Erratic drive mapping - Vlan assignment

Similar Messages

• Drives mapped via GPO, NET USE shows mapping but doesn't show up in Explorer - Win 8.1

  Fresh install of Windows Enterprise 8.1
  Connected PC to domain, logged in, drive mapping worked as it should.
  Rebooted a few times after installing software that I normally install on my computers (from the same sources/locally from my file server, etc).  Rebooted a few more times all is well.
  A few reboots later, the only drive that is mapped is X: which is my user drive done via the user profile in AD.  The rest of the mappings that normally show up done by the GPO no longer show up.
  After some digging, and noticing no errors in any logs I ran NET USE in a CMD prompt window, low and behold the drives are actually mapped and I can access them via the CLI without issue.  I can navigate via their mapped drive letters, etc.
  They just don't show up in Windows Explorer at all and I cannot navigate to the drive letters via the address bar.  Strangely enough, it still kinda works since the Downloads start menu item is mapped to a network drive and that still works (Q:\) and
  Chrome can access it as well if I try to download something.
  I'm really not sure what else to check/try here. 
  Have other Windows 7 and Windows 8.1 machines (my laptop) and all works just fine, so it's only this specific install on my desktop that is showing this issue.

  Hi,
  There are several reasons causing the issue:
  First, The problematic client doesn't reconnect to the target share at logon. 
  Please follow the steps to re-configure the mapped driver on the client and then check if the issue will re-occur.
  Steps:
  a. Open "My Computer"
  b. Click on "Tools" and then select "Map Network Driver"
  c. input the \\ipaddressofserver\sharename to give the path of the share
  d. Check "Reconnect at logon"
  e. Drive gets mapped
  f. Double click on the drive to check.
  Second, Antivirus software or Windows Firewall may block the mapped share.
  If there is any Antivirus software and the Windows Firewall is enabled on the problematic client. If so, please disable them to check if the issue can be resolved.
  Third, Fast Logon Optimization is enabled on the clients.
  The fast logon feature may affect the display and drive letter assignment of a mapped network drive. As a result, the drive may have been mapped; however, the user on client cannot see it in Windows Explorer. He may recognize it as a failed network drive
  mapping. This is the reason why we usually suggest you to disable fast logon on the clients via a GPO, and please check if the mapped network drive will be occur under this circumstance.
  Please also configure the following group policy setting to disable Fast Logon Optimization to see if the issue still exists on the problematic clients.
  Computer Configuration\Administrative Templates\System\Logon\Always wait for the network at computer startup and logon
  If we cannot get this issue fixed, please post back the event log related to this issue.
  Kate Li
  TechNet Community Support

• WLC 5508: 802.1 AAA override; Authenication success no dynamic vlan assignment

  WLC 5508: software version 7.0.98.0
  Windows 7 Client
  Radius Server:  Fedora Core 13 / Freeradius with LDAP storage backend
  I have followed the guide at http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml with respective to building the LDAP and free radius server.  802.1x authorization and authenication correctly work.  The session keys are returned from the radius server and the wlc send the appropriate information for the client to generate the WEP key.
  However, the WLC does not override the VLAN assignment, even though I was to believe I set everything up correctly.  From the packet capture, you can see that verfication of client is authorized to use the WLAN returns the needed attributes:
  AVP: l=4  t=Tunnel-Private-Group-Id(81): 10
  AVP: l=6  t=Tunnel-Medium-Type(65): IEEE-802(6)
  AVP: l=6  t=Tunnel-Type(64): VLAN(13)
  I attached a packet capture and wlc config, any guidance toward the attributes that may be missing or not set correctly in the config would be most appreciated.

