Cisco WLC with ISE - need to restrict access during non-business hours

Similar Messages

• HT201304 I need to restrict access to Settings on an iPad so settings like VoiceOver cannot be activated while letting them access multiple apps on the device. Is their any way to restrict access to settings without locking the device with a PIN?

  I need to restrict access to Settings on an iPad so settings like VoiceOver cannot be activated while letting them access multiple apps on the device. Is their any way to restrict access to settings without locking the device with a PIN?
  This is so our guests cannot tamper or disable the device. We are already using Apple Configurator but their does not seem to be a way to lock down settings without a PIN.

  There's a lot of restrictions information in Chapter 19 of the 4.2 User Guide.
  http://support.apple.com/manuals/#ipad
  By the way, a more extensive version of the User Manual is available at no charge through iBooks.

• Need to restrict access to XD02/XD03

  Hi All,
  I  need to restrict access to some acct group in the search screens for individuals who do not have access to this account group in transaction XD02/XD03.  Other than this group we should not allow to search the screens.
  Please guid me if any exit / badi....etc. where i can put this validation.
  Thanks.
  Raj.

  Hi,
  Try this link...
  Customer Master Maintenace - restriction general data tabs
  Regards,
  Guru

• Need to restrict access to multiple servlet applications on same box

  Hi!
  I have deployed two separate servlet applications to the same IAS. I need
  to restrict access to each application - that is requests from one source
  should only have access to one application and not the other. The web
  server we are using is IIS.
  Should I create a separate IAS to deploy the second application to? Can I
  restrict based on IP - that is port 80 is reserved to application 1 while
  port 81 is restricted to application 2? If so, how do I go about this? It
  appears that the web connector only receives on one port (default 80).
  Any help would be greatly appreciated.
  Sheila

  I see. So do you mean that I can override the port number in the proxy startup script itself? I can try doing that and see if it works fine.
  About Coherence 3.7, yes. I did see that it has some cool features about proxy discovery. But at this point I am stuck at using 3.6 and 3.6.1.
  Edited by: online19 on Jun 29, 2011 5:41 PM

• Hi guys I need to restrict access to the settings with a passcode but also need passcode for the screen lock due to MS Exchange. Can these codes be different?

  We are introducing iPhonse into the business but have a question regarding security. We need to restrict user access to the settings on the iphone  probably via a passcode. We also need the user to have access to their emails (which when using exchange enforces a passcode). Is this the same passcode that is used for both by default? Because if it is then by allowing the user access to their emails they would by default have access to the code that allows them to change the settings of the iphone?
  Does anyone have any knowledge of this or how I can achieve something similar.
  Thanks
  Paul

  Hi,
  Thanks for your reply
  Could you by any chance provide a few simple steps on how to do this as i not too sure how you differentiate creating a passcode for restrictions and creating a passcode for lock screen?
  Kind Regards,
  Paul

• Cisco WLC with Bonjor services - MSE 3310 compatibility

  Hi All,
  We have a Cisco WLC 5508 currently running on code 7.2. We have Cisco MSE 3310 appliance (which is EoS & EoS) and it is running on code 7.2 as well.
  Now, we want to implement Bonjor Gateway services to support Apple Services such as Apple TV, Apple Printer etc.
  My understanding is that in order to deploy Bonjour gateway the controller needs to be at least on version 7.4.
  I can upgrade the Controller Code, but I need to know the compatibility between Cisco WLC code 7.4 (7.4.100.0) with Cisco MSE 3310 code (7.3.101.0, as it the highest code available). MSE 3310 appliance compatibility with WLC Code 7.4 ?
  I checked the Cisco Software Compatibility Matrix, and it's not clear at all.
  http://www.cisco.com/c/en/us/td/docs/wireless/compatibility/matrix/compatibility-matrix.html#pgfId-148309
  Thanks and Regards,
  CJ

