I am running 802.1x using a cluster of ACS 5.2 appliances and Windows XP hosts using EAP-MSCHAPv2 over a PEAP tunnel.The PC are set to perform machine authentication and if authentication is successful,they are mapped to a specific VLAN based on their AD group memberships.The problem that I am encountering is when the machine password expires while a user has their laptop off the LAN. When they bring the laptop back to work and put it on the LAN, authentication fails and the laptop does not run through the authorization policy to determine what action to take. Looking at the microsoft site, I found this:
http:[url].....
This basically states that Microsoft is aware that Windows XP is not able to change machine passwords on login after the expiry period. They offer two solutions for a workaround:
1. Use EAP-TLS - I don't want to use certificates for machine authentication due to PCs dropping off the network when they are renamed due to the PC name on the certificate not matching the PCs actual name
2. Perform user based auth - Windows XP doesn't pause the netlogon process during bootup, therefore if the user VLAN changes when user authentication is performed, all statup scripts will fail.
This brings me to trying to perform a workaround directly on the ACS appliances after authentication fails.I have an access service setup that matches any machine authentication packets from PCs configured for machine based authentication.This service then maps the VLAN upon successful authentication. Since the authentication will not be successful, the process will fail before getting to the authorization policy.I have looked into forcing the policy to continue upon failure, however this advanced option is not available for PEAP authentication.Now,I am trying to determine if there is anyway to perform VLAN mapping for a host that fails machine authentication using a rule based result selection on my identity policy for the machine authentication, but this is not working. There really needs to be a way to force a policy to continue processing even when authentication to the domain fails for PEAP authentication.
I am looking to add a new wireless network for our customers to use.I would like to cover multiple areas of the site. And if cheap enough the whole site.Ideally I would like a control panel I can use to create new passwords for every customer that wants to connect. I can then set an expiry date on the password after that it deletes the password.An extra would be if the person would have to sign an e-policy before being allowed to browse.
I have two xp pro machines that im trying to share an accounting system on one machine is the sage accounting and i want to join another machine to it the sage is working on both machines except the one is not allowing reports, comes up with an erro when i map drives i have to put in a user name and password (only once) then it works but im suspecting this is causing a problem for the reports on the previous two machines that worked fine...(we have just upgraded both) it asked for a windows password but you just pressed enter and it logged in.how do you get two xp machines to talk without password prompt i have run the networking wizard on both, and they are both on the same workgroup
I have 2 windows 7 laptops running wireless and a windows xp desktop connected by wire to linksys router. The desktop has no problems accessing the other computers.One laptop has no problem accessing the other computers on the network. The other laptop has trouble with the windows XP machine. It asks for login info, which there is none. I tested with the laptop wired and it seemed to access it normally. Also, it is not consistant. It sometimes works and sometimes doesn't. I have gone through other posts and made sure that password requirement was off
We have installed ACS 4.1 as authentication server for wireless SSID. Need to create list of ACS user expired on specific date.Is it possible to create report in ACS 4.1 as per user account expiry date?
I have a strange error on my home network that I cannot find a solution to.I have an Huawei SmartAX MT882 from TalkTalk acting as a modem connected to a D-Link DSL-G624T acting as a router/switch. Connected to the D-Link I have a Windows 7 Pro machine (64-bit, SP1) and an XP (home i think) machine (sp 2 i think).The SmartAX modem is set up to perform DHCP and DNS relaying and the D-Link has DHCP turned off and DNS relay turned off.The Win7 machine can access the network, get an IP address and access the internet without problems, regardless as to the status of the XP machine.The XP machine can access the network, get an IP address and access the internet with no problems ONLY of the win7 is powered up. When the win7 machine is off, the XP machine seems to drop about 25% of the ping packets between it and the D-Link router and has no internet access (because of this i assume). [code]
New Win-7 machine set up. I used the printer set-up wizard to install a networked printer in the new machine with absolutely no problem. Proved it would print from that machine.Now, I get a call informing me that her old XP machine, which had been printing to the network printer with no problems, will no longer print.Documents go into the print queue, but they don't get printed.No error messages show up.I did some messing around via remote access, and finally removed the printer with the intention of reinstalling it.Scanning for network printers turned up several redundant instances of the same printer with different names. Some are identified as "invalid" some a "access denied". Bottom line. I can't get any of the selections to install.On the Win-7 machine I did find a window that indicated that the printer is designated as being shared, but I didn't explicitly set it for sharing when I installed it. Also, I somehow got to a window that told me that for printers that were to be shared with other versions of windows I could optionally install drivers to support such machines. Didn't have the driver disk handy and took the window down. Now I can't even find it again.I need sorting this all out.Part of the problem is that out there in "network land" there are redundant remnants of previous installations that are being remembered inappropriately.