  Yes good catch, so I had one setting left off in freeradius that allowed the inner reply attributes back to the outer tunneled accept.  I wrote up a medium high level config for any future viewers of this thread:
  The following was tested and verified on a fedora 13 installation.   This is a minimal setup; not meant for a "live" network (security issues  with cleartext passwords, ldap not indexed properly for performance)
  Install Packages
  1.  Install needed packages.
  yum install openldap*
  yum install freeradius*
  2.  Set the services to automatically start of system startup
  chkconfig --level 2345 slapd on
  chkconfig --level 2345 radiusd on
  Configure and start LDAP
  1.  Copy the needed ladp schemas for radius.  Your path may vary a bit
  cp /usr/share/doc/freeradius*/examples/openldap.schema /etc/openldap/schema/radius.schema
  2.  Create a admin password for slapd.  Record this password for later use when configuring the slapd.conf file
  slappasswd
  3.  Add the ldap user and group; if it doesn't exisit.  Depending on the install rpm, it may have been created
  useradd ldap
  groupadd ldap
  4.  Create the directory and assign permissions for the database files
  mkdir /var/lib/ldap
  chmod 700 /var/lib/ldap
  chown ldap:ldap /var/lib/ldap
  5.  Edit the slapd.conf file.
  cd /etc/openldap
  vi slapd.conf
  # See slapd.conf(5) for details on configuration options.
  # This file should NOT be world readable.
  #Default needed schemas
  include        /etc/openldap/schema/corba.schema
  include        /etc/openldap/schema/core.schema
  include        /etc/openldap/schema/cosine.schema
  include        /etc/openldap/schema/duaconf.schema
  include        /etc/openldap/schema/dyngroup.schema
  include        /etc/openldap/schema/inetorgperson.schema
  include        /etc/openldap/schema/java.schema
  include        /etc/openldap/schema/misc.schema
  include        /etc/openldap/schema/nis.schema
  include        /etc/openldap/schema/openldap.schema
  include        /etc/openldap/schema/ppolicy.schema
  include        /etc/openldap/schema/collective.schema
  #Radius include
  include        /etc/openldap/schema/radius.schema
  #Samba include
  #include        /etc/openldap/schema/samba.schema
  # Allow LDAPv2 client connections.  This is NOT the default.
  allow bind_v2
  # Do not enable referrals until AFTER you have a working directory
  # service AND an understanding of referrals.
  #referral    ldap://root.openldap.org
  pidfile        /var/run/openldap/slapd.pid
  argsfile    /var/run/openldap/slapd.args
  # ldbm and/or bdb database definitions
  #Use the berkely database
  database    bdb
  #dn suffix, domain components read in order
  suffix        "dc=cisco,dc=com"
  checkpoint    1024 15
  #root container node defined
  rootdn        "cn=Manager,dc=cisco,dc=com"
  # Cleartext passwords, especially for the rootdn, should
  # be avoided.  See slappasswd(8) and slapd.conf(5) for details.
  # Use of strong authentication encouraged.
  # rootpw        secret
  rootpw      
  {SSHA}
  cVV/4zKquR4IraFEU7NTG/PIESw8l4JI  
  # The database directory MUST exist prior to running slapd AND
  # should only be accessible by the slapd and slap tools. (chown ldap:ldap)
  # Mode 700 recommended.
  directory    /var/lib/ldap
  # Indices to maintain for this database
  index objectClass                       eq,pres
  index uid,memberUid                     eq,pres,sub
  # enable monitoring
  database monitor
  # allow onlu rootdn to read the monitor
  access to *
           by dn.exact="cn=Manager,dc=cisco,dc=com" read
           by * none
  6.  Remove the slapd.d directory
  cd /etc/openldap
  rm -rf slapd.d
  7.  Hopefully if everything is correct, should be able to start up slapd with no problem
  service slapd start
  8.  Create the initial database in a text file called /tmp/initial.ldif
  dn: dc=cisco,dc=com
  objectClass: dcobject
  objectClass: organization
  o: cisco
  dc: cisco
  dn: ou=people,dc=cisco,dc=com
  objectClass: organizationalunit
  ou: people
  description: people
  dn: uid=jonatstr,ou=people,dc=cisco,dc=com
  objectClass: top
  objectClass: radiusprofile
  objectClass: inetOrgPerson
  cn: jonatstr
  sn: jonatstr
  uid: jonatstr
  description: user Jonathan Strickland
  radiusTunnelType: VLAN
  radiusTunnelMediumType: 802
  radiusTunnelPrivateGroupId: 10
  userPassword: ggsg
  9.  Add the file to the database
  ldapadd -h localhost -W -D "cn=Manager, dc=cisco,dc=com" -f /tmp/initial.ldif
  10.  Issue a basic query to the ldap db, makes sure that we can request and receive results back
  ldapsearch -h localhost -W -D cn=Manager,dc=cisco,dc=com -b dc=cisco,dc=com -s sub "objectClass=*"
  Configure and Start FreeRadius
  1. Configure ldap.attrmap, if needed.  This step is only needed if we  need to map and pass attributes back to the authenicator (dynamic vlan  assignments as an example).  Below is an example for dynamic vlan  addresses
  cd /etc/raddb
  vi ldap.attrmap
  For dynamic vlan assignments, verify the follow lines exist:
  replyItem    Tunnel-Type                                   radiusTunnelType
  replyItem    Tunnel-Medium-Type                   radiusTunnelMediumType
  replyItem    Tunnel-Private-Group-Id              radiusTunnelPrivateGroupId
  Since we are planning to use the userpassword, we will let the mschap  module perform the NT translations for us.  Add the follow line to  check ldap object for userpassword and store as Cleartext-Password:
  checkItem    Cleartext-Password    userPassword
  2.  Configure eap.conf.  The following sections attributes below  should be verified.  You may change other attributes as needed, they are  just not covered in this document.
  eap
  {      default_eap_type = peap      .....  }
  tls {
      #I will not go into details here as this is beyond scope of  setting up freeradisu.  The defaults will work, as freeradius comes with  generated self signed certificates.
  peap {
      default_eap_type = mschapv2
      #you will have to set this to allowed the inner tls tunnel  attributes into the final accept message
      use_tunneled_reply = yes
  3.  Change the authenication and authorization modules and order.
  cd /etc/raddb/sites-enabled
  vi default
  For the authorize section, uncomment the ldap module.
  For the authenicate section, uncomment the ldap module
  vi inner-tunnel
  Very importants, for the authorize section, ensure the ldap module is first, before mschap.  Thus authorize will look like:
  authorize
  {      ldap      mschap      ......  }
  4.  Configure ldap module
  cd /etc/raddb/modules
  ldap
  {        server=localhost       identify = "cn=Manager,dc=cisco,dc=com"        password=admin       basedn="dc=cisco,dc=com"       base_filter =  "(objectclass=radiusprofile)"       access_attr="uid"       ............   }
  5.  Start up radius in debug mode on another console
  radiusd -X
  6.  radtest localhost 12 testing123
  You should get a Access-Accept back
  7.  Now to perform an EAP-PEAP test.  This will require a wpa_supplicant test libarary called eapol_test
  First install openssl support libraries, required to compile
  yum install openssl*
  yum install gcc
  wget http://hostap.epitest.fi/releases/wpa_supplicant-0.6.10.tar.gz 
  tar xvf wpa_supplicant-0.6.10.tar.gz
  cd wpa_supplicant-0.6.10/wpa_supplicant
  vi defconfig
  Uncomment CONFIG_EAPOL_TEST = y and save/exit
  cp defconfig .config
  make eapol_test
  cp eapol_test /usr/local/bin
  chmod 755 /usr/local/bin/eapol_test
  8.  Create a test config file named eapol_test.conf.peap
  network=
  {   eap=PEAP  eapol_flags=0  key_mgmt=IEEE8021X  identity="jonatstr"   password="ggsg"  \#If you want to verify the Server certificate the  below would be needed   \#ca_cert="/root/ca.pem"  phase2="auth=MSCAHPV2"   }
  9.  Run the test
  eapol_test -c ~/eapol_test.conf.peap -a 127.0.0.1 -p 1812 -s testing123

