[ ISSUE ] NCS / PI authentication using Microsoft NPS as a RADIUS server

Similar Messages

• Cisco Nexus to use Radius AAA authentication using Microsoft 2008 NPS

  I have a Nexus 7010 running
  Just wondering if you can help me with something. I'm having an issue with command authorization thru our aaa config. We don't have a problem authenticating its command authorization that is not working. From what I have seen and read Nexus NX-OS 6.x does not have any commands for aaa authorization unless you are configuring TACACS+. My basic config is below if you can help it would be much appreciated.
  >>ip radius source-interface mgmt 0
  >>radius-server key XXXXX
  >>radius-server host X.X.X.X key XXXXX authentication accounting
  >>radius-server host X.X.X.X key XXXXX authentication accounting aaa
  >>authentication login default group Radius_Group aaa authentication
  >>login console local aaa group server radius Radius_Group
  >>    server X.X.X.X
  >>    server X.X.X.X
  >>    source-interface mgmt0
  Also does anyone know how to configure Microsoft 2008 NPS as a Raduis server to work with Nexus? I have read a few post that suggest changing the
  shell:roles="vdc-admin" in the  Attribute Value field in the RADIUS server
  Does anyone know if this works????
  Thanks

  I have never done this before with ACS but not with NPS. However, you are in the right path. Nexus uses NX-OS which is different in some regards to regular IOS. One of those differences is the AAA setup. In NX-OS you assign users to roles. So for full access you will need to return the following attributes from your Radius server:
  Attribute: cisco-av-pair
  Requirement: Mandatory
  Value: shell:roles*"network-admin vdc-admin"
  For more information take a look at this link:
  http://www.cisco.com/c/en/us/support/docs/security/secure-access-control-system/115925-nexus-integration-acs-00.html
  Hope this helps
  Thank you for rating helpful posts!

• WLC 2504 - Issue with using Microsoft NPS for Radius Management Login

  Hello,
  In our environment we like to have our network admins and engineers use their Active Directory credentials when logging into devices so we can log who logged into which devices and if any changes were made. To do this we use a Server 2008 R2 NPS server with all our routers, switches and ASA's. We recently purchased a WLC to begin adding wireless to our environment. (See WLC_Radius_Config.png and NPS_Radius_Config.png)
  On the WLC, I am able to authenticate in using my AD credentials but when I go to apply any config changes I get a message saying "Authorization Failed. No sufficient privileges." (See error.png) I have a feeling I am missing something small but this is very important to us.
  I checked the Radius server and there are no login errors or NPS errors pointing to the WLC logins. Has anyone else run into this issue or know what I can do to solve it? 
  Thanks,

  Hi Kyujin,
  I wish I had finished my guide.  Didn't realize it would take this long.
  But what I meant is that when adding the attributes to my NPS (Microsoft's Network Policy Server) I only had to add the role and virtual domain if using Prime Infrastructure.
  If you use NCS, you have to add the role, all the tasks, and the virtual domain.
  See the screenshots and see if that helps explain it.  Not sure how TACACS will work as I'm not familiar with it.
  Microsoft NPS - Attributes for NCS
  Microsoft NPS - Attributes for PI

• Windows Authentication using Microsoft SQL Server 2005 JDBC Driver

  Hi,
  I am using Microsoft SQL Server 2005 JDBC Driver to connect to SQL Server 2000 database, can anyone tell me the connection URL for windows authentication. SQL authentication is working fine.
  DataDirect has drivers for windows authentication but I am not using it.
  Regards
  Arup

  You can't do it with the Microsoft driver. There's a free driver called jTDS that may be able to (I don't know).
  (edit) Looking at their FAQ it looks like it does:
  http://jtds.sourceforge.net/faq.html

• Web Service Authentication using Microsoft Active Directory

  Hi
  Is there a way to create Oracle Java Web Services that requires authentication using Active Directory?
  Regards,
  Néstor Boscán

  If you use the SOA Suite the Oracle Web Service Manager is included in there. Using this you can add steps that will authenticate against an AD.
  cu
  Andreas

• Trying to implement EAP/TLS using java (as part of RADIUS server)

