EX90 and Self-Provisioning IVR

Similar Messages

• Cluster utilization and self-provisioning

  I am moving to a cloud infrastructure with VCAC for self-provisioning. How does this impact my target utilization for my HA cluster?  Previously I was targeting running each cluster at 80% utilization of RAM and CPU on each host for average peak utilization.  now I am going to allow vms to be self-provisioned.  I won't control the provisioning process anymore but various clients and tenants can provision VMs at will without my notice.  As a result, I have to be able to have capacity available more quickly to add VMs, and not suddenly run out of cluster capacity.  I want to minimize waste by running my clusters to capacity, but I also need to maximize elasticity.  What are some guidelines on how to do this?  Anyone have experiences to share -
  1. what did you pick as a target utilization figure and why ?
  2. how did you capacity plan / forecast for cluster capacity?
  3. did you use admission control?

  Sounds like a cool project. Keep in mind that from an infrastructure standpoint HA and admission control are still trying to solve the same problem, recover VMs from a host or OS failure as quickly as possible.
  As an example, if your new cluster has 20 hosts and you want to be able to have a host in maintenance mode and still suffer a host failure and you've decided to use % based admission control policy (this is the default recommendation, I would recommend you evaluate your environment and determine if it is the right option for you), you'll want to set the % at 10%. This will ensure that your cluster has sufficient resources to restart all running VMs. Keep in mind that unless VMs have reservations, HA just reserves capacity to start the VM, there is no guarantee of performance.
  As far as your target utilization, that depends on the SLAs you are providing and your tolerance for risk.
  At the last customer I worked for the answers were:
  1. We reserved capacity in a cluster such that we could have a host in maintenance mode and still lose a host and have no VMs experience performance degradation
  2. vCOps
  3. Yes

• ISE 1.2 WEBAUTH (CWA) + SELF PROVISIONING (NSP)

  I'm trying to achieve the following for our employees, contractors and guest.
  Guests and Contractors should be allowed to access the internet after successful auth on the ISE guest portal login page.
  contractors (ldap contractor group) -> webauth -> internet
  guest (internal ise db via sponsorportal) - webauth -> internet
  Employees should be allowed to register their devices after successful auth on the ISE portal login page and they should be allowed to access the internet once their device is registered. So they don't have to re-enter the credentials every 2 hours. 
  employee (ldap employee group) -> webauth -> nsp -> internet
  In ISE i've created a custom portal with mobile device portal and self-provisioning flow enabled. At the moment I don't have any client provisioning Policy configured and I've set the Native Supplicant Provisioning Policy Unavailable: to Allow network acces. 
  I'm currently experiencing problems with clients and they describe their problem as portal loop. when they enter their credentials they are redirected to the portal once again. I did move around some of the rules and it currently looks like this. At the moment i'm working remote and not able to replicate the problem myself. Any advice would be welcome and much appreciated. 
  Is there any available documention about the builtin attributes in ISE. I'm especially interested in network use EQUALS guest flow.

  Hi Patrick,
  I'm facing similar problem as yours , but on wired . My contractor (I name it vendor) is redirect to guest portal , and when they login they were redirected to the portal again.
  for the devices registration , I have set  the Native Supplicant Provisioning Policy Unavailable: to Allow network acces. 
  my authorization rules as follows :
  1- rules name : Vendor-wired  :  identity : registerddevices AND identitygroup: VENDOR  authorization profile: VENDOR-ACCESS
  2-  rules name : WIRED-CWA  :  identity : any  condition: device-type:SWITCH  authorization profile: CWA-PORTAL
  It looks like , when vendor is login , they are not hitting the first rule , although the device shows up in the registered devices , and the vendor account is in VENDOR identity group (local in ISE) , so they come back again to rules 2 , which redirect them to the CWA-PORTAL again .
  did you find any hint for this problem ?

