ISE using 2 domains with trust established

Similar Messages

• ISE 1.2 Authentication fails for 2nd AD domain with the forest trust relation

  We are running cisco ISE 1.2, we have new AD domain with forest trust relation between both the new and the old. authentication to with the new domain fails.
  Is there any requirements or configurations change needs to be done to make it success?

  Use the license that is currently on your ISE.  If your account has access to download the software, then you are good.  The license will not change during the upgrade.  If you are using ISE 1.2 Patch 8 or above, then you are using the same Base/Plus?Apex Licensing model. 
  If you are not yet on Patch 8, the you are using Base/Advanced and these will be converted during the upgrade.
  Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.  Otherwise, feel free to post follow-up questions.
  Charles Moreton

• How can i Use SERVLET with RMI to avoid trust certificate

  I know that for begining RMI, you must launch the server and the client.
  for the server i use :
  java -Djavax.net.ssl.trustStore=server.keystore -Djavax.net.ssl.keyStore=server.keystore -Djavax.net.ssl.keyStorePassword=server TestServer
  for the client I use :
  java -Djavax.net.ssl.trustStore=client.keystore -Djavax.net.ssl.keyStore=client.keystore -Djavax.net.ssl.keyStorePassword=client TestClient
  and all work fine.
  but i want to use a servlet for rmi client and i wrote this:
  public class AppelServlet extends HttpServlet
       public void doPost(HttpServletRequest request, HttpServletResponse response)
       throws ServletException, IOException
            try
                 System.out.println("Registering secure RMI socket factory ...");
                 java.rmi.server.RMISocketFactory.setSocketFactory(new SecureRMISocketFactory());
            TestRemote test = (TestRemote) Naming.lookup("rmi://127.0.0.1:7123/TestClient");
  String reponse=test.toLowerCase("HELLO WORLD");
                 System.out.println("la reponse est : "+reponse);
       catch (Exception e)
            System.out.println("test client exception: " +e);
  PrintWriter out = response.getWriter();
            response.setContentType("text/html");
  and i have the following error on tomcat:
  Registering secure RMI socket factory ...
  test client exception: java.rmi.ConnectIOException: error during JRMP connection
  establishment; nested exception is:
  javax.net.ssl.SSLHandshakeException: Couldn't find trusted certificate
  i think i must precise how to indicate the truststore like in the first case.
  help me please.
  hamdi

  Hi,
  Try doing the following steps.
  Assuming you have a certificate obtained
  Export the certificate into a .cer file.
  On IE, goto tools->internet options->content->certificates, and export to a .cer file.
  Using keytool of java import the certificate to the store that can be used doing the following command.
  keytool -import -alias <ailas> -file < .cer filename> -keystore <storename here>
  set the javax.net.ssl.trustStore and javax.net.ssl.trustStorePassword properties at the command prompt using the command below.
  java -Djavax.net.ssl.trustStore=<storename> -Djavax.net.ssl.trustStorePassword=<password> <classname>
  Let me know if this helped.
  Also take a look at this link for using RMI with SSL
  http://java.sun.com/products/jdk/1.2/docs/guide/rmi/SSLInfo.html
  Regards,
  Roopasri Vittal
  Developer Technical Support
  Sun Microsystems
  http://sun.com/developers/support

• Wireless guest access with CWA and ISE using mobility anchor

  My team is trying to demo wireless guest access using CWA with an ISE server.  We appear to be hitting an issue when combining this with mobility anchoring.
  When we don't use a mobility anchor the authentication goes off without a hitch seemingly proving that the ISE configuration is sound.  The test laptop associates and gets redirected, auths, moves to the RUN state and access to the network is granted.
  When the mobility anchor is enabled, the test laptop does get redirected, authentication is successful, but the process does not fully complete, as on the foreign controller the user is in RUN state whereas on the anchor the user is still stuck at CWA required.
  Now, I've read the L2 auth occurs between the foreign controller and ISE, and the L3 auth occurs between the anchor controller and ISE, but this does not appear to borne out in packet captures of the process where both parts of the auth seems to go to and from the foreign controller and ISE.
  I'm curious to know if anyone else has come across this issue, or has ideas where I should be looking in the config or debugs to find the root cause.
  When setting up the controllers and ISE this guide (linked below) was used and the controllers are 2504 controllers on 7.5 series software and ISE is on the latest 1.2 patches:
  http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080bead09.shtml
  To me it seems to be mobility related, but the authentication flow does seem to be off compared with what the guide says.

