Reg Re-authentication for Tcode access

Similar Messages

• Radius authentication for privileged access

  Hello,
            I have configured Cisco 6513 for radius authentication with following commands.
  aaa new-model
  aaa authentication login authradius group radius line
  aaa accounting exec acctradius start-stop group radius
  radius-server host <radius-ip> auth-port 1812 acct-port 1646 key 6912911
  line vty 0 4
  accounting exec acctradius
  login authentication authradius
       This is working pretty fine. I want to configure radius authentication for priviledged access / for enable access.
       I am using TeKRadius as Radius server.
       Please help.
  Thanks and Regards,
  Pratik

  Hi Pratik
  Sorry I mostly use only TACACS+ for AAA as it provides better granularity of access controls.
  You'll need to make some specific changes to your RADIUS config so that nominated users ( the ones you want to be able to go to enable mode ) get put straight into enable mode upon login.
  There's a guide here http://www.blindhog.net/cisco-aaa-login-authentication-with-radius-ms-ias/ which details the steps if you're using the Microsoft IAS radius server - you should be able to figure out that changes you need to make to your own server from there.
  Nick
  Message was edited by: NickNac79 - Spelt the OP's name wrong, sorry.

• User Authentication for Internet access

  Hi,
  Is it possible to configure authentication for internal (LAN) users to Authenticate (local/RADIUS/LDAP) for any kind of internet access through the ISA550/570? (like cut-through authentication proxy in ASA.)
  And Can the ISA550/570 act as a Web proxy?
  Thanks in advance.

  HI Sulu,
  You can configure captive portal for internal LAN users to authenticate (local/Radius/LDAP) for internet
  access through ISA500. (see attached screenshot)
  ISA500 cannot act as a web proxy. what is your use case ?
  Regards,
  Wei