  If you really want to keep everything compatible, you might want to look at another route, like using Avahi as an mDNS gateway.  Take a look at this document... there are other mDNS gateways out there which can work, but this doc is strictly for the Avahi:
  http://www.cisco.com/c/en/us/support/docs/wireless/aironet-1100-series-access-point/113443-cuwn-apple-bonjour-dg-00.html
  http://www.timabbott.com/computers/multi-vlan-airplay-with-avahi/
  Thanks,
  Scott
  *****Help out other by using the rating system and marking answered questions as "Answered"*****

• Problems with Serv.Behav. Restrict Access Level

  Hi,
  I hope you can help - can't find an answer to this one. Been
  going nuts on this! Thank you very much for anything help you can
  provide.
  1) Using DW 8.0, PHP 4.4.7, MySQL 4.1.22
  2) Set up log in page, everything works if the LogIn Server
  Behavior is set to "Restrict Access" to only Username &
  Password. If set to Username, Password & Access Level get a
  MySQL error page:
  "You have an error in your SQL syntax; check the manual that
  corresponds to your MySQL server version for the right syntax to
  use near 'Privileges FROM tbl_users WHERE Username=%s AND
  Password=%s' at line 1"
  3) Here's the code:
  <?php require_once('Connections/conn_MemberList.php');
  ?>
  <?php
  if (!function_exists("GetSQLValueString")) {
  function GetSQLValueString($theValue, $theType,
  $theDefinedValue = "", $theNotDefinedValue = "")
  $theValue = get_magic_quotes_gpc() ? stripslashes($theValue)
  : $theValue;
  $theValue = function_exists("mysql_real_escape_string") ?
  mysql_real_escape_string($theValue) :
  mysql_escape_string($theValue);
  switch ($theType) {
  case "text":
  $theValue = ($theValue != "") ? "'" . $theValue . "'" :
  "NULL";
  break;
  case "long":
  case "int":
  $theValue = ($theValue != "") ? intval($theValue) : "NULL";
  break;
  case "double":
  $theValue = ($theValue != "") ? "'" . doubleval($theValue) .
  "'" : "NULL";
  break;
  case "date":
  $theValue = ($theValue != "") ? "'" . $theValue . "'" :
  "NULL";
  break;
  case "defined":
  $theValue = ($theValue != "") ? $theDefinedValue :
  $theNotDefinedValue;
  break;
  return $theValue;
  ?>
  <?php
  // *** Validate request to login to this site.
  if (!isset($_SESSION)) {
  session_start();
  $loginFormAction = $_SERVER['PHP_SELF'];
  if (isset($_GET['accesscheck'])) {
  $_SESSION['PrevUrl'] = $_GET['accesscheck'];
  if (isset($_POST['textfield'])) {
  $loginUsername=$_POST['textfield'];
  $password=$_POST['textfield2'];
  $MM_fldUserAuthorization = "Privileges";
  $MM_redirectLoginSuccess = "MemberList.php";
  $MM_redirectLoginFailed = "MemberDeny.php";
  $MM_redirecttoReferrer = false;
  mysql_select_db($database_conn_MemberList, $conn_MemberList);
  $LoginRS__query=sprintf("SELECT Username, Password,
  Privileges FROM tbl_users WHERE Username=%s AND Password=%s",
  GetSQLValueString($loginUsername, "text"),
  GetSQLValueString($password, "text"));
  $LoginRS = mysql_query($LoginRS__query, $conn_MemberList) or
  die(mysql_error());
  $loginFoundUser = mysql_num_rows($LoginRS);
  if ($loginFoundUser) {
  $loginStrGroup = mysql_result($LoginRS,0,'Privileges');
  //declare two session variables and assign them
  $_SESSION['MM_Username'] = $loginUsername;
  $_SESSION['MM_UserGroup'] = $loginStrGroup;
  if (isset($_SESSION['PrevUrl']) && false) {
  $MM_redirectLoginSuccess = $_SESSION['PrevUrl'];
  header("Location: " . $MM_redirectLoginSuccess );
  else {
  header("Location: ". $MM_redirectLoginFailed );
  ?>
  <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0
  Transitional//EN" "
  http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
  <html xmlns="
  http://www.w3.org/1999/xhtml">
  <head>
  <meta http-equiv="Content-Type" content="text/html;
  charset=iso-8859-1" />
  <title>Untitled Document</title>
  <style type="text/css">
  <!--
  .style3 {font-family: Verdana, Arial, Helvetica, sans-serif;
  font-size: small; }
  -->
  </style>
  </head>
  <body>
  <p> </p>
  <form id="LogOn" name="LogOn" method="POST"
  action="<?php echo $loginFormAction; ?>">
  <table width="100%" border="0" cellspacing="2"
  cellpadding="2">
  <tr>
  <th scope="col"><div align="right"><span
  class="style3">User:</span></div></th>
  <th scope="col"><label>
  <div align="left">
  <input type="text" name="textfield" />
  </div>
  </label></th>
  </tr>
  <tr>
  <td><div align="right"><span
  class="style3">Password:</span></div></td>
  <td><label>
  <div align="left">
  <input type="text" name="textfield2" />
  </div>
  </label></td>
  </tr>
  <tr>
  <td> </td>
  <td><label>
  <input type="submit" name="Submit" value="Submit" />
  </label></td>
  </tr>
  </table>
  </form>
  <p> </p>
  </body>
  </html>
  Thank you