  Hi
  This is a cross port since I didn't know which forum to post in!
  I'm trying to implement a RADIUS server (EAP/TLS) as part of my master thesis. I'm not used to Java SSL libraries and can't get it to work. The server will respond to an accesspoint that uses 802.1x. I have created certificates using openssl and imported the "cert-clt.pl2"and "root.pem" to a laptop trying to connect to the accesspoint. On the server side i imported the "cacert.pem" and "cert-srv.der" using keytool to a keystore. In my code I read the keystore and create the SSLEngine with following code:
            KeyStore ksKeys = KeyStore.getInstance("JKS");
              ksKeys.load(new FileInputStream("certs/FeebeeCommunity.keystore"), passphrase);
              KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
              kmf.init(ksKeys, passphrase);
              KeyStore ksTrust = KeyStore.getInstance("JKS");
              ksTrust.load(new FileInputStream("FeebeeCommunity.keystore"), passphrase);
              TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
              tmf.init(ksKeys);
              sslContext = SSLContext.getInstance("TLS");
              sslContext.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
              sslEngine = sslContext.createSSLEngine();
              sslEngine.setUseClientMode(false);
              sslEngine.setNeedClientAuth(true);
              sslEngine.setWantClientAuth(true);
              sslEngine.setEnableSessionCreation(true);
              appBuffer = ByteBuffer.allocate(sslEngine.getSession().getApplicationBufferSize());
              appBuffer.clear();
              netBuffer = ByteBuffer.allocate(sslEngine.getSession().getPacketBufferSize());
              netBuffer.clear();All I want to do with TLS is a handshake.
  I'm not talking ssl using sockets instead I receive and send all TLS data encapsulated in EAP packet that are incapsulated in RADIUS packets. I start off with sending TLS-Start upon I recive TLS data. I handle it with the following code:
         SSLEngineResult result = null;
          SSLEngineResult.HandshakeStatus hsStatus = null;
          if( internalState != EAPTLSState.Handshaking ) {
              if( internalState == EAPTLSState.None ) {
                  TLSPacket tlsPacket = new TLSPacket( packet.getData() );
                  peerIdentity = tlsPacket.getData();
                  internalState = EAPTLSState.Starting;
                  try {
                      sslEngine.beginHandshake();
                  } catch (SSLException e) {
                      e.printStackTrace();
                  return;
              else if(internalState == EAPTLSState.Starting ) {
                  internalState = EAPTLSState.Handshaking;
                  try {
                      sslEngine.beginHandshake();
                  } catch (SSLException e) {
                      e.printStackTrace();
          TLSPacket tlsPacket = new TLSPacket( packet.getData() );
          netBuffer.put( tlsPacket.getData() );
          netBuffer.flip();
          while(true) {
              hsStatus = sslEngine.getHandshakeStatus();
              if(hsStatus == SSLEngineResult.HandshakeStatus.NEED_TASK) {
                  Runnable task;
                  while((task=sslEngine.getDelegatedTask()) != null) {
                      new Thread(task).start();
              else if(hsStatus == SSLEngineResult.HandshakeStatus.NEED_UNWRAP) {
                  try {
                      result = sslEngine.unwrap( netBuffer, appBuffer );
                  } catch (SSLException e) {
                      e.printStackTrace();
              else {
                  return;
          }When I try to send data I use the following code:
             SSLEngineResult.HandshakeStatus hsStatus = null;
              SSLEngineResult result = null;
  //            netBuffer = ByteBuffer.allocate(EAPTLSMethod.BUFFER_SIZE);
              netBuffer.clear();
              while(true) {
                  hsStatus = sslEngine.getHandshakeStatus();
                  if(hsStatus == SSLEngineResult.HandshakeStatus.NEED_TASK) {
                      Runnable task;
                      while((task=sslEngine.getDelegatedTask()) != null) {
                          new Thread(task).start();
                  else if(hsStatus == SSLEngineResult.HandshakeStatus.NEED_WRAP) {
                      try {
                          result = sslEngine.wrap( dummyBuffer, netBuffer );
                      } catch (SSLException e) {
                          e.printStackTrace();
                  else {
                      if( result != null && result.getStatus() == SSLEngineResult.Status.OK ) {
                          int size = Math.min(result.bytesProduced(),this.MTU);
                          byte [] tlsData = new byte[size];
                          netBuffer.flip();
                          netBuffer.get(tlsData,0,size);
                          TLSPacket tlsPacket = new TLSPacket((byte)0,tlsData);
                          if( size < result.bytesProduced() ) {
                              tlsPacket.setFlag(TLSFlag.MoreFragments);
                          return new EAPTLSRequestPacket( ID,
                                  (short)(tlsPacket.getData().length + 6),
                                  stateMachine.getCurrentMethod(), tlsPacket );
                      else {
                          return null;
