Configuration Network access on 10.4.11

Similar Messages

• Is it possible that network access permission control in acs 5.1

  Hello
  We have ACS5.1, WLC 7.0 and using 802.1x to authentication users.
  Anybody know how I can configure network access restriction with using internal user group information.
  For example, under the same SSID(like that "test") , same VLAN ID.
  But two different user group has a different network access permission.
  One group has full permission and the other has a limit network access permission.
  Is it possible?

  The equivalent of a NAR would be ACS 5.1 returning an authorization profile after authentication. Just configure your authorization policy to return one profile for one group of user and the other profile for the others.
  Now to restrict access to the network, I think you're best with an ACL ? So link ACLs to your profiles.
  Nicolas

• Network Access Account, used by only Workgroup Computers or Domain Computers also?

  Our environment has a few servers that are in a workgroup (not ideal, but is an application requirement on these few boxes) rather than being on the domain.  We have to patch these servers routinely and would like to use SCCM 2012 to do so.  As
  I understand it all that is needed is to configure the Network Access Account for the site and install the client manually on the workgroup computers, correct?  My next question is, do the domain computers continue to use their computer accounts to access
  network locations during content deployment or will they too use the newly configured  network access account?  Or, does the client first attempt to use its computer account and if that fails then results to using the SCCM Network Access Account?
   I've searched everywhere and can't seem to find this info.  Thanks in advance if you can point me in the right direction.

  Hi,
  I haven't seen any table like this for the Configuration Manager 2012 so this is for 2007, I haven't heard of any changes to this and the conclusion is that the account is used more often than you would think depending on what you are doing with the client.
  http://technet.microsoft.com/en-us/library/bb680398.aspx
  Regards,
  Jörgen
  -- My System Center blog ccmexec.com -- Twitter
  @ccmexec

• Network Access Module and Switching Users

  We are working on implementing 802.1x and plan to use AnyConnect NAM on the PCs. However, I’ve run into a problem where we have a few multi-user machines for employees who work in multiple locations throughout the day. It’s not uncommon for someone to lock the PC they are working on and walk away. Prior to NAM, a second user could come along and log in as themselves, leaving the initial user logged in. However, I’ve found that once NAM has been installed this user switching feature is disabled. This is understandable, as the initial user technically hasn’t logged out, so the port is still authenticated with their credentials, and we wouldn’t want to accidently break a connection stream just to reauthenticate the second user.
  I have spent quite a bit of time going through these forums and white papers trying to find an alternative solution for this situation, but haven’t had much luck. Does anyone have any suggestions on how I could proceed on this?

  wireman wrote:
  I run Access Connections 4.42 as default for configuring network access on a T61with XP SP2. When two users are logged in Access Connections fails with: Access Connections is being used by another user.
  A lurker reviewed this and sent back this message:
  "Fast User Switching.  Since the first user doesn't actually log off, any attempt to use Access Connections by the second user will result in the alert referenced in the post.  It's working as designed."
  English Community   Deutsche Community   Comunidad en Español   Русскоязычное Сообщество
  Jane
  2015 X1 Carbon, ThinkPad Slate, T410s, X301, X200 Tablet, T60p, HP TouchPad, iPad Air 2, iPhone 5S, IdeaTab A2107A, Yoga Tablet, Yoga 3 Pro
  I am not a Lenovo Employee.
  I AM one of those crazy ThinkPad zealots!
  If you find a post helpful and it answers your question, please mark it as an "Accepted Solution"!

• Cisco's AnyConnect Network Access Manager (NAM)

  Hi dears,
  I configurate EAP_FAST in Cisco ISE and want wired users authenticate from ISE. I install Network Access Manager Profile Editor and Cisco Anyconnect Security Mobility Client on PC. I configure Network Access Manager  when i want to save as that I did not see the . \newConfigFiles folder. Then I did that: Organize’, ‘Folder and Search Options’, ‘Show hidden files, folders, and drives. but in this case i did see the network access manager folder.
  I need a to install Cisco’s AnyConnect Network Access Manager (NAM) on PC. HOW  I get this soft? I have a smartnet for ISE. 
  Which email address(to cisco) i must be write to get this soft?
  Thanks.

