ISE AD join question

Hello, we have recently purchased ISE and are in the process of initial configuration. We have joined the appliances to our AD. Now in our firewall rules, we see the ISE appliance sending LDAP (389) traffic to all of our DC's. Is there a way to limit what DC's ISE will query, or does it just pull up a list of DC's from the domain that is joined? If I do an NSLOOKUP on just the domain, I see numerous DC's listed, but ISE is sending to DC's that are outside of this list as well. I am not an AD guy, so forgive me if I do not understand how this is populated, but I am very confused on how ISE is getting the IP's of all the DC's. And would really like to restrict if possible, since many of the DC's are behind firewalls that we did not open up for ISE to talk to, so the traffic is just being denied and filling up our syslog with denies.
Also, is there a show command, CLI or GUI, to show what DC's the ISE appliances know about?
We are running 1.1.1.268 code.
Thank you all in advance for your help.                 

Hi,
If you are using sites and services in your DNS environment then ISE should only query the domain controllers that are sent in the DNS response for GC and DC resolution requests. You may need to consult your AD and DNS folks in order to ensure that the ISE is only given the correct domain controllers.
Thanks,
Tarik Admani
*Please rate helpful posts*
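To see which DCs DNS would hand out and which of them the firewall would drop, the following added example (not part of the original thread) parses Windows `nslookup -type=SRV` output and compares it with an allow-list. It assumes the "GC and DC resolution requests" in the reply are the standard AD DC-locator SRV lookups; the domain `corp.example`, the site `HQ`, the host names and the addresses are constructed.

```python
import re

def locator_srv_names(domain, site=None, forest=None):
    """SRV owner names the AD DC locator queries for DCs and GCs."""
    forest = forest or domain
    names = {"dc": f"_ldap._tcp.dc._msdcs.{domain}",
             "gc": f"_ldap._tcp.gc._msdcs.{forest}"}
    if site:  # site-scoped names only return DCs that cover that AD site
        names["dc_site"] = f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}"
        names["gc_site"] = f"_ldap._tcp.{site}._sites.gc._msdcs.{forest}"
    return names

_OWNER = re.compile(r"^(\S+)\s+SRV service location:", re.I)
_FIELD = re.compile(r"^\s+(priority|weight|port|svr hostname)\s*=\s*(\S+)", re.I)
_A_REC = re.compile(r"^(\S+)\s+internet address\s*=\s*(\S+)", re.I)

def parse_nslookup_srv(text):
    """Return (srv_records, host->ip map) from `nslookup -type=SRV <name>` output."""
    records, addresses, current = [], {}, None
    for line in text.splitlines():
        m = _OWNER.match(line)
        if m:                                   # start of one SRV record
            current = {"owner": m.group(1).lower()}
            records.append(current)
            continue
        m = _FIELD.match(line)
        if m and current is not None:           # indented field of that record
            key, val = m.group(1).lower(), m.group(2)
            if key == "svr hostname":
                current["target"] = val.rstrip(".").lower()
            else:
                current[key] = int(val)
            continue
        m = _A_REC.match(line)
        if m:                                   # additional-section A record
            addresses[m.group(1).rstrip(".").lower()] = m.group(2)
            current = None
    return records, addresses

def firewall_gaps(srv_text, allowed_ips):
    """Split the advertised DCs by whether the firewall lets ISE reach them."""
    records, addresses = parse_nslookup_srv(srv_text)
    result = {"permitted": [], "denied": [], "unresolved": []}
    seen = set()
    ordered = sorted(records,
                     key=lambda r: (r.get("priority", 0), r.get("target", "")))
    for rec in ordered:
        host = rec.get("target")
        if not host or host in seen:
            continue
        seen.add(host)
        ip = addresses.get(host)
        if ip is None:
            result["unresolved"].append(host)
        elif ip in allowed_ips:
            result["permitted"].append((host, ip))
        else:
            result["denied"].append((host, ip))
    return result

def _constructed_answer(owner, dcs):
    """Constructed sample text in the layout Windows nslookup prints."""
    srv = "".join(
        f"{owner}\tSRV service location:\n"
        f"\t  priority       = 0\n\t  weight         = 100\n"
        f"\t  port           = 389\n\t  svr hostname   = {host}\n"
        for host, _ in dcs)
    return srv + "".join(f"{host}\tinternet address = {ip}\n" for host, ip in dcs)

NAMES = locator_srv_names("corp.example", site="HQ")
# Constructed answers: the domain-wide name lists every DC, the site name two.
DOMAIN_WIDE = _constructed_answer(NAMES["dc"], [
    ("dc01.corp.example", "10.10.0.11"), ("dc02.corp.example", "10.10.0.12"),
    ("dc03.corp.example", "10.20.0.11"), ("dc04.corp.example", "10.30.0.11")])
SITE_SCOPED = _constructed_answer(NAMES["dc_site"], [
    ("dc01.corp.example", "10.10.0.11"), ("dc02.corp.example", "10.10.0.12")])
ALLOWED = {"10.10.0.11", "10.10.0.12"}   # DCs the firewall permits for ISE

if __name__ == "__main__":
    for label, text in (("domain-wide", DOMAIN_WIDE), ("site-scoped", SITE_SCOPED)):
        print(label, "denied:", firewall_gaps(text, ALLOWED)["denied"])
```

Any host that shows up under `denied` for the name the appliance actually resolves is a DC that will keep generating firewall denies until DNS stops advertising it to that client or the rule is opened.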

Similar Messages

  • CBO (optimizer) nest-loop join question

    OS: Red Hat Linux
    DB: 11gR1
    I have gotten two conflicting answers while reading books by Don Burleson and Dan Hotka. It has to do with the CBO and nested-joins:
    One says the CBO will choose the 'smaller' table as the driving table, the other states that the 'larger' table will be the driving table. And both stick by this philosophy as the preferred goal of any SQL Tuning -- that is, one states that the 'smaller' table should be the driving table. The other says the 'larger' table should be the driving table.
    I had always thought that the 'smaller' table should be the driving table. That in a nested loop the driving will not likely use an index even. Who is correct? (I am not going to say who said what, btw). :-)
    But I got to let one of them know they got a 'typo' ... :-)
    Thx.

    user601798 wrote:
    It is an over-simplistic scenario but, as I mentioned, if all other things are 'equal' -- which would include 'access time/work', then I think the small table as the driving table has the advantage.
    It is not possible for "*all* other things to be equal". (my emphasis).
    If by 'access time/work' you mean the total is the same then it doesn't matter which table is first, the time/work is the same either way round.
    If you want to say that the 'access time/work' for acquiring the first rowsource is the same for both paths, and the 'access time/work' for acquiring related rows from the second table is the same FOR EACH DRIVING ROW, then the total 'access time/work' will be different, and it would be better to start with the smaller table. (The example by Salman Qureshi above: Re: CBO (optimizer) nest-loop join question would apply.)
    On the other hand, and ignoring any idea of "all other things being equal", smaller tables tend to have smaller indexes, so if your smaller rowsource comes from a smaller table then acquiring those rows may be cheaper than acquiring rows from a larger table - which leads to the observation that (even with perfectly precise indexing):
        smaller number of rows * larger unit cost to find related rows
    may produce a larger value than
        larger number of rows * smaller unit cost to find related rows
    Regards
    Jonathan Lewis
    http://jonathanlewis.wordpress.com
    http://www.jlcomp.demon.co.uk

  • About ISE 802.1X question!

    Today my colleagues and I were deploying ISE and ran into the following question.
    Sometimes user authentication and authorization succeed under the same interface, and sometimes user authentication and authorization are not successful. If we restart ISE, it is normal again.
    Why is that?
    Two ISE nodes, distributed deployment.
    I tested redundancy. I shut down the main equipment, and got the following error:
    LOG:==============================================
    The normal time:
    6509-vss#show authentication sessions interface g1/9/36
                Interface:  GigabitEthernet1/9/36
              MAC Address:  0021.cc68.a63e
               IP Address:  172.30.60.11
                User-Name:  daiyue
                   Status:  Authz Success
                   Domain:  DATA
           Oper host mode:  multi-auth
         Oper control dir:  both
            Authorized By:  Authentication Server
              Vlan Policy:  N/A
                  ACS ACL:  xACSACLx-IP-PERMIT_ALL_TRAFFIC-51ef7db1
          Session timeout:  N/A
             Idle timeout:  N/A
        Common Session ID:  AC1E3C02000000410155DA40
          Acct Session ID:  0x0000006C
                   Handle:  0x73000041
    Runnable methods list:
           Method   State
           mab      Failed over
           dot1x    Authc Success
                Interface:  GigabitEthernet1/9/36
              MAC Address:  0026.2df8.a25f
               IP Address:  172.30.60.10
                User-Name:  daiyue
                   Status:  Authz Success
                   Domain:  DATA
           Oper host mode:  multi-auth
         Oper control dir:  both
            Authorized By:  Authentication Server
              Vlan Policy:  N/A
                  ACS ACL:  xACSACLx-IP-PERMIT_ALL_TRAFFIC-51ef7db1
          Session timeout:  N/A
             Idle timeout:  N/A
        Common Session ID:  AC1E3C02000000400154E52C
          Acct Session ID:  0x0000006D
                   Handle:  0x91000040
    Runnable methods list:
           Method   State
           mab      Failed over
           dot1x    Authc Success
    When there is a problem:
    6509-vss#
    Feb 27 2014 17:43:11: %DOT1X-5-FAIL: Authentication failed for client (0021.cc68.a63e) on Interface Gi1/9/36
    Feb 27 2014 17:43:11: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (0021.cc68.a63e) on Interface Gi1/9/36
    Feb 27 2014 17:43:11: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (0021.cc68.a63e) on Interface Gi1/9/36
    Feb 27 2014 17:43:11: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (0021.cc68.a63e) on Interface Gi1/9/36
    Feb 27 2014 17:43:11: %AUTHMGR-5-FAIL: Authorization failed for client (0021.cc68.a63e) on Interface Gi1/9/36
    Feb 27 2014 17:47:52: %AUTHMGR-7-FAILOVER: Failing over from 'mab' for client (0026.2df8.a25f) on Interface Gi1/9/36
    Feb 27 2014 17:47:52: %AUTHMGR-5-START: Starting 'dot1x' for client (0026.2df8.a25f) on Interface Gi1/9/36
    Feb 27 2014 17:48:02: %DOT1X-5-FAIL: Authentication failed for client (0021.cc68.a63e) on Interface Gi1/9/36
    Feb 27 2014 17:48:02: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (0021.cc68.a63e) on Interface Gi1/9/36
    Feb 27 2014 17:48:02: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (0021.cc68.a63e) on Interface Gi1/9/36
    Feb 27 2014 17:48:02: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (0021.cc68.a63e) on Interface Gi1/9/36
    Feb 27 2014 17:48:02: %AUTHMGR-5-FAIL: Authorization failed for client (0021.cc68.a63e) on Interface Gi1/9/36
    Feb 27 2014 17:48:20: %RADIUS-4-RADIUS_DEAD: RADIUS server 172.30.60.54:1812,1813 is not responding.
    Feb 27 2014 17:48:20: %RADIUS-4-RADIUS_ALIVE: RADIUS server 172.30.60.54:1812,1813 has returned.
    Feb 27 2014 17:48:25: %RADIUS-4-RADIUS_DEAD: RADIUS server 172.30.60.54:1812,1813 is not responding.
    Feb 27 2014 17:48:25: %RADIUS-4-RADIUS_ALIVE: RADIUS server 172.30.60.54:1812,1813 has returned.
    Feb 27 2014 17:48:29: %DOT1X-5-SUCCESS: Authentication successful for client (0026.2df8.a25f) on Interface Gi1/9/36
    Feb 27 2014 17:48:29: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (0026.2df8.a25f) on Interface Gi1/9/36
    Feb 27 2014 17:48:29: %EPM-6-POLICY_REQ: IP 0.0.0.0| MAC 0026.2df8.a25f| AuditSessionID AC1E3C020000004D01CCB640| AUTHTYPE DOT1X| EVENT APPLY
    Feb 27 2014 17:48:29: %EPM-6-IPEVENT: IP 0.0.0.0| MAC 0026.2df8.a25f| AuditSessionID AC1E3C020000004D01CCB640| AUTHTYPE DOT1X| EVENT IP-WAIT
    Feb 27 2014 17:48:30: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0026.2df8.a25f) on Interface Gi1/9/36
    Feb 27 2014 17:48:34: %RADIUS-4-RADIUS_DEAD: RADIUS server 172.30.60.54:1812,1813 is not responding.
    Feb 27 2014 17:48:34: %RADIUS-4-RADIUS_ALIVE: RADIUS server 172.30.60.54:1812,1813 has returned.
    6509-vss(config-if)#
    6509-vss(config-if)#
    Feb 27 2014 17:48:49: %RADIUS-4-RADIUS_DEAD: RADIUS server 172.30.60.54:1812,1813 is not responding.
    Feb 27 2014 17:48:49: %RADIUS-4-RADIUS_ALIVE: RADIUS server 172.30.60.54:1812,1813 has returned.
    Feb 27 2014 17:49:02: %AUTHMGR-5-START: Starting 'mab' for client (0021.cc68.a63e) on Interface Gi1/9/36
    Feb 27 2014 17:49:13: %RADIUS-4-RADIUS_DEAD: RADIUS server 172.30.60.54:1812,1813 is not responding.
    Feb 27 2014 17:49:13: %RADIUS-4-RADIUS_ALIVE: RADIUS server 172.30.60.54:1812,1813 has returned.
    Feb 27 2014 17:49:18: %RADIUS-4-RADIUS_DEAD: RADIUS server 172.30.60.54:1812,1813 is not responding.
    Feb 27 2014 17:49:18: %RADIUS-4-RADIUS_ALIVE: RADIUS server 172.30.60.54:1812,1813 has returned.
    Feb 27 2014 17:49:21: %MAB-5-FAIL: Authentication failed for client (0021.cc68.a63e) on Interface Gi1/9/36
    Feb 27 2014 17:49:21: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'mab' for client (0021.cc68.a63e) on Interface Gi1/9/36
    Feb 27 2014 17:49:21: %AUTHMGR-7-FAILOVER: Failing over from 'mab' for client (0021.cc68.a63e) on Interface Gi1/9/36
    Feb 27 2014 17:49:21: %AUTHMGR-5-START: Starting 'dot1x' for client (0021.cc68.a63e) on Interface Gi1/9/36
    Feb 27 2014 17:49:23: %RADIUS-4-RADIUS_DEAD: RADIUS server 172.30.60.54:1812,1813 is not responding.
    Feb 27 2014 17:49:23: %RADIUS-4-RADIUS_ALIVE: RADIUS server 172.30.60.54:1812,1813 has returned.
    6509-vss(config-if)#end
    6509-vss#show
    Feb 27 2014 17:49:27: %RADIUS-4-RADIUS_DEAD: RADIUS server 172.30.60.54:1812,1813 is not responding.
    Feb 27 2014 17:49:27: %RADIUS-4-RADIUS_ALIVE: RADIUS server 172.30.60.54:1812,1813 has returned.authen
    6509-vss#show authentication
    Feb 27 2014 17:49:28: %SYS-5-CONFIG_I: Configured from console by consolese
    6509-vss#show authentication sessions int
    6509-vss#show authentication sessions interface g1/9/36
                Interface:  GigabitEthernet1/9/36
              MAC Address:  0021.cc68.a63e
               IP Address:  Unknown
                User-Name:  0021cc68a63e
                   Status:  Running
                   Domain:  DATA
           Oper host mode:  multi-auth
         Oper control dir:  both
          Session timeout:  N/A
             Idle timeout:  N/A
        Common Session ID:  AC1E3C020000004E01CCCA18
          Acct Session ID:  0x00000086
                   Handle:  0x7300004E
    Runnable methods list:
           Method   State
           mab      Failed over
           dot1x    Running
                Interface:  GigabitEthernet1/9/36
              MAC Address:  0026.2df8.a25f
               IP Address:  Unknown
                User-Name:  shenshu
                   Status:  Authz Success
                   Domain:  DATA
           Oper host mode:  multi-auth
         Oper control dir:  both
            Authorized By:  Authentication Server
              Vlan Policy:  N/A
          Session timeout:  N/A
             Idle timeout:  N/A
        Common Session ID:  AC1E3C020000004D01CCB640
          Acct Session ID:  0x00000089
                   Handle:  0xB400004D
    Runnable methods list:
           Method   State
           mab      Not run
           dot1x    Authc Success
    LOG:============================================

    Please consider the order of authentication method fail from here
    http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/identity-based-networking-service/application_note_c27-573287.html#wp9000028
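The switch log posted in the question, run through an added triage script (not part of the original thread): it counts RADIUS_DEAD/RADIUS_ALIVE pairs logged in the same second per server and lists the clients whose methods ended in 'no-response'. The sample lines are excerpted from the log above; the function and field names are this example's own.

```python
import re
from collections import defaultdict

# "Feb 27 2014 17:48:20: %RADIUS-4-RADIUS_DEAD: <message>"
LINE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d{4} \d\d:\d\d:\d\d): "
    r"%(?P<fac>[A-Z0-9]+)-(?P<sev>\d)-(?P<mn>[A-Z_]+): (?P<msg>.*)$")
SERVER = re.compile(r"RADIUS server ([\d.]+):")
RESULT = re.compile(
    r"Authentication result '([^']+)' from '([^']+)' for client \(([0-9a-f.]+)\)")
CLIENT = re.compile(r"for client \(([0-9a-f.]+)\)")

def triage(log_text):
    """Summarise RADIUS server flaps and per-client auth results."""
    dead_at = {}                      # server -> timestamp of pending DEAD
    flaps = defaultdict(list)         # server -> timestamps of same-second flaps
    no_response = defaultdict(list)   # client MAC -> methods that timed out
    outcome = {}                      # client MAC -> last AUTHMGR-5 verdict
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue                  # CLI prompts and typed commands are mixed in
        ts, fac, mn, msg = m["ts"], m["fac"], m["mn"], m["msg"]
        if fac == "RADIUS":
            srv = SERVER.search(msg)
            if not srv:
                continue
            if mn == "RADIUS_DEAD":
                dead_at[srv[1]] = ts
            elif mn == "RADIUS_ALIVE" and dead_at.pop(srv[1], None) == ts:
                flaps[srv[1]].append(ts)      # marked dead and alive at once
        elif fac == "AUTHMGR":
            if mn == "RESULT":
                r = RESULT.search(msg)
                if r and r[1] == "no-response":
                    no_response[r[3]].append(r[2])
            elif mn in ("SUCCESS", "FAIL"):
                c = CLIENT.search(msg)
                if c:
                    outcome[c[1]] = mn
    return {"flaps": dict(flaps),
            "no_response": dict(no_response),
            "outcome": outcome}

# Lines excerpted from the switch log posted in the question above.
SAMPLE = """\
Feb 27 2014 17:48:02: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (0021.cc68.a63e) on Interface Gi1/9/36
Feb 27 2014 17:48:02: %AUTHMGR-5-FAIL: Authorization failed for client (0021.cc68.a63e) on Interface Gi1/9/36
Feb 27 2014 17:48:20: %RADIUS-4-RADIUS_DEAD: RADIUS server 172.30.60.54:1812,1813 is not responding.
Feb 27 2014 17:48:20: %RADIUS-4-RADIUS_ALIVE: RADIUS server 172.30.60.54:1812,1813 has returned.
Feb 27 2014 17:48:25: %RADIUS-4-RADIUS_DEAD: RADIUS server 172.30.60.54:1812,1813 is not responding.
Feb 27 2014 17:48:25: %RADIUS-4-RADIUS_ALIVE: RADIUS server 172.30.60.54:1812,1813 has returned.
Feb 27 2014 17:48:29: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (0026.2df8.a25f) on Interface Gi1/9/36
Feb 27 2014 17:48:30: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0026.2df8.a25f) on Interface Gi1/9/36
6509-vss(config-if)#
Feb 27 2014 17:49:21: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'mab' for client (0021.cc68.a63e) on Interface Gi1/9/36
Feb 27 2014 17:49:23: %RADIUS-4-RADIUS_DEAD: RADIUS server 172.30.60.54:1812,1813 is not responding.
Feb 27 2014 17:49:23: %RADIUS-4-RADIUS_ALIVE: RADIUS server 172.30.60.54:1812,1813 has returned.
"""

if __name__ == "__main__":
    report = triage(SAMPLE)
    for server, stamps in report["flaps"].items():
        print(f"{server}: {len(stamps)} dead/alive flaps at {stamps}")
    for mac, methods in report["no_response"].items():
        print(f"{mac}: no-response from {methods}, last verdict "
              f"{report['outcome'].get(mac, 'none')}")
```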

  • ISE Sponsor Portal Questions!!!

    Hi Team,
    Few questions!!
    Can we integrate ISE with Safenet(Token) for VPN access using Inline Posture?
    2. When we create user account in Sponsor portal in ISE. By Default Where does the user gets created, In internal database of ISE  or in Active Directory?
    3. Advantages of Sponsor portal over NAC guest server?
    Cheers!!
    Minakshi

    Can we integrate ISE with Safenet(Token) for VPN access using Inline Posture?
    Yes you can
    2. When we create user account in Sponsor portal in ISE. By Default Where does the user gets created, In internal database of ISE  or in Active Directory?
    They are updated into Local ISE database
    3. Advantages of Sponsor portal over NAC guest server?
    Sponsor portal allows a person ( can be anyone assigned by Admin ) to manage Guest account.
    Refer http://www.cisco.com/c/en/us/td/docs/security/ise/1-0/sponsor_guide/ise10_sponsor_book/ise10_sponsor.html

  • ISE policy creation question - best practices

    Ok, I am a rookie ISE user here and am trying to learn as I go. I have a 802.1x policy for our corporate users on both wired and wireless and a wireless guest policy that redirects to the guest portal to enter credentials created in the sponsor portal. The corporate user has access to corporate resources and the guest basically has access to just the internet.
    I need to make what I am calling a Vendor policy that is basically a hybrid of the corporate user and the guest user. These would be vendors that are on-site to assist with programming and need access longer than what the guest account can be created for. This would also have specific ACLs that grant them access to the specific resources they would need. I would like to tie this into AD authentication since they have an AD account created to be able to access those corporate resources in most cases. My first question is do I have a single policy that is tweaked as vendors come and go or do I simply create a specific policy for each vendor? My second question is do I or should I create unique SSIDs for each vendor?
    As I said I am just now getting into getting ISE configured. I am just not sure of what is considered a best practice or what is considered a secure way to make things happen. In regards to the policies I have created, they work but I think I have a couple holes to address.
    Thanks ...
    Brent

    Mostly makes sense. I have the AD part just need to get an AD group created for my test subject.
    I created an Endpoint Identity Group to place the vendors devices into so that we can allow laptop to connect but not phone. Got that.
    I think I can handle the Authorization Profile. It will be something like if VendorAsset and AD1:ExternalGroups Equals VendorADGroup then VendorPermissions. VendorPermissions would be the ACL that limits where they can go. I also need to create a non 802.1x based SSID as well and add this to the Authorization profile but can still be generic enough to be useable by all vendors.
    I think it is my Authentication rules that I need to modify for Vendor as my Corporate based policies use Dot1x and I need a policy that does not use dot1x. Right?

  • R/3 Infoset join question

    I'm not a big SQ02 user, but was hoping someone who has used it more could answer a question posed by one of our analysts.  They would like to create an Infoset for some reporting needs where there is a join between VBAK and VEDA.  No problem with this since it makes the connection based on the sales document field.  However, they only want to bring in rows from VEDA where the item is 000000, not all the individual line items.  Is there a way to accomplish this in the join definition (I couldn't see any way to restrict that there)?  Or would you have to build in the VEDA item field as a parameter where it can be input as all zeroes?
    Any input would be appreciated.  Thanks... Jody

    after creating the joins in infoset in sq02, goto sq01, create an infoset query, select your infotype from your usergroup.
    here, below output button you have a drop down button as 'field group' and 'field catalog', from here make the line number as selection criteria(drag and drop in the right part of screen).
    you will have this item in selection screen. pass 000000 here and execute...
    i hope task done. any doubt?

  • ISE problem "Joined to domain but disconnected"

    Hi all experts.
    I recently have experienced this issue.
    I have been using ISE1.1.2.145 and joined to AD since the ISE was released, but never seen this error before.
    I did not touch any configuration and I was trying to test CWA with multiple WLCs.
    I finished all configuration about CWA, and I was verifying if it is working.
    while I was trying to login as user on AD, I could not. so I looked up on External Identity Source and it appears.
    does anyone know why it is giving me that error ?
    the ISE and AD both see the same NTP and time difference between them is only 1 minute, timezone is same.
    even though they are looking at the same NTP, it's outside of private network and it is isolated.
    also, I am able to ping each other. DNS is working. I don't see why it is not working......
    can anyone help me with this problem ?

    I had this issue as well but my NTP settings were correct and the time was not slipped at all.
    I logged into the cli and ran this: #sh logging application ad_agent.log tail
    which led me to this error:
    2013-11-15T07:55:57.177566-06:00 host-psn1 adclient[10469]: INFO  base.bind.healing Lost connection to DVN.COM(GC). Running in disconnected mode: KDC refused skey: Preauthentication failed
    2013-11-15T07:55:57.282448-06:00 host-psn1 adclient[10469]: ERROR base.adagent Can't use default machine password. Please reset computer account in Active Directory.
    Go into Active Directory Users and Computers and right click on the computer account object and click reset account.
    Which resulted in these log entries:
    2013-11-15T07:57:57.473370-06:00 host-psn1 adclient[10469]: INFO  samba.interop Attempting interoperability with untested Samba version .
    2013-11-15T07:57:58.266485-06:00 host-psn1 adclient[10469]: INFO  base.bind.healing Reconnected to odcmsadrw002p.dvn.com(GC).  Running in connected mode.
    2013-11-15T07:58:25.006230-06:00 host-psn1 adclient[10469]: INFO  daemon.main Start trusted domain discovery
    2013-11-15T07:58:25.058151-06:00 host-psn1 adclient[10469]: INFO  daemon.main Trusted domain discovery complete : 4 domains found
    2013-11-15T07:58:25.058189-06:00 host-psn1 adclient[10469]: INFO  daemon.main Have new domain info map: flushing all negative objects
    2013-11-15T07:58:25.100676-06:00 host-psn1 adclient[10469]: INFO  base.kerberos.krb5conf Wrote /etc/krb5.conf
    That fixed me up. Hope this helps someone else out there.

  • Joining question

    Wondering if someone could guide me in the direction I need
    to pull some results. I have a dynamic select box that I only want
    to pull teams from if they are not involved in a challenge.
    Question is, I'm not quite sure how to go about pulling this out.
    I have a table name "team". Fields: id, captain, teamname
    And a table holding the challenges called "teamchallenges"
    Fields: id, team1, team2, team3, team1active, team2active,
    team3active
    What I want to do is display in this dropdown the id, captain
    and teamname from "team" ONLY if they are not listed anywhere in
    the "teamchallenges" table as being active.
    The variable "team1" holds the id from the table "team" and
    then the variable "team1active" is a yes or no. Same goes for the
    variables 1 - 3.
    I am stumped on what kind of coding I need to do this. I
    think I need some type of inner join.

    Something like this should work for you (I have not verified
    the syntax)
    SELECT * FROM team
    WHERE 1=1
    AND NOT ID IN (SELECT team1 FROM teamchallenges WHERE team1active = true)
    AND NOT ID IN (SELECT team2 FROM teamchallenges WHERE team2active = true)
    AND NOT ID IN (SELECT team3 FROM teamchallenges WHERE team3active = true)
    cheers,
    fober

  • JOIN question... Join two tables without omiting rows

    I ran into a problem that should have an easy solution (I hope), but I'm having a hard time coming up with a solution.
    Basically, I have two tables, one with actual amounts and one with the budget. I am to write a sql select statement that joins these tables together and includes all of their rows. I've been able to join the tables together using JOIN, LEFT JOIN, and RIGHT JOIN, but it always omits rows that I need.
    Below, I have examples of my tables (AMOUNT_TABLE and BUDGET_TABLE). For simplicity's sake, I've built the examples to show the same values in the first four columns, with the 5th and 6th columns (SUB_ACCOUNT, AMOUNT, BUDGET) as the only values that are different. My actual tables aren't quite as simple, but I didn't think it was relevant for this question.
    AMOUNT_TABLE
    FISCAL_YEAR  PERIOD  ACCT_UNIT  ACCOUNT  SUB_ACCOUNT  AMOUNT
    2013         1       11111      555555   0000         100
    2013         1       11111      555555   1000         100
    2013         1       11111      555555   2000         100
    2013         1       11111      555555   3000         100
    2013         1       11111      555555   4000         100
    BUDGET_TABLE
    FISCAL_YEAR  PERIOD  ACCT_UNIT  ACCOUNT  SUB_ACCOUNT  BUDGET
    2013         1       11111      555555   3000         200
    2013         1       11111      555555   4000         200
    2013         1       11111      555555   5000         200
    2013         1       11111      555555   6000         200
    Here is the output I'm hoping for. Notice that SUB_ACCOUNTs 0000, 1000, and 2000 show amounts with no budget since there isn't a matching row in the BUDGET_TABLE. And likewise, for SUB_ACCOUNTs 5000 and 6000, they show budgets with no amounts since there isn't a matching row in the AMOUNT_TABLE.
    (output)
    FISCAL_YEAR  PERIOD  ACCT_UNIT  ACCOUNT  SUB_ACCOUNT  AMOUNT  BUDGET
    2013         1       11111      555555   0000         100     0
    2013         1       11111      555555   1000         100     0
    2013         1       11111      555555   2000         100     0
    2013         1       11111      555555   3000         100     200
    2013         1       11111      555555   4000         100     200
    2013         1       11111      555555   5000         0       200
    2013         1       11111      555555   6000         0       200
    Hopefully, my question is clear. Any help on this would be greatly appreciated. Thanks in advance.

    Use ANSI join syntax - FULL OUTER JOIN:
    with amount_table as (
                          select 2013 fiscal_year,1 period,11111 acct_unit,555555 account,0000 sub_account,100 amount from dual union all
                          select 2013,1,11111,555555,1000,100 from dual union all
                          select 2013,1,11111,555555,2000,100 from dual union all
                          select 2013,1,11111,555555,3000,100 from dual union all
                          select 2013,1,11111,555555,4000,100 from dual
                         ),
         budget_table as (
                          select 2013 fiscal_year,1 period,11111 acct_unit,555555 account,3000 sub_account,200 budget from dual union all
                          select 2013,1,11111,555555,4000,200 from dual union all
                          select 2013,1,11111,555555,5000,200 from dual union all
                          select 2013,1,11111,555555,6000,200 from dual
                         )
    -- full join keeps unmatched rows from both tables; nvl fills the missing side
    select  nvl(a.fiscal_year,b.fiscal_year) fiscal_year,
            nvl(a.period,b.period) period,
            nvl(a.acct_unit,b.acct_unit) acct_unit,
            nvl(a.account,b.account) account,
            nvl(a.sub_account,b.sub_account) sub_account,
            nvl(a.amount,0) amount,
            nvl(b.budget,0) budget
      from      amount_table a
            full join
                budget_table b
              on (
                      a.fiscal_year = b.fiscal_year
                  and
                      a.period = b.period
                  and
                      a.acct_unit = b.acct_unit
                  and
                      a.account = b.account
                  and
                      a.sub_account = b.sub_account
                 )
    /
    FISCAL_YEAR     PERIOD  ACCT_UNIT    ACCOUNT SUB_ACCOUNT     AMOUNT     BUDGET
           2013          1      11111     555555           0        100          0
           2013          1      11111     555555        1000        100          0
           2013          1      11111     555555        2000        100          0
           2013          1      11111     555555        3000        100        200
           2013          1      11111     555555        4000        100        200
           2013          1      11111     555555        6000          0        200
           2013          1      11111     555555        5000          0        200
    7 rows selected.
    SQL>
    SY.

  • Complex query/join question

    Not sure if this goes here, but I thought I'd try anyway.
    I'm using Oracle 8i for a legacy app and the RDBMS won't be updated anytime soon. I'm trying to write a fairly complex sum and join query. I have two different tables with hours worked type information. I need to be able to sum the hours for a work day on each table and put, in a web table like a GridView, all rows, even if there isn't a match in the opposite table. So, for example
    Table 1
    ID SHOP WORKDATE SHOPHOURS
    1 AM1 1/1/2008 4
    1 AM1 1/1/2008 4
    2 AM1 1/1/2008 8
    3 AM1 1/1/2008 8
    Table 2
    ID WORKDATE PAYHOURS
    2 1/1/2008 7
    3 1/1/2008 8
    4 1/1/2008 9
    What I need to see is
    ID SHOP WORKDATE SHOPHOURS PAYHOURS
    1 AM1 1/1/2008 8 0
    2 AM1 1/1/2008 8 7
    3 AM1 1/1/2008 8 8
    4 1/1/2008 8 9
    Since i'm on 8i, I can't use a FULL OUTER Join, so i'm kind of stumped. Any suggestions would be greatly appreciated.

    You might want to post this question to the SQL Forum (http://forums.oracle.com/forums/forum.jspa?forumID=75) instead for a better result, but I can give you a solution. This is definitely not the best solution, but it works.
    select nvl(table1.id,table2.id) id, shop,
      nvl(table1.workdate,table2.workdate) workdate,
      sum(nvl(shophours,0)) shophours, sum(nvl(payhours,0)) payhours
    from table1, table2 where table1.id(+) = table2.id
    group by nvl(table1.id,table2.id), shop,
          nvl(table1.workdate,table2.workdate)
    union
    select nvl(table1.id,table2.id) id, shop,
      nvl(table1.workdate,table2.workdate) workdate,
      sum(nvl(shophours,0)) shophours, sum(nvl(payhours,0)) payhours
    from table1, table2 where table1.id = table2.id(+)
    group by nvl(table1.id,table2.id), shop,
          nvl(table1.workdate,table2.workdate)
    Cheers,
    Nur Hidayat (http://nur-hidayat.net)

  • Inner Join question

    I have an assignment for an SQL query asking to list all products where the designer of the product lives in the same region as the supplier of the product. However, I have no clue how to solve it. Please assist.
    Below are 4 tables I created:
    CREATE Table REGION
    (
    RegCode          Varchar2 (8),
    RegName          Varchar2 (40),
    ShipDays          Number (2),
    PRIMARY KEY     (RegCode)
    );
    CREATE Table SUPPLIER
    (
    SuppCode          Number (3),
    SuppName          Varchar2 (50),
    Rating          Varchar2 (1),
    RegCode          Varchar2 (8),
    PRIMARY KEY      (SuppCode),
    FOREIGN KEY     (RegCode) REFERENCES REGION
    );
    CREATE table DESIGNER
    (
    FirstName          Varchar2 (30),
    Surname          Varchar2 (30),
    Email          Varchar2 (45),
    Gender          Varchar2 (1),
    RegCode          Varchar2 (8),
    PRIMARY KEY     (FirstName, Surname),
    FOREIGN KEY     (RegCode) REFERENCES REGION
    );
    CREATE table      PRODUCT
    (
    ProdCode          Varchar2 (3),
    ProdName          Varchar2 (35),
    SellingPrice     Varchar2 (4),
    CostPrice          Varchar2 (4),
    FirstName          Varchar2 (30),
    Surname          Varchar2 (30),
    SuppCode          Number (3),
    PRIMARY KEY     (ProdCode),
    FOREIGN KEY      (FirstName,Surname) REFERENCES DESIGNER,
    FOREIGN KEY      (SuppCode)     REFERENCES SUPPLIER
    );
    Thanks a ton,
    Mandy

    You won't need the region table at all, because the region code in supplier and designer will be enough for you to know that they are the same.
    Do you know how to join tables at all?
    Write your query by starting with products. Then join it to supplies using the value that is the primary key in supplier and a foreign key in products. Then, join to designer in the same manner. The only tricky thing about the second join is that you'll need two fields to complete the join. After that, you'll be ready to find records where the region code is the same.
    Good luck! I hope this is enough to get you started...

  • SQL query -- self-join question?

    SQL> l
    1* select originator,destination,oaddress,daddress from (select * from activity where rownum<=3)
    SQL> /
    10099 10004 16196344392 16199375530
    10064 10002 18454644069 18456563415
    10065 10006 18302650166 16416609306
    Looking at the above query, I am just performing a simple select from one of my tables. Now I require the carriername for both originator and destination columns, and the names for these are found on another table, carrier.
    So, I rewrote the above query as: (join with carrier table)
    SQL>
    SQL> select originator,destination,oaddress,daddress,carriername from (select * from activity,carrier where originator=carrier_code and rownum<=3);
    10006 10099 19182772772 19189553062 USA1
    10004 10311 15096701636 15096692171 USA2
    10000 10003 15125898141 15122930569 USA3
    Now, I got the carrier name for my originator; how would I find the carriername for my destination also (in the same query)? One way of doing it is joining the carrier table twice, but is there any other better approach?
    Hope i am clear, any help will be greatly appreciated. Thanks.

    -- join carrier twice: alias B names the originator, alias C the destination
    select
             A.originator, A.destination, A.oaddress, A.daddress
           , B.carriername name_originator
           , C.carriername name_destination
       from
             activity  A
            ,carrier  B
            ,carrier  C
      where
             A.originator  = B.carrier_code
         and A.destination = C.carrier_code

  • ISE authorization policy question

    I'm in the process of finishing up my authorization policy and was hoping to get some input on how to deal with freshly imaged machines.  The current authorization policy relies on Active Directory (peap-tls) and CCM (eap-tls).  Since the newly imaged machines will not be part of the domain yet they'll fail and will either be completely denied access or they'll be dropped into a null vlan. 
    Would it be viable to create a policy that says if your name starts with the first 5 characters of our naming convention then you can be dumped onto the internal data VLAN and couple that with a DACL permitting access to ports necessary to join the domain? 
    I'm not sure what type of security implications this would have?
    If this is not a suitable route what would be a best practice approach?                  

    You can do the latter one: if they fail authentication, they are granted a separate VLAN with some defined access.

  • ISE Authorization Profile Question

    Hi,
    We are implementing ISE at a university and using dynamic VLAN allocation to segment the traffic into vlans of a manageable size - we do not want to use geographically based vlans for a number of reasons. However there is one scenario which I am struggling with.
    A number of students will be living in university-owned houses which are not directly connected to the university network. In these houses an ISP will provide an ADSL circuit. These ADSL circuits will be aggregated back at the university data centre and will connect down one piece of wire to the university network. I haven't completed my testing yet, but the general theory is that we can use multi-auth to allow them on to the network and apply appropriate access restrictions (these restrictions will differ from those applied when they connect "on campus"). However, in order to do this, I will need to create an authorization policy based on where they are coming from (i.e. what switch and what port). I can see how I can use Identity Groups to identify which switch the traffic is coming from, but for the life of me I have no idea how I would identify the port.
    Anyone have any ideas how I might achieve my goal?
    Thanks
    Alan              

    Hi
    Cisco ISE allows for a wide range of variables within authorization policies to ensure that only authorized users can access the appropriate resources when they access the network. The initial release of Cisco ISE supports only RADIUS-governed access to the internal network and its resources. The authorization policy result is Cisco ISE assigning an authorization profile that might also involve a downloadable ACL specifying traffic management on the network policy enforcement device. The downloadable ACL specifies the RADIUS attributes that are returned during authentication and that define the user access privileges granted once authenticated by Cisco ISE.
    An authorization profile acts as a container where a number of specific permissions allow access to a set of network services. The authorization profile is where you define a set of permissions to be granted for a network access request and can include:
    • A profile name
    • A profile description
    • An associated DACL
    • An associated VLAN
    • An associated SGACL
    • Any number of other dictionary-based attributes

  • ISE VM install question related to Disk Space on VMDK

    Hi all, and thanks in advance for any help/advice you can offer.
    We recently licensed for 10 ISE VM instances in our environment. We are trying to install the 3945 OVA file and it is forcing us to allocate 600GB for the appliance in the VMDK. Per the install guide, however, the PSN only requires 200GB of disk space. This install will be for a PSN persona eventually, once it's built and added to a deployment. So do we have to burn 400GB for this? I am being told by the VM team that once the 600GB is allocated in the VMDK, it will not be able to be changed later to 200GB. I am told it can expand, but there is no option to shrink the disk size to 200GB. It almost seems as though the OVA should have been made to require a 200GB partition, then you could expand that to 300GB for Admin personas and more for Monitoring personas. As it stands, without the option to shrink the drive size, we are wasting 400GB unless I am missing something. Thus I am asking for your help!
    Install guide where VM disk sizing is specified is located at:
    http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/installation_guide/b_ise_InstallationGuide13/b_ise_InstallationGuide12_chapter_011.html#ID-1417-000000d9
    Thank you,
    Jeff

    Hello Prasad,
    I am not sure what database you will be using in your system.
    Check SAPnotes # 799639 "Hardware Requirements" and  # 956921-  IDES ERP 2005 ECC 6.0.
    Here are database approximations:
    The database sizes are:
      ORACLE: 200 GB
      MaxDB:  180 GB
      MSSQL:  150 GB
      DB2-UDB 150 GB
      DB2 on iSeries 240 GB
    I can't comment on RAM size as I am not aware of the number of users, the functionalities you will be using, etc.
    For this you can create a project under http://service.sap.com/sizing. You will get a close approximation.
    This is an easy self-guided procedure and it's good; you can get a close hardware approximation through this Quick Sizer tool.
    Regarding the processor, it's up to you. You can call vendors and check according to your budget.
    Best Regards
    NIraj
