Can't authenticate Mac VPN client from RADIUS server

Hello,
I'm a real noob here so please bear with me.
I have been able to configure my PIX 515E to allow VPN connections onto my network, but what I need to do is set up some sort of user authentication to control access at a user level. From what I've read here and in the Configuration Guide I should be able to do this authentication with a RADIUS server. I'm running a Corriente Networks Elektron Security server which has RADIUS server capabilities. It is running on my (inside) interface at IP 192.168.10.26.
I thought that I had everything configured properly but it never seems to authenticate. I connect, the XAUTH window pops up, I add my username and password as it's configured on my RADIUS server, but when I click OK it just cycles the progress bar at the bottom and eventually times out. The client log doesn't show me anything and the log on the RADIUS server shows me nothing. Any ideas? This seems like it should be simple because I can connect until I attempt to authenticate to the RADIUS server.
TIA for any direction you can provide me.
Christine

If it helps, here is my config with some of the unrelated bits deleted:
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security50
enable password ********* encrypted
passwd ******* encrypted
hostname pixfirewall
domain-name acme.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol http 80
fixup protocol http 82
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
access-list inside_outbound_nat0_acl permit ip any 192.168.10.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip host 192.168.10.26 192.168.10.192 255.255.255.224
access-list inside_outbound_nat0_acl permit ip host 192.168.10.69 192.168.10.192 255.255.255.224
access-list outside_cryptomap_dyn_20 permit ip any 192.168.10.0 255.255.255.0
access-list outside_cryptomap_dyn_40 permit ip any 192.168.10.192 255.255.255.224
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip address outside 207.XXX.XXX.130 255.255.255.0
ip address inside 192.168.10.1 255.255.255.0
ip address DMZ 192.168.100.1 255.255.255.0
multicast interface inside
ip audit info action alarm
ip audit attack action alarm
ip local pool CBI_VPN_Pool 192.168.10.201-192.168.10.220
pdm location 192.168.10.50 255.255.255.255 inside
pdm group CBI_Servers inside
pdm logging warnings 100
pdm history enable
arp timeout 14400
global (outside) 200 interface
global (DMZ) 200 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 200 192.168.10.0 255.255.255.0 0 0
static (inside,outside) 207.XXX.XXX.150 192.168.10.27 netmask 255.255.255.255 0 0
static (inside,outside) 207.XXX.XXX.132 192.168.10.26 dns netmask 255.255.255.255 0 0
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 207.XXX.XXX.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server radius-authport 1812
aaa-server radius-acctport 1812
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 192.168.10.26 ************* timeout 10
aaa-server LOCAL protocol local
http server enable
http 192.168.10.3 255.255.255.255 inside
no floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication RADIUS
crypto map outside_map interface outside
crypto map inside_map interface inside
isakmp enable outside
isakmp nat-traversal 3600
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup Test_VPN address-pool CBI_VPN_Pool
vpngroup Test_VPN dns-server 142.77.2.101 142.77.2.36
vpngroup Test_VPN default-domain acme.com
vpngroup Test_VPN idle-time 1800
vpngroup Test_VPN authentication-server RADIUS
vpngroup Test_VPN user-authentication
vpngroup Test_VPN user-idle-timeout 1200
vpngroup Test_VPN password ********
ssh timeout 5
console timeout 0
dhcpd address 192.168.10.100-192.168.10.254 inside
dhcpd dns 142.77.2.101 142.77.2.36
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
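The symptom above (XAUTH times out, RADIUS server logs nothing) is easiest to narrow down by taking the PIX out of the picture and asking the RADIUS server directly. The script below is an added example, not part of the original post or the PIX configuration: it builds an RFC 2865 PAP Access-Request with the User-Password hiding scheme, sends it to UDP 1812 (the `radius-authport` in the posted config), and verifies the Response Authenticator, which fails if the shared secret differs on either side. The server address is the one from the post; the secret, user, password and NAS-IP are placeholders to be replaced by the tester. The function names (`hide_password`, `build_access_request`, `reply_is_authentic`, `probe`) are the example's own.

```python
"""RFC 2865 PAP Access-Request builder and reply checker.

Added example, not part of the original post: a stand-alone way to confirm from
an inside host that the RADIUS server answers on UDP 1812 for a given shared
secret and user, independently of the PIX. Secret, user, password and NAS-IP
are assumptions to be filled in by the tester.
"""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a multiple of 16, then XOR each block with
    MD5(secret + previous block), seeded with the Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password (what the server does before checking the
    password). Trailing NUL padding is stripped, as RFC 2865 intends."""
    out, prev = bytearray(), request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """TLV: Type (1 byte), Length (1 byte, includes the 2 header bytes), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(ident, username, password, secret, nas_ip, request_auth):
    attrs = (attribute(USER_NAME, username.encode())
             + attribute(USER_PASSWORD, hide_password(password.encode(), secret, request_auth))
             + attribute(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def build_reply(code, ident, request_auth, secret, attrs=b""):
    """What a compliant server sends back; used here to exercise the checker offline."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs


def reply_is_authentic(reply, request_auth, secret):
    """RFC 2865 section 3: Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    A shared-secret mismatch on either side makes this check fail."""
    if len(reply) < 20 or struct.unpack("!H", reply[2:4])[0] != len(reply):
        return False
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])


def probe(server, secret, username, password, nas_ip, port=1812, timeout=5.0):
    """Send one Access-Request and classify the outcome."""
    ident, request_auth = os.urandom(1)[0], os.urandom(16)
    packet = build_access_request(ident, username, password, secret, nas_ip, request_auth)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (server, port))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            # RFC 2865: a server silently discards requests from a source it has
            # no shared secret for, so "no reply" usually means the sending
            # address is not registered as a client, the port is wrong, or
            # something in between filters UDP 1812.
            return "no reply"
    if reply[1] != ident:
        return "reply with wrong identifier"
    if not reply_is_authentic(reply, request_auth, secret):
        return "reply failed Response Authenticator check (shared secret mismatch?)"
    return {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject",
            ACCESS_CHALLENGE: "Access-Challenge"}.get(reply[0], f"code {reply[0]}")


if __name__ == "__main__":
    # Placeholder secret, user and password: replace before running against a real server.
    print(probe("192.168.10.26", b"SHARED-SECRET-PLACEHOLDER", "testuser", "testpass", "192.168.10.1"))
```

Two things to keep in mind when reading the result. A RADIUS server identifies the client by the UDP source address of the datagram, not by the NAS-IP-Address attribute, so a probe from a workstation only proves the server works for that workstation; the address the PIX sources its requests from (its inside interface, 192.168.10.1 in the posted config) must be registered on the server with the same secret, and a request from an unregistered address is dropped without any log entry, which matches the "server logs nothing" symptom. An Access-Reject with a valid Response Authenticator, on the other hand, means the secret and the transport are fine and only the credentials are wrong.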

Similar Messages

  • ASA , Cisco VPN client with RADIUS authentication

    Hi,
    I have configured ASA for Cisco VPN client with RADIUS authentication using Windows 2003 IAS.
    All seems to be working: I get connected and authenticated. However, even though I use the user name and password from Active Directory when connecting with the Cisco VPN client, I still have to provide these credentials once again when accessing domain resources.
    Should it work like this? Would it be possible to configure ASA/IAS/VPN client in such a way so I enter user name/password just once when connecting and getting access to domain resources straight away?
    Thank you.
    Kind regards,
    Alex

    Hi Alex,
    It is working as it should.
    You can enable the VPN client to start VPN before logon. That way you log in to VPN and then log on to the domain. However, you are still entering credentials twice (VPN and domain), but you have access to domain resources and profiles.
    thanks
    John

  • Can I restrict Apple Mail client from downloading all emails and allow it to pick a start date for Gmail mail to sync? I am flooded with old emails, thousands of them, eating hard drive space on my MacBook Pro and unnecessary overhead

    Can I restrict Apple Mail client from downloading all emails and allow it to pick a start date for Gmail mail to sync? I am flooded with old emails, thousands of them, eating hard drive space on my MacBook Pro and unnecessary overhead.

    The genius bar technicians can check your MBP for possible hardware problems and specific software issues that you may have.  The diagnosis will be free.  Any extensive repairs will not be free.
    If you have minor software problems, you essentially will have to deal with them yourself.  Examine these two comprehensive documents for possible problem definition and solutions.  If you encounter problems that you are unable to cope with, start a new discussion and there will be persons willing to assist you in solving them.
    https://discussions.apple.com/docs/DOC-3521
    https://discussions.apple.com/docs/DOC-3353
    Ciao.

  • Async tcp client and server. How can I determine that the client or the server is no longer available?

    Hello. I would like to write an async TCP client and server. I wrote this code but I have a problem when I call the Disconnect method on the client or the Stop method on the server: I can't identify that the client or the server is no longer connected.
    I thought I will get an exception if the client or the server is not available but this is not happening.
    private async void Process() {
        try {
            while (true) {
                var data = await this.Receive();
                this.NewMessage.SafeInvoke(Encoding.ASCII.GetString(data));
            }
        } catch (Exception exception) {
            // swallowed: nothing reports that the peer has gone away
        }
    }
    How can I determine that the client or the server is no longer available?
    Server
    using System;
    using System.Collections.Generic;
    using System.Net;
    using System.Net.Sockets;
    using System.Text;
    using System.Threading;
    using System.Threading.Tasks;

    public class Server {
        private readonly Dictionary<IPEndPoint, TcpClient> clients = new Dictionary<IPEndPoint, TcpClient>();
        private readonly List<CancellationTokenSource> cancellationTokens = new List<CancellationTokenSource>();
        private TcpListener tcpListener;
        private bool isStarted;

        public event Action<string> NewMessage;

        public async Task Start(int port) {
            this.tcpListener = TcpListener.Create(port);
            this.tcpListener.Start();
            this.isStarted = true;
            while (this.isStarted) {
                var tcpClient = await this.tcpListener.AcceptTcpClientAsync();
                var cts = new CancellationTokenSource();
                this.cancellationTokens.Add(cts);
                await Task.Factory.StartNew(() => this.Process(cts.Token, tcpClient), cts.Token, TaskCreationOptions.LongRunning, TaskScheduler.Default);
            }
        }

        public void Stop() {
            this.isStarted = false;
            foreach (var cancellationTokenSource in this.cancellationTokens) {
                cancellationTokenSource.Cancel();
            }
            foreach (var tcpClient in this.clients.Values) {
                tcpClient.GetStream().Close();
                tcpClient.Close();
            }
            this.clients.Clear();
        }

        public async Task SendMessage(string message, IPEndPoint endPoint) {
            try {
                var tcpClient = this.clients[endPoint];
                await this.Send(tcpClient.GetStream(), Encoding.ASCII.GetBytes(message));
            } catch (Exception exception) {
                // swallowed: a failed send is never reported to the caller
            }
        }

        private async Task Process(CancellationToken cancellationToken, TcpClient tcpClient) {
            try {
                var stream = tcpClient.GetStream();
                this.clients.Add((IPEndPoint)tcpClient.Client.RemoteEndPoint, tcpClient);
                while (!cancellationToken.IsCancellationRequested) {
                    var data = await this.Receive(stream);
                    // SafeInvoke is not a framework method; it is assumed to be the poster's own extension method
                    this.NewMessage.SafeInvoke(Encoding.ASCII.GetString(data));
                }
            } catch (Exception exception) {
                // swallowed: the disconnect the poster is asking about ends up here unreported
            }
        }

        private async Task Send(NetworkStream stream, byte[] buf) {
            // 4-byte length prefix in host byte order, followed by the payload
            await stream.WriteAsync(BitConverter.GetBytes(buf.Length), 0, 4);
            await stream.WriteAsync(buf, 0, buf.Length);
        }

        private async Task<byte[]> Receive(NetworkStream stream) {
            // ReadAsync returns the number of bytes actually read: 0 means the peer
            // closed the connection, and it may be fewer than requested. That return
            // value is ignored here, and the length is taken unchecked from the peer.
            var lengthBytes = new byte[4];
            await stream.ReadAsync(lengthBytes, 0, 4);
            var length = BitConverter.ToInt32(lengthBytes, 0);
            var buf = new byte[length];
            await stream.ReadAsync(buf, 0, buf.Length);
            return buf;
        }
    }
    Client
    using System;
    using System.Net.Sockets;
    using System.Text;
    using System.Threading.Tasks;

    public class Client {
        private TcpClient tcpClient;
        private NetworkStream stream;

        public event Action<string> NewMessage;

        public async void Connect(string host, int port) {
            try {
                this.tcpClient = new TcpClient();
                await this.tcpClient.ConnectAsync(host, port);
                this.stream = this.tcpClient.GetStream();
                this.Process();
            } catch (Exception exception) {
                // swallowed
            }
        }

        public void Disconnect() {
            try {
                this.stream.Close();
                this.tcpClient.Close();
            } catch (Exception exception) {
                // swallowed
            }
        }

        public async void SendMessage(string message) {
            try {
                await this.Send(Encoding.ASCII.GetBytes(message));
            } catch (Exception exception) {
                // swallowed
            }
        }

        private async void Process() {
            try {
                while (true) {
                    var data = await this.Receive();
                    this.NewMessage.SafeInvoke(Encoding.ASCII.GetString(data));
                }
            } catch (Exception exception) {
                // swallowed: the server going away is caught here and never surfaced
            }
        }

        private async Task Send(byte[] buf) {
            await this.stream.WriteAsync(BitConverter.GetBytes(buf.Length), 0, 4);
            await this.stream.WriteAsync(buf, 0, buf.Length);
        }

        private async Task<byte[]> Receive() {
            // Same issue as the server: the byte count returned by ReadAsync
            // (0 on close, possibly short) is ignored, and the length is unchecked.
            var lengthBytes = new byte[4];
            await this.stream.ReadAsync(lengthBytes, 0, 4);
            var length = BitConverter.ToInt32(lengthBytes, 0);
            var buf = new byte[length];
            await this.stream.ReadAsync(buf, 0, buf.Length);
            return buf;
        }
    }

    Hi,
    Have you debug these two applications? Does it go into the catch exception block when you close the client or the server?
    According to my test, it will throw an exception when the client or the server is closed, just log the exception message in the catch block and then you'll get it:
    private async void Process() {
        try {
            while (true) {
                var data = await this.Receive();
                this.NewMessage.Invoke(Encoding.ASCII.GetString(data));
            }
        } catch (Exception exception) {
            Console.WriteLine(exception.Message);
        }
    }
    Unable to read data from the transport connection: An existing   connection was forcibly closed by the remote host.
    By the way, I don't know what the SafeInvoke method is, it may be an extension method, right? I used Invoke instead to test it.
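The exception-on-close answer above is correct as far as it goes, but the posted Receive() has two further problems a reviewer would flag: it ignores how many bytes ReadAsync actually returned (a short read or a 0-byte read at close is treated as a full message), and it allocates whatever length the remote side announces. The following is an added Python example, not the poster's C# and not a translation of it; it shows the same length-prefixed framing done defensively with asyncio's `readexactly`, which loops until the requested bytes arrive and raises when the peer goes away. `MAX_FRAME`, `PeerGone`, `FrameTooLarge`, `recv_frame` and `decode_stream` are the example's own names, and the byte chunks in the demo are constructed to mimic TCP delivering data at awkward boundaries.

```python
"""Length-prefixed TCP framing with asyncio, done defensively.

Added example (not the thread's C# code): handles a read that returns fewer
bytes than asked for, the peer going away (clean EOF or drop mid-message), and a
length field chosen by the peer.
"""
import asyncio
import struct

MAX_FRAME = 64 * 1024            # assumption: largest message this protocol accepts
HEADER = struct.Struct("!I")     # 4-byte unsigned length in network byte order


class PeerGone(Exception):
    """The other side closed or dropped the connection."""


class FrameTooLarge(Exception):
    """The peer announced a length above MAX_FRAME; refuse to allocate it."""


async def send_frame(writer: asyncio.StreamWriter, payload: bytes) -> None:
    if len(payload) > MAX_FRAME:
        raise FrameTooLarge(len(payload))
    writer.write(HEADER.pack(len(payload)) + payload)
    await writer.drain()


async def recv_frame(reader: asyncio.StreamReader) -> bytes:
    """Read exactly one frame. readexactly() keeps reading until every requested
    byte has arrived, so a short read is never mistaken for a whole message."""
    try:
        (length,) = HEADER.unpack(await reader.readexactly(HEADER.size))
    except asyncio.IncompleteReadError as exc:
        # partial == b"" means the peer closed cleanly between messages;
        # anything else means the connection died mid-header.
        raise PeerGone("clean close" if not exc.partial else "dropped mid-header") from exc
    if length > MAX_FRAME:
        raise FrameTooLarge(length)
    try:
        return await reader.readexactly(length)
    except asyncio.IncompleteReadError as exc:
        raise PeerGone(f"dropped after {len(exc.partial)} of {length} body bytes") from exc


def frame(payload: bytes) -> bytes:
    """Wire encoding of one message (used to build test input)."""
    return HEADER.pack(len(payload)) + payload


async def _drain_frames(chunks):
    """Feed the stream in arbitrary chunk sizes (as TCP may deliver it), then
    EOF, and collect every frame plus the reason the receive loop stopped."""
    reader = asyncio.StreamReader()
    for chunk in chunks:
        reader.feed_data(chunk)
    reader.feed_eof()
    frames, reason = [], None
    while True:
        try:
            frames.append(await recv_frame(reader))
        except PeerGone as exc:
            reason = f"peer gone: {exc}"
            break
        except FrameTooLarge as exc:
            reason = f"refused frame of {exc} bytes"
            break
    return frames, reason


def decode_stream(chunks):
    """Synchronous wrapper: returns (list_of_frames, stop_reason)."""
    return asyncio.run(_drain_frames(chunks))


if __name__ == "__main__":
    wire = frame(b"hello") + frame(b"world")
    # constructed input: split at awkward points to mimic short reads
    print(decode_stream([wire[:3], wire[3:7], wire[7:]]))
    print(decode_stream([frame(b"ok")[:5]]))        # dropped mid-body
    print(decode_stream([HEADER.pack(1 << 31)]))    # hostile length field
```

Two design points carry over to the C# version: use a fixed, unsigned, network-byte-order length (the posted code uses `BitConverter`, which follows the host's byte order and reads a signed `Int32`, so a peer can send a negative length), and cap the length before allocating so a single bogus header cannot make the process reserve gigabytes.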

  • Waiting ACK from Radius Server before sending traffic

    Hello,
    After receiving the Access-Accept from the RADIUS server, the AS gives the IP address to the client/user and sends an Accounting Start to the RADIUS server.
    I just want to know if it is possible for the AS to wait for the Ack of the Accounting Start from the RADIUS server before forwarding the client traffic to the destination.
    I see some documentation in the web and I find:
    aaa dnis map xxx accounting network wait-start group YYY..
    Is this the right thing to do? If I use ? after network this option doesn't appear.
    The IOS is: 5300-j-mz.122-11.T2.bin
    Thanks a lot
    Ira

    Yes, I think it's possible to start the accounting after receiving the ack from the RADIUS server. For this, the command will be:
    router(config)#aaa accounting "what-to-track info" wait-start "where-to-send info".
    This wait-start command says to wait for receiving the ack from the server before starting the accounting process.

  • Kicking out a client from rmi server

    I have a few clients on a rmi server .
    how can I disconnect a client from the server?
    the client is an applet.
    I tried calling a method containing System.exit(0)
    from the server on to the client but it throws a
    java.security ... exception?
    so how can I close down the client applet from the server?
    thanks

    please help
    shall I throw a remote exception on the server

  • How can i get all the users from weblogic server?

    how can i get all the users from weblogic server?
    i have configured a LDAP server using iPlanet and
    in weblogic server console i see those users from LDAP
    server. but how can i get all the users in my program
    from weblogic server instead of LDAP server?
    BTW, how to configure a RDBMSAuthenticator and what should i do
    in Oracle? which tables should i create? and how are their architectures?
    Thanks
    Daniel

    BTW, i use weblogic platform 8.1
    "Daniel" <[email protected]> wrote in message
    news:[email protected]...
    how can i get all the users from weblogic server?
    i have configured a LDAP server using iPlanet and
    in weblogic server console i see those users from LDAP
    server. but how can i get all the users in my program
    from weblogic server instead of LDAP server?
    BTW, how to configure a RDBMSAuthenticator and what should i do
    in Oracle? which tables should i create? and how are their architectures?
    Thanks
    Daniel

  • Is it possible to lock the keyboard of a client from a server using java

    Please explain whether it is possible to lock the keyboard of a client from a server using Java.

    You want to process code on one machine, and thereby lock the keyboard on another machine? No, that's not possible. It is extremely far from possible.
    Of course, if the client is running software with security holes in it you might hack into it and crash the thing. This will lock up the keyboard pretty good. I hope that's not what you want ...
    Or are you talking about a setup where you already have code running on the client, and some sort of communication between client and server? In that case what you need to know is whether it is possible to lock the keyboard at all. Once you have figured that out, it is trivial to add the communication code to have the server software tell the client software to lock the keyboard.
    So what do you mean with "lock the keyboard"? It's pretty easy to remove/disable all keyboard related listeners in your own application. It's a lot harder (and AFAIK impossible with pure java) to disable alt-tabbing out of the application. And impossible, except from exploiting security holes, to lock the ctrl-alt-delete-combination on windows machine.

  • Can we reconcile secondary group name from unix server

    Hi,
    Can we reconcile the secondary group name from a Unix server using some of our own customised code?

    Using JNDI this should not be very hard.
    Are you planning to store the secondary groups as a child table to a unix RO?
    In that case it might actually be easier and quicker to sidestep the recon system entirely and interact directly with the child form.
    Best regards
    /Martin

  • VPN client and radius or CAR

    Hello:
    I am trying to setup remote access vpn on IOS router with cisco Radius or CAR.
    the vpn client user needs to be authenticated by group id and password, and user id and password.
    How should I set up CAR? Could someone provide me an example?
    I saw this sample, but there is no relationship between user and group.
    Any suggestions?
    thx
    [ //localhost/RADIUS/UserLists/Default/joe-coke ]
    Name = joe-coke
    Description =
    Password = <encrypted>
    AllowNullPassword = FALSE
    Enabled = TRUE
    Group~ =
    BaseProfile~ =
    AuthenticationScript~ =
    AuthorizationScript~ =
    UserDefined1 =
    [ //localhost/RADIUS/UserLists/Default/group1 ]
    Name = group1
    Description =
    Password = <encrypted> (would be "cisco")
    AllowNullPassword = FALSE
    Enabled = TRUE
    Group~ =
    BaseProfile~ = group1profile
    AuthenticationScript~ =
    AuthorizationScript~ =
    UserDefined1 =
    Define the group attributes such as pre-shared key, IP address pool name, etc. using Cisco AV-pairs:
    [ //localhost/RADIUS/Profiles/group1profile/Attributes ]
    cisco-avpair = ipsec:key-exchange=ike
    cisco-avpair = ipsec:tunnel-password=cisco123
    cisco-avpair = ipsec:addr-pool=pool1
    Service-Type = Outbound

    you can define the group locally on the router to define the values which the client will use to build the tunnel (pre-shared key, etc). The client's username/pw can then be defined within AAA server to allow access to the network once the tunnel has been established.
    The link below should show how to setup the group config in IOS and you should change the AAA method to point to radius instead of local to authenticate the client at your AAA server.
    http://www.cisco.com/en/US/partner/products/sw/secursw/ps2308/products_configuration_example09186a00801c4246.shtml

  • Cisco Jabber Client for Windows 9.7 Can't Connect IPSec VPN Clients over two ASAs

    Environment:
    2 x ASA 5540s (at two different data centers) configured as a VPN Load Balancing Cluster
    Both ASAs are at version 8.4(5)6
    IPSec VPN Client version: 5.0.07.440 (64-bit)
    Jabber for Windows v9.7.0 build 18474
    Issue:
    If I am an IPSec VPN user:
      • I can use Jabber to another IPSec VPN user that is connected to the same ASA appliance.
      • I can't use Jabber to another IPSec VPN user that is connected to a different ASA appliance than the one I am connected to.
    In the hub-and-spoke design, where the VPN ASA is a hub, and the VPN client is a spoke; if you have two hubs clustered together, how does one spoke communicate with another spoke on the other hub in the cluster? (How to allow hairpinning to the other ASA)

    Portu,
    Thanks for your quick reply.
    Unfortunately, I do not have access to the ASA logs nor would I be permitted to turn on the debug settings asked for above.  I might be able to get the logs but it will take awhile and I suspect they wouldn't be helpful as this ASA supports thousands of clients, therefore, separating out my connection attempts from other clients would be difficult.
    I can, though, do whatever you want on the Linux router.  Looking over the firewall logs at the time of this problem, I don't see anything that looks suspicious such as dropped packets destined for the Windows client.
    As I said in my original post, I'm not a networking expert - by any means - but I am willing to try anything to resolve this. (But I might need a bit of handholding if I need to set up a Wireshark and/or tcpdump capture.)
    Thanks again.

  • VPN Client and Terminal Server

    We have several clients that allow us to VPN into their systems and it has come to the point that we are getting software incompatibilities. What I am trying to do is set up "compatible" connections on a Terminal Server box and let our people access this from their workstations. The problem is when the actual connection through the VPN client is made they lose connection to the terminal server. I have tried putting 2 NICs into the terminal server and am able to allocate one for the terminal server but can not find a way to allocate the other to the VPN client. Is this possible or is there another way to accomplish this?
    Thanks

    Close,
    What I have is one machine with 2 NICs:
    NIC #1 = Terminal Server access (local LAN only), locked in via registry settings to use ONLY this NIC.
    NIC #2 = I would like to "LOCK" the client software to use ONLY this NIC (has a dynamic IP for the local LAN and access to the Internet via a router).
    Problem: When you connect to the T-Server all is fine UNTIL you start up the client software to access our clients' systems via the web; the connection to the T-Server on the local side stops and gives the appearance of a frozen screen.
    Manually disconnect the person from the T-Server and kill the Cisco client software, then you can re-connect to the T-Server (and it all starts over again).
    The Cisco software actually makes the connection to our client's system but we can not tell because it wants BOTH NICs for itself and stops access via NIC #1 to the T-Server.

  • How to enable traffic between VPN clients in Windows Server 2012 R2?

    Hello, 
    I installed Remote Access role with VPN.
    IPv4 Router is enabled: http://snag.gy/UAMY2.jpg
    VPN clients should use static ip pool: http://snag.gy/REjkB.jpg
    One VPN user is configured to have static ip: http://snag.gy/TWwq0.jpg
    VPN server uses Windows Authentication and Windows Accounting.
    With this setup, VPN clients can connect to server, get ip addresses and can see server via server's vpn ip. Server can connect to VPN clients too (Using client's vpn ips). But VPN clients can't communicate with each other.
    For example, VPN server has ip 192.168.99.5
    VPN Client 1 - 192.168.99.6
    VPN Client 2 - 192.168.99.7
    I am able to ping 192.168.99.5 from both clients, and able to ping 192.168.99.6 and 192.168.99.7 from server via remote desktop. But I am not able to ping 192.168.99.7 from client 1 and 192.168.99.6 from client 2.
    If I trace route from 192.168.99.6 to 192.168.99.7 - I can see that packets goes to server (192.168.99.5) and next hop - request timeout.
    What else should I configure to allow network traffic between VPN clients?

    Hi,
    To better analyze this issue, would you please post the routing tables on the two VPN clients? You can run "route print" at the command prompt to get the routing table.
    Best regards,
    Susie

  • Configure IP pool from radius server

    Hi, all
    My ADSL system's using a ERX-700 (juniper) as a BRAS and 7206 for backup.
    Everything is alright except assigning name of pool to BRAS.
    ERX-700 uses the frame-pool attribute to provide the pool name instead of the addr-pool attribute as the 7206 does.
    IOS cannot support this attribute, but I can't configure both attributes on RADIUS.
    Can you help to overcome this problem
    Thanks a lot.

    This is a RADIUS issue. It does depend on the AAA server you're using how to configure both NASes independently.
    For instance, if you were using the NavisRadius product as AAA server, configuring which attributes to send back per NAS is really a piece of cake:
    1) First, you have to define how to identify both NASes separately, either by IP, technology, by checking the calling-station-id, or whatever.
    Supposing you use IP, which is maybe easier, you have to define a clients file, for instance:
    10.0.0.1 secret_key ERX700
    10.0.0.2 secret_key2 Cisco7200
    10.0.0.3 secret_key3 AS5800
    2) Depending on who's sending the request, define what to do next and what attributes to send back. With NavisRadius you do this through a Policy Flow, which is like a set of instructions to configure it, either manually or through a GUI. Through this set you could do, for instance:
    checkClientClass Method-Type="Branch"
    Branch-Case = "Cisco7200\tsetIPAdressPoolA"
    Branch-Case = "ERX700\tsetIPforERX"
    Branch-Case = "AS5800\tsetIpsecService"
    Branch-Case = "*\tUnknownClient"
    Branch-SelectMode = "KEY"
    Branch-SearchKey = "${client.Client-Class}"
    3) And finally, depending on the tag used, go to another method which sends the needed attributes back to the NAS, or do whatever you want to do depending on the case.
    This is a very brief example, since the product is really flexible and allows many other possibilities, like getting the IP pools from another server, etc.
    Good luck!

  • VPN conversion (from OSX Server 10.2)

    I am trying to implement VPN in 10.4. However, we had used the workaround in 10.2 to set up VPN (using PPTP), this involved editing /etc/hostconfig (to include VPN SERVER=-YES-,VPN_ARGS=" ",IPFORWARDING=-YES-) and setting up valid IP numbers in /etc/ppp/pptp_address. Finally, you "created" the file /etc/ppp/chap-secrets which stored the VPN usernames, passwords, server address, etc.
    I am trying to use the VPN features in 10.4, but they don't seem to work. I've taken out the added edits in /etc/hostconfig, but no luck. I can't even find the pptp_addresses or the chap-secrets files! But, that version of VPN still works! Anybody have any good advice?
    Ray

    So when you are outside your network, and try to ping your address "mydomain.com", does it actually resolve to your domain?
    At your router, do you have the VPN ports forwarded to your server's internal IP address?
    On the server, you need to use Server Admin to define users (or groups of users) and grant them VPN privileges. Then use one of these users to attempt to log in. For me, I've consistently used their Unix short name as the user ID when logging in, and had no troubles.
    The VPN config asks what IP address range to assign to the clients.  From what I've read, you want to use a range that is distinctively different from your default internal IP address range.  Otherwise, some things won't work.  For example, if your internal network IP addresses are in the range 192.168.1.xxx, you'd configure the VPN options to assign VPN clients addresses in the range 192.168.2.xxx, so that they are differentiated.
