hiren's 15.2 Boot CD via DVD (NOT ABLE TO BOOT)
Hiren's 15.2 Boot CD via USB (NOT ABLE TO BOOT)
Research into the Bios and Possible Update in-case of implementation of Virus, can access flash utility (STILL NOT TESTED)
Try and get a portable version or a working version of windows installer to try and re-install Comodo Internet Security (STILL NOT TESTED)
Another way to disable Bitlocker
Anti-Malware / Anti-Virus Scan If Possible to Run One
Bitlocker Repair Tool, will try this also
I have posted this as I have not found much info online. Usually I find it and crack on, but this time things are a little more tricky. My priority task, which I really need to do, is to remove the Bitlocker Encryption, but if the application will not run... what do I do then?
Thanks for your time reading all, Sorry for any poor formatting or spelling.
Update 1: MMC.exe Error Code
Ok so now have the computer in safe mode, still same as before, no explorer.exe, no services etc... Just went into the Task Manager > Services (Tab) > Open Services (Option at bottom)
This is the error I get:
'The Instruction at 0x785a746c referenced memory at 0x000000a8. The memory could not be read.
Any Ideas on what this error is and why?
Update 2: CHKDSK Works with no Fix
Update 3: Hiren's 15.2 Boot CD - USB Boot still no luck booting around Bitlocker Encryption
Just to explain again, I already have unlocked the drive with the correct Bitlocker password or recovery key, yet the drive remains locked, not allowing a Windows refresh of files or a complete install from the Windows recovery menu, as it keeps saying the drive is locked
Ok so attempt number two to write this update via bloody phone! (Just refreshed page whilst writing!)
Update 4:
Problem - cannot run from bootable devices (DVD/USB)
Cause - bitlocker fully encrypted drive stops this working
Repair - Boot up holding F9 to enter Windows recovery
Input Bitlocker recovery keys to unlock drives
Navigate to Command Prompt in advanced settings
Execute following code:
Repair-bde c: d: -rp 000111-222333-444555-etc...
(Code found from https://technet.microsoft.com/en-us/library/ee523219%28v=ws.10%29.aspx)
Note for those using this: It is common while unlocking certain drives to get errors such as the following. Quote from http://www.benjaminathawes.com/2013/03/17/resolving-partial-encryption-problems-with-bitlocker/
"LOG INFO: 0x0000002a Valid metadata at offset 8832512000 found at scan level 1.
LOG INFO: 0x0000002b Successfully created repair context.
LOG ERROR: 0xc0000037 Failed to read sector at offset 9211592704. (0x00000017)
LOG ERROR: 0xc0000037 Failed to read sector at offset 9211593216. (0x00000017)
…followed by around 20 similar entries that differed only by the offset value"
Repair Status for Update 4: COMPLETED - However over wrote D drive data so now need to recover that
Problem 2 - windows services corrupted along with windows files
Cause - Unknown
Repair - wait until system is fully decrypted
Once fully decrypted ensure boot from USB/DVD
Re-do fixes that would not work before if this has fixed boot issue
Confirm fix / update post
Hope anything I put here helps others also -
Windows XP see blank screen when remote desktop to Windows 7 with fast user switching disabled
All computers are in workgroup environment, no AD.
Windows 7 Pro machines are configured with fast user switching mode disabled so that only one login session can run at a time. When a Windows 7 machine remote desktops to another Windows 7 machine, the remote desktop 'server' will give a 30-second countdown for the console logged-in user to accept the remote connection, or when the timeout expires it kicks out the console logged-in user. This is completely OK.
This becomes a problem when a Windows XP RD client tries to remote desktop to these Windows 7 machines: Windows XP sees a blank screen if the remote Windows 7 machine has a user logged in, as it is waiting for the user to log off first. This is not desirable as our administrators want the console session to be logged out automatically if they (administrators) want to remote desktop in.
Is this a configuration problem? Is this an OS design that can't be changed?
Valuable skills are not learned, learned skills aren't valuable.
Hi,
As I know, for RDP session in Windows 7, you don't need to configure the fast user switch option disabled. Windows 7 doesn’t support multiple Remote Desktop sessions by design, that means only one RDP session at a time.
I remote into my Windows 7 machine (which has a user logged in) from my XP machine, all work fine, the user logged in Windows 7 machine is automatically "kicked off".
May I ask a question? Does this issue happen in all XP machines? If you leave Windows 7 machine started and no user logged in, the RDP session in Windows XP established quickly?
I would suggest you keep the latest graphics card drivers and the latest update patches for both Windows XP (Windows XP has come to the end of its lifecycle) and Windows 7.
Yolanda Zhu
TechNet Community Support -
User activity with fast user switching
what actually continues with one user when another user logs on with fast user switching?
Does any activity continue, such as downloading, calculating, getting mail, or playing movies? Or does everything go into limbo until that user logs back on?
Audio output is squelched when fast user switching. Under Panther, audio playing in one user account would continue to play after fast user switching to another account. Under Tiger, the actual process continues, but the sound is muted.
Same thing goes for audio input. I learned this the hard way by setting up an app to record a two hour radio program through the built-in audio input jack. During the recording I switched to another account for an hour. When I later went to listen to the recording, there was an hour of silence corresponding to the time I was in the other account.
I really wish Apple would fix this. -
Solarwinds Netflow products what will work with a 3850-switch
Does anybody know….what Solar winds product will do Net Flow with Cisco 3850-switches? I know Net Flow Configurator will not work….but what about Net Flow Real-time for a Cisco 3850 switch?
For a lot of people, it is not neccessary. I used to ask myself that question until I came across a need for things that iLife and the Finder would not do.
Toast is a great program with a lot of features that just are not standard on a Mac.
You can make music DVDs. You can span a HD backup over multiple disks. You can make hybrid PC/Mac disks. It has DVD compression tools to fit an 8.5GB dual-layer DVD onto a single-layer 4.7GB DVD. It supports OGG and FLAC audio formats. You can turn your iMovie and iDVD projects into DivX disks.
It also has lots of nice tools to clean up audio that is imported from a noisy source - like vinyl.
It is all in all a very useful program, but not unless you need any of those features of course. -
Ap521 - 802.1x LEAP - with IAS ?
Hi there,
I wanted to do 802.1x PEAP with my AP521 as a standalone access point. Unfortunately, in the data sheet it seems that only LEAP is supported with the AP521.
http://www.cisco.com/en/US/prod/collateral/wireless/ps7306/ps7319/ps7338/product_data_sheet0900aecd8060c220.html
LEAP
Dynamic-WEP
Open-EAP Network-EAP
So, as I have Microsoft IAS, I was trying to figure out if LEAP is supported ... it seems that officialy not :
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_q_and_a_item09186a00805e8297.shtml
and from microsoft also
http://technet.microsoft.com/en-us/library/cc785368(WS.10).aspx
But, some people on forum said there is some things you can do to make it work...
https://supportforums.cisco.com/message/1295984#1295984
By default, the access point sends reauthentication requests to the authentication server with the service-type attribute set to authenticate-only. However, some Microsoft IAS servers do not support the authenticate-only service-type attribute. Changing the service-type attribute to login-only ensures that Microsoft IAS servers recognize reauthentication requests from the access point. Use the dot11 aaa authentication attributes service-type login-only global configuration command to set the service-type attribute in reauthentication requests to login-only.
http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_guide_chapter09186a00802091b1.html
What do you think? Have you guys done that?
thanks
Phillippe,
PEAP is supported through the APs which is most likely what you will use in a Microsoft environment. This is covered under the Open-EAP heading.
--Jesse