• Need Authentication for SMTP Access

  I have this Java program (SendMail.java) for sending email; however, my ISP requires authentication for SMTP server access, i.e. I receive a 550 Authentication Required error. Does anyone know how to go about coding authentication into a program like SendMail so that the userID and password can be sent back to the server?
  * SendMail.java
  * Created on July 13, 2005, 8:09 PM
  * To change this template, choose Tools | Options and locate the template under
  * the Source Creation and Management node. Right-click the template and choose
  * Open. You can then make changes to the template in the Source Editor.
  * @author Owner
  // SendMail by Tony Swain.
  // Send mail via SMTP
  // To do Appletisize it.
  import java.io.BufferedReader;
  import java.io.FileInputStream;
  import java.io.InputStreamReader;
  import java.io.PrintStream;
  import java.net.Socket;
  import java.util.StringTokenizer;
  import java.net.Authenticator;
  import java.net.*;
  // To do. Finish multiThreading &| write que Thread.
  // this programs sends mail Via SMTP as defined in RFC 821.
  // ftp://ftp.isi.edu/in-notes/rfc821.txt
  public class SendMail   
  Object mailLock              = null;  //In case we want a multi-threaded mailer
  public String mailServerHost = "";
  public String from           = "";
  public String to             = "";
  public String replyTo        = "";
  public String subject        = "Java is Fun";
  public String mailData       =
     "HyperSendMail";
  public String errorMsg = "";
  public Socket mailSendSock = null;
  public  BufferedReader inputStream = null;
  public PrintStream outputStream    =  null;
  public String serverReply          = "";
  SendMail()
     // Doesn't do anything but we need this for extension purposes.
  // Server, from,to,subject, data
  SendMail(String server,String tFrom,String tTo,String sub,String sendData)
     mailServerHost = server;
     mailLock=this; // Thread Monitor passed constructor later. Default this Monitor.
     from = tFrom;
     to   = tTo;
     if(sendData != null)
        mailData = sendData; 
  /*  Just a note to remind myself to add this for cross app./Applet & Runnable.
     & Threadsafe readLine()  I'm too lazy ATM
  SendMail()
     if(mailLock != null)
        if(mailLock instanceof Applet)
           Applet app = (Applet)
  public void send()
     if(!open())          //Yikes! get out of here.
        return;    
     try
        outputStream.println("HELO sendMail");
        serverReply = inputStream.readLine(); 
     catch(Exception e0)
        e0.printStackTrace();
     try
        outputStream.println("MAIL FROM: "+from);
        serverReply = inputStream.readLine();
          // I cheat and don't look for the whole 550
          // we know 5 is an error anyway. Add it in if you want.
        if(serverReply.startsWith("5"))
           close("FROM: Server error :"+serverReply);
           return;
     // Note the switch here. we could get mail from somewhere and by
     // pre setting replyTo reply somewhere else :)
        if(replyTo == null)
           replyTo = from;
        outputStream.println("RCPT TO: <"+to+">");
         // Ya got me! I didn't look for any  250 OK messages. Add it in if you really want.
         // A real programmer will spend 30 hours writing self modifying code in order
         // to save 90 nano seconds ;)  we assume if it did't give an error it must be OK.
        serverReply = inputStream.readLine();
        if(serverReply.startsWith("5"))
           close("Reply error:"+serverReply);
           return;
        outputStream.println("DATA");
        serverReply = inputStream.readLine();
        if(serverReply.startsWith("5"))
           close("DATA Server error : "+serverReply);
           return;
        outputStream.println("From: "+from);
        outputStream.println("To: "+to);
        if(subject != null)
           outputStream.println("Subject: "+subject);
        if(replyTo != null)
           outputStream.println("Reply-to: "+replyTo);
        outputStream.println("");
        outputStream.println(mailData);
        outputStream.print("\r\n.\r\n");
        outputStream.flush();
        serverReply = inputStream.readLine();
        if(serverReply.startsWith("5"))
           close("DATA finish server error: "+serverReply);
           return;
        outputStream.println("quit");
        serverReply = inputStream.readLine();
        if(serverReply.startsWith("5"))
           close("Server error on QUIT: "+serverReply);
           return;
        inputStream.close();
        outputStream.close();
        mailSendSock.close();
     catch(Exception any)
        any.printStackTrace();
        close("send() Exception");
     close("Mail sent");
  public boolean open()
     synchronized(mailLock)
        try
           mailSendSock = new Socket(mailServerHost, 25);
           outputStream = new PrintStream(mailSendSock.getOutputStream());
           inputStream = new BufferedReader(new InputStreamReader(
            mailSendSock.getInputStream()));
           serverReply = inputStream.readLine();
           if(serverReply.startsWith("4"))
              errorMsg = "Server refused the connect message : "+serverReply;
              return false;
        catch(Exception openError) 
           openError.printStackTrace();
           close("Mail Socket Error");
           return false;
        System.out.println("Connected to "+mailServerHost);
        return true;
  public void close(String msg)
            //try to close the sockets
     System.out.println("Close("+msg+")");
     try
        outputStream.println("quit");
        inputStream.close();
        outputStream.close();
        mailSendSock.close();
     catch(Exception e)
        System.out.println("Close() Exception");
       // We are closing so see ya later anyway
  public static void main(String Args[])
  SendMail sm = new
  // * NOTE:
  // Erase these values right away! Just to show you how it is done.
  // Whatever you do don' release it with my mail server hardcoded.
  // last thing I need is 10 million Java mail test spams :)
  SendMail(
            "outgoing.myISP.net",         //Mail Server
            "[email protected]",       // sender
            "[email protected]",       // Recipient
            "Java mail test",               // Subject
            "test test test!");             // Message Data
            sm.send();                      // Send it!
  }

  There is no one in the forum who can shed some light on my problem?

• Smartcard authentication for Clean Access SSO

  Is anyone doing smartcard authentication into clean access via SSO? I have an issue where the UPN is not the username and the domain suffix is different from the AD domain so the agent is appending  @domain.com to the $user$ variable and so it is failing to authenticate.

