ISE - Periodic Dynamic Auth Failures

I am running into an issue where I get a handful of Dynamic Auth Failure errors in ISE. In the results it shows a CoA-NAK, and the error cause is 200. The steps show:
11204 Received reauthenticate request
11220 Prepared the reauthenticate request
11100 RADIUS-Client about to send request
11101 RADIUS-Client received response
which shows successful communication between ISE and the NAD. When I look at the RADIUS Authentication logs for one of the hosts, I see it pass MAB with one session ID, then a Dynamic Auth CoA failure, then pass dot1x with a different session ID.
I was reading up on the Dynamic Auth RFC (http://tools.ietf.org/html/rfc5176) and in Section 3.5 it states:
"Values 200-299 represent successful completion, so that these values may only be sent within CoA-ACK or Disconnect-ACK packets and MUST NOT be sent within a CoA-NAK or Disconnect-NAK packet."
Am I missing something here? Is anyone else having this issue?

All Cisco phones. Switches are 4510s running 03.02.03.
Here's a sample port config:
interface GigabitEthernetX/X/X
 switchport access vlan XX
 switchport mode access
 switchport voice vlan XX
 srr-queue bandwidth share 10 10 60 20
 queue-set 2
 priority-queue out
 authentication event fail action next-method
 authentication host-mode multi-auth
 authentication open
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 mab
 mls qos trust device cisco-phone
 mls qos trust cos
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
 spanning-tree guard root
 service-policy input AutoQoS-Police-CiscoPhone
end
No, I don't see multiple session IDs for the same user. We are using EAP-TLS and certificate auth.
Server keys are good. I've debugged a couple of these. The only thing I could find was that the session ID is different between MAB and dot1x.
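As an added example, not code from the original post or from Cisco or ISE: a small decoder for RFC 5176 Dynamic Authorization packets that pulls the session-identification attributes out of a CoA-Request (including the Cisco audit-session-id AV-pair that IOS keys its sessions on) and checks whether the Error-Cause carried in an ACK or NAK is permitted for that packet type. Per RFC 5176 section 3.5, value 200 is "Residual Session Context Removed", a success code, so a CoA-NAK carrying 200 is exactly the contradiction the post describes, and the check below flags it. The shared secret, session ID and AV-pair contents are constructed for the example; the AV-pair names are illustrative.

```python
# RFC 5176 packet decoder plus Error-Cause consistency check.  Added example, not code from the thread.
import hashlib
import hmac
import struct

# RFC 5176 packet codes
DISCONNECT_ACK, DISCONNECT_NAK, COA_REQUEST, COA_ACK, COA_NAK = 41, 42, 43, 44, 45
CODE_NAMES = {40: "Disconnect-Request", 41: "Disconnect-ACK", 42: "Disconnect-NAK",
              43: "CoA-Request", 44: "CoA-ACK", 45: "CoA-NAK"}
# Attribute types used here (RFC 2865/2866/5176) and Cisco's VSA numbering
ACCT_SESSION_ID, VENDOR_SPECIFIC, ERROR_CAUSE = 44, 26, 101
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1
# Error-Cause values from RFC 5176 section 3.5: 2xx = success, 4xx/5xx = failure
ERROR_CAUSES = {
    200: "Residual Session Context Removed", 201: "Invalid EAP Packet (Ignored)",
    401: "Unsupported Attribute", 402: "Missing Attribute", 403: "NAS Identification Mismatch",
    404: "Invalid Request", 405: "Unsupported Service", 406: "Unsupported Extension",
    407: "Invalid Attribute Value", 501: "Administratively Prohibited",
    502: "Request Not Routable (Proxy)", 503: "Session Context Not Found",
    504: "Session Context Not Removable", 505: "Other Proxy Processing Error",
    506: "Resources Unavailable", 507: "Request Initiated", 508: "Multiple Session Selection Unsupported",
}
SECRET = b"constructed-shared-secret"   # constructed for the example, not a real key
SESSION = "0A0000010000002A0000BEEF"    # constructed audit-session-id, not from the post


def build_packet(code, ident, attrs, secret, request_auth=None):
    """Serialise a packet.  Request Authenticator = MD5(Code|ID|Length|16 zero bytes|Attrs|Secret);
    a response puts the request's Authenticator in place of the zeros (RFC 5176 section 2.3)."""
    body = b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    seed = bytes(16) if request_auth is None else request_auth
    return header + hashlib.md5(header + seed + body + secret).digest() + body


def parse_packet(pkt):
    """Split a packet into code, id, authenticator and a list of (type, value)."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length != len(pkt):
        raise ValueError("bad RADIUS length")
    attrs, i = [], 20
    while i < length:
        if i + 2 > length or pkt[i + 1] < 2 or i + pkt[i + 1] > length:
            raise ValueError("malformed attribute at offset %d" % i)
        t, l = pkt[i], pkt[i + 1]
        attrs.append((t, pkt[i + 2:i + l]))
        i += l
    return {"code": code, "id": ident, "auth": pkt[4:20], "attrs": attrs}


def verify_response(resp, request_auth, secret):
    """True if the ACK/NAK was produced by a peer holding the shared secret."""
    expected = hashlib.md5(resp[:4] + request_auth + resp[20:] + secret).digest()
    return hmac.compare_digest(expected, resp[4:20])


def cisco_avpair(text):
    """Encode a Cisco (vendor 9) AV-pair as a Vendor-Specific attribute value."""
    val = text.encode()
    return struct.pack("!IBB", CISCO_VENDOR_ID, CISCO_AVPAIR, 2 + len(val)) + val


def error_cause(value):
    """Error-Cause attribute as a (type, value) pair; the value is a 4-byte integer."""
    return (ERROR_CAUSE, struct.pack("!I", value))


def session_ids(pkt):
    """Session-identification attributes in a request, incl. Cisco's audit-session-id."""
    out = {}
    for t, v in parse_packet(pkt)["attrs"]:
        if t == ACCT_SESSION_ID:
            out["Acct-Session-Id"] = v.decode()
        elif t == VENDOR_SPECIFIC:
            vendor, vtype, vlen = struct.unpack("!IBB", v[:6])
            if vendor == CISCO_VENDOR_ID and vtype == CISCO_AVPAIR:
                key, _, val = v[6:4 + vlen].decode().partition("=")
                out[key] = val
    return out


def check_error_cause(pkt):
    """(value, name, violation) per Error-Cause; violation is None when RFC 5176 3.5 allows it."""
    p, findings = parse_packet(pkt), []
    for t, v in p["attrs"]:
        if t != ERROR_CAUSE or len(v) != 4:
            continue
        cause, violation = struct.unpack("!I", v)[0], None
        if p["code"] in (DISCONNECT_NAK, COA_NAK) and 200 <= cause <= 299:
            violation = "success value %d in %s" % (cause, CODE_NAMES[p["code"]])
        elif p["code"] in (DISCONNECT_ACK, COA_ACK) and cause >= 400:
            violation = "failure value %d in %s" % (cause, CODE_NAMES[p["code"]])
        findings.append((cause, ERROR_CAUSES.get(cause, "unassigned"), violation))
    return findings


def demo():
    """Reauthenticate CoA-Request plus two NAKs: the thread's Error-Cause 200 and a valid 503.
    The AV-pair names are illustrative, not copied from a capture."""
    req = build_packet(COA_REQUEST, 7, [
        (VENDOR_SPECIFIC, cisco_avpair("audit-session-id=" + SESSION)),
        (VENDOR_SPECIFIC, cisco_avpair("subscriber:command=reauthenticate")),
    ], SECRET)
    req_auth = parse_packet(req)["auth"]
    nak_200 = build_packet(COA_NAK, 7, [error_cause(200)], SECRET, req_auth)
    nak_503 = build_packet(COA_NAK, 7, [error_cause(503)], SECRET, req_auth)
    return {"request": req, "request_auth": req_auth, "nak_200": nak_200, "nak_503": nak_503}
```

Applied to the UDP payload of a capture between ISE (port 1700 on IOS by default) and the switch, check_error_cause() flags a NAK that carries a 2xx value, verify_response() confirms the NAK really came from the switch rather than something else on the path, and session_ids() shows which audit-session-id the CoA targeted. That last value is what to compare against the switch's session table when MAB and dot1x end up under different session IDs, since a CoA aimed at a session ID the switch no longer holds cannot be honoured.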

Similar Messages

  • AUTH FAILURE.problem

I used the following command to install OC4J 10g standalone but got an error. How do I fix it?
I haven't installed the J2SE SDK, as I discovered JDeveloper Studio includes it.
I configured the global environment variable (right-click My Computer) as JAVA_HOME = C:\jdevstudio10133\jdk\bin\
cmd still does not have the java command; when I use the full path as follows,
I do not know the username or password. I then read a blog saying to use oc4jadmin to set the password, but that failed. How do I install it?
C:\OC4J10g\j2ee\home>C:\jdevstudio10133\jdk\bin\java -jar jazn.jar -activateAdmin adminpassword
AbstractLoginModule username: oc4jadmin
AbstractLoginModule password:
2008-06-26 07:06:07 PM oracle.security.jazn.spi.xml.XMLRealmUser authenticate
INFO: User(jazn.com/oc4jadmin) is deactivated. AUTH FAILURE.
2008-06-26 07:06:07 PM oracle.security.jazn.login.module.RealmLoginModule authenticate
SEVERE: [RealmLoginModule] authentication failed
Authentication Failed

I configured the global environment variable (right-click My Computer) as JAVA_HOME = C:\jdevstudio10133\jdk\bin\
JAVA_HOME should be one level up, before "bin".
BTW, I think you posted this on the wrong forum.

  • System wide auth failure

    How do I log into my administrative account via terminal and then use the password command to change my password to fix a system wide auth failure?

Hi,
I'm not sure how to do this using Terminal, but you can change the admin password using your install disc.
    To reset the administrator password using the Mac OS X Install disc:
    Insert the Mac OS X Install disc and restart the computer.
    When you hear the startup tone, press and hold down the C key until you see the spinning gear.
    When the Language Chooser appears, select your language and click Continue.
    In the Installer, choose Utilities > Reset Password.
    Follow the onscreen instructions to change the password.
    Be sure to change your login keychain password in Keychain Access to match your new account password so your keychain is unlocked when you log in.
    I did find this thread re: Using Terminal to change the admin password.
    http://forums.macosxhints.com/archive/index.php/t-6906.html
    Carolyn

  • Prime 2.0: User Auth Failure Count

    Hello
    In Prime 2.0, on the Home page> General, you can view dashlets showing various bits of information.
    One of those available is User Auth Failure Count and I am trying to establish what this table is showing me and if I can get this information out of Prime in a CSV format for example, in order to do some correlation with RADIUS logs.
    I want to establish whether the users being reported as having an auth failure are actually managing to get onto the network eventually, or whether we have an authentication problem we need to tackle.
    The only reference in Cisco documentation I have found to date says the following, which is not helpful to me:
    "User Auth Failure Count
    This dashlet displays a chart which shows user authentication failure count trend over time.  "
    Does anyone know if this information is exportable somehow?
    thanks
    Bryn

    Hi Scott
I agree with your point that the historical data is available via MSE, but that brings me back to my first question, which is how do I get the data out of Prime?
I cannot find a report to run that returns the Failed Auth User Count data, although it must be there, since it populates the dashlet.
    I think I will have to try our Cisco contact
    thanks
    Bryn

  • Auth Failure Traps

After I changed the SNMP strings on our network devices, I see a list of devices with Auth Failure traps on the syslog server.
I've checked the SNMP credential strings in CiscoWorks for each device and they're correct.
This is the error message on my syslog server:
mm-dd-yyyy    11:23:16    Local0.Info    10.1.1.1    10.1.1.2.150 4 0  Authentication failure 10.1.1.254(CiscoWorks) 1 10.1.1.254(CiscoWorks)
This message wasn't there before I renewed the SNMP community string. After I changed the SNMP string on my routers and switches, I get lots of traps on my syslog server.
How can I stop this?
    Thank you for your help
    Thanks

    Hi Joe,
The root cause of the authentication failure messages was DfmServer. When I stopped it, the messages disappeared.
Process: DfmServer
Path: C:\PROGRA~1\CSCOpx\objects\smarts\bin\CS_sm_server.exe
Flags:
Startup: Started automatically at boot.
Dependencies: DfmBroker
Before applying the patch, when I shut down DfmServer, I could still see the polling. After applying the patch, the polling stopped.
There are only 2 patches for DFM. I have also applied fix CSCta56151.
Patches installed:
Patch Name      Version    Installed Date
CSCtb87449-0    0          02 Mar 2010, 11:28:07 WST
CSCta56151-0    0          04 Mar 2010, 14:18:46 WST
    Any more tips Joe?

  • Pound sign (#) in auth failure in BI

    We get a pound sign in an RSSM trace of an auth failure.  It is related to a profit center hierarchy.
    When we grant a different hierarchy, there is no auth failure, but the pound sign still shows up in the trace, just with a green light.
    What might cause this?  Is it wise to grant the pound sign, or does it signify a data problem?

    Hello,
The pound sign means an unassigned hierarchy value.
The value displayed on the report cannot be assigned to a hierarchy node.
If the light is green: no problem.
Did you read the following guide: "How To... Work With Hierarchy Authorizations.pdf"?
    Hope this helps

  • Doubt in dynamic auth from DSO

    Hi all,
I have to create a dynamic authorization concept from a DSO for an InfoObject XXX.
These are the things I have done:
Created a DSO with the necessary fields and loaded it.
Wrote code in CMOD for the customer exit variable YYY, which was created in Query Designer.
Created a test query and, in the characteristic restrictions, restricted InfoObject XXX with YYY. When I run the query it gives me proper results, in the sense that I get the data stored for my ID in the dynamic auth DSO. But when I remove this filter in the query, I get all the records, which is not desired, because in the role the value * is stored for that InfoObject.
What steps should be taken next related to the role? In some PDF it was mentioned that we need to include the authorization object in the role and restrict it to * or all values. But as I mentioned above, I get all values when I remove that restriction in Query Designer.
Please guide me if I have missed anything. [Does anything related to the role also need a change?]

    Hi
The characteristic restriction is required, because only then will the user exit code be executed, as you are restricting the values only in the user exit.
If you remove the characteristic restriction for that characteristic, then all the values will be displayed, because the exit is skipped when the query executes; hence you get all the values.
Just place a breakpoint in the user exit (CMOD) for the variable and execute the query in RSRT; you will be able to see that.
If you want the authorization to be role based, then you can specify that only values starting with, e.g., Z* (based on the value in master data) should be displayed.
But here it is based on a particular InfoObject value, so you need to restrict this in the exit and include the variable in the query for that characteristic. (The characteristic restriction you mentioned is the filter for that characteristic in the query?)
    Prathish

  • DirectoryService reports mysterious auth failures

    My console log is full of log messages like ones included below. I would love to know where they come from, so I can fix whatever is wrong.
I don't think that someone is trying to break in, as I don't see corresponding failed ssh connections, or any errors in the afp/smb logs. I do see some break-in attempts over ssh, but they don't correspond to the events/names reported for these errors in the console. The user names below also only match local users, and if these were break-in attempts, I wouldn't expect them to know the exact names of all my users. I also don't think that this problem is caused by the connecting LAN clients, as I also see the error for the admin and root accounts.
To me it seems that some local service/facility is not configured correctly, but I'm at a loss as to how to track this down.
    I'm running Mac OS X Server 10.4.3, and have the following things enabled:
    ssh, ard, afp, smb, httpd+webdav (for iCal sharing).
    ===============================================
    Nov 22 15:21:33 server DirectoryService[41]: Failed Authentication return is being delayed due to over five recent auth failures for username: mikael.
    Nov 22 15:26:10 server DirectoryService[41]: Failed Authentication return is being delayed due to over five recent auth failures for username: root.
    Nov 22 17:38:59 server DirectoryService[41]: Failed Authentication return is being delayed due to over five recent auth failures for username: root.
    Nov 22 17:45:19 server DirectoryService[41]: Failed Authentication return is being delayed due to over five recent auth failures for username: admin.
    Nov 22 17:48:04 server DirectoryService[41]: Failed Authentication return is being delayed due to over five recent auth failures for username: joar.
    Nov 22 17:50:15 server DirectoryService[41]: Failed Authentication return is being delayed due to over five recent auth failures for username: david.
    Nov 22 17:52:27 server DirectoryService[41]: Failed Authentication return is being delayed due to over five recent auth failures for username: johan.
    Nov 22 17:54:38 server DirectoryService[41]: Failed Authentication return is being delayed due to over five recent auth failures for username: fredrika.
    Nov 22 17:56:50 server DirectoryService[41]: Failed Authentication return is being delayed due to over five recent auth failures for username: tove.
    Nov 22 17:59:02 server DirectoryService[41]: Failed Authentication return is being delayed due to over five recent auth failures for username: mikael.
    Nov 22 18:53:47 server DirectoryService[41]: Failed Authentication return is being delayed due to over five recent auth failures for username: admin.
    Nov 22 18:53:47 server DirectoryService[41]: Failed Authentication return is being delayed due to over five recent auth failures for username: joar.
    Nov 22 22:34:15 server DirectoryService[41]: Failed Authentication return is being delayed due to over five recent auth failures for username: mikael.
    Nov 22 23:33:35 server DirectoryService[41]: Failed Authentication return is being delayed due to over five recent auth failures for username: root.
    Nov 22 23:41:23 server DirectoryService[41]: Failed Authentication return is being delayed due to over five recent auth failures for username: admin.
    Nov 22 23:44:28 server DirectoryService[41]: Failed Authentication return is being delayed due to over five recent auth failures for username: joar.
    Nov 22 23:47:36 server DirectoryService[41]: Failed Authentication return is being delayed due to over five recent auth failures for username: david.
    Nov 22 23:50:32 server DirectoryService[41]: Failed Authentication return is being delayed due to over five recent auth failures for username: johan.
    Nov 22 23:52:32 server DirectoryService[41]: Failed Authentication return is being delayed due to over five recent auth failures for username: fredrika.
    Nov 22 23:54:32 server DirectoryService[41]: Failed Authentication return is being delayed due to over five recent auth failures for username: tove.
    Nov 22 23:56:36 server DirectoryService[41]: Failed Authentication return is being delayed due to over five recent auth failures for username: mikael.
      Mac OS X (10.4.3)  

    Hi,
    I've seen this as well and I think the cause is someone trying to use either Server Admin or Server Monitor without the correct credentials on that server.
    I haven't verified this, but I had a colleague reenter the username and password in both of these programs on his machine and the messages went away on the server.
    Hope that helps.
    Kevin Anderson
    Fairbanks School District
    Fairbanks, Alaska
    20 in iMac G5   Mac OS X (10.4.3)   Many, many Xserves

  • ISE 1.2 EAP Chaining and Windows 8 - Auth failures

    Hi All,
I've got a couple of sites that appear to have issues with EAP chaining, ISE 1.2 and the AnyConnect client on Windows 8 Enterprise.
Basically the Windows 8 machines authenticate intermittently and randomly, but largely fail auth.
Often the client will work perfectly for a boot, even after a few reboots, and then might stop working. Other clients won't work at all, no matter what settings you configure.
    Outer Method - EAP-FASTv2
    Inner Method - MSChapV2
    ISE 1.2 with Patch 1 (latest)
    Windows 8 Enterprise - with patch http://support.microsoft.com/kb/2743127
    Anyconnect Client  3.1.0466 (latest)
    Machine and User Auth Against AD.
    Cert checks disabled for testing.
    Clients using same configuration.xml file
The symptom is that AnyConnect prompts for username/password instead of using existing credentials. Typing credentials doesn't work.
    Logs show failed "anonymous" authentications or client EAP timeouts.
    Cheers
    Peter.

    Hi Peter,
It sounds like the inner method is not being negotiated properly, so it is only reading the outer method, which by default is set to show "Anonymous" in AnyConnect profiles.
    Is it possible to upload a PDF version or copy paste the output of the failure from ISE's perspective?
    Kind Regards,
    Vlad

  • ISE 1.2 Authentication Failures at First time Connection

    Hi,
I have a problem with ISE 1.2 when trying to authenticate an end-device for the first time; the device might be a workstation, IP phone, printer, etc. It fails or stays in running mode. The result is the same: it cannot access the network. Hopefully I'm still in open mode :)
As I described at the beginning, everything has status Running or Authz Failed, and after a period of time, usually one day, it finally succeeds.
This happens mostly for workstations and printers, but phones do not show the same behavior. I unplug/plug the phones or shut/no shut the ports to trigger them to succeed. For some phones this worked, but others obstinately declined.
The phones, which are not Cisco phones, authenticate with MD5 (a simple username and password), so I think the problem should not be related to the auth protocol.
Below are some logs from one phone. My short conclusion is that this must be related to the switches, which are 3750Es (IOS 15.0(2)SE4),
or to ISE itself, because I have almost the same behavior for all end-devices.
I kindly await your comments...
2169669: Apr 16 18:02:20.573 EEST: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/35, changed state to up
2169670: Apr 16 18:02:20.783 EEST: %DOT1X-5-FAIL: Authentication failed for client (0080.9f7d.3ddf) on Interface Gi1/0/34 AuditSessionID 0A114D0D0000D5E8855C01DE
2169671: Apr 16 18:02:20.791 EEST: %AUTHMGR-7-RESULT: Authentication result 'timeout' from 'dot1x' for client (0080.9f7d.3ddf) on Interface Gi1/0/34 AuditSessionID 0A114D0D0000D5E8855C01DE
2169672: Apr 16 18:02:20.992 EEST: %AUTHMGR-5-START: Starting 'dot1x' for client (0080.9f7d.3ddf) on Interface Gi1/0/34 AuditSessionID 0A114D0D0000D5F0855DE0EF
2169673: Apr 16 18:02:21.580 EEST: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/35, changed state to up
2169674: Apr 16 18:02:24.289 EEST: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/35, changed state to down
2169675: Apr 16 18:02:25.288 EEST: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/35, changed state to down
2169676: Apr 16 18:02:26.269 EEST: %AUTHMGR-5-START: Starting 'dot1x' for client (0080.9f7d.3e6f) on Interface Gi1/0/35 AuditSessionID 0A114D0D0000D5F1855DF3BE
2169677: Apr 16 18:02:26.294 EEST: %DOT1X-5-FAIL: Authentication failed for client (0080.9f7d.3e6f) on Interface Gi1/0/35 AuditSessionID 0A114D0D0000D5F1855DF3BE
2169678: Apr 16 18:02:26.294 EEST: %AUTHMGR-7-RESULT: Authentication result 'fail' from 'dot1x' for client (0080.9f7d.3e6f) on Interface Gi1/0/35 AuditSessionID 0A114D0D0000D5F1855DF3BE
2169679: Apr 16 18:02:26.303 EEST: %DOT1X-5-FAIL: Authentication failed for client (0080.9f7d.3e6f) on Interface Gi1/0/35 AuditSessionID 0A114D0D0000D5F1855DF3BE
2169680: Apr 16 18:02:26.303 EEST: %AUTHMGR-7-RESULT: Authentication result 'fail' from 'dot1x' for client (0080.9f7d.3e6f) on Interface Gi1/0/35 AuditSessionID 0A114D0D0000D5F1855DF3BE
2169681: Apr 16 18:02:26.319 EEST: %DOT1X-5-FAIL: Authentication failed for client (0080.9f7d.3e6f) on Interface Gi1/0/35 AuditSessionID 0A114D0D0000D5F1855DF3BE
2169682: Apr 16 18:02:26.319 EEST: %AUTHMGR-7-RESULT: Authentication result 'fail' from 'dot1x' for client (0080.9f7d.3e6f) on Interface Gi1/0/35 AuditSessionID 0A114D0D0000D5F1855DF3BE
2169683: Apr 16 18:02:26.319 EEST: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (0080.9f7d.3e6f) on Interface Gi1/0/35 AuditSessionID 0A114D0D0000D5F1855DF3BE
2169684: Apr 16 18:02:26.319 EEST: %AUTHMGR-5-START: Starting 'mab' for client (0080.9f7d.3e6f) on Interface Gi1/0/35 AuditSessionID 0A114D0D0000D5F1855DF3BE
2169685: Apr 16 18:02:26.328 EEST: %MAB-5-FAIL: Authentication failed for client (0080.9f7d.3e6f) on Interface Gi1/0/35 AuditSessionID 0A114D0D0000D5F1855DF3BE
2169686: Apr 16 18:02:26.328 EEST: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'mab' for client (0080.9f7d.3e6f) on Interface Gi1/0/35 AuditSessionID 0A114D0D0000D5F1855DF3BE
2169687: Apr 16 18:02:26.328 EEST: %AUTHMGR-7-FAILOVER: Failing over from 'mab' for client (0080.9f7d.3e6f) on Interface Gi1/0/35 AuditSessionID 0A114D0D0000D5F1855DF3BE
2169688: Apr 16 18:02:26.328 EEST: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (0080.9f7d.3e6f) on Interface Gi1/0/35 AuditSessionID 0A114D0D0000D5F1855DF3BE
2169689: Apr 16 18:02:26.336 EEST: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (0080.9f7d.3e6f) on Interface Gi1/0/35 AuditSessionID 0A114D0D0000D5F1855DF3BE
2169690: Apr 16 18:02:27.737 EEST: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/35, changed state to up
2169691: Apr 16 18:02:28.744 EEST: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/35, changed state to up
    Regards
    T.C
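As an added example (not code from the post, Cisco or ISE), the following Python groups IOS %AUTHMGR/%DOT1X/%MAB syslog lines by AuditSessionID and reduces each session to the methods that ran, what each returned, and whether the authentication manager exhausted its method list and ended with authorization failed. That per-session view is the thing to line up against the ISE live log before deciding whether the delay is on the switch or the server side. The log lines embedded below are constructed in the post's format with made-up MAC addresses and session IDs; the plain-language reading of the result strings is the example author's interpretation, not wording from the post.

```python
# Summarise IOS 802.1X/MAB syslog by AuditSessionID.  Added example, not code from the post.
import re
from collections import OrderedDict

# Constructed sample in the format the post shows; MACs and session IDs are made up.
SAMPLE_LOG = """\
Apr 16 18:02:20.783 EEST: %DOT1X-5-FAIL: Authentication failed for client (0200.0000.0001) on Interface Gi1/0/34 AuditSessionID 0A00000100000001000000A1
Apr 16 18:02:20.791 EEST: %AUTHMGR-7-RESULT: Authentication result 'timeout' from 'dot1x' for client (0200.0000.0001) on Interface Gi1/0/34 AuditSessionID 0A00000100000001000000A1
Apr 16 18:02:26.269 EEST: %AUTHMGR-5-START: Starting 'dot1x' for client (0200.0000.0002) on Interface Gi1/0/35 AuditSessionID 0A00000100000002000000B2
Apr 16 18:02:26.294 EEST: %DOT1X-5-FAIL: Authentication failed for client (0200.0000.0002) on Interface Gi1/0/35 AuditSessionID 0A00000100000002000000B2
Apr 16 18:02:26.294 EEST: %AUTHMGR-7-RESULT: Authentication result 'fail' from 'dot1x' for client (0200.0000.0002) on Interface Gi1/0/35 AuditSessionID 0A00000100000002000000B2
Apr 16 18:02:26.319 EEST: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (0200.0000.0002) on Interface Gi1/0/35 AuditSessionID 0A00000100000002000000B2
Apr 16 18:02:26.319 EEST: %AUTHMGR-5-START: Starting 'mab' for client (0200.0000.0002) on Interface Gi1/0/35 AuditSessionID 0A00000100000002000000B2
Apr 16 18:02:26.328 EEST: %MAB-5-FAIL: Authentication failed for client (0200.0000.0002) on Interface Gi1/0/35 AuditSessionID 0A00000100000002000000B2
Apr 16 18:02:26.328 EEST: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'mab' for client (0200.0000.0002) on Interface Gi1/0/35 AuditSessionID 0A00000100000002000000B2
Apr 16 18:02:26.328 EEST: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (0200.0000.0002) on Interface Gi1/0/35 AuditSessionID 0A00000100000002000000B2
Apr 16 18:02:26.336 EEST: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (0200.0000.0002) on Interface Gi1/0/35 AuditSessionID 0A00000100000002000000B2
Apr 16 18:02:27.737 EEST: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/35, changed state to up
"""

MSG_RE = re.compile(r"%(?P<facility>[A-Z0-9]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z]+): (?P<text>.*)$")
FIELD_RES = (
    re.compile(r"AuditSessionID (?P<sid>[0-9A-F]+)"),
    re.compile(r"client \((?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\)"),
    re.compile(r"on Interface (?P<intf>\S+)"),
    re.compile(r"result '(?P<result>[a-z-]+)' from '(?P<method>[a-z0-9]+)'"),
)


def parse_line(line):
    """Return facility/mnemonic plus whatever session fields the line carries, or None."""
    m = MSG_RE.search(line)
    if not m:
        return None
    ev = {"facility": m["facility"], "mnemonic": m["mnemonic"], "text": m["text"]}
    for rx in FIELD_RES:
        hit = rx.search(m["text"])
        if hit:
            ev.update(hit.groupdict())
    return ev


def summarise(log_text):
    """Group events by AuditSessionID and reduce each session to: which methods ran and
    what each returned, whether the method list was exhausted, and whether the
    authentication manager ended with authorization failed."""
    sessions = OrderedDict()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev or "sid" not in ev:
            continue  # link up/down and similar lines carry no session
        s = sessions.setdefault(ev["sid"], {"mac": ev.get("mac"), "interface": ev.get("intf"),
                                            "results": [], "exhausted": False, "authz_failed": False})
        if ev["mnemonic"] == "RESULT":
            s["results"].append((ev["method"], ev["result"]))
        elif ev["mnemonic"] == "NOMOREMETHODS":
            s["exhausted"] = True
        elif ev["facility"] == "AUTHMGR" and ev["mnemonic"] == "FAIL":
            s["authz_failed"] = True  # %DOT1X-5-FAIL / %MAB-5-FAIL are per-method and not counted here
    return sessions


# Plain-language reading of the AUTHMGR result strings: the example author's
# interpretation, not wording from the post or from Cisco documentation.
RESULT_MEANING = {"fail": "server rejected", "timeout": "timed out",
                  "no-response": "no reply from endpoint", "success": "authenticated"}


def explain(session):
    """One-line verdict for a session, e.g. for a ticket or a dashboard row."""
    parts = ["%s: %s" % (m, RESULT_MEANING.get(r, r)) for m, r in session["results"]]
    if session["exhausted"]:
        parts.append("all methods exhausted")
    if session["authz_failed"]:
        parts.append("authorization failed or unapplied")
    return "; ".join(parts)


if __name__ == "__main__":
    for sid, s in summarise(SAMPLE_LOG).items():
        print(sid, s["interface"], s["mac"], "->", explain(s))
```

Feed it the output of a syslog collector or `show logging` and look at sessions whose verdict is "server rejected" versus "timed out": the first set has a matching Access-Reject in the ISE live log to read, the second set does not and points at reachability or timer settings between the switch and the PSN.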

I'm not using certificate-based authentication for any end-devices.
Workstations use the Windows default authentication protocol, EAP/MSCHAPv2.
In front of them there are non-Cisco IP phones with auth method EAP/MD5.
Finally, I also have some printers, again with EAP/MD5.
For all of these devices I get the same behavior: after many hours they finally authenticate with ISE. But is this the expected behavior?
What I understand is that if the devices finally authenticate, then there isn't anything wrong with the method.
The points I don't understand are 3:
Why is there so much delay for all devices to authenticate?
Why do some devices, mostly IP phones (not all), continue to fail the authentication method? All my devices are identical, with the same software/patch, same model, etc.
I have noticed randomly that some devices succeed one moment and fail the next.
So in my understanding there is abnormal behavior, and I cannot find a way/pattern to correct it or to understand the reason :)
Port config:
 switchport access vlan xxx
 switchport mode access
 switchport voice vlan yyy
 ip access-group ACL-ALLOW in
 authentication event fail action next-method
 authentication event server dead action reinitialize vlan xxx
 authentication event server dead action authorize voice
 authentication event server alive action reinitialize
 authentication host-mode multi-domain
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication violation restrict
 mab
 dot1x pae authenticator
 no cdp enable
 spanning-tree portfast
    result template
    Switch#sh auth sess int g1/0/46
                Interface:  GigabitEthernet1/0/46
              MAC Address:  xxxx.xxxx.xxxx
               IP Address:  xx.xxx.xx.xxx
                User-Name:  xxxxxxxxxxxx
                   Status:  Authz Failed
                   Domain:  DATA
          Security Policy:  Should Secure
          Security Status:  Unsecure
           Oper host mode:  multi-domain
         Oper control dir:  both
          Session timeout:  N/A
             Idle timeout:  N/A
        Common Session ID:  0A114D0A00001972016208E1
          Acct Session ID:  0x00001BB7
                   Handle:  0x6D0009B6
    Runnable methods list:
           Method   State
           dot1x    Failed over
           mab      Failed over

  • ISE 1.2 Auth Avg Response Time

    Hi Guys,
We have recently moved to ISE 1.2 (distributed deployment on UCS C220 blades) from ACS 5.x. We are seeing an average auth response time of ~150 ms on each PSN node (4 in total) and wonder whether this is too slow.
Is this normal, or should we have a much lower average response time for those RADIUS authentications? What are the typical values you have observed in that sort of deployment?
    Any input would be much appreciated
    Rasika       

    Hi,
    Where did you get your information from? Is it from the ISE Authentication Report Summary? If so, which of the Average responses are you concerned about? Authentications By Day, Identity Group, Identity Store, Allowed Protocol etc.
    In my network average response based on protocol PEAP is 121ms. Authentication by day is 74ms. Then again my network may be smaller than yours. Also I have an appliance and not a Virtual Server. In my opinion, I don't think 150ms is that much to make the user notice. If authentication response gets close to 300ms, then you have an issue.
    If you have a very large network like a University Campus, then 150ms is OK.

  • ISE for Guest Auth but need traffic logs

We have guests that visit our office and connect to the Guest WiFi. We want to implement ISE for the self-sign-in portal. That would help us identify the user and have them accept the legal terms without involving IT.
When a guest logs in and surfs the web, we want to track which websites they go to, for legal purposes, and hold that information for 18 months. I am not sure how I can achieve this second part.
The guests may visit us once or twice every 6 months, so using WSA with AD auth, for example, would not be ideal, and that's why we like the ISE portal.
    We are using Cisco 5500 WLC's.
    Any help is appreciated.

    If your guests surf through an ASA firewall, you can send that firewall syslog to ise, and ise will correlate the logs with the guest users that are logged in, so you can track activity in ise. There is a report that is called something like "Guest Activity" where this will get collected.

  • ISE, WLC: web auth, blocking user account

    Hello!
We are implementing a BYOD concept with ISE (1.1.4) and WLC 5508 (7.4.100).
On the WLC there is an SSID (WLAN) with MAC filtering and no L2 security. For authentication, the user is redirected to the ISE Guest Portal.
Credentials are created in the ISE sponsor portal.
We create a user account in the ISE sponsor portal with a one-hour lease.
After 10 minutes we delete (or block) the user credentials.
In spite of that, the user is still able to work. Even if we manually disconnect the client and reconnect it again, the client opens the browser and there is no redirection to the ISE web auth page.
This happens because the WLC thinks that the client is still associated.
There are session and idle timeout timers in the WLC WLAN, but they can't solve the problem of automatically removing the client session.
From my point of view, ISE must send some kind of reauth request to the user after account deletion, to make user authentication impossible.
In practice, ISE doesn't tell the WLC or the user that the client session is blocked.
How can the user account blocking process be automated without manually deleting the client session from the WLC client database?

It seems that there is a bug about CoA when deleting guest accounts:
CSCuc82135
Guests need to be removed from the network on Suspend/Delete/Expiration
When a guest user is deleted from the system, the RADIUS sessions associated with that guest user still exist.
Workaround: Reissue the Change of Authorization using the session information from Monitoring reports for the sessions associated with that guest user.
http://www.cisco.com/en/US/docs/security/ise/1.1.1/release_notes/ise111_rn.html#wp411891
In the Bug Toolkit the "Fixed-in" field shows Release-Pending.

  • CHARM: SDHF_04 auths failure

I am testing ChaRM and an incorrect authorization failure has occurred.
The scenario is as follows:
Using the Developer user, I have successfully created Normal Corrections and processed them.
Now, trying to create Emergency Corrections, the process fails at the action "Set to In Development"; the error produced is "An action was terminated due to an exceptional situation".
Having then run SU53, an authorization failure is detected.
The failure is on auth object B_USERSTAT, for BERSL SDHF_04. This is completely incorrect: this BERSL would allow the developer to approve for production, while the current action is simply to set to In Development.
The configuration is clear that the authorization required for this action is BERSL SDHF_01, which the user has through the SOCM_DEVELOPER role.
Based on the documentation
http://help.sap.com/saphelp_nw70ehp1/helpdata/en/45/51fbdbd4941803e10000000a1553f7/frameset.htm
we have given the developer the correct roles; also, based on our experience with the normal correction, the role is correct. I realise that emergency and normal corrections are processed differently; however, my statement is based on the configuration and the required auths in the Developer role.
The only user who should have the access being requested is the production manager; this role has the requested access as detailed in the documentation.
Why does the action "Set to In Development" for an emergency correction require SDHF_04, or in fact anything other than SDHF_01 as detailed in the configuration?
I would appreciate any pointers on where I should look to see why this auth check is happening.
    Thanks in advance
    Marina

    Hi
In the standard behavior, after a Change Manager creates an urgent correction by authorizing a change request, the MC links will be added to the document flow area.
Check this document flow in your urgent correction. If the cycle assignment is still empty, that means the change manager has not fully authorized this urgent correction.
As a result, since the link to the MC is still missing, it is required to assign the urgent correction to a cycle when you shift its phase to "In Development". That's the reason why you receive this kind of error.
And it explains why the change manager's role is needed here.
If this role is also set up according to the documentation, there could be an issue in the actions executed.
Sometimes inconsistencies in the customizing are the reason why PPF actions are not executed automatically.
If this is your case, reactivation of BC Set SOLMAN40_CHARM_BASICFUNC_001 may be helpful.
    Kind regards,
    Marta

  • Using ISE to dynamically VLAN change

    Hello all,
I need some help to dynamically change the VLAN on each port of my Catalyst 3560. To do this, I don't want to use MAC address filtering; I want to use conditions already in place in my ISE to switch the port between two VLANs (Guest and Corporate), where one gives access to the corporate LAN and the other to the Internet without LAN access.
Maybe some of you could have some ideas on how to do this, with or maybe without VLANs?
    PS : Sorry for my bad English, i'm not a native English speaker ;)
    Thank you in advance.

I do not get exactly what you are looking for, but still:
The two kinds of access you are anticipating can be achieved either way.
Change of VLAN: as explained by you, you need to create two different authorization policies according to the (AD) group the user belongs to (e.g. employee or guest).
dACL: you can push a downloadable ACL to the switch according to the user's AD group membership.
Let me know if you need help from a design or configuration point of view.
