CSCum97337 - Ise Endpoint Profile is getting degraded based on poorer user agent

Similar Messages

• Trying to get Firefox to open in User Agent "Internet Explorer"

  I run an Internet Cafe and have recently installed Ubuntu 10.04 over Micro$oft.
  I HAVE to give customers an alternative to Live Messenger.
  I have TokBox setup .. but gives problems now & then.
  I need to cover all bases or lose customers.
  The only viable alternative I have found is '''EBuddy'''.
  Now the problem is .. when I log in using Internet Explorer and I connect to a contact - I can see the start video call "button".
  Any other browser and the webcam button does not show.
  All of the Firefox & Seamonkey User Agent Switchers I have tried work .. but I cannot expect the customer to know that they need to switch User Agent before they can use the webcam.
  I need to Launch either Firefox or Seamonkey (preferably Seamonkey - if the fix is to be a permanent one) in Internet Explorer mode.
  A permanent "fix" for Firefox was suggested on the Ubuntu Forum ...
  1. Open about:config
  2. Right-click, choose "New" > "String"
  3. Type "general.useragent.override" (no parentheses) into the "New String Value" dialog box that appears and press "Enter." Type or copy and paste the desired new user agent string into the "Enter String Value" box (in this case "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)" )
  When you're done, copy that Firefox profile to all of your computers (the .mozilla folder)
  I tried this on Seamonkey .. but it did not have the desired effect = no start video call button.
  There is a Proxy Tool add on for Seamonkey which can change the user agent and this works. Same thing for Firefox.
  But the user agent is back to default on browser re-start.
  In an ideal world I would like to create a Launcher on Ubuntu desktop which would open either Firefox or Seamonkey on the E Buddy sign in page and the User Agent would automatically be set to IE8 or 9.

  Try to set the user agent via a user.js file.
  *http://kb.mozillazine.org/user.js_file
  user_pref("general.useragent.override", "<IE user agent>");

• Using IE but getting Mozilla/4.0  in user-agent header

  I am using IE but am getting following while printing headers. Why?
  Name: user-agent
  Value: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

  This string is correct. You're using a mozillacompatible (Moz 4.0) useragent IE 6.0 (MSIE 6.0) on Windows XP (NT 5.1). For FireFox it should look like:Mozilla/5.0 (Windows; U; Windows NT 5.1; nl; rv:1.8.1.4) Gecko/20070515 Firefox/2.0.0.4Maybe you need to read something more about the useragent strings. This has actually nothing to do with Java nor servlets.

• ISE 1.2 Profiling - User Agent attribute incorrect

  Hi all,
  Just troubleshooting some profiling issues and have found that multiple devices are profiling incorrectly eg MAC OSX profiling as Apple-Device. Basically the issue is the user-agent string profiled by ISE is incorrect meaning that only the OUI is matched. During the BYOD onboarding process, non Internet Browser, applications and services (games and OCSP Daemons etc) are presenting their specific user-agent strings eg "OCSPD\1.0.2" to ISE resulting in incorrect profiling.
  Does anybody have any suggestions on how to resolve this issue as it is resulting in about 50% of devices been profiled at the "top level" ie Apple-Device or Windows Workstation (anything based on User-Agent). Can any one explain whether profiler works on the basis of first agent received, last agent received and why it doesn't hold onto a list of presented agents to make a decision? In my mind this is a pretty big issue in that some of the more popular device profiling policies are based on a user-agent string thus potentially preventing you from defining tight Authz policies eg IPAD only etc