  FOREIGN
  *apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 Adding mobile on LWAPP AP 0c:d9:96:ba:7d:20(1)
  *apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 Association received from mobile on BSSID 0c:d9:96:ba:7d:2f
  *apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 Global 200 Clients are allowed to AP radio
  *apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 Max Client Trap Threshold: 0  cur: 0
  *apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 Rf profile 600 Clients are allowed to AP wlan
  *apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 Applying Interface policy on Mobile, role Unassociated. Ms NAC State 0 Quarantine Vlan 0 Access Vlan 0
  *apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 Re-applying interface policy for client
  *apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 0.0.0.0 START (0) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2164)
  *apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 0.0.0.0 START (0) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2185)
  *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 apfApplyWlanPolicy: Retaining the ACL recieved in AAA attributes 255 on mobile
  *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 apfApplyWlanPolicy: Apply WLAN Policy over PMIPv6 Client Mobility Type
  *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 In processSsidIE:4565 setting Central switched to TRUE
  *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 In processSsidIE:4568 apVapId = 1 and Split Acl Id = 65535
  *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 Applying site-specific Local Bridging override for station 00:1e:c2:c0:96:05 - vapId 1, site 'AP-Group-CHEC.default', interface 'management'
  *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 Applying Local Bridging Interface Policy for station 00:1e:c2:c0:96:05 - vlan 84, interface id 0, interface 'management'
  *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 processSsidIE  statusCode is 0 and status is 0
  *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 processSsidIE  ssid_done_flag is 0 finish_flag is 0
  *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 STA - rates (8): 140 18 152 36 176 72 96 108 0 0 0 0 0 0 0 0
  *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 suppRates  statusCode is 0 and gotSuppRatesElement is 1
  *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 apfProcessAssocReq (apf_80211.c:7830) Changing state for mobile 00:1e:c2:c0:96:05 on AP 0c:d9:96:ba:7d:20 from Idle to AAA Pending
  *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 Scheduling deletion of Mobile Station:  (callerId: 20) in 10 seconds
  *radiusTransportThread: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 Username entry (00-1E-C2-C0-96-05) created for mobile, length = 253
  *radiusTransportThread: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 Username entry (00-1E-C2-C0-96-05) created in mscb for mobile, length = 253
  *apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 Received SGT for this Client.
  *apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 Redirect URL received for client from RADIUS. Client will be moved to WebAuth_Reqd state to facilitate redirection. Skip web-auth Flag = 0
  *apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 Resetting web IPv4 acl from 255 to 255
  *apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 Resetting web IPv4 Flex acl from 65535 to 65535
  *apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 Applying Interface policy on Mobile, role Unassociated. Ms NAC State 2 Quarantine Vlan 0 Access Vlan 84
  *apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 Re-applying interface policy for client
  *apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 0.0.0.0 START (0) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2164)
  *apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 0.0.0.0 START (0) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2185)
  *apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 apfApplyWlanPolicy: Retaining the ACL recieved in AAA attributes 0 on mobile
  *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 apfApplyWlanPolicy: Apply WLAN Policy over PMIPv6 Client Mobility Type
  *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 Inserting AAA Override struct for mobile
  MAC: 00:1e:c2:c0:96:05, source 2
  *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 0.0.0.0 START (0) Initializing policy
  *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state START (0)
  *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 0.0.0.0 AUTHCHECK (2) Change state to L2AUTHCOMPLETE (4) last state AUTHCHECK (2)
  *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 Not Using WMM Compliance code qosCap 00
  *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 0.0.0.0 L2AUTHCOMPLETE (4) Plumbed mobile LWAPP rule on AP 0c:d9:96:ba:7d:20 vapId 1 apVapId 1 flex-acl-name:
  *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 0.0.0.0 L2AUTHCOMPLETE (4) Change state to DHCP_REQD (7) last state L2AUTHCOMPLETE (4)
