Apple & Windows 7 Authentication Methods Cisco 1242AP EAP

Hi CSC Members,
I'm pretty new to wireless (so go easy on me): my situation is I need to be able to provide secure wireless internet access to guests with BYODs, namely Apple iPads, iPhones, Windows PCs and Apple Macs, without them being under my administrative control; namely, I cannot add them to a domain, nor indeed do I want to have to interact with the user and install certificates on their machines.
I'm looking for the 'best method' to achieve this, WPA2/AES with a PSK and MAC filtering was a suggestion but I don't really want to have to audit their MAC addresses. I'm just looking for a 'quick and dirty' secure username/password combination I'm guessing. I'm not using a WLC, just one or possibly a couple of 1242 Autonomous APs. I don't want to have to personally enter a PSK on their machines either as they can easily find this out and give the password to someone else, so I need to be able to change/add user accounts and user passwords centrally NOT on their devices.
I have an example configuration below, using the Cisco 1242AP as a Local Radius WHICH WORKS for me on Apple iPads and iPhones, however I cannot for the life of me get it to work with a Windows 7 Laptop. I'm not even totally sure exactly what type of authentication I've configured (Help!!), but entering the username and password on an iDevice just works! Is it EAP-FAST? My Windows 7 client doesn't seem to support EAP-FAST, only Microsoft PEAP, which I "believe" requires a certificate or some kind of machine authentication. So I'm not sure how to access this wifi network I've created using a Windows machine. I'd prefer to use a Windows 2008 NPS Radius Server if at all possible but couldn't get it working with the 1242AP, hence I went for Local Radius as a starting point.
1) Does anyone have a sensible suggestion as to what the best solution for my needs is? (I have access to a new Windows 2008 R2 Server)
2) How do I configure a Windows 7 as well as an Apple machine to authenticate to the suggested 'best' method?
3) I'd be really grateful if someone could clarify exactly what my configuration is using for Authentication.
Thanking you in advance for your guidance and recommendations,
Mike
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname Media_AP
enable secret 5 $1$k3.3$QU/yBNYeOJM7BDxzRTq1g/
aaa new-model
aaa group server radius rad_local
 server 192.168.1.2 auth-port 1812 acct-port 1813
aaa authentication login eap_local group rad_local
aaa session-id common
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.10
ip dhcp pool Media_DHCP_Pool
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.2
dot11 syslog
dot11 ssid MediaCafe
   authentication open eap eap_local
   authentication network-eap eap_local
   authentication key-management wpa version 2
   guest-mode
   infrastructure-ssid
username Cisco password 7 13261E010803
bridge irb
interface Dot11Radio0
 no ip address
 no ip route-cache
 encryption mode ciphers aes-ccm
 ssid MediaCafe
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
interface Dot11Radio1
 no ip address
 no ip route-cache
 shutdown
 no dfs band block
 channel dfs
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
interface BVI1
 ip address 192.168.1.2 255.255.255.0
 no ip route-cache
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
radius-server local
  no authentication mac
  nas 192.168.1.2 key 7 0505071C32444F1B1C010417081E013E
  user sky nthash 7 013150277A52525774146B5F492646375B2F277C7300716062734455335224000A
radius-server host 192.168.1.2 auth-port 1812 acct-port 1813 key 7 11071816041A0A1E012E38212B213036
bridge 1 route ip
line con 0
line vty 0 4
end
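Added example (editor's code, not the poster's and not a Cisco tool): a small Python audit of an autonomous AP running-config that reports which security mode each SSID actually offers and flags weak management and cipher settings. For the config above, `authentication open eap` plus `authentication network-eap` with `key-management wpa version 2` means WPA2-Enterprise (802.1X/EAP); the specific EAP type is negotiated between the client and the RADIUS server, and the AP's built-in local authenticator supports LEAP, EAP-FAST and MAC authentication. The script assumes the indented form of `show running-config`; SAMPLE_CONFIG is constructed from the posted config with secrets replaced by PLACEHOLDER and a second, deliberately open SSID added for contrast.

```python
"""Audit a Cisco IOS autonomous-AP running-config: which security mode each
SSID really offers, and which management/encryption settings are weak.

Added example, not the poster's code or a Cisco utility.  Assumes the indented
form of `show running-config` (IOS prints sub-commands with leading spaces).
SAMPLE_CONFIG is constructed from the posted config: secrets are PLACEHOLDER
and an open second SSID on the second radio is added for contrast.
"""
import re
from typing import Dict, List, Tuple

SAMPLE_CONFIG = """\
hostname Media_AP
aaa new-model
aaa group server radius rad_local
 server 192.168.1.2 auth-port 1812 acct-port 1813
aaa authentication login eap_local group rad_local
dot11 ssid MediaCafe
   authentication open eap eap_local
   authentication network-eap eap_local
   authentication key-management wpa version 2
   guest-mode
dot11 ssid LegacyCafe
   authentication open
   guest-mode
interface Dot11Radio0
 encryption mode ciphers aes-ccm
 ssid MediaCafe
 station-role root
interface Dot11Radio1
 encryption mode ciphers tkip
 ssid LegacyCafe
 station-role root
ip http server
no ip http secure-server
radius-server local
  no authentication mac
  nas 192.168.1.2 key 7 PLACEHOLDER
  user sky nthash 7 PLACEHOLDER
"""

WEAK_CIPHERS = {"tkip", "wep40", "wep128"}

Block = Tuple[str, List[str]]  # (top-level command, its sub-commands)


def parse_blocks(config: str) -> List[Block]:
    """Group config lines into top-level commands plus their indented sub-commands."""
    blocks: List[Block] = []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0].isspace() and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def classify_ssid(sub: List[str]) -> str:
    """Describe the security mode a `dot11 ssid` block offers to clients."""
    has_eap = any(s.startswith("authentication open eap ")
                  or s.startswith("authentication network-eap ") for s in sub)
    has_psk = any(s.startswith("wpa-psk ") for s in sub)
    has_wpa = any(s.startswith("authentication key-management wpa") for s in sub)
    has_wpa2 = any("key-management wpa version 2" in s for s in sub)
    if has_eap and has_wpa2:
        return "WPA2-Enterprise (802.1X/EAP; EAP type negotiated with RADIUS)"
    if has_eap and has_wpa:
        return "WPA-Enterprise (802.1X/EAP)"
    if has_psk:
        return "WPA2-Personal (PSK)" if has_wpa2 else "WPA-Personal (PSK)"
    if has_eap:
        return "802.1X/EAP with dynamic WEP keys"  # EAP without WPA key management
    return "open (no authentication)"


def audit(config: str) -> Dict[str, object]:
    """Return {'ssids': {name: mode}, 'findings': [(severity, message), ...]}."""
    blocks = parse_blocks(config)
    top = {cmd for cmd, _ in blocks}
    ssids: Dict[str, str] = {}
    findings: List[Tuple[str, str]] = []

    for cmd, sub in blocks:
        m = re.match(r"dot11 ssid (.+)$", cmd)
        if m:
            name = m.group(1)
            ssids[name] = classify_ssid(sub)
            if ssids[name].startswith("open") and "guest-mode" in sub:
                findings.append(("HIGH", f"SSID {name} is broadcast (guest-mode) with no authentication"))
            continue
        m = re.match(r"interface (Dot11Radio\d+)$", cmd)
        if m and "shutdown" not in sub:  # only radios that are actually up
            for s in sub:
                c = re.match(r"encryption (?:vlan \d+ )?mode ciphers (.+)", s)
                if c:
                    weak = sorted(set(c.group(1).split()) & WEAK_CIPHERS)
                    if weak:
                        findings.append(("MEDIUM", f"{m.group(1)} offers weak cipher(s): {', '.join(weak)}"))
            continue
        if cmd == "radius-server local":
            users = [s.split()[1] for s in sub if s.startswith("user ")]
            findings.append(("INFO", f"AP is its own RADIUS server (LEAP/EAP-FAST/MAC auth) "
                                     f"for {len(users)} local user(s): {', '.join(users)}"))

    if "ip http server" in top and "no ip http secure-server" in top:
        findings.append(("HIGH", "management web UI is served over plaintext HTTP only"))
    return {"ssids": ssids, "findings": findings}


if __name__ == "__main__":
    report = audit(SAMPLE_CONFIG)
    for name, mode in report["ssids"].items():
        print(f"SSID {name}: {mode}")
    for sev, msg in report["findings"]:
        print(f"[{sev}] {msg}")
```

Run it against a real `show running-config` capture to see at a glance whether an SSID is Enterprise, Personal or open, and whether the AP's own management plane is exposed over HTTP before anyone hands out credentials.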

The best scenario for guests is to have an open SSID. With autonomous APs you're sort of out of luck. With the WLC you can incorporate a splash page. That being said, you might want to look at some free hotspot software unless you want to pay for one. Here are some free ones, but you can just search around.
http://www.hotspotsystem.com/en/hotspot/free_hotspot_software.html
http://www.antamedia.com/free-hotspot/
Thanks,
Scott
Help out others by using the rating system and marking answered questions as "Answered"

Similar Messages

  • Apple macosx machine authentication with ISE using EAP-TLS

    Hello,
    On an ongoing setup we are using EAP-TLS authentication with account validation against AD. We have our own CA (Microsoft based). ISE version 1.2.1 patch 1.
    With windows machines all is working well. We are using computer authentication only.
    Now the problem is that we wish to do the same with Mac OS X machines.
    We are using the Casper software suite and are able to push certificates onto Mac OS X, and are doing machine authentication.
    In ISE the certificate authentication profile is set to look at the subject alternative name (DNS name) of the machines. Whenever we set it to the UPN (hostname$), Windows accounts are not found in AD.
    When Mac OS X machines authenticate as machines (they have a computer account in AD) they present themselves with RADIUS-Username = hostname$ instead of host/hostname.
    The consequence is that, lacking the host/, ISE considers this a user authentication instead of a computer one, and when it sets off to find the account it searches in the User class instead of Computer, which obviously returns no results.
    Is anybody aware of any way to force Mac OS X to present a host/hostname RADIUS-Username when authenticating?
    Any similar experiences of authenticating Mac OS X with ISE and machine/computer authentication are welcome.
    Thanks
    Gustavo Novais
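Added example (editor's code, not ISE's or Apple's): the identity classification an authentication server has to do before it can choose the AD object class, written out so the failure described in the post is visible. It encodes the conventions the thread relies on (the Windows supplicant sends `host/<fqdn>` for machine authentication; an AD computer account's sAMAccountName ends in `$`) alongside the usual user forms (`DOMAIN\user`, `user@realm`, bare name). The `trailing_dollar_is_machine` switch is a hypothetical policy knob for illustration, and the sample identities are constructed.

```python
"""Classify the RADIUS User-Name an 802.1X supplicant sends, the way an
authentication server must before it can pick the right AD object class.

Added example, not ISE or Apple code.  Conventions encoded: `host/<fqdn>` is
the Windows machine-authentication identity; AD computer accounts have a
sAMAccountName ending in '$'; users arrive as DOMAIN\\user, user@realm or a
bare name.  `trailing_dollar_is_machine` is a hypothetical policy switch.
"""
import re
from typing import NamedTuple


class Identity(NamedTuple):
    kind: str     # "machine" or "user": which AD object class to search
    lookup: str   # sAMAccountName to look for
    realm: str    # domain/realm hint carried in the identity, or ""


def classify_identity(user_name: str, trailing_dollar_is_machine: bool = False) -> Identity:
    """Map a raw User-Name to the object class and account name to look up.

    With trailing_dollar_is_machine=False this mirrors what the thread describes:
    'hostname$' without a host/ prefix is treated as a *user* name, so the
    lookup lands in the User class and finds nothing.  True lets a policy
    rescue supplicants that omit the prefix but still send the computer name.
    """
    name = user_name.strip()
    m = re.fullmatch(r"host/([^@/\\]+)", name, flags=re.IGNORECASE)
    if m:
        host, _, realm = m.group(1).partition(".")
        return Identity("machine", host.upper() + "$", realm.lower())
    m = re.fullmatch(r"([^\\]+)\\(.+)", name)  # DOMAIN\account
    if m:
        realm, account = m.group(1), m.group(2)
    else:                                      # account@realm or bare account
        account, _, realm = name.partition("@")
    if trailing_dollar_is_machine and account.endswith("$"):
        return Identity("machine", account.upper(), realm.lower())
    return Identity("user", account, realm.lower())


if __name__ == "__main__":
    # Constructed sample identities as they would appear in RADIUS User-Name.
    samples = ["host/pc01.corp.example", "CORP\\alice", "alice@corp.example", "macbook01$"]
    for s in samples:
        default = classify_identity(s)
        rescued = classify_identity(s, trailing_dollar_is_machine=True)
        print(f"{s:28} -> {default.kind:7} {default.lookup:12} "
              f"(with $-rule: {rescued.kind} {rescued.lookup})")
```

The last sample line is the Mac case from the post: by default it is classified as a user and searched as `macbook01$` in the User class, which is exactly the lookup that returns nothing; only a policy that treats a trailing `$` as a computer account redirects it to the Computer class.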

    Additional information from the above question.
    I have the following setup;
    ACS 3.2(3) build 11 appliance
    -Cisco AP1200 wireless access point
    -Novell NDS to be used as an external database
    -Windows 2003 Enterprise with standalone Certificate Authority Services installed
    -Windows XP SP2 client
    My goal is to use the Windows XP native WLAN utility to connect to the AP using EAP-TLS authentication against Novell NDS.
    Tried to connect using the Cisco compatible WLAN utility and authenticate using EAP-GTC against Novell NDS for users; it works fine and perfectly.
    When connecting using EAP-TLS, I am getting an error from ACS, failed attempt "Auth type Not supported by External DB". But the ACS documentation says that it supports EAP-TLS. How true is this? Does anybody have the same problem? Do I need to upgrade my ACS? What should I do? What other authentication type could be used to utilize the native WinXP WLAN utility?
    Please help...
    Thanks

  • Establish Windows NT authentication

    Hi,
    I would be interested in establishing a Windows NT authentication method for my Hyperion EPM system. I have been checking the EPM Security Guide and I haven't found any reference to this method. Do you know if it is possible to configure this kind of authentication?

    Is your web/app Java? Such as Tomcat? There is no NT option in Tomcat or other Java app servers. You must set up AD authentication and Kerberos to use AD on a Java app.
    Migrating an existing installation from NT to AD is much simpler than it would seem. There are SAP notes on the subject or you can open a case with the authentication team. Basically rename your groups and remap them into AD (using the original name). Then configure Kerberos to login.
    Regards,
    Tim

  • Cisco ISE multiple EAP authentication methods question

    With Cisco ISE can you have various clients each using different EAP methods, such as PEAP for Windows machines, MD5 for legacy and TLS for others?
    My current efforts seem to fail, as if a device gets a request from the ISE for an EAP method it doesn't understand it just times out.
    Thanks in advance.

    Multiple EAP methods work fine. If your clients are being crap you could try forcing them to use a specific set of Allowed Authentication Methods by creating more specific authentication rules.
    Sent from Cisco Technical Support iPad App

  • MacBookPro and Cisco's LEAP authentication method

    I am getting ready to get laptop in next couple of weeks.
    The Law School's wireless network standard is 802.11g. The network uses Cisco's LEAP authentication method. Only LEAP-enabled notebook computers may connect to all access points of the Law School wireless network.
    I googled this and at least last year in 2006, MacBook Pros weren't working with the LEAP system because they wouldn't assign an IP address. Do you know whether this has been resolved?
    MacG5 Mac OS X (10.4.10)

    I found this: Finder>Help>Mac Help>Search: LEAP>
    "AirPort: How to configure Mac OS X 10.4 "Tiger" clients for LEAP authentication
    If you select LEAP authentication on a Mac OS X 10.4.2 or later computer on which the AirPort 4.2 or later update has been installed, your authentication settings may be lost after restart, sleep, or location change. As a workaround, you should use the steps shown here, which will have the effect of configuring LEAP, even though you will choose WEP from the menu.
    Go to the Network pane of the System Preferences, show AirPort, and click the AirPort tab.
    Be sure the "By default, join" menu is set to "Preferred networks."
    Note: If you don't have "Preferred networks" as a choice, this means that your 10.4 system was upgraded from 10.3, and that you're still using a Location imported from 10.3 (Panther). In this situation, you experience Panther behavior instead of new Tiger features. You will need to create a new location to utilize Tiger features and complete these steps.
    Click the "+" button.
    Enter the desired network name in the window that appears.
    From the Wireless Security pop-up menu, choose WEP Password.
    Replacing username and password with the actual name and password, enter them exactly as shown here, including both brackets and slash:
    <username/password>
    Note: Though there will not be any visible indication, this entry format sets the client to use LEAP rather than WEP.
    Click OK. Note: The network entry will appear in the table as "WEP," but LEAP will be used.
    Click Apply Now."
    Looks like it works when you know what to do (or where to search).

  • NPS Authentication Methods - EAP Types

    We are moving from IAS to NPS and are configuring the policy like it was in IAS. When we click on the Constraints tab > Authentication Methods > and then highlight Microsoft: Protected EAP (PEAP) and click Edit we get an error "The data is invalid". How do we fix this error? There are no errors in the event viewer for NPS.

    Hi MarkNDOR,
    Thanks for posting here.
    We'd suggest smoothly migrating IAS to NPS by following the guide in the link below, without manually recreating all policies; it also includes the Iasmigreader.exe utility, which will help to transfer the IAS policies to an NPS-compatible file type:
    NPS Migration Guide
    http://technet.microsoft.com/en-us/library/ee791849(WS.10).aspx
    Thanks.
    Tiger Li
    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

  • How to migrate users, which have been using the Windows Authentication method

    Hi everybody,
    I have to migrate a productive SQL Server 2008 database from one server to another, different server. The problem is that a lot of users have been using this DB through the Windows Authentication method. Because the migration should be as fast as possible, I would like to use a SQL script in order to streamline the process. Does anyone know if it is possible to do it?
    Thank you in advance,
    Regards

    Apart from the transfer-logins scripts Ashwin and Stan mentioned, I usually run the following script in order to re-establish orphaned users for any SQL logins.
    set nocount on
    -- Walk every database user whose SID no longer maps to a server login
    -- (suser_sname(sid) is null), skipping built-in users and database roles.
    declare @username    sysname,
            @errcode     int
    select @errcode = 0
    select @username = min(name)
    from sysusers (nolock)
    where uid <> gid and
          name not in ('guest', 'sys', 'INFORMATION_SCHEMA') and
          suser_sname(sid) is null and
          issqlrole = 0
    while @username is not null
    begin
       -- A login of the same name exists on the server: re-link the user to it.
       if exists (select 1
                  from master.dbo.syslogins (nolock)
                  where name = @username)
       begin
          exec sp_change_users_login @Action = 'Update_One',
                                     @UserNamePattern = @username,
                                     @LoginName = @username
          select @errcode = @@error
          if @errcode = 0
             print 'The user ''' + @username + ''' was re-established in database!'
          else
             print 'Failed to re-establish user ''' + @username + ''' in database!'
       end
       else
       begin
          -- No matching login at all: the user is truly orphaned, so drop it.
          print 'The user ''' + @username + ''' does not have login ID. So, drop it from database!'
          exec sp_dropuser @username
       end
       -- Advance to the next orphaned user name in alphabetical order.
       select @username = min(name)
       from sysusers (nolock)
       where uid <> gid and
             name not in ('guest', 'sys', 'INFORMATION_SCHEMA') and
             suser_sname(sid) is null and
             issqlrole = 0 and
             name > @username
    end
    go

  • Cisco ACS v4.1 - User Export incl. Authentication Method

    Hi,
    I wish to export a list of all our users, to include their group and, more importantly, their password authentication method. We have a combination of users that authenticate using both the ACS internal database and also the external RSA SecurID database. Basically I need to identify all users who are NOT authenticating against SecurID.
    I ran CSUtil.exe -u   , however this only gives me the user & group, doesn't list the authentication method per user.
    Thanks,
    Brian

    Brian,
    Unfortunately, CSUtil.exe will only list the users & group they are a member of. So the simple answer is no.
    If the goal is to set everyone to use token authentication, you could export a list of all users with CSUtil.exe, then use the client import option to update the database used for authentication of all users. Here is the URL for documentation on this and other CSUtil.exe options.
    =====================
    Via Csutil
    Created a file in text format
    ONLINE
    UPDATE::EXT_SDI
    ADD::EXT_SDI:PROFILE:
    DELETE:
    csutil -i
    =====================
    If you feel adventurous, you could explore the contents of the dump.txt by running csutil -d
    This file does contain the information you are looking for. However, there is no documentation or support available for reading or decrypting it.
    Regards,
    Jatin
    Do rate helpful posts-

  • Cisco ISE - eap-peap and eap-tls

    Hi,
    Does anybody have an example of an ISE authentication policy where authentication requests coming from a WLC can be handled by TLS and PEAP?
    I don't seem to get that working; I do however make the ISE application crash with my config, which is not the idea.
    If peap use this identity source, if tls use 'this certificate authentication profile'.
    Thx

    OK,
    so I have just fired up my lab and I actually created an Identity Sequence which contained my AD & my certificate profile.
    The authentication policy was allowing EAP-TLS & EAP-PEAP.
    I then created 2 authorization rules, 1 for users and 1 for machines permitting access based on windows AD group.
    What I found out was that the Windows 802.1X supplicant can only support 1 method of authentication, so if you want this to work properly, you need a different supplicant. I think Cisco do a more advanced one, not sure. You can then specifically choose that for machine auth you use EAP-TLS and for user auth you use EAP-PEAP.
    In my setup, machine auth ONLY happens when the user logs off the machine and it is sitting at Ctrl+Alt+Del, so that it can still talk to the network and get all relevant updates etc. I found that not only did the machine authenticate using EAP-PEAP, it also authenticated using TLS... I think that is because of the wireless settings I had. I chose EAP-PEAP for the wireless settings.
    When the user then logs in, the user account authenticates using EAP-PEAP. I don't think you can authenticate both the logged on user and the machine at the same time. Not with the native Windows supplicant anyway. Windows either sends an authentication request for the user or the machine but not both.
    Hope that helps.
    Mario

  • User Authentication Method not found?

    I'm using OSX but a co-worker is running 9.2.2 and is having trouble accessing a server on the corporate Microsoft network.
    I can get to the server using OSX but when she selects the server (which does show up in the Chooser list) she gets an error message saying that "the User Authentication Method could not be found" and she should check the AppleTalk folder in her extensions folder. AppleTalk folder? Check it for what?
    What must we do to get access to the new server?
    Thanks.

    For OS 9 to talk to an MS server requires that the server has Client Services for Macintosh fired up and yes, sometimes also that the client Mac has a Microsoft User Authentication Module installed and configured.
    Microsoft says that without the MS UAM, she should still be able to
    Log on to the special Microsoft UAM Volume on the computer running Windows 2000 Server to access the MS UAM file.
    If she can't get that far and there are no other symptoms, the network administrator needs to adjust the security settings on the server, or reinstall Client Services for Macintosh…
    Then drag the MS UAM file to your AppleShare(c) Folder in your System Folder. Instructions follow. (Users outside North America, see the "International Concerns" section later in the Release Notes before proceeding.)
    To gain access to the Microsoft Authentication files on the computer running Windows 2000 Server
    1. On the Macintosh Apple menu, click Chooser.
    2. Double-click the AppleShare icon, and then click the AppleTalk(c) zone in which the computer running Windows 2000 Server, with Services for Macintosh, resides. (Ask your system administrator if you're not sure of the zone.)
    3. From the list of file servers, select the Windows 2000 Server computer, and then click OK.
    4. Click the Registered User or Guest option, as appropriate, and then click OK.
    5. Click the Microsoft UAM Volume, and then click OK.
    6. Close the Chooser dialog box.
    To install the authentication files on the Macintosh workstation
    1. On the Macintosh Desktop, double-click the Microsoft UAM Volume.
    2. Locate the "MS UAM Installer" file on the Microsoft UAM Volume, then double-click it.
    3. Click Continue in the installer welcome screen.
    The installer will report whether the installation succeeded.
    If the installation has succeeded, when Macintosh users of this workstation connect to the Windows 2000 Server computer, they will be offered Microsoft Authentication.

  • Wireless Security & Authentication methods

    Hi,
    I've some experience on WLAN networks, but I would like to have your opinion around wireless security implementations.
    We have several sites where we have some Cisco access points running IOS. We are currently doing WEP 128b, with MAC authentication against a central ACS server.
    But having fixed WEP, and mac registrations is not very practical.
    Do you know about any method to have authentication against Active Directory (passing through the Cisco ACS), and Dynamic WEP Keys ?
    Any recommendation is welcome.
    Of course with this we would like to bring up our level of security.
    Thanks a lot for all,
    Best Regards,
    Jorge

    802.1x/EAP authentication is the most popular authentication method in wireless. The following documents explain how to configure EAP authentication.
    http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801bd035.shtml
    http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801c0912.shtml
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00805e7a13.shtml

  • One SSID with multiple authentication methods

    Have received a request from a customer to run both TKIP and AES encryption on the same SSID
    From reading I believe this is not possible but can anyone confirm this please
    Currently the config looks thus
    dot11 ssid HELP
       vlan 20
       authentication open eap eap_methods
       authentication network-eap eap_methods
       authentication key-management wpa
       authentication key-management wpa version 2  <<<<<<<<<<<<<<<<<<
    <<<<< Trying to add wpa version 2 overwrites authentication key-management wpa so presume this confirms it can't be done >>>>>
    interface Dot11Radio0
     encryption mode ciphers tkip
     encryption vlan 20 mode ciphers aes-ccm tkip
    Many Thanks

    Hello
    Cisco wireless products have the option to offer the wireless clients both encryption methods, TKIP and AES, and even WEP on the same SSID. This can be configured on the GUI and CLI, but what you have to be aware of and be careful about is that this is not the standard. Even though Cisco can offer this, some clients won't understand that; they will get confused and disconnect or just not be able to connect at all.
    We are talking about encryption here not authentication so to answer your question: yes, you can configure several encryption methods on the same vlan but it is not a best practice and regarding authentication, it is not possible to configure different authentication methods on the same SSID.
    Regards,
    Sent from Cisco Technical Support Android App

  • 4G LTE Data-stick Mac/Linux/Windows-other authentication information.

    The following information has been released publicly by VZW advanced support so I feel I can share this now:
    If you want to use the UML290 on the Mac/Linux/UNIX/other-platforms you can now do so if you have the engineering knowledge or a little know-how:
    Quick Notes: Verizon 4G LTE uses the GSM APN authentication method through a GGSN (similar to AT&T) and 3G (1X/EVDO) traditionally uses the HA CDMA method. The old CDMA authentication method has been posted years before so I won't repost that.
    You WILL NOT GET SUPPORT UNTIL THE OFFICIAL VZACCESS Software comes out on the Mac.
    4G LTE GSM General Device Settings-
    Phone Number: PhoneNumber
    Account name: [email protected]
    Password: vzw
    Advanced Settings-
    Carrier: Generic
    Model: GPRS (GSM/3G)
    APN: vzwinternet
    CID: 1
    Click OK, then connect and enjoy.
    So on the Mac connection manager (generic Apple), make a profile for your UML290 hardware; it should be a modem. Make a GSM connection profile with the above. Phone number is your data-stick phone number (fake phone number, used for system identification; get it from VZAccess or your account page online). Account name is "[email protected]". (Basically add @vzw4g.com to your phone number.) Password is "vzw", same as 3G CDMA. In GSM/3G/4G carrier use generic (no special parameters). Model is GPRS (GSM/3G, same as 4G). GSM APN is "vzwinternet". CID is 1 if your drivers need it.
    Enjoy 4G LTE GSM technology by VZW on your Mac! I will be running this on my Linux engineering dev machine soon. Finally I LOVE YOU VZW!
    Oh and if you're just installing it without a Windows machine using it at least once, your SIM card has to be provisioned by VZW support or a store...
    If you want a visual Mac guide:
    http://homepage.mac.com/jrc/contrib/tzones/
    Official VZW support (replace the inetgsm.vzw3g.com APN used for overseas roaming with the 4g APN used domestically as listed above):
    Mac: http://support.vzw.com/clc/devices/knowledge_base.html?id=30063
    Windows XP/Vista/7 (If you don't want to use VZAccess): http://support.vzw.com/clc/devices/knowledge_base.html?id=29355
    Username/Password/Everything as said above applies, replace as needed.
    NO VZAccess on Mac yet, check your data usage on vzw.com my account... The SMS warning messages should work since it's a standard GSM 3G/4G implementation by VZW if you can get a Mac/Linux app that watches for SMS from the data modem driver interface.
    Verizon will probably add a second APN for smart-phones when they come out with LTE chips. Example: the "vzwinternet" APN gives you a public IP address as that's meant for data-sticks. They will probably use something (I'm just guessing here) like "advdevice" for smart-phones and that will give the smart-phone a private IP address (10.x.x.x) like the current CDMA HAs do. With APN data traffic separation VZW with 4G GSM tech can manage traffic volumes better with bandwidth limits, etc. AT&T/T-Mobile are doing the same now and it has recently been implemented on the legacy CDMA HAs also. Also firewalling, security.

    Oh on the Mac, Apple's GSM (3G/4G/LTE) dialer should work automatically with the above settings. If not try telling Apple's OSX native dialer to dial "#777" for the LTE modem. So far my reports on this engineering fix is that ONLY THE UML290 WORKS WITH OSX! VL600 is using some proprietary LG chipset (aka NON-QUALCOMM which works with OSX LTE) that I can't figure out until VZW fixes it officially with LG.

  • Issue with SharePoint foundation 2010 to use Claims Based Auth with Certificate authentication method with ADFS 2.0

    I would love some help with this issue. I have configured my SharePoint Foundation 2010 site to use Claims Based Auth with the Certificate authentication method with ADFS 2.0. I have a test account set up with lab.acme.com to use the ACS.
    When I log into my site using Windows Auth, everything is great. However, when I log in and select my ACS token issuer, I get sent to the logon page of the ADFS after selecting the ADFS method. My browser prompts me for which certificate identity I want to use to log in, and after 3-5 seconds it returns me to the logon page with the error message "Authentication failed".
    I based my setup on the TechNet article
    http://blogs.technet.com/b/speschka/archive/2010/07/30/configuring-sharepoint-2010-and-adfs-v2-end-to-end.aspx
    I validated that all my certificates are valid and able to retrieve the CRL.
    I got event log ID 300:
    The Federation Service failed to issue a token as a result of an error during processing of the WS-Trust request.
    Request type: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
    Additional Data
    Exception details:
    Microsoft.IdentityModel.SecurityTokenService.FailedAuthenticationException: MSIS3019: Authentication failed. ---> System.IdentityModel.Tokens.SecurityTokenValidationException:
    ID4070: The X.509 certificate 'CN=Me, OU=People, O=Acme., C=COM' chain building failed. The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. 'A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider.
    at Microsoft.IdentityModel.X509CertificateChain.Build(X509Certificate2 certificate)
    at Microsoft.IdentityModel.Tokens.X509NTAuthChainTrustValidator.Validate(X509Certificate2 certificate)
    at Microsoft.IdentityModel.Tokens.X509SecurityTokenHandler.ValidateToken(SecurityToken token)
    at Microsoft.IdentityModel.Tokens.SecurityTokenElement.GetSubject()
    at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.GetOnBehalfOfPrincipal(RequestSecurityToken request, IClaimsPrincipal callerPrincipal)
    --- End of inner exception stack trace ---
    at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.GetOnBehalfOfPrincipal(RequestSecurityToken request, IClaimsPrincipal callerPrincipal)
    at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.BeginGetScope(IClaimsPrincipal principal, RequestSecurityToken request, AsyncCallback callback, Object state)
    at Microsoft.IdentityModel.SecurityTokenService.SecurityTokenService.BeginIssue(IClaimsPrincipal principal, RequestSecurityToken request, AsyncCallback callback, Object state)
    at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.DispatchRequestAsyncResult..ctor(DispatchContext dispatchContext, AsyncCallback asyncCallback, Object asyncState)
    at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.BeginDispatchRequest(DispatchContext dispatchContext, AsyncCallback asyncCallback, Object asyncState)
    at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.ProcessCoreAsyncResult..ctor(WSTrustServiceContract contract, DispatchContext dispatchContext, MessageVersion messageVersion, WSTrustResponseSerializer responseSerializer, WSTrustSerializationContext serializationContext, AsyncCallback asyncCallback, Object asyncState)
    at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.BeginProcessCore(Message requestMessage, WSTrustRequestSerializer requestSerializer, WSTrustResponseSerializer responseSerializer, String requestAction, String responseAction, String trustNamespace, AsyncCallback callback, Object state)
    System.IdentityModel.Tokens.SecurityTokenValidationException: ID4070: The X.509 certificate 'CN=Me, OU=People, O=acme., C=com' chain building failed. The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. 'A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider.
    at Microsoft.IdentityModel.X509CertificateChain.Build(X509Certificate2 certificate)
    at Microsoft.IdentityModel.Tokens.X509NTAuthChainTrustValidator.Validate(X509Certificate2 certificate)
    at Microsoft.IdentityModel.Tokens.X509SecurityTokenHandler.ValidateToken(SecurityToken token)
    at Microsoft.IdentityModel.Tokens.SecurityTokenElement.GetSubject()
    at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.GetOnBehalfOfPrincipal(RequestSecurityToken request, IClaimsPrincipal callerPrincipal)
    thx
    Stef71

    This is perfectly correct; in my case I was not adding the root properly. You must add the CA and the ADFS as well, which is twice; you can see my results below.
    In my case it was:
    PS C:\Users\administrator.domain> $root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\
    cer\SP2K10\ad0001.cer")
    PS C:\Users\administrator.domain> New-SPTrustedRootAuthority -Name "domain.ad0001" -Certificate $root
    Certificate                 : [Subject]
                                    CN=domain.AD0001CA, DC=domain, DC=com
                                  [Issuer]
                                    CN=domain.AD0001CA, DC=portal, DC=com
                                  [Serial Number]
                                    blablabla
                                  [Not Before]
                                    22/07/2014 11:32:05
                                  [Not After]
                                    22/07/2024 11:42:00
                                  [Thumbprint]
                                    blablabla
    Name                        : domain.ad0001
    TypeName                    : Microsoft.SharePoint.Administration.SPTrustedRootAuthority
    DisplayName                 : domain.ad0001
    Id                          : blablabla
    Status                      : Online
    Parent                      : SPTrustedRootAuthorityManager
    Version                     : 17164
    Properties                  : {}
    Farm                        : SPFarm Name=SharePoint_Config
    UpgradedPersistedProperties : {}
    PS C:\Users\administrator.domain> $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\cer\SP2K10\ADFS_Signing.cer")
    PS C:\Users\administrator.domain> New-SPTrustedRootAuthority -Name "Token Signing Cert" -Certificate $cert
    Certificate                 : [Subject]
                                    CN=ADFS Signing - adfs.domain
                                  [Issuer]
                                    CN=ADFS Signing - adfs.domain
                                  [Serial Number]
                                    blablabla
                                  [Not Before]
                                    23/07/2014 07:14:03
                                  [Not After]
                                    23/07/2015 07:14:03
                                  [Thumbprint]
                                    blablabla
    Name                        : Token Signing Cert
    TypeName                    : Microsoft.SharePoint.Administration.SPTrustedRootAuthority
    DisplayName                 : Token Signing Cert
    Id                          : blablabla
    Status                      : Online
    Parent                      : SPTrustedRootAuthorityManager
    Version                     : 17184
    Properties                  : {}
    Farm                        : SPFarm Name=SharePoint_Config
    UpgradedPersistedProperties : {}
    PS C:\Users\administrator.PORTAL>

  • How to set up two RADIUS servers: one is Windows NPS, the other is a Cisco RADIUS server

    How do I set up two RADIUS servers, one a Windows NPS and the other a Cisco RADIUS server?
    When I try the following commands, with the Windows server first in priority, and I type a Cisco RADIUS username, authentication fails.
    I cannot use both at the same time.
    radius-server host 192.168.1.3 is the Windows NPS
    radius-server host 192.168.1.1 is the Cisco RADIUS server
    http://blog.skufel.net/2012/06/how-to-integrating-cisco-devices-access-with-microsoft-npsradius/
    conf t
    no aaa authentication login default line
    no aaa authentication login local group radius
    no aaa authorization exec default group radius if-authenticated
    no aaa authorization network default group radius
    no aaa accounting connection default start-stop group radius
    aaa new-model
    aaa group server radius IAS
     server 192.168.1.1 auth-port 1812 acct-port 1813
     server 192.168.1.3 auth-port 1812 acct-port 1813
    aaa authentication login userAuthentication local group IAS
    aaa authorization exec userAuthorization local group IAS if-authenticated
    aaa authorization network userAuthorization local group IAS
    aaa accounting exec default start-stop group IAS
    aaa accounting system default start-stop group IAS
    aaa session-id common
    radius-server host 192.168.1.1 auth-port 1812 acct-port 1813
    radius-server host 192.168.1.2 auth-port 1812 acct-port 1813
    radius-server host 192.168.1.3 auth-port 1645 acct-port 1646
    radius-server host 192.168.1.3 auth-port 1812 acct-port 1813
    privilege exec level 1 show config
    ip radius source-interface Gi0/1
    line vty 0 4
     authorization exec userAuthorization
     login authentication userAuthentication
     transport input telnet
    line vty 5 15
     authorization exec userAuthorization
     login authentication userAuthentication
     transport input telnet
    end
    conf t
    aaa group server radius IAS
     server 192.168.1.3 auth-port 1812 acct-port 1813
     server 192.168.1.1 auth-port 1812 acct-port 1813
    end

    The first AAA server listed in your config will always be used unless/until it becomes unavailable. At that point the NAD would move down to the next AAA server defined on the list and use that one until it becomes unavailable and then move to third one, and so on. 
    If you want to use two AAA servers at the same time then you will need to put a load balancer in front of them. Then the virtual IP (vip) will be listed in the NADs vs the individual AAA servers' IPs. 
    I hope this helps!
    Thank you for rating helpful posts!
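
    Added example, not from this thread: a stdlib-only Python RADIUS client (RFC 2865, PAP) with two constructed stand-in servers on loopback, written to show the NAD behaviour the reply above describes. The first server in the group gets every request; an Access-Reject from it is a definitive answer, so a user who only exists on the second server is never tried there, and the group only moves down the list when a server stays silent through its retries. The shared secret, usernames, passwords and the loopback addresses standing in for 192.168.1.3 (NPS) and 192.168.1.1 (the Cisco server) are all constructed for the demo; the client also checks the Response Authenticator so a reply not signed with the shared secret is ignored.

```python
# Added example: a stdlib-only RADIUS (RFC 2865, PAP) client that walks an ordered server
# group the way a Cisco NAD does, plus constructed stand-in servers to run it against.
import hashlib, hmac, os, socket, struct, threading

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4  # RFC 2865 attribute types

def hide_password(data, secret, authenticator, unhide=False):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous ciphertext block)."""
    data = data + b"\x00" * (-len(data) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block, mask = data[i:i + 16], hashlib.md5(secret + prev).digest()
        out += bytes(x ^ m for x, m in zip(block, mask))
        prev = block if unhide else out[-16:]
    return out.rstrip(b"\x00") if unhide else out

def build_packet(code, ident, authenticator, attrs):
    """Code(1) Identifier(1) Length(2) Authenticator(16), then Type/Length/Value attributes."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def parse_packet(data):
    code, ident, length = struct.unpack("!BBH", data[:4])
    attrs, pos = {}, 20
    while pos + 2 <= length:
        n = data[pos + 1]
        if n < 2 or pos + n > length:
            raise ValueError("malformed attribute")
        attrs[data[pos]], pos = data[pos + 2:pos + n], pos + n
    return code, ident, data[4:20], attrs

def sign_response(code, ident, request_auth, attrs, secret):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    pkt = build_packet(code, ident, b"\x00" * 16, attrs)
    return pkt[:4] + hashlib.md5(pkt[:4] + request_auth + pkt[20:] + secret).digest() + pkt[20:]

def verify_response(data, request_auth, secret):
    """Drop replies not signed with our shared secret (spoofed, or from the wrong server)."""
    expected = hashlib.md5(data[:4] + request_auth + data[20:] + secret).digest()
    return hmac.compare_digest(expected, data[4:20])

def access_request(ident, user, password, secret):
    req_auth = os.urandom(16)  # fresh Request Authenticator for every request
    attrs = [(USER_NAME, user.encode()), (NAS_IP_ADDRESS, socket.inet_aton("127.0.0.1")),
             (USER_PASSWORD, hide_password(password.encode(), secret, req_auth))]
    return build_packet(ACCESS_REQUEST, ident, req_auth, attrs), req_auth

class FakeRadiusServer(threading.Thread):
    """Constructed stand-in for NPS or the Cisco server, each with its own user database."""
    def __init__(self, secret, users):
        super().__init__(daemon=True)
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        self.sock.bind(("127.0.0.1", 0))  # loopback only, ephemeral port
        self.addr, self.secret, self.users, self.requests = self.sock.getsockname(), secret, users, 0

    def run(self):
        while True:
            data, peer = self.sock.recvfrom(4096)
            self.requests += 1
            _, ident, req_auth, attrs = parse_packet(data)
            user = attrs.get(USER_NAME, b"").decode(errors="replace")
            password = hide_password(attrs.get(USER_PASSWORD, b""), self.secret, req_auth, unhide=True)
            code = ACCESS_ACCEPT if self.users.get(user) == password else ACCESS_REJECT
            self.sock.sendto(sign_response(code, ident, req_auth, [], self.secret), peer)

def authenticate(server_group, user, password, timeout=0.25, retries=2):
    """NAD behaviour: servers are tried in group order; any authenticated reply (Accept or
    Reject) is final, and only a server that stays silent through all retries is skipped."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        for ident, (host, port, secret) in enumerate(server_group, start=1):
            pkt, req_auth = access_request(ident, user, password, secret)
            for _ in range(retries):
                sock.sendto(pkt, (host, port))  # same packet and ID on retransmit
                try:
                    data, _ = sock.recvfrom(4096)
                except socket.timeout:
                    continue
                if len(data) >= 20 and data[1] == ident and verify_response(data, req_auth, secret):
                    return ("accept" if data[0] == ACCESS_ACCEPT else "reject"), (host, port)
    return "no-response", None  # whole group dead: IOS would fall to the next method in the list

def demo():
    secret = b"constructed-shared-secret"
    nps = FakeRadiusServer(secret, {"domainuser": b"Winter2014!"})  # stands in for 192.168.1.3
    cisco = FakeRadiusServer(secret, {"ciscouser": b"C1sco123"})    # stands in for 192.168.1.1
    nps.start(); cisco.start()
    hole = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    hole.bind(("127.0.0.1", 0))  # bound but never read: behaves like a server that is down
    group = [(*nps.addr, secret), (*cisco.addr, secret)]
    return {
        "domain_user": authenticate(group, "domainuser", "Winter2014!")[0],
        "cisco_user": authenticate(group, "ciscouser", "C1sco123")[0],  # NPS rejects: final
        "cisco_server_asked": cisco.requests,  # 0: the second server was never consulted
        "after_failover": authenticate([(*hole.getsockname(), secret), (*cisco.addr, secret)],
                                       "ciscouser", "C1sco123")[0],
    }
```

    Call demo() to see the four outcomes; point the same authenticate() at a real box with ("192.168.1.3", 1812, secret) to watch which server actually answers a given username. The practical consequence is that two servers holding different user lists cannot back each other up inside one server group: they must share a directory, one must proxy the other's users (NPS can forward requests to a remote RADIUS server group), or both sit behind a load balancer as the reply suggests. Note too that the User-Password hiding here is the RFC 2865 MD5 scheme, which only keeps the password off the wire in the clear; RADIUS traffic still belongs on a management network or inside RadSec.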