• Dynamic VLAN assignment with WLC and ACS for

  Currently, using our autonomous APs and ACS, our users get separate VLANs per building based on their security level (students or staff). Basically, the student VLAN in one building is different from that of the student VLANs in other buildings on campus. Currently, we do this by filling the Tunnel-Private-Group-ID IETF RADIUS attribute with the VLAN name. This all works because each individual AP can map VLAN names to different VLANs like this:
  dot11 vlan-name STUDENT vlan 2903
  dot11 vlan-name FACSTAF vlan 2905
  As we are working on our WiSM deployment, we see that the document below shows how to do the dynamic VLAN assignment on our WLAN controllers:
  http://www.cisco.com/en/US/customer/products/sw/secursw/ps2086/products_configuration_example09186a00808c9bd1.shtml
  However, we haven't figured out if it's possible to still provide our users with different VLANs for each building they're in.
  With the instructions above, it looks like ACS uses a Cisco RADIUS Attribute to indicate the Air-Interface-Name, mapping an ACS/AD group to a single WLC interface which can only have one VLAN/subnet associated with it.
  Does anybody know if what we're trying to accomplish is possible, or if we're really stuck with only one VLAN/subnet per mapped ACS group?

  We only have the one WiSM for all of campus, so it's handling everything. This Cisco docs do indicate how to put differnet users in different Vlans, but we don't currently see a way to also put them in different subnets per building.
  This being the case, any suggestions on how best to handle more than a Class C subnet's worth of users? Should we just subnet larger than Class C, or is there a more elegant way of handling this?

• Flexconnect dynamic VLAN assignment doubt

  Hi, all,
  I am trying to understand how FlexConnect with dynamic VLAN assignment works. We have the need to dynamically put people in different VLANs based on their AD groups (all employees use the same SSID), I can understand that in traditional CAPWAP mode, AP just tunnels all traffic to WLC, WLC is the authenticator and it knows  what users' identities are and can encapsulate user traffic to different VLANs before send the traffic to the switch it connects. Here is the part I don't understand:
  1) If APs are operating in Flexconnect mode (APs are trunking to switches), how does each AP know what VLAN tag to put a specific user traffic on? AP is not authenticator, it knows nothing about associated client's AD identify. How does WLC convey the dynamical VLAN information to APs?
  2) I want to eliminate WLCs in remote offices by letting all remote office APs join HQ WLC with FlexConnect mode, I can keep the same VLAN mapping scheme in remote office switching environment, in some offices I want to do local authentication (Domain controller + Radius Server), looks like I can specify Radius server in FlexConnect group, in this case will APs become authenticator? Since Radius clients have to be explicitly configured on NPS/Radius server side, does this means I have to statically configure each AP's IP?
  3) I have over a dozen APs in HQ which are operating at FlexConnect mode, but the SSID's "local central authentication" checkbox is not checked, if I want to have local authentication in remote office,  seems that I have to turn on "local authentication" on this SSID, does that mean I have to add each and everyone of those HQ APs to Radius/NPS server client list?
  Thanks,

