Network Access Module and Switching Users

We are working on implementing 802.1x and plan to use AnyConnect NAM on the PCs. However, I’ve run into a problem where we have a few multi-user machines for employees who work in multiple locations throughout the day. It’s not uncommon for someone to lock the PC they are working on and walk away. Prior to NAM, a second user could come along and log in as themselves, leaving the initial user logged in. However, I’ve found that once NAM has been installed this user switching feature is disabled. This is understandable, as the initial user technically hasn’t logged out, so the port is still authenticated with their credentials, and we wouldn’t want to accidentally break a connection stream just to reauthenticate the second user.
I have spent quite a bit of time going through these forums and white papers trying to find an alternative solution for this situation, but haven’t had much luck. Does anyone have any suggestions on how I could proceed on this?

Similar Messages

  • Anyconnect Secure Mobility Client, Network Access Module, wired PEAP

    Hello there,
    I am testing AnyConnect Secure Mobility Client, Network Access Module as supplicant with PEAP authentication for wired network users. With the default configuration it is working well. With the default configuration it trusts any Root CA certificates installed on the OS. Do you know how to configure NAM so that it will validate the ACS certificate with a specific Root CA certificate?
    In the Network Access Module profile editor there are two options about certificates:
    One is Certificate Trusted Authority, which itself has two options: the first is to trust any Root CA certificate that is installed on the OS, and the second is to import a Root CA certificate into the profile. Potentially the second option can help in my case; I can manually import Root CA certificates in each profile. But I think it will be hard to update Root CA certificates in the future that way.
    The second is Certificate Trusted Server Rules; this option has matching capability by certificate Common Name. What can this option be used for?

    Normally the way it works is that you set up your Enterprise Root CA, and then have it issue a certificate for the AAA server (i.e. ACS, ISE, etc). You then install this certificate on the AAA server and (in an Active Directory environment) add the Root CA certificate to the client system's local certificate store. What that means is that any certificates (such as the one installed on the AAA server) that are presented to the client that are signed by the root are automatically trusted.
    Server validation is an extra step in terms of proving the identity of the AAA server to the authenticating client. As such, when you build the policy in the NAM editor, it would look similar to the image below:
    I like to use the CN (Common Name) as the match criteria and build my CA issuance policy to always include the FQDN in the certificate for identity purposes.
    Hope this helps!

  • Network Access Manager and WiFi

    I have a computer that is a member of a domain. The computer has Network Access Manager and Cisco Secure Mobility Client VPN modules loaded. I have the computer set up to authenticate to the network before it connects to the domain. This is working fine.
    When a user brings their computer home, they are unable to connect to their wireless network.  I tried adding some wifi authentication in Network Access Manager, but that did not fix the issue.  I am still going to do some reading up on this issue, but I was hoping that somebody could give me some input if they have any experience?
    I need for people to be able to authenticate to the network when they are at work, and VPN when they are at home.
    Thanks,
    Alex Pfeil

    You mean you have the start before logon feature (SBL) enabled and it's working fine as long as you're at work. I guess I have seen this before.
    What I read in an internal enhancement request is that Cisco AnyConnect 3.0 Start Before Logon (SBL) does not work with user created personal networks. NAM establishes connections with user created network profiles only after user logon, and consequently there will be no network connectivity at the time Start Before Logon executes.
    What version of NAM are you using?
    Jatin Katyal
    - Do rate helpful posts -

  • Please...help me on the communicating between CLEAN ACCESS MANAGER and Switch 3560E-24Ps by snmp

    Dear All,
    I try to configure both Clean Access Manager and Switch 3560E-24Ps on SNMP Version 2 protocol but I can't make them work together (for CAM and Switch 3560G-48Ps I can do that). Please give me any suggestion to solve that problem. All configuration is as below:

    http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/412/cam/412_cam_book.html

  • Access Connections and 2 users

    I run Access Connections 4.42 as default for configuring network access on a T61 with XP SP2. When two users are logged in Access Connections fails with: Access Connections is being used by another user... If I click OK, then I'm unable to set any network settings. When I log out the second user it takes some minutes because some programs won't stop: the message appears that LPManager has no reaction and then ACWLIconWnd has no reaction. If I abort immediately by task manager, log out proceeds. Then logging in to the first user will crash the function of the ThinkVantage key and you can't start any Lenovo ThinkVantage programs (Access Connections too). To get proper function you need to reboot.
    Is there any way to make Access Connections work with two users, like Windows XP manages network connections when several users are logged in (registry settings...)?
    Otherwise, how can I stop Access Connections from running temporarily when working with two users?
    Is there any program with quite similar functions for managing network profiles....?

    wireman wrote:
    I run Access Connections 4.42 as default for configuring network access on a T61 with XP SP2. When two users are logged in Access Connections fails with: Access Connections is being used by another user.
    A lurker reviewed this and sent back this message:
    "Fast User Switching.  Since the first user doesn't actually log off, any attempt to use Access Connections by the second user will result in the alert referenced in the post.  It's working as designed."
    Jane

  • Mounted Network Drives dismount when switching users

    I have a local ReadyNAS with multiple shares running AFP, and am using Bonjour Mounter to automatically attach to the shares when they are available (i.e. when I boot up on my home network from my laptop). Under Lion, everything worked well - when I switched accounts on the laptop to another user, the mounts remained available, even if they were inaccessible to the new user on the Mac - when I swapped back to the first user account, the mounted shares were still there.
    Since upgrading to Mountain Lion, I've noticed that when I switch accounts on my Mac to another user, the Mac seems to dismount the shares, making them unavailable. This means that when I switch back to the original user profile on my Mac, the drives need to be manually re-mounted (since Bonjour Mounter doesn't see them as "new" and pick them up automatically). This is annoying when I am hopping between multiple accounts on my Mac - is there a way to prevent the dismounting behavior when switching accounts?
    Bonjour Mounter has not been updated in some time, so I am fairly certain it is not the cause of the issue.  The behavior started with Mountain Lion 10.8.0, and is persisting in 10.8.1
    Thank you!

    Hi Geoffrey,
    This won't be much help, but I'm having the exact same issue. I'm mounting AFP shares from a ReadyNAS, but I'm not using Bonjour Mounter. And this happens whether I script the volumes to mount, or if I mount them manually. For whatever reason, they dismount when I switch users, lock the screen, etc.
    Have you tried mounting non-ReadyNAS volumes to see if the same issue occurs?  I'm curious.
    Hope someone replies that can help. :-)

  • Deploying Custom Windows 7 Logon page and switch user button

    I am trying to use ZCM 11 Group Policy management to do two things. 1). Turn off the Windows 7 switch user feature that exists in the start menu and at the initial logon screen, and 2). Add a policy statement graphic to the initial logon screen in Windows 7.
    Feature 1 above is done by changing 'Hide entry points for 'Fast User Switching' in Computer Configuration=>Administrative Templates=>System=>Logon. But in order to get rid of the 'Switch User' button on the initial logon screen you also have to enable 'Interactive logon: Do not display last user name' in Computer Configuration=>Windows Settings=>Security Settings=>Local Policies=>Security Options and we only want this enabled for students. There are only two options for this setting - 'enabled' and 'disabled'.
    Feature 2, adding a graphic to the initial logon screen, is turned on by enabling 'Always use custom logon background' in Computer Configuration=>Administrative Templates=>System=>Logon and creating a custom bmp file placed in C:\Windows\System32\oobe\info\.
    Because the 'Interactive logon: Do not display last user name' setting only has enable/disable options (the default is disable) and because user associated settings overwrite workstation associations, I'm using two policies, one workstation and one user, as indicated below:
    User GPO :
    Enable 'Interactive logon: Do not display last user name' in Computer Configuration=>Windows Settings=>Security Settings=>Local Policies=>Security Options
    NOTE: This allows me to differentiate between student and staff users.
    Workstation GPO:
    Enable 'Hide entry points for 'Fast User Switching' in Computer Configuration=>Administrative Templates=>System=>Logon
    Enable 'Always use custom logon background' in Computer Configuration=>Administrative Templates=>System=>Logon
    Bundle:
    Deploys the bmp file to C:\Windows\System32\oobe\info\.
    Unfortunately, this setup only works as intended when the user is set up with a volatile DLU policy. When the user associated DLU is non-volatile it doesn't display the graphic and it does not remove the switch user button on the main logon screen. If I logon/logoff as a non-volatile user I get the generic Windows 7 logon page with the switch user button visible; when I logon/logoff as a volatile user I get the custom graphic logon page without the switch user button. What's even stranger is that when I go into gpedit.msc and look at the settings after I log in, they're correct for each type of user.
    Does anyone have any insight on why I might be seeing this problem?
    I've tried to be as complete as possible describing the problem, but if I didn't describe something correctly or someone needs additional info, please let me know.
    Thanks for any assistance.
    Dan

    Hi Dan,
    are you using Novell Client?
    The Tiles on the Login Screen also depend on the Client configuration. If there is only Novell Client active, Windows cannot display other tiles or switch user.
    regards
    MArkus
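
    One way to see what the logon screen will actually read after each kind of user logs off, as an added example that is not part of the original thread. The registry value names are the ones these three settings write under HKLM; the function names and the $checks table are this example's own, and the folder is the path quoted in the post.

```powershell
# Added example (not from the thread): report the effective logon-screen settings.
# Run in a 64-bit PowerShell; syntax is kept PowerShell 2.0 compatible for Windows 7.
$sysKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$polKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'

# One row per policy named in the post, with the machine-wide value it writes.
$checks = @(
    @{ Policy = 'Hide entry points for Fast User Switching';        Key = $sysKey; Name = 'HideFastUserSwitching' },
    @{ Policy = 'Interactive logon: Do not display last user name'; Key = $sysKey; Name = 'DontDisplayLastUserName' },
    @{ Policy = 'Always use custom logon background';               Key = $polKey; Name = 'UseOEMBackground' }
)

function Get-LogonPolicyState {
    param([object[]]$Checks, [int]$Expected = 1)
    foreach ($c in $Checks) {
        # A missing key or value means the policy is not in effect on this machine.
        $actual = $null
        $item = Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue
        if ($item) { $actual = $item.($c.Name) }
        New-Object PSObject -Property @{
            Policy        = $c.Policy
            RegistryValue = '{0}\{1}' -f $c.Key, $c.Name
            Actual        = $(if ($null -eq $actual) { '<not set>' } else { $actual })
            Compliant     = ($actual -eq $Expected)
        }
    }
}

function Get-LogonBackgroundFiles {
    # Lists whatever the bundle delivered to the folder named in the post.
    param([string]$Folder = 'C:\Windows\System32\oobe\info')
    if (-not (Test-Path $Folder)) { return @() }
    Get-ChildItem -Path $Folder -Recurse |
        Where-Object { -not $_.PSIsContainer } |
        Select-Object FullName, Length, LastWriteTime
}

Get-LogonPolicyState -Checks $checks |
    Select-Object Policy, Actual, Compliant, RegistryValue |
    Format-Table -AutoSize
Get-LogonBackgroundFiles | Format-Table -AutoSize
```

    All three values are machine-wide (HKLM), so the logon screen shows whatever was written last, regardless of who logs on next. Running the script once after a volatile user logs off and once after a non-volatile user logs off shows which values differ between the two cases.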

  • Openbox: Lock screen and switch user?

    I've started using Openbox a bit recently and I quite enjoy it, but I would like it if I could add options to switch user and to lock the screen, like in KDE or Gnome.  Is there a way to do this?

    Regardless of your login manager, you should be able to use Xscreensaver to lock the screen, but I do believe the switch user feature is only possible with GDM/KDM. 
    http://wiki.archlinux.org/index.php/Xscreensaver
    Have a look at above wiki for basic information.  Then, for openbox you can manually lock your machine with a menu item like this:
    <item label="Lock"> <action name="Execute"> <execute>xscreensaver-command -lock</execute> </action> </item>
    Here's my shutdown menu in its entirety:
    <menu id="64" label="Shutdown">
    <item label="Lock"> <action name="Execute"> <execute>xscreensaver-command -lock</execute> </action> </item>
    <item label="Logout"> <action name="Exit"/> </item>
    <item label="Reboot"> <action name="Execute"> <execute>sudo shutdown -r now</execute> </action> </item>
    <item label="Suspend"> <action name="Execute"> <execute>sudo pm-suspend</execute> </action> </item>
    <item label="Hibernate"> <action name="Execute"> <execute>sudo pm-hibernate</execute> </action> </item>
    <item label="Poweroff"> <action name="Execute"> <execute>sudo shutdown -h now</execute> </action> </item>
    </menu>
    Of course, you can also bind the xscreensaver to a keystroke, such as Win+L:
    <keybind key="W-l">
    <action name="Execute">
    <startupnotify>
    <enabled>false</enabled>
    <name>Lock Screen</name>
    </startupnotify>
    <command>xscreensaver-command -lock</command>
    </action>
    </keybind>
    Last edited by thayer.w (2007-10-06 15:27:12)

  • Connection between lightweight access point and switch?

    Hello everybody,
    I am a bit confused about cisco 1000 series access point connection. On wireless lan controller and lightweight access point basic configuration example document id 69719 (http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a0080665cdf.shtml), I understood the access point has two vlans associated with (vlan 3 and 4). Am I correct?
    Why is the connection between the access point and the catalyst port just an access port rather than an 802.1q trunk? How can vlan traffic traverse from the access point to the controller?
    Please advise.
    Many thanks,
    Nitass

    Nitass,
    The AP itself does not need to be a trunked port, but the uplink to the controller does. When using a Lightweight environment, all the traffic passes through an encrypted LWAPP tunnel from the AP to the controller, and then gets sent out the correct VLAN interface on the controller.

  • Problem with application modules and switching from 2 tier to 3 tier mode

    Hello,
    I've got an application in 2 tier mode. Now I wanted to switch to 3 tier mode but get a class cast exception. It has turned out that panelBinding.getApplication().getApplicationModule().findApplicationModule returns <ModuleName>Impl in 2 tier mode and oracle.jbo.client.remote.ApplicationModuleImpl in 3 tier mode. But searching for the module name with panelBinding.getApplication().getApplicationModule().getApplicationModuleNames() returns the right names in both 2 tier and 3 tier mode. Does anybody know a way to access <ModulName>Impl in 3 tier mode?

    This is the reason that the BC4J project will create an <appmodulename>AM interface and a <appmodulename>AMClient Implementation that you include on the client side if you expose any methods in your app module. You should access them by casting it to the interface, NOT the appModuleImpl class. If you stick to using the interface, then you should be fine.
    So to keep your implementation flexible, you should do this on the client to access your custom methods on your app module:
    The BC4J project should generate the following classes:
    AppModule Name = MyCustomAM.xml
    AppModule Implementation = MyCustomAMImpl.java
    Custom AppModule Interface = /common/MyCustomAM.java
    Custom clientside AppModule Implementation = /client/MyCustomAMClient.java
    On the client, do the following:
    import my.bc4j.model.package.common.MyCustomAM;
    // Call custom method on App module
      MyCustomAM am = (MyCustomAM) panelBinding.getDataControl().getApplicationModule();
      am.myCustomMethod(someParams);
    Hope this helps.
    Erik

  • Clean access server and wireless users

    Hi,
    The AP has several vlans (employee, guest). There is a trunk up to the switch and all l3 vlan interfaces are created on the switch.
    I would like to add a clean access server.
    1) Besides the configuration of the clean access server, do I just need to move the l3 vlan interface from the switch to the clean access server untrusted interface?
    2) Is the ip address of the trusted interface on the clean access server a trunk too?
    Thank you,
    Best regards,
    Pascal

    I think yes. The ip address of the trusted interface on the clean access server needs to be configured as a trunk too. This is up to my knowledge.

  • AnyConnect Network Access Manager and Windows 10

    Hello,
    I'm currently testing Windows 10 for a client that uses AnyConnect NAM (without VPN) to manage his wired and wireless corporate networks.
    After some tests with the latest 3.1 version, it seems that NAM is breaking something in Windows 10 Tech Preview.
    Immediately after the installation, trying to start an application as an Administrator doesn't allow me to enter user credentials anymore and at the logon screen, I can only use a Microsoft Account. I'm unable to enter my Domain credentials.
    Any idea on how to prevent this?
    Regards,
    Gerald

    For info, newest version 3.1.07021 fixed the problem.
    NAM is now working correctly on Windows 10 Tech Preview.

  • Cisco ACS 4.2.1.15 for Windows and Network Access Profiles

    We are attempting to configure ACS 4.2.1.15 on a Windows Server 2008 Member Server. Initially I only have the need to authenticate Network Admins for device administration and authenticate Windows AD groups using PEAP authentication. The general problem that I am having is that if I configure a Cisco 1200 Access Point for PEAP and also set up the Access Point for Radius authentication pointed to the ACS server, it always maps to the first Network Access Profile and, rather than trying the second, it will error saying some condition is not met, depending on what changes I make. Can someone tell me what criteria are used to determine what NAP is used? According to the manual if all 4 criteria are not met then the Profile will not apply.
    I am using one ACS group that is mapped to an AD group for Wireless Access and a second ACS group mapped to an AD group that includes the Net Admins. This group mapping appears to be working, as the user group name seems to be mapped correctly in the logs. In short I have tried configuring the Wireless NAP to only allow EAP authentication using PEAP EAP-MSCHAPv2 and the Netadmins profile to include all protocols. Basically what happens is if I have the Wireless NAP first it works fine for PEAP authentication on Wireless, but if I try to administer the access point and provide credentials I get a message in the failed log that the authentication profile is not allowed in this Network Access Profile. Why does this not just go on to the next Network Access Profile?
    I am familiar with version 3.2 but it does not seem to work the same.
    Any help would be appreciated on what I am missing.
    Thanks

    Hi Surenda,
    Thanks for your reply. Nope, there is no WLC yet, but the WLC will be installed shortly.
    Thanks,
    Jean Paul

  • Time Capsule Access Control and Extended Network Question

    I have a Time Capsule where I have set up a wireless network access list…and extended the network using an Airport Express unit. The Airport Express unit also has settings for an Access Control list. Do these need to be the same as those for the network from TC that it is extending…or does that happen automatically…and if not what on earth are they for?
    Thanks for any help…this doesn't seem clear from what I've read/seen.
    James

    I have a Time Capsule where I have set up a wireless network access list…and extended the network using an Airport Express unit. The Airport Express unit also has settings for an Access Control list. Do these need to be the same as those for the network from TC that it is extending…or does that happen automatically…and if not what on earth are they for?
    Unfortunately, they are not automatically applied to each base station in an extended network. You would have to manually enter the exact same list in each base station.

  • Switching users and get white screen

    I have now had this happen twice, and it seems to be a Mountain Lion flaw. I am either logged in and switch users; or I am logged in, it goes to sleep, I wake it, and then switch users. I cannot isolate it completely, but I get a white screen. I am able to move my mouse, but everything is white. I eventually have to just shut it down. I have reset my PRAM, and at a later time even unplugged my computer for a little and rebooted. It takes a few days to get it to reoccur. I think it is isolated to the following scenario, but not positive: I am working on my user, leave my computer, come back and it is asleep, wake it from sleep, and then switch user, and then WHITE SCREEN where the mouse cursor can be moved. I am using a Mid 2010 iMac.
    Please Help,
    Sam

    The 10.8.1 seems to have fixed it from locking up completely, but the transitions between users are still slower than Lion. At least no freezing up yet.