  *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 apfMsAssoStateInc
  *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 apfPemAddUser2 (apf_policy.c:333) Changing state for mobile 00:1e:c2:c0:96:05 on AP 0c:d9:96:ba:7d:20 from AAA Pending to Associated
  *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 apfPemAddUser2:session timeout forstation 00:1e:c2:c0:96:05 - Session Tout 1800, apfMsTimeOut '1800' and sessionTimerRunning flag is  0
  *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 Scheduling deletion of Mobile Station:  (callerId: 49) in 1800 seconds
  *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 Func: apfPemAddUser2, Ms Timeout = 1800, Session Timeout = 1800
  *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 Sending Assoc Response to station on BSSID 0c:d9:96:ba:7d:2f (status 0) ApVapId 1 Slot 1
  *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 apfProcessRadiusAssocResp (apf_80211.c:3066) Changing state for mobile 00:1e:c2:c0:96:05 on AP 0c:d9:96:ba:7d:20 from Associated to Associated
  *DHCP Socket Task: Jan 28 23:04:59.567: 00:1e:c2:c0:96:05 DHCP received op BOOTREQUEST (1) (len 308,vlan 84, port 13, encap 0xec03)
  *DHCP Socket Task: Jan 28 23:04:59.567: 00:1e:c2:c0:96:05 DHCP (encap type 0xec03) mstype 0ff:ff:ff:ff:ff:ff
  *DHCP Socket Task: Jan 28 23:04:59.567: 00:1e:c2:c0:96:05 DHCP dropping packet due to ongoing mobility handshake exchange, (siaddr 0.0.0.0,  mobility state = 'apfMsMmQueryRequested'
  *DHCP Socket Task: Jan 28 23:05:01.523: 00:1e:c2:c0:96:05 DHCP received op BOOTREQUEST (1) (len 308,vlan 84, port 13, encap 0xec03)
  *DHCP Socket Task: Jan 28 23:05:01.523: 00:1e:c2:c0:96:05 DHCP (encap type 0xec03) mstype 0ff:ff:ff:ff:ff:ff
  *DHCP Socket Task: Jan 28 23:05:01.523: 00:1e:c2:c0:96:05 DHCP dropping packet due to ongoing mobility handshake exchange, (siaddr 0.0.0.0,  mobility state = 'apfMsMmQueryRequested'
  *mmMaListen: Jan 28 23:05:02.362: 00:1e:c2:c0:96:05 0.0.0.0 DHCP_REQD (7) State Update from Mobility-Incomplete to Mobility-Complete, mobility role=ExpForeign, client state=APF_MS_STATE_ASSOCIATED
  *mmMaListen: Jan 28 23:05:02.362: 00:1e:c2:c0:96:05 apfMsRunStateInc
  *mmMaListen: Jan 28 23:05:02.362: 00:1e:c2:c0:96:05 0.0.0.0 DHCP_REQD (7) Change state to RUN (20) last state DHCP_REQD (7)
  *mmMaListen: Jan 28 23:05:02.362: 00:1e:c2:c0:96:05 0.0.0.0 RUN (20) Reached PLUMBFASTPATH: from line 5793
  *mmMaListen: Jan 28 23:05:02.362: 00:1e:c2:c0:96:05 0.0.0.0 RUN (20) Adding Fast Path rule
    type = Airespace AP Client
    on AP 0c:d9:96:ba:7d:20, slot 1, interface = 13, QOS = 0
    IPv4 ACL ID = 255, IPv6 ACL ID = 255,
  *mmMaListen: Jan 28 23:05:02.362: 00:1e:c2:c0:96:05 0.0.0.0 RUN (20) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 15206  Local Bridging Vlan = 84, Local Bridging intf id = 0
  *mmMaListen: Jan 28 23:05:02.363: 00:1e:c2:c0:96:05 0.0.0.0 RUN (20) Successfully plumbed mobile rule (IPv4 ACL ID 255, IPv6 ACL ID 255, L2 ACL ID 255)
  *pemReceiveTask: Jan 28 23:05:02.364: 00:1e:c2:c0:96:05 Set bi-dir guest tunnel for 00:1e:c2:c0:96:05 as in Export Foreign role
  *pemReceiveTask: Jan 28 23:05:02.364: 00:1e:c2:c0:96:05 0.0.0.0 Added NPU entry of type 1, dtlFlags 0x4
  *pemReceiveTask: Jan 28 23:05:02.364: 00:1e:c2:c0:96:05 Skip Foreign / Export Foreign Client IP 0.0.0.0 plumbing in FP SCB
  *DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP received op BOOTREQUEST (1) (len 308,vlan 84, port 13, encap 0xec03)
  *DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP (encap type 0xec03) mstype 0ff:ff:ff:ff:ff:ff
  *DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP processing DHCP REQUEST (3)
  *DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP   op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 0
  *DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP   xid: 0xafea6bc9 (2951375817), secs: 5, flags: 0
  *DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP   chaddr: 00:1e:c2:c0:96:05
  *DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP   ciaddr: 0.0.0.0,  yiaddr: 0.0.0.0
  *DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP   siaddr: 0.0.0.0,  giaddr: 0.0.0.0
  *DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP   requested ip: 10.130.98.8
  *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 DHCP received op BOOTREPLY (2) (len 320,vlan 84, port 13, encap 0xec07)
  *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 DHCP processing DHCP ACK (5)
  *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 DHCP   op: BOOTREPLY, htype: Ethernet, hlen: 6, hops: 0
  *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 DHCP   xid: 0xafea6bc9 (2951375817), secs: 0, flags: 0
  *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 DHCP   chaddr: 00:1e:c2:c0:96:05
  *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 DHCP   ciaddr: 0.0.0.0,  yiaddr: 10.130.98.8
  *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 DHCP   siaddr: 10.30.4.173,  giaddr: 0.0.0.0
  *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 DHCP   server id: 1.1.1.2  rcvd server id: 1.1.1.2