  You can download the Network Access Manager module from CCO.  This link should work if you have a CCO account.
  http://software.cisco.com/download/release.html?mdfid=283000185&softwareid=282364313&release=3.1.05160&relind=AVAILABLE&rellifecycle=&reltype=latest&i=rs
  The file name will be similar to anyconnect-win-3.1.05160-pre-deploy-k9.iso.  Just unzip the ISO with 7zip or Winrar and you will see the NAM msi file  anyconnect-nam-win-3.1.05149-k9.msi.

• LAN settings for HP LaserJet 500 Color MFP M575: printing OK, network access NO

  Printing OK but Network access NOI have a M575 in office LAN.IP 169.254.204.142Subnet 255.255.255.000Router 169.254.204.1Other computers 169.254.204.2-100Everything was good. But couple days ago I was not able to connect to my HP from browser. I was check settings and: IP address on screen HP - 0.0.0.0 I can printing on my HP!!! (destination of printing is: HPLaserJet500ColorMFPM575)but can’t to change settings. I can't change IP adres in JETDIRECT printer's menu. In command prompt PING of 169.254.204.142 is OK… Hand settings IP on start (1/8 click ), searching in administrative menu, cold reset… nothing I don’t know what I can to do else.

  This is my IPConfig screen:C:\>IPConfig /all
  Windows IP Configuration
  Host Name . . . . . . . . . . . . : T420
  Primary Dns Suffix . . . . . . . :
  Node Type . . . . . . . . . . . . : Peer-Peer
  IP Routing Enabled. . . . . . . . : No
  WINS Proxy Enabled. . . . . . . . : No
  Ethernet adapter Bluetooth Network Connection 2:
  Media State . . . . . . . . . . . : Media disconnected
  Connection-specific DNS Suffix . :
  Description . . . . . . . . . . . : Bluetooth Device (Personal Area Network)
  #2
  Physical Address. . . . . . . . . : 60-D8-19-D8-A4-3B
  DHCP Enabled. . . . . . . . . . . : Yes
  Autoconfiguration Enabled . . . . : Yes
  Ethernet adapter Local Area Connection 6:
  Connection-specific DNS Suffix . :
  Description . . . . . . . . . . . : Intel(R) 82579LM Gigabit Network Connecti
  on
  Physical Address. . . . . . . . . : 00-21-CC-66-CA-38
  DHCP Enabled. . . . . . . . . . . : Yes
  Autoconfiguration Enabled . . . . : Yes
  Link-local IPv6 Address . . . . . : fe80::385f:1def:62ae:8cd5%75(Preferred)
  IPv4 Address. . . . . . . . . . . : 169.254.204.2(Preferred)
  Subnet Mask . . . . . . . . . . . : 255.255.255.0
  Lease Obtained. . . . . . . . . . : 29 xxxxxxxxxxx 2015 15:25:46
  Lease Expires . . . . . . . . . . : 30 xxxxxxxxxxx 2015 15:25:46
  Default Gateway . . . . . . . . . : 169.254.204.1
  DHCP Server . . . . . . . . . . . : 169.254.204.1
  DHCPv6 IAID . . . . . . . . . . . : 1610621388
  DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-15-69-54-50-00-1E-37-1A-5A-E8
  DNS Servers . . . . . . . . . . . : fe80::5ef9:6aff:fedf:5f3b%75
  169.254.204.1
  169.254.204.1
  NetBIOS over Tcpip. . . . . . . . : Enabled
  Wireless LAN adapter Wireless Network Connection 2:
  Media State . . . . . . . . . . . : Media disconnected
  Connection-specific DNS Suffix . :
  Description . . . . . . . . . . . : Intel(R) Centrino(R) Advanced-N 6205
  Physical Address. . . . . . . . . : A0-88-B4-D2-3E-B0
  DHCP Enabled. . . . . . . . . . . : Yes
  Autoconfiguration Enabled . . . . : Yes
  Tunnel adapter Local Area Connection* 57:
  Media State . . . . . . . . . . . : Media disconnected
  Connection-specific DNS Suffix . :
  Description . . . . . . . . . . . : Microsoft 6to4 Adapter
  Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
  DHCP Enabled. . . . . . . . . . . : No
  Autoconfiguration Enabled . . . . : Yes
  Tunnel adapter isatap.{32EA8AA7-0304-411D-9B3C-9BE6D6E53F7D}:
  Media State . . . . . . . . . . . : Media disconnected
  Connection-specific DNS Suffix . :
  Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
  Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
  DHCP Enabled. . . . . . . . . . . : No
  Autoconfiguration Enabled . . . . : Yes
  Tunnel adapter Local Area Connection* 135:
  Media State . . . . . . . . . . . : Media disconnected
  Connection-specific DNS Suffix . :
  Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
  Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
  DHCP Enabled. . . . . . . . . . . : No
  Autoconfiguration Enabled . . . . : Yes
  Tunnel adapter isatap.{0E880DF2-FD27-4BF8-BBD9-EA726316C1FE}:
  Media State . . . . . . . . . . . : Media disconnected
  Connection-specific DNS Suffix . :
  Description . . . . . . . . . . . : Microsoft ISATAP Adapter #4
  Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
  DHCP Enabled. . . . . . . . . . . : No
  Autoconfiguration Enabled . . . . : Yes
  Tunnel adapter isatap.{FFBD17DC-A12B-469A-8135-C63D9BBEBB31}:
  Media State . . . . . . . . . . . : Media disconnected
  Connection-specific DNS Suffix . :
  Description . . . . . . . . . . . : Microsoft ISATAP Adapter #6
  Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
  DHCP Enabled. . . . . . . . . . . : No
  Autoconfiguration Enabled . . . . : Yes
  C:\>