  Did you run KTPASS correctly?
  I had the same problem, (very undocumented 'feature', I would say) the KTPASS command must be run slightly different when running against a DC, versus running it against a AD Domain.
  For Domain Authentication:
  ktpass.exe -princ cleanaccess/domain_in_lower_case.co.za@DOMAIN_IN_UPPER_CASE.CO.ZA -mapuser cleanaccess -pass mypassword -out c:\cleanaccess.keytab -ptype KRB5_NT_PRINCIPAL +DesOnly
  For AD Server Authentication:
  ktpass.exe -princ cleanaccess/SERVERNAME.domain_in_lower_case.co.za@DOMAIN_IN_UPPER_CASE.CO.ZA -mapuser cleanaccess -pass mypassword -out c:\cleanaccess.keytab -ptype KRB5_NT_PRINCIPAL +DesOnly
  NOTE: SERVERNAME need to be exactly as indicated under My Computer > Properties. (ie, correct UPPERCASE and lowercase letters in the right places)
  Another thing to look out for is the cleanaccess AD account you have created, make sure that the display name matches the account name, and do not specify anything for the Firstname, Lastname fields. This seems to break things ans gets the authentication to fail for some reason.
  O, and if you have set up the account at first for DC Server Authentication, delete it and recreate it for the AD Domain Authentication, because that breaks it too, when you run the KTPASS.EXE again.
  Another thing, try using ADSSO without the lookup account configured to see that the machine authenticates first, then ad the Lookup Account, maybe the problem lies there.
  Hope this helps.

• Open Authentication for Wireless Access

  Hello,
  The standalone implementation of an existing wireless network is configured as Open Authentication with a TKIP Cipher. The client key management is set to WPA PSK.
  What exacly is the authentication for? I see that MAC and EAP are available options. Would these options be used to block or authorize the actual wireless devices that connect to the AP?
  The next thing I see is Client Authenticated Key management and I am using WPA PSK. What exactly happens once I enter thsi PSK from the client? Is it only used to encrypt the data?
  Thanks,
  Kevin

  Hi Kevin,
  Using WPA we can configure  either Enterprise or pre shared key.. Enterprise comprises of EAP and pre shared key is just the PSK..
  if we are using EAP then auth will be done by the RADIUS and the encryotion will still be TKIP.. now coming back to PSK, this is shared key which will authenticate the users locally...
  EAP is more secured auth compared to PSK..
  Now regarding the "auth open" line.. see there are 2 kinds of auth in 802.11.. here while using wireless we need to auth twice, dot11 authentication and followed by the psk or EAP auth.. the auth open statement will force us to get the dot11 auth successful and then we move towards needed auth like PSK or EAP.. and another is Shared auth is very similar to WEP using open auth!!
  in the nut shel we have 3 kinds of auth..
  1> open - Dot11 auth
  2> Shared - Nothing but WEP
  3> 802.1X suite - EAP
  again, the below link may give you some insights as well!!
  http://www.cisco.com/en/US/docs/wireless/access_point/12.2_13_JA/configuration/guide/s13auth.html#wp1035025
  Lemme know if this answered ur question and please dont forget to rate the usefull posts!!
  Regards
  Surendra

• ISE - AAA radius authentication for NAD access

  Hi ,
  I have configured the switches to use the ISE as the Radius server to authenticate with , on the ISE i've configured an authentication policy
  for the "NADs" using the "Wired Devices" group which points to the AD indentity source to authenticate against .
  While testing the login access to the switches we've come up with 2 results :
  1.A domain user can indeed login to the switch as intended.
  2.Every domain user which exists in the AD indentity source can login , this is an undesired result .
  So I am trying to search for a way to restrict access to the NADs to only a particular group belonging to the AD , for example the group/ou
  of the IT_department only .
  I haven't been successfull , would appreciate any ideas on how to accomplish this .
  Switch configurations :
  =================
  aaa new-model
  aaa authentication login default group radius local
  ISE Authentication policy
  ==================
  Policy Name : NADs Authentication
  Condition:  "DEVICE:Device Type Equals :All Device Types#Wired"
  Allowed Protocol : Default Network Access
  use identity source : AD1