  *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) DHCP Address Re-established
  *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Reached PLUMBFASTPATH: from line 6978
  *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Replacing Fast Path rule
    type = Airespace AP Client
    on AP 0c:d9:96:ba:7d:20, slot 1, interface = 13, QOS = 0
    IPv4 ACL ID = 255, IPv6 ACL ID
  *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 15206  Local Bridging Vlan = 84, Local Bridging intf id = 0
  *DHCP Socket Task: Jan 28 23:05:03.888: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Successfully plumbed mobile rule (IPv4 ACL ID 255, IPv6 ACL ID 255, L2 ACL ID 255)
  *DHCP Socket Task: Jan 28 23:05:03.888: 00:1e:c2:c0:96:05 Assigning Address 10.130.98.8 to mobile
  *DHCP Socket Task: Jan 28 23:05:03.888: 00:1e:c2:c0:96:05 DHCP success event for client. Clearing dhcp failure count for interface management.
  *DHCP Socket Task: Jan 28 23:05:03.888: 00:1e:c2:c0:96:05 DHCP success event for client. Clearing dhcp failure count for interface management.
  *DHCP Socket Task: Jan 28 23:05:03.888: 00:1e:c2:c0:96:05 DHCP successfully bridged packet to STA
  *pemReceiveTask: Jan 28 23:05:03.889: 00:1e:c2:c0:96:05 Set bi-dir guest tunnel for 00:1e:c2:c0:96:05 as in Export Foreign role
  *pemReceiveTask: Jan 28 23:05:03.889: 00:1e:c2:c0:96:05 10.130.98.8 Added NPU entry of type 1, dtlFlags 0x4
  *pemReceiveTask: Jan 28 23:05:03.890: 00:1e:c2:c0:96:05 Skip Foreign / Export Foreign Client IP 10.130.98.8 plumbing in FP SCB
  *apfReceiveTask: Jan 28 23:05:18.716: 00:1e:c2:c0:96:05 Received SGT for this Client.
  *apfReceiveTask: Jan 28 23:05:18.716: 00:1e:c2:c0:96:05 Resetting web IPv4 acl from 0 to 255
  *apfReceiveTask: Jan 28 23:05:18.716: 00:1e:c2:c0:96:05 Resetting web IPv4 Flex acl from 65535 to 65535
  *apfReceiveTask: Jan 28 23:05:18.716: 00:1e:c2:c0:96:05 AAA redirect is NULL. Skipping Web-auth for Radius NAC enabled WLAN.
  *apfReceiveTask: Jan 28 23:05:18.716: 00:1e:c2:c0:96:05 apfApplyWlanPolicy: Retaining the ACL recieved in AAA attributes 255 on mobile
  *apfReceiveTask: Jan 28 23:05:18.716: 00:1e:c2:c0:96:05 apfApplyWlanPolicy: Apply WLAN Policy over PMIPv6 Client Mobility Type
  *apfReceiveTask: Jan 28 23:05:18.716: 00:1e:c2:c0:96:05 Inserting AAA Override struct for mobile
  MAC: 00:1e:c2:c0:96:05, source 2
  *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 Setting session timeout 3600 on mobile 00:1e:c2:c0:96:05
  *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 Session Timeout is 3600 - starting session timer for the mobile
  *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 Applying cached RADIUS Override values for mobile 00:1e:c2:c0:96:05 (caller pem_api.c:2307)
  *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 Setting session timeout 3600 on mobile 00:1e:c2:c0:96:05
  *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 Session Timeout is 3600 - starting session timer for the mobile
  *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Applied RADIUS override policy
  *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Replacing Fast Path rule
    type = Airespace AP Client
    on AP 0c:d9:96:ba:7d:20, slot 1, interface = 13, QOS = 0
    IPv4 ACL ID = 255, IPv6 ACL ID
  *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 15206  Local Bridging Vlan = 84, Local Bridging intf id = 0
  *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Successfully plumbed mobile rule (IPv4 ACL ID 255, IPv6 ACL ID 255, L2 ACL ID 255)
  *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 Not Using WMM Compliance code qosCap 00
  *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Plumbed mobile LWAPP rule on AP 0c:d9:96:ba:7d:20 vapId 1 apVapId 1 flex-acl-name:
  *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Change state to RUN (20) last state RUN (20)
  *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 apfMsAssoStateInc
  *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 apfPemAddUser2 (apf_policy.c:333) Changing state for mobile 00:1e:c2:c0:96:05 on AP 0c:d9:96:ba:7d:20 from AAA Pending to Associated
  *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 apfPemAddUser2:session timeout forstation 00:1e:c2:c0:96:05 - Session Tout 3600, apfMsTimeOut '1800' and sessionTimerRunning flag is  1
  *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 Scheduling deletion of Mobile Station:  (callerId: 49) in 3600 seconds
  *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 Func: apfPemAddUser2, Ms Timeout = 1800, Session Timeout = 3600
  *apfReceiveTask: Jan 28 23:05:18.718: 00:1e:c2:c0:96:05 Sending Assoc Response to station on BSSID 0c:d9:96:ba:7d:2f (status 0) ApVapId 1 Slot 1
  *apfReceiveTask: Jan 28 23:05:18.718: 00:1e:c2:c0:96:05 apfProcessRadiusAssocResp (apf_80211.c:3066) Changing state for mobile 00:1e:c2:c0:96:05 on AP 0c:d9:96:ba:7d:20 from Associated to Associated
  *pemReceiveTask: Jan 28 23:05:18.720: 00:1e:c2:c0:96:05 Set bi-dir guest tunnel for 00:1e:c2:c0:96:05 as in Export Foreign role
  *pemReceiveTask: Jan 28 23:05:18.720: 00:1e:c2:c0:96:05 10.130.98.8 Added NPU entry of type 1, dtlFlags 0x4