• I need helping!!! configuring RDP access to my local server from a remote location on my Cisco ASA 5505 Firewall.

  I need helping configuring RDP access to my local server from a remote location on my Cisco ASA 5505 Firewall.
  I have attempted to configure rdp access but it does not seem to be working for me Could I please ask someone to help me modify my current configuration to allow this? Please do step by step as I could use all the help I could get.
  I need to allow the following IP addresses to have RDP access to my server:
  66.237.238.193-66.237.238.222
  69.195.249.177-69.195.249.190
  69.65.80.240-69.65.80.249
  My external WAN server info is - 99.89.69.333
  The internal IP address of my server is - 192.168.6.2
  The other server shows up as 99.89.69.334 but is working fine.
  I already added one server for Static route and RDP but when I try to put in same commands it doesnt allow me to for this new one. Please take a look at my configuration file and give me the commands i need in order to put this through. Also please tell me if there are any bad/conflicting entries.
  THE FOLLOWING IS MY CONFIGURATION FILE
  Also I have modified IP information so that its not the ACTUAL ip info for my server/network etc... lol for security reasons of course
  Also the bolded lines are the modifications I made but that arent working.
  ASA Version 7.2(4)
  hostname ciscoasa
  domain-name default.domain.invalid
  enable password DowJbZ7jrm5Nkm5B encrypted
  passwd 2KFQnbNIdI.2KYOU encrypted
  names
  interface Vlan1
  nameif inside
  security-level 100
  ip address 192.168.6.254 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address 99.89.69.233 255.255.255.248
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  ftp mode passive
  dns server-group DefaultDNS
  domain-name default.domain.invalid
  object-group network EMRMC
  network-object 10.1.2.0 255.255.255.0
  network-object 192.168.10.0 255.255.255.0
  network-object 192.168.11.0 255.255.255.0
  network-object 172.16.0.0 255.255.0.0
  network-object 192.168.9.0 255.255.255.0
  object-group service RDP tcp
  description RDP
  port-object eq 3389
  object-group service GMED tcp
  description GMED
  port-object eq 3390
  object-group service MarsAccess tcp
  description MarsAccess
  port-object range pcanywhere-data 5632
  object-group service MarsFTP tcp
  description MarsFTP
  port-object range ftp-data ftp
  object-group service MarsSupportAppls tcp
  description MarsSupportAppls
  port-object eq 1972
  object-group service MarsUpdatePort tcp
  description MarsUpdatePort
  port-object eq 7835
  object-group service NM1503 tcp
  description NM1503
  port-object eq 1503
  object-group service NM1720 tcp
  description NM1720
  port-object eq h323
  object-group service NM1731 tcp
  description NM1731
  port-object eq 1731
  object-group service NM389 tcp
  description NM389
  port-object eq ldap
  object-group service NM522 tcp
  description NM522
  port-object eq 522
  object-group service SSL tcp
  description SSL
  port-object eq https
  object-group service rdp tcp
  port-object eq 3389
  access-list outside_1_cryptomap extended permit ip 192.168.6.0 255.255.255.0 object-group EMRMC
  access-list inside_nat0_outbound extended permit ip 192.168.6.0 255.255.255.0 192.168.0.0 255.255.0.0
  access-list inside_nat0_outbound extended permit ip 192.168.6.0 255.255.255.0 object-group EMRMC
  access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 host 99.89.69.334 eq pcanywhere-data
  access-list outside_access_in extended permit udp 69.16.158.128 255.255.255.128 host 99.89.69.334 eq pcanywhere-status
  access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 host 99.89.69.334 object-group RDP
  access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 eq ftp
