NAC Host-Based Policies Issue

Hi
I have a problem: when I try to permit a web page (for example www.microsoft.com) in a temporary role, the user can't open it and a security message is displayed, but when I add the web IP the users can access it. The NAC is working on real-IP layer 3.
Thanks for your help

Hi
The result of the DNS lookup on the host is the following:
*** Can't find server name for address 172.16.48.253: Non-existent domain
*** Default servers are not available
Server: UnKnown
Address: 172.16.48.253
Non-authoritative answer:
Name: com.com.mx
Address: 74.52.164.242
Aliases: www.cisco.com.com.mx
The result of the nslookup on the CAS is the following:
[root@CAS-MTY ~]# nslookup www.cisco.com
Server: 172.16.48.253
Address: 172.16.48.253#53
Non-authoritative answer:
Name: www.cisco.com
Address: 198.133.219.25
Help me
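
A way to check the two lookups above mechanically, as an added example that is not part of the original posts: it parses both nslookup outputs and reports that, from the same resolver address, the host's answer is for www.cisco.com.com.mx (the queried name with com.mx appended) while the CAS's answer is for www.cisco.com itself. The host's query name is assumed to be www.cisco.com, as in the CAS command, and the function names are illustrative.

```python
import re

# Outputs copied from the post above. The host's query name is an assumption:
# www.cisco.com, the same name used in the CAS command.
HOST_OUTPUT = """\
*** Can't find server name for address 172.16.48.253: Non-existent domain
*** Default servers are not available
Server: UnKnown
Address: 172.16.48.253
Non-authoritative answer:
Name: com.com.mx
Address: 74.52.164.242
Aliases: www.cisco.com.com.mx
"""
CAS_OUTPUT = """\
Server: 172.16.48.253
Address: 172.16.48.253#53
Non-authoritative answer:
Name: www.cisco.com
Address: 198.133.219.25
"""

FIELD = re.compile(r"^(Server|Address|Name|Aliases):\s*(.+)$")


def parse_nslookup(text):
    """Separate the resolver block from the answer block of nslookup output."""
    result = {"server": None, "names": [], "addresses": [], "aliases": []}
    in_answer = False
    for line in text.splitlines():
        line = line.strip()
        if line.lower().endswith("answer:"):
            in_answer = True
            continue
        m = FIELD.match(line)
        if not m:
            continue  # "***" diagnostics and blank lines
        key, value = m.groups()
        if key == "Name":
            in_answer = True  # authoritative answers have no "answer:" header
        if not in_answer:
            if key == "Address":
                result["server"] = value.split("#")[0]  # drop "#53" port suffix
        elif key == "Name":
            result["names"].append(value.lower().rstrip("."))
        elif key == "Address":
            result["addresses"].append(value)
        elif key == "Aliases":
            result["aliases"] += [v.strip().lower().rstrip(".") for v in value.split(",")]
    return result


def check_answer(query, parsed):
    """Return (ok, detail); ok is False when the answer is not for `query`."""
    query = query.lower().rstrip(".")
    answered = parsed["names"] + parsed["aliases"]
    if query in answered:
        return True, "answer matches the queried name"
    for name in answered:
        if name.startswith(query + "."):
            return False, "suffix appended: " + name[len(query) + 1:]
    return False, "answer is for a different name"


def compare_vantage_points(query, host_text, cas_text):
    """Compare what the client and the CAS each got back for the same name."""
    host, cas = parse_nslookup(host_text), parse_nslookup(cas_text)
    return {
        "same_resolver": host["server"] == cas["server"],
        "host": check_answer(query, host),
        "cas": check_answer(query, cas),
        "shared_addresses": sorted(set(host["addresses"]) & set(cas["addresses"])),
    }


if __name__ == "__main__":
    print(compare_vantage_points("www.cisco.com", HOST_OUTPUT, CAS_OUTPUT))
```

Running the same check against the name used in the temporary-role policy shows whether the client is resolving that exact name or a suffixed variant.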

Similar Messages

  • Host-based OpenLDAP Authentication On Mac OS X Mountain Lion

    Hello All,
    I'm sorry if this is the wrong group to post such a question, or if this has been already answered.
    I have openldap (slapd version 2.4.31-1+nmu2ubuntu8) running on Ubuntu Server 14.04. The 'hostObject' objectClass is added in the OpenLDAP directory. The 'host' attribute is added under all ldap users, which allows users to access just those particular hosts. Apple schema has been added as well.
    I have an Ubuntu client that authenticates users against the ldap server. The Ubuntu client is configured to perform host-based authentication via pam modules. Only users that have access to the Ubuntu client can login, and others are denied access. I also have a Mac OS X Mountain Lion (10.8.5) client that authenticates users against the same openldap server. All network users can login through the login window. I would like to restrict access to the Mountain Lion client based on hosts, as I have it on the Ubuntu client.
    I tried to search for documentation on this, but didn't find any good one. Most of the documentation suggests that network user access be controlled on the Mountain Lion client. I'd really like to have that control on ldap server and not on client. Also, restricting network user access using 'Users & Groups' settings in System Preferences fails. All ldap users are blocked from login.
    I have successfully tested host-based authentication on a Ubuntu Server 10.04 client that is connected to the same ldap server. So, I know host based authentication works. I would really appreciate if anyone could shed some light on this, or point me to a document that talks about host-based authentication on Mac OS X Mountain Lion client.
    Thanks,
    Amit

    I just found the answer to my own issue. The installation failed on Jam Pack Content 3 disk. To finish the installation I need to go to the Logic Pro Main menu under the item Download supplemental content

  • Host based zfs config with Oracle's Unified Storage 7000 series

    Hi all,
    It is my understanding that the 7000 storage displays a FC or ISCSI lun to the host. I understand this LUN is a ZFS lun in the 7000 storage, however the host still sees this as only one LUN. If I configure a host based ZFS storage device on top of this LUN I have no host based zfs redundancy. So do we still need to create a host based ZFS mirror or a host based ZFS raidz device when using a 7000 series storage array?
    Thanks,
    Shawn

    Many thanks - telling ESX to connect to the 7310's IP address on one of the other subnets DOES appear to work!
    My brain must still be addled from some other recent issues we've been having...absolutely no idea why I hadn't tried it already...
    I stand by the fact that the BUI is ambiguous, however - it still mentions that it's exported on only one of the networks...
    Thanks again...

  • Wrt54gl vs host-based firewall

    I have here a wrt54gl I am setting up the wireless side. For some reason, when I set it up to do wireless (WPA, TKIP). I then try to connect to it using an XP laptop (wireless, the microsoft default host-based firewall). It tries to connect and then gives up. I try doing this for 2 hours with the same results. When I disabled the firewall in the laptop, I was able to connect. So, I disconnect and then enable firewall and try to connect again. This time it also connects and picks up the dhcp info. Weird...

    Hi Dave,
    What happens if Sunscreen is not in the picture? I don't think there are any known
    issues with this part of the console. If you haven't already please download
    WLS6.1SP2 and try with that. If you still see this behaviour I suggest logging
    a support case.
    Kind Regards,
    Richard Wallace
    Senior Developer Relations Engineer
    BEA Support.
    "dave" <dave@work> wrote:
    Hi
    I wondered if anyone had any experience using host based firewalls and WLS.
    I am running 3 physical servers with 2 managed servers on each i.e. 6 managed servers, all in one cluster. In the same VLAN is the WLS Admin server. On each server is SunScreen Lite allowing 2 way connectivity on TCP ports 7001, 7002 and multicast on 237.0.0.1. Connections between the Admin server and each physical server is also allowed on port 5555 for NodeManager to stop and start managed servers.
    My problem is that when looking at the console on the admin server via a browser, odd servers are listed as not running when in actual fact their process is still running when doing a ps -ef and are still servicing requests. Under the clustering tab, a server which is listed as not running under the servers tab, is listed as not in the cluster, although the field - Known Servers - lists all 6 managed servers.
    The only way to be able to control the server again is to kill the process on the box itself, and go back to the console and use NodeManager to start it up again. I am wondering what would make WebLogic remove the server from the list of running servers?
    Any comments appreciated.
    Cheers
    Dave

  • BEx Analyzer: User ID based performance issue

    Hello Ladies and Gents,
    The issue:
    My BW team just upgraded our system to 2004s and we are experiencing an odd userid based performance issue. If we run a query from the BEx Analyzer with user ID 'A' it takes about 3min for the variable selection screen to appear. If I log into the same machine user ID 'A' was using on my user ID B the query variable selection screen appears within seconds. What could possibly cause this?
    What we know so far:
    1. Investigated the security roles, seems like that is not the issue.
    2. It is PC client independent. Two different user IDs (A and B) on the same machine running the same query in the same way (clicking through the BEx browser) produces different response times for the appearance of the variable selection screen.
    Points will be rewarded and help will be greatly appreciated!

    User specific personalization is retrieved before displaying the input variables. That might be a possibility, but hard to see it making such a difference. Do you always try the sequence of User A, then User B, or have you confirmed that when you start with User B, it is quick, and then slow when trying User A?
    Probably the best approach is to activate Trace and then logon with User A, turn trace off and print or save, then do the same thing for User B and compare. The trace will show you all the various SQL stmts and such that run as part of your trying to launch the query.
    Please post back anything you learn.
    Some info on Personalization  for the Help pages.
    Personalization in BEx
    Use
    This function allows users to fill variables with user-specific values, to save user-specific accesses to BI objects for the history view in the BEx Open dialog box, and to save user-specific start views for Web applications.
    Integration
    The personalized data is stored in different DataStore objects, according to the personalization area.
    · User-specific variable values are stored in the DataStore object 0Pers_VAR.
    · Personalized data for the history view is stored in the DataStore object 0Pers_BOD.
    · Personalized start views for the Web application are stored in the DataStore object 0Pers_WTE.

  • Recommendation Needed on Host Based Intrusion Detection

    Hi,
    I don't have any experience in selecting or implementing a host based intrusion detection package.
    I need a package to sit on a web server (Win 2k / 2003 with IIS), running some e-Commerce websites, and I need to make sure that this package can detect and/or block any attempt to manipulate the scripts or web pages. If it's possible, I want to make sure that only certain IP addresses are allowed to carry out changes for this web service.
    Can Cisco Security Agent fulfill my requirements? What is the licensing scheme if I wanted to deploy this on multiple servers? And do I have to get any central management station for these servers (any CiscoWorks platform for instance) or I can manage them individually?
    Any comment or recommendation would be highly appreciated.
    Thanks a lot.
    Salem.

    CSA will work well for this. You would need a license for each server. It is managed with CiscoWorks VMS.
    http://www.cisco.com/en/US/products/sw/secursw/ps5057/index.html
    Tom S

  • Host-based access restrictions

    What is the preferred method for implementing host-based access restrictions in Directory Server 5.2?
    I am setting up Solaris 9 clients using the native LDAP client.
    I tried setting up host-based access using netgroups, and it works great, but found the user's group associations stopped working. Only the default group shows up.
    Removing netgroups allows any valid user to authenticate to any host. Very bad.
    As a last resort, one could add an ACL for each user in the LDAP server specifying which hosts he can bind from. But then again, it's the proxyagent that will be binding.
    There has to be a better way to do this. Absolutely no info on this in the admin guides.

    Solaris10u6 (Solaris 10 10/08) added a pam_list module that appears to do what you're asking about from a brief glance at the What's New.

  • PAM-KRB5: account:  unable to get host based service name for realm

    I want a custom service to authenticate via PAM with Microsoft Active Directory Services on Windows 2003. kinit appears to work:
    Myserver% klist
    Ticket cache: /tmp/krb5cc_200
    Default principal: [email protected]
    Valid starting Expires Service principal
    Tue 01 Aug 2006 10:42:23 AM CDT Tue 01 Aug 2006 08:42:23 PM CDT krbtgt/[email protected]
    renew until Tue 08 Aug 2006 10:42:23 AM CDT
    Running a sample PAM consumer using 'winsamp' as its service name complains that Kerberos doesn't know the user. syslog reports: PAM-KRB5: account: unable to get host based service name for realm 'EXAMPLE.COM'.
    I'm struggling to get any additional logging out of either PAM or Kerberos. Any advice appreciated.
    /etc/pam.conf:
    winsamp auth required pam_krb5.so.1 debug
    winsamp password required pam_krb5.so.1 debug
    winsamp account required pam_krb5.so.1 debug
    winsamp session required pam_krb5.so.1 debug
    /etc/krb5/krb5.conf:
    [libdefaults]
    default_realm = EXAMPLE.COM
    default_tkt_enctypes = des-cbc-md5 ; or des-cbc-crc
    default_tgs_enctypes = des-cbc-md5 ; or des-cbc-crc
    [realms]
    EXAMPLE.COM = {
        kdc = mykdc.example.com:88
        admin_server = mykdc.example.com
        default_domain = EXAMPLE.COM
    }
    [domain_realm]
    .example.com = EXAMPLE.COM
    [logging]
    default = FILE:/var/krb5/kdc.log
    kdc = FILE:/var/krb5/kdc.log
    kdc_rotate = {
        # How often to rotate kdc.log. Logs will get rotated no more
        # often than the period, and less often if the KDC is not used
        # frequently.
        period = 1d
        # how many versions of kdc.log to keep around (kdc.log.0, kdc.log.1, ...)
        versions = 10
    }
    [appdefaults]
    kinit = {
        renewable = true
        forwardable = true
    }
    PAM sample application synopsis:
    pam_start("winsamp", "someuser", &conv, &pamh);
    err = pam_authenticate(pamh, 0);
    if (err == PAM_USER_UNKNOWN) {
        printf("don't know that user\n"); // <-- we always arrive here
        logout();
    }

    Part of the problem was that the Sun server's domain was not an exact match for the ADS domain. One was XXXX.EXAMPLE.COM and the other was just EXAMPLE.COM. Adding the equiv. domains in krb5.conf improved that situation.
    The sample PAM application still doesn't behave the way I want. When pam.conf is configured to authenticate against /etc/passwd, it works. Not when authenticating against ADS alone. I've come to the conclusion that PAM is for authenticating ONLY access to Solaris accounts.
    My application does not need a Solaris account. Am I using the wrong authentication API?

  • Old host-based printer can be networked using Airport Express

    Was thrilled to find out that my old HP printer works (uh, at least it DID work) as a wireless network printer because of Airport Express! (THAT's why I paid more for a router with a printer port.)
    According to HP, my old HP LaserJet 1020 printer is host-based and therefore supposedly NOT network-compatible. (True, a host-based printer CAN be shared among computers on a network as long as the printer is connected to the powered-on main computer, but I wanted more than that.) BTW, the HP 1020 shares drivers with the network-compatible 1022.
    But AX doesn't care whether a printer is host-based. Took several steps (including Bonjour) to get it to work, and I've printed wirelessly from both my PCs with the HP LaserJet 1020 plugged into the AX USB port.
    First I installed the HP drivers (1020/1022 plug and play, from the HP website) and set up and printed from computer 1. (Late at night, maybe I did this through Bonjour, but I think instead I was able to just find it through Windows > Add a printer). It defaulted to an HP 1020.
    Next I installed the HP drivers and set up and printed from computer 2. Bonjour didn't find the printer, so I did a manual setup through Airport Utility, choosing TCP/IP and entering the IP address of the AX (10.0.1.1). I chose to set it up as an HP 1022, based on my limited understanding that some folks report better results that way.
    When I went back to print from computer 1, I printed a file successfully. However, even later that night (yawn), when I tried to print a second file from computer 1, the print job would show up in the queue as "printing" but would then revert to error.
    Any settings advice out there? I've read that the 1020 has been known to crash the print spooler, so I may re-install on computer 1 as if it's a 1022. Should I change the spooler settings? Shouldn't need to "share" the printer through Windows, right? Do I need to add _1 to the printer's IP address on the second computer? At least it worked ONCE, so I'm confident this can be set up to work reliably.

    Just wanted to provide my happy update. For whatever reason, all I had to do was redo the printer setup on computer 1, and all I needed was Windows Add a Printer, now that I know what steps to take. I'm printing wirelessly to it through my network, yay!
    So if you have a host-based printer (which HP support website says is not network compatible), you can still use it as a network printer, thanks to Airport Express! No need to plug the printer into a computer and use Windows Printer Share.

  • Are supported Windows host based printers from HP by Netweaver?

    Are Windows host based (GDI) printers from HP supported by NetWeaver?
    For example HP LASERJET PROFESSIONAL P1102.
    Which SPAD configuration must I set to print to it?

    Hello,
    The following SAP Notes will be a good starting point for you:
    Note 1135055 - Printer Vendor Wizard Note: HP (https://service.sap.com/sap/support/notes/1135055)
    Note 1036961 - Device type selection wizard in transaction SPAD (https://service.sap.com/sap/support/notes/1036961)
    Success.
    Wim Van den Wyngaert

  • Host based mirror on FC LUN's

    Hi everybody,
    I would like to know, if it's possible or somebody has experience to create a host-based mirror with Oracle VM 3.1.x - on 2.x it was possible using MD-device and format it with ocfs2.
    As far as I can see in 3.1.x the only way for mirroring on SAN would be on the storage box, which will produce additional costs for BC-Volume license ...
    Kr
    Michael.

    Hi,
    Guest LDOM images can be on anything, as it is transparent to the LDOM. Remember the Control domain is actually serving the filesystems to the guest LDOM`s. So they can either be whole LUN`s, zfs devices, mounted filesystems, anything really. You could even have a LDOM guest image on a NFS filesystem if you really wanted..
    I have setup the majority of systems using the SAN attached to the Control domain, and then setup ZFS filesystems on these LUN`s and placed disk images on the ZFS filesystems. This means that we can use ZFS snapshots on the control domain if we need to do any patching etc.etc.
    I would also suggest that you have a minimum of 2 connections to each of your SAN devices. One connection is bad, m`kay? :D
    Edited by: krankyd on Sep 23, 2009 1:01 AM

  • What is the minimal reqs to use Host-based IPS?

    I have several servers touching the internet, and one basic ASA-5510.
    Aside from purchasing the AIP-SSM and upgrading the 5510 license, what else is required to have a host-based IPS?
    Do I need to purchase MARS or other software?
    How are the security-agents spec'ed?
    Thanks.    

    This is what Cisco is saying to that topic (from the EOL-page):
    Cisco's network security product portfolio has complementary security technologies, such as Cisco Intrusion Prevention Systems, Cisco ASA 5500 Series Adaptive Security Appliances, and Cisco IronPort Email and Web gateways. Please contact your Cisco account team for more information on these products. While there is no direct Cisco Security Agent replacement product from Cisco, many endpoint security products are available from a wide variety of third-party vendors. We expect that customers will want to do their own due diligence in choosing a replacement product that best meets their needs.
    For Clients I would go for the typical security-packages every anti-virus-vendor has to offer. In addition with a web-filter the protection should be quite good. For Servers, network-based IPS together with filtering reverse-proxys and application-gateways do the work for me. But I really miss the CSA in some cases.
    Don't stop after you've improved your network! Improve the world by lending money to the working poor:
    http://www.kiva.org/invitedby/karsteni

  • ACU & Host Based EAP

    I have been able to setup EAP-TLS with Windows XP using the Windows network settings. I would like to use the Aironet Client Utility to control my profiles as it offers more configurability and information.
    I create a profile in the ACU with the SSID, Dynamic WEP, and select Host Based EAP from the Network Security Type drop-down menu. When I enable this profile, I lose all network connectivity. I have tried this with the 'Use Windows to configure my wireless network settings' checkbox both checked and unchecked and I have not removed any of the settings for this SSID from the Windows networking.
    What am I missing? Thanks.

    Try following the instructions on this link
    http://www.cisco.com/univercd/cc/td/doc/product/wireless/airo_350/350cards/windows/incfg6/win5_ch6.htm#1170175

  • URL-Host-Based Virtual Servers

    Hi,
    I am trying to configure SJS-AS PE 8.1 to accomplish URL-Host-Based virtual servers as described in Example 3 of "Deploying Virtual Servers" in the document http://docs.sun.com/source/817-3652-10/agvirt.html (I know it's for v7, but it conceptually describes exactly what I am trying to do).
    The document outlines the scenario perfectly, but gives no example of how exactly to configure the app server this way. My understanding from the admin guide is that a listener has to be unique on a port and address, so once I create it for 0.0.0.0:80, how can I assign it to multiple virtual servers?
    Can someone point me to some example showing how to configure the app server this way?
    Thanks
    Chris

    Yes. Why are we able to use the same port 80 for several software virtual servers, and then when it comes to using https, we have to use different ports?
    Besides, please let me know if it is possible to use SSL with Software and not Hardware virtual servers. As if the Admin guide says it is only possible with hardware VS.
    Thank you.

  • C200 firmware Host Based Upgrade loop

    Rebooted a UCSM managed C200 this morning, and it keeps entering the Host Based Upgrade utility on reset. After POST, a screen appears with "Fetching System Information.....", and then the following appears:
    Selecting "q" repeats the cycle, and selecting "y" brings up the following screen:

    Paul,
    Evidently, the server is NOT booting up from the local disk or SAN as it is using the Host Upgrade Utility to boot up, so definitely you should have a .ISO file mounted in the "Virtual Media" tab or a CD in the DVD unit.
    Please check VM tab and DVD unit, reboot the server, get into the BIOS and make sure that you are using the correct boot order to boot up the box, either the RAID option to boot up locally or to boot up from SAN if that is what you are trying to do.
    Please keep us posted on what happens after you check on the above.
    -Kenny