  Hi ,
  1) Aps knows about Vlans as we can define them inside the Flex connect groups. This is the same way we define flex connect ACLs which are pushed to the Flex APs and are returned by the Radius server later on.
  2) If you are going for Central authentication + local switching ....WLCs will always act like central authenticator and would talk to the radius server. If you have some radius servers at the local site and you want them to use without going through the central authentication..you can do that using (local authentication + local switching). Yes, In this case AP will be authenticator and would be AAA client to be added in the Radius server.
  3)yes ,,you are correct. If you want that your AP should do authentication and talk to the local radius server at the site , it has to be added in the Radius server.
  Regards
  Dhiresh
  **Please rate helpful posts**

• Cisco WLC5508 Dynamic VLAN assignment error

  Hi All,
  We have a HA (SSO) WLC controller pair in two DC's with the Management Interface managing the AP's. The AP's are located in the Campus LAN and the Campus and DC networks are seperated by a L3 boundary.
  The plan is for one of the WLAN's to provide Dynamic VLAN Assignment via radius as a test I wanted to use the existing Management interface to bind to the WLAN, but since working through the following Document ID: 71683 one thing I noticed whilst working through the the document states that "it is required that the VLAN-ID configured under the IETF 81 (Tunnel-Private-Group-ID) field of the RADIUS server exist on the WLC"
  If the above statement is true and we don't stretch VLAN's between the Campus LAN and the DC network due to the L3 boundary does this mean that Dynamic VLAN assignment won't be achievable?  When testing a client connection and debugging the result I receive the following:-
  *radiusTransportThread: Jan 15 13:26:23.115: [PA] 10:40:f3:84:a2:2a [BE-resp] AAA response 'Success'
  *radiusTransportThread: Jan 15 13:26:23.115: [PA] 10:40:f3:84:a2:2a [BE-resp] Returning AAA response
  *radiusTransportThread: Jan 15 13:26:23.115: [PA] 10:40:f3:84:a2:2a AAA Message 'Success' received for mobile 10:40:f3:84:a2:2a
  *Dot1x_NW_MsgTask_2: Jan 15 13:26:23.115: [PA] 10:40:f3:84:a2:2a processing avps[0]: attribute 11, vendorId 0, valueLen 11
  *Dot1x_NW_MsgTask_2: Jan 15 13:26:23.115: [PA] 10:40:f3:84:a2:2a processing avps[1]: attribute 64, vendorId 0, valueLen 4
  *Dot1x_NW_MsgTask_2: Jan 15 13:26:23.115: [PA] 10:40:f3:84:a2:2a processing avps[2]: attribute 65, vendorId 0, valueLen 4
  *Dot1x_NW_MsgTask_2: Jan 15 13:26:23.115: [PA] 10:40:f3:84:a2:2a processing avps[3]: attribute 81, vendorId 0, valueLen 2
  *Dot1x_NW_MsgTask_2: Jan 15 13:26:23.115: [PA] 10:40:f3:84:a2:2a processing avps[4]: attribute 8, vendorId 0, valueLen 4
  *Dot1x_NW_MsgTask_2: Jan 15 13:26:23.115: [PA] 10:40:f3:84:a2:2a processing avps[5]: attribute 79, vendorId 0, valueLen 40
  *Dot1x_NW_MsgTask_2: Jan 15 13:26:23.115: [PA] 10:40:f3:84:a2:2a Received EAP Attribute (code=2, length=40,id=64) for mobile 10:40:f3:84:a2:2a
  *Dot1x_NW_MsgTask_2: Jan 15 13:26:23.115: [PA] 00000000: xxxxxx
  *Dot1x_NW_MsgTask_2: Jan 15 13:26:23.115: [PA] 00000010: xxxxxx
  *Dot1x_NW_MsgTask_2: Jan 15 13:26:23.115: [PA] 00000020: xxxxxx
  *Dot1x_NW_MsgTask_2: Jan 15 13:26:23.115: [PA] 10:40:f3:84:a2:2a processing avps[6]: attribute 1, vendorId 9, valueLen 16
  *Dot1x_NW_MsgTask_2: Jan 15 13:26:23.115: [PA] 10:40:f3:84:a2:2a processing avps[7]: attribute 25, vendorId 0, valueLen 25
  *Dot1x_NW_MsgTask_2: Jan 15 13:26:23.115: [PA] 10:40:f3:84:a2:2a processing avps[8]: attribute 80, vendorId 0, valueLen 16
  *Dot1x_NW_MsgTask_2: Jan 15 13:26:23.115: [PA] 10:40:f3:84:a2:2a AAA override: Dot1x Authentication PMIP Client AAA Override Enable
  *Dot1x_NW_MsgTask_2: Jan 15 13:26:23.115: [PA] 10:40:f3:84:a2:2a AAA override: Dot1x Authentication, default MPC configuration
  *Dot1x_NW_MsgTask_2: Jan 15 13:26:23.115: [PA] 10:40:f3:84:a2:2a Tunnel-Type 16777229 should be 13 for STA 10:40:f3:84:a2:2a
  *Dot1x_NW_MsgTask_2: Jan 15 13:26:23.116: [PA] 10:40:f3:84:a2:2a Tunnel-Group-Id 9 is not a valid VLAN ID for STA 10:40:f3:84:a2:2a
  *Dot1x_NW_MsgTask_2: Jan 15 13:26:23.116: [PA] 10:40:f3:84:a2:2a Received Session Key from AAA Server for STA 10:40:f3:84:a2:2a.
  I've sanitised some of the debug output to protect the username but the net result is no IP address assigned to the client and unable to connect to the network.
  Would appreciate any guidance as to whether the Wireless Client VLAN's need to be interfaces on the WLC in order to work or whether the likes of Flexconnect could alleviate the L3 boundary?
  Thanks in advance.
  Kind regards,
  Mark