• EBusiness Suite User "Auto-provisioning" and  "Self-Request" Problem

  I have two types of OIM User, Staff and Contingent
  Staff (Role = Full-Time)
  Contingent (Role = Contractor / Role = Consultant)
  Resource Object: eBusiness Suite User
  Here's my RO configuration:
  Auto Pre-populate: true
  Allow Multiple: true
  Self Request Allowed: true
  Allow All: true
  Auto-Launch: true
  EBS Connector, by default has two forms:
  UD_EBS_UO: Object Form
  UD_EBS_USER: Process Form
  I have requirement which will auto-provision eBusiness Suite User resource to Staff users.
  Originally, UD_EBS_OU is the table name used by the RO. For auto-provisioning to work, I have implemented it this way:
  First, I have defined a User Group for Staff and assign an Access Policy to it (for users with Role == Full-Time).
  Then, I have detached Object Form UD_EBS_UO from the RO. This way, when Staff user is created in OIM, it is automatically provisioned with eBusiness Suite User, though it won't have a Resource Form, only a Process Form. Process Form fields are automatically pre-populated with values (via my Pre-populate adapters).
  Now my problem is during Self-Request. Contingent user doesn't get auto-provisioned with EBS RO, but he can self-request for it. Problem is, since I detached the Object Form from the RO, user is not seeing any form during request. And I have a requirement that approver of the request should also be able to view/modify the details of the request form. But that is not possible now that Object Form does not exist for this RO.
  Is it possible that Self-Request and Auto-Provisioning works both ways under the same Resource Object? How do I configure that? Appreciate your quick response and help. :)
  Edited by: user10202544 on Feb 10, 2010 3:27 AM

  Yes I have set permissions to all users for the Object Form.
  It is required for me to have both Self Request and Auto-provisioning work for eBusiness Suite RO.
  During approval, however, the approver needs to see the Object Form (where he can view/modify its values before approving it). That's impossible for me since I detached the Object Form from the Resource Object. I need do to this for auto-provisioning to work.
  It seems that it doesn't work both ways. Any other suggestions?

• ISE 1.2 - Self-Provisioned devices still in pending registration status

  Hi everybody,
  I'm on ISE 1.2 patch 2, setting up single-SSID self-provisioning BYOD flow which works as expected except for a couple of issues:
  first PEAP authorization always fails (no server certificate confirmation appears on device and no Endpoint Profile is assigned), second on goes through as expected and self-registration flow is started;
  at the end of the flow, TLS certs are installed, device appears in endpoint database under user's account but "Device Registration Status" stays "pending" and this makes it impossibile to further authorized RegisteredDevices identity group;
  single mobile devices gets different "Endpoint Profile" result at each subsquent access. For example: Android smartphones are profiled as Android or HTC device or HP devices or Samsung randomly.
  I've tried to analyze log files but cannot extract a full dump of the profiling process that could help identify why all this happens.
  Can you please help?
  Regards,
  L

  Hi Kevin,
  I did not find and answer. In subsequent patches the self-registration flow seems to have changed somehow and now I have more device in 'Registered' state, but still most of the time at the end of the process there is no guarantee that the devices will be in this stage. I've moved to more broad policies for authorization (i.e. if you have a valid certificate and login from one of the accepted profiles, we'll let you in).
  Please let me know if you open a TAC case, what is the answer.
  Regards,
  L

• ISE upgrade 1.2: Self-provisioning portal not working

  Hi all,
  I need help with Self-Provisioning portal flow not showing the agent installation page after upgrade from 1.1.1 to 1.2 on a couple of 3315. I've configured all the pieces as instructed by BYOD SBA guide at http://www.cisco.com/en/US/docs/solutions/SBA/February2013/Cisco_SBA_SLN_BYOD_InternalCorporateAccessDeploymentGuide-Feb2013.pdf
  Screenshot of page is attached:
  I've checked ise-console.log application log file and found two errors correponding to the first page:
  [portal-http-84431][] SystemConsole -::c0a8a82a000000d7523c70f9::guest:- com.cisco.cpm.provisioning.exception.ProvisioningException: java.security.cert.CertificateException: Unable to initialize, java.io.IOException: DerInputStream.getLength(): lengthTag=127, too big.
  [portal-http-84431][] SystemConsole -::c0a8a82a000000d7523c70f9::guest:-         at com.cisco.cpm.provisioning.cert.CertProvisioningFactory.initialize(CertProvisioningFactory.java:333)
  and the second (not working) one:
  [portal-http-84431][] SystemConsole -:xxxxx@xxxxxxx:c0a8a82a000000d7523c70f9::guest:- java.lang.NullPointerException
  [portal-http-84431][] SystemConsole -:xxxxx@xxxxxxx:c0a8a82a000000d7523c70f9::guest:-  at com.cisco.cpm.provisioning.cache.FlowStateCacheManager.getFlowStateCache(FlowStateCacheManager.java:202)
  Looks like something is wrong with a certification file, but I cannot find what is. I've exported and re-installed current server certificates (as instructed by upgrade guide for 1.2) and nothing changed.
  Can somebody please help?
  Thanks,
  L

