RDP with 802.1x, machine and user auth and dynamic VLAN

Similar Messages

• 802.1x Machine and User Auth Vlan assignments

  I have machine and user auth working between Win2K PC and ACS 3.3 but not sure how to best use the Vlan assignment feature. I use Vlans for different departments and if I assign a vlan in ACS to a machine when it authenticates but the user is assigned to a different Vlan, I don't get a renewed IP.
  Here is how it's working now:
  1. Machine authenticates to ACS and assigned to a Vlan
  2. User logs in and if they are assigned to the same Vlan as the machine, works fine. If assigned to another vlan, the switchport does get changed but the PC still has an IP from the initial Vlan it was assigned to. Releasing and renewing doesn't work but I really don't expect it to.
  So, I figure the solution to this is just not set a per user vlan and only set it per machine. But, the group mapping in ACS looked like a great way to assign Vlans based on a user's Active Directory group but it doesn't appear to recognize the different computer OU's we have. So I can assign vlan's based on user groups but not computer groups. As machines are added to ACS, I could change them to an ACS group with the Vlan set but this would be a lot more work than an automated method like unknown user policy.
  So, how are others assigning machines to vlans in large multi-vlan networks using ACS and 802.1x?

  By default users and computers belong to different global groups. "Domain Users" vs. "Domain Cmpouters" for example.
  As for your example, it seems like you have a misbehaving supplicant, and authentication is attempting and then timing out and starting over .. that never actually gets to fail, so the auth-fail stuff won't help.
  Note: A good way to troubleshoot this is to notice it in action via show command:
  Here's an example of what you should see on a switch port.
  AuthSM State = State of the 802.1X Authenticator PAE state machine
  VALUES:
  AUTHENTICATED -- Auth Succeeded
  AUTHENTICATING -- Auth is attempting
  CONNECTING -- Dot1x is up and configured and trying to locate a supplicant.
  HELD -- Auth probably failed.
  BendSM State = State of the 802.1X back-end authentication state machine
  VALUES:
  IDLE -- Nothing is happening.
  REQUEST -- Switch sent some EAP data to AAA, and is waiting to get something back.
  RESPONSE -- AAA sent the switch back some data, and the switch in turn asked the supplicant for more data.
  NOTE: You should rarely see the RESPONSE state above. If you see it for more than a second or so i nthe middle of an auth attempt, that's a smoking gun that you might have a mis-behaving supplicant, b/c it shouldn't take that long to send an EAPOL frame. The switch will eventually time out, and start auth over.
  Hope this helps,

• After power down and a cold restart, I automatically restart in my Administrator Account.  Running 10.8.4 with one Administrator account, one user account and one guest account.  Recently downloaded and installed 3rd party software (Panorama).

  After power down and a cold restart, I automatically restart in my Administrator Account.  Running 10.8.4 with one Administrator account, one user account and one guest account.  Recently downloaded and installed 3rd party software (Panorama).  Installation required that I create a super user named Other with root privileges. I did so and successfully installed the 3rd party software.  I powered down a few days late and when I restarted, I went automatically to my Administrator account with no login password required.  I deleted the Other account, powered down and restarted with the same result - opened in Administrator.   I then followed the steps to disable root user, powered down, cold restart - same result, opened in Administrator account.
  Any suggestions?  Any thoughts?  Much appreciate any help you might offer.
  jtsinphl

  Welcome to Apple Support Communities
  Disable automatic login. Open System Preferences > Users and Groups > Login Options, press the padlock at the bottom left corner, and select "Off" next to "Automatic login"

• Win 7 client with machine and user auth stuck in 802.1x_REQD

  Hi everybody
  we have a WLC 5508 with 7.2.110.0 and an ACS 5.3 and do the following:
  - Win 7 client gets a GPO object with the wlan configuration for "Machine and User authentication" with PEAP
  - On ACS 5.3 I configured correctly the authentication and authorization for first machine authentication and then user authentication ("Was machine authenticated = true)
  - First when machine authentication happens, the client is configured into a quarantine VLAN, where it is only allowed to communicate with the domain controllers
  - When the user authenication happens, the client is moved into the productive client vlan with no restrictions.
  Everything works fine, except that after the user loggs in, it takes about 3 minutes until the client answers the EAP Identity Request and loggs in, see attached screenshot or the screenshot below:
  In the client status on WLC i can see that the client is stuck in the 802.1x_REQD state for these 3 minutes, until suddenly it authenticates (but then very often, about 5 times - see screenshot).
  We tried the following to find the problem spot. but we were not able to locate the problem:
  - Configure the machine and user authentication into the same vlan all the time
  - ONLY user authentication on the client
  - Played with the Win 7 settings (timers, and so on)
  - When we manually configured the WLAN profile on the Win 7 client and saved it, the Win 7 client connected to the SSID without any problems and without any delay (about 5 seconds after the save)
  Did someone ever had the same issue?
  Thanks a lot and best regards
  Dominic

