ISE won't match configured profiling policy

I'm trying to match Cisco LAPs (any kind of) using profiling in my AuthZ policies, yet the specific AP (a 1252 model) always gets profiled as 'Cisco-Aironet-AP-1250' instead of the desired, more generic 'Cisco-AIR-LAP' policy. To change this behaviour, I've tried to work with a simple match ('LLDP:lldpSystemDescription CONTAINS K9W8') and give this policy a high certainty factor of 150, yet it doesn't work.
How can I force any kind of LAP (that must not contain any autonomous AP) to get profiled in a generic LAP policy which I can use in an AuthZ policy?
I'm using ISE 1.2, patch 6.
Thanks, Toni

Hi, thanks for your reply. That's almost a winner...meanwhile, I escalated this to TAC. Basically, attribute value "cisco AIR-LAP" would do, but there's a bug that needs to be considered with ISE 1.2, patch 6:
https://tools.cisco.com/bugsearch/bug/CSCuo78457

Similar Messages

  • Configuring group policy for user profiles in Windows Server 2012 R2 Domain

    Requesting some experts' advice on configuring group policy for user profiles.
    We will be building new Windows Server 2012 R2 Domain Controllers (Domain of 400 users).
    The settings which I am concerned about:
    1. Folder Redirection: Desktop, Documents, Favorites.
    2. Quota for Folder Redirection - 1 GB per user.
    3. Map a networked drive - 1 GB per user.
    4. Roaming profile - (Will ignore if it does not suit our requirement). 
    The question is how the Outlook profile will be retained / automatically moved if the users move from one computer to another?
    FYI, e-mails are hosted on MS Office 365 and the OST file size of a few users is more than 25 GB. So, in case a user moves from one computer to another, the entire mailbox will be downloaded via the internet. This consumes high bandwidth if more than 3-4 users shift per day.
    Thanks a lot for your valuable time and efforts.

    Hi,
    >>The question is how the Outlook profile will be retained / automatically moved if the users move from one computer to another?
    This depends on where our Outlook data files are stored. If these data files are stored under
    drive:\Users\<username>\AppData\Local, then these files can't be redirected, for folder redirection can't redirect AppData\Local or AppData\LocalLow.
    However, regarding your question, we can refer to the following thread to find the solution.
    Roam outlook profiles without roaming profiles
    http://social.technet.microsoft.com/Forums/office/en-US/3908b8e0-8f44-4a34-8eb5-5a024df3463e/roam-outlook-profiles-without-roaming-profiles
    In addition, regarding how to configure folder redirection, the following article can be referred to for more information.
    Configuring Folder Redirection
    http://technet.microsoft.com/library/cc786749.aspx
    Hope it helps.
    Best regards,
    Frank Shen

  • Configuration Profile for Apple Devices with ISE

    Hi,
    Is there any possibility to put configuration profiles on Apple devices with the ISE? I need to disable the data roaming function in foreign countries for iPads.
    Best regards
    Felix

    Nice. The only trouble is there seem to be multiple entries for the same MAC address there for the same resource ID.
    So when I try to get them as a substring I get multiple copies of the same MAC address.
    But it looks like this will work as a solution to this problem.
    So far I was doing it this way (and I am sure there is a clearer way to do it):
    SUBSTRING((SELECT ',' + CAST(t2.MACAddress0 AS VARCHAR(40))
               FROM (SELECT DISTINCT ResourceID, MACAddress0 FROM v_GS_NETWORK_ADAPTER) t2
               -- the unqualified ResourceID on the right resolves to t2 itself (always true) unless it is qualified with the outer query's alias
               WHERE t2.ResourceID = ResourceID
               ORDER BY t2.ResourceID, t2.MACAddress0
               FOR XML PATH ('')
              ), 2, 100) [MACAddresses]

  • ISE profiling policy

    Hi forummers,
    I would like to ask if I can create a profiling policy in order to reduce the overall load generated from the policy service node.
    Example:
    Workstation
    - unique attributes : MAC address
    - probe used        : RADIUS
    - collection method : RADIUS authentication
    Apple iPhone
    - unique attributes : OUI
    - probe used        : RADIUS
    - collection method : RADIUS authentication
    Thanks
    Noel

    Noel,
    Can you please describe how you want to reduce the load on the policy service node? To create a profiling policy for workstations the MAC address should work; however, for the Apple iPhones you will need more than just the Apple OUI, since the MacBook, iPads and iMacs all share the OUI for Apple. You will need to use the HTTP user agent string to detect this as well as the OUI, and that is done by setting a default rule to the redirect page so this can happen.
    Let me know if this is what you are looking for.
    Thanks,
    Tarik Admani

  • Configuration profile won't install

    Dear all,
    I am trying to install a new Exchange configuration profile using Safari to be able to synchronize my iPod with my company's email and agenda (Lotus Traveler). The configuration profile is downloaded by Safari but the "Install profile" screen doesn't show up as it should. I'm stuck on a web page with an empty square (representing a file, I guess) and the name of the configuration file below. If I click on the file, nothing happens.
    This has happened since I installed the application called "Files Lite" to be able to store all kinds of documents on my iPod touch. At first, I was prompted to open the configuration profile with "Files Lite", which I didn't want. So I uninstalled "Files Lite", but now I can't even open the configuration file. I guess Files Lite didn't clean up everything.
    Did anybody experience this kind of problem? Do you have any suggestion?
    Thanks

    "Files Lite"'s support team says it's something they had not planned for in their software. A new version should be published soon on iTunes solving this issue.
    I personally found a workaround by uninstalling "Files Lite" PLUS another piece of software, "FileMap", which was in fact the origin of my problems! Once all these file handlers were uninstalled, I could install the configuration profile without any problem.

  • Cisco ISE Profiling Policy

    If an endpoint matches multiple Profiling Policies and each one of the Profiling Policies creates a new and unique Identity Group, which Identity Group will the endpoint be profiled into? My understanding is that an endpoint can only be profiled into a unique Identity Group. Another way of wording the question is, are the Profiling Policies matched top down or some other way? Thanks in advance.

    No problem Graham. To answer your second question: the attributes that are collected first that trigger a profiling rule would be used first. For instance, let's say that you have a profiling rule with CF of 100 that is looking for a DHCP class identifier of XYZ and then a second profiling rule with CF of 100 that is looking for the MAC OUI of ABC. In this situation, the second rule would be hit first since the MAC information is collected before the DHCP info is. As a result, the device will be profiled and placed in the endpoint group associated with the second profiling rule until/unless additional attributes are collected that would match a different profiling rule with CF > 100.
    I hope this makes sense
    Thank you for rating helpful posts!
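The evaluation order the answer describes (attribute collected first wins between two CF-100 rules, a later attribute only re-profiles when a policy scores strictly higher), together with the CF-150 LLDP rule from the opening question of this page, as an added example. This is a simplified model written for this page, not code from the thread or from Cisco ISE; the policy names, placeholder attribute values and the MAC address are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Condition:
    attribute: str    # attribute name as ISE shows it, e.g. "LLDP:lldpSystemDescription"
    operator: str     # "EQUALS" or "CONTAINS"
    value: str
    certainty: int    # certainty this condition contributes when it matches

    def matches(self, attrs: Dict[str, str]) -> bool:
        observed = attrs.get(self.attribute)
        if observed is None:
            return False
        if self.operator == "EQUALS":
            return observed == self.value
        if self.operator == "CONTAINS":
            return self.value in observed
        raise ValueError(f"unsupported operator {self.operator!r}")


@dataclass(frozen=True)
class Policy:
    name: str
    min_certainty: int                  # the policy's minimum certainty factor (CF)
    conditions: Tuple[Condition, ...]

    def score(self, attrs: Dict[str, str]) -> int:
        return sum(c.certainty for c in self.conditions if c.matches(attrs))


class Endpoint:
    def __init__(self, mac: str) -> None:
        self.mac = mac
        self.attrs: Dict[str, str] = {}
        self.policy: Optional[str] = None
        self.certainty = 0

    def collect(self, attribute: str, value: str, policies: List[Policy]) -> Optional[str]:
        """Record a newly collected attribute, then re-evaluate every policy.

        A policy is eligible once its score reaches its minimum CF; the endpoint moves to it
        only if that score beats the current certainty. Ties keep the earlier assignment,
        which is why the attribute collected first wins between two CF-100 rules.
        """
        self.attrs[attribute] = value
        best: Optional[Tuple[int, Policy]] = None
        for policy in policies:
            s = policy.score(self.attrs)
            if s >= policy.min_certainty and (best is None or s > best[0]):
                best = (s, policy)
        if best is not None and best[0] > self.certainty:
            self.certainty, self.policy = best[0], best[1].name
        return self.policy


# Policies from the thread: the two CF-100 rules of the answer (placeholder values XYZ and ABC
# as in the post) and the CF-150 LLDP rule from the opening question of this page.
POLICIES = [
    Policy("DHCP-XYZ", 100, (Condition("DHCP:dhcp-class-identifier", "EQUALS", "XYZ", 100),)),
    Policy("OUI-ABC", 100, (Condition("OUI", "EQUALS", "ABC", 100),)),
    Policy("Cisco-AIR-LAP", 150, (Condition("LLDP:lldpSystemDescription", "CONTAINS", "K9W8", 150),)),
]


def run_scenario() -> List[Optional[str]]:
    """Replay the collection order the answer describes: RADIUS (MAC/OUI) first, DHCP later,
    then LLDP. Returns the assigned policy after each step."""
    ep = Endpoint("00:11:22:33:44:55")  # constructed MAC, not from the thread
    steps = [
        ("OUI", "ABC"),                          # learned from the RADIUS request
        ("DHCP:dhcp-class-identifier", "XYZ"),   # learned later from the DHCP probe
        ("LLDP:lldpSystemDescription", "Cisco IOS Software, C1250 Software (C1250-K9W8-M)"),  # constructed
    ]
    return [ep.collect(attr, val, POLICIES) for attr, val in steps]


if __name__ == "__main__":
    for step, assigned in zip(("after OUI", "after DHCP", "after LLDP"), run_scenario()):
        print(f"{step}: {assigned}")
```

Reversing the first two steps (DHCP before OUI) assigns DHCP-XYZ instead and the later OUI match does not displace it, which is the order dependence the answer points out.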

  • How to configure Profile Manager in Mavericks when DNS is externally managed?

    Are there any guides to configuring Profile Manager as a MDM?
    Here is my story.
    Recently installed a Mac mini at a school where the DNS is externally managed by the Education department's IT group. Upgraded to Mavericks and installed the Server app. Configured Profile Manager to the point where we could generate a trust profile and enrolment profile. Doesn't work because there is no DNS entry for the Mac mini server. Created an entry but needed to change host name, computer name and local machine name to match the entry. Suddenly Profile Manager not working at all. Deleted the Server app and its configuration file in ~/Library/. Reinstalled. Now Profile Manager won't even activate. Spoke to Apple on the phone, ran various commands to reinitialise Open Directory and reset Profile Manager. To no avail. Apple say to reinstall Mavericks and Server and try again.
    The funny thing is I got Profile Manager to work as an MDM in a test environment, but changing DNS after doing so much configuration seems to have made a real mess of things. Vowing to make a Time Machine backup as soon as Mavericks re-installs.
    Does anyone know of any guides other than the one on krypted.com, which appears to be for the previous version of Profile Manager?
    Stom

    In general, either your OS X Server box has a DNS translation for its address, or it doesn't. 
    If you don't have valid DNS, you will have problems with various services, as DNS is fundamental to distributed authentication and encryption, among other uses. 
    OS X Server doesn't recover well from installations that start off with DNS errors, and the wipe and reinstallation suggested by Apple is usually easier than resolving the various issues that tend to arise within the configurations of the various services.
    If your server doesn't have a valid DNS translation, then either add the DNS translation into your organization's local DNS environment, or work to retrain or replace the folks that are unwilling or unable to administer and to properly maintain local DNS services, or (far less desirably) configure and start your own parallel DNS services.  There are other options, of course. 
    I'd escalate this discussion to management, and let them sort this out — at its core, this very likely isn't a technical issue.

  • How to push EAP-TLS configuration profiles and certificates to MacBooks and iPhones

    Hi Team,
    We were able to push the EAP-TLS configuration profiles and certificates to Windows devices via group policy. However, we're now looking to see how we can accomplish this for MacBooks and iPhones. Is there an open source application or something we can leverage to do this?
    Thanks

    I think ammahend was looking for a rough count which is what my question was going to be. The reason I would ask this is that if the device count is low then you could manually provision certs on those devices. Not ideal since you will have to manually generate CSRs, get them signed and then installed on the machines.
    Another way to do this is if you have an MDM solution in place. You can have the MDM integrate with your CA via SCEP and then on-board devices that way. You don't have to integrate ISE with MDM (advanced licenses needed) as you can only have ISE check for the cert and only perform EAP-TLS authentications. 
    Hope this helps!
    Thank you for rating helpful posts! 

  • Error while deploying configuration profile

    Hi, I'm using an iPhone 4 (4.3.5, GSM) and trying to deploy a configuration profile.
    The configuration profile has a VPN (custom SSL) defined with certificates: server and client certs.
    I press install in iPhone Configuration Utility.
    The iPhone suggests that I install the profile.
    I can't find anything anywhere about this issue:
    When I press install and get a log (iPhone Configuration Utility -> console):
    Oct 11 09:58:50 unknown mc_mobile_tunnel[180] <Warning>: MC|mc_mobile_tunnel starting.
    Oct 11 09:58:50 unknown profiled[171] <Warning>: MC|Profile vvj.develbureau.ru queued for installation.
    Oct 11 09:58:50 unknown mc_mobile_tunnel[180] <Warning>: MC|mc_mobile_tunnel shutting down.
    Oct 11 09:59:04 unknown profiled[171] <Warning>: MC|Beginning profile installation...
    Oct 11 09:59:09 unknown profiled[171] <Warning>: MC|VPN: couldn't create vpn interface
    Oct 11 09:59:09 unknown Preferences[81] <Warning>: -[VPNConnectionStore reloadVPN]: The active VPN configuration has changed from  to (null)
    Oct 11 09:59:09 unknown profiled[171] <Warning>: MC|Rolling back installation of profile *********************...
    Oct 11 09:59:09 unknown profiled[171] <Warning>: MC|Installation of profile ************************ failed with error: NSError 0x1f5a3ef0:
    Desc   :     vvj.
    Sugg   :     VPN VPN (vvj-custom-ssl).
    US Desc: The profile vvj could not be installed.
    US Sugg: The VPN service VPN (vvj-custom-ssl) could not be installed.
    Domain : MCProfileErrorDomain
    Code   : 1009
    Type   : MCFatalError
    Params : (
    vvj
    ...Underlying error:
    NSError 0x1f5a3b00:
    Desc   :     VPN VPN (vvj-custom-ssl).
    US Desc: The VPN service VPN (vvj-custom-ssl) could not be installed.
    Domain : MCVPNErrorDomain
    Code   : 15000
    Type   : MCFatalError
    Params : (
    "VPN (vvj-custom-ssl)"
    Oct 11 09:59:09 unknown profiled[171] <Warning>: MC|Profile ************** failed to install with error: NSError 0x1f5a42a0:
    Desc   :
    Sugg   :     vvj.
    US Desc: Profile Failed to Install
    US Sugg: The profile vvj could not be installed.
    Domain : MCInstallationErrorDomain
    Code   : 4001
    Type   : MCFatalError
    ...Underlying error:
    NSError 0x1f5a3ef0:
    Desc   :     vvj.
    Sugg   :     VPN VPN (vvj-custom-ssl).
    US Desc: The profile vvj could not be installed.
    US Sugg: The VPN service VPN (vvj-custom-ssl) could not be installed.
    Domain : MCProfileErrorDomain
    Code   : 1009
    Type : MCFatalError
    Params : (
    vvj
    ...Underlying error:
    NSError 0x1f5a3b00:
    Desc   :     VPN VPN (vvj-custom-ssl).
    US Desc: The VPN service VPN (vvj-custom-ssl) could not be installed.
    Domain : MCVPNErrorDomain
    Code   : 15000
    Type   : MCFatalError
    Params : (
    "VPN (vvj-custom-ssl)"
    Oct 11 09:59:09 unknown profiled[171] <Warning>: MC|Removing certificate with persistent ID 63657274000000000000000b
    Oct 11 09:59:09 unknown profiled[171] <Warning>: MC|Removing certificate with persistent ID 63657274000000000000000c
    Oct 11 09:59:10 unknown Preferences[81] <Warning>: -[VPNBundleController _vpnConfigurationChanged:] (0x1f5bef80:<VPNBundleController: 0x1f5bef80>): _serviceCount(0), serviceCount(0), toggleInRootMenu(0), RootMenuItem(1)
    Oct 11 10:00:09 unknown SpringBoard[71] <Notice>: MultitouchHID(1cd1d100) uilock state: 0 -> 1
    Oct 11 10:00:09 unknown com.apple.SpringBoard[71] <Notice>: CoreAnimation: timed out fence 500
    Oct 11 10:00:10 unknown profiled[171] <Warning>: profiled|Idled.
    Oct 11 10:00:10 unknown profiled[171] <Warning>: profiled|Service stopping.
    Oct 11 10:00:10 unknown com.apple.SpringBoard[71] <Notice>: CoreAnimation: timed out fence 500
    Oct 11 10:00:36 unknown CommCenter[32] <Notice>: No more assertions for PDP context 0.  Returning it back to normal.
    Oct 11 10:00:36 unknown CommCenter[32] <Notice>: Scheduling PDP tear down timer for (340005936.512346) (current time == 340005636.512355)
    Oct 11 10:02:36 unknown SCHelper[80] <Notice>: active (but IDLE) sessions
    Oct 11 10:02:36 unknown SCHelper[80] <Notice>:   0x1cd54b90 {port = 0x404f, caller = Preferences(81):MobileVPN, path = /Library/Preferences/SystemConfiguration/preferences.plist}
    Oct 11 10:02:36 unknown SCHelper[80] <Notice>:   0x1cd54040 {port = 0x380f, caller = Preferences(81):com.apple.settings.wi-fi, path = /Library/Preferences/SystemConfiguration/preferences.plist}
    Oct 11 10:02:36 unknown SCHelper[80] <Notice>:   0x1cd50030 {port = 0x1e07, caller = SpringBoard(71):com.apple.preferences, path = /Library/Preferences/SystemConfiguration/preferences.plist}
    Oct 11 10:04:15 unknown SpringBoard[71] <Notice>: MultitouchHID(1cd1d100) uilock state: 1 -> 0
    Oct 11 10:04:15 unknown kernel[0] <Debug>: set_crc_notification_state 0
    Oct 11 10:04:55 unknown kernel[0] <Debug>: launchd[183] Builtin profile: MobileSafari (sandbox)
    Oct 11 10:04:55 unknown MobileSafari[183] <Warning>: No search engine config file found at /var/mobile/Library/Safari/SearchEngines.plist
    Oct 11 10:04:56 unknown configd[25] <Debug>: CaptiveNetworkSupport:UIAllowedNotifyCallback:70 uiallowed: true
    Oct 11 10:04:57 unknown MobileSafari[183] <Warning>: -[UIApplication endIgnoringInteractionEvents] called without matching -beginIgnoringInteractionEvents. Ignoring.
    Oct 11 10:04:57 unknown MobileSafari[183] <Warning>: -[UIApplication endIgnoringInteractionEvents] called without matching -beginIgnoringInteractionEvents. Ignoring.
    Oct 11 10:04:57 unknown MobileSafari[183] <Warning>: -[UIApplication endIgnoringInteractionEvents] called without matching -beginIgnoringInteractionEvents. Ignoring.
    Oct 11 10:04:58 unknown MobileSafari[183] <Warning>: -[UIApplication endIgnoringInteractionEvents] called without matching -beginIgnoringInteractionEvents. Ignoring.
    Oct 11 10:05:03 unknown configd[25] <Debug>: CaptiveNetworkSupport:UIAllowedNotifyCallback:70 uiallowed: false
    Oct 11 10:06:16 unknown SpringBoard[71] <Notice>: MultitouchHID(1cd1d100) uilock state: 0 -> 1

  • Error: The decapsulated inner packet doesn't match the negotiated policy in the SA

    I upgraded my ASA from 8.2(1) to 8.4(3) as I wanted to try to get Android devices to properly connect via VPN.
    After some effort, I was able to get the Android devices to connect via VPN. However, my syslog server has a number of errors recorded that look like this:
    %ASA-4-402116: IPSEC: Received an ESP packet (SPI= 0x1E76EFA6, sequence number= 0x1F0) from x.x.x.x (user= testuser) to y.y.y.y.  The decapsulated inner packet doesn't match the negotiated policy in the SA.  The packet specifies its destination as z.z.z.z, its source as a.a.a.a, and its protocol as tcp.  The SA specifies its local proxy as y.y.y.y/255.255.255.255/udp/42246 and its remote_proxy as x.x.x.x/255.255.255.255/udp/0.
    Digging further, it seems this error might be due to NAT issues with the VPN connections. VPN previously worked with Cisco's VPN client on Windows, though I did not test to see if that is no longer working. However, I made no changes in the config, except for those related to additions needed to support L2TP. With the below config, Android clients can connect to the ASA and access the internal network, but they cannot connect to external addresses. I'm at a loss.
    The addresses used in the config: 192.168.1.0/24 are on the internal LAN and 192.168.3.0/24 are addresses assigned to VPN clients.
    I noted in the config this line:
    access-list inside_nat0_outbound extended permit ip any 192.168.3.0 255.255.255.0
    The access list is not referenced anywhere, though it was referenced in the 8.2(1) config like this:
    nat (inside) 0 access-list inside_nat0_outbound
    I'm not sure what else changed, but I've looked over the config and I just cannot see what the issue might be.  I'm hoping somebody might be able to point out my error.
    Here's the config file (at least the parts that might be of interest):
    : Saved
    ASA Version 8.4(3)
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address dhcp setroute
    boot system disk0:/asa843-k8.bin
    object network obj-192.168.3.0
    subnet 192.168.3.0 255.255.255.0
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    access-list outside_access_in extended permit icmp any interface outside time-exceeded
    access-list outside_access_in extended permit icmp any interface outside echo-reply
    access-list outside_access_in extended permit icmp any interface outside unreachable
    access-list outside_mpc extended permit ip any interface outside
    access-list inside_mpc extended permit ip 192.168.1.0 255.255.255.0 any
    access-list testVPN_splitTunnelAcl extended permit ip 192.168.1.0 255.255.255.0 any
    access-list inside_nat0_outbound extended permit ip any 192.168.3.0 255.255.255.0
    ip local pool VPN-Pool-1 192.168.3.1-192.168.3.254 mask 255.255.255.0
    ip verify reverse-path interface outside
    nat (inside,any) source static any any destination static obj-192.168.3.0 obj-192.168.3.0 no-proxy-arp
    object network obj-192.168.3.0
    nat (outside,outside) dynamic interface
    object network obj_any
    nat (inside,outside) dynamic interface
    access-group outside_access_in in interface outside
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANSP esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANSP mode transport
    crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANSP esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANSP mode transport
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 10 set ikev1 transform-set ESP-AES-128-SHA-TRANSP ESP-3DES-SHA-TRANSP
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto ikev1 enable outside
    crypto ikev1 policy 5
    authentication pre-share
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 10
    authentication pre-share
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    group-policy testVPN internal
    group-policy testVPN attributes
    wins-server value 192.168.1.8
    dns-server value 192.168.1.8 192.168.1.4
    vpn-idle-timeout none
    vpn-tunnel-protocol ikev1
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value testVPN_splitTunnelAcl
    default-domain value test.us
    group-policy testVPNnsl2tp internal
    group-policy testVPNnsl2tp attributes
    wins-server value 192.168.1.8
    dns-server value 192.168.1.8 192.168.1.4
    vpn-idle-timeout none
    vpn-tunnel-protocol l2tp-ipsec
    group-policy testVPNns internal
    group-policy testVPNns attributes
    wins-server value 192.168.1.8
    dns-server value 192.168.1.8 192.168.1.4
    vpn-idle-timeout none
    vpn-tunnel-protocol ikev1
    username testuser password PASSWORD encrypted privilege 15
    username testuser2 password PASSWORD nt-encrypted privilege 15
    tunnel-group DefaultRAGroup general-attributes
    address-pool VPN-Pool-1
    default-group-policy testVPNnsl2tp
    tunnel-group DefaultRAGroup ipsec-attributes
    ikev1 pre-shared-key *****
    tunnel-group DefaultRAGroup ppp-attributes
    authentication ms-chap-v2
    tunnel-group testVPN type remote-access
    tunnel-group testVPN general-attributes
    address-pool VPN-Pool-1
    default-group-policy testVPN
    tunnel-group testVPN ipsec-attributes
    ikev1 pre-shared-key *****
    tunnel-group testVPNns type remote-access
    tunnel-group testVPNns general-attributes
    address-pool VPN-Pool-1
    default-group-policy testVPNns
    tunnel-group testVPNns ipsec-attributes
    ikev1 pre-shared-key *****
    tunnel-group testVPNnsl2tp type remote-access
    tunnel-group testVPNnsl2tp general-attributes
    address-pool VPN-Pool-1
    default-group-policy testVPNnsl2tp
    tunnel-group testVPNnsl2tp ipsec-attributes
    ikev1 pre-shared-key *****
    tunnel-group testVPNnsl2tp ppp-attributes
    authentication ms-chap-v2
    One last question: in order to get the connection from Android to work, I was forced to use "tunnel-group DefaultRAGroup".  Is that actually a limitation, or did I make an error that forced that requirement?  I wanted to use "tunnel-group testVPNnsl2tp".
    Thanks!

    Chris,
    This is still a bit off the mark.  I think I might be confusing the issue by including some of the VPN configuration that I had previously installed and working (e.g., two other VPN tunnel groups with split tunneling on one of them).  Let's just remove that stuff from consideration.  I actually tested the current configs just to see if they are working since the upgrade.  testVPN is working with the split tunneling, but testVPNns (no-split tunneling) does not allow external access.  I guess there is a NAT config issue there, too, but not sure what it is, yet.  I've not investigated that closely.
    I want to solve one problem at a time, though I understand there are some interdependencies.
    What I'd like to focus on right now is just the L2TP VPN connection.
    From what I've been able to understand from the documentation, what I need are these lines:
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANSP esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANSP mode transport
    crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANSP esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANSP mode transport
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 10 set ikev1 transform-set ESP-AES-128-SHA-TRANSP ESP-3DES-SHA-TRANSP
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto ikev1 enable outside
    group-policy testVPNnsl2tp internal
    group-policy testVPNnsl2tp attributes
    wins-server value 192.168.1.8
    dns-server value 192.168.1.8 192.168.1.4
    vpn-idle-timeout none
    vpn-tunnel-protocol l2tp-ipsec
    tunnel-group DefaultRAGroup general-attributes
    address-pool VPN-Pool-1
    default-group-policy testVPNnsl2tp
    tunnel-group DefaultRAGroup ipsec-attributes
    ikev1 pre-shared-key P74bmqL6rT40bl5
    tunnel-group DefaultRAGroup ppp-attributes
    authentication ms-chap-v2
    crypto ikev1 policy 5
    authentication pre-share
    encryption aes
    hash sha
    group 2
    lifetime 86400
    I still want to assign the IP addresses to VPN clients out of 192.168.3.0/24.
    The tricky part is understanding exactly what NAT rules to insert and how to avoid that error message I'm getting related to the encapsulated packets.  I tried to introduce the commands you had, but it's missing stuff that I would need for L2TP/IPSec (e.g., "mode transport").  I also don't think I want "pfs group5".  The above config "works" in that I get connected -- all negotiation is done.  It's just that packets from the VPN client are not able to go out to the Internet and I'm seeing those encapsulation error messages when I try to send a packet.
    Paul

  • How can I add the "Profile Removal Password Payload"  to a configuration Profile?

    How can I add the “Profile Removal Password Payload”  to a configuration Profile?
    I’m not seeing an option to add this option when I edit the configuration profile within Apple Configurator.
    Do I have to edit the configuration profile(xml file) within a text editor?
    FYI:
    https://developer.apple.com/library/ios/featuredarticles/iPhoneConfigurationProfileRef/Introduction/Introduction.html
    Profile Removal Password Payload
    The Removal Password payload is designated by specifying com.apple.profileRemovalPassword value as the PayloadType value.
    A password removal policy payload provides a password to allow users to remove a locked configuration profile from the device. If this payload is present and has a password value set, the device asks for the password when the user taps a profile's Remove button. This payload is encrypted with the rest of the profile.
    Key: RemovalPassword
    Type: String
    Value: Optional. Specifies the removal password for the profile.

    You have found where it is stored in Thunderbird?
    Delete it. When Thunderbird needs it again, it will ask you for it.

  • Configuration Profile Code-Signing Certificates

    Today, I learned that the Code-Signing Certificate used for signing Device Configuration Profiles is _different_ (and much more expensive) than the SSL Certificate used by other Lion Server services.
    I understand that these certificates follow a trust _chain_, and that Lion Server creates a default Code-Signing certificate based on the self-signed certificate it creates during setup. Since then, I've replaced my self-signed SSL Cert with a fully verified one.
    How can I use OpenSSL to create a Code-Signing certificate based on my purchased SSL Certificate, just like Lion Server did?

    You must obtain a code-signing cert from a trusted authority or it won't be trusted by any of your clients.
    ** Code-signing your profiles is kind of pointless if you're a small business or school. This is only useful if you're a large enterprise (or maybe a college or university) deploying profiles to many devices and are worried about tampering. A signed SSL cert is more useful than a code-signing cert.
    ** (This is totally my opinion but that's how I see it. Code-signing certs allow your clients to determine that the code is in fact from you and it hasn't been altered in transit to the client. If this is really a concern for you then you would need to obtain a cert from a trusted authority, but I bet it's not...)

  • IOS Configuration Profile Reference outdated

    Hi,
    I'm currently writing a technical draft iPhone policy for our enterprise. The iPhone configuration utility is a nice tool to create such a policy but it is not really usable for documentation of the different directives. Therefore I was looking for another documentation. The «iOS Configuration Profile Reference» seems to be a nice document, since it describes every single directive.
    Unfortunately I had to find out that there are many more parameters in the current iPhone Configuration Utility 3.3 (274) than are specified in the iOS Configuration Profile Reference, even though its version is dated 2011-03-08.
    Does anybody know if there is a more current Version of this document, or another paper which specifies all possible parameters?
    Chris

    Can anyone help to answer the question?

  • Can't install configuration profile on iPad - "The profile ... could not be installed"

    Hi all,
    I'm trying to create a simple test MDM server.
    I'm using a Windows Server 2008 R2, and an iPad (iOS 5.01).
    I set up a Python based web server to accept requests on port 8080, installed an APNs certificate and created a configuration profile using IPCU with an MDM payload (and a VeriSign credentials payload to match it).
    I have ports open on the server (443, 1640, 2195 and 8080, where my server is listening).
    I sent the configuration profile to myself, via email and tried installing it on my iPad.
    I got the response:
    Profile Failed to Install
    The profile "MDM test profile" could not be installed.
    Does anyone know what could be the problem here? What am I missing?
    I have tried installing on an iPhone as well, same problem.
    Thanks,
    Tomer

    Try a clean re-install.
    * Download the setup file from http://www.mozilla.com/en-US/firefox/RC (this is for the Firefox 4 release candidate)
    * Uninstall Firefox, do not select the option to "Remove my Firefox personal data"
    * Delete the Firefox installation directory - http://kb.mozillazine.org/Installation_directory
    * Re-install Firefox
    This process does not remove the Firefox user data such as bookmarks and passwords which are stored elsewhere in the profile folder.
    You may also need to manually reset the Software Update feature by deleting the software update files as shown in the "Software Update not working properly" section here - http://kb.mozillazine.org/Software_Update

  • Locally configured security policy in domain environment

    Hello.
    I have run into a problem when configuring security policy for servers in my domain. Due to the large size of my environment and the many different local administrators on servers, quite a few of those administrators have configured local security policies on
    their servers instead of asking our central IT department to create domain based GPOs for those settings.
    It's quite often settings that give an account the right to log on as a batch job and so on. This creates a problem for us who work centrally: we can't configure a central GPO, since we would overwrite the locally configured ones, and that will quite often
    cause an application to stop working.
    So my question is whether there's any way to make an inventory to find out which servers have a locally configured policy, so that I can change that to a central one.
    /Lee

    You can use secedit to get the local security policy. You can use
    psexec to get it remotely and store the content in a share. Once done, you can fetch the data using PowerShell and get what you need.
    This posting is provided AS IS with no warranties or guarantees , and confers no rights.
    Ahmed MALEK
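An added example of the last step in that answer (not code from the thread's participants): it reads the secedit exports collected in the share and lists servers whose locally assigned user rights include accounts outside a baseline, so the central team can see which servers would be affected before a domain GPO overwrites them. The share path, file naming and baseline SIDs are assumptions; adjust them to your own build standard.

```powershell
# Added example (not from the original thread): inventory secedit exports for
# locally assigned user rights that deviate from a baseline.
# Assumptions: each server's policy was exported with
#   secedit /export /cfg C:\Temp\secpol.inf   (run remotely via psexec, as the answer suggests)
# and copied to \\fileserver\secpol\<servername>.inf  (hypothetical share path).

$ShareRoot = '\\fileserver\secpol'

# Baseline: the assignments you expect on a member server. Adjust to your own
# standard; these SIDs are the built-in Administrators, Backup Operators and
# Performance Log Users groups, and NT SERVICE\ALL SERVICES.
$Baseline = @{
    SeBatchLogonRight   = @('*S-1-5-32-544', '*S-1-5-32-551', '*S-1-5-32-559')
    SeServiceLogonRight = @('*S-1-5-80-0')
}

function Get-PrivilegeRights {
    param([string]$Path)
    # secedit writes a UTF-16 LE INI file; only the [Privilege Rights] section matters here.
    $inSection = $false
    $rights = @{}
    foreach ($line in Get-Content -LiteralPath $Path -Encoding Unicode) {
        if ($line -match '^\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if ($inSection -and $line -match '^\s*(Se\w+)\s*=\s*(.*)$') {
            # Values are comma separated SIDs (prefixed with *) or account names.
            $rights[$Matches[1]] = @($Matches[2] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        }
    }
    return $rights
}

$report = foreach ($file in Get-ChildItem -Path $ShareRoot -Filter '*.inf') {
    $server = $file.BaseName
    $rights = Get-PrivilegeRights -Path $file.FullName
    foreach ($right in $Baseline.Keys) {
        $actual = if ($rights.ContainsKey($right)) { $rights[$right] } else { @() }
        # Anything granted on the server but absent from the baseline was set locally.
        $extra = @($actual | Where-Object { $Baseline[$right] -notcontains $_ })
        if ($extra.Count -gt 0) {
            [pscustomobject]@{ Server = $server; Right = $right; LocalOnly = ($extra -join ';') }
        }
    }
}

$report | Sort-Object Server, Right | Format-Table -AutoSize
```

Entries reported under LocalOnly are the accounts a central GPO would strip; pipe `$report` to Export-Csv to hand the list to the local administrators before migrating the settings.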