  "Unless you have suppression configured, ISE will continue to collect profiling data and will re-profile a device as long as a rule with higher certainty factor is hit. However, if the certainty factor is the same the device will remain at its originally profiled group."
  The suppression feature will not affect the re-profiling of a device.  The suppression only affects the logging on the MnT node.  Since the Profiling is a PSN function the suppression has no affect on the outcome of a profiling event. 
  You are correct in that a rule with a higher certainty factor "wins" and this is the profile that is chosen.  Again, an understanding of how profiles work is not the issue here.  
  For example say only the RADIUS and HTTP probes are being utilized for an endpoint.  There are two endpoints one is a iPad and the other an iPhone.  The endpoint attributes that are known about the device are the MAC OUI and the useragent. 
  Based on the default profiling rules there are two three things that need to be identified either an iPhone or an iPad.  The first common item is that the MAC OUI is identified as apple.  This increases the certainty factor by 10.  The second is either the HTTP User agent containing either iPad/iPhone or the DHCP hostname containing either iPad/iPhone.  Both of those conditions would increase the certainty factor by 20 for a total of 30.  Since DHCP is not being used in this example we can remove that for a possibility and say that for an iPhone to be profiled as an iPhone it must both have a MAC OUI of apple and the useragent must contain iPhone.  Same goes for iPad, but iPad in the useragent. 
  Like smcbridebpc stated every application that uses HTTP will have a useragent string.  The profiler rules assume that the useragent that is being used contains either the word iPhone or iPad to distinguish these types of devices.  If an application on the device sends a useragent string such as  "OCSPD\1.0.2" which is obviously the OCSP Daemon.  This useragent string is "stuck" on the endpoint and no other usable useragents can be used to profile the device.  Therefore a race condition exists and depending on the application that wins determines if the profiler will be accurate or not.   
  The only two solutions that I can think of would be to have a useragent filter that would allow you to manually filter out useragents like "OCSPD\1.0.2" (or the ISE developers could filter known unusable user agents out on the backend)  OR everytime a new useragent is presented to the profiler for a device the useragent is joined to a list of useragents. 
  If the useragent was overwritten everytime a new useragent was presented then it would cause the device to be reclassified everytime the different applications presented useragents which would not be good.  
  It does look like a bug may have been filed and marked as fixed in release pending, but the bug notes do not list enough information to identify if this is the same issue that we are seeing.
  https://tools.cisco.com/bugsearch/bug/CSCuj45373

• ISE - Bulk change endpoint profiles?

  Anyone know how to actually do this? I've got about 300 devices that I want to change the endpoint profile on, and I'd like to do it in bulk as opposed to clicking on each one. When I check more than one, my "Edit" option is gone.
  I suppose I could export them, change the profile, delete all, then re-import the .csv... but that seems a little tedious if there's a way to do it in the GUI.
  Thanks.

  Hi Tarik,
  Thanks... I wasn't aware it just updated the profile and didn't require a delete. That's good news.
  I'll give it a shot.

• Report based on the user profile

  Hi,
  i'm trying to create a report with Oracle Report6i based on the user profile.
  I created a form with many Lovs, so that i can choose the parameter to send to the report (using a java script).
  I also would like to send the user that's currently logged in, just in order to filter the output.
  How can i use the api wwctx_api.get_user in the java script ?
  Thanks.

  Hi,
  It is not possible to use the api directly in javascript. Maybe you pass it as a parameter to a javascript function.
  Thanks,
  Sharmila