  Hi Amjad
  very good point on this, thanks a lot. In this case, I did not even think about the client firmware side, thought that I should be the WLC or the client settings, but not the driver. We will give a shot on this next week, maybe this will help us to solve the problem.
  It is normal to have the clietn in 802.1x_REQD if it is not yet authenticated and that is the expected state to be at in your situation untlil the client fully authenticates.
  Absolutely correct that the client is associated and in the 802.1x_REQD state as long as the authenticator did not get the EAP identity Response, but that the client takes such a long time to answer is not normal ;-)
  - What is the supplicant that is used on the windows machines? default WLAN supplicant? or you use some commercial supplicants?
  WZC.
  - what is the result when testing with user auth only?
  The same, it takes such a long time.
  - what ist he result when testing with machine auth only?
  Machine authentication works as expected, fast and as soon as the client is booted, the client gets authenticated.
  Regards and have a nice weekend
  Dominic

• 802.1x with machine and user auth

  Q: What happens if a user passes machine authentication but fails user authentication when performing 802.1x?
  A: In AOS dot1x profile, we have an option to enforce machine authentication.
  When enabled, we can be in more control of the devices that have passed/failed machine/user authentication.
  Once a user has passed machine authentication, by default the client will fall under the role configured in "Machine Authentication: Default Machine Role" under dot1x profile.  
  Below is an example which shows the client has passed only machine authentication but user authentication is not yet initiated. 
  (Aruba3400) #show user-table
  Users
      IP             MAC            Name     Role      Age(d:h:m)  Auth        VPN link  AP name            Roaming   Essid/Bssid/Phy               Profile  Forward mode  Type  Host Name
  10.17.169.92  3c:a9:f4:7f:84:54  test      guest     00:00:00    8021x-Machine            18:64:72:c6:d7:28  Wireless  akhil/18:64:72:ed:72:80/g-HT  akhil    tunnel  
  There are scenarios where the clients will pass machine authentication, but for some reason will fail user authentication. In this scenario, clients will not be present in the user-table of the controller anymore. 
  When a client fails user authentication irrespective of passing/failing machine authentication, controller will send a deauth to the client and remove the entry from the user-table.

  Hi Amjad
  very good point on this, thanks a lot. In this case, I did not even think about the client firmware side, thought that I should be the WLC or the client settings, but not the driver. We will give a shot on this next week, maybe this will help us to solve the problem.
  It is normal to have the clietn in 802.1x_REQD if it is not yet authenticated and that is the expected state to be at in your situation untlil the client fully authenticates.
  Absolutely correct that the client is associated and in the 802.1x_REQD state as long as the authenticator did not get the EAP identity Response, but that the client takes such a long time to answer is not normal ;-)
  - What is the supplicant that is used on the windows machines? default WLAN supplicant? or you use some commercial supplicants?
  WZC.
  - what is the result when testing with user auth only?
  The same, it takes such a long time.
  - what ist he result when testing with machine auth only?
  Machine authentication works as expected, fast and as soon as the client is booted, the client gets authenticated.
  Regards and have a nice weekend
  Dominic

• Windows 7 Wireless Logon - Problems with 802.1X Machine & User Authentication

  Hello All,
  We’ve had difficulty with our Windows 7 clients authenticating to our wireless network. I’m hoping someone out there has experienced the same thing and can offer some help.
  Some info about our environment:
  Single Windows 2008 R2 domain with 6 DCs
  MS Radius server
  Aruba wireless controllers
  The Problem:
  The client computer boots,
  Auths as machine (802.1X successful)
  User enters creds
  User auth (802.1X successful)
  To this point, everything is working normally. Next is where it gets weird.
  During the logon process, there is another machine auth
  2-5 minutes later another User auth
  OS is up and usable (connected to wireless network); however, no homefolder is mapped and GPP didn’t apply properly.
  From what I understand, after the user has logged in, Windows never attempts another machine authentication. When the user logs out, Windows can attempt it.
  Can anyone offer some insight to what is causing this? I have logs available if anyone is interested.
  Thanks in advance for any help you can offer!
  Brett
  -- Brett