  Hi All,
  After playing with Flexconnect I managed to get the dynamic vlan assignment working.
  Need to create the Flexconnect Group add in the AP's to the gorup and then select the ACL Mapping tab > AAA VLAN-ACL mapping and added in the VLAN of my VLAN that my Tunnel-Group-ID (VLAN ID) had assigned to me.
  Client connected and received the correct IP configuration.
  Thanks
  Mark

• FlexConnect VLAN assignment changes by itself

  About a year ago I changed the VLAN assignment of a WLAN for LWAPs in a particular AP Group.  The LWAPs in this group are in 5 different locations. All LWAPs are joined to the same controller  Ocassionally I'll get a call saying this WLAN isn't working and when I investigate the issue, I notice that the VLAN assignment has changed.  I change the VLAN assignment and the WLAN works again.  This seems to happen about every 3 months or so.  Whats odd is that it doesn't happen to all of the LWAPs in the AP Group.  It seems to only affect the LWAPs at one site or the other at a time.  Any clues on what could be causing this behavior?
  1142LAPs
  software version 7.3.101.0
  5508WLC
  software version 7.3.101.0
  Cisco Prime Infrastructure
  software version 1.2 (1.2.0.103)

  We can create a command -line to set the WLAN to VLAN mapping and create .Or we can create a script that also uses CLI and simply paste the commands to all AP's.We can check the AP connectivity statistics by looking at the monitor AP.
  For FlexConnect access points, the interface mapping at the controller for WLANs configured for FlexConnect local switching is inherited at the access point as the default VLAN tagging. This can be easily changed per SSID and per FlexConnect access point. Non-FlexConnect access points tunnel all traffic back to the controller, and VLAN tagging is dictated by each interface mapping of the WLAN
  By default, a VLAN is not enabled on the FlexConnect access point. When FlexConnect is enabled, the access point inherits the VLAN ID associated to the WLAN. This configuration is saved in the access point and received after the successful join response.
  By default, the native VLAN is 1. One native VLAN must be configured per FlexConnect access point in a VLAN-enabled domain. Otherwise, the access point cannot send and receive packets to and from the controller. When the client is assigned a VLAN from the RADIUS server, that VLAN is associated to the locally switched WLAN.

• Dynamic VLAN Assignment with RADIUS Server and Aironet Access Points

  Hi Guys,
  I would like to go for "Dynamic VLAN Assignment with RADIUS Server and Aironet Access Points 1300". I want the AP to broadcast only 1 SSID. The client find the SSID ->put in his user credential->Raudius athentication->assign him to an specific vlan based on his groupship.
  The problem here is that I don't have a AP controller but only configurable Aironet Access Points 1300. I can connect to the radius server, but I am not sure how to confirgure the AP's port, radio port, vlan and SSID.
  http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml#switch
  I go through some references:
  3.5  RADIUS-Based VLAN Access Control
  As discussed earlier, each SSID is mapped to a default VLAN-ID on the wired side. The IT administrator may wish to impose back end (such as RADIUS)-based VLAN access control using 802.1X or MAC address authentication mechanisms. For example, if the WLAN is set up such that all VLANs use 802.1X and similar encryption mechanisms for WLAN user access, then a user can "hop" from one VLAN to another by simply changing the SSID and successfully authenticating to the access point (using 802.1X). This may not be preferred if the WLAN user is confined to a particular VLAN.
  There are two different ways to implement RADIUS-based VLAN access control features:
  1. RADIUS-based SSID access control: Upon successful 802.1X or MAC address authentication, the RADIUS server passes back the allowed SSID list for the WLAN user to the access point or bridge. If the user used an SSID on the allowed SSID list, then the user is allowed to associate to the WLAN. Otherwise, the user is disassociated from the access point or bridge.
  2. RADIUS-based VLAN assignment: Upon successful 802.1X or MAC address authentication, the RADIUS server assigns the user to a predetermined VLAN-ID on the wired side. The SSID used for WLAN access doesn't matter because the user is always assigned to this predetermined VLAN-ID.
  extract from: Wireless Virtual LAN Deployment Guide
  http://www.cisco.com/en/US/products/hw/wireless/ps430/prod_technical_reference09186a00801444a1.html
  ==============================================================
  Dynamic VLAN Assignment with RADIUS Server and Wireless LAN Controller Configuration Example
  http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml#switch
  ==============================================================
  Controller: Wireless Domain Services Configuration
  http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801c951f.shtml
  Any help on this issue is appreicated.
  Thanks.