• Unable to view external webcam content.  I'm using IE11 with Windows 7 64 bit.  I've tried deactivating Activex control, tried different browsers etc, tweeked the tools for trusted sites etc, but am totally stuck. I know the cams are working as i can view

  Unable to view external webcam content.  I'm using IE11 with Windows 7 64 bit.  I've tried deactivating Activex control, tried different browsers etc, tweeked the tools for trusted sites etc, but am totally stuck. I know the cams are working as i can view them on mobile phone via puffin browser.  I can play Youtube videos etc just fine. So why not the webcam?

  First, confirm that ActiveX Filtering is configured to allow Flash content:
  https://forums.adobe.com/thread/867968
  Internet Explorer 11 introduces a number of changes both to how the browser identifies itself to remote web servers, and to how it processes JavaScript intended to target behaviors specific to Internet Explorer. Unfortunately, this means that content on some sites will be broken until the content provider changes their site to conform to the new development approach required by modern versions of IE.
  You can try to work around these issues by using Compatibility View:
  http://windows.microsoft.com/en-us/internet-explorer/use-compatibility-view#ie=ie-11
  If that is too inconvenient, using Google Chrome may be a preferable alternative.

• Have any companies setup  a domain with cluster using  BEA platform8.1 sp2?

  Hi, everyone,
  Do you know who has setup a domain with cluster in production using BEA platform8.1 sp2. That is, the customer uses portal and integration in the same managed server, and uses the cluster technique.
  I want to know whether there was a successful case or not till now. If possible, please send me some information about it. My account is [email protected], or [email protected]
  Thank you very much.
  Loen xie

  Hi, everyone,
  Do you know who has setup a domain with cluster in production using BEA platform8.1 sp2. That is, the customer uses portal and integration in the same managed server, and uses the cluster technique.
  I want to know whether there was a successful case or not till now. If possible, please send me some information about it. My account is [email protected], or [email protected].
  Thank you very much.
  Loen xie

• Send Email using Second Domain with ActiveSync

  Hello Apple Support!
  Could you please help, we using 2x domains for our mail exchange environment.
  1 domain is set as primary SMTP for mailbox, mailbox connected to Iphone with ActiveSync,
  We have created possibility to send as using second domain with Distribution list in Microsoft Outlook.
  Is it possible to get option on Iphone to Send As from another email address (second domain) with ActiveSync?
  Thank you!
  Best regards,
  Oscar

  Hello, Apple Support!
  Probably it is not possible, if not, can you please confirm.
  Thank you!
  Best regards,
  Oscar

• Using my own domain with iCloud email

  I've had my own domain and email address for over a decade, and it's lasted me through a number of providers. Is there any reasonable way to use it with iCloud? It seems like iCloud is tied to a new .me email address, and it's not like I'm going to change my everyday email address to use it.
  —Andreas