                  }After I sent TLS-Start I receive data and manage to process it but when then trying to produce TLS data I get the following error:
  javax.net.ssl.SSLHandshakeException: no cipher suites in common
  at com.sun.net.ssl.internal.ssl.Handshaker.checkThrown(Handshaker.java:992)
  at com.sun.net.ssl.internal.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:459)
  at com.sun.net.ssl.internal.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1054)
  at com.sun.net.ssl.internal.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1026)
  at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:411)
  at RadiusServerSimulator.EAPModule.EAPTLSMethod.buildReq(EAPTLSMethod.java:125)
  at RadiusServerSimulator.EAPModule.EAPStateMachine.methodRequest(EAPStateMachine.java:358)
  at RadiusServerSimulator.EAPModule.EAPStateMachine.run(EAPStateMachine.java:262)
  at java.lang.Thread.run(Thread.java:595)
  Caused by: javax.net.ssl.SSLHandshakeException: no cipher suites in common
  at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
  at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1352)
  at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:176)
  at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:164)
  at com.sun.net.ssl.internal.ssl.ServerHandshaker.chooseCipherSuite(ServerHandshaker.java:638)
  at com.sun.net.ssl.internal.ssl.ServerHandshaker.clientHello(ServerHandshaker.java:450)
  at com.sun.net.ssl.internal.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:178)
  at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:495)
  at com.sun.net.ssl.internal.ssl.Handshaker$1.run(Handshaker.java:437)
  at java.security.AccessController.doPrivileged(Native Method)
  at com.sun.net.ssl.internal.ssl.Handshaker$DelegatedTask.run(Handshaker.java:930)
  Any help wold be most greatfull, if any questions or anything unclear plz let me know.
  add some additional information here is a debug output
  Before this I have sent a TLS-star package and this is when I receive new information and then try to create the answer
  [Raw read]: length = 5
  0000: 16 03 01 00 41 ....A
  [Raw read]: length = 65
  0000: 01 00 00 3D 03 01 41 A4 FC 16 A8 14 89 F0 59 81 ...=..A.......Y.
  0010: C8 C9 29 C2 09 D1 0A 70 18 58 DC 2E B0 C8 14 90 ..)....p.X......
  0020: D4 FD A4 C6 32 C9 00 00 16 00 04 00 05 00 0A 00 ....2...........
  0030: 09 00 64 00 62 00 03 00 06 00 13 00 12 00 63 01 ..d.b.........c.
  0040: 00 .
  Thread-2, READ: TLSv1 Handshake, length = 65
  *** ClientHello, TLSv1
  RandomCookie: GMT: 1084488726 bytes = { 168, 20, 137, 240, 89, 129, 200, 201, 4
  1, 194, 9, 209, 10, 112, 24, 88, 220, 46, 176, 200, 20, 144, 212, 253, 164, 198,
  50, 201 }
  Session ID: {}
  Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH
  _3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_RSA_EXPORT1024_WITH_RC4_56_SHA,
  SSL_RSA_EXPORT1024_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EX
  PORT_WITH_RC2_CBC_40_MD5, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_DE
  S_CBC_SHA, SSL_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA]
  Compression Methods: { 0 }
  [read] MD5 and SHA1 hashes: len = 65
  0000: 01 00 00 3D 03 01 41 A4 FC 16 A8 14 89 F0 59 81 ...=..A.......Y.
  0010: C8 C9 29 C2 09 D1 0A 70 18 58 DC 2E B0 C8 14 90 ..)....p.X......
  0020: D4 FD A4 C6 32 C9 00 00 16 00 04 00 05 00 0A 00 ....2...........
  0030: 09 00 64 00 62 00 03 00 06 00 13 00 12 00 63 01 ..d.b.........c.
  0040: 00 .
  Thread-5, fatal error: 40: no cipher suites in common
  javax.net.ssl.SSLHandshakeException: no cipher suites in common
  Thread-5, SEND TLSv1 ALERT: fatal, description = handshake_failure
  Thread-5, WRITE: TLSv1 Alert, length = 2
  Thread-2, fatal: engine already closed. Rethrowing javax.net.ssl.SSLHandshakeEx
  ception: no cipher suites in common
  javax.net.ssl.SSLHandshakeException: no cipher suites in common
  at com.sun.net.ssl.internal.ssl.Handshaker.checkThrown(Handshaker.java:9
  92)
  at com.sun.net.ssl.internal.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineI
  mpl.java:459)
  at com.sun.net.ssl.internal.ssl.SSLEngineImpl.writeAppRecord(SSLEngineIm
  pl.java:1054)
  at com.sun.net.ssl.internal.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:10
  26)
  at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:411)
  at RadiusServerSimulator.EAPModule.EAPTLSMethod.buildReq(EAPTLSMethod.ja
  va:153)
  at RadiusServerSimulator.EAPModule.EAPStateMachine.methodRequest(EAPStat
  eMachine.java:358)
  at RadiusServerSimulator.EAPModule.EAPStateMachine.run(EAPStateMachine.j
  ava:262)
  at java.lang.Thread.run(Thread.java:595)
  Caused by: javax.net.ssl.SSLHandshakeException: no cipher suites in common
  at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
  at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1
  352)
  at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:176)
  at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:164)
  at com.sun.net.ssl.internal.ssl.ServerHandshaker.chooseCipherSuite(Serve
  rHandshaker.java:638)
  at com.sun.net.ssl.internal.ssl.ServerHandshaker.clientHello(ServerHands
  haker.java:450)
  at com.sun.net.ssl.internal.ssl.ServerHandshaker.processMessage(ServerHa
  ndshaker.java:178)
  at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:4
  95)
  at com.sun.net.ssl.internal.ssl.Handshaker$1.run(Handshaker.java:437)
  at java.security.AccessController.doPrivileged(Native Method)
  at com.sun.net.ssl.internal.ssl.Handshaker$DelegatedTask.run(Handshaker.
  java:930)
  ... 1 more