  Thank you for the quick replys , and now  ok , I've configured the following authorization policy :
  Rule Name : Nad Auth
  Conditions
  if: Any
  AND : AD1:ExternalGroups EQUALS IT_Departments
  Permissions , then PermitAccess
  What I don't understand is that it needs to match an "identity group" which can be either "Endpoint Identity group" or "Users Identity group" , I am limited with the if statement and cannot chose the same device group a choose before .
  How can i do that , i am thinking ahead an asking myself if in other cases a user might match this policy rule and can interfer ?

• ACS/ASA authentication for vpn access vs. console management access

  I have an ACS 4.2 Server and an ASA 5540. I have setup AnyConnect SSL VPN on the ASA and want to authenticate users using AAA tacacs+ authentication with the ACS and an external Windows AD database. I have done this successfully. I also want to use the ACS for authenticating SSH management sessions into the ASA. I have setup a group in AD and on the ACS called VPNUSERS and NETADMINS. The problem is, I want the VPN users to ONLY be able to authenticate for VPN but not have access to logging into the ASA CLI or ASDM. The NETADMINS should be able to do both. The question I have is how do I setup the VPNUSER group in ACS to have access to connect to the ASA for VPN but not for the management console? It seems that if they can authenticate for vpn, they can also ssh the firewall which is what I want to prevent.

  Try using Network Access Restrictions (NAR)where you can restrict the administrative access on per device or on NDG basis.
  By default user accounts from external database such as AD in ACS will get authenticated through telnet on network device or a AAA client which can be restricted by enabling NAR in ACS.
  In your case it should be VPNUSERS group in ACS.
  HTH
  Ahmed

• Authentication for Guest Access

  Hi, we are looking for a solution for either automated daily creation of guest user accounts or a console for clients enter their details which in turn creates the guest account on the controller.
  If we go down the path of automation, policy requires a single username/password for each day, unfortuntely WLC scheduled guest account creation is not an option as the reocurrence doesn't change the password, but it would be a handy feauture if Cisco would like to introduce it in a future release
  The CLI has the option to create 'config netuser add [name] [password] WLANID [X] userType guest lifetime [seconds]' - Can we schedule and email this from the CLI on the controller?
  Appreciate your time.
  Brendan

  Brendan,
  Currently there is no way to automate this process. The process that has been developed is either an admin on the wlc/wcs creates the account or the use of the lobby admin feature. WCS has the lobby admin feature also to create accounts but it isn't intended for guest users to create their own account.
  The wlc doesn't have a schedule to enter a command via the cli, but I bet you can developer some web base guest creation that would send the command to the wlc and remember that command to remove it later.
  Sent from Cisco Technical Support iPhone App

• AAA authentication for IDS access?

  I've been implementing a new SSM-20 I haven't found anything that indicates we can use RADIUS to authenticate users logging into the GUI or telnet/ssh. Am I missing something here?

  You expectations are quite reasonable but regretably, Cisco ONLY supports local authentication on the IPS Sensor platform (4200 series, CIDS, IDSM-2 and SSM).
  This has been discussed in the past:
  http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Security&topic=Intrusion%20Prevention%20Systems/IDS&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.1ddef483

• Aaa authentication for https access

  I have several Catalyst 3750 switches that I'm running Tacacs on. I set the switch up to be an http server so that some of our admins could administer the switches through the web gui. Is it possible to login to the web console via your Tacacs login (in our case, our Windows username/password)? I found the "ip http authentication aaa" command but this doesn't seem to do it. I just don't want to share the local passwords if I don't have to.
  Thanks in advance,
  Eric