  I'm not sure if the Autonomous APs have the option for AAA Override.  On the WLC, I can go into the BSSID, Security, Advanced, and there's a checkbox that I would check to allow a Radius server to send back the VLAN.
  I did a little research and it looks like the 1300 may give this option but instead is defined as "VLAN Override".  I've found the release notes for 12.3(7)JA5 (not sure what version you're running) that give mention and a link to configuring EAP on page 4: http://www.ciscosystems.ch/en/US/docs/wireless/access_point/1300/release/notes/o37ja5rn.pdf
  Hope this helps

• Drive Map to DFS Folder Getting Lost

  We had a problem yesterday morning with every user (about a dozen) in one of our small branch offices being unable to access a certain network share.
  Their T: drive, which is the one they had a problem with, is mapped to this:
  \\domain.com\namespace\OfficeShare1
  which is a DFS folder that simply points to:
  \\2012FileServer\OfficeShare1
  That is a Server 2012 R2 server.
  This share is only a few weeks old, and has been working fine for them until today. We have other offices that have their own shares on the same server, and mapped to a DFS folder the same way, and those have been working OK (as far as I know).
  The PCs are all running Windows 7.
  Their S: drive is mapped to
  \\2003FileServer\CompanyShare
  which is a MS Server 2003 server. They had no problems with accessing this, ever.
  Going to Computer > Map network drive, I could see the label for \OfficeShare1 was still attached to T:, but the path was empty. The T: drive appeared in the Computer window, but was showing as disconnected, and double-clicking it would throw an error about
  the path being unavailable.
  Typing \\domain.com\namespace\OfficeShare1 in the address bar would cause the Computer window to hang before erroring-out. Thus, re-creating the drive map would not work.
  After trying that, a user could go to \\domain.com\namespace and that would work fine. From there, they could go to the \OfficeShare1 folder without any errors.
  If they then went back into Computer, their T: drive would again be working, without having to re-create the mapping.
  Also, even though users couldn't browse directly to \\domain.com\namespace\OfficeShare1,without first browsing \\domain.com\namespace, they could browse directly to \\2012FileServer\OfficeShare1.
  I've seen a few other users outside the aforementioned office who had the issue, but this is the first opportunity I've had to get more information on it before the client PC was rebooted. Some of those users who have had this issue, also have an X: drive,
  which is mapped to:
  \\domain.com\namespace\DeptShare1
  But this is a CIFS share. And like the share on the 2003 server, no user has experienced the issue with this share.
  It has only happened with the shares on the Server 2012 system. And it has been kinda rare (currently less than 75 users who could potentially experience it).
  All drives are mapped via Group Policy. Users do have a script they can run to re-create drive maps.
  It's probably some connectivity issue that causes the drive to get disconnected (wifi signal drops, VPN gets disconnected, etc). But I'm not sure why the problem persists after connectivity is restored, why the path disappears from the mapping, and why only
  with this one drive. The servers hosting those shares are all in the same subnet, same data center.
  I'm about to migrate about a share accessed by 500 users to this 2012 system, and I can't until I get this figured out. My hunch is that something in the Windows 7 client PC is getting... lost. It's only happening to drives that map to DFS folders in that namespace
  that point to shares on that 2012 server (no one has a drive that maps directly to the shares on that server). The share itself doesn't appear  to actually go offline or anything like that. And this morning is the first time I've seen it happen to multiple
  people at once.
  Weird.
  Any help is appreciated.
  Thanks!

  Hi,
  Is there any error message in the Event Log? Do you add more than one namespace server in the DFS namespace? Since the server hangs when you access the DFS link, you could refer to the article below to establish connectivity with the target computer and shared
  folder.
  Troubleshooting Dfs Problems
  http://technet.microsoft.com/en-us/library/cc962144.aspx
  Best Regards,
  Mandy
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]

• How can I change the BlackBerry Link Network Drive mapping from Z: to something else?