  access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 eq ldap
  access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 eq h323
  access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 eq telnet
  access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 eq www
  access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 host 99.89.69.334 object-group SSL
  access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 object-group NM522
  access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 object-group NM1731
  access-list outside_access_in extended permit tcp 173.197.144.48 255.255.255.248 host 99.89.69.334 object-group RDP
  access-list outside_access_in extended permit tcp any interface outside eq 3389
  access-list outside_access_in extended permit tcp host 66.237.238.194 host 99.89.69.333
  access-list outside_access_in extended permit tcp host 66.237.238.194 host 99.89.69.333 object-group rdp
  access-list outside_access_in extended permit tcp any host 99.89.69.333 object-group rdp
  access-list out_in extended permit tcp any host 192.168.6.2 eq 3389
  pager lines 24
  logging enable
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  icmp unreachable rate-limit 1 burst-size 1
  asdm image disk0:/asdm-524.bin
  no asdm history enable
  arp timeout 14400
  global (outside) 1 interface
  nat (inside) 0 access-list inside_nat0_outbound
  nat (inside) 1 0.0.0.0 0.0.0.0
  static (inside,outside) tcp 99.89.69.334 3389 192.168.6.1 3389 netmask 255.255.255.255
  static (inside,outside) tcp interface 3389 192.168.6.2 3389 netmask 255.255.255.255
  access-group outside_access_in in interface outside
  route outside 0.0.0.0 0.0.0.0 99.89.69.338 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  http server enable
  http 192.168.6.0 255.255.255.0 inside
  http 0.0.0.0 0.0.0.0 outside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto map outside_map 1 match address outside_1_cryptomap
  crypto map outside_map 1 set peer 68.156.148.5
  crypto map outside_map 1 set transform-set ESP-3DES-MD5
  crypto map outside_map interface outside
  crypto isakmp enable outside
  crypto isakmp policy 10
  authentication pre-share
  encryption 3des
  hash md5
  group 1
  lifetime 86400
  crypto isakmp policy 30
  authentication pre-share
  encryption 3des
  hash md5
  group 2
  lifetime 86400
  telnet timeout 5
  ssh timeout 5
  console timeout 0
  dhcpd auto_config outside
  tunnel-group 68.156.148.5 type ipsec-l2l
  tunnel-group 68.156.148.5 ipsec-attributes
  pre-shared-key *
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
  service-policy global_policy global
  prompt hostname context
  Cryptochecksum:f47dfb2cf91833f0366ff572eafefb1d
  : end
  ciscoasa(config-network)#

  Unclear what did not work.  In your original post you include said some commands were added but don't work:
  static (inside,outside) tcp interface 3389 192.168.6.2 3389 netmask 255.255.255.255
  and later you state you add another command that gets an error:
  static (inside,outside) tcp 99.89.69.333 3389 192.168.6.2 3389 netmask 255.255.255.255
  You also stated that 99.89.69.333 (actually 99.89.69.233, guessing from the rest of your config and other posts) is your WAN IP address.
  The first static statement matches Cisco's documentation, which states that a static statement must use the 'interface' directive when you are trying to do static PAT utilizing the IP address of the interface.  Since 99.89.69.333 is the assigned IP address of your WAN interface, that may explain why the second statement fails.
  Any reason why you are using static PAT (including the port number 3389) instead of just skipping that directive?  Static PAT usually makes sense when you need to change the TCP port number.  In your example, you are not changing the TCP port 3389.

