ISE MAR cache 2-node deployment

I understand the Pros and Cons described in this document:
http://www.cisco.com/c/en/us/support/docs/lan-switching/8021x/116516-problemsolution-technology-00.html
And I'm OK with getting people to reboot their machine while connected wirelessly to trigger host authentications on Windows machines.
My issue is related to the 2-node ISE deployment (I'm running 1.2):
It appears that MAR cache is not synchronized between the ISE nodes (Primary and Secondary).
For example, a user reboots his machine, host authentication is answered by the Primary ISE, and user authentication subsequently succeeds.
Subsequent user authentication requests, if they are answered by the Secondary ISE, will fail, because the Secondary ISE node does not have a corresponding host record in its MAR cache - only the Primary ISE does.
Can someone confirm if this behavior is expected? If I can't get the Secondary ISE node to mirror MAR host entries, I'm going to have a LOT of failures, and a lot of user problems. Is there even a workaround for this?

Yes, it is called EAP-Chaining, and all the shortcomings of MAR are resolved by this.

Similar Messages

  • ISE MAR cache

    Does anybody know what's going to happen if one changes the MAR cache timeout/aging setting found under Identity Management > External Identity Sources > Active Directory > Advanced Settings? Are the current cache entries going to get cleared or are they going to stay? Is there a way to actually see these entries somewhere (per PSN), and can one selectively delete them?
    Depending on the answer to these questions, I have to make the aging timeout change during a maintenance window on the customer's infrastructure. Using ISE 1.2, patch 6.
    Oh, and another question: Are there any drawbacks (e.g. cache size or security issues, other constraints) that would suggest to not increase the default aging timeout to a value of a full week or even more?
    Thanks
    Toni

    Hi Toni,
    Machine Access Restriction for Active Directory User Authorization
    Cisco ISE contains a Machine Access Restriction (MAR) component that provides an additional means of controlling authorization for Microsoft Active Directory-authenticated users. This form of authorization is based on the machine authentication of the computer used to access the Cisco ISE network. For every successful machine authentication, Cisco ISE caches the value that was received in the RADIUS Calling-Station-ID attribute (attribute 31) as evidence of a successful machine authentication.
    Cisco ISE retains each Calling-Station-ID attribute value in cache until the number of hours that was configured in the “Time to Live” parameter in the Active Directory Settings page expires. Once the parameter has expired, Cisco ISE deletes it from its cache.
    When a user authenticates from an end-user client, Cisco ISE searches the cache for a Calling-Station-ID value from successful machine authentications for the Calling-Station-ID value that was received in the user authentication request. If Cisco ISE finds a matching user-authentication Calling-Station-ID value in the cache, this affects how Cisco ISE assigns permissions for the user that requests authentication in the following ways:
    If the Calling-Station-ID value matches one found in the Cisco ISE cache, then the authorization profile for a successful authorization is assigned.
    If the Calling-Station-ID value is not found to match one in the Cisco ISE cache, then the authorization profile for a successful user authentication without machine authentication is assigned.
    http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_authz_polprfls.html
    HTH
    Sandy

  • Oracle Web Cache Administration and Deployment Guide

    Does anyone know where the Oracle Web Cache Administration and Deployment Guide is?
    From Oracle9iAS Documentation Library CD-ROM,
    it says this document is in OTN. However, I just can't find this document in OTN.
    Any idea?

    Rick -
    try this link on for size:
    http://technet.oracle.com/docs/products/ias/doc_library/1022doc_otn/caching.102/a90372/toc.htm
    To get to the iAS documentation, try this path through technet:
    Top Level
    -> click documentation link on RHS
    -> click Oracle9i Application Server link
    -> click Generic Documentation Library link (HTML) or (PDF)
    That should get you to the documentation library, from which you can view all the component doc, install guides, performance guides, etc.

  • ISE - Loss of All Nodes in a Distributed Deployment, Recovery Using New IP Addresses and Hostnames

    Hi Experts,
    I have a question regarding ISE disaster recovery with the same hostname and IP. For step 2, is it a must to generate a self-signed cert? Is it possible to go back to the original N1 CA-signed certificate?
    Resolution Steps
    1. Obtain the N1 backup and restore it on N1A. See "Restoring Data from a Backup" section for more information. The restore script will identify the hostname change and domain name change, and will update the hostname and domain name in the deployment configuration based on the current hostname.
    2. You must generate a new self-signed certificate. See "Generating a Self-Signed Certificate" section for more information.
    3. You must log in to the Cisco ISE user interface on N1A, choose Administration > System > Deployment, and do the following:
    a. Delete the old N2 node. See "Removing a Node from Deployment" section for more information.
    b. Register the new N2A node as a secondary node. See "Registering and Configuring a Secondary Node" section for more information. Data from the N1A node will be replicated to the N2A node.
    http://www.cisco.com/c/en/us/td/docs/security/ise/1-1-1/user_guide/ise_user_guide/ise_backup.html

    Hi,
    The reason for asking to create a self-signed cert is that the subject name of the certificate should match the ISE node FQDN. If you import the N1 node CA-signed certificate, that certificate will have the hostname of the N1 node as its subject name and it will not work.
    So you have to create a self-signed certificate or get a new CA-signed certificate with the N1A node FQDN as its subject name.
    Hope this clarifies the reason for the self-signed certificate.

  • ISE 1.2 - MAR cache with PEAP vs EAP Chaining

    Does EAP chaining with EAP-FAST v2 and NAM 3.1 present the machine certificate for authentication during each connection to wireless? It's not still tied to the Windows login event as with PEAP?
    I found this article, but would like to see if anyone has experience working with EAP chaining in ISE.
    https://tswireless.wordpress.com/2012/09/22/cisco-ise-machine-authentication-cache/

    Yes, if you set up NAM for EAP-Chaining - Machine and User, and then select EAP-TLS w/cert, NAM will send both when a user logs in. When the machine is booting, only the machine identity will be sent (because we don't know the user's identity before they have attempted to log in).

  • Ask the Expert: ISE 1.2: Configuration and Deployment with Cisco expert Craig Hyps

    Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about how to deploy and configure Cisco Identity Services Engine (ISE) Version 1.2 and to understand the features and enhanced troubleshooting options available in this version, with Cisco expert Craig Hyps.
    October 27, 2014 through November 7, 2014.
    The Cisco Identity Services Engine (ISE) helps IT professionals meet enterprise mobility challenges and secure the evolving network across the entire attack continuum. Cisco ISE is a security policy management platform that identifies users and devices using RADIUS, 802.1X, MAB, and Web Authentication methods and automates secure access controls such as ACLs, VLAN assignment, and Security Group Tags (SGTs) to enforce role-based access to networks and network resources. Cisco ISE delivers superior user and device visibility through profiling, posture and mobile device management (MDM) compliance validation, and it shares vital contextual data with integrated ecosystem partner solutions using Cisco Platform Exchange Grid (pxGrid) technology to accelerate the identification, mitigation, and remediation of threats.
    Craig Hyps is a senior Technical Marketing Engineer for Cisco's Security Business Group with over 25 years of networking and security experience. Craig is defining Cisco's next generation Identity Services Engine, ISE, and concurrently serves as the Product Owner for ISE Performance and Scale, focused on the requirements of the largest ISE deployments.
    Previously Craig has held senior positions as a customer Consulting Engineer, Systems Engineer and product trainer. He joined Cisco in 1997 and has extensive experience with Cisco's security portfolio. Craig holds a Bachelor's degree from Dartmouth College and certifications that include CISSP, CCSP, and CCSI.
    Remember to use the rating system to let Craig know if you have received an adequate response.
    Because of the volume expected during this event, Ali might not be able to answer each question. Remember that you can continue the conversation on the Security community, sub-community shortly after the event. This event lasts through November 7, 2014. Visit this forum often to view responses to your questions and the questions of other community members.

    1. Without more specifics it is hard to determine the actual issue. It may be possible that, if configured in the same subnet, asymmetric traffic caused connections to fail. A key enhancement in ISE 1.3 is to make sure traffic received on a given interface is sent out the same interface.
    2. Common use cases for using different interfaces include separation of management traffic from user traffic such as web portal access, or to support dedicated profiling interfaces. For example, you may want employees to use a different interface for sponsor portal access. For profiling, you may want to use a specific interface for HTTP SPAN traffic or possibly configure IP Anycast to simplify reception and redundancy of DHCP IP Helper traffic. Another use case is simple NIC redundancy.
    a. Management traffic is restricted to eth0, but a standalone node will also have the PSN persona, so the above use cases can apply to interfaces eth1-eth3.
    b. For dedicated PAN / MnT nodes it usually does not make sense to configure multiple interfaces, although ISE 1.3 does add support for SNMP on multiple interfaces if needed to separate it out. It may also be possible to support NIC redundancy but I need to do some more testing to verify.
    For PSNs, NIC redundancy for RADIUS as well as the other use cases for separate profiling and portal services apply.
    Regarding the Supplicant Provisioning issue, the flows are the same whether wireless or wired. The same identity stores are supported as well. The key difference is that wireless users are directed to a specific auth method based on WLAN configuration, and Cisco wired switches allow multiple auth methods to be supported on the same port.
    If RADIUS Proxy is required to forward requests to a foreign RADIUS server, then the decision must be made based on basic RADIUS attributes or things like NDG. ISE does not terminate the authentication requests; that is handled by the foreign server. ISE does support advanced relay functions such as attribute manipulation, but I recommend reviewing the requirements with your local Cisco or partner security SE if trying to implement provisioning for users authenticated via proxy. Proxy is handled at the Authentication Policy level. CWA and Guest Flow are handled in the Authorization Policy. If you need to authenticate a CWA user via external RADIUS, then you need to use a RADIUS Token Server, not RADIUS Proxy.
    A typical flow for a wired user without 802.1X configured would be to hit the default policy for CWA. Based on successful CWA auth, CoA is triggered and the user can then match a policy rule based on guest flow and CWA user identity (AD or non-AD) and be returned an authorization for NSP.
    Regarding AD multi-domain support...
    Under ISE 1.2, if you need to authenticate users across different forests or domains, then mutual trusts must exist, or you can use multiple LDAP server definitions if the EAP protocol supports LDAP. RADIUS Proxy is another option to have some users authenticated to different AD domains via a foreign RADIUS server.
    Under ISE 1.3, we have completely re-architected our AD connector and support multiple AD Forests and Domains with or without mutual trusts.
    When you mention the use of RADIUS proxy, it is not clear whether you are referring to ISE as the proxy or another RADIUS server proxying to ISE. If you had multiple ISE deployments, then a separate RADIUS server like ACS could proxy requests to different ISE 1.2 deployments, each with their own separate AD domain connection. If ISE is the proxy, then you could have some requests being authenticated against the locally joined AD domain while others are sent to a foreign RADIUS server which may have one or more AD domain connections.
    In summary, if the key requirement is the ability to join multiple AD domains without mutual trust, then very likely ISE 1.3 is the solution. Your configuration seems to be a bit involved and I do not want to provide design guidance on a paper napkin, so I recommend consulting with your local ATP Security SE to review overall requirements, topology, AD structure, and RADIUS servers that require integration.
    Regards,
    Craig

  • ISE MAR in a Kiosk Environment

    Situation:
    Windows native supplicant configured for "Machine or User authentication."
    ISE configured for MAR with cache timeout of 24 hours.
    Questions in Red:
    1. Every morning the Machine boots and successfully authenticates with 802.1X. Machine dACL pushed by ISE to switch for Machine session.
    2. A few minutes later, UserA logs on successfully with 802.1X. UserA dACL pushed by ISE to NAD for UserA session. UserA dACL supersedes Machine dACL.
    3. UserA logs off.
    What is happening to the UserA dACL on the switch for that session?
    Does the workstation supplicant tell the NAD that UserA has disconnected?
    Does the workstation supplicant perform a new Machine authentication so the Machine dACL will now be reapplied to the session, or is the switch still stuck with the UserA dACL for that session?
    4. UserB logs on. ISE will push UserB dACL.
    Thanks.
    Cath.

    Cath,
    What version of OS are the kiosks on?
    First answers to your questions -
    What is happening to the UserA dACL on the switch for that session? - The user login will trigger a new dACL to be applied to the switch port; the machine dACL is then removed, since this triggers a new AAA session.
    Does the workstation supplicant tell the NAD that UserA has disconnected? - When the user logs off, computer authentication then occurs, which will apply the machine ACL to the port, since this triggers a new AAA session.
    Does the workstation supplicant perform a new Machine authentication so the Machine dACL will now be reapplied to the session, or is the switch still stuck with the UserA dACL for that session? - When the user logs off the machine ACL should be applied; if the user locks the machine then the UserA ACL is still on the port.
    Here is some information that will provide insight to when the machine authentication is triggered, logging off of the client should be one of those scenarios.
    http://social.technet.microsoft.com/Forums/windows/en-US/5e1bbaa4-9dad-40da-8e53-a7d67e17c20b/windows-7-wireless-supplicant-user-or-computer-authentication
    Here are few issues when using MAR -
    ◦ Ethernet/WiFi transitions: Calling-Station-ID (MAC address) is used to link machine and user authentication; MAC address will change when laptop moves from wired to wireless breaking the MAR linkage.
    ◦ Machine state caching: The state cache of previous machine authentications is neither persistent across ACS/ISE reboots nor replicated amongst ACS/ISE instances.
    ◦ Hibernation/Standby: 802.1X fails when the endpoint enters sleep/hibernate mode and then moves to a different location, or comes back into the office the following day, where machine auth cache is not present in new RADIUS server or has timed out.
    I think the best solution out right now is AnyConnect NAM with EAP chaining: it performs machine authentication when booting up and logging off, and performs EAP chaining when users authenticate, each and every time. You can also remove the machine-authenticated condition and use the EAP-chaining condition instead.
    Thanks,
    Tarik Admani
    *Please rate helpful posts*
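The three MAR weaknesses Tarik lists, the cache behaviour Sandy's reply describes earlier on this page (an entry per Calling-Station-ID, aged out after the configured time to live, one cache per node) and the two-node failure in the opening question can all be seen in a small model. The following is an added Python example, not code from any of the posts or from Cisco ISE; the node names, MAC addresses, the 24-hour TTL (taken from Cath's setup) and the two authorization profile names are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed profile names standing in for the two outcomes Sandy's reply
# describes: Calling-Station-ID found in the cache, or not found.
PROFILE_MACHINE_AND_USER = "Employee_Full_Access"
PROFILE_USER_ONLY = "Employee_No_Machine_Auth"


@dataclass
class PolicyServiceNode:
    """One PSN with its own MAR cache; nothing is replicated between instances."""
    name: str
    ttl_hours: float
    # Calling-Station-ID (endpoint MAC as the NAD reports it) -> expiry time (hours)
    mar_cache: dict = field(default_factory=dict)

    def machine_auth_success(self, calling_station_id: str, now_h: float) -> None:
        # Every successful machine authentication (re)stamps the entry.
        self.mar_cache[calling_station_id] = now_h + self.ttl_hours

    def _machine_record_present(self, calling_station_id: str, now_h: float) -> bool:
        expires_h = self.mar_cache.get(calling_station_id)
        if expires_h is None:
            return False
        if now_h >= expires_h:
            del self.mar_cache[calling_station_id]  # aged out, as the TTL dictates
            return False
        return True

    def user_auth(self, calling_station_id: str, now_h: float,
                  eap_chained_machine_identity: bool = False) -> str:
        """Authorization profile a *successful* user authentication receives."""
        if eap_chained_machine_identity:
            # EAP chaining: the machine identity arrives in the same exchange,
            # so the result does not depend on this node's cache at all.
            return PROFILE_MACHINE_AND_USER
        if self._machine_record_present(calling_station_id, now_h):
            return PROFILE_MACHINE_AND_USER
        return PROFILE_USER_ONLY


def run_scenarios() -> dict:
    primary = PolicyServiceNode("ise-psn-1", ttl_hours=24)
    secondary = PolicyServiceNode("ise-psn-2", ttl_hours=24)
    wired_mac = "00-11-22-33-44-55"  # constructed sample endpoint MACs
    wifi_mac = "00-11-22-33-44-66"

    # 08:00: the machine boots and the NAD happens to send machine auth to psn-1.
    primary.machine_auth_success(wired_mac, now_h=8.0)
    results = {
        # same node answers the user auth minutes later: cache hit
        "primary_same_mac": primary.user_auth(wired_mac, 8.1),
        # the other node answers the next request: nothing was replicated
        "secondary_same_mac": secondary.user_auth(wired_mac, 8.2),
        # laptop moves to Wi-Fi: a different Calling-Station-ID, so no link
        "primary_wifi_mac": primary.user_auth(wifi_mac, 9.0),
        # next day, past the 24 h TTL, without a new machine authentication
        "primary_after_ttl": primary.user_auth(wired_mac, 33.0),
        # EAP chaining on the secondary: no dependency on the cache
        "secondary_eap_chained": secondary.user_auth(
            wired_mac, 8.2, eap_chained_machine_identity=True),
    }
    # A machine auth that lands on the secondary populates *its* cache only.
    secondary.machine_auth_success(wired_mac, now_h=8.3)
    results["secondary_after_own_machine_auth"] = secondary.user_auth(wired_mac, 8.4)
    return results


if __name__ == "__main__":
    for scenario, profile in run_scenarios().items():
        print(f"{scenario:34} -> {profile}")
```

The model makes the operational point of the thread visible: only the node that answered the machine authentication can later match the user, so any load-balancing or failover that sends the user request elsewhere, a MAC change, or a TTL expiry falls through to the "user without machine authentication" profile, whereas the chained case never consults the cache.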

  • ISE does not register nodes - (blank pop-up window)

    Hello everyone !
    There is a Cisco ISE 1.1.4.218 (all 8 patches) deployment consisting of 6 nodes (2 admin, 2 monitoring, 2 policy) on virtual machines.
    When testing failover between the policy nodes, one of the policy nodes was removed from the deployment. The result of attempting to register this node again is a blank warning pop-up window; the registration stops without the policy node being registered (screenshot in attachment). The same thing happens when I try to register a secondary monitoring node (that was removed earlier, like in the case of the policy node). I also attach a portion of the log file taken from the admin node (CLI) at the moment of attempting to register the policy / monitoring nodes.
    DNS is OK (defined on both sides), all certificates are valid.
    Maybe somebody has already found a similar mistake?
    Sincerely,
    Andrey

    Please check the following prerequisites:
    • The fully qualified domain name (FQDN) of the standalone node that you are going to register, for example, ise1.cisco.com, must be DNS-resolvable from the primary Administration ISE node. Otherwise, node registration will fail. You must enter the IP addresses and FQDNs of the ISE nodes that are part of your distributed deployment in the DNS server.
    • The primary Administration ISE node and the standalone node that you are about to register as a secondary node should be running the same version of Cisco ISE.
    • Node registration fails if you provide the default credentials (username: admin, password: cisco) while registering a secondary node. Before you register a standalone node, you must log into its administrative user interface and change the default password (cisco).
    • You can alternatively create an administrator account on the node that is to be registered and use those credentials for registering that node. Every ISE administrator account is assigned one or more administrative roles. To register and configure a secondary node, you must have one of the following roles assigned: Super Admin, System Admin, or RBAC Admin. See Cisco ISE Admin Group Roles and Responsibilities for more information on the various administrative roles and the privileges associated with each of them.
    • If you plan to register a secondary Administration ISE node for high availability, we recommend that you register the secondary Administration ISE node with the primary first before you register other Cisco ISE nodes. If Cisco ISE nodes are registered in this sequence, you do not have to restart the secondary ISE nodes after you promote the secondary Administration ISE node as your primary.
    • If you plan to register multiple Policy Service ISE nodes running Session services and you require mutual failover among those nodes, you must place the Policy Service ISE nodes in a node group. You must create the node group first before you register the nodes because you need to select the node group to be used on the registration page. See "Creating, Editing, and Deleting Node Groups" section for more information.
    • Ensure that the Certificate Trust List (CTL) of the primary node is populated with the appropriate Certificate Authority (CA) certificates that can be used to validate the HTTPS certificate of the standalone node (that you are going to register as the secondary node). See the "Creating Certificate Trust Lists in the Primary Cisco ISE Node" section on page 12-24 for more information.
    • After registering your secondary node to the primary node, if you change the HTTPS certificate on the registered secondary node, you must obtain appropriate CA certificates that can be used to validate the secondary node's HTTPS certificate and import it to the CTL of the primary node. See "Creating Certificate Trust Lists in the Primary Cisco ISE Node" section on page 12-24 for more information.

  • Found in negative cache error while deploying webdynpro app

    Hi,
    I got the error below when I deployed a Web Dynpro application. There are no build errors.
    java.lang.ClassNotFoundException: com.sws.wdp.Internal_DCF_WindViewSet_DCF_AdminComp_DCF_AdminWind
    Found in negative cache -
    Loader Info -
    ClassLoader name:
    [sws.com/DCF_Admin] Parent loader name: [Frame ClassLoader]
    References: common:service:http;service:servlet_jsp service:ejb common:service:iiop;service:naming;service:p4;
    service:ts service:jmsconnector library:jsse library:servlet common:library:IAIKSecurity;library:activation;library:mail;
    library:tcsecssl library:ejb20 library:j2eeca library:jms library:opensql common:library:com.sap.security.api.sda;
    library:com.sap.security.core.sda;library:security.class;library:webservices_lib;service:adminadapter;
    service:basicadmin;service:com.sap.security.core.ume.service;service:configuration;service:connector;
    service:dbpool;service:deploy;service:jmx;service:jmx_notification;service:keystore;service:security;
    service:userstore interface:resourcecontext_api interface:webservices interface:cross
    interface:ejbserialization sap.com/tcwddispwda sap.com/tcwdcorecomp service:webdynpro service:sld
    library:tcddicddicservices library:com.sap.aii.proxy.framework library:tcgraphicsigs library:com.sap.mw.jco
    library:com.sap.lcr.api.cimclient library:sapxmltoolkit library:com.sap.aii.util.rb library:com.sap.util.monitor.jarm
    library:tcddicddicruntime library:com.sap.aii.util.xml library:com.sap.aii.util.misc
    library:tc~cmi Resources: /usr/sap/EPD/JC00/j2ee/cluster/server0/apps/sws.com/DCF_Admin/webdynpro/public/lib/app.jar
    Loading model: {parent,references,local} -
    I restarted the server, but to no avail.
    Please help me in resolving this.
    Thanks and  Regards,
    Rajesh.A

    Hi,
    Please have a look at these threads:
    Found in negative cache.... very strange.
    What's Negative Cache ??
    Regards
    Saravanan K

  • Unable to generate self signed certificate on secondary ISE Identity Services Engine node

    The certificate has expired. We can generate a new one on the primary node, but not on the secondary node, which fails with
    "internal error - please ask your Administrator to review the error logs."
    Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(Unknown Source)
        at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
        at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
        at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(Unknown Source)
        at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(Unknown Source)
        at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Unknown Source)
        at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Unknown Source)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
        at org.apache.axis.components.net.JSSESocketFactory.create(JSSESocketFactory.java:186)
        at org.apache.axis.transport.http.HTTPSender.getSocket(HTTPSender.java:191)
        at org.apache.axis.transport.http.HTTPSender.writeToSocket(HTTPSender.java:404)
        at org.apache.axis.transport.http.HTTPSender.invoke(HTTPSender.java:138)
        ... 71 more
    Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.validator.PKIXValidator.doBuild(Unknown Source)
        at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
        at sun.security.validator.Validator.validate(Unknown Source)
        at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(Unknown Source)
        at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
        at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
        ... 83 more
    Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
        at java.security.cert.CertPathBuilder.build(Unknown Source)
        ... 89 more
    2015-01-15 10:27:09,270 ERROR 2015-01-15 10:27:09,270  [http-443-15][] cpm.admin.infra.action.LocalCertAddAction- Unable to import certificate : com.cisco.cpm.infrastructure.certmgmt.api.CertMgmtException: com.cisco.cpm.nsf.api.exceptions.NSFEntitySaveFailed: com.cisco.cpm.nsf.api.exceptions.NSFEntityTypeException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    2015-01-15 10:27:22,019 INFO  2015-01-15 10:27:22,019  [http-443-17][] cpm.admin.infra.action.TimeSettingsAction- retrieve server status: SEC(A), SEC(M)

    What version and patch level of ISE are you running?

  • ISE Authentication cache in CWA for Guest

    Ciao,
    do you know how I can cache a guest authentication?
    For example, a guest connects to the guest SSID (open) and authenticates using CWA (ISE and WLC). After that, every time the guest logs off and logs in, no authentication is required during the same days.
    Thanks

    You can find the "Automatically register guest devices / Allow guests to register devices" option here -> Guest Access > Configure > Guest Portals > Create, Edit or Duplicate > Portal Behavior and Flow Settings > Guest Device Registration Settings.
    Using this option: Automatically create an endpoint for the device from which the guest is accessing this portal. The endpoint will be added to the endpoint identity group specified for this portal and is subject to the identity group's purge policy.
    An authorization rule can now be created to allow access to endpoints in that identity group, so that web authentication is no longer required.
    And you have the "ActivatedGuest" option in 1.2.

  • ISE with dot1x and Posture deployment in parallel with certain users

    Hi,
    We want to deploy ISE in sequential order, meaning that I will initially have all users authenticated/authorized with dot1x/MAB etc., and then only at certain locations or for certain users have posture condition validation/verification while others do not.
    Can someone please advise whether this approach is possible? As far as I understand, once you have posture policies in place as an authorization rule, it will hit all the users. This may be possible where you can match the switch or the location as a separate condition, but if all users are spread/mixed we just need to find a simple way to do it, or to know whether it is not possible?

    We have modified the attached policy on rules 04 and 05 (from the top) and added a new condition Device Location Equals "Switch1". According to this rule, any user connected to Switch1 only does posture, and when the same user's PC connects to any other switch (other than Switch1), it should only do dot1x/MAB (rules 1-3). But in our case, when the user's PC connects to any switch other than Switch1, it hits the ISE default policy (not included in this attachment) and it also pops up the NAC agent and does posturing. Questions: why is the PC/user not hitting rules 1-3 and going to the default rule? Why is the PC/user doing posture when no posture rule is hit?
    Hi,
    First of all, I would assume you configured the PC for machine or user authentication.
    So, when a user connects to the network using other switch but not switch1, it will get 2 hits:
    1. Computer authentication - this PC is part of Domain Computers
    2. Default rule - because you configured (domain) user authentication for dot1x requests that are received only from switch1!
    You haven't specified a rule for domain users alone (with no location condition) and with no posture.
    You have to add something like this:
    1. dot1x + Domain PC
    2. dot1x + Domain User + location + preposture
    3. dot1x + Domain User + location + posture compliant
    4. dot1x + Domain User (and no posture condition)
    To answer your second question, even though you've exempted a certain user from posture, if the NAC Agent is installed, it will pop up and say that you're compliant, so practically it isn't doing posture.
    (http://www.cisco.com/en/US/docs/security/ise/1.1/user_guide/ise_pos_pol.html)
    Generating a Posture Requirement: The run-time services request the posture requirement for the endpoint by looking up the role to which the user belongs and the operating system on the client. If you do not have a policy associated with the role, then the run-time services communicate to the NAC Agent with an empty requirement. If you have a policy associated with the role, then the run-time services run through the posture policies, through one or more requirements associated with the policies, and for each requirement through one or more conditions.
    If you want to roll out posture, you could use exception rules (check the top section of authorization rules) or you could do only posture audit for your rules so that everyone can get network access even though they're not compliant.
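The reply's diagnosis rests on first-match evaluation of the authorization policy: a domain user on a switch other than Switch1 matches none of the location-bound posture rules and falls through to the Default rule, and the fix is a location-independent domain-user rule placed below the posture rules. The following is an added Python model of that evaluation, not code from the thread or from Cisco ISE; the attribute names, rule names, profile names and sample sessions are constructed for illustration, and the misordered variant goes one step beyond the thread to show why the new rule must sit at the bottom.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

# A session as a flat attribute map (constructed attribute names standing in
# for the dictionary attributes an ISE rule row would reference).
Request = Dict[str, str]
Condition = Callable[[Request], bool]


@dataclass
class Rule:
    name: str
    conditions: List[Condition]
    profile: str

    def matches(self, req: Request) -> bool:
        # Every condition in a rule row must hold (logical AND).
        return all(cond(req) for cond in self.conditions)


def evaluate(policy: List[Rule], req: Request) -> str:
    """First-match evaluation: the first rule whose conditions all hold wins;
    a session that matches nothing lands on the implicit Default rule."""
    for rule in policy:
        if rule.matches(req):
            return rule.name
    return "Default"


# Condition builders
def dot1x(req: Request) -> bool:
    return req.get("protocol") == "dot1x"

def in_group(group: str) -> Condition:
    return lambda req: req.get("identity_group") == group

def at_location(name: str) -> Condition:
    return lambda req: req.get("device_location") == name

def posture_is(status: str) -> Condition:
    return lambda req: req.get("posture_status") == status


# The rule set the reply infers from the question: posture rules bound to
# Switch1 and no location-independent rule for domain users.
POSTED = [
    Rule("01 dot1x + Domain PC", [dot1x, in_group("Domain Computers")], "Machine_Access"),
    Rule("02 Switch1 pre-posture",
         [dot1x, in_group("Domain Users"), at_location("Switch1"), posture_is("Unknown")],
         "Posture_Redirect"),
    Rule("03 Switch1 compliant",
         [dot1x, in_group("Domain Users"), at_location("Switch1"), posture_is("Compliant")],
         "Full_Access"),
]

# The reply's fix: a catch-all domain-user rule with no posture condition,
# placed below the posture rules so Switch1 users still reach them first.
CORRECTED = POSTED + [Rule("04 dot1x + Domain User", [dot1x, in_group("Domain Users")], "Full_Access")]

# Same four rules with the catch-all moved to the top: with first match,
# Switch1 users would never reach the posture rules.
MISORDERED = [CORRECTED[3]] + POSTED

SAMPLE_REQUESTS = {  # constructed sample sessions
    "user_switch2": {"protocol": "dot1x", "identity_group": "Domain Users",
                     "device_location": "Switch2", "posture_status": "Unknown"},
    "user_switch1": {"protocol": "dot1x", "identity_group": "Domain Users",
                     "device_location": "Switch1", "posture_status": "Unknown"},
    "pc_switch2": {"protocol": "dot1x", "identity_group": "Domain Computers",
                   "device_location": "Switch2", "posture_status": "Unknown"},
}


def run_scenarios() -> Dict[str, str]:
    results = {}
    for pol_name, policy in (("posted", POSTED), ("corrected", CORRECTED), ("misordered", MISORDERED)):
        for req_name, req in SAMPLE_REQUESTS.items():
            results[f"{pol_name}/{req_name}"] = evaluate(policy, req)
    return results


if __name__ == "__main__":
    for key, rule in run_scenarios().items():
        print(f"{key:24} -> {rule}")
```

Running it shows the domain user on Switch2 hitting Default under the posted rules and rule 04 under the corrected ones, the Switch1 user still hitting the pre-posture rule in both, and the misordered set sending the Switch1 user straight to rule 04, which is the trap to avoid when adding the catch-all.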

  • Distributed cache during solution deployment

    Hi,
    We are using MySite newsfeed.
    What is the best practice during deployment of a solution so that the distributed cache is not affected?
    Last time, when we did an IIS reset, the feed was lost and we had to use the repopulation job to pull the data. Is there any better way to follow during deployment and server upgrades?
    Thanks,
    Sudan

    Hi Sudan,
    The Distributed Cache service stores data in-memory only, so executing iisreset might cause cache flush. Please refer to the thread below to move all cached items from local cache to other cache host in the cluster:
    http://social.technet.microsoft.com/Forums/sharepoint/en-US/6a415c75-4ca3-4c43-9110-25a68db93a54/sharepoint-2013-my-site-newsfeed-posts-disappear?forum=sharepointgeneral 
    Regards,
    Rebecca Tu
    TechNet Community Support

  • OBIEE on RHEL5.5 using clustering of 4 nodes deployed on weblogic

    It is my first experience of installing OBI in a production environment. I have to install OBIEE 10.1.3.4.1 on four IBM HS22 Blade Servers, under RHEL 5.5, deployed on Weblogic in an active/active configuration. Weblogic will be clustered. I am confused about the steps of installation; please correct me if the following steps are wrong:
    Step 1: Install Weblogic on Node1, and configure clustering of Weblogic on the other 3 nodes.
    Step 2: Install OBIEE on all 4 nodes. Complete installation, not specific products, using the Advanced installation type, so that all components are installed on all the nodes.
    Step 3: Configure clustering of OBIEE keeping Node1 as Master BI Server, Primary Cluster Controller, Primary Scheduler.

    I am planning a complete installation on all the nodes, but while doing the configuration in files such as NQSConfig.INI and NQClusterConfig.INI, I will do it like this:
    Node1 as primary node for cluster and scheduler and Presentation Services and Master BI Server
    Node2 as secondary node for cluster and scheduler and Presentation Services and BI Server
    Node3 as BI Server
    Node4 as BI Server
    I can install only one component (BI Server) on Node3 and Node4, but to keep my installation straightforward I am installing the complete product on all nodes. Please suggest whether it will work, or whether I should proceed with a complete install on Node1 and Node2 but a custom install on Node3 and Node4.
    Regarding load balancing, this has to be done by the cluster controller; please suggest if I am wrong. I have a separate web server which I need to configure.

  • Cache / application node configuration

    Hi!
    I am doing a Coherence evaluation and yesterday I talked to the UK Tangosol office, who suggested I post these questions here to get answers more quickly. I hope you can help.
    I would like to configure a number of nodes to ONLY hold data for a distributed cache. Let us call them cache nodes.
    A number of other nodes should be configured to participate in the same distributed cache but not hold any data. They will use a "near" cache with the distributed cache as "back cache". These are the nodes where my application logic will go. Let us call them application nodes.
    My first question is if I must have the same configuration on the cache nodes as I have on the application nodes (i.e. must I use a "near cache" even though I do not need or want a "front cache" here, since nobody will access the data locally)? I assume that the invalidation of even an empty front cache has some associated cost, and this is another reason to not have one when not needed.
    My second question is if I must make some special provisions in my CacheStore (that will use JDBC to sync with a database) to ensure that modified data will either not be written to either the cache or the database or both (for instance in the event of a critical hardware failure of the cache node calling the CacheStore during a call to one of the "store" or "erase" methods), or is this "automagically" taken care of somehow by the layer above the CacheStore? Is the answer the same or different if I use replication of the data in the replicated cache or not? My plan is to NOT use replication and instead take the hit that some cache data is lost (will be reloaded if needed later) in the event of a critical error killing one of the cache nodes. If I must do something special in the CacheStore to ensure that the database and cache are always coherent, I would like some example code that I can start from...
    My third question is if my proposed configuration is fully coherent, or is it theoretically possible that a client can send a request that modifies an object to one of the application nodes and then (assuming my load balancer is NOT sticky) immediately request the same data from another application node and get the OLD object value back? I.e. is the update/invalidation from/to the near caches synchronous or asynchronous? If this is a "possible" scenario, is there anything that can be done to avoid it with this setup (except getting a sticky load balancer)?
    Lastly, if you happen to sit on some configuration examples that set up exactly this kind of scenario (or something very close to it), I would appreciate having a look at them. I have found some examples on the forum but none that do the same thing...
    Best Regards
    MagnusE

    Thanks for your quick and informative answer Jon! I need to think more about some of your points to make sure I understand the implications. A few quick follow-up questions though:
    "With a write-through cache, Coherence will call your CacheStore implementation before updating the cache, and so the database will always have the most current version of the data, even in the event of a cache server failure."
    But will the cache also get the new version of the data somehow in the event of a failure (that occurs just after the data has been stored in the database but before the storage node managed to put it in the cache), or will this cause non-coherence between database and cache? Will the application node get an exception back from its put operation in this case (so it at least is aware that the data may not have gone into both the cache and the database)?
    What happens if the data store fails to put the data in the database (due to a database constraint or a database failure etc.) and the store method in the datastore class throws an exception? Will the storage node still put the new (or changed) object in the cache (causing a non-coherence between database and cache) or not?
    Do you have some documentation that explains how the product handles all the known "corner cases" (like failures during or just after the datastore methods are called, etc.)? It would be valuable, since they are often the cause of the rare but really nasty problems...
    Best Regards
    Magnus
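    An added example of the cache-node/application-node split asked about above; it is not from this thread or from Tangosol's own samples. Both node types can load this one file: the near scheme is only ever used by the application nodes, which are started with local storage disabled so they hold no partitions, while the cache nodes keep the default (storage enabled). The CacheStore class name and cache name are hypothetical placeholders.

```xml
<cache-config>
  <caching-scheme-mapping>
    <cache-mapping>
      <cache-name>orders-*</cache-name>
      <scheme-name>app-near</scheme-name>
    </cache-mapping>
  </caching-scheme-mapping>
  <caching-schemes>
    <!-- Used on application nodes: small front cache over the partitioned back cache. -->
    <near-scheme>
      <scheme-name>app-near</scheme-name>
      <front-scheme>
        <local-scheme>
          <high-units>5000</high-units>
        </local-scheme>
      </front-scheme>
      <back-scheme>
        <distributed-scheme>
          <scheme-ref>partitioned-db</scheme-ref>
        </distributed-scheme>
      </back-scheme>
      <!-- "present": front entries are invalidated by back-cache events for keys this node holds. -->
      <invalidation-strategy>present</invalidation-strategy>
    </near-scheme>
    <!-- Shared by all nodes; only storage-enabled members own partitions. -->
    <distributed-scheme>
      <scheme-name>partitioned-db</scheme-name>
      <service-name>DistributedCache</service-name>
      <backing-map-scheme>
        <read-write-backing-map-scheme>
          <internal-cache-scheme>
            <local-scheme/>
          </internal-cache-scheme>
          <cachestore-scheme>
            <class-scheme>
              <!-- hypothetical JDBC-backed CacheStore implementation -->
              <class-name>com.example.JdbcOrderCacheStore</class-name>
            </class-scheme>
          </cachestore-scheme>
          <!-- 0 = write-through: store() runs before the cache entry is updated -->
          <write-delay>0</write-delay>
        </read-write-backing-map-scheme>
      </backing-map-scheme>
      <!-- Application nodes start with -Dtangosol.coherence.distributed.localstorage=false -->
      <local-storage system-property="tangosol.coherence.distributed.localstorage">true</local-storage>
      <autostart>true</autostart>
    </distributed-scheme>
  </caching-schemes>
</cache-config>
```

    Application code on the cache nodes would simply not look up the near-mapped cache names, so the front map is never created there; the only per-node difference is the localstorage system property on the JVM command line.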