• Can't get version based downloads to work

  I am new to JNLP and trying to get version based downloads to work. I have read everything I can find, but I still seem to be missing something. My setup:
  Tomcat 4.1.18 (running in JDK 1.4.0)
  Java WebStart 1.2
  Win 2k
  files in .war
  -launch.jnlp
  -+1.0
  |-testapp.jar
  |-version.xml
  -+images
  |-Save.gif
  -+META-INF
  |-MANIFEST.MF
  -+WEB-INF
  |-+lib
  | |-jnlp-servlet.jar
  |-web.xmllaunch.jnlp
  TS: 2002-04-23 19:21:05
  <?xml version="1.0" encoding="UTF-8"?>
  <jnlp codebase="$$codebase" href="$$name">
     <information>
        <title>ljtest 1</title>
        <vendor>Lance</vendor>
        <description>just an example</description>
        <icon href="images/Save.gif"/>
     </information>
     <resources>
        <j2se version="1.2+"/>
        <jar href="1.0/testapp.jar" version="1.0"/>
     </resources>
     <application-desc main-class="Main"/>
  </jnlp>version.xml
  <jnlp-versions>
     <resource>
        <pattern>
           <name>testapp.jar</name>
           <version-id>1.0</version-id>
        </pattern>
        <file>testapp.jar</file>
     </resource>
  </jnlp-versions>web.xml
  <?xml version="1.0" encoding="ISO-8859-1"?>
  <!DOCTYPE web-app
      PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN"
      "http://java.sun.com/j2ee/dtds/web-app_2_2.dtd">
    <web-app>
       <servlet>
          <servlet-name>JnlpDownloadServlet</servlet-name>
          <servlet-class>com.sun.javaws.servlet.JnlpDownloadServlet</servlet-class>
          <init-param>
             <param-name>logLevel</param-name>
             <param-value>DEBUG</param-value>
          </init-param>
       </servlet>
       <servlet-mapping>
          <servlet-name>JnlpDownloadServlet</servlet-name>
          <url-pattern>*.jnlp</url-pattern>
       </servlet-mapping>
    </web-app>Things I have discovered (possibly in error?):
  1) I do not need to include the jaxp.jar and parser.jar files because I am using JDK 1.4
  2) I do not need to change my testapp.jar to testapp_V1.0.jar because I have included the the version.xml file in the 1.0 directory
  I keep getting the following error in WebStart when I loadup the jnlp:
  JNLPException[category: Download Error : Exception: null : LaunchDesc: null ]
       at com.sun.javaws.cache.DownloadProtocol.doDownload(Unknown Source)
       at com.sun.javaws.cache.DownloadProtocol.getDownloadSize(Unknown Source)I can get everything to work without version based downloads. Does anyone have any clue what I am doing wrong?
  Lance

  I found my own error. After loading up sun's reference implementation server in NetBean's debugger I noticed that it was only handling .jnlp files. Going back to the "Packaging JNLP Applications in a Web Archive" document I found my mistake. My web.xml files should have looked like this.
  <?xml version="1.0" encoding="ISO-8859-1"?>
  <!DOCTYPE web-app
      PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN"
      "http://java.sun.com/j2ee/dtds/web-app_2_2.dtd">
    <web-app>
       <servlet>
          <servlet-name>JnlpDownloadServlet</servlet-name>
          <servlet-class>com.sun.javaws.servlet.JnlpDownloadServlet</servlet-class>
          <init-param>
             <param-name>logLevel</param-name>
             <param-value>DEBUG</param-value>
          </init-param>
       </servlet>
       <servlet-mapping>
          <servlet-name>JnlpDownloadServlet</servlet-name>
          <url-pattern>*</url-pattern>
       </servlet-mapping>
    </web-app>The difference being the <url-pattern> tag. It now tells the web server to handle all files not just .jnlp.
  This allowed me to download version based jnlp entries. I still can't get jarDiff things to work, but I will keep banging my head against the wall till I figure that out.
  Lance

• NAC Profiler 2.18: Endpoint Profiles Missing

  This is a licensed Nac Profiler which has no canned Endpoint Profiles included.
  I go to Configuration--->Endpoint Profiles---> View/Edit Profile List
  The message I see is "No Profiles Found"
  Please clue me in on what I am missing.
  This is from the install guide:
  "Enabling Existing Endpoint Profiles
  Cisco NAC Profiler ships with a number of predefined Endpoint Profiles that have been created and tested in field deployments. These Profiles can be re-used as-is if desired, or may be modified as the situation dictates. In addition, they serve as templates for creating new profiles as outlined later in this section, and illustrate how different rule types and varying levels of certainty can be used to accurately Profile devices.
  To view the list of Endpoint Profiles that are currently available in the system configuration, navigate to the Configuration tab, and select Endpoint Profiles option from the global navigation menu in the far left hand pane, or select Endpoint Profiles from the leftmost column of the table on the main Configuration page. Select View/Edit Profile List to display the Endpoint Profiles currently saved in the system configuration."
  Thanks.

  To verify that Cisco NAC Profiler is populating entries properly in the Device Filter list of the CAM, log into the CAM as administrator. Select the Filters button under Device Management in the left-hand navigation bar. The following screen displays in the main pane of the browser, enumerating all the endpoints currently on the CAM Device Filter list.
  After configuring the Server module parameters, adding NAC Events, and performing a Synchronization process (full or NAC Event level), the endpoints that are in the Profile(s) matching enabled (and synchronized) NAC events should be populated to the device filter list of the CAM.
  http://www.cisco.com/en/US/docs/security/nac/profiler/configuration_guide/218/p_integration.html#wp1055729

• User Profile Services:How get to know how many user are using my site.