  I tried this and get the same error message.
  ERROR at line 1:
  ORA-28545: error diagnosed by Net8 when connecting to an agent
  NCRO: Failed to make RSLV connection
  ORA-02063: preceding 2 lines from ALPACWOBF
  listener.ora:
  LISTENER =
  (DESCRIPTION_LIST =
  (DESCRIPTION =
  (ADDRESS_LIST =
  (ADDRESS = (PROTOCOL = TCP)(HOST = spruce)(PORT = 1521))
  (ADDRESS_LIST =
  (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC0))
  SID_LIST_LISTENER =
  (SID_LIST =
  (SID_DESC =
  (SID_NAME = alpacwobf)
  (ORACLE_HOME = C:\oracle\ora92)
  (PROGRAM = hsodbc)
  tnsnames.ora
  alpacwobf.3LOG.COM =
  (DESCRIPTION =
  (ADDRESS_LIST =
  (ADDRESS = (PROTOCOL = TCP)(HOST = SPRUCE)(PORT = 1521))
  (CONNECT_DATA =
  (SID_NAME = alpacwobf)
  (HS=ok)
  initalpacwobf.ora:
  HS_FDS_CONNECT_INFO = AlpacWOBF
  HS_FDS_TRACE_LEVEL = 4
  HS_FDS_TRACE_FILE_NAME = alpacwobf.log
  ODBC setting is ok. odbc name is alpacwobf, db is access 2000.
  restart the listener.
  tnsping alpacwobf is ok.
  database link creating is ok.
  but when query,I got error.
  alpac > create database link alpacwobf using 'alpacwobf';
  Database link created.
  alpac > select count(*) from test@alpacwobf;
  select count(*) from test@alpacwobf
  ERROR at line 1:
  ORA-28545: error diagnosed by Net8 when connecting to an agent
  NCRO: Failed to make RSLV connection
  ORA-02063: preceding 2 lines from ALPACWOBF
  Any help will be appreciated.
  Thanks a lot.
  Richard

• Restrict data to after Business hours only...

  hi all,
  I am trying to ascertain how many services calls are logged to a particular workgroup made after business hours i.e. after 6.00 pm(18:00hrs) and before 7am (07:00hrs), each day for past 2 months.
  so how do i restrict the data only between these times.
  i am confused as 7.00am fall on the next day early morning.??? thus data is restricted to from 6 in evening to 7:00 hrs next day in morning.
  any inputs or ideas will be highly appreciated mate..
  regards
  abhi.

  Use a record selection formula that ONLY pulls times (hopefully you have a date time field) that are between 6pm and midnight OR between midnight and 7am.