  I am developing a simple client/server SSL app using sdk 1.4 (no SSLEngine) and am faced with the same problem. Could anybody track down the problem further?

• Issues with client authentication using certificates

  We have upgraded from sun-one directory server 5.1 sp4 to odsee 11g. We were using client certificates for authenticating connections to the directory server and it is no longer working. We had a certmap.conf that worked fine on 5.1 but it no longer seems to work on 11g. We are getting the following errors in the access log:
  [04/Apr/2011:16:41:17 -0400] conn=1692 op=-1 msgId=-1 - SSL failed to map client certificate to LDAP DN (User's LDAP entry doesn't have any certificates to compare)
  [04/Apr/2011:16:41:17 -0400] conn=1692 op=0 msgId=1 - BIND dn="" method=sasl version=3 mech=EXTERNAL
  [04/Apr/2011:16:41:17 -0400] conn=1692 op=0 msgId=1 - RESULT err=49 tag=97 nentries=0 etime=0.099660, client certificate mapping failed
  I checked and there is a usercertificate;binary entry which contains the certificate.
  Also, it does seem to find the entry for the cn, as shown by these two lines:
  [04/Apr/2011:16:41:17 -0400] conn=-1 op=-1 msgId=-1 - ENTRY dn="cn=XXXXXXXX, ou=certs, ou=yyyy,dc=zzzzzzz,dc=net"
  [04/Apr/2011:16:41:17 -0400] conn=-1 op=-1 msgId=-1 - RESULT err=0 tag=101 nentries=1 etime=0.001150
  All we did was to install the upgraded server software and migrate the data. Is there something more required for this version in order to implement client certificate authentication? I thought I saw something about a directory server proxy, which we aren't running. Is that necessary for this to work?
  Any help you can provide would be greatly appreciated.
  Thanks.
  dean

  I am using verifycert set to on. We want to verify the certificate.
  I am not using CmapLdapAttr. I saw a reference in one other post regarding using that attribute. I am hesitant to go there because while it seems to be a fix, I was unsure whether it was something which happened to work but was not part of standard implementation of using client certificates or whether it was a requirement in order for it to work and it was just serendipitous that it wasn't needed in 5.1. I wouldn't want to start using, apply a patch, and have it stop working again because that was a workaround.
  Thanks.