  Hi,
  I have found away that I think may help you.
  Background as to why I use it. I have a @me.com address and Gmail but my contacts only know my Gmail account but I wanted to use cloud email so it would sync properly across all my devices, MBP, iPad and iPhone and also have the push email that the previous Mobile Me had and iCloud has now
  So what I have done on my MBP is this. I use Mail.
  You need to go into system preferences and select iCloud...in here turn off Mail and Notes.
  Now open Mail and select preferences. Then select accounts. Delete all accounts there.
  Now set up a new account by pressing the + button. After that enter the details as if you were setting up to use your Me.com account and press CREATE.
  You now go to a page where you can edit all your mail settings manually. In the first section of the page you have:
  Account Type - This should say -  iCloud IMAP
  Description - This can be described by you to be anything
  Email Address - This is the email address you want people recieving the email to see
  Full Name - As it says put your name
  Incoming Mail Server - If you want the mails to come from iCloud then use: p99-imap.mail.me.com
  User Name: The user name of the icloud
  Password: the password of icloud
  **Note** In this section you are putting in where you want the mails to come from. In this case I wanted the mails to come from iCloud so I forwarded all my mails from my Gmail account to my @me.com address, and then got iCloud to deliver them.
  Outgoing Mail Server: Now this is the interesting part. I have changed this to the GMAIL server on my Gmail account. I have done this as I want my mails saved also at my Gmail account so by routing them through Gmail this happens as well as recording the sent mails at iCloud.
  On iPhone and iPad you just add iCloud and then turn off mail again. Now you set up a mail account using the other option.
  1. IMAP Account Information - In here i put the information that i want my contacts to see
  2. Incoming Mail Server - I put the iCloud information
  3. Outgoing Mail Server - I put the Gmail server
  So in short now, i get complete syncing of my mails across my 3 iDevices and have the extra back up of iCloud, but my clients do not see my @me.com (iCloud) email address, they see my Gmail address that I have been using for many years so there is no confusion for them.
  I really hope you get all of that, this is the first time I have helped on here so am very much a newbie but it seems to be working for me.
  James
  MBP - 2009
  iPhone 4 - 2010
  iPad 2 - 2011

• Domain/Forest trust - is it being used?

  Is there an easy way to tell whether a trust is actively being used? We have some old trusts that we'd like to remove but we want to see if anything is actively authenticating across the trust.
  How can I do this?
  TIA!

  > Is there an easy way to tell whether a trust is actively being used?
  You could monitor TGS creation on your Domain Controllers. If your DC
  issues TGS tickets for users from other domains, the trust is used.
  Greetings/Grüße,
  Martin
  Mal ein
  gutes Buch über GPOs lesen?
  Good or bad GPOs? - my blog…
  And if IT bothers me -
  coke bottle design refreshment (-:

• Migrating multiple domains with same name - how? Rename? Migrate through temporary domain?

  Hi,
  we have acquired another company, and they have multiple, separate domains with the same name (every site has a domain with NetBIOS name "COMPANY" and DNS name "company.local"). Now we want to migrate all these domains into ours using
  ADMT.
  Unfortunately, we did not manage to migrate one of these domains completely, so the trust must remain established for some time. But we have to continue with the second domain - which normally would require a trust, but of course we can't establish a trust
  to two domains with the same name at the same time.
  I found two potential solutions for the dilemma, but I'm not sure if both are reasonable:
  1) Rename the domain with RENDOM.EXE to COMPANY2 and company2.local and then migrate with ADMT
  2) Migrate COMPANY to a temporary domain such as COMPANYTEMP and then migrate from COMPANYTEMP to our domain
  Given that there are roughly 100 users, 2 domain controllers and 8 other servers, what would be the better approach? Is option 2 possible at all, so would I be able to use the sidHistory attribute migrated from the original COMPANY domain in our domain at
  all?
  There is also an Exchange 2007 server, which seems to make option 1 impossible unless we find another way to migrate it (like, export all mailboxes to PST before migration) ...

  Ok, that's what I expected. Still, I have servers in the old domain, so if I do these steps:
  first create a new temporary domain i.e COMPANYTEMP and
  create trust between COMPANYTEMP -
  COMPANY(Right)
  then do the migration with sidHistory from COMPANY(right) --> COMPANYTEMP ,
  disconnect the domain COMPANY(right) ,
  users will lose connectivity to any servers in the domain. I understand that it does not work with all domains connected? Of course I can't make OURCOMPANY's domain controllers see the DCs of COMPANY (right) in DNS (though I could achieve it the other way
  round).
  My original plan was:
  first create a new temporary domain i.e COMPANYTEMP and
  create trust between COMPANYTEMP -
  COMPANY(Right)
  then do the migration with sidHistory from COMPANY(right) --> COMPANYTEMP ,
  create trust between OURDOMAIN and COMPANYTEMP
  then do the migration with sidHistory from
  COMPANYTEMP --> OURDOMAIN,
  Migrate users
  Migrate computers
  Migrate servers
  remove trusts and old domain
  But I see that this will not work out, right? So, my only option would be:
  first create a new temporary domain i.e COMPANYTEMP and
  create trust between COMPANYTEMP -
  COMPANY(Right)
  then do the migration with sidHistory from COMPANY(right) --> COMPANYTEMP ,
  Migrate computers and servers to COMPANYTEMP
  Install new Exchange server in COMPANYTEMP
  migrate mailboxes to COMPANYTEMP
  disconnect / abandon COMPANY(right)
  create trust between OURDOMAIN and COMPANYTEMP
  then do the migration with sidHistory from COMPANYTEMP
  --> OURDOMAIN,
  Migrate users
  Migrate computers
  Migrate servers
  Migrate mailboxes
  remove trusts and old domain
  And to minimize user impact, all this would have to be done in one go (over night), which is hardly possible .........................