  Errors When Adding Devices to My Devices Portal
  Employees cannot add a device that is already added if another employee has previously added the device so that it already exists in the Cisco ISE endpoints database.
  If employees are attempting to add a device that supports a native supplicant, recommend that they use that instead. That registration process will overwrite the original registration and switch ownership to the new user.
  If the device is a MAC Authentication Bypass (MAB) device, such as a printer, then you must resolve ownership of the device, and if appropriate, remove the device from the endpoints database so that the new owner can successfully add the device.
  For more information on self-provisioning.
  http://www.cisco.com/en/US/docs/security/ise/1.2/user_guide/ise_mydevices.html Errors When Adding Devices to My Devices Portal
  Employees cannot add a device that is already added if another employee has previously added the device so that it already exists in the Cisco ISE endpoints database.
  If employees are attempting to add a device that supports a native supplicant, recommend that they use that instead. That registration process will overwrite the original registration and switch ownership to the new user.
  If the device is a MAC Authentication Bypass (MAB) device, such as a printer, then you must resolve ownership of the device, and if appropriate, remove the device from the endpoints database so that the new owner can successfully add the device.
  For more information on self-provisioning.
  http://www.cisco.com/en/US/docs/security/ise/1.2/user_guide/ise_mydevices.html

• CUCM 10 Self Provisioning Problem with TAGs on Universal Device Template

  Hi friends.
  I've been provisioning IP Phone by Self Povisioning. The phones were provisioned almost perfectly. I notice the TAGs that i filed up on Device Template (look above), are not "translated" on Device Phone.
  Universal Device Template
  The Tags on Universal Line Template comes  perfectly to Line Description.
  Had you ever seen something like this?
  Kind Regards
  Fernando Penteado

  Hi folks. I could identify the problem with Variable and TAG. In order to Self Provisioning works fine, we need to mark Owner User on Universal Device Template.
  Look that.
  Thanks

• ISE Guest Self-Provisioning Portal

  Hi,
  I  get the Guest portal page and my credentails authenticate correctly and  the device is authenticated using MAB. Then I redirect to Self-Provisioning portal and get this message
  This device has not been registered
  You need to manually configure your device
  Your device configuration is not supported by the setup wizard
  Device ID < MAC of my windows XP PC
  Any idea how to enable self registration for gests?
  My goal is when guest is authenticated in first time it need to enter credentials and to registered MAC address,then when guest come again it need to pass only authentication, without registration MAC address.
  Thanks

  Tarik, where is the mistake in my steps?
  1) I create Authorization Profile for Guest devices registration (see attach AuthProfile)
  2) I create Authorization Profile for Web Registration
  3) I create Authorization Policy (see attach AuthPolicy)
  When user connects to the network, he is redirected to Guest Portal where he needs to aply AUP, after clicking "Accept" error appears (see attach ISE_Error). In ISE I see the folowing errors (see attach ISE_Auth_Error).

• Java not recognized by Cisco Self-Provisioning Portal on Apple computers

  Have a Mac Mini running that had this problem under OSX 10.8 and is persisting in 10.9.  When this computers reaches the self-provisioning portal, after clicking submit on the MAC address registration, the following screen displays an erroneous error that Java isn't installed.
  Have gone through updating Java from Apple (2013-005) as well as from Oracle/Java (1.7), and applied several variations of uninstalling and reinstalling Java, doesn't seem to make a difference.  From the top, the Mac Mini attaches to Wifi and the self-provisioning page appears with an authentication request.  User authenticates succesfully.  The next page displays the MAC address for the machine and a description field.  Upon filling out the description, the page is submitted.  The following page tha should complete the provisioning process, rather, displays an error that Java isn't installed and the user should go to java.com to complete the installation.  According to the Java.com, Java is installed. According to terminal (by executing the command "java -version"), Java is installed. Running other Java applications, like JDE, run perfectly well.  The self-provisioning page seems to be unaware of Java despite everything else.  Ideas?