• Acs 5.3 and wlc 2504 config with restricted network access

  Hello,
  i submit you the following issue that i'm actually facing:
  i must configure a secured wireless network with access restriction based on SSID. the equipements are : cisco wlc 2504 (soft 7.3) cisco secure acs aplliance 1121 (soft 5.4) .
  the users that will connect to the network are regrouped by identity groups, each identity group having it's own SSID. Clearly each group of users must access only one SSID.
  i followed the procedure below to configure it:
  -- creating user identity groups;
  -- creating users and assigning them to the groups;
  --- creating authorization profiles for each SSID under policy element/ authorization and permission/network access/authorization profiles and putting the Airespace-Wlan-Id(the SSID number) in the radius tab.
  --- assigning the authorization profiles to the identity groups under access policies.
  after all these config the users can access the network using there userid/password configured. But the problem is Every user can access every SSID, seems like the restriction is so not very well configured.
  i found some documentation on this kind of config but the version of ACS used seems older than the one that i use, so menu are very different.
  Please can someone provide with the right steps to follow to achieve this kind of config.
  tkx in advance

  Yes.. you only have to add the end filter like what I posted... as far as the calling station id in the WLC security tab, it doesn't matter because that is not used when using 802.1x.  I would also try to not enable everything that you have just to start from the basic and make sure it works first.  The WAP Authentication Method might or might not work for you.  Uncheck that for now and when you have a successful authentication, look at the monitor log and see what radius attributes are being sent, because those attributes is what you can use to build your policies.
  Thanks,
  Scott
  Help out other by using the rating system and marking answered questions as "Answered"

• ACS 5.3 cannot create default network access authorization rule

  Hi, when I click 'Create...' under Access Policies > Default Network Access > Authorization, and then press the 'OK' button, it says 'Please configure at least 1 condition.' However I have no way to configure conditions as the 'Conditions' text is just bold text and not a link or any sort of configurable area. If I go to 'Customize' on the bottom right and add conditions to the right list box, I still have no options when I press Create. Also, the 'green light' next to Default Network Access is grey with a line through it. This is the most cryptic system I have ever used.. anyone have an idea? Thank you!

  Looks like you are using chrome amd it's not a supported browser.
  Supported Web Client/Browsers
  You can access ACS 5.3 administrative user interface using the following Web Client/Browsers:
  •Windows 7 32 bit
  •Windows XP Professional (Service Pack 2 and 3)
  •Windows Vista
  •Internet Explorer version 7.x
  •Internet Explorer version 8.x
  •Internet Explorer version 9.x
  •Mozilla Firefox version 3.x
  •Mozilla Firefox version 4.x
  http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/release/notes/acs_53_rn.html#wp222016
  Jatin Katyal
  - Do rate helpful posts -

• Airport Extreme 802.11AC + 5th Gen and guest network access

  I have the current gen Airport Extreme 802.11AC with a 5th Gen extending the network. With this setup, I am unable to login using our guest network setup. I have tried using guest network with a password and one without but its the same results. When a guest logins, it stuck attempting to login with no error messages.
  So is it possible to have this configuration and still have guest network access?

