FQDN ACL on 3650/3850 with centralized webauth

Hi.
I'm trying to understand and use the fqdn acl on the IOS-XE platform. Has anyone tried this?
What I'm trying to achieve is allowing Android clients to download the native supplicant software from Google Play store without having an ACL with a lot of IP addresses. The documentation of fqdn acl is very slim and not so much help. 
Desired result: Clients are allowed to go to play.google.com and android.clients.google.com, but everything else has to be redirected to ISE. 
ip access-list extended NSP
 deny   udp any eq bootps any
 deny   udp any any eq bootpc
 deny   udp any eq bootpc any
 deny   udp any any eq domain
 deny   tcp any any eq domain
 deny   icmp any any
 deny   ip any host A.B.C.D
 permit ip any any
 exit
passthru-domain-list NSP
match play.google.com
match android.clients.google.com
exit
access-session passthru-access-group NSP passthru-domain-list NSP
Host A.B.C.D is the ISE node. I've verified that the client gets the ACL, but it isn't allowed to go to play.google.com so the passthru is misconfigured or doesn't work. 
I'm running ISE 1.3 with 3650. 
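
The post's ACL and domain list run through a simplified Python model, as an added example that is not part of the original post and not Cisco's implementation. It assumes a redirect ACL treats `permit` as "redirect" and `deny` as "do not redirect", and that passthru addresses are learned by snooping DNS answers for the listed names (exact match); the function names and all IP addresses are constructed, with 192.0.2.10 standing in for A.B.C.D.

```python
import ipaddress

PORTS = {"bootps": 67, "bootpc": 68, "domain": 53, "www": 80}
# ACL and domain list as posted; A.B.C.D (ISE node) -> constructed 192.0.2.10.
NSP_ACL = """
deny   udp any eq bootps any
deny   udp any any eq bootpc
deny   udp any eq bootpc any
deny   udp any any eq domain
deny   tcp any any eq domain
deny   icmp any any
deny   ip any host 192.0.2.10
permit ip any any
"""
NSP_DOMAINS = ["play.google.com", "android.clients.google.com"]


def _endpoint(tokens):
    """Consume 'any' or 'host X', then an optional 'eq PORT'."""
    word = tokens.pop(0)
    if word not in ("any", "host"):
        raise ValueError(f"unsupported address form: {word}")
    addr = ipaddress.ip_address(tokens.pop(0)) if word == "host" else None
    port = None
    if tokens and tokens[0] == "eq":
        name = tokens[1]
        del tokens[:2]
        port = PORTS[name] if name in PORTS else int(name)
    return addr, port


def parse_acl(text):
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        action, proto = tokens.pop(0), tokens.pop(0)
        aces.append((action, proto, *_endpoint(tokens), *_endpoint(tokens)))
    return aces


def acl_action(aces, proto, src, sport, dst, dport):
    """First matching entry wins; an ACL ends with an implicit deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, a_proto, a_src, a_sport, a_dst, a_dport in aces:
        if (a_proto in ("ip", proto) and a_src in (None, src)
                and a_dst in (None, dst) and a_sport in (None, sport)
                and a_dport in (None, dport)):
            return action
    return "deny"


def snoop_dns(domains, learned, qname, answers):
    """Assumption: answers for listed names (exact match) bypass redirect."""
    if qname.lower().rstrip(".") in domains:
        learned.update(ipaddress.ip_address(a) for a in answers)


def decide(aces, learned, proto, src, sport, dst, dport):
    if ipaddress.ip_address(dst) in learned:
        return "passthru"
    # Redirect ACL semantics: permit = redirect, deny = do not redirect.
    hit = acl_action(aces, proto, src, sport, dst, dport)
    return "redirect" if hit == "permit" else "no-redirect"


def demo():
    aces, learned = parse_acl(NSP_ACL), set()
    # Constructed client, Play Store and unlisted-host addresses.
    client, play, other = "198.51.100.20", "203.0.113.5", "203.0.113.99"
    out = {"dns": decide(aces, learned, "udp", client, 50000, "198.51.100.1", 53),
           "before_dns": decide(aces, learned, "tcp", client, 50001, play, 443)}
    snoop_dns(NSP_DOMAINS, learned, "play.google.com", [play])
    snoop_dns(NSP_DOMAINS, learned, "cdn.example.net", [other])  # not on the list
    out["after_dns"] = decide(aces, learned, "tcp", client, 50001, play, 443)
    out["unlisted"] = decide(aces, learned, "tcp", client, 50002, other, 443)
    out["ise"] = decide(aces, learned, "tcp", client, 50003, "192.0.2.10", 8443)
    return out
```

In this model `demo()` reports Play Store traffic as redirected until a DNS answer for a listed name has been seen, and traffic to hosts resolved from names outside the list stays redirected.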

Hi Ian,
It is a long post & many questions 
I will try to answer as much as I can.
"I have not configured a Mobility Oracle (MO) since I only have one MC and the GA. If it is advisable to do, then would it be best to enable the MO on the MC or GA?"
No, you don't want MO unless your set-up is extremely large (it is similar to use of BGP route reflector to reduce complexity of having full mesh)
"My initial thoughts with the Mobility Agents (MA) was that it was a simple case of pointing the 3850s to the MC and the wireless service (WLAN) configurations would automatically appear. Through configuration tests and converged access deployment guides, I now believe this to no longer be the case. Therefore, for MAs to advertise wireless services they have to be individually configured. Am I correct with my thoughts?"
Yes, you have to configure your WLAN configuration in MC & MA, it won't automatically propagate to MA.
"For the deployment of WebAuth wireless services on the MA 3850 switches, I have not managed to find a guide that explains how an MA anchors wireless clients to the GA. I have found documents that describe combined MC/MA configurations to GA, but not when the 3850 is just an MA"
I have not configured this, but this is my understanding.  You would configure MA WLAN  pointing to GA as mobility anchor. Still traffic will transit through MC as it will manage MA & SPG (anything outside SPG should go through MC)
Here is some useful reference information I gathered over time. (white paper is the one you should read to cover everything)
https://supportforums.cisco.com/discussion/11984726/converged-access-design-information
HTH
Rasika
*** Pls rate all useful responses ****

Similar Messages

  • Adapter monitoring with central SLD!

    Hi ,
    we have central SLD in our landscape(different host from XI server),and our basis guys installed PI7.0 SP12.And AE is local as I can see under Integration server.
    I can see JPR in adapter in adapter monitoring.
    I have question here!
    should it needs to show all the list of adapters (FILE,JDBC,JMS,SOAP etc)in adapter monitoring in RWB?does it vary,if sld is central or local ?
    what is the ideal way.
    thank you,
    babu

    "where the adapter engine should appear in RWB under integration server or under non central adapter engine if we have installed central AE and central SLD?"
    Under Component monitoring -> Integration server -> Adapter Engine
    "and it has show all the adapters when we install central AE and with central SLD when we further click the show all adapters?"
    As I mentioned above, you may view all the adapters after clicking
    Adapter Engine -> Adapter Monitoring
    "or is it changed since PI 7.0 to communication channel monitoring and no adapter monitoring?"
    Yes. Now the monitoring of adapters is much more intensively done by Communication Channel Monitoring
    Regards,
    Prateek

  • JFServer.exe fault in Windows 2008 server with Central V 5.7

    I have an installation of Central 5.7 running 6 instances on Windows 2008 server 64 bit and have noticed that the six instances don't always come up when the machine is rebooted.  Here is the error that it logs in the Central Log. 
    "Open of table 'C:\Users\Userid|Appdata\Local\Temp\JFX8A00.tmp' failed.
    This also sometimes happens when I make changes to jobs in one of the instances and there seems to be no pattern to what instances it happens in.
    This behavior does not appear to happen with Central 5.7 running on XP or 2003 server.
    Any thoughts on why this might be happening?

    This is a recently known issue specific to Central on Windows 2008
    Contact Adobe Support to obtain the patch. You can find their contact details in your support agreement.

  • Error in test with Central Output Pro Server 5.5

    I am getting the following error,
    when I testing the Central Output Pro Server.
    I begin with a Central Output Pro Server Vers. 5.5 (demonstration version)
    some is the example which I use, I always have the same message in the logs:
    [313]*** Spawn of agent may have failed ***
    [306]Processing file 'exmpl1.dat', '^job exmpl1 "d:\Program Files\Adobe\
    [307]Launching task '"jftrans" "C:\Program Files\Adobe\Central\Server\Data\exmpl1.dat"
    [314]Agent exit message: [313]*** Spawn of agent may have failed ***
    [375]Skipping event because infile A is missing.
    It is probably a configuration problem? but that to make.

    I was checking my log file and I noticed an anomaly between some of the "launching" log entries. That got me to looking further into my jfserver.ini file. I think I know what your problem is.
    Every program (agent) that Central can launch has to have entries in the jfserver.ini file. This includes the agents that come with Central as well as any custom agents that are added later (we have several that we've written for our application). These entries include an EXEPATH statement that is specific to the agent. Apparently this is separate and in addition to the entry in the [Paths] section.
    For your specific problem look for a section with a [jftrans] header. It may be missing, or it may just be missing the ExePath entry or that entry may be blank.
    If one is fouled up, look for others. If all options of Central were checked when it was installed you should have entries like the following. These are all in my file as a result of the installation. Of course the actual location would be different.
    [JFSTARTUP]
    ExePath=C:\JetForm\Central\Bin
    IniFileName=C:\JetForm\Central\Server\JFSTARTUP.ini
    LogFileName=C:\JetForm\Central\Server\jfserver.log
    EditCfgRtn=notepad %s
    [JFSHUTDN]
    ExePath=C:\JetForm\Central\Bin
    IniFileName=C:\JetForm\Central\Server\JFSHUTDN.ini
    LogFileName=C:\JetForm\Central\Server\jfserver.log
    EditCfgRtn=notepad %s
    [JFERROR]
    ExePath=C:\JetForm\Central\Bin
    IniFileName=C:\JetForm\Central\Server\PrtErrorCheck.ini
    LogFileName=C:\JetForm\Central\Server\jfserver.log
    EditCfgRtn=notepad %s
    [DEFAULT]
    ExePath=c:\jetform\central\Bin
    IniFileName=c:\jetform\central\Server\jfmerge.ini
    [JFNOJOB]
    ExePath=c:\jetform\central\Bin
    IniFileName=c:\jetform\central\Server\jfnojob.ini
    [JFEMSEND]
    ExePath=c:\jetform\central\Bin
    IniFileName=c:\jetform\central\Server\jfemsend.ini
    EditCfgRtn=notepad c:\jetform\central\Server\jfemsend.ini
    [JFMERGE]
    ExePath=c:\jetform\central\Bin
    IniFileName=c:\jetform\central\Server\jfmerge.ini
    [JFPVAGENT]
    ExePath=c:\jetform\central\Bin
    IniFileName=c:\jetform\central\Server\jfpvagent.ini
    EditCfgRtn=Notepad c:\jetform\central\Server\jfpvagent.ini
    [JFTRANS]
    ExePath=c:\jetform\central\Bin
    IniFileName=c:\jetform\central\Server\jftrans.ini
    EditCfgRtn=notepad c:\jetform\central\Server\jftrans.ini
    [XMLIMPORT]
    ExePath=c:\jetform\central\Bin
    EditCfgRtn=Notepad c:\jetform\central\Bin\xmlimport.xci
    IniFileName=c:\jetform\central\Bin\xmlimport.xci

  • Can you use Multi Factor Authentication server with Central NPS and RD Gateway?

    Hi,
    Does anyone have any experience getting the Azure Multi-Factor Authentication (MFA) on-premise server, working with a Remote Desktop Gateway server, and a centralised NPS server?  I can get a solution whereby a user can get the second token (phone call/sms etc.) but the connection never gets established.  It looks like it's looping as it repeats the phone call/text for a second time but again no connection.  I can’t figure out why.
    All the blogs are very vague as to whether you can combine a new MFA NPS connection policy with an existing username/group membership NPS policy on a centralised NPS server (with RAP/CAP policies).
    I need to understand whether we can combine both an MFA Radius policy with a Username/Password plus group membership NPS policy together to achieve two factor authentication.
    Do you have the Remote Desktop Gateway Server connect to the Central NPS server and then the NPS server use the MFA server as its proxy server? In effect turning the NPS server into a proxy Radius server?  
    Or do you configure the Remote Desktop Gateway server to use the MFA server as the proxy Radius server, and configure the MFA server to send on Radius requests to the central NPS server?
    Or are either of these scenarios not supported and you can only use the MFA server as the only Radius server in the auth. process? (bypassing NPS policies?)
    Thanks if someone can assist,
    I’ve been using these blogs but to no successful effect:
    http://technet.microsoft.com/en-us/library/dn394287.aspx
    http://www.rdsgurus.com/uncategorized/step-by-step-using-windows-server-2012-r2-rd-gateway-with-azure-multifactor-authentication/
    http://dave.harris.uno/installing-and-configuring-azure-multi-factor-authentication-mfa/

    Hi Michael,
    Thank you for posting in Windows Server Forum.
    After going through your description, I can say that we can use MFA server with central NPS and RD Gateway. Also the link which you have provided points the step to apply. In addition you can refer below article.
    Configure Remote Desktop Gateway to use Multi-Factor Authentication
    Hope it helps!
    Thanks.
    Dharmesh Solanki
    TechNet Community Support

  • Accounting on 3850 with 2702 AP

    Hi,
    Just installed a 3850 with the latest version and access points 2702i.
    By now everything is working just fine except the accounting, in particular the fields Calling-station-id and called-station-id where I get IP addresses.
    I was expecting to see the client MAC and the AP or WLC MAC (not sure on this last one).
    My question is if this is some kind of bug or misconfiguration!? If this is a bug when will it be solved?
    Best regards,
    Hugo Veiga
    -------------------------Debugs----------
    version:  WS-C3850-48P       03.06.01E         cat3k_caa-universalk9
    PAC#debug radius accounting
    *Dec  9 18:04:37.668: RADIUS:  User-Name           [1]   15  "[email protected]"
    *Dec  9 18:04:37.668: RADIUS:  Calling-Station-Id  [31]  16  "192.168.203.21"
    *Dec  9 18:04:37.668: RADIUS:  Called-Station-Id   [30]  12  "10.244.2.1"
    *Dec  9 18:04:37.668: RADIUS:  NAS-Port-Id         [87]  5   "127"
    *Dec  9 18:04:37.668: RADIUS:  NAS-IP-Address      [4]   6   10.254.208.3             
    *Dec  9 18:04:37.669: RADIUS:  Nas-Identifier      [32]  5   "PAC"
    *Dec  9 18:04:37.669: RADIUS:  Vendor, Airespace   [26]  12 
    *Dec  9 18:04:37.669: RADIUS:   Airespace-WLAN-ID  [1]   6   1                         
    *Dec  9 18:04:37.669: RADIUS:  Tunnel-Type         [64]  6   00:VLAN                   [13]
    *Dec  9 18:04:37.669: RADIUS:  Tunnel-Medium-Type  [65]  6   00:ALL_802                [6]
    *Dec  9 18:04:37.669: RADIUS:  Tunnel-Private-Group[81]  6   "1202"
    *Dec  9 18:04:37.669: RADIUS:  Framed-IP-Address   [8]   6   192.168.203.21           
    *Dec  9 18:04:37.669: RADIUS:  Class               [25]  46 
    *Dec  9 18:04:37.669: RADIUS:   6A F4 06 40 00 00 01 37 00 01 02 00 C0 A8 64 01 00 00 00 00 00 00 00 00 00 00 00 00 01 CF FF 53 2B 29 3B 56 00 00 00 00 00 A5 30 5B       [ j@7dS+);V0[]
    *Dec  9 18:04:37.669: RADIUS:  Acct-Session-Id     [44]  10  "0000509A"
    *Dec  9 18:04:37.669: RADIUS:  Vendor, Cisco       [26]  49 
    *Dec  9 18:04:37.669: RADIUS:   Cisco AVpair       [1]   43  "audit-session-id=0af40201548739b200003c71"
    *Dec  9 18:04:37.669: RADIUS:  NAS-Port-Type       [61]  6   802.11 wireless           [19]
    *Dec  9 18:04:37.669: RADIUS:  Acct-Authentic      [45]  6   Remote                    [3]
    *Dec  9 18:04:37.670: RADIUS:  Service-Type        [6]   6   Framed                    [2]
    *Dec  9 18:04:37.670: RADIUS:  Vendor, Cisco       [26]  27 
    *Dec  9 18:04:37.670: RADIUS:   Cisco AVpair       [1]   21  "service-type=Framed"
    *Dec  9 18:04:37.670: RADIUS:  Acct-Status-Type    [40]  6   Start                     [1]
    *Dec  9 18:04:37.670: RADIUS:  Acct-Delay-Time     [41]  6   0                        

    Found the solution. The correct answer:
    issue the command: wireless security dot1x radius call-station-id macaddress

  • Finding other files with Centrale

    I have (sadly) upgraded to a new laptop. I have successfully moved all my media files to the new laptop.
    My new laptop has Win7. It is a home deluxe version, and therefore there is no WinXP emulator available. So, my beloved Creative Media Organizer no longer works. I'm stuck with Centrale.
    I download a lot of podcasts and other files that are NOT part of my 'music library' on the laptop, and I cannot, after MANY attempts and much research, figure out how to access files that are not part of the music library with the Creative Centrale (or the Windows Explorer, I tried that too.)
    Any suggestions?

    Do you or have you ever tried to put dvds on your iPod?
    If they don't rip right they will still go on your iPod and you will have no way to get to them. Have you tried the following..?
    This bar should not take more than few megabytes so you must have used your iPod in disk mode and added files through My Computer. To delete these go to My Computer > iPod (make sure your iPod "disk use" is enabled in iTunes) and delete the files you added there. DO NOT try to delete any files/folders that you did not create as it will mess up your iPod.
    Best Regards, Zack

  • DPM console not connecting . Error- Cannot connect to Data Protection Manager. This version of DPM is not supported with Central Console Client (ID : 33345) DPM console not connecting

    I am having problem connecting the DPM console to the server. It gives me following error -
    "Cannot connect to Data Protection Manager. This version of DPM is not supported with Central Console Client (ID : 33345)"
    The server is DPM R2 and the same console is working on one other computer.
    Any idea how to solve the problem?
    Thanks   

    Hi
    Please make sure you have both versions of Microsoft Visual C++ 2008 Redistributable installed..
    Also make sure you have .netframework 2 installed. If you look at the dpm logs it should say what is missing.

  • DMVPN phase 3 migration with Central hub

    I am looking at migrating my phase 2 DMVPN network to phase 3. The current network contains 3 regional hubs each serving approx 100 spokes. The end goal is to be able to build spoke to spoke tunnels between sites that are homed to hubs in different regions. I understand from reading the document "Migrating from Dynamic Multipoint VPN Phase 2 to Phase 3" that phase 3 regional hubs can be linked in a hierarchy via a central hub but there is no detail in the doc and I have not been able to find a white paper that deals with this specifically. Does anyone have experience with this topology or have documentation that deals with central hub configuration and deployment?
    Regards,
    Mike

    Mike,
    Might be a good idea to run this by your SE.
    In general phase 3 design with phase 3 images you need to remember you will follow routing for NHRP, i.e. if you summarize properly you will scale pretty decently (with or without regional hub).
    What are the benefits of phase 3 design compared to phase 2 design that you're trying to achieve?
    Marcin.
    P.S. If we're talking about same migration document
    http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6660/ps6808/prod_white_paper0900aecd8055c34e_ps6658_Products_White_Paper.html
    it's an un-maintained marketing document, all our efforts to correct some of the problems there (ip ospf network point-to-multipoint for example) so far have not come to fruition.

  • Fiori CRM apps with central hub deployment

    Hello Experts,
    We are looking to configure Fiori CRM apps in our landscape with central hub deployment option. Our CRM backend and frontend server (Gateway) are 2 separate systems.
    The CRM backend system (CRM 7.0 EHP3) is running NW 7.4 whereas the frontend server where we have installed the Gateway component is running NW 7.31. Can we go ahead and install the CRM UI components on our frontend server or is it mandatory that the frontend server also runs NW 7.4?
    Regards,
    Saurabh
    Tags edited by: Michael Appleby

    Hi Masa,
    The link you mentioned gives details about the required SAP Gateway Components for NetWeaver 7.3 & 7.4, but does not mention anywhere whether the NetWeaver version of the backend business suite system should necessarily be NW7.4 if we have front-end system on NW7.4.
    I am looking to clarify the doubt regarding whether both front-end and back-end systems should be on the same NetWeaver release or it is fine to have front-end on 7.31 and back-end on 7.4
    Regards,
    Saurabh

  • 3850 with ISE Guestportal no redirect in V 3.3.4

     Hi, Experts,
    I currently have a customer problem. We use a 5508 WLC as mobility controller and 3850 as Mobile Agents. For AAA we use ISE with profiling and guest portal.
    In 3850 Release V3.6 everything is o.k.
    In 3850 Release V3.3.4 the user gets no redirect Guest Page from ISE. We must use this software because it solves other problems and can be managed from Prime.
    Does anyone have an idea ?
    Thanks !
     Redirect ACL from ISE :
    Deny DHCP, DNS, 192.168.105.10
    Allow http,https
    URL : (https://192.168.105.10/........
    Config from 3850 Switch:
    aaa group server radius ISE
    server name xxx-ise-01
    server name xxx-ise-02
    ip radius source-interface Vlan32
    ip access-list extended ACL_PREAUTH
    remark Allow DHCP
    permit udp any eq bootpc any eq bootps
    remark Allow DNS
    permit udp any any eq domain
    permit icmp any any
    remark Allow ISE Portal
    permit tcp any host 192.168.105.10 eq 8443
    permit tcp any host 192.168.105.10 eq www
    permit tcp any host 192.168.105.10 eq 8905
    permit tcp any host 192.168.105.10 eq 8909
    permit udp any host 192.168.105.10 eq 8905
    permit udp any host 192.168.105.10 eq 8909
    permit tcp any host 192.168.105.11 eq 8443
    permit tcp any host 192.168.105.11 eq www
    permit tcp any host 192.168.105.11 eq 8905
    permit tcp any host 192.168.105.11 eq 8909
    permit udp any host 192.168.105.11 eq 8905
    permit udp any host 192.168.105.11 eq 8909
    remark Cleanup
    deny ip any any
    permit tcp any host 192.168.105.10 eq 443
    permit tcp any host 192.168.105.11 eq 443
    ip access-list extended ACL_REDIRECT
    remark Pass through all non-web traffic including 443 to radius server
    deny udp any eq bootpc any eq bootps
    deny udp any any eq domain
    deny ip any host 192.168.105.10
    deny ip any host 192.168.105.11
    remark Redirect all other web traffic
    permit ip any any
    ip access-list extended REDIRECT
    deny icmp any any
    deny udp any any eq bootps
    deny udp any any eq bootpc
    deny udp any any eq domain
    deny ip any host 192.168.105.10
    permit tcp any any eq www
    permit tcp any any eq 443
    wireless mobility controller ip 192.168.127.8 public-ip 192.168.127.8
    wireless management interface Vlan127
    wireless rf-network xxxxx
    wlan xxxxx-Internet 1 xxxxx-Internet
    aaa-override
    accounting-list ISE
    client vlan 1114
    ip flow monitor xxxxx-flowmon-avc input
    ip flow monitor xxxxx-flowmon-avc output
    mac-filtering default
    nac
    no security wpa
    no security wpa akm dot1x
    no security wpa wpa2
    no security wpa wpa2 ciphers aes
    no shutdown

    Hi ,
    Is it Central web-authentication/BYOD  or WLan traffic anchored to some other controller ?
    In any case I can only bring out one difference , In 3.6 version , stuff like redirection etc on IOS-XE acts similar to what we have been doing IN CUWN i.e 5508 controller. Before that , it is different.
    Coming to 3.3.4 , this will require dedicated Tshoot etc , So better to get handled via a TAC case in my opinion.
    But as a first step check the o/p of "#sh wireless client mac-address" after the client gets an ip address to see if redirect URL and ACL are returned by the ISE or not.
    Regards
    Dhiresh
    **** Pls rate all useful responses ****

  • Cisco 3650 Issue with 1231 AP

    hi all,
    i've got an issue with a new cisco 3650 48 port wherein older AP 1231 keeps on disconnecting.
    the connection is just a simple trunk.
    #sh run int g1/0/47
    Building configuration...
    Current configuration : 62 bytes
    interface GigabitEthernet1/0/47
     switchport mode trunk
    end
    1231 is working fine on a 3560.
    could someone advise if anything else need to do on 3650?
    *Apr 21 09:32:33.243: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/47, changed state to down
    *Apr 21 09:32:34.255: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/47, changed state to down
    *Apr 21 09:32:37.369: %ILPOWER-7-DETECT: Interface Gi1/0/47: Power Device detected: IEEE PD
    *Apr 21 09:32:40.406: %ILPOWER-5-IEEE_DISCONNECT: Interface Gi1/0/47: PD removed
    *Apr 21 09:32:40.407: %ILPOWER-3-CONTROLLER_PORT_ERR: Controller port error, Interface Gi1/0/47: Power given, but Power Controller does not report Power Good
    *Apr 21 09:32:48.994: %ILPOWER-7-DETECT: Interface Gi1/0/47: Power Device detected: Cisco PD
    *Apr 21 09:32:49.473: %ILPOWER-5-POWER_GRANTED: Interface Gi1/0/47: Power granted
    *Apr 21 09:32:53.355: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/47, changed state to up
    *Apr 21 09:32:55.356: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/47, changed state to up
    *Apr 21 09:34:27.142: %ILPOWER-5-IEEE_DISCONNECT: Interface Gi1/0/47: PD removed
    *Apr 21 09:34:27.142: %ILPOWER-3-CONTROLLER_PORT_ERR: Controller port error, Interface Gi1/0/47: Power Controller reports power Imax error detected
    *Apr 21 09:34:27.847: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/47, changed state to down
    *Apr 21 09:34:28.855: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/47, changed state to down
    *Apr 21 09:34:39.384: %ILPOWER-7-DETECT: Interface Gi1/0/47: Power Device detected: Cisco PD
    *Apr 21 09:34:40.235: %ILPOWER-5-POWER_GRANTED: Interface Gi1/0/47: Power granted
    *Apr 21 09:34:43.875: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/47, changed state to up
    *Apr 21 09:34:45.874: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/47, changed state to up

    pre,
    i don't think it's a cable issue. correction on the working AP, it's supposed to be a AIR-SAP1602E.
    this AP is working on the 3650.
    i've searched and i think the AIR-AP1231 isn't supported on this switch platform.
    http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3650/software/release/3e/release_notes/OL3264701.html#18425
    this new switch isn't friendly. first, i had the issue with PVLAN and now this :(

  • Remote Mesh AP with Centralized Controller

    Need help to clarify this technical requirement. we are in the midst of designing a wireless Mesh AP solution for our customer.
    Customer Requirement:-
    1. Customer wants to deploy REmote MEsh APs (1500 Series) with a centralized 4404 Controller at HQ site.
    2. The Remote and HQ site is linked thru a leased line with 2 routers in between
    Based on cisco's document REAP and HREAP is not supported in LWAPP Mesh APs. So if the Mesh APs were to be deployed at Remote sites (3 total). How this be achieved?
    Your input would be very much appreciated.
    Thanks.

    Well since the mesh AP's don't support h-reap, you would have to run them like local mode AP's. So depending on your WAN connection/bandwidth you can possibly achieve this. Currently the mesh isn't designed for remote site wireless, since there is no h-reap function, but you can get it to work if you have a good wan connection.
    Sent from Cisco Technical Support iPhone App

  • ISE 1.2.1.198 Wired - Central WebAuth Fail

    Hello, I have a trouble with WebAuth.
    I follow this guide to implement this, but it does not work.
    http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/113362-config-web-auth-ise-00.html
    Port Redirection is working, because when I am trying to access any page, and open guestportal.
    After GuestPortal is open, I set user/pass on the webpage.
    user: webauthuser
    After this, display the page Self-Provisioning Portal "Welcome webauthuser" but with the error "The system administrator has either not configured or enabled a policy for your device. Contact your system administrator".
    I have this Authorization Profiles
    On Operations / Authentication, I have the following...
    Event 21:28:21.801

    Partner helped to troubleshoot this. It was fixed.
    Uncheck "Enable Self-Provisioning Flow" on
    Administration > Web Portal Management > Settings > Guest > Multi-Portal Configurations > DefaultGuestPortal > Operations
    Tks.

  • ISE Central webauth and vWLC 7.4

    Hi Everybody,
    I am wondering if anyone has gotten this scenario to work, Cisco ISE Guest Portal via CWA redirect on an AP connected to a Virtual WLC running 7.4. As vWLC can only run flexconnect, and no centrally switched vlans are supported, how would this scenario be possible, if at all, the AP would have to do the redirect instead of the controller ?

    Yes, I agree with Tarik
    also do review the below link which might be helpful:
    http://www.cisco.com/en/US/solutions/collateral/ns340/ns414/ns742/ns744/docs/howto_41_guest_services.pdf
    http://www.cisco.com/en/US/solutions/collateral/ns340/ns414/ns742/ns744/docs/howto_40_webauthentication_dg.pdf