  Thanks. No dice. The instructions on that page also appear to be woefully out of date too. In Safari, on the preferences security tab, there is no checkbox for "Enable Java" (I think that is a Safari 6.0.4 thing on OS X 10.8 or thereabouts). In OS X 10.9 there's just the "allow plugins" checkbox and the "manage website settings" button. Assuming this is where it's at now, moving to the Java plugin in the list, they were already "allow". I went a step further and set it for the three websites listed (that include the provisioning portal domain) to "allow always". No luck. Then went to another step further and click "run in unsafe mode" for every item in the Java website list and again it made no difference. The self provisioning portal page still says that Java isn't installed :-(
  For Firefox, the instructions on that page are out of date too. Under what I believe are the correct settings, the Java applet plug-in for 7.45 is set to "always activate". I assume this is the same thing as seeing the "disable" button in previous FF versions, indicating that the job applet plug-in is actively running.
  The chrome instructions on the page are irrelevant because my OS X and hardware are 64-bit and so is Java but not chrome. Therefore Java doesn't run on chrome on this machine in the first place.
  I don't know who's browser the self provisioning portal fires up since it fires up its own window, not a Firefox or Safari specific one. In windows for example the self-provisioning portal fires up a tab in IE. That actually makes it simpler to debug IMO.
  Any more advice? Java seems to be running just fine for every thing else. What am I missing?
  UPDATE (Just another thought)
  Alternatively, could it be a the with WebKit? Or Cisco's implementation of WebKit (as far as whether any changes would have been required for OS X 10.9 in the way with kids is instantiated)? If or example the self provisioning portal is opening up its own "browser" by using the Safari webkit function (as opposed to opening a tab directly in Safari itself) could this be a bug in Safari itself, or a changed API that Cisco has failed to implement (considering the other incompatibilities various Cisco products have with OS X 10.9)? I just hope that the problem is something that I can fix with a workaround rather than waiting for a patch from either Apple or Cisco that may or may not come anytime soon? :-/

• Certificates - server self provisioning

  I have an OES 11 server that is the certificate authority for my tree.
  Server self-provisioning is enabled. My ZCM 11 server just reported
  that the certificate is due to expire in less than 90 days. Just
  trying to be pro-active. I assume that self-provisioning will
  recreate the certificate soon, but the only thing I have found is
  this:
  https://www.netiq.com/documentation/...u.html#b9zmjmu
  which makes it look like I need to actually reboot the server or they
  will never get re-created. So what needs to happen?
  Ken

  Hello,
  you could trigger the pki health check by unloading and reloading the pkiserver module in edirectory.
  If self provisioning is enabled, this will create new server certificates if expired.
  (but I don't know how many days before)
  And this checks and exports the CA and server certificates from edirectory to files on the server.
  I've done this a few times to renew certificates online without restarting the server or edirectory.
  But I'm not sure how this affects ZCM!!
  ndstrace -c "unload pkiserver"
  -> check /var/opt/novell/eDirectory/log/ndsd.log
  ndstrace -c "load pkiserver"
  -> check /var/opt/novell/eDirectory/log/ndsd.log
  and /var/opt/novell/eDirectory/log/PKIHealth.log
  Information about creating or exporting certificates will be in PKIHealth.log
  Then you need to reload some services:
  LDAP:
  ndstrace -c "unload nldap"
  ndstrace -c "load nldap"
  -> check /var/opt/novell/eDirectory/log/ndsd.log if ldap loads again.
  For me in some few situations ldap does not load again, so edir must be restarted anyhow
  LUM:
  namconfig -k
  rcnamcd restart
  Other:
  rcapache2 restart
  rcnovell-httpstkd restart
  rcnovell-tomcat6 restart
  rcsfcb restart
  If other oes server using this server as ldap-server you have to do the
  namconfig -k
  rcnamcd restart
  on these servers too.
  regards
  Matthias
  Originally Posted by ab
  On 03/27/2014 03:11 PM, KeN Etter wrote:
  > On Thu, 27 Mar 2014 19:12:03 GMT, ab <[email protected]>
  > wrote:
  >
  > Thanks for the explanation!
  >
  >> An eDirectory restart is required, I believe. You may also be able to run
  >> 'ndsconfig upgrade' and have it do it, or else you can always use the
  >> iManager tools to recreate them. I'm 99% sure, though, that without at
  >> least some kind of interaction the certs will not be recreated.
  >
  > The docs state that the certs will be recreated if they are "about to
  > expire". So if I restart eDirectory or the server, how close to the
  > expiration date do I need to be for them to be automatically
  > recreated? Or should I just manually recreate them? (But then server
  > self-provisioning seems a bit useless.)
  I believe ninety days is the threshold. If not, definitely thirty. The
  self-provisioning, in that case, makes sense if you regularly restart eDir
  (monthly, for example, to grab a backup, or apply other patches for eDir
  or the OS, etc.). It may also make sense as I believe it causes the cert
  to be auto-exported to the filesystem so that other applications can
  easily see them and trust them. Maybe this is a different but related
  feature, but as I have not looked closely at the docs don't quote me on
  it. Either way I agree... it could be more-useful to have something
  actually happen in environments with non-microsoft uptimes.
  Good luck.
  If you find this post helpful and are logged into the web interface,
  show your appreciation and click on the star below...