I have a network problem. My windows 7 machine is not detecting win xp machine whereas win xp machine is detecting win 7 machine. They are in the same workgroup named Home. And the networking system is set to work. I have left the homegroup I was previously in. I enabled file sharing for devices that use 40 bit and 50 bit encryption. On XP I have enabled NetBios over TCP/IP. File sharing is enabled on both computers. I think it's something obvious as both instalations on different computers are really fresh and both windows haven't been tampered with.
I have set up an ACS (5.2) to do EAP-TLS Machine and User Authentication.I am getting intermittent results with the machine authentication using the same laptop as a test client.When the machine authentication succeeds the RADIUS name shows as host/xxx-yyy.When the machine authentication fails the RADIUS name shows as xxx-yyy without the host/.
I want to install a windows operating system in my machine but my machine dont have a CD-ROM. so i want to install an OS from using my another PC(Laptop)'s CD-ROM. So is it possible to install OS into my one machine from another different machine(windows-7) via sharing the drive .
I am trying to configure a NIC IPv4 with IPv6 disabled on a virtual machine (win server 2008)The instructions I got say that I need to use IP 192.168.210.0/24.However when I enter this IP and use subnet mask 255.255.255.0 I get the following error. Why this is and if there is a way to resolve the error?
Switch: WS-C3750X-48P (Stack with 2 Members) IOS: 12.2(58)SE2 Lic: IPBASEK9
[Code]....
Since i added another Member to the Stack, i'm facing the following problem: When i login with my tacacs user account, i will not be asked for the password. The same thing is for the tacacs account of my colleague, after entering the username he is logged in. It seems for me, that the passwords are cached only for this Switch.
I have just reimaged one of my ACS appliances as it was completely corrupted.Now I have done this I have connected it to the network via DHCP so I can patch it from v4.2 to the latest version.The machines is now on the same VLAN as my workstation. When I try to login I get the message
"This machine cannot be used for administration"
The box is a vanilla install with only the passwords set on the machine - my workstation has its local firewall turned off and is not using a proxy server. as I can't log into the gui I can't change any settings there?
I have 802.1x/peap authentication in my wireless network with ACS 4.2 as the authentication server. I enabled PEAP machine authentication under the Unknown user policy --->database configuration sub-menu. I discovered that I was still able to access the wireless network on my android phone with my domain logon. I later discovered that there is an option in Group policy to force Windows XP clients to perform computer authentication. Now the problem is that windows 7 clients do not have the EAPOL option in the registry, hence the group policy object may not work. How to enforce machine authentication and stop unwanted devices without having to purchase a NAC server.
I am currently authenticating wireless clients using PEAP User Authentication through a Cisco Wireless LAN Controller and Cisco ACS 4.2, which points to a Microsoft Active Directory external database. This does not keep users from configuring thier personal devices with thier Active Directory login information and connecting to the corporate wireless network. I can setup a client to use a certificate, machine authentication and user authentication, but I havent been able to REQUIRE the certificate and or machine authentication to authenticate to my wireless network.
>I now have the Windows External Database Configuration, ACS External Database setup with Enable PEAP Machine Authentication and Enable machine access restrictions. With the client configuration set to use Computer Authentication, it passes the authentication through ACS (and AD), but the client can also be configured for User Authentication and also pass authenticaiton. Is there a way to only require Computer Authentication through a Cisco WLCCisco ACS?
I'm planning migration from ACS 3.3 to a new machine, so I'm thinking about new Cisco ISE.I have the following question: ACS 3.3 acts as AAA RADIUS with LDAP repositoriy for wireless deployment, using PEAP-GTC. Is possible, with ISE, to use a different EAP method, such as PEAP-MsCHAPv2 or EAP-TTLS?
In ACS 5.X I think it's only supported PEAP-GTC and EAP-TLS when identity repository is LDAP. Is the same in Cisco ISE?
I have configured ACS 5.1 to check AD domain computer accounts then permit access, the next rule authenticates AD domain users and checks machine accounts with WAS MACHINE AUTHENTICATED "TRUE" permit.
My dilemma - Windows XP supplicant work fine and I can see the host/machine (Wireless device) authenticating followed by user credentials, but when I use the Intel Pro/set supplicant version 12.1 the same device fails authentication due to ACS not being able to verify a good previous machine authentication?
Is this problem ACS related or down to the Intel supplicant.
I am working on a project at my company. In short, there is one PC in the office to which other user must remotely connect to perform certain tasks. The stuff they do must be done from the machine with the specific IP, the IP of that machine, as this is specified in agreements with the companies we work with. So far, we have been using Remote Desktop (our machines are Windows-XP-based PC's), but this is quite annoying when more than one person needs to use the machine at the same time
If i want to send a packet from one host to another host through a router, how will the packet be sent? I mean what are the stages that a packet can reach to the destination.