• Issue with SAP Authentication in a Windows 2003 64 Bits Server

  Hi Experts
      I have an issue in a Windows 2003 64 Bits Server in CMC when i'm in the authentication section i choose SAP the Role Import works fine and I can see the Users Group from SAP BW but the users don't appear.
      I try the same thing in a Windows 2003 32 Bits with the same parameters and works fine i can see de User Groups and The Users from the same BW Server.
  I Think i could be a problem with the 64 bits server the issue is the users from SAP BW are not imported.
  Regards Marvin Soto.

  Hi Ingo,
                we have some thing similar issue. can you please help us out.
  We Imported users and in options we selected concurrent and every thing worked fine up to 1 month and then automatically our license key say you have only 2 named users. we have a license key for 100 named users now. do we need to delete all the concurrent users from sap now and we need to re-import them by selecting named in options tab of sap. what is the work around for this. i tested by changing the one of the sap user profile to named instead of concurrent, then i am able to login to infoview using sap credentials but when i open a report its says you don't have enough license to perform this operation. can i know why is this happening.
              Environment:
                                     BOBJ XI 3.1, SUN SOLARIS, SAP INTEGRATION KIT.
  Thanks,
  SK.
  Edited by: Siva Vallabhaneni on May 27, 2009 3:28 PM

• How to use Microsoft Excel dll in SQL Server Reporting Services

  Hi,
  Can you please explain me the steps to use excel .dll in ssrs

  Hi PrakashThandra,
  Based on my understanding, you have created a chart in Excel, then you want to use this chart in Reporting Services, right?
  In Reporting Services, it’s not supported to use a chart which created in Excel directly. But we can use Excel as datasource to create a report, please refer to this article:
  Create SSRS report using Excel Data Source Step by Step. In your scenario, since you want to use the Excel chart in Reporting Services, you could create a same report in Reporting Services refer to this article:
  Charts (Report Builder and SSRS)
  If you have any question, please feel free to ask.
  Best regards,
  Qiuyun Yu
  Qiuyun Yu
  TechNet Community Support

• Using a BM 3.8 RADIUS Server to Assign Users to VLANs

  I'm trying to use Bordermanager 3.8 RADIUS to assign VLANs to users. The
  users are accessing the network via Cisco 1100 Aironet Wireless Access
  Points. We have defined two VLANs on the network. One goes directly to
  the internet for GUEST, VLAN1, and the other goes to our private network
  MEMBERS, VLAN2. The problem I'm having is getting the RADIUS to assign
  attributes to the user accounts. I need attribute: IETF 64 (Tunnel Type)
  set to VLAN, IETF 54 (Tunnel Medium Type) set to 802, and IETF (Tunnel
  Private Group ID) set the VLAN-ID which is 1 or 2. These attribute are
  not available in the RADIUS.ATR file. Is there some way of editing the
  ATR file to add these attributes? Is there another solution to assign
  VLANs with Bordermanager?

  > I need attributes: IETF 64 (Tunnel Type) set to VLAN, IETF 65 (Tunnel
  Medium Type) set to 802, and IETF 81 (Tunnel Private Group ID) set the
  VLAN-ID which is 1 or 2. These attribute are not available in the
  RADIUS.ATR file. Is there some way of editing the ATR file to add these
  attributes? Is there another solution to assign VLANs with Bordermanager?

• ACS for 802.1x Authentication using RSA Tokens and Microsoft PEAP

  Has anyone been able to configure 802.1x authentication on Windows XP machines using RSA tokens using Cisco ACS as the RADIUS server?
  I have come up with bunch of incompatibilities between the offered support e.g.
  1. Microsoft PEAP does not support anything but smartcard/certificate or MSCHAP2.
  2. Cisco support PEAP and inside it MSCHAP2 or EAP-GTC
  We tried using RSA provided EAP client both the EAP security and EAP-OTP options within Microsoft PEAP but ACS rejects that as "EAP type not configured"
  I know it works with third party EAP software like Juniper Odyssey client and the Cisco Aegis Client but we need to make it work with the native Windows XP EAP client.