  I did a network trace to gain more insight. I don’t understand why after 802.1X auth is successful on port 1, it then initiates 802.1X auth on port 2.
  Can you offer any insight?
  10487    3:50:19 PM 8/23/2012    63.0340126                                                         
  ONEX_MicrosoftWindowsOneX                ONEX_MicrosoftWindowsOneX:Port(1 (0x1)): Authentication Starting   {ONEX_MicrosoftWindowsOneX:126, NetEvent:5}
  10867    3:50:19 PM 8/23/2012    63.3403904                                                         
  ONEX_MicrosoftWindowsOneX                ONEX_MicrosoftWindowsOneX:Port(1 (0x1)): Time taken for this authentication = 281 (0x119) ms               
  {ONEX_MicrosoftWindowsOneX:126, NetEvent:5}
  Then >>>
  11718    3:50:35 PM 8/23/2012    79.3196653                                                         
  ONEX_MicrosoftWindowsOneX                ONEX_MicrosoftWindowsOneX:OneXDestroySupplicantPort     {ONEX_MicrosoftWindowsOneX:126, NetEvent:5}
  11938    3:50:36 PM 8/23/2012    80.0530315                                                         
  ONEX_MicrosoftWindowsOneX                ONEX_MicrosoftWindowsOneX:Finished initializing a new port with id=2 (0x2) and friendly name=Dell Wireless 1504 802.11b/g/n (2.4GHz)         
  {ONEX_MicrosoftWindowsOneX:126, NetEvent:5}
  11959    3:50:36 PM 8/23/2012    80.0556734                                                         
  ONEX_MicrosoftWindowsOneX                ONEX_MicrosoftWindowsOneX:OneXStartAuthentication           {ONEX_MicrosoftWindowsOneX:126,
  NetEvent:5}
  11964 3:50:36 PM 8/23/2012
  80.0557074 svchost.exe (1036)
  ONEX_MicrosoftWindowsOneX ONEX_MicrosoftWindowsOneX:Port(2 (0x2)): Starting a new 802.1X authentication (MSM initiated)
  11965 3:50:36 PM 8/23/2012
  80.0557333 svchost.exe (1036)
  ONEX_MicrosoftWindowsOneX ONEX_MicrosoftWindowsOneX:Port(2 (0x2)): Authentication Starting
  -- Brett

• 802.1x machine vs user authentication

  In the process of depolying 802.1x on wired LAN. What is the difference between machine authentication and user authentication? Thanks in advance.

  OK, so assuming we're still talking the MSFT supplicant, you have some options:
  1) USe EAP-TLS and mark any certs deployed to your corporate-owned assets and non-exportable. This solves the issue by brute force. You don't exactly need machine-authentication to do this. You may need machine-auth for other reasons (as I believe we've discussed here).
  2) If PEAP is in use, use the machine-auth and the Machine-Access-Restriction feature in ACS. What this does is a coupling of the notions of machine-auth as a preceeding policy decision for user-auth. Example: It is technically possible that anyone with a valid NT account may be able to 802.1x-authenticate from "any" machine. But with the machine-access-restriction feature, they will only be able to do so if ACS has also authenticated a valid machine-auth session prior to the login attempt.
  3) Use a NAR in ACS. A NAR is a Network Access Restriction. If for example, you have a database of all the MAC Addresses you have (or an OID wildcard) you can configure further checking of a MAC address from an otherwise valid 802.1x authentication attempt. This effectively tells ACS to only allow authentication attempts from MAC Addresses it knows about.
  Hope this helps.

• 802.1x, Machine Authentication, Active Directory and eDirectory

  Does anyone think this is feasible as a solution...
  Problem Definition.
  1) Machines all use the netware Client and authenticate to eDirectory initially, then to AD.
  2) I want to use ACS, not Free Radius.
  3) I don't want to use a 3rd party supplicant.
  Possible solution...
  Does anyone think it might be possible to authenticate a machine using a certificate into AD before the user logs in using the netware client. My thinking being this... the user (or machine in this case) will have already been identified as trusted (through AD), will be connected to the network when the user submits their netware credentials. This would mean that netware could be left out of the 802.1x process completely and yet the user would still get a single sign on experience.

