ISE - Branch Wired Design - Non-Converged Access - Best policy on the switch??
Hello,
I would like to understand what would be the most suitable solution in an ISE architecture when the PSN server is on the central site and my remote site has no PSN and no converged access equipment.
What happens if my link between the central site and the remote site is down? In this case, which policy should I put on my remote switch?
1/ Try the various policies (dot1x -> MAB -> Web-auth), then do not block the port but just send a message to the administrator.
2/ Put an ACL on the site router.
3/ ?? other idea
What would be the most suitable policy?
Tks a lot
bye
https://supportforums.cisco.com/discussion/11602321/ise-nad-radius-fail-open
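The switch-side behaviour this question is about (what an access port does while no PSN is reachable) is normally handled by RADIUS dead-server detection plus critical authentication (inaccessible authentication bypass). The IOS configuration below is an added example, not from the thread or from Cisco documentation; the PSN address, shared secret, VLAN numbers and interface are placeholders.

```ios
! --- RADIUS server definition (IOS 15.x "radius server" syntax) ---
! Placeholder PSN address and shared secret.
radius server ISE-PSN-CENTRAL
 address ipv4 10.0.0.10 auth-port 1812 acct-port 1813
 key <RADIUS-SHARED-SECRET>
!
! Mark the server dead after 3 consecutive tries with no answer within 5 s,
! then leave it marked dead for 10 minutes before probing it again.
! When the server is marked dead the switch logs a %RADIUS-4-RADIUS_DEAD
! syslog, which gives the administrator notification asked for in option 1/.
radius-server dead-criteria time 5 tries 3
radius-server deadtime 10
!
aaa new-model
aaa group server radius ISE
 server name ISE-PSN-CENTRAL
aaa authentication dot1x default group ISE
aaa authorization network default group ISE
aaa accounting dot1x default start-stop group ISE
!
dot1x system-auth-control
! Send EAP-Success to 802.1X supplicants during critical authentication so
! they do not keep retrying while the WAN link is down.
dot1x critical eapol
!
! --- Access port: dot1x, then MAB, failing open to the data VLAN while ISE is dead
interface GigabitEthernet1/0/1
 switchport mode access
 ! Placeholder data and voice VLANs.
 switchport access vlan 10
 switchport voice vlan 20
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication event fail action next-method
 ! Critical authentication: with no reachable PSN, authorise the port in
 ! VLAN 10 (the normal access VLAN, i.e. fail open) and in the voice VLAN.
 authentication event server dead action authorize vlan 10
 authentication event server dead action authorize voice
 ! When a PSN becomes reachable again, re-run authentication so the ISE
 ! policy is enforced on sessions that were authorised during the outage.
 authentication event server alive action reinitialize
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
```

Whether the critical VLAN should be the normal access VLAN (true fail-open) or a more restricted VLAN is the design decision the question raises; the configuration only makes the switch's behaviour during a PSN outage deterministic and logged.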
Similar Messages
-
Hello,
I am an engineer working with a Cisco Gold Partner in Saudi Arabia. We have a large university as our client where they are constructing a new
building and require our services to build the network infrastructure. Therefore, we are to implement the routing and switching infrastructure as
well as the Wireless solution.
At present, I have no issues in implementing the R&S infrastructure as it is very straight forward but it has implications on the deployment of
the wireless solution which I explain further below. The R&S infrastructure comprises of the typical Core, Distribution, and Access layers and we
are focusing on the local distribution and access switches with regards to the new building. The client has a converged Layer 3 network spanning
from distribution layer to core layer and they are running EIGRP for this convergence. This is not a problem and has already been implemented.
Yet, the challenge arises in deploying the WLAN infrastructure. The client already has a Cisco WLAN infrastructure in place where they have a
large number of LAPs that are registered with their controllers in the Data Center. They have two WLC 5508 where one is the Primary and the other
the Secondary. The local distribution switch to which the WLC are connected also is the gateway for the SVIs for the SSIDs that are configured on
the controllers. This means that once the packets from the AP come in to the WLC, they are tagged with the correct VLAN and sent to the directly
connected distribution switch which then routes it into the rest of the Layer 3 network. Interestingly, the WLC 5508 are running AireOS 7.6 and
support the "New Mobility" feature. The two controllers have formed a Mobility Group (MG) between each other.
Now, the new building will have two Catalyst 3850 switches installed where each one has a total of 40 AP licenses pre-installed and activated
i.e. a total of 80 APs can be supported by the two switches. A total of 67 LAPs will be deployed in the new building which can be accommodated
between the two switches and their integrated controller.
Yet, based on my understanding and research about Converged Access is that, ideally, the Catalyst 3850 will only run the Mobility Agent (MA)
feature while a central controller would provide the Mobility Controller (MC) service. Unfortunately, there are not enough licenses on the
existing WLC 5508 nor can we migrate the new licenses that will facilitate such a split deployment.
This means that I would need to configure the two Catalyst 3850 as independent MC and form a MG between them. I have done this and tested this
already and the mobility is working fine. But my concern is not about getting the Catalyst 3850 to work as this is simple but rather it is
focused on creating a common Mobility Domain (MD) so that clients can roam from this new building to the rest of the campus while maintaining the
state of their connections to the WLAN infrastructure.
To make things more complicated, since the new building will have its own Layer 3 distribution switch and the Catalyst 3850 switches will connect
to this distribution switch, it means that new VLANs and SVIs need to be created for the SSIDs broadcast in the new building. This means that new
subnets need to be assigned to the SSIDs.
As such, I have the following questions:
Q1) If we create new SVIs for the SSIDs (same SSIDs names will be used in the new building as in the rest of the university campus) this means
that new subnets will be assigned to these SSIDs. Now, I believe I have two options...one is to make the new Catalyst 3850s to be in the same MG
as the existing WLC 5508 which then cater for Layer 3 client roaming or I have to treat this as a totally separate WLAN network and follow on to
the solution as per the next question. Please advise which is a better option?
Q2) I could create separate MG i.e. the new building Catalyst 3850s can be in one MG and the existing controllers can be in another MG. I can
then have one of the existing WLC 5508 (the primary one) to run the Mobility Oracle (MO) feature so as to create a single Mobility Domain (MD).
Would this facilitate in Layer 3 client roaming and RRM for all the controllers in the same MD?
Q3) If I do create a MD, how is this accomplished in such an environment since the documentation is severely limited in this regard?
Please advise at your earliest. To assist further, I have attached a topology diagram which may aid in explaining the situation with more
clarity. If these things are clarified, I will be better able to wrap my head around the technology and in turn service my clients better.
Regards,
Amir
Hi Amir,
Q1) If we create new SVIs for the SSIDs (same SSIDs names will be used in the new building as in the rest of the university campus) this means that new subnets will be assigned to these SSIDs. Now, I believe I have two options...one is to make the new Catalyst 3850s to be in the same MG as the existing WLC 5508 which then cater for Layer 3 client roaming or I have to treat this as a totally separate WLAN network and follow on to the solution as per the next question. Please advise which is a better option?
I would configure them in the same mobility group. Also configure same SPG for those two 3850 stacks if users are frequently roaming within these two buildings.
Q2) I could create separate MG i.e. the new building Catalyst 3850s can be in one MG and the existing controllers can be in another MG. I can then have one of the existing WLC 5508 (the primary one) to run the Mobility Oracle (MO) feature so as to create a single Mobility Domain (MD). Would this facilitate in Layer 3 client roaming and RRM for all the controllers in the same MD?
MO is not required (it is only for very large scale deployments)
Q3) If I do create a MD, how is this accomplished in such an environment since the documentation is severely limited in this regard?
Yes, documents are hard to find :(
These notes may be useful to you based on my experience. I am running IOS-XE 3.6.1 in my production.
http://mrncciew.com/2014/05/06/configuring-new-mobility/
http://mrncciew.com/2013/12/14/3850ma-with-5760mc/
HTH
Rasika
*** Pls rate all useful responses **** -
Has anyone deployed converged access with 3850 switches and 5760 WLCs?
Has anyone deployed a converged access network architecture with 3850 switches and 5760 WLCs? I have done lots of projects with the 5508 WLCs in a centralized deployment. Basically with this design, I manage 2 logical networks as the wireless network is an overlay over the wired network. I can design a firewall to segregate traffic between the wired and wireless, hence I can carry both staff and guest traffic.
Now Cisco is telling us that there is a new design such that the data plane traffic can be dropped locally through the 3850 switches. I am not sold on this and have not found any recommended best practices on when we should use a converged access architecture.
Pros
With converged access, data traffic is terminated at the MA which is on the switches, hence the WLC will not be a bottleneck? This is to prepare adoption for 802.11ac?
Less hops for voice calls from user A to user B as data control traffic is dropped locally.
Cons
Now how do I segregate guest and staff traffic if my security folks say I need a firewall?
Troubleshooting wireless client mobility will be a nightmare as the 3850 switches are MA.
Pushing and upgrading code for the Code will mean upgrading the stack of switches in the LAN riser. This will be painful in a huge campus environment like a university.
Can someone convince me why would a customer choose converged access?
Sent from Cisco Technical Support iPad App
They choose CA because of the CAPWAP termination at the switch. You can still use a 5508 and tunnel guest to a DMZ segment if you wish. You will need a 5508 though if you want to tunnel traffic to an anchor WLC.
Sent from Cisco Technical Support iPhone App -
I own an E2000 router with the latest firmware. I set up an access restriction policy for my children's mobile devices: a deny policy based on MAC address. Sometimes it works and sometimes it won't work. It seems that when my children keep using, for instance, WhatsApp, the internet connection keeps open despite the policy. Does anyone know a solution for this?
kind regards,
cees
Thanks Jake,
I know that a factory reset is possible via the web interface. My question was whether it is possible to do a scheduled reboot with an option in the firmware? Indeed the time zone is important. I checked this.
Does anybody know if the access restriction policy works on a live internet connection? For example: my daughter uses her smartphone with Facebook and she uses it from 16:00 to 17:00, and the policy is that at 16:30 it must be blocked? Or can the policy only work on a connection when it starts up (and then checks the time in the policy to know if a restriction is possible)?
cheers -
ISE Auth Policy with Converged Access
Hi
I'm setting up Dot1X authentication using ISE 1.3 and 5760/3850 WLAN controllers. The problem is that I'm not able to match my authentication policy defined on ISE. It jumps directly to the default policy; I'm using Called Station ID = SSID but it is not able to match this.
I have configured this before on WLC AireOS but not with converged access. Is there something that needs to be done on the 3850 WLC to send this info to ISE?
Yes, I can see that everything is working, with certificate and other stuff. It is only that it is not matching the SSID.
I have tried different ways to do the SSID filtering:
NAS port ID Equals SSID,
Called Station ID Equals SSID
But none of these works. Does anyone know if I have to do something different when doing this setup through converged access? -
ISE web auth for non-cisco switch(D-link 3528)
Is it possible to use ISE (inline posture node) to redirect the wired users to the ISE guest portal?
And the wired users will get full network access after they pass the web auth.
You can use the ISE in-line posture node with 3rd party switches.
RADIUS access device must supply the following RADIUS attributes:
Calling-Station-Id (for MAC_ADDRESS)
User-Name
NAS-Port-Type
RADIUS accounting message must have the Framed-IP-Address attribute
VLAN and dACL features can be used, but again it depends on the switch model; let us know the specific switch models. Certain advanced use cases, such as those that involve posture assessment, profiling, and web authentication, are not consistently available with non-Cisco devices or may provide limited functionality. -
Converged or Non-Converged 2012 R2 Hyper-V Cluster
Here's the scenario.
I have 4 PowerEdge R710 servers each with a total of 12 1Gb NICs connected to 2 physical switches for redundancy. I have 4 of these reserved for iSCSI storage connectivity.
For the remaining 8 NICs previously in a Server 2008 R2 cluster I would have had the following:
Management Team (2 NICS)
Backup Team (2 NICS)
Hyper-V Team (2 NICS)
Live Migration (1 NIC)
Cluster/CSV (1 NIC)
Now I want to upgrade the Hyper-V cluster to Server 2012 R2 using the same hardware and I have read much on converged networks, smb multichannel and new inbuilt NIC teaming.
I understand there are many different ways to design the networking now and therefore for the networking hardware I have available what are other peoples thoughts on the best design.
Should I keep the old style non-converged networking and have underutilized NICS for much of the time or would a converged network design be able to provide better network performance?
Say for example I create a team of 8 x 1Gb NICs and split the Management, Backup, Hyper-V, Live-Mig and Cluster/CSV with vNICs and weighted QoS, would I see improvements in the networking?
What are your thoughts?
Microsoft Partner
Hi,
You can converge all NICs then split every type of traffic onto a virtual NIC; please refer to the 2nd scenario within the following link:
http://technet.microsoft.com/en-us/library/jj735302.aspx
Best Regards
Elton Ji
We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time.
Thanks for helping make community forums a great place. -
SharePoint Designer 2013 cannot access workflows in Office 365 Site
I have an Office 365 SharePoint site with a number of workflows that I have created on my machine with SPD 2013. After a number of weeks I was unable to access the workflows from my machine through SPD (while still being able to access pages, site assets
etc.), getting the following error: (Am restricted from submitting images)
"Server-side activities have been updated. You need to restart SharePoint Designer to use the updated version of activities"
Restarting SPD doesn't help, after clicking OK I get the "SharePoint Designer cannot display the item" screen, prompting me to refresh.
When I do refresh, I get the following:
"Windows Workflow Foundation, part of .Net Framework 3.0, must be installed to use this feature"
This is happening on my machine, Windows 7 64 Bit, SPD 2013 64 Bit, but on a colleague's machine, Win 7 64 Bit, SPD 2013 64 Bit I can access the workflows.
I get the same error if I try to create a new Workflow on my machine but I can create it on my colleague's machine.
I downloaded SPD 2013 on a 32 bit laptop I have access to, in which I can create a workflow. One existing workflow can be accessed, updated etc. with no issue, one opens to a prompt to "Insert a stage" and one tells me that it "Failed to load
the workflow definition for the workflow", then the "SharePoint Designer cannot display the item" screen. All of these workflows can be accessed from my colleague's machine.
Here are the actions that I have taken to date on my own machine:
Cleared the caches multiple times
Checked for updates
Installed .Net Framework 4.5
Re-installed .Net Framework 4.0 (which contains 3.0)
Uninstalled and re-installed SPD 2013
Due to issues with a workflow on the site I am in contact with MS Support who are aware of this issue, they sent me a link to a hot fix that was already installed but they have no concrete idea of what might be going on.
I was convinced that it was an issue on my machine, but I don't know what the issues that I have seen on the 32 bit SPD on the new laptop mean.
I have been searching the internet for a fix with no success, I would appreciate any help.
Thanks
Mick
Hi,
According to your post, my understanding is that SharePoint Designer 2013 cannot access workflows in Office 365 Site.
There was an issue recently when a service release was implemented that incremented the version number in the HTML header on some SharePoint online sites to '16' when SPD was expecting '15'.
I suggest installing Internet Explorer 10 and a patch for IE10. Then test with "Open with Windows Explorer", then open it in SPD from SharePoint Online.
In addition, I suggest that in SPD go to Account > Switch Account and type in the credentials of the site you are trying to open (it defaults to your Microsoft Login).
If the issue persists, to troubleshoot this issue, you can uninstall all versions of SharePoint Designer on workstation, clear cache and then reinstalling the latest SharePoint Designer. For the detailed information, you can refer to the
article: http://support.microsoft.com/kb/2794961
Here are two similar threads for you to take a look at:
http://social.msdn.microsoft.com/Forums/sharepoint/en-US/15fd1436-3166-4e43-8b22-cdb480091548/cant-open-sharepoint-online-site-in-sharepoint-designer-2013
http://community.office365.com/en-us/forums/154/t/149314.aspx?PageIndex=2
By the way, you can also post the question in Office 365 forum and more experts will assist you.
Office 365 forums
:http://community.office365.com/en-us/forums/default.aspx
More information:
SharePoint Designer 2013: Server-side activities have been updated:
http://www.andreasthumfart.com/2013/08/sharepoint-designer-2013-server-side-activities-have-been-updated/
Best Regards,
Linda Li
-
ISE - AAA radius authentication for NAD access
Hi ,
I have configured the switches to use the ISE as the RADIUS server to authenticate with. On the ISE I've configured an authentication policy
for the "NADs" using the "Wired Devices" group which points to the AD identity source to authenticate against.
While testing the login access to the switches we've come up with 2 results:
1. A domain user can indeed login to the switch as intended.
2. Every domain user which exists in the AD identity source can login; this is an undesired result.
So I am trying to search for a way to restrict access to the NADs to only a particular group belonging to the AD, for example the group/OU
of the IT_department only.
I haven't been successful; would appreciate any ideas on how to accomplish this.
Switch configurations :
=================
aaa new-model
aaa authentication login default group radius local
ISE Authentication policy
==================
Policy Name : NADs Authentication
Condition: "DEVICE:Device Type Equals :All Device Types#Wired"
Allowed Protocol : Default Network Access
use identity source : AD1
Thank you for the quick replies, and now OK, I've configured the following authorization policy:
Rule Name : Nad Auth
Conditions
if: Any
AND : AD1:ExternalGroups EQUALS IT_Departments
Permissions , then PermitAccess
What I don't understand is that it needs to match an "identity group" which can be either "Endpoint Identity group" or "Users Identity group". I am limited with the if statement and cannot choose the same device group I chose before.
How can I do that? I am thinking ahead and asking myself if in other cases a user might match this policy rule and can interfere? -
ISE Network Access Security Policy Document - High/Low
Has anybody created the High and Low level designs for the NASP?
This is my first time and its always easier to have a template to work off of than to reinvent the wheel. An incomplete example is displayed below but I was hoping someone had a complete one of high and low.
Employee Authorization Rule
Table of Contents for Employee Security Policy:
I. Members pg. xxx
II. Acceptable Use Policy pg. xxx
III. Windows 7 Security Requirements pg. xxx
1. Approved AV Installed & Up-to-date pg. xxx
a. Security checks pg. xxx
b. Security rules pg. xxx
IV. Network Access Permissions pg. xxx
1. VLAN Segmentation pg. xxx
a. Noncompliant Posture VLAN pg. xxx
b. Access VLAN Name/ID pg. xxx
2. Access Control List pg. xxx
3. SmartPort Macro pg. xxx
4. Security Group Tag number pg. xxx
IV. Network Access Permissions
1. VLAN Segmentation – Yes
a. Noncompliant Posture VLAN = quarantine-vlan/100
b. Access VLAN Name/ID = employees/10
2. Access Control List – Yes
a. Compliant ACL = permit All IP
b. Noncompliant ACL =
5 Permit TCP from any to “AUP web server” equaling 80
Description: Allow anyone to access the acceptable use policy link
10 Permit TCP from any to “Link based remediation resources” equaling 80 & 443
Description: Allow web traffic to the appropriate remediation resources
20 Permit TCP from any to “file based remediation” equaling 80 & 443
Description: Allow web traffic to the cam for remediation file distribution
30 Permit UDP from any to “dmz DNS Server” equaling DNS
Description: Allow DNS only to the dmz dns server
40 Deny IP from any to any
Description: Block everything else
3. SmartPort Macro – no
4. Security Group Tag number – 10
You can download the Cisco ISE High Level design document template from the following link
ATP Partner Resource Center
http://www.ciscosecurityatp.com/login.asp?strReturn=/index.asp -
Hi
I'm about to set up a converged access solution with WLC 5760 as MC and several 3850 as MAs. It is not clear to me what needs to be configured on the MC and what needs to be configured on the MAs.
I know that each MA has to be configured with the WLAN configuration, but what about things like security profile, ACL, RADIUS? Does anyone have good documentation explaining this?
Hi
Below should help you to start with basic peering between MA & MC
http://mrncciew.com/2013/12/14/3850ma-with-5760mc/
WLAN configuration to be done on MA
http://mrncciew.com/2013/12/04/wlan-config-in-3850-part-1/
http://mrncciew.com/2013/12/06/wlan-config-with-3850-part-2/
The posts below should also help you with 5760/3850 basic configs
http://mrncciew.com/2013/12/12/getting-started-with-5760/
http://mrncciew.com/2013/09/29/getting-started-with-3850/
http://mrncciew.com/2013/12/16/configuring-radius-on-5760/
Also this thread listed some useful documentation about CA.
https://supportforums.cisco.com/discussion/11984726/converged-access-design-information
HTH
Rasika
**** Pls rate all useful responses *** -
Hi
I'm doing CWA with my 3850 WLC, but the client seems to be stuck in "WEBAUTH_PEND" on the WLC client list.
It all looks OK in the ISE logs, and in the client detail I can see that it has gotten the redirect URL, but nothing is happening.
Can someone give me some ideas on where I should look?
See if these links help
https://supportforums.cisco.com/document/147096/converged-access-%E2%80%93-configure-ssid-central-web-authentication-cwa-using-ise-catalyst
HTH
Rasika
*** Pls rate all useful responses *** -
AP1262 bridge to Non-Cisco Access Point?
I would like to use a Cisco AP1262 in a mobile command vehicle to bridge to any WiFi access point that I know the SSID and password to. Will the 1262 bridge to a non-Cisco access point?
If so, any assistance in finding an example configuration would be appreciated.
Thanks,
Brian
Hi Brian,
Yes, you can configure the 1262 as a Universal Workgroup Bridge where it will associate to any Cisco or non-Cisco root AP. You can only connect one wired client behind a universal WGB.
You just need to configure "station-role workgroup-bridge universal <wired_client_MAC>" under radio interface of WGB. (1262)
Something similar should work for your 1262, if you want it in 5GHz, otherwise configure radio 0 interface for WGB
hostname WGB
!
dot11 ssid <SSID-NAME>
 authentication open
 authentication key-management wpa version 2
 wpa-psk ascii <PASSWORD>
!
interface Dot11Radio1
 encryption mode ciphers aes-ccm
 station-role workgroup-bridge universal 068d.098a.d422   <- Ur wired MAC
 ssid <SSID-NAME>
 bridge-group 1
!
interface GigabitEthernet0
 bridge-group 1
NB: I haven't tested this, so you have to test & confirm. If WPA2/AES is not supported then you may need to choose suitable security protocol & encryption mechanism.
HTH
Rasika
*** Pls rate all useful responses **** -
I cannot get iTunes to work/install on my PC. I am running Windows 8 on a 64 bit machine. I also want to purchase books via iTunes for my Nook. Are you deliberately excluding PC owners so we cannot use iTunes on our computers???? I have selected a community but have no idea what community I should be working with. Can someone explain these communities to me? Also, you don't allow much time to go thru the sign up process. I had to start over SEVERAL times as you kept timing me out. Jesus...when people are signing up for the first time, we have no idea of the questions that will be asked. Give us a break and give us time to sign up. Not everyone is disability free and able to go thru your process quickly...you are NOT user friendly. You should be for people who are wanting to join your community. I used to want an Apple product but now that I have had first hand experience with your web page, I think I will probably stay away from Apple products. VERY DISAPPOINTING
Jan 11, 2014 10:26 AM Re: I NEED I TUNES FOR A 64 BIT PC. OPERATING SYSTEM IS WINDOWS 8, NON TOUCH SCREEN. WHICH IS THE ABSOLUTELY BEST WAY TO GET ITUNES OPERATING CORRECTLY ON MY PC????//I HAVE TRIED SEVERAL THINGS, NONE OF WHICH ARE WORKING. IS ITUNES DELIBERATELY EXCLUDING PC'S in response to Birdlover1
Post over in the iTunes for Windows forum, here:
https://discussions.apple.com/community/itunes/itunes_for_windows
sebastian -
Auto deploying branch office printers with Direct Access
Hello there
I am implementing my first Direct Access topology and have a question. We will have branch offices with workstations deployed using Direct Access for administrative purposes. We have staff moving around from branch to branch with the goal to
make logging on to the network and accessing resources for users as automated as possible. One of the questions I have regards auto configuring branch printers for users using Group Policy. The branch offices have workstations, printers and NAT modem/routers
with DHCP - but no servers.
If we have a stand alone network printer, how do we list that printer in Active Directory allowing the user to auto-configure it using group policy? If we install it on a server at Head Office, would the print job travel there first and then back to
the branch? Obviously this is not ideal. Or can it be directed straight to the printer using a script or something?
Alternatively we can install and share it on a branch workstation and list it in the directory, but would this not be same the problem as above? This is not ideal either as it would depend on the workstation being always on and available.
Any input Direct Access gurus?
Thanks in advance
MIS5000
Hi,
Thanks for your post.
We could have 2 possible solutions for natively deploying printers using Group Policy without the need for any scripting:
1) Group Policy Preferences – available in Windows Server 2008 and later
2) Print Management – available in Windows Server 2003 R2 and later
http://blog.powershell.no/2009/11/08/deploying-printers-using-group-policy/
Did you try to use the Print Management? You can share printers on a network and centralize print server and network printer management tasks using the Print Management Microsoft Management Console (MMC) snap-in. Print Management helps you to monitor print
queues and receive notifications when print queues stop processing print jobs. It also enables you to migrate print servers and deploy printer connections using Group Policy.
https://technet.microsoft.com/en-us/library/cc731857.aspx
Meanwhile, if you have any Direct Access related issue, I think you may ask in network forums:
https://social.technet.microsoft.com/Forums/windowsserver/en-US/home?forum=winserverNIS
Regards.
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]