  Hi,
  We have tried to do the exact same setup as you and we also failed.
  When we tried to authenticate the user with PEAP-MSCHAPv2 (WinXP native) ACS gives "external DB password invalid", and does not even try (!) to send the login to the RSA server. No traffic is seen between RSA and ACS.
  MS-PEAP relies on hashing the password with MS-CHAPv2 encoding. This is not reversible. RSA, on the other hand, does not require hashing of the password due to the one time nature of it. So they (RSA) don't.
  When we authenticate using e.g. a 3rd party Dell-client, we can successfully authenticate using either PEAP-GTC (Cisco peap), EAP-FAST and EAP-FAST-GTC.
  A list with EAP protocols supported by the RSA is in attach.
  Also below is the link which says the MS-PEAP is NOT supported with the RSA, please check the
  table "EAP Authentication Protocol and User Database Compatibility "
  http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs33/user/o.htm#wp792699
  What we are trying to do now in the project is leaving the AP authentication open and try to authenticate it using RADIUS through a firewall or Cisco router authentication proxy.

• 802.1x MAB with Microsoft NPS ieee802Device object group

  Hi,
  according to http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/config_guide_c17-663759.pdf (MAC Authentication Bypass Deployment Guide as of May 2011), when you use Microsoft NPS, you cannot simply add MAC-Adresses as Active Directory user objects if your domain has strict password enforcement policies (because passwords are not allowed to match usernames under that circumstances). The guide mentions the use of the 'ieee802Device' class that is build into Windows Server 2003R2 and above. I have tried to get this working (with no success...), unfortunately I did not find any guidelines on the web how to accomplish this. What I did so far was:
  - Created a new structural class"myieee802Device", based on the abstract class "ieee802Device"
  - Created a new OU "ethers" in AD
  - Created a simple objekt by means of an ldifde.exe import
  dn: CN=001b21******,OU=ethers,DC=dot1x,DC=com
  changetype: add
  objectClass: myieee802Device
  cn: 001b21******
  macAddress: 00:1b:21:**:**:**
  When I trigger 802.1x authentication at a supplicant, NPS does not find the device (MAC-Address) in AD.
  Has anybody got this running so far?
  Stefan

  Stefan,
  Many thanks for your reply. in my test environment, what I have encountered is:
  1. I created the user account and used the mac address as account and password, which can access into the AD.
  2. I enabled the function of  MD5-Challenge  in Windows 2008 R2 NPS server. pls refer the link:
  http://social.technet.microsoft.com/Forums/en/winserverNAP/thread/e801bdac-9347-4efb-9d7c-bcf4d64aa927
  3. Created the network policy, which use the  MD5 as the EAP type, and select PAP as the authentication method.
  4. Enable the 802.1x and MAB function in the port of cisco 3750.
  by test, 802.1x works fine, but when  I try to let it authenticate with MAB, got the below error in NPS event log:
  Network Policy Server denied access to a user.
  Contact the Network Policy Server administrator for more information.
  User:
      Security ID:            QBBB\002622c997ff
      Account Name:            002622c997ff
      Account Domain:            QBBB
      Fully Qualified Account Name:    qbbb.net/Sales/002622c997ff
  Client Machine:
      Security ID:            NULL SID
      Account Name:            -
      Fully Qualified Account Name:    -
      OS-Version:            -
      Called Station Identifier:        3C-DF-1E-C6-48-13
      Calling Station Identifier:        00-26-22-C9-97-FF
  NAS:
      NAS IPv4 Address:        10.197.40.2
      NAS IPv6 Address:        -
      NAS Identifier:            -
      NAS Port-Type:            Ethernet
      NAS Port:            50219
  RADIUS Client:
      Client Friendly Name:        Wired
      Client IP Address:            10.197.40.2
  Authentication Details:
      Connection Request Policy Name:    Secure Wired (Ethernet) Connections
      Network Policy Name:        Connections to other access servers
      Authentication Provider:        Windows
      Authentication Server:        QINGXXX1.QBBB.net
      Authentication Type:        PAP
      EAP Type:            -
      Account Session Identifier:        -
      Logging Results:            Accounting information was written to the local log file.
      Reason Code:            65
      Reason:                The Network Access Permission setting in the dial-in properties of the user account in Active Directory is set to Deny access to the user. To change the Network Access Permission setting to either Allow access or Control access through NPS Network Policy, obtain the properties of the user account in Active Directory Users and Computers, click the Dial-in tab, and change Network Access Permission.
  Just for you reference and hope can get you help, thanks a lot!
  --Scott