  I did. Basically the scenrio I described in the original post worked.
  The only caveat is that user auth still occurs through 802.1x once you submit the user credentials. There are regestry hacks which disable this if you solely want to use machine auth.
  hope this helps

• I try to sign with the right pass word and user name and I don't get anything

  I have a new computer (hp) I put icloud on it now I am trying to sign in on icloud but when I put my user name and pass word in nothing happens.

  No error message?

• OD settings and users backup and restore

  Hi,
  due a bug found on MacOS 10.4.9 (confirmed to me by Apple Italy) I need to reinstall a clean 10.4.7 server and to restore all the entire settings and users of the previous server. How I can backup on the old server the entire server settings, and all the user/password database, and restore it easy?
  I have OD running, with no Kerberos, and a lot of preferences for the remote user's desktop.
  Is possible?
  TIA
  MacBookPro 2.33 Ghz   Mac OS X (10.4.9)  

  Ciao Gianluca
  due a bug found on MacOS 10.4.9 (confirmed to me by
  Apple Italy) I need to reinstall a clean 10.4.7
  server and to restore all the entire settings and
  users of the previous server. How I can backup on the
  old server the entire server settings, and all the
  user/password database, and restore it easy?
  Not sure what you mean by this but if Apple Italy have confirmed it then who am I to argue? Server Admin allows you to save property lists (.plists) from the GUI itself. On each service settings that is configured and running just above the save button is a small icon, click and hold and drag it to the desktop or a memory stick etc. You can then use these property lists to configure your server later on. Alternatively if you are planning to deploy a second server you can make this a replica of the first one and when the first one is decommissioned promote it to Master. If you have made changes to host files and config files manually or using terminal then these too can be copied over, just stop the services first.
  I have OD running, with no Kerberos, and a lot of
  preferences for the remote user's desktop.
  You can archive the LDAP Directory and Authentication database anywhere you like. Users (not diradmin) and Groups can be exported (passwords do not carry over). Likewise home folders can be transferred although this could be a problem later on especially if the path name does not match exactly so make a note of the existing one. One thing you should not do is to transfer the property list for Open Directory as this does not work. You really need to promote the new server to Open Directory Master and work from there. Managed Preferences do not transfer over either, but these can easily be applied later on, take snap shots of any pertinent settings and use these for reference. One more tip: take your time, have a fallback position just in case ie: invest in a firewire drive or better still a second internal drive and clone the existing server to that. You can use CarbonCopyCloner (www.bombich.com) or apple’s own disk utility using the restore feature. Hope this helps
  Is possible?
  ma certo e possibile come no?

• WLC 5508: 802.1 AAA override; Authenication success no dynamic vlan assignment

  WLC 5508: software version 7.0.98.0
  Windows 7 Client
  Radius Server:  Fedora Core 13 / Freeradius with LDAP storage backend
  I have followed the guide at http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml with respective to building the LDAP and free radius server.  802.1x authorization and authenication correctly work.  The session keys are returned from the radius server and the wlc send the appropriate information for the client to generate the WEP key.
  However, the WLC does not override the VLAN assignment, even though I was to believe I set everything up correctly.  From the packet capture, you can see that verfication of client is authorized to use the WLAN returns the needed attributes:
  AVP: l=4  t=Tunnel-Private-Group-Id(81): 10
  AVP: l=6  t=Tunnel-Medium-Type(65): IEEE-802(6)
  AVP: l=6  t=Tunnel-Type(64): VLAN(13)
  I attached a packet capture and wlc config, any guidance toward the attributes that may be missing or not set correctly in the config would be most appreciated.