  My experience of the web interface is that it uses the local password on the device and not the aaa authentication IDs and passwords.
  HTH
  Rick

• LDAP vs local login for remote access

  Hi Team,
  I am evaluating the best means for single factor authentication for remote access (client to site or SSL VPN). The options I see are creating local usernames and password or integration with Active Directory via LDAP. What are the pros and cons of these solutions.
  I feel local logins are more secure comparitavely because the user first login using local login and password and then has to use the domain credentials for accessing corporate resources. Of course, this comes at an admistrator overload and local management of user names and passwords. Do you have any opinion on this? Any acknowledgement will be highly appreciated.

  Hello Manoj,
  IMO, I would never consider the LOCAL DB as an option for a corporate deployment. It does not scale and it is not easy to manage.
  Local DB is used in case you need to manage a number of 15 users for instance, so in this case it is managable, but when it comes to a higher number it is not an option.
  Active Directory is a better solution since it is meant to handle hundred of users and allows password-management for instance. Also you can have many ASA devices, performing DB bindings and queries to check the users credentials to the AD servers, so you don't need to deal with tons of user accounts on each ASA, for instance.
  If you are looking for a more secure way to authenticate your users you can consider two-factor authentication using certificates for instance:
  AnyConnect Certificate Based Authentication.
  Why to use AD:
  Pros
  Scalable.
  Easy to manage.
  Allows password-management.
  Cons:
  Expensive (not open AD solution).
  HTH.
  Please rate helpful posts.

• Best authentication method for controlling access to wlan

  What is the best method for controlling access to a wlan with a 5508 wlan controller
  The requirments are
  -Needs to support all types of clients (Mac, PC, smartphones, tablets)
  -Clients need to be able to connect easily and without errors or installing certs or wireless profiles etc..
  -Secure
  This doesn't seem like alot to ask but I keep running into problems.
  What are people using?
  Thanks

