Bridging a WPA2 Enterprise Radius Server (Lion Server) to Apple TV

Hello,
I was wondering if anyone can help me out with this setup that I have with Lion Server. Recently I set up my Airport Extreme to use Radius and bind it to my Lion Server for Authentication. Radius works with most of my devices, except for my ATV2 (which is in a different room from the Airport Extreme). As most of you may know, ATV2 doesn't support WPA2 Enterprise networks.
Ideally what I would like to do is have the Apple TV connect to my wireless network for all of my videos that are shared on a HD connected to my Lion Server. I was thinking about looking for a WPA2 enterprise wireless bridge with an Ethernet port so that I can connect the ATV to the bridge and have the bridge connect to my Airport Extreme. However, here is what I can not figure out. How can I get that bridge to authenticate to the Radius Server on Lion Server? From my understanding the Radius service on the Lion Server uses its own proprietary radius server to where I couldn't get the bridge to connect.
Please let me know your thoughts. If it helps, I have a 1st generation TC that I can place in the other room. However, I couldn't see any functionality in Airport Utility that would allow me to bridge that box to the WPA 2 Enterprise network.


Similar Messages

  • WPA2-Enterprise Radius Authentication Windows Server 2008 R2

    Hello,
    I have tried a few online tutorials for providing secure wireless access.  I currently have a server running Server 2008 R2 that has RRAS, NAP, and AD CS installed on it.  My goal is to create a wireless SSID that utilizes WPA2-Enterprise for users
    to connect.  Their AD credentials would need to belong to my "Wireless Users" group.  I have seen tutorials that involved certificates, and some tutorials that simply added the RADIUS clients along with the network/connection policies,
    and then added the settings to the router.  When I've tried both ways, the wireless network never connects to the network.  If I un-check the "Use Windows login credentials" a username/password field pops up.  I enter the credentials
    (tried both username and domain\username) of an account that is part of "Wireless Users".  When I hit OK it sits for a few moments, and then pops back up again.  When I do check "Use Windows login credentials" it says it can't
    connect.
    I have tried different firmware on the router, and I know the router is not the issue.  This server is joined to my domain controller.  It feels like the NAP server is not reaching the domain to authenticate credentials.  Am I doing anything
    wrong that I should be made aware of?  In NAP if I right click the server, the "register in active directory" is greyed out, which I assume is because it's already joined to the domain.
    I appreciate any help you can provide.
    -Ken

    I've searched in "Event Viewer" on the NPS server, and came across an interesting error.  I have Google'd the error, and there are only a select few articles about it.  If I try to connect, often times I will get two information events:
    Event ID 4400 "A LDAP connection with domain controller DC-VPN-IIS-01.dc.cooper.org for domain COOPER is established."
    And now...the issue
    Event ID 6273
    Network Policy Server denied access to a user.
    Contact the Network Policy Server administrator for more information.
    User:
    Security ID: COOPER\LAPTOP3-W7$
    Account Name: host/laptop3-w7.dc.cooper.org
    Account Domain: COOPER
    Fully Qualified Account Name: COOPER\LAPTOP3-W7$
    Client Machine:
    Security ID: NULL SID
    Account Name: -
    Fully Qualified Account Name: -
    OS-Version: -
    Called Station Identifier: c0c1c074bfb6
    Calling Station Identifier: 00216a902b70
    NAS:
    NAS IPv4 Address: 172.16.4.2
    NAS IPv6 Address: -
    NAS Identifier: c0c1c074bfb6
    NAS Port-Type: Wireless - IEEE 802.11
    NAS Port: 11
    RADIUS Client:
    Client Friendly Name: CiscoAP
    Client IP Address: 172.16.4.2
    Authentication Details:
    Connection Request Policy Name: Use Windows authentication for all users
    Network Policy Name: Connections to other access servers
    Authentication Provider: Windows
    Authentication Server: dc-vpn-iis-01.dc.cooper.org
    Authentication Type: EAP
    EAP Type: -
    Account Session Identifier: -
    Logging Results: Accounting information was written to the local log file.
    Reason Code: 65
    Reason: The Network Access Permission setting in the dial-in properties of the user account in Active Directory is set to Deny access to the user. To change the Network Access Permission setting to either Allow access or Control access through NPS Network Policy, obtain the properties of the user account in Active Directory Users and Computers, click the Dial-in tab, and change Network Access Permission.
    Clearly, when I try to connect, it's completely bypassing the network policy I created, but going to the "Connections to other access servers", which by default denies access.  I've tried everything....removed and re-added the security policy...added
    2 network policies for wireless.  Does anyone know why the network policy I create for wireless is not being recognized?
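A triage helper for the Event ID 6273 text quoted in the post above, added here as an example (it is not from the thread). It splits the event into its sections and reports which identity authenticated and which network policy matched; the names `parse_nps_event` and `triage` are hypothetical, and the sample text is abridged from the post.

```python
import re

# Abridged from the Event ID 6273 record quoted in the post above.
SAMPLE_EVENT = """\
Network Policy Server denied access to a user.
User:
Security ID: COOPER\\LAPTOP3-W7$
Account Name: host/laptop3-w7.dc.cooper.org
Account Domain: COOPER
Client Machine:
Security ID: NULL SID
Account Name: -
Calling Station Identifier: 00216a902b70
NAS:
NAS IPv4 Address: 172.16.4.2
NAS Port-Type: Wireless - IEEE 802.11
RADIUS Client:
Client Friendly Name: CiscoAP
Client IP Address: 172.16.4.2
Authentication Details:
Connection Request Policy Name: Use Windows authentication for all users
Network Policy Name: Connections to other access servers
Authentication Type: EAP
EAP Type: -
Reason Code: 65
Reason: The Network Access Permission setting in the dial-in properties of the user account in Active Directory is set to Deny access to the user.
"""

# The built-in catch-all policy named in the post; extend for your own server.
DEFAULT_POLICIES = {"Connections to other access servers"}

SECTION_RE = re.compile(r"^([A-Za-z][A-Za-z ]*):\s*$")  # e.g. "User:"
FIELD_RE = re.compile(r"^([^:]+):\s*(.*)$")             # e.g. "Reason Code: 65"


def parse_nps_event(text):
    """Return {section: {field: value}}; a value of "-" becomes None.

    "Account Name" occurs under both "User" and "Client Machine", so the
    fields are kept per section instead of in one flat dict.
    """
    event, section = {}, "Header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = SECTION_RE.match(line)
        if match:
            section = match.group(1)
            event.setdefault(section, {})
            continue
        match = FIELD_RE.match(line)
        if match:
            value = match.group(2).strip()
            event.setdefault(section, {})[match.group(1).strip()] = (
                None if value == "-" else value
            )
    return event


def triage(event):
    """Return (code, message) findings for a denied-access event."""
    findings = []
    user = event.get("User", {})
    auth = event.get("Authentication Details", {})
    sid = user.get("Security ID") or ""
    name = user.get("Account Name") or ""
    if sid.endswith("$") or name.lower().startswith("host/"):
        findings.append(("machine-identity",
                         f"{sid or name} is a computer account, so a policy "
                         "condition on a user group cannot match it"))
    policy = auth.get("Network Policy Name")
    if policy in DEFAULT_POLICIES:
        findings.append(("default-policy",
                         f"request fell through to '{policy}'; no custom "
                         "policy's conditions matched this request"))
    if auth.get("Authentication Type") == "EAP" and auth.get("EAP Type") is None:
        findings.append(("no-eap-method",
                         "no EAP method is recorded in the event"))
    if auth.get("Reason Code") == "65":
        findings.append(("reason-65",
                         "network access permission resolved to Deny for "
                         "the policy that matched"))
    return findings


if __name__ == "__main__":
    for code, message in triage(parse_nps_event(SAMPLE_EVENT)):
        print(f"{code}: {message}")
```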

  • Safari 5.1.2 not updating on SUS (Software Update Server) (Lion Server 10.7)

    If you see the screenshot attached, you can see that the Software Update Server has downloaded Safari 5.1.2
    However, the clients connecting to this software update server have Safari 5.1.1 and when I check for updates it does not detect that the update for 5.1.2 is available.
    When I click on Choose Version, it shows two versions of 5.1.2, but I'm unable to choose the other version of 5.1.2 to see if it works. (see 2nd screenshot)
    Any ideas what I'm doing wrong and how to fix?
    Thanks in advance for any advice.
    Rishi

    I just noticed another thread that appears to have the answer to my question above.
    https://discussions.apple.com/message/16925138#16925138

  • Cisco 1140AP using WPA2-enterprise with radius

    All,
    I am trying to configure an 1140 AP to use WPA2-enterprise & radius. Ultimately I want to be able to connect to the SSID using my active directory credentials. I would like the AP to send authentication requests to our Network Policy Server. Here is a copy of the config; any help is appreciated.
    version 12.4
    no service pad
    aaa new-model
    aaa group server radius rad_eap
    server 172.16.16.101 auth-port 1812 acct-port 1813
    aaa group server radius rad_mac
    aaa group server radius rad_acct
    aaa group server radius rad_admin
    aaa group server tacacs+ tac_admin
    aaa group server radius rad_pmip
    aaa group server radius dummy
    aaa group server radius rad_eap1
    aaa authentication login myLogin local
    aaa authentication login eap_methods group rad_eap
    aaa authentication login mac_methods local
    aaa authentication dot1x rad_eap group radius
    aaa authorization exec default local
    aaa accounting network acct_methods start-stop group rad_acct
    aaa session-id common
    dot11 syslog
    dot11 ssid ITWireless
       authentication open eap rad_eap
       authentication key-management wpa version 2
       guest-mode
    username admin password 7 XXXXXXXXXXXXXXXXXXXXX
    bridge irb
    interface Dot11Radio0
    no ip address
    no ip route-cache
    encryption mode ciphers aes-ccm
    ssid ITWireless
    antenna gain 0
    interface Dot11Radio1
    no ip address
    no ip route-cache
    encryption mode ciphers aes-ccm
    ssid ITWireless
    interface BVI1
    ip address 172.16.42.21 255.255.0.0
    no ip route-cache
    ip default-gateway 172.16.16.198
    ip http server
    no ip http secure-server
    ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
    ip radius source-interface BVI1
    radius-server attribute 32 include-in-access-req format %h
    radius-server host 172.16.16.101 auth-port 1812 acct-port 1813 key 7 1427321938572903
    radius-server vsa send accounting
    bridge 1 route ip

    I did see those screenshots however that settings screen comes from selecting the Configure button next to the Authentication Method in the User Authentication section under Users.  In each of your screenshots, the RADIUS Server ID number is 1 so I would also ensure that I've configured RADIUS Server ID 1 which can only be configured by going to Users -> RADIUS Servers.
    All that said, I did see that your tests succeeded and I also don't understand the point of having RADIUS settings on the other screens and then having RADIUS ID info.  My thinking is that you would be able to configure RADIUS once in the Users -> RADIUS Servers screen and then select the RADIUS Server ID in all the remaining screens without having to enter the RADIUS info over and over again.  I would also think that you could skip the Users -> RADIUS Server screen and enter the RADIUS information over and over again and it should work...just like you set it up originally.  However, based on past experience of programmatic errors, I would recommend configuring the RADIUS Server ID 1 under Users -> RADIUS Servers if you haven't already...just in case.
    Shawn Eftink
    CCNA/CCDA
    Please rate all helpful posts and mark correct answers to assist others searching for solutions in the community.

  • I suddenly cannot add/edit users or groups!!! (Lion Server)

    I suddenly cannot add/edit users or groups!!! (Lion Server)
    On the latest Mac Mini Server Lion 10.7.2
    Everything was working fine at first, I'm pretty sure either since I've upgraded to 10.7.2 or since we try to connect Windows8 to the server, Lion Server is not working too good anymore, from that time I cannot add/edit users or groups & assign any users to any groups, the + sign looks disabled, and everything seems pretty glitchy. The other thing I have noticed is that a huge amount of Users & Groups has been added without my consent.
    Do I have to ReInstall Lion Server??
    Why do I have all these random Users & Groups listed? (see screenshot)

    I had the same issue.  I opened the Workgroup Manager application and noticed the message "not authenticated as diradmin to directory: /LDAPv3/127.0.0.1" was under the icon bar at the top of the popup screen.  When I clicked on that bar I entered the diradmin username and my password.  After I exited the authentication dialogue box the message now read "Authenticated as diradmin to directory: /LDAPv3/127.0.0.1."
    At that point I had full privileges in both the Workgroup Manager and Server App to create users and groups.
    Not sure if this is why the problem occurred in the first place but at least I resolved it without any major problems.

  • WPA2-Enterprise + EAP (PEAP) and 802.1x to authenticate to RADIUS server NPS

    I need to connect my iPhone and my iPad to the corporate wireless network using WPA2-Enterprise and 802.1x to authenticate against a RADIUS server with my corporate user. What is the procedure to configure the clients? Certificates are not necessary on the client. Radius server is a NPS of Microsoft and the WLC is a 5508 of Cisco.
    thanks !!!

    WPA and WPA2 are all actually interim protocols that are used until the standardization of IEEE 802.11i standard. Wi-Fi Alliance decided that ratification and standardization of 802.11i standards will take more time. So, they came up with WPA.
    Now, WPA2 is advanced version of WPA. WPA2 uses AES as encryption algorithm. Whereas, WPA use TKIP as encryption mode which in turn uses RC4 encryption algorithm.
    WPA and WPA2 are actually of 2 types respectively.
    WPA/WPA2-PSK - This is mainly for small offices. This uses Pre-Shared Key for authentication.
    WPA/WPA2-Enterprise - This uses a RADIUS Server for authentication. This is an extension to 802.1x authentication. But this uses stronger encryption scheme (WPA uses RC4 and WPA2 uses AES).
    Any authentication mechanism that involves a separate authentication server for authentication like ACS server is called 802.1x authentication.
    EAP stands for Extensible Authentication Protocol. It refers to the type or method of 802.1x Authentication by the RADIUS/Tacacs server. A RADIUS server can authenticate a wireless client with various EAP methods.
    LEAP is one type of EAP. It uses username and password for authenticating wireless clients. LEAP is Cisco proprietary.
    There are also EAP types which use other user credentials like Certificates, SIM etc for authentication.
    The following document might clarify your doubts.
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_q_and_a_item09186a00805e8297.shtml

  • Can I use Lion server to set-up a WPA2 wireless network in place of an AEBS?

    I'm contemplating replacing my Airport Extreme Base Station with my Core i5 Mac mini as the wireless network server, because this will get rid of a "box" (that I can sell!) and reduce power consumption, since my iMac is on all the time as my iTunes media source anyway. At present my AEBS creates a WPA2 LAN network connected in bridge mode to my Billion modem/router, so DHCP serving is performed by the Billion router. I could replace the AEBS with the Mac mini running Lion simply by using internet sharing, but this has low security (WEP) and I understand there are often connection problems when clients awake from sleep. (Furthermore, my Airport Extreme at the back of the house probably wouldn't connect to that WEP network?)
    So, I wonder.... If I upgraded to Lion Server (only $49), can I set-up the Mac mini as the WPA2 network host in place of the AEBS? My mini is right next to the AEBS anyway, so it's in a suitable position to distribute the radio signal. As I understand it, the Lion Server software would need to allow the Mac mini to connect to the Billion router via ethernet in bridge mode - just like the AEBS, but I can't find any info that tells me whether this is possible.
    Does anyone know if what I want to do is possible? A simple solution may be to turn off the DHCP server functions of my Billion router, letting Lion Server become the DHCP server, but I don't think that's possible. I also don't want to replace the Billion with a simple modem because my Billion router provides VoIP for my home phone (and has done so reliably since 2005).
    Of course, if it's all too hard, I'll leave things as they are, because I don't have any need for the other Server functions of Lion Server.
    thanks

    Hello Chris,
    chrisfromnewtwon wrote:
    So, I wonder.... If I upgraded to Lion Server (only $49), can I set-up the Mac mini as the WPA2 network host in place of the AEBS?
    I don't know. I'm also looking for the same function because I want to
    make my iMac running Lion the router and the firewall of my personal
    wireless network. The key advantage will be to have the firewall, its rules
    and its logging on the same server.
    What I already know is that turning the Internet sharing on turns a
    MacOS X Lion into a DHCP server on the wireless side.
    dan

  • Using Lion Server Radius for authenticating "other" clients

    Hi, I've been trying to get the Radius service in Lion Server to authenticate users of my SQUID web proxy. I have followed the squid wiki's instructions to configure the squid server as a radius client and pass authentication requests to the Lion Server Radius (I hope). However I'm trying to configure and test the Lion Server Radius. As Lion's Server Admin GUI for radius only lets you add Airport Basestations, I've been trying to dig around for what underlying config files to edit.  I have tried 2 methods of adding the client details to radius:
    1. By editing the /etc/raddb/client.conf, and adding/changing (for example):
    client localhost {
         secret     = mysecretpassphrase
    }
    client 192.168.0.0/24 {
         secret              = mysecretpassphrase
         shortname       = local-lan-clients
    }
    and restarting squid. Nothing seems to get mentioned in the radius log file! So I'm not completely convinced that the Lion Radius took any notice of this!
    2. Instead of above, added the same client info using radiusconfig:
    $ sudo radiusconfig -addclient 192.168.0.0/24 local-lan-clients other <return>
    - then it prompts for the secret. With this command I notice the entry/event is recognised in the radius log file, and also looks like some SQL activity. If I don't specify "other" for the nas-type, it defaults to "Airport Base Station" or similar.
    OK, so forgetting about SQUID for a minute, I can't even get that far as I'm just trying to test the config using the "radclient" utility from the Lion Server and the squid server:
    $ sudo radclient localhost auth mysecretpassphrase <return>
    and... no response, just hangs, nothing in radius log either.
    The Lion Firewall allows TCP and UDP requests into the Radius authentication port.
    Any ideas what else I need to do? Scratching my head, I'm wondering if it is anything to do with SSL? e.g. do I need to make the authentication using the self-signed certificate that Open Directory has? I presume any Airport Base Stations added to radius will use this certificate to establish a secure connection for authentication.

    The RADIUS server in OS X Server is a standard FreeRADIUS implementation with Apple's own custom GUI frontend for configuring it and which only allows adding AirPort base-stations. In Mountain Lion Server it is even limited to a specific configuration for the AirPort base-station.
    However if you follow the normal command-line instructions and steps for configuring FreeRADIUS then it will be possible to add any type of RADIUS client.
    While as far as I can see by manually configuring the FreeRADIUS server in OS X Server should enable you to do what you want, most people choose to configure Squid to use either a PAM or the LDAP modules for Squid to in this case authenticate directly to Open Directory (which is of course based on LDAP).
    I myself have used a PAM in the past with Squid to successfully configure Squid to authenticate users via Open Directory. I was even able to specify an Open Directory group and only allow members of that group access via the Squid Proxy Server. I then went a bit OTT and set up another open-source tool (which was discontinued and I had to fix to get working) to process the Squid logs and store them in MySQL, and then setup FileMaker Pro to connect to the MySQL database via ODBC to allow producing reports.
    Unfortunately the AFP548 website had a major redesign a while ago and many previous technical articles on it are now hard to find. I had used two articles on that site to guide me through setting up Squid and the PAM on a Mac server. I believe the two articles I used are the ones listed below.
    http://afp548.com/2004/09/08/using-os-x-open-directory-to-authenticate-squid-proxy-server/
    http://afp548.com/2004/12/13/squid-server-using-ldap-authentication/
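What a PAP test request looks like on the wire, and where the shared secret entered for a RADIUS client is used (RFC 2865, sections 3 and 5.2). This is an added example, not code from the thread or from FreeRADIUS; the function names and the user name and password are constructed, and only the secret string is taken from the post.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD = 1, 2


def _xor_blocks(data, secret, authenticator):
    """Yield (input_block, output_block) for the RFC 2865 5.2 MD5 chain."""
    prev = authenticator
    for i in range(0, len(data), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = data[i:i + 16]
        out = bytes(a ^ b for a, b in zip(block, mask))
        yield block, out
        # The chain always continues from the ciphertext block.
        prev = out if len(prev) and data is _xor_blocks.hiding else block


def hide_password(password, secret, authenticator):
    """Client side: pad to 16 bytes and XOR with MD5(secret + previous)."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    _xor_blocks.hiding = padded
    return b"".join(out for _, out in _xor_blocks(padded, secret, authenticator))


def unhide_password(hidden, secret, authenticator):
    """Server side: the same chain, keyed by the server's copy of the secret."""
    _xor_blocks.hiding = None
    plain = b"".join(out for _, out in _xor_blocks(hidden, secret, authenticator))
    return plain.rstrip(b"\x00")


def _attr(attr_type, value):
    return bytes([attr_type, len(value) + 2]) + value


def build_access_request(identifier, user, password, secret, authenticator=None):
    """Access-Request with User-Name and a hidden User-Password."""
    authenticator = authenticator or os.urandom(16)
    attrs = _attr(USER_NAME, user) + _attr(
        USER_PASSWORD, hide_password(password, secret, authenticator))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_packet(packet):
    """Return (code, identifier, authenticator, {attr_type: value})."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("bad attribute length")
        attrs[packet[pos]] = packet[pos + 2:pos + packet[pos + 1]]
        pos += packet[pos + 1]
    return code, identifier, packet[4:20], attrs


def build_reply(code, identifier, request_authenticator, secret, attrs=b""):
    """Server side: Response Authenticator = MD5(header+ReqAuth+attrs+secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    digest = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + digest + attrs


def reply_is_authentic(reply, request_authenticator, secret):
    """Client side: recompute the Response Authenticator with our secret."""
    length = struct.unpack("!H", reply[2:4])[0]
    expected = hashlib.md5(
        reply[:4] + request_authenticator + reply[20:length] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])


if __name__ == "__main__":
    secret = b"mysecretpassphrase"          # secret string from the post
    req = build_access_request(1, b"testuser", b"constructed-password", secret)
    _, ident, req_auth, attrs = parse_packet(req)
    print("server with same secret sees:",
          unhide_password(attrs[USER_PASSWORD], secret, req_auth))
    print("server with other secret sees:",
          unhide_password(attrs[USER_PASSWORD], b"other", req_auth))
    reply = build_reply(ACCESS_ACCEPT, ident, req_auth, secret)
    print("reply verifies:", reply_is_authentic(reply, req_auth, secret))
```

radclient itself reads the attribute list (for example User-Name and User-Password) from standard input, or from a file given with -f, before it sends anything.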

  • Using root bridge as a fallback radius server for WPA and EAP

    From reading the different documentation out there, it seems that one should be able to configure a root bridge as a fallback radius server in case a primary radius server were to be unreachable. Has anyone encountered this situation? And could they share the steps and configuration statements to apply the bridges (1310 or 1410) in order to make this happen?
    Many Thanks and Regards,
    Giles -

    Yes, you have to first configure a root bridge as a fallback radius server in case a primary radius server were to be unreachable

  • WPA2 and Radius server configuration

    On the page: http://cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008054339e.shtml
    is described how to setup a WPA2 and Radius server.
    If I follow this, the Radius server does not work. In the document they describe that I need to use 10.0.0.1 as the IP, but my AP has a 192.168.1.251 address. Even if I enter that address, or the 10.0.0.1, it does not work.
    Normal WPA2 personal, without Radius does work.
    I use a 1100 series AP, (AIR-AP1120B-E-K9) with a AIR-MP21G and the firmware of the radio module is 5.90.11.
    The IOS version is 12.3(8)JA2.
    Does anyone know what to do?
    Haik

    Hello,
    I understand that. I have given the AP a fixed address, 192.168.1.251. This is outside the DHCP pool, from the router.
    Even if I use this address in the Radius configuration, it still does not work. My client (laptop with Intel Pro Wireless 2200 card), detects that there is a Radius server, and asks for a username / password.
    But even if I fill it in correctly (copy / paste) it does not work.
    So what can be wrong with this configuration?
    Haik

  • Airport Express bridge mode over WPA2 Enterprise?

    I have an Airport Extreme running WPA2 Enterprise with RADIUS on a Snow Leopard Server. Is it possible to have the Express join the WPA2 Enterprise network as an ethernet bridge? I can't seem to set it up. Something tells me this only works with WPA2 Personal?

    When you set up the APExtreme through Server Admin, it takes care of all the secret passwords and what-have-you. I did some digging on Apple's site, and it looks like the APExpress can only act as a bridge on WPA2 Personal networks and below. No worries; I am just temporarily running an engineer's SIP phone over wireless, so I brought an old Buffalo router I had kicking around at home into the office; set it up as a WPA2 Personal access point, and have him running off of that with the APExpress as the bridge. This is just a stopgap until I can get him a proper ethernet drop. Thanks for the help regardless.

  • Radius setup of Server 3.1.2 and Airport Extreme

    I'm using an Airport Extreme and Mavericks Server 3.1.2. I've enabled the Radius setting "Require user name and password login over Wi-Fi" in the Server application, and the wireless mode is showing use WPA2 Enterprise, and the Configure Radius button is pointing to my Open Directory master at the right IP address. However, my wireless clients can still access the wireless network using a passphrase. No one has to login using credentials.
    Any ideas on what's gone wrong?
    One - I posted a similar message in the Airport Extreme thread not knowing which was right.
    Two - I've seen many threads that deal with Radius on different access points, but none targeting this type of issue. Those have referenced creating a com.apple.radius SACL but does that apply here; since I'm using an Apple Airport Extreme?
    Thanks in advance.

    You know, it is funny.  Your post has made me realize that I have never done a multiple Airport setup on RADIUS.  Usually, I will do one Airport and a SonicWall or a bunch of third party access points that allow you to define the shared secret.
    So, I am not sure you can use -addclient on Airports that are configured in WDS. I simply have been lucky enough never to run across this requirement.  I suspect you may need to run the:
    sudo radiusconfig --capture-base-station <airport> <server>
    Then run the -addclient.
    Strange that I have not run across this.  But I am guessing the reason is that ever since Apple dropped the PoE Airport, we have found alternative products.  Only small installations (one base station) are using Apple's wireless tech.
    Reid
    Apple Consultants Network
    Apple Professional Services
    Author "Mavericks Server – Foundation Services" :: Exclusively available in the Apple iBooks Store

  • LION SERVER - DO NOT UPGRADE - NO APPLE SUPPORT

    I run a small independent business and use OS-X Server to support both my company and my family.  I had participated in the beta testing as part of the developer program (at my own expense) and filed my bugs and stayed quiet as I was supposed to do.  When Lion was finally released this week, I again did everything I was supposed to do - I made a complete back image of my SL server, I followed all of the instructions and preparations.  I knew what issues to expect from my testing.  Everything should be good, right?
    NO.  The final build behaved in a completely unpredictable way.  I even had to restore from back up and install again.  After hours of fighting the server.app tool I finally got mail back up for my users.  That's the only service that runs.  All web based services are down.  iCal services are down.
    I fought this for hours last night, finally giving up at about 1 AM.  I scheduled an express lane call with Apple at 9:15 this morning.  The people I talked to would and could do nothing except ask me to run the EDC and call back at some time next week, maybe engineering would have an answer then.  They would not even help me in trying to decode some of the cryptic console messages.  Nothing.
    What makes this even worse is that Apple robbed me of all of the tools to try and troubleshoot the system myself and affect the configuration.  All web, ical, and address book tools are gone from Server Admin.  This despite months of devforums posts begging Server Foundations for them.  I can't alter the files manually because Lion automatically rewrites them on reboot or even opening server.app.
    What am I left with?  A useless server that I can't administer.
    What's Apple Support's recommendation after being on the phone and trying to get someone to do anything other than blow me off:  Pay them for a $799 enterprise support ticket.  Seems they are an enterprise company finally - Forget the user unless they have an enterprise level bank account.
    So finally, here's my technical issue:
    7/23/11 9:16:23.496 AM org.apache.httpd: httpd: Syntax error on line 156 of /private/etc/apache2/httpd.conf: Cannot load /usr/libexec/apache2/mod_auth_user_host_apple.so into server: dlopen(/usr/libexec/apache2/mod_auth_user_host_apple.so, 10): Library not loaded: /usr/lib/libproxyauth.dylib\n  Referenced from: /usr/libexec/apache2/mod_auth_user_host_apple.so\n  Reason: image not found
    I have seen other users have this issue.  Anyone know what options I need to use to recompile everything for apache?  Anyway to hack lion to add the web tool back to server admin?
    I have seen other users in my internet searches

    Ok so this is the best forum.
    This is specifically to anyone at apple from an enterprise mac admin
    osx server 10.6 is amazing.  It is the closest thing to a truly awesome server software package.
    osx -server 10.7 is about 20 thousand steps back.  I updated two of my dev servers and absolutely struggled for two days with zero success.
    it started going down hill right when I found out that you can no longer get media. Needs to be downloaded and installed via app store.  Insanity! What motivated that decision.  question? what happens when I need to reinstall software on a corporate network with proxy servers between you and internet?  That little recovery partition is smart until you go to restore a server and you realize that you can't because that boot partition is not configured to get through your proxy servers.  So now you're stuck unless you had the foresight to copy the installer from the app store.
    ok so you go to install the software and it goes well. (heads up:  that is the last time I'm saying that) Server boots up in a record five minutes (what). You log in and are instantly lost with the server.app.  Couldn't find a thing, I saw this menu that had everything but what I was looking for.  so after hunting around, then I found out that I needed to download the server admin tools.  so after I find, download and install the tools, I connect to the server and notice some things are missing, like afp, smb, nfs, etc.  Netboot is off and pointed a different disk, open directory is off.  What happened?  So I'm upset that I now have to reconfigure my services. so I start out with directory services.  I recreate my OD master and restore my directory, but when I go to create my replica, I hit yet another snag. I am now getting an error message telling me that I can't create a replica because I am using the wrong account. nope I'm using the directory admin account that I just created.  long story, short I had to roll back to osx-server to 10.6.
    now after reading a ton of post and articles and found out that you have dumbed everything down so much that the server is useless.
    Why have all of the tools that enterprise use, removed? I found that I have lost functionality.
    have any other admins experienced osx server 10.7?

  • A stable, fast reliable VNC connection to Lion or Lion server

    I hope this post helps people with VNC setup from non Mac machines to a Mac running Lion or Lion Server 10.7.4.
    Apple has changed quite a few things in Lion regarding VNC and screen sharing. As a consequence many VNC viewers are no longer compatible until the VNC software is upgraded to be Lion compatible. You will find many posts about this topic in this forum, eg
    https://discussions.apple.com/thread/3289794?start=0&tstart=0
    Often, the result is that  the user can't proceed beyond the gray login screen (screen locks up etc).
    This post describes how to configure RealVNC's VNC server on Lion Server 10.7.4 to work in conjunction! with ARD (thus allowing you to keep screen sharing enabled and still use ARD from client if that is desired)
    Download the VNC server at (Version 5! necessary)
    http://www.realvnc.com/download/vnc/latest/
    and install the VNC server on the host (the computer you want to login to via VNC)
    Single User Host setup
    ==================
    - Install the VNC server and follow the instructions
    (If your Mac is configured for remote management, screen sharing, remote apple events the installation may complete with error stating to contact the manufacturer....ignore the error as it is most likely caused by a port conflict because VNC server and ARD (or Apple screen sharing) both use port 5900 per default; the software was still completely and correctly installed.)
    - start VNC Server by opening Finder -> Applications -> Real VNC -> VNC Server (User Mode)
    You will see a small VNC icon in the top task bar of the screen.
    (if you open the "information Center" the issues tab will show a port 5900 conflict)
    - open VNCserver Options and select the connections tab:
    +Change the default port from 5900 to 5901 and serve Java viewer on Port from 5800 to 5801
    + Change Authentication to "Mac password"
    + Select Encryption "always on"
    - Select the expert tab
    +scroll down to the bottom of the list and change "StopUserModeOnSwitchOut" to "no"
    (this settings prevents the VNC server to be stopped automatically if you have Fast Switching User Mode enabled on the host.)
    - select "Apply"
    (now if you open the Information Center" again, the port conflict problem should be solved.
    - select "open" from the VNC server menu:
    If the configuration was succesful, thw window will show a check mark in a green box stating everything is ok.
    - In addition you will find the address that the client user will need to connect to the VNC server on the host
    it will say something like "VNC viewer user can connect using the address 192.168.x.y:1"
    Note: If you start several VNC servers, each session will need a dedicated port (like 5902, 5903 etc)
    Router/Firewall Settings:
    ===================
    Depending on the router/firewall you use your ports may have been automatically configured for you (airPort extreme for example).
    You need to open port 5901 and 5801 and forward these ports to the IP address of the host. If ARD was already working in your setup, you can copy the port configuration for ports 5900, 3283 and 3306 that are used by ARD and implement the same rules for the new port used by VNC 5901.
    Review the settings of your firewall/router.
    VNC client
    ========
    - download the VNC client for your OS from
    http://www.realvnc.com/download/viewer/
    and follow the install instructions.
    - Start the VNC client on your client PC (Windows for example) and enter the address that the VNC server reported to you earlier (192.168.x.y:1)
    - Encryption : "Let VNC Server choose"
    - select "connect"
    - enter your Mac username and password that was setup on your host
    you are now connected via VNC to your host.
    You can also configure the VNC server to allow other users to login to the same! VNC session using their user credentials (friends/family or serverAdmins that want to share access to the host)
    To do this open the options dialog box on the VNC server host computer and select "configure" next to authentication.
    - add the users that are supposed to get access to your VNC session using their own credentials. (make sure this is what you really want, otherwise read on in the multi user section of this post)
    Multi User Host Setup
    =================
    If multiple users are supposed to access the host computer using their own credentials logging into their own! desktop, follow these instructions:
    - first enable Fast User Switching on your host computer by going to
    System preferences -> User/Groups -> Login Options and select the check box  "show fast user switching menu as..."
    - For each user on the host that should be reached via a VNC session start VNC server (user) as described before and assign a new port number to the new user like 5902 etc.
    - repeat the configuration outlined above for each user (eg. "StopUserModeOnSwitchOut" to "no")
    (note: initially, when you start the VNC server for the first time again, you will get notified that a port conflict exists again....this disappears as soon as the new port is configured)
    now another user can login via VNC into his own desktop using the server address: "192.168.x.y:2"
    Final notes:
    =========
    I spent hours trying to get a variety of VNC viewers to work with the new screen sharing/VNC implementation in Lion and finally gave up. I called Apple Enterprise support and they confirmed that "a majority of the existing VNC products are not compatible with the new VNC implementation in Lion yet and that Apple recommends ARD". The discussion on what other non Mac users (Windows, Linux) should do did not go anywhere....
    I have tested the above configuration with the free version VNC server 5 on the host and the free version VNC viewer 5 on a client. It worked flawlessly, fast, reproducible and very stable. You need to be aware that depending on the features you want (number of desktops, users etc) that you may have to purchase the personal or enterprise edition for the server.
    The features are described here:
    http://www.realvnc.com/products/vnc/
    I personally installed the enterprise edition after I verified that the free editions worked stable and reliably as I needed them to work.
    I hope you now have a stable VNC link into your Lion host from the platform of your choice!

    I'm using the free VNC edition from RealVNC on Mt. Lion (10.8.5) and the basic information in this article for Lion is confirmed for the VNC Server 5.0.6 (r113416) on Mt. Lion.
    The main Options... window shows the Connections tab and I just changed my port to something other than 5900 and the port conflict went away.
    The Free edition does not allow Mac password and encryption can't be enabled. (Ya gotta pay for that.)
    Connected to it from my iPod Touch using Mocha VNC with no problems.
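
The post sets encryption to "always on" and the reply notes that the Free edition cannot enable it, so it helps to check what a server on the forwarded port actually offers. The following is an added example, not code from either poster or from RealVNC: it parses the RFB handshake defined in RFC 6143 and names the two standard security types that leave the session unencrypted. The function names and the sample bytes are constructed for this illustration.

```python
import socket
import struct

# RFC 6143 specifies types 1 and 2; neither encrypts the session.
# Any other number is vendor-registered and must be checked in vendor docs.
PLAINTEXT_TYPES = {1: "None", 2: "VNC Authentication"}

def parse_version(greeting):
    """Return (major, minor) from the 12-byte ProtocolVersion message."""
    if len(greeting) != 12 or greeting[:4] != b"RFB " or greeting[11:] != b"\n":
        raise ValueError("not an RFB ProtocolVersion message")
    return int(greeting[4:7]), int(greeting[8:11])

def parse_security_offer(version, payload):
    """Return the security-type numbers offered under the agreed version."""
    if version < (3, 7):
        # RFB 3.3: the server dictates one type as a big-endian 32-bit value.
        if len(payload) < 4:
            raise ValueError("truncated security type")
        return [struct.unpack(">I", payload[:4])[0]]
    # RFB 3.7 and 3.8: a count byte, then that many one-byte type numbers.
    if not payload or payload[0] == 0 or len(payload) < 1 + payload[0]:
        raise ValueError("connection refused by server, or short type list")
    return list(payload[1:1 + payload[0]])

def plaintext_types(types):
    """Names of offered types that leave the session unencrypted."""
    return [PLAINTEXT_TYPES[t] for t in types if t in PLAINTEXT_TYPES]

def probe(host, display, timeout=5.0):
    """Query a live server on display :N, which listens on TCP 5900+N."""
    with socket.create_connection((host, 5900 + display), timeout=timeout) as s:
        f = s.makefile("rb")
        server = parse_version(f.read(12))
        # Reply with the highest standard version not above the server's.
        ours = (3, 8) if server >= (3, 8) else (3, 7) if server == (3, 7) else (3, 3)
        s.sendall(b"RFB %03d.%03d\n" % ours)
        head = f.read(4 if ours == (3, 3) else 1)
        more = f.read(head[0]) if ours != (3, 3) and head else b""
        return ours, parse_security_offer(ours, head + more)

# Constructed sample: a server greeting, then an offer of two types (2 and 5).
SAMPLE_GREETING = b"RFB 003.008\n"
SAMPLE_OFFER = b"\x02\x02\x05"

if __name__ == "__main__":
    version = parse_version(SAMPLE_GREETING)
    offered = parse_security_offer(version, SAMPLE_OFFER)
    print(version, offered, plaintext_types(offered))
```

An empty list from `plaintext_types` only means that no standard unencrypted type was offered; whether the remaining vendor types encrypt the session has to be confirmed in the server's own options.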

  • Lion Server setup & Time Capsule

    Greetings,
    I am new to lion server so please bear with me. Some of my questions may seem dumb to some of you. But to me the only dumb question is one not asked. So please bear with me.
    Server and time capsule will both do NAT, DHCP. Which should I use for the network, Server or Time Capsule? I am connecting with a Brighthouse cable modem with a Dynamic IP. I have the Time Capsule in Bridge Mode with a static IP 192.168.0.6. The server is Static with 192.168.0.5. Brighthouse wireless is disabled as I like the time capsule wireless. Time capsule is providing WI-FI. Brighthouse router/Modem provides the Router at 192.168.0.1.
    I have a domain name abc.net. Should I set up lion server first and then set up Time Capsule after it is working? Do I set this up as a .local, .private or .net account during server setup? I want to be able to get to my computer from my domain name and handle my mail.
    I set this up once and it worked for about 2 hours. After that it would never see my computer. So I am setting up server again but wanted to see if I could get a little first time guidance this time. I also signed up with DYNDNS for DNS updating and that just seemed to throw a whole new batch of problems in.
    So any help would be great... Not dumb with computers, but new to apple servers. And I don't do geek well!!
    I think all the IP numbers, what I need to change on Netfirms to get to my computer get me confused in the setup.
    Thanks

    Server and time capsule will both do NAT, DHCP
    Sure.
    Which should I use for the network Server or Time Capsule
    Why do you think you need to use either of them?
    Ideally, you should have ONE device on your network running NAT, and ONE device running DHCP.
    From your description it sounds like your Brighthouse router is running NAT therefore there is no need to run NAT anywhere else.
    The chances are that the Brighthouse router is also running a DHCP server for your LAN, therefore there is also no need to run DHCP off the Time Capsule or the Server. You've already got those bases covered.
    So, at least without more information, I'd be inclined to say: neither.
    Should I set up lion server first and then set up Time Capsule after it is working?
    Probably. It depends on what your plans are for the Time Capsule. If you're using the TC as a wireless base station then it doesn't need to be running until you're ready to connect wireless clients.
    If you're using the TC for backup, you don't need it until your server and/or clients are setup and ready to backup.
    Since the TC is not (as per the above) running either NAT or DHCP, there's not much else to do with it.
    So focus on the server.
    Do I set this up as a .local, .private or .net account during server setup?
    That's entirely up to you, although there are a couple of options. First off, though, realize that there is no, zip, nada connection between the hostname you use on your internal LAN and any public domain. It's 100% valid for your server to be called foo.bar while serving web content for abc.net and getting email for xzy.com, all at the same time.
    Personally, I tend to set them the same (e.g. abc.net in this case), but others will recommend a different approach. It's largely personal preference.
    I want to be able to get to my computer from my domain name and handle my mail.
    If you're talking about getting to your computer/mail from an external locale, that's 100% down to DNS and completely independent of what the server thinks its own name is.