• WLC with ISE as radius and also external web server

  Hi friends,
  I am biulding a wireless network with 5508 WLC and trying to use ISE as radius server and also to redirect the web-login to it.
  I was trying to understand that to achieve the external web-login, do i need to use the raduius-nac option under advanced on the guest wireless where i am trying this out. and if not, where do i actually use it?
  So far what i have understood that i do need to have preauth ACL on the Layer 3 security, but the issue is there is no hit reaching the ISE.
  any suggestions would be higly appreciated guys!
  Regards,
  Mohit

  Hi mohit,
  Please make sure the below steps for guest auth thru ISE,
  1)Add the WLC in your ISE as netork devices.
  2)In Guest SSID you need to choose the pre authentication acl.That acl should allow the below traffic
      a. any to ISE
      b.ISE to any
      c.any to dns server
      d.dns to any
  3)The external redirect url will be 
  https://ip address:8443/guestportal/Login.action
  4)AAA server for that SSId would be your ISE ip with port number 1812.
  5)In advanced tab please choose the AAA override. No need of radius nac.
  6)Create appropriate authorization profile in ISE for guest.Example is below ,

• Firefox MAC v30 with proxy needs authenticate"Cache Access Denied" sorry, you are not currently allowed to request: from this cache until you have authenticated

  Firefox was working perfectly before we've updated it to version 30.0. It seems that the new version does not like our Proxy setting which needs users to auth with their AD accounts.
  In the past version, Firefox will pop-up a box that allow you to type in the username and password, which works perfect. However, it does not pop-up anymore and gives me this error message.
  The following error was encountered:
  Cache Access Denied.
  Sorry, you are not currently allowed to request:
  http://www.google.com.au/url?
  from this cache until you have authenticated yourself.
  I try to manually set up the username in key chain and allow firefox to access it but Firefox seems do not access that key chain at all.
  Is anyone have the issue with the proxy which needs authenticate in Firefox30.0? Does anyone know the possible solutions?
  Many thanks!
  Shuopan
  ------------------------------------trouble shoot update-----------------------------------------
  Quite interestingly, Firefox will work for 1 minute after I am using Safari with that Auth proxy. However, if I am not touching Safari for 1 or 2 minutes, Firefox will stop working and pop up the similar error message.
  tried network.http.use-cache = false but not work
  Thanks

  Quite interestingly, Firefox will work for 1 minute after I am using Safari with that Auth proxy. However, if I am not touching Safari for 1 or 2 minutes, Firefox will stop working and pop up the similar error message.
  Thanks

• Help needed in restricting access

  Hi all,
  Please recommend me a procedure to remove an access from a transaction code.
  The scenario is for transaction CC31-Create Change Request i need to remove the access for a set of users the "Approve ECR" status that which appears in the Set Status page.
  Kindly send me your valid advice.
  Expecting your kind response
  Vineeth

  Hi Ashok,
  Thanks for your quick reply, but my problem is not solved yet.
  I created a role with the T-Code CC31, searched for the field "RLKEY".
  When trying to remove the CHECK from the GlobalReleases option the option is not working. I am neither able to choose any of the options or remove the checked option.
  Hope you understand.
  Though the field "Release Key for Change Master" is kept open, the user assigned has the access to the "APPROVE ECR" task.
  I am not able to understand the concept of RLKEY's is there further need for options through customization?
  Can you please explain.
  Expecting your kind response.
  Vineeth

• How do you restrict access to a business process structure in Solution Mngr

  We have set up a business process structure in Solution Manager that includes Finance to Manage and Hire to Retire.
  Although it is Ok for people to display the documentation in each area, we do have the requirement that the people owning Finance to Manage should not able to change the documentation in Hire to Retire and visa versa. Is there a security object that restrict this access? Are there other ways doing this?
  Thanks
  Paul

  I am not a security person, but we have the following details in the profile. You can change these if you click on these areas changing it to display or change mode
  SAP Solution Manager Tab AI_SA_TAB
  --> SAP Solution Manager Tab 
      ---> Activity 02, 90
      ---> Tab in SAP Solution Manager BCSETS, CONFIG, CUSTDOCU, GRAPHIC, IMG, ISSUE, (ETC.)
  > Transaction Type in SAP Solution Manager  1
  Hope this helps
  Paul

