Configure ADSSO with NAC

Hi Guys,
I need to configure my Cisco NAC (ADSSO) with Windows Server 2008 R2 Enterprise (64). For now we can only do ADSSO with Windows XP. Windows 7 is still using normal authentication. We are using KTPass to authenticate with the NAC server. We are using Windows 2008 at the 2003 functional level.
Can anyone help me regarding this?
Best Regards,
Azfar

Azfar,
There are a few things that you need to check/perform when configuring ADSSO. First you must check that the proper version of ktpass is installed on the machine where you generate the Kerberos ticket for the CAS service account (I recommend using a different account for this just so you can roll back; also, you cannot run ktpass successfully more than once for the same service account; please delete the account first, recreate the account and try again):
http://www.cisco.com/en/US/docs/security/nac/appliance/support_guide/agntsprt.html#wp228565
After this you need to follow the steps to generate the Kerberos ticket:
http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/49/cas/s_adsso.html#wp1301231
Here is an example more specific to your environment:
http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/49/cas/s_adsso.html#wp1277452
Since you are running in a mixed environment you must enable additional algorithms:
http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/49/cas/s_adsso.html#wp1277452
If it fails, then purchase ISE.
Thanks,
Tarik Admani
*Please rate helpful posts*

Similar Messages

  • NAC ADSSO with NAC Module isn't working for all modules

    Hello,
    We have a NAC OOB-L2-VG Deployment at the Central Site with VLAN Mapping and ADSSO which works just fine.
    As part of the project we have implemented NAC Modules on ISR routers for the branch offices; same topology but as the documentation states no VLAN mapping was configured. The problem is that for some users in one branch office the ADSSO isn't working and in another branch office the ADSSO isn't working at all, all the users are getting authenticated with a local user we defined on the servers.
    The configuration in both modules is exactly the same; they are using the same user to access the AD (the one used on the ktpass) the data links to the central site are both 1 Mbps and everything is pretty much the same thing.
    I have checked the logs on the CAS-Module and it states that Windows SSO is running:
    Nov 27, 2009 10:08:23 AM com.perfigo.wlan.jmx.admin.GSSRetrier$RetrierTask run
    INFO: GSSR - Windows SSO is running
    The interesting thing is that when the user goes thru the NAC process I see these logs:
    Nov 27, 2009 8:55:13 AM com.perfigo.wlan.jmx.admin.SWissServer run
    FINE: Sent Response to /172.19.5.11!
    Nov 27, 2009 8:55:13 AM com.perfigo.wlan.jmx.admin.GSSServer$GSSThread run
    INFO: accepted ADSSO socket ...Socket[addr=/172.19.5.11,port=1431,localport=8910]
    Nov 27, 2009 8:55:13 AM com.perfigo.wlan.jmx.admin.GSSServer$GSSThread run
    INFO: accepting ADSSO socket ...
    Nov 27, 2009 8:55:13 AM com.perfigo.wlan.jmx.admin.GSSHandler run
    INFO: processing socket ...Socket[addr=/172.19.5.11,port=1431,localport=8910]
    Nov 27, 2009 8:55:13 AM com.perfigo.wlan.jmx.admin.GSSHandler run
    INFO: TIMEOUT_SET FOR ADSSO SOCKET ... Socket[addr=/172.19.5.11,port=1431,localport=8910]
    Nov 27, 2009 8:55:13 AM com.perfigo.wlan.jmx.admin.GSSHandler run
    INFO: reading peer's token_length Socket[addr=/172.19.5.11,port=1431,localport=8910]
    Nov 27, 2009 8:55:28 AM com.perfigo.wlan.jmx.admin.GSSHandler run
    SEVERE: IO Error: Socket[addr=/172.19.5.11,port=1431,localport=8910]:Read timed out
    Nov 27, 2009 8:56:18 AM com.perfigo.wlan.jmx.admin.SWissHandler processPacket
    FINE: SWissServer: get request from : 1043@/172.19.5.11
    Nov 27, 2009 8:56:18 AM com.perfigo.wlan.jmx.admin.SWissHandler processPacket
    FINE: SWissServer: Client OS is WINDOWS_PRO_XP
    Nov 27, 2009 8:56:18 AM com.perfigo.wlan.jmx.admin.SWissUtil parseClientAddrList
    FINE: IP=/172.19.5.11, MAC=00:1E:4F:53:97:7D
    Nov 27, 2009 8:56:18 AM com.perfigo.wlan.jmx.Shell writeToClick
    FINE: /proc/click/intern_arpq/add_interest-->172.19.5.11
    Nov 27, 2009 8:56:18 AM com.perfigo.wlan.jmx.Shell writeToClick
    FINE: /proc/click/intern_arpq/remove_interest-->172.19.5.11
    Nov 27, 2009 8:56:18 AM com.perfigo.wlan.jmx.admin.SWissUtil getOpProviderListData
    FINE: IP=172.19.5.11, VLAN=19, OS=WINDOWS_PRO_XP
    Nov 27, 2009 8:56:18 AM com.perfigo.wlan.jmx.admin.SWissUtil getOpProviderListData
    FINE: Default Provider=Local DB
    Nov 27, 2009 8:56:18 AM com.perfigo.wlan.jmx.admin.SWissUtil getOpProviderListData
    FINE: Providers=Local DB;
    Nov 27, 2009 8:56:18 AM com.perfigo.wlan.jmx.admin.SWissUtil getOpProviderListData
    FINE: Number of providers=1
    The IP address 172.19.5.11 is the IP of the PC during the unauthenticated role; what the user is finally seeing is the CCA Agent asking for user and password instead of using the ADSSO.
    The version of the Agent is 4.1.10, the NAS and NAM are running 4.1.8 and the only awkward thing is that the Active Directory Servers are running Windows 2000 SP4.
    Any assistance would be much appreciated.
    Thanks,
    DL.

    Hi,
    I too have the same error. Does anyone know how to resolve this?
    Socket[addr=/10.80.0.220,port=1583,localport=8910]
    2010-09-28 10:57:38.028 +0530 DEBUG com.perfigo.wlan.jmx.adsso.GSSServer               - accepting ADSSO socket ...
    2010-09-28 10:57:38.041 +0530 DEBUG com.perfigo.wlan.jmx.adsso.GSSHandler              - processing socket ... Socket[addr=/10.80.0.220,port=1583,localport=8910]
    2010-09-28 10:57:38.041 +0530 DEBUG com.perfigo.wlan.jmx.adsso.GSSHandler              - TIMEOUT_SET FOR ADSSO SOCKET ... Socket[addr=/10.80.0.220,port=1583,localport=8910]
    2010-09-28 10:57:38.041 +0530 DEBUG com.perfigo.wlan.jmx.adsso.GSSHandler              - reading peer's token_length from Socket[addr=/10.80.0.220,port=1583,localport=8910]
    2010-09-28 10:57:38.670 +0530 ERROR com.perfigo.wlan.jmx.adsso.GSSHandler              - IO Error: Socket[addr=/10.80.0.220,port=1583,localport=8910] null
    2010-09-28 10:58:40.215 +0530 INFO  com.perfigo.wlan.jmx.adsso.GSSRetrier              - GSSR - Windows SSO is running
    2010-09-28 10:59:26.308 +0530 WARN  org.apache.commons.httpclient.HttpMethodBase       - Going to buffer response body of large or unknown size. Using getResponseBodyAsStream instead is recommended.
    2010-09-28 10:59:38.478 +0530 INFO  com.perfigo.wlan.jmx.admin.OOBDelayTask            - OOBDelayTask: remove temp user [00:01:80:53:67:75]/[10.80.0.220]
    Thanks in advance

  • NAC ADSSO with WLC 4400

    I'm setting up this scenario today and have never done that and was wondering if there are any 'gotchas' i need to watch out for, or anything any of you have done/learned while implementing this.
    I do have one specific question: the preshared key under vpn auth / vpn concentrators, where the WLC is to be added, where is the preshared key configured on the WLC?
    NAC is running 4.1.3.1, not sure about WLC.
    I do have ADSSO working on the wired network, so at least that part is done.
    TIA

    I am currently testing NAC for wired guests and AD SSO for staff. We are planning to offer wireless guest services using Cisco infrastructure once wired is working. I was wondering about NAC and wireless guest services. We are deploying in-band as is required for wireless, so is there anything I am missing or will need in order to integrate wireless with NAC?

  • ISE with NAC agent pop up and Posture waiting

    Hi,
    I have ISE running ver 1.1.1.268. We limited access to certain services before authentication with ACL-DEFAULT (given below) as per the TrustSec design guide.
    Now the issue is that when you have ACL-DEFAULT on the port, the NAC agent does not pop up and does not start the posture part, saying it is waiting for posture validation. When ACL-DEFAULT is removed from the access port, the NAC agent pops up and does the posture validation.
    However, we do not want users to get access to the network before authorization, and that is the reason we use ACL-DEFAULT.
    Please can someone advise me how to achieve both of the above tasks? Why does the NAC agent not pop up and do the posture when ACL-DEFAULT is there on the switch?
    Here is what I have configured on ACL-DEFAULT.
    ip access-list extended ACL-DEFAULT
    remark DHCP
    permit udp any eq bootpc any eq bootps
    remark DNS
    permit udp any any eq domain
    permit tcp any any eq domain
    permit udp any any eq 389
    permit tcp any any eq 135
    permit tcp any any eq 445
    permit udp any any eq 445
    permit tcp any any range 135 139
    permit tcp any any eq 389
    permit tcp any any eq 3268
    permit icmp any any
    remark PXE / TFTP
    permit udp any any eq tftp
    permit tcp any host 172.xx.xx.xx eq 8443 (ISE-Pri)
    permit tcp any host 172.xx.xx.xx eq 8443 (ISE-Sec)
    remark Drop all the rest
    deny   ip any any log
    Appreciate if someone can give a solid resolution and explanation to this.

    Hi Saurav,
    We have already allowed those ports with another acl (ACL-POSTURE-REDIRECT). Our issue is not with the web nac agent.
    The issue is with the NAC agent installed on corporate PCs connecting via wired port. With ACL-DEFAULT it does not pop up and does not do the posturing; however, once we removed ACL-DEFAULT from the access port, everything works fine.
    Since we do not want any user to access unwanted services before authorization, we add this ACL on the access port, and as per the TrustSec design this has to be there if you want to have ISE with closed mode.
    thanks

  • Best practice configure DHCP server NAC

    hi all,
    Any idea what the best practice is to deploy DHCP on the CAS? I tried to follow the user guide to configure DHCP on the CAS but it is still not running smoothly; user just only grep ip authenticate.
    - The CCA agent is very slow to appear when the user gets an IP from DHCP on authenticate. Any idea?
    - How to integrate the profiler with the NAC appliance?

    Hi ahmed,
    You have configured your CAS to be your DHCP server. That's well and good because you are using Real IP mode, which supports the CAS being a DHCP server.
    Remember
    This setting is only for your Authentication VLAN, so that your client gets an IP while authenticating.
    When your client switches to the Access VLAN, your client traffic no longer flows through the CAS, so the CAS is now not responsible for DHCP.
    You'll have to configure another DHCP server on the Trusted side which can lease IPs to the Access VLAN members.
    As you have configured OOB, your client is in the Access VLAN and does not come in contact with the CAS, so you need the Trusted side DHCP to give the client an IP address.
    Here in your Scenario your ACCESS VLANS are 2022,2044
    Hope this helps, Do reply after Testing.
    Thank You
    Regards
    Edward

  • Authentication mac-move permit with NAC

    Hi,
    I have 2 switches with NAC configured on them. I also have "authentication mac-move permit" configured on my 2 switches that are connected together. My understanding is that authentication mac-move permit does not work with 802.1x enabled ports.
    So I would like to verify if my understanding is correct that if I have authentication mac-move permit configured and a laptop moves to another port without logging off, the switch will see that as a violation and block the user, right?

    anyone run into this before?

  • Wired WebAuth with NAC Guest Server

    Hi,
    I am trying to get wired WebAuth working with NAC Guest Server. In the switch_login.html file example, what should be changed for this line:
    ngsOptions.actionUrl = "https://1.1.1.1/";
    Should this be an IP address on the switch? Should I have this pointing to the success.html page like this:
    ngsOptions.actionUrl = "https://1.1.1.1/success.html";
    When I log on, and accept the AUP, my browser just sits there trying to access Https://1.1.1.1/?redirect-url=blah blah blah
    Thanks,
    Peter

    FYI,
    In my case I WAS getting the switch_login.html web page being displayed, but after entering credentials and submitting the Acceptable Use Policy page, I did NOT 'see' any radius traffic between the switch (C2960S 12.2(55)SE3) and the ACS 5.3 radius server?!.
    I used the sample .html docs that you can find on the NAC Guest Server in the 'samples' folder on that server. I used WCP app to copy them to my PC/laptop before modifying where relevant and copying to flash on switch and to the wireless 'hotspot' folders on the NGS.
    I went through the following document in url below line by line, paragraph by paragraph and found that I had left out the following command in the configuration:
    aaa authentication login default group radius
    see doc at:
    http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/TrustSec_1.99/WebAuth/WebAuth_Dep_Guide.html#wp392553
    So I added it in and I am now seeing the radius debug traffic being redirected to the ACS by the switch when a user submits the credentials.
    aaa new-model
    aaa authentication login default group radius
    aaa authentication login VTY-USER-LOGIN local
    aaa authentication dot1x default group radius
    aaa authorization console
    aaa authorization exec EXEC-LOCAL local
    aaa authorization network default group radius
    aaa authorization auth-proxy default group radius
    aaa accounting auth-proxy default start-stop group radius
    aaa accounting dot1x default start-stop group radius
    with debug radius enabled:
    Feb  1 13:36:09 PST: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/4, changed state to down
    TEST-802.1X#
    Feb  1 13:36:10 PST: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/4, changed state to down
    TEST-802.1X#
    Feb  1 13:36:18 PST: %AUTHMGR-5-START: Starting 'dot1x' for client (848f.69f0.fcc7) on Interface Gi1/0/4 AuditSessionID 0AA7404A0000054E16335518
    TEST-802.1X#
    Feb  1 13:36:20 PST: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/4, changed state to up
    Feb  1 13:36:21 PST: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/4, changed state to up
    TEST-802.1X#
    Feb  1 13:36:27 PST: %DOT1X-5-FAIL: Authentication failed for client (848f.69f0.fcc7) on Interface Gi1/0/4 AuditSessionID
    Feb  1 13:36:27 PST: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (848f.69f0.fcc7) on Interface Gi1/0/4 AuditSessionID 0AA7404A0000054E16335518
    Feb  1 13:36:27 PST: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (848f.69f0.fcc7) on Interface Gi1/0/4 AuditSessionID 0AA7404A0000054E16335518
    Feb  1 13:36:27 PST: %AUTHMGR-5-START: Starting 'mab' for client (848f.69f0.fcc7) on Interface Gi1/0/4 AuditSessionID 0AA7404A0000054E16335518
    Feb  1 13:36:27.367 PST: RADIUS/ENCODE(0000058E):Orig. component type = DOT1X
    Feb  1 13:36:27.367 PST: RADIUS(0000058E): Config NAS IP: 10.167.64.74
    Feb  1 13:36:27.367 PST: RADIUS/ENCODE(0000058E): acct_session_id: 1421
    Feb  1 13:36:27.367 PST: RADIUS(0000058E): sending
    Feb  1 13:36:27.367 PST: RADIUS(0000058E): Send Access-Request to 10.167.77.70:1645 id 1645/14, len 211
    Feb  1 13:36:27.372 PST: RADIUS:  authenticator 2E F0 62 2D 43 D9 7D 2A - 7C 88 0A 52 B9 6E 78 A8
    Feb  1 13:36:27.372 PST: RADIUS:  User-Name           [1]   14  "848f69f0fcc7"
    Feb  1 13:36:27.372 PST: RADIUS:  User-Password       [2]   18  *
    Feb  1 13:36:27.372 PST: RADIUS:  Service-Type        [6]   6   Call Check                [10]
    Feb  1 13:36:27.372 PST: RADIUS:  Framed-MTU          [12]  6   1500                     
    Feb  1 13:36:27.372 PST: RADIUS:  Called-Station-Id   [30]  19  "20-37-06-C8-68-84"
    Feb  1 13:36:27.372 PST: RADIUS:  Calling-Station-Id  [31]  19  "84-8F-69-F0-FC-C7"
    Feb  1 13:36:27.372 PST: RADIUS:  Message-Authenticato[80]  18 
    Feb  1 13:36:27.372 PST: RADIUS:   11 20 B4 9A B6 E2 56 30 AC EC 43 CD 17 13 3E 14             [  V0C>]
    Feb  1 13:36:27.372 PST: RADIUS:  EAP-Key-Name        [102] 2   *
    Feb  1 13:36:27.372 PST: RADIUS:  Vendor, Cisco       [26]  49 
    Feb  1 13:36:27.372 PST: RADIUS:   Cisco AVpair       [1]   43  "audit-session-id=0AA7404A0000054E16335518"
    Feb  1 13:36:27.372 PST: RADIUS:  NAS-Port-Type       [61]  6   Ethernet                  [15]
    Feb  1 13:36:27.372 PST: RADIUS:  NAS-Port            [5]   6   50104                    
    Feb  1 13:36:27.372 PST: RADIUS:  NAS-Port-Id         [87]  22  "GigabitEthernet1/0/4"
    Feb  1 13:36:27.372 PST: RADIUS:  NAS-IP-Address      [4]   6   10.167.64.74             
    Feb  1 13:36:27.372 PST: RADIUS(0000058E): Started 5 sec timeout
    Feb  1 13:36:27.377 PST: RADIUS: Received from id 1645/14 10.167.77.70:1645, Access-Reject, len 38
    Feb  1 13:36:27.377 PST: RADIUS:  authenticator 68 CE 3D C8 C3 BC B2 69 - DB 33 F5 C0 FF 30 D6 33
    Feb  1 13:36:27.377 PST: RADIUS:  Message-Authenticato[80]  18 
    Feb  1 13:36:27.377 PST: RADIUS:   82 3D 31 0A C7 A2 E0 62 D5 B7 6B 26 B8 A0 0B 46            [ =1bk&F]
    Feb  1 13:36:27.377 PST: RADIUS(0000058E): Received from id 1645/14
    Feb  1 13:36:27 PST: %MAB-5-FAIL: Authentication failed for client (848f.69f0.fcc7) on Interface Gi1/0/4 AuditSessionID 0AA7404A0000054E16335518
    Feb  1 13:36:27 PST: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'mab' for client (848f.69f0.fcc7) on Interface Gi1/0/4 AuditSessionID 0AA7404A0000054E16335518
    Feb  1 13:36:27 PST: %AUTHMGR-7-FAILOVER: Failing over from 'mab' for client (848f.69f0.fcc7) on Interface Gi1/0/4 AuditSessionID 0AA7404A0000054E16335518
    Feb  1 13:36:27 PST: %AUTHMGR-5-START: Starting 'webauth' for client (848f.69f0.fcc7) on Interface Gi1/0/4 AuditSessionID 0AA7404A0000054E16335518
    Feb  1 13:36:27 PST: %AUTHMGR-7-RESULT: Authentication result 'success' from 'webauth' for client (848f.69f0.fcc7) on Interface Gi1/0/4 AuditSessionID 0AA7404A0000054E16335518
    Feb  1 13:36:27 PST: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (848f.69f0.fcc7) on Interface Gi1/0/4 AuditSessionID 0AA7404A0000054E16335518
    Feb  1 13:36:27.933 PST: RADIUS/ENCODE(0000058E):Orig. component type = DOT1X
    Feb  1 13:36:27.933 PST: RADIUS(0000058E): Config NAS IP: 10.167.64.74
    Feb  1 13:36:27.933 PST: RADIUS(0000058E): sending
    Feb  1 13:36:27.933 PST: RADIUS(0000058E): Send Accounting-Request to 10.167.77.70:1646 id 1646/151, len 100
    Feb  1 13:36:27.933 PST: RADIUS:  authenticator D0 F0 04 F3 A5 08 90 BE - A9 07 8D 32 1B 0E 93 AC
    Feb  1 13:36:27.933 PST: RADIUS:  Acct-Session-Id     [44]  10  "0000058D"
    Feb  1 13:36:27.933 PST: RADIUS:  Framed-IP-Address   [8]   6   10.167.72.52             
    Feb  1 13:36:27.933 PST: RADIUS:  Acct-Authentic      [45]  6   RADIUS                    [1]
    Feb  1 13:36:27.933 PST: RADIUS:  Acct-Status-Type    [40]  6   Start                     [1]
    Feb  1 13:36:27.933 PST: RADIUS:  NAS-Port-Type       [61]  6   Ethernet                  [15]
    Feb  1 13:36:27.933 PST: RADIUS:  NAS-Port            [5]   6   50104                    
    Feb  1 13:36:27.933 PST: RADIUS:  NAS-Port-Id         [87]  22  "GigabitEthernet1/0/4"
    Feb  1 13:36:27.933 PST: RADIUS:  Service-Type        [6]   6   Framed                    [2]
    Feb  1 13:36:27.933 PST: RADIUS:  NAS-IP-Address      [4]   6   10.167.64.74             
    Feb  1 13:36:27.933 PST: RADIUS:  Acct-Delay-Time     [41]  6   0                        
    TEST-802.1X#
    Feb  1 13:36:27.938 PST: RADIUS(0000058E): Started 5 sec timeout
    Feb  1 13:36:27.938 PST: RADIUS: Received from id 1646/151 10.167.77.70:1646, Accounting-response, len 20
    Feb  1 13:36:27.938 PST: RADIUS:  authenticator C2 DC 8D C7 B1 35 67 D9 - 28 2B 56 E4 4A 1E AD 65
    At this point the user enters the credentials on the switch_login.html page and then clicks Submit on the Acceptable Use Policy splash page.
    TEST-802.1X#
    Feb  1 13:36:41.413 PST: RADIUS/ENCODE(0000058F):Orig. component type = AUTH_PROXY
    Feb  1 13:36:41.413 PST: RADIUS(0000058F): Config NAS IP: 10.167.64.74
    Feb  1 13:36:41.413 PST: RADIUS/ENCODE(0000058F): acct_session_id: 1422
    Feb  1 13:36:41.413 PST: RADIUS(0000058F): sending
    Feb  1 13:36:41.413 PST: RADIUS(0000058F): Send Access-Request to 10.167.77.70:1645 id 1645/15, len 176
    Feb  1 13:36:41.413 PST: RADIUS:  authenticator 6D 34 7E D6 34 B5 CB AC - 09 1F AC 5A 34 97 7D 6B
    Feb  1 13:36:41.413 PST: RADIUS:  User-Name           [1]   11  "testuser1"
    Feb  1 13:36:41.413 PST: RADIUS:  User-Password       [2]   18  *
    Feb  1 13:36:41.413 PST: RADIUS:  Calling-Station-Id  [31]  14  "ip|G
    Feb  1 13:36:41.413 PST: RADIUS:  Service-Type        [6]   6   Outbound                  [5]
    Feb  1 13:36:41.413 PST: RADIUS:  Message-Authenticato[80]  18 
    Feb  1 13:36:41.413 PST: RADIUS:   F8 4D 85 64 05 5E C9 1D D8 11 B2 A3 1A 3A 76 E0             [ Md^:v]
    Feb  1 13:36:41.413 PST: RADIUS:  Vendor, Cisco       [26]  49 
    Feb  1 13:36:41.418 PST: RADIUS:   Cisco AVpair       [1]   43  "audit-session-id=0AA7404A0000054E16335518"
    Feb  1 13:36:41.418 PST: RADIUS:  NAS-Port-Type       [61]  6   Ethernet                  [15]
    Feb  1 13:36:41.418 PST: RADIUS:  NAS-Port            [5]   6   50104                    
    Feb  1 13:36:41.418 PST: RADIUS:  NAS-Port-Id         [87]  22  "GigabitEthernet1/0/4"
    Feb  1 13:36:41.418 PST: RADIUS:  NAS-IP-Address      [4]   6   10.167.64.74             
    Feb  1 13:36:41.418 PST: RADIUS(0000058F): Started 5 sec timeout
    Feb  1 13:36:41.424 PST: RADIUS: Received from id 1645/15 10.167.77.70:1645, Access-Accept, len 173
    Feb  1 13:36:41.424 PST: RADIUS:  authenticator 28 48 DE B5 1A 0A 71 5A - 3B 8B 7A 12 FB EA 01 58
    Feb  1 13:36:41.424 PST: RADIUS:  User-Name           [1]   11  "testuser1"
    Feb  1 13:36:41.424 PST: RADIUS:  Class               [25]  28 
    Feb  1 13:36:41.424 PST: RADIUS:   43 41 43 53 3A 78 62 63 2D 61 63 73 2F 31 31 36  [CACS:xbc-acs/116]
    Feb  1 13:36:41.424 PST: RADIUS:   34 37 33 32 33 39 2F 31 36 36        [ 473239/166]
    Feb  1 13:36:41.424 PST: RADIUS:  Session-Timeout     [27]  6   3600                     
    Feb  1 13:36:41.424 PST: RADIUS:  Termination-Action  [29]  6   1                        
    Feb  1 13:36:41.424 PST: RADIUS:  Message-Authenticato[80]  18 
    Feb  1 13:36:41.424 PST: RADIUS:   10 80 26 5D 02 C5 15 0C A8 16 AA 35 14 C9 4F 14              [ &]5O]
    Feb  1 13:36:41.424 PST: RADIUS:  Vendor, Cisco       [26]  19 
    Feb  1 13:36:41.429 PST: RADIUS:   Cisco AVpair       [1]   13  "priv-lvl=15"
    Feb  1 13:36:41.429 PST: RADIUS:  Vendor, Cisco       [26]  65 
    Feb  1 13:36:41.429 PST: RADIUS:   Cisco AVpair       [1]   59  "ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-GuestACL-4eefc9a0"
    Feb  1 13:36:41.429 PST: RADIUS(0000058F): Received from id 1645/15
    Feb  1 13:36:41.439 PST: RADIUS/ENCODE(0000058F):Orig. component type = AUTH_PROXY
    Feb  1 13:36:41.439 PST: RADIUS(0000058F): Config NAS IP: 10.167.64.74
    Feb  1 13:36:41.439 PST: RADIUS(0000058F): sending
    Feb  1 13:36:41.439 PST: RADIUS/ENCODE(00000000):Orig. component type = INVALID
    Feb  1 13:36:41.444 PST: RADIUS(00000000): Config NAS IP: 10.167.64.74
    Feb  1 13:36:41.444 PST: RADIUS(00000000): sending
    Feb  1 13:36:41.450 PST: RADIUS(0000058F): Send Accounting-Request to 10.167.77.70:1646 id 1646/152, len 119
    Feb  1 13:36:41.450 PST: RADIUS:  authenticator 23 E3 DA C3 06 5B 37 20 - 67 E2 96 C5 90 1C 71 33
    Feb  1 13:36:41.450 PST: RADIUS:  Acct-Session-Id     [44]  10  "0000058E"
    Feb  1 13:36:41.450 PST: RADIUS:  Calling-Station-Id  [31]  14  "10.167.72.52"
    Feb  1 13:36:41.450 PST: RADIUS:  User-Name           [1]   11  "testuser1"
    Feb  1 13:36:41.450 PST: RADIUS:  Acct-Authentic      [45]  6   RADIUS                    [1]
    Feb  1 13:36:41.455 PST: RADIUS:  Acct-Status-Type    [40]  6   Start                     [1]
    Feb  1 13:36:41.455 PST: RADIUS:  NAS-Port-Type       [61]  6   Ethernet                  [15]
    Feb  1 13:36:41.455 PST: RADIUS:  NAS-Port            [5]   6   50104                    
    Feb  1 13:36:41.455 PST: RADIUS:  NAS-Port-Id         [87]  22  "GigabitEthernet1/0/4"
    Feb  1 13:36:41.455 PST: RADIUS:  Service-Type        [6]   6   Outbound                  [5]
    Feb  1 13:36:41.455 PST: RADIUS:  NAS-IP-Address      [4]   6   10.167.64.74             
    Feb  1 13:36:41.455 PST: RADIUS:  Acct-Delay-Time     [41]  6   0                        
    Feb  1 13:36:41.455 PST: RADIUS(0000058F): Started 5 sec timeout
    Feb  1 13:36:41.455 PST: RADIUS(00000000): Send Access-Request to 10.167.77.70:1645 id 1645/16, len 137
    Feb  1 13:36:41.455 PST: RADIUS:  authenticator 02 B0 50 47 EE CC FB 54 - 2A B6 14 23 63 86 DE 18
    Feb  1 13:36:41.455 PST: RADIUS:  NAS-IP-Address      [4]   6   10.167.64.74             
    Feb  1 13:36:41.455 PST: RADIUS:  User-Name           [1]   31  "#ACSACL#-IP-GuestACL-4eefc9a0"
    Feb  1 13:36:41.455 PST: RADIUS:  Vendor, Cisco       [26]  32 
    Feb  1 13:36:41.455 PST: RADIUS:   Cisco AVpair       [1]   26  "aaa:service=ip_admission"
    Feb  1 13:36:41.455 PST: RADIUS:  Vendor, Cisco       [26]  30 
    Feb  1 13:36:41.455 PST: RADIUS:   Cisco AVpair       [1]   24  "aaa:event=acl-download"
    Feb  1 13:36:41.455 PST: RADIUS:  Message-Authenticato[80]  18 
    Feb  1 13:36:41.455 PST: RADIUS:   15 EC 10 E7 2F 67 33 DD BC B5 AE 11 E3 C3 19 E1               [ /g3]
    Feb  1 13:36:41.455 PST: RADIUS(00000000): Started 5 sec timeout
    Feb  1 13:36:41.455 PST: RADIUS: Received from id 1646/152 10.167.77.70:1646, Accounting-response, len 20
    Feb  1 13:36:41.455 PST: RADIUS:  authenticator AB 0F 81 95 71 A9 61 E0 - 5B B5 D3 2E 8D A2 68 98
    Feb  1 13:36:41.460 PST: RADIUS: Received from id 1645/16 10.167.77.70:1645, Access-Accept, len 560
    Feb  1 13:36:41.460 PST: RADIUS:  authenticator 64 53 94 79 CF CD 05 B0 - ED 12 5C 5B A0 AB 4F FA
    Feb  1 13:36:41.460 PST: RADIUS:  User-Name           [1]   31  "#ACSACL#-IP-GuestACL-4eefc9a0"
    Feb  1 13:36:41.460 PST: RADIUS:  Class               [25]  28 
    Feb  1 13:36:41.460 PST: RADIUS:   43 41 43 53 3A 78 62 63 2D 61 63 73 2F 31 31 36  [CACS:xbc-acs/116]
    Feb  1 13:36:41.460 PST: RADIUS:   34 37 33 32 33 39 2F 31 36 38        [ 473239/168]
    Feb  1 13:36:41.460 PST: RADIUS:  Message-Authenticato[80]  18 
    Feb  1 13:36:41.460 PST: RADIUS:   A1 E6 37 EB 60 3A 28 35 92 56 C5 A9 27 7D 2C E9         [ 7`:(5V'},]
    Feb  1 13:36:41.460 PST: RADIUS:  Vendor, Cisco       [26]  38 
    Feb  1 13:36:41.460 PST: RADIUS:   Cisco AVpair       [1]   32  "ip:inacl#1=remark **Allow DHCP"
    Feb  1 13:36:41.460 PST: RADIUS:  Vendor, Cisco       [26]  57 
    Feb  1 13:36:41.460 PST: RADIUS:   Cisco AVpair       [1]   51  "ip:inacl#2=permit udp any eq bootpc any eq bootps"
    Feb  1 13:36:41.460 PST: RADIUS:  Vendor, Cisco       [26]  37 
    Feb  1 13:36:41.460 PST: RADIUS:   Cisco AVpair       [1]   31  "ip:inacl#3=remark **Allow DNS"
    Feb  1 13:36:41.460 PST: RADIUS:  Vendor, Cisco       [26]  47 
    Feb  1 13:36:41.460 PST: RADIUS:   Cisco AVpair       [1]   41  "ip:inacl#4=permit udp any any eq domain"
    Feb  1 13:36:41.460 PST: RADIUS:  Vendor, Cisco       [26]  61 
    Feb  1 13:36:41.460 PST: RADIUS:   Cisco AVpair       [1]   55  "ip:inacl#5=remark **Deny access to Corporate Networks"
    Feb  1 13:36:41.460 PST: RADIUS:  Vendor, Cisco       [26]  53 
    Feb  1 13:36:41.460 PST: RADIUS:   Cisco AVpair       [1]   47  "ip:inacl#6=deny ip any 10.0.0.0 0.255.255.255"
    Feb  1 13:36:41.460 PST: RADIUS:  Vendor, Cisco       [26]  45 
    Feb  1 13:36:41.460 PST: RADIUS:   Cisco AVpair       [1]   39  "ip:inacl#7=remark **Permit icmp pings"
    Feb  1 13:36:41.460 PST: RADIUS:  Vendor, Cisco       [26]  38 
    Feb  1 13:36:41.460 PST: RADIUS:   Cisco AVpair       [1]   32  "ip:inacl#8=permit icmp any any"
    Feb  1 13:36:41.460 PST: RADIUS:  Vendor, Cisco       [26]  50 
    TEST-802.1X#
    Feb  1 13:36:41.460 PST: RADIUS:   Cisco AVpair       [1]   44  "ip:inacl#9=remark **Permit everything else"
    Feb  1 13:36:41.460 PST: RADIUS:  Vendor, Cisco       [26]  37 
    Feb  1 13:36:41.460 PST: RADIUS:   Cisco AVpair       [1]   31  "ip:inacl#10=permit ip any any"
    Feb  1 13:36:41.465 PST: RADIUS(00000000): Received from id 1645/16
    TEST-802.1X#
    TEST-802.1X#
    TEST-802.1X# 
    interface config looks like:
    interface GigabitEthernet1/0/4
    description **User/IPphone/Guest
    switchport access vlan 702
    switchport mode access
    switchport voice vlan 704
    ip access-group PRE-AUTH in
    srr-queue bandwidth share 1 30 35 5
    queue-set 2
    priority-queue out
    authentication event fail action next-method
    authentication event server dead action authorize
    authentication host-mode multi-auth
    authentication open
    authentication order dot1x mab webauth
    authentication priority dot1x mab webauth
    authentication port-control auto
    authentication fallback WEB_AUTH_PROFILE
    mab
    mls qos trust device cisco-phone
    mls qos trust cos
    dot1x pae authenticator
    dot1x timeout tx-period 3
    auto qos voip cisco-phone
    spanning-tree portfast
    service-policy input AUTOQOS-SRND4-CISCOPHONE-POLICY
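
An added example, not part of the original post: Python that rebuilds the downloadable ACL from the `ip:inacl#N` Cisco AVpairs in the `debug radius` output above, ordered by sequence number, and reports which RFC 1918 ranges a catch-all `permit ip any any` leaves reachable. The function names and the RFC 1918 check are assumptions of this example; the sample lines are excerpted from the debug output in the post.

```python
import re
from ipaddress import IPv4Address, IPv4Network

# Excerpt of the `debug radius` output quoted in the post (the dACL download reply).
SAMPLE_DEBUG = """\
Feb  1 13:36:41.460 PST: RADIUS: Received from id 1645/16 10.167.77.70:1645, Access-Accept, len 560
Feb  1 13:36:41.460 PST: RADIUS:  User-Name           [1]   31  "#ACSACL#-IP-GuestACL-4eefc9a0"
Feb  1 13:36:41.460 PST: RADIUS:  Vendor, Cisco       [26]  38
Feb  1 13:36:41.460 PST: RADIUS:   Cisco AVpair       [1]   32  "ip:inacl#1=remark **Allow DHCP"
Feb  1 13:36:41.460 PST: RADIUS:   Cisco AVpair       [1]   51  "ip:inacl#2=permit udp any eq bootpc any eq bootps"
Feb  1 13:36:41.460 PST: RADIUS:   Cisco AVpair       [1]   31  "ip:inacl#3=remark **Allow DNS"
Feb  1 13:36:41.460 PST: RADIUS:   Cisco AVpair       [1]   41  "ip:inacl#4=permit udp any any eq domain"
Feb  1 13:36:41.460 PST: RADIUS:   Cisco AVpair       [1]   55  "ip:inacl#5=remark **Deny access to Corporate Networks"
Feb  1 13:36:41.460 PST: RADIUS:   Cisco AVpair       [1]   47  "ip:inacl#6=deny ip any 10.0.0.0 0.255.255.255"
Feb  1 13:36:41.460 PST: RADIUS:   Cisco AVpair       [1]   39  "ip:inacl#7=remark **Permit icmp pings"
Feb  1 13:36:41.460 PST: RADIUS:   Cisco AVpair       [1]   32  "ip:inacl#8=permit icmp any any"
TEST-802.1X#
Feb  1 13:36:41.460 PST: RADIUS:   Cisco AVpair       [1]   44  "ip:inacl#9=remark **Permit everything else"
Feb  1 13:36:41.460 PST: RADIUS:   Cisco AVpair       [1]   31  "ip:inacl#10=permit ip any any"
"""

AVPAIR_RE = re.compile(r'Cisco AVpair\s+\[1\]\s+\d+\s+"([^"]*)"')
INACL_RE = re.compile(r'^ip:inacl#(\d+)=(.*)$')
DENY_RE = re.compile(r'^deny ip any (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)$')

RFC1918 = [IPv4Network("10.0.0.0/8"),
           IPv4Network("172.16.0.0/12"),
           IPv4Network("192.168.0.0/16")]


def extract_avpairs(debug_text):
    """Return every quoted Cisco AVpair value found in the debug output."""
    found = []
    for line in debug_text.splitlines():
        match = AVPAIR_RE.search(line)
        if match:
            found.append(match.group(1))
    return found


def rebuild_dacl(debug_text):
    """Return the ACL entries ordered by their numeric ip:inacl#N index."""
    entries = {}
    for avpair in extract_avpairs(debug_text):
        match = INACL_RE.match(avpair)
        if match:
            # Sort on int(N): a string sort would place #10 before #2.
            entries[int(match.group(1))] = match.group(2)
    return [entries[n] for n in sorted(entries)]


def wildcard_to_network(addr, wildcard):
    """Convert an IOS address + contiguous wildcard mask to an IPv4Network."""
    wild = int(IPv4Address(wildcard))
    if wild & (wild + 1):
        raise ValueError("non-contiguous wildcard mask: " + wildcard)
    return IPv4Network((addr, 32 - wild.bit_length()), strict=False)


def private_ranges_left_open(acl):
    """RFC 1918 ranges not covered by a 'deny ip any <net>' that precedes
    the first 'permit ip any any'. Empty if the ACL has no catch-all permit."""
    denied = []
    for entry in acl:
        if entry.startswith("remark"):
            continue
        if entry == "permit ip any any":
            return [str(net) for net in RFC1918
                    if not any(net.subnet_of(d) for d in denied)]
        match = DENY_RE.match(entry)
        if match:
            denied.append(wildcard_to_network(*match.groups()))
    return []


if __name__ == "__main__":
    acl = rebuild_dacl(SAMPLE_DEBUG)
    for number, entry in enumerate(acl, start=1):
        print(f"{number:>3}  {entry}")
    print("private ranges reachable via catch-all permit:",
          private_ranges_left_open(acl))
```

The check only considers the catch-all permit; earlier specific permits (such as the DNS entry that precedes the deny) still apply to denied ranges under first-match evaluation.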

  • Access Point Switchport configuration for OOB NAC

    Hello.
    Here we have to implement Out of Band with WLC and NAC, I have already checked this guide:
    http://www.cisco.com/en/US/products/ps6128/products_configuration_example09186a0080a138cc.shtml
    But I have a little doubt. The document shown above does not specify which VLAN should be configured on the switch's access port facing the access points. Should I configure this with the trusted or untrusted VLAN? I know all traffic from wireless clients goes to the WLC through a CAPWAP tunnel, but I am not really sure which access VLAN should be used for access points in the Out of Band deployment.
    Greetings.

    Just to add again to another one of Steve's posts :) You don't want to put the AP traffic through NAC, but only the traffic for the wireless clients which egresses out of the WLC. So if your wireless clients are being placed in VLAN30 (just an example), you can have an untrusted layer 2 VLAN, VLAN29, which hits the NAC untrusted side and, if remediation is good, the client is then placed in VLAN30. Makes sense?
    Thanks,
    Scott
    Help out others by using the rating system and marking answered questions as "Answered"

  • Access switch lost contact with nac profiler

    hi all,
    We have implemented HA for NAC Profiler using version 3.1.1_18. My problem is that we need to manually update all access switches for them to connect with the NAC Profiler server and then detect endpoints; if I don't click the update button for all access switches, the new endpoints are not seen. On the access switches we configured SNMP cisconac RO and cisconac1 RW. For SNMP, is a manual update needed, or is it automatic when a new endpoint connects to the network? Here I'm attaching my SNMP configuration.

    Hi Larry,
    I had the same problem with iTunes 10.6.5, and one cannot uninstall it. I was on the phone with Apple wireless support. The solution is to upgrade the firmware on the Express, which cannot be done with the latest AirPort utilities. However, Apple re-posted AirPort Utility 5.6 for Lion, which will then allow you to upgrade the firmware on older Apple Express units. This in turn will allow iTunes 10.6 to communicate properly with the Express. Doing so restored my connection to the speakers without any further issues.
    Give it a try...
    The utility is located at:
    http://support.apple.com/kb/DL1482?viewlocale=en_US&locale=en_US
    Best,
    rk007

  • 10g - how to configure sso with iis-

    hi, experts, I have followed Oracle® Business Intelligence Enterprise Edition Deployment Guide to configure SSO with IIS.
    but I always meet this message.
    Not Logged In
    You are not currently logged in to the Oracle BI Server.
    If you have already logged in, your connection might have timed out, or a communications or server error may have occurred
    what steps are missing?
    how to check?

    hi, experts,
    I checked C:\OracleBIData\web\log\sawlog0.log on the obi server (windows server 2003 standard).
    At Thu Feb 17 14:48:46 2011, I logged in to OBI from another machine (not via the browser on the obi server).
    However, the log shows the login user is the administrator of the obiserver (obiserver\administrator).
    Is any setup on IIS wrong? Thank you very much!
    =========================================================================================
    Running job 'MinutelyMonitor' took 7422 milliseconds, 12.3% of job's frequency (60 seconds).
    Type: Error
    Severity: 40
    Time: Thu Feb 17 14:48:46 2011
    File: project/webodbcaccess/odbcconnectionimpl.cpp Line: 371
    Properties: ConnId-1,1;ThreadID-1796
    Location:
         saw.odbc.connection.open
         saw.connectionPool.getConnection
         saw.subsystem.security.checkAuthenticationImpl
         saw.threadPool
         saw.threads
    Odbc driver returned an error (SQLDriverConnectW).
    State: 08004. Code: 10018. [NQODBC] [SQL_STATE: 08004] [nQSError: 10018] Access for the requested connection is refused.
    [nQSError: 43001] Authentication failed for obiserver\administrator in repository Star: invalid user/password. (08004)
    Type: Error
    Severity: 42
    Time: Thu Feb 17 14:48:46 2011
    File: project/webconnect/connection.cpp Line: 276
    Properties: ThreadID-1796
    Location:
         saw.connectionPool.getConnection
         saw.subsystem.security.checkAuthenticationImpl
         saw.threadPool
         saw.threads
    Authentication Failure.
    Odbc driver returned an error (SQLDriverConnectW).
    ---------------------------------------

  • How to configure sso with SSL step by step

    Purpose
    In this document, you can learn how to configure SSO with SSL. After a user has a certificate installed in the browser, he can log in without entering a username and password.
    Overview
    In this document we will demonstrate:
    1.     How to configure OHS to support SSL
    2.     How to Register SSO with SSL
    3.     Configure SSO for certificates
    Prerequisites
    Before starting this document, you should have:
    1.     Oracle AS 10g infrastructure installed (10.1.2)
    2.     OCA installed
    Note:
    1.     When you install Oracle infrastructure, please make sure you have selected OCA.
    2.     How Certificate-Enabled Authentication Works:
    a.     The user tries to access a partner application.
    b.     The partner application redirects the user to the single sign-on server for authentication. As part of this redirection, the browser sends the user's certificate to the login URL of the server (2a). If it is able to verify the certificate, the server returns the user to the requested application.
    c.     The application delivers content. Users whose browsers are configured to prompt for a certificate-store password may only have to present this password once, depending upon how their browser is configured. If they log out and then attempt to access a partner application, the browser passes their certificate to the single sign-on server automatically. This means that they never really log out. To effectively log out, they must close the browser.
    Enable SSL on the Single Sign-On Middle Tier
    The following steps involve configuring the Oracle HTTP Server. Perform them on the single sign-on middle tier. In doing so, keep the following in mind:
    ·     You must configure SSL on the computer where the single sign-on middle tier is running.
    ·     You are configuring one-way SSL.
    ·     You may enable SSL for simple network encryption; PKI authentication is not required. Note though that you must use a valid wallet and server certificate. The default wallet location is ORACLE_HOME/Apache/Apache/conf/ssl.wlt/default.
    1.     Back up the opmn.xml file, found at ORACLE_HOME/opmn/conf
    2.     In opmn.xml, change the value for the start-mode parameter to ssl-enabled. This parameter appears in boldface in the xml tag immediately following.
    <ias-component id="HTTP_Server">
    <process-type id="HTTP_Server" module-id="OHS">
    <module-data>
    <category id="start-parameters">
    <data id="start-mode" value="ssl-enabled"/>
    </category>
    </module-data>
    <process-set id="HTTP_Server" numprocs="1"/>
    </process-type>
    </ias-component>
    3.     Update the distributed cluster management database with the change: ORACLE_HOME/dcm/bin/dcmctl updateconfig -ct opmn
    4.     Reload the modified opmn configuration file:
    ORACLE_HOME/opmn/bin/opmnctl reload
    5.     Keep a non-SSL port active. The External Applications portlet communicates with the single sign-on server over a non-SSL port. The HTTP port is enabled by default. If you have not disabled the port, this step requires no action.
    6.     Apply the rule mod_rewrite to SSL configuration. This step involves modifying the ssl.conf file on the middle-tier computer. The file is at ORACLE_HOME/Apache/Apache/conf. Back up the file before editing it.
    Because the Oracle HTTP Server has to be available over both HTTP and HTTPS, the SSL host must be configured as a virtual host. Add the lines that follow to the SSL Virtual Hosts section of ssl.conf if they are not already there. These lines ensure that the single sign-on login module in OC4J_SECURITY is invoked when a user logs in to the SSL host.
    <VirtualHost ssl_host:port>
    RewriteEngine on
    RewriteOptions inherit
    </VirtualHost>
    Save and close the file.
    7.     Update the distributed cluster management database with the changes:
    ORACLE_HOME/dcm/bin/dcmctl updateconfig -ct ohs
    8.     Restart the Oracle HTTP Server:
    ORACLE_HOME/opmn/bin/opmnctl stopproc process-type=HTTP_Server
    ORACLE_HOME/opmn/bin/opmnctl startproc process-type=HTTP_Server
    9.     Verify that you have enabled the single sign-on middle tier for SSL by trying to access the OracleAS welcome page, using the format https://host:ssl_port.
    Reconfigure the Identity Management Infrastructure Database
    Change all references of http in single sign-on URLs to https within the identity management infrastructure database. When you change single sign-on URLs in the database, you must also change these URLs in the targets.xml file on the single sign-on middle tier. targets.xml is the configuration file for the various "targets" that Oracle Enterprise Manager monitors. One of these targets is OracleAS Single Sign-On.
    1.     Change Single Sign-On URLs
    Run the ssocfg script, taking care to enter the command on the computer where the single sign-on middle tier is located. Use the following syntax:
    UNIX:
    $ORACLE_HOME/sso/bin/ssocfg.sh protocol host ssl_port
    Windows:
    %ORACLE_HOME%\sso\bin\ssocfg.bat protocol host ssl_port
    In this case, protocol is https. (To change back to HTTP, use http.) The parameter host is the host name, or server name, of the Oracle HTTP listener for the single sign-on server.
    Here is an example:
    ssocfg.sh https login.acme.com 4443
    2. Restart OC4J_SECURITY instance and verify the configuration
    To determine the correct port number, examine the ssl.conf file. Port 4443 is the port number that the OracleAS installer assigns during installation.
    If you run ssocfg successfully, the script returns a status 0. To confirm that you were successful, restart the OC4J_SECURITY instance:
    ORACLE_HOME/opmn/bin/opmnctl restartproc process-type=OC4J_SECURITY
    Then try logging in to the single sign-on server at its SSL address:
    https://host:ssl_port/pls/orasso/
    3. Back up the file targets.xml:
    cp ORACLE_HOME/sysman/emd/targets.xml ORACLE_HOME/sysman/emd/targets.xml.backup
    4. Open the file and find the target type oracle_sso_server. Within this target type, locate and edit the three attributes that you passed to ssocfg:
    ·     HTTPMachine—the server host name
    ·     HTTPPort—the server port number
    ·     HTTPProtocol—the server protocol
    If, for example, you run ssocfg like this:
    ORACLE_HOME/sso/bin/ssocfg.sh https sso.mydomain.com 4443
    Update the three attributes this way:
    <Property NAME="HTTPMachine" VALUE="sso.mydomain.com"/>
    <Property NAME="HTTPPort" VALUE="4443"/>
    <Property NAME="HTTPProtocol" VALUE="HTTPS"/>
    5. Save and close the file.
    6. Reload the OracleAS console:
    ORACLE_HOME/bin/emctl reload
    7. Issue these two commands:
    ORACLE_HOME/opmn/bin/opmnctl restartproc process-type=HTTP_Server
    ORACLE_HOME/opmn/bin/opmnctl restartproc process-type=OC4J_SECURITY
    Registering mod_osso
    1.     The command sequence that follows shows a mod_osso instance being reregistered with the single sign-on server.
    $ORACLE_HOME/sso/bin/ssoreg.sh \
         -oracle_home_path $ORACLE_HOME \
         -config_mod_osso TRUE \
         -mod_osso_url https://myhost.mydomain.com:4443
    2.     Restarting the Oracle HTTP Server
    After running ssoreg, restart the Oracle HTTP Server:
    ORACLE_HOME/opmn/bin/opmnctl restartproc process-type=HTTP_Server
    Configuring the Single Sign-On System for Certificates
    1.     Configure policy.properties with the Default Authentication Plugin
    Update the DefaultAuthLevel section of the policy.properties file with the correct authentication level for certificate sign-on. This file is at ORACLE_HOME/sso/conf. Set the default authentication level to this value:
    DefaultAuthLevel = MediumHighSecurity
    Then, in the Authentication plugins section, pair this authentication level with the default authentication plugin:
    MediumHighSecurity_AuthPlugin = oracle.security.sso.server.auth.SSOX509CertAuth
    2.     Restart the Single Sign-On Middle Tier
    After configuring the server, restart the middle tier:
    ORACLE_HOME/opmn/bin/opmnctl restartproc process-type=HTTP_Server
    ORACLE_HOME/opmn/bin/opmnctl restartproc process-type=OC4J_SECURITY
    Bringing the SSO Users to OCA User Certificate Request URL
    The OCA server reduces the administrative and maintenance cost of provisioning a user certificate. The OCA server achieves this by authenticating users by using OracleAS SSO server authentication. All users who have an OracleAS SSO server account can directly get a certificate by using the OCA user interface. This reduces the time normally required to provision a certificate by a certificate authority.
    The URL for the SSO certificate Request is:
    https://<Oracle_HTTP_host>:<oca_ssl_port>/oca/sso_oca_link
    You can configure OCA to provide the user certificate request interface URL to the SSO server for display whenever SSO is not using a certificate to authenticate a user. After the OracleAS SSO server authenticates a user, it then displays the OCA screen enabling that user to request a certificate.
    To link the OCA server to OracleAS SSO server, use the following command:
    ocactl linksso
    opmnctl stopproc type=oc4j instancename=oca
    opmnctl startproc type=oc4j instancename=oca
    You also can use ocactl unlinksso to unlink the OCA to SSO.
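
The procedure above touches four files (opmn.xml, ssl.conf, targets.xml and policy.properties), and a value left at its old setting in any one of them is easy to miss. The following is an added example, not part of the original post or of Oracle's tooling: a small audit that reports settings that do not match the steps; the function names, the `TYPE` attribute on `<Target>` and the sample file contents are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

X509_PLUGIN = "oracle.security.sso.server.auth.SSOX509CertAuth"

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # element name without any XML namespace

def check_opmn(xml_text):
    """opmn.xml: the HTTP_Server start-mode must be ssl-enabled."""
    for comp in ET.fromstring(xml_text).iter():
        if _local(comp.tag) == "ias-component" and comp.get("id") == "HTTP_Server":
            for d in comp.iter():
                if _local(d.tag) == "data" and d.get("id") == "start-mode":
                    ok = d.get("value") == "ssl-enabled"
                    return [] if ok else [f"opmn.xml: start-mode is {d.get('value')!r}"]
    return ["opmn.xml: HTTP_Server start-mode not found"]

def check_ssl_conf(text):
    """ssl.conf: each <VirtualHost> needs RewriteEngine on and RewriteOptions inherit."""
    blocks = re.findall(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", text, re.S | re.I)
    findings = [] if blocks else ["ssl.conf: no <VirtualHost> block"]
    for name, body in blocks:
        # Whole-line comparison, so commented-out directives never match.
        live = [" ".join(l.split()).lower() for l in body.splitlines()]
        for want in ("rewriteengine on", "rewriteoptions inherit"):
            if want not in live:
                findings.append(f"ssl.conf: {name.strip()} lacks '{want}'")
    return findings

def check_targets(xml_text, host, port):
    """targets.xml: the three properties must match what was passed to ssocfg."""
    want = {"HTTPMachine": host, "HTTPPort": str(port), "HTTPProtocol": "HTTPS"}
    for tgt in ET.fromstring(xml_text).iter("Target"):
        if tgt.get("TYPE") == "oracle_sso_server":  # assumed attribute layout
            got = {p.get("NAME"): p.get("VALUE") or "" for p in tgt.iter("Property")}
            return [f"targets.xml: {k} is {got.get(k)!r}, expected {v!r}"
                    for k, v in want.items() if got.get(k, "").lower() != v.lower()]
    return ["targets.xml: no oracle_sso_server target"]

def check_policy(text):
    """policy.properties: the default level must be paired with the X.509 plug-in."""
    props = dict(map(str.strip, l.split("=", 1)) for l in text.splitlines() if "=" in l)
    level = props.get("DefaultAuthLevel")
    if level != "MediumHighSecurity":
        return [f"policy.properties: DefaultAuthLevel is {level!r}"]
    plugin = props.get(level + "_AuthPlugin")
    return [] if plugin == X509_PLUGIN else [f"policy.properties: {level}_AuthPlugin is {plugin!r}"]

def audit(opmn, ssl_conf, targets, policy, host, port):
    return (check_opmn(opmn) + check_ssl_conf(ssl_conf)
            + check_targets(targets, host, port) + check_policy(policy))

# Constructed sample files, not taken from a real installation.
OPMN = ('<ias-instance><ias-component id="HTTP_Server"><module-data>'
        '<category id="start-parameters"><data id="start-mode" value="ssl-enabled"/>'
        '</category></module-data></ias-component></ias-instance>')
SSL_CONF = "<VirtualHost _default_:4443>\n  RewriteEngine on\n</VirtualHost>\n"
TARGETS = ('<Targets><Target TYPE="oracle_sso_server" NAME="sso">'
           '<Property NAME="HTTPMachine" VALUE="sso.mydomain.com"/>'
           '<Property NAME="HTTPPort" VALUE="7777"/>'
           '<Property NAME="HTTPProtocol" VALUE="HTTP"/></Target></Targets>')
POLICY = "DefaultAuthLevel = MediumHighSecurity\nMediumHighSecurity_AuthPlugin = " + X509_PLUGIN

if __name__ == "__main__":
    for finding in audit(OPMN, SSL_CONF, TARGETS, POLICY, "sso.mydomain.com", 4443):
        print(finding)
```

On the constructed samples the audit reports the missing `RewriteOptions inherit` line and the two targets.xml properties that still describe the non-SSL listener.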

    I have read the SSO admin guide, and performed the steps for enabling SSL on the SSO, and followed the steps to configure mod_osso with virtual host on port 4443 as mentioned in the admin guide.
    The case now is that when I call my form (which is developed by forms developer suite 10g and deployed on the forms server which is SSO enabled) , it calls the SSO module on port 7777 using http (the default behaviour).
    on a URL that looks like this :
    http://myhostname:7777/pls/orasso/orasso.wwsso_app_admin.ls_login?Site2pstoreToken=.......
    and gives the error :
    ( Forbidden
    You don't have permission to access /sso/auth on this server at port 7777)
    when I manually change the URL to :
    https://myhostname:4443/pls/orasso/orasso.wwsso_app_admin.ls_login?Site2pstoreToken=.......
    the SSO works correctly.
    The question is :
    How can I change this default behaviour and make it call SSO on port 4443 using https instead ?
    Any ideas ?
    Thanks in advance

  • Non-configurable materials with EK02 costing

    Hi all,
    We have a range of non configurable manufactured materials which, when used in standard sales orders, generate a production order and BOM. Presently the cost is automatically generated from the material master and is populated as a VPRS cost.
    As these materials have a BOM we want the cost to pick up from the BOM instead, ie as an EK02 cost. If we enter such a material and do a manual recost the EK02 populates in the sales order item conditions but we cannot get it to populate automatically as it does with configurable materials with BOMs.
    In the define item categories section in SPRO we have removed the determine cost tick. This has the desired effect of removing the VPRS cost but the EK02 cost still doesn't pull through. In the Bill of Material / Configuration section of the item category we tried setting the structure scope to A (Explode single-level bill of material) and B (Explode multi-level bill of material) but this didn't work. If we set it to D (Configuration, poss. with BOM explosion), then we get the "item can be configured but there is no configuration" error when used in a sales order which is expected as these products have no configuration.
    We also tried deleting the standard cost held in the material master to see if, as that value was now blank, it would pick up the EK02 instead but, alas, this also didn't work.
    Any help / suggestions would be most appreciated.
    Kind regards, Rob

    HI,
    We are maintaining the Service masters for the services we render, there is no valuation of Inventory as only service is being rendered.
    But we have maintained BOM and Routings for the services we render.
    Even there is no valuation class in the service masters as this is non valuated.
    Can you guide me more on this pls.
    Thanks,
    Ravi

  • Create a configurable material with reference to another config material

    Hi,
    I want to create a configurable material with reference to another configurable material from different system.
    Please tell me what data i need to check to see if that material has been created (copied manually) successfully.
    Thanks.

    Hi,
    In the case of configurable material, the most important thing is the configuration, so please check whether the configuration is copied perfectly with all characteristics or not. Similarly, check whether the valuation class and price control are proper or not.
    Regards,
    Umesh

  • Configuring php5 with enable XML on OAS 10.1.3.x

    My requirement is to enable XML on OAS 10.1.3.5.
    I am not sure how to configure it, so I started using a separate PHP 5.2 build to configure with XML enabled on the server. After installation, when I start the opmn services I get the error below. I think the error is with the platform, which means the current OS version is 64bit and the php5.2 stage is a 32bit version, I guess.
    OAS_HOME=/u20/app/MSRV1P/apmsrv1p/oracle/product/OAS
    URL : http://nacisdell277.us.oracle.com:10330/phpinfo.php
    I used the command below to configure:
    ./configure --prefix=$ORACLE_HOME/php --with-config-file-path=$ORACLE_HOME/Apache/Apache/conf --with-apxs=$ORACLE_HOME/Apache/Apache/bin/apxs \
    --with-oci8=instantclient,/u20/app/MSRV1P/apmsrv1p/oracle/product/instantclient_10_2 --with-config-file-path=/u20/app/MSRV1P/apmsrv1p/oracle/product/OAS/Apache/Apache/php5 --enable-sigchild --enable-xml --enable-simplexml --enable-libxml --enable-dom --enable-simplexml --enable-xml --enable-xmlreader --enable-xmlwriter --enable-simplexml --with-xsl --with-zlib --with-xml --with-libxml-dir
    Error :
    /u20/app/MSRV1P/apmsrv1p/oracle/product/OAS/Apache/Apache/bin/apachectl startssl: execing httpd
    Syntax error on line 247 of /u20/app/MSRV1P/apmsrv1p/oracle/product/OAS/Apache/Apache/conf/httpd.conf:
    Cannot load /u20/app/MSRV1P/apmsrv1p/oracle/product/OAS/Apache/Apache/libexec/libphp5.so into server: /u20/app/MSRV1P/apmsrv1p/oracle/product/OAS/Apache/Apache/libexec/libphp5.so: wrong ELF class: ELFCLASS64
    I checked in the Metalink for “configuring php5 with enable XML on OAS 10.1.3.x” but I couldn’t find anything.
    Please advise me on this.
    Thanks

    Hello;
    You can try installing glibc-devel to fix this.
    However on my version :
    Application Server Control Release 10.1.2.3.0 - PHP 5 does not seem to work. The conflict on mine is that PHP 4 came wrapped in the Oracle install and they don't play well together.
    Make sure your httpd.conf does not have this in it :
    LoadModule php4_module libexec/libphp4.so
    I'm NOT advising you to remove it if it's there, I'm merely pointing to a possible conflict.
    Best Regards
    mseberg
    Later
    Glad you don't have the same version as me. Hard to find anything on this, found these ( Not exact matches )
    http://php.net/manual/en/oci8.installation.php ( Search for ELF )
    http://enlinea.creaelicita.cl/guia/oci8.setup.html
    http://docs.oracle.com/cd/E17390_01/doc.650/e17370.pdf
    Found this in the pdf : ( Similar )
    If the following error is received:
    *ERROR* - obssocookie: could not dlopen()
    /opt/netpoint/AccessServerSDK//oblix/lib/libobaccess.so:
    /opt/netpoint/AccessServerSDK//oblix/lib/libobaccess.so: wrong ELF class:
    ELFCLASS32
    This indicates that the 32-bit version of the Access Gate SDK was installed instead of
    the required 64-bit version.
    Edited by: mseberg on Feb 4, 2012 5:53 AM
    Still later
    Another thought is the PHP forum :
    PHP
    Also you need the 32bit Instant Client to be able run PHP. See http://blogs.oracle.com/opal/entry/using_php_oci8_with_32-bit_php
    Same OS message :
    ORA-03106: fatal two-task communication protocol error
    Edited by: mseberg on Feb 4, 2012 7:03 PM
    Rogue Notes from my Fusion Middleware on Red Hat 5 64 bit
    I downloaded php-5.3.5.tar.gz from http://www.php.net/downloads.php.
    Download the OCI headers http://www.oracle.com/technetwork/middleware/ias/ociheaders-134541.tar
    environment
    export ORACLE_HOME=/u01/app/oracle/product/fmw/oracle_pfrd
    export ORACLE_INSTANCE=/u01/app/oracle/product/fmw/fr_inst
    export CONFIG_FILE_PATH=$ORACLE_INSTANCE/config/OHS/ohs1
    export LD_LIBRARY_PATH=$ORACLE_HOME/lib:$ORACLE_HOME/ohs/lib:$LD_LIBRARY_PATH
    Configure with Oracle Database (OCI8) support:
    ./configure --with-apxs2=$ORACLE_HOME/ohs/bin/apxs --prefix=$ORACLE_HOME --with-config-file-path=$CONFIG_FILE_PATH --with-oci8=$ORACLE_HOME --disable-rpath
    httpd.conf
    # And for PHP 5.x use:
    AddType application/x-httpd-php .php .phtml
    Edited by: mseberg on Feb 4, 2012 7:19 PM
    Edited by: mseberg on Feb 5, 2012 11:48 AM
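
The loader message in this thread names the ELF class of the object it rejected, so `wrong ELF class: ELFCLASS64` is what a 32-bit process reports when handed a 64-bit shared object. The following is an added example, not code from the thread: it reads the class and machine fields from the ELF header so a server binary and a module can be compared before a restart; the function names and the sample headers are constructed for illustration.

```python
import struct

ELF_CLASS = {1: "ELFCLASS32", 2: "ELFCLASS64"}           # e_ident[EI_CLASS]
MACHINE = {2: "SPARC", 3: "x86", 20: "PowerPC", 21: "PowerPC64",
           43: "SPARC V9", 50: "IA-64", 62: "x86-64"}      # e_machine

def elf_ident(header):
    """Return (class, machine) from the first 20 bytes of an ELF file."""
    if len(header) < 20 or header[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if header[4] not in ELF_CLASS or header[5] not in (1, 2):
        raise ValueError("corrupt e_ident")
    byte_order = "<" if header[5] == 1 else ">"   # EI_DATA: 1 = LSB, 2 = MSB
    # e_machine is the 16-bit field at offset 18, after e_ident and e_type.
    (machine,) = struct.unpack_from(byte_order + "H", header, 18)
    return ELF_CLASS[header[4]], MACHINE.get(machine, "machine %d" % machine)

def load_verdict(server_header, module_header):
    """Compare the server binary with a module it is asked to load."""
    srv, mod = elf_ident(server_header), elf_ident(module_header)
    if srv[0] != mod[0]:
        return "wrong ELF class: " + mod[0]   # same wording as the loader error
    if srv[1] != mod[1]:
        # Wording of this message is this example's own, not the loader's.
        return "machine mismatch: %s module, %s server" % (mod[1], srv[1])
    return "ok"

def read_header(path):
    """First 20 bytes of a file on disk, e.g. httpd or libphp5.so."""
    with open(path, "rb") as fh:
        return fh.read(20)

def sample_header(elf_class, machine):
    """Constructed little-endian header: e_ident, e_type = ET_DYN, e_machine."""
    return b"\x7fELF" + bytes([elf_class, 1, 1]) + bytes(9) + struct.pack("<HH", 3, machine)

if __name__ == "__main__":
    httpd_32 = sample_header(1, 3)       # stands in for a 32-bit httpd
    libphp_64 = sample_header(2, 62)     # stands in for a 64-bit libphp5.so
    print(load_verdict(httpd_32, libphp_64))
```

On a real system, pass `read_header()` the paths of the server binary and the module instead of the constructed headers.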

  • Server app : random errors in configuration applied with configuration profile

    When I verify the information contained in the user configuration profile with both the Profile Manager and TextMate, everything is OK. When I install the configuration profile on a computer, there are errors in the configuration of the Mail app: the email address is configured as [email protected] instead of [email protected], and the username is [email protected] instead of user1. Both server and client computers are running Mac OS X 10.8.
    Thanks for the help!