  Hello,
  I generally have a mapping to my NFS server on Z:, and my iTunes library has a relative path to Z: for all of my music - the fact that Link is automatically picking Z: as my network sync target for my device does not work for me to sync music, or anything really. I can't figure out how to change this value to something else.
  I found the registry key: \HKEY_CURRENT_USER\Software\Research In Motion\Device Manager\Device Settings\<DEVICENAME>\VolumeMapping with a default blank REG_SZ - can I use this key at all to manually change drive mappings for my device? If so, what is the key/value pair I need and will this mess up any assumptions taken inside the Link software for synching?
  ... Also, I have a Feature Enhancement Request to go along with this issue: Add a "Change drive map letter" button beside the "Turn on wireless connections to my computer" button in Link, and add the same option in the context menu to the 'Device Manager' for the mapping (which currently just says 'Explore').
  Thanks for the help,
   - Jeff

  I do not know a lot about this subject but since Device Manager is not a Device and the BlackBerry Phone is not recognized as a Device in Disk management unless Mass Storage is turned ON it looks as if by design you cannot change the Drive Letter.
  Also if Mass Storage is turned On in the Phone Settings File Manager and BB link will not work but the BB Phone will then be recognized as a Device in Disk Management and the Drive Letter can be changed, this has no effect on the Drive Letters for Device Manager.
  Normally to change the Drive Letter and Paths of a Device once the Device is plugged you would go to Administrative Tools, Computer Management, Disk Management, right click the Device and choose "Change Drive Letter and Paths"
  Changing the Registry or Uninstalling Device Manager but keeping BB Link or looking for a Utility that can change the Drive Letter such as the one that many XP users had called TweakUI (only worked in XP) or changing the Drive Letter for your Network may be the only way.

• Creating a new folder and drive map with Preferences

  So I am trying to set things up using GPP so that users of a particular security group get a U:\ drive at the following location:
  \\server\share\%username%
  I have set up the drive map preference & also a folders preference (to create the user's folder).  The problem is that it works BACKWARDS and the drive tries to map prior to folder creation and thus fails, THEN the folder gets created.  So
  that the 2nd time the user logs in they actually get the U:\ drive at the correct location.  The goal is to have the folder created and mapped to on the 1st try for the user.
  How can I get this working WITHOUT resorting to scripts, folder redirection, or manually setting the U drive on the AD Profile?  I just want that folder to be created for only users in the proper security group, and then have the drive map
  to it.
  # When I wrote this script only God and I knew what I was doing. # Now, only God Knows!

  > How can I get this working WITHOUT resorting to scripts, folder
  > redirection, or manually setting the U drive on the AD Profile?  I just
  > want that folder to be created for only users in the proper security
  > group, and then have the drive map to it.
  You cannot. The execution order of GPO parts (called Client Side
  Extensions) cannot be changed, so you're stuck with this error if you
  don't resort to a script :)
  Greetings/Grüße,
  Martin
  Mal ein
  gutes Buch über GPOs lesen?
  Good or bad GPOs? - my blog…
  And if IT bothers me -
  coke bottle design refreshment (-:

• 802.1X and automatic vlan assignment

  Hello,
  I'm testing a 802.1X infrastructure :
  Switch : Try with Netgear Prosafe GS728TPS and Cisco SF300
  Radius Server  : Microsoft NPS
  DHCP Relay for address assignement by Vlan
  I have created some policies with simple authentication for testing (MSCHAP V2) and vlan assignement or not (depend on Active Directory Group).
  All work fine on a Windows 7 Pro. The user 1 is authenticated whithout vlan and the user 2 is authenticated with a vlan.
  The DHCP works fine and the 2 users have an IP.
  When I try on MAC OS X (ver. 10.7.2 and ver. 10.9.2) the user 1 (whithout vlan) work fine. I have an IP and access to the LAN. But the user 2 (with vlan) don't work. The Mac don't get an IP and I'm not on the VLAN. If i push manually an IP of the vlan, I have no access to the VLAN.
  There are some specifics parameters to add for enable vlan on Mac OS X ?
  Thanks for reply
  Ben

  Edit : It's for wired connections

• Client Drive Mapping (Windows) not working in SGD 4.6

  I've upgrade your sgd 4.5 to 4.6. Currently we are using Virtual Desktop Connector 1.0 with VMware.
  Now I'm ran into a problem with client drive mapping for Windows. CDM has changed in 4.6 from smb to rdp-protocol. So there ist no need for the Enhancement Module on the client.
  CDM works well with Windows Server 2003 R2 Terminal Services, but not with Windows XP SP3. In XP there are not clientdrives in explorer. Opening \\tsclient I can see the clientdrives e.g. +\\tsclient\F (rw)+. But when I try to open the folder I get an error, telling me that I didn't have enough rights to access this share.
  This happens with a regular VDI-VM (in domain) and to a fresh standalone VM. Also a direct rdp-connect to the vm from Win XP and Win 7 Remote Desktop Client works (local drives are mapped).
  Is there any known problem with sgd 4.6 cdm and win xp?
  I didn't find any error in the logfiles, but perhaps I didn't look in the right logs. :-)
  Thomas

  We've just encountered this issue on a SGD 4.6 & Oracle VDI 3.2.1 deployment (XP Desktops), disappointed because we moved from 4.5 to 4.6 due to the expired Verisign cert therein.
  Connecting to a 2008R2 Domain controller is fine, no problem and drives mapped as expected.
  Have logged a service request, hopefully I've missed something obvious.

