DMVPN/preshared key configured and device stolen

Hello,
I have a question on DMVPN solutions where a device is already configured with a preshared key and is expected to be a part of a network once the device is fired up.
Now what if this device (e.g. a router) is stolen and plugged into the Internet? I believe it will establish a connection with a hub router because the preshared keys and DMVPN config match. Is there a solution to prevent this?
I know it is a physical security question; however, I need to consider this rare scenario.
Thanks,
Deepak Ambotkar

The solution for that problem is to use digital certificates, which is a best practice for DMVPN. For that you can also use an IOS router as a CA server.
If you decide against certificates, then you can at least use PSK encryption. That doesn't help against stolen devices, but helps against rogue spokes when someone can get the client config.
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
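
The certificate approach recommended in the reply above, sketched as IOS configuration. This is an added example, not part of the original posts; the trustpoint and CA labels, the 192.0.2.1 address, the subject name, the `<shared-secret>` placeholder and the serial number 0x2A are all constructed, and an IOS CA server labelled DMVPN-CA is assumed to be running already.

```cisco
! ===== Before: wildcard pre-shared key =====
! Every spoke holds the same secret, so a stolen router (or a copied
! config) authenticates to the hub until the key is changed on ALL devices.
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key <shared-secret> address 0.0.0.0 0.0.0.0

! ===== After: per-device certificates (hub and every spoke) =====
! Each router enrolls its own key pair with the CA (constructed URL).
crypto pki trustpoint DMVPN-TP
 enrollment url http://192.0.2.1:80
 subject-name CN=spoke1.example.net
 rsakeypair DMVPN-KEY 2048
 ! "crl" alone fails closed: a peer is rejected if no CRL can be fetched.
 ! "crl none" would fall back to accepting the peer without a check.
 revocation-check crl
!
crypto isakmp policy 10
 authentication rsa-sig
!
! One-time enrollment, run on each router:
crypto pki authenticate DMVPN-TP
crypto pki enroll DMVPN-TP

! ===== When a router is reported stolen =====
! On the CA server (privileged EXEC): revoke that router's certificate
! by serial number (0x2A is a placeholder).
crypto pki server DMVPN-CA revoke 0x2A
!
! On the hub: a cached CRL stays in use until it expires, so fetch the
! new one now, then drop existing sessions so the peer must re-authenticate.
crypto pki crl request DMVPN-TP
clear crypto isakmp
clear crypto sa
```

Revocation only takes effect as fast as the hub refreshes its CRL, so a short CRL lifetime on the CA narrows the window in which a stolen spoke is still accepted.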

Similar Messages

  • Question on IKE preshared key for sun systems.

    Hi All
    I'm testing IPsec between a Sun system and a device (and Windows XP). The main mode negotiation failed in the third exchange when encryption is on. The responder side complains that the payload sent from the other side is malformed. I suspect the problem is related to the preshared key configuration. The Sun system requires a hexadecimal preshared key, and the resulting key length should be at least what the encryption algorithm requires (from the IP service manual):
    The encryption algorithm in this example (see Step 2) is DES, so the pre-shared key must be at least 64 bits. However, a longer key length is a good idea. For example,
    # ike.preshared on enigma, 192.168.66.1
    { localidtype IP
         localid 192.168.66.1
         remoteidtype IP
         remoteid 192.168.55.2
         # enigma and partym's shared key in hex (128 bits)
         key ac077cc699c17055848a3cf34377980a
    My question is: how should I configure the preshared key to match the one on Sun, for example on a Windows system? I tried to use the exact same key on Windows, but the authentication failed. If the problem is not from the preshared key, any comments are welcome.
    Thanks a lot!

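    To restore a key from encoded data you have to use one of the KeySpec classes, in your case DESKeySpec. Then you can use the KeyFactory (SecretKeyFactory in this case) class to regenerate the key.
    // encodedKey: the raw 8-byte DES key material as a byte[] (assumed to be available)
    DESKeySpec keySpec = new DESKeySpec(encodedKey);
    SecretKeyFactory factory = SecretKeyFactory.getInstance("DES", "SunJCE");
    SecretKey myDESkey = factory.generateSecret(keySpec);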

  • Apple Configurator and Mass Device Set-up

    I’m having some issues with iPads using the Apple Configurator and a Bretford Cart.  I submitted this to my lovely Apple account team, however they have not acknowledged or replied to me.  I could really use some help with this one!! PLEASE
    I have a deployment of about 1000 iPads.  The initial deployment is over but we collect them and redeploy them.
    Here is what I do with the cart.
    Load iPads in to it. 
    Update to the latest iOS (if approved internally).
    Restore a backup of an iPad configured with customized wallpaper.
    Install a profile that contains a webclip to our MDM install.
    The devices ARE not supervised, nor do I want to supervise them in any way.  We have an MDM and do not need or want device supervision.
    This used to work for me with minor issues.
    Now I’m having some problems.
    In particular:
    On some devices, I no longer get the choice to select “Next” at choose a Network connection.  Sometimes I get it and it allows me to go to choose “Continue without Wifi” and I’m good to go.  Sometimes I don’t have this choice and that is an issue.  Why is this happening? (Incidentally, when I erase all content and settings of a device that HAS allowed me to choose Next and Continue without Wifi, when it is restored, the option is no longer there.)
    After the update and backup is restored, I have to go through the Hello and Welcome screens before I can install a profile. Why?
    When I install profiles, it allows me to only install 1 profile at a time.  This does not work for me.  Why did this change in Apple Configurator?
    What used to be a fairly simple process is now becoming kind of a pain.  I’ve searched Apple forums and it seems others are having the same issues.   Are you able to help or give advice on a better way to do this?
    I have about 1000 iPads deployed and need to find the smoothest way to go about doing this.
    Thank you for any help or advice.

    Yes, an MDM is your best bet. If you aren't currently using an MDM and want to try one out, there is a free MDM solution by Meraki called Systems Manager. http://www.meraki.com/products/systems-manager/ . They have a location feature that might help you. The MDM can also allow you to lock the screen or do a remote wipe to keep the thief from accessing the data on the iPad.
    You can also have your users sign up with the Find My iPad app http://www.apple.com/ipad/find-my-ipad.html to help locate a stolen iPad.
    As ryanm512 said, if you Supervise your iPads in Apple Configurator the iPads can only be unsupervised using the computer that Supervised them.
    However, everything is out the window if the thief resets the iPad when it's not connected to a network. Once wiped clean, the MDM and Find My iPad won't work.
    Here are some links I found on another post that may be helpful:
    How to Track and Report Stolen iPad
    http://www.ipadastic.com/tutorials/how-to-track-and-report-stolen-ipad
    Reporting a lost or stolen Apple product
    http://support.apple.com/kb/ht2526
    Report Stolen iPad Tips and iPad Theft Prevention
    http://www.stolen-property.com/report-stolen-ipad.php
    How to recover a lost or stolen iPad
    http://ipadhelp.com/ipad-help/how-to-recover-a-lost-or-stolen-ipad/
    How to Find a Stolen iPad
    http://www.ehow.com/how_7586429_stolen-ipad.html
    Apple Product Lost or Stolen
    http://sites.google.com/site/appleclubfhs/support/advice-and-articles/lost-or-stolen
    Oops! iForgot My New iPad On the Plane; Now What?
    http://online.wsj.com/article/SB10001424052702303459004577362194012634000.html
    If you don't know your lost/stolen iPad's serial number, use the instructions below. The S/N is also on the iPad's box.
    How to Find Your iPad Serial Number
    http://www.ipadastic.com/tutorials/how-to-find-your-ipad-serial-number
    Hope this helps!
    ~Joe

  • Configurator - supervised devices and switching computers

    I manage a number of iPads through Configurator that we have supervised, and our company is making us upgrade computers.  Will I have to gather the iPads and un-supervise them then setup Configurator from scratch on the new computer or is there a way to transfer the profiles/etc?

    In addition to backing up the iOS apps, there are other files, too.
    See this: http://support.apple.com/kb/HT5194
    or read this:
    Note: If you use third-party backup software, make sure that the directory ~/Library/Application Support is not excluded from the backup.
    To recover your Apple Configurator data from a Time Machine backup:
    Choose Enter Time Machine from the Time Machine menu extra or System Preference pane.
    Press Command-Shift-G and type: ~/Library/Application Support
    Select the item "com.apple.configurator" in the backup with the appropriate date.
    Click Restore.
    If you are using third-party backup software, follow its instructions to restore ~/Library/Application Support/com.apple.configurator.
    You may also want to recover the following information from the backup of the same date:
    ~/Library/Keychains, to recover the Supervision Certificate and public and private keys. These will allow supervised devices to reconnect to the host computer.
    ~/Library/Preferences/com.apple.configurator.plist, to restore Configurator settings and preferences.
    Restoring data to a new Mac
    If you restore the files and folders listed above to a new Mac, you can use it to manage devices supervised by the previous Apple Configurator Mac.
    Additional Information
    If you have supervised devices with Apple Configurator and you lose the Apple Configurator data files, the devices will still be supervised by the Mac that is running Configurator, but Apple Configurator will not be able to reinstall app backups or user data onto those supervised devices.
    It is especially important to back up Apple Configurator information if you are using VPP codes. After a VPP code has been redeemed, only the Apple Configurator database keeps a record of what device that code was redeemed for. If this database is lost, and the app is deleted from the device, Apple Configurator will not be able to reuse the redeemed code in order to install the app, and you will need to purchase and redeem additional codes to replace the app on a device.
    ~
    I make sure my iPad configurator machine has regular TimeMachine backups. A 500GB USB2 drive is enough to handle the initial startup disk backup & incrementals afterwards. It is important to have a dedicated machine for profile tasks, too. An Intel Core 2 Duo 2GHz or greater Mac Mini should suffice and is quite inexpensive.

  • Add device, discovery device, configure and troubleshoot device

    Hi
    I am new to network management, and I installed Cisco Prime 1.2 this week.
    I need to perform these actions on the ISE and on many Catalyst switches:
    - Add device
    - Discovery device
    - Monitor, configure and troubleshoot device
    Which information should I ask the network administrator for (SNMP version, IP address ...)?
    How should I perform these 3 actions? (Any step-by-step document would be good for me.)
    Regards

    Hi,
    Check the below links:
    http://www.cisco.com/en/US/docs/net_mgmt/prime/infrastructure/1.2/user/guide/gettingstarted.html#wp1069890
    http://www.cisco.com/en/US/docs/net_mgmt/prime/infrastructure/1.2/user/guide/gettingstarted.html#wp1070951
    http://www.cisco.com/en/US/docs/net_mgmt/prime/infrastructure/1.2/user/guide/gettingstarted.html#wp1070638
    Thanks-
    Afroz

  • Anyconnect and preshared keys

    Is it possible to use the anyconnect client and still use preshared keys?  I'm trying to remediate a PCI issue that requires removing IKEv1, and preshared key, and disabling aggressive mode.
    Will any of this break AnyConnect?  Your assistance is appreciated!

    Hi,
    It is completely possible. You can disable the aggressive mode from the ASA and it will not affect AnyConnect because it uses TLS and DTLS protocols, which is completely different from IPSec.
    Now you can disable the aggressive mode as follows:
    hostname(config)# crypto ikev1 am-disable
    If you have VPN clients IPSec, they will work with main mode if you use certificate authentication only, not using pre-shared keys.
    Please don't forget to rate and Mark as correct the helpful Post!
    David Castro,
    Regards,

  • CF Installations: Key differences between Multiserver configuration and J2EE Configuration

    Hi,
    Can anyone give the important differences between Multiserver
    configuration and J2EE Configuration installations?..

    Hello Dalibor,
    While the service account user object has Use DES selected it would appear your user session is still sending the AS Java an RC4 service ticket.  This might occur if your user had requested a service ticket before Use DES was selected, or before that setting had replicated to the appropriate domain controller.  The fix might be as simple as logging out and logging back in now that some time has passed.
    You could also download the Microsoft kerbtray utility and inspect the service ticket enc type to validate this.  kerbtray can also be used to clear old tickets and is generally useful for troubleshooting this kind of thing.
    Thanks!
    Kyle

  • The Ultimate Guide to Resolving Profile and Device Manager Issues

    The following article also applies to issues after re-setting the server's hostname. It also applies to situations where re-setting the Code Signing Certificate as described by Apple has not resolved the issue.
    Hello,
    I have been plagued with Profile Manager and Device Manager issues since day one.
    I would like to share my experience and to suggest a way how to resolve issues such as device cannot be enrolled or Code Signing Certificate not accepted.
    I shall try to be as brief as possible, just giving an overview of the steps that resolved my issues. The individual steps have been described elsewhere in this forum. For users who have purchased commercial SSL certs the following may not apply.
    In my view many of these issues are caused by missing or faulty certificates. So let us first touch on the very complex matter of certificates.
    Certificates come in many flavours such as CA (Certificate Authority), Code Signing Certificate, S/MIME and Server Identification.
    (Mountain?) Lion Server creates a so-called Intermediate CA certificate ("IntermediateCA_hostname_1") and Server Identification Certificate ("hostname") when it installs first. This is critical for the operation of many server functionalities, including Open Directory. These certs together with the private/public keys can be found in your Keychain. Profile and Device Manager may need a Code Signing Certificate.
    The most straightforward way to resolve the Profile Manager issues is in my view to reset the server-created certificates.
    The bad news is that this procedure involves quite a few steps and at least 2 hours of your precious time because it means creating a fresh Directory Master.
    I hope that I have not forgotten to mention an important step. Readers' comments and addenda are welcome.
    I shall outline a sensible strategy:
    1. Clone your dysfunctional server to an external harddrive (SuperDuper does a reliable job)
    2. Start the server from the clone and shut down ALL services.
    3. It may be sensible to set up a root user access.
    4. Back-up all user data such as address book, calendar and other data that you *may* need to set up your server.
    5. Open Workgroup Manager and export all user and workgroup accounts to the drive that you are using to re-build your server (it may cause problems if you back-up to an external drive).
    6. Just in case you may also want to back-up the Profile Manager database and erase user profiles:
    In Terminal (this applies to Lion Server - paths may be different in Mountain Lion !)
    Backup: sudo pg_dump -U _postgres -c device_management > $HOME/device_management.sql
    Erase database:
    sudo /usr/share/devicemgr/backend/wipeDB.sh
    7. Note your Directory (diradmin) password for later if you want to re-use it.
    8. Open Server Admin and demote OD Master to Standalone Directory.
    9. In Terminal delete the old Certificate Authority
    sudo rm -R /var/root/Library/Application\ Support/Certificate\ Authority/
    This step is crucial because otherwise re-building your OD Master will fail.
    9. Go back to Server Admin and promote the Standalone Directory to OD Master. You may want to use the same hostname.
    10. When the OD Master is ready click on Overview and check that the LDAP and Kerberos Realm reflect your server's hostname.
    11. Go back to Workgroup Manager and re-import users and groups.
    NOTE: passwords are not being exported. I do not know how to salvage user passwords. (Maybe passwords can be recovered by re-importing an OD archive - comments welcome! ).
    12. Go to Server App and reset passwords and (not to forget) user homefolder locations, in particular if you want to login from a network account!
    If the home directory has not been defined you cannot login from a network account.
    13. You may now want to restore Profile Manager user profiles in Terminal. Issue the following commands:
    sudo serveradmin stop devicemgr
    sudo serveradmin start postgres
    sudo psql -U _postgres -d device_management -f $HOME/device_management.sql
    sudo serveradmin start devicemgr
    14. You can now switch back on your services, including Profile Manager.
    In Profile Manager you may have to configure Device Management. This creates a correct Code Signing Certificate.
    15. Check the certificate settings in Server App -> Hardware -> Settings -> SSL Certificates.
    16. Check that Apple Push Notifications are set (you can easily check if they are working later).
    17. You may want to re-boot OS Server from the clone now.
    18. After re-boot open Server App and check that your server is running well.
    19. Delete all profiles in System Preferences -> Profiles.
    19. Login to Profile Manager. You should have all users and profiles back. In my experience devices have to be re-enrolled before profiles can be pushed and/or devices be enrolled. You may just as well delete the displayed devices now.
    20. Grab one of your (portable) Macs that you want to enrol and go to (yourhostname)/mydevices and install the server's trust profile. The profile's name should read "Trust Profile for..." and underneath in green font "Verified".
    21. Re-enrol that device. At this stage keep your fingers crossed and take a deep breath.
    22. If the device has been successfully enrolled you may at last want to test if pushing profiles really works. Login to Profile Manager as admin, select the newly enrolled device. Check that Automatic Push is enabled (-> Profile -> General). Create a harmless management profile such as defining the dock's position on the target machine. (Do not forget to click SAVE at the end - this is easily missed here). If all is well Profile Manager will display an active task (sending) and the dock's position on the target will have changed in a few seconds if you are on a LAN (Note: If sending seems to take forever: check on the server machine and/or on your router that the proper ports are open and that incoming data is not intercepted by Little Snitch or similar software).
    Note: if you intend to enrol an Apple iPhone you may first need to install the proper Apple Configuration software.
    Now enjoy Profile and Device Manager !
    Regards,
    Twistan

    HI
    1. In Action profiles, logon to system and recheck correction are available in action definition as well as in condition configuration and the schedule condition is also maintained. But the display is not coming (i.e. in the worklist this action is not getting displayed).
    You can check the schedule condition for the action and match the status values... or try recreating the action with schedule condition again... for customer specific... copy the standard action with your zname and make a schedule condition and check the same.
    2. In support team of incident when I give individual processor it is throwing a warning that you are not the processor. But when I give org unit it is working perfectly. Could anyone guide on this.
    You need to have the employee role for BP... go to BP and go to the dropdown for your BP and choose role Employee and then enter your userid.
    Also make sure that you have the message processing role.
    Hope it clarifies your doubt and resolves your problem.
    Regards
    Prakhar

  • Ask the Expert: ISE 1.2: Configuration and Deployment with Cisco expert Craig Hyps

    Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about how to deploy and configure Cisco Identity Services Engine (ISE) Version 1.2 and to understand the features and enhanced troubleshooting options available in this version, with Cisco expert Craig Hyps.
    October 27, 2014 through November 7, 2014.
    The Cisco Identity Services Engine (ISE) helps IT professionals meet enterprise mobility challenges and secure the evolving network across the entire attack continuum. Cisco ISE is a security policy management platform that identifies users and devices using RADIUS, 802.1X, MAB, and Web Authentication methods and automates secure access controls such as ACLs, VLAN assignment, and Security Group Tags (SGTs) to enforce role-based access to networks and network resources. Cisco ISE delivers superior user and device visibility through profiling, posture and mobile device management (MDM) compliance validation, and it shares vital contextual data with integrated ecosystem partner solutions using Cisco Platform Exchange Grid (pxGrid) technology to accelerate the identification, mitigation, and remediation of threats.
    Craig Hyps is a senior Technical Marketing Engineer for Cisco's Security Business Group with over 25 years networking and security experience. Craig is defining Cisco's next generation Identity Services Engine, ISE, and concurrently serves as the Product Owner for ISE Performance and Scale focused on the requirements of the largest ISE deployments.
    Previously Craig has held senior positions as a customer Consulting Engineer, Systems Engineer and product trainer.   He joined Cisco in 1997 and has extensive experience with Cisco's security portfolio.  Craig holds a Bachelor's degree from Dartmouth College and certifications that include CISSP, CCSP, and CCSI.
    Remember to use the rating system to let Craig know if you have received an adequate response.
    Because of the volume expected during this event, Ali might not be able to answer each question. Remember that you can continue the conversation on the Security community, sub-community shortly after the event. This event lasts through November 7, 2014. Visit this forum often to view responses to your questions and the questions of other community members.
    (Comments are now closed)

    1. Without more specifics it is hard to determine actual issue. It may be possible that if configured in same subnet that asymmetric traffic caused connections to fail. A key enhancement in ISE 1.3 is to make sure traffic received on a given interface is sent out same interface.
    2. Common use cases for using different interfaces include separation of management traffic from user traffic such as web portal access or to support dedicated profiling interfaces. For example, you may want employees to use a different interface for sponsor portal access. For profiling, you may want to use a specific interface for HTTP SPAN traffic or possibly configure IP Anycast to simplify reception and redundancy of DHCP IP Helper traffic. Another use case is simple NIC redundancy.
    a. Management traffic is restricted to eth0, but standalone node will also have PSN persona so above use cases can apply for interfaces eth1-eth3.
    b. For dedicated PAN / MnT nodes it usually does not make sense to configure multiple interfaces although ISE 1.3 does add support for SNMP on multiple interfaces if needed to separate out. It may also be possible to support NIC redundancy but I need to do some more testing to verify. 
    For PSNs, NIC redundancy for RADIUS as well as the other use cases for separate profiling and portal services apply.
    Regarding Supplicant Provisioning issue, the flows are the same whether wireless or wired. The same identity stores are supported as well. The key difference is that wireless users are directed to a specific auth method based on WLAN configuration and Cisco wired switches allow multiple auth methods to be supported on same port. 
    If RADIUS Proxy is required to forward requests to a foreign RADIUS server, then decision must be made based on basic RADIUS attributes or things like NDG. ISE does not terminate the authentication requests and that is handled by foreign server. ISE does support advanced relay functions such as attribute manipulation, but recommend review with requirements with local Cisco or partner security SE if trying to implement provisioning for users authenticated via proxy. Proxy is handled at Authentication Policy level. CWA and Guest Flow is handled in Authorization Policy.  If need to authenticate a CWA user via external RADIUS, then need to use RADIUS Token Server, not RADIUS Proxy.
    A typical flow for a wired user without 802.1X configured would be to hit default policy for CWA.  Based on successful CWA auth, CoA is triggered and user can then match a policy rule based on guest flow and CWA user identity (AD or non-AD) and returned an authorization for NSP.
    Regarding AD multi-domain support...
    Under ISE 1.2, if need to authenticate users across different forests or domains, then mutual trusts must exist, or you can use multiple LDAP server definitions if the EAP protocol supports LDAP. RADIUS Proxy is another option  to have some users authenticated to different AD domains via foreign RADIUS server.
    Under ISE 1.3, we have completely re-architected our AD connector and support multiple AD Forests and Domains with or without mutual trusts.
    When you mention the use of RADIUS proxy, it is not clear whether you are referring to ISE as the proxy or another RADIUS server proxying to ISE.  If you had multiple ISE deployments, then a separate RADIUS Server like ACS could proxy requests to different ISE 1.2 deployments, each with their own separate AD domain connection.  If ISE is the proxy, then you could have some requests being authenticated against locally joined AD domain while others are sent to a foreign RADIUS server which may have one or more AD domain connections.
    In summary, if the key requirement is ability to join multiple AD domains without mutual trust, then very likely ISE 1.3 is the solution.  Your configuration seems to be a bit involved and I do not want to provide design guidance on a paper napkin, so recommend consult with local ATP Security SE to review overall requirements, topology, AD structure, and RADIUS servers that require integration.
    Regards,
    Craig

  • NEEDED : ISE 1.1.3 Posture configuration and Switch Config (ACL, dACL)

    Hello,
    Could anyone please post a screen capture of ISE posture configuration (and remediation)?
    I urgently need a dACL and a redirection ACL that work at least in a mockup lab.
    Authentication and authorization policies not needed.
    Posture and remediation policies not needed.
    The issue is about ACLs (I guess).
    Also needed is a valid switch config file, with ACL (if necessary) at the DOT1x ethernet port.
    My IOS is 122.55 SE or 52 SE
    Thank you in advance.
    Best regards.
    V.

    Hi Venkatesh,
    You're the ultimate ISE Guru !!
    You're right
    Thanks a lot.
    See screen captures and Sw config below
    aaa new-model
    aaa group server radius ISE
     server 192.168.6.10 auth-port 1812 acct-port 1813
     server 192.168.6.10 auth-port 1645 acct-port 1646
    aaa authentication login default local
    aaa authentication dot1x default group ISE
    aaa authorization network default group ISE
    aaa authorization network auth-list group ISE
    aaa authorization auth-proxy default group radius
    aaa accounting dot1x default start-stop group ISE
    aaa server radius dynamic-author
     client 192.168.6.10 server-key 123456789
    ip dhcp snooping
    ip device tracking
    dot1x system-auth-control
    dot1x critical eapol
    interface FastEthernet1/0/1
     switchport mode access
     ip access-group ACL-ALLOW in
     authentication port-control auto
     authentication periodic
     dot1x pae authenticator
     dot1x timeout tx-period 10
     spanning-tree portfast
     spanning-tree bpduguard enable
    ip http server
    ip http secure-server
    ip access-list extended ACL-ALLOW
     permit ip any any
    ip access-list extended ACL-POSTURE-REDIRECT
     deny   udp any any eq domain
     deny   udp any host 192.168.6.10 eq 8905
     deny   udp any host 192.168.6.10 eq 8906
     deny   tcp any host 192.168.6.10 eq 8443
     deny   tcp any host 192.168.6.10 eq 8905
     deny   tcp any host 192.168.6.10 eq www
     permit ip any any
    snmp-server community snmp RO
    snmp-server community RO RO
    snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
    snmp-server enable traps mac-notification change move threshold
    snmp-server host 192.168.6.10 public
    snmp-server host 192.168.6.10 version 2c snmp  mac-notification
    radius-server attribute 6 on-for-login-auth
    radius-server attribute 6 support-multiple
    radius-server attribute 8 include-in-access-req
    radius-server attribute 25 access-request include
    radius-server dead-criteria time 5 tries 3
    radius-server host 192.168.6.10 auth-port 1645 acct-port 1646 key 123456789
    radius-server vsa send accounting
    radius-server vsa send authentication
    V.

  • SSID with preshared key + ISE

    Hi,
    We have recently implemented Wifi at our site. We have Cisco 3502 APs, a 2504 WLC and the latest Cisco ISE. I understand that in an ISE deployment, we can't have a preshared key (password or key) for the SSID as ISE will take over the authentication. Is that right?
    Current scenario:
    1. Laptop with wifi enabled will select the SSID in the list. Since we have disabled the broadcast, it will be shown as other network in the list.
    2. User will select the other network and manually enter the SSID string.
    3. Once the SSID matches with the WLC, he/she will be redirected to the ISE URL where he/she needs to enter the domain credentials.
    4. After the credentials are validated, ISE (NAC) agent will be downloaded on the laptop.
    5. Posture will begin and check for the compliance.
    6. If the laptop is compliant, laptop will be allowed in the network else will be rejected.
    Here, I would like to have preshared authentication for the SSID in the first phase as my infosec team is very particular about that. How can I achieve that?

    Creating Native Supplicant Profiles
    Before You Begin
    • If you intend to use a TLS device protocol for remote device registration, be sure you set up at least one Simple Certificate Enrollment Protocol (SCEP) profile, as described in Simple Certificate Enrollment Protocol Profiles, page 8-31.
    • Be sure to open up TCP port 8909 and UDP port 8909 to enable Cisco NAC Agent, Cisco NAC Web Agent, and supplicant provisioning wizard installation. For more information on port usage, see the “Cisco ISE Appliance Ports Reference” appendix in the Cisco Identity Services Engine Hardware Installation Guide, Release 1.2.
    Step 1 Choose Policy > Policy Elements > Results > Client Provisioning > Resources.
    Step 2 Choose Add > Native Supplicant Profile.
    Step 3 Specify a Name for the agent profile.
    Step 4 Enter an optional Description for the Native Supplicant Profile.
    Step 5 Select an Operating System for this profile.
    Step 6 Enable the appropriate options for Wired or Wireless Connection Type (or both) for this profile. If you enable the Wireless connection option, be sure to also specify the device SSID and the wireless Security type (either WPA2 Enterprise or WPA Enterprise).
    Step 7 Choose the Allowed Protocol for the device profile.
    Step 8 Enable or disable other Optional Settings as appropriate for this profile.
    You can create native supplicant profiles to enable users to bring their own devices into the Cisco ISE network. When the user logs in, based on the profile that you associate with that user’s authorization requirements, Cisco ISE provides the necessary supplicant provisioning wizard needed to set up the user’s personal device to access the network.

  • C6250 on Win XP will not configure and install

    I installed  HP Photosmart Full Feature Software and Drivers ver 10.0.1.
    Doing a network install, the application sees the printer as a network device.
    However, as it tries to configure and install, I get an ERROR; all it shows me is a large red "X" between the printer and the router, no other information.
    I am running Win XP 32 bit on an HP (Compaq) 6910p Notebook.
    I downloaded the HP Home Network Diagnostic Utility and I was able to send a command to the printer to print a diagnostic page (from my notebook, wireless).
    I have uninstalled and reinstalled 2 times.  I tried downloading this patch:  Critical Update to Correct a PC to Printer Communication Issue  but it failed.  I tried downloading this update:  Critical Update to Enhance Reliability of Network and USB Connectivity and Improve System Responsive...  but it told me I had no SW that required this update.
    Any ideas ?

    It sounds like you are unable to scan and that is why you need to install the printer. One problem I've seen is that a multifunction adapter for your product can be in the device manager prior to installation and that causes the device to fail to install. To open the device manager, go to the control panel and then click device manager (or hold the Windows key and press the Pause key, then click device manager). Once device manager is open, click the View menu and then click the "Show hidden devices" item. You should now see an item in the list in the main window for Multifunction adapters. Look for an entry under Multifunction adapters of "Photosmart C6250". If you find this entry, right-click on it and select "Uninstall" from the drop-down menu. Now try to install the printer by inserting your CD and selecting "Add a device". The install should now succeed. If you didn't find an entry for your printer under multifunction adapters then your problem is elsewhere.
    Mike
    I am an HP employee.

  • CONFIGURE CHANNEL DEVICE TYPE DISK  doesn't function

    Dear all,
    I have a problem with a backup.
    Facts:
    OS: SunOS hod 5.10 Generic_142901-03 i86pc i386 i86pc
    Oracle 11.2.0.1 with RAC
    So, although I put CONFIGURE CHANNEL DEVICE TYPE DISK FORMAT '/rman/backups/%U'; in the RMAN parameters section, the backup was done but in the FRA that is located in
    BS Key  Type LV   Size       Device Type  Elapsed Time  Completion Time
    36 Incr 0 210.82G DISK 10:32:57 24-JAN-13
    BP Key: 36 Status: AVAILABLE Compressed: YES Tag: TAG20130123T210005
    *Piece Name: +DATA/db_name/backupset/2013_01_23/nnndn0_tag20130123t210005_0.442.805496407*
    List of Datafiles in backup set 36...
    And my question is:
    How, although I configured the backups to go to /rman/backups/%U, did this end up located in +DATA (FRA)?
    What am I doing wrong?
    Thanks for your help.

    Thanks for your answer. Here is my RMAN script. We invoked the script like this: rman_db_script.sh SID 0
    #!/bin/ksh
    # mail the failure report to every address in the notify list
    function email_dba
    {
        if [ -s $email_file ]
        then
            subj="$prog: FAILED on $sid@$box at `date`"
            while read dba_id
            do
                mailx -s "$subj" $dba_id < $email_file
                echo "mailx -s "$subj" $dba_id "
            done < /oracle/app/oracle/dba/util/motifylist.txt
        fi
    }
    # set and check
    function set_and_check
    {
        ps -ef | grep ora_pmon_$sid | grep -v grep > /dev/null
        rc=$?
        if [ $rc != 0 ]
        then
            echo "$prog: database $ORACLE_SID is not online" >> $log_file
            echo "$prog: database $ORACLE_SID is not online" >> $email_file
            # email_dba
            exit 1
        fi
        rtime=`date '+%Y%m%d_%H%M'`
        ORACLE_BASE=/opt/app/oracle
        ORACLE_HOME=/opt/app/oracle/product/11.2.0/dbhome_1
        export ORACLE_HOME
        PATH=$ORACLE_HOME/bin:$PATH
        export PATH
        logdir=/opt/oracle/logs
        log_file=$logdir/$prog.$sid.level${bk_level}.log.$rtime
        email_file="$logdir/$prog.email.$sid"
        cat /dev/null > $email_file
        box=`hostname`
        orauser=oracle
        bk_dir=/rman/backups/$sid
        echo "===== `date '+%Y%m%d %H:%M:%S'` $prog: Started =====" > $log_file
        backup_type="INCREMENTAL LEVEL $bk_level"
        # find $logdir -name $prog.*.log.* -type f -mtime +10 -exec /bin/rm -f {} \;
        # find $bk_dir -name ctl.* -type f -mtime +10 -exec /bin/rm -f {} \;
        echo "ORACLE_SID=$ORACLE_SID" >> $log_file
        echo "ORACLE_USER=$orauser" >> $log_file
        echo "ORACLE_HOME=$ORACLE_HOME" >> $log_file
        echo "BACKUP TYPE=$backup_type" >> $log_file
        return
    }
    # backup database and archive logs to disk
    function backup_dbs_to_disk
    {
        echo "===== Backup $sid to FRA Started At `date` =====" >> $log_file
        # here-document body and terminator stay unindented relative to the script margin
    $ORACLE_HOME/bin/rman nocatalog << rman_cmd >> $log_file 2>&1
    connect target
    # backups will be written to the following directory, not to the FRA
    CONFIGURE CHANNEL DEVICE TYPE DISK FORMAT '/rman/backups/%U';
    #CONFIGURE CONTROLFILE AUTOBACKUP ON;
    run
    {
    ALLOCATE CHANNEL ch1 TYPE disk ;
    BACKUP $backup_type
    filesperset 10
    DATABASE;
    sql 'alter system archive log current';
    BACKUP filesperset 10 ARCHIVELOG ALL DELETE ALL INPUT;
    sql "alter database backup controlfile to trace as ''$bk_dir/ctl.trc.$rtime''";
    sql "alter database backup controlfile to ''$bk_dir/ctl.$rtime'' reuse";
    RELEASE CHANNEL ch1;
    }
    #CONFIGURE CONTROLFILE AUTOBACKUP OFF;
    rman_cmd
        rc=$?
        if [ $rc != 0 ]
        then
            echo "Backup $sid to Disk Failed At `date`" >> $log_file
            echo "Backup $sid to Disk Failed At `date`" >> $email_file
            email_dba
            exit 1
        else
            echo "===== Backup $sid to Disk Completed At `date` =====" >> $log_file
        fi
        return
    }
    # delete obsolete backups
    function del_obsolete_bk
    {
        echo "===== Delete Obsolete Backups Started At `date` =====" >> $log_file
    $ORACLE_HOME/bin/rman nocatalog << rman_cmd >> $log_file 2>&1
    connect target
    ALLOCATE CHANNEL FOR MAINTENANCE DEVICE TYPE DISK;
    Report obsolete;
    delete force noprompt obsolete;
    rman_cmd
        rc=$?
        if [ $rc != 0 ]
        then
            echo "Delete Obsolete Backups Failed At `date`" >> $log_file
            echo "Delete Obsolete Backups Failed At `date`" >> $email_file
            email_dba
            exit 1
        else
            echo "===== Delete Obsolete Backups Completed At `date` =====" >> $log_file
        fi
        return
    }
    # main program
    if [ $# -ne 2 ]
    then
        clear
        echo "\nIncorrect argument, ORACLE_SID Backup_Level needed\n"
        echo "\nUsage: $0 ORACLE_SID BACKUP_LEVEL(0/1)\n"
        return 1
    fi
    sid=$1
    bk_level=$2
    diff_cum=$3
    # prog=`basename $0`
    prog=rman_backup_dbs.sh
    export debug='N'
    if [[ $debug = 'Y' ]];then set -x;fi
    unset ORACLE_SID
    unset ORACLE_HOME
    unset SQLPATH
    ORACLE_SID=$sid
    export ORACLE_SID
    set_and_check
    backup_dbs_to_disk
    del_obsolete_bk
    echo "===== `date '+%Y%m%d %H:%M:%S'` $prog: Completed =====" >> $log_file
    subj="$sid@$box backup completed successfully at `date`"
    # while read dba_id
    # do
    # mailx -s "$subj" $dba_id < $log_file
    # done < /oracle/app/oracle/dba/util/backup/scripts/email_dba.list
    return 0
    # end program
    #############################################################################

  • Lms3.2 passwords & preshared key

    Hello,
    I have added some ASAs to my CiscoWorks server.
    When I look at the config I see that preshared keys are removed and replaced by a star *
    I see something like
    tunnel-group cisco ipsec-attributes
    pre-shared-key *
    Then I searched some directories for the plain text config files and they do not contain the preshared keys....
    If I try to recover from a disaster with those "backup files" it's gonna be useless.
    Are there any tricks to include preshared keys and passwords in my config files?
    Thanks

    The devices themselves are putting these stars in the config (starting in 8.2). The way RME archives the config is to do a "show runn" and extract the config from the output. RME does not yet support the ability to do a copy runn tftp, which would allow the clear text passwords to be archived. However, this undoes the security one would get by performing the screen scraping over SSH. Therefore, LMS only uses the "show runn" command to get the config.
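
The masking described in this reply can be checked for in an archive before it is relied on for disaster recovery. The following Python check is an added example, not part of the original posts or of LMS/RME; the sample archive is constructed, and the function names `find_masked_psks` and `restore_gaps` are hypothetical.

```python
import re

# Constructed sample of an archived "show running-config" capture (not from a real device).
# The "legacy" entry with a visible key is constructed to exercise the unmasked branch.
SAMPLE_ARCHIVE = """\
hostname asa-lab
tunnel-group cisco type ipsec-l2l
tunnel-group cisco ipsec-attributes
 pre-shared-key *
tunnel-group branch2 ipsec-attributes
 pre-shared-key *****
tunnel-group legacy ipsec-attributes
 pre-shared-key ExampleKey123
"""

GROUP_RE = re.compile(r"^tunnel-group\s+(\S+)\s+ipsec-attributes$")
# Any line that ends in "pre-shared-key <value>", with or without a prefix keyword.
PSK_RE = re.compile(r"^(?:.*\s)?pre-shared-key\s+(\S+)$")


def find_masked_psks(config_text):
    """Map each tunnel-group to True if its archived key is only asterisks."""
    results = {}
    group = None
    for raw in config_text.splitlines():
        line = raw.strip()
        m = GROUP_RE.match(line)
        if m:
            group = m.group(1)
            continue
        k = PSK_RE.match(line)
        if k and group:
            # Accepts indented sub-mode lines and flattened forum pastes alike.
            results[group] = set(k.group(1)) == {"*"}
        elif not raw.startswith(" "):
            group = None  # a new top-level command ends the sub-mode
    return results


def restore_gaps(config_text):
    """Tunnel-groups whose key must come from another source on restore."""
    return sorted(g for g, masked in find_masked_psks(config_text).items() if masked)


if __name__ == "__main__":
    for name in restore_gaps(SAMPLE_ARCHIVE):
        print(f"tunnel-group {name}: pre-shared-key masked in archive")
```

Any group the check reports needs its key kept in a separate secret store, since the archived file alone cannot rebuild that tunnel.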

  • USB Keyboard Multimedia keys ; two input devices for one keyboard.

    Hi. I can't get my multimedia keys to work (Microsoft Wireless Laser Desktop USB keyboard). They don't show up in dmesg, xev, or the command line scan code program at all, even though the standard keys show as usual.
    One peculiarity is that the keyboard appears to be mapped to two devices /dev/input/event3 (the standard keys) and /dev/input/event4 (the multimedia keys) ; is there a way to "merge" the two inputs ? Is it a kernel problem ?
    TIA, Paul

    I solved my problem :-)
    Keyboard creates two event devices:
    lrwxrwxrwx 1 root root 9 lip 17 12:57 pci-0000:00:1a.1-usb-0:1:1.0-event-kbd -> ../event1
    lrwxrwxrwx 1 root root 9 lip 17 12:57 pci-0000:00:1a.1-usb-0:1:1.1-event- -> ../event2
    I had only the first of them configured in xorg.conf (normal keys). I configured the second device as below (Identifier "Multimedia keys"):
    # Core keyboard's InputDevice section
    Section "InputDevice"
    Identifier "Logitech Media Keyboard 600"
    Driver "evdev"
    Option "Device" "/dev/input/by-id/usb-Logitech_Logitech_USB_Keyboard-event-kbd" # it is my event1
    Option "XkbModel" "evdev"
    Option "XkbLayout" "pl"
    Option "evBits" "+1"
    Option "keyBits" "~1-255 ~352-511"
    Option "Pass" "3"
    EndSection
    Section "InputDevice"
    Identifier "Multimedia keys"
    Driver "evdev"
    Option "Device" "/dev/input/by-path/pci-0000:00:1a.1-usb-0:1:1.1-event-" # it is my event2
    Option "XkbModel" "evdev"
    Option "Protocol" "evdev"
    EndSection
    In ServerLayout I added an entry for InputDevice "Multimedia keys":
    Section "ServerLayout"
    Identifier "Dual Head"
    InputDevice "Logitech MX620" "CorePointer"
    InputDevice "Logitech Media keyboard 600" "CoreKeyboard"
    InputDevice "Multimedia keys" "SendCoreEvents"
    Screen "Desktop"
    EndSection
    And almost all multimedia keys started to work.
    I had small problems with a couple of keys which created keycodes greater than 255. I used keyfuzz to remap these keycodes to something smaller than 255.
    After that I scanned all keycodes with xev, and mapped them to keysymlinks with xmodmap.
    Now all media keys are working and I can configure KDE to use them.
