ISE max-login-ignore-identity-response

Hi forumers,
Greetings, I have a question regarding ISE login identity response.
In my POC deployment, I'm using a single testing domain user account in the testing Active Directory. I am able to log in to the testing secure network using the same user credential from a normal workstation and a handheld device (e.g. iPhone, iPad etc.), SIMULTANEOUSLY.
How can I strengthen the authorization policy where
1. ISE max-login identity response only allows 2 concurrent connections at maximum, one user per workstation and/or handheld device.
Example:
AD user-A connecting to 1 unit of workstation and 1 unit of iPhone at the same time. If user-A tries to connect another iPad, this time the connection should fail.
Can I fine-tune and strengthen this? Thanks
Noel

I have had the same issue. The fault is caused by the time zone in the sponsor groups being set by default to UTC, so if you are in London the accounts won't become available until UTC time. The best practice is to add a local time zone and remove UTC at initial configuration.
To resolve this, create a new local time zone in Guest Access>Settings>Guest Locations and SSIDs, then under Guest Access>Configure>Sponsor Groups amend the time zone properties in each sponsor group.
One other problem is that if you do not remove this at initial configuration, you don't seem to be able to get rid of UTC. Not really an issue unless you forget when creating new sponsor groups.

Similar Messages

  • [CS3][JS] Is there a JS equivalent of AS 'ignore application responses'

    I used 'ignoring application responses' a few times in AppleScript to speed up a script execution. Is there a JavaScript equivalent? Curious.

    > I think that you'll find bigger performance gains in managing the undo queue by doing a save as every so often, or turning off undo through Rorohiko's plug-in (or, in CS4, disabling undo via doScript). Working with the window hidden can also produce some performance improvements.
    >
    Hi Ole,
    As best as I can tell, the only way to get those performance gains is to
    actually clear the undo stack (either by "save as", or by using
    Rorohiko's "Discard Undo" OpCode). Collapsing the undo stack either using
    APID, or via doScript in CS4 (great new feature, by the way!) does not
    actually clear the stack; it just collapses the stack into one undo item,
    which doesn't help performance (it might even hurt performance
    slightly). The whole collapsed stack is still retained in memory.
    Harbs
    http://www.in-tools.com

  • Send an HTTP command without opening browser and ignore server response?

    I am trying to put together a very, very simple desktop app which can send 6 separate HTTP commands to a local webserver.
    The command would be something like:
    open http://192.168.0.101/run.cgi?Menu
    The command works fine, but the problem is it is being opened in the default web browser and then the response from the webserver is being opened in a new tab:
    http://192.168.0.101/result.txt
    I'm a novice so I'm only doing this in the most basic way, but wondered if there was a way I could run this command from the Terminal and add a few extra commands to the line to make it run "silently", i.e. not open a web browser and also ignore the response, just simply send the command "Menu".
    Many thanks
    Mark

    Great, sounds perfect for what I need to do. I have absolutely no idea how to use it yet though. Please, if you can spare the time, could you just outline in plain idiot English how I should implement this so I can have various functions set up to use it.
    Many thanks
    Mark

  • ISE max failed logins

    In ISE, does anyone know if the count for the Maximum Login Failures for Guest accounts  (found under the Settings>Guest>Portal Policy page) is a per session setting or cumulative for the lifetime of the account? Does the count ever get reset and is there a way to view current failed login count?
    Our use case is that we have guest accounts that get handed out to multiple guests (say for a hosted conference or a special event). We've had a couple of these type accounts get suspended because of hitting max failed logins. We've increased the setting, but would like to understand the settings further as some of the guest accounts need to exist over a significant period of time.

    It is per session, when once successfully logged in, the counter is reset.

  • ISE 1.2 Auth Avg Response Time

    Hi Guys,
    We have recently moved to ISE 1.2 (distributed deployment on UCS C220 blades) from ACS 5.x. We are seeing an average auth response time of ~150ms on each of the PSN nodes (4 in total) and wonder whether this is too slow.
    Is this normal, or should we have a much lower average response time for those RADIUS authentications? What are the typical values you guys observed in this sort of deployment?
    Any input would be much appreciated
    Rasika

    Hi,
    Where did you get your information from? Is it from the ISE Authentication Report Summary? If so, which of the Average responses are you concerned about? Authentications By Day, Identity Group, Identity Store, Allowed Protocol etc.
    In my network average response based on protocol PEAP is 121ms. Authentication by day is 74ms. Then again my network may be smaller than yours. Also I have an appliance and not a Virtual Server. In my opinion, I don't think 150ms is that much to make the user notice. If authentication response gets close to 300ms, then you have an issue.
    If you have a very large network like a University Campus, then 150ms is OK.

  • Can you Ignore Error Response Code in HttpUrlConnection?

    I have a problem with a HttpUrlConnection object throwing an IOException when it gets an HTTP Error Response code. Especially when there is an actual response from the server sent back that has more details in it that are actually helpful.
    I would like to just tell the HttpUrlConnection to ignore HTTP error responses and just pass along the page or data that was returned instead. I need to handle this myself.
    The reason, if it matters, is I am sending SOAP Envelopes, and if the Web Service doesn't like it, it will send an HTTP 500 Response Code, but it also sends a response SOAP Envelope that tells me exactly what is wrong.
    Right now to get this response I have to use a Sniffer, or worse, since it is HTTPS (SSL), I have to use the JVM's SSL debug mode and pull the response out of the hex code.
    I couldn't find anything about this, so I am afraid I am SOL, just hoping that there might be an obscure "feature" or "property" that can deal with this, that I can't find.
    ** 10 Duke Dollars to first person to provide a solution that works **

    Just call the getErrorStream() method to read the error response. Eg.
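    import java.io.*;
    import java.net.*;
    public class ReadErrorBody {
      public static void main(String[] args) throws IOException {
        HttpURLConnection conn = (HttpURLConnection)
          new URL("http://www.google.com/givemea404").openConnection();
        try {
          conn.getInputStream();  // throws IOException on an HTTP error status
        } catch (IOException e) {
          InputStream in = conn.getErrorStream();  // error body, or null if none was sent
          if (in == null) throw e;
          int i = in.read();
          while (i != -1) {
            System.out.print((char) i);
            i = in.read();
          }
        }
      }
    }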

  • ISE 1.0.4 - identity Sequence refuses to use AD after RSA

    We are running ISE 1.0.4 with a requirement that on the surface is simple, but fails to execute properly no matter how I tweak it. It is:
    VPN users either need to be within a certain AD group or
    They need to authenticate against RSA.
    I set authentication to use an identity sequence with RSA listed first, then AD second.
    I set authorization to check identity server (using network access:AuthenticationIdentityStore).
    - If it’s RSA, pass it.
    - If it’s Active directory, AND the condition with a check on that group membership.  Pass if both pass.
    - Set the default authorization rule to deny access.
    This should work.  Here’s where it breaks down.  It all stems from the fact that the same userIds exist in RSA and AD and that ISE steadfastly refuses to attempt the second identity server method listed in the sequence if RSA is listed first.
    - If I list RSA first and the “authentication failed” policy is set to Reject:
      For users not in RSA that I want to authenticate against AD, it rejects – it attempts against RSA but never hits AD (second server listed in the identity sequence). This is what is broken.
      This works for users in RSA.
    - If I list the RSA server first and the “authentication failed” policy is set to Continue:
      Users not in RSA will pass authentication that shouldn’t, because the network access:AuthenticationIdentityStore value will be pointing to the RSA server, regardless of whether they actually passed to that server or not.
      Effectively users can connect regardless of whether their password is right or not.
      This option sets it to proceed from authentication to authorization.
    - If I list AD first in the sequence: since the same ID exists in both AD and RSA, it’ll fail as bad password against AD. It'll never attempt against RSA.
    Am I missing a simple fix for this?  I have a testbed in which I can simulate the issue but since I don’t have an RSA server handy, I’m using an identity sequence with AD and fallback to internal.  It works as I’d expect, falling back from AD to local if the user doesn't exist in AD.  If the user is in AD, it never tries local and shows the attempt as a bad password.

    There is a configuration option on the RSA server definition (Authentication Control options):
    This Identity Store does not differentiate between 'authentication failed' and 'user not found' when an authentication attempt is rejected. From the options below, select how such an authentication reject from the Identity Store should be interpreted for Identity Policy processing and reporting.
    Treat Rejects as 'authentication failed'
    Treat Rejects as 'user not found'
    If RSA is the first server in the sequence, it will only continue to the next server if the following option is selected: "Treat Rejects as 'user not found'".
    In addition, you had a comment about the value of the "network access:AuthenticationIdentityStore" attribute. This will contain the name of the last ID store that was checked. If you want to ensure that the authentication did in fact succeed, you should also check the following:
    "Network Access:AuthenticationStatus EQUALS AuthenticationPassed"
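
The sequence behaviour discussed in this thread, as an added example that is not part of the original posts and is not Cisco code: a simplified Python model showing why a rule that checks only `AuthenticationIdentityStore` permits a failed login, and how the 'user not found' option plus the `AuthenticationStatus` check close that gap. The store contents, user names, passwords, the `VPN-Users` group and the single `on_fail` switch are assumptions made for the illustration.

```python
"""Simplified model of the identity-sequence behaviour described in the thread.
Not Cisco code; stores, users, passwords and group names are constructed."""
from dataclasses import dataclass

PASSED, FAILED, NOT_FOUND = "AuthenticationPassed", "AuthenticationFailed", "UserNotFound"

@dataclass
class Store:
    name: str
    users: dict                          # user -> secret (constructed sample data)
    distinguishes_unknown: bool = True   # False models the RSA-style generic reject
    treat_reject_as: str = FAILED        # the "Treat Rejects as ..." option

    def check(self, user, secret):
        if user in self.users and self.users[user] == secret:
            return PASSED
        if not self.distinguishes_unknown:
            return self.treat_reject_as
        return FAILED if user in self.users else NOT_FOUND

def authenticate(sequence, user, secret):
    """Walk the sequence; move to the next store only on 'user not found'."""
    ctx = {"AuthenticationIdentityStore": None, "AuthenticationStatus": NOT_FOUND}
    for store in sequence:
        ctx["AuthenticationIdentityStore"] = store.name   # name of the last store checked
        ctx["AuthenticationStatus"] = store.check(user, secret)
        if ctx["AuthenticationStatus"] != NOT_FOUND:
            break
    return ctx

def authorize(ctx, ad_groups, require_passed):
    """Thread's rules: RSA -> permit; AD and group member -> permit; default deny."""
    if require_passed and ctx["AuthenticationStatus"] != PASSED:
        return "DenyAccess"
    store = ctx["AuthenticationIdentityStore"]
    if store == "RSA":
        return "PermitAccess"
    if store == "AD" and "VPN-Users" in ad_groups:
        return "PermitAccess"
    return "DenyAccess"

def vpn_login(user, secret, rsa_reject_as, require_passed, on_fail="continue"):
    """One login attempt against the RSA-then-AD sequence (constructed accounts)."""
    rsa = Store("RSA", {"alice": "token-123"},
                distinguishes_unknown=False, treat_reject_as=rsa_reject_as)
    ad = Store("AD", {"alice": "ad-pw", "bob": "bob-pw"})
    groups = {"bob": {"VPN-Users"}}
    ctx = authenticate([rsa, ad], user, secret)
    if ctx["AuthenticationStatus"] != PASSED and on_fail == "reject":
        return "DenyAccess"              # never reaches authorization
    return authorize(ctx, groups.get(user, set()), require_passed)

if __name__ == "__main__":
    # Misconfiguration from the thread: wrong password, yet the RSA rule matches.
    print(vpn_login("bob", "wrong", FAILED, require_passed=False))
    # Corrected: rejects fall through to AD and the status is checked.
    print(vpn_login("bob", "wrong", NOT_FOUND, require_passed=True))
    print(vpn_login("bob", "bob-pw", NOT_FOUND, require_passed=True))
```
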

  • Cisco ISE Guest Login without provisioning

    Hi,
    I have setup the ise based on  https://supportforums.cisco.com/docs/DOC-26442  whereby I have an authorization rule for CWA and an authorization rule for guestflow with provisioning. All is working great, however I was wondering if it may be possible to setup the ise with the following scenarios with dual ssid:
    1. user login to guest ssid and redirects to guest web portal and input guest credential created by sponsor (this is working well)
    2. user login to guest ssid and redirects to guest web portal and input credential from AD goes to provisioning (this is working well)
    3. user login to guest ssid and redirects to guest web portal and input credential from specified AD group and get internet/network access without provisioning.
    For point 3, I was wondering if it may be possible and if so on how it may be accomplished? I have attached the present Authz rule for reference as well as the rule I have tried which does not seems to be working.
    Any help is appreciated!
    Thanks.

    No it doesn't, you can test the same, while editing the wireless SSID profile, opting authentication method as smart card other than PEAP/EAP.

  • ISE web login Issue.

    Hi all:
    Here is the scenario. My ISE is a VMware version and works normally. Now here comes an issue: my computer can't log in to the ISE web interface.
    The other computer can log in to the ISE web interface.
    I think it may be a cert issue, because when I log in to the web interface, the website gives me the VMware cert, but I think it should be my AD's cert.
    Any help or suggestion will be appreciated.

    There is the problem in the browser you are using. So please remove all the pre-added certificates from your browser and try to connect to ISE using HTTPS. ISE will issue a certificate to you. Add this certificate and you will get the GUI of ISE.
    (Remove certificate from browser: tools --> options --> content --> certificates --> remove, then restart it.)

  • Cisco ISE Guest Login

    Hi,
    I have a weird problem; after a guest user account has been created on Cisco ise 1.1.4 patch 8; when the guest user is redirected to the ise guest portal; the first login is always unsuccessful. Upon entering the login credential and password correctly; the client would be redirected to the same login page. Upon retrying the process a few times; it would succeed after 2-3 times.
    On the ise authentication; I see a guest authentication error; "Guest Authentication Failed : 86020: Unknown exception" with only a single step seen on the logs for troubleshooting "5431  Guest Authentication Failed"
    I would like to check if anyone has seen such an issue/behaviour? 
    Any suggestions is appreciated.
    Thanks.

    No it doesn't, you can test the same, while editing the wireless SSID profile, opting authentication method as smart card other than PEAP/EAP.

  • ISE Guest login page problems

    hello all,
    I am trying to set up 'guest' access for known people... I mean, the validation of the credentials is made against an LDAP server. User accounts are created there, inside a wfacces group.
    My problem is that when I activate my authorization policy #3, the guest needs to enter his credentials many times...
    Rule 1: if Network Access:UseCase EQUALS Guest Flow then Permitaccess
    Rule 2: if (Wireless_MAB AND Radius:NAS-Identifier EQUALS Guest_corp  ) then Authprof_Guest_corp
    Rule3 : if (Radius:NAS-Identifier EQUALS Guest_corp AND ldap_corp:ExternalGroups EQUALS cn=wfAcces,ou=ISE,ou=security,ou=groups,o=my.domain ) then PermitAccess
    In my Authprof_Guest_corp, I have my ACL, my redirect URL and the identity source sequence.
    Removing my rule 3 fixes the issue, but I don't want ALL LDAP users to be able to access inet...
    The Multiple Matched Rule Applies is selected.
    Any idea what I am doing wrong? Or how I should do that?

    There are several things which need to be checked in order to resolve this.
    1.) Authentication Failure message indicates that the user’s credentials are invalid. Resolution: Check if the Active Directory user account and credentials that are used to connect to the Active Directory domain are correct.
    2.) Test Bind to Server: Click to test and ensure that the LDAP server details and credentials can successfully bind. If the test fails, edit your LDAP server details and retest.
    3.) Cisco ISE allows you to import MAC addresses and the associated profiles of endpoints securely from an LDAP server. You can use an LDAP server to import endpoints and the associated profiles, by using either the default port 389, or securely over SSL, by using the default port 636.

  • ISE Guestportal login action resource not found

    I'm setting up a new ISE for guest webauth. I'm getting the indicated message when I try to log in as a Guest.
    Am I missing something?
    Regards.

    Adding additional info:
    I'm running ISE 1.1.1.246
    The error appears before the login screen. I got a certificate warning, and when I continue I get the error
    Error: Resource not found
    Resource: /guestportal/Login.Action

  • Max-width Ignored on fo:block and fo:block-container

    I am writing an XSLT template using XSL-FO and I have an fo:block for which I want to limit the width. I set the property max-width to "3in" on the block, and that did nothing. Then I put the block into an fo:block-container and set the max-width property of it to "3in", and this was also ignored.
    Is this a bug in the rendering engine or am I doing something wrong?
    The block is in an fo:static-content.
    Thanks,
    Kurz

    I'm not exactly sure I get what your intention is, but here are a few things to consider maybe.
    max width will not make the image expand, just keep it from being any wider than the max width.
    images by default display as in line. To make a width property work reliably, you will need to set it to block:
    div#secondaries ol.secondary li div.item-img img {
      display: block;
      width: 100%;
    }
    image width as set above will be affected by its containers. (If you meant to limit the width of the image rather than to resize it, the same thing should still be true of a max-width on the image, though cross-browser support will be unreliable.)
    The relevant container for the case above is:
    div#secondaries ol.secondary li {
      font-size: 1.1em;
      width: 30%;
      margin-top: 0em;
      margin-bottom: 1.5em;
      margin-left: 0em;
    }
    So do you really mean it to be 30% or did you mean 100%?

  • ISE and no External Identity Source

    I have this particular case in which I need to make authentications for users in ISE without Active Directory/LDAP etc.
    I would like to have some kind of MAC to USER binding where the user would not be able to add more devices to the network. I know EAP chaining using AnyConnect is a way of achieving this, but then again I can only see it using AD or some kind of external database. Also printers, wireless and phones are in the map. I tried using MAB and CWA for this but do not want to have the users be able to self-register their devices as if they were guests.
    EAP chaining without AD??? Possible?
    Any hope?
    Thank you 

    Someone else can chime in here but I don't think it is possible to perform EAP-Chaining with the internal database of ISE. With that being said, feel free to read the EAP-TEAP IETF doc :)
    http://tools.ietf.org/html/draft-ietf-emu-eap-tunnel-method-01

  • AIM: max logins exceeded

    My phone: Verizon Tour, BB OS 5.0.0.732, AIM client 2.5.63.
    When I try to login to the AIM client, I get the error:
    The maximum number of logins has been exceeded.
    I have seen other people with this issue, but no confirmed resolution.  I am not logged into AIM anywhere else.  I have logged out of Facebook.  I have enabled then deleted my BB phone number on my account on moble.aol.com.  I have uninstalled and reinstalled the BB AIM client.  I have rebooted my BB.  I can log onto AIM (iChat) on my Mac.
    This is getting a bit frustrating at this point.  Any help is appreciated.

    > What is the best possible solution other than restarting the database?
    > Killing existing sessions ?
    > How to rectify this error and what all needs to be done to make sure that this error doesn't come up again
    $ oerr ora 00020
    00020, 00000, "maximum number of processes (%s) exceeded"
    // *Cause:  All process state objects are in use.
    // *Action: Increase the value of the PROCESSES initialization parameter.
    You need to evaluate the right maximum number of processes that can connect to database instance: please read http://download.oracle.com/docs/cd/E11882_01/server.112/e17110/initparams197.htm#REFRN10175.
    Edited by: P. Forstmann on 18 avr. 2011 20:34
