WLC with ISE as radius and also external web server

Hi friends,
I am building a wireless network with a 5508 WLC and am trying to use ISE as the RADIUS server and also to redirect the web login to it.
I am trying to understand: to achieve the external web login, do I need to use the radius-nac option under Advanced on the guest wireless where I am trying this out? And if not, where do I actually use it?
So far, what I have understood is that I do need to have a pre-auth ACL on the Layer 3 security, but the issue is that there is no hit reaching the ISE.
Any suggestions would be highly appreciated, guys!
Regards,
Mohit

Hi mohit,
Please make sure of the steps below for guest auth through ISE:
1) Add the WLC in your ISE as a network device.
2) In the guest SSID you need to choose the pre-authentication ACL. That ACL should allow the traffic below:
    a. any to ISE
    b. ISE to any
    c. any to DNS server
    d. DNS to any
3) The external redirect URL will be
https://ip address:8443/guestportal/Login.action
4) The AAA server for that SSID would be your ISE IP with port number 1812.
5) In the Advanced tab, please choose AAA override. No need for radius nac.
6) Create an appropriate authorization profile in ISE for guest. Example is below,
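
A check for the pre-authentication ACL from step 2 above, as an added example that is not part of the original reply or of any Cisco tooling. It models the ACL as ordered, IP-only rules with first match wins and an implicit deny (an assumption: real WLC rules also carry protocol, port and direction), and every address in it is constructed.

```python
import ipaddress
from dataclasses import dataclass

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    action: str  # "permit" or "deny"


def rule(src, dst, action="permit"):
    """Build a rule from 'any' or an address/prefix string."""
    def net(value):
        return ANY if value == "any" else ipaddress.ip_network(value)
    return Rule(net(src), net(dst), action)


def first_match(acl, src_ip, dst_ip):
    """Assumed model: rules checked in order, first match wins, implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in acl:
        if src in r.src and dst in r.dst:
            return r.action
    return "deny"


def audit_preauth_acl(acl, ise_ip, dns_ip, client_ip, outside_ip):
    """Return findings: required portal/DNS flows that are blocked, and
    whether an unauthenticated client can already reach an unrelated host."""
    required = [
        ("client -> ISE", client_ip, ise_ip),
        ("ISE -> client", ise_ip, client_ip),
        ("client -> DNS", client_ip, dns_ip),
        ("DNS -> client", dns_ip, client_ip),
    ]
    findings = [f"blocked: {name}" for name, s, d in required
                if first_match(acl, s, d) != "permit"]
    if first_match(acl, client_ip, outside_ip) == "permit":
        findings.append("open: client -> outside host is permitted before login")
    return findings


# Constructed sample addresses (not from the thread).
ISE, DNS = "10.10.10.5", "10.10.10.53"
CLIENT, OUTSIDE = "192.168.50.23", "198.51.100.10"

# The four entries listed in step 2.
GOOD_ACL = [rule("any", ISE), rule(ISE, "any"), rule("any", DNS), rule(DNS, "any")]
# Return direction from ISE forgotten: the portal page never gets back to the client.
MISSING_RETURN_ACL = [rule("any", ISE), rule("any", DNS), rule(DNS, "any")]
# Catch-all permit appended: guests reach everything without logging in.
TOO_OPEN_ACL = GOOD_ACL + [rule("any", "any")]


def check(acl):
    return audit_preauth_acl(acl, ISE, DNS, CLIENT, OUTSIDE)


if __name__ == "__main__":
    for name, acl in [("good", GOOD_ACL), ("missing return", MISSING_RETURN_ACL),
                      ("too open", TOO_OPEN_ACL)]:
        print(name, check(acl) or "ok")
```
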

Similar Messages

  • Cisco WLC with ISE - need to restrict access during non-business hours

    Hello,
    We have a requirement to turn off our wireless during non-business hours.  We have a 5508 WLC with ISE.  What is the best way to accomplish this task?  
    Thank you in advance.
    Beth

    Aside from Steve's response, there are several methods of doing this and this will all depend on how complex your network is and how technical you want to do this.  
    1.  As what Steve said, use PI and you can define several schedules when to turn off/on the SSID; 
    2.  If you have corporate access, you can use AD to schedule non-business hours; 
    3.  If you have Cisco PoE switches, you can enable EnergyWise to power off the APs; 
    4.  If you manage your core network, you can enable time-based ACL to disable the default gateway of the dynamic interface which is attached to your SSID.  
    The most "destructive" method is option #3, because there are chances that your AP won't power up properly, if not power up at all.  

  • I have a 2006 15" Macbook Pro with a broken Superdrive and my external USB one just quit working

    Why can my LG Portable Super Multi Drive (GP08NU6B) burn discs, but not read them? Right after I burn a DVD successfully, I stick it back in the drive and it says "The disk you have inserted is not readable by this computer"  I have a 2006 15" Macbook Pro with a broken Superdrive, and this external disk drive is the only optical drive that worked via USB.  This external drive was bought in 2010 and worked fine up until a month ago. This is supposed to be a Plug and Play device, and LG assures me the drivers are already included in Mac OSX,  yet it seems somehow my Macbook lost the drivers and it won't let me watch DVDs now or recognize any discs at all!
    How can I find and somehow reinstall the firmware for this optical drive?

    Sounds more like a hardware issue to me.

  • I am having trouble with the Jpeg icons and also now thumbnails not being visible in both the Apple finder and now also Adobe Bridge. Can anyone shed any light on this ?

    I am having trouble with the Jpeg icons and also now thumbnails not being visible in both the Apple finder and now also Adobe Bridge. Can anyone shed any light on this ?

    Argh - once again, I find my solution right after posting this. Left out one modification to the SWIG script, now it runs in 29 seconds vs C 16 seconds, I can live with that.

  • Using iTunes to put my CD collection on my computer and then to my iphone5, I have an older Optiplex with 40 Gb internal and an external 1.5Tb drive. Question is can I get itunes to point to the 1.5 Tb drive to store my music, and if so how?

    Using iTunes to put my CD collection on my computer and then to my iphone5, I have an older Optiplex with 40 Gb internal and an external 1.5Tb drive. Question is can I get itunes to point to the 1.5 Tb drive to store my music, and if so how?

    Looks like I solved my own problem by going to itunes, preferences, advanced, media folder location.

  • TS3474 my iPod is still on a white screen after restoring with the two buttons and also restoring on iTunes and it still has a white screen

    my iPod is still on a white screen after restoring with the two buttons and also restoring on iTunes and it still has a white screen

    I've been struggling with mine all morning with the same issue.
    Mine would not wake up from sleep (will just white screen).
    It will boot using a hard reset (i.e. the power button and volume down button being held down for 8 or so secs). I restored and synced it multiple times but it still has a problem waking up and just goes to white screen.
    I saw a post suggesting a loose connection which I had my doubts about (as it will wake with hard reset) - but BINGO! If I wake mine (with index finger) whilst applying pressure to the top of the screen area (with my thumbs) it will wake up. When I become frustrated enough I'll take it apart and see if something has become loose.
    Hope this helps.

  • LACP with a Cisco 2960G and an IBM I7 Server

    I am attempting to get LACP working with a Cisco 2960 and an IBM I7 server.
    The connection seems redundant.  I can unplug GI0/8 and traffic still flows and clients are not disconnected from the IBM I7.  I can do the same with GI0/9 once GI0/8 is plugged back in.
    Two issues.
    1.  How can I change the LACP timer from slow to fast?
    2.  Why does my port Gi0/8 show as INDEP in the show lacp detail command?
    Port: Gi0/8
    Port state    = Up Sngl-port-Bndl Mstr Not-in-Bndl
    Channel group = 3           Mode = Active          Gcchange = -
    Port-channel  = null        GC   =   -             Pseudo port-channel = Po3
    Port index    = 0           Load = 0x00            Protocol =   LACP
    Flags:  S - Device is sending Slow LACPDUs   F - Device is sending fast LACPDUs.
            A - Device is in active mode.        P - Device is in passive mode.
    Local information:
                                LACP port     Admin     Oper    Port        Port
    Port      Flags   State     Priority      Key       Key     Number      State
    Gi0/8     SA      indep     32768         0x3       0x3     0x8         0x7D
    Age of the port in the current state: 2d:17h:20m:08s
    Port: Gi0/9
    Port state    = Up Mstr Assoc In-Bndl
    Channel group = 3           Mode = Active          Gcchange = -
    Port-channel  = Po3         GC   =   -             Pseudo port-channel = Po3
    Port index    = 0           Load = 0x00            Protocol =   LACP
    Flags:  S - Device is sending Slow LACPDUs   F - Device is sending fast LACPDUs.
            A - Device is in active mode.        P - Device is in passive mode.
    Local information:
                                LACP port     Admin     Oper    Port        Port
    Port      Flags   State     Priority      Key       Key     Number      State
    Gi0/9     SA      bndl      32768         0x3       0x3     0x9         0x3D
    Partner's information:
                      LACP port                        Admin  Oper   Port    Port
    Port      Flags   Priority  Dev ID          Age    key    Key    Number  State
    Gi0/9     SA      0         40f2.e95c.f433  25s    0x0    0x8102 0x1     0x3D
    Age of the port in the current state: 2d:17h:27m:44s
                    Port-channels in the group:
    Port-channel: Po3    (Primary Aggregator)
    Age of the Port-channel   = 365d:21h:06m:46s
    Logical slot/port   = 2/3          Number of ports = 1
    HotStandBy port = null
    Port state          = Port-channel Ag-Inuse
    Protocol            =   LACP
    Port security       = Disabled
    Ports in the Port-channel:
    Index   Load   Port     EC state        No of bits
    ------+------+------+------------------+-----------
      0     00     Gi0/9    Active             0
    Time since last port bundled:    2d:17h:26m:07s    Gi0/8
    Time since last port Un-bundled: 2d:17h:25m:02s    Gi0/8

    Hi,
    With IBMi7 the support for LACP starts to my knowledge since i7.1 TR7. If that is your case will you please post the DSPLIND (with AGGRSCL option) command output.
    As for the LACP fast timer setting, while it can be configured on various Cisco boxes I am afraid it cannot be done with Cat2960.
    Thanks & Regards,
    Antonin

  • Disabling Weblogic's http server port - Using an external web server

    Hi,
    We are using Weblogic 8.1 as application server and IWS as web server. We have
    siteminder web agent configured on the web server for implementing authentication
    and authorization.
    All our requests first go to the web server which redirects them to the application
    server.
    Since Weblogic itself has a http listen port, user can still send requests directly
    to the application server(which does not have any siteminder configuration on
    it). Is it possible to ensure that all http requests made directly to the application
    server are not processed so that the user is forced to hit the web server first.
    Thanks,
    Akash

    When you say redirect, do you mean you use an HTTP redirect to send it to your
    WLS servers URL? Or do you mean you proxy the requests from the webserver to
    the WLS instance? In the former case, you must expose WLS's HTTP server to the
    clients in order to redirect them to the address and you will not be able to
    stop them from going directly there. In the case of the latter, you can put
    your WLS instance behind the firewall so external users can't get to it. If you
    also need to protect it from internal users you should probably not use
    siteminder as your authentication mechanism. You may be able to configure
    siteminder so that it has to authenticate itself to send requests to weblogic
    and then protect all weblogic resources with that role requirement.
    Sam

  • Web Dynpro application calling external web server using HTTPS giving error

    Hello,
    I don't know whether this is the right question in this forum but my ABAP web-dynpro application is expected to call another HTTP application on external web server through HTTPS. Presently it is calling through plain HTTP but we want to have HTTPS.
    Here are the steps that we followed based on the link from help.sap.com
    1] Received the certificate files from external web server
    2] Created SSL Anonymous client
    3] Imported the certificate files under this client and added into the certificate list
    4] Re-started ICM
    5] Created RFC Destination of type HTTP to connect to external server with SSL option and basic authentication. This RFC destination was working under plain HTTP.
    When tried with Test connection it gave error "ICM_HTTP_CONNECTION_FAILED".
    Any idea what might be missing. Thanks in advance.
    Regards
    Rajeev

    Used proper certificate after which the error went away

  • Can data be passed to an external web server using the "in-course web browsing" feature in ver. 7?

    Can data be passed to an external web server using the "in-course web browsing" feature in ver. 7? I would like to display a simple web page, and I would like to pass to that web page the answers to all the quiz questions, quiz score, etc. In other words, instead of passing quiz results to a SCORM-compliant LMS like Moodle, I'd like to pass that data to a Drupal Webform using a URL like:
    https://www.example.com/my-drupal-webform?param1=value1&param2=value2...&paramn=valuen
    Is this possible?
    Thanks,
    John

    You have to make sure every step in MOS Document ID 726414.1 that is applicable to your E-Business Suite 12.1.x release is performed. Enabling ASADMIN is just one of the steps. In spite of following all the steps in this Document you continue to get the error when clicking "Generate WSDL", please log a Service Request with Oracle Support.
    I will check all steps again. Maybe I missed one... Thanks!

  • Help for Installing PHP and Sun One Web Server

    Hi
    I tried to install PHP 5.1.4 and Sun One Web Server 6.1. I am not able to complete this and got stuck. All the available materials in net seems to flow above my head.
    It will be very helpful if someone could let me know the step by step configuration a bit brief for the same.
    Thanks in advance
    Kathirvel Balakrishnan

    Hi Craig
    I am following these steps,
    1st step : Installing PHP on the WindowsNT server (NT users only)
    Copy the php files on your server
    Get the php zip file
    Copy the php files under a directory (for example : d:\php4)
    (be careful don't use c:\Program Files\php because of the space between Program and Files)
    copy php4ts.dll to c:\winnt and msvcrt.dll if you don't already have it on your system
    Edit php.ini-dist
    rename php.ini-dist to php.ini
    Edit php.ini : Indicate in which directory you have copied your php files. (extension_dir = d:\php4\extensions ; directory in which the loadable extensions (modules) reside.)
    copy php.ini in winnt directory (php.ini is parsed in my config)
    Matthias Kramer told me that he had to move php.ini to <path-to-netscape-server>/https-servername/config for it to be parsed
    Make a file association under Windows NT
    In a DOS Window, type assoc .php=PHPScript
    ftype PHPScript=d:\php4\php.exe %1 %*
    Test the 1st step
    Create a C:\test.php file with a single line like <? echo("Nothing to write"); ?>
    Create a C:\test.bat file with 2 lines test.php
    pause
    double-click on test.bat
    If you see something like X-Powered-By: PHP/4.0.3
    Content-type: text/html
    Nothing to write
    then the NT association works!!
    2nd step : Configuring Netscape Enterprise Server or iPlanet for PHP4 with nsapi (NT & UNIX)
    Unix users only
    Compile PHP as follows: ./configure --with-nsapi=/usr/local/netscape/server4 --enable-libgcc
    make
    make install
    Add LD_LIBRARY_PATH=<libdir> to your Netscape server startup script
    where <libdir> is the full path to the directory where libstdc++.so.2.10.0 is located (usually /usr/local/lib)
    Add a mime-type to the Netscape Server
    In the Netscape Administration console chose Preferences|Mime Types
    Add a new type called magnus-internal/x-httpd-php for exts=php
    Stop your Web Server
    Make a copy of obj.conf located in: <path-to-netscape-server>/https-servername/config
    Modify obj.conf
    There are several sections in obj.conf
    At the end of the Init section of obj.conf (necessarily after mime type init),
    place these two lines For NT users
    Init fn="load-modules" funcs="php4_init,php4_close,php4_execute,php4_auth_trans" shlib="d:/php4/sapi/php4nsapi.dll"
    Init fn="php4_init" errorString="Failed to initialise PHP!"
    For Unix users
    Init fn="load-modules" funcs="php4_init,php4_close,php4_execute,php4_auth_trans" shlib="/usr/local/netscape/server4/bin/libphp4.so"
    Init fn="php4_init" errorString="Failed to initialise PHP!"
    In The < Object name="default" > section,
    place this line (necessarily after all 'ObjectType' and before all 'AddLog' lines) Service fn="php4_execute" type="magnus-internal/x-httpd-php"
    Add a new object called x-httpd-php <Object name="x-httpd-php">
    ObjectType fn="force-type" type="magnus-internal/x-httpd-php"
    Service fn=php4_execute
    </Object>
    Restart your Web Server
    Test the 2nd step
    Put the test.php file in the document root of your server
    Then type http://server/test.php
    If you can see "nothing to write" in your browser then it works!
    As mentioned in step 1,
    I am not getting the PHP message.
    I am installing it in my laptop, it has no IP, is that has to do something with this.
    Please guide me from here.
    Thanks in advance
    Kathirvel

  • Apache and Java System Web server

    Is it possible to run Apache Web Server and Java System Web Server on the same computer or is one of them which has to run.

    Sure it can be run simultaneously as long as they don't share the same Socket (pair of IP-Address/TCP-Port).
    But the question is does it make sense at all - what would you get from Apache which is not there in SJS WS?

  • Client Exclusion Policies on WLC not working with ISE as RADIUS Server

    Hi,
    for our Guest WLAN (Security Setting for this SSID: Layer2: MAC filtering, Layer3: none) we use ISE as RADIUS Server. On WLC I enabled client exclusion policies and checked all options (Excessive 802.11 Auth. Failures etc.). But even if a client fails 20 times at authentication, it is not excluded on the WLC. It works with other SSIDs, where security settings are set to 802.1x.
    Am I missing any settings here or do you have some tips on how to troubleshoot this?
    Thanks very much!

    Hi Renata,
    If those guest failures are not associated with valid guest users (i.e. people who have forgotten their account or entering the wrong password) there isn't anything that can be done. The main point of Guest WLAN is to make it as easy as possible for Guests - individuals with device configurations you don't want to deal with or know about, to connect to your network for internet access. From a WiFi/802.11 perspective, the standard Guest WLAN setup means it's easy for any device to connect.
    If your Guest WLAN has the following:
    SSID is broadcast enabled, Security = OPEN, Encryption = none, then any 802.11 device can find the WLAN via passive scanning and connect. And any device that connects will get the ISE portal. Once receiving that portal they can guess away at valid username/password.
    I would suspect that unless your Guest WiFi is adjacent to a Mall, school, hotel or other hi-density area of individuals  with time and electronics on their hands, other than alerts in your ops window and logs, resources associated with this (WLC & ISE) are very low.
    You can try and dull the noise a few ways.
    Option 1. Create an ISE log filter on those alerts so they don't clutter the console.
    Option 2. Stop broadcasting the SSID.  This is not a security measure, but will cut volume of people connecting to the SSID significantly. You will have to tell your guests what SSID or include it in their credential communication.
    Option 3. Put a very simple PSK on the SSID. The PSK will become a public secret - shared with valid guests, doesn't have to change as its purpose is not security.  You will have to include this information on their credential communication.
    Option 4 - both 2 and 3
    The most effective option would be 3.
    Good Luck!

  • Is RADIUS and other external auth unsecure?

    I just finished setting up RADIUS on our database. As best as I can tell, the client is the one doing the authentication...I'm guessing this because if I have my SID setup for the RADIUS controlled database (with user identified externally) with the sqlnet.ora that has the radius settings, then I can connect.
    If I try to connect from another machine that has the TNSNAMES.ORA entry for the database, but a standard sqlnet.ora (ie. no radius entries) it tells me invalid login.
    To me, this says that it is not the database doing the actual RADIUS calls and authentication, but instead the client, which would then make it easy for someone to setup their own radius server with their own sqlnet.ora that would let them "authenticate" for a particular user against their own controlled passwords and trick the database server.
    If this is not the case, then how come I can not just do, from anywhere with the proper tnsnames.ora, sqlplus userid/password@TNSNAME??? Should the server not also read sqlnet.ora at startup and then itself use BEQ or RADIUS for authentication methods?
    Thanks for any pointers...sorry if it seems a little run on, but it's late and I'm tired.

    server is doing the authentication. client setup is needed because somebody needs to hint to server the connection is supposed to use radius.

  • Packet inspector and also external hard drive enquiry

    I am looking for a packet inspector (measures what's going out and what's coming in via the net?) and also an external hard drive, both compatible with OS9.
    Any ideas, anyone, would be greatly appreciated.

    Thank you, I also think this is the reliable solution. I do not want to play with some modifications or use some app for it.
