NAC and Multicasting

We're using NAC configured as IN-BAND, VIRTUAL-GATEWAY. So far the docs I've read haven't been very encouraging about running multicast through this configuration. Has anybody had any experience with this and perhaps some configuration ideas?
Thanks
David

Hi David
Multicast is not supported under the in-band real gateway. However, it will work for out-of-band or virtual gateway.
See http://www.cisco.com/en/US/products/ps6128/products_qanda_item09186a00803b7a81.shtml
Cheers
Walter

Similar Messages

  • NAC and AD, Machine GPOs, Roaming Profiles = Chaos

    I've just observed a hapless Cisco consultant try to make NAC 4.1 work on computers with machine GPOs, roaming profiles, logon scripts within user GPOs, and for that matter legacy logon scripts with "run logon scripts synchronously" enabled. All of these technologies seem to fail on a NAC-enforced connection.
    We assign software on machine GPOs and we use roaming user profiles, and it seems we either need to have a domain controller and profile share on the isolation VLAN, which defeats the purpose of NAC, or perform some kind of machine authentication, which can occur before GPO processing and net logons can happen.
    While I'm not the Cisco consultant, it wasn't hard to recognize this problem.
    Everything I've read about NAC and CAA suggests this is a per-user compliance solution and not a per-machine solution. Surely others have observed this, and I think this is what machine authentication (802.1x) NAC, as opposed to user authentication NAC, is all about. At the risk of sounding like a total n00b, where can I start researching a NAC solution that supports what I want and lets us use the Cisco NAC gear we've already invested in?

    I have had similar issues and have solved many with a custom script that runs at logon. It is a compiled AutoIT3 script and works great.
    The policy part takes care of itself if you leave machines logged in long enough or do a gpupdate /force. This will force the group policy to synchronize, but you will need to log off and on again.
    The roaming profile is much tougher. I am still trying to get this working. If anyone has any info on EXACTLY what takes place during a roaming profile synchronization, I would be grateful. If I can, I will replicate that process in my script and solve this issue also.
    I have fixed the login script stuff with a delay script that I (ironically) use Clean Access to install. You have to launch it with the user's credentials, though, and not from Clean Access, which uses the SYSTEM user's credentials in its stub agent!
    This is a known issue to Cisco, but any prodding of them to get it working would help. Their solution is braindead: just give unremediated machines full access! If they fail remediation, kick them off then. Gee, that gives the unremediated machine a mere two to three minutes to attack your AD DCs on each login attempt. Not good.
    Anyway, that's where I am at. Most of this can be dealt with; some is still problematic.
    Dan S.

  • I have to send messages through UDP multicast and unicast from the same port. In LabVIEW, when I tried that, it threw an error. I heard it is possible by means of Datagram (UDP unicast and multicast) Port Sharing. How can it be achieved in LabVIEW?

    I have to send UDP multicast and unicast messages to a remote port from a single source/local port. I tried opening UDP unicast and multicast on the same port and got the expected error. I then tried opening a unicast connection and sending unicast messages. After that, when multicast messages had to be sent, I closed the unicast connection and opened multicast on the same port. This does not throw any error. But my requirement is to communicate with another application in C++ which receives this data; it throws an error of lost connectivity and the two applications are not able to communicate properly.
    In the other application, in C++, this is implemented using port sharing. So how can port sharing be implemented in LabVIEW so that I can send both multicast and unicast messages from the same port?
    Thanks in advance

    UDP is a sessionless protocol, meaning that anyone listening on the specified port CAN receive the data. CAN, because as you noted there is no guarantee in the protocol that it will be received. And if you send the data not to a specific address but to a multicast address, not only one computer can receive it but in fact every computer on the same subnet listening to that multicast address and, depending on the TTL of the packet, also computers in neighbouring subnets, although that last one is not a very reliable operation since routers can be configured to drop multicast packets anyhow, despite a different TTL saying otherwise.
    Accordingly, there is no real way to make sure that a receiving UDP port is not already in use, since you don't build up a connection. UDP is more or less analogous to shouting your messages through a megaphone, and anyone listening on the right frequency (port) can hear it. You do bind the sender socket to a specific port number, but that makes little difference.
    Rolf Kalbermatter
    CIT Engineering Netherlands
    a division of Test & Measurement Solutions

  • What is the exact purpose of Transaction NACE and NAST Table?

    Hi All,
    What is the exact purpose of Transaction NACE and NAST Table?
    Pls help me…
    Akshitha.

    Hi
    When an output type in an application document is configured with a medium, partner, language and other communication parameters, an entry is created in the NAST table,
    so to trigger the output an entry in NAST is compulsory.
    Output is a link between the driver program and the SAPscript.
    An output type summarizes messages of the same meaning. It contains parameters that are valid for all its assigned messages, for example appropriate partner functions.
    Transmission medium is the medium in which the layout will come out; this may be printout, fax or mail.
    Check this link.
    http://help.sap.com/saphelp_nw2004s/helpdata/en/c8/19884743b111d1896f0000e8322d00/content.htm
    Ex: how to configure an output type.
    You will assign output types using Transaction NACE.
    Do the following steps to assign an output type:
    1) Select Application Type V2, which will have the description Shipping.
    2) Click on the Output types button.
    3) Go to change mode by pressing Ctrl+F4.
    4) Select one output type which already exists.
    5) Do Copy As (F6).
    6) Give your output type against the Output Type field.
    7) Under the General data tab, give the Program and Form routine and save the data.
    I think it is the work of a functional guy, but at senior level I think it is not a big deal for an ABAPer.
    Check the following documentation:
    In the NACE t-code we have the application for each one. Based on the application the output type can be defined, and based on the output type the script and print program can be defined.
    If the data is to be read from EDI, then we should go for condition records.
    So whenever we execute the script, first the composer checks the output type and then executes the program. In the program, whenever the OPEN_FORM FM is reached the script opens first; after that the program runs again until another FM is reached, and then the script is populated again... like that, it is a cyclic process. The composer does all these things and at last submits that output to the spool.
    Go to Transaction NACE.
    Choose the related sub-module, like billing or shipping.
    Double-click on Output Types.
    Choose the output type for which you want your script to trigger.
    Then select the output type and double-click on Processing Routine.
    Then go to create new entries --> select the Medium (1 - print output), then enter your script and print program details --> save and come out.
    Now go to the transaction (for which you have created the output type)... Issue output --> select the output type --> Print....
    Device Types for SAP Output Devices (Detail Information)
    Definition
    The device type indicates the type of printer to be addressed. When you define an output device, choose the name of the device type that was defined in the SAP System for your printer model, such as Post2 for a PostScript printer. In the case of frontend printing under Microsoft Windows, you can also use the generic (device-independent) device type SWIN.
    The system uses the information in the device type to convert a document from the internal SAP character representation (spool request in OTF or in text format) to a device-specific, print-ready data stream (output request). Since a device type specifies attributes that apply to all devices of a certain model, it can be shared among device definitions. For example, all devices in the SAP spool system that are compatible with Hewlett-Packard LaserJet IIID printers would use the HPLJIIID device type.
    You should not confuse the device type with the printer driver. The device type is the total of all attributes of an output device that the SAP System must know to control the output device correctly, such as control commands for font selection, page size, character set selection, and so on. These attributes also include the printer driver that SAPscript/Smart Forms (the SAP form processor) should use for this printer. The SAPscript printer driver that is to be used for devices of this type for output formatting is therefore only an attribute that the device type specifies.
    How do I choose the correct device type?
    • In most cases, the SAP System already provides the appropriate device type for the printer type for the printer model that you want to use.
    These standard device types are completely defined and need no modification or extension before you use them in device definitions.
    • You can also download missing device types from the sapserv server. For a current list of the supported device types, see SAP Note 8928 in the SAP Service Marketplace.
    • Most printers can be controlled using a generic format, such as PostScript. They can be switched to a mode that is compatible with one of the standard printers for which an SAP device type is available. In this case, a supported model is emulated.
    • Almost all printers are delivered with Microsoft Windows printer drivers. The system can control these printers with the generic (device-independent) device type SWIN. The Microsoft Windows spool system then performs the processing of the print data.
    • If the specified device types are not available, and generic device types cannot be used, you must create your own device type or edit a copy of an existing device type. We recommend that only those with specialist knowledge of the SAP Spool System and printer driver code do this. For more information, see Defining a New Device Type.
    Attributes of a Device Type
    A device type is distinguished by the attributes listed below. If you change an existing device type or create a new device type, you must change at least some of these attributes.
    • Character set: A character set specifies the codes with which characters must be represented in the print-ready output stream (output request). This code replaces the generic SAP characters set that is used internally by the SAP spool system (spool request).
    • Printer driver: You can specify different printer drivers for printing SAPscript documents and ABAP lists.
    • Print controls: Print controls represent printer operations, such as boldface or changing the font size. These print controls are replaced by printer-specific commands during the creation of the output request from a spool request.
    • Formats: Formats specify the format supported by the SAP system. The system differentiates between SAPScript formats (DINA4 and LETTER) and ABAP list formats (X_65_132 = 65 rows/132 columns).
    • Page format: A page format is the interface between a format and SAPscript. It specifies the paper dimensions with which SAPScript can calculate the row and column lengths.
    • Actions: Actions are output device-specific commands that are required for the implementation of a format. The action printer initialization, for example, can contain a printer command with which the number of rows on a page is defined. There is a set of actions for every format supported by a device type.
    Reward points for useful Answers

  • 802.1x NAC and per-user ACLs

    Can 802.1x NAC and per-user ACLs be used together on the same port? I know some of the NAC documentation says that 802.1x NAC does not support downloadable ACLs, but it looks like it might be outdated, and according to http://cisco.com/en/US/products/ps7077/products_configuration_guide_chapter09186a0080817284.html it appears that there is nothing preventing this.
    Also, when will URL redirection to a remediation server be supported with 802.1x NAC?

    You just need to configure it differently on ACS. "Downloadable IP ACLs" used to be "Downloadable PIX ACLs" on ACS. It changed to "IP" when VPN concentrators started supporting this with ACLs too. You saw this with NAC, if I remember .. and EOU does it this way as well.
    802.1X with per-user ACLs was already shipping at the time though (has been for some time) and the mechanism is operationally the same .. just functionally different.
    With per-user ACLs, you'd configure a VSA like:
    ip:inacl#1=deny ip any host 10.1.8.3
    ip:inacl#2=permit ip any any
    The "downloadable IP ACL" config would look like:
    deny ip any host 10.1.8.3
    permit ip any any
    In the end, both techniques use the same VSA. This VSA is 026\009\001. In "per-user ACLs", there's no sort of handshake though to see if the ACL is already there, etc. It slaps the ACL on for you unconditionally as an authorization rule b/c you told it to (hence the "ip:inacl" stuff above). With "downloadable", there's a handshake before actually applying the ACL .. to see if there's an earlier copy of the ACL, and it'll only update what changed, etc.
    So, it really boils down to semantics. Both techniques work. AAA config is subtly different on the backend. Look for this to get consistently deployed soon, but in the meantime, it's still supported ;-).
    Hope this helps,
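As an added example (not from the thread or from Cisco), the following Python normalizes the two encodings shown above, the per-user `ip:inacl#N=` av-pairs and the bare downloadable ACE lines, into one ordered ACE list and evaluates a flow against it, so what the RADIUS server will push can be reviewed before a user is authorized. It models only the `any` / `host A.B.C.D` / `A.B.C.D WILDCARD` address forms and rejects anything else; the sample values are the ones quoted in the reply, with `PER_USER` deliberately listed out of sequence order.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

AVPAIR_RE = re.compile(r"^ip:inacl#(\d+)=(.+)$")       # per-user ACL encoding
ACE_RE = re.compile(r"^(permit|deny)\s+(\S+)\s+(.+)$")  # action proto addresses


@dataclass(frozen=True)
class Ace:
    action: str
    proto: str
    src: Tuple[int, int]  # (network, mask) as integers; mask 0 means "any"
    dst: Tuple[int, int]

    @property
    def text(self) -> str:
        return f"{self.action} {self.proto} {_fmt(self.src)} {_fmt(self.dst)}"


def _fmt(spec: Tuple[int, int]) -> str:
    net, mask = spec
    if mask == 0:
        return "any"
    if mask == 0xFFFFFFFF:
        return f"host {ipaddress.IPv4Address(net)}"
    return f"{ipaddress.IPv4Address(net)} {ipaddress.IPv4Address(~mask & 0xFFFFFFFF)}"


def _addr(tokens: List[str]) -> Tuple[Tuple[int, int], List[str]]:
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD'; return spec and the rest."""
    if not tokens:
        raise ValueError("missing address specification")
    if tokens[0] == "any":
        return (0, 0), tokens[1:]
    if tokens[0] == "host" and len(tokens) > 1:
        return (int(ipaddress.IPv4Address(tokens[1])), 0xFFFFFFFF), tokens[2:]
    if tokens[0] == "host" or len(tokens) < 2:
        raise ValueError(f"incomplete address specification: {tokens}")
    mask = ~int(ipaddress.IPv4Address(tokens[1])) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(tokens[0])) & mask, mask), tokens[2:]


def parse_ace(line: str) -> Ace:
    """Parse one ACE; qualifiers not modelled here (ports, log, ...) fail closed."""
    m = ACE_RE.match(line.strip())
    if not m:
        raise ValueError(f"malformed ACE: {line!r}")
    action, proto, rest = m.group(1), m.group(2).lower(), m.group(3).split()
    src, rest = _addr(rest)
    dst, rest = _addr(rest)
    if rest:
        raise ValueError(f"unsupported qualifier {rest} in {line!r}")
    return Ace(action, proto, src, dst)


def from_avpairs(values: List[str]) -> List[Ace]:
    """Per-user form: 'ip:inacl#N=<ace>' values, ordered by N, duplicates rejected."""
    by_seq: Dict[int, Ace] = {}
    for value in values:
        m = AVPAIR_RE.match(value.strip())
        if not m:
            raise ValueError(f"not an ip:inacl av-pair: {value!r}")
        seq = int(m.group(1))
        if seq in by_seq:
            raise ValueError(f"duplicate sequence #{seq}")
        by_seq[seq] = parse_ace(m.group(2))
    return [by_seq[seq] for seq in sorted(by_seq)]


def from_downloadable(lines: List[str]) -> List[Ace]:
    """Downloadable form: bare ACE lines, applied in the order listed."""
    return [parse_ace(line) for line in lines if line.strip()]


def evaluate(acl: List[Ace], proto: str, src: str, dst: str) -> str:
    """First-match lookup, ending in the implicit deny every IOS ACL carries."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for ace in acl:
        if ace.proto not in ("ip", proto.lower()):
            continue
        if (s & ace.src[1]) == ace.src[0] and (d & ace.dst[1]) == ace.dst[0]:
            return ace.action
    return "deny"


# The two encodings quoted in the reply, as constructed sample input (#2 first on purpose).
PER_USER = ["ip:inacl#2=permit ip any any", "ip:inacl#1=deny ip any host 10.1.8.3"]
DOWNLOADABLE = ["deny ip any host 10.1.8.3", "permit ip any any"]
```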

  • NAC and Checkpoint firewall

    Hi to all,
    Does anyone know if it is possible to configure SSO using NAC and a Checkpoint firewall VPN client software on a user machine?
    Thanks in advance for your help

    Mark,
    If the checkpoint device can do standard radius accounting, it can work with CCA. When doing VPN SSO with CCA, it only cares about the accounting packets from the VPN head-end.
    HTH,
    Faisal

  • NAC and WSUS

    Hi to all,
    I'm new at NAC. Does anyone know the steps to configure remediation on a client machine using NAC and WSUS? Is there a rule that matches it? etc., etc...
    Thanks in advance for your help!

    Click clean access under device mgmt.
    Click the clean access agent tab.
    Click requirements.
    Add one for the MS update check if you don't already have one, by clicking New Requirement. Choose Windows Update Service from the Requirement Type drop-down box. If you already have a rule for the Windows Update Service check, you can click Edit instead (next to the move up/down arrow buttons).
    About half way down you can choose MS servers or WSUS servers.

  • Cisco NAC and Microsoft NAP

    Dear all,
    I need to know what are the differences between Cisco NAC and Microsoft NAP ?
    Can NAP be used instead of NAC or not ? why ? why not ?

    I really do not know if you will find the answer that you are looking for. From what I remember, NAP was an option that was available with the ACS via a special patch. This is only supported for Vista clients, if memory serves me correctly.
    Here is the link that will help you with the basics.
    http://www.cisco.com/en/US/netsol/ns466/index.html
    We do not get much case volume or exposure to the NAP solution, and with ACS 5.2 and ISE around the corner it might be too late to go through this setup and then run into issues with ACS 4.2 possibly hitting EOL/EOS.
    Thanks,
    Tarik

  • NAC and Linux Users

    Hello Everyone.
    I have implemented NAC in a wireless environment using OOB methods at one of the universities.
    Everything went smoothly, except one thing: NAC and students using Linux laptops.
    The issue they are facing is that they are able to load the NAC login page and able to use their usernames and passwords, but after clicking
    Submit they only see a blank page... it is supposed to show the page with the web agent, but that is not happening. I have checked the
    monitor page and online users, but I can't see the user ID or IP address.
    Any idea how to fix such an issue?
    Regards
    Yousef Askool

    Hello. NAC agent and web agent are not supported on Linux.

  • Diff bw changes NACE and SPRO

    hi all,
    Is there any difference if i change form and program name using NACE and SPRO?

    If you change the names and give yours, then they will be used for printing rather than the original ones...
    www.*******************/2007/11/message-contorl-in-abap.html
    www.sap-img.com/sapscripts/faq-for-sap-scripts.htm
    www.saptechies.com/what-spro-stands-for/
    reward points if helpful

  • How to protect a PIM-SM network from unauthorized pim routers and multicast sources?

    Hi,
    We're using PIM sparse mode in a customer network with Catalyst 2/3/4/6K switches; all multicast routers are redundant, with a PIM DR running for the access subnets. RPs are configured with anycast RP.
    A) Is there any possibility to prevent rogue PIM routers/IGMP queriers connected to host ports from connecting to the legal PIM routers and from getting involved in the local IGMP traffic?
    Maybe something like DHCP snooping does for DHCP. I read that in the latest Sup2T IOS (http://www.cisco.com/c/dam/en/us/td/docs/switches/lan/catalyst6500/ios/15-2SY/config_guide/sup2T/15_2_sy_swcg_2T.pdf) there is a feature called 'IPv4 Router Guard' which does exactly what we're looking for:
    'When configured, the Router Guard feature makes the specified port a host port only. The port is prevented from becoming a router port, even if multicast router control packets are received. In addition, any control packets normally received from multicast routers, such as IGMP queries and PIM joins, will also be discarded by this filter.'
    AFAIK, PIM authentication isn't supported in current Catalyst IOS versions.
    Using a normal port ACL is not an option in our case because of a management decision.
    B) Is there any possibility to prevent (on a per-subnet basis) rogue sources from sending multicast streams to legal multicast groups?
    Maybe I can configure an SVI of a host subnet, or a host port, to drop any incoming multicast stream while still accepting IGMP and sending out legal multicast streams?
    Using the 'ip pim accept-register' command on the RP is not an option because we have tons of legal sources, which would end in a very huge, error-prone ACL.
    Unfortunately, a normal ACL is not an option here either.
    Best Regards
    Thorsten

    We use two pim routers in each host subnet for redundancy, they elect the PIM DR.
    Does pim passive mode work here?
    (Config Guide: If the ip pim passive command is configured on an interface enabled for IP multicast, the router will operate this interface in PIM passive mode, which means that the router will not send PIM messages on the interface nor will it accept PIM messages from other routers across this interface. The router will instead consider that it is the only PIM router on the network and thus act as the DR and also as the DF for all bidir-PIM group ranges. IGMP operations are unaffected by this command. ... The redundant PIM stub router topology is not supported. The redundant topology exists when there is more than one PIM router forwarding multicast traffic to a single access domain. PIM messages are blocked, and the PIM asset and designated router election mechanisms are not supported on the PIM passive interfaces.)
    ip pim neighbor-filter maybe would work to prevent rogue PIM routers from connecting to the legal PIM routers, but wouldn't rogue PIM routers still be able to manipulate the layer 2 switch to send all IGMP traffic to them and not to the legal PIM routers?

  • LGS308 problem with vlan and multicast

    Hello,
    I have a LGS308 smart switch and am having problems putting multicast traffic on a specific vlan.
    The switch is connected to a PC for management (vlan 1).
    All ports are in access mode, VLAN 1 untagged.
    I created vlan 2 and put it untagged on port 7 and 8.
    Now, when I connect a multicast device (IPTV) on port 8, the switch becomes unresponsive and nothing works.
    It seems the switch is flooded with multicast traffic.
    Simply turning IGMP snooping on didn't help so I think it needs more configuration.
    Is this a known problem?
    ps: Once I have this simple setup running I'm planning for a more advanced setup with trunking 2 vlans (iptv + internet) to another switch over a single UTP cable. But first things first

    Yes it should!
    I have changed the setup like this:
    Switch 1
    port 1 - access mode - vlan 1U <---> Internet
    port 2 - access mode - vlan 1U <---> PC
    port 7 - access mode - vlan 2U <---> IPTV source (IGMP)
    port 8 - trunk mode - vlan 1T + 2T <---> switch 2 port 8
    Switch 2
    port 7 - access mode - vlan 2U <---> IPTV source (IGMP)
    port 8 - trunk mode - vlan 1T + 2T <---> switch 2 port 8
    With this setup, I can reach both switches from my PC.
    However, multicast doesn't work. I don't get IPTV on switch 2 port 7.

  • ML1000 RPR load balancing and multicast problem

    Hello,
    We have an SDH network consisting of an STM16 ring with 7 ONS15454 MSPP nodes, SW version 9.0.1. In each node we have an ML1000-2 card connected in an RPR configuration through VC4-8C (8x155 Mbps) circuits.
    My questions:
    Q1: We had expected the ring to balance itself, but instead 90% of the traffic is going anti-clockwise, which is the direction of POS-0.
    Q2: We are not able to transmit multicast packets and we sometimes have problems with UDP losses. Could this be due to a bad configuration of the ML-1000? Should we investigate higher up in the core switches (6500s)?
    Thanks

    Manuel,
    I just published a document on load balancing on the ML card.  (ML Load Balancing after 5.doc).
    Check the document section in the Optical Forum.
    Also check the on-line configuration guide.
    http://www.cisco.com/en/US/docs/optical/15000r9_0/ethernet/454/guide/45490a_mlcardovw.html
    As for question #2, you may find some answers on multicast in the load balancing document or configuration guide. If not, I suggest opening a TAC case so they can verify your ML configuration.
    Hope this Helps,
    Steve Noyes
    CSE Cisco TAC

  • Screen capture as video and multicasting

    Hello everyone, I am planning to do a multicast program which captures the local screen as video and transmits it to all clients.
    It is one-way communication, in which clients are always only in listening mode (it cannot be stopped). The server can choose to broadcast or stop the broadcast.
    e.g. software: TightProjector / VNC
    Currently my multicast connection is done; all the clients can get messages from the multicast server.
    I'm stuck on how to capture the local screen as video and transmit it to all the clients.
    Any method for me to start with?
    What should I be looking for?
    Thanks in advance
    :D

    morgalr wrote:
    If you're looking for screen shots, you'll be looking into Robot... once you have the screenshots, ImageIO can turn the images into JPEGs, and the JMF can turn JPEGs into a MOV.

  • Screen capture as video and multicast

    I'm having some problem with the picture receiving.
    Below is my code:
    Server-
    import java.awt.*;
    import java.awt.image.*;
    import java.awt.event.*;
    import java.net.*;
    import java.io.*;
    import javax.imageio.*;
    import javax.swing.*;
    public class robottestSent {
        public static void main(String[] args) throws AWTException, IOException {
            Dimension screenSize = Toolkit.getDefaultToolkit().getScreenSize();
            Rectangle screenRectangle = new Rectangle(screenSize);
            Robot robot = new Robot();
            ByteArrayOutputStream baos = new ByteArrayOutputStream();
            BufferedImage image = robot.createScreenCapture(screenRectangle);
            ImageIO.write(image, "png", baos);
            baos.flush();
            byte[] resultImage = baos.toByteArray();
            baos.close();
            //int wahaha = testtest.intValue();
            System.out.println(resultImage);
            try {
                DatagramSocket socket = new DatagramSocket();
                //byte buffer[] = new byte[1024];
                InetAddress address = InetAddress.getByName("230.0.0.1");
                DatagramPacket packet = new DatagramPacket(resultImage, resultImage.length, address, 9013);
                socket.send(packet);
                socket.close();
            } catch (Exception exp) {
                System.err.println(exp); //New added
            }
        }
    }
    Client-
    import java.awt.*;
    import java.awt.image.*;
    import java.awt.event.*;
    import java.net.*;
    import java.io.*;
    import javax.imageio.*;
    import javax.swing.*;
    public class robottestGet {
        public static void main(String[] args) {
            try {
                while (true) {
                    MulticastSocket socket = new MulticastSocket(9013);
                    InetAddress address = InetAddress.getByName("230.0.0.1");
                    socket.joinGroup(address);
                    byte message[] = new byte[1024];
                    DatagramPacket packet = new DatagramPacket(message, message.length);
                    System.out.println("test_1");
                    socket.receive(packet);
                    System.out.println("test_2");
                    BufferedImage newImage = ImageIO.read(new ByteArrayInputStream(packet.getData()));
                    JDialog window = new JDialog();
                    Container windowContent = window.getContentPane();
                    JLabel label = new JLabel(new ImageIcon(newImage));
                    JScrollPane pane = new JScrollPane(label);
                    windowContent.add(pane, BorderLayout.CENTER);
                    window.setSize(300, 300);
                    window.show();
                }
            } catch (Exception exp) {
                System.err.println(exp);
            }
        }
    }
    The server sends a PNG image's raw bytes to the client, but at the client side it appears:
    javax.imageio.IIOException: Error reading PNG image data
    The problem is, when I change the format to others like "jpeg/bmp", the transmission fails; it appears:
    java.net.SocketException: The message is larger than the maximum supported by the underlying transport: Datagram send failed
    Why is that problem actually? T.T
    Edited by: nick_khor on Nov 20, 2009 3:46 AM
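Two limits explain the errors in the post above: the client reads into a 1024-byte buffer, so any larger datagram is silently cut to that size and the PNG decoder sees a truncated stream, and a single IPv4 UDP datagram cannot exceed about 64 KB, which the JPEG/BMP encodings did. The added example below (mine, not the poster's code, written in Python rather than Java so it runs stand-alone) splits a frame into MTU-sized chunks with a range-checked header, reassembles them, drops incomplete or malformed frames, and reproduces the truncation. `SAMPLE_FRAME` is a constructed 20480-byte stand-in rather than a real image, unicast loopback stands in for the multicast group, and the truncation demo assumes Linux/BSD receive semantics.

```python
import hashlib
import socket
import struct
from typing import Dict, List, Optional

# Chunk header: frame id, sequence number, total chunks (network byte order).
HEADER = struct.Struct("!IHH")
# Keep each datagram under a typical 1500-byte MTU so the IP layer does not
# fragment it; losing one IP fragment would otherwise discard the whole datagram.
CHUNK_DATA = 1400 - HEADER.size
# Constructed stand-in for an encoded screenshot (20480 bytes, not a real PNG).
SAMPLE_FRAME = bytes(range(256)) * 80


def fragment(frame_id: int, payload: bytes) -> List[bytes]:
    """Split one frame into self-describing datagrams: header || data."""
    total = max(1, -(-len(payload) // CHUNK_DATA))  # ceiling division
    if total > 0xFFFF:
        raise ValueError("frame needs more than 65535 chunks")
    return [HEADER.pack(frame_id, seq, total) + payload[seq * CHUNK_DATA:(seq + 1) * CHUNK_DATA]
            for seq in range(total)]


class Reassembler:
    """Collects chunks per frame id and releases a frame only when complete."""

    def __init__(self) -> None:
        self.pending: Dict[int, Dict] = {}

    def feed(self, datagram: bytes) -> Optional[bytes]:
        # A multicast receiver accepts datagrams from anyone on the group, so
        # every header field is range-checked before it is trusted.
        if len(datagram) < HEADER.size:
            return None
        frame_id, seq, total = HEADER.unpack_from(datagram)
        if total == 0 or seq >= total:
            return None
        entry = self.pending.setdefault(frame_id, {"total": total, "parts": {}})
        if entry["total"] != total:
            return None  # conflicting header for the same frame id: drop it
        entry["parts"][seq] = datagram[HEADER.size:]
        if len(entry["parts"]) < total:
            return None
        del self.pending[frame_id]
        return b"".join(entry["parts"][i] for i in range(total))

    def incomplete_frames(self) -> int:
        return len(self.pending)


def _loopback_pair():
    """Receiver bound to an ephemeral loopback port, plus an unbound sender."""
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    rx.bind(("127.0.0.1", 0))
    rx.settimeout(2.0)
    return rx, socket.socket(socket.AF_INET, socket.SOCK_DGRAM)


def truncated_receive(payload: bytes, bufsize: int = 1024) -> int:
    """Reproduce the thread's symptom: a datagram larger than the receive buffer
    is cut to bufsize bytes and the rest is discarded (Linux/BSD semantics)."""
    rx, tx = _loopback_pair()
    try:
        tx.sendto(payload, rx.getsockname())
        return len(rx.recvfrom(bufsize)[0])
    finally:
        rx.close()
        tx.close()


def loopback_roundtrip(payload: bytes, frame_id: int = 7) -> bool:
    """Send a fragmented frame over UDP loopback (unicast here so it runs anywhere;
    a multicast group address works the same) and check the reassembled bytes."""
    rx, tx = _loopback_pair()
    reasm = Reassembler()
    try:
        for chunk in fragment(frame_id, payload):
            tx.sendto(chunk, rx.getsockname())
        while True:
            frame = reasm.feed(rx.recvfrom(2048)[0])
            if frame is not None:
                return hashlib.sha256(frame).digest() == hashlib.sha256(payload).digest()
    except socket.timeout:
        return False  # a chunk was lost: the frame never completes
    finally:
        rx.close()
        tx.close()
```

A real receiver would also expire `pending` entries after a timeout so a sender that never completes a frame cannot grow the table without bound.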