  Yes good catch, so I had one setting left off in freeradius that allowed the inner reply attributes back to the outer tunneled accept.  I wrote up a medium high level config for any future viewers of this thread:
  The following was tested and verified on a fedora 13 installation.   This is a minimal setup; not meant for a "live" network (security issues  with cleartext passwords, ldap not indexed properly for performance)
  Install Packages
  1.  Install needed packages.
  yum install openldap*
  yum install freeradius*
  2.  Set the services to automatically start of system startup
  chkconfig --level 2345 slapd on
  chkconfig --level 2345 radiusd on
  Configure and start LDAP
  1.  Copy the needed ladp schemas for radius.  Your path may vary a bit
  cp /usr/share/doc/freeradius*/examples/openldap.schema /etc/openldap/schema/radius.schema
  2.  Create a admin password for slapd.  Record this password for later use when configuring the slapd.conf file
  slappasswd
  3.  Add the ldap user and group; if it doesn't exisit.  Depending on the install rpm, it may have been created
  useradd ldap
  groupadd ldap
  4.  Create the directory and assign permissions for the database files
  mkdir /var/lib/ldap
  chmod 700 /var/lib/ldap
  chown ldap:ldap /var/lib/ldap
  5.  Edit the slapd.conf file.
  cd /etc/openldap
  vi slapd.conf
  # See slapd.conf(5) for details on configuration options.
  # This file should NOT be world readable.
  #Default needed schemas
  include        /etc/openldap/schema/corba.schema
  include        /etc/openldap/schema/core.schema
  include        /etc/openldap/schema/cosine.schema
  include        /etc/openldap/schema/duaconf.schema
  include        /etc/openldap/schema/dyngroup.schema
  include        /etc/openldap/schema/inetorgperson.schema
  include        /etc/openldap/schema/java.schema
  include        /etc/openldap/schema/misc.schema
  include        /etc/openldap/schema/nis.schema
  include        /etc/openldap/schema/openldap.schema
  include        /etc/openldap/schema/ppolicy.schema
  include        /etc/openldap/schema/collective.schema
  #Radius include
  include        /etc/openldap/schema/radius.schema
  #Samba include
  #include        /etc/openldap/schema/samba.schema
  # Allow LDAPv2 client connections.  This is NOT the default.
  allow bind_v2
  # Do not enable referrals until AFTER you have a working directory
  # service AND an understanding of referrals.
  #referral    ldap://root.openldap.org
  pidfile        /var/run/openldap/slapd.pid
  argsfile    /var/run/openldap/slapd.args
  # ldbm and/or bdb database definitions
  #Use the berkely database
  database    bdb
  #dn suffix, domain components read in order
  suffix        "dc=cisco,dc=com"
  checkpoint    1024 15
  #root container node defined
  rootdn        "cn=Manager,dc=cisco,dc=com"
  # Cleartext passwords, especially for the rootdn, should
  # be avoided.  See slappasswd(8) and slapd.conf(5) for details.
  # Use of strong authentication encouraged.
  # rootpw        secret
  rootpw      
  {SSHA}
  cVV/4zKquR4IraFEU7NTG/PIESw8l4JI  
  # The database directory MUST exist prior to running slapd AND
  # should only be accessible by the slapd and slap tools. (chown ldap:ldap)
  # Mode 700 recommended.
  directory    /var/lib/ldap
  # Indices to maintain for this database
  index objectClass                       eq,pres
  index uid,memberUid                     eq,pres,sub
  # enable monitoring
  database monitor
  # allow onlu rootdn to read the monitor
  access to *
           by dn.exact="cn=Manager,dc=cisco,dc=com" read
           by * none
  6.  Remove the slapd.d directory
  cd /etc/openldap
  rm -rf slapd.d
  7.  Hopefully if everything is correct, should be able to start up slapd with no problem
  service slapd start
  8.  Create the initial database in a text file called /tmp/initial.ldif
  dn: dc=cisco,dc=com
  objectClass: dcobject
  objectClass: organization
  o: cisco
