Decrypting NAC appliance agent event logs

Talking about the Mac NAC agent the CAM config guide says...
'The Log file (~/Library/Application Support/Cisco Systems/CCAAgent/event.log) is encrypted. The user must use the decryption tool on Windows to see the log in clear text.'
Does anyone know what decryption tool they are talking about?

I was told by TAC that logs are encrypted to prevent shared secrets and the like being taken and ONLY TAC persons have the decrypter. I have no idea if that applies here or is even necessarily true, but it's what I was told. So I would contact TAC and upload the log.

Similar Messages

  • CCA Agent debug - AD SSO NAC Appliance

    Hi,
    I'm investigating a HARD AD SSO issue on NAC appliance and, checking the doc suggested by Prem (Troubleshooting Windows SSO), I don't understand how I can obtain the output on page 14 (title: Debug Logs from Agent).
    I've activated the event.log (adding registry key...) as suggested, but in that file I can see only a lot of hexadecimal data... not easy to understand...
    Can somebody help me?
    Thanks, regards

    I think most of the hexadecimal characters are MAC addresses. In the following document go to chapter "error and event log messages" for understanding the messages
    http://www.cisco.com/univercd/cc/td/doc/product/vpn/ciscosec/cca/cca41/cam41ug.pdf

  • Windows update KB2964444 broke Event Logging Service and SQL Agent Service on Windows Server 2008 R2

    I got the following problem:
    I discovered that on my Windows Server 2008R2 machine the event logging stopped working on 04/May/2014 at 03:15.
    Also, SQL Agent Service won't run.
    The only change that day was security update KB2964444 - Security Update for Internet Explorer 11 for Windows Server 2008 R2 for x64-based Systems, that was installed exactly 04/May/2014 at 03:00. Apparently, that's what broke my machine...
    When I try to start Windows Event Log via net start eventlog or via Services panel, I get an error:
    C:\Users\Administrator>net start eventlog
    The Windows Event Log service is starting.
    The Windows Event Log service could not be started.
    A system error has occurred.
    System error 2 has occurred.
    The system cannot find the file specified.
    I tried:
    restarted the OS (virtual on the host's VMWare).
    re-checked the settings in services menu - they are like in the link.
    checked the identity in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\eventlog - the identity is NT AUTHORITY\LocalService
    gave all Authenticated Users full access to C:\Windows\System32\winevt\Logs
    ran sfc /scannow - Windows Resource Protection did not find any integrity violations.
    went to the file %windir%\logs\cbs\cbs.log - all clean, [SR] Repairing 0 components
    EDIT: Uninstalled the recent system updates and rebooted - didn't help
    EDIT: Sysinternals Process Monitor results when running start service from services panel (procmon in elevated mode):
    filters:
    process name is svchost.exe : include
    operation contains TCP : exclude
    the events captured are:
    21:50:33.8105780 svchost.exe 772 Thread Create SUCCESS Thread ID: 6088
    21:50:33.8108848 svchost.exe 772 RegOpenKey HKLM SUCCESS Desired Access: Maximum Allowed, Granted Access: Read
    21:50:33.8109134 svchost.exe 772 RegQueryKey HKLM SUCCESS Query: HandleTags, HandleTags: 0x0
    21:50:33.8109302 svchost.exe 772 RegOpenKey HKLM\System\CurrentControlSet\Services REPARSE Desired Access: Read
    21:50:33.8109497 svchost.exe 772 RegOpenKey HKLM\System\CurrentControlSet\Services SUCCESS Desired Access: Read
    21:50:33.8110051 svchost.exe 772 RegCloseKey HKLM SUCCESS
    21:50:33.8110423 svchost.exe 772 RegQueryKey HKLM\System\CurrentControlSet\services SUCCESS Query: HandleTags, HandleTags: 0x0
    21:50:33.8110705 svchost.exe 772 RegOpenKey HKLM\System\CurrentControlSet\services\eventlog SUCCESS Desired Access: Read
    21:50:33.8110923 svchost.exe 772 RegQueryKey HKLM\System\CurrentControlSet\services\eventlog SUCCESS Query: HandleTags, HandleTags: 0x0
    21:50:33.8111257 svchost.exe 772 RegOpenKey HKLM\System\CurrentControlSet\services\eventlog\Parameters SUCCESS Desired Access: Read
    21:50:33.8111547 svchost.exe 772 RegCloseKey HKLM\System\CurrentControlSet\services SUCCESS
    21:50:33.8111752 svchost.exe 772 RegCloseKey HKLM\System\CurrentControlSet\services\eventlog SUCCESS
    21:50:33.8111901 svchost.exe 772 RegQueryValue HKLM\System\CurrentControlSet\services\eventlog\Parameters\ServiceDll SUCCESS Type: REG_SZ, Length: 68, Data: %SystemRoot%\System32\wevtsvc.dll
    21:50:33.8112148 svchost.exe 772 RegCloseKey HKLM\System\CurrentControlSet\services\eventlog\Parameters SUCCESS
    21:50:33.8116552 svchost.exe 772 Thread Exit SUCCESS Thread ID: 6088, User Time: 0.0000000, Kernel Time: 0.0000000
    NOTE: previously, for
    21:46:31.6130476 svchost.exe 772 RegQueryValue HKLM\System\CurrentControlSet\services\eventlog\Parameters\ServiceDll SUCCESS Type: REG_SZ, Length: 68, Data: %SystemRoot%\System32\wevtsvc.dll
    I also got NAME NOT FOUND error, so I created the new string value for the Parameters with the name ServiceDll and data %SystemRoot%\System32\wevtsvc.dll (copied from the upper HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog key) and this event now is
    21:46:31.6130476 svchost.exe 772 RegQueryValue HKLM\System\CurrentControlSet\services\eventlog\Parameters\ServiceDll SUCCESS Type: REG_SZ, Length: 68, Data: %SystemRoot%\System32\wevtsvc.dll
    I also checked for the presence of wevtsvc.dll in the place and it's there.
    Also, I tried to capture all events with path containing 'event' and got following events firing every several seconds:
    21:38:38.9185226 services.exe 492 RegQueryValue HKLM\System\CurrentControlSet\services\EventSystem\Tag NAME NOT FOUND Length: 16
    21:38:38.9185513 services.exe 492 RegQueryValue HKLM\System\CurrentControlSet\services\EventSystem\DependOnGroup NAME NOT FOUND Length: 268
    21:38:38.9185938 services.exe 492 RegQueryValue HKLM\System\CurrentControlSet\services\EventSystem\Group NAME NOT FOUND Length: 268
    Also, I tried to capture all the events containing 'file', excluding w3wp.exe, chrome.exe, wmiprvse.exe, wmtoolsd.exe, System and it shows NO attempts to access any file in the time I try to start the event logger (if run from cmd - there are several hits by net executable, not present if run from the panel).
    What can be done?

    Hi,
    I didn't find a similar issue. If you have IE 11, please try to update the system automatically or install the MS14-029 update.
    The related KB:
    MS14-029: Security update for Internet Explorer 11 for systems that do not have update 2919355 (for Windows 8.1 or Windows Server 2012 R2) or update 2929437 (for Windows 7 SP1 or Windows Server 2008 R2 SP1) installed: May 13, 2014
    http://support.microsoft.com/kb/2961851/en-us
    Hope this helps.
    We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time.
    Thanks for helping make community forums a great place.

  • CSA MC Events Log and Agent Panel Events Correlation

    I have recently installed CSA MC 6.0.0.201 and the agent on a Win2003 server. I have a question about events showing up in the agent panel and not showing up in the MC events log.
    I see a number of events in the agent 'panel' event viewer. At the end of the event is a number in brackets like [176].
    When I look at the MC event viewer, those events are not being reported.
    My query is:
    #1 I believe the example [176] is the rule being triggered. So if the event is not showing up in the event viewer, how do I find that rule in the policies? I finally did stumble across the rule and I see that logging is disabled for that rule, but finding that rule was a needle in the haystack search. Is there an easier way to find rules?
    #2 Maybe I do not understand this part, but in the MC I placed this server (the one with the MC) into 'Audit Mode' in hopes that would get the events from the agent to show up in the MC event log. No good. Is there a way to get all events - even if the rule says to not log the event - to show up in the MC log so I can create an exception?
    Thanks
    Larry

    Tom,
    I think I may have made some progress. Yes, I'm in advanced mode. I went into Systems | Groups and first selected the 'Servers' and turned on logging. Still most of the events in the agent event viewer were not making it to the MC event log.
    So I went back in to the Systems | Groups and found there was a group called 'Servers - CSA Management Center' and turned on logging there and that got the events to start flowing into the MC events.
    Maybe this will help me get going.
    Larry

  • LS Centralized Logging Agent Event ID 33041

    I am seeing the following error very frequently on all my Lync servers that are running the CLS agent:
    LS Centralized Logging Agent Event ID 33041
    Lync Server Centralized Logging Service Agent Service was unable to convert etl trace record(s) to cache record(s) due to missing message formats and lost these record(s) permanently
    Cache file path: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\Tracing\CLS_WPP_10-13-2014-17-21-13.cache
    Missing message format(s): 1
    d4626f10-6a45-af12-1218-c8e7bb881225(95)
    Cause: Lync Server Centralized Logging Service Agent uses default.tmx file to convert ETL records to binary cache file records. If it can't find the message format information for a record it will be unable to determine the data types of the insert data for the record and the insert data will be lost. This can happen if the default.tmx file is out of sync with respect to the code generating the .ETL records.
    Resolution:
    Verify that default.tmx file is current and update the default.tmx file if necessary. Check if there are any private bits installed causing default.tmx to be out of sync
    It appears the errors started with the install of the August CU updating Lync to 5.0.8308.738. Note, this error is with CLS, not Lync Debugging tools. I have verified that ClsAgent.exe is using C:\Program Files\Common Files\Microsoft Lync Server 2013\Tracing\default.tmx, which is 23041 KB and dated 8/3/2014.
    Anyone else seeing this?  Anyone have a fix?

    I'm experiencing this issue also.  I've updated to latest CU and fixed the agent not starting issue.  Now the agents run, and I can see the cache files growing.  But I get this blowing up the event log:
    Lync Server Centralized Logging Service Agent Service was unable to convert etl trace record(s) to cache record(s) due to missing message formats and lost these record(s) permanently
    Cache file path: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\Tracing\CLS_WPP_03-05-2015-16-00-53.cache
    Missing message format(s): 2
    68fdd900-4a3e-11d1-84f4-0000f80464e3(66)
    68fdd900-4a3e-11d1-84f4-0000f80464e3(64)
    Cause: Lync Server Centralized Logging Service Agent uses default.tmx file to convert ETL records to binary cache file records. If it can't find the message format information for a record it will be unable to determine the data types of the insert data for the record and the insert data will be lost. This can happen if the default.tmx file is out of sync with respect to the code generating the .ETL records.
    Resolution:
    Verify that default.tmx file is current and update the default.tmx file if necessary. Check if there are any private bits installed causing default.tmx to be out of sync
    Log files created with Search-CsCLSLogging -Output "myfile.log" produce this event and create an empty file.
    I've tried copying the default.tmx from the Tracing folder to the Debugging folder, as suggested in other posts, but have the same results.
    Interestingly, I can stop the agent service, and run the old OCSLogger Logging Tool program and can produce valid log files.
    Any suggestions?

  • NAC Appliance & Cisco Trust Agent

    Hi,
    I have a requirement to implement NAC using the NAC Appliance (Cisco Clean Access). Does anyone know if this will work correctly with CTA in the same way that the NAC framework would do?? I am interested as I wish to use the Cisco Secure Services Client as an 802.1x supplicant and this interfaces directly with the CTA.

    Cisco is also introducing improved abilities to assess the security risk of unmanaged or agentless endpoints/devices, that do not support the CTA and are attempting to gain network access. This is accomplished through collaboration with a new auditing category of NAC partner program vendors. Vendors joining this new category include Altiris, Qualys, and Symantec (through the WholeSecurity acquisition). Collaboration with these vendor solutions helps the NAC framework dramatically improve its ability to assess the risk of agentless devices such as guest laptops, printers, PDAs, and Internet Protocol telephones. These devices can now be audited by this new category of partners. The audit results will then be communicated back to the network to enforce the proper network admission decision.
    http://newsroom.cisco.com/dlls/2005/prod_101805.html

  • Methods for Remote Event Log Collection (WMI vs RPC vs WinRM)

    Hi,
    I'm currently evaluating several 3rd party tools (SIEMs) to help me with log management in a large (mostly) Windows domain environment. Each tool uses a different approach to collecting the event log from remote systems, and I'd like help understanding the pros and cons of each approach. I've dropped this in the scripting forum as the tools are essentially running different scripts and it's this part I would like to understand.
    WMI: An agent installed on a windows server connects to each monitored box and grabs their event logs via WMI. Our legacy SIEM already collects from over 2000 servers using this method.
    RPC: As above, but using RPC. No changes required on the remote machines.
    WinRM: An appliance integrates with AD and collects event logs remotely using WinRM. This is reasonably new to me (I'm a security guy, not a sys admin) but I seem to have to enable an additional remote management tool, and open a new listening port on every single machine I want to collect the event log from.
    I read the following blog entry, which seemed to indicate that RPC was the best choice for performance, considering I'm going to be making high frequency connections to over 2000 targets:
    http://blogs.technet.com/b/josebda/archive/2010/04/02/comparing-rpc-wmi-and-winrm-for-remote-server-management-with-powershell-v2.aspx
    However, everything I have found on the subject of remote event collection seems to suggest that WinRM is the "approved" method for event log collection. The vendor using the WinRM approach is also suggesting that it is the only official MS supported way of doing this.
    So I would like to ask, is there a reason that WMI and RPC should not be used for this purpose, since they clearly work and don't require any changes to my environment? Is there some advantage to WinRM that justifies touching my entire estate and opening an additional port (increasing my attack surface)?
    Thanks in advance,

    Hi,
    I'm aware of the push method, and may indeed move to it in time, although I'm just as likely to install a 3rd party agent on the machines to perform this role with greater functionality and manageability for the same effort. I've only seen organisations using commercial agents (snare, splunk, etc) or WMI for log collection in practice, so I don't think I'm the only one with reservations about it.
    Anything that involves making configuration changes to a large and very varied estate is not something to do lightly. Particularly if alternatives exist that don't require this change to be carried out immediately. That is why I'm looking to properly understand the pros and cons of these "legacy" approaches for use as an interim solution if nothing more.
    Pulling probably is more resource intensive, although I've not seen an actual comparison, but it's not really that fragile in my experience. If a single pull fails, you just collect the logs you missed at the next pull cycle in a few seconds/minutes.
    All logs are pulled directly into a SIEM for analysis, so that part is covered.
    Anyway, I appreciate the input, but I'm still holding out for concrete reasons to move away from WMI/RPC or to embrace WinRM. Bear in mind I'm considering fixing something that doesn't look broken to me!
    Cheers,

  • NAC Appliance & Nessus Scanning

    Hi All,
    In the process of getting our NAC appliance setup moved into a production level. We have everything working up to getting Nessus scanning working. I'm a bit confused by the documentation. It appears as though Nessus scanning only applies to web login users... is this correct? The doc shows activating Nessus vulnerability handling under General Setup -> Web Login. I don't see anywhere how to enable it for an agent environment. I have a setup where our test user is placed into the proper roles, and I have selected a Nessus vulnerability for that role. I never see the scan happen though. It's as if the agent isn't required to go through vulnerability scanning before being placed into his or her role. Is that correct? Thanks in advance for any help!
    -Mike

    Paul,
    Good to hear from you. I have been rather busy and I'm hoping to get some time in the near future to get the blog updated. The CMPC program I wrote has been quite popular with nearly 400 downloads so far.
    Back to the issue of Nessus scans. We're looking good, getting scans done now on the agent side. But I'm trying to test by enabling the TFTP server detected plugin. I have it setup as seen in the attachment. When I test against the workstation, it shows that it detected the TFTP server running. But, when the user logs in with the agent and is placed in that same role, they never are notified they are vulnerable. Why is that?
    Thanks for the help so far!
    -Mike
    http://cs-mars.blogspot.com

  • Errors in event log of Secondary DPM server protecting replicas on Primary

    Hello again
    I have two DPM servers, one situated on-site (primary) and one situated off-site (secondary). Protection jobs seem to be running correctly on both servers in that the jobs complete and I am able to restore data from the backups. I use the primary server to make the initial backups of critical systems and data (Exchange MDB's etc) and the secondary server to backup those replicas off-site in case of primary site loss or DPM system loss.
    The primary server is a physical server and the secondary server is a virtual server. Both DPM servers have their DPM databases stored on one physical SQL server that is in the primary site.
    Basically what is happening is that every day our virtual machines are snapshotted (secondary DPM server included) and every day the snapshot of the secondary DPM server fails. I see the following two entries in the event log of the secondary server.
    Error 1:
    WARNING
    Source: MSDPM
    Event ID: 955
    The description for Event ID 955 from source MSDPM cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer. If the event originated on another computer, the display information had to be saved with the event.
    The following information was included with the event:
    The consistency check resulted in the following changes to SQL Server Agent schedules: Schedules added: 2 Schedules removed: 2 Schedules updated: 0.
    Problem Details:
    <ConsistencyCheck><__System><ID>26</ID><Seq>27861</Seq><TimeCreated>22/05/2014 23:01:31</TimeCreated><Source>SchedulerImpl.cs</Source><Line>719</Line><HasError>True</HasError></__System><Tags><JobSchedule /></Tags></ConsistencyCheck>
    the message resource is present but the message is not found in the string/message table
    Error 2
    ERROR
    Source: MSDPM
    Event ID: 4212
    The description for Event ID 4212 from source MSDPM cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer. If the event originated on another computer, the display information had to be saved with the event.
    The following information was included with the event:
    DpmWriter service encountered an error during PrepareBackup as more than one component is selected for backup in the same snapshot set.  Select a single DPM replica for backup and try the operation again.
    Problem Details:
    <DpmWriterEvent><__System><ID>30</ID><Seq>7</Seq><TimeCreated>23/05/2014 00:30:45</TimeCreated><Source>d:\btvsts\21011\private\product\tapebackup\dpswriter\vssfunctionality.cpp</Source><Line>438</Line><HasError>True</HasError></__System><DetailedCode>4212</DetailedCode></DpmWriterEvent>
    the message resource is present but the message is not found in the string/message table
    These two events are followed by another event from VMWare Tools everyday
    Error 3:
    WARNING
    Source: VMWare Tools
    Event ID: 1000
    [ warning] [vmvss:vmvss] CVmSnapshotRequestor::CheckWriterStatus():1536: writer DPM Writer in failed state: res = 0x800423f4, err = 0x1, error =
    Has anyone come across this before? Currently I am not quite sure what is going wrong and whether it is actually related to snapshots failing, but I want to try to fix these errors first and see what happens.
    Regards

    You are using VMware for Virtualization?
    Are you trying to do an online Backup of the VM, think that will not work?
    One thing I wonder, you have installed the second DPM if Site one fails or goes down, but SQL for DPM2 is in Site one? Try to move SQL to an external site for DPM 2
    Seidl Michael | http://www.techguy.at | twitter.com/techguyat | facebook.com/techguyat

  • SQL Server monitoring error event log 4001

    Hello Experts,
    We have a SCOM 2012 R2 environment. I have installed SQL SERVER MPs 6.5.0.1 and installed the SCOM agent on some of the SQL Servers. Monitoring is working properly for some of the SQL Servers, not all, but I am getting an error for some of the SQL Servers in the event log
    Event :4001
    Management Group: SCOMMgtGroup. Script: Main Module: CPUUsagePercentDataSource.ps1 : 
    Computer Name = 'MHSSCOM01.memnet.org' WMI = 'ComputerManagement11' Service Name = 'MSSQLSERVER' SQL Instance Name = 'MSSQLSERVER'
    Exception calling "Fill" with "1" argument(s): "The user does not have permission to perform this action."Error occured during CPU Usage for SQL Instances data source executing.
    Computer:MHSSCOM01 
    Reason: Exception calling "Fill" with "1" argument(s): "The user does not have permission to perform this action."
    Also not getting Database information within the SQL Server instances for these SQL Servers within "Instances Summary".
    For resolution, I have created a Run as account (windows) for SQL monitoring, then associated it with Run as profile with SQL Server default account, Discovery account and Monitoring account, and distributed it securely to each SQL Server health service object. The run as account has been added to the local admin group on each SQL server.
    How to resolve the event log error and how to get database information for all instances of SQL Server?
    Thanks
    RICHA

    Hi,
    It seems like that the action account that run the script does not have enough permissions on the monitored SQL server, I would like to suggest you follow the below link to check your runas account configuration:
    http://blogs.technet.com/b/kevinholman/archive/2010/09/08/configuring-run-as-accounts-and-profiles-in-r2-a-sql-management-pack-example.aspx
    And make sure the action account also have SQL admin account to the SQL server.
    Here is also a link that may be helpful for you:
    http://blogs.technet.com/b/momteam/archive/2014/05/12/kb-event-4001-in-the-operations-manager-log-during-sql-server-2012-monitoring.aspx
    Regards,
    Yan Li

  • All agents were logged off automatically from agent desktop

    Hello,
    We had an issue last week where all agents were logged off automatically. By the way we have UCCE version 8, CTIOS agent desktop 8, Call manager 8, and 7961 Cisco phones. Agents were able to log back in and everything seems to be working fine. We are running duplex mode in call center. On the CTIOS server it shows in call manager the agent desktop unregistered, however the call manager and switch logs don't show unregister. It is really weird and on the switch there aren't any errors that indicate that packets were lost. Does any UCCE expert out there know what could have been the root cause? The error on the CTIOS server says cucm failure for all those phones but phones weren't unregistered.
    Any Suggestion please help.
    Thanks,

    All agents logged off, not just half? Typically when you run in duplex, half of those CTI OS Agent Desktops should connect to your secondary CTIOS server (50% chance at login). Are the affected agents all in the same location? To me this points to perhaps being a network issue if everyone was affected.
    Can you run a report on the Logout codes for the affected agents? What logout codes were recorded for this event?
    -Jameson

  • The Data Access service is either not running or not yet initialized. Check the event log for more information

    Hi,
    I have SCSM with a remote SQL and the SCSM Management server gives the below error
    Message: Failed to connect to server ‘Name of Server’
    Microsoft.EnterpriseManagement.Common.ServiceNotRunningException: The Data Access service is either not running or not yet initialized. Check the event log for more information. —> System.ServiceModel.EndpointNotFoundException: Could not connect to net.tcp://ServerName:5724/DispatcherService.
    The connection attempt lasted for a time span of 00:00:04.0070932. TCP error code 10061: No connection could be made because the target machine actively refused it IPAddress:5724.  —> System.Net.Sockets.SocketException: No connection could be made because the target machine actively refused it IPAddress:5724
    I tried restarting SQL & MS, with the same error.
    I also tried the following:
    https://social.technet.microsoft.com/Forums/systemcenter/en-US/c670d54d-3a92-481f-8dc9-55c475ad196f/problems-with-data-access-service-after-rebooting
    https://social.technet.microsoft.com/Forums/systemcenter/en-US/26dc1d5c-fa82-403f-8949-3073f3b82a60/the-data-access-service-is-either-not-running-or-not-yet-initialized
    Did not help me.
    Regards

    I had the same error before.
    Below are the steps to solve it:
    Make sure SQL Server Running & ServiceManager Database not full
    Stop All SCSM Services:
        System Center Management Configuration
        Microsoft System Center Data Access Service
        Microsoft Monitoring Agent
    Rename Health Service State to Health Service State_old --- @ "C:\Program Files\Microsoft System Center 2012 R2\Service Manager"
    Start SCSM Services:
        Microsoft Monitoring Agent
        System Center Management Configuration
        Microsoft System Center Data Access Service
    Wait 2 min...
    Check Event Viewer...
    Hope this helps you.
    Regards, Ibrahim Hamdy

  • Integrate NAC Appliance with Active Directory

    We are trying to implement, for our customer, a NAC appliance integrated with Active Directory single sign-on.
    The NAC is configured with L2 OOB. The user first connects to the switch and gets the authentication VLAN, then the user will be authenticated using their domain account login; if successful, the user will be mapped to the VLAN assigned to them.
    The agent SSO installed on Active Directory is running well, and at the CAS the SSO service has also started.
    Let's say I have this situation:
    1. User A has been assigned to VLAN 15 Employee
    2. User A plugs into the switch and gets a dummy VLAN and will authenticate using the domain account on AD. If it succeeds, then the port will be bounced; the user is running a Cisco agent in the background
    3. Now user A has their own VLAN ID 15
    I've created the Authentication server on CAM for the Active Directory, but I find it so difficult to configure mapping rules between user roles and Active Directory. The guidance PDF on how to implement NAC that I downloaded from Cisco does not mention how to map user roles to Active Directory...
    Has anyone configured mapping rules from user roles to Active Directory?

    So you would create a mapping rule against your lookup server like so.
    Say the AD group membership is "Finance"
    for ADSSO you would apply the mapping rule to your LOOKUP Server
    where the expression is
    memberOf contains CN=Finance
    and apply it to role employee. If VLAN 15 is your employee VLAN, then you would designate VLAN 15 in your Employee role under user role configuration.
    Now you can't test this with ADSSO with the test auth function, so what I like to do is create an AD authentication server and test against that. As long as you have some form of mapping configured, the auth results will return all memberships for the username you log in with, so you can get the syntax exactly right.
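
Added example (not part of the original thread and not Cisco's code): a sketch of how a rule like `memberOf contains CN=Finance` behaves if "contains" is a plain substring test, compared with matching the group's full DN. The substring model, the DNs, the user names and the "Quarantine" default role are assumptions constructed for illustration; the page does not say how the CAM evaluates the operator.

```python
import re

# Constructed sample data: user -> memberOf values as an AD lookup might return them.
FINANCE_DN = "CN=Finance,OU=Groups,DC=example,DC=com"
USERS = {
    "alice": ["CN=Finance,OU=Groups,DC=example,DC=com"],
    "bob":   ["CN=Finance-Contractors,OU=Groups,DC=example,DC=com"],
    "carol": ["CN=Guests,CN=Finance Apps,DC=example,DC=com"],
    "dave":  ["CN=Finance\\, EMEA,OU=Groups,DC=example,DC=com"],
    "erin":  ["cn=finance, ou=Groups, dc=example, dc=com"],
}
ROLE_VLAN = {"Employee": 15}  # VLAN 15 for the Employee role, as in the post


def split_rdns(dn):
    """Split a DN on commas that are not backslash-escaped."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])  # keep the escape pair together
            i += 2
            continue
        if ch == ",":
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur).strip())
    return parts


def normalise_dn(dn):
    """Case-fold a DN into a tuple of (attribute, value) pairs.

    Only backslash-character escapes are handled; hex escapes such as \\2C
    are out of scope for this sketch.
    """
    out = []
    for rdn in split_rdns(dn):
        attr, _, value = rdn.partition("=")
        value = re.sub(r"\\(.)", r"\1", value.strip())
        out.append((attr.strip().casefold(), value.casefold()))
    return tuple(out)


def role_by_contains(member_of, needle="CN=Finance",
                     role="Employee", default="Quarantine"):
    """Assumed model of the rule in the post: substring match on any value."""
    n = needle.casefold()
    return role if any(n in dn.casefold() for dn in member_of) else default


def role_by_dn(member_of, group_dn=FINANCE_DN,
               role="Employee", default="Quarantine"):
    """Stricter rule: the user must be in exactly this group at this location."""
    want = normalise_dn(group_dn)
    return role if any(normalise_dn(dn) == want for dn in member_of) else default


def over_matched(users):
    """Users the substring rule admits but the full-DN rule does not."""
    return sorted(u for u, groups in users.items()
                  if role_by_contains(groups) != role_by_dn(groups))


if __name__ == "__main__":
    for user, groups in USERS.items():
        loose, strict = role_by_contains(groups), role_by_dn(groups)
        print(f"{user:6} contains={loose:10} vlan={ROLE_VLAN.get(loose)} "
              f"full-dn={strict}")
    print("admitted only by the substring rule:", over_matched(USERS))
```

The test authentication server described in the answer is where the real memberOf strings can be read off, so the expression can be made as specific as the group's DN allows.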

  • Solaris cluster event log

    Someone please tell me there is a way to get readable data from the event log in /var/cluster/log. I'm not finding anything in my searches, so I really hope I'm just overlooking something simple. Thanks in advance for any help.

    Hi,
    there's a binary called showev4 but I do not remember from where I've downloaded it. :)
    Sun Cluster 3.x series clusters record event logs as binary log files. Log files cannot be read with standard cluster commands. showev4 is a binary to read these log files.
    Usage :
    ./showev4 /var/cluster/logs/eventlog
    Sample output :
    Tue May 29 08:37:38 2007
    class: EC_Cluster subclass: ESC_cluster_gds_probe
    vendor: SUNW pub: gds pid: 2347
    cluster_id: 0x45E81ADA cluster: test3210g node: testxdb1
    ts_sec: 1180417058 ts_usec: 538717
    severity: 0 (Info) initiator: 3 (Agent)
    r_name: mysql-server
    rg_name: mysql-rg status_msg: Probe has been executed with exit code 0 [opt/SUNWscmys/bin/probe_mysql -R mysql-server -G mysql-rg -B /global/mysql -D /global/mysql-data -U mysql   -H mysql-IP -F fmuser%fmuser -L /global/mysql-data/logs -C ]
    Tue May 29 08:37:38 2007
    class: EC_Cluster subclass: ESC_cluster_gds_probe
    vendor: SUNW pub: gds pid: 2347
    cluster_id: 0x45E81ADA cluster: test3210g node: testxdb1
    ts_sec: 1180417058 ts_usec: 539543
    severity: 0 (Info) initiator: 3 (Agent)
    r_name: mysql-server
    rg_name: mysql-rg status_msg: The probe result is 0

  • NAC Cisco Agent cannot connect to LAN (Requirement Mandatory SCCM 2012 agent installed - ccmexec services)

    hi Support, 
    we have a problem, our NAC Cisco Agent cannot detect SCCM Agent Service (ccmexec).  here the snapshot:
    the configuration as following:
    here the NAC Cisco Agent Logs, download here:
    https://drive.google.com/file/d/0B9ShGyy3UzoeejlvZ2MwVVo2V1U/edit?usp=sharing 
    Does NAC 4.8 support integration with SCCM 2012?
    Thanks
    Endrik

    Wow, no responses?
    Was I too long winded?