  Hi,
  User Profile Services:How get to know how many user are using my site.
  Recently i have done migration sharepoint 2010 to sharepoint 2013,I did not migrate USer profile services because less user are using user profile here,but i need to know how many few uer are using my site for data store.
  Is any why we can get to know  user name who are using my site document library and other things.
  Hasan Jamal Siddiqui(MCTS,MCPD,ITIL@V3),Sharepoint and EPM Consultant,TCS
  |
  | Twitter

  Fallowing command shows only count of my site user ,I need to know how many upload data on my site
  Hasan Jamal Siddiqui(MCTS,MCPD,ITIL@V3),Sharepoint and EPM Consultant,TCS
  |
  | Twitter

• How to get PERNR based on user ID

  Hi All,
  How to get PERNR based on userid.
  please help me in resolving this.
  Thanks for the support.
  Regards,
  Dhananjaya R E

  hope this will help u
  DATA:   t_pernr LIKE pa0105-pernr,
            t_email LIKE pa0105-usrid_long.
  STEP 1 - Find personnel number for UNAME
     SELECT SINGLE pernr
               INTO t_pernr
               FROM pa0105
             WHERE subty = '0001'
            AND endda >= sy-datum
           AND begda <= sy-datum
           AND usrid = p_uname.
  Employee record found*
  IF sy-subrc = 0.
  STEP 2 - Find email address for personnel number*
  SELECT SINGLE usrid_long
           INTO t_email
           FROM pa0105
          WHERE pernr = t_pernr
            AND subty = '0022'
            AND endda >= sy-datum
            AND begda <= sy-datum.

• MSE-provided location used with ISE Authorization Profile

              Hello Everyone,
  Can MSE-provided location be used in an ISE Authorization Profile?
  Thanks much,
  David D.

  Yes, ISE 1.2 can used this feature if it is used with Merridian or Ironmobile integration. and This is still in Road Map.

• PAM-KRB5: account:  unable to get host based service name for realm

  I want a custom service to authenticate via PAM with Microsoft Active Directory Services on Windows 2003. kinit appears to work:
  Myserver% klist
  Ticket cache: /tmp/krb5cc_200
  Default principal: [email protected]
  Valid starting Expires Service principal
  Tue 01 Aug 2006 10:42:23 AM CDT Tue 01 Aug 2006 08:42:23 PM CDT krbtgt/[email protected]
  renew until Tue 08 Aug 2006 10:42:23 AM CDT
  Running a sample PAM consumer using 'winsamp' as its service name complains that Kerberos doesn't know the user. syslog reports: PAM-KRB5: account: unable to get host based service name for realm 'EXAMPLE.COM'.
  I'm stuggling to get any additional logging out of either PAM or Kerberos. Any advice appreciated.
  /etc/pam.conf:
  winsamp auth required pam_krb5.so.1 debug
  winsamp password required pam_krb5.so.1 debug
  winsamp account required pam_krb5.so.1 debug
  winsamp session required pam_krb5.so.1 debug
  /etc/krb5/krb5.conf:
  [libdefaults]
  default_realm = EXAMPLE.COM
  default_tkt_enctypes = des-cbc-md5 ; or des-cbc-crc
  default_tgs_enctypes = des-cbc-md5 ; or des-cbc-crc
  [realms]
  EXAMPLE.COM = {
  kdc = mykdc.example.com:88
  admin_server = mykdc.example.com
  default_domain = EXAMPLE.COM
  [domain_realm]
  .example.com = EXAMPLE.COM
  [logging]
  default = FILE:/var/krb5/kdc.log
  kdc = FILE:/var/krb5/kdc.log
  kdc_rotate = {
  # How often to rotate kdc.log. Logs will get rotated no more
  # often than the period, and less often if the KDC is not used
  # frequently.
  period = 1d
  # how many versions of kdc.log to keep around (kdc.log.0, kdc.log.1, ...)
  versions = 10
  [appdefaults]
  kinit = {
  renewable = true
  forwardable= true
  PAM sample application synopsis:
  pam_start("winsamp", "someuser", &conv, &pamh);
  err = pam_authenticate(pamh, 0);
  if (err == PAM_USER_UNKNOWN)
  printf("don't know that user\n"); // <-- we always arrive here
  logout();
  }

