ISE and Node Groups

Hi,
Does anyone know if node groups are purely for policy server nodes behind a load balancer such as ACE? If you have a pair of policy server nodes at a site with no load balancer, and both nodes are configured in all NASes, can these be in a node group?
Does anyone know if you can use a load-balanced set of policy nodes with LWA and WLC? There has to be affinity between the portal ISE and the AAA ISE configured in the WLC; these would be two different sessions, one RADIUS and one HTTP, so the ACE would not be able to distinguish.
Thanks.
Gary

Hi Pon -
Do you mean groups of users or group of pages?
If you mean groups of users, you can create your sub-groups as regular groups, and then when assigning users to your Main Finance group ... add the 2 groups which are your subGroups.
If you are talking about the Portal Page Group structure, you cannot nest page groups, but you can create pages and subpages.
Hope this helps,
Candace

Similar Messages

  • ISE HA / Node Group Licensing

    I have a single ISE 3355 with 2200 basic licenses.
    I am planning to purchase another 3355 for redundancy purposes.
    Do I just add this into the node group and the license pool is shared between the nodes? I can't imagine I have to rebuy all the licenses for the 2nd device.
    Thanks in advance.

    That is correct.  There is no need to purchase additional license paks.  The ISE deployment licenses are on a per endpoint basis, not per ISE node.  You can just add the new node to the existing deployment.
    You have probably already seen this, but here is a guide for distributed deployments:
    http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_dis_deploy.html
    Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.  Otherwise, feel free to post follow-up questions.
    Charles Moreton

  • Cisco ISE and AD group

    Hi, I have a problem.
    I set up ISE, joined it to AD, got the group name from AD, and added it to ISE as an external identity group. Then I made a simple authentication policy rule which says: if the protocol is RADIUS, then use the AD1 store.
    After this I created an authorization policy rule, and it says that if the external group is from AD, then permit access.
    And now when I try to connect via ASA, using the AnyConnect client, my authentication log says that I chose the default authorization rule. It seems like ISE does not check my username for external group membership.
    Why does this happen?
    Thanks

    Hi,
    The issue is with your Authorization Policy: you have configured an internal identity group.
    You need to change this and point to your AD group. If you have retrieved the group from AD in the Groups settings under the AD settings, then you should be able to look for the condition by dropping down the "Attributes", selecting AD ExternalGroups, followed by your group.
    Thanks,
    Tarik Admani
    *Please rate helpful posts*

  • ISE - Installing the same certificate in every PSN in a node group

    Hi,
    To ensure that the certificate error warning is not shown to all clients connecting to guest services (because obviously they don't have the CA root certificate of our company), we have purchased a wildcard certificate from Verisign in order to work with all of our PSN Common Names and friendly URL for sponsor and mydevices. But when I try to import it to more than one PSN, the following error message is shown: "The certificate already exists in the data base".
    How can I import the same certificate (with the same private key) in every PSN in a node group?
    We have ISE 1.1.2
    Thanks in advance!!
    Luis

    Hello All,
    ISE software also uses openssl. Although up to ISE 1.1.x the interface does not provide a field for SAN (Subject Alternative Name), it should support wildcard certificates. It is just the interface that does not facilitate certificate and CSR generation. So we need to generate the certificate and CSR by explicit use of openssl. Tarik has already provided the link, which can be of valuable assistance.
    As far as wildcard certificate support is concerned, ISE 1.2 would definitely support this feature. This is confirmed

  • ISE node group behind load balancer

    I'm trying to gather info on distributed deployment w/ multiple PSN nodes.
    Having read through some documents, it looks like you can put multiple PSN's in a node group, and then place the node group behind a load balancer.
    Q1:
    Node group config requires multicast.
    Cisco ACE LB doesn't support multicast, except in bridge mode.
    How do people support distributed deployment in node group behind Cisco ACE?
    Q2:
    User guide says: "We recommend that you have two, three, or a maximum of four nodes in a node group."
    http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_dis_deploy.html#wp1134272
    What if we need more than 4 PSN nodes to support our network & user base?
    Q3:
    Has anyone been able to implement distributed deployment between two datacenters behind GSS?
    If GSS isn't possible, we'll be happy to just have it in working state behind ACE LB.
    thx!

    I have had close to zero experience with LBs so my answers will be limited:
    Q1: I don't think the multicast plays any role with the LB. The multicast address is needed for the ISE nodes for replication
    Q2: You will have to create a new node group with a new multicast address
    Q3: No help here
    Couple of other things to remember:
    1. The nodes must be layer 2 adjacent
    2. You must use routed mode...no NAT/SNAT. Each node must be reachable directly from the end clients
    3. You must perform sticky
    4. The Load balancers must be listed as NADs in ISE
    Hope this provides some help to you.
    Thank you for rating!

  • ISE and RSA token groups

    We have a wireless network using ISE and RSA to do the authentication. There are two groups of RSA token users, one with usernames Axxxx, the other Bxxxx.
    Now we are trying to differentiate the authentication for the two groups: one permit, the other deny.
    I am wondering whether the ISE can do this or not.
    thanks,
    Han

    ISE 1.2 should work with RSA 8.1. Please do try it in a lab setup would probably qualify it as part of ISE 1.3.

  • Resource group and node

    Hi to all.
    How do I attach a resource group and a node?
    I.e., when I shut down my node0, all resources switch to node1.
    I want:
    When my node0 boots, my resource group switches back.
    How should I do this?
    Thanks

    On node1:
    nfl-node1# clrg show | grep Nodelist
    Nodelist: nfl-node2 nfl-node1
    Nodelist: nfl-node2 nfl-node1
    Nodelist: nfl-node2 nfl-node1
    nfl-node1#
    On node2:
    nfl-node2# clrg show | grep Nodelist
    Nodelist: nfl-node2 nfl-node1
    Nodelist: nfl-node2 nfl-node1
    Nodelist: nfl-node2 nfl-node1
    nfl-node2#

  • Overhead calculation not happening after using Overhead key and orgin group

    overhead calculation not happening after using Overhead key and orgin group.
    There was a runtime error earlier related to "define credit" IMG node under costing sheet component and we have applied SAP note 769946 and that error was gone out of the way
    We want to apply/add Overhead to SFG/FG materials.
    We are using PP order with PCC(product cost collector) as the cost object , i.e costing by period.(system ECC 6)
    But our problem is with material standard cost estimate process.
    We have assigned overhead keys to the percentage rates in costing sheet for material standard costing and assigned the origin groups to the credits of costing sheet. But after running the cost estimate overhead is not taking into account for standard cost calculation.
    In the define credit entry table, the key field is, strangely, the valid-to date, and actually the system should allow more than one entry with the same valid-to date and same sec. cost element (type 41) for different cost centers.
    But if we do not use the overhead key and origin group, the entire cost in that supporting cost center will go to all materials (SFG/FG) and we cannot distinguish between different product materials (SFG/FG).
    We have checked all the things mentioned below.
    Firstly that the correct costing sheet is assigned to the valuation
    variant.
    That the costing sheet is entered for the appropriate material type:
    Finished and semi finished or material components.
    All of the above can be checked and verified via transaction OKKN.
    In addition make sure that the base value maintained is present in the
    costing, for example the base may include an Origin group, is that
    origin group part of the materials being costed?
    Similarly if the base is found and values exist how is the overhead
    rate of the costing sheet set up, is it valid etc.
    And finally do a similar check for the credit.
    We doubt this as a program error...
    So, we request all experts for your feedback.

    Dear,
    Check that your origin group and material unit of measurement are the same.
    Sometimes in the costing sheet the origin group is maintained in a different unit, and for the material it is maintained in another unit of measurement.
    You can see unit of measure for material in Additional data - unit of measure.
    Check BOM component material unit also.
    Check that the same unit of measure is maintained in KZS2.
    I hope the above will be useful.
    GOPAN

  • ERROR IN IMPORT PHASE ( CREATE NODE GROUPS) CAN ANY TELL ME SOLUTION

    HI SAP EXPERTS,
    I am doing an Export & Import to convert my SAP system, which was previously a "NON-UNICODE" system, to a "UNICODE" system.
    I have followed the steps specified in the guide for converting a non-Unicode system to a Unicode system for the pre-conversion phase from T.code "SPUMG", and my Export was successful.
    During the Import phase I am getting an error in "CREATE NODE GROUPS"...
    I am using
    DATABASE--> IBM DB2    8.2 Ver and fixpack 3.
    Can anyone please mention whether we have to execute any steps before starting an IMPORT?
    Thanks in advance
    Santosh Chaitanya
    Edited by: santosh chaitanya on Aug 26, 2008 3:43 PM

    HI ,
    Please find the last lines of sapinst_dev.log:
    TRACE      [iaxxejsexp.cpp:188]
               EJS_Installer::writeTraceToLogBook()
    2008-09-10 18:14:44.625 User(venus\db2h01).getLoginEnvironment() done: Properties({
      CLASSPATH = .;C:\PROGRA1\IBM\SQLLIB\java\db2java.zip;C:\PROGRA1\IBM\SQLLIB\java\db2jcc.jar;C:\PROGRA1\IBM\SQLLIB\java\sqlj.zip;C:\PROGRA1\IBM\SQLLIB\java\db2jcc_license_cu.jar;C:\PROGRA1\IBM\SQLLIB\bin;C:\PROGRA1\IBM\SQLLIB\java\common.jar
      ClusterLog = C:\WINDOWS\Cluster\cluster.log
      ComSpec = C:\WINDOWS\system32\cmd.exe
      DB2INSTANCE = db2h01
      FP_NO_HOST_CHECK = NO
      INCLUDE = C:\PROGRA1\IBM\SQLLIB\INCLUDE;C:\PROGRA1\IBM\SQLLIB\LIB
      LIB = ;C:\PROGRA~1\IBM\SQLLIB\LIB
      NUMBER_OF_PROCESSORS = 4
      OS = Windows_NT
      PATHEXT = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
      PROCESSOR_ARCHITECTURE = AMD64
      PROCESSOR_IDENTIFIER = EM64T Family 6 Model 23 Stepping 6, GenuineIntel
      PROCESSOR_LEVEL = 6
      PROCESSOR_REVISION = 1706
      TEMP = C:\Documents and Settings\hr1adm\Local Settings\Temp
      TMP = C:\Documents and Settings\hr1adm\Local Settings\Temp
      windir = C:\WINDOWS
      DB2DB6EKEY = H01venus
      DB2DBDFT = H01
      DBMS_TYPE = db6
      DBS_DB6_SCHEMA = saphr1
      DSCDB6HOME = venus
      SAPSYSTEMNAME = HR1
      PATH = C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\PROGRA1\IBM\SQLLIB\BIN;C:\PROGRA1\IBM\SQLLIB\FUNCTION;C:\PROGRA1\IBM\SQLLIB\SAMPLES\REPL;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\PROGRA1\IBM\SQLLIB\BIN;C:\PROGRA1\IBM\SQLLIB\FUNCTION;C:\PROGRA1\IBM\SQLLIB\SAMPLES\REPL;C:\Program Files\IBM\SQLLIB\BIN;C:\Program Files\IBM\SQLLIB\FUNCTION;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\PROGRA1\IBM\SQLLIB\BIN;C:\PROGRA1\IBM\SQLLIB\FUNCTION;C:\PROGRA~1\IBM\SQLLIB\SAMPLES\REPL
    TRACE      [iaxxejsexp.cpp:188]
               EJS_Installer::writeTraceToLogBook()
    Setting effective user to venus\db2h01
    TRACE      [iaxxejsexp.cpp:188]
               EJS_Installer::writeTraceToLogBook()
    2008-09-10 18:14:44.640 User(venus\db2h01).getId()
    TRACE      [iaxxejsexp.cpp:188]
               EJS_Installer::writeTraceToLogBook()
    2008-09-10 18:14:44.640 User(venus\db2h01).getId() done: S-1-5-21-465082378-1841671448-1313926673-1102
    TRACE      [synxccuren.cpp:913]
               CSyCurrentProcessEnvironmentImpl::setEffectiveUser(PSyUser,iastring)
    effective user corresponds to real user
    TRACE      [synxccuren.cpp:467]
               grantAccessTo
    Granted access rights 0xf037f for object winsta0 to user venus\db2h01 with inheritance flags 0.
    TRACE      [synxccuren.cpp:467]
               grantAccessTo
    Granted access rights 0xf01ff for object default to user venus\db2h01 with inheritance flags 0.
    INFO       2008-09-10 18:14:44 [synxccuren.cpp:877]
               CSyCurrentProcessEnvironmentImpl::setUser()
    Switched to user: db2h01.
    TRACE      [iaxxejsexp.cpp:188]
               EJS_Installer::writeTraceToLogBook()
    2008-09-10 18:14:44.640 NWUsers.asRole() done
    TRACE      [iax6bnodeg.cpp:96]
               CDB6NodeGroups::Create(const map<iastring,iastring>&)
               lib=iamoddb6 module=CDB6NodeGroups
    Entered: CDB6NodeGroups::Create(const map<iastring,iastring>&)
    ERROR      2008-09-10 18:14:44 [iax6bnodeg.cpp:262]
               CDB6NodeGroups::Create(const map<iastring,iastring>&)
               lib=iamoddb6 module=CDB6NodeGroups
    MDB-01067  'Create Nodegroup' does not work. Execution of Statement: create nodegroup IBMCATGROUP on nodes (0) returned with: DB6CliExecute(): [IBM][CLI Driver][DB2/NT64] SQL0707N  The name "IBMCATGROUP" cannot be used because the specified identifier is reserved for system use.  SQLSTATE=42939
    TRACE      [iaxxejsbas.hpp:460]
               EJS_Base::dispatchFunctionCall()
    JS Callback has thrown unknown exception. Rethrowing.
    ERROR      2008-09-10 18:14:44 [iaxxgenimp.cpp:736]
               showDialog()
    FCO-00011  The step CreateNodegroups with step key |NW_ABAP_OneHost|ind|ind|ind|ind|0|0|NW_Onehost_System|ind|ind|ind|ind|1|0|NW_CreateDBandLoad|ind|ind|ind|ind|9|0|NW_CreateDB|ind|ind|ind|ind|0|0|NW_DB6_DB|ind|ind|ind|ind|1|0|NW_DB6_CreateNodegroups|ind|ind|ind|ind|17|0|CreateNodegroups was executed with status ERROR .
    TRACE      [iaxxgenimp.cpp:657]
               showDialog()
    <html><head></head><body><p>An error occurred while processing service <b>SAP ERP 2005 Support Release 1 > Additional Software Life-Cycle Tasks > System Copy > IBM DB2 UDB for UNIX and  Windows > Target System > Central System > Based on AS ABAP > Central System Installation</b>. You may now</p><ul> <li>press <I>Retry</I> to repeat the current step.</li> <li>press the <I>View Log</I> button to get more information about the error.</li> <li>stop the task and continue with it later.</li></ul><p>Log files are written to <b>C:/sapinstlog</b>.</p></body></html>
    TRACE      [iaxxgenimp.cpp:1093]
               showDialog()
    waiting for an answer from gui
    INFO       2008-09-10 18:14:49 [iaxxgenimp.cpp:787]
               showDialog()
    An error occured and the user decide to stop.\n Current step "|NW_ABAP_OneHost|ind|ind|ind|ind|0|0|NW_Onehost_System|ind|ind|ind|ind|1|0|NW_CreateDBandLoad|ind|ind|ind|ind|9|0|NW_CreateDB|ind|ind|ind|ind|0|0|NW_DB6_DB|ind|ind|ind|ind|1|0|NW_DB6_CreateNodegroups|ind|ind|ind|ind|17|0|CreateNodegroups".
    TRACE      [iaxxbprocess.cpp:55]
               CIaOsProcess::CEIdJanitor::~CEIdJanitor()
    Switching back to user Administrator.
    TRACE      [synxccuren.cpp:913]
               CSyCurrentProcessEnvironmentImpl::setEffectiveUser(PSyUser,iastring)
    effective user corresponds to real user
    TRACE      [synxccuren.cpp:787]
               CSyCurrentProcessEnvironmentImpl::setUser()
    Terminated current impersonation.
    please provide me a solution...
    Santosh

  • CoA issues between ISE and 3750x

    We are having an issue using the Cisco ISE 1.1.2 and a 3750x (Version 12.2(58)SE2).
    When the RADIUS server sends a reauthentication CoA message to the switch, the switch responds with a 'session context not found' reply. I have upgraded the code to the latest levels on both the ISE and switch and still have the same results.
    This reauthentication is needed after the NAC profiler determines the PC is compliant. I am receiving the compliant message from the PC and switch, but because the switch never reauthenticates the client after the CoA request, the client is never granted full access.
    I am not sure if the radius server is sending the wrong session id, or if the switch is looking at it wrong.
    Please Help...!!!!!
    -Debug --
    Log Buffer (10000 bytes):
    Feb 28 19:34:21.940 UTC: RADIUS: COA  received from id 38 10.122.1.82:40171, CoA Request, len 140
    Feb 28 19:34:21.940 UTC: COA: 10.122.1.82 request queued
    Feb 28 19:34:21.940 UTC: RADIUS:  authenticator 62 6B 15 C9 C7 A5 CA 88 - 4F B2 EE 4C A0 3D 9F 50
    Feb 28 19:34:21.948 UTC: RADIUS:  NAS-IP-Address      [4]   6   10.122.1.66
    Feb 28 19:34:21.948 UTC: RADIUS:  Event-Timestamp     [55]  6   1362080061
    Feb 28 19:34:21.948 UTC: RADIUS:  Message-Authenticato[80]  18
    Feb 28 19:34:21.948 UTC: RADIUS:   BC B3 BA 2A 11 BD 63 0B 22 7E 82 AA C2 A5 F7 C4              [ *c"~]
    Feb 28 19:34:21.948 UTC: RADIUS:  Vendor, Cisco       [26]  41
    Feb 28 19:34:21.948 UTC: RADIUS:   Cisco AVpair       [1]   35  "subscriber:command=reauthenticate"
    Feb 28 19:34:21.948 UTC: RADIUS:  Vendor, Cisco       [26]  49
    Feb 28 19:34:21.948 UTC: RADIUS:   Cisco AVpair       [1]   43  "audit-session-id=0A7A014200000272048AF0F1"
    Feb 28 19:34:21.948 UTC: COA: Message Authenticator decode passed
    Feb 28 19:34:21.948 UTC:  ++++++ CoA Attribute List ++++++
    Feb 28 19:34:21.948 UTC: 07353140 0 00000001 nas-ip-address(585) 4 10.122.1.66
    Feb 28 19:34:21.948 UTC: 0735375C 0 00000001 Event-Timestamp(430) 4 1362080061(512FB13D)
    Feb 28 19:34:21.948 UTC: 0735376C 0 00000009 audit-session-id(794) 24 0A7A014200000272048AF0F1
    Feb 28 19:34:21.948 UTC: 0735377C 0 00000009 ssg-command-code(475) 1 32
    Feb 28 19:34:21.948 UTC:
    Feb 28 19:34:21.957 UTC: AUTH-EVENT: auth_mgr_ch_search_record - Search record in IDC db failed
    Feb 28 19:34:21.957 UTC: RADIUS/ENCODE(00000000):Orig. component type = Invalid
    Feb 28 19:34:21.957 UTC: RADIUS(00000000): sending
    Feb 28 19:34:21.957 UTC: RADIUS(00000000): Send CoA Nack Response to 10.122.1.82:40171 id 38, len 62
    Feb 28 19:34:21.957 UTC: RADIUS:  authenticator DF 18 2F 59 21 4F 84 E1 - 61 B8 43 B8 01 C5 58 B4
    Feb 28 19:34:21.957 UTC: RADIUS:  Reply-Message       [18]  18
    Feb 28 19:34:21.957 UTC: RADIUS:   4E 6F 20 76 61 6C 69 64 20 53 65 73 73 69 6F 6E  [ No valid Session]
    Feb 28 19:34:21.957 UTC: RADIUS:  Dynamic-Author-Error[101] 6   Session Context Not Found [503]
    Feb 28 19:34:21.957 UTC: RADIUS:  Message-Authenticato[80]  18
    Feb 28 19:34:21.957 UTC: RADIUS:   30 C9 AE 52 80 2E A2 54 FF F3 4B C7 28 31 A9 61          [ 0R.TK(1a]
    ESWHQFL02-S#
    ESWHQFL02-S#
    -- Switch Config -
    aaa authentication login default group tacacs+ local-case
    aaa authentication login local_login local
    aaa authentication enable default group tacacs+ enable
    aaa authentication dot1x default group radius
    aaa authorization exec default group tacacs+ local
    aaa authorization commands 5 default group tacacs+ local
    aaa authorization commands 15 default group tacacs+ local
    aaa authorization network default group radius
    aaa authorization network auth-list group DOT1X
    aaa accounting dot1x default start-stop group radius
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 5 default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    aaa accounting network default start-stop group tacacs+
    aaa server radius dynamic-author
    client 10.122.1.82 server-key 7 14141B180F0B
    client 10.122.1.80 server-key 7 045802150C2E
    aaa session-id common
    radius-server attribute 6 on-for-login-auth
    radius-server attribute 6 support-multiple
    radius-server attribute 8 include-in-access-req
    radius-server host 10.122.1.82 auth-port 1812 acct-port 1813 key 7 13061E010803
    radius-server host 10.122.1.80 auth-port 1812 acct-port 1813 key 7 104D000A0618
    radius-server deadtime 5
    radius-server key 7 030752180500
    radius-server vsa send accounting
    radius-server vsa send authentication

    As per the Cisco recommendation, IOS v12.2(52)SE is suitable for Catalyst 3750-X, which will support all the features without any issues, like MAB, 802.1X, CWA, LWA, COA, VLAN, DACL, SAG, as mentioned in the link below:
    http://www.cisco.com/en/US/docs/security/ise/1.1.1/compatibility/ise_sdt.html
    I see you are using IOS v12.2(58)SE2, which is not recommended. So you can downgrade to IOS v12.2(52)SE, which will solve your issues.

  • Field Symbols, Field String, and Field Group.

    Hi,
    Can you differentiate between field symbols, field strings and field groups?
    With regards,
    Bharath Mohan B

    Hi,
    Field Symbols
    Field symbols are placeholders or symbolic names for other fields. They do not physically reserve space for a field, but point to its contents. A field symbol can point to any data object. The data object to which a field symbol points is assigned to it after it has been declared in the program.
    Whenever you address a field symbol in a program, you are addressing the field that is assigned to the field symbol. After successful assignment, there is no difference in ABAP whether you reference the field symbol or the field itself. You must assign a field to each field symbol before you can address the latter in programs.
    Field symbols are similar to dereferenced pointers in C (that is, pointers to which the content operator * is applied). However, the only real equivalent of pointers in ABAP, that is, variables that contain a memory address (reference) and that can be used without the contents operator, are reference variables in ABAP Objects.
    All operations programmed with field symbols are applied to the field assigned to it. For example, a MOVE statement between two field symbols moves the contents of the field assigned to the first field symbol to the field assigned to the second field symbol. The field symbols themselves point to the same fields after the MOVE statement as they did before.
    You can create field symbols either without or with type specifications. If you do not specify a type, the field symbol inherits all of the technical attributes of the field assigned to it. If you do specify a type, the system checks the compatibility of the field symbol and the field you are assigning to it during the ASSIGN statement.
    Field symbols provide greater flexibility when you address data objects:
    If you want to process sections of fields, you can specify the offset and length of the field dynamically.
    You can assign one field symbol to another, which allows you to address parts of fields.
    Assignments to field symbols may extend beyond field boundaries. This allows you to address regular sequences of fields in memory efficiently.
    You can also force a field symbol to take different technical attributes from those of the field assigned to it.
    The flexibility of field symbols provides elegant solutions to certain problems. On the other hand, it does mean that errors can easily occur. Since fields are not assigned to field symbols until runtime, the effectiveness of syntax and security checks is very limited for operations involving field symbols. This can lead to runtime errors or incorrect data assignments.
    While runtime errors indicate an obvious problem, incorrect data assignments are dangerous because they can be very difficult to detect. For this reason, you should only use field symbols if you cannot achieve the same result using other ABAP statements.
    For example, you may want to process part of a string where the offset and length depend on the contents of the field. You could use field symbols in this case. However, since the MOVE statement also supports variable offset and length specifications, you should use it instead. The MOVE statement (with your own auxiliary variables if required) is much safer than using field symbols, since it cannot address memory beyond the boundary of a field. However, field symbols may improve performance in some cases.
    Check the links below; you will get the answers to your questions.
    http://help.sap.com/saphelp_nw04/helpdata/en/fc/eb3860358411d1829f0000e829fbfe/content.htm
    http://www.sts.tu-harburg.de/teaching/sap_r3/ABAP4/field_sy.htm
    http://searchsap.techtarget.com/tip/1,289483,sid21_gci920484,00.html
    Syntax Diagram
    FIELD-SYMBOLS
    Basic form
    FIELD-SYMBOLS <fs>.
    Extras:
    1. ... TYPE type
    2. ... TYPE REF TO cif
    3. ... TYPE REF TO DATA
    4. ... TYPE LINE OF type
    5. ... LIKE s
    6. ... LIKE LINE OF s
    7. ... TYPE tabkind
    8. ... STRUCTURE s DEFAULT wa
    The syntax check performed in an ABAP Objects context is stricter than in other ABAP areas. See Cannot Use Untyped Field Symbols and Cannot Use Field Symbols as Components of Classes.
    Effect
    This statement declares a symbolic field called <fs>. At runtime, you can assign a concrete field to the field symbol using ASSIGN. All operations performed with the field symbol then directly affect the field assigned to it.
    You can only use one of the additions.
    Example
    Output aircraft type from the table SFLIGHT using a field symbol:
    FIELD-SYMBOLS <PT> TYPE ANY.
    DATA SFLIGHT_WA TYPE SFLIGHT.
    ASSIGN SFLIGHT_WA-PLANETYPE TO <PT>.
    WRITE <PT>.
    Addition 1
    ... TYPE type
    Addition 2
    ... TYPE REF TO cif
    Addition 3
    ... TYPE REF TO DATA
    Addition 4
    ... TYPE LINE OF type
    Addition 5
    ... LIKE s
    Addition 6
    ... LIKE LINE OF s
    Addition 7
    ... TYPE tabkind
    Effect
    You can define the type of the field symbol using additions 2 to 7 (just as you can for FORM parameters (compare Defining the Type of Subroutine Parameters)). When you use the ASSIGN statement, the system carries out the same type checks as for USING parameters of FORMs.
    This addition is not allowed in an ABAP Objects context. See Cannot Use Obsolete Casting for FIELD SYMBOLS.
    In some cases, the syntax rules that apply to Unicode programs are different than those for non-Unicode programs. See Defining Types Using STRUCTURE.
    Effect
    Assigns any (internal) field string or structure to the field symbol from the ABAP Dictionary (s). All fields of the structure can be addressed by name: <fs>-fieldname. The structured field symbol points initially to the work area wa specified after DEFAULT.
    The work area wa must be at least as long as the structure s. If s contains fields of the type I or F, wa should have the structure s or at least begin in that way, since otherwise alignment problems may occur.
    Example
    Address components of the flight bookings table SBOOK using a field symbol:
    DATA SBOOK_WA LIKE SBOOK.
    FIELD-SYMBOLS <SB> STRUCTURE SBOOK
    DEFAULT SBOOK_WA.
    WRITE: <SB>-BOOKID, <SB>-FLDATE.
    Related
    ASSIGN, DATA
    Additional help
    Declaring Field Symbols
    FIELD GROUPS
    are used to hold/handle large amounts of data when internal tables are not useful.
    We use the EXTRACT statement and HEADER structure with them.
    See the example:
    REPORT demo_extract.
    NODES: spfli, sflight.
    FIELD-GROUPS: header, flight_info, flight_date.
    START-OF-SELECTION.
      INSERT: spfli-carrid spfli-connid sflight-fldate
                INTO header,
              spfli-cityfrom spfli-cityto
                INTO flight_info.
    GET spfli.
      EXTRACT flight_info.
    GET sflight.
      EXTRACT flight_date.
    END-OF-SELECTION.
      SORT STABLE.
      LOOP.
        AT FIRST.
          WRITE / 'Flight list'.
          ULINE.
        ENDAT.
        AT flight_info WITH flight_date.
          WRITE: / spfli-carrid , spfli-connid, sflight-fldate,
                   spfli-cityfrom, spfli-cityto.
        ENDAT.
        AT flight_date.
          WRITE: / spfli-carrid , spfli-connid, sflight-fldate.
        ENDAT.
        AT LAST.
          ULINE.
          WRITE: cnt(spfli-carrid), 'Airlines'.
          ULINE.
        ENDAT.
      ENDLOOP.
    FIELD STRING is nothing but a string with one row of records.
    Reward points if useful
    regards
    Anji

  • CWA with ISE and 5760

    Hi,
    we have an ISE 1.2 (Patch 5), two 5760 Controllers (3.3), one acting as Primary Controller (named WC7) for the APs and the other as Guest Anchor (named WC5).
    I have trouble with the CWA. The Guest is redirected and enters the correct credentials. After that, the CoA fails with error-cause(272) 4 Session Context Not Found. I have no idea why....
    aaa authentication login Webauth_ISE group ISE
    aaa authorization network cwa_macfilter group ISE
    aaa authorization network Webauth_ISE group ISE
    aaa accounting network ISE start-stop group ISE
    aaa server radius dynamic-author
    client 10.232.127.13 server-key 0 blabla
    auth-type any
    radius-server attribute 6 on-for-login-auth
    radius-server attribute 31 send nas-port-detail mac-only
    wlan test4guests 18 test4guests
    aaa-override
    accounting-list ISE
    client vlan 1605
    no exclusionlist
    mac-filtering cwa_macfilter
    mobility anchor
    nac
    no security wpa
    no security wpa akm dot1x
    no security wpa wpa2
    no security wpa wpa2 ciphers aes
    security dot1x authentication-list Webauth_ISE
    no shutdown
    wc5# debug aaa coa
    Feb 27 12:19:08.444: COA: 10.232.127.13 request queued
    Feb 27 12:19:08.444: RADIUS:  authenticator CC 33 26 77 56 96 30 58 - BC 99 F3 1A 3C 61 DC F4
    Feb 27 12:19:08.444: RADIUS:  NAS-IP-Address      [4]   6   10.232.127.11
    Feb 27 12:19:08.444: RADIUS:  Calling-Station-Id  [31]  14  "40f308c3c53d"
    Feb 27 12:19:08.444: RADIUS:  Event-Timestamp     [55]  6   1393503547
    Feb 27 12:19:08.444: RADIUS:  Message-Authenticato[80]  18
    Feb 27 12:19:08.444: RADIUS:   22 F8 CF 1C 61 F3 F9 42 01 E4 36 77 9C 9B CC 56            [ "aB6wV]
    Feb 27 12:19:08.444: RADIUS:  Vendor, Cisco       [26]  41
    Feb 27 12:19:08.444: RADIUS:   Cisco AVpair       [1]   35  "subscriber:command=reauthenticate"
    Feb 27 12:19:08.444: RADIUS:  Vendor, Cisco       [26]  43
    Feb 27 12:19:08.444: RADIUS:   Cisco AVpair       [1]   37  "subscriber:reauthenticate-type=last"
    Feb 27 12:19:08.444: RADIUS:  Vendor, Cisco       [26]  49
    Feb 27 12:19:08.444: RADIUS:   Cisco AVpair       [1]   43  "audit-session-id=0aea2001530f2e1e000003c6"
    Feb 27 12:19:08.444: COA: Message Authenticator decode passed
    Feb 27 12:19:08.444:  ++++++ CoA Attribute List ++++++
    Feb 27 12:19:08.444: 92FB84A0 0 00000001 nas-ip-address(600) 4 10.232.127.11
    Feb 27 12:19:08.444: 92FB87EC 0 00000081 formatted-clid(37) 12 40f308c3c53d
    Feb 27 12:19:08.444: 92FB8820 0 00000001 Event-Timestamp(445) 4 1393503547(530F2D3B)
    Feb 27 12:19:08.444: 92FB8854 0 00000001 reauthenticate-type(756) 4 last
    Feb 27 12:19:08.444: 92FB8888 0 00000081 audit-session-id(819) 24 0aea2001530f2e1e000003c6
    Feb 27 12:19:08.444: 92FB88BC 0 00000081 ssg-command-code(490) 1 32
    Feb 27 12:19:08.444:
    Feb 27 12:19:08.444:  ++++++ Received CoA response Attribute List ++++++
    Feb 27 12:19:08.444: 92FB84A0 0 00000001 nas-ip-address(600) 4 10.232.127.11
    Feb 27 12:19:08.444: 92FB87EC 0 00000081 formatted-clid(37) 12 40f308c3c53d
    Feb 27 12:19:08.444: 92FB8820 0 00000001 Event-Timestamp(445) 4 1393503547(530F2D3B)
    Feb 27 12:19:08.444: 92FB8854 0 00000001 reauthenticate-type(756) 4 last
    Feb 27 12:19:08.444: 92FB8888 0 00000081 audit-session-id(819) 24 0aea2001530f2e1e000003c6
    Feb 27 12:19:08.444: 92FB88BC 0 00000081 ssg-command-code(490) 1 32
    Feb 27 12:19:08.444: 92FB88F0 0 00000002 error-cause(272) 4 Session Context Not Found
    Feb 27 12:19:08.444:
    wc5#

    The reason for this is two bugs which prevent this from working:
    https://tools.cisco.com/bugsearch/bug/CSCul83594
    https://tools.cisco.com/bugsearch/bug/CSCun38344
    This is embarrassing because this is a really common scenario. QA anyone?
    So, with ISE and 5760, CWA is not working at this time.
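
A triage helper for the `debug aaa coa` output in the post above, added here as an example and not part of the original post: it groups the debug lines per CoA request and lists every request the NAS answered with an error-cause. The sample lines are copied from that output; the function names are hypothetical.

```python
import re

# Lines copied (trimmed) from the `debug aaa coa` output in the post above.
DEBUG_LINES = """\
Feb 27 12:19:08.444: COA: 10.232.127.13 request queued
Feb 27 12:19:08.444: RADIUS:   Cisco AVpair       [1]   35  "subscriber:command=reauthenticate"
Feb 27 12:19:08.444: RADIUS:   Cisco AVpair       [1]   43  "audit-session-id=0aea2001530f2e1e000003c6"
Feb 27 12:19:08.444:  ++++++ Received CoA response Attribute List ++++++
Feb 27 12:19:08.444: 92FB87EC 0 00000081 formatted-clid(37) 12 40f308c3c53d
Feb 27 12:19:08.444: 92FB8888 0 00000081 audit-session-id(819) 24 0aea2001530f2e1e000003c6
Feb 27 12:19:08.444: 92FB88F0 0 00000002 error-cause(272) 4 Session Context Not Found
"""

QUEUED = re.compile(r"COA: (\S+) request queued")
AVPAIR = re.compile(r'Cisco AVpair\s+\[1\]\s+\d+\s+"([^=]+)=([^"]*)"')
ATTR = re.compile(r": [0-9A-F]{8} \d+ [0-9A-F]{8} ([\w-]+)\(\d+\) \d+ (.+)$")
RESP = "Received CoA response Attribute List"

def parse_coa_debug(text):
    """Group debug lines into one record per queued CoA request."""
    records, cur, in_resp = [], None, False
    for line in text.splitlines():
        m = QUEUED.search(line)
        if m:  # a new request starts here
            cur = {"source": m.group(1), "avpairs": {}, "response": {}}
            records.append(cur)
            in_resp = False
            continue
        if cur is None:
            continue  # output before the first request is ignored
        if RESP in line:
            in_resp = True
        elif (m := AVPAIR.search(line)):
            cur["avpairs"][m.group(1)] = m.group(2)
        elif in_resp and (m := ATTR.search(line)):
            cur["response"][m.group(1)] = m.group(2).strip()
    return records

def failed_coas(records):
    """Return (source, session id, MAC, error-cause) for each rejected CoA."""
    return [(r["source"], r["avpairs"].get("audit-session-id"),
             r["response"].get("formatted-clid"), r["response"]["error-cause"])
            for r in records if "error-cause" in r["response"]]
```

Comparing the returned audit-session-id with the session IDs the controller actually holds for that MAC shows whether the CoA referenced a session the NAS no longer knows.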

  • ISE and LDAP Integration

    Hello,
    I have a question about the LDAP integration with the ISE:
    Since the ISE has a limitation of reading only 100 groups, I cannot find the groups that I need to use in the authorization, and the ISE also cannot find a group if I search for it directly.
    What I mean here is that I can fetch the first 100 groups from the top of the directory, but when I search, for example, for any group (whether it appears in the list or not), the ISE does not find it.
    I even tried to change the base DN and the search DN, but without luck.
    The ISE version is 1.1.4 installed on VM and the LDAP schema is AD.
    Is there any missing information/tips required in such integration?

    Hello,
    I found a Cisco doc that provides resolution of Key Features of Integration of Cisco ISE and LDAP. I hope this helps!
    This section contains the following:
    • Directory Service
    • Multiple LDAP Instances
    • Failover
    • LDAP Connection Management
    • User Authentication
    • Authentication Using LDAP
    • Binding Errors
    • User Lookup
    • MAC Address Lookup
    • Group Membership Information Retrieval
    • Attributes Retrieval
    • Certificate Retrieval
    http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_man_id_stores.html#wp1059913

  • ISE and Citrix Netscaler for LB

    I'm working on a solution where we have NetScaler load balancers distributing RADIUS requests from the NADs to the respective PSNs. Authentication works and redirect URLs work, etc. The challenge we're having is with EAP-TLS sessions. The user gets a provisioned certificate and chain that checks out on the endpoint fine. When the user tries to connect with the device, we see EAP timeouts from the ISE session to the supplicant. Each PSN has the internal identity cert configured for EAP authentication that has been configured from the same internal CA within the customer's PKI.
    Has anyone configured a NetScaler for use with ISE, and besides the general guidelines below, are there more specific things that need to be done to make this work with Citrix NetScalers?
    Load Balancing guidelines.
    No NAT.
    Each PSN must be reachable by the PAN / MNT directly, without having to go through NAT (Routed mode LB, not NAT).
    Each PSN must also be reachable directly from the client network for redirections (CWA, Posture, etc…)
    Perform sticky (aka: persistence) based on Calling-Station-ID and Framed-IP-address
    Session-ID is recommended if load balancer is capable (ACE is not).
    VIP for PSNs gets listed as the RADIUS server on each NAD for all RADIUS AAA.
    Each PSN gets listed individually in the NAD CoA list by real IP address (not VIP).
    If "Server NAT" the PSN-initiated CoA traffic, then can list single VIP in NAD CoA list.
    Load Balancers get listed as NADs in ISE so their test authentications may be answered.
    ISE uses the Layer 3 address to identify the NAD, not the NAS-IP-Address in the RADIUS packet. This is a primary reason to avoid Source NAT (SNAT) for traffic sent to VIP.
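
A model of the persistence guideline above, added here as an example and not taken from the post or from any NetScaler configuration: it parses the RADIUS attributes, derives the sticky key from Calling-Station-Id (falling back to Framed-IP-Address) and maps it to a PSN, so Access-Request and Accounting packets for one endpoint reach the same node even when NADs format the MAC differently. The PSN names, the hash-based selection and `build_packet` are assumptions made for illustration.

```python
import hashlib
import ipaddress
import struct

CALLING_STATION_ID, FRAMED_IP_ADDRESS = 31, 8    # RFC 2865 attribute types
PSNS = ["psn1.example.net", "psn2.example.net"]  # hypothetical real servers

def radius_attrs(packet):
    """Parse a RADIUS packet into {type: [values]}, rejecting bad lengths."""
    if len(packet) < 20:
        raise ValueError("shorter than RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, pos = {}, 20                           # attributes follow the 20-byte header
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(a_type, []).append(packet[pos + 2:pos + a_len])
        pos += a_len
    return attrs

def persistence_key(packet):
    """Calling-Station-Id as a normalised MAC, else Framed-IP-Address."""
    attrs = radius_attrs(packet)
    if CALLING_STATION_ID in attrs:
        mac = attrs[CALLING_STATION_ID][0].decode("ascii", "replace")
        return "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if FRAMED_IP_ADDRESS in attrs and len(attrs[FRAMED_IP_ADDRESS][0]) == 4:
        return str(ipaddress.IPv4Address(attrs[FRAMED_IP_ADDRESS][0]))
    return None

def pick_psn(packet, servers=PSNS):
    """Map the sticky key to one server; None means no usable key."""
    key = persistence_key(packet)
    if key is None:
        return None
    digest = hashlib.sha256(key.encode()).digest()
    return servers[int.from_bytes(digest[:4], "big") % len(servers)]

def build_packet(code, attrs):
    """Constructed test input: header, zeroed authenticator, TLV attributes."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, 1, 20 + len(body)) + bytes(16) + body
```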

    Does anyone have a working configuration for this?  I'm getting successful authentications from the supplicant, but CoA fails. When I perform a CoA I get two of each of the following messages:
    1) Event & Failure reason "5436 RADIUS packet already in the process"
    then
    2) Event "5417 Dynamic Authorization failed" / Failure reason "11215 No response has been received from Dynamic Authorization Client in ISE"
    The policy nodes are not physically located behind the NetScaler, so I have them pointing to the NetScaler as the default GW.  I'm not sure if we have the policy on the NS configured correctly though, because I had to add the NetScaler as a Network Device and I was under the impression that the switch and PSN should continue to talk directly to each other.
    Any help would be greatly appreciated!
    Cheers!
    Ken

  • ISE and certificates

    Hi all,
    I'm trying to get my head around using 3rd party certificates with the ISE and I think I need some guidance here.
    I have a setup of 6 ISE nodes, 2xAdmin, 2xMonitoring and 2xPolicy.
    All of these have the domain-name of abc.local.
    I want to use MS-CHAPv2 and guest service without certificate errors.
    So do I need to enroll all of my six nodes with a 3rd party CA? Or just 2xPolicy nodes?
    I know the best solution would be all six but just to know if it is possible.
    How do I get around the problem with .local? I do not think it is possible to get a certificate with .local as a domain in FQDN.
    Is a SAN certificate useful here? How would that look (still .local in CN..?)
    Other things to consider in this?
    regards
    Mikael

    It is OK to use Apache; you just need the correct OID enabled, which is for server authentication. You can use the same cert for authentication and the HTTP web server; however, the EAP authentication server requirements are not as stringent on the hostname as the HTTP management.
    Also, what are you using for the format when creating the CSR? Are you just using the CN-isefqdn, or did you follow the example here: http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_man_cert.html#wp1077292
    Step 4 Enter the certificate subject and the required key length. The certificate subject is a distinguished name (DN) identifying the entity that is associated with the certificate. The DN must include a common name value. Elements of the distinguished name are:
    • C = Country
    • S = Test State or Province
    • L = Test Locality (City)
    • O = Organization Name
    • OU = Organizational Unit Name
    • CN = Common Name
    • E = E-mail Address
    Tarik Admani
    *Please rate helpful posts*