  Please review what I said originally.......that the guest network function on the AirPort Extreme is designed to work with a simple modem......so the AirPort acts as the main router for the network..
  Another way of saying the same thing is that the AirPort needs to be "in charge" of your network for the guest feature to work correctly. The AirPort cannot be in charge if it is connected to another device that is already configured to be the main router on your network.....your Actiontec modem/router.
  The Actiontec device combines the functions of a separate modem and a separate router in one package. This type of device is known as a modem/router, or also known as a gateway.
  Some folks call a modem/router or a gateway......a modem. So, things can get confusing.
  I do not know if it is possible for the Actiontec device that you have to be configured to act as a simple modem.....so the routing functions of the device are completely turned off. (Turning off the wireless on the Actiotec does not turn off the routing function).
  If you turn off the wireless on the Actionec, it becomes a modem and a wired router. And that wired router is still in charge of your network.
  The guest network feature will not work correctly unless the AirPort is in charge of your network.
  My suggestion was for you to ask your Internet Service Provider (ISP), if they could supply you with a simple modem.  That is all that you need. You don't need two routers....and the Actiontec that you have now is not allowing the guest feature to work correctly.

• Can not access CRM from outside the office network - Access denied You do not have sufficient access rights or privileges to perform this action.

  Hi,
  I can not access CRM from outside the office network - Access denied You do not have sufficient access rights or privileges to perform this action.  I can access CRM with same user id and password from our office inside the network.  I can get
  the page to give login details once I have login details I got below error. Please help me to solve this issue.  It was working before.
  Access denied You do not have sufficient access rights or privileges to perform this action. 
  Regards,
  Noushad
  [email protected]

  On Premise system Configured with AD FS server for claims-based authentication you need to update your host file with server url to access it from outside office network.
  Refer
  this on how to update host file.
  Regards, Saad

• SCCM 2012 R2 - Distribution Point untrusted domain - Not acknowledging Network Access Account (FYI)