• Maintain the acct key and accruals/provisions in the calculation schema

  Dear All,
  I have a problem during invoice posting.
  I create a new freight condition type & assigned it to the calculation schema. I also create a  new account key & assigned to the calculation schema in  accrual keys. Then done OBYC settings. During MIGO, its working fine. But when i post the Miro against po, giving an error msg., "Maintain the acct key and accruals/provisions in the calculation schema, Message no. M8434"
  plz help me to solve this issue.

  Have you ticked the 'Acruals' in control data 2 in M/06 for this condition.
  Regards,
  Piyush

• Maintain the acct key and acurals/provisions in calculation schema-MIRO

  Hi,
  In PO we have maintained different delivery condition.
  When we are doing MIRO we are getting error "maintain the acct key and acurals/provisions in calculation schema" for condition type YLBB and YLBE.
  However we have checked condition type and calulation schema and found that acct key and accurals maintained.
  YLB9     BivacInspec.fee/Quan
  YLBB     LPRC charges/Quant.
  YLBC     Port charges/Quant.
  YLBE     Clearing Charges/Qt.
  Please suggest somesolution.
  Thanks
  Ashok

  Hi Ashok,
  In M/08  check whether   acct key and acurals/provisions in calculation schema" for condition type YLBB and YLBE are maintained or not.
  Also if they are maintained there then check in M/06 for condition type YLBB and YLBE  , whether accurals check box are checked or not...If not check and then try.
  Cheers!!!
  Utsav

• ISE 1.0 Posture and Client provisioning

  I've configured 802.1x with dynamic VLAN for users and MAB for phones - it works fine. Now I wanna to implement client provisioning and posture validation for users. After reading ISE user guide there are still several big questions:
  1. Is it possible to combine 802.1x and posture? (it was not recommended with NAC)
  2. How can I bind existing 802.1x authorization profile and posture policy?
  3. What is a switch configuration for client provisioning to work(redirect, quarantine zone, download NAC agent)?
  4. Do ISE posture and client provisioning have L2 virtual gateway, trusted and untrusted ports, as in NAC?

  With ISE you can perform 802.1x first and after that optionally you can perform posture. This is done with Radius, that's why it's really and completely out of band, and there's no such concept of trusted or untrusted port because the traffic is never inline.
  Still, with ISE you have another option of "inline Posture", in which there's trusted and untrusted ports. I guess that's for some specific cases in which you can't go out-of-band.
  On the other hand, so called "out-of-band" NAC was really always an inline solution, only after the user has authenticated and security policies have been verified then the user goes "out-of-band".

• Reset transfer posting for doubful receivables and its provisions

  Dear Expert,
  I have run f103 (transfer posting for doubful receivables) and f104 (provisions for doubful receivable) but the value is wrong.
  is it possible if i want to reset/cancel f103 and f104 and the rerun it? how can it be?
  Thx n regards,
  Marilyn

  SE93 add variant

• Cisco ISE posture assesment and client provisioning

  Hello,
  I have Cisco ISE and Cisco IOS device. I have configured RADIUS in between these device.
  Also I have configured RADIUSbetween Cisco ISE and Cisco ASA. Now I want to know that how to do posture assesment for these devices(Cisco ISE and Cisco ASA or Cisco ISE and Cisco IOS). Please give me whole steps to do posture assesment for cisco ios device in Cisco ise.
  Also, please provide me logs related to posture assesment and client provisioning.
  Thanks in advance.

  You may go through the below listed link to download a PDF link
  Posture assessment with ISE.
  http://www.cisco.com/web/CZ/expo2012/pdf/T_SECA4_ISE_Posture_Gorgy_Acs.pdf
  ~BR
  Jatin Katyal
  **Do rate helpful posts**