Is Multiple Compliant VLAN Possible with NAP 802.1x Enforcement?

Multiple Compliant VLANs for 802.1x NAP Enforcement
Hello Dear,
I am implementing NAP with the 802.1x enforcement type, but it is an existing network where the organisation already has the network segmented into about 7 VLANs based on the departments in the organisation, and the VLANs equally have IP interfaces on them (meaning they are subnets).
By design, NAP with 802.1x enforcement supports 2 VLANs: the Compliant and Non-Compliant VLANs, apart from the Guest VLAN which the switch uses for 802.1x pre-authentication.
In my test lab, authenticated clients are pushed to the Compliant VLAN if they meet the SHV set. Also, if they don't meet the SHV they are moved to the Non-Compliant VLAN.
How do I apply this type of enforcement for multiple VLANs belonging to the organisation's different departments? Assuming I decide to create a single Non-Compliant VLAN, this may cater for non-compliant clients, but which VLAN among the 7 existing VLANs will compliant clients be pushed into?
How will the switch know the VLAN a member of a particular department should be moved to, since there is more than one Compliant VLAN, assuming I configured "NPS Network Policy" for more than one compliant VLAN?
Please, your help is very important.
Thanks.
Alex.
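The usual way to get one compliant VLAN per department is one NPS network policy per department, each conditioned on that department's computer group and on the compliant health policy, with a single non-compliant policy placed last so it catches every unhealthy client regardless of department. The script below is an added example that models this policy ordering and the RADIUS attributes NPS returns for VLAN assignment; it is not code from the thread, and the group names and VLAN numbers are constructed assumptions.

```python
"""Per-department compliant VLANs through NPS network policies.

Added example, not code from the original thread. It models in plain
Python how a set of NPS network policies can send compliant clients of
each department to that department's VLAN while every non-compliant
client lands in one remediation VLAN. The department group names and
VLAN numbers below are constructed assumptions. The returned RADIUS
attributes are the standard ones (RFC 3580) that NPS uses for VLAN
assignment: Tunnel-Type = VLAN (13), Tunnel-Medium-Type = 802 (6),
Tunnel-Private-Group-ID = the VLAN id as a string.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

TUNNEL_TYPE_VLAN = 13      # RFC 3580 Tunnel-Type value for VLAN
TUNNEL_MEDIUM_802 = 6      # RFC 3580 Tunnel-Medium-Type value for IEEE 802
NON_COMPLIANT_VLAN = 999   # assumed single remediation VLAN

# Constructed mapping: department -> (AD security group, compliant VLAN).
DEPARTMENT_VLANS = {
    "Finance": ("NAP-Finance-Computers", 10),
    "Sales": ("NAP-Sales-Computers", 20),
    "Engineering": ("NAP-Eng-Computers", 30),
}


@dataclass(frozen=True)
class Policy:
    """One NPS network policy: its conditions and the VLAN it returns.

    NPS processes network policies in order and applies the first one whose
    conditions all match; that order is the position in the policy list.
    """
    name: str
    required_group: Optional[str]        # "Machine Groups" condition, None = any
    requires_compliant: Optional[bool]   # "Health Policies" condition, None = any
    vlan: int


@dataclass(frozen=True)
class Client:
    name: str
    groups: FrozenSet[str]   # AD groups the computer account belongs to
    compliant: bool          # result of the SHV checks


def build_policies(department_vlans: Dict[str, Tuple[str, int]]) -> List[Policy]:
    """One 'compliant' policy per department, then a single catch-all
    non-compliant policy placed last so it is reached regardless of group."""
    policies = [
        Policy(f"NAP {dept} - Compliant", group, True, vlan)
        for dept, (group, vlan) in department_vlans.items()
    ]
    policies.append(Policy("NAP Non-Compliant", None, False, NON_COMPLIANT_VLAN))
    return policies


def matches(policy: Policy, client: Client) -> bool:
    """All configured conditions of a policy must hold for it to apply."""
    if policy.required_group is not None and policy.required_group not in client.groups:
        return False
    if policy.requires_compliant is not None and policy.requires_compliant != client.compliant:
        return False
    return True


def radius_attributes(vlan: int) -> Dict[str, object]:
    """RADIUS attributes the switch needs to place the port in `vlan`."""
    return {
        "Tunnel-Type": TUNNEL_TYPE_VLAN,
        "Tunnel-Medium-Type": TUNNEL_MEDIUM_802,
        "Tunnel-Private-Group-ID": str(vlan),
    }


def evaluate(policies: List[Policy], client: Client) -> Optional[Tuple[str, Dict[str, object]]]:
    """Return (policy name, RADIUS attributes) of the first matching policy,
    or None when nothing matches (NPS would then reject the request, so a
    compliant machine missing its department group never reaches a VLAN)."""
    for policy in policies:
        if matches(policy, client):
            return policy.name, radius_attributes(policy.vlan)
    return None


if __name__ == "__main__":
    policies = build_policies(DEPARTMENT_VLANS)
    for client in (
        Client("SALES-PC1", frozenset({"NAP-Sales-Computers"}), True),
        Client("FIN-PC7", frozenset({"NAP-Finance-Computers"}), False),
        Client("UNKNOWN-PC", frozenset(), True),
    ):
        print(client.name, "->", evaluate(policies, client))
```

The point of the model is the ordering: because the non-compliant policy has no group condition, it must sit below every department policy, and a compliant machine that is in no department group falls through to no policy at all, which is the safe failure (the port stays unauthorized rather than landing in an arbitrary VLAN).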

Thanks Greg.
That works. But I have two other big challenges:
1st Challenge:
I have close to 50 VoIP devices as well as printers that must be exempted from NAP, and the position of the 802.1x-enabled switch is such that it is the Distribution switch to which the Access Switches tied to each VLAN are connected (each access switch connects to an authenticating port on the Distribution Switch), and IP Phones, data points and printers are then connected to the Access Switches.
There is a limitation on how many MAC addresses can be exempted, even when pattern matching is used in NPS (256 characters maximum), and this cannot cater for the over 50 non-NAP-capable devices in this network. Should I create several exemption policies using pattern matching to accommodate the 50+ non-NAP-capable devices? Please advise.
2nd Challenge:
In this existing network, there are branch offices that communicate with this HQ over a dedicated WAN connection (NOT VPN over the internet). Please, how do I ensure routing communication between HQ and branches is not hampered by the introduction of 802.1x NAP enforcement at this HQ network? Your prompt response will be highly appreciated...
Thanks a great deal.
Alex.
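For the first challenge, the practical question is how many exemption policies a given device list needs once each Calling-Station-ID pattern is capped at 256 characters. The helper below is an added example, not code from the thread: it normalises a list of MAC addresses, packs as many as fit into one anchored regular expression per policy, and reports the resulting number of policies. The dash-separated upper-case MAC format is an assumption about what the switch sends in Calling-Station-Id; the 52 device addresses are constructed.

```python
"""Pack a MAC exemption list into NPS pattern-matching strings.

Added example, not code from the original thread. NPS matches the
Calling-Station-ID condition against a regular expression, and the post
reports a 256-character limit on that pattern. This helper packs as many
addresses as fit into one anchored alternation, so the output length is
the number of exemption policies needed for the list. The MAC format
(upper-case, dash-separated, as many switches send it in
Calling-Station-Id) is an assumption; check what your switch actually
sends before using the patterns.
"""
import re
from typing import Iterable, List

MAX_PATTERN_LEN = 256   # limit reported in the post


def normalize_mac(mac: str) -> str:
    """Accept 00:11:22:33:44:55, 0011.2233.4455 or 00-11-22-33-44-55 and
    return the assumed Calling-Station-ID form 00-11-22-33-44-55."""
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    hexdigits = hexdigits.upper()
    return "-".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def render(macs: List[str]) -> str:
    """Anchored alternation: only a complete listed address can match."""
    return "^(" + "|".join(macs) + ")$"


def build_patterns(macs: Iterable[str], max_len: int = MAX_PATTERN_LEN) -> List[str]:
    """Greedily fill patterns up to max_len characters; one pattern per policy."""
    patterns: List[str] = []
    current: List[str] = []
    for mac in sorted({normalize_mac(m) for m in macs}):   # dedupe, stable order
        if len(render(current + [mac])) > max_len:
            if not current:
                raise ValueError(f"max_len {max_len} cannot hold one address")
            patterns.append(render(current))
            current = []
        current.append(mac)
    if current:
        patterns.append(render(current))
    return patterns


def is_exempt(mac: str, patterns: List[str]) -> bool:
    """Check whether an address would be matched by any generated policy
    (what NPS does with the Calling-Station-ID of an incoming request)."""
    wanted = normalize_mac(mac)
    return any(re.fullmatch(p, wanted) for p in patterns)


# Constructed sample: 52 phones/printers, more than fit in one pattern.
SAMPLE_DEVICES = [f"00:11:22:33:44:{i:02x}" for i in range(52)]


if __name__ == "__main__":
    pats = build_patterns(SAMPLE_DEVICES)
    print(f"{len(SAMPLE_DEVICES)} devices -> {len(pats)} exemption policies")
    for n, p in enumerate(pats, 1):
        print(f"policy {n}: {len(p)} chars: {p[:60]}...")
```

With 17-character addresses each pattern holds 14 of them (255 characters), so the 52 sample devices need four policies; run it against the real list and create one exemption policy per returned pattern. Keep that list as short as possible and reviewed, because an exemption matched on Calling-Station-ID checks nothing beyond the address the device itself reports.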

Similar Messages

  • SCOM 2012 and NAP 802.1X Enforcement - Event ID: 6276 during client startup - False positive

    Hi
    We are running SCOM 2012 and we are using NAP 802.1X enforcement with HP IDM. We are getting multiple Event ID 6276 entries in SCOM during computer start-up, which are false positives, as it seems the computer is put into the Non-Compliant network until its true state is reported. Is there a way to suppress these events, in order for us to only receive valid Non-Compliant events?
    Regards, Francois
    Francois Vorster

    Hi,
    You can make dot3svc dependent on NAP agent so that NAP agent starts up completely before the first 802.1X authentication attempt is tried. This should reduce the number of re-authentication attempts.
    -Greg

  • Dynamic vlans with multiple fallback-vlans?

    I've got a problem with dynamic VLANs. I'm trying to figure out the configuration for a topology similar to the one in the picture.
    I've got four VLANs for PCs, one VLAN per department. I have to add a fifth VLAN (50) for devices that can be connected to any of the three switches: A, B, C. These devices need to be on their own VLAN, no matter which switch they are connected to. On the other hand, PCs connected to any port on those switches should be assigned to the appropriate VLAN (10, 20, 30 or 40).
    I was thinking about using dynamic VLANs with a list of MAC addresses of the devices that need to be on VLAN 50, but I'm not sure what to do with the PCs. I don't think I can use a fallback VLAN, as I can set up only one fallback VLAN for the whole network and not per switch or port.
    I cannot use a list of MAC addresses of all PCs, as there are simply too many of them (my network is way bigger than in the picture; I simplified it only to present the idea). I imagine I would need multiple fallback VLANs for different switches.
    Has anyone got any idea that could help me, please? Maybe there's some other and easier way?

    In new software (for Cisco switches) we provide multiple fallbacks for MAC authentication (MAB):
    1. 802.1x
    2. web authentication
    3. guest vlan (if no supplicant on the PC)
    4. auth fail vlan (if radius denies you access)
    So you could keep a list of MAC addresses for VLAN 50 and do MAB for these devices; if MAB fails, you can use 802.1x for your PCs.
    This will require configuring 802.1x supplicants on all PCs (Windows comes preloaded with one) and maintaining a RADIUS database of users who are able to log into the network. A lot of people use their pre-existing Active Directory database as a backend to store their usernames and passwords for user authentication with dot1x.
    With using both dot1x and MAB you can now distinguish easily between two different processes and use your radius server to assign vlans based upon almost anything you can think of.
    -Elly

  • Multiple usage of Source System is not possible with installed DMIS version on source

    Hello folks!
    I've got a problem trying to adjust the Data Replication to SAP BW (on HANA) using SAP LT Replication Server.
    I've deleted one connection and after that I'm trying to create a new one through the Configuration & Monitoring Dashboard (transaction LTR) with the same source / target systems.
    As a result, when on the second step (Specify Source System) I specify the RFC destination of the source system, an error appears with the text
    "Multiple usage of Source System is not possible with installed DMIS version on source".
    But there is no adjusted connection in the system now..
    Please help me to understand how to fix that problem, I can't find a solution

    Hi,
    When you say that you 'deleted one connection', did you delete the RFC connection or the SLT Configuration? If it is not a real multiple usage scenario, then deactivate the 'allow multiple usage' flag, else install the correct DMIS version on both SLT and source.
    Thanks
    kris

  • Is it possible to have multiple different texts conversations with the same two people?

    In iOS 8.1.3 is it possible to have multiple different text conversations with the same person? I'm looking for a way to set an old conversation aside to talk about something new.
    Is this possible?

    speculation is against the ToS here, but you never know (I was shocked when we got 8 track recording in GB2)
    best thing to do is to send Apple some Feedback and let them know what features you want (they really do read what's sent):
    http://www.bulletsandbones.com/GB/GBFAQ.html#sendfeedback
    (Let the page FULLY load. The link to your answer is at the top of your screen)

  • Looking for Vlan isolation with some scenarios

    Hello All,
    I am in the process of validating NPS and a few other products like PacketFence.
    What I am interested in most is isolation to a designated VLAN in three scenarios:
    First scenario: We have Symantec Endpoint Protection AV and we would like to have isolation in case of
    client infection
    AV not installed
    Second scenario: Our organization's firewalls have a Snort-based IDS capable of sending syslog alerts or SQL log alerts; we would like to have the ability to somehow inform the NAP/NPS server of the violating IP and have it VLAN-isolated.
    Third scenario: an unknown device attached to a wall socket in a conference room or somewhere else will be isolated. Most of the network equipment is based on HP ProCurve 2910al, 2920, 1900.
    My question to you NPS experts: is this possible with the scenarios given above?
    Please advise
    Thanks

    Hi talb,
    If we only use the built-in SHV in NPS, we can't achieve your goal.
    The built-in SHV supports checking of the following items:
    Firewall settings
    Antivirus settings
    Spyware protection settings
    Update settings
    If you want to customize the NAP, some coding is needed.
    For detailed information, please refer to the link below:
    https://msdn.microsoft.com/en-us/library/aa369712(VS.85).aspx
    Here is the Public API for NAP:
    https://msdn.microsoft.com/en-us/library/aa369706(VS.85).aspx
    Best Regards.
    Steven Lee

  • VLAN concept with WLC

    Hi guys,
    This is my VLAN background:
    VLANs are used to segment the network and break up the broadcast domains in order to reduce congestion and isolate network problems, as well as providing scalability, performance improvement, security and making network additions, moves, and changes easier and more manageable.
    And this is my wireless VLAN background with the controllers:
    Host A is a wireless LAN client communicating with the wired device, Host B. At the access point, the access point adds an LWAPP header to the frame and sends it to the controller. After processing the 802.11 MAC header, the WLC extracts the payload (the IP packet), encapsulates it into an Ethernet frame, and then forwards the frame onto the appropriate wired network, typically adding an 802.1Q VLAN tag.
    According to Cisco's "Fundamentals of Wireless Controllers" video (starting at 2:53), the 5508 controller allows you to use much larger subnets and fewer wireless VLANs. So with a 5508 controller in a completely wireless infrastructure (no wired hosts),
    1. I don't need to break up broadcast domains and have multiple subnets and I'm free to use a giant flat network?
    2. If I'm allowed to use large subnets, as far as the broadcast traffic (other than ARP and DHCP, which are specially handled by the WLC) is concerned, how does the controller handle that? I think I will still need multiple VLANs to control it, according to my following WLC broadcast handling background:
    "All traffic including broadcast sent to any destination by a wireless client gets forwarded to the WLC from its connected AP. The WLC places the broadcast message onto that VLAN; both wired and wireless clients that are part of that VLAN interface will get this broadcast message. Now, the receiving wireless clients on that VLAN can be associated to any/different APs, APs mapped to different AP groups, even APs using different L3 addresses from one or multiple WLCs; the WLC intelligently identifies the mapped VLAN interfaces and their respective APs through the AP group and forwards (encapsulates) the broadcast as a Multicast packet to those specific AP groups. Once the APs receive the Multicast (broadcast), they place it on the respective radio's BSSID (where the WLAN/SSID is mapped) of the AP to reach the right wireless client. The AP radio's BSSID to SSID/WLAN to interface mapping is pushed to the AP by the WLC at AP join. Also, wired PCs will receive the broadcast on their VLAN as tagged (if tagged, otherwise untagged) from the WLC's interface, as do the other WLCs that span this VLAN interface."
    Regards,
    Saman

    You should still follow your best practice for your subnet size. Remember that wireless is half duplex and only one device can talk at a given time. Also... The AP can be in a different vlan, ap group, etc, but the clients are still on the same vlan. So it means that the clients need to be on the same vlan, but the AP's can be on a different subnet since this doesn't matter.

  • Flexconnect - local-switching - Interface Groups - multiple subnets/vlans

    So I'm trying to setup an "interface-group-like" configuration on some Flexconnect APs with local switching enabled in order to support multiple subnets/VLANs linked to a single SSID.
    Does anyone know if this is possible or have any suggestions?
    I've tried:
    AP Groups - One SSID which would require central switching for it to be of use (I think).
    AP Groups - Creating an additional SSID and then placing the APs in a group per site. This works but is going to be difficult to manage if I have 400+ sites running this sort of setup.
    For reference, my end goal is to have multiple (400+) branch sites with the same WLAN mapped to 3 or 4 different VLANs in order to split the subnets up into smaller chunks (/23s or /24s). These VLANs are all switched locally and are uniform in numbering across all the sites from a layer 2 perspective.
    Thanks,
    Ric

    Interface groups are not an available feature on FlexConnect. FlexConnect doesn't support layer 3 roaming if devices roam from one FlexConnect AP to another and the WLAN-to-VLAN mappings are different. This is a limitation of FlexConnect, along with a few others listed in the FlexConnect deployment guide.
    -Scott

  • How can I have multiple WINDOWS (NOT tabs) with INDEPENDENT content?

    How can I have multiple windows (not tabs) with independent content?
    I used to be able to open separate windows with Firefox, and the content could be completely different in each window. No matter what I did in any window, no OTHER window open at the time, nor any of the content therein, was affected. This is no longer the case and it is extremely frustrating for me.
    I do ''not ''like tabs and do not use them. I prefer multiple windows plus I am so used to using them, for so many years now! But with v9.0.1 I suddenly can no longer do what I've always done with my browser without this aggravating problem constantly reminding me that I can't have what I want in firefox anymore.
    Or can I? Does anyone have a solution I don't realize exists?
    Thanks,
    Sowelu

    AppleScriptObjC can use pretty much everything in the Cocoa API, so yes, it is possible.
    Note that a view is not the same as a window, and a window can have multiple views. There are also many ways to implement "tabs";  take a look at some of Apple's applications - they use various mixtures of toolbars, checkboxes, and radio buttons, for example.  An application such as this will be a lot more involved than what you have done so far though, using custom classes and subclassing existing ones, so be prepared to do a lot of reading and researching.

  • Multiple instances of mplayer with jack

    "_R_ealtime software mixing ?!?! wtf thats awesome--actually im not a studio junkie, i just need sound on one of them"
    i understand that the casual nature of my involvement with jackd suggests a less-than-appropriate level of respect and diligence for what this almighty app is capable of serving up.  i just need to level audio volume on multiple instances of mplayer with software mixing (my sound card is cheap).
    all my jackd configs are vanilla from the wiki as stated below.  if anyone has another solution or a request for information in regard to this solution please reply.  as always, thanks in advance
    --here is some err... background
    i have some files that i would like to run with mplayer and a video file [with its own audio] that i would like to run concurrently.  it should be possible to use jackd to let one instance of mplayer show video with no sound while permitting the audio from the other instance to play at arbitrary volume.  without jack, i cannot control sound independently since both instances seem to use the same device (PCM0).  furthermore i have found that starting multiple instances of mplayer leads to weird artifacts which persist after all running instances of mplayer concurrent with artifact appearance have been closed.
    so i installed jack-audio-connection-kit following the wiki verbatim.  then i installed qjackctl.  starting jackd as root and qjackctl with sudo allowed me to see the first instance of mplayer but not the second.
    what is the difference between running mplayer through alsa and running mplayer through jack through alsa (not sure if the objects are accurately laid out there but whatever)?  the wiki basically provides an out of the box solution for software mixing a bunch of inputs (i have friends who do sound professionally though not with linux and im envisioning way more complicated stuff than my humble pair of mplayers
    Last edited by poopship21 (2010-09-25 15:20:56)

    ngoonee wrote:
    karol wrote:
    ngoonee wrote:And running mplayer through alsa won't be able to do what you want, simply because the mixing is fixed. JACK and pulseaudio are sound servers which allow you to control the mixing, both can do what you want.
    If you run one file with '-ao null' and the other one with '-vo null' you can manipulate them independently, there's no sound mixing involved, it just allows you "to add visuals to an audio feed spontaneously". They can both be run with 'af scaletempo' to speed up / slow down etc.
    Hmm, wonder if that's what the OP was looking for?
    From his first posts:
    poopship21 wrote:it should be possible to use jackd to let one instance of mplayer show video with no sound while permitting the audio from the other instance to play at arbitrary volume
    Also, read his second post. <shrugs>

  • Control multiple apple tv units with 1 remote app

    Is it possible to control multiple Apple TV units with 1 Remote app on an iPhone/iPad? I have an Apple TV at home, set up under my own personal Apple ID. I have an Apple TV unit at work which I want to use, but that uses our work Apple ID. Can I control both units without having to log out of my personal ID and then log into the work one?

    On the ATV menu itself there is an option to name the ATV.
    Does that not do it for you?

  • PLEASE LET ME KNOW IF THIS IS POSSIBLE WITH FLUID GRID LAYOUT?

    This is an example of what I'm trying to do. Excel was the best way for me to provide a visual. Is this possible? Every time I try to place divs in a similar layout, the div will not take up multiple rows. For example, div 4 would move down and where row 7 is would now be row 4. Div 2 would have also moved down because of 5. I have a large image that needs to be placed to the left of a header and vertical menu. I'm trying to keep the header and menu separate, and the image needs to be aligned to the top left of the text. I'm sorry that I'm overcomplicating this. I must admit it surprises me that the fluid grid appears to be dictated by rows. I'm wondering if for this particular design I should just stick to a table.

    I'm perplexed by your question.  How do you expect the divs to move in other resolutions?  For the question to be whether this is possible with a fluid grid, there has to be some transformation between the layouts.  If you are just looking for a static layout, that is possible.  If the heights are to be fixed like that, you could just specify the heights on the divs.  If the divs are moving down, then add the attribute clear:none; to the div, in this case 2 and 4.  This will prevent the float from being cleared and pushing the element down.

  • I need a report in SAP which allows multiple Profit centers selection with

    Hi,
        Can anybody help me with the below issue -
    I need a report in SAP which allows multiple Profit Center selection with:
    - Profit Center #
    - Profit center Name
    - Profit center long text
    - Profit Center group
    - the related PC node showing the BU and the product category group.
    Let me know is there any report which can provide us with all this details.
    With regards.

    Hi,
    I recommend the PCA standard drill-down or interactive reports accessible via the following menu path:
    Accounting --> Enterprise Controlling --> PCA --> Infosystem --> Reports for PCA
    There are several reports which allow entering profit center groups or profit centers.
    Long Text is not possible. It also makes no sense to report on Long Text.
    Best regards,
    Andreas

  • Load balancing multiple SSO mid-tier with single SSO database

    I want to load balance SSO middle tier servers and have them access a single SSO database. When you install infrastructure and select SSO only, it creates a new infrastructure database. How can I install multiple SSO servers and point them to a single database? I am doing load balancing with F5 and read an Oracle WP where they mentioned an Oracle-supported configuration where they load balanced SSO servers with F5.
    KB

    Two possible solutions:
    1.) Oracle 10gAS Enterprise Deployment Guide (B13998-03) follow the configuration for SSO configuration in Chapter 5.
    2.) I have not tried this but it should be logically possible with the SSO. 10gAS Administrators guide (B13995-05) Part III Advanced Administration. The success of this method assumes you have OID and SSO each installed in separate homes. You would be cloning the SSO home to another box as if it were a middle tier (it is still part of the infrastructure) then re-configuring it on the new box.
    Personally solution 1 is the best method. We are using F5 Big-IP with this configuration and it is working great.
    Hope this helps!

  • Is pagination possible with jmx metrics on OEM?

    Hi, I implemented a MXBean interface which returns a list of objects (say, 100 rows of data). On oem, the list of 100 row data is displayed. However, I want to paginate that 100 rows, say 25 rows per display. Is this possible? I actually tried to have a parameter on the MXBean operation/attribute as the index and implement the pagination logic on the MXBean, but this still seems not possible because I have to give the value for that parameter at the time when I generate the metadata, and this parameter can not be changed once the monitoring target is added on OEM. So, I am wondering if pagination is possible with OEM, and how can I achieve that?
    Thanks in advance!
    -JC

    Since by definition a single EM agent must reside on a single database host, then, no, you can't monitor multiple hosts.
    Unless you mean that you want to monitor multiple virtual hosts from a single physical host ... but in that case, you'd still need one host per database host.
    That's just the way EM works. Always has, probably always will.