  Hello!
  Scenario
  Built a single primary site server in one domain with multiple distribution points. All site servers are member of this one site.
  The distribution points in the primary site servers' domain function as expected. The distribution point deployed to an untrusted domain does not. The primary site server can see all objects in the domain, publishes successfully, and CCM client on the
  DP in the untrusted domain knows its part of the site, knows its AD site (according to locationservices.log). The DP role is installed properly, logs are populating, queries are being made for application lists and updates. nfortuantely authentication
  errors indicate that this software can'tbe downloaded.
  In essence the DP in the untrusted domain can't pull down content from the primary site server. The role uses BITS to download content from IIS on the primary site server, but the requests each throw a 401 error. Unauthorised. This should be an easy fix.
  Create a Network Access Account in the primary site server's domain, assign it to the site (Software Distribution setting), wait for the DP to pick up the setting and watch it retrieve its content. The DP in the untrusted domain is configured as a Pull DP,
  implying it has to use a Network Access Account to download content. It knows the content is available and makes every effort to download it.
  Problem
  The DP in the untrusted domain doesn't know a Network Access Account (NAA) has been defined for the site.
  The account does exist, created in the primary site server's domain and assigned to the site. Its not a password issue. IIS has not been set for Anonymous access as this isn't needed - the NAA should provide the credentials it requires to pull down content.
  A manual check using the URL of the package confirms the package is accessible from the DP when using the NAA's credentials. I've allowed enough time (i think) for the DP to acknowledge the NAA. For fun the DP role was removed, and the CCM agent removed. Both
  were reinstalled. A fresh install didn't detect the NAA.
  Solution
  After some soul searching and a little frustration, it came down to this: A Pull DP always uses the Network Access Account. If the DP can't find a Network Access account it will fail to pull down content. This is undisputed. Found an article that states
  the Pull DP always uses the CCM client configuration to do its dirty work. At that point the CCM client was checked. It had the classic problem of only displaying two Actions - Machine Policy Retrieval & Evaluation Cycle, User policy Retrieval & Evaluation
  Cycle. Most components were installed but not enabled. This is fairly common. Looked at the console, found the device, added the Approval column. Turns out it wasn't auto-approved. Reason being that the client is in an untrusted domain and clients in untrusted
  domains aren't approved automatically (by default).
  In this case something as simple as an Approving the client fixed these issues. 
  The DataTransferService.log highlights the issue:
  <![LOG[CDTSJob::JobError: DTS Job ID='{17E0B672-F699-434D-B063-87CC2ACF715C}' BITS Job ID='{38B81ADE-55B5-4BD7-A881-DBFF13943EDE}' ErrorCode=0x80190191]LOG]!><time="18:25:54.264+00" date="02-19-2015" component="DataTransferService"
  context="" type="1" thread="3136" file="dtsjob.cpp:3501">
  <![LOG[CDTSJob::JobError: DTS Job ID='{17E0B672-F699-434D-B063-87CC2ACF715C}' URL='http://PRIMARYSERVER.A.B.COM:80/SMS_DP_SMSPKG$/5af1680e-4a14-4dc5-8a60-bda7370e6d68'
  ProtType=1]LOG]!><time="18:25:54.264+00" date="02-19-2015" component="DataTransferService" context="" type="1" thread="3136" file="dtsjob.cpp:3504">
  <![LOG[Authentication required by the proxy, DTS Job ID='{17E0B672-F699-434D-B063-87CC2ACF715C}' BITS Job ID='{38B81ADE-55B5-4BD7-A881-DBFF13943EDE}'.]LOG]!><time="18:25:54.264+00" date="02-19-2015" component="DataTransferService"
  context="" type="3" thread="3136" file="dtsjob.cpp:3513">
  <![LOG[DTSJob {8814E9A1-3D26-4089-83CF-3C7D17BCEC6E} in state 'Cancelled'.]LOG]!><time="18:25:54.264+00" date="02-19-2015" component="DataTransferService" context="" type="1" thread="3688"
  file="dtsjob.h:166">
  <![LOG[DTS job {17E0B672-F699-434D-B063-87CC2ACF715C} BITS job
  {38B81ADE-55B5-4BD7-A881-DBFF13943EDE} encountered Access Denied error during download.  Will retry using Network Access Account.]LOG]!><time="18:25:54.264+00" date="02-19-2015" component="DataTransferService"
  context="" type="2" thread="3136" file="dtsjob.cpp:3652">
  <![LOG[DTSJob {8814E9A1-3D26-4089-83CF-3C7D17BCEC6E} cancelled by client.]LOG]!><time="18:25:54.280+00" date="02-19-2015" component="DataTransferService" context="" type="1" thread="3688"
  file="dtsjob.cpp:3205">
  <![LOG[No network access account info found.]LOG]!><time="18:25:54.327+00" date="02-19-2015" component="DataTransferService" context="" type="1"
  thread="3136" file="netaccessaccount.cpp:288">
  <![LOG[The network access account is not defined.]LOG]!><time="18:25:54.327+00" date="02-19-2015" component="DataTransferService" context=""
  type="1" thread="3136" file="netaccessaccount.cpp:858">
  <![LOG[DTSJob {17E0B672-F699-434D-B063-87CC2ACF715C} encountered error setting BITS job to use Network Access Account
  (0x00000000).]LOG]!><time="18:25:54.327+00" date="02-19-2015" component="DataTransferService" context="" type="3" thread="3136" file="dtsjob.cpp:1885">
  The IIS server logs u_ex150219.log captures the request:
  2015-02-19 123.11.12.13 GET /SMS_DP_SMSPKG$/5af1680e-4a14-4dc5-8a60-bda7370e6d68/sccm /windows6.1-kb3021917-x64.cab 80 - 9.10.11.12 Microsoft+BITS/7.7 -
  401 2 5 1509 2
  2015-02-19 123.11.12.13 GET /SMS_DP_SMSPKG$/5af1680e-4a14-4dc5-8a60-bda7370e6d68/sccm /windows6.1-kb3021917-x64.cab 80 - 9.10.11.12 Microsoft+BITS/7.7 -
  401 1 3221225581 1509 4
  2015-02-19 123.11.12.13 GET /SMS_DP_SMSPKG$/5af1680e-4a14-4dc5-8a60-bda7370e6d68/sccm /windows6.1-kb3021917-x64.cab 80 - 9.10.11.12 Microsoft+BITS/7.7 -
  401 1 3221225581 1509 3
  2 x Domains: DomainA and DomainX
  - Single domain forests
  - No trusts between domains/forests
  DomainA\PRIMARYSERVER
  - Primary Site Server, MP, DP, IIS, all roles
  DomainX\DP1
  - Distribution Point, IIS, etc
  - CCM client installed

