Anyconnect NAM in VM host

(X-posting as I mistakenly posted in the wrong forum)
We are in the middle of an 802.1x deployment with Cisco ISE as the backend. We have been using Anyconnect NAM as supplicant.
Everything is working famously on physical hosts, but we apparently have a significant number of users that have VMs on their workstations for a variety of reasons (most use Virtualbox, but there is also some Hyper-V in there.) Most of those VMs are actually provided by our Desktop Support department and follow corporate policy, and thus have Anyconnect NAM installed. All of those VMs are also configured in bridge mode so that they receive real IPs and connect to all the services and management that are available for regular physical hosts.
Problem is, it doesn't look like the bridged adapter is forwarding EAP messages between the supplicant and the switch. That's fine in open mode, but when I go to closed mode all of these hosts won't connect to the network.
Has anybody seen this issue? Any idea how to fix it?
So far my only ideas are:
-Create a custom profile for the Virtualbox MACs (and figure out what Hyper-V uses) and whitelist them.
-Keep those ports open
Neither of which really accomplishes the goal of authenticating the host.
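The behaviour described above is consistent with how a standards-conforming bridge treats EAPOL: supplicant frames go to the 802.1X PAE group address 01:80:C2:00:00:03, which sits in the 01:80:C2:00:00:00 to 0F block that 802.1D bridges are required not to forward, so a bridged virtual adapter that filters that block will keep the VM's EAPOL-Start from ever reaching the switch. The following decoder is an added example (not code from the thread or from Cisco) that parses an Ethernet frame, recognises EAPOL and its packet type, and reports whether a bridge filtering the reserved block would pass the frame. The sample MACs are constructed; 08:00:27 is VirtualBox's default OUI.

```python
import struct

ETHERTYPE_EAPOL = 0x888E
# 802.1X PAE group address: destination of supplicant-originated EAPOL frames.
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")
# 01:80:C2:00:00:00 .. 01:80:C2:00:00:0F is the 802.1D reserved block; a
# conforming bridge does not forward frames addressed into it.
RESERVED_PREFIX = bytes.fromhex("0180c20000")
EAPOL_TYPES = {
    0: "EAP-Packet",
    1: "EAPOL-Start",
    2: "EAPOL-Logoff",
    3: "EAPOL-Key",
    4: "EAPOL-Encapsulated-ASF-Alert",
}


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def is_bridge_filtered(dst: bytes) -> bool:
    """True if dst lies in the 802.1D reserved block that bridges must not forward."""
    return dst[:5] == RESERVED_PREFIX and dst[5] <= 0x0F


def parse_frame(frame: bytes) -> dict:
    """Decode the Ethernet header and, for EAPOL, the 4-byte EAPOL header."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    info = {
        "dst": mac_str(dst),
        "src": mac_str(src),
        "ethertype": ethertype,
        "eapol": None,
        # What an 802.1D bridge (e.g. a VM host's bridged adapter) does with it.
        "bridge_forwards": not is_bridge_filtered(dst),
    }
    if ethertype == ETHERTYPE_EAPOL:
        if len(frame) < 18:
            raise ValueError("truncated EAPOL header")
        version, ptype, body_len = struct.unpack("!BBH", frame[14:18])
        info["eapol"] = {
            "version": version,
            "type": EAPOL_TYPES.get(ptype, f"unknown({ptype})"),
            "body_len": body_len,
        }
    return info


def build_eapol_start(src: bytes, version: int = 2) -> bytes:
    """EAPOL-Start as a supplicant sends it: empty body, PAE group destination."""
    return (PAE_GROUP_ADDR + src
            + struct.pack("!H", ETHERTYPE_EAPOL)
            + struct.pack("!BBH", version, 1, 0))


def build_broadcast_arp_request(src: bytes) -> bytes:
    """Minimal ARP request (EtherType 0x0806) to the broadcast address, for contrast."""
    return b"\xff" * 6 + src + struct.pack("!H", 0x0806) + b"\x00" * 28


if __name__ == "__main__":
    # Constructed sample MAC using VirtualBox's default OUI 08:00:27.
    vm_mac = bytes.fromhex("080027aabbcc")
    for frame in (build_eapol_start(vm_mac), build_broadcast_arp_request(vm_mac)):
        print(parse_frame(frame))
```

Running it shows the ARP request marked as forwardable and the EAPOL-Start as filtered, which is the frame-level reason a guest supplicant can look correctly configured while the switch never sees an authentication attempt. Whether a particular bridge implementation honours or overrides the reserved block (Linux's in-kernel bridge, for instance, filters it by default and exposes a per-bridge group_fwd_mask) is specific to that implementation; VirtualBox's and Hyper-V's bridging are separate code, so check their behaviour rather than assuming.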

I am using a complete OEM GC environment (OMS, OMR and OMA) in a single VMWare Machine running OEL.
This is however for training/demo purposes.
It runs without any problems.
I would not use this setup for production however.
Make sure you check MOS Note: *VMWare Certification for Oracle Products [ID 942852.1]*
I think you will be better off using OracleVM.
Regards
Rob
http://oemgc.wordpress.com

Similar Messages

  • Login scripts not running with AnyConnect NAM and ISE 1.2

    I am using AnyConnect 3.1 NAM as my 802.1x supplicant for ISE 1.2.  When users log in with EAP Chaining (User and Machine Auth), the login script seems hit or miss on if it runs to map their drives.  If I uninstall the NAM client, they map drives every time.  I would think that running a login script to map drives is a common scenario and I was wondering if anyone else using AnyConnect NAM was having similar issues or how they were dealing with it.

    I have the same issue and I solved it by changing these parameters.
    1.- You must change "before user logon" in the configuration profile. I have 5 seconds.
    2.- You must change "port authentication exception policy" in the configuration profile: enable the "enable port exceptions" checkbox and select "allow data traffic before authentication".
    3.- You must enable the "Wait for link" option of the Intel Ethernet interface on the PC; this option is in the Intel advanced configuration. You must set it to "on".
    4.- (this recommendation was from Cisco)
    The Active Directory GPO has a setting "Computer Configuration\Administrative Templates\System\Logon\Always wait for the network at computer startup and logon" that can be enabled to make the logon scripts wait until 802.1x authentication is completed.
    With those changes the logon script runs fine.
    Regards
    David.

  • Apache, name based virtual hosts and multiple servers.

    Hi,
    I've been playing with Apache and name-based virtual hosts for a while now, but I've been doing it with one single server... now I have the need to forward a name-based request to another server inside the intranet (which doesn't have a public IP, but a private one)...
    Something like this:
    internet -----> Webserver (name based vhosts) ----> intranet-webserver
    Where "webserver" has several domains resolved via name based virtual hosting, and one of those needs to be redirected (or forwarded) to another server on the LAN.
    Any ideas on how to do this? I tried searching the web, but I don't know under which keywords, so I always end up on single-server virtual hosting help sites.
    thanks in advance!

    You need to define a virtual server for it, but inside that definition define a proxy.
    Then the middle webserver will actually handle the request to the intranet server on behalf of the internet client, and then pass the traffic back to the internet client.
    this looks like a reasonable example..
    http://www.linuxfocus.org/English/March … le147.html
    namely, the section "Mapping Virtual Servers"

  • Asigning a name to a host without using hosts file

    Hi, we have developed a rich client application that connects to a WebSphere AppServer in order to use EJBs. This app is intended to work in different places, connecting to a different AppServer in each place. When the service locator of our client app connects to the AppServer to obtain the references to the EJBs, the server returns some kind of URL that contains the name of the machine defined in the hosts file of the server. The problem is that if this name is not in the hosts file of the client machine the application crashes because it cannot communicate with the AppServer. We have a large number of client machines and we would like to avoid having to modify the hosts file of every one of them.
    Is there a way to tell the application to assign an IP to a hostname at runtime?

    I think that you can directly use IP addresses instead of the host names.
    If you are in a LAN you will be able to use the computer name of the hosts too.
    Also, if you get proper DNS set up in your network you will be able to allocate domain names to your hosts and refer to them by their domain name, and the clients will be able to find the hosts through DNS lookup.

  • How to get service name and listening host to connect to oracle DB server?

    I have successfully installed Oracle DB client 10g release 2 on my WinXP. But when I tried to use Net Configuration Assistant to connect to the Oracle DB server, I did not know what "service name" and listening "host" I am supposed to enter. Where can I get the names?
    PLEASE HELP! THANKS!

    machine name or IP = machine name or IP address of the database server
    To know the service name do the following on the server :
    $ lsnrctl services
    LSNRCTL for Linux: Version 10.1.0.3.0 - Production on 30-DEC-2005 00:24:28
    Copyright (c) 1991, 2004, Oracle.  All rights reserved.
    Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=127.0.0.1)(PORT=1521)))
    Services Summary...
    Service "PLSExtProc" has 1 instance(s).
      Instance "PLSExtProc", status UNKNOWN, has 1 handler(s) for this service...
        Handler(s):
          "DEDICATED" established:0 refused:0
             LOCAL SERVER
    Service "test10" has 1 instance(s).
      Instance "test10", status READY, has 1 handler(s) for this service...
        Handler(s):
          "DEDICATED" established:0 refused:0 state:ready
             LOCAL SERVER
    The command completed successfully
    $
    The service name is test10 in my case. Of course you have to use yours.
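The lsnrctl output above is the only place the answer gives the service name, and reading it by eye gets tedious on a listener with many services. The following is an added example, not code from the thread or from Oracle: it parses lsnrctl services output into a service/instance map, keeps only services with a READY instance (the dynamically registered ones a client can actually reach), recovers the listener's host and port from the "Connecting to" line, and assembles the TNS connect descriptor that Net Configuration Assistant would otherwise write. The embedded sample is a constructed copy in the shape of the output quoted above.

```python
import re

# Constructed sample, in the shape of the lsnrctl output quoted in the answer.
SAMPLE_OUTPUT = """\
LSNRCTL for Linux: Version 10.1.0.3.0 - Production on 30-DEC-2005 00:24:28
Copyright (c) 1991, 2004, Oracle.  All rights reserved.
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=127.0.0.1)(PORT=1521)))
Services Summary...
Service "PLSExtProc" has 1 instance(s).
  Instance "PLSExtProc", status UNKNOWN, has 1 handler(s) for this service...
    Handler(s):
      "DEDICATED" established:0 refused:0
         LOCAL SERVER
Service "test10" has 1 instance(s).
  Instance "test10", status READY, has 1 handler(s) for this service...
    Handler(s):
      "DEDICATED" established:0 refused:0 state:ready
         LOCAL SERVER
The command completed successfully
"""

SERVICE_RE = re.compile(r'^Service "([^"]+)" has (\d+) instance')
INSTANCE_RE = re.compile(r'^\s*Instance "([^"]+)", status (\w+),')
ADDRESS_RE = re.compile(r"\(HOST=([^)]+)\)\(PORT=(\d+)\)")


def parse_listener_services(text: str) -> dict:
    """Map each service name to its [(instance, status), ...] entries."""
    services = {}
    current = None
    for line in text.splitlines():
        m = SERVICE_RE.match(line)
        if m:
            current = m.group(1)
            services[current] = []
            continue
        m = INSTANCE_RE.match(line)
        if m and current is not None:
            services[current].append((m.group(1), m.group(2)))
    return services


def listener_endpoint(text: str):
    """(host, port) the listener reported in its 'Connecting to' line, or None."""
    m = ADDRESS_RE.search(text)
    return (m.group(1), int(m.group(2))) if m else None


def ready_services(services: dict) -> list:
    """Services with at least one READY instance; UNKNOWN means a static
    listener.ora registration (PLSExtProc here), not a database you can log into."""
    return sorted(name for name, insts in services.items()
                  if any(status == "READY" for _, status in insts))


def connect_descriptor(host: str, port: int, service_name: str) -> str:
    """The TNS connect descriptor Net Configuration Assistant would write."""
    return (f"(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST={host})(PORT={port}))"
            f"(CONNECT_DATA=(SERVICE_NAME={service_name})))")


if __name__ == "__main__":
    svcs = parse_listener_services(SAMPLE_OUTPUT)
    host, port = listener_endpoint(SAMPLE_OUTPUT)
    for name in ready_services(svcs):
        print(connect_descriptor(host, port, name))
```

In practice you would feed it the captured output of `lsnrctl services` run on the server. Note that the HOST shown in the listener's own banner is whatever the listener binds to (127.0.0.1 in the sample), so the client-side descriptor needs the server's real hostname or address, as the answer says.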

  • Anyconnect NAM, does not disable windows wireless supplicant

    I am having some issues with AnyConnect NAM for wireless. When I install NAM with a profile, my wireless works fine and authenticates as it should, no problem there. I can, however, not figure out how to get NAM to remove the built-in Windows supplicant in the tray, which shows me a tray icon where a user can browse the list of SSIDs currently broadcast; I only want the NAM supplicant's own list of SSIDs to be shown. Any suggestion on how to accomplish this?

    Jan,
    http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect31/administration/guide/ac04namconfig.html
    Windows Network Status Task Tray Icon
    Network Access Manager overrides Windows network management. After installing Network Access Manager, the Windows networking icon in the task bar may confuse users, because the user can no longer use the network status icon to connect to networks.
    You can remove the Windows network icon from the task bar by setting 'Remove the networking icon' in a Windows group policy. This setting only affects the tray icon; the user can still create native wireless networks using the Control Panel.
    **Share your knowledge. It’s a way to achieve immortality.
    --Dalai Lama**
    Please Rate if helpful.
    Regards
    Ed

  • Specifying Client Auth Cert in Anyconnect NAM

    Hi guys,
    Currently i have set up an SSID which uses EAP-FAST to perform user certificate authentication against an Identity store in ISE connected to AD. On the client devices I have install the Anyconnect NAM to act as the dot1x supplicant and have been in the process of setting up the profile using the Anyconnect Profile Editor.
    The issue that I am having is that users on the network have several certs assigned to them from AD. Ordinarily the NAM just prompts the user to select the correct certificate when they attempt to connect, which is not feasible.
    Can I configure the NAM to use a specific user Cert to authenticate to the SSID (without prompting the user on connection)? And if so how?
    Thanks

    Hello Evan,
    Please check the following Cisco doc for specifying client auth cert in anyconnect. Hope it helps!
    http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect24/administration/guide/ac02asaconfig.html

  • Alerting or logging from AnyConnect NAM

    We are planning to use Cisco AnyConnect Network Access Manager as an 802.1x supplicant for our wired network as we ran into issues with the Microsoft native supplicant. There are certain advantages in using the inbuilt supplicant on Windows, as one can get the desired information from the event log about the dot1x events and use it to alert in case of failures. I however don't see similar logging available in Cisco AnyConnect NAM. We can of course use the DART bundle, but we would like to have detailed dynamic logs from the client to build automation to alert the NOC on any dot1x failure in the network.
    Thanks,
    Vijay

    You should use the "live authentication" logs from ISE. You can also configure the switch to send the switch logs to ISE; that way, when you click the details in ISE "live authentication" you will see both the ISE logs and the switch logs on the same screen.
    If you want alerts, you can go to "Operations > Alarms > Rules" and set alarms. You can configure ISE to send the alarms by email or by using syslog.
    Please rate if this helps

  • Using Name-based Virtual Hosts on Apache

    Hi!
    We have Novell SBS 6.5, a tree with 3 servers:
    1. Border Manager sp1
    2. GroupWise (NAT) sp1
    3. WEB (NAT) sp6 - Apache 2, MySQL, PHP.
    My site is at http://www.kalmanovitz.co.il.
    I want to try to add a new sub domain and\ or a Domain using Name-based Virtual Hosts (2 or more domains on same IP number).
    1. My BM server use SSL. Will it influence SSL? How?
    2. What I need to change on my servers?
    3. What my ISP need to update\change on his system?
    4. Can i try to experience the changes without my ISP intervention?
    Please help.
    TIA
    Nanu

    Nanu Kalmanovitz,
    > 1. My BM server use SSL. Will it influence SSL? How?
    Not protocol-wise, but you will get a security warning that certificate and host names do not match.
    > 2. What I need to change on my servers?
    Httpd.conf
    > 3. What my ISP need to update\change on his system?
    DNS, pointers to the domains
    > 4. Can i try to experience the changes without my ISP intervention?
    >
    Yes. Add the names to the workstation's hosts-file
    - Anders Gustafsson, Engineer, CNE6, ASE
    NSC Volunteer Sysop
    Pedago, The Aaland Islands (N60 E20)
    Novell does not monitor these forums officially.
    Enhancement requests for all Novell products may be made at
    http://support.novell.com/enhancement
    Using VA 5.51 build 315 on Windows 2000 build 2600

  • Windows 7 -How to authenticate to WiFi (home or public) with AnyConnect NAM installed

    Hello,
    We are deploying ISE and connecting to the company's WiFi using a "machine" login (active directory laptop) works fine on Windows 7 or 8 - both wired and wireless. But, here is a scenario that I can't seem to find a good answer for. All my searches result in answers for corporate wifi; but not what I need.
    So, an employee checks out a laptop to use on a trip. It has AnyConnect 4.0.x VPN and NAM installed (SBL - GINA needs to be added). Windows 8 allows a user who has never used a Win8 laptop to connect to WiFi and authenticate before attempting to login and get their desktop. If the Win 7 or 8 laptop is connecting to a corporate AP, ISE automatically authenticates the "machine" so when they enter their user credentials, they will be logging into the Windows domain (GPO's, drive mappings, etc.). Once a Windows 7 laptop has been authenticated with ISE, it doesn't matter which user logs in, the device will already have a connection. Essentially, the user does not have to log in while within the corporate network in order to get their profile created (locally cached credentials).
    But, what if the user has no local profile and tries to use a Windows 7 laptop from their home? They need to be able to connect and authenticate to their home WiFi before AnyConnect can automatically bring up the VPN tunnel. The GINA module will do an SBL for a VPN connection but that's not going to work if they don't have a WiFi connection. This scenario is possible in my environment.
    So, can AnyConnect GINA also manage a WiFi login before a user tries to get to a desktop for the first time?
    The perfect scenario would be where we hand out emergency laptops to first time users, they connect to whatever WiFi they have access to (non-corporate), the VPN tunnel comes up and when they login, they login into the Windows domain, not locally.
    Thanks!

    Just so everyone knows...
    Please take note of the specific processor which is included with your HP Pro 3130 MT.
    HP Pro 3130 MT motherboards with specific processors do not have any onboard (integrated) graphics, although they still have the VGA and DVI connectors. This means that although you may remove the PCIe graphics card, you will not be able to use a monitor with the onboard VGA or DVI (because there is no integrated graphics). This also means that you will not be able to change your BIOS to onboard graphics (because there is no integrated graphics).
    "NOTE: HP Pro 3130 with Intel Core i5 750 processor or any Intel i7 processor has no integrated
    graphics."(1)
    (1) Source: http://h18000.www1.hp.com/products/quickspecs/13640_ca/13640_ca.PDF
    If you would like to know why, let me know. Thanks!
    -Dave

  • How to find domain name for the host

    I have found the hostname but I am not able to find the domain name; how can I do that? From the forums I was able to understand why the BSP application was not displaying, but I was unable to execute the same as I was unaware of the domain name.
    Thanks in advance.
    Regards,
    Narayani

    Hi Narayani,
    What about doing something like this?
    data: urls type tihttpurls2,
          wa   type ihttpurls2,
          host type string.
    " collect the ICF URLs registered for the BSP handler class
    call method cl_http_server=>get_extension_info
      exporting
        extension_class = 'cl_http_ext_bsp'
      importing
        urls            = urls.
    " the host part to strip: system id plus the separating dot, lower-cased
    concatenate sy-sysid '.' into host.
    translate host to lower case.
    loop at urls into wa.
      " remove the host prefix from each URL entry; the remainder is the domain
      replace host in wa-host with ''.
    endloop.
    The idea is that you get all the possible URLs and then delete the host part of it. Then you get the domain.
    Eddy

  • Setting a proper domain name and adding hosts for quick name resolution

    I have 3 other computers in my house.
    Two run linux at this time.
    I want to do 2 things. Right now my machine says Steve.local for its hostname right? I want to change that so it reads Steve.mydomain.net.
    Am I correct that I need to
    sudo /etc/hostconfig
    And change the hostname line from -Automatic- to =
    HOSTNAME=Steve.mydomain.net
    And for quicker resolution of the small number of hosts on my network (primarily so I can use hostname instead of IP for ssh) can I add static hosts to the /etc/hosts file on my machine ala:
    sudo /etc/hosts
    Is this the proper way to do these things in Mac OS X?
    Also to change my workgroup for Samba:
    Open the Directory Access utility (under Applications -> Utilities)
    I highlight SMB and click configure and just change the Workgroup entry there. Is that correct as well?
    Just checking before I go tooling up my machine tonight for better integration into my home network.

    OK, update: changing the hostname in the field does NOT allow me to edit the .local part. In fact it converts Steve.mydomain.net.local to Steve-mydomain-net.local.
    But I got my windows workgroup changed and I am showing up with the correct workgroup name from my other servers.
    Also, let's say you only have a couple of computers on your home network, right? So dedicated DNS is kind of overkill, especially when most of them are laptops rebooting all the time.
    Well, your Mac OS X box has a hosts file: /etc/hosts, as in, if you want to edit it, sudo vi /etc/hosts. So you keep the computers pretty much in sync from those files.
    I was afraid the information would not be persistent across a reboot. It was.
    So, two out of three ain't bad. I read in the server forum it's a pain in the ***. I was almost thinking of doing the hostconfig trick but I saw an Apple bulletin saying do NOT do that.
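Since the poster settles on keeping /etc/hosts in sync by hand across the machines, the part worth getting right is the file itself: entries there override DNS for every program on the box, so a stray or malformed line silently redirects traffic and a duplicate for the same address is an easy way to confuse yourself later. The following is an added example (not code from the thread or from Apple) that parses a hosts file the way the resolver reads it, looks a name up, and adds or replaces an entry idempotently after validating the address and the hostnames. The sample file is constructed in the layout macOS ships with, plus two LAN entries.

```python
import ipaddress
import re

# Constructed sample hosts file: the macOS default lines plus two LAN hosts.
SAMPLE_HOSTS = """\
##
# Host Database
##
127.0.0.1       localhost
255.255.255.255 broadcasthost
::1             localhost
192.168.1.10    steve.mydomain.net steve   # desktop
192.168.1.20    nas.mydomain.net nas
"""

# One DNS label: 1-63 chars of letters, digits, hyphen, not starting/ending with a hyphen.
HOSTNAME_RE = re.compile(
    r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")


def parse_hosts(text: str) -> list:
    """Return [(ip, [names, ...]), ...] for every data line, skipping blanks and comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # everything after '#' is a comment
        if not line:
            continue
        fields = line.split()
        entries.append((fields[0], fields[1:]))
    return entries


def lookup(text: str, name: str):
    """First address whose names include `name` (case-insensitive), as the
    resolver's 'files' source does; None if the name is not listed."""
    for ip, names in parse_hosts(text):
        if name.lower() in (n.lower() for n in names):
            return ip
    return None


def upsert_host(text: str, ip: str, *names: str) -> str:
    """Add or replace the line for `ip`, dropping any duplicate lines for that
    address. Inputs are validated so a typo cannot produce a broken entry."""
    ipaddress.ip_address(ip)   # raises ValueError on a malformed address
    if not names:
        raise ValueError("at least one hostname is required")
    for n in names:
        if not HOSTNAME_RE.match(n):
            raise ValueError(f"invalid hostname: {n!r}")
    new_line = f"{ip:<15} {' '.join(names)}"
    out, replaced = [], False
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if fields and fields[0] == ip:
            if not replaced:
                out.append(new_line)
                replaced = True
            continue   # duplicate line for the same address: drop it
        out.append(raw)
    if not replaced:
        out.append(new_line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    updated = upsert_host(SAMPLE_HOSTS, "192.168.1.30", "laptop.mydomain.net", "laptop")
    print(updated)
    print("laptop ->", lookup(updated, "laptop"))
```

To apply it to the real file you would read /etc/hosts, pass the text through upsert_host, and write the result back with root privileges (the sudo step in the post). Note that this does not change what `hostname` reports or the Bonjour `.local` name the poster was fighting with; it only affects how names are resolved.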

  • Using AnyConnect NAM for wireless and AD password changes

    Hi,
    I am having a problem with AD password changes and wireless profiles in AnyConnect. Once a user changes their password from their PC and then tries to connect to our WPA2 802.1x wireless it fails to authenticate and I cannot find a way to update the password that works. So we currently delete the wireless profile and create a new one. Is there a way that NAM could pull user/password from login or any other fix. We are also using ACS 4.1. AnyConnect version 3 to 3.0.5080.
    Thanks!

    In your anyconnect profile did you set the "use single sign on credentials"? Also did you try the repair option to see if it works after that (I am not suggesting a solution but for troubleshooting). Does logging on and off the machine help resolve the issue? Does this happen on all workstations?
    http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect30/administration/guide/ac04namconfig.html#wp1166170
    Even though this is for user authentication this bug seems like a candidate:
    http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtx03814&from=summary
    Thanks,
    Tarik Admani
    *Please rate helpful posts*

  • Domain name within iweb & hosting

    *I recently purchased a domain name for a site that I will be working on.*
    *There are two things that I would like to do:*
    *1. Host the web site on my mac which is running OS X 10.5.6*
    *2. Use iWeb '09 to develop the site*
    *I would like to know how to go about hosting the site off my mac without having to run OS X 10.5 server.*
    and
    *How to set my registered domain (.com) address within iweb so when I publish the site it will only contain the domain name of the site in the URL field.*
    Many thanks

    This article may help:
    _WWW FAQs: How do I host a real domain name at home?_
    ...which is a sub-article of this one:
    _How do I host my own website at home?_
    ...which asks the question:
    _Should I host my own web server?_.

  • IWeb - pointing domain name to MobileMe host

    Hi - I have been working to direct a domain name purchased through godaddy (mygodaddydomainname.com) to my mobileme website (web.me.com/myname/myblogblogname), where I'm publishing a page using iweb.
    The goal is for someone to look under the (mygodaddydomainname.com) name and see the site built with iWeb and hosted at (web.me.com/myname/myblogblogname).
    You would think it was simple but I am having difficulties.
    I followed the cname instructions in support at Apple & at GoDaddy but it isn't working. Does anyone have any good ideas?
    Gratefully,
    Lillian

    This Apple document tells how to configure your MMe account for CNAME forwarding: Setting up MobileMe to use a personal domain name. Then follow GoDaddy's instructions for their end.
    If you don't want to use CNAME forwarding but just the standard forwarding you don't need to do anything on MobileMe's end. At GoDaddy it will look like this:
    [screenshot of the GoDaddy forwarding settings; image not included]
    You can either choose with masking or not. Masking will only display mygodaddydomainname.com in the URL window of each page. The downside to that is that visitors can only bookmark the first page of your site. That may or may not be a problem with your site. My tutorial site is set up that way: http://toadstutorials.info.
    OT