  I can't find an errors in any area of the event viewer.
  Here is these files cat'd together.
  GeoTrustGlobalCA
  GeoTrustDVSSLCA
  corp-vs-ca2.########-export
  -----BEGIN CERTIFICATE-----
  MIIDVDCCAjygAwIBAgIDAjRWMA0GCSqGSIb3DQEBBQUAMEIxCzAJBgNVBAYTAlVT
  MRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVzdCBHbG9i
  YWwgQ0EwHhcNMDIwNTIxMDQwMDAwWhcNMjIwNTIxMDQwMDAwWjBCMQswCQYDVQQG
  EwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEbMBkGA1UEAxMSR2VvVHJ1c3Qg
  R2xvYmFsIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2swYYzD9
  9BcjGlZ+W988bDjkcbd4kdS8odhM+KhDtgPpTSEHCIjaWC9mOSm9BXiLnTjoBbdq
  fnGk5sRgprDvgOSJKA+eJdbtg/OtppHHmMlCGDUUna2YRpIuT8rxh0PBFpVXLVDv
  iS2Aelet8u5fa9IAjbkU+BQVNdnARqN7csiRv8lVK83Qlz6cJmTM386DGXHKTubU
  1XupGc1V3sjs0l44U+VcT4wt/lAjNvxm5suOpDkZALeVAjmRCw7+OC7RHQWa9k0+
  bw8HHa8sHo9gOeL6NlMTOdReJivbPagUvTLrGAMoUgRx5aszPeE4uwc2hGKceeoW
  MPRfwCvocWvk+QIDAQABo1MwUTAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTA
  ephojYn7qwVkDBF9qn1luMrMTjAfBgNVHSMEGDAWgBTAephojYn7qwVkDBF9qn1l
  uMrMTjANBgkqhkiG9w0BAQUFAAOCAQEANeMpauUvXVSOKVCUn5kaFOSPeCpilKIn
  Z57QzxpeR+nBsqTP3UEaBU6bS+5Kb1VSsyShNwrrZHYqLizz/Tt1kL/6cdjHPTfS
  tQWVYrmm3ok9Nns4d0iXrKYgjy6myQzCsplFAMfOEVEiIuCl6rYVSAlk6l5PdPcF
  PseKUgzbFbS9bZvlxrFUaKnjaZC2mqUPuLk/IH2uSrW4nOQdtqvmlKXBx4Ot2/Un
  hw4EbNX/3aBd7YdStysVAq45pmp06drE57xNNB6pXE0zX5IJL4hmXXeXxx12E6nV
  5fEWCRE11azbJHFwLJhWC9kXtNHjUStedejV0NxPNO3CBWaAocvmMw==
  -----END CERTIFICATE-----
  -----BEGIN CERTIFICATE-----
  MIID+jCCAuKgAwIBAgIDAjbSMA0GCSqGSIb3DQEBBQUAMEIxCzAJBgNVBAYTAlVT
  MRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVzdCBHbG9i
  YWwgQ0EwHhcNMTAwMjI2MjEzMjMxWhcNMjAwMjI1MjEzMjMxWjBhMQswCQYDVQQG
  EwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEdMBsGA1UECxMURG9tYWluIFZh
  bGlkYXRlZCBTU0wxGzAZBgNVBAMTEkdlb1RydXN0IERWIFNTTCBDQTCCASIwDQYJ
  KoZIhvcNAQEBBQADggEPADCCAQoCggEBAKa7jnrNpJxiV9RRMEJ7ixqy0ogGrTs8
  KRMMMbxp+Z9alNoGuqwkBJ7O1KrESGAA+DSuoZOv3gR+zfhcIlINVlPrqZTP+3RE
  60OUpJd6QFc1tqRi2tVI+Hrx7JC1Xzn+Y3JwyBKF0KUuhhNAbOtsTdJU/V8+Jh9m
  cajAuIWe9fV1j9qRTonjynh0MF8VCpmnyoM6djVI0NyLGiJOhaRO+kltK3C+jgwh
  w2LMpNGtFmuae8tk/426QsMmqhV4aJzs9mvIDFcN5TgH02pXA50gDkvEe4GwKhz1
  SupKmEn+Als9AxSQKH6a9HjQMYRX5Uw4ekIR4vUoUQNLIBW7Ihq28BUCAwEAAaOB
  2TCB1jAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFIz02ZMKR7wAoErOS3VuoLaw
  sn78MB8GA1UdIwQYMBaAFMB6mGiNifurBWQMEX2qfWW4ysxOMBIGA1UdEwEB/wQI
  MAYBAf8CAQAwOgYDVR0fBDMwMTAvoC2gK4YpaHR0cDovL2NybC5nZW90cnVzdC5j
  b20vY3Jscy9ndGdsb2JhbC5jcmwwNAYIKwYBBQUHAQEEKDAmMCQGCCsGAQUFBzAB
