Help with configuring AP-1240AG as local authenticator for EAP-FAST client

Hi,
I am trying to configure an AP-1240AG as a local authenticator for a Windows XP client with no success. Here is a part of the AP configuration:
dot11 lab_test
   authentication open eap eap_methods
   authentication network-eap eap_methods
   guest-mode
   infrastructure-ssid
radius-server local
  eapfast authority id 0102030405060708090A0B0C0D0E0F10
  eapfast authority info lab
  eapfast server-key primary 7 211C7F85F2A6056FB6DC70BE66090DE351
  user georges nthash 7 115C41544E4A535E2072797D096466723124425253707D0901755A5B3A370F7A05
Here is the Windows XP client configuration:
Authentication: Open
Encryption: WEP
Disable Cisco ccxV4 improvements
username: georges
password: georges
Results: The show radius local-server statistics does not show any activity for the user georges and the debug messages are showing the following:
*Mar  4 01:15:58.887: %DOT11-7-AUTH_FAILED: Station 0016.6f68.b13b Authentication failed
*Mar  4 01:16:28.914: %DOT11-7-AUTH_FAILED: Station 0016.6f68.b13b Authentication failed
*Mar  4 01:16:56.700: RADIUS/ENCODE(00001F5C):Orig. component type = DOT11
*Mar  4 01:16:56.701: RADIUS:  AAA Unsupported Attr: ssid              [263] 19
*Mar  4 01:16:56.701: RADIUS:    [lab_test]
*Mar  4 01:16:56.701: RADIUS:   65                                               [e]
*Mar  4 01:16:56.701: RADIUS:  AAA Unsupported Attr: interface         [156] 4
*Mar  4 01:16:56.701: RADIUS:   38 32                                            [82]
*Mar  4 01:16:56.701: RADIUS(00001F5C): Storing nasport 8275 in rad_db
*Mar  4 01:16:56.702: RADIUS(00001F5C): Config NAS IP: 10.5.104.22
*Mar  4 01:16:56.702: RADIUS/ENCODE(00001F5C): acct_session_id: 8026
*Mar  4 01:16:56.702: RADIUS(00001F5C): sending
*Mar  4 01:16:56.702: RADIUS/DECODE: parse response no app start; FAIL
*Mar  4 01:16:56.702: RADIUS/DECODE: parse response; FAIL
It seems that the RADIUS packet that the AP receives is not what is expected. I do not know if the problem is with the client or with the AP configuration. I have tried many things but am running out of ideas. Any suggestions would be welcome.
Thanks

Hi Stephen,
I do not want to create a workgroup bridge, just want to have the wireless radio bridge with the Ethernet port. I will remove the infrastructure command.
Thanks for your help
Stephane
Here is the complete configuration:
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname Lab
ip subnet-zero
aaa new-model
aaa group server radius rad_eap
aaa group server radius rad_mac
aaa group server radius rad_admin
aaa group server tacacs+ tac_admin
aaa group server radius rad_pmip
aaa group server radius dummy
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common
dot11 lab_test
   authentication open eap eap_methods
   authentication network-eap eap_methods
   guest-mode
   infrastructure-ssid
power inline negotiation prestandard source
bridge irb
interface Dot11Radio0
no ip address
no ip route-cache
ssid lab_test
traffic-metrics aggregate-report
speed basic-54.0
no power client local
channel 2462
station-role root
antenna receive right
antenna transmit right
no dot11 extension aironet
bridge-group 1
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
interface Dot11Radio1
no ip address
no ip route-cache
shutdown
dfs band 3 block
  speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
channel dfs
station-role root
no dot11 extension aironet
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
hold-queue 160 in
interface BVI1
ip address 10.5.104.22 255.255.255.0
ip default-gateway 10.5.104.254
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
radius-server local
  eapfast authority id 000102030405060708090A0B0C0D0E0F
  eapfast authority info LAB
  eapfast server-key primary 7 C7AC67E296DF3437EB018F73BE00D822B8
  user georges nthash 7 14424A5A555C72790070616C03445446212202080A75705F513942017A76057007
control-plane
bridge 1 route ip
line con 0
line vty 0 4
end
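A consistency check over the AAA lines of the configuration posted above, added here as an example and not part of the original thread or of any Cisco tool. It reports method lists that name an undefined server group, referenced groups with no `server` line, and a `radius-server local` block that has users but no `nas` entry; the `nas` requirement, the `CORRECTED` sample and `<SHARED_KEY>` are assumptions, and the thread does not establish which finding, if any, explains the failure.

```python
import re

# Constructed input: the AAA and local-RADIUS lines of the configuration posted
# above, with the type 7 strings replaced by placeholders.
POSTED = """\
aaa new-model
aaa group server radius rad_eap
aaa group server radius rad_mac
aaa group server radius rad_admin
aaa group server tacacs+ tac_admin
aaa group server radius rad_pmip
aaa group server radius dummy
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
ip radius source-interface BVI1
radius-server local
  eapfast authority id <AUTHORITY_ID>
  eapfast authority info LAB
  eapfast server-key primary 7 <SERVER_KEY>
  user georges nthash 7 <NTHASH>
control-plane
"""

# Constructed counter-example. The server/nas/host lines and <SHARED_KEY> are
# assumptions; 10.5.104.22 is the BVI1 address from the posted configuration.
CORRECTED = """\
aaa new-model
aaa group server radius rad_eap
 server 10.5.104.22 auth-port 1812 acct-port 1813
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
radius-server local
  nas 10.5.104.22 key <SHARED_KEY>
  eapfast authority id <AUTHORITY_ID>
  user georges nthash 7 <NTHASH>
radius-server host 10.5.104.22 auth-port 1812 acct-port 1813 key <SHARED_KEY>
"""

GROUP_RE = re.compile(r"^aaa group server (?:radius|tacacs\+) (\S+)$")
METHOD_RE = re.compile(r"^aaa (?:authentication|authorization|accounting) (.+)$")
BUILTIN_GROUPS = {"radius", "tacacs+"}       # "group radius" means all servers
LOCAL_SUBCMDS = {"eapfast", "user", "nas"}   # sub-commands seen in this thread


def audit(config):
    """Return a list of (finding, name) tuples for an IOS config text."""
    groups = {}          # group name -> number of "server" lines
    referenced = []      # group names used by aaa method lists, in order
    local = None         # counters for the "radius-server local" block
    context = None       # ("group", name) or ("local", None)

    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = GROUP_RE.match(line)
        if m:
            context = ("group", m.group(1))
            groups[m.group(1)] = 0
            continue
        if line == "radius-server local":
            context = ("local", None)
            local = {"nas": 0, "user": 0}
            continue
        first = line.split()[0]
        # Membership is decided by keyword, not indentation, because pasted
        # configurations often lose their leading spaces.
        if context and context[0] == "group" and first == "server":
            groups[context[1]] += 1
            continue
        if context and context[0] == "local" and first in LOCAL_SUBCMDS:
            if first in local:
                local[first] += 1
            continue
        context = None
        m = METHOD_RE.match(line)
        if m:
            referenced.extend(re.findall(r"\bgroup (\S+)", m.group(1)))

    findings = []
    for name in referenced:
        if name in BUILTIN_GROUPS:
            continue
        if name not in groups:
            findings.append(("undefined-group", name))
        elif groups[name] == 0:
            findings.append(("empty-group", name))
    if local and local["user"] and not local["nas"]:
        findings.append(("local-radius-no-nas", "radius-server local"))
    return findings


if __name__ == "__main__":
    for label, text in (("posted", POSTED), ("corrected", CORRECTED)):
        print(label, audit(text))
```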

Similar Messages

  • Welcome. At the outset, I'm sorry for my English :) Please help with configuration Photoshop CS6 appearance. How to disable the background of the program so you can see the desktop. (same menus and tools) I would like it to be the same effect as CS5.

    Welcome.
    At the outset, I'm sorry for my English
    Please help with configuration Photoshop CS6 appearance.
    How to disable the background of the program so you can see the desktop. (same menus and tools)
    I want it to be the same effect as CS5.

    Please try turning off
    Window > Application Frame

  • Certificate authentication for Cisco VPN client

    I am trying to configure the Cisco VPN client for certificate authentication on my ASA 5512-X. I have it set up currently for group authentication with a shared pass. This works fine. But in order for you to pass PCI compliance you cannot allow aggressive mode for IKEv1. The only way to disable aggressive mode (and use main mode) is to use certificate authentication for the VPN client. I know that someone out there must be doing this already. I am going round and round with this. I am missing something.
    I have tried as I might and all I can get are some cryptic error messages from the client and nothing on the firewall, i.e. failed to generate signature, invalid remote signature id. I have tried using different signatures (one built on the ASA and bought from GoDaddy, one built from a Windows CA, and one self-signed).
    Can someone provide the instructions on setting this up (ASDM or CLI)? Can this even be done? I would love to just use the AnyConnect client but I believe you need licensing for that since our system states only 2 allowed. Thank you for your help.

    Dear Doug,
    What ASA code are you running on the ASA hardware? For Cisco AnyConnect you need to have code 8.0 on your hardware with the Cisco AnyConnect Essentials license enabled. Paste me your show version and I will help you with whether you need to procure a license for your hardware. By default your hardware will be shipped with the AnyConnect Essentials license when you have ordered your hardware with ASA code above 8.0.
    With AnyConnect Essentials you are allowed to use up to the total VPN peers allowed based on your hardware.
    1)  What is the AnyConnect Essentials License?
    The AnyConnect Essentials is a license that allows you to connect up to your 'Total VPN Peers' platform limit with AnyConnect. Without an AnyConnect Essentials license, you are limited to the 'SSL VPN Peers' limit on your device. With the AnyConnect Essentials license, you can only use AnyConnect for SSL - other features such as CSD (Cisco Secure Desktop) and using the SSL VPN portal page for anything other than launching AnyConnect are restricted.
    You can see your limits for the various licensing by issuing the 'show version' command on your ASA.
    Licensed features for this platform:
    Maximum Physical Interfaces    : Unlimited
    Maximum VLANs                  : 150      
    Inside Hosts                   : Unlimited
    Failover                       : Active/Active
    VPN-DES                        : Enabled  
    VPN-3DES-AES                   : Enabled  
    Security Contexts              : 2        
    GTP/GPRS                       : Disabled 
    SSL VPN Peers                  : 2        
    Total VPN Peers                : 750      
    Shared License                 : Disabled
    AnyConnect for Mobile          : Disabled 
    AnyConnect for Cisco VPN Phone : Disabled 
    AnyConnect Essentials          : Disabled 
    Advanced Endpoint Assessment   : Disabled 
    UC Phone Proxy Sessions        : 2        
    Total UC Proxy Sessions        : 2        
    Botnet Traffic Filter          : Disabled
    Licensed features for this platform:
    Maximum Physical Interfaces    : Unlimited
    Maximum VLANs                  : 150      
    Inside Hosts                   : Unlimited
    Failover                       : Active/Active
    VPN-DES                        : Enabled  
    VPN-3DES-AES                   : Enabled  
    Security Contexts              : 2        
    GTP/GPRS                       : Disabled 
    SSL VPN Peers                  : 2        
    Total VPN Peers                : 750      
    Shared License                 : Disabled
    AnyConnect for Mobile          : Disabled 
    AnyConnect for Cisco VPN Phone : Disabled 
    AnyConnect Essentials          :  Enabled
    Advanced Endpoint Assessment   : Disabled 
    UC Phone Proxy Sessions        : 2        
    Total UC Proxy Sessions        : 2        
    Botnet Traffic Filter          : Disabled
    AnyConnect VPN configuration:
    http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808efbd2.shtml

  • ISM with NAT44 - Need help with configuration

    Hello everyone,
    I'm trying to set up NAT44 in the following scenario below and I'm having a hard time figuring out how to redirect the traffic. As you can see, the big problem is that I have one single interface that connects to the internal network (10.0.0.0/8) and also to the tunnel destinations, all in the same VRF. Can you guys give me a hand? The traffic comes from network 10.0.0.0/8 and enters interface bundle-ether 2 (now it needs to be translated); once it is translated, it needs to reach the destination known via the GRE tunnel.
    Configurations
    vrf NAT_IN
    address-family ipv4 unicast
    vrf BLUE
    address-family ipv4 unicast
    hw-module service cgn location 0/3/CPU0
    interface Bundle-Ether2
    description UPLINK TO METRO ETHERNET
    interface Bundle-Ether2.2 l2transport
    encapsulation dot1q 2
    rewrite ingress tag pop 1 symmetric
    interface GigabitEthernet200/0/0/43
    description LINK TO METRO ETHERNET
    bundle id 2 mode active
    interface GigabitEthernet300/0/0/43
    description LINK TO METRO ETHERNET
    bundle id 2 mode active
    interface BVI2
    description METRO
    vrf BLUE
    ipv4 address 100.0.0.10/24
    interface tunnel-ip 101
    description GRE_TUNNEL
    vrf BLUE
    ipv4 address 1.1.1.1/32
    tunnel mode gre ipv4
    tunnel source interface bvi 2
    tunnel destination 200.0.0.1
    interface BVI 100
    vrf BLUE
    ipv4 address [GATEWAY_100] [MASK_100]
    interface BVI 200
    vrf BLUE
    ipv4 address [GATEWAY_200] [MASK_200]
    interface BVI 300
    vrf BLUE
    ipv4 address [GATEWAY_300] [MASK_300]
    interface ServiceApp1
    vrf NAT_IN
    ipv4 address 10.0.2.1 255.255.255.252
    service cgn CGN service-type nat44
    interface ServiceApp2
    vrf BLUE
    ipv4 address 10.0.2.2 255.255.255.252
    service cgn CGN service-type nat44
    interface ServiceInfra1
    ipv4 address 10.0.3.1 255.255.255.0
    service-location 0/3/CPU0
    router static
    address-family ipv4 unicast
    vrf NAT_IN
    address-family ipv4 unicast
    0.0.0.0/0 ServiceApp1
    10.0.0.0/8 vrf BLUE bvI 2 <NEXT HOP>
    vrf BLUE
    address-family ipv4 unicast
    172.16.0.0/24 ServiceApp2
    router ospf METRO
    vrf BLUE
    router-id [ROUTER_ID]
    redistribute bgp 65500 metric 100
    area 0
    interface bvi 2
    router ospf BLUE
    vrf BLUE
    router-id [ROUTER ID]
    redistribute bgp 65500 metric 100
    area 10
    interface BVI100
    interface BVI200
    interface BVI200
    router bgp 65500
    address-family ipv4 unicast
    address-family vpnv4 unicast
    vrf BLUE
    rd 65500:2
    address-family ipv4 unicast
    redistribute static
    redistribute ospf BLUE
    neighbor 1.1.1.2
    remote-as 64512
    ebgp-multihop 5
    address-family ipv4 unicast
    route-policy PASS in
    route-policy PASS out
    service cgn CGN
    service-location preferred-active 0/3/CPU0
    service-type nat44 nat44
    portlimit 20000
    inside-vrf NAT_IN
    map outside-vrf BLUE address-pool 172.16.0.0/24
    Thanks in advance,
    Renato

    Hi Somnath,
    Let's see if you can help with this new scenario. I want to extend this NAT configuration to a new site (BO1), but instead of using this entire setup with ASR9K, etc., I just want to use an ASR9000v module and have this ASR9K + ISM as the host. The first problem I see in this scenario is that I have the same 10.0.0.0/8 network in both sites, a network which will access the same resources as the devices in the 10.0.0.0/8 in the main site.
    1) Do you think if I create a new inside VRF [NAT_IN1] would address this issue?
    2) Can I use the same outside VRF?
    Here are the configurations.
    !! IOS XR Configuration 4.3.1
    vrf NAT_IN
    address-family ipv4 unicast
      import route-target
       65500:2
       65500:3
      export route-target
       65500:3
    vrf RED
    address-family ipv4 unicast
      import route-target
       65500:1
      export route-target
       65500:1
    vrf NAT_OUT
    address-family ipv4 unicast
      import route-target
       65500:4
      export route-target
       65500:4
    vrf SATELLITE
    vrf BLUE
    address-family ipv4 unicast
      import route-target
       65500:2
      export route-target
       65500:2
    hw-module service cgn location 0/3/CPU0
    ipv4 access-list ABF
    5 permit ospf any any
    10 permit ipv4 any 10.200.0.0 0.0.255.255 nexthop1 vrf NAT_IN ipv4 10.0.2.2
    20 permit icmp any any
    interface Bundle-Ether3
    description Uplink (BE3 - VRF NAT_IN) - VLAN 20
    vrf NAT_IN
    ipv4 address 1.1.1.1 255.255.255.0
    ipv4 access-group ABF ingress
    interface Bundle-Ether22
    description LOOPBACK CABLE NAT_OUT
    vrf NAT_OUT
    ipv4 address 10.0.1.1 255.255.255.0
    interface Bundle-Ether23
    description LOOPBACK CABLE BLUE
    vrf BLUE
    ipv4 address 10.0.1.2 255.255.255.0
    interface 6
    description Uplink  (BE6 - Global) - VLAN 20,51,80-82
    interface 6.2
    ipv4 address 1.1.1.2 255.255.255.0
    encapsulation dot1q 2
    interface 6.51 l2transport
    description EFP - BE6 - VLAN 51
    encapsulation dot1q 51
    rewrite ingress tag pop 1 symmetric
    interface 6.80 l2transport
    description EFP - BE6 - VLAN 80
    encapsulation dot1q 80
    rewrite ingress tag pop 1 symmetric
    interface 6.81 l2transport
    description EFP - BE6 - VLAN 81
    encapsulation dot1q 81
    rewrite ingress tag pop 1 symmetric
    interface 6.82 l2transport
    description EFP - BE6 - VLAN 82
    encapsulation dot1q 82
    rewrite ingress tag pop 1 symmetric
    interface Bundle-Ether100
    description Bundle to Satellite 100
    vrf SATELLITE
    ipv4 point-to-point
    ipv4 unnumbered Loopback0
    nv
      satellite-fabric-link satellite 100
       remote-ports GigabitEthernet 0/0/0-43
    interface Bundle-Ether200
    description Bundle to Satellite 200
    vrf SATELLITE
    ipv4 point-to-point
    ipv4 unnumbered Loopback0
    nv
      satellite-fabric-link satellite 200
       remote-ports GigabitEthernet 0/0/0-43
    interface Bundle-Ether300
    description Bundle to Satellite 300
    vrf SATELLITE
    ipv4 point-to-point
    ipv4 unnumbered Loopback0
    nv
      satellite-fabric-link satellite 300
       remote-ports GigabitEthernet 0/0/0-35
    interface Loopback0
    description MGMT SATELLITE
    vrf SATELLITE
    ipv4 address 10.0.0.254 255.255.255.0
    interface tunnel-ip31101
    description BLUE-TUNNEL01
    vrf BLUE
    ipv4 address 10.200.253.90 255.255.255.252
    tunnel mode gre ipv4
    tunnel source 6.2
    tunnel destination 13.13.13.13
    interface tunnel-ip31102
    description BLUE-TUNNEL02
    vrf BLUE
    ipv4 address 10.200.253.94 255.255.255.252
    tunnel mode gre ipv4
    tunnel source 6.2
    tunnel destination 14.14.14.14
    interface tunnel-ip31103
    description RED-TUNNEL03
    vrf RED
    ipv4 address 10.200.253.90 255.255.255.252
    tunnel mode gre ipv4
    tunnel source 6.2
    tunnel destination 13.13.13.13
    interface tunnel-ip31104
    description RED-TUNNEL04
    vrf RED
    ipv4 address 10.200.253.94 255.255.255.252
    tunnel mode gre ipv4
    tunnel source 6.2
    tunnel destination 14.14.14.14
    interface TenGigE0/0/0/0
    description LINK TO SATELLITE 100
    bundle id 100 mode on
    interface TenGigE0/0/0/1
    description LINK TO SATELLITE 100
    bundle id 100 mode on
    interface TenGigE0/0/0/2
    description LINK TO SATELLITE 200
    bundle id 200 mode on
    interface TenGigE0/0/0/3
    description LINK TO SATELLITE 200
    bundle id 200 mode on
    interface TenGigE0/0/0/4
    description LINK TO SATELLITE 300
    vrf SATELLITE
    ipv4 point-to-point
    ipv4 unnumbered Loopback0
    nv
      satellite-fabric-link satellite 300
       remote-ports GigabitEthernet 0/0/36-43
    interface TenGigE0/0/0/5
    description LINK TO SATELLITE 300
    bundle id 300 mode on
    interface TenGigE0/0/0/16
    description UPLINK  (BE6 - GLOBAL) - VLAN 20,51,80-82
    bundle id 6 mode active
    interface TenGigE0/1/0/16
    description UPLINK  (BE6 - GLOBAL) - VLAN 20,51,80-82
    bundle id 6 mode active
    interface TenGigE0/0/0/17
    description UPLINK  (BE3 - VRF NAT_IN) - VLAN 20
    bundle id 3 mode active
    interface TenGigE0/1/0/17
    description UPLINK  (BE3 - VRF NAT_IN) - VLAN 20
    bundle id 3 mode active
    interface TenGigE0/0/0/22
    description LOOPBACK CABLE TE0/1/0/22
    bundle id 22 mode on
    interface TenGigE0/0/0/23
    description LOOPBACK CABLE TE0/1/0/23
    bundle id 22 mode on
    interface TenGigE0/1/0/0
    description LINK TO SATELLITE 100
    bundle id 100 mode on
    interface TenGigE0/1/0/1
    description LINK TO SATELLITE 100
    bundle id 100 mode on
    interface TenGigE0/1/0/2
    description LINK TO SATELLITE 200
    bundle id 200 mode on
    interface TenGigE0/1/0/3
    description LINK TO SATELLITE 200
    bundle id 200 mode on
    interface TenGigE0/1/0/4
    description LINK TO SATELLITE 300
    bundle id 300 mode on
    interface TenGigE0/1/0/5
    description LINK TO SATELLITE 300
    bundle id 300 mode on
    interface TenGigE0/1/0/22
    description LOOPBACK CABLE TE0/0/0/22
    bundle id 23 mode on
    interface TenGigE0/1/0/23
    description LOOPBACK CABLE TE0/0/0/23
    bundle id 23 mode on
    interface BVI30
    vrf RED
    ipv4 address 10.200.25.193 255.255.255.192
    interface BVI31
    vrf BLUE
    ipv4 address 10.200.1.1 255.255.255.248
    interface BVI32
    vrf BLUE
    ipv4 address 10.200.25.129 255.255.255.224
    interface BVI33
    vrf BLUE
    ipv4 address 10.200.25.1 255.255.255.128
    interface BVI36
    vrf BLUE
    ipv4 address 10.200.237.145 255.255.255.240
    interface BVI51
    vrf RED
    ipv4 address 192.168.7.12 255.255.255.0
    interface BVI80
    vrf RED
    ipv4 address 10.200.26.169 255.255.255.224
    interface BVI81
    vrf BLUE
    ipv4 address 10.200.25.164 255.255.255.240
    interface BVI82
    vrf BLUE
    ipv4 address 10.200.25.180 255.255.255.240
    interface ServiceApp1
    description NAT_IN
    vrf NAT_IN
    ipv4 address 10.0.2.1 255.255.255.252
    service cgn CGN service-type nat44
    interface ServiceApp2
    description NAT_OUT
    vrf NAT_OUT
    ipv4 address 10.0.2.5 255.255.255.252
    service cgn CGN service-type nat44
    interface ServiceInfra1
    description ISM
    ipv4 address 10.0.3.1 255.255.255.0
    service-location 0/3/CPU0
    prefix-set PS_ROUTES
      10.200.0.8,
      10.200.5.40/29,
      10.200.1.0/29,
      10.200.5.32/29,
      10.200.0.144/28,
      10.200.106.0/28,
      10.200.106.16/28
    end-set
    prefix-set PS_BGP_BLUE_OUT
      10.200.24.192/26,
      10.200.5.40/29,
      10.200.240.0/25,
      10.200.1.0/29,
      10.200.25.128/27,
      10.200.25.0/25,
      10.200.5.32/29,
      10.200.26.0/25,
      10.200.0.144/28,
      10.200.27.128/27,
      10.200.27.0/25,
      10.200.106.0/28,
      10.200.106.128/25,
      10.200.106.16/28,
      10.200.107.128/25
    end-set
    route-policy RP_DENY_ALL
      drop
    end-policy
    route-policy RP_PASS_ALL
      pass
    end-policy
    route-policy RP_BGP_BLUE_OUT
      if destination in PS_BGP_BLUE_OUT then
        pass
      endif
    end-policy
    route-policy RP_PASS_ROUTES
      if destination in PS_ROUTES then
        pass
      endif
    end-policy
    router static
    address-family ipv4 unicast
      0.0.0.0/0 1.1.1.20
    vrf NAT_IN
      address-family ipv4 unicast
       0.0.0.0/0 ServiceApp1
    vrf RED
    vrf NAT_OUT
      address-family ipv4 unicast
       0.0.0.0/0 10.0.1.2
       10.200.24.192/26 ServiceApp2
    vrf BLUE
      address-family ipv4 unicast
       10.200.24.192/26 10.0.1.1
    router ospf
    log adjacency changes
    vrf NAT_IN
      router-id 1.1.1.1
      disable-dn-bit-check
      redistribute bgp 65500 metric 5 metric-type 2 route-policy RP_PASS_ROUTES
      area 7
       interface Bundle-Ether3
    router ospf RED
    log adjacency changes
    vrf RED
      router-id 10.200.26.169
      disable-dn-bit-check
      redistribute bgp 65500 metric 10 metric-type 2
      area 11
       interface BVI30
       interface BVI80
    router ospf BLUE
    log adjacency changes
    vrf BLUE
      router-id 10.200.25.164
      disable-dn-bit-check
      redistribute static
      redistribute bgp 65500 metric 10 metric-type 2
      area 0
       interface BVI81
       interface BVI82
      area 2
       interface BVI31
       interface BVI32
       interface BVI33
       interface BVI36
    router bgp 65500
    address-family ipv4 unicast
    address-family vpnv4 unicast
    vrf NAT_IN
      rd 65500:3
      bgp router-id 1.1.1.1
      address-family ipv4 unicast
       route-target download
    vrf RED
      rd 65500:1
      bgp router-id 10.200.253.90
      address-family ipv4 unicast
       network 10.200.25.192/26
       network 10.200.26.128/27
       network 10.200.26.192/27
       network 10.200.27.192/26
       network 10.200.104.128/27
       network 10.200.104.160/27
      neighbor 10.200.253.89
       remote-as 64512
       ebgp-multihop 5
       update-source tunnel-ip31103
       address-family ipv4 unicast
        route-policy RP_PASS_ALL in
        route-policy RP_PASS_ALL out
        soft-reconfiguration inbound
      neighbor 10.200.253.93
       remote-as 64512
       ebgp-multihop 5
       update-source tunnel-ip31104
       address-family ipv4 unicast
        route-policy RP_PASS_ALL in
        route-policy RP_PASS_ALL out
        soft-reconfiguration inbound
    vrf BLUE
      rd 65500:2
      bgp router-id 10.200.253.90
      address-family ipv4 unicast
       network 10.200.0.144/28
       network 10.200.1.0/29
       network 10.200.5.32/29
       network 10.200.5.40/29
       network 10.200.24.192/26
       network 10.200.25.0/25
       network 10.200.25.128/27
       network 10.200.26.0/25
       network 10.200.27.0/25
       network 10.200.27.128/27
       network 10.200.106.0/28
       network 10.200.106.16/28
       network 10.200.106.128/25
       network 10.200.107.128/25
       network 10.200.240.0/25
      neighbor 10.200.253.89
       remote-as 64512
       ebgp-multihop 5
       update-source tunnel-ip31101
       address-family ipv4 unicast
        route-policy RP_PASS_ALL in
        route-policy RP_BGP_BLUE_OUT out
        soft-reconfiguration inbound
      neighbor 10.200.253.93
       remote-as 64512
       ebgp-multihop 5
       update-source tunnel-ip31102
       address-family ipv4 unicast
        route-policy RP_PASS_ALL in
        route-policy RP_BGP_BLUE_OUT out
        soft-reconfiguration inbound
    l2vpn
    load-balancing flow src-dst-ip
    bridge group VLAN30
      bridge-domain VLAN30
       routed interface BVI30
    bridge group VLAN31
      bridge-domain VLAN31
       routed interface BVI31
    bridge group VLAN32
      bridge-domain VLAN32
       routed interface BVI32
    bridge group VLAN33
      bridge-domain VLAN33
       routed interface BVI33
    bridge group VLAN36
      bridge-domain VLAN36
       routed interface BVI36
    bridge group VLAN51
      bridge-domain VLAN51
       routed interface BVI51
    bridge group VLAN80
      bridge-domain VLAN80
       interface 6.80
       routed interface BVI80
    bridge group VLAN81
      bridge-domain VLAN81
       interface 6.81
       routed interface BVI81
    bridge group VLAN82
      bridge-domain VLAN82
       interface 6.82
       routed interface BVI82
    nv
    satellite 100
      type asr9000v
      ipv4 address 10.0.0.1
    satellite 200
      type asr9000v
      ipv4 address 10.0.0.2
    satellite 300
      type asr9000v
      ipv4 address 10.0.0.3
    service cgn CGN
    service-location preferred-active 0/3/CPU0
    service-type nat44 nat44
      portlimit 20000
      inside-vrf NAT_IN
       map outside-vrf NAT_OUT address-pool 10.200.24.192/26
    Thanks in advance,
    Renato

  • Configuring AAA to include local auth for Console connections

    Recently realized, during a maintenance window, that my AAA configurations are not set to use local authentication if the AAA server is unavailable. Could use a little help in making sure I have the correct setup. Below is what I have configured today:
    aaa new-model
    aaa authentication login default group tacacs+
    aaa authentication enable default group tacacs+
    aaa authorization auth-proxy default group tacacs+ 
    aaa accounting commands 15 default start-stop group tacacs+
    tacacs-server host x.x.x.x
    tacacs-server timeout 120
    tacacs-server directed-request
    tacacs-server key <key>

    Would I add that as a separate line, or to the current one? Examples:
    aaa new-model
    aaa authentication login default group tacacs+
    aaa authentication enable default group tacacs+
    aaa authorization auth-proxy default group tacacs+ 
    aaa accounting commands 15 default start-stop group tacacs+
    aaa authorization console
        OR
    aaa new-model
    aaa authentication login default group tacacs+
    aaa authentication enable default group tacacs+
    aaa authorization auth-proxy default group tacacs+ console
    aaa accounting commands 15 default start-stop group tacacs+
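On IOS, a fallback is written as a further method on the same `aaa authentication` line, and the next method is tried only when the previous one returns an error such as no response. The check below is an added example, not part of the original post: it flags login/enable lists that have only server-group methods, a `local` method with no `username` configured, and a `none` method; the `WITH_FALLBACK` sample and the `admin` user are constructed assumptions.

```python
# Constructed input: the authentication lines from the post above.
POSTED_AAA = """\
aaa new-model
aaa authentication login default group tacacs+
aaa authentication enable default group tacacs+
aaa authorization auth-proxy default group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
"""

# Constructed variant with on-box fallbacks; the "admin" user is hypothetical.
WITH_FALLBACK = """\
aaa new-model
username admin privilege 15 secret <SECRET>
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
"""

ON_BOX = {"local", "local-case", "enable", "line", "none"}


def parse_methods(tokens):
    """Turn ['group', 'tacacs+', 'local'] into ['group tacacs+', 'local']."""
    methods, i = [], 0
    while i < len(tokens):
        if tokens[i] == "group" and i + 1 < len(tokens):
            methods.append("group " + tokens[i + 1])
            i += 2
        else:
            methods.append(tokens[i])
            i += 1
    return methods


def audit_fallback(config):
    """Return (kind, list_name, finding) for each weak authentication list."""
    has_local_user = False
    lists = []
    for raw in config.splitlines():
        tok = raw.split()
        if tok[:1] == ["username"]:
            has_local_user = True
        if (tok[:2] == ["aaa", "authentication"] and len(tok) >= 5
                and tok[2] in ("login", "enable")):
            lists.append((tok[2], tok[3], parse_methods(tok[4:])))

    findings = []
    for kind, name, methods in lists:
        if not any(m in ON_BOX for m in methods):
            # Every method depends on a server: an outage locks everyone out.
            findings.append((kind, name, "no-fallback"))
            continue
        if "none" in methods:
            # "none" admits anyone once the earlier methods have errored out.
            findings.append((kind, name, "none-grants-access"))
        if any(m in ("local", "local-case") for m in methods) and not has_local_user:
            # Falling back to an empty local user database still locks out.
            findings.append((kind, name, "local-without-username"))
    return findings


if __name__ == "__main__":
    print(audit_fallback(POSTED_AAA))
    print(audit_fallback(WITH_FALLBACK))
```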

  • WRT310N: Help with DMZ/settings (firmware 1.0.09) for wired connection

    Hello. I have a WRT310N and have been having a somewhat difficult time with my xbox 360's connection. I have forwarded all the necessary ports (53, 80, 88, 3074) for it to run, and tried changing MTU and what-not.
    I don't know if I have DMZ setup incorrectly, or if it's my settings.
    Setup as follows:
    PCX2200 modem connected via ethernet to WRT310N. 
    The WRT310N has into ethernet port 1 a WAP54G, and then upstairs (so that my Mother's computer can get a strong signal) I have another WAP54G that I believe receives its signal from the downstairs 54G. 
    In the back of the WRT310N, I have my computer connected via ethernet port 3, and my Xbox 360 connected via ethernet port 4.
    Now, I first figured I just have so many connections tied to the router and that is the reason for being so slow. However, when I unplug all the other ethernet cords and nothing is connected wirelessly, except for my Xbox connected to ethernet port 4, it is still poor. Also, with everything connected (WAP54G and other devices wirelessly) I get on my PC and run a speedtest.  For the sake of advice, my speedtests I am running on my PC are (after 5 tests) averagely 8.5 Mbps download, and 1.00 Mbps upload, with a ping of  82ms.
    Here is an image of the results:
    http://www.speedtest.net/result/721106714.png
    Let me add a little more detail of my (192.168.1.1) settings for WRT310N.
    For starters, my Father's IT guy at his workplace set up this WRT310N and WAP54G's. So some of these settings may be his doing. I just don't know which.
    "Setup" as Auto-configurations DHCP. I've added my Xbox's IP address to the DHCP reservation the IP of 192.168.1.104. This has (from what I've noticed) stayed the same for days.
    MTU: Auto, which stays at 1500 when I check under status.
    Advanced Routing: NAT routing enabled, Dynamic Routing disabled. 
    Security: Disabled SPI firewall, UNchecked these: Filter Anonymous Internet Requests, Multicast, and Internet NAT redirection.
    VPN passthrough: All 3 options are enabled (IPSec, PPTP, L2TP)
    Access Restrictions: None.
    Applications and Gaming: Single port forwarding has no entries. Port Range Forwarding I have the ports 53 UDP/TCP, 88 UDP, 3074 UDP/TCP, and 80 TCP forwarded to IP 192.168.1.104 enabled. (192.168.1.104 is the IP for my xbox connected via ethernet wired that is in DHCP reserved list)
    Port Range Triggering: It does not allow me to change anything in this page.
    DMZ: I have it Enabled. This is where I am a bit confused. It says "Source IP Address" and it has me select either "Any IP address" or to put entries to the XXX.XXX.XXX.XXX to XXX fields. I have selected use any IP address. Then the source IP area, it says "Destination:"  I can do either "IP address: 192.168.1.XXX" or "MAC address:" Also, under MAC Address, it says DHCP Client Table and I went there and saw my Xbox under the DHCP client list (It shows up only when the Xbox is on) and selected it.  
    Under QoS: WMM Enabled, No acknowledgement disabled.
    Internet Access Priority: Enabled. Upstream Bandwidth I set it to Manual and put 6000 Kbps. I had it set on Auto before, but I changed it. I have no idea what to put there so I just put a higher number.
    Then I added for Internet Access Priority a Medium Priority for Ethernet Port 4 (the port my xbox is plugged into).
    Administration: Management: Web utility access: I have checked HTTP, unchecked HTTPS.
    Web utility access via Wireless: Enabled. Remote Access: Disabled.
    UPnp: Enabled.
    Allow Users to Configure: Enabled.
    Allow users to Disable Internet Access: Enabled.
    Under Diagnostics, when I try and Ping test 192.168.1.104 (xbox when on and connected to LIVE), I get:
    PING 192.168.1.104 (192.168.1.104): 24 data bytes
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    --- 192.168.1.104 data statistics ---
    5 Packets transmitted, 0 Packets received, 100% Packet loss
    Also, when I do Traceroute Test for my Xbox's IP, I just keep getting: 
    traceroute to 192.168.1.104 (192.168.1.104), 30 hops max, 40 byte packets
    1 * * * 192.168.1.1 Request timed out.
    2 * * * 192.168.1.1 Request timed out.
     As for the Wireless Settings, it is all on the default settings with Wi-Fi Protected setup Enabled.
    To add, I have tried connecting my modem directly to the Xbox and my connection is much improved. I have no difficulty getting the NAT open, for it seems my settings are working for that. Any help with these settings would be VERY much appreciated. 
    Message Edited by CroftBond on 02-18-2010 01:09 PM

    I own 2 of these routers (one is a spare) with the latest firmware and I have been having trouble with them for over a year.  In my case the connection speed goes to a crawl and the only way to get it back is to disable the SPI firewall.  Rebooting helps for a few minutes, but the problem returns.  All of the other fixes recommended on these forums did not help.  I found out the hard way that disabling the SPI Firewall also closes all open ports ignoring your port forwarding settings.  If you have SPI Firewall disabled, you will never be able to ping your IP from an external address.  Turn your SPI Firewall back on and test your Ping. 
    John

  • Help with Multiple libraries and one storage location for files

    I cannot get an answer to this question anywhere and was really hoping that The [H] would be able to help.
    Here is my current set up that allows my wife and I to have completely independent libraries and ratings, but use the same files:
    -Shared folder with MP3s on a network drive.
    -Two PCs, each with its own iPod associated to it with individual libraries but all pointing to the same network share for MP3 files.
    -Each PC is using the SAME iTunes account for downloads.
    -Each account has its own library folder also on a network share.
    Now to my question(s)/problem with downloaded content:
    (1) Is there any way to have a file that is downloaded from iTunes be automatically placed in a shared location accessible to both libraries? (Say if I download the latest Jack Johnson album, can it automatically show up in my wife's library and vice versa?)
    (2) Is there any way to share the album artwork versus having two copies of everything (one for each library)?
    So my goal is to have two libraries with a central location for ALL files, including anything downloaded from iTunes by each individual user. Is this possible?

    Have your wife transfer all purchases from the iPad into iTunes, backup her iPad and then sync with iTunes. Everything ... All media and other content will be available in that iTunes library and she will have a current backup.
    Assuming that your son will still be sharing your wife's Apple ID (he is too young to have one of his own) .... When you set up his iPad, restore the iPad from your wife's backup and then select only the content that you want your son to have on his iPad in the iTunes library and then sync that iPad with iTunes.
    The game progress is stored in the backup and should transfer onto his device when you restore from your wife's backup. You can always delete any content (apps, movies, music) that you don't want your son to have on the iPad, if you missed it when you synced with iTunes after setting the device up for him.
    You can set your sync preferences - any way that you want to - for both devices and still use the same iTunes library for both iPads. So ... Yes you can sync any apps that you want to his iPad and any apps that your wife wants to her iPad. You just need to restore your son's iPad from your wife's backup in order to get his game progress onto his iPad.
    In case you need these....
    Transfer purchases.
    http://support.apple.com/kb/HT1848
    How to backup and restore from a backup
    http://support.apple.com/kb/HT1766
    Remember to have your wife backup her iPad just before you restore his iPad from the backup so that his most recent progress will be available in the backup.

  • Need help with saving data and keeping table history for one BP

    Hi all
    I need help with this one.
    Scenario:
    When adding a new vendor on the system, the vendor is supposed to have a tax clearance certificate and it has an expiry date, so after the certificate has expired a new one is submitted by the vendor.
    So I need to know how to have SBO fulfil this requirement?
    Hope it's clear.
    Thanks
    Bongani

    Hi
    I don't have a problem with the query that I know I've got to write; the problem is saving the tax clearance certificate and, alongside it, its expiry date.
    I'm using South African localization.
    Thanks

  • Help with data migration- Balances from legacy system for Loans Management

    Hi all,
    Can someone please help with this. I need help in how to go about migrating legacy data and balances for loans to SAP FS-CML.
    Which flow types to use, and to do the migration.
    Thanks.
    Fisayo.

    Hi Fisayo,
    Good documentation can be found in the transaction KCLJ
    => Help => Application help.
    You can also find some documentation in the IMG:
    => Loans Management
      => Tools
        => External Data Transfer
          => Transfer Categories
            => Loans Master Data and Conditions
            => Loans Flow Data
    You could use transaction KCLJ to upload the existing flows. For this you need a sender file with the flows you want to upload. You can create this file manually or with a report in the old/legacy system that writes the file to your file system.
    The sender structure must be defined in transaction KCLL, and you could use transaction KCLT to create or change a file to test the upload program.
    You will also find some information in the online documentation.
    Please be aware that the upload of flows must be tested very exactly. If you take over 'wrong' flows, this could cause serious problems in the future when you work with the contracts.
    Best regards,
    Tomislav

  • Need help with 3 way call to a 1 for English or 2 ...

    I can do a 3 way with Skype, but the recording I need to have my client listen to is telling me to push 1 for English or 2 for Spanish. Can you tell me how to do this?

    Do you want to set up an auto attendant service based on Skype? If so, you can try PrettyMay Call Center for Skype, which can be used easily.
    Check out more at: http://www.prettymay.net
    Want to record Skype calls? Check out here and here.

  • EAP Authentication Configuration for EAP-FAST and PEAP

    Hi Everyone,
    I pretty much got EAP working, however using LEAP.
    When I get to EAP-FAST and PEAP, I just can't seem to get it to work.
    What am I missing? I do know that EAP-FAST and PEAP involve certificates. However, how do I set them up on the client side?
    Hope you guys can help me on this, stuck on this part xD

    EAP is a complicated subject for sure. But it shouldn't be really once you know the foundation.
    EAP-PEAP can use server side and client side and EAP-FAST can as well. It all depends how it's deployed.
    Generally speaking, most deployments of PEAP use server side only and EAP-FAST uses PACs only.
    The cert that you install on the RADIUS server for PEAP is passed to the wireless supplicant and is used by the supplicant to hash the logon and password from the user. This hash is passed back to the RADIUS server, which has the private key and can decode the hash and pass the user ID and password back to AD, for example.
    Hope this helps.

  • Cisco ISE use two different local certificates for EAP

    Hi Experts,
    ISE 1.2.1.198
    Is it possible to use two different local certificates on Cisco ISE, generated by two different root CAs, for EAP?
    Example:
    1 - Microsoft CA for notebooks
    2 - Different CA (public, openssl, other) for mobiles
    And, in case it is possible, which will be the first one presented from the server to the client for EAP-TLS authentication?
    Thanks
    Andrea

    Thanks for your reply,
    I think I'll go for another pair of PSNs for the mobiles
    Andrea

  • Help with Configuring an HWIC AP with a 7920

    I am trying to configure an HWIC-AP on a 2811 router. I keep getting the error “No service-IP config failed” on the 7920. The 7920 is registering with the router but I’m not able to receive a number. I’m using CCME on the router. I’m only interested in the bare minimum at this point before I add any security features. Below is the config I am using.
    interface Dot11Radio0/3/0
    no ip address
    ssid ldk
    vlan 1
    authentication open
    guest-mode
    infrastructure-ssid optional
    speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
    station-role root
    interface Dot11Radio0/3/0.1
    encapsulation dot1Q 1 native
    no snmp trap link-status
    I am also using switchports and int Vlan1 is 192.168.2.1 /24.
    This is the first time I have configured the HWIC-AP. Any help would be greatly appreciated.
    Thanks,
    Lawny

    It required that I assign a static IP address to the dot11 subinterface and I had to use two dhcp pools. One for the IP phones that were plugging into the switchports and another for the wireless IP phones.
    Below is the entire config for the phones.

  • Need help with configuration

    I'm new to Cisco and we just took over a client with an ASA 5505. I need to do 2 things. First,
    I need to know how to open or forward ports to an internal IP address. They want me to open ports 3389 and 1433 to an internal address, 192.168.192.52,
    but only from:
    207.235.73.64 and 255.255.255.192
    40.143.46.64 and 255.255.255.192
    and
    66.192.91.128 and 255.255.255.192
    40.143.28.64 and 255.255.255.192
    And second, I'd like to get the ASDM downloaded and working, as I've used that before in other offices and it helps me out as a non-Cisco expert. I try going to the device IP in a browser, 192.168.192.1/admin, and just get a prompt for username and password, but it doesn't take the one I have. Here is the config on the device right now. Any help you guys can point me to I'd appreciate. 4 hours of Google research has gotten me nowhere.
    sho run
    : Saved
    ASA Version 7.2(3)
    hostname vmine
    domain-name mine
    enable password CyQcVKTj6CW8.Vsj encrypted
    names
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.192.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address x.x.x.x 255.255.255.248
    interface Vlan3
    mac-address 001f.6ce3.bd99
    no forward interface Vlan1
    nameif guest
    security-level 10
    ip address 205.10.2.1 255.255.255.0
    interface Ethernet0/0
    description Internet-Connection
    switchport access vlan 2
    interface Ethernet0/1
    description Connection to Inside Network
    speed 100
    duplex full
    interface Ethernet0/2
    shutdown
    interface Ethernet0/3
    switchport access vlan 2
    interface Ethernet0/4
    switchport access vlan 3
    interface Ethernet0/5
    description Connection to Public Network
    switchport access vlan 3
    speed 100
    duplex full
    interface Ethernet0/6
    shutdown
    interface Ethernet0/7
    shutdown
    passwd CyQcVKTj6CW8.Vsj encrypted
    ftp mode passive
    dns server-group DefaultDNS
    domain-name domain
    access-list guest extended permit icmp any any
    access-list guest extended permit ip any any
    access-list inside extended permit icmp any any
    access-list inside extended permit ip any any
    access-list outside extended permit icmp any any echo-reply
    access-list outside extended permit tcp any any eq 8440
    access-list nonat extended permit ip 192.168.192.0 255.255.255.0 192.168.252.0 255.255.255.0
    access-list outside-in extended permit tcp any any eq https
    access-list outside-in extended permit tcp host x.x.x.x any eq 1433
    access-list outside-in extended permit tcp host x.x.x.x any eq 1433
    access-list outside-in extended permit tcp host x.x.x.x any eq 1433
    access-list outside-in extended permit tcp host x.x.x.x any eq 1433
    access-list outside-in extended permit tcp host x.x.x.x any eq 1433
    access-list outside-in extended permit tcp host x.x.x.x any eq 1433
    access-list outside-in extended permit tcp host x.x.x.x any eq 1433
    access-list outside-in extended permit tcp host x.x.x.x any eq 1433
    access-list outside-in extended permit tcp host x.x.x.x any eq 1433
    access-list outside-in extended permit tcp host x.x.x.x any eq 1433
    access-list outside-in extended permit tcp host x.x.x.x any eq 1433
    pager lines 24
    logging enable
    logging buffer-size 16384
    logging buffered informational
    mtu inside 1500
    mtu outside 1500
    mtu guest 1500
    ip local pool vpn-ip 192.168.252.1-192.168.252.10
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 x.x.x.x
    global (outside) 2 x.x.x.x
    nat (inside) 0 access-list nonat
    nat (inside) 1 192.168.192.0 255.255.255.0
    nat (guest) 2 205.10.2.0 255.255.255.0
    static (inside,outside) tcp interface www 192.168.192.170 www netmask 255.255.255.255
    static (inside,outside) tcp interface https 192.168.192.170 https netmask 255.255.255.255
    static (inside,outside) x.x.x.x 192.168.192.52 netmask 255.255.255.255
    access-group inside in interface inside
    access-group outside-in in interface outside
    access-group guest in interface guest
    route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    http server enable
    http 0.0.0.0 0.0.0.0 inside
    http 192.168.192.0 255.255.255.0 inside
    snmp-server host inside 192.168.192.10 poll community ciscosnmp
    snmp-server location PIX
    no snmp-server contact
    snmp-server community ciscosnmp
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    snmp-server enable traps syslog
    crypto ipsec transform-set DES-MD5 esp-des esp-md5-hmac
    crypto dynamic-map dynvpn 10 set transform-set DES-MD5
    crypto map vpn 65535 ipsec-isakmp dynamic dynvpn
    crypto map vpn interface outside
    crypto isakmp identity address
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption des
    hash md5
    group 2
    lifetime 28800
    crypto isakmp nat-traversal  20
    telnet timeout 5
    ssh 0.0.0.0 0.0.0.0 inside
    ssh 0.0.0.0 0.0.0.0 outside
    ssh timeout 30
    console timeout 0
    dhcpd dns 209.253.113.10 209.253.113.18
    dhcpd address 205.10.2.10-205.10.2.99 guest
    dhcpd dns 209.253.113.10 209.253.113.18 interface guest
    dhcpd enable guest
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
      inspect ipsec-pass-thru
    service-policy global_policy global
    group-policy RA-VPN internal
    group-policy RA-VPN attributes
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value nonat
    username VMRemote password .RSNgq92vZTSELWV encrypted
    username VMRemote attributes
    vpn-group-policy RA-VPN
    username VMVPN password jSqp8CjjxHhRa6jk encrypted
    username kernels password jDS98nJtthzlEvw5 encrypted
    tunnel-group VMVPN type ipsec-ra
    tunnel-group VMVPN general-attributes
    address-pool vpn-ip
    tunnel-group VMVPN ipsec-attributes
    pre-shared-key *
    prompt hostname context
    Cryptochecksum:52c3d65fc1111c561b1598cc341dc6d5
    : end

    Hi,
    As per your 1st query, I think the Static NAT should work fine.
    To restrict the access from the outside to certain IPs only, you can use a source-based ACL:
    access-list outside-in extended permit tcp 207.235.73.64 255.255.255.192 host x.x.x.x eq 3389
    access-list outside-in extended permit tcp 40.143.46.64 255.255.255.192 host x.x.x.x eq 3389
    access-list outside-in extended permit tcp 66.192.91.128 255.255.255.192 host x.x.x.x eq 3389
    access-list outside-in extended permit tcp 40.143.28.64 255.255.255.192 host x.x.x.x eq 3389
    access-list outside-in extended permit tcp 207.235.73.64 255.255.255.192 host x.x.x.x eq 1433
    access-list outside-in extended permit tcp 40.143.46.64 255.255.255.192 host x.x.x.x eq 1433
    access-list outside-in extended permit tcp 66.192.91.128 255.255.255.192 host x.x.x.x eq 1433
    access-list outside-in extended permit tcp 40.143.28.64 255.255.255.192 host x.x.x.x eq 1433
    If you would like to use the LOCAL username and password on the ASA:
    aaa authentication http console LOCAL
    Thanks and Regards,
    Vibhor
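
An added example, not part of the reply above and not Cisco tooling: a Python check that parses the subset of ASA `access-list ... extended` syntax used in this thread and reports, with first-match and implicit-deny semantics, which sources can reach ports 3389 and 1433. The address 203.0.113.10 is a constructed placeholder for the redacted `x.x.x.x`, the test source 198.51.100.7 is constructed, and the function names are hypothetical.

```python
import ipaddress
from typing import NamedTuple, Optional

# Constructed placeholder for the public address the post redacts as "x.x.x.x".
PUBLIC_IP = "203.0.113.10"

# The reply's eight entries with the placeholder filled in, preceded by the
# "permit tcp any any eq https" entry that is already in the posted config.
ACL_TEXT = f"""
access-list outside-in extended permit tcp any any eq https
access-list outside-in extended permit tcp 207.235.73.64 255.255.255.192 host {PUBLIC_IP} eq 3389
access-list outside-in extended permit tcp 40.143.46.64 255.255.255.192 host {PUBLIC_IP} eq 3389
access-list outside-in extended permit tcp 66.192.91.128 255.255.255.192 host {PUBLIC_IP} eq 3389
access-list outside-in extended permit tcp 40.143.28.64 255.255.255.192 host {PUBLIC_IP} eq 3389
access-list outside-in extended permit tcp 207.235.73.64 255.255.255.192 host {PUBLIC_IP} eq 1433
access-list outside-in extended permit tcp 40.143.46.64 255.255.255.192 host {PUBLIC_IP} eq 1433
access-list outside-in extended permit tcp 66.192.91.128 255.255.255.192 host {PUBLIC_IP} eq 1433
access-list outside-in extended permit tcp 40.143.28.64 255.255.255.192 host {PUBLIC_IP} eq 1433
"""

PORT_NAMES = {"www": 80, "https": 443}  # only the service names used in this config


class Ace(NamedTuple):
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: Optional[int]  # None means "any port"


def parse_addr(tokens, i):
    """Parse 'any', 'host A' or 'NETWORK MASK' at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # Strict parsing raises ValueError if the network address has host bits set,
    # which catches a mistyped network/mask pair before it reaches the firewall.
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2


def parse_acl(text, name):
    """Return the entries of access-list `name`, in configuration order."""
    aces = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 7 or t[:3] != ["access-list", name, "extended"]:
            continue
        src, i = parse_addr(t, 5)
        dst, i = parse_addr(t, i)
        port = None
        if i < len(t):
            if t[i] != "eq":
                raise ValueError(f"unsupported port operator in: {line.strip()}")
            port = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
        aces.append(Ace(t[3], t[4], src, dst, port))
    return aces


def evaluate(aces, src_ip, dst_ip, port, proto="tcp"):
    """First matching entry wins; no match falls through to the implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in aces:
        if ace.proto not in (proto, "ip"):
            continue
        if src in ace.src and dst in ace.dst and ace.port in (None, port):
            return ace.action
    return "deny"


def allowed_sources(aces, dst_ip, port, proto="tcp"):
    """Source networks permitted to dst_ip:port.

    Exact for a permit-only list such as this one; it does not model a
    deny entry shadowing a later permit.
    """
    dst = ipaddress.ip_address(dst_ip)
    nets = {
        ace.src
        for ace in aces
        if ace.action == "permit"
        and ace.proto in (proto, "ip")
        and dst in ace.dst
        and ace.port in (None, port)
    }
    return [str(n) for n in sorted(nets)]


ACES = parse_acl(ACL_TEXT, "outside-in")

if __name__ == "__main__":
    for port in (3389, 1433, 443):
        print(port, allowed_sources(ACES, PUBLIC_IP, port))
    # 198.51.100.7 is a constructed address outside all four /26 ranges.
    print(evaluate(ACES, "198.51.100.7", PUBLIC_IP, 3389))
```

Each 255.255.255.192 mask covers 64 addresses, so 207.235.73.64 spans .64 to .127 and 66.192.91.128 spans .128 to .191; anything outside those ranges falls through to the implicit deny.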

  • Please help with Configuring Database Security Store

    Here's the error I get....
    Any ideas?
    Initializing WebLogic Scripting Tool (WLST) ...
    Welcome to WebLogic Server Administration Scripting Shell
    Type help() for help on available commands
    Info: Data source is: opss-DBDS
    WLS ManagedService is not up running. Fall back to use system properties for con
    figuration.
    Info: DB JDBC driver: oracle.jdbc.OracleDriver
    Info: DB JDBC URL: jdbc:oracle:thin:@localhost:1521/idgov
    Connected:oracle.jdbc.driver.T4CConnection@21bce8d
    Disconnect:oracle.jdbc.driver.T4CConnection@21bce8d
    INFO: Found persistence provider "org.eclipse.persistence.jpa.PersistenceProvide
    r". OpenJPA will not be used.
    [oracle.security.jps.internal.config.db.DbCredStoreServiceConfigurator]  checkSe
    rviceSetup - done
    Aug 13, 2013 8:47:47 PM oracle.security.jps.internal.config.ldap.LdapCredStoreSe
    rviceConfigurator schemaCompatibleHandler
    INFO: Credential store schema upgrade not required. Store Schema version 11.1.1.
    6.0 is compatible to the seed schema version 11.1.1.4.0
    [oracle.security.jps.internal.config.db.DbCredStoreServiceConfigurator]  checkSe
    rviceSchema - Store schema has been seeded completely
    [oracle.security.jps.internal.config.db.DbCredStoreServiceConfigurator]  updateS
    erviceConfiguration - done
    [oracle.security.jps.internal.config.db.DbCredStoreServiceConfigurator]  seedSch
    emaAndCreateDIT - failed JPS-10000: There was an internal error in the policy st
    ore.
    Exception in thread "Main Thread" java.lang.RuntimeException: JPS-10000: There w
    as an internal error in the policy store.
    oracle.security.jps.internal.api.common.JpsCredentialStoreLdapNodeCreationExcept
    ion: JPS-10000: There was an internal error in the policy store.
            at oracle.security.jps.internal.common.rdbms.util.JpsDbBootstrapImpl.cre
    ateJpsCredentailStoreInLdap(JpsDbBootstrapImpl.java:303)
            at oracle.security.jps.internal.config.ldap.LdapCredStoreServiceConfigur
    ator.addServiceStoreBase(LdapCredStoreServiceConfigurator.java:114)
            at oracle.security.jps.internal.config.ldap.LdapCredStoreServiceConfigur
    ator.seedSchemaAndCreateDIT(LdapCredStoreServiceConfigurator.java:142)
            at oracle.security.jps.internal.tools.configuration.ldap.LdapServiceEnab
    ler.runConfiguration(LdapServiceEnabler.java:448)
            at oracle.security.jps.internal.tools.configuration.ldap.LdapServiceEnab
    ler.configureCredentialStoreService(LdapServiceEnabler.java:233)
            at oracle.security.jps.internal.tools.configuration.ldap.LdapServiceEnab
    ler.configureSecurityServices(LdapServiceEnabler.java:171)
            at oracle.security.jps.internal.tools.configuration.ldap.LdapServiceEnab
    ler.main(LdapServiceEnabler.java:129)
    Caused by: oracle.security.jps.service.policystore.PolicyStoreConnectivityExcept
    ion: JPS-10000: There was an internal error in the policy store.
            at oracle.security.jps.internal.policystore.rdbms.JpsDBDataManager.handl
    eRollbackException(JpsDBDataManager.java:1345)
            at oracle.security.jps.internal.policystore.rdbms.JpsDBDataManager.inter
    nalCommitTxn(JpsDBDataManager.java:1508)
            at oracle.security.jps.internal.policystore.rdbms.JpsDBDataManager.commi
    tTransactionInDoAs(JpsDBDataManager.java:1475)
            at oracle.security.jps.internal.policystore.rdbms.JpsDBDataManager.commi
    tTransaction(JpsDBDataManager.java:1466)
            at oracle.security.jps.internal.common.rdbms.util.JpsDbBootstrapImpl.cre
    ateJpsCredentailStoreInLdap(JpsDbBootstrapImpl.java:296)
            at oracle.security.jps.internal.config.ldap.LdapCredStoreServiceConfigur
    ator.addServiceStoreBase(LdapCredStoreServiceConfigurator.java:113)
            at oracle.security.jps.internal.config.ldap.LdapCredStoreServiceConfigur
    ator.seedSchemaAndCreateDIT(LdapCredStoreServiceConfigurator.java:142)
            at oracle.security.jps.internal.tools.configuration.ldap.LdapServiceEnab
    ler.runConfiguration(LdapServiceEnabler.java:447)
            at oracle.security.jps.internal.tools.configuration.ldap.LdapServiceEnab
    ler.configureCredentialStoreService(LdapServiceEnabler.java:232)
            at oracle.security.jps.internal.tools.configuration.ldap.LdapServiceEnab
    ler.configureSecurityServices(LdapServiceEnabler.java:170)
            ... 1 more
    Caused by: javax.persistence.RollbackException: Exception [EclipseLink-4002] (Ec
    lipse Persistence Services - 2.3.1.v20111018-r10243): org.eclipse.persistence.ex
    ceptions.DatabaseException
    Internal Exception: java.sql.SQLIntegrityConstraintViolationException: ORA-00001
    : unique constraint (DEV20_OPSS.IDX_JPS_RDN_PDN) violated
    Error Code: 1
    Call: INSERT INTO JPS_DN (ENTRYID, PARENTDN, RDN) VALUES (?, ?, ?)
            bind => [3 parameters bound]
    Query: InsertObjectQuery(EntryId=11437:rdn=cn=credentialstore:pdn=cn=jpsroot,cn=
    jpscontext,cn=iam,: JpsStore Entry={[EntryId = 11437:Attribute RowId = 45348
    dn = cn=CredentialStore,cn=IAM,cn=JPSContext,cn=jpsroot, EntryId = 11437:Attribu
    te RowId = 45349
    objectclass = top, EntryId = 11437:Attribute RowId = 45350
    objectclass = orclContainer, EntryId = 11437:Attribute RowId = 45351
    cn = CredentialStore]})
            at org.eclipse.persistence.internal.jpa.transaction.EntityTransactionImp
    l.commitInternal(EntityTransactionImpl.java:102)
            at org.eclipse.persistence.internal.jpa.transaction.EntityTransactionImp
    l.commit(EntityTransactionImpl.java:63)
            at oracle.security.jps.internal.policystore.rdbms.JpsDBDataManager$8.run
    (JpsDBDataManager.java:1488)
            at oracle.security.jps.internal.policystore.rdbms.JpsDBDataManager.inter
    nalCommitTxn(JpsDBDataManager.java:1492)
            at oracle.security.jps.internal.policystore.rdbms.JpsDBDataManager.commi
    tTransactionInDoAs(JpsDBDataManager.java:1476)
            at oracle.security.jps.internal.policystore.rdbms.JpsDBDataManager.commi
    tTransaction(JpsDBDataManager.java:1466)
            at oracle.security.jps.internal.common.rdbms.util.JpsDbBootstrapImpl.cre
    ateJpsCredentailStoreInLdap(JpsDbBootstrapImpl.java:297)
            at oracle.security.jps.internal.config.ldap.LdapCredStoreServiceConfigur
    ator.addServiceStoreBase(LdapCredStoreServiceConfigurator.java:114)
            at oracle.security.jps.internal.config.ldap.LdapCredStoreServiceConfigur
    ator.seedSchemaAndCreateDIT(LdapCredStoreServiceConfigurator.java:142)
            at oracle.security.jps.internal.tools.configuration.ldap.LdapServiceEnab
    ler.runConfiguration(LdapServiceEnabler.java:448)
            at oracle.security.jps.internal.tools.configuration.ldap.LdapServiceEnab
    ler.configureCredentialStoreService(LdapServiceEnabler.java:233)
            at oracle.security.jps.internal.tools.configuration.ldap.LdapServiceEnab
    ler.configureSecurityServices(LdapServiceEnabler.java:171)
            ... 1 more
    Caused by: Exception [EclipseLink-4002] (Eclipse Persistence Services - 2.3.1.v2
    0111018-r10243): org.eclipse.persistence.exceptions.DatabaseException
    Internal Exception: java.sql.SQLIntegrityConstraintViolationException: ORA-00001
    : unique constraint (DEV20_OPSS.IDX_JPS_RDN_PDN) violated
    Error Code: 1
    Call: INSERT INTO JPS_DN (ENTRYID, PARENTDN, RDN) VALUES (?, ?, ?)
            bind => [3 parameters bound]
    Query: InsertObjectQuery(EntryId=11437:rdn=cn=credentialstore:pdn=cn=jpsroot,cn=
    jpscontext,cn=iam,: JpsStore Entry={[EntryId = 11437:Attribute RowId = 45348
    dn = cn=CredentialStore,cn=IAM,cn=JPSContext,cn=jpsroot, EntryId = 11437:Attribu
    te RowId = 45349
    objectclass = top, EntryId = 11437:Attribute RowId = 45350
    objectclass = orclContainer, EntryId = 11437:Attribute RowId = 45351
    cn = CredentialStore]})
            at org.eclipse.persistence.exceptions.DatabaseException.sqlException(Dat
    abaseException.java:324)
            at org.eclipse.persistence.internal.databaseaccess.DatabaseAccessor.exec
    uteDirectNoSelect(DatabaseAccessor.java:840)
            at org.eclipse.persistence.internal.databaseaccess.DatabaseAccessor.exec
    uteNoSelect(DatabaseAccessor.java:906)
            at org.eclipse.persistence.internal.databaseaccess.DatabaseAccessor.basi
    cExecuteCall(DatabaseAccessor.java:592)
            at org.eclipse.persistence.internal.databaseaccess.DatabaseAccessor.exec
    uteCall(DatabaseAccessor.java:535)
            at org.eclipse.persistence.internal.sessions.AbstractSession.basicExecut
    eCall(AbstractSession.java:1717)
            at org.eclipse.persistence.sessions.server.ClientSession.executeCall(Cli
    entSession.java:253)
            at org.eclipse.persistence.internal.queries.DatasourceCallQueryMechanism
    .executeCall(DatasourceCallQueryMechanism.java:207)
            at org.eclipse.persistence.internal.queries.DatasourceCallQueryMechanism
    .executeCall(DatasourceCallQueryMechanism.java:193)
            at org.eclipse.persistence.internal.queries.DatasourceCallQueryMechanism
    .insertObject(DatasourceCallQueryMechanism.java:342)
            at org.eclipse.persistence.internal.queries.StatementQueryMechanism.inse
    rtObject(StatementQueryMechanism.java:162)
            at org.eclipse.persistence.internal.queries.StatementQueryMechanism.inse
    rtObject(StatementQueryMechanism.java:177)
            at org.eclipse.persistence.internal.queries.DatabaseQueryMechanism.inser
    tObjectForWrite(DatabaseQueryMechanism.java:472)
            at org.eclipse.persistence.queries.InsertObjectQuery.executeCommit(Inser
    tObjectQuery.java:80)
            at org.eclipse.persistence.queries.InsertObjectQuery.executeCommitWithCh
    angeSet(InsertObjectQuery.java:90)
            at org.eclipse.persistence.internal.queries.DatabaseQueryMechanism.execu
    teWriteWithChangeSet(DatabaseQueryMechanism.java:287)
            at org.eclipse.persistence.queries.WriteObjectQuery.executeDatabaseQuery
    (WriteObjectQuery.java:58)
            at org.eclipse.persistence.queries.DatabaseQuery.execute(DatabaseQuery.j
    ava:844)
            at org.eclipse.persistence.queries.DatabaseQuery.executeInUnitOfWork(Dat
    abaseQuery.java:743)
            at org.eclipse.persistence.queries.ObjectLevelModifyQuery.executeInUnitO
    fWorkObjectLevelModifyQuery(ObjectLevelModifyQuery.java:108)
            at org.eclipse.persistence.queries.ObjectLevelModifyQuery.executeInUnitO
    fWork(ObjectLevelModifyQuery.java:85)
            at org.eclipse.persistence.internal.sessions.UnitOfWorkImpl.internalExec
    uteQuery(UnitOfWorkImpl.java:2871)
            at org.eclipse.persistence.internal.sessions.AbstractSession.executeQuer
    y(AbstractSession.java:1516)
            at org.eclipse.persistence.internal.sessions.AbstractSession.executeQuer
    y(AbstractSession.java:1498)
            at org.eclipse.persistence.internal.sessions.AbstractSession.executeQuer
    y(AbstractSession.java:1449)
            at org.eclipse.persistence.internal.sessions.CommitManager.commitNewObje
    ctsForClassWithChangeSet(CommitManager.java:224)
            at org.eclipse.persistence.internal.sessions.CommitManager.commitAllObje
    ctsForClassWithChangeSet(CommitManager.java:191)
            at org.eclipse.persistence.internal.sessions.CommitManager.commitAllObje
    ctsWithChangeSet(CommitManager.java:136)
            at org.eclipse.persistence.internal.sessions.AbstractSession.writeAllObj
    ectsWithChangeSet(AbstractSession.java:3799)
            at org.eclipse.persistence.internal.sessions.UnitOfWorkImpl.commitToData
    base(UnitOfWorkImpl.java:1415)
            at org.eclipse.persistence.internal.sessions.RepeatableWriteUnitOfWork.c
    ommitToDatabase(RepeatableWriteUnitOfWork.java:636)
            at org.eclipse.persistence.internal.sessions.UnitOfWorkImpl.commitToData
    baseWithChangeSet(UnitOfWorkImpl.java:1505)
            at org.eclipse.persistence.internal.sessions.RepeatableWriteUnitOfWork.c
    ommitRootUnitOfWork(RepeatableWriteUnitOfWork.java:267)
            at org.eclipse.persistence.internal.sessions.UnitOfWorkImpl.commitAndRes
    ume(UnitOfWorkImpl.java:1143)
            at org.eclipse.persistence.internal.jpa.transaction.EntityTransactionImp
    l.commitInternal(EntityTransactionImpl.java:84)
            at org.eclipse.persistence.internal.jpa.transaction.EntityTransactionImp
    l.commit(EntityTransactionImpl.java:63)
            at oracle.security.jps.internal.policystore.rdbms.JpsDBDataManager$8.run
    (JpsDBDataManager.java:1487)
            at oracle.security.jps.internal.policystore.rdbms.JpsDBDataManager.inter
    nalCommitTxn(JpsDBDataManager.java:1492)
            at oracle.security.jps.internal.policystore.rdbms.JpsDBDataManager.commi
    tTransactionInDoAs(JpsDBDataManager.java:1475)
            at oracle.security.jps.internal.policystore.rdbms.JpsDBDataManager.commi
    tTransaction(JpsDBDataManager.java:1466)
            at oracle.security.jps.internal.common.rdbms.util.JpsDbBootstrapImpl.cre
    ateJpsCredentailStoreInLdap(JpsDbBootstrapImpl.java:296)
            at oracle.security.jps.internal.config.ldap.LdapCredStoreServiceConfigur
    ator.addServiceStoreBase(LdapCredStoreServiceConfigurator.java:113)
            at oracle.security.jps.internal.config.ldap.LdapCredStoreServiceConfigur
    ator.seedSchemaAndCreateDIT(LdapCredStoreServiceConfigurator.java:142)
            at oracle.security.jps.internal.tools.configuration.ldap.LdapServiceEnab
    ler.runConfiguration(LdapServiceEnabler.java:447)
            at oracle.security.jps.internal.tools.configuration.ldap.LdapServiceEnab
    ler.configureCredentialStoreService(LdapServiceEnabler.java:232)
            at oracle.security.jps.internal.tools.configuration.ldap.LdapServiceEnab
    ler.configureSecurityServices(LdapServiceEnabler.java:170)
            ... 1 more
    Caused by: java.sql.SQLIntegrityConstraintViolationException: ORA-00001: unique
    constraint (DEV20_OPSS.IDX_JPS_RDN_PDN) violated
            at oracle.jdbc.driver.T4CTTIoer.processError(T4CTTIoer.java:445)
            at oracle.jdbc.driver.T4CTTIoer.processError(T4CTTIoer.java:396)
            at oracle.jdbc.driver.T4C8Oall.processError(T4C8Oall.java:879)
            at oracle.jdbc.driver.T4CTTIfun.receive(T4CTTIfun.java:450)
            at oracle.jdbc.driver.T4CTTIfun.doRPC(T4CTTIfun.java:192)
            at oracle.jdbc.driver.T4C8Oall.doOALL(T4C8Oall.java:531)
            at oracle.jdbc.driver.T4CPreparedStatement.doOall8(T4CPreparedStatement.
    java:207)
            at oracle.jdbc.driver.T4CPreparedStatement.executeForRows(T4CPreparedSta
    tement.java:1044)
            at oracle.jdbc.driver.OracleStatement.doExecuteWithTimeout(OracleStateme
    nt.java:1329)
            at oracle.jdbc.driver.OraclePreparedStatement.executeInternal(OraclePrep
    aredStatement.java:3593)
            at oracle.jdbc.driver.OraclePreparedStatement.executeUpdate(OraclePrepar
    edStatement.java:3674)
            at oracle.jdbc.driver.OraclePreparedStatementWrapper.executeUpdate(Oracl
    ePreparedStatementWrapper.java:1354)
            at org.eclipse.persistence.internal.databaseaccess.DatabaseAccessor.exec
    uteDirectNoSelect(DatabaseAccessor.java:831)
            ... 45 more
            at oracle.security.jps.internal.tools.configuration.ldap.LdapServiceEnab
    ler.throwExceptionWithStackTrace(LdapServiceEnabler.java:145)
            at oracle.security.jps.internal.tools.configuration.ldap.LdapServiceEnab
    ler.main(LdapServiceEnabler.java:137)
    Error: Failed to initialize security store.
    Error: Create operation has failed.
    C:\Oracle\IDGMiddleware\oracle_common\common\bin>

    Try to configure the policy store with a different ID (highlighted in the command below)
    ./wlst.sh <Oracle_IDM1_Home>/common/tools/configureSecurityStore.py -d <WLS_Domain>/OAM_domain -c IAM -p <Password> -m create
    OR
    Reinstall the RCU and try to configure the policy store.