• Using XA with Oracle ERP application

  Hi,
  We have two Tuxedo Domains that we need to establish global transaction:
  First Domain - Tuxedo 6.4 with Oracle 8.0.6 database.
  Second Domain - Tuxedo 6.4 with Oracle ERP application (Oracel version 8.0.5)
  A Client that calls a Tuxedo server in the first domain this service doing some work
  on the database and then calls another service in the second domain (using Domain
  connection).
  The service in the second Domain activate a Oracle API (package) from the ERP application.
  The Rollback works but we problem with the commit. We recieve the following Oracle
  Error - ORA-06574: Function "VIEW_ALL" references package state can not execute remotly.
  Revital Bloom
  [email protected]

  Subbu,
  As I mentioned earlier in this thread, support for Oracle RAC has been
  implemented in Tuxedo 9.1 and in the Tuxedo 8.1 and Tuxedo 9.0 rolling patch
  streams. There are no plans to backport this feature to Tuxedo 8.0. If you
  plan to use RAC transactionally and if it is possible for multiple services
  that could be located on different RAC instances to be accessed in a single
  transaction (which will be true for most applications), then you should
  upgrade to a version of Tuxedo with support for Oracle RAC. The
  documentation at http://e-docs.bea.com/tuxedo/tux91/ads/adorac.htm#248431
  gives an overview of RAC support in Tuxedo.
  Ed
  <Subramonian Arumugom> wrote in message news:[email protected]..
  Hello Nadeer, Hello Ed,
  Has the implementation of Tuxedo8.0 with Oracle RAC was completed
  successfully ?.
  If it is done , I have few doubts. Could you please help me ?.
  1) I hope your Tuxedo middleware connects to the oracle Database using
  Oracle XA resource manager and the TMS server built using buildtms with
  oracle as RM .As per the mail from Ed, migration of Tuxedo9.1 should be done
  before moving to Oracle RAC.
  Also from BEA documentation, Oracle RAC support was given as new feature in
  Tuxedo9.1.
  Our Application uses Oracle RM to connect to Oracle DB[ Oracle 10g] from
  Tuxedo8.0. So do we need to upgrade to Tuxedo9.1. for using Oracle RAC ?.
  Thanks for your help
  Best Regards
  Subbu
  #9880278452
  Edited by subramonian.a at 04/16/2007 12:15 AM
  Edited by subramonian.a at 04/16/2007 12:19 AM
  Edited by subramonian.a at 04/16/2007 1:37 AM
  Edited by subramonian.a at 04/16/2007 8:20 AM

• [WLC - CWA] [ISE] Wlan Portal with Local Switiching

  Description: Guest Portal ISE (WLAN) in a Flexconnect local switching enviorment.
  Problem: The communication stops everytime we turn on the feature Radius NAC on the WLC.
  We are trying to use Central WebAuth in a Flexconnect environment and with so the procedure that we are using it´s the one that´s available in the cisco DOCS ( http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/116087-configure-cwa-wlc-ise-00.html ) but there´s something occuring in my setup. I´ve configured step by step the WLC and ISE in accordance with previous DOC but I can´t establish communication everytime I turn on the feature RADIUS NAC in the WLC.
  All the ACL´s were configured, I can see the ISE policy beeing sent to the client but when the PC tries to establish the connection to him nothing leaves the PC ( a simple ping was done ). I´ve tried a bunch of setups to see if it was a misconfiguration or something else but at the end , everytime I trun on the NAC feature the final client looses all the comms to anywere.
  You can see in the following attachment the setup of WLC, and AP with flexconnect groups (I´ve also tried without a group but the final result was the same)
  We are using a WLC 5500 with 7.6.120.0 ( http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-6/configuration-guide/b_cg76.html ) and the only thing I can foun is a simple note stating,
  "Flex local switching with Radius NAC support is added in Release 7.2.110.0. It is not supported in 7.0 Releases and 7.2 Releases. Downgrading 7.2.110.0 and later releases to either 7.2 or 7.0 releases will require you to reconfigure the WLAN for Radius NAC feature to work."
  In the Flexconnect Feature Matrix the RADIUS NAC is supported in a local switching enviorment ( http://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/112042-technote-product-00.html?referring_site=RE&pos=3&page=http://www.cisco.com/c/en/us/support/docs/wireless/flex-7500-series-wireless-controllers/113605-ewa-flex-guide-00.html) but what  we´ve found out so far it´s  the other way around.
  Another thing that we´ve found is that in the version 7.4 configuration guide ( http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-4/configuration/guides/consolidated/b_cg74_CONSOLIDATED/b_cg74_CONSOLIDATED_chapter_0110100.html#ID2372 ) cisco says that the "FlexConnect local switching is not supported."
  So, after seeing several docs my question is: Does Cisco support Radius NAC in a local switching environment ?