• Cisco WLC 2500 - 802.1x with Vasco Radius SMS OTP

  Hello folks,
  I have what seems to be a complex implementation with many things that need to be done on a customers network and I wanted to be pointed in the right direction.
  The current scenario is such, the customer has a Cisco WLC 2500 device that has 3 access points(these are in the same AP group) connected to it. There is one SSID that I will call PRODUCTION here that some domain users use to connect to the local network. The customer has requested to have a GUEST SSID added to the WLC where guest users will connect to and recieve a SMS OTP for authentication.
  Correct me if I am wrong, but I will obviously need to segment the SSIDs to have them running on different subnets to ensure that guest users do not have access to the production network once they authenticate. In order to do this I will need to configure Dynamic VLAN assignment for the Cisco WLC and connect it to a 802.1x port on the switch.
  Now what is not clear is I am not interested in authenticating the users that connect via "Production SSID" and want to bypass authentication for those users and have them assigned to the default vlan (or maybe perhaps have them authenticate via LDAP on the AD), however I want to force the "GUEST" SSID users to authenticate so that they may recieve an SMS OTP (reason for this is to force guests to register their phone numbers to use the internet so that Illegal activity may be tracked).
  1)So would it be possible to bypass authentication(or authenticate them via LDAP) for the PRODUCTION SSID as only domain users would know the SSID password to log on and have them by default assigned to the production subnet (default vlan) but force the GUEST SSID users to another VLAN via 802.1x sms otp?
  2)*Important* Another issue that is not clear is will I be able to directly configure AAA Radius settings on the Cisco WLC to directly authenticate with the VASCO Radius OTP and recieve a challenge-response(required for OTP) during authentication? As I have seen from Ciscos Dynamic VLAN assignment docuementation (http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml) additional IETF Radius Perimeters are used such as Tunnel-Private-Group-ID etc are used which I can't seem to configure on the Vasco.
  I do beileve this is a great project in helping me understand the INs and OUTs of CISCO WLC as well as Wireless NAC, If anyone could enlighten me and point me in the right direction I would be forever in debt. Much appreciated.
  Best Regards
  Sinan Barghouthi - JNCIA-FWV , JNCIA-IDP , CCA-NS , TCSM-8.0

  On your WLAN you can enable AES and TKIP. Just know that some clients mau have issue when they see both TKIP and AES. Ive had pretty good success with this in the past. Dont forget, you also need to enable WMM allowed to get N rates.
  But you will need to configure AES on the client as well to support N rates.
  "Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
  ‎"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

• How to restrict access to views for some users in the app?

  Hi SDN!
  I have an WD application wich embedded in the portal. Appication has 2 iViews (and 2  pages respectively). These iViews consist several views connected with each other (e.g. one view provide list data, second view is add/edit form for this data). I need to restrict access for some users for view with add/edit form. I can't make separate page for this view.
  What I've done:
  1) create yet another UIContainer for this view in main window and embed view to this container. It was be done for create separate iView for form.
  2) in the portal I create iView for this form but don't embedd in any page.
  When I try to call my form from list data (that is one iView from another) I get exception:
  <b>com.sap.tc.webdynpro.services.exceptions.WDRuntimeException: duplicate usage of view .MyCarRentalAddCity</b>
  Is there a way to get needed functional?
  Thanks,
  Lev

