Configure ADSSO with NAC
Hi Guys,
I need to configure my Cisco NAC (ADSSO) with Windows Server 2008 R2 Enterprise (64). For now we can only do ADSSO with Windows XP. Windows 7 is still using normal authentication. We are using KTPass to authenticate with the NAC server. We are using Windows 2008 at 2003 functional level.
Can anyone help me regarding this?
Best Regards,
Azfar
Azfar,
There are a few things that you need to check/perform when configuring ADSSO. First you must check that the proper version of ktpass is installed on the machine where you generate the Kerberos ticket for the CAS service account (I recommend using a different account for this just so you can roll back; also, you cannot run ktpass successfully more than once for the same service account, so please delete the account first, recreate the account and try again):
http://www.cisco.com/en/US/docs/security/nac/appliance/support_guide/agntsprt.html#wp228565
After this you need to follow the steps to generate the Kerberos ticket:
http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/49/cas/s_adsso.html#wp1301231
Here is an example more specific to your environment:
http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/49/cas/s_adsso.html#wp1277452
Since you are running in a mixed environment you must enable additional algorithms:
http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/49/cas/s_adsso.html#wp1277452
If it fails, then purchase ISE.
Thanks,
Tarik Admani
Similar Messages
-
NAC ADSSO with NAC Module isn't working for all modules
Hello,
We have a NAC OOB-L2-VG Deployment at the Central Site with VLAN Mapping and ADSSO which works just fine.
As part of the project we have implemented NAC Modules on ISR routers for the branch offices; same topology but as the documentation states no VLAN mapping was configured. The problem is that for some users in one branch office the ADSSO isn't working and in another branch office the ADSSO isn't working at all, all the users are getting authenticated with a local user we defined on the servers.
The configuration in both modules is exactly the same; they are using the same user to access the AD (the one used on the ktpass) the data links to the central site are both 1 Mbps and everything is pretty much the same thing.
I have checked the logs on the CAS-Module and it states that Windows SSO is running:
Nov 27, 2009 10:08:23 AM com.perfigo.wlan.jmx.admin.GSSRetrier$RetrierTask run
INFO: GSSR - Windows SSO is running
The interesting thing is that when the user goes thru the NAC process I see these logs:
Nov 27, 2009 8:55:13 AM com.perfigo.wlan.jmx.admin.SWissServer run
FINE: Sent Response to /172.19.5.11!
Nov 27, 2009 8:55:13 AM com.perfigo.wlan.jmx.admin.GSSServer$GSSThread run
INFO: accepted ADSSO socket ...Socket[addr=/172.19.5.11,port=1431,localport=8910]
Nov 27, 2009 8:55:13 AM com.perfigo.wlan.jmx.admin.GSSServer$GSSThread run
INFO: accepting ADSSO socket ...
Nov 27, 2009 8:55:13 AM com.perfigo.wlan.jmx.admin.GSSHandler run
INFO: processing socket ...Socket[addr=/172.19.5.11,port=1431,localport=8910]
Nov 27, 2009 8:55:13 AM com.perfigo.wlan.jmx.admin.GSSHandler run
INFO: TIMEOUT_SET FOR ADSSO SOCKET ... Socket[addr=/172.19.5.11,port=1431,localport=8910]
Nov 27, 2009 8:55:13 AM com.perfigo.wlan.jmx.admin.GSSHandler run
INFO: reading peer's token_length Socket[addr=/172.19.5.11,port=1431,localport=8910]
Nov 27, 2009 8:55:28 AM com.perfigo.wlan.jmx.admin.GSSHandler run
SEVERE: IO Error: Socket[addr=/172.19.5.11,port=1431,localport=8910]:Read timed out
Nov 27, 2009 8:56:18 AM com.perfigo.wlan.jmx.admin.SWissHandler processPacket
FINE: SWissServer: get request from : 1043@/172.19.5.11
Nov 27, 2009 8:56:18 AM com.perfigo.wlan.jmx.admin.SWissHandler processPacket
FINE: SWissServer: Client OS is WINDOWS_PRO_XP
Nov 27, 2009 8:56:18 AM com.perfigo.wlan.jmx.admin.SWissUtil parseClientAddrList
FINE: IP=/172.19.5.11, MAC=00:1E:4F:53:97:7D
Nov 27, 2009 8:56:18 AM com.perfigo.wlan.jmx.Shell writeToClick
FINE: /proc/click/intern_arpq/add_interest-->172.19.5.11
Nov 27, 2009 8:56:18 AM com.perfigo.wlan.jmx.Shell writeToClick
FINE: /proc/click/intern_arpq/remove_interest-->172.19.5.11
Nov 27, 2009 8:56:18 AM com.perfigo.wlan.jmx.admin.SWissUtil getOpProviderListData
FINE: IP=172.19.5.11, VLAN=19, OS=WINDOWS_PRO_XP
Nov 27, 2009 8:56:18 AM com.perfigo.wlan.jmx.admin.SWissUtil getOpProviderListData
FINE: Default Provider=Local DB
Nov 27, 2009 8:56:18 AM com.perfigo.wlan.jmx.admin.SWissUtil getOpProviderListData
FINE: Providers=Local DB;
Nov 27, 2009 8:56:18 AM com.perfigo.wlan.jmx.admin.SWissUtil getOpProviderListData
FINE: Number of providers=1
The IP address 172.19.5.11 is the IP of the PC during the unauthenticated role; what the user is finally seeing is the CCA Agent asking for user and password instead of using the ADSSO.
The version of the Agent is 4.1.10, the NAS and NAM are running 4.1.8, and the only awkward thing is that the Active Directory Servers are running Windows 2000 SP4.
Any assistance would be much appreciated.
Thanks,
DL.
Hi,
I too have the same error. Does anyone know how to resolve this?
Socket[addr=/10.80.0.220,port=1583,localport=8910]
2010-09-28 10:57:38.028 +0530 DEBUG com.perfigo.wlan.jmx.adsso.GSSServer - accepting ADSSO socket ...
2010-09-28 10:57:38.041 +0530 DEBUG com.perfigo.wlan.jmx.adsso.GSSHandler - processing socket ... Socket[addr=/10.80.0.220,port=1583,localport=8910]
2010-09-28 10:57:38.041 +0530 DEBUG com.perfigo.wlan.jmx.adsso.GSSHandler - TIMEOUT_SET FOR ADSSO SOCKET ... Socket[addr=/10.80.0.220,port=1583,localport=8910]
2010-09-28 10:57:38.041 +0530 DEBUG com.perfigo.wlan.jmx.adsso.GSSHandler - reading peer's token_length from Socket[addr=/10.80.0.220,port=1583,localport=8910]
2010-09-28 10:57:38.670 +0530 ERROR com.perfigo.wlan.jmx.adsso.GSSHandler - IO Error: Socket[addr=/10.80.0.220,port=1583,localport=8910] null
2010-09-28 10:58:40.215 +0530 INFO com.perfigo.wlan.jmx.adsso.GSSRetrier - GSSR - Windows SSO is running
2010-09-28 10:59:26.308 +0530 WARN org.apache.commons.httpclient.HttpMethodBase - Going to buffer response body of large or unknown size. Using getResponseBodyAsStream instead is recommended.
2010-09-28 10:59:38.478 +0530 INFO com.perfigo.wlan.jmx.admin.OOBDelayTask - OOBDelayTask: remove temp user [00:01:80:53:67:75]/[10.80.0.220]
Thanks in advance
-
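The two log excerpts above use different layouts but record the same sequence on the ADSSO port (8910): the CAS starts reading the client's token length and then logs an IO Error. As an added example (not code from either poster or from Cisco), this parser normalizes both layouts and reports, per client socket, how long the CAS waited and which error ended the read. The outcome labels `read_timeout`, `io_error` and `no_error_logged` are names chosen here.

```python
import re
from datetime import datetime

# Two-line java.util.logging layout (first post) and one-line layout (second post).
JUL_HEADER = re.compile(r"^(\w{3} \d{1,2}, \d{4} \d{1,2}:\d{2}:\d{2} [AP]M) \S+ \w+$")
JUL_BODY = re.compile(r"^(SEVERE|WARNING|INFO|CONFIG|FINE|FINER|FINEST): (.*)$")
ONE_LINE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) [+-]\d{4} (\w+) \S+ - (.*)$")
SOCKET = re.compile(r"Socket\[addr=/([\d.]+),port=(\d+),localport=(\d+)\]")

# Excerpts copied from the two posts above.
OLD_LOG = """\
Nov 27, 2009 8:55:13 AM com.perfigo.wlan.jmx.admin.GSSServer$GSSThread run
INFO: accepted ADSSO socket ...Socket[addr=/172.19.5.11,port=1431,localport=8910]
Nov 27, 2009 8:55:13 AM com.perfigo.wlan.jmx.admin.GSSHandler run
INFO: reading peer's token_length Socket[addr=/172.19.5.11,port=1431,localport=8910]
Nov 27, 2009 8:55:28 AM com.perfigo.wlan.jmx.admin.GSSHandler run
SEVERE: IO Error: Socket[addr=/172.19.5.11,port=1431,localport=8910]:Read timed out
"""
NEW_LOG = """\
2010-09-28 10:57:38.041 +0530 DEBUG com.perfigo.wlan.jmx.adsso.GSSHandler - reading peer's token_length from Socket[addr=/10.80.0.220,port=1583,localport=8910]
2010-09-28 10:57:38.670 +0530 ERROR com.perfigo.wlan.jmx.adsso.GSSHandler - IO Error: Socket[addr=/10.80.0.220,port=1583,localport=8910] null
2010-09-28 10:58:40.215 +0530 INFO com.perfigo.wlan.jmx.adsso.GSSRetrier - GSSR - Windows SSO is running
"""


def records(lines):
    """Yield (timestamp, level, message) from either log layout."""
    pending = None  # timestamp of a two-line record whose body is still to come
    for line in lines:
        line = line.strip()
        m = ONE_LINE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f")
            yield ts, m.group(2), m.group(3)
            continue
        m = JUL_HEADER.match(line)
        if m:
            pending = datetime.strptime(m.group(1), "%b %d, %Y %I:%M:%S %p")
            continue
        m = JUL_BODY.match(line)
        if m and pending is not None:
            yield pending, m.group(1), m.group(2)
            pending = None


def adsso_sessions(lines, adsso_port=8910):
    """Summarize each client socket seen on the ADSSO port."""
    sessions = {}
    for ts, _level, msg in records(lines):
        sock = SOCKET.search(msg)
        if not sock or int(sock.group(3)) != adsso_port:
            continue
        key = (sock.group(1), int(sock.group(2)))
        s = sessions.setdefault(key, {
            "client": key[0], "port": key[1], "read_start": None,
            "outcome": "no_error_logged", "waited": None})
        if "reading peer's token_length" in msg:
            s["read_start"] = ts
        elif "IO Error" in msg:
            s["outcome"] = "read_timeout" if "Read timed out" in msg else "io_error"
            if s["read_start"] is not None:
                s["waited"] = (ts - s["read_start"]).total_seconds()
    return list(sessions.values())


if __name__ == "__main__":
    for log in (OLD_LOG, NEW_LOG):
        for s in adsso_sessions(log.splitlines()):
            print(s["client"], s["port"], s["outcome"], s["waited"])
```

In the first excerpt the CAS waits the full 15 seconds without receiving a token from the client; in the second the read ends after about 0.6 seconds with a different error.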
I'm setting up this scenario today and have never done that and was wondering if there are any 'gotchas' i need to watch out for, or anything any of you have done/learned while implementing this.
I do have one specific question: the preshared key under vpn auth / vpn concentrators, where the WLC is to be added, where is the preshared key configured on the WLC?
NAC is running 4.1.3.1, not sure about WLC.
I do have ADSSO working on the wired network, so at least that part is done.
TIA
I am currently testing NAC for wired guests and AD SSO for staff. We are planning to offer wireless guest services using Cisco infrastructure once wired is working. I was wondering about NAC and wireless guest services. We are deploying in-band, as is required for wireless, so is there anything I am missing or will need in order to integrate wireless with NAC?
-
ISE with NAC agent pop up and Posture waiting
Hi,
I have ISE running ver 1.1.1.268. We limited access to certain services before authentication with ACL-DEFAULT (given below) as per the TrustSec design guide.
Now the issue is that when you have ACL-DEFAULT on the port, the NAC agent does not pop up and does not start the posture part, saying it is waiting for posture validation. When ACL-DEFAULT is removed from the access port, the NAC agent pops up and does the posture validation.
However we do not want user to get access to network before the authorization and that is the reason we use the ACL-DEFAULT.
Please can someone advise me how to achieve the above both task. Why the NAC agent does not popup and do the posture when ACL-DEFAULT there in the switch.
Here is what I have configured on ACL-DEFAULT.
ip access-list extended ACL-DEFAULT
 remark DHCP
 permit udp any eq bootpc any eq bootps
 remark DNS
 permit udp any any eq domain
 permit tcp any any eq domain
 permit udp any any eq 389
 permit tcp any any eq 135
 permit tcp any any eq 445
 permit udp any any eq 445
 permit tcp any any range 135 139
 permit tcp any any eq 389
 permit tcp any any eq 3268
 permit icmp any any
 remark PXE / TFTP
 permit udp any any eq tftp
 permit tcp any host 172.xx.xx.xx eq 8443 (ISE-Pri)
 permit tcp any host 172.xx.xx.xx eq 8443 (ISE-Sec)
 remark Drop all the rest
 deny ip any any log
Appreciate if someone can give a solid resolution and explanation to this.
Hi Saurav,
We have already allowed those ports with another acl (ACL-POSTURE-REDIRECT). Our issue is not with the web nac agent.
The issue is with the NAC agent installed on corporate PCs connecting via wired port. With the ACL-DEFAULT it does not pop up and does not do the posturing; however, once we removed the ACL-DEFAULT from the access port, everything works fine.
Since we do not want any user to access unwanted services before authorization, we add this ACL on the access port, and as per the TrustSec design this has to be there if you want to have ISE with closed mode.
thanks -
Best practice configure DHCP server NAC
hi all,
Any idea how best to deploy DHCP on the CAS? I tried to follow the user guide to configure DHCP on the CAS, but it is still not running smoothly; user just only grep ip authenticate.
- The CCA agent is very slow to appear when the user gets a DHCP IP on authentication. Any idea?
- How to integrate the profiler with the NAC appliance?
Hi ahmed,
You have configured your CAS to be your DHCP server. That's well and good because you are using Real IP mode, which supports the CAS being a DHCP server.
Remember
This setting is only for your Authentication VLAN, so that your client gets an IP while authenticating.
When your client switches to the Access VLAN, your client traffic no longer flows through the CAS, so the CAS is now not responsible for DHCP.
You'll have to configure another DHCP server on the Trusted side which can lease IPs to the Access VLAN members.
As you have configured OOB, your client is in the Access VLAN and does not come in contact with the CAS, so you need the Trusted side DHCP to give the client an IP address.
Here in your Scenario your ACCESS VLANS are 2022,2044
Hope this helps, Do reply after Testing.
Thank You
Regards
Edward -
Authentication mac-move permit with NAC
Hi,
I have 2 switches with NAC configured on them. I also have "authentication mac-move permit" configured on my 2 switches that are connected together. My understanding is that authentication mac-move permit does not work with 802.1x enabled ports.
So I would like to verify if my understanding is correct: if I have authentication mac-move permit configured and a laptop moves to another port without logging off, the switch will see that as a violation and block the user, right?
Anyone run into this before?
-
Wired WebAuth with NAC Guest Server
Hi,
I am trying to get wired WebAuth working with NAC Guest Server. In the switch_login.html file example, what should be changed for this line:
ngsOptions.actionUrl = "https://1.1.1.1/";
Should this be an IP address on the switch? Should I have this pointing to the success.html page like this:
ngsOptions.actionUrl = "https://1.1.1.1/success.html";
When I log on, and accept the AUP, my browser just sits there trying to access Https://1.1.1.1/?redirect-url=blah blah blah
Thanks,
Peter
FYI,
In my case I WAS getting the switch_login.html web page being displayed, but after entering credentials and submitting the Acceptable Use Policy page, I did NOT 'see' any radius traffic between the switch (C2960S 12.2(55)SE3) and the ACS 5.3 radius server?!.
I used the sample .html docs that you can find on the NAC Guest Server in the 'samples' folder on that server. I used WCP app to copy them to my PC/laptop before modifying where relevant and copying to flash on switch and to the wireless 'hotspot' folders on the NGS.
I went through the following document in url below line by line, paragraph by paragraph and found that I had left out the following command in the configuration:
aaa authentication login default group radius
see doc at:
http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/TrustSec_1.99/WebAuth/WebAuth_Dep_Guide.html#wp392553
So I added it in and I am now seeing the radius debug traffic being redirected to the ACS by the switch when a user submits the credentials.
aaa new-model
aaa authentication login default group radius
aaa authentication login VTY-USER-LOGIN local
aaa authentication dot1x default group radius
aaa authorization console
aaa authorization exec EXEC-LOCAL local
aaa authorization network default group radius
aaa authorization auth-proxy default group radius
aaa accounting auth-proxy default start-stop group radius
aaa accounting dot1x default start-stop group radius
with debug radius enabled:
Feb 1 13:36:09 PST: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/4, changed state to down
TEST-802.1X#
Feb 1 13:36:10 PST: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/4, changed state to down
TEST-802.1X#
Feb 1 13:36:18 PST: %AUTHMGR-5-START: Starting 'dot1x' for client (848f.69f0.fcc7) on Interface Gi1/0/4 AuditSessionID 0AA7404A0000054E16335518
TEST-802.1X#
Feb 1 13:36:20 PST: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/4, changed state to up
Feb 1 13:36:21 PST: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/4, changed state to up
TEST-802.1X#
Feb 1 13:36:27 PST: %DOT1X-5-FAIL: Authentication failed for client (848f.69f0.fcc7) on Interface Gi1/0/4 AuditSessionID
Feb 1 13:36:27 PST: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (848f.69f0.fcc7) on Interface Gi1/0/4 AuditSessionID 0AA7404A0000054E16335518
Feb 1 13:36:27 PST: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (848f.69f0.fcc7) on Interface Gi1/0/4 AuditSessionID 0AA7404A0000054E16335518
Feb 1 13:36:27 PST: %AUTHMGR-5-START: Starting 'mab' for client (848f.69f0.fcc7) on Interface Gi1/0/4 AuditSessionID 0AA7404A0000054E16335518
Feb 1 13:36:27.367 PST: RADIUS/ENCODE(0000058E):Orig. component type = DOT1X
Feb 1 13:36:27.367 PST: RADIUS(0000058E): Config NAS IP: 10.167.64.74
Feb 1 13:36:27.367 PST: RADIUS/ENCODE(0000058E): acct_session_id: 1421
Feb 1 13:36:27.367 PST: RADIUS(0000058E): sending
Feb 1 13:36:27.367 PST: RADIUS(0000058E): Send Access-Request to 10.167.77.70:1645 id 1645/14, len 211
Feb 1 13:36:27.372 PST: RADIUS: authenticator 2E F0 62 2D 43 D9 7D 2A - 7C 88 0A 52 B9 6E 78 A8
Feb 1 13:36:27.372 PST: RADIUS: User-Name [1] 14 "848f69f0fcc7"
Feb 1 13:36:27.372 PST: RADIUS: User-Password [2] 18 *
Feb 1 13:36:27.372 PST: RADIUS: Service-Type [6] 6 Call Check [10]
Feb 1 13:36:27.372 PST: RADIUS: Framed-MTU [12] 6 1500
Feb 1 13:36:27.372 PST: RADIUS: Called-Station-Id [30] 19 "20-37-06-C8-68-84"
Feb 1 13:36:27.372 PST: RADIUS: Calling-Station-Id [31] 19 "84-8F-69-F0-FC-C7"
Feb 1 13:36:27.372 PST: RADIUS: Message-Authenticato[80] 18
Feb 1 13:36:27.372 PST: RADIUS: 11 20 B4 9A B6 E2 56 30 AC EC 43 CD 17 13 3E 14 [ V0C>]
Feb 1 13:36:27.372 PST: RADIUS: EAP-Key-Name [102] 2 *
Feb 1 13:36:27.372 PST: RADIUS: Vendor, Cisco [26] 49
Feb 1 13:36:27.372 PST: RADIUS: Cisco AVpair [1] 43 "audit-session-id=0AA7404A0000054E16335518"
Feb 1 13:36:27.372 PST: RADIUS: NAS-Port-Type [61] 6 Ethernet [15]
Feb 1 13:36:27.372 PST: RADIUS: NAS-Port [5] 6 50104
Feb 1 13:36:27.372 PST: RADIUS: NAS-Port-Id [87] 22 "GigabitEthernet1/0/4"
Feb 1 13:36:27.372 PST: RADIUS: NAS-IP-Address [4] 6 10.167.64.74
Feb 1 13:36:27.372 PST: RADIUS(0000058E): Started 5 sec timeout
Feb 1 13:36:27.377 PST: RADIUS: Received from id 1645/14 10.167.77.70:1645, Access-Reject, len 38
Feb 1 13:36:27.377 PST: RADIUS: authenticator 68 CE 3D C8 C3 BC B2 69 - DB 33 F5 C0 FF 30 D6 33
Feb 1 13:36:27.377 PST: RADIUS: Message-Authenticato[80] 18
Feb 1 13:36:27.377 PST: RADIUS: 82 3D 31 0A C7 A2 E0 62 D5 B7 6B 26 B8 A0 0B 46 [ =1bk&F]
Feb 1 13:36:27.377 PST: RADIUS(0000058E): Received from id 1645/14
Feb 1 13:36:27 PST: %MAB-5-FAIL: Authentication failed for client (848f.69f0.fcc7) on Interface Gi1/0/4 AuditSessionID 0AA7404A0000054E16335518
Feb 1 13:36:27 PST: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'mab' for client (848f.69f0.fcc7) on Interface Gi1/0/4 AuditSessionID 0AA7404A0000054E16335518
Feb 1 13:36:27 PST: %AUTHMGR-7-FAILOVER: Failing over from 'mab' for client (848f.69f0.fcc7) on Interface Gi1/0/4 AuditSessionID 0AA7404A0000054E16335518
Feb 1 13:36:27 PST: %AUTHMGR-5-START: Starting 'webauth' for client (848f.69f0.fcc7) on Interface Gi1/0/4 AuditSessionID 0AA7404A0000054E16335518
Feb 1 13:36:27 PST: %AUTHMGR-7-RESULT: Authentication result 'success' from 'webauth' for client (848f.69f0.fcc7) on Interface Gi1/0/4 AuditSessionID 0AA7404A0000054E16335518
Feb 1 13:36:27 PST: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (848f.69f0.fcc7) on Interface Gi1/0/4 AuditSessionID 0AA7404A0000054E16335518
Feb 1 13:36:27.933 PST: RADIUS/ENCODE(0000058E):Orig. component type = DOT1X
Feb 1 13:36:27.933 PST: RADIUS(0000058E): Config NAS IP: 10.167.64.74
Feb 1 13:36:27.933 PST: RADIUS(0000058E): sending
Feb 1 13:36:27.933 PST: RADIUS(0000058E): Send Accounting-Request to 10.167.77.70:1646 id 1646/151, len 100
Feb 1 13:36:27.933 PST: RADIUS: authenticator D0 F0 04 F3 A5 08 90 BE - A9 07 8D 32 1B 0E 93 AC
Feb 1 13:36:27.933 PST: RADIUS: Acct-Session-Id [44] 10 "0000058D"
Feb 1 13:36:27.933 PST: RADIUS: Framed-IP-Address [8] 6 10.167.72.52
Feb 1 13:36:27.933 PST: RADIUS: Acct-Authentic [45] 6 RADIUS [1]
Feb 1 13:36:27.933 PST: RADIUS: Acct-Status-Type [40] 6 Start [1]
Feb 1 13:36:27.933 PST: RADIUS: NAS-Port-Type [61] 6 Ethernet [15]
Feb 1 13:36:27.933 PST: RADIUS: NAS-Port [5] 6 50104
Feb 1 13:36:27.933 PST: RADIUS: NAS-Port-Id [87] 22 "GigabitEthernet1/0/4"
Feb 1 13:36:27.933 PST: RADIUS: Service-Type [6] 6 Framed [2]
Feb 1 13:36:27.933 PST: RADIUS: NAS-IP-Address [4] 6 10.167.64.74
Feb 1 13:36:27.933 PST: RADIUS: Acct-Delay-Time [41] 6 0
TEST-802.1X#
Feb 1 13:36:27.938 PST: RADIUS(0000058E): Started 5 sec timeout
Feb 1 13:36:27.938 PST: RADIUS: Received from id 1646/151 10.167.77.70:1646, Accounting-response, len 20
Feb 1 13:36:27.938 PST: RADIUS: authenticator C2 DC 8D C7 B1 35 67 D9 - 28 2B 56 E4 4A 1E AD 65
At this point the user enters the credentials on the switch_login.html page and then clicks Submit on the Acceptable Use Policy splash page.
TEST-802.1X#
Feb 1 13:36:41.413 PST: RADIUS/ENCODE(0000058F):Orig. component type = AUTH_PROXY
Feb 1 13:36:41.413 PST: RADIUS(0000058F): Config NAS IP: 10.167.64.74
Feb 1 13:36:41.413 PST: RADIUS/ENCODE(0000058F): acct_session_id: 1422
Feb 1 13:36:41.413 PST: RADIUS(0000058F): sending
Feb 1 13:36:41.413 PST: RADIUS(0000058F): Send Access-Request to 10.167.77.70:1645 id 1645/15, len 176
Feb 1 13:36:41.413 PST: RADIUS: authenticator 6D 34 7E D6 34 B5 CB AC - 09 1F AC 5A 34 97 7D 6B
Feb 1 13:36:41.413 PST: RADIUS: User-Name [1] 11 "testuser1"
Feb 1 13:36:41.413 PST: RADIUS: User-Password [2] 18 *
Feb 1 13:36:41.413 PST: RADIUS: Calling-Station-Id [31] 14 "ip|G
Feb 1 13:36:41.413 PST: RADIUS: Service-Type [6] 6 Outbound [5]
Feb 1 13:36:41.413 PST: RADIUS: Message-Authenticato[80] 18
Feb 1 13:36:41.413 PST: RADIUS: F8 4D 85 64 05 5E C9 1D D8 11 B2 A3 1A 3A 76 E0 [ Md^:v]
Feb 1 13:36:41.413 PST: RADIUS: Vendor, Cisco [26] 49
Feb 1 13:36:41.418 PST: RADIUS: Cisco AVpair [1] 43 "audit-session-id=0AA7404A0000054E16335518"
Feb 1 13:36:41.418 PST: RADIUS: NAS-Port-Type [61] 6 Ethernet [15]
Feb 1 13:36:41.418 PST: RADIUS: NAS-Port [5] 6 50104
Feb 1 13:36:41.418 PST: RADIUS: NAS-Port-Id [87] 22 "GigabitEthernet1/0/4"
Feb 1 13:36:41.418 PST: RADIUS: NAS-IP-Address [4] 6 10.167.64.74
Feb 1 13:36:41.418 PST: RADIUS(0000058F): Started 5 sec timeout
Feb 1 13:36:41.424 PST: RADIUS: Received from id 1645/15 10.167.77.70:1645, Access-Accept, len 173
Feb 1 13:36:41.424 PST: RADIUS: authenticator 28 48 DE B5 1A 0A 71 5A - 3B 8B 7A 12 FB EA 01 58
Feb 1 13:36:41.424 PST: RADIUS: User-Name [1] 11 "testuser1"
Feb 1 13:36:41.424 PST: RADIUS: Class [25] 28
Feb 1 13:36:41.424 PST: RADIUS: 43 41 43 53 3A 78 62 63 2D 61 63 73 2F 31 31 36 [CACS:xbc-acs/116]
Feb 1 13:36:41.424 PST: RADIUS: 34 37 33 32 33 39 2F 31 36 36 [ 473239/166]
Feb 1 13:36:41.424 PST: RADIUS: Session-Timeout [27] 6 3600
Feb 1 13:36:41.424 PST: RADIUS: Termination-Action [29] 6 1
Feb 1 13:36:41.424 PST: RADIUS: Message-Authenticato[80] 18
Feb 1 13:36:41.424 PST: RADIUS: 10 80 26 5D 02 C5 15 0C A8 16 AA 35 14 C9 4F 14 [ &]5O]
Feb 1 13:36:41.424 PST: RADIUS: Vendor, Cisco [26] 19
Feb 1 13:36:41.429 PST: RADIUS: Cisco AVpair [1] 13 "priv-lvl=15"
Feb 1 13:36:41.429 PST: RADIUS: Vendor, Cisco [26] 65
Feb 1 13:36:41.429 PST: RADIUS: Cisco AVpair [1] 59 "ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-GuestACL-4eefc9a0"
Feb 1 13:36:41.429 PST: RADIUS(0000058F): Received from id 1645/15
Feb 1 13:36:41.439 PST: RADIUS/ENCODE(0000058F):Orig. component type = AUTH_PROXY
Feb 1 13:36:41.439 PST: RADIUS(0000058F): Config NAS IP: 10.167.64.74
Feb 1 13:36:41.439 PST: RADIUS(0000058F): sending
Feb 1 13:36:41.439 PST: RADIUS/ENCODE(00000000):Orig. component type = INVALID
Feb 1 13:36:41.444 PST: RADIUS(00000000): Config NAS IP: 10.167.64.74
Feb 1 13:36:41.444 PST: RADIUS(00000000): sending
Feb 1 13:36:41.450 PST: RADIUS(0000058F): Send Accounting-Request to 10.167.77.70:1646 id 1646/152, len 119
Feb 1 13:36:41.450 PST: RADIUS: authenticator 23 E3 DA C3 06 5B 37 20 - 67 E2 96 C5 90 1C 71 33
Feb 1 13:36:41.450 PST: RADIUS: Acct-Session-Id [44] 10 "0000058E"
Feb 1 13:36:41.450 PST: RADIUS: Calling-Station-Id [31] 14 "10.167.72.52"
Feb 1 13:36:41.450 PST: RADIUS: User-Name [1] 11 "testuser1"
Feb 1 13:36:41.450 PST: RADIUS: Acct-Authentic [45] 6 RADIUS [1]
Feb 1 13:36:41.455 PST: RADIUS: Acct-Status-Type [40] 6 Start [1]
Feb 1 13:36:41.455 PST: RADIUS: NAS-Port-Type [61] 6 Ethernet [15]
Feb 1 13:36:41.455 PST: RADIUS: NAS-Port [5] 6 50104
Feb 1 13:36:41.455 PST: RADIUS: NAS-Port-Id [87] 22 "GigabitEthernet1/0/4"
Feb 1 13:36:41.455 PST: RADIUS: Service-Type [6] 6 Outbound [5]
Feb 1 13:36:41.455 PST: RADIUS: NAS-IP-Address [4] 6 10.167.64.74
Feb 1 13:36:41.455 PST: RADIUS: Acct-Delay-Time [41] 6 0
Feb 1 13:36:41.455 PST: RADIUS(0000058F): Started 5 sec timeout
Feb 1 13:36:41.455 PST: RADIUS(00000000): Send Access-Request to 10.167.77.70:1645 id 1645/16, len 137
Feb 1 13:36:41.455 PST: RADIUS: authenticator 02 B0 50 47 EE CC FB 54 - 2A B6 14 23 63 86 DE 18
Feb 1 13:36:41.455 PST: RADIUS: NAS-IP-Address [4] 6 10.167.64.74
Feb 1 13:36:41.455 PST: RADIUS: User-Name [1] 31 "#ACSACL#-IP-GuestACL-4eefc9a0"
Feb 1 13:36:41.455 PST: RADIUS: Vendor, Cisco [26] 32
Feb 1 13:36:41.455 PST: RADIUS: Cisco AVpair [1] 26 "aaa:service=ip_admission"
Feb 1 13:36:41.455 PST: RADIUS: Vendor, Cisco [26] 30
Feb 1 13:36:41.455 PST: RADIUS: Cisco AVpair [1] 24 "aaa:event=acl-download"
Feb 1 13:36:41.455 PST: RADIUS: Message-Authenticato[80] 18
Feb 1 13:36:41.455 PST: RADIUS: 15 EC 10 E7 2F 67 33 DD BC B5 AE 11 E3 C3 19 E1 [ /g3]
Feb 1 13:36:41.455 PST: RADIUS(00000000): Started 5 sec timeout
Feb 1 13:36:41.455 PST: RADIUS: Received from id 1646/152 10.167.77.70:1646, Accounting-response, len 20
Feb 1 13:36:41.455 PST: RADIUS: authenticator AB 0F 81 95 71 A9 61 E0 - 5B B5 D3 2E 8D A2 68 98
Feb 1 13:36:41.460 PST: RADIUS: Received from id 1645/16 10.167.77.70:1645, Access-Accept, len 560
Feb 1 13:36:41.460 PST: RADIUS: authenticator 64 53 94 79 CF CD 05 B0 - ED 12 5C 5B A0 AB 4F FA
Feb 1 13:36:41.460 PST: RADIUS: User-Name [1] 31 "#ACSACL#-IP-GuestACL-4eefc9a0"
Feb 1 13:36:41.460 PST: RADIUS: Class [25] 28
Feb 1 13:36:41.460 PST: RADIUS: 43 41 43 53 3A 78 62 63 2D 61 63 73 2F 31 31 36 [CACS:xbc-acs/116]
Feb 1 13:36:41.460 PST: RADIUS: 34 37 33 32 33 39 2F 31 36 38 [ 473239/168]
Feb 1 13:36:41.460 PST: RADIUS: Message-Authenticato[80] 18
Feb 1 13:36:41.460 PST: RADIUS: A1 E6 37 EB 60 3A 28 35 92 56 C5 A9 27 7D 2C E9 [ 7`:(5V'},]
Feb 1 13:36:41.460 PST: RADIUS: Vendor, Cisco [26] 38
Feb 1 13:36:41.460 PST: RADIUS: Cisco AVpair [1] 32 "ip:inacl#1=remark **Allow DHCP"
Feb 1 13:36:41.460 PST: RADIUS: Vendor, Cisco [26] 57
Feb 1 13:36:41.460 PST: RADIUS: Cisco AVpair [1] 51 "ip:inacl#2=permit udp any eq bootpc any eq bootps"
Feb 1 13:36:41.460 PST: RADIUS: Vendor, Cisco [26] 37
Feb 1 13:36:41.460 PST: RADIUS: Cisco AVpair [1] 31 "ip:inacl#3=remark **Allow DNS"
Feb 1 13:36:41.460 PST: RADIUS: Vendor, Cisco [26] 47
Feb 1 13:36:41.460 PST: RADIUS: Cisco AVpair [1] 41 "ip:inacl#4=permit udp any any eq domain"
Feb 1 13:36:41.460 PST: RADIUS: Vendor, Cisco [26] 61
Feb 1 13:36:41.460 PST: RADIUS: Cisco AVpair [1] 55 "ip:inacl#5=remark **Deny access to Corporate Networks"
Feb 1 13:36:41.460 PST: RADIUS: Vendor, Cisco [26] 53
Feb 1 13:36:41.460 PST: RADIUS: Cisco AVpair [1] 47 "ip:inacl#6=deny ip any 10.0.0.0 0.255.255.255"
Feb 1 13:36:41.460 PST: RADIUS: Vendor, Cisco [26] 45
Feb 1 13:36:41.460 PST: RADIUS: Cisco AVpair [1] 39 "ip:inacl#7=remark **Permit icmp pings"
Feb 1 13:36:41.460 PST: RADIUS: Vendor, Cisco [26] 38
Feb 1 13:36:41.460 PST: RADIUS: Cisco AVpair [1] 32 "ip:inacl#8=permit icmp any any"
Feb 1 13:36:41.460 PST: RADIUS: Vendor, Cisco [26] 50
TEST-802.1X#
Feb 1 13:36:41.460 PST: RADIUS: Cisco AVpair [1] 44 "ip:inacl#9=remark **Permit everything else"
Feb 1 13:36:41.460 PST: RADIUS: Vendor, Cisco [26] 37
Feb 1 13:36:41.460 PST: RADIUS: Cisco AVpair [1] 31 "ip:inacl#10=permit ip any any"
Feb 1 13:36:41.465 PST: RADIUS(00000000): Received from id 1645/16
TEST-802.1X#
TEST-802.1X#
TEST-802.1X#
interface config looks like:
interface GigabitEthernet1/0/4
 description **User/IPphone/Guest
 switchport access vlan 702
 switchport mode access
 switchport voice vlan 704
 ip access-group PRE-AUTH in
 srr-queue bandwidth share 1 30 35 5
 queue-set 2
 priority-queue out
 authentication event fail action next-method
 authentication event server dead action authorize
 authentication host-mode multi-auth
 authentication open
 authentication order dot1x mab webauth
 authentication priority dot1x mab webauth
 authentication port-control auto
 authentication fallback WEB_AUTH_PROFILE
 mab
 mls qos trust device cisco-phone
 mls qos trust cos
 dot1x pae authenticator
 dot1x timeout tx-period 3
 auto qos voip cisco-phone
 spanning-tree portfast
 service-policy input AUTOQOS-SRND4-CISCOPHONE-POLICY
-
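Added example, not code from any poster or from Cisco: a first-match evaluator for the subset of IOS extended-ACL syntax used in ACL-DEFAULT earlier on this page and in the GuestACL downloaded in the debug output above, rebuilt from its `ip:inacl#N` AV pairs. The 192.0.2.x addresses stand in for the redacted ISE hosts, and the flows passed to `first_match` are constructed.

```python
import ipaddress
import re
from collections import namedtuple

NAMED_PORTS = {"bootpc": 68, "bootps": 67, "domain": 53, "tftp": 69}
Ace = namedtuple("Ace", "text action proto src sports dst dports")

def _addr(toks):
    """Consume 'any', 'host A' or 'A wildcard' and return a network."""
    first = toks.pop(0)
    if first == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if first == "host":
        return ipaddress.ip_network(toks.pop(0) + "/32")
    # ipaddress accepts a contiguous IOS wildcard mask as a hostmask.
    return ipaddress.ip_network(first + "/" + toks.pop(0))

def _num(tok):
    return NAMED_PORTS[tok] if tok in NAMED_PORTS else int(tok)

def _ports(toks):
    """Consume an optional 'eq P' or 'range A B'; None means any port."""
    if toks[:1] == ["eq"]:
        lo = hi = _num(toks[1])
        del toks[:2]
    elif toks[:1] == ["range"]:
        lo, hi = _num(toks[1]), _num(toks[2])
        del toks[:3]
    else:
        return None
    return (lo, hi)

def parse_acl(lines):
    """Parse permit/deny entries; headers, remarks and 'log' are ignored."""
    aces = []
    for line in lines:
        toks = line.split()
        if not toks or toks[0] not in ("permit", "deny"):
            continue
        text = " ".join(toks)
        action, proto = toks.pop(0), toks.pop(0)
        src, sports = _addr(toks), _ports(toks)
        dst, dports = _addr(toks), _ports(toks)
        aces.append(Ace(text, action, proto, src, sports, dst, dports))
    return aces

def dacl_from_debug(debug_text):
    """Rebuild a downloaded ACL from ip:inacl#N AV pairs, ordered by N."""
    pairs = re.findall(r'"ip:inacl#(\d+)=([^"]*)"', debug_text)
    return [entry for _, entry in sorted(pairs, key=lambda p: int(p[0]))]

def _port_ok(rng, port):
    return rng is None or (port is not None and rng[0] <= port <= rng[1])

def first_match(aces, proto, src, dst, sport=None, dport=None):
    """Return (action, entry) for the first entry that matches, top down."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in aces:
        if (ace.proto in ("ip", proto) and s in ace.src and d in ace.dst
                and _port_ok(ace.sports, sport) and _port_ok(ace.dports, dport)):
            return ace.action, ace.text
    return "deny", "(implicit deny)"

# ACL-DEFAULT as posted, remarks omitted; 192.0.2.10/.11 are placeholders
# for the redacted ISE addresses.
ACL_DEFAULT = """\
ip access-list extended ACL-DEFAULT
 permit udp any eq bootpc any eq bootps
 permit udp any any eq domain
 permit tcp any any eq domain
 permit udp any any eq 389
 permit tcp any any eq 135
 permit tcp any any eq 445
 permit udp any any eq 445
 permit tcp any any range 135 139
 permit tcp any any eq 389
 permit tcp any any eq 3268
 permit icmp any any
 permit udp any any eq tftp
 permit tcp any host 192.0.2.10 eq 8443
 permit tcp any host 192.0.2.11 eq 8443
 deny ip any any log
""".splitlines()

# AV pairs from the second Access-Accept in the debug output (remark pairs
# and timestamps omitted).
GUEST_DEBUG = """\
RADIUS: Cisco AVpair [1] 51 "ip:inacl#2=permit udp any eq bootpc any eq bootps"
RADIUS: Cisco AVpair [1] 41 "ip:inacl#4=permit udp any any eq domain"
RADIUS: Cisco AVpair [1] 47 "ip:inacl#6=deny ip any 10.0.0.0 0.255.255.255"
RADIUS: Cisco AVpair [1] 32 "ip:inacl#8=permit icmp any any"
RADIUS: Cisco AVpair [1] 31 "ip:inacl#10=permit ip any any"
"""

if __name__ == "__main__":
    for name, acl in (("ACL-DEFAULT", ACL_DEFAULT), ("GuestACL", dacl_from_debug(GUEST_DEBUG))):
        print(name, first_match(parse_acl(acl), "tcp", "10.167.72.52", "10.1.2.3", 40000, 80))
```

In the downloaded GuestACL the DNS permit sits above the 10.0.0.0/8 deny and the ICMP permit below it, so DNS queries to internal addresses pass while pings to internal hosts are dropped.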
Access Point Switchport configuration for OOB NAC
Hello.
Here we have to implement Out of Band with WLC and NAC, I have already checked this guide:
http://www.cisco.com/en/US/products/ps6128/products_configuration_example09186a0080a138cc.shtml
But I have a little doubt. The document shown above does not specify which VLAN should be configured on the switch's access port facing access points. Should I configure this with the trusted or untrusted VLAN? I know all traffic from wireless clients goes to the WLC through a CAPWAP tunnel, but I am not really sure which access VLAN should be used for access points in the Out of Band deployment.
Greetings.
Just to add again to another one of Steve's posts :) You don't want to put the AP traffic through NAC, but only the traffic for the wireless clients which egresses out of the WLC. So if your wireless clients are being placed in VLAN30 (just an example), you can have an untrusted layer 2 VLAN, VLAN29, which hits the NAC untrusted side and, if remediation is good, is then placed in VLAN30. Makes sense?
Thanks,
Scott
-
Access switch lost contact with nac profiler
hi all,
We have implemented HA for NAC Profiler using version 3.1.1_18. My problem is that we need to manually update all access switches to connect with the NAC Profiler server and detect endpoints; if I don't click the update button for all access switches, the new endpoint is not seen. On the access switch we configured SNMP cisconac RO and cisconac1 RW. For SNMP, is a manual update needed, or is it automatic when a new endpoint connects to the network? Here I attach my SNMP configuration.
Hi Larry,
I had the same problem with iTunes 10.6.5, and one cannot uninstall it. I was on the phone with Apple wireless support. The solution is to upgrade the firmware on the Express, which cannot be done with the latest AirPort utilities. However, Apple re-posted AirPort Utility 5.6 for Lion, which will then allow you to upgrade the firmware on older Apple Express units. This in turn will allow iTunes 10.6 to communicate properly with the Express. Doing so restored my connection to the speakers without any further issues.
Give it a try...
The utility is located at:
http://support.apple.com/kb/DL1482?viewlocale=en_US&locale=en_US
Best,
rk007 -
10g - how to configure sso with iis-
Hi, experts, I have followed the Oracle® Business Intelligence Enterprise Edition Deployment Guide to configure SSO with IIS,
but I always get this message.
Not Logged In
You are not currently logged in to the Oracle BI Server.
If you have already logged in, your connection might have timed out, or a communications or server error may have occurred
what steps are missing?
How to check?
Hi, experts,
I checked C:\OracleBIData\web\log\sawlog0.log on the OBI server (Windows Server 2003 Standard).
At Thu Feb 17 14:48:46 2011, I logged in to OBI on another machine (not via the browser on the OBI server).
However, the log shows the login user is the administrator of the obiserver (obiserver\administrator).
Is any setup on IIS wrong? Thank you very much!
=========================================================================================
Running job 'MinutelyMonitor' took 7422 milliseconds, 12.3% of job's frequency (60 seconds).
Type: Error
Severity: 40
Time: Thu Feb 17 14:48:46 2011
File: project/webodbcaccess/odbcconnectionimpl.cpp Line: 371
Properties: ConnId-1,1;ThreadID-1796
Location:
saw.odbc.connection.open
saw.connectionPool.getConnection
saw.subsystem.security.checkAuthenticationImpl
saw.threadPool
saw.threads
Odbc driver returned an error (SQLDriverConnectW).
State: 08004. Code: 10018. [NQODBC] [SQL_STATE: 08004] [nQSError: 10018] Access for the requested connection is refused.
[nQSError: 43001] Authentication failed for obiserver\administrator in repository Star: invalid user/password. (08004)
Type: Error
Severity: 42
Time: Thu Feb 17 14:48:46 2011
File: project/webconnect/connection.cpp Line: 276
Properties: ThreadID-1796
Location:
saw.connectionPool.getConnection
saw.subsystem.security.checkAuthenticationImpl
saw.threadPool
saw.threads
Authentication Failure.
Odbc driver returned an error (SQLDriverConnectW).
--------------------------------------- -
How to configure sso with SSL step by step
Purpose
This document explains how to configure SSO with SSL. Once a user has a certificate installed in the browser, the user can log in without entering a username and password.
Overview
In this document we will demonstrate:
1. How to configure OHS to support SSL
2. How to register SSO with SSL
3. How to configure SSO for certificates
Prerequisites
Before starting this document, you should have:
1. Oracle AS 10g infrastructure installed (10.1.2)
2. OCA installed
Note:
1. When you install the Oracle infrastructure, make sure you have selected OCA.
2. How Certificate-Enabled Authentication Works:
a. The user tries to access a partner application.
b. The partner application redirects the user to the single sign-on server for authentication. As part of this redirection, the browser sends the user's certificate to the login URL of the server (2a). If it is able to verify the certificate, the server returns the user to the requested application.
c. The application delivers content. Users whose browsers are configured to prompt for a certificate-store password may only have to present this password once, depending upon how their browser is configured. If they log out and then attempt to access a partner application, the browser passes their certificate to the single sign-on server automatically. This means that they never really log out. To effectively log out, they must close the browser.
Enable SSL on the Single Sign-On Middle Tier
The following steps involve configuring the Oracle HTTP Server. Perform them on the single sign-on middle tier. In doing so, keep the following in mind:
· You must configure SSL on the computer where the single sign-on middle tier is running.
· You are configuring one-way SSL.
· You may enable SSL for simple network encryption; PKI authentication is not required. Note though that you must use a valid wallet and server certificate. The default wallet location is ORACLE_HOME/Apache/Apache/conf/ssl.wlt/default.
1. Back up the opmn.xml file, found at ORACLE_HOME/opmn/conf
2. In opmn.xml, change the value for the start-mode parameter to ssl-enabled. This parameter appears in boldface in the xml tag immediately following.
<ias-component id="HTTP_Server">
<process-type id="HTTP_Server" module-id="OHS">
<module-data>
<category id="start-parameters">
<data id="start-mode" value="ssl-enabled"/>
</category>
</module-data>
<process-set id="HTTP_Server" numprocs="1"/>
</process-type>
</ias-component>
3. Update the distributed cluster management database with the change: ORACLE_HOME/dcm/bin/dcmctl updateconfig -ct opmn
4. Reload the modified opmn configuration file:
ORACLE_HOME/opmn/bin/opmnctl reload
5. Keep a non-SSL port active. The External Applications portlet communicates with the single sign-on server over a non-SSL port. The HTTP port is enabled by default. If you have not disabled the port, this step requires no action.
6. Apply the rule mod_rewrite to SSL configuration. This step involves modifying the ssl.conf file on the middle-tier computer. The file is at ORACLE_HOME/Apache/Apache/conf. Back up the file before editing it.
Because the Oracle HTTP Server has to be available over both HTTP and HTTPS, the SSL host must be configured as a virtual host. Add the lines that follow to the SSL Virtual Hosts section of ssl.conf if they are not already there. These lines ensure that the single sign-on login module in OC4J_SECURITY is invoked when a user logs in to the SSL host.
<VirtualHost ssl_host:port>
RewriteEngine on
RewriteOptions inherit
</VirtualHost>
Save and close the file.
7. Update the distributed cluster management database with the changes:
ORACLE_HOME/dcm/bin/dcmctl updateconfig -ct ohs
8. Restart the Oracle HTTP Server:
ORACLE_HOME/opmn/bin/opmnctl stopproc process-type=HTTP_Server
ORACLE_HOME/opmn/bin/opmnctl startproc process-type=HTTP_Server
9. Verify that you have enabled the single sign-on middle tier for SSL by trying to access the OracleAS welcome page, using the format https://host:ssl_port.
Reconfigure the Identity Management Infrastructure Database
Change all references of http in single sign-on URLs to https within the identity management infrastructure database. When you change single sign-on URLs in the database, you must also change these URLs in the targets.xml file on the single sign-on middle tier. targets.xml is the configuration file for the various "targets" that Oracle Enterprise Manager monitors. One of these targets is OracleAS Single Sign-On.
1. Change Single Sign-On URLs
Run the ssocfg script, taking care to enter the command on the computer where the single sign-on middle tier is located. Use the following syntax:
UNIX:
$ORACLE_HOME/sso/bin/ssocfg.sh protocol host ssl_port
Windows:
%ORACLE_HOME%\sso\bin\ssocfg.bat protocol host ssl_port
In this case, protocol is https. (To change back to HTTP, use http.) The parameter host is the host name, or server name, of the Oracle HTTP listener for the single sign-on server.
Here is an example:
ssocfg.sh https login.acme.com 4443
2. Restart OC4J_SECURITY instance and verify the configuration
To determine the correct port number, examine the ssl.conf file. Port 4443 is the port number that the OracleAS installer assigns during installation.
If you run ssocfg successfully, the script returns a status 0. To confirm that you were successful, restart the OC4J_SECURITY instance:
ORACLE_HOME/opmn/bin/opmnctl restartproc process-type=OC4J_SECURITY
Then try logging in to the single sign-on server at its SSL address:
https://host:ssl_port/pls/orasso/
3. Back up the file targets.xml:
cp ORACLE_HOME/sysman/emd/targets.xml ORACLE_HOME/sysman/emd/targets.xml.backup
4. Open the file and find the target type oracle_sso_server. Within this target type, locate and edit the three attributes that you passed to ssocfg:
· HTTPMachine—the server host name
· HTTPPort—the server port number
· HTTPProtocol—the server protocol
If, for example, you run ssocfg like this:
ORACLE_HOME/sso/bin/ssocfg.sh https sso.mydomain.com 4443
Update the three attributes this way:
<Property NAME="HTTPMachine" VALUE="sso.mydomain.com"/>
<Property NAME="HTTPPort" VALUE="4443"/>
<Property NAME="HTTPProtocol" VALUE="HTTPS"/>
5. Save and close the file.
6. Reload the OracleAS console:
ORACLE_HOME/bin/emctl reload
7. Issue these two commands:
ORACLE_HOME/opmn/bin/opmnctl restartproc process-type=HTTP_Server
ORACLE_HOME/opmn/bin/opmnctl restartproc process-type=OC4J_SECURITY
Registering mod_osso
1. The command sequence that follows shows a mod_osso instance being reregistered with the single sign-on server.
$ORACLE_HOME/sso/bin/ssoreg.sh \
-oracle_home_path $ORACLE_HOME \
-config_mod_osso TRUE \
-mod_osso_url https://myhost.mydomain.com:4443
2. Restarting the Oracle HTTP Server
After running ssoreg, restart the Oracle HTTP Server:
ORACLE_HOME/opmn/bin/opmnctl restartproc process-type=HTTP_Server
Configuring the Single Sign-On System for Certificates
1. Configure policy.properties with the Default Authentication Plugin
Update the DefaultAuthLevel section of the policy.properties file with the correct authentication level for certificate sign-on. This file is at ORACLE_HOME/sso/conf. Set the default authentication level to this value:
DefaultAuthLevel = MediumHighSecurity
Then, in the Authentication plugins section, pair this authentication level with the default authentication plugin:
MediumHighSecurity_AuthPlugin = oracle.security.sso.server.auth.SSOX509CertAuth
2. Restart the Single Sign-On Middle Tier
After configuring the server, restart the middle tier:
ORACLE_HOME/opmn/bin/opmnctl restartproc process-type=HTTP_Server
ORACLE_HOME/opmn/bin/opmnctl restartproc process-type=OC4J_SECURITY
Bringing the SSO Users to OCA User Certificate Request URL
The OCA server reduces the administrative and maintenance cost of provisioning a user certificate. The OCA server achieves this by authenticating users by using OracleAS SSO server authentication. All users who have an OracleAS SSO server account can directly get a certificate by using the OCA user interface. This reduces the time normally required to provision a certificate by a certificate authority.
The URL for the SSO certificate Request is:
https://<Oracle_HTTP_host>:<oca_ssl_port>/oca/sso_oca_link
You can configure OCA to provide the user certificate request interface URL to the SSO server for display whenever SSO is not using a certificate to authenticate a user. After the OracleAS SSO server authenticates a user, it then displays the OCA screen, enabling that user to request a certificate.
To link the OCA server to OracleAS SSO server, use the following command:
ocactl linksso
opmnctl stopproc type=oc4j instancename=oca
opmnctl startproc type=oc4j instancename=oca
You also can use ocactl unlinksso to unlink the OCA to SSO.
I have read the SSO admin guide, and performed the steps for enabling SSL on the SSO, and followed the steps to configure mod_osso with virtual host on port 4443 as mentioned in the admin guide.
The case now is that when I call my form (which is developed by forms developer suite 10g and deployed on the forms server which is SSO enabled) , it calls the SSO module on port 7777 using http (the default behaviour).
on a URL that looks like this :
http://myhostname:7777/pls/orasso/orasso.wwsso_app_admin.ls_login?Site2pstoreToken=.......
and gives the error :
( Forbidden
You don't have permission to access /sso/auth on this server at port 7777)
when I manually change the URL to :
https://myhostname:4443/pls/orasso/orasso.wwsso_app_admin.ls_login?Site2pstoreToken=.......
the SSO works correctly.
The question is :
How can I change this default behaviour and make it call SSO on port 4443 using https instead ?
Any ideas ?
Thanks in advance -
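A consistency check for the three files the how-to above edits (opmn.xml, targets.xml, policy.properties), as an added example that is not part of the original posts or of Oracle's tooling. The `<Target TYPE="oracle_sso_server">` wrapper element and all sample values are assumptions constructed from the fragments shown in the post.

```python
import xml.etree.ElementTree as ET

CERT_PLUGIN = "oracle.security.sso.server.auth.SSOX509CertAuth"

def _local(tag):  # '{uri}data' -> 'data', so namespaced files also match
    return tag.rsplit("}", 1)[-1]

def check_opmn(xml_text):
    """OHS must be started with start-mode=ssl-enabled."""
    for el in ET.fromstring(xml_text).iter():
        if _local(el.tag) == "data" and el.get("id") == "start-mode":
            mode = el.get("value")
            return [] if mode == "ssl-enabled" else [f"opmn.xml: start-mode is {mode!r}"]
    return ["opmn.xml: start-mode not found"]

def check_targets(xml_text, host, port):
    """oracle_sso_server properties must match the values passed to ssocfg."""
    want = {"HTTPMachine": host, "HTTPPort": str(port), "HTTPProtocol": "HTTPS"}
    for tgt in ET.fromstring(xml_text).iter():
        if _local(tgt.tag) == "Target" and tgt.get("TYPE") == "oracle_sso_server":
            have = {p.get("NAME"): p.get("VALUE") for p in tgt.iter() if _local(p.tag) == "Property"}
            return [f"targets.xml: {k} is {have.get(k)!r}, expected {v!r}"
                    for k, v in want.items() if (have.get(k) or "").upper() != v.upper()]
    return ["targets.xml: no oracle_sso_server target"]

def check_policy(text):
    """DefaultAuthLevel must be paired with the X.509 certificate plugin."""
    props = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and not key.lstrip().startswith("#"):
            props[key.strip()] = value.strip()
    level = props.get("DefaultAuthLevel")
    if level is None:
        return ["policy.properties: DefaultAuthLevel not set"]
    if props.get(f"{level}_AuthPlugin") != CERT_PLUGIN:
        return [f"policy.properties: {level}_AuthPlugin is not {CERT_PLUGIN}"]
    return []

def audit(opmn, targets, policy, host, port):
    return check_opmn(opmn) + check_targets(targets, host, port) + check_policy(policy)

# Constructed sample inputs modelled on the fragments in the post (Target wrapper is assumed).
OPMN = ('<ias-component id="HTTP_Server"><process-type id="HTTP_Server" module-id="OHS"><module-data>'
        '<category id="start-parameters"><data id="start-mode" value="ssl-enabled"/></category>'
        '</module-data></process-type></ias-component>')
TARGETS = ('<Targets><Target TYPE="oracle_sso_server" NAME="sso">'
           '<Property NAME="HTTPMachine" VALUE="sso.mydomain.com"/>'
           '<Property NAME="HTTPPort" VALUE="4443"/>'
           '<Property NAME="HTTPProtocol" VALUE="HTTPS"/></Target></Targets>')
POLICY = f"DefaultAuthLevel = MediumHighSecurity\nMediumHighSecurity_AuthPlugin = {CERT_PLUGIN}\n"

if __name__ == "__main__":
    for finding in audit(OPMN, TARGETS, POLICY, "sso.mydomain.com", 4443) or ["consistent"]:
        print(finding)
```

To check a real installation, read the three files from ORACLE_HOME/opmn/conf, ORACLE_HOME/sysman/emd and ORACLE_HOME/sso/conf and pass their contents to `audit` with the host and port given to ssocfg.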
Non-configurable materials with EK02 costing
Hi all,
We have a range of non configurable manufactured materials which, when used in standard sales orders, generate a production order and BOM. Presently the cost is automatically generated from the material master and is populated as a VPRS cost.
As these materials have a BOM we want the cost to pick up from the BOM instead, ie as an EK02 cost. If we enter such a material and do a manual recost the EK02 populates in the sales order item conditions but we cannot get it to populate automatically as it does with configurable materials with BOMs.
In the define item categories section in SPRO we have removed the determine cost tick. This has the desired effect of removing the VPRS cost but the EK02 cost still doesn't pull through. In the Bill of Material / Configuration section of the item category we tried setting the structure scope to A (Explode single-level bill of material) and B (Explode multi-level bill of material) but this didn't work. If we set it to D (Configuration, poss. with BOM explosion), then we get the "item can be configured but there is no configuration" error when used in a sales order which is expected as these products have no configuration.
We also tried deleting the standard cost held in the material master to see if, as that value was now blank, it would pick up the EK02 instead but, alas, this also didn't work.
Any help / suggestions would be most appreciated.
Kind regards, Rob
Hi,
We are maintaining the Service masters for the services we render, there is no valuation of Inventory as only service is being rendered.
But we have maintained BOM and Routings for the services we render.
Even there is no valuation class in the service masters as this is non valuated.
Can you guide me more on this pls.
Thanks,
Ravi -
Create a configurable material with reference to another config material
Hi,
I want to create a configurable material with reference to another configurable material from different system.
Please tell me what data i need to check to see if that material has been created (copied manually) successfully.
Thanks.
Hi,
In case of configurable material most important thing is configuration so please check whether the configuration is copied perfectly with all characteristics or not. Similarly check the valuation class and price control is proper or not.
Regards,
Umesh -
Configuring php5 with enable XML on OAS 10.1.3.x
My requirement is to enable XML on OAS 10.1.3.5.
I am not sure how to configure it, so I started using a separate PHP 5.2 to configure with XML enabled on the server. After installation, when I am starting the opmn services I am getting the error below. I think the error is with the platform, which means the current OS version is 64-bit and the PHP 5.2 stage is a 32-bit version, I guess.
OAS_HOME=/u20/app/MSRV1P/apmsrv1p/oracle/product/OAS
URL : http://nacisdell277.us.oracle.com:10330/phpinfo.php
I used below command to configure :
./configure --prefix=$ORACLE_HOME/php --with-config-file-path=$ORACLE_HOME/Apache/Apache/conf --with-apxs=$ORACLE_HOME/Apache/Apache/bin/apxs \
--with-oci8=instantclient,/u20/app/MSRV1P/apmsrv1p/oracle/product/instantclient_10_2 --with-config-file-path=/u20/app/MSRV1P/apmsrv1p/oracle/product/OAS/Apache/Apache/php5 --enable-sigchild --enable-xml --enable-simplexml --enable-libxml --enable-dom --enable-simplexml --enable-xml --enable-xmlreader --enable-xmlwriter --enable-simplexml --with-xsl --with-zlib --with-xml --with-libxml-dir
Error :
/u20/app/MSRV1P/apmsrv1p/oracle/product/OAS/Apache/Apache/bin/apachectl startssl: execing httpd
Syntax error on line 247 of /u20/app/MSRV1P/apmsrv1p/oracle/product/OAS/Apache/Apache/conf/httpd.conf:
Cannot load /u20/app/MSRV1P/apmsrv1p/oracle/product/OAS/Apache/Apache/libexec/libphp5.so into server: /u20/app/MSRV1P/apmsrv1p/oracle/product/OAS/Apache/Apache/libexec/libphp5.so: wrong ELF class: ELFCLASS64
I checked in the Metalink for “configuring php5 with enable XML on OAS 10.1.3.x” but I couldn’t find anything.
Please advise me on this.
Thanks
Hello;
You can try installing glibc-devel to fix this.
However on my version :
Application Server Control Release 10.1.2.3.0 - PHP 5 does not seem to work. The conflict on mine is that PHP 4 came wrapped in the Oracle install and they don't play well together.
Make sure your httpd.conf does not have this in it :
LoadModule php4_module libexec/libphp4.so
I'm NOT advising you to remove it if it's there, I'm merely pointing to a possible conflict.
Best Regards
mseberg
Later
Glad you don't have the same version as me. Hard to find anything on this, found these ( Not exact matches )
http://php.net/manual/en/oci8.installation.php ( Search for ELF )
http://enlinea.creaelicita.cl/guia/oci8.setup.html
http://docs.oracle.com/cd/E17390_01/doc.650/e17370.pdf
Found this in the pdf : ( Similar )
If the following error is received:
*ERROR* - obssocookie: could not dlopen()
/opt/netpoint/AccessServerSDK//oblix/lib/libobaccess.so:
/opt/netpoint/AccessServerSDK//oblix/lib/libobaccess.so: wrong ELF class:
ELFCLASS32
This indicates that the 32-bit version of the Access Gate SDK was installed instead of
the required 64-bit version.
Edited by: mseberg on Feb 4, 2012 5:53 AM
Still later
Another thought is the PHP forum :
PHP
Also you need the 32bit Instant Client to be able run PHP. See http://blogs.oracle.com/opal/entry/using_php_oci8_with_32-bit_php
Same OS message :
ORA-03106: fatal two-task communication protocol error
Edited by: mseberg on Feb 4, 2012 7:03 PM
Rogue Notes from my Fusion Middleware on Red Hat 5 64 bit
I downloaded php-5.3.5.tar.gz from http://www.php.net/downloads.php.
Download the OCI headers http://www.oracle.com/technetwork/middleware/ias/ociheaders-134541.tar
environment
export ORACLE_HOME=/u01/app/oracle/product/fmw/oracle_pfrd
export ORACLE_INSTANCE=/u01/app/oracle/product/fmw/fr_inst
export CONFIG_FILE_PATH=$ORACLE_INSTANCE/config/OHS/ohs1
export LD_LIBRARY_PATH=$ORACLE_HOME/lib:$ORACLE_HOME/ohs/lib:$LD_LIBRARY_PATH
Configure with Oracle Database (OCI8) support:
./configure --with-apxs2=$ORACLE_HOME/ohs/bin/apxs --prefix=$ORACLE_HOME --with-config-file-path=$CONFIG_FILE_PATH --with-oci8=$ORACLE_HOME --disable-rpath
httpd.conf
# And for PHP 5.x use:
AddType application/x-httpd-php .php .phtml
Edited by: mseberg on Feb 4, 2012 7:19 PM
Edited by: mseberg on Feb 5, 2012 11:48 AM -
Server app : random errors in configuration applied with configuration profile
When I verify the information contained in the user configuration profile with both the profile manager and TextMate, everything is OK. When I install the configuration profile on a computer, there are errors in the configuration of the Mail app: the email address is configured as [email protected] instead of [email protected], and the username is [email protected] instead of user1. Both server and client computers are running Mac OS X 10.8.
Thanks for the help!