  Viten,
  tnx for the quick reply but,
  a) what do you mean by webauth ( http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/116087-configure-cwa-wlc-ise-00.html) ?
  b) When I say comms stop is that I´m simple using ping as a test to see what happens in the client.Whenever I activate the radius feature the final client (laptop) ceases all comms in a local switching environment.
  BR,
  DS

• Domains and Trust

  So I got in this morning to start working with AD (prep for the move to Office365) tried to launch domains and trust and I receive the following error: "The configuration information describing this enterprise is not available. The target principal name is incorrect. I believe the secure connection is broken. At present, I cannot log on to the PDC emulator. I have 3 DC in total and its the PDC that's giving me problems. I believe this is stemming from a Kerberos error event id 5. Authentication against the PDC is still good however I cannot do anything with domains and trust.
  I have read several posts about stopping KDC and resetting the password but I cannot gain access to the PDC. 
  This topic first appeared in the Spiceworks Community

  Also what's the operation system of the affected servers in those two domains?
  And what's the error message?
  Whatever, it seems like a cross domain sharing issue and admin share is involved.
  Please first see if this is the cause:
  Error message when you try to access an administrative share on a Windows Vista-based computer from another Windows Vista-based computer that is a member of a workgroup: "Logon unsuccessful: Windows is unable to log you on"
  http://support.microsoft.com/kb/947232
  Please check if local account is actually using when accessing the admin share. Try with different domain account to see the result. Make sure the account does have permission to access.
  If you have any feedback on our support, please send to [email protected]

• MOBI SSO with trusted authentication and form based authentication

  Dear All,
  I am trying to configure Trusted authentication based SSO FOR MOBI, here are the details:
  - SAP BI 4.1 SP04
  - Trusted authentication with HTTP header configurred for BI Launchpad and working fine.
  Now to have SSO from Mobile, I plan to leverage the existing configuration of BI Launchpad and at Mobile level, I want to use authentication type as TRUSTED_AUTH_FORM, instead of TRUSTED_AUTH_BASIC, with the approach: Trusted authentication with HTTP header.
  And
  Provide our app users their X502 certs.
  1. Will the above approach work ??
  2. As per SAP NOTE: 2038165 - SSO using form based trusted auth gives with the SAP BI app for iOS gives error MOB00920 this does not work and is still under investigation from July last year ? So for any community member, has this been found working ??
  I would appreciate your valuable inputs.
  Regards,
  Sarvjot Singh

  Hi,
  According to your post, my understanding is that you want to know the difference of the SharePoint three type user authentications.
  Windows claims-based authentication uses your existing Windows authentication provider (Active Directory Domain Services [AD DS]) to validate the credentials of connecting clients. Use this authentication to allow AD DS-based accounts access to SharePoint
  resources. Authentication methods include NTLM, Kerberos, and Basic.
  Forms-based authentication can be used against credentials that are stored in an authentication provider that is available through the ASP.NET interface
  SAML token-based authentication in SharePoint 2013 requires coordination with administrators of a claims-based environment, whether it is your own internal environment or a partner environment.
  There is a good article contains all the SharePoint Authentications, including how they work and how to configure.
  http://sp77.blogspot.com/2014/02/authentication-in-sharepoint-2013_5.html#.VFcyQ_mUfkJ
  Thanks & Regards,
  Jason
  Jason Guo
  TechNet Community Support

• Unable to edit document using "Edit with Word" option

  Hi All,
  i am having an issue with Office web apps. i am using SharePoint 2013 and Office web apps 2013. all the configurations have been done successfully. but i have a different kind of issue.
  i am able to open documents in browser
  i am able to edit document using " edit with word/excel web" option
  but i am unable to edit document using "edit with word/excel" option
  i have Office 2010 installed on my local machine.
  do we need to have MS office of 2013 version? or is there anything missing from configuration part.
  Please help me.
  Thank You,
  Bhaskar.

  Hi,
  According to your post, my understanding is that you could not use the "edit with word/excel" option.
  I had tested the issue with the Office 2010, the option worked well.
  You don’t need to install the Office 2013 to use this option.
  What did you mean “but i am unable to edit document using "edit with word/excel" option
  Did you mean the option gray out? Did the issue occur in other browsers?
  You can use compatibility mode to check whether it works.
  Open IE->Tools->Compatibility View Settings
  You can also add the site into Trusted sites.
  Open the IE->Internet Options->Security->Sites->add the site into the Websites, then check whether it works.
  What's more, you can also use other browsers to check whether it works, such as Firefox, Chrome.
  Thanks & Regards,
  Jason
  Jason Guo
  TechNet Community Support