Clustering with Cisco LD

The on-line documents regarding clustering talk about using a single web server front-end with the WLS plug-in and the plug-in sending the WLS request to multiple WLSs in a cluster.

The environment that I'm dealing with involves a Cisco LD load balancing for two Netscape Servers .... and the two hosts where the Netscape Servers are loaded are also loaded with the NES plug-in and with WLS 5.1. (Why WLS is not on a different host is another matter ... mostly cost, some politics ... client environment, not ours.)

How do you configure a WLS cluster in this environment? (Can the plug-in on one host "share" its info with a plug-in on another host?) Currently, the plug-ins are configured to talk to WLS on localhost.

I'm only interested in replicating servlet session states. No EJBs are involved.

Thanks,
John
          

Take a look at:
http://www.weblogic.com/docs51/cluster/planning.html#1035562

"The proxy plug-in contains the load balancing logic for accessing servlets and JSPs in a WebLogic Server cluster. Proxy plug-ins also contain the logic for accessing the replica of a client's session state if the primary WebLogic Server hosting their session state fails"

Gene Chuang
Join Kiko.com!

"Jesus M. Salvo Jr." <[email protected]> wrote in message news:[email protected]...
> Gene,
>
> How does the "plugin will handle the load-balancing between the
> clustered web servers" when "attaching the plugin to the WLS on the same
> host" means (in Netscape's obj.conf file):
>
> WebLogicHost=localhost WebLogicPort=7001
>
> ... therefore "attaching" the plugin ONLY to the WLS on the same host,
> and NOT to the WLS on the other host?
>
> With this, if I get to the page on host A, a session is created, and if I
> reload the page and by chance go to host B (as determined by Cisco LD),
> I get a new session and weblogic.log on host B does say (as I have
> instructed it when calling getSession( true )) "New session created".
>
> I first try getSession( false ), and if it's null, as in this sample
> scenario above, I call getSession( true ), at which point I write to the log
> "New session created".
>
> I know I could have tried in the obj.conf file:
>
> WebLogicCluster=<non-local-IP1>,<non-local-IP2>
>
> ... but if I do this on both hosts, WLS / plug-in may get confused as it
> said in the doc that the plug-in determines which one is the primary and
> secondary servers. But what if one plug-in said that the main server is
> host A while the other said the main server is host B?
>
> Thanks,
>
> John
>
> Gene Chuang wrote:
> >
> > Each plugin should attach to the WLS on the same host; once attached, the plugin will handle
> > the load-balancing between the clustered web servers.
> >
> > Our architecture is similar to yours; we have Cisco LD, Apache, Apache plugin, Weblogic web and
> > Weblogic app.
> > --
> > Gene Chuang
> > Join Kiko.com!
> >
> > "Jesus M. Salvo Jr." <[email protected]> wrote in message
> > news:[email protected]...
> > > The on-line documents regarding clustering talk about using a single
> > > web server front-end with the WLS plug-in and the plug-in sending the
> > > WLS request to multiple WLSs in a cluster.
> > >
> > > The environment that I'm dealing with involves a Cisco LD load balancing
> > > for two Netscape Servers .... and the two hosts where the Netscape Servers
> > > are loaded are also loaded with the NES plug-in and with WLS 5.1. (Why
> > > WLS is not on a different host is another matter ... mostly cost, some politics
> > > ... client environment, not ours.)
> > >
> > > How do you configure a WLS cluster in this environment? (Can the plug-in
> > > on one host "share" its info with a plug-in on another host?)
> > > Currently, the plug-ins are configured to talk to WLS on localhost.
> > >
> > > I'm only interested in replicating servlet session states. No EJBs are
> > > involved.
> > >
> > > Thanks,
> > >
> > > John
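As an added illustration (not from this thread or from the WebLogic documentation), the two obj.conf settings John compares, shown as full NES plug-in stanzas: the localhost form that pins each plug-in to its own WLS, next to the WebLogicCluster form that lists both WLS instances so the plug-in on either host can reach the session replica on the other. The shared-library path, the host names hostA/hostB and the /weblogic path prefix are assumptions.

```conf
# Plug-in load and init lines (shlib path is assumed; adjust to your install)
Init fn="load-modules" funcs="wl_proxy,wl_init" shlib="/opt/netscape/plugins/libproxy.so"
Init fn="wl_init"

# Form 1: what John has today. Each plug-in only knows the WLS on its own
# host, so a session created on host A is unreachable from host B and a
# request the Cisco LD sends to host B ends in "New session created".
<Object name="weblogic" ppath="*/weblogic/*">
Service fn="wl_proxy" WebLogicHost="localhost" WebLogicPort="7001" PathTrim="/weblogic"
</Object>

# Form 2: the SAME stanza on BOTH hosts, naming both WLS instances (assumed
# names hostA/hostB). Because the list is identical on each host, the two
# plug-ins agree on the cluster members, and the plug-in can reach the replica
# of a session that lives on the other host instead of creating a new one.
<Object name="weblogic" ppath="*/weblogic/*">
Service fn="wl_proxy" WebLogicCluster="hostA:7001,hostB:7001" PathTrim="/weblogic"
</Object>
```

Use only one of the two Object blocks in a real obj.conf; they are shown together here for comparison.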
          

Similar Messages

  • CSA 5.1 Agent Installation on Microsoft Clusters with Teamed Broadcom NICs

    I'm searching all over Cisco.com for information on installing the CSA 5.1 agent on Microsoft Clusters with Teamed Broadcom NICs, but I can't find any information other than "this is supported" in the installation guide.
    Does anyone know if there is a process or procedure that should be followed to install this? For example, some questions that come to mind are:
    - Do the cluster services need to be stopped?
    - Should the cluster be broken and then rebuilt?
    - Is there any documentation indicating this configuration is approved by Microsoft?
    - Are there case studies or other documentation on previous similar installations and/or lessons learned?
    Thanks in advance,
    Ken

    Ken, you might just end up being the case study! Do you have a non-production cluster to with?
    If not and you already completed pilot testing, you probably have an idea of what you want to do with the agent. Do you have to stop the cluster for other software installations? I guess you might ask MS about breaking the cluster since it's their cluster.
    The only caveat I've seen with teamed NICs is when the agent tries to contact the MC it may time out a few times. You could probably increase the polling time if this happens.
    I'd create an agent kit that belongs to a group in test mode with minimal or no policies attached to test first and install it on one of the nodes. If that works OK you could gradually increase the policies and rules until you are comfortable that it is tuned correctly and then switch to protect mode.
    Hope this helps...
    Tom S

  • Hi Team, I would like to know if you have any app to make Firefox OS work with Cisco Call Manager 10.5. Something like Cisco Jabber for Android or iOS.

    I'm interested in buying a Firefox smart phone, but
    I would like to know if there is any app to install on a Firefox OS smart phone in order to work with Cisco Call Manager 10.5.
    Something like Cisco Jabber for Android or iOS.
    Thanks,

    Hi Itech,
    If Cisco Jabber has a webapp, or mobile version of their website available, you should technically be able to access it through Firefox OS.
    You may also search Firefox Marketplace for an alternative solution:
    * [https://marketplace.firefox.com/]
    - Ralph

  • Issue with Cisco ACS 4.2: users unable to log in to AAA client, but after restarting group policy able to log in

    Issue with Cisco ACS 4.2: users are unable to log in to the AAA client, but after restarting group policy they are able to log in.

  • Directory Caching issue with Cisco Jabber client for Windows

    Hi,
    I am facing a cache issue with the Cisco Jabber client for Windows. If I make any change related to modification or deletion of contacts in Active Directory / CallManager, it does not reflect in Jabber, because Jabber takes the contacts from the locally stored cache file on the Windows system.
    Every time I have to remove the cache file to overcome this issue; practically it's not possible to do the same for all the Windows users. For example, if an employee leaves the company, I can still see his contact in the "Cisco Jabber client". I have not seen this issue with Android/Apple iOS.
    Is there any automated way to remove the cache file?
    Here are the details of CUCM, Presence and Jabber:
    CUCM version: 9.1.x
    Presence: 9.1.X
    Jabber: 10.5 and 10.6

    Hello
    In our environment we had to install a dedicated Microsoft Certificate Authority "just for Cisco Jabber usage" to house the Network Device Enrollment Service.
    Our certificates for the CUPS were generated on this Certification Authority too.
    I discussed this certificate matter with my colleagues this afternoon and nobody seems to remember how these certificates were deployed into the Enterprise Trust store for the users.
    But I think they asked all 400 users to accept the 3 certificates by answering "yes" to the popup instead of using a script deployed by GPO...
    I wish you success with that deployment and really hope you have a technical partner that *knows* this subject.
    Our partner left us alone with that unfortunately.
    Florent
    EDIT: If the "Certutil script method" works, please let me know. This could be useful in our own deployment.

  • Azure multiple site-to-site VPNs (dynamic gateway) with Cisco ASA devices

    Hello
    I've been experimenting with moving certain on-premises servers to Azure; however, they would need a site-to-site VPN link to our many branch sites, e.g. for monitoring of nodes.
    The documentation says I need to configure a dynamic gateway to have multiple site-to-site VPNs. This is not a problem for our typical Cisco ISRs. However, three of our key sites use Cisco ASA devices, which are listed as 'Not Compatible' with dynamic routing.
    So I am stuck...
    What options are available to me? Is there any sort of tweak or configuration to make a Cisco ASA work with Azure and dynamic routing?
    I was hoping Azure's VPN solution would be very flexible.
    Thanks

    Hello RTF_Admin,
    1. Which series of Cisco ASA device are you using?
    Thank you for your interest in Windows Azure. Dynamic routing is not supported for the Cisco ASA family of devices.
    Unfortunately, a dynamic routing VPN gateway is required for Multi-Site VPN, VNet to VNet, and Point-to-Site.
    However, you should be able to set up a site-to-site VPN with the Cisco ASA 5505 series security appliance as demonstrated in this blog:
    Step-By-Step: Create a Site-to-Site VPN between your network and Azure
    http://blogs.technet.com/b/canitpro/archive/2013/10/09/step-by-step-create-a-site-to-site-vpn-between-your-network-and-azure.aspx
    You can refer to this article for Cisco ASA templates for static routing:
    http://msdn.microsoft.com/en-us/library/azure/dn133793.aspx
    If your requirement is only for Multi-Site VPN then there is no option but to upgrade the device, as Multi-Site VPN requires dynamic routing and unfortunately there is no tweak or workaround due to a hardware compatibility issue.
    I hope that this information is helpful.
    Thanks,
    Syed Irfan Hussain

  • Azure Site to Site VPN with Cisco ASA 5505

    I have got a Cisco ASA 5505 device (version 9.0(2)). And I cannot connect S2S with Azure (the Azure network is always in the "connecting" state). In my Cisco log:
    IP = 104.40.182.93, Keep-alives configured on but peer does not support keep-alives (type = None)
    Group = 104.40.182.93, IP = 104.40.182.93, QM FSM error (P2 struct &0xcaaa2a38, mess id 0x1)!
    Group = 104.40.182.93, IP = 104.40.182.93, Removing peer from correlator table failed, no match!
    Group = 104.40.182.93, IP = 104.40.182.93,Overriding Initiator's IPSec rekeying duration from 102400000 to 4608000 Kbs
    Group = 104.40.182.93, IP = 104.40.182.93, PHASE 1 COMPLETED
    I have done all the Cisco S2S configuration via the standard wizard because it seems your script is for the 8.x version of ASA only?
    (Does Azure support the 9.x version of ASA?)
    How can I fix it?

    Hi,
    As of now, we do not have any scripts for the Cisco ASA 9.x series.
    Thank you for your interest in Windows Azure. Dynamic routing is not supported for the Cisco ASA family of devices.
    Unfortunately, a dynamic routing VPN gateway is required for Multi-Site VPN, VNet to VNet, and Point-to-Site.
    However, you should be able to set up a site-to-site VPN with the Cisco ASA 5505 series security appliance as demonstrated in this blog:
    Step-By-Step: Create a Site-to-Site VPN between your network and Azure
    http://blogs.technet.com/b/canitpro/archive/2013/10/09/step-by-step-create-a-site-to-site-vpn-between-your-network-and-azure.aspx
    You can refer to this article for Cisco ASA templates for static routing:
    http://msdn.microsoft.com/en-us/library/azure/dn133793.aspx
    Did you download the VPN configuration file from the dashboard and copy the content of the configuration file to the Command Line Interface of the Cisco ASDM application? It seems that there is no specified IP address in the access-list part, and maybe that is why the state message appeared.
    According to the Cisco ASA template, it should be similar to this:
    access-list <RP_AccessList> extended permit ip object-group <RP_OnPremiseNetwork> object-group <RP_AzureNetwork>
    nat (inside,outside) source static <RP_OnPremiseNetwork> <RP_OnPremiseNetwork> destination static <RP_AzureNetwork> <RP_AzureNetwork>
    Based on my experience, to establish the IPsec tunnel you need to allow the ESP protocol and UDP port 500. Please make sure that the VPN device is not located behind a NAT. Besides, since the Cisco ASA templates are not compatible with dynamic routing, please make sure that you chose static routing.
    Since you configure the VPN device yourself, it's important that you are familiar with the device and its configuration settings.
    Hope this helps you.
    Girish Prajwal

  • Adaptiva Software Distribution not working with Cisco APs in Local Mode

    A worldwide customer would like to use a new software distribution system called Adaptiva to replace SCCM within their Windows environment. As far as I understand, Adaptiva is designed to work like a snowball system: a single PC at a remote site can be "infected" with new software and will distribute the package to other PCs within the same IP subnet, saving WAN bandwidth.
    First tests are showing that it is working well with the Cisco WLAN solution as long as we are using FlexConnect WLAN APs.
    Customer locations with a Local WLAN AP design create problems for this new software distribution method.
    The WLAN PCs can be reached from outside, but the establishment of the client/server model between the WLAN clients is not working. The port used by this software for communication between clients in each WLAN subnet is UDP port 34329.
    Our WLCs are running 7.4.130.0. The problem appears independently of AP multicast settings or broadcast forwarding. Enabling broadcast forwarding without a reboot did not improve the situation.
    Global Multicast Mode and IGMP Snooping are also of no influence.
    P2P Blocking Action is "Disabled" within the WLAN setup.
    Who has any idea what might cause this communication problem between WLAN clients in Local Mode of APs?
    Thank you for any answers
    Wini

    I can think of two solutions. You could 1: turn the "auto-lock" to never, so that your phone never sleeps. Or, you could 2: jailbreak your iPhone and install "insomnia". I wish we had the Cisco Mobile app. I usually use wifi/insomnia and turn data off at work since we have wireless pretty much everywhere...
    Sent from Cisco Technical Support iPad App

  • Ask the Expert: Scaling Data Center Networks with Cisco FabricPath

    With Hatim Badr and Iqbal Syed
    Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about the Cisco FabricPath with Cisco technical support experts Hatim Badr and Iqbal Syed. Cisco FabricPath is a Cisco NX-OS Software innovation combining the plug-and-play simplicity of Ethernet with the reliability and scalability of Layer 3 routing. Cisco FabricPath uses many of the best characteristics of traditional Layer 2 and Layer 3 technologies, combining them into a new control-plane and data-plane implementation that combines the immediately operational "plug-and-play" deployment model of a bridged spanning-tree environment with the stability, re-convergence characteristics, and ability to use multiple parallel paths typical of a Layer 3 routed environment. The result is a scalable, flexible, and highly available Ethernet fabric suitable for even the most demanding data center environments. Using FabricPath, you can build highly scalable Layer 2 multipath networks without the Spanning Tree Protocol. Such networks are particularly suitable for large virtualization deployments, private clouds, and high-performance computing (HPC) environments.
    This event will focus on technical support questions related to the benefits of Cisco FabricPath over STP or VPC based architectures, design options with FabricPath, migration to FabricPath from STP/VPC based networks and FabricPath design and implementation best practices.
    Hatim Badr is a Solutions Architect for Cisco Advanced Services in Toronto, where he supports Cisco customers across Canada as a specialist in Data Center architecture, design, and optimization projects. He has more than 12 years of experience in the networking industry. He holds CCIE (#14847) in Routing & Switching, CCDP and Cisco Data Center certifications.
    Iqbal Syed is a Technical Marketing Engineer for the Cisco Nexus 7000 Series of switches. He is responsible for product road-mapping and marketing the Nexus 7000 line of products with a focus on L2 technologies such as VPC & Cisco FabricPath and also helps customers with DC design and training. He also focuses on SP customers worldwide and helps promote N7K business within different SP segments. Syed has been with Cisco for more than 10 years, which includes experience in Cisco Advanced Services and the Cisco Technical Assistance Center. His experience ranges from reactive technical support to proactive engineering, design, and optimization. He holds CCIE (#24192) in Routing & Switching, CCDP, Cisco Data Center, and TOGAF (v9) certifications.
    Remember to use the rating system to let Hatim and Iqbal know if you have received an adequate response.  
    They might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Data Center sub-community Unified Computing discussion forum shortly after the event. This event lasts through Dec 7, 2012. Visit this support forum often to view responses to your questions and the questions of other Cisco Support Community members.

    Hi Sarah,
    Thank you for your question.
    Spanning Tree Protocol is used to build a loop-free topology. Although Spanning Tree Protocol serves a critical function in these Layer 2 networks, it is also frequently the cause of a variety of problems, both operational and architectural.
    One important aspect of Spanning Tree Protocol behavior is its inability to use parallel forwarding paths. Spanning Tree Protocol forms a forwarding tree, rooted at a single device, along which all data-plane traffic must flow. The addition of parallel paths serves as a redundancy mechanism, but adding more than one such path has little benefit because Spanning Tree Protocol blocks any additional paths
    In addition, rooting the forwarding path at a single device results in suboptimal forwarding paths, as shown below. Although a direct connection may exist, it cannot be used because only one active forwarding path is allowed.
    Virtual PortChannel (vPC) technology partially mitigates the limitations of Spanning Tree Protocol. vPC allows a single Ethernet device to connect simultaneously to two discrete Cisco Nexus switches while treating these parallel connections as a single logical PortChannel interface. The result is active-active forwarding paths and the removal of Spanning Tree Protocol blocked links, delivering an effective way to use two parallel paths in the typical Layer 2 topologies used with Spanning Tree Protocol.
    vPC provides several benefits over standard Spanning Tree Protocol, such as the elimination of blocked ports, and both vPC switches can behave as the active default gateway for first-hop redundancy protocols such as Hot Standby Router Protocol (HSRP): that is, traffic can be routed by either vPC peer switch.
    At the same time, however, many of the overall design constraints of a Spanning Tree Protocol network remain even when you deploy vPC, such as:
    1.     Although vPC provides active-active forwarding, only two active parallel paths are possible.
    2.     vPC offers no means by which VLANs can be extended, a critical limitation of traditional Spanning Tree Protocol designs.
    With Cisco FabricPath, you can create a flexible Ethernet fabric that eliminates many of the constraints of Spanning Tree Protocol. At the control plane, Cisco FabricPath uses a Shortest-Path First (SPF) routing protocol to determine reachability and selects the best path or paths to any given destination in the Cisco FabricPath domain. In addition, the Cisco FabricPath data plane introduces capabilities that help ensure that the network remains stable, and it provides scalable, hardware-based learning and forwarding capabilities not bound by software or CPU capacity.
    Benefits of deploying an Ethernet fabric based on Cisco FabricPath include:
    • Simplicity, reducing operating expenses
    – Cisco FabricPath is extremely simple to configure. In fact, the only necessary configuration consists of distinguishing the core ports, which link the switches, from the edge ports, where end devices are attached. There is no need to tune any parameter to get an optimal configuration, and switch addresses are assigned automatically.
    – A single control protocol is used for unicast forwarding, multicast forwarding, and VLAN pruning. The Cisco FabricPath solution requires less combined configuration than an equivalent Spanning Tree Protocol-based network, further reducing the overall management cost.
    – A device that does not support Cisco FabricPath can be attached redundantly to two separate Cisco FabricPath bridges with enhanced virtual PortChannel (vPC+) technology, providing an easy migration path. Just like vPC, vPC+ relies on PortChannel technology to provide multipathing and redundancy without resorting to Spanning Tree Protocol.
    • Scalability based on proven technology
    – Cisco FabricPath uses a control protocol built on top of the powerful Intermediate System-to-Intermediate System (IS-IS) routing protocol, an industry standard that provides fast convergence and that has been proven to scale up to the largest service provider environments. Nevertheless, no specific knowledge of IS-IS is required in order to operate a Cisco FabricPath network.
    – Loop prevention and mitigation is available in the data plane, helping ensure safe forwarding that cannot be matched by any transparent bridging technology. The Cisco FabricPath frames include a time-to-live (TTL) field similar to the one used in IP, and a Reverse Path Forwarding (RPF) check is also applied.
    • Efficiency and high performance
    – Because equal-cost multipath (ECMP) can be used in the data plane, the network can use all the links available between any two devices. The first-generation hardware supporting Cisco FabricPath can perform 16-way ECMP, which, when combined with 16-port 10-Gbps port channels, represents a potential bandwidth of 2.56 terabits per second (Tbps) between switches.
    – Frames are forwarded along the shortest path to their destination, reducing the latency of the exchanges between end stations compared to a spanning tree-based solution.
    – MAC addresses are learned selectively at the edge, allowing to scale the network beyond the limits of the MAC addr

  • IPad and iPhone Intermittent WiFi with Cisco

    I have around 35 iPhones and iPads that are at best intermittent with our internal wireless network. I have been working with Cisco for two days and they are unable to resolve the issue. The WiFi works perfectly with our notebooks so it is definitely narrowed down to the Apple hardware needing a special configuration other than the ones we have tried.
    I am currently using a Cisco WLC2106 controller with 1142N access points. DHCP is working. I can forget the network or turn the WiFi off and back on and get an assigned address. At first it took several minutes to populate but Cisco helped me resolve that first problem. The iPhones and iPads will get the private IP but will not allow it to go out on the Internet. I get a good association (WiFi indicator in top-left is full strength). At times one iPad will connect and another will stop working. For example: yesterday I had my iPad, laptop, and iPhone while I was working with Cisco. All three were connected to the WiFi network with separate IPs. The laptop never stopped working. My iPhone worked for a few minutes and then I left the office with my phone for about 20 minutes. When I returned the iPad worked but my iPhone did not, even after making sure the iPhone reconnected and giving it more than 10 minutes and a reboot. I have configured 1 iPad 1, 2 iPad 2s, and four iPhone 4s. They are all intermittent and I have yet to figure out any formula for why one might work while the others stop. I have done resets on them, statically assigned IPs, and changed DNS settings. Again, the laptop never missed a beat while the iPads just come and go. The way I have been testing is by using a website in Safari on the iPad or iPhone to check the external IP to make sure it is our ISP and not AT&T 3G. I also check the App Store, which also fails on WiFi. The WiFi works fine at home with my Linksys router. I have tried changing the WiFi encryption from WPA2 to WEP and even disabled the security for testing. Even with no encryption the same result prevails. Maybe one out of five tries to connect works and it alternates between devices. If I didn't know any better I would think it was an IP conflict or a maximum connection limit somewhere.
    Here is the general config:
    Cisco-based wireless using no encryption. I will eventually need to go WPA2 but for troubleshooting I have tried it as open. I am not broadcasting the SSID. I CAN connect to the WiFi network and receive IP, Gateway, DNS, and Domain Name consistently. I CANNOT access the Internet consistently. This is a business network with Cisco Catalyst Switches, Routers, and Firewalls. Again, the laptops that connect using WiFi are working as intended.
    Does Apple have publicly accessible engineers for these situations? I have left the case open with Cisco in order to provide as much information as possible to Apple.
    Thanks for any suggestions.

    Internally I am not blocking any traffic. I have over 100 other Windows devices, cameras and printers on this single subnet. I'm not using any other Apple hardware at this time so I'm not sure what the Bonjour will do for me that TCP/IP can't do. I am also not using Bonjour at either of the homes I have done other testing on.
    One more tidbit. One of our goals is to use FaceTime between the iPads. I have successfully connected a few times between the devices but it's almost every time I connect two iPads to FaceTime they will not connect again. Without changing anything else on the WiFi or the Firewall I can come back the next day, reset the iPads, obtain Internet access and the FaceTime will work. Thanks gyrhead!

  • Coa issue with Cisco ISE 1.2

    Hi, I am currently implementing webauth with Cisco ISE for self-registration, but I am having an issue with CoA. I was able to get non-Windows machines to work, but with Windows I can't push out the URL redirection through CoA. I have enabled debug and I can see ISE trying to push out the URL redirection to the port; however, the URL was not shown when I issued a show authentication session interface gi 1/0/x command. The only issue I can see from the debugging is that the interface failed authorization first, then a successful authorization right after. Again, the URL redirection works on non-Windows machines; I have even gone as far as disabling the dot1x supplicant on Windows and it still didn't fix the issue.
    Please see the attachment for the debugging I mentioned above. If anyone knows or has had this issue before, please let me know how I can resolve this.

    Finally figured it out. The redirection ACL was messed up.

  • Ask the Expert: ISE 1.2: Configuration and Deployment with Cisco expert Craig Hyps

    Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about how to deploy and configure Cisco Identity Services Engine (ISE) Version 1.2 and to understand the features and enhanced troubleshooting options available in this version, with Cisco expert Craig Hyps.
    October 27, 2014 through November 7, 2014.
    The Cisco Identity Services Engine (ISE) helps IT professionals meet enterprise mobility challenges and secure the evolving network across the entire attack continuum. Cisco ISE is a security policy management platform that identifies users and devices using RADIUS, 802.1X, MAB, and Web Authentication methods and automates secure access controls such as ACLs, VLAN assignment, and Security Group Tags (SGTs) to enforce role-based access to networks and network resources. Cisco ISE delivers superior user and device visibility through profiling, posture and mobile device management (MDM) compliance validation, and it shares vital contextual data with integrated ecosystem partner solutions using Cisco Platform Exchange Grid (pxGrid) technology to accelerate the identification, mitigation, and remediation of threats.
    Craig Hyps is a senior Technical Marketing Engineer for Cisco's Security Business Group with over 25 years of networking and security experience. Craig is defining Cisco's next generation Identity Services Engine, ISE, and concurrently serves as the Product Owner for ISE Performance and Scale, focused on the requirements of the largest ISE deployments.
    Previously Craig has held senior positions as a customer Consulting Engineer, Systems Engineer and product trainer.   He joined Cisco in 1997 and has extensive experience with Cisco's security portfolio.  Craig holds a Bachelor's degree from Dartmouth College and certifications that include CISSP, CCSP, and CCSI.
    Remember to use the rating system to let Craig know if you have received an adequate response.
    Because of the volume expected during this event, Ali might not be able to answer each question. Remember that you can continue the conversation on the Security community, sub-community shortly after the event. This event lasts through November 7, 2014. Visit this forum often to view responses to your questions and the questions of other community members.
    (Comments are now closed)

    1. Without more specifics it is hard to determine actual issue. It may be possible that if configured in same subnet that asymmetric traffic caused connections to fail. A key enhancement in ISE 1.3 is to make sure traffic received on a given interface is sent out same interface.
    2. Common use cases for using different interfaces include separation of management traffic from user traffic such as web portal access or to support dedicated profiling interfaces. For example, you may want employees to use a different interface for sponsor portal access. For profiling, you may want to use a specific interface for HTTP SPAN traffic or possibly configure IP Anycast to simplify reception and redundancy of DHCP IP Helper traffic. Another use case is simple NIC redundancy.
    a. Management traffic is restricted to eth0, but a standalone node will also have the PSN persona, so the above use cases can apply for interfaces eth1-eth3.
    b. For dedicated PAN / MnT nodes it usually does not make sense to configure multiple interfaces although ISE 1.3 does add support for SNMP on multiple interfaces if needed to separate out. It may also be possible to support NIC redundancy but I need to do some more testing to verify. 
    For PSNs, NIC redundancy for RADIUS as well as the other use cases for separate profiling and portal services apply.
    Regarding the Supplicant Provisioning issue, the flows are the same whether wireless or wired. The same identity stores are supported as well. The key difference is that wireless users are directed to a specific auth method based on WLAN configuration, while Cisco wired switches allow multiple auth methods to be supported on the same port.
    If RADIUS Proxy is required to forward requests to a foreign RADIUS server, then the decision must be made based on basic RADIUS attributes or things like NDG. ISE does not terminate the authentication requests; that is handled by the foreign server. ISE does support advanced relay functions such as attribute manipulation, but I recommend reviewing the requirements with your local Cisco or partner security SE if trying to implement provisioning for users authenticated via proxy. Proxy is handled at the Authentication Policy level. CWA and Guest Flow are handled in the Authorization Policy. If you need to authenticate a CWA user via external RADIUS, then you need to use a RADIUS Token Server, not RADIUS Proxy.
    A typical flow for a wired user without 802.1X configured would be to hit the default policy for CWA. Based on successful CWA auth, CoA is triggered and the user can then match a policy rule based on guest flow and CWA user identity (AD or non-AD) and be returned an authorization for NSP.
    Regarding AD multi-domain support...
    Under ISE 1.2, if you need to authenticate users across different forests or domains, then mutual trusts must exist, or you can use multiple LDAP server definitions if the EAP protocol supports LDAP. RADIUS Proxy is another option to have some users authenticated to different AD domains via a foreign RADIUS server.
    Under ISE 1.3, we have completely re-architected our AD connector and support multiple AD Forests and Domains with or without mutual trusts.
    When you mention the use of RADIUS proxy, it is not clear whether you are referring to ISE as the proxy or another RADIUS server proxying to ISE.  If you had multiple ISE deployments, then a separate RADIUS Server like ACS could proxy requests to different ISE 1.2 deployments, each with their own separate AD domain connection.  If ISE is the proxy, then you could have some requests being authenticated against locally joined AD domain while others are sent to a foreign RADIUS server which may have one or more AD domain connections.
    In summary, if the key requirement is the ability to join multiple AD domains without mutual trust, then very likely ISE 1.3 is the solution. Your configuration seems to be a bit involved and I do not want to provide design guidance on a paper napkin, so I recommend consulting with your local ATP Security SE to review overall requirements, topology, AD structure, and RADIUS servers that require integration.
    Regards,
    Craig

  • Cisco ip phones authenticate 802.1x with cisco ise 1.3

    Dear all,
    I want to configure Cisco ISE 1.3 with 802.1x to authenticate Cisco IP phones (CUCM 10.5.2) with an LSC certificate.
    How do I have to configure the Cisco ISE authentication rules for 802.1x with Cisco IP phones? Are there any configuration examples?
    Thanks

    Following are ISE 802.1x sample authentication rules. You can change the protocol (Policy -> Policy Elements -> Results -> Authentication, and there you can select the protocol).

  • SAP ECC 6.0 installation in windows 2008 clustering with db2 ERROR DB21524E

    Dear Sir,
    I am installing SAP ECC 6.0 on Windows 2008 clustering with DB2.
    I got one error in the phase "Configure the database for MSCS". The error is DB21524E 'FAILED TO CREATE THE RESOURCE DB2 IP PRD' THE CLUSTER NETWORK WAS NOT FOUND.
    DB2_INSTANCE=DB2PRD
    DB2_LOGON_USERNAME=iil\db2prd
    DB2_LOGON_PASSWORD=XXXX
    CLUSTER_NAME=mscs
    GROUP_NAME=DB2 PRD Group
    DB2_NODE=0
    IP_NAME = DB2 IP PRD
    IP_ADDRESS=192.168.16.27
    IP_SUBNET=255.255.0.0
    IP_NETWORK=public
    NETNAME_NAME=DB2 NetName PRD
    NETNAME_VALUE=dbgrp
    NETNAME_DEPENDENCY=DB2 IP PRD
    DISK_NAME=Disk M::
    TARGET_DRVMAP_DISK=Disk M
    Best regards,
    Please help me, since I am already running late with this installation, to run the db2mscs utility to create the resource.
    Best regards,
    Manjunath G
    Edited by: Manjug77 on Oct 29, 2009 2:45 PM

    Hello Manjunath.
    This looks like a configuration problem.
    Please check if IP_NETWORK is set to the name of your network adapter and
    if your IP_ADDRESS and IP_SUBNET are set to the correct values.
    Note:
    - IP_ADDRESS is a new IP address that is not used by any machine in the network.
    - IP_NETWORK is optional
    If you still get the same error debug your db2mscs.exe-call:
    See the answer from Adam Wilson:
    Can you run the following and check the output:
    db2mscs -f <path>\db2mscs.cfg -d <path>\debug.txt
    I suspect you may see the following error in the debug.txt:
    Create_IP_Resource fnc_errcode 5045
    If you see fnc_errcode 5045: error 5045, which is a Windows error, means
    ERROR_CLUSTER_NETWORK_NOT_FOUND. This error is occurring because Windows
    couldn't find the "public network" as indicated by IP_NETWORK.
    Windows couldn't find the MSCS network called "public network". The
    IP_NETWORK parameter must be set to an MSCS network, so run the
    Cluster Admin GUI and expand Cluster Configuration->Network to
    view all MSCS networks that are available and check whether "public network" is
    one of them.
    However, the parameter IP_NETWORK is optional and could be commented
    out. In that case the first MSCS network detected by the system is used.
    Best regards,
    Hinnerk Gildhoff
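A pre-flight check for the IP_NETWORK mistake discussed above, added here as an example and not part of this thread: it parses a db2mscs.cfg (the sample below is constructed from the values the poster listed) and compares IP_NETWORK against the cluster network names you would read off the Cluster Admin GUI or `cluster network`; that list of names is an assumption, and the NETNAME_DEPENDENCY check is based on the poster's own file, where it names the IP resource.

```python
import ipaddress

# Constructed sample db2mscs.cfg, modelled on the values posted in the thread.
SAMPLE_CFG = """\
DB2_INSTANCE=DB2PRD
CLUSTER_NAME=mscs
GROUP_NAME=DB2 PRD Group
DB2_NODE=0
IP_NAME = DB2 IP PRD
IP_ADDRESS=192.168.16.27
IP_SUBNET=255.255.0.0
IP_NETWORK=public
NETNAME_NAME=DB2 NetName PRD
NETNAME_DEPENDENCY=DB2 IP PRD
"""

# Assumed: network names exactly as the cluster reports them (Cluster Admin
# GUI, Cluster Configuration->Network). On the poster's cluster "public"
# evidently does not appear, which is what produces error 5045.
SAMPLE_CLUSTER_NETWORKS = ["Public Network", "Private Network"]


def parse_cfg(text):
    """Parse db2mscs.cfg KEY=value lines; whitespace around '=' is tolerated."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            cfg[key.strip().upper()] = value.strip()
    return cfg


def check_cfg(cfg, cluster_networks):
    """Return the problems that would make Create_IP_Resource fail."""
    problems = []
    try:  # IP_ADDRESS/IP_SUBNET must form a valid address+mask pair
        ipaddress.ip_network(f"{cfg['IP_ADDRESS']}/{cfg['IP_SUBNET']}", strict=False)
    except (KeyError, ValueError) as err:
        problems.append(f"bad IP_ADDRESS/IP_SUBNET: {err}")
    net = cfg.get("IP_NETWORK")
    if net is not None and net not in cluster_networks:
        hint = [n for n in cluster_networks if n.lower().startswith(net.lower())]
        problems.append(f"IP_NETWORK '{net}' is not a cluster network (error 5045); "
                        f"similar: {hint}; omit IP_NETWORK to use the first network")
    if cfg.get("NETNAME_DEPENDENCY") != cfg.get("IP_NAME"):
        problems.append("NETNAME_DEPENDENCY must name the IP resource given in IP_NAME")
    return problems
```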

  • MacBook and MacBook Pro with 10.6:  Wireless Airport Issues with Cisco

    Long Story but please bear with me:
    Loaded SL on my daughter's MacBook and my MacBook Pro. Internet worked flawlessly at our house (WEP encrypted) and on other public wifi. When my daughter went back to her sorority house at college 24 hours later, she could not access the internet using the sorority house network (Cisco Aironet 1800 router and Cisco Airo Access Points).
    Her Airport on the MacBook appeared connected at full strength yet no internet. Two calls to Apple support (they were very nice) did not help. All the following were tried:
    1. Reset PRAM
    2. Deleted Airport and Safari plists
    3. Edited locations
    4. Removed Battery
    5. Others I cannot now remember
    Still no net. However, she could 'pirate' and hop on line with other identified public wifi adjacent to the sorority house. I drove to the sorority house today and tried to get on the network wirelessly using my MacBook Pro with SL. Same identical results to hers. Another MacBook without SL works great and gets right on the network.
    Is this some SL influenced issue with the Airport card and the Cisco system? Weird that both of our laptops work great with several other wifi networks but not the one at the sorority house.
    Could much of what we are all seeing with the internet access problem lie not with issues within our software or computers but with the routers and access points not being compatible? I have very little understanding of this stuff (as you all can probably tell), but the Apple Support people acted like it was an old firmware issue with Cisco and not with SL. Not actually what I wanted to hear.
    Any ideas or suggestions?

    Your description there, particularly the last part, sounds like my problem. At home, we connect using Airport and ADSL which was OK, once SL had sorted out passwords.
    At my office, where there are two wifi systems, I could not get on either, although did have IP numbers on both. The link to the outside world is via a proxy which uses a PAC file. Network Diagnostics reported each time (whatever I did) that the link to the server was OK, but the Internet was not.
    I created a new Location with identical settings (typing them in and not copying) and the only visible difference is that the new location has no DNS numbers -- I had not noticed that before. The moment I pressed Apply, the computer was online.
    I was guessing that there was a conflict in a .plist file somewhere; but now I wonder if DNS might have been the reason (the DNS number usually used is the one from the router itself).
