ISE 1.3 Disallow authentication to network based on group

ISE 1.3
MS AD 2008R2
Two groups: All Employees, All Students
Problem: Students connecting to the employee network
I have two wireless networks STUDENTS and EMPLOYEES. In ISE I have two authorization policies for these networks. In a prior effort to keep students from connecting to the employee network, I set the authorization policy to:
Employee: If (Wireless_802.1X AND AD1:ExternalGroups EQUALS mydomain/User Accounts/All Employees AND AD1:ExternalGroups NOT_EQUALS mydomain/Students/All Students) then: Employee_Profile
Unfortunately this did not work. Students have their own username and password in AD and so does each faculty/staff member. I have verified that the students are using their credentials and connecting to the employee network. Conversely, I can connect to the student network using an employee's credentials. The main issue is that with the students connecting to the employee network, they are using up all of the addresses in the applicable DHCP scope.
I need to disallow connection to the employee network by students and the student network by employees.
Any help would be appreciated!
Kevin

Hi Kevin-
A couple of questions/suggestions:
- Is there a chance that the students are also part of the employee AD group? I know it is a silly question but I must ask :) In fact, when a successful authentication happens, you can open the "detailed authentication screen" for that session and see all of the AD groups that the user is a member of.
- Have you tested this yourself? For instance, you can create a test account in each group and then try it for yourself.
- Another silly question, but can you confirm that each SSID has a unique interface in the WLC, thus going to a different subnet/DHCP scope?
- I would make your authorization rule a bit simpler. I would like you to remove the: 
"AD1:ExternalGroups NOT_EQUALS mydomain/Students/All Students"
When it comes to AD groups, ISE would process them in a "top-down" fashion and as soon as a match occurs, ISE would stop looking. I don't think this is the issue in your case but still worth the try. 
- If the main issue is lack of DHCP addresses then why not address that? :) For instance, you can:
1. Expand the DHCP scope (From let's say /24 to a /23)
2. Assign a "secondary IP" address to the L3 interface, thus giving it more subnets
3. Utilize "Interface Groups" in the WLC, that way you can have multiple subnets tied to the same SSID
Thank you for rating helpful posts! 
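A small model of the top-down, first-match rule evaluation the reply describes, added here as an example (not Cisco code or anything from the thread). It evaluates constructed sessions against the group-only rules from the question and against the same rules with an SSID condition added; that SSID condition is this example's own assumption (it presumes the WLC reports the SSID, for instance via Called-Station-ID) and is not something the reply proposes.

```python
"""First-match authorization model for the ISE rule set discussed above.

Added example, not Cisco's code. ISE walks authorization rules top-down and
stops at the first rule whose conditions all hold; this model does the same
over constructed sessions so a rule set's outcome can be checked before it
is changed in production. AD1:ExternalGroups is multi-valued, so EQUALS is
modelled as "any of the user's groups matches".
"""
from dataclasses import dataclass
from typing import Callable, List, Tuple

EMPLOYEES = "mydomain/User Accounts/All Employees"
STUDENTS = "mydomain/Students/All Students"
DEFAULT_PROFILE = "DenyAccess"  # assumed default rule at the bottom of the policy


@dataclass
class Session:
    user: str
    groups: List[str]        # AD1:ExternalGroups: every AD group the user is in
    ssid: str                # constructed; assumes the WLC reports the SSID
    wireless_dot1x: bool = True


Condition = Callable[[Session], bool]
Rule = Tuple[str, List[Condition], str]  # (rule name, conditions, profile)


def wireless_802_1x(s: Session) -> bool:
    return s.wireless_dot1x


def group_equals(group: str) -> Condition:
    # Multi-valued EQUALS: true when any of the user's groups matches.
    return lambda s: any(g.lower() == group.lower() for g in s.groups)


def ssid_equals(ssid: str) -> Condition:
    # Example's own addition: tie the rule to the network the client joined.
    return lambda s: s.ssid.upper() == ssid.upper()


def authorize(rules: List[Rule], s: Session) -> Tuple[str, str]:
    """Return (matched rule name, profile); first match wins, else the default."""
    for name, conditions, profile in rules:
        if all(cond(s) for cond in conditions):
            return name, profile
    return "Default", DEFAULT_PROFILE


# Rules as described in the question (NOT_EQUALS dropped, as the reply suggests).
GROUP_ONLY_RULES: List[Rule] = [
    ("Employee", [wireless_802_1x, group_equals(EMPLOYEES)], "Employee_Profile"),
    ("Student", [wireless_802_1x, group_equals(STUDENTS)], "Student_Profile"),
]

# Same rules, each additionally keyed on the SSID (example's own variant).
SSID_AWARE_RULES: List[Rule] = [
    ("Employee", [wireless_802_1x, ssid_equals("EMPLOYEES"), group_equals(EMPLOYEES)],
     "Employee_Profile"),
    ("Student", [wireless_802_1x, ssid_equals("STUDENTS"), group_equals(STUDENTS)],
     "Student_Profile"),
]

# Constructed sessions covering the cases raised in the thread.
STUDENT_ON_EMPLOYEE_SSID = Session("jdoe", [STUDENTS], "EMPLOYEES")
EMPLOYEE_ON_STUDENT_SSID = Session("asmith", [EMPLOYEES], "STUDENTS")
BOTH_GROUPS_ON_STUDENT_SSID = Session("ta1", [STUDENTS, EMPLOYEES], "STUDENTS")

if __name__ == "__main__":
    for label, rules in (("group-only", GROUP_ONLY_RULES), ("ssid-aware", SSID_AWARE_RULES)):
        for sess in (STUDENT_ON_EMPLOYEE_SSID, EMPLOYEE_ON_STUDENT_SSID, BOTH_GROUPS_ON_STUDENT_SSID):
            print(f"{label:10} {sess.user:7} on {sess.ssid:9} -> {authorize(rules, sess)}")
```

With the group-only rules the student on the EMPLOYEES SSID still lands on the Student rule and is authorized, which is the symptom in the question; a user who is in both groups always takes the Employee rule because it is evaluated first.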

Similar Messages

  • ISE and central web authentication

    Hello all,
    I have followed the steps in this document in detail:
    http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080ba6514.shtml
    however, my central authentication does not work. I get to the guest portal, I get authenticated through the guest portal,
    but then the "second" MAB authentication doesn't happen.
    In the last screen capture of the document, you get a green "Dynamic Authorization" line (third line from the bottom). On my system this is a red line with the error message "11213 No response received from Network Access Device".
    (I have a successful guest authentication in my ISE logs, but it seems ISE is unable to bounce or initiate the second MAB....)
    Any ideas ?
    regards,
    Geert

    By the way, I feel the document example is a bit too general. For example, if you implement the document, ISE will do web authentication and redirection even when you are using an 802.1X client and are authenticated (and you have no other rules in your Authorization sequence table).
    I managed to prevent this by adding an additional condition to the first rule "MAC not known" that has the CentralWebAuth policy: only do web authentication if MAC not known AND Wired_MAB is being used.

  • AAA authentication for networking devices using ACS 4.1 SE

    Hi!!!
    I want to perform AAA authentication for networking devices using ACS 4.1 SE.
    I do have Cisco 4500, 6500,2960, 3750, 3560, ASA, CSMARS, routers (2821) etc in my network. I want to have radius based authentication for the same.
    I want telnet, SSH and console attempts to be verified by the RADIUS server, and if ACS goes down then via the local enable password.
    For all users I need to have different privilege levels, based upon which access will be granted.
    Could you please send me the config that is required on the active devices as well as on ACS!!!!

    Pradeep,
    Are you planning MAC authentication for some users while using EAP for others?
    For MAC authentication, just use the following in your AP.
    aaa authentication login mac_methods group radius
    In your AP, select the radius server for mac authentication. You must have already defined your ACS as a radius server.
    In your SSID configuration, under client authentication settings,
    check "open authentication" and also select "MAC Authentication" from the drop-down list.
    If you want to allow either MAC or EAP, then select "MAC Authentication or EAP" from the dropdown.
    Define the mac address as the username and password in ACS. Make sure the format of the mac is without any spaces.
    You will not need to change anything in XP.
    NOTE: XP normally does not require user authentication if machine has already authenticated but it might behave differently. If it does, I can let you know the registry settings to force the behaviour change.
    HTH

  • Network based and a-gps, data use tests

    I was trying to find this kind of info, but only found others asking.
    I hope this is useful info for others, especially while roaming.
    Skip to the bottom for the conclusion;
    this is the process I took:
    I called Nokia tech support;
    their phone support is horrible,
    the people on the phone don't actually know anything, and have to look up everything you ask them.
    They were the worst.
    I emailed Nokia tech support.
    My message was:
    "I would like to know the difference between assisted GPS positioning and network based positioning. These are 2 of the 4 options on my Nokia E66 for positioning methods. I would like to know if network based positioning uses internet data from my service provider to obtain my GPS position. I am especially concerned with this function while I'm roaming internationally, as I do not want to be charged for roaming data use."
    In about half an hour they responded w/ an answer, and then 45 min after that someone else responded w/ an answer.
    The first response, minus the hellos etc., was:
    "In response to your email, Assisted GPS and Network Based positioning methods generate costs related to data traffic so you will be charged for data use. Only "normal" GPS and Bluetooth GPS do not generate additional costs related to data traffic.
    Normal GPS is quite slow and does not work indoors. Therefore, it is recommended to enable at least A-GPS to get a faster position outdoors.
    Network based and Wi-Fi positioning also allow you to update your position inside buildings, but they cannot be used for navigation."
    The 2nd response was:
    "In response to your inquiry, the difference between Assisted GPS positioning (A-GPS) and Network based positioning is that A-GPS uses satellites while Network based positioning is based on information of your cellular network environment. It allows you to update your position inside buildings, but they cannot be used for navigation. Both positioning methods generate costs related to data traffic (unless you have configured the device to use Wi-Fi connection to make the internet connection). The cost may vary while you are on roaming. Kindly contact the service provider for information about data transmission costs."
    I could also respond w/ more questions, but instead did some tests, starting with sitting at home, indoors, and eventually moving to a window w/ lots of sky.
    Test 1:
    I enabled:
    integrated GPS
    network based
    assisted GPS
    opened Maps,
    set Maps to be offline,
    set the default internet access point to my home WLAN network,
    closed Maps,
    cleared all counters and the log in the phone's communication log.
    Opened Maps:
    there is a pink circle around the area I may be in,
    the icon that would show GPS satellite strength changes to show the cell phone antenna icon,
    but the packet data counter is sending/receiving a total of around 3-8kb immediately, and over the course of time it keeps adding up, every 1-2 minutes, and it is shown as packet data to/from the access point "at&t internet".
    Over the course of ten minutes, it's been about 43kb.
    And I can tell on the phone's home screen that the packet data connection becomes active when it does.
    The Maps kb indicator still says 0.0kb, with a line through the double arrow packet data symbol.
    Test 2:
    Now I exited Maps,
    cleared the counters and logs,
    turned off A-GPS,
    enabled only integrated GPS and network based.
    I open Maps;
    the same thing is happening as with assisted GPS on, except I connected to my home WLAN once, in the middle of connecting to at&t internet 10 or so times.
    Everything else is happening the same.
    Test 3:
    I exited Maps,
    cleared the counters and logs,
    enabled only integrated GPS.
    I open Maps, and there is no evidence of a packet data connection or WLAN connection.
    Nothing is showing up in the logs or packet counters, and there is no pink circle around where I may be.
    If I set Maps to go online, w/ my WLAN as the access point, or at&t internet, their respective icons show up in Maps, as well as on the phone's home screen.
    The phone's log shows the respective connections are made but w/ 0.0kb, and the phone's packet counter, as well as the Maps kb usage, say 0.0kb.
    Test 4:
    set Maps to offline, w/ my WLAN as access point,
    exited Maps,
    turned the phone off for a bit to test GPS from a cold start,
    turned on the phone,
    cleared counters/logs,
    enabled only assisted GPS and integrated GPS.
    Open Maps: there's no pink circle around where I may be, just the red dot of where it thought I last was.
    There's about 4-5kb of data transfer,
    then I bring the phone to the window where there's a lot of clear sky, and my location is found pretty fast.
    I know that w/o assisted GPS, w/ only integrated GPS, it takes a while to get the GPS signals.
    I went back and forth to/from the window, and there was packet data use again only once more, not continuously like w/ network based positioning.
    So to conclude my tests:
    setting Maps to be offline still uses A-GPS and network based positioning.
    Network based uses more data, continuously,
    which is the opposite of what I thought; I thought A-GPS would use more, so I was using network based on and A-GPS off while in Canada. Whoops.
    Using assisted GPS uses about 5-10kb, which, when roaming, according to at&t, they charge 1.95 cents/kb for.
    Might be worthwhile for getting a quick GPS signal; nothing worse than waiting forever for it to connect.
    The only way to be completely clear of data use is to disable network based and assisted GPS, or set the phone to offline mode.

    A-GPS: This uses information from cell network to get a rough idea of where you are. It then uses this information to figure out which satellites to look for. Result is a faster satellite lock. So A-GPS uses a few kB of data to get an initial position, but navigation is done using GPS satellites, which does not require ANY data connection.
    Network based: This uses information from the cell network to plot the current position when GPS satellite signal is not available, i.e. indoors, in a tunnel, etc. Position info derived from the cell network is not as accurate as that from GPS satellites, but serves as a stopgap until GPS signal can be re-acquired. Network based positioning uses your data connection EACH TIME the satellite lock is lost. So the amount of data used is dependent on the quality of access you have to the GPS satellites. If you don't lose the connection to the GPS satellites, then you won't use any data.
    The ‘offline’ option within the Nokia Maps app only refers to street, POI, etc searches, NOT to A-GPS, Network based positioning or to connecting with the GPS satellites.
    If you want to navigate without using ANY data connection, set A-GPS off AND set Network based positioning off AND set the Internet option in Nokia Maps to Offline. Do this and you will not use any of your data connection allowance when navigating. There is no need to put the phone into flight mode.
    If I've helped you, you can thank me by clicking the green 'kudos' star on my post. Cheers.

  • Open File - Security Warning with Network-based Silent Install of CS4

    I am attempting to run an enterprise deployment of CS4 Design Standard Edition onto a pool of WinXP Pro workstations. I placed all of the install files on a networked server running Windows 2003, and generated from there all of the requisite .xml files (install, uninstall, and override files). From this network share, I can successfully run a silent install.
    HOWEVER. Multiple times (two or three) during the course of the silent install, I receive the same pop-up security warning from Windows XP (definitely an OS message, not anti-virus or other) that reads as follows:
    Open File - Security Warning
    Do you want to run this file?
    Name: AIRApplicationRunner.exe
    Publisher: Adobe Systems Incorporated
    Type: Application
    From: (server IP address)
    I have tried excluding Adobe AIR from the installation package, but I still receive the same security prompt. Having to click through these prompts in a silent install is enough of a hassle on its own. But more importantly I am unable to run the silent install as part of a logoff script because, for all intents & purposes, it is no longer a silent install (i.e. it requires user intervention). To top it off, I found when testing the logoff script that the prompts are suppressed and the installation fails prior to the bulk of the installation (Photoshop, Illustrator, & InDesign).
    I'm sure that I could run the install by copying all of the files to each local workstation, but again that would defeat the purpose of an easy, network-based install. In the past I was able to install CS3 in this fashion with no troubles, which of course did not include Adobe Air.
    Can anybody offer a suggestion as to how to disable these security messages, or alternately, how to entirely exclude Adobe Air from the install package? I have found a VB script that is supposed to address the security warnings issue, but to run the script also requires the user to accept it at a security prompt.
    Thanks in advance for any assistance!
    -Dan

    I'm now able to deploy design suite premium cs4 successfully.
    The issue for me was that AIRApplicationRunner installs some useless software. I worked around the AIRApplicationRunner prompt by removing any apps that are installed using that method. By "removing" I mean marking that app as "donotinstall" in the deployment file. The apps I removed are the Adobe codes for Adobe Media Player, Adobe.com, and Adobe AIR itself. The below is from my deploy.xml file used for the silent workflow:
    donotinstall
    donotinstall
    donotinstall
    If you mark those three adobe codes as "donotinstall" the prompt never appears and the real apps get installed just fine.

  • Updating hybrid configuration failed - Kerberos authentication: The network path was not found

    I'm configuring Exchange 2010 SP3 as a Hybrid server with Exchange Online. This is a single server running Exchange roles Mailbox, Client Access, Unified Messaging and Hub Transport.
    When I run the Manage Hybrid Configuration, I receive the following error:
    Updating hybrid configuration failed with error
    'System.Management.Automation.Remoting.PSRemotingTransportException: Connecting to remote server failed with the following error message : WinRM cannot process the request. The following error occurred while using Kerberos authentication: The network path was not found.
    The full text from the Hybrid Configuration log file (C:\Program Files\Microsoft\Exchange Server\V14\Logging\Update-HybridConfiguration)
    [1/5/2014 21:21:1] INFO:Opening runspace to
    http://[servername]/powershell?serializationLevel=Full
    [1/5/2014 21:21:1] INFO:Disconnected from On-Premises session
    [1/5/2014 21:21:1] ERROR:Updating hybrid configuration failed with error 'System.Management.Automation.Remoting.PSRemotingTransportException: Connecting to remote server failed with the following error message : WinRM cannot process the request. The following error occured while using Kerberos authentication: The network path was not found. 
     Possible causes are:
      -The user name or password specified are invalid.
      -Kerberos is used when no authentication method and no user name are specified.
      -Kerberos accepts domain user names, but not local user names.
      -The Service Principal Name (SPN) for the remote computer name and port does not exist.
      -The client and remote computers are in different domains and there is no trust between the two domains.
     After checking for the above issues, try the following:
      -Check the Event Viewer for events related to authentication.
      -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
     Note that computers in the TrustedHosts list might not be authenticated.
       -For more information about WinRM configuration, run the following command: winrm help config. For more information, see the about_Remote_Troubleshooting Help topic.
       at System.Management.Automation.Runspaces.AsyncResult.EndInvoke()
       at System.Management.Automation.Runspaces.Internal.RunspacePoolInternal.EndOpen(IAsyncResult asyncResult)
       at System.Management.Automation.Runspaces.RunspacePool.Open()
       at System.Management.Automation.RemoteRunspace.Open()
       at Microsoft.Exchange.Management.Hybrid.RemotePowershellSession.Connect(PSCredential credentials, CultureInfo sessionUiCulture)
       at Microsoft.Exchange.Management.Hybrid.Engine.Execute(ILogger logger, String onPremPowershellHost, PSCredential onPremCredentials, PSCredential tenantCredentials, HybridConfiguration hybridConfiguration)
       at Microsoft.Exchange.Management.SystemConfigurationTasks.UpdateHybridConfiguration.InternalProcessRecord()'.
    I have sought help, posting on the forum at community.office365.com -
    http://community.office365.com/en-us/forums/158/t/212265.aspx. But I've got to a point where I believe the problem is more to do with how PowerShell is operating on the on-prem Exchange server.
    Has anyone else come across this problem running the Hybrid Configuration Wizard?

    Hello Darrell,
    Have you verified the settings of Powershell virtual directories for the on-premises Exchange Servers? The following article has a list of some common issues with that virtual directory and how to correct them:
    http://technet.microsoft.com/en-us/library/ff607221(v=exchg.80).aspx
    I would take a look at the one titled "Configure Kerberos Authentication" specifically to ensure everything looks good.
    As the article states you can run the Exchange BPA and it will check if any of these exist as well.

  • WinRM cannot process the request. The following error occured while using Kerberos authentication: The network path was not found.

    I have two forests with a transitive one-way trust between them: PROD -> TEST (TEST trusts PROD). I had previously had Kerberos authentication working with WinRM from PROD to machines in TEST. I have verified the trust is healthy; I also verified users in TEST can use WinRM with Kerberos just fine. Users from PROD cannot connect via Kerberos to machines in TEST with WinRM.
    I have verified the service has registered the appropriate SPNs. I ran dcdiag against all my PROD and TEST domain controllers and didn't find anything that would prevent Kerberos from happening. I even tried disabling the firewall entirely on my TEST DCs, but that didn't gain me anything.
    I've enabled kerberos logging but only see the expected errors such as it couldn't find a PROD SPN for the machine, which it shouldn't from what I understand, it should go to the TEST domain and find the SPN from there.
    I'm really out of next steps before I call PSS and hope someone here has run into this and could provide me some next steps.
    PowerShell Error:
    Connecting to remote server failed with the following error message : WinRM cannot process the request. The following error occured while using Kerberos authentication: The network path was not found.  
     Possible causes are:
      -The user name or password specified are invalid.
      -Kerberos is used when no authentication method and no user name are specified.
      -Kerberos accepts domain user names, but not local user names.
      -The Service Principal Name (SPN) for the remote computer name and port does not exist.
      -The client and remote computers are in different domains and there is no trust between the two domains.
     After checking for the above issues, try the following:
      -Check the Event Viewer for events related to authentication.
      -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
     Note that computers in the TrustedHosts list might not be authenticated.
       -For more information about WinRM configuration, run the following command: winrm help config. For more information, see the about_Remote_Troubleshooting Help topic.
        + CategoryInfo          : OpenError: (:) [], PSRemotingTransportException
        + FullyQualifiedErrorId : PSSessionStateBroken
    winrs Error:
    Winrs error:
    WinRM cannot process the request. The following error occured while using Kerberos authentication: The network path was not found.  
     Possible causes are:
      -The user name or password specified are invalid.
      -Kerberos is used when no authentication method and no user name are specified.
      -Kerberos accepts domain user names, but not local user names.
      -The Service Principal Name (SPN) for the remote computer name and port does not exist.
      -The client and remote computers are in different domains and there is no trust between the two domains.
     After checking for the above issues, try the following:
      -Check the Event Viewer for events related to authentication.
      -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
     Note that computers in the TrustedHosts list might not be authenticated.
       -For more information about WinRM configuration, run the following command: winrm help config.

    Hi Adam,
    I'm a little unclear about which SPNs you were looking for, in which case could you confirm you were checking that on the computer object belonging to the actual destination host it has the following SPNs registered?
    WSMAN/<NetBIOS name>
    WSMAN/<FQDN>
    If you were actually trying to use WinRM to connect to the remote forest's domain controllers, then what you said makes sense, but I was caught between assuming this was the case or you meant another member server in that remote forest.
    Also, from the client trying to connect to this remote server, are you able to telnet to port 5985? (If you've used something other than the default, try that port)
    If you can't, then you've got something else like a firewall (be that the Windows firewall on the destination or a hardware firewall somewhere in between) blocking you at the port level, or the listener on the remote box just isn't working as expected. I just replied to your other winrm post with steps for checking the latter, so I won't repeat myself here.
    If you can telnet to it and the SPNs exist, then you might be up against something called selective authentication which has to do with how the trust was defined. You can have a read of this to learn a bit more about selective trusts and whether or not it's affecting you.
    Cheers,
    Lain
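A small checker for the first two items in this reply, the WSMAN SPNs on the destination computer object and TCP reachability of the listener on 5985, added here as an example and not code from the thread or from Microsoft. It assumes the text printed by `setspn -L <computer>` is pasted in; the sample output for a host APP01 in a TEST forest is constructed.

```python
"""WinRM Kerberos pre-checks: WSMAN SPNs present and listener port reachable.

Added example, not Microsoft's code. parse_setspn() reads the text that
`setspn -L <computer>` prints, missing_wsman_spns() reports which of
WSMAN/<NetBIOS name> and WSMAN/<FQDN> are absent on that computer object,
and port_open() is the "can you telnet to 5985" test done from the client.
"""
import socket
from typing import Dict, List


def parse_setspn(text: str) -> List[str]:
    """Return the SPNs listed by `setspn -L` (the indented lines after the header)."""
    spns = []
    for line in text.splitlines():
        if line.startswith((" ", "\t")) and "/" in line:
            spns.append(line.strip())
    return spns


def missing_wsman_spns(netbios: str, fqdn: str, registered: List[str]) -> List[str]:
    """SPN comparison is case-insensitive, so normalise before comparing."""
    have = {s.lower() for s in registered}
    wanted = [f"WSMAN/{netbios}", f"WSMAN/{fqdn}"]
    return [w for w in wanted if w.lower() not in have]


def port_open(host: str, port: int = 5985, timeout: float = 3.0) -> bool:
    """TCP connect test equivalent to 'telnet host 5985' (5986 for HTTPS)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def diagnose(netbios: str, fqdn: str, setspn_output: str,
             check_port: bool = True) -> Dict[str, object]:
    """Combine both checks into one report for the destination host."""
    report: Dict[str, object] = {
        "missing_spns": missing_wsman_spns(netbios, fqdn, parse_setspn(setspn_output)),
    }
    if check_port:
        report["port_5985_open"] = port_open(fqdn)
    return report


# Constructed `setspn -L APP01` output: the FQDN form of the WSMAN SPN is absent.
SAMPLE_SETSPN = """Registered ServicePrincipalNames for CN=APP01,CN=Computers,DC=test,DC=local:
        WSMAN/app01
        TERMSRV/app01
        TERMSRV/app01.test.local
        HOST/app01
        HOST/app01.test.local
"""

if __name__ == "__main__":
    print(diagnose("APP01", "app01.test.local", SAMPLE_SETSPN, check_port=False))
```

A non-empty missing_spns list means the Kerberos client will ask the KDC for a service ticket no server holds, which fails before the trust direction or selective authentication even come into play.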

  • Recommended storage for Network-based accounts?

    Hello everyone. Sorry in advance for all the following information, but I want to be thorough in hopes of allowing you to offer better input. I'm using an Xserve 2 x 2.8 GHz Quad Xeon (Mac OS X Server 10.6.6) with 22 GB RAM and a 6 GB NIC LACP bond to our backbone switch. This switch feeds three labs, each with their own gigabit switch, with a total of approximately 50 iMacs combined. All iMacs are connected via gigabit ethernet. All user accounts are network-based, bound to the Xserve via OD via AFP. I have WGM folder-redirects to keep the user caches folder and some of the Adobe stuff off the network for better performance. Primary software is the Adobe Creative Suite Premium CS5 throughout, with one lab using Final Cut Express & Pro and Adobe After Effects. This lab has local partitions for the high I/O requirements of video editing (so I'm not looking to sustain multiple HD streams over the network, etc.). I installed an 8TB OWC Mercury Rack Pro (external hardware RAID enclosure) with an Oxford 936 chipset this past summer, which is currently configured as RAID 5 and connected to the Xserve via a NewerTech 6GB-capable SATA host card (also provided by OWC). All of our network home directories are on the OWC Mercury Rack Pro. We also upgraded two of our three labs with brand new 27" Intel i5 iMacs this past summer. Lastly, I upgraded the Xserve to Snow Leopard also this past summer.
    The Problem:
    Since the upgrades this past summer (Snow Leopard Server, OWC Mercury Rack Pro, new iMacs), network account performance is notably more sluggish (log-in, opening apps, etc.) compared to before the upgrades (Xserve was running Server 10.5.8, labs had Mac Mini systems with gigabit running Mac OS X 10.5.8 and Adobe CS4). My network accounts were on an eSATA Rocstor ArticRoc RAID 5 unit previously, connected to the Xserve via an older Sonnet Tempo-X SATA card (which was PCI-X, not PCI-Express).
    Turns out the new iMacs don't support jumbo frames (yikes!), but notwithstanding that issue, it appears like the new Mercury Rack Pro might not be performing well under load. I've done some testing using OWC's provided QuickBench software. I logged into 3 iMacs using a local admin account, mounted three separate home directories from the Xserve and started testing performance simultaneously (to simulate multiple user access). The iMacs were next to each other, so my tests were started about 1 second apart, but were otherwise running simultaneously. Here's the results for review:
    The tests were performed without file caching enabled, to better gauge the raw storage performance. The results for each test file size are in MB/sec and the 4 result columns in order from left to right are Seq. Read, Seq. Write, Rand. Read, Rand. Write. The averages are totaled at the bottom. Hope this comes through in a readable fashion...
    iMac-1 Test (MB/sec):
    Size      Seq. Read  Seq. Write  Rand. Read  Rand. Write
    4 KB         10.499       0.502      10.645        0.087
    8 KB         16.351       4.179      15.913        0.143
    16 KB        29.35       11.213      28.878        0.213
    32 KB        39.703      19.318      40.633        0.251
    64 KB        55.519      27.347      51.766        0.335
    128 KB       70.823      38.541      63.345        0.414
    256 KB       78.946      46.074      70.803        0.383
    512 KB       87.872      56.071      77.47         0.325
    1024 KB      93.209      60.616      87.667        0.281
    Average      53.586      29.318      49.68         0.27
    iMac-2 Test (MB/sec):
    Size      Seq. Read  Seq. Write  Rand. Read  Rand. Write
    4 KB          9.901       0.494      10.843        0.08
    8 KB         14.208       5.116      15.942        0.142
    16 KB        22.762       9.668      26.973        0.174
    32 KB        30.357      16.301      42.276        0.183
    64 KB         2.605      25.486      51.606        0.179
    128 KB        4.831      28.404      18.495        0.308
    256 KB       87.839      43.936      87.014        0.404
    512 KB       96.93       28.836      95.64         0.335
    1024 KB      99.789      40.661      71.096        0.318
    Average      41.025      22.1        46.654        0.236
    iMac-3 Test (MB/sec):
    Size      Seq. Read  Seq. Write  Rand. Read  Rand. Write
    4 KB          4.689       0.79       10.348        0.065
    8 KB          7.908       5.526      16.399        0.086
    16 KB         6.848       8.783      27.967        0.056
    32 KB        30.183      14.756      42.096        0.132
    64 KB        46.42       13.255      53.114        0.277
    128 KB       74.744      11.307       4.369        0.424
    256 KB       80.955      25.521      26.432        0.484
    512 KB       97.356      16.138      65.667        0.386
    1024 KB     103.434      44.617     103.015        0.612
    Average      50.282      15.632      38.823        0.28
    It appears that small file performance is poor (historically a problem via AFP, I recall), but the Random Write performance is what scared me the most. It's very low across the spectrum. I'm going to provide these results to OWC for review, but wanted to get some additional perspective from the community. I'd appreciate any thoughts or ideas you might share.
    Related Question:
    We may have 35 users logged in at peak time. But given that I'm hosting network accounts for approximately 50 gigabit-equipped Macs, what would you recommend (or are you using) for storage based on my usage criteria mentioned earlier? I'm hoping there's a solution that's less expensive than the fibre-channel Promise RAID (or equivalent); as our budget unfortunately won't support that. Any storage solutions in the SATA realm that might be sufficient for hosting home directories where video capture isn't required?
    Thanks for your patience and your advice!
    Regards - Zeek

    RE: options (b) or (c) with external firewire or USB drives -- if you go this route, are you thinking of afp- or smb-mounting (i.e., ⌘k in Finder) the mini or cube or G3? If so, you'll want to get ahold of SharePoints (unless you know how to create mount points in NetInfo), so you can create an additional mount point on the mini or cube or G3 for your external drive. As you know, when you afp-mount another Mac, the mount points that show up are the individual user accounts on that other Mac /Users/{shortUserNameGoesHere}. But an external firewire drive would not be visible at /Volumes/{extDriveNameGoesHere} on the mini or cube or G3 from these User mount points because /Volumes/{extDriveNameGoesHere} is not in the path of /Users/{shortUserNameGoesHere}. The only way that you could get there would be if you connected as admin on the cube or mini or G3, and then mounted the mini or cube or G3 at its root (/). But you might not want to let regular user accounts access the cube or mini or G3 as admin. But SharePoints will let you define that mount point, so when you ⌘k, it shows up just like the user names do. I am not familiar with smb mounts (for the benefit of your Wintel boxes) but SharePoints will let you define smb mount points, too. It has enabled me to create a "community (inbound) fax" afp mount point, for remote users to retrieve faxes from my computer, as well as permit a "central" afp-mount point for all my users' dropboxes, so you don't have to mount every user if you have multiple drops to make. (That required me to actually move all the drop boxes to a common folder, and make aliases to those locations back in the original users' drop box locations). So you might want to look into SharePoints if you decide to go this route.
    (if you find that this solves your problem, or is actually helpful towards arriving at a solution to your problem, please consider clicking on either the "helpful" or "solved" buttons in the header of this post)

  • ISE 1.2 web authentication problem with wired clients

    Hello,
    i am having problems with centralized web authentication using a Catalyst 3650X with IOS 15.0.2 SE01 and ISE 1.2.
    Redirecting the client works fine, but as soon as the client opens a web browser and the ISE website opens to authenticate the client, the switch port resets, the authentication process restarts and the session ID changes. After the client enters the credentials a session expired message appears on the client and I get an 86017 Session Missing message in ISE.
    Here is the output from the debug aaa coa log.
    Any ideas?
    Thanks in advance,
    Alex
    ! CLIENT CONNECT TO SWITCHPORT
    ISE-TEST-SWITCH#show authentication sessions interface gi0/3
                Interface:  GigabitEthernet0/3
              MAC Address:  001f.297b.bd82
               IP Address:  10.2.12.45
                User-Name:  00-1F-29-7B-BD-82
                   Status:  Authz Success
                   Domain:  DATA
          Security Policy:  Should Secure
          Security Status:  Unsecure
           Oper host mode:  multi-auth
         Oper control dir:  both
            Authorized By:  Authentication Server
              Vlan Policy:  N/A
                  ACS ACL:  xACSACLx-IP-PERMIT_ALL_TRAFFIC-537cb1d6
         URL Redirect ACL:  ACL-WEBAUTH-REDIRECT
             URL Redirect:  https://nos-ch-wbn-ise1.nosergroup.lan:8443/guestportal/gateway?sessionId=AC1484640000026B28C02CDC&action=cwa
          Session timeout:  N/A
             Idle timeout:  N/A
        Common Session ID:  AC1484640000026B28C02CDC
          Acct Session ID:  0x0000029C
                   Handle:  0x8C00026C
    Runnable methods list:
           Method   State
           dot1x    Failed over
           mab      Authc Success
    ! CLIENT OPENS INTERNETEXPLORER -> REDIRECTS TO ISE 
    ! SWITCHPORT GOES IN ADMINISTRATIVE DOWN STARTS AUTHENTICATION AGAIN
    ISE-TEST-SWITCH#
    191526: .Jun 24 10:42:24.340 UTC: COA: 10.0.128.38 request queued
    191527: .Jun 24 10:42:24.340 UTC: RADIUS:  authenticator 7F A9 85 AB F6 4A D0 F3 - B4 E6 F2 56 74 C6 2D 33
    191528: .Jun 24 10:42:24.340 UTC: RADIUS:  NAS-IP-Address      [4]   6   172.20.132.100
    191529: .Jun 24 10:42:24.340 UTC: RADIUS:  Calling-Station-Id  [31]  19  "00:1F:29:7B:BD:82"
    191530: .Jun 24 10:42:24.340 UTC: RADIUS:  Acct-Terminate-Cause[49]  6   admin-reset               [6]
    191531: .Jun 24 10:42:24.340 UTC: RADIUS:  Event-Timestamp     [55]  6   1403606529
    191532: .Jun 24 10:42:24.340 UTC: RADIUS:  Message-Authenticato[80]  18
    191533: .Jun 24 10:42:24.340 UTC: RADIUS:   E0 3C B2 8C 89 47 67 A8 69 F5 3D 08 61 FF 53 6E          [ <Ggi=aSn]
    191534: .Jun 24 10:42:24.340 UTC: RADIUS:  Vendor, Cisco       [26]  43
    191535: .Jun 24 10:42:24.340 UTC: RADIUS:   Cisco AVpair       [1]   37  "subscriber:command=bounce-host-port"
    191536: .Jun 24 10:42:24.340 UTC: COA: Message Authenticator decode passed
    191537: .Jun 24 10:42:24.340 UTC:  ++++++ CoA Attribute List ++++++
    191538: .Jun 24 10:42:24.340 UTC: 06D96C58 0 00000001 nas-ip-address(600) 4 172.20.132.100
    191539: .Jun 24 10:42:24.349 UTC: 06D9AC18 0 00000081 formatted-clid(37) 17 00:1F:29:7B:BD:82
    191540: .Jun 24 10:42:24.349 UTC: 06D9AC4C 0 00000001 disc-cause(434) 4 admin-reset
    191541: .Jun 24 10:42:24.349 UTC: 06D9AC80 0 00000001 Event-Timestamp(445) 4 1403606529(53A95601)
    191542: .Jun 24 10:42:24.349 UTC: 06D9ACB4 0 00000081 ssg-command-code(490) 1 33
    191543: .Jun 24 10:42:24.349 UTC:
    191544: .Jun 24 2014 10:42:24.365 UTC: %EPM-6-IPEVENT: IP 10.2.12.45| MAC 001f.297b.bd82| AuditSessionID AC1484640000026B28C02CDC| AUTHTYPE DOT1X| EVENT IP-RELEASE
    191545: .Jun 24 2014 10:42:24.382 UTC: %EPM-6-IPEVENT: IP 10.2.12.45| MAC 001f.297b.bd82| AuditSessionID AC1484640000026B28C02CDC| AUTHTYPE DOT1X| EVENT IP-WAIT
    191546: .Jun 24 2014 10:42:24.382 UTC: %EPM-6-POLICY_REQ: IP 0.0.0.0| MAC 001f.297b.bd82| AuditSessionID AC1484640000026B28C02CDC| AUTHTYPE DOT1X| EVENT REMOVE
    191547: .Jun 24 2014 10:42:24.390 UTC: %EPM-6-AUTH_ACL: POLICY Auth-Default-ACL-OPEN| EVENT DETACH-SUCCESS
    191548: .Jun 24 2014 10:42:26.353 UTC: %LINK-5-CHANGED: Interface GigabitEthernet0/3, changed state to administratively down
    191549: .Jun 24 2014 10:42:27.359 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/3, changed state to down
    ISE-TEST-SWITCH#
    191550: .Jun 24 2014 10:42:36.366 UTC: %LINK-3-UPDOWN: Interface GigabitEthernet0/3, changed state to down
    191551: .Jun 24 10:42:40.592 UTC: AAA/BIND(000002A7): Bind i/f
    191552: .Jun 24 2014 10:42:41.129 UTC: %AUTHMGR-5-START: Starting 'dot1x' for client (001f.297b.bd82) on Interface Gi0/3 AuditSessionID AC1484640000026C28C2FA05
    191553: .Jun 24 2014 10:42:42.580 UTC: %LINK-3-UPDOWN: Interface GigabitEthernet0/3, changed state to up
    191554: .Jun 24 2014 10:42:43.586 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/3, changed state to up
    ! SESSION ID CHANGES, USER ENTERS CREDENTIALS 
    ! ERROR MESSAGE AT CLIENT "YOUR SESSION HAS EXPIRED"
    ! ERROR MESSAGE IN ISE "86017 SESSION MISSING"
    ISE-TEST-SWITCH#show authentication sessions interface gi0/3
                Interface:  GigabitEthernet0/3
              MAC Address:  001f.297b.bd82
               IP Address:  10.2.12.45
                   Status:  Running
                   Domain:  UNKNOWN
          Security Policy:  Should Secure
          Security Status:  Unsecure
           Oper host mode:  multi-auth
         Oper control dir:  both
          Session timeout:  N/A
             Idle timeout:  N/A
        Common Session ID:  AC1484640000026C28C2FA05
          Acct Session ID:  0x0000029D
                   Handle:  0x2C00026D
    Runnable methods list:
           Method   State
           dot1x    Running
           mab      Not run
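    The debug output above can be read mechanically. The following Python script, added here as an example and not part of Alex's post, picks out the CoA command carried in the Cisco AVpair, the Acct-Terminate-Cause, the administrative port shutdown and every AuditSessionID, and reports that the port bounce produced a second session ID, which is the session the portal login then fails to find (86017). The sample lines are copied from the post; the function name and the dictionary keys are this example's own.

```python
import re

# Constructed sample: a handful of lines copied from the switch debug output in the post above.
SAMPLE_LOG = """\
191530: .Jun 24 10:42:24.340 UTC: RADIUS:  Acct-Terminate-Cause[49]  6   admin-reset               [6]
191535: .Jun 24 10:42:24.340 UTC: RADIUS:   Cisco AVpair       [1]   37  "subscriber:command=bounce-host-port"
191544: .Jun 24 2014 10:42:24.365 UTC: %EPM-6-IPEVENT: IP 10.2.12.45| MAC 001f.297b.bd82| AuditSessionID AC1484640000026B28C02CDC| AUTHTYPE DOT1X| EVENT IP-RELEASE
191548: .Jun 24 2014 10:42:26.353 UTC: %LINK-5-CHANGED: Interface GigabitEthernet0/3, changed state to administratively down
191552: .Jun 24 2014 10:42:41.129 UTC: %AUTHMGR-5-START: Starting 'dot1x' for client (001f.297b.bd82) on Interface Gi0/3 AuditSessionID AC1484640000026C28C2FA05
"""

# The CoA command arrives as a Cisco AVpair; the switch identifies the session by AuditSessionID.
COA_CMD_RE = re.compile(r'Cisco AVpair\s+\[1\]\s+\d+\s+"subscriber:command=([\w-]+)"')
TERM_CAUSE_RE = re.compile(r"Acct-Terminate-Cause\[49\]\s+\d+\s+(\S+)")
SESSION_RE = re.compile(r"AuditSessionID ([0-9A-Fa-f]+)")
ADMIN_DOWN_RE = re.compile(r"%LINK-5-CHANGED: Interface (\S+), changed state to administratively down")


def analyze_coa_log(log_text):
    """Correlate the CoA command, the port state change and the session IDs seen in the log."""
    coa_cmd = term_cause = bounced_if = None
    session_ids = []  # distinct AuditSessionIDs, in order of first appearance
    for line in log_text.splitlines():
        if m := COA_CMD_RE.search(line):
            coa_cmd = m.group(1)
        if m := TERM_CAUSE_RE.search(line):
            term_cause = m.group(1)
        if m := ADMIN_DOWN_RE.search(line):
            bounced_if = m.group(1)
        for sid in SESSION_RE.findall(line):
            if sid not in session_ids:
                session_ids.append(sid)
    session_changed = len(session_ids) > 1
    if coa_cmd == "bounce-host-port" and session_changed:
        verdict = ("port bounce CoA started a new session; the portal login still carries the "
                   "old session ID, which ISE reports as 86017 Session Missing")
    elif coa_cmd == "reauthenticate" and not session_changed:
        # A reauthenticate CoA keeps the existing session, so a CWA portal login can complete.
        verdict = "reauthenticate CoA kept the session ID"
    else:
        verdict = "no conclusive pattern"
    return {
        "coa_command": coa_cmd,
        "terminate_cause": term_cause,
        "bounced_interface": bounced_if,
        "session_ids": session_ids,
        "session_changed": session_changed,
        "verdict": verdict,
    }
```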

    Guest authentication failed: 86017: Session cache entry missing
    Try adjusting the UTC timezone during the guest creation in the sponsor portal.
    86017 (Guest) Session Missing: "Session ID missing. Please contact your System Administrator." Severity: Info

  • Can anyone explain Assisted GPS vs Network based f...

    I just got a new E5 and was playing with some settings as well as Ovi maps. On ovi maps, I can see two figures on the bottom right corner, one is a counter for data usage and one looks like a phone signal with green and red bars. Now, I have it in offline mode so the data usage is at 0.0kb.
    I wanted to know what the difference between the Assisted GPS and Network based positioning methods are. If I turn on Assisted GPS, the data counter still stays at 0.0kb, so I'm not sure if A-GPS uses data or not. Is there a way to know if A-GPS is working like the network based data counter?

    http://almost-a-technocrat.blogspot.com/2010/07/gps-positioning-methods-explained.html

  • C5 time does not work, even with network based tim...

    Hi Nokia peoples,
    When is the patch anticipated for our C5's to fix the broken clock problems?
    If it just displayed the wrong time it would be one thing, but since it affects the ordering of text messages displayed et al, it's a bit more of a catastrophic issue.
    Others have reported that hard resetting the device only lasts momentarily and that the bug is pretty fatal.
    Thanks, please let us know the plan.

    "Automatic time update" or network based time update may not be available on all networks. Check with some other operator SIM.

  • Network Based Backup of OS X Server

    This tech doc:
    Restoring OS X Server from a Time Machine backup
    states
    "Important: When restoring, restore from a local Time Machine backup. If you try to restore from a network-based Time Machine backup, not all settings will be restored correctly."
    Does anyone have information regarding which settings will not be restored correctly?

    How to Make a Non-Commercial DVD copy of MAC OS X Leopard
    Making a DVD Image

    Step 1. Insert the retail Mac OS X Install DVD into your drive.

    Step 2. Launch Disk Utility (Applications > Utilities).

    Step 3. In Disk Utility, you will notice a white pane on the left hand side. In the pane, select the Mac OS X Install DVD by clicking on it once.

    Step 4. Click New Image on the Disk Utility toolbar.

    Step 5. A dialog box will appear. Give the new image a name. I used 'Mac OS X Install DVD'. Select the destination where you wish to save it. Leave Image Format at Compressed (default) and Encryption at None (default).

    Step 6. Click Save to begin creating the image.

    Step 7. Once your image has been created DO NOT mount it. Leave the image alone and proceed to the next section.

    Burning the Image

    Step 1. Launch Disk Utility (Applications > Utilities).

    Step 2. Click Burn on the Disk Utility toolbar (upper left).

    Step 3. Navigate to where you saved the DVD image created in the previous section. Click on the image file, then click the Burn button. Do not drag and drop the image file into Disk Utility during this step.

    Step 4. Insert a DVD when prompted and proceed to burn it (use good quality media).
    Using these exact steps I was successfully able to create a personal backup copy of Mac OS X Leopard. I hope this helps.

  • Setting Default Dashboard based on Groups/users in OBIEE 10g

    Hi,
    I am having a requirement and facing some issues with setting a default dashboard option to the users who ever access the application. Below is the brief description of entire requirement.
    The main requirement is to integrate OBIEE into a .net and silver light application. We will be having a 3 links in the .net application , which in turn displays the OBIEE reports and dashboards upon clicking the 3 links.
    We are using the concept of Init blocks, session variables and Go URL from an OBIEE standpoint for accomplishing this integration requirement. We have also configured LDAP server in OBIEE.
    The issue we are facing is that, out of the 3 links in the .net application, we have one link/icon called the dashboard icon which should display a bunch of OBIEE dashboard pages in the form of 4 tabs, but currently it is showing the My Dashboard home page. To achieve this today, the way to set the default dashboard page is to go to My Account, change the default dashboard to the desired dashboard, log out and log back in to the application, and then the dashboard pages are displayed upon clicking the dashboard icon. But this is a manual process for each user, as they need to log in to the .net application and change the settings in My Account manually to set the default dashboard to the desired one.
    How should I make sure, whoever is logging into the Application (every user) should be able to see the default dashboard pages without changing the options manually by going to My Account.
    The LDAP server is taking care of the Authentication part of the users as every user record is maintained in Active directory which in turn is part of LDAP server.
    To put the high-level requirement in a single statement: how to make default dashboard pages available to users based on group in OBIEE. Is there any option in OBIEE where we can change or set a default dashboard for a particular group, either at the RPD or UI level?
    Appreciate your help on this.
    Let me know if anyone needs any more information in this regard.
    Thanks,
    Praveen

    You can set 'PORTALPATH'. Have a look at these threads below:
    how to get default dashboards when users logs in
    Re: PORTALPATH for Each Group
    - Bharath

  • How to set up presentation service group based on groups defined in LDAP

    Hello guys
    We have successfully implemented LDAP authentication, and we imported 5 groups from LDAP to the BI server. However, these 5 groups and their members are not displaying on the presentation server under the presentation catalog groups; it still only has two groups, "everyone" and "admin".
    To manually create these 5 groups and members will be too much work, so what can I do to get these 5 groups and members on the presentation service with the proper data level security defined in the admin tool?
    Please advise.
    Thanks

    Have you created an Init Block to populate the GROUP variable? See the following post:
    http://oraclebizint.wordpress.com/2007/10/12/oracle-bi-ee-101332-and-oid-user-and-group-phase-2/

  • Map a network drive by group membership

    Hello,
    I'd like to map network drives by group membership.
    To begin I just tried with this command.
    $TestMembers = Get-ADGroupMember -identity Test
    $TestMembers | foreach-object {New-PSDrive -name T -PSProvider FileSystem -Root \\MyServer\MyShare -persist}
    My network drive is well mapped but for all my domain users.
    Could you please tell me what's wrong in my command?
    I know I could use Group Policy Preferences but I'd like to know the PowerShell command.
    Thanks in advance.
    Seb.

    Hello,
    Thanks for your answer, it will help me.
    Best Regards.
    Seb.