  hhhodHRwOi8vb2NzcC5nZW90cnVzdC5jb20wDQYJKoZIhvcNAQEFBQADggEBADOR
  NxHbQPnejLICiHevYyHBrbAN+qB4VqOC/btJXxRtyNxflNoRZnwekcW22G1PqvK/
  ISh+UqKSeAhhaSH+LeyCGIT0043FiruKzF3mo7bMbq1vsw5h7onOEzRPSVX1ObuZ
  lvD16lo8nBa9AlPwKg5BbuvvnvdwNs2AKnbIh+PrI7OWLOYdlF8cpOLNJDErBjgy
  YWE5XIlMSB1CyWee0r9Y9/k3MbBn3Y0mNhp4GgkZPJMHcCrhfCn13mZXCxJeFu1e
  vTezMGnGkqX2Gdgd+DYSuUuVlZzQzmwwpxb79k1ktl8qFJymyFWOIPllByTMOAVM
  IIi0tWeUz12OYjf+xLQ=
  -----END CERTIFICATE-----
  -----BEGIN CERTIFICATE-----
  MIIFaDCCBFCgAwIBAgIDBo5UMA0GCSqGSIb3DQEBBQUAMGExCzAJBgNVBAYTAlVT
  MRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMR0wGwYDVQQLExREb21haW4gVmFsaWRh
  dGVkIFNTTDEbMBkGA1UEAxMSR2VvVHJ1c3QgRFYgU1NMIENBMB4XDTEzMDQyNTA4
  NTEzNVoXDTE1MDQxNTA0NDcyOVowgdQxKTAnBgNVBAUTIHNZbkoyTG0tb2dGZnZC
  aFlodWRqWVZIMndEek43MGdOMRMwEQYDVQQLEwpHVDU3NDYxMTU1MTEwLwYDVQQL
  EyhTZWUgd3d3Lmdlb3RydXN0LmNvbS9yZXNvdXJjZXMvY3BzIChjKTEzMTcwNQYD
  VQQLEy5Eb21haW4gQ29udHJvbCBWYWxpZGF0ZWQgLSBRdWlja1NTTChSKSBQcmVt
  aXVtMSYwJAYDVQQDEx1jb3JwLXZzLWNhMi5wb3BtdWx0aW1lZGlhLmNvbTCCASIw
  DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM4jgpKBeo8rtM/zJIEyho3HppeU
  tZeK+wmLfPeBTJxr2UmQFOmcniQblgsHREAGyJR0KT5yrYzxx6wpZaqCUcZlxl1Z
  lUz5mfxHnL5Oc14sUnqwaJuxprXV5Rnclci6W6BMFjI4QoxXjQwSa+3A1enf+ZsO
  sXUojQbQx62MX8rINuQ+srgdDielK/mJqTAMt11x6+NqIpwlGAgOxKd7vjG6aKRf
  a2efvS/hK4Pi0ieWPGn1GXz/AlYpHQv0cppUr8huL/+2+9cEvd1sp8XN/ASN3YTm
  WWo//fVpbXIlzp8mU4Q7t8+7LglxFQabhl4eMBarMi8SnNuh2zYKQxJRPvsCAwEA
  AaOCAbMwggGvMB8GA1UdIwQYMBaAFIz02ZMKR7wAoErOS3VuoLawsn78MA4GA1Ud
  DwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwKAYDVR0R
  BCEwH4IdY29ycC12cy1jYTIucG9wbXVsdGltZWRpYS5jb20wQQYDVR0fBDowODA2
  oDSgMoYwaHR0cDovL2d0c3NsZHYtY3JsLmdlb3RydXN0LmNvbS9jcmxzL2d0c3Ns
  ZHYuY3JsMB0GA1UdDgQWBBSODVVgPunABo61x13N20tEP66egDAMBgNVHRMBAf8E
  AjAAMHUGCCsGAQUFBwEBBGkwZzAsBggrBgEFBQcwAYYgaHR0cDovL2d0c3NsZHYt
  b2NzcC5nZW90cnVzdC5jb20wNwYIKwYBBQUHMAKGK2h0dHA6Ly9ndHNzbGR2LWFp
  YS5nZW90cnVzdC5jb20vZ3Rzc2xkdi5jcnQwTAYDVR0gBEUwQzBBBgpghkgBhvhF
  AQc2MDMwMQYIKwYBBQUHAgEWJWh0dHA6Ly93d3cuZ2VvdHJ1c3QuY29tL3Jlc291
  cmNlcy9jcHMwDQYJKoZIhvcNAQEFBQADggEBAC2Kadfzc6X/3dI//J5SGR9fnCa7
  6NVl8SV5aAYAvmOdkZBiurIYa1eHYYaDUGmOO8awTOXTfc4QzX75QwBUmcZeZKdj
  ZMPiJlm7Bsz/3Q1eolxHCqkAiDZIEohoT0o8Spw6+Eq8KcPnhf+K5+rIzJnWBZ9P
  tmpS4SEtrGHIfj3+638eqTydxuOCZ0Be9EanVK0ERav25fTRgRoZ+yEDiFP/MjQd
  rAgW7SyLOjm4I6bTmzjugmXf2Axm2kFuoyyZdrvdrJ+GBku5F6DOufGdGu13j80S
  lp148qh7gCREWrCqn3pH14qPKeHwC47jAQ3+ikRDfB090h9HGRi/8+w7Tx4=
  -----END CERTIFICATE-----