• Wirelss AP1140 Radius authentication with Microsoft IAS

  Hi,
  I have a Cisco C1140 Ap. I have cnfigured the device. Initially for testing i used WPA and authenticated locally. I have now setup a radius server and added my AP in as a client etc. I have changed my SSID's to authenticate with the radius server and i am having issues authenticating.
  I can connect via a PC and an iphone. They say that i am connected but i get no ip address and the debugs state that the authentication fails:
  000466: Sep 5 14:33:07.074 AEST: %DOT11-7-AUTH_FAILED: Station 40a6.d967.8b13 Authentication failed
  000467: Sep 5 14:33:28.368 AEST: %DOT11-7-AUTH_FAILED: Station bc77.3771.b15f Authentication failed
  000468: Sep 5 14:33:39.837 AEST: %DOT11-7-AUTH_FAILED: Station 40a6.d967.8b13 Authentication failed
  I can see the Radius server as connected
  imc-syd-ap1#show aaa servers
  RADIUS: id 4, priority 1, host 10.10.0.2, auth-port 1645, acct-port 1646
  State: current UP, duration 4337s, previous duration 0s
  Dead: total time 0s, count 0
  Authen: request 0, timeouts 0
  Response: unexpected 0, server error 0, incorrect 0, time 0ms
  Transaction: success 0, failure 0
  Author: request 0, timeouts 0
  Response: unexpected 0, server error 0, incorrect 0, time 0ms
  Transaction: success 0, failure 0
  Account: request 0, timeouts 0
  Response: unexpected 0, server error 0, incorrect 0, time 0ms
  Transaction: success 0, failure 0
  Elapsed time since counters last cleared: 1h12m
  The debugs show:
  000474: Sep 5 14:36:00.969 AEST: %DOT11-7-AUTH_FAILED: Station bc77.3771.b15f Authentication failed
  000475: Sep 5 14:36:01.485 AEST: AAA/BIND(00000109
  show dot11 associations:
  imc-syd-ap1#show dot11 associations
  802.11 Client Stations on Dot11Radio0:
  SSID [IMC-Wireless-Data] :
  MAC Address IP address Device Name Parent State
  bc77.3771.b15f 0.0.0.0 ccx-client DAVID self AAA_Auth
  Any ideas or recomendations would be greatly appreciated
  Thanks
  Below is a copy of my wireless config:
  version 12.4
  no service pad
  service timestamps debug datetime msec localtime show-timezone
  service timestamps log datetime msec localtime show-timezone
  service password-encryption
  service sequence-numbers
  hostname xxxxxxxxxxxxxx
  logging buffered 40960 debugging
  enable secret 5 xxxxxxxxxxxxx
  aaa new-model
  aaa group server tacacs+ IMC
  server 172.16.100.3
  aaa group server radius AUTHVPN
  server 10.10.0.2 auth-port 1645 acct-port 1646
  server 10.11.0.24 auth-port 1645 acct-port 1646
  aaa authentication login default group IMC local enable
  aaa authorization exec default group IMC local if-authenticated
  aaa session-id common
  clock timezone AEST 10
  clock summer-time AEDT recurring 1 Sun Oct 2:00 1 Sun Apr 3:00
  no ip domain lookup
  ip domain name imc.net.au
  dot11 syslog
  dot11 ssid IMC-Wireless-Data
  vlan 10
  authentication open eap AUTHVPN
  authentication network-eap AUTHVPN
  guest-mode
  mbssid guest-mode
  infrastructure-ssid optional
  information-element ssidl
  dot11 ssid IMC-Wireless-Voice
  vlan 14
  authentication open eap AUTHVPN
  authentication network-eap AUTHVPN
  mbssid guest-mode
  information-element ssidl
  dot11 aaa authentication attributes service login-only
  bridge irb
  interface Dot11Radio0
  no ip address
  no ip route-cache
  encryption mode wep mandatory
  ssid IMC-Wireless-Data
  ssid IMC-Wireless-Voice
  antenna gain 0
  mbssid
  station-role root
  interface Dot11Radio0.10
  encapsulation dot1Q 10 native
  no ip route-cache
  bridge-group 1
  bridge-group 1 subscriber-loop-control
  bridge-group 1 block-unknown-source
  no bridge-group 1 source-learning
  no bridge-group 1 unicast-flooding
  bridge-group 1 spanning-disabled
  interface Dot11Radio0.14
  encapsulation dot1Q 14
  no ip route-cache
  bridge-group 14
  bridge-group 14 subscriber-loop-control
  bridge-group 14 block-unknown-source
  no bridge-group 14 source-learning
  no bridge-group 14 unicast-flooding
  bridge-group 14 spanning-disabled
  interface Dot11Radio1
  no ip address
  no ip route-cache
  encryption mode wep mandatory
  ssid IMC-Wireless-Data
  ssid IMC-Wireless-Voice
  antenna gain 0
  no dfs band block
  mbssid
  channel dfs
  station-role root
  interface Dot11Radio1.10
  encapsulation dot1Q 10 native
  no ip route-cache
  bridge-group 1
  bridge-group 1 subscriber-loop-control
  bridge-group 1 block-unknown-source
  no bridge-group 1 source-learning
  no bridge-group 1 unicast-flooding
  bridge-group 1 spanning-disabled
  interface Dot11Radio1.14
  encapsulation dot1Q 14
  no ip route-cache
  bridge-group 14
  bridge-group 14 subscriber-loop-control
  bridge-group 14 block-unknown-source
  no bridge-group 14 source-learning
  no bridge-group 14 unicast-flooding
  bridge-group 14 spanning-disabled
  interface GigabitEthernet0
  description IMC-Wireless-Data
  no ip address
  no ip route-cache
  duplex auto
  speed auto
  no keepalive
  interface GigabitEthernet0.10
  description IMC-Wireless-Data
  encapsulation dot1Q 10 native
  no ip route-cache
  bridge-group 1
  no bridge-group 1 source-learning
  bridge-group 1 spanning-disabled
  interface GigabitEthernet0.14
  description IMC-Wireless-Voice
  encapsulation dot1Q 14
  no ip route-cache
  bridge-group 14
  no bridge-group 14 source-learning
  bridge-group 14 spanning-disabled
  interface BVI1
  description IMC-Wireless-Data
  ip address 10.10.0.245 255.255.255.0
  no ip route-cache
  ip default-gateway 10.10.0.254
  ip http server
  ip http authentication local
  no ip http secure-server
  ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
  ip radius source-interface BVI1
  access-list 111 permit tcp any any eq telnet
  access-list 111 permit tcp any any eq www
  access-list 111 permit tcp any any eq 22
  snmp-server community public RO
  snmp-server enable traps tty
  tacacs-server host 172.16.100.3 key 7 xxxxxxxxxxxxxxxxxxx
  tacacs-server directed-request
  radius-server host 10.10.0.2 auth-port 1645 acct-port 1646 key 7 xxxxxxxxxxxxxxxxxxx
  bridge 1 route ip
  wlccp wds aaa authentication attributes service login-only
  line con 0
  line vty 0 4
  access-class 111 in
  exec-timeout 5 0
  line vty 5 15
  access-class 111 in
  exec-timeout 5 0
  sntp server 10.10.0.254
  end