I am trying to link a Windows 7 machine with a laptop running Windows XP. The workgroup on both computers is the same. On the Win7 machine, I have a couple of folders set to be shared. The first is the C Drive and the share name is C-drive. The second is Quickbooks that I have named Quickbooks. On the XP machine, I went to map network drive and in the blank typed \Remote1C-drive. It asked for username and password and just like that we were connected. But I can't see all of the files on this drive. I don't even see all of the folders - one of which is Quickbooks. So I tried \Remote1Quickbooks and Windows XP couldn't find that path even though I'm positive that folder is shared on Win7. So no matter what I try, I can't see this folder on the XP machine, I even tried copying this folder to other locations around the computer and setting up shares in hope that something would work, but it never did. So I went back to the C Drive share on the XP machine. I tried to go in reverse, creating a file and putting it on the root of the c drive (I did this on the XP machine, but the file should have actually been located on the Win7 machine. When I check Win7, the file didn't exist. So I tried the other way. I right clicked on the c drive in Win7 and created a new bitmap image file. Back to the XP laptop, that file doesn't show. But if I look at the c-drive on Win7 from the xp machine, I see several other folders and some of them like Program Files contains actual files. But some of them are just empty such as \Remote1C.
I have two routers in my office, each one having wireless extensions and its own DSL connection.I want machine on A subnet communicate with machine on B,I'll need some sort of physical connection (a cable? a new device?).Router A and B are typical home router with wifi extension: they only have a WAN port,I won't be able to let them talk to each other simpy by plugging an Ethernet cable between two LAN ports, since the two routers are on different subnets.
Basically, I am swapping my Atom/ION nettop (that I use as a file server, game server, torrent server etc. etc.) for one that has no fans and no mechanical HDD. I control it primarily via RDP, so I don't need to plug a keyboard or display into the nettop itself.
The new one I'm getting should be a step up due to the whole no moving parts thing, as well as the much faster CPU. But Intel, in their infinite wisdom, have not provided (and don't plan on providing) a 64bit graphics driver for the GMA 3650.
If I were to install 64bit Windows on this new machine without installing a driver for the graphics, would I have any issues using RDP? I'm not sure if the visuals are generated on the host or the client and whether it would matter either way.
I have connected fax machine with line card, line card with Modem (MT5656SMI), and with modem is connected to PC UART. i want to pause the fax machine from PC, while scanning. i gave AT+FTS=10 command. but it did not worked.
I have two Win XP machines and a Linux Mint. I can access the shared folders of my Win machines from Linux but Win machines, in the Workgroup, shows the Linux connection as "MyMint server (Samba, Linux Mint)(MyMint)" but I can't access files on that machine. "MyMint" is the computer name.
I have a Windows 7 machine connected to my TV set. I want this machine to act as much as an appliance and as little as a PC as possible. To that end, I want it to be able to access my NAS disk, but not the Internet. Internet = annoying update messages (think Adobe), viruses, crap.I don't know if this is a setting that I can do in Win7 or in the DI-Link AirPlusG router thing
I have 2 NIC cards on the same machine running Redhat 9.I need to setup the machine in such a way that both cards are in the same subnet but card on port eth1 can be reached through card on port eth0.I tried modifying the iptables (with the limited knowledge that I have on it,used google) and even tried turning it off.I also tried setting files /proc/sys/net/ipv4/ip_forward and /proc/sys/net/ipv4/conf/all/proxy_arp to 1 but was unable to ping from IP address on port 0 to IP address on port 1 and vice-versa
Everything in the house can connect to the internet aside from my windows 7 machine. It was working fine acouple days ago. it was connecting via a wireless network adapter through a USB. I tried switching the USB ports, hardwiring, re-ownloading/installing the drivers and even reformatting the machine. i still cannot get an internet connection. Only logical thing to do would be to replace the NIC ?
We have a Cisco 886 configured with two WAN's (ATM0 connected to a DSL line and Fa3 connected to a CMTS modem).We're running DMVPN over the Cable network and GetVPN over the DSL line. When the DSL line is down we see a lot of CPU peaks up to 90%.The CPU peaks are caused by the process "DSL state machine". As soon as the DSL line has sync and the ATM0 interface goes UP the CPU peaks disappear. What we'd like to know is if this constant extra CPU load will have an impact on other resources like normal routing & switching or more specific IPSEC handling. Is it for example possible that establishing an IPSEC tunnel will fail because of the CPU peaks?
Having a strange issue with RDP to a XP machine through a L2L tunnel.Tunnel is between an ASA5505 and ASA5510. Site A 5510, Site B 5505 I have a handful of Win7 and XP Dev machines running on ESXi 4.1 within Site A.Site B to Site A I can RDP to all Server 2008 and W7 machines(physical and virtual).I can also RDP to a physical XP machine.I can ping the XP VMs by name and IP successfully.I cannot RDP to the 5 XP VMs running on the ESXi 4.1 host Site A to Site B I can RDP from the XP VMs on the ESXi 4.1 host to any machine within Site B.Within Site A I can RDP to these XP VMs AnyConnect I can AnyConnect into Site A and RDP to the XP VMs I have tried to Telnet on 3389 to the XP VMs with no success.