  dc: cisco
  dn: ou=people,dc=cisco,dc=com
  objectClass: organizationalunit
  ou: people
  description: people
  dn: uid=jonatstr,ou=people,dc=cisco,dc=com
  objectClass: top
  objectClass: radiusprofile
  objectClass: inetOrgPerson
  cn: jonatstr
  sn: jonatstr
  uid: jonatstr
  description: user Jonathan Strickland
  radiusTunnelType: VLAN
  radiusTunnelMediumType: 802
  radiusTunnelPrivateGroupId: 10
  userPassword: ggsg
  9.  Add the file to the database
  ldapadd -h localhost -W -D "cn=Manager, dc=cisco,dc=com" -f /tmp/initial.ldif
  10.  Issue a basic query to the ldap db, makes sure that we can request and receive results back
  ldapsearch -h localhost -W -D cn=Manager,dc=cisco,dc=com -b dc=cisco,dc=com -s sub "objectClass=*"
  Configure and Start FreeRadius
  1. Configure ldap.attrmap, if needed.  This step is only needed if we  need to map and pass attributes back to the authenicator (dynamic vlan  assignments as an example).  Below is an example for dynamic vlan  addresses
  cd /etc/raddb
  vi ldap.attrmap
  For dynamic vlan assignments, verify the follow lines exist:
  replyItem    Tunnel-Type                                   radiusTunnelType
  replyItem    Tunnel-Medium-Type                   radiusTunnelMediumType
  replyItem    Tunnel-Private-Group-Id              radiusTunnelPrivateGroupId
  Since we are planning to use the userpassword, we will let the mschap  module perform the NT translations for us.  Add the follow line to  check ldap object for userpassword and store as Cleartext-Password:
  checkItem    Cleartext-Password    userPassword
  2.  Configure eap.conf.  The following sections attributes below  should be verified.  You may change other attributes as needed, they are  just not covered in this document.
  eap
  {      default_eap_type = peap      .....  }
  tls {
      #I will not go into details here as this is beyond scope of  setting up freeradisu.  The defaults will work, as freeradius comes with  generated self signed certificates.
  peap {
      default_eap_type = mschapv2
      #you will have to set this to allowed the inner tls tunnel  attributes into the final accept message
      use_tunneled_reply = yes
  3.  Change the authenication and authorization modules and order.
  cd /etc/raddb/sites-enabled
  vi default
  For the authorize section, uncomment the ldap module.
  For the authenicate section, uncomment the ldap module
  vi inner-tunnel
  Very importants, for the authorize section, ensure the ldap module is first, before mschap.  Thus authorize will look like:
  authorize
  {      ldap      mschap      ......  }
  4.  Configure ldap module
  cd /etc/raddb/modules
  ldap
  {        server=localhost       identify = "cn=Manager,dc=cisco,dc=com"        password=admin       basedn="dc=cisco,dc=com"       base_filter =  "(objectclass=radiusprofile)"       access_attr="uid"       ............   }
  5.  Start up radius in debug mode on another console
  radiusd -X
  6.  radtest localhost 12 testing123
  You should get a Access-Accept back
  7.  Now to perform an EAP-PEAP test.  This will require a wpa_supplicant test libarary called eapol_test
  First install openssl support libraries, required to compile
  yum install openssl*
  yum install gcc
  wget http://hostap.epitest.fi/releases/wpa_supplicant-0.6.10.tar.gz 
  tar xvf wpa_supplicant-0.6.10.tar.gz
  cd wpa_supplicant-0.6.10/wpa_supplicant
  vi defconfig
  Uncomment CONFIG_EAPOL_TEST = y and save/exit
  cp defconfig .config
  make eapol_test
  cp eapol_test /usr/local/bin
  chmod 755 /usr/local/bin/eapol_test
  8.  Create a test config file named eapol_test.conf.peap
  network=
  {   eap=PEAP  eapol_flags=0  key_mgmt=IEEE8021X  identity="jonatstr"   password="ggsg"  \#If you want to verify the Server certificate the  below would be needed   \#ca_cert="/root/ca.pem"  phase2="auth=MSCAHPV2"   }
  9.  Run the test
  eapol_test -c ~/eapol_test.conf.peap -a 127.0.0.1 -p 1812 -s testing123