  Based on the above, you are using a PullDP. If so, have you installed the client agent on this system? The client agent is required on PullDPs in untrusted domains so that they can acquire the NAA.
  Jason | http://blog.configmgrftw.com | @jasonsandys

• "wake for network access" not working

  Hi guys,
  I enabled System Preferences > Energy saver > Wake for network access
  and
  System Preferences > Sharing > remote Login
  These are the exact settings I had under Snow Leopard and it used to wake my iMac via 5GHz WiFi. I use a AirPort Extreme and didn't change a thing on its side. But neither with VNC nor with my iPad app "Screens" I am able to wake it under Lion. Screens tells me "Computer in sleep mode"...
  Any help?
  Thanks in advance,
  Bado

  I've been having problems with wake for network access on Lion as well. Similarly to others, if my iMac has recently gone into sleep mode, then it will wake up for Apple TV use or for file and screen sharing from another computer. After an extended period of time, however, all such functionality disappears.
  I've been rooting around in System Profile and have found something that may be of interest. Under the Hardware section, in the Power menu, there is a parameter called 'PrioritizeNetworkReachabilityOverSleep'. On both my iMac and Macbook this is set to zero (i.e. 'no').
  Does anybody have any idea what it means? And if there is any way to change it? If I had to guess, it sounds as though there is a setting somewhere in the system configuration (thought apparently not visible from the GUI) that sets the computer to remain in sleep mode rather than briefly waking to maintain its registration with the relevant Bonjour sleep proxies.
  Hopefully we'll be able to get to the bottom of this, as over six months after Lion's release the problem has yet to be resolved by Apple through version updates, something that is especially frustrating given how excellent a feature wake on network access is when it can be reliably coupled with an Apple TV or Back to my Mac.

• Cisco ACS 4.2.1.15 for Windows and Network Access Profiles

  We are attempting to configure ACS 4.2.1.15 on Windows Server 2008 Member Server. Initially I only have the need to authenticate Network Admins for device administration and authenticate Windows AD groups using PEAP authentication. The general problem that I am having is that if I configure a Cisco 1200 Access Point  for PEAP and also setup The Access Point for Radius authentication pointed to the ACS server it always maps to the the first Network Access Profile and rather than it trying the second it will error sayiing some condition is not met depending on what changes I make. Can someone tell me what the criteria that is used to determine what NAP is used? According to the manual if all 4 criteria are not met then the Profile will not apply.
  I am using one ACS group that is mapped to an AD group for Wireless Access and a Second ACS group mapped to an AD group that includes the Net Admins. This group mapping appers to be working as the user group name seems to mapped correctly in the logs.  In short I have tried only configuring the Wireless NAP to only Allow EAP authentication using PEAP EAP-MSCHAPv2 and the Netadmins profile to include all protocols. Bascially what happens is if I have the Wireless NAP first it works fine for PEAP authentication on Wireless but if I try to administer the access point and provide credentials I get a message in the failed log that the authentication profile is not allowed in this Network Access Profile. Why does this not just go onto the next Network Access profile?
  I am familiar with version 3.2 but it does not seem to work the same.
  Any help would be appreciated on what I am missing.
  Thanks

  Hi Surenda,
                     Thanks for your reply. Nop, there is no WLC yet, but the WLC will be installed shortly.
  Thanks,
  Jean Paul

• How to configure network on Oracle Solaris 10

  Hi All,
  I have created a new virtual machine on Windows Server 2003 and installed Oracle Solaris 10 on VMWare. Now I need to configure network on my Solaris virtual machine, So that i can access Solaris machine outside the VMWare. Can somebody help me out?
  Regards,
  S.Rizi

  Hi,
  I have created a new virtual machine on Windows Server 2003 and installed Oracle Solaris 10 on VMWare. Now I need to configure network on my Solaris virtual machine, So that i can access Solaris machine outside the VMWare. Can somebody help me out?Refer below thread.
  Hope helps :)
  http://www.linuxquestions.org/questions/solaris-opensolaris-20/configure-solaris-network-on-vmware-847849/
  thanks,
  X A H E E R