• Drive Mapping not showing up in Explorer Drive Listing

  Hi, I am having a strange problem.
  I have a unc path that I want to map to and everything works fine.
  Apart from one user.
  When I try to map the drive under the probmatic account, I cant see anything in my drive list.
  I can go to Computer and map the location by using the Map Network Drive button. (This works fine and the mapping appears.)
  But the mapping doesn't appear if I use Net Use. (It says the command completed successfully but it doesn't show in my drive listing)
  I have added the account to the local administrators group and turned off UAC.
  It's really strange.
  I need it to be able to map using Net Use because I have a batch file with a command in.
  Have you come across anything like this?

  Hi,
  No multiple connection to the share using the same credentials. It's basically saying that I can't connect to the share as more than one instance of the same user.
  But it's showing that no sessions exist. It's like it's not cleaning up the connections properly when you close them.
  I have found some other articles.
  This post sounds similar to what I am describing. It's from the following thread
  http://social.technet.microsoft.com/Forums/en-US/4b736ba5-268a-4dcb-a3ee-cc2abff0bb01/issue-with-group-policy-drive-mapping?forum=W8ITProPreRel
  Run command "net use" in command line with administrator privilege and see if the drive is mapped.
  If you can see the mapped drive in the result of net use but cannot see it in Windows Explorer, the issue may be caused by UAC. Are you the domain adminsitrator?
  Similar issues occurred since Windows Vista. See:
  http://technet.microsoft.com/en-us/library/cc766208(WS.10).aspx
  It said:
  UAC may prevent Group Policy logon scripts from appearing to work properly. For example, a domain environment contains a GPO that includes a logon script to map network drives. A nonadministrative user logs on to the domain from a Windows Vista computer.
  After Windows Vista loads the desktop, the nonadministrative user starts Windows Explorer. The user sees their mapped drives. Under the same environment, an administrative user logs on to the domain from a Windows Vista computer. After Windows Vista loads
  the desktop, the administrative user starts Windows Explorer. The user does not see their mapped drives.
  When the administrative user logs on, Windows processes the logon scripts using the elevated token. The script actually works and maps the drive. However, Windows blocks the view of the mapped network drives because the desktop uses the limited token while
  the drives were mapped using the elevated token.
  Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread. ”
  <input id="1f32e2ec-e0e3-481d-90b8-7fcc52f488fa_attachments" type="hidden" value="" />                
  Marked as answer by                            
  Arthur Xie<abbr class="affil">Microsoft contingent staff, Moderator</abbr>                        
  Friday, June 29, 2012 9:15 AM                    
  Unmarked as answer by                            
  GraffitiK<abbr class="affil"></abbr>                        
  Wednesday, December 19, 2012 3:58 PM                    
  Thursday, June 07, 2012 6:48 AM
  Arthur Xie
  Arthur Xie
  MSFT CSG
  32,950 Points               
  12               
  4               
  2                       
  Recent Achievements           
  New Gallery Rater                                           
  Thread Mover II                                           
  Proposed Answerer I                                                           
  Arthur Xie's threads                               
  View Profile           
                                      (MSFT CSG)                               
  32,950 Points               

• Network drive mapping Issue in WINDOWS 8 Client

  HI,<o:p></o:p>
  We have 2 Win2k8 R2 Domain controller. & around 100 Windows XP & Windows 7 Client. All the network mapping which was mapped through Group policy
  is worked fine.<o:p></o:p>
  Recently we have added 5 machines of WINDOWS 8 Client in our Network. We have observed that in none of the Windows 8 client machines,  Network drives are not
  getting automatically mapped. I checked through Gpresulr/r to confirm that whether the policy get applied or not, All the Windows 8 client machines has GP Applied.<o:p></o:p>
  I have run gpupdate & restart the machine, I have slow the network logging of Windows 8 Client,but it couldn't help me.
  <o:p>Regards,</o:p>
  <o:p>Chetan</o:p>

  Hi,
  In Group Policy Preferences,is "Reconnect" option ticked? If yes, please un-tick this option and check the result. Meanwhile, please check the below post which is discussing the same problem in Windows 8.
  Group Policy Preferences Drive Maps Not Working in Windows 8 RTM When "Reconnect" Option is Active
  http://social.technet.microsoft.com/Forums/en-US/winserverGP/thread/64e01325-9b2f-477c-ab51-7b10692b583a
  If this post does not help solve the problem, I suggest you ask in Group Policy forum.