Users logging via PEAP-MSChapv2

Hi, I'm having the following issue: users authenticated via PEAP for WLAN access do not run Microsoft Active Directory login scripts, because when they first log on to their computers they don't have network yet, and only after loading their profile do they get network connectivity.
How do you circumvent this issue? How do you make sure users do run the login scripts?
Thanks
Jorge

You need to support Machine Authentication.
Enabling Machine Authentication will allow the machine to receive an IP address, and subsequently download domain policies (etc.) BEFORE a user even logs in.
When a user does eventually log in, your user will have exactly the same experience as over the wire, i.e., scripts will run, the profile will download, mapped drives will appear and so on...
Regards,
Richard
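
An added example (not part of the original thread): on Windows clients the 802.1X credential choice is stored in the authMode element of the WLAN profile, so profiles exported with netsh wlan export profile can be audited for the user-only setting that produces the symptom described above. The profiles below are constructed samples, make_profile is a demo helper, and a missing authMode is assumed to mean the schema default machineOrUser.

```python
import xml.etree.ElementTree as ET

# XML namespaces used by Windows WLAN profiles and their 802.1X (OneX) section.
NS = {
    "w": "http://www.microsoft.com/networking/WLAN/profile/v1",
    "x": "http://www.microsoft.com/networking/OneX/v1",
}

# What each authMode value means for network access before a user logs on.
VERDICTS = {
    "machineOrUser": "ok: computer authenticates before logon, user after logon",
    "machine": "ok: computer credentials are used before and after logon",
    "user": "gap: no 802.1X session until a user logs on, so logon scripts "
            "and domain policy run without network",
    "guest": "gap: guest (empty) credentials only",
}


def make_profile(ssid, auth_mode=None, use_onex=True):
    """Build a constructed (not captured) minimal profile for the demo."""
    onex = ""
    if use_onex:
        mode = f"<authMode>{auth_mode}</authMode>" if auth_mode else ""
        onex = f'<OneX xmlns="{NS["x"]}">{mode}</OneX>'
    return (
        f'<WLANProfile xmlns="{NS["w"]}"><name>{ssid}</name>'
        f"<MSM><security><authEncryption>"
        f"<authentication>{'WPA2' if use_onex else 'WPA2PSK'}</authentication>"
        f"<encryption>AES</encryption>"
        f"<useOneX>{'true' if use_onex else 'false'}</useOneX>"
        f"</authEncryption>{onex}</security></MSM></WLANProfile>"
    )


def audit_profile(xml_text):
    """Report whether a profile lets the computer authenticate before logon."""
    root = ET.fromstring(xml_text)
    name = root.findtext("w:name", default="?", namespaces=NS)
    sec = root.find("w:MSM/w:security", NS)
    use_onex = False
    if sec is not None:
        flag = sec.findtext("w:authEncryption/w:useOneX", default="false",
                            namespaces=NS)
        use_onex = flag.strip().lower() == "true"
    if not use_onex:
        return {"name": name, "dot1x": False, "auth_mode": None,
                "pre_logon_network": None,
                "verdict": "n/a: not an 802.1X profile"}
    # Assumption: an absent or empty authMode means the default machineOrUser.
    mode = sec.findtext("x:OneX/x:authMode", default="", namespaces=NS).strip()
    mode = mode or "machineOrUser"
    return {
        "name": name,
        "dot1x": True,
        "auth_mode": mode,
        "pre_logon_network": mode in ("machineOrUser", "machine"),
        "verdict": VERDICTS.get(mode, f"unknown authMode value: {mode}"),
    }


def profiles_with_gap(xml_texts):
    """Names of 802.1X profiles that give no network before user logon."""
    results = [audit_profile(t) for t in xml_texts]
    return [r["name"] for r in results
            if r["dot1x"] and not r["pre_logon_network"]]


# Constructed sample set: SSID names are placeholders.
SAMPLES = [
    make_profile("Corp-UserOnly", "user"),
    make_profile("Corp-MachineOrUser", "machineOrUser"),
    make_profile("Corp-Default"),            # OneX present, no authMode
    make_profile("Home-PSK", use_onex=False),
]

if __name__ == "__main__":
    for xml_text in SAMPLES:
        r = audit_profile(xml_text)
        print(f'{r["name"]:20} {str(r["auth_mode"]):14} {r["verdict"]}')
```

A profile that passes this check still needs the RADIUS side to accept the computer's identity, which arrives in the host/<fqdn> form seen in the ACS log further down this page.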

Similar Messages

  • Self Assigned IP even though I am Authenticated via PEAP(MSCHAPv2) to WPA2

    Help!
    After installing Snow Leopard 10.6.1 on my 2.16 GHz Core Duo MacBook Pro running OS 10.5, I can no longer connect to the WPA2 Enterprise network at the University of Ottawa. I can still connect to other encrypted networks, such as my home WEP encrypted network. Before the installation I was able to connect to the WPA2 enterprise network.
    When attempting to connect, under network preferences I can see that my computer is Authenticated via PEAP(MSCHAPv2) and a timer showing my time connected is running. However under status, it says that I have a self assigned IP and that I cannot connect to the internet. As a result I cannot connect to the internet.
    I have included a picture that describes my problem exactly:
    Does anyone have this problem? Can anyone help me?
    Thanks!

    The thing you and many others forget is that these forums are for those with problems. Those for whom the installs work without fault do not visit here. They do not post. There are about 9,000 topics in the Installation and Using forums (the largest two) and even if every topic were a unique fault, this would mean a small fraction of the installed base.
    According to AppleInsider the Q1 sales of SL would be circa 5 million copies, and other reports indicate these numbers have been surpassed in the early months. So let's go for one month's sales at only 1.5 million copies. 9,000 faults in 1.5 million copies is only a 0.6% rate and that's if every topic is a different fault (which it plainly isn't).
    So I'm afraid your argument is even less convincing - a few people report your fault, and even if only 1% of the installed base uses it, it's still infinitesimal. IMO, the vast majority of problems arise from an initial Leopard installation that had enough variability of build to make enhancements problematical. I'd be the first to admit it's not Apple's finest hour, but it's certainly not bad for the overwhelming majority.
    Perhaps you could apply to be an Apple tester, to help solve this issue? It's better than standing on the sidelines complaining about everyone else's work for certain.
    Or log a fault request as it will get looked at I can assure you, but only if there is a tester who is actually able and willing to test that particular piece of functionality.

  • Machine authentication not working with peap mschapv2

    I have installed the ACS ver 4.1.1 trial downloaded from the Cisco web site. I have configured 802.1x machine authentication using a self-generated certificate, with the unknown user policy configured for Windows database authentication. I can authenticate users via PEAP authentication, but I can never get machine authentication working. In failed attempted.psv, I found "EAP-TLS or PEAP authentication failed during SSL handshake". In the auth.log I found the message below:
    TH 03/02/2008 07:01:13 I 0143 6184 [PDE]: PolicyMgr::CreateContext: new context id=3
    AUTH 03/02/2008 07:01:13 I 0143 6184 [PDE]: PdeAttributeSet::addAttribute: User-Name=host/paul2.test.com
    AUTH 03/02/2008 07:01:13 I 0143 6184 [PDE]: PdeAttributeSet::addAttribute: Service-Type=2
    AUTH 03/02/2008 07:01:13 I 0143 6184 [PDE]: PdeAttributeSet::addAttribute: Framed-MTU=1500
    AUTH 03/02/2008 07:01:13 I 0143 6184 [PDE]: PdeAttributeSet::addAttribute: Called-Station-Id=00-11-93-69-C5-9A
    AUTH 03/02/2008 07:01:13 I 0143 6184 [PDE]: PdeAttributeSet::addAttribute: Calling-Station-Id=00-0E-7B-30-FA-08
    AUTH 03/02/2008 07:01:13 I 0143 6184 [PDE]: PdeAttributeSet::addAttribute: EAP-Message=(binary value)
    AUTH 03/02/2008 07:01:13 I 0143 6184 [PDE]: PdeAttributeSet::addAttribute: Message-Authenticator=(binary value)
    AUTH 03/02/2008 07:01:13 I 0143 6184 [PDE]: PdeAttributeSet::addAttribute: NAS-Port-Type=15
    AUTH 03/02/2008 07:01:13 I 0143 6184 [PDE]: PdeAttributeSet::addAttribute: NAS-Port=50024
    AUTH 03/02/2008 07:01:13 I 0143 6184 [PDE]: PdeAttributeSet::addAttribute: NAS-IP-Address=10.20.209.2
    AUTH 03/02/2008 07:01:13 I 0143 6184 [PDE]: PdeAttributeSet::addAttribute: PDE-NAS-Vendor-14=1
    AUTH 03/02/2008 07:01:13 I 0143 6184 [PDE]: PdeAttributeSet::addAttribute: PDE-Service-ID-0=0
    AUTH 03/02/2008 07:01:13 I 0143 6184 [PDE]: PolicyMgr::SelectService: context id=3; no profile was matched - using default (0)
    AUTH 03/02/2008 07:01:13 I 5081 6184 Done RQ1152, client 2, status 0
    AUTH 03/02/2008 07:01:13 I 5094 6448 Worker 1 processing message 7.
    AUTH 03/02/2008 07:01:13 I 5081 6448 Start RQ1026, client 50 (127.0.0.1)
    AUTH 03/02/2008 07:01:13 I 0143 6448 [PDE]: PolicyMgr::Process: request type=5; context id=3; applied default profiles (0) - do nothing
    AUTH 03/02/2008 07:01:13 I 5394 6448 Attempting authentication for Unknown User 'host/paul2.test.com'
    AUTH 03/02/2008 07:01:13 I 1645 6448 pvAuthenticateUser: authenticate 'host/paul2.test.com' against CSDB
    AUTH 03/02/2008 07:01:13 I 5081 6448 Done RQ1026, client 50, status -2046
    AUTH 03/02/2008 07:01:13 I 5094 6448 Worker 1 processing message 8.
    AUTH 03/02/2008 07:01:13 I 5081 6448 Start RQ1027, client 50 (127.0.0.1)
    AUTH 03/02/2008 07:01:13 I 0928 6448 AuthenProcessResponse: process response for 'host/paul2.test.com'
    AUTH 03/02/2008 07:01:13 I 5081 6448 Done RQ1027, client 50, status -2046
    AUTH 03/02/2008 07:01:13 I 5094 6448 Worker 1 processing message 9.
    AUTH 03/02/2008 07:01:13 I 5081 6448 Start RQ1027, client 50 (127.0.0.1)
    AUTH 03/02/2008 07:01:13 I 0928 6448 AuthenProcessResponse: process response for 'host/paul2.test.com'
    AUTH 03/02/2008 07:01:13 E 0381 6448 EAP: PEAP: ProcessResponse: invalid TLS data size received: 0
    AUTH 03/02/2008 07:01:13 I 0381 6448 EAP: PEAP: Second phase: 0 authentication FAILED
    AUTH 03/02/2008 07:01:13 I 5081 6448 Done RQ1027, client 50, status -2120
    AUTH 03/02/2008 07:01:13 I 5094 6184 Worker 0 processing message 36.
    If anyone can shed some light on this.
    Cheers,
    Andy
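
An added example, not part of Andy's post: a small triage script for the auth.log excerpt above that pulls out the identity, the credential store named in the log, non-zero request statuses and the PEAP error lines. The field layout (source, date, time, level, code, thread, message) is inferred from the excerpt rather than taken from ACS documentation; the sample lines are copied from the post, plus one constructed malformed line.

```python
import re

# Assumed layout, inferred from the excerpt:
#   SOURCE MM/DD/YYYY HH:MM:SS LEVEL CODE THREAD MESSAGE
LINE_RE = re.compile(
    r"^(?P<src>\w+) (?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<level>[A-Z]) (?P<code>\d{4}) (?P<thread>\d+) (?P<msg>.*)$"
)
IDENTITY_RE = re.compile(r"User-Name=(\S+)|'([^']+)'")
STORE_RE = re.compile(r"authenticate '[^']+' against (\w+)")
STATUS_RE = re.compile(r"Done (RQ\d+), client \d+, status (-?\d+)")

# Lines copied from the post; the last line is constructed to show how
# unparseable input is counted instead of silently dropped.
SAMPLE = """\
AUTH 03/02/2008 07:01:13 I 0143 6184 [PDE]: PdeAttributeSet::addAttribute: User-Name=host/paul2.test.com
AUTH 03/02/2008 07:01:13 I 5081 6184 Done RQ1152, client 2, status 0
AUTH 03/02/2008 07:01:13 I 5394 6448 Attempting authentication for Unknown User 'host/paul2.test.com'
AUTH 03/02/2008 07:01:13 I 1645 6448 pvAuthenticateUser: authenticate 'host/paul2.test.com' against CSDB
AUTH 03/02/2008 07:01:13 I 5081 6448 Done RQ1026, client 50, status -2046
AUTH 03/02/2008 07:01:13 I 0928 6448 AuthenProcessResponse: process response for 'host/paul2.test.com'
AUTH 03/02/2008 07:01:13 E 0381 6448 EAP: PEAP: ProcessResponse: invalid TLS data size received: 0
AUTH 03/02/2008 07:01:13 I 0381 6448 EAP: PEAP: Second phase: 0 authentication FAILED
AUTH 03/02/2008 07:01:13 I 5081 6448 Done RQ1027, client 50, status -2120
this line is not in the expected format
"""


def triage(text):
    """Summarise one authentication attempt from auth.log-style lines."""
    identities, stores, nonzero_status, errors = [], [], [], []
    phase2_failed = False
    skipped = 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            skipped += 1
            continue
        msg = m.group("msg")
        # Identities appear as a User-Name attribute or as a quoted name.
        for attr, quoted in IDENTITY_RE.findall(msg):
            ident = attr or quoted
            if ident not in identities:
                identities.append(ident)
        store = STORE_RE.search(msg)
        if store and store.group(1) not in stores:
            stores.append(store.group(1))
        status = STATUS_RE.search(msg)
        if status and int(status.group(2)) != 0:
            nonzero_status.append((status.group(1), int(status.group(2))))
        if m.group("level") == "E":
            errors.append(msg)
        if "authentication FAILED" in msg:
            phase2_failed = True
    return {
        "identities": identities,
        # Windows computer accounts identify themselves as host/<fqdn>.
        "machine_identities": [i for i in identities if i.startswith("host/")],
        "stores": stores,            # which store the log says was consulted
        "nonzero_status": nonzero_status,
        "errors": errors,
        "phase2_failed": phase2_failed,
        "skipped": skipped,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key:18} {value}")
```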

  • Wireless Guest Access with 802.1X (PEAP/MSCHAPv2) and ISE?

    Hi,
    I have a setup based on WLC 5508, Catalyst 3750-X and AP3600i.
    The WLCs are running 7.3 and ISE is 1.1.1
    I'm trying to set up wireless guest access, where the guests connect to an SSID with 802.1X using PEAP/MSCHAPv2.
    They should receive their username/password either from a sponsor directly (a corporate AD user who prints the credentials) or through an SMS.
    The credentials will be created by the sponsor, using the sponsor portal on the ISE.
    Now to the questions:
    Is it correct that the foreign WLC (i.e. the WLC within the internal corporate network), should be set to no L2 and L3 security on the guest WLAN, to avoid having the foreign WLC contact the ISE and all traffic be forwarded directly to the anchor WLC?
    Is it correct that the anchor WLC (i.e. the WLC in the DMZ), should be configured with 802.1X/WPA2 L2 security and the ISE servers as the RADIUS servers on the guest WLAN, to ensure that the client is correctly authenticated/authorized by the ISE?
    When a guest logs on, how can I ensure that only one device (MAC address) is allowed per user?
    As it is now, a guest is able to log on with (I assume) an unlimited number of devices, using the credentials they have received.
    Thank you very much :-)
    Best Regards,
    Niels J. Larsen

  • 802.1x EAP PEAP MSCHAPv2 on Windows 7 Client.

    I have problems authenticating a W7 client on our enterprise WiFi network. XP, Apple clients and all smartphones work fine... We use Radius-assigned VLANs based on username and realm, routed on our Meru network to Navis Radius as a centralized point of authentication. Navis proxies client authentication requests to the customers' Radiuses based on the realm.
    The Windows 7 32 client uses the Radius CA (installed and ticked) and EAP PEAP MSCHAPv2 in the SSID settings. The customer Radius is a Freeradius. In the authentication logs we see that the client sends the machine name, e.g. Machine-x200/username@realm, even though in the client settings, under SSID Properties, Security, MS Protected EAP (PEAP), Settings and EAP-MSCHAPv2 Configuration, we have removed the tick on the default setting "Use Autom. Windows-username...", AND under Security, Advanced (back one step), in the 802.1X Settings, chosen User authentication only! (not user and machine, machine only or guest), and we have correctly saved username@realm =(username here) and password in the username/password setting.
    Is it possible to edit or change the way the client PC is set up to prevent this?
    Is there any way to make a policy setting? Or are there other solutions?
    I have tested the Cisco: PEAP option too, but still no authentication from Radius.
    Thanks

    Hi,
    As far as I know, this goal cannot be achieved.
    Reference:
    Use the 802.1X Wizard to Configure NPS Network Policies
    For authentication using Extensible Authentication Protocol – Transport Layer Security (EAP-TLS), select Microsoft: Smart Card or other certificate, click Configure, click OK, and then click Next.
    For authentication using Protected Extensible Authentication Protocol – Transport Layer Security (PEAP-TLS), select Microsoft: Protected EAP (PEAP). In Eap Types, click Add, click Smart Card or other certificate, click the Move Up button to position a smart card or other certificate at the top of the list, click OK, and then click Next.
    For secure password authentication using Protected Extensible Authentication Protocol – Microsoft Challenge Handshake Authentication Protocol version 2 (PEAP-MS-CHAP v2), select Microsoft: Protected EAP (PEAP). In Eap Types, click Add, click Secured password (EAP-MSCHAP v2), click the Move Up button to position the secured password authentication type at the top of the list, click OK, and then click Next.
    Regards,
    Sabrina

  • ISSUE: Wifi and Enterprise Networks - No PEAP-MSCHAPv2 & PEAP-GTC support.

    Since owning my HP Touchpad I have not been able to connect to my school's WiFi network, making the unit a digital photo frame.
    The issue seems to be well documented across many forums with no acknowledgement from HP/webOS.
    A post from another forum:
    Davegarbs Wrote:
    At least for me, importing the cert did nothing, as WiFi appears to be broken with both PEAP-GTC and PEAP-MSCHAPv2. I have had a bug report open with HP for 3 weeks now and haven't heard a single word. I even captured a ton of logs from the device that I thought would help get things taken care of.
    The only way I found to fix this is to use wpa_cli to reconfigure wpa_supplicant with the proper config for your network. This HAS to be done right as you log into the network in the WiFi app. Judging by the following link, this has been a problem for a long time:
    Advanced Wifi - WebOS Internals
    I'll be really surprised if HP gets back to me, but I'll update this thread if/when I hear from them. 
    So there seems to be a fix, but some users might find that a little bit difficult.
    Can HP/PALM/webOS/OBAMA/Astronaut please fix this issue? It also seems to affect webOS phones.
    I can confirm both android and apple ipad/iphone/imac do not have this issue.
    I would like to be able to use my HP Touchpad to its full potential rather than just slide showing photos.
    Cheers
    Post relates to: HP TouchPad (WiFi)

    I'm in the exact same boat at Texas A&M Health Science Center. I seriously wonder if this is part of the reason they dropped the line. They released a product that can't function in business/school environments.

  • Multiple users logged into one server, each users printer has a different name, application needs ONE name to print to.

    I'm NOT in any way a Terminal Services expert and I need help trying to get an application program working in a multi-user environment.
    The issue is that the printer changes for every user that is logged in. The application needs to print NOT to the default printer, but to a "special" printer which is selected in the application... let's call it a label printer to simplify the explanation.
    You have your default regular printer, easy for the application to find that one, and then you have a special printer that labels get printed onto. The application needs to know what printer is the label printer. So we allow the user to select that in the application and the selection is stored in a config file in
    C:\ProgramData\mfgr\prog\setting files
    I don't have access to the application so I can't change how this works.  
    In the "regular" world, selecting the label printer driver to use should be per machine, NOT per user. When a new user logs into a machine, the physical printer doesn't go "poof" and a new printer suddenly appear. Same printer for all users.
    Yet in terminal services, the physical machine is "merged" with the virtual machine on the server. And there can be many users logged in at the same time. So each user's real machine (and real printer) is injected into the "fake" terminal services machine. The name of the printers is made unique for each user. So the printers DO go "poof" and change names depending on the user logged into terminal services.
    So user "A" logs in and sets up the application to print to "LabelPrinterForUserA" (or whatever the name of the printer happens to be), that setting is stored in the ProgramData subfolder, and all is well. Later, user "B" logs in, and when they print, the application tries to print to "LabelPrinterForUserA" which doesn't exist for user B or is only accessible by user A. If user B re-configures, that breaks it for user A.
    SOLUTION 1: The way that /should/ work (in my mind) is that you define one "generic" printer in Terminal Services... call it "Virtual Label printer" and when the user wants to print to it, the print job gets re-directed back to whatever physical printer is actually connected to their local workstation. There is a map of virtual printer to actual printer depending on the current user. The application is told once to print to "Virtual Label Printer" for all users.
    SOLUTION 2: Or... there should be some way to make the ProgramData sub folders separate per user. E.g. when user "A" tries to access:
    C:\ProgramData\mfgr\prog\setting files
    they actually get 
    C:\UserData\UserA\AppData\mfgr\prog\setting files
    and user "B" gets
    C:\UserData\UserB\AppData\mfgr\prog\setting files
    So the question I have is: Does either of those solutions exist hidden somewhere in the setup of terminal server? Or is there another way around this issue that I don't know?

    I don't really have a "for sure" answer to this, but because people here can't seem to deal with a question that hasn't been answered I'll provide the best answer I did receive from ServerFault.com user Nathan:
    I can feel your pain with using old software on terminal servers ...the solution I've come up with definitely won't scale as it requires some manual configuration, but I've gotten this method to work with our label printers (which require to be printed to an LPT port...yep, that old).
    Share your USB-connected printers to the network on each machine. Then, have the user log in on a unique session for each of them (a TS account cannot be shared among computers for this to work) and install a network printer pointing to the USB one they shared. Try to use a DNS name to account for possible DHCP movements.
    After, it should work. Each user can do this since display names can be identical as long as the ports are different (which they are).
    This was clarified by the following series of comments:
    I think you are on to something here, and I originally advised the admin to do this. The problem he ran into is that it setup the printer names in the TS as "printer on usersworkstation" and he could not rename it except to change the "printer" to whatever. E.g. the "on userworkstation" remained. I believe there is another way of installing the printer which avoids this, but I can't find it. Ages ago, one used to do NET USE LPT2 \\computer\printer password /USER:domain\user /PERSISTENT:YES and then tell the driver to print to LPT2 – James Newton, Mar 17 at 16:21
    @JamesNewton That's actually the exact method we used. The way around the "network printer" part is to install it as local printer and map it to a TCP/IP port that way. – Nathan C, Mar 17 at 16:28
    You mean in the case where the printers are TCP/IP connected and not local USB / LPT to the users workstation? That makes sense. Wonder if this will work for USB connected printers... – James Newton, Mar 17 at 16:35
    @JamesNewton You'd share the local printer on the client's PC then on the server connect via TCP/IP to it. You'd need static addresses or use DNS names if DHCP, though. – Nathan C, Mar 17 at 16:51
    Ah. Yes. I see. Looks like the LPT thing should work even with a USB connected printer: superuser.com/questions/182655/… – James Newton, Mar 17 at 17:09

  • How to enable multiple users logging in to the same client machine?

    Hi,
    We have our home directories shared from the server (using AFP) and this allows our users to log in to any machine via the normal console login.
    But if you try to remotely login to a machine with ssh, and another user is already logged in at the machine, then you get the error message:
    Could not chdir to home directory /Network/Servers/machinename/Users/keith: No such file or directory
    I can connect (via) ssh, only if no user is logged in at the console. If I connect with ssh when no users are logged in, and then a user logs in at the console, then this unmounts the home directory for the ssh user.
    I have read about the mnthome command, and if I try running this (from my ssh login whilst there is a console login) then I get the error message:
    Error: Mount failed with error 1 Operation not permitted
    I'm assuming that multiple ssh logins must be allowed somehow? Can you only do this if you share your home directories with NFS (in this case, I understand that all home directories always appear mounted on each client)???
    Any help appreciated,
    Keith
    Server and all clients running 10.4.3
    iBook & PowerMac G5   Mac OS X (10.4.3)  

    Thanks for the info. I really thought that this would be a fixable problem. I also thought that it might work when two different users both logged in using ssh only (i.e. when there is no console login). But this also causes problems for the second ssh login.
    What practical work-arounds have people tried? The respondent to your other post (linked to above) suggested that NFS sharing might work, only that ssh logins still don't mount the home directory. Is this the case?
    Thanks for the speedy answer.
    Keith

  • How to get user 'logged in' to ironport web filter without launching IE

    We have an issue with some employees who use third party programs that traverse the Internet.  These programs are 100% allowed by the organization as they are required for day to day business.  Some programs go over the Internet to communicate for certain reasons, such as a live chat help support, or ordering products, etc..
    The problem is that some of these users log in and never even touch Internet Explorer for a while.  They will go on and start working right away.  Well if they don't try to access an Internet site via IE, then the Ironport does not 'log them in', and they are known as unauthenticated.  Of course this doesn't happen with everyone.  There's nothing wrong with people coming in a little early and checking the local news online.
    We were thinking up if it's possible to have each user 'touch' the ironport web filter in some way during a logon script, unbeknown to the end user, so that they are 'signed in' and whatever Internet connected application they launch has access through to the Internet.  Right now they need to at least launch IE and go to some site (say Google or MSN) and via NTLM credentials transparently passed through IE7, 8 or 9, they can simply close the page and go about their business.  Note: they MUST go to an external site.... not an internally hosted one (such as our Intranet, time clock or HR self service pages).
    So are there any commands we can put in via kix or bat or something that will say "Hey Ironport, %username% just logged in at 10.x.x.x".  Then maybe to make it more advanced, a logoff script that says "Hey Ironport, %username% just logged OFF of 10.x.x.x".  This way when our hourly timeout happens, they aren't immediately booted from their Internet applications (if they don't keep an IE window open that is).
    Right now our ASA Firewall uses WCCP to forward port 80 to the ironport web filter.  The Ironport is a transparent proxy.
    Thanks!

    So it looks like you are moving the authentication from the Ironport S160 to the ASA5500 series firewall?
    I guess we are looking at something simpler, like a way to 'touch' the internet and pass NTLM credentials, because then the Ironport knows who the user is.
    If the user does not 'touch' the internet with IE, and say they use some other program that does not pass NTLM credentials (say Firefox or live chat program, or an ftp program, etc...) They are likely to be blocked, because the Ironport doesn't know who they are.
    Your link seems to lead to a complicated setup for something that seems so simple.  I'm not sure how that relates to an Ironport S160.. it seems to focus on the ASA5500. Also we want it to be completely 100% transparent to the end user.
    This is how it worked with a Barracuda web filter appliance...
    A DCAgent program sat on each domain controller. As users logged in or out of the domain, this agent passed this current activity to the Barracuda web filter appliance.
    The Barracuda appliance knew exactly who was logged in because of this little program on the domain controller(s) that kept it updated. Based on this, policies could be assigned based on Active Directory group memberships. ie) HR and Marketing can access Facebook, while others cannot.
    I guess I'm looking for similar functionality with the Ironport S160. If there's any way the domain controller, or even the client PC can say "Hey Ironport, %username% is logged on here at %ip_address%". That way the Ironport would know who they are, and there would be no unnecessary authentication boxes (besides the user logging into the windows domain). They could use internet connected apps that do not pass NTLM authentication. I guess the client PC or the domain controller would also have to tell the IronPort when they signed off, just so we don't have to deal with authentication timeouts. This way, say they are in our internet chat help program... after an hour, it will cut out and disconnect them - because the IronPort forgets who they are (unless they are actively using the internet with IE).
    So for now, we just use the bypass option for the affected internet services.  The default browser is IE, so the reality is that we are not suffering any tremendous inconvenience.  It's just that we want to ensure we have the best robust solution, and we can handle these types of situations with programs other than IE accessing internet resources.

  • Message "another program on your computer would like to modify Firefox with the following add-on" appears every time a new user logs in... Bad problem

    I have just deployed an image to over 500 workstations, and they are all deep frozen using deepfreeze.
    When users are logging in, and open Firefox they are getting the message "another program on your computer would like to modify firefox with the following add-on:" Adobe Acrobat - Create PDF 1.2
    Yes I know you can do a one-time click and allow, but we have potentially 50,000+ students logging into these PCs and it is unacceptable that they are greeted with this message rather than the Homepage.
    This is very disappointing, as we upgraded to the latest version of Firefox in preparation for rollout, and then added some software like Adobe.
    The profile is kept in the default user, so every time a user logs in, they will get prompted with the message, and this will always happen because we use deepfreeze.
    I need a FIX ASAP from mozilla on how to disable this pop-up via Group Policy...
    Not at all happy,
    Sharpy

    Hi,
    One way you could try is to install Firefox on a fresh PC/image which has the same Adobe software versions installed as the clients. You may also have to install the same extensions as well as software for any additional plugins as on the clients. Start Firefox and make sure everything is okay. After that you can copy and overwrite the extensions.ini, extensions.sqlite and pluginreg.dat files and probably the extensions folder and any supporting files of the extensions from this fresh profile, onto a client profile after temporarily disabling/unfreezing Deep Freeze. If everything is okay you can then push the changes onto the other clients via a logon/startup script after temporarily disabling Deep Freeze and then re-enable Deep Freeze.
    Firefox Profile Folder: http://kb.mozillazine.org/Profile_folder
    Firefox Profile Folder & Files: http://kb.mozillazine.org/Profile_folder_-_Firefox

  • Lumia 520 "Remote wipe of user data via Internet"

    I'm interested in purchasing a Lumia 520 and read on the spec site that it can do "Remote wipe of user data via Internet" (http://www.nokia.com/in-en/phones/phone/lumia-520/specifications/).
    Is there any special software that I need to be able to do this (like have it connected to a BlackBerry server in the case of enterprise BlackBerry devices) or is it as simple as stated on (http://www.noknok.tv/2013/05/02/how-to-find-your-lost-nokia-lumia-running-windows-phone-8/) where all you have to do is log into windowsphone.com where you can erase a linked phone?
    This phone will be used for business so in case it is lost I need the ability to remote wipe it. Our company currently has a BB server and we all have BB devices, but with BB not doing so well I was thinking of getting a Nokia.
    Thanks.

    WHNOKLUM520 wrote:
    So far so good. That's great news. If I could ask one follow up question though:
    Would it matter if the same SIM is installed on the phone? Let's say the 'thief' was able to get into the phone with a different SIM (if the security was not set up correctly) - would the phone be erased based on the SIM that's installed or on the IMEI number of the device?
    Thanks
    If there's no data connection, windowsphone.com cannot access your phone to send push notifications and if push notifications fail, then it will try to send SMS to your phone.
    I just tried to ring my phone after taking out the SIM card, it was connected to wi-fi and I could ring it.
    The silence will fall

  • Pix 501 user logging report

    I am running a pix 501 ver 6.1 with a tacacs 3.0 server running on an NT box.
    I have all the users authenticated via tacacs going inbound and outbound and have set up accounting as well.
    I would like to find an EASY way to compile a report to find out what the users are accessing, both application and source and destination IP address.
    If I check the reports option through tacacs it only shows me what time the user is validated and the application type, not the source or dest address.
    If I set up a syslog server and set up logging console debug it shows me the source and destination and user sent to the syslog server.
    Is there any way to manipulate this syslog report, or is there another feature within tacacs?
    thanks

    You might look at www.opensystems.com. They are a Cisco partner that developed a reporting program called Private I. They have an eval available to take a look at.

  • Can not control / observe when no user logged in

    Been fighting this for weeks. Searched the forum but found no relief.
    Using ARD 3.2 we can control / observe from our office to several workstations both in our same building and in other offices around the country. On all but one we can control / observe regardless of whether or not a user is logged in. On those, when a user is not logged in, we see the workstations' login window. We can login, etc. On only one machine, which is running 10.4.11, we can control / observe ONLY when a user is logged into it. If no user is logged in we get an "unable to connect" from ARD. Call someone in that office, ask them to login, and immediately we can control / observe that workstation. We highly doubt a port forwarding / router / firewall issue since if it were, we suspect that we'd never be able to observe / control. It appears as though ARD ON THE WORKSTATION is getting disabled at user log out... BUT ONLY ON THIS ONE WORKSTATION! Any ideas, folks? Your help would be appreciated.
    Thanks,
    BB

    Silly me! This one workstation connects via wireless connection, only. We had set, "Disconnect from wireless networks when I log out" in the wireless network's connection settings. All is well now.
    Thank you

  • Cannot view workflow log via Services for Object Workflow Overview

    We recently had an upgrade of R3/ECC and discovered a new issue.  For some reason we can no longer view workflow log via Services for Object > Workflow Overview for Material Master (transaction MM03).  We get the message "There are no workflows that have already worked with this object".  However, we have confirmed via SWEL and other t-codes that the workflow and log do exist.  This seems to be the only object we have this issue for after the upgrade.
    Anyone know what the issue is and how to fix it?   Or at least the path to config in SPRO for "generic object services" where we can see if anything changed via the upgrade for this object?
    Thanks,
    Matt
    Edited by: Matthew Huth on Apr 22, 2008 9:23 PM

    Found the solution.  See OSS note 553246.  This has been tested and works for us.   -Matt
    Note 553246
    Summary
    Symptom
    In the material master, the system no longer displays the attachments for the material or workflow items in the Generic Object Services.
    Other terms
    MM01, MM02, MM03
    Reason and Prerequisites
    As of Release 4.6B, business object BUS1001006 is valid for the material master. Until you have implemented Note 452424, the Generic Object Services is still published for the old BUS1001 business object. After implementing the note, all attachments, relationships, notes and workflow items that are assigned to business object BUS1001 are no longer displayed.
    Instead, all new attachments are assigned to business object BUS1001006. As a result, attachments cannot exist for both systems.
    For workflow items, the assignment to the business object occurs in the respective tasks. It may be very time consuming to convert the business object, depending on whether an individual subtype (assigned to BUS1001) is created.
    In other words, after you implement the note, the workflow items for business object BUS1001 can no longer be displayed in the material master.
    Solution
    With the following correction you can call the Generic Object Services for both business objects. When it is called, the system displays a dialog box in which you can choose the required business object, that is, BUS1001 ('Material') or BUS1001006 ('Standard material').
    This correction is delivered as a modification supported by SAP only. This is because the additional option means that attachments can be maintained as required in either of the business objects and users may therefore require extra training.
    However, the corrections enable you to display attachments and workflow items for both business objects without the need for a major conversion; this means that you do not get the impression that these have been lost.
    Alternatively, as of Release 4.70 (or Basis 6.20) you can, without making a modification, implement method ADD_OBJECTS of BAdI GOS_MULT_PUBLISH for filter attribute WF_OVERVIEW ('Workflow overview'), SRELATIONS ('Relationships') and VIEW_ATTA ('Attachment list'). The implementation should be similar to the following:
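    METHOD if_ex_gos_mult_publish~add_objects.
      DATA:
        ls_lporb TYPE sibflporb.
      " Read the object the Generic Object Services were called for.
      READ TABLE ct_lporb INTO ls_lporb INDEX 1.
      " For the new material business object, also publish the old one
      " so that items assigned to BUS1001 are displayed as well.
      IF ls_lporb-typeid = 'BUS1001006'.
        ls_lporb-typeid = 'BUS1001'.
        APPEND ls_lporb TO ct_lporb.
      ENDIF.
    ENDMETHOD.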

  • LDAP import users - restrictions reset after user logs in

    Using ice I imported my users into a container with a password. With admin rights I checked
    Required a password
    Force periodic password changes
    Required password changes
    Limit grace logins
    When the user logs in, all fields return back to unchecked.
    I gave NDS rights WRITE & add self to the container with inheritable.
    What else do I need to manage users accounts?

    On Wed, 30 Nov 2011 19:56:02 +0000, dcampisi wrote:
    > Using ice I imported my users into a container with a password. With
    > admin rights I checked
    > Required a password
    > Force periodic password changes
    > Required password changes
    > Limit grace logins
    >
    > When the user logs in, all fields return back to unchecked.
    If you have a password policy (Universal Password), then those attributes
    are updated to reflect the values from your policy when the user logs in.
    You cannot change them to something other than what the policy is
    configured for; they revert back as the policy is enforced.
    David Gersic dgersic_@_niu.edu
    Novell Knowledge Partner http://forums.novell.com
    Please post questions in the forums. No support provided via email.