  Inside the ssid, when you put "authentication open" it's an eap_method that follows. You put your AUTHVPN aaa server group name. that's wrong.
  aaa authentication login  group AUTHVPN
  and adjust your "authentication open eap " to match with that method name.
  Also your group authvpn contains a 2nd server that is undefined in yoru global config ...
  Nicolas

• Can I use Microsoft Office with Lion?

  I am working with someone who has a PC computer using the windows VISTA operating system.
  My computer is the original flat panel iMac with MAC OX 10.4.11.
  I would like to purchase another MAC but most importantly I need to be able to  run Microsoft Office.
  Knowledgeable guidance and advice is requested.

  Be aware of one issue, if you are using Microsoft Exchange and the version is 2007R1 sp3 or earlier you must use Office 2008 as 2011 only supports R1 sp4 or later.

• Receive Original Email Whenever I Reply to an Email Using Microsoft Outlook Exchange Server

  This is a problem I've seen other people post about, but I haven't found a solution.  Whenever I reply to an email using Microsoft Outlook 2007 with Exchange Server on my computer, I receive a copy of the original email (not the reply, but the original email that I replied to) on my Curve.  My BB email is set up with BIS and my carrier is Verizon, but I've seen people post about this with other carriers.
  Apparently there is some kind of incompatibility between Microsoft Exchange Server and BIS that is causing this problem.
  This is a huge pain, because everytime I reply to an email, I have to delete a copy of the original email on my blackberry. 
  Does anyone know the solution to this?

  Under "tools", "Options" , "applications" on my computer there isn't a "mailto". so these instructions don't work. Any other ideas?