Agentless host support in ACS
What version of ACS supports agentless hosts (e.g. IP phone, printer)?
I have ACS v3.1; is it supported?
Is there any solution to authenticate devices by MAC address?
thanks,
aw
Agentless Host Configuration is supported in ACS versions 4.0, 4.1 and 4.2. Many hosts that ACS authenticates run agent software that requests access to network resources and receives authorization from ACS. However, some hosts do not run agent software. ACS solves this problem by using the MAC address of the host device to identify and authenticate the host. This technique is called MAC authentication bypass (MAB).
Similar Messages
-
Remote host supports the use of SSL ciphers that offer weak encryption
Dear All,
Our internal security audit suggests avoiding the use of weak SSL ciphers for our SAP PI 7.0 servers.
We have followed SAP note 510007 - Setting up SSL on Web Application Server ABAP.
As mentioned in point 6, we have added the parameter below to the instance profile of the application server and restarted our server, but the issue is still not resolved.
ssl/ciphersuites=MEDIUM:HIGH:EXPORT:!LOW:!eNULL
Clients are accessing our PI server through SAP Web dispatcher.
Kindly suggest the action to be taken to resolve the issue.
Please find the below comment from Audit.
The remote host supports the use of SSL ciphers that offer weak encryption.
Note: This is considerably easier to exploit if the attacker is on the same physical network
Regards,
Lalitha.
Hi Jim,
The remote host is the PI(7.0) server.
PI server profile
FN_JSTART = jcontrol$(FT_EXE)
ssl/ciphersuites = HIGH:MEDIUM:!mMD5
jstartup/recorder = java -classpath ../j2ee/cluster/bootstrap/launcher.jar com.sap.engine.offline.OfflineToolStart com.sap.engine.flightrecorder.core.Collector ../j2ee/cluster/bootstrap -node %nodeID% %startTime% -bz $(DIR_GLOBAL) -exitcode %exitcode%
login/accept_sso2_ticket = 1
SAPSYSTEMNAME = APQ
SAPSYSTEM = 00
INSTANCE_NAME = DVEBMGS00
DIR_CT_RUN = $(DIR_EXE_ROOT)/run
DIR_EXECUTABLE = $(DIR_INSTANCE)/exe
jstartup/trimming_properties = off
jstartup/protocol = on
jstartup/vm/home = /opt/IBMJava2-amd64-142
jstartup/max_caches = 500
jstartup/release = 700
jstartup/instance_properties = $(jstartup/j2ee_properties):$(jstartup/sdm_properties)
j2ee/dbdriver = /oracle/client/10x_64/instantclient/ojdbc14.jar
PHYS_MEMSIZE = 512
exe/saposcol = $(DIR_CT_RUN)/saposcol
rdisp/wp_no_dia = 10
rdisp/wp_no_btc = 3
exe/icmbnd = $(DIR_CT_RUN)/icmbnd
rdisp/j2ee_start_control = 1
rdisp/j2ee_start = 1
rdisp/j2ee_libpath = $(DIR_EXECUTABLE)
exe/j2ee = $(DIR_EXECUTABLE)/jcontrol$(FT_EXE)
rdisp/j2ee_timeout = 1800
rdisp/frfc_fallback = on
icm/HTTP/j2ee_0 = PREFIX=/,HOST=localhost,CONN=0-500,PORT=5$$00
icm/server_port_0 = PROT=HTTP,PORT=80$$
# SAP Messaging Service parameters are set in the DEFAULT.PFL
ms/server_port_0 = PROT=HTTP,PORT=81$$
rdisp/wp_no_enq = 1
rdisp/wp_no_vb = 1
rdisp/wp_no_vb2 = 1
rdisp/wp_no_spo = 1
# Jcontrol: Migrated Profile Parameter
# create at Wed Mar 25 20:20:02 2009
j2ee/instance_id = ID0079698
Web dispatcher profile
SAPSYSTEMNAME = WD0
SAPSYSTEM = 00
INSTANCE_NAME = W00
DIR_CT_RUN = $(DIR_EXE_ROOT)/run
DIR_EXECUTABLE = $(DIR_CT_RUN)
wdisp/shm_attach_mode = 6
# Accesssability of Message Server
#rdisp/mshost = asapq00.b.com
#ms/http_port = 8100
#ms/https_port = 8101
wdisp/system_0 = MSHOST=asapq00.b.com, MSPORT=8100, SID=APQ
# Configuration for medium scenario
icm/max_conn = 16350
icm/max_sockets = 32768
wdisp/HTTPS/max_pooled_con = 16350
icm/req_queue_len = 8000
icm/min_threads = 100
icm/max_threads = 500
mpi/total_size_MB = 700
mpi/buffer_size = 32768
mpi/max_pipes = 21000
wdisp/HTTP/max_pooled_con = 8192
wdisp/HTTPS/max_pooled_con = 8192
# SAP Web Dispatcher Ports
icm/server_port_0 = PROT=HTTP,PORT=80,EXTBIND=1
icm/server_port_1 = PROT=ROUTER,PORT=443,EXTBIND=1
#icm/host_name_full= asapq00.b.com
icm/host_name_full= qtyh2h.k.co.in
icm/HTTP/admin_0 = PREFIX=/sap/wdisp/admin,DOCROOT=./admin,AUTHFILE=/sapmnt/WD0/global/security/data/icmauth.txt
ssl/ssl_lib=/usr/sap/WD0/W00/sec/libsapcrypto.so
wdisp/HTTPS/dest_logon_group = PUBLIC
wdisp/HTTPS/max_client_ip_entries = 100000
wdisp/HTTPS/sticky_mask = 255.255.255.0
#Additional Parameters
wdisp/add_client_protocol_header = true
wdisp/auto_refresh = 120
wdisp/max_servers = 100
wdisp/handle_webdisp_ap_header = 1
#Registering SAP Web Dispatcher in the SLD
#wdisp/system_0 = HOST=asapq00.b.com, PORT=8100, SID=APQ, NR=00
#Parameter to avoid week SSL ciphers
ssl/ciphersuites=HIGH:MEDIUM:!mMD5
Regards,
Lalitha
-
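Added example (not from the thread and not SAP's own code): a small Python check for the profile parameters posted in the SAP PI thread above. It assumes OpenSSL-style semantics for the ssl/ciphersuites tokens and that a PROT=ROUTER port passes the TLS stream through to the back end; the sample profiles are constructed from lines in the posts, and all function names are hypothetical.

```python
import re

# Classes that select weak or unencrypted/unauthenticated suites.
# Assumption: OpenSSL-style tokens (":"-separated, "!" excludes, "-" removes).
WEAK_CLASSES = {"EXPORT", "LOW", "eNULL", "aNULL"}

def parse_profile(text):
    """Return (name, value) pairs from 'name = value' lines, skipping # comments."""
    pairs = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            name, value = line.split("=", 1)   # the value may itself contain '='
            pairs.append((name.strip(), value.strip()))
    return pairs

def weak_classes_enabled(cipher_string):
    """Weak classes that are selected and not cancelled by a '!' exclusion."""
    tokens = [t.strip() for t in cipher_string.split(":") if t.strip()]
    banned = {t[1:] for t in tokens if t.startswith("!")}
    picked = [t.lstrip("+") for t in tokens if t[0] not in "!-"]
    return [t for t in picked if t in WEAK_CLASSES and t not in banned]

def audit(profile_text):
    """List findings for cipher settings and pass-through ports in one profile."""
    findings = []
    for name, value in parse_profile(profile_text):
        if name == "ssl/ciphersuites":
            for cls in weak_classes_enabled(value):
                findings.append(f"{name}: class {cls} is enabled")
        elif re.fullmatch(r"icm/server_port_\d+", name):
            opts = dict(kv.strip().split("=", 1)
                        for kv in value.split(",") if "=" in kv)
            # Assumption: PROT=ROUTER forwards TLS unterminated, so a scan of
            # this port sees the cipher list of the back-end server.
            if opts.get("PROT") == "ROUTER":
                findings.append(f"{name}: port {opts.get('PORT')} is PROT=ROUTER "
                                "(pass-through); audit the back end's ciphers")
    return findings

# Constructed samples, built from lines quoted in the posts above.
FIRST_ATTEMPT = "ssl/ciphersuites=MEDIUM:HIGH:EXPORT:!LOW:!eNULL"
PI_PROFILE = "ssl/ciphersuites = HIGH:MEDIUM:!mMD5\nicm/server_port_0 = PROT=HTTP,PORT=80$$"
WD_PROFILE = """# SAP Web Dispatcher Ports
icm/server_port_0 = PROT=HTTP,PORT=80,EXTBIND=1
icm/server_port_1 = PROT=ROUTER,PORT=443,EXTBIND=1
ssl/ciphersuites=HIGH:MEDIUM:!mMD5"""

if __name__ == "__main__":
    for label, text in [("first attempt", FIRST_ATTEMPT),
                        ("PI profile", PI_PROFILE),
                        ("Web Dispatcher profile", WD_PROFILE)]:
        print(label, "->", audit(text) or "no findings")
```

Whether a changed value is actually in force still has to be confirmed against the running instance, for example by rescanning the port after the restart.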
I want a Web hosting supports OC4J
Hi
I have a oracle developer suit 10g application(.FMX) with Oracle 10g database engine and I want to upload it on web server,
I'm tired of searching for web hosting that supports Oracle Application Server, which supports OC4J.
Please, can you suggest web hosting sites that support OC4J, or alternative solutions?
thank you.
You can set Firefox to open with the internet log-in page, and have
another page as your home page. The password manager will take
care of the rest.
Press the '''<Alt>''' or '''<F10>''' key to bring up the tool bar.
Followed by;
Windows; '''Tools > Options'''
Linux; '''Edit > Preferences'''
Mac; ''application name'' '''> Preferences'''
Then '''General.'''
There are two settings;
* '''When Firefox Starts'''
When the browser is started, what page do you want to
display. Many of us choose '''Show My Home Page.'''
* '''Home Page'''
When a new page is opened, what do you want displayed.
# '''Use Current Page'''. Use what ever page(s) are open at that time.
# '''Use Bookmark'''
# '''Restore To Default.''' about:home shows a Mozilla page with tools.
You can use any of these that you wish;
'''about:home''' (Firefox default home page),
'''about:newtab''' (shows the sites most visited),
'''about:blank''' (a blank page),
or you can enter any '''web page''' or '''about: ''page''''' you want.
-
IdeaPad A1 USB OTG/Host Support
Hey everyone,
Has anyone found a way to get USB Host (USB OTG) to work on a tablet that is not supported? I have a Lenovo IdeaPad A1 which was upgraded from Android 2.0.3 to ICS (4.0.4) which is also rooted. I was under the impression that all Android devices had the support for USB OTG as I bought a $70 tablet off of eBay and it did. I found out the hard way today that not all support it. I really hope someone has some insight to this as I just bought this Lenovo and am kind of disappointed to find it doesn't have something a $70 tablet does.
Thanks in advance,
Ben
ben12334 wrote:
I just bought this Lenovo and am kind of disappointed to find it doesn't have something a $70 tablet does.
I think this is a matter of building it into the Android/Linux kernel, and not all companies build it in for some reason. I have built plenty of kernels and it's not that big of a deal, especially for a high tech company. They must not have the time or can not pay the engineer.
Anyway, since you are rooted and the source is available you can actually do this yourself if you have the time and skills.
-
802.1x with AD support via ACS 4
Hello ,
I have been trying to configure 802.1x authentication on a test switch. Authentication will be provided by the ACS server. This worked when I had the client set up for EAP-MD5 and had local user accounts on the ACS server. However, this is impractical if we were to deploy this on a large scale. How can I configure 802.1X authentication to occur via the ACS with the ACS looking at the AD database? The trouble is AD does not support EAP-MD5. It supports PEAP, but the problem I am having is "EAP-TLS or PEAP authentication failed during SSL handshake".
Has anyone here set up 802.1x with AD integration via ACS 4.0? Please help.
Thanks.
Karthik
Hi Karthik,
The SSL handshake will fail in our experience for any of the following reasons:
- The supplicant cannot access the private key corresponding to its certificate - check that the system a/c has permissions over the private key found in c:\documents and settings\all users\application data\microsoft\crypto\rsa\machine keys
- The ACS server does not trust the Root Certificate for the PKI that issued the supplicant's certificate - Is the supplicant's Root CA present in the ACS Certificate Trust List?
- CRL checking is enabled and the CRL has expired or is inaccessible
If you up the logging levels to full and examine the csauth log closely you should get more detail as to the reason
Hope that helps
Andy
-
Is Multiple SDM agents in one Host supported?
Hi Experts
I know about the rule of one SDM agent per host. Is it possible to install 2 different SDM agents in one host...
Does SAP support this? Is there any documentation supporting this?
For Example...
I want my Development systems connected to my both Solution Managers ( Production and Development ). I want to have the possibility to start monitoring from either one of them.
Or, I want an SDM agent pointing to an external service provider to monitor my landscape through their SolMan, and I want to keep one SDM agent configured to my own SolMan server.
Again
Should/Can I install an additional SDM agent in every system?
Do you have a particular documentation that support this scenario?
Regards and thanks
Henry Lopez
Hi,
first, if you mean SMD Agent, then yes, the diagnostics concept from SAP needs only one diagnostics agent per host.
A big negative impact of this SAP concept is that if you implement monitoring with SAP Solution Manager, you have a single point of failure = the SAP Solution Manager itself.
In former days, there was CCMS, and primary / secondary target servers were possible.
Now with SMD you may have an agent with instance 98 (older versions had 97 as default) which "reacts" to the prod Sol Man and an additional agent with a different number which "reacts" to the non-prod Sol Man and so on.
This "single point of failure" in the E2E / SMD concept is for me not acceptable.
Every time there is a Sol Man downtime, you and your complete "monitoring" will be BLIND.
Sometimes the Java Agent turns from Green to Yellow, then the blindness is for all components on that host.
If any alerts (MAI) etc. come up with the SolMan down, you will not know / auto-react to it until the SolMan downtime is over or you have restarted the Yellow agent.
That's the reason and solution why making a SPOF into a "halt/two point of failure" might be better on larger landscapes.
Raymond
-
LG G4 USB Host support - & green spot issue
Hi - using my new LG G4 on the weekend. I noted two disasters. I have the dreaded green spot on my camera. Sending back for replacement on this issue. See photo below. Also - I noted that USB Host Mode does not support 3rd party apps. What this means is an important app I have used on Samsung S3 and S4 does not work. It's called RccDroidPro and is used to shoot tethered to Sony Alpha and other cameras. Bummer. XDA developers have patches for custom ROMs - not one for G4 yet. I am not keen to root my phone - anyone know another way of making this work - or where do we report feature requests for future ROM releases to Telstra?
Hey Jeff, that's bad luck there with the G4, from all reports they seem overall to be a great looking unit, especially in the camera department. Looks like you might have got the odd one out though. I'm not overly familiar with the RccDroidPro, but it was my understanding that in the first place this was a Sony app developed for use with Sony devices etc., primarily for USB tethering of DSLR cameras. Actually LG would have to make your hardware compatible, USB wise, to run this app.
-
Maximum "Internal Hosts accounts" on ACS 5.2
Is there a maximum number of "Internal Hosts account" IDs that the local database in a ACS 5.2 can handle?
Thanks....I hope you're right, jrabinow
Because I have 7,000 hosts that I need to add. I don't want to find out that the max number of hosts is less than 7,000..that would be really frustrating..lol
@ ewood2624
you are referring to max number to import using csv, not max number of hosts that could reside internally.
-
EAP-TTLS support in ACS v4?
Hi,
Does anyone know if there is any support for EAP-TTLS in the upcoming release 4 of ACS? We have invested heavily in ACS but now we really need EAP-TTLS support (both auth and proxying).
Cheers
Anders Nilsson
UMDAC
Hi,
EAP-TTLS along with PEAP is one of the preferred EAPs used for EduRoam (www.eduroam.org), which is gaining more and more acceptance around the educational community. I'm really surprised that Cisco isn't up to date on what's going on around the many universities. I estimate that in Europe alone there will be more than 1000 universities using RADIUS servers and proxies. Australia is online and soon the US will join in. Here in Sweden (SUNET) we are now looking at the ACS product, but if EAP-TTLS and RADIUS proxying of all the protocols (PEAP, EAP-TLS, EAP-TTLS) are not supported we will have to look elsewhere (FreeRADIUS or Radiator). :(
We here in Sweden strongly suggest that Cisco implements EAP-TTLS and better RADIUS proxy functionality. (Version 4.1 maybe? ;) )
Best Regards
Anders Nilsson
UMDAC
-
Why doesn't Apple host "support communities" with Apple representatives?
I'm a big Apple fan. I've been using Macs for more than 25 years, and luckily for me I bought Apple stock at a good price. But there are times when it seems to me that Apple has chosen saving money over providing good service to its customers.
Case in point: a few days ago, I had a couple of problems with purchases on iTunes. I wanted to give iTunes money, but I was prevented from doing so, and I couldn't get through to iTunes support.
It turns out the support problem was caused by a Safari extension called Ghostery. It was blocking Adobe Analytics, and that stopped the support link from working. Why couldn't I just 800-MY-APPLE and connect to support? iTunes is the world's largest music retailer, and Apple has long been in the top 2 or 3 most profitable companies. It currently has $150 BILLION in cash reserves. Why do they have to save pennies on customer support?
When Ghostery (an approved Safari extension) caused problems with the Apple website, there should have been other ways to get to the support.
This is one of the problems with this kind of support: helpful people being helpful inadvertently give the wrong information, and then you either have to correct them (which comes across as being negative) or the thread goes down the wrong tracks.
Ghostery makes the link you gave not work
I did not give you the wrong information; that link works both in FF and Safari here.
When you install third party addons you have to expect unexpected behavior. Add ons are not guaranteed. If you will read any SLA, you will note that such things can happen and Apple does not guarantee uninterrupted use. So, instead of telling me that I gave you the wrong information, disable or uninstall Ghostery.
— iTunes is part of Apple selling things and "MY APPLE"—what logical reason is there to make it inaccessible to 800-MY-APPLE?
Sales and support are generally two separate entities in a large corporation. The hardware sales and iTunes stores are two separate entities.
Good luck.
-
Does anyone know of a hosting server that offers MS SQL 2008?
The complete System requirements are
Windows hosting environment.
Coldfusion 8
Microsoft SQL Server 2008
I am told we need SQL Server 2008 because we need to be able
to store polygon and polyline data.
"DC_Eric2" <[email protected]> wrote in message
news:go6vk0$946$[email protected]..
> Does anyone know of a hosting server that offers MS SQL 2008?
>
> The complete System requirements are
> Windows hosting environment.
> Coldfusion 8
> Microsoft SQL Server 2008
>
> I am told we need SQL Server 2008 because we need to be able to store
> polygon and polyline data.
http://www.hostmysite.com/hosting/coldfusion/
Massimo Foti, web-programmer for hire
Tools for ColdFusion, JavaScript and Dreamweaver:
http://www.massimocorner.com
-
Hi, I have been trying to get the proper definition of "observable" in the Java Language Specifications 2. However, it seems that a package is "observable" if its compilation units are "observable". Compilation units' observability depends on the host system! ??? How can I determine whether a compilation unit is observable and what is the difference between "observable" and "accessible".
Thank you!
Luka
It's not as tough as you feel. Consider you have 2 classes, one extends Observable, another implements Observer. Both are linked by the Observer implementation "public void update(Observable o, Object arg)". Whenever the instance of the Observable object changes, it will notify the Observer implementation through the update method.
Following lines are taken from the API :
" An observable object can have one or more observers. An observer may be any object that implements interface Observer. After an observable instance changes, an application calling the Observable's notifyObservers method causes all of its observers to be notified of the change by a call to their update method. "
Hope this has given a start for your understanding this concept.
Rajesh
-
Enterprise Wireless 802.1x WEP EAP-PEAP Support with ACS Certificate
Hi,
Does BB10 support this type of connection?
Thanks.
-
How to support ACS format into an ebook reader
Hi,
we are developing an ebook reader for iphone and ipad (using XCode) and we have already implemented functions for reading free epub and pdf files.
We'd like to add support for ACS files.
Where can we find technical information about this task?
Kind regards.
You will want to be looking at the Reader Mobile SDK: http://www.adobe.com/devnet/readermobile.html
This is the client side code that works with ACS4
-
Does ACS 1120 5.0 version support RSA?
Hi all,
We are using Cisco ACS 1120 with 5.0 base licenced for TACACS , does ACS 5.0 support RSA server as external database for authenticating the users as we do in the previous versions of 4.2,4.0.
If so kindly let me know how we can do it ? or do we have any document?
Regards
Sreekanth
This is supported in ACS 5.1. ACS 5.1 can be downloaded from CCO and can upgrade ACS 5.0 to ACS 5.1.
The RSA SecurID Agent is built in to ACS 5.1. Through the ACS GUI you can perform all the required configuration items to activate and configure the agent. This includes setting the:
agent record (sdconf.rec)
load balancing data (sdopts.rec)
node secret (securid)
agent status file (sdstatus.12)
For more details, see http://www.cisco.com/en/US/partner/docs/net_mgmt/cisco_secure_access_control_system/5.1/user/guide/users_id_stores.html#wp1134728