• External Web authentication server for Guest access

  I have a guest wireless wlan setup. When guest users attach to our guest wireless they are prompted by the built in web security on the WLC's.
  Cisco talks about how to setup the WLC to route web authentication to an external web server, but they don't say what kind of web server to use or examples.
  I need some help on getting an external web server to do web authentication. With the server we would like to get some basic info from the user. name, email, pupose of using wlan, and some background info they don't see like, computer name, mac address. This is all for tracking purposes.
  Hotels do this type of web authentication for example.
  Any help would be great.

  Hi Patrick,
  I'm having the same problem here. I configured my WLC that redirect the login page to WEB Server, but I don't know how configure the Web Server to back the credentials to WLC. Did you can solve this problem?
  thanks!
  Claudio

• "Team Foundation Server" is preventing authentication for whole team !!

  I am getting 2 errors through the event viewer that prevents TFS 2013 authentication for local domain users, also this error started appearing after having TFS upgraded to [ 12.0.30723.0 (Tfs2013.Update3) ].
  1st
  Error (from administrative events):
  The Execute method of job definition Microsoft.SharePoint.Administration.SPUsageImportJobDefinition (ID a51a0244-765d-433b-8502-0bb0540ad1fd) threw an exception.
  More information is included below.
  Access to the path 'C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\LOGS' is denied.
  Tried so far:-
  - changed the path to another folder from "Diagnostic Logging" in another drive, but still getting the same error.
  2nd
  Error (from application server):
  DistributedCOM error
  The application-specific permission settings do not grant
  Local Activation permission for the COM Server application with CLSID 
  {000C101C-0000-0000-C000-000000000046}
   and APPID 
  {000C101C-0000-0000-C000-000000000046}
   to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20)
  from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
  Which I already got fixed using the following steps on a thread I opened before (but still getting the same error).
  https://social.technet.microsoft.com/Forums/windows/en-US/3896e35c-b99a-4d30-b662-f92d337c8d6f/windows-servers-components-services-and-regedit-permissions-are-grayed-out-for-my-admin-account?forum=winservergen
  Other
  Fixes I tried
  - Found on another topic that it is not sharepoint that is causing the problem, but it is the generated ASP.NET web pages used for testing is causing the memory to fill up due to cashing on RAM, the fix suggested to change IIS cashing from RAM to HD to prevent
  loading up using w3wp.exe from processes. 
  Concern
  - by checking other topics for people having the same problem, it was mentioned that this error appeared after the lastest TFS update, is there is a fix for it ?

  Hi Amr,
  For your first error, you can change the "Diagnostic Logging" path, aslo change the path of the usage and health data connection the same with your ULS log location. Check this
  blog for more detils and make sure you follow the instructions. Restart SharePoint tracing service after the operations. You can also check this
  thread for more references. If you still have any other concerns about SharePoint, you can open a new thread in SharePoint forum for a better response.
  About the second error, seems it's not related to TFS. You can also run TFS best practice analyzer to check if there any configuation issues on your application tier server. However, you can also refer to this
  blog
  to get this issue resolved. If the problem persists, you can elaborate more details about your scenario and the reproduce steps or open a new thread related forum.
  Best regards,