• Cisco WLC + ACS + AD for Machine AND User auth...

  So I am trying to implement an SSID that requires a machine to be a domain member, AND require the user to provide username/password credentials before being allowed on that SSID.
  I am reading that it is possible, but can't find a clear config on how it is supposed to be setup... read about Machine Access Restrictions as being part of the config.
  Any help here?
  WLC 7.6 and ACS 5.5
  -g

  We are testing ISE with EAP chaining. It allows you to validate the company device (laptop) is joined to the domain and then the user credentials. However this requires EAP-FAST and the Cisco Anyconnect client. There is a group set up to look at EAP-TEAP. This will allow for standardize "chaining"
  http://tools.ietf.org/html/draft-ietf-emu-eap-tunnel-method-01#page-5

• Time Machine Restore - User Profile and System on two drives

  Hello,
  I need some help and I think here's the best place to get it.  I need to do a restore from Time Machine to a new system.
  My old (2008) Mac Pro as "died" and after having the nice people at the Mac Store look at it, I realized that it would be cheaper to buy a used system than to repair mine.  My CPUs are dead (2000$ to get them replaced) and one of my Raid 0 drive is dead too.   
  Old system:
  2008 Mac Pro 2.8 ghz (with Raid Card)
  Drive 1:  OCZ  (SSD drive) ---> System
  Drive 2:  Raid 0 (wiht Apple Raid card) ---> User profile
  New system:
  2008 Mac Pro 3.2 ghz (NO raid card)
  Drive 1: OCZ (Same from previous)
  Drive 2: 500 Gb (which came with the new system)
  Now I have done the Time Machine already but it only brought me back to the same point.   I have renamed the Drive 2 in the "new" system to "Raid 0" as it was the name it had in the previous system and it allowed me to logging to the system but I do not have any of my data on it.
  How could I restore my User Profile to Drive 2 on the New system ?
  Hopefully this isn't too confusing.
  Thanks for all the help.
  Richard

  The "full restore" from Time Machine is only for OSX drives.
  For data-only drives, use the Time Machine browser (the "Star Wars" display).  See Time Machine - Frequently Asked Question #15.
  Depending on your setup, you may also want to review Transferring Home Folders not on a Startup volume.

• How to Create a connection and User Seesion and Authentificate Session

  Hi
      I would like that someone provide my the code to set a connection with MDM through the MDM Java APIS SP6 Patch2. I need to connect with the repository, and authentificate the User and the Password. Furthermore I would need the code to pick up events like add record and modified record. When a record is added or modified is neccesary to pick up the value of a lookup field in the main table to check that this value is a specific value in order to syndicate this record. That´s possible that someone provide this code to me.
  thanks in advance.  If the reply is useful there will be rewards Points.

  Hi,
  Check this out
  ConnectionAccessor simpleConnection=null;
  RepositorySchema repSchema=null;
  RepositoryIdentifier repIdentifier=null;
  DBMSType dbmsType = DBMSType.MS_SQL;
  String session=null;
  String connection = "MDM_SERVER_PROD";
  String repository  = "TEST_REP";
  simpleConnection = SimpleConnectionFactory.getInstance(connection);
  repIdentifier = new RepositoryIdentifier(repository, connection, dbmsType);
  RegionProperties dataRegion = getRegion();
  CreateUserSessionCommand createUSesCmd = new CreateUserSessionCommand(simpleConnection);
  createUSesCmd.setDataRegion(dataRegion);
  createUSesCmd.setRepositoryIdentifier(repIdentifier);
  createUSesCmd.execute();
  session = createUSesCmd.getUserSession();
  AuthenticateUserSessionCommand authUSesCmd = new AuthenticateUserSessionCommand(simpleConnection);
  authUSesCmd.setSession(session);
  authUSesCmd.setUserName("Admin");
  authUSesCmd.setUserPassword("pass123");
  authUSesCmd.execute();
  GetRepositorySchemaCommand getRepSchCmd = new GetRepositorySchemaCommand(simpleConnection);
  getRepSchCmd.setSession(session);
  getRepSchCmd.execute();
  Just put all the execute statements within try catch block
  Regards,
  Jitesh Talreja

• Unable to authorize user using AccessControlService and user.roles and user.privileges are not set properly

  Hi,
  I am trying to enable/disable a feature based on user.roles.
  Added a constraint for that feature as below,
      <adfmf:constraints>
        <adfmf:constraint property="user.roles" operator="contains" value="manager" id="c1"/>
      </adfmf:constraints>
  In this case, Users have manager role should be able to access this feature.
  My AccessControlService response is
  {"userId" : "sales_mgr","roles" : [ "manager","MOO_OPPORTUNITY_SALES_MANAGER_DUTY","ZBS_ENT_SALES_MANAGER_DUTY"],"privileges" : [ "managerPriv","ZSF_DEFINE_SALES_FORECAST_PRIV","MOO_MANAGE_OPPORTUNITY_GROUP_SPACE_PRIV"]}
  Repsonse has "manager" as one such role.
  After adding constraint to the feature, am unable to access it.
  I tried many possibilities like  operator="contains" or "not" or "equal", but no use.
  I don't know what is going wrong. Appreciate you help.
  Thanks.

  If you are on 11.5.10 or greater or standalone 2.6.4 if you pass the responder value to wf_notification.respond API it should be updated in wf_notifications.responder column. The comments is now updated in wf_comments table against the notification id and not wf_notifications.user_comment column.
  Thanks, Vijay