  Hi,
  do you need to remove the IView from the portal menu or do you just want to make a View container in your WD application invisible if the user doesn't have the rights to see it.
  If so, you could create your own roles on the app server:
  You need to create a new class that extends NamePermission like:
  import com.sap.security.api.permissions.NamePermission;
  public class ApplicationAccessPermission extends NamePermission {
             * @param name
            public ApplicationAccessPermission(String name) {
                 super(name);
             * @param name
             * @param action
            public ApplicationAccessPermission(String name, String action) {
                 super(name, action);
  Also, you have to create an Action.XML file that looks like this:
  <BUSINESSSERVICE
       NAME="com.vendor.administration">
       <DESCRIPTION
            LOCALE="en"
            VALUE="actions view usage"/>
       <ACTION
            NAME="View Permission">
            <DESCRIPTION
                 LOCALE="en"
                 VALUE="Show view"
                 />
            <PERMISSION
                 CLASS="com.vendor.utilities.ApplicationAccessPermission"
                 NAME="ShowView"
                 />
       </ACTION>
  </BUSINESSSERVICE>
  If you have created these to files in your packages, you can access this function like:
  IUser user ;
  try {
            user = WDClientUser.getCurrentUser().getSAPUser();
            if(user.hasPermission(new ApplicationAccessPermission("Show view"))){
                 wdContext.currentV_UIElement().setViewVisibility(WDVisibility.VISIBLE);
            }else{
                 wdContext.currentV_UIElement().setViewVisibility(WDVisibility.NONE);
       }catch (WDUMException e1) {
            wdContext.currentV_UIElement().setViewVisibility(WDVisibility.NONE);
                  e1.printStacktrace();
  You have to bind the ViewVisibility attribute of the context to the View Container you want to hide.
  The applicationAccessPermission you defined in the XML File will be visible in the UME Manager of you J2EE engine. With this action you can create a new role and group that you can map to the users that should see you view.
  But, the exception you get is because you have embedded one view twice, which is not possible.
  Hope this helps.
  Regards,
  Dennis

• Understanding statistics from a Cisco WLC?

  Hello,
  From the "Monitor" page on our Cisco WLC.  If you go to "Access Points" from the left side then choose one of the Radios like 802.11b/g/n.  That will list all the APs connected with your controller.
  1) First question, some of the APs listed show the "Interference Profile" as "Failed".  What does this mean?  It has connected clients and no one is reporting an issue.  So what does that really mean?
  2) Second question, if you go to the "Details" for one of the APs I can see the "802.11 MAC Counters" showing things like Tx Fragments, Tx Failed Count, FCS Error Count, etc.  Below is what I see.
  Can someone explain what these statistics are saying?  Again there are no issues reported by our users, but some of these values seem high and I don't understand what they are saying or if there is anything I should be considered with.
  Any help on this would be great!
  Thank you!
  -rya

  For your convenience:
  The details of the " 802.11 MAC Counters " :
  Counters
  Tx Fragment Count
  This counter is incremented for an acknowledged MPDU with an individual address in the address 1 field.
  Tx Failed Count
  This counter increments when an MSDU is successfully transmitted after one or more retransmissions.
  Multiple Retry Count (Graphics view only)
  This counter shall increment when an MSDU is successfully transmitted after more than one retransmission.
  RTS Success Count
  This counter increments when a CTS is received in response to an RTS.
  ACK Failure Count
  This counter increments when an ACK is not received when expected.
  Multicast Rx Frame Count
  This counter increments when a MSDU is received with the multicast bit set in the destination MAC address.
  Tx Frame Count
  This counter increments for each successfully transmitted MSDU.
  Multicast Tx Frame Count
  This  counter increments only when the multicast bit is set in the  destination MAC address of a successfully transmitted MSDU. When  operating as a STA in an ESS, where these frames are directed to the  access point, this implies having received an acknowledgment to all  associated MPDUs.
  Retry Count
  This counter increments when an MSDU is successfully transmitted after one or more retransmissions.
  Frame Duplicate Count
  This counter increments when a frame is received that the Sequence Control field indicates is a duplicate.
  RTS Failure Count
  This counter increments when a CTS is not received in response to an RTS.
  Rx Fragment Count
  This counter shall be incremented for each successfully received MPDU of type Data or Management.
  FCS Error Count
  This counter increments when an FCS error is detected in a received MPDU.
  WEP Undecryptable Count
  This  counter increments when a frame is received with the WEP subfield of  the Frame Control field set to one and the WEPOn value for the key  mapped to the TA's MAC address indicates that the frame should not have  been encrypted or that frame is discarded due to the receiving STA not  implementing the privacy option.
  Band Select statistics
  When  the feature is activated, the WLC doesn't immediately reply to probe  requests on 11b/g. If immediately a probe is also seen on 11a, then the  client is detected as dual band. Then WLC only replies on 11a. After  some time, this "categorization" expires and WLC will again try to see  if the client is present on both bands.