Flex connect with a per user ACL with APs locally switched

Hi all,
Does FlexConnect allow a per-user ACL to be downloaded to the session with local switching and central authentication? We are using ISE as the central policy engine and have set up dACLs for wired, but I am about to embark on WLAN. The controller is a 5508 and the APs are 3700s.
Second question: if the FlexConnect APs don't do any form of per-user ACL, the other option is to have the units in regular mode, where they are both centrally switched and centrally authenticated, which I understand supports a per-user ACL. Our WAN links are between 10 Mbps and 30 Mbps and the most latency would be around 40 ms. Will this cause issues at all with WAN links of that size and latency?
Thanks
Sent from Cisco Technical Support iPad App

Well, you are running v7.6, so FlexConnect per-user RADIUS ACLs are supported per this doc since v7.5.
http://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/112042-technote-product-00.html#anc9
As far as WAN latency, 200 ms is good, but it depends on your WAN utilization now, how many APs you plan on installing, and the increase in wireless traffic across your WAN. There is a minimum requirement, but it's up to you in the end to make sure you have enough bandwidth, or else you will need to QoS the CAPWAP traffic to ensure the APs don't bounce from connected to standalone.
Sent from Cisco Technical Support iPhone App

Similar Messages

  • 802.1x NAC and per-user ACLs

    Can 802.1x NAC and per-user ACLs be used together on the same port? I know some of the NAC documentation says that 802.1x NAC does not support downloadable ACLs, but it looks like it might be outdated, and according to http://cisco.com/en/US/products/ps7077/products_configuration_guide_chapter09186a0080817284.html , it appears that there is nothing preventing this.
    Also, when will URL redirection to a remediation server be supported with 802.1x NAC?

    You just need to configure it differently on ACS. "Downloadable IP ACLs" used to be "Downloadable PIX ACLs" on ACS. It changed to "IP" when VPN concentrators started supporting this with ACLs too. You saw this with NAC, if I remember .. and EOU does it this way as well.
    802.1X with per-user ACLs was already shipping at the time though (has been for some time) and the mechanism is operationally the same .. just functionally different.
    With per-user ACLs, you'd configure a VSA like:
    ip:inacl#1=deny ip any host 10.1.8.3
    ip:inacl#2=permit ip any any
    The "downloadable IP ACL" config would look like:
    deny ip any host 10.1.8.3
    permit ip any any
    In the end, both techniques use the same VSA. This VSA is 026\009\001. In "per-user ACLs", there's no sort of handshake though to see if the ACL is already there, etc. It slaps the ACL on for you unconditionally as an authorization rule because you told it to (hence the "ip:inacl" stuff above). With "downloadable", there's a handshake before actually applying the ACL .. to see if there's an earlier copy of the ACL, and it'll only update what changed, etc.
    So, it really boils down to semantics. Both techniques work. AAA config is subtly different on the backend. Look for this to get consistently deployed soon, but in the meantime, it's still supported ;-).
    Hope this helps,
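    To make the equivalence described in the answer above concrete, here is an added example (not code from the thread or from Cisco) that normalises both encodings, the `ip:inacl#N=` av-pairs and a downloadable IP ACL body, into one ordered ACE list and flags ordering mistakes before a policy admin pushes the ACL. The ACE grammar it accepts is a constructed subset (permit/deny, ip/tcp/udp/icmp, any/host/wildcard); the sample ACEs are the ones quoted in the post.

```python
"""
Normalise the two AAA ACL encodings (per-user ACL VSAs vs. downloadable
IP ACL bodies) into one canonical ACE list and sanity-check the entries.

Added example, not code from the thread; the 'ip:inacl#N=' attribute format
and the sample ACEs come from the post, the ACE grammar is a constructed
subset of IOS extended-ACL syntax.
"""
import re

# Per-user ACL VSA: cisco-avpair "ip:inacl#<seq>=<ace>"
_VSA_RE = re.compile(r"^ip:inacl#(?P<seq>\d+)=(?P<ace>.+)$")

# Minimal ACE grammar:  <permit|deny> <proto> <src> <dst>
#   where <src>/<dst> is 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W'
_IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
_ADDR = rf"(?:any|host {_IPV4}|{_IPV4} {_IPV4})"
_ACE_RE = re.compile(
    rf"^(?P<action>permit|deny)\s+(?P<proto>ip|tcp|udp|icmp)\s+"
    rf"(?P<src>{_ADDR})\s+(?P<dst>{_ADDR})$"
)


def parse_ace(text):
    """Validate one ACE and return it in canonical single-spaced form."""
    m = _ACE_RE.match(" ".join(text.split()))
    if not m:
        raise ValueError(f"unsupported or malformed ACE: {text!r}")
    return f"{m['action']} {m['proto']} {m['src']} {m['dst']}"


def from_per_user_vsas(avpairs):
    """Parse 'ip:inacl#N=...' av-pairs; order by N and reject duplicate N."""
    entries = {}
    for pair in avpairs:
        m = _VSA_RE.match(pair.strip())
        if not m:
            raise ValueError(f"not a per-user ACL av-pair: {pair!r}")
        seq = int(m["seq"])
        if seq in entries:
            raise ValueError(f"duplicate inacl sequence #{seq}")
        entries[seq] = parse_ace(m["ace"])
    return [entries[k] for k in sorted(entries)]


def from_downloadable_acl(body):
    """Parse a downloadable IP ACL body (one ACE per line, '!' comments)."""
    return [parse_ace(line) for line in body.splitlines()
            if line.strip() and not line.strip().startswith("!")]


def to_per_user_vsas(aces):
    """Render a canonical ACE list back into per-user ACL av-pairs."""
    return [f"ip:inacl#{i}={ace}" for i, ace in enumerate(aces, start=1)]


def lint(aces):
    """Return findings an admin would want to see before pushing the ACL."""
    findings = []
    if not aces:
        findings.append("empty ACL: everything is dropped by the implicit deny")
    elif aces[-1] not in ("permit ip any any", "deny ip any any"):
        findings.append("no explicit terminal entry; implicit deny ip any any applies")
    # An 'ip any any' entry before the end shadows every entry after it.
    for i, ace in enumerate(aces[:-1], start=1):
        if ace.endswith("ip any any"):
            findings.append(f"entry {i} matches everything; later entries are unreachable")
    return findings


if __name__ == "__main__":
    vsas = ["ip:inacl#1=deny ip any host 10.1.8.3", "ip:inacl#2=permit ip any any"]
    dacl = "deny ip any host 10.1.8.3\npermit ip any any\n"
    # Both encodings yield the same ordered ACE list.
    assert from_per_user_vsas(vsas) == from_downloadable_acl(dacl)
    print(to_per_user_vsas(from_downloadable_acl(dacl)))
    # A mis-ordered ACL: the permit-all shadows the deny that follows it.
    print(lint(["permit ip any any", "deny ip any host 10.1.8.3"]))
```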

  • No of Concurrent Sessions Per User  Mismatch with profile settings

    Hi
    DB Version Oracle Database 11g Enterprise Edition Release 11.2.0.1.0 - 64bit Production
    OS RHES 5U2
    I created a profile MYPROFILE and set the value of Concurrent Sessions (Per User) to 30. DB was bounced after creating the profile. I made this profile default for a particular user "MYUSER". I verified that by querying DBA_USERS (select profile from dba_users where username like 'MYUSER'). I checked v$session with that particular user after some time and noticed that it was showing 34 sessions, some ACTIVE and some INACTIVE.
    My question is, if I have set the maximum limit of concurrent sessions per user to 30 in MYPROFILE and made this the default profile for MYUSER, then how come I am still able to see more than 34 sessions of MYUSER regardless of the status? I am not sure if this is relevant or not, but the IDLE TIME is set to 15 minutes.
    Thank you for your help
    Edited by: user560883 on Jul 4, 2010 12:45 AM

    user560883 wrote:
    Hi
    DB Version Oracle Database 11g Enterprise Edition Release 11.2.0.1.0 - 64bit Production
    OS RHES 5U2
    I created a profile MYPROFILE and set the value of Concurrent Sessions (Per User) to 30. DB was bounced after creating the profile. I made this profile default for a particular user "MYUSER". I verified that by querying DBA_USERS (select profile from dba_users where username like 'MYUSER';) I checked v$session with that particular user after sometime and noticed that it was showing 34 sessions. Some ACTIVE and some INACTIVE.
    My question is, if I have set the maximum limit of concurrent sessions per user to 30 in myprofile and made this the default profile for MYUSER, then how come i am still able to see more than 34 sessions of myuser regardless of the status? I am not sure if this is relevant or not but the IDLE TIME is set to 15 minutes.
    Thank you for your help
    Did you set the parameter resource_limit=true? You must do it before you test sessions_per_user. You can do so like the following,
    alter system set resource_limit=true;
    After this again try and post the feedback.
    HTH
    Aman....

  • Serious problem with TSCAL per user Licensing (Event 4105 on Licenseserver)

    Hello,
    I've got a problem with Terminal Services licensing: we migrated our AD from W2003 to W2008. At the same time, we updated our Terminal Services license server to W2008 (member server, no DC). We are using per-user TSCAL licensing. The problem is that for (nearly) every user that logs on to a W2008 terminal server, an event 4105 is generated in the event log of the license server, which means that the license server cannot update the AD user properties when it delivers the CALs.
    We have discovered that the terminalserver-licenceserver group is listed under the security properties of the user but has no rights. For newly created users the rights "terminalserver-licenceserver read/write" are correctly set, and for those users no event 4105 is generated. The problem is that license reporting (usage) is only working for those newly created accounts and not for old ones. Why doesn't the terminalserver-licenceserver group have the rights to modify the Terminal Server AD attributes for older accounts (these accounts were created when the domain level was W2003)? Is there a workaround or hotfix from Microsoft to correct the security settings?
    Many thanks
    Ralf

    Hello Ralf,
    Thanks for your post in our forum.
    Based on my understanding on your post, you have met the following issue:
    You have migrated the Active Directory domain from Windows Server 2003 to Windows Server 2008; You have also upgraded the Terminal Server License Server from Windows Server 2003 to Windows Server 2008. After that, when the existing terminal users access the Terminal Server, an Event ID 4105 is logged to claim that the License Server fails to update the AD user’s properties.
    According to the analysis on the second paragraph of your post, I think it is a known issue caused by insufficient permissions of the migrated users created in Windows Server 2003 domain environment. As you’ve found, the permissions required are for the Terminal Services Licensing Servers group:
    - Read Terminal Server license server
    - Write Terminal Server license server
    To fix this issue, please give these two permissions to the existing users.
    After that, please confirm if the License Usage Report is working for the old users.
    For more information about Event ID 4105, please refer to:
    Event ID 4105 — Terminal Services Per User Client Access License Tracking and Reporting
    http://technet.microsoft.com/en-us/library/cc775179(WS.10).aspx
    Please feel free to let me know if I can provide any further assistance. Thank you for your cooperation.
    Lionel Chen
    TechNet Subscriber Support in forum
    If you have any feedback on our support, please contact [email protected]

  • Limit bandwidth per user/computer using Catalyst 3560 switch

    Hi -
    Can someone help me get started (if at all possible...) with enabling control of used bandwidth at a "per-user" level?
    I wonder if it is possible to do this dynamically with respect to the overall demand from other users.
    I've searched a lot, but I'm missing the terminology :)
    Sincerely
    Nicholas

    Disclaimer
    The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
    Liability Disclaimer
    In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
    Posting
    To my knowledge, what you want to accomplish isn't possible on a 3560.
    You can police at ingress, and if you use a policy map, you can police different "known" IPs.
    What you could do is police user ports ingress at some nominal bandwidth, and if exceeded, mark the packets. Then on egress, you could direct those packets to a different egress queue with a lower bandwidth guarantee than the normal queue.

  • VLAN assignement per user group with WDS

    I have configured an EAP-TLS WLAN. I have configured the RADIUS server to assign a VLAN to the user depending on the user group.
    In this way I prevent a user with a valid certificate who discovers another SSID from changing VLAN by changing his SSID (so I control which VLAN every user connects to).
    But when I configured WDS on the WLAN it stopped working. Because (I suppose) when the user reauthenticates (not the first time) the WDS doesn't ask the RADIUS server (it uses its cache), so it doesn't use the RADIUS configuration and applies the VLAN depending on the user's SSID.
    How can I resolve this problem?
    Thanks

    I think that the WDS configuration is not working as intended. That's the reason the WDS is not caching the credentials and authenticating the user. Under Wireless Services > WDS status tab, do you see the infrastructure devices as Registered? If not, check the authentication server for authentication stats. The first thing is that the WDS AP should register the infrastructure devices. Only then will things work.

  • Is there known issues with a CRM user working with 2 concurrent sessions?

    Hello,
    This is in regards to CRM 6.0 - Web Client.  I'm wondering if anyone has heard of issues coming up if 1 user operates 2 CRM sessions / browsers at the same time?
    For example, the user is in the middle of a BP change in 1 browser and gets a phone call.   The user wants to have a second CRM session opened so that they don't have to exit the current one while they speak to the BP and maybe even edit this second BP as well. 
    I'm wondering if anyone has seen or heard of problems with these scenarios such as edits ending up on the wrong BP or information  exchanged between browsers, etc.

    Hello
    For your current CRM version, multisession is not supported for the following scenarios:
    - Telephony
    - Alerts
    - Broadcasting
    As of CRM 7.01, multi session is supported. For instance, in your example, there is a tab navigation that allows several browsers with and without a call.
    [SAP Note 1597836|https://service.sap.com/sap/support/notes/1597836] contains details on multi session.
    Regards
    Joaquin

  • Windows domain how to get full user name with last name.

    Hi:
    I hope someone finds the answer. I wrote this question before in the old forum http://forums.sun.com/thread.jspa?threadID=5450216, but I didn't get an answer, so I am migrating my question.
    Is there a way to get the full user name from a windows domain? Like the one that you see in the windows start menu on the top.
    I have an application that needs to print a report with the full user name with last name and everything (Example: John F. Doe, not jdoe), so they can sign above the name. Please tell me if there's an api or jar, because the only thing I can get right now is the username. One more thing, it's a stand alone java swing application.
    I will appreciate your help.
    Regards,
    j2gl

    JAAS with the Windows Login Module is about as close as you can get. I don't know exactly how close that is.

  • How to change the maximum number of process per user in BW ?

    Hi,
    Do you know how to change the maximum number of process allowed per user ?
    With RSRT we can customize the number of process per query but I don't know where we can customize the maximum number of process per user.
    In fact, my production environment always reaches the max number of processes available in SM50...
    Thanks a lot

    Hi,
    A user does not have a number of processes, but a work process can handle N users. If a user hits any transaction, we can say from a list of N work processes which one has taken the work.
    Correct if I am wrong.
    Regards
    Syed.

  • RDS (2012 R2, Per User) client issues after moving from TS Licesning (Win 2K3, Per Device)

    I run a XenApp environment (mixed Presentation Server 4.5, XA6.5, XA7.6... I know).
    I've somewhat recently moved our RDS/TS licensing from an old 2K3 TS licensing vm that needed to go to a 2012 R2 RDS licensing vm.
    The 2K3 vm ran with a Per Device mode, and the 2012 R2 vm is using a Per User model.
    RDS is working fine as far as I can tell - handing out licenses to their RD Session Hosts, in the proper security group which has the ability to Read/Write the MSLicensing user attributes (Terminal Server License Servers). By GPO, I am telling (and they are applying) my XenApp servers to use their new RDS Licensing server and with a Per User model. The issue I am seeing is this:
    On a given XenApp server, the event ID 1011 - TerminalServicesRemoteConnectionManager:
    The remote session could not be established from remote desktop client computername because its temporary license has expired.
    When I hit the Details tab:
    Windows Server 2003 - Terminal Server Per Device CAL Token.
    Which then results in having to remove the MSLicensing registry key. Which is annoying. Anyone else run into this after moving licensing servers and/or models? Feedback would be awesome, danke!

    Hi,
    According to your description, it sounds like a known issue. The workaround is to delete the MSLicensing key under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSLicensing. (Note: please create a backup of the MSLicensing registry key and its subkeys on the client before you remove the original key and subkeys.)
    For more detailed information, you can refer to the similar thread below:
    https://social.technet.microsoft.com/Forums/windowsserver/en-US/9eb42798-e75e-4693-9a5d-9e96895e16c8/remote-desktop-license-server-problem?forum=winserverTS
    Best regards,
    Ssie
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]

  • Centrally Switched and Flex Local Switched WLAN - same SSID

    Hi All
    I am currently working on a WLAN migration from lightweight to autonomous and would like advice on whether the following scenario is possible.
    We've deployed an 8500HA pair at the customer's central HQ with the plan that SSIDs at the central HQ will centrally switch with SSIDs at branch sites locally switching.  AP and Flex groups have been configured for the HQ and branch sites.  There is a legacy SSID at HQ that will need to break out locally so a flex group is required for HQ.
    My original plan was to do this with one WLAN Profile per SSID, configured to locally switch.  The HQ AP group will map WLAN to the relevant IP interface with the SSID omitted from the HQ Flex Group so that the SSID will centrally switch.  The branch AP groups will be configured with the SSIDs required for branch and Flex groups will be configured to break out the SSIDs  into the relevant local VLAN.
    My question is, is it possible for an SSID to be configured as locally switched for branches but also centrally switched for HQ, by configuring it in the HQ AP Group but omitting it from the HQ Flex group?
    Configured as above a client debug gives the below which seems to suggest that it isn't possible, unless I've configured something incorrectly...
    *apfMsConnTask_5: Oct 03 15:48:51.012: c0:18:85:48:c0:5d Central switch is FALSE
    My alternative option is to create a second WLAN profile for each SSID with the same SSID name but centrally switched and then apply that accordingly in the AP groups.
    If someone can verify the above I'd be very grateful.
    Many thanks in advance
    Mark

    Hi Mark
    My question is, is it possible for an SSID to be configured as locally switched for branches but also centrally switched for HQ, by configuring it in the HQ AP Group but omitting it from the HQ Flex group?
    When you configure an SSID for local switching, it is only applicable if the AP is in FlexConnect mode. So as long as your HQ APs are in Local mode, all those users' traffic will be centrally switched for the given SSID. At the branch, those APs are in Flex mode, so they will be locally switched.
    Please do not forget to rate our responses if that is useful to you
    HTH
    Rasika

  • Limit the number of session per user in the Wired dot1x environment with ISE 1.2

    Hello,
    I need to check if there is any configuration/workaround to limit the number of sessions/access per user in the Wired dot1x configuration.
    I need to check if this feature is available or not to solve the following scenario:
    I have 2 SW ports configured to use dot1x authentication with ISE 1.2 server.
    If user A connects to the 1st port and is authenticated, then he will be placed in a VLAN based on the authorization profile.
    The case is that I need to deny the same user connecting on a different machine with the same credentials.
    The ISE itself does not have this feature currently,  the only feature available is to limit the number of sessions for the guest user.
    Is there any workaround on the Cisco switches to solve this? Cisco WLC has this feature and for the VPN we can limit the number of sessions also from the ASA itself.
    Thanks.

    Limiting the number of sessions per user using wired dot1x is not available in 1.3.

  • Cisco ISE with Flex Connect ios 7.4

    Hello my name is Ivan
    I have a question:
    Is it possible to do a deployment with Cisco ISE (TrustSec 2.0) and FlexConnect and web authentication to a cluster of Cisco WLCs (ios 7.4)?
    Are there features or requirements to configure this?
    Regards
    Ivan

    By "cluster of cisco wlc" are you referring to the HA features for the 5508?  HA or not should be irrelevant to the configuration of ISE w/ 7.4 WLC on flex connect.
    Configuring CWA (central web auth) via L2/Mac-Filter and RADIUS NAC will require that you have a FlexConnect group built with the desired AP within the group.  You will need to build FlexConnect ACLs and apply them to the FlexConnect group that correspond with the various NAC states the client will be in during the CWA process. 
    You will probably need 1 or 2 Web Policy ACLs
    1. allow traffic to/from dns and ISE PSN
    2. allow traffic to/from dns, ise and other resources (for instance for posturing/remediation)
    Please note that you cannot "dynamically" assign ACLs to FlexConnect APs/Groups as part of the transition from central webauth required to RUN. The Web Policy ACLs are the only ones that can override (think of them like pre-auth ACLs). Once you finally send back the access-accept for the client, you cannot apply dynamic ACLs to the particular WLAN/VLAN.
    For instance if you needed differentiated access on a single network between guest and vendors, you couldn't send an access-accept back with an ACL for vendors vs an ACL for guests - in a FlexConnect environment.  They would have to be placed on separate networks with their respective access.
    It's possible this type of configuration (much desired) will be allowed in 7.5 whenever it rears its head.

  • Single Corporate SSID + Single Guest SSID across 200 sites over VPN with Flex Connect

    We have two main sites (East Building as DR + West Building as BDR) + 100 remote sites / all connection between the sites based on VPN / OSPF
    East building has 1 WLC 5508 with a license of 500 AP
    West building has 1 WLC 5508 with a license of 500 AP
    50 remote sites in East
    Each East remote site has 5 APs (AIR-LAP1142N + AIR-CAP2602I)
    Total AP in all the 50 remote site in East is 250 AP
    50 remote site in West
    Each West remote site has 5 APs (AIR-LAP1142N + AIR-CAP2602I)
    Total AP in all the 50 remote site in West is 250 AP
    Hardware available are:
    2 * WLC 5508
    2 * ACS 5.2
    Most of the switches that connect to the AP are 2960G
    All the AP are
    AIR-LAP1142N-E-K9
    AIR-CAP2602I-E-K9
    Requirements in Brief:-
    1 SSID for Internal user across all the sites
    1 SSID for Guest user across all the sites
    All IP for all the sites based on their local subnet
    All the remote sites need to be Flex connect
    The 2 WLC need to configure as failover
    Requirements in Details:-
    One Corporate ABC-SSID for all the sites
    One Guest ABC-SSID for all the sites
    The WLC in East building is the primary which control all the East remote site (250 AP)
    The WLC in West building is the secondary which control all the West remote site (250 AP)
    A fail over between the two WLC as below:
    If the WLC in east fail then all the AP in east (250 AP) will connect to WLC in West
    If the WLC in West fail then all the AP in west (250 AP) will connect to WLC in East
    Each Remote site behaving as Flex connect to reduce the overhead over the WAN/VPN
    Each site must have their own AP groups for the ease of management
    All the AP MGMT IP based on their local subnet
    Each remote site, West building, and East building must obtain their IP based on their local VLAN Example:- site-1 in East:
    Corporate ABC-SSID take 10.204.0.0/24
    Guest ABC-SSID take 192.168.0.0/24
    Example:- site-2 in East:
    Corporate ABC-SSID take 10.204.1.0/24
    Guest ABC-SSID take 192.168.1.0/24
    Example:- site-3 in East:
    Corporate ABC-SSID take 10.204.2/24
    Guest ABC-SSID take 192.168.2.0/24
    And so on…….
    Example:- site-1 in West:
    Corporate ABC-SSID take 10.204.100.0/24
    Guest ABC-SSID take 192.168.100.0/24
    Example:- site-2 in West:
    Corporate ABC-SSID take 10.204.101.0/24
    Guest ABC-SSID take 192.168.101.0/24
    Example:- site-3 in West:
    Corporate ABC-SSID take 10.204.102.0/24
    Guest ABC-SSID take 192.168.102.0/24
    And so on…….
    Reference that I found
    https://supportforums.cisco.com/thread/2039215
    Expert I'm really stuck here, so please any help will do.
    Thanks in advance

    What are you stuck on? What you have mentioned is possible.
    When you set up FlexConnect, and also when APs might fail over, you need to make sure that the WLAN IDs are in the same order on both WLCs. Also the AP Groups have to have the same information, the same AP Group names and the same WLAN to VLAN mapping. So as long as the WLCs are configured exactly the same except for IP addresses and hostname, failover for FlexConnect will work fine.
    Now the FlexConnect WLAN to VLAN mapping is done on the access point itself. So each AP will have to be configured. AP Groups will not help here, as you can really just create one, since you will have the same WLANs broadcasting at each site. You can make it simple though :) and this is a good tip.....
    If all your VLANs are the same in every site, including your DR and BDR, then the WLAN to VLAN mapping will use the VLAN you have specified in the WLAN under the interface mapping. So if your corporate WLAN is mapped to interface VLAN 100, all your FlexConnect APs will have that mapping set to VLAN 100. If your guest WLAN is mapped to the VLAN 999 interface on the WLC, then the FlexConnect WLAN to VLAN mapping for the guest will be set to VLAN 999.
    Now if you have different VLAN IDs for each site, or it might be the same for some and not the others, well, you will have to touch each AP and configure the WLAN to VLAN mapping.
    The WLAN to VLAN mapping appears only when you have enabled FlexConnect local switching in the WLAN and you have the access point in FlexConnect mode.
    Sent from Cisco Technical Support iPhone App

  • Lync 2013 commands shell to get the report which user is connecting to which pool in coexistence with Legacy version

    HI,
    We have LYNC 2013 in coexistence with OCS 2007 R2, and the setup is such that a user can connect to any pool, whether the SIP address exists on OCS 2007 or on LYNC 2013.
    Do we have any command shell to get the details about which user is connecting to which pool?
    lync 2013 commands to get the report which user is connecting to legacy pool in coexistence with ocs 2007
    Thanks
    jitender

    HI Holger,
    Thanks for reply!!
    But the above link will not work for this scenario.
    The SIP addresses have been migrated to the LYNC server; there is no user hosted on the OCS server. However, in the Communicator client the manual entry is done and the OCS pool name is given. The OCS pool just redirects the query to the LYNC pool.
    And we need to identify the SIP user requests on OCS which are redirected by the OCS pool to the LYNC pool.
    In other words, we can phrase this question like: how to collect the number of SIP user connections coming to the OCS Director server?
    Thanks
    jitender

    As all users are migrated to Lync Server, all users will be redirected to their home pool.
    You want to collect the number of SIP connections coming from OCS server that means you want to count the number of Lync client with manual configuration pointing to OCS server.
    This information is stored in SIP session. There is no Lync command to get this kind of information natively.
    Lisa Zheng
    TechNet Community Support