  Part of the problem was that the Sun server's domain was not an exact match for the ADS domain. One was XXXX.EXAMPLE.COM and the other was just EXAMPLE.COM. Adding the equiv. domains in krb5.conf improved that situation.
  The sample PAM application still doesn't behave the way I want. When pam.conf is configured to authenticate against /etc/passwd, it works. Not when authenticating against ADS alone. I've come to the conclusion that PAM is for authenticating ONLY access to Solaris accounts.
  My application does not need a Solaris account. Am I using the wrong authentication API?

• SC-Sourcing getting contracts based on category_id? BADI-bbp_sos_Badi?

  Hi,
  In Shopping Cart-Sourcing, by default it is selecting contracts based on ORDERED_PROD,PRODUCT (material no).
  But I want to implement search logic to get contracts based on CATEGORY_ID.
  All the contracts related to this category_id I want to get that contracts.
  Can any one give idea how I can get this?
  I tried to implement BADI -BBP_SOS_BADI
  Method -BBP_SOS_SEARCH
  I tried to use the FM - BBP_PD_INDEX_FIND and pass the contracts to the BADI but it is not working.
  Did anyone worked on this method, please let me know how to get the complete contracts info and sending back to BADI?
  Thanks in advance.

  Hi,
  there is one open point for me in your question. Would you like to search:
  1) only for product category contracts (which don't have product ID)
  2) for contracts, which category equals to the category ID of the SC item (practically also contracts should appear, which have from the SC items product ID different product ID)
  For the first case you only need to modificate the coding in the form SOS_LOCAL_CALL_PD (LBBP_SC_APPF87):
  Kontext-Block                                          
    else.                                                
      clear ev_error.                                    
  *   Delete heade contract from the SOS                 
  Delete-Block                                           
      DELETE et_con_list WHERE ctr_item_number = space.  
  Insert-Block                                           
  *    DELETE et_con_list WHERE ctr_item_number = space. 
  With this change in addition to the ORDERED_PROD search also product category contracts will be found.
  Regards,
  Peter

• SC-Sourcing getting contracts based on category_id?

  Hi,
  In SC-Sourcing, by default it is selecting contracts based on ORDERED_PROD,PRODUCT (material no).
  But I want to implement search logic to get contracts based on  CATEGORY_ID.
  All the contracts related to this category_id I want to get that contracts.
  Can any one give idea how I can get this?
  I tried to implement BADI -BBP_SOS_BADI
  Method -BBP_SOS_SEARCH
  I tried to use the FM - BBP_PD_INDEX_FIND and pass the contracts to the BADI but it is not working.
  Did anyone worked on this method, please let me know how to get the complete contracts info and sending back to BADI?
  Thanks in advance.

  Hi,
  please see the answer:
  SC-Sourcing getting contracts based on category_id? BADI-bbp_sos_Badi?
  Regards,
  Peter

• Can 'Region' field gets defaulted based on owner of account?

  Hi
  Can 'Region' field in Account sales information gets defaulted based on owner of account?
  Owner belongs to 'West' region then account should get defaulted with same region.
  I have defined 'West' as territory for this owner.
  Do anybody has expression available for making field default ?
  Thanks
  Santosh

  Mahesh,
  Read-only is an option, but only if you never want users to change the values. If your users always work in the same Div, Region, and Sub-Region, then it would be reasonable to lock it so they don't feel like they have to update it. If,however, you have users that work in more than one sub-region, and they need to update it, then you wouldn't make it read-only.
  As far as workflow is concerned, you would need it to update the values when the ownership changes, if that is a requirement. If you choose not to update it, then it might not reflect the correct values for the new owner. Your decision on whether or not to implement the workflow would be based on whether or not your business rules require it. Most of the time, customers want the data to reflect the correct values for the current owner, but not always, so check with your customers and let the requirements drive the decision.
  Good Luck,
  Thom