NAC OUT OF BAND REAL IP GATEWAY

Hello,
I have NAC 4.8 set up as Out of Band Real IP Gateway.
Is it possible to integrate it with WLC5508 (Wireless)?
Thank you

Hello!
Yes, I'd say you just have to wait for NAC OOB Real-IP with Wireless.. :-)
In any case, it's perfectly fine to use ACS 5 to authenticate the Wireless users on the CT5508.
Just a note, if you're actually using ACS 5.0 (and not 5.1 or 5.2), make sure that you also install the latest patch.
In any case, if you're indeed on 5.0, I'd strongly recommend going to 5.2.
If what you're looking for is 802.1x authentication, you can refer to this document for a config example with the PEAP method:
http://www.cisco.com/en/US/customer/products/ps10315/products_configuration_example09186a0080b4cdb9.shtml
If you want to authenticate users through web-auth, then you can refer to this other document:
http://www.cisco.com/en/US/customer/tech/tk722/tk809/technologies_configuration_example09186a008067489f.shtml
The above example refers to ACS 4.x; however, you can achieve the same goal on ACS 5. For that, just make sure you have a good understanding of the policy model in ACS 5. You can find all the details in the config guide:
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.2/user/guide/policy_mod.html
I hope this helps!
Regards,
Federico

Similar Messages

  • NAC In-band Real IP Gateway process

    Hi all,
    I've been doing a lot of research and I still can't find good answers to some of my questions. All the big questions are answered for out-of-band configuration but I find that it's assumed that understanding in-band is taken for granted lol...I guess I'm slow =P
    How does In-band Real-IP Gateway work?
    What is the point of the /30 subnets?
    Are there access/auth VLAN pairs in in-band configurations?
    How does quarantining work?
    I read that the NAC Server can only send traffic out the untrusted port in one VLAN and that you aren't allowed to trunk that port. Does this mean that there's no support for multiple untrusted VLANs mapped to a single NAC Server?
    Can you do role-mapping with in-band configurations?
    Any help with any or all of these questions would be GREATLY appreciated!
    Thanks much =]
    ~ Xavier.

    Hi Xavier,
    let me try to answer your questions
    1. How does In-band Real-IP Gateway work?
    The CAS works in routed mode, so you have different IP addresses (on different subnets) on the trusted and untrusted interfaces. Since the CAS doesn't support routing protocols, all the routing has to be configured through static routes.
    2. What is the point of the /30 subnets?
    The idea is to have small subnets for your clients so that with this IP config the clients in the authentication VLAN need to go through the CAS even to talk to other clients in the same L2 subnet.
    Check here for some explanation:
    http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/47/cas/s_dhcp.html#wp1057889
    3. Are there access/auth VLAN pairs in in-band configurations?
    If you ask if there's VLAN mapping, then the answer is NO, as the aim of the VLAN mapping is to *bridge* traffic between the trusted and untrusted mapped VLANs, but in Real-IP the CAS does L3 routing of the traffic.
    4. How does quarantining work?
    When a client is quarantined, this works in the same way as in OOB, as in this phase the client is still inline to the CAS.
    So the concept is that the CAS assigns the user to the temporary or quarantine role and it applies a traffic policy that you configured for the temporary or quarantine role.
    5. I read that the NAC Server can only send traffic out the untrusted port in one VLAN and that you aren't allowed to trunk that port. Does this mean that there's no support for multiple untrusted VLANs mapped to a single NAC Server?
    The "single" VLAN restriction for Real-IP CAS applies only to the *trusted* side. The CAS can be the default gateway for multiple VLANs/IP Subnets on the *untrusted* side.
    You configure additional VLAN/IP addresses on the untrusted side using the "managed subnet" configuration.
    This is also mentioned here:
    http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/45/cas/s_deploy.html#wp1050938
    The Clean Access Server can manage one or more subnets, with its untrusted interface acting as a gateway for the managed subnets. For details on setting up managed subnets, see Configuring Managed Subnets or Static Routes, page 5-26.
    6. Can you do role-mapping with in-band configurations?
    Yes, you can do it! However, you cannot assign VLANs as you do in OOB, but you can assign different access levels based on the IP traffic policies and bandwidth restrictions you assign to the specific role.
    Check for instance here for more details:
    http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/45/cam/m_users.html#wp1040231
    In a nutshell, irrespective of the use of InBand vs. OutOfBand:
    - the clients are InBand to the CAS during the CAS discovery, authentication, posture assessment and remediation phases.
    The main difference occurs when the user is authorized to have access to the network and you perform role assignment both in IB and OOB but..:
    - in IB the client traffic keeps on flowing inline to the CAS, so you can apply different access policies (ACL) and bandwidth control policies depending on the role (but you cannot assign VLAN);
    - in OOB the client traffic bypasses the CAS once it's authorized: in this case you can apply different VLANs but (since the CAS is no longer along the path) you can't apply ACLs and/or traffic shaping policies in this case.
    I hope this answers your questions.
    Regards,
    Federico
    If this answers your question please mark the question as "answered" and rate it, so other users can easily find it.
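
The /30 addressing from answer 2 above, worked through as an added example (not part of the original thread): it models a client's on-link versus default-gateway decision and compares one /30 per client with a single flat subnet. The 10.10.20.0/28 block and the choice of the first usable address as the CAS untrusted-side gateway are assumptions made for illustration.

```python
import ipaddress
from collections import namedtuple
from itertools import permutations

# One addressing assignment handed to a client in the authentication VLAN.
Lease = namedtuple("Lease", "network gateway client")


def per_client_30s(managed_block, clients):
    """Carve managed_block into /30s, one per client.

    Assumption: the first usable address of each /30 is the CAS
    (untrusted side) and the second is the client.
    """
    block = ipaddress.ip_network(managed_block)
    leases = []
    for net in block.subnets(new_prefix=30):
        if len(leases) == clients:
            break
        gateway, client = list(net.hosts())  # a /30 has exactly two usable hosts
        leases.append(Lease(net, gateway, client))
    if len(leases) < clients:
        raise ValueError("block too small for %d /30 subnets" % clients)
    return leases


def flat_subnet(managed_block, clients):
    """The contrasting design: every client shares one subnet and one gateway."""
    block = ipaddress.ip_network(managed_block)
    hosts = list(block.hosts())
    if len(hosts) < clients + 1:
        raise ValueError("block too small for %d clients plus a gateway" % clients)
    return [Lease(block, hosts[0], h) for h in hosts[1:clients + 1]]


def next_hop(src, dst_ip):
    """Standard host forwarding: on-link destinations are reached directly,
    everything else is sent to the default gateway."""
    dst = ipaddress.ip_address(dst_ip)
    return dst if dst in src.network else src.gateway


def pairs_bypassing_gateway(leases):
    """Ordered (src, dst) client pairs whose traffic never reaches the gateway."""
    return [
        (str(a.client), str(b.client))
        for a, b in permutations(leases, 2)
        if next_hop(a, b.client) == b.client
    ]


if __name__ == "__main__":
    isolated = per_client_30s("10.10.20.0/28", 3)
    shared = flat_subnet("10.10.20.0/28", 3)
    for lease in isolated:
        print(lease.network, "gateway", lease.gateway, "client", lease.client)
    print("/30 design, pairs bypassing the CAS:", pairs_bypassing_gateway(isolated))
    print("flat design, pairs bypassing the CAS:", pairs_bypassing_gateway(shared))
```

With a /30 per client, every peer address is off-link, so the client's own IP stack hands the packet to the CAS, where the role's traffic policy applies.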

  • NAC Out-of-Band Deployment for wireless networks

    I am evaluating the NAC appliance for my wired and wireless users. I have read that the only way to deploy NAC for wireless is in-band mode but it looks like the following link says that it is possible to deploy NAC for wireless networks in-band or out-of-band mode:
    "NAC Appliance can be deployed for WLANs as an in-band deployment for full-time endpoint scanning or out-of-band within a central site for periodic scanning to confirm posture compliance. The NAC Appliance server performs authentication, posture assessment, and remediation. The server securely controls authenticated and unauthenticated user traffic by managing traffic policies based on protocol/port or subnet, providing bandwidth policy management based on shared, or per-user bandwidth, or using time-based sessions and heartbeat controls. (Figure 1)"
    http://www.cisco.com/en/US/prod/collateral/wireless/ps5678/ps6521/prod_brochure0900aecd80355b2f_ps6128_Products_Brochure.html
    Does anyone know if it is possible to use NAC out-of-band deployment for wireless networks? If you can point me to some documentation it will be appreciated.
    Regards

    Thanks Robert.
    In my case I am planning to deploy a central NAC appliance at the main office to control some branch offices and local wired users at the main office. The NAC appliance will operate in out-of-band mode. But for wireless users at the main office I will need an additional NAC appliance operating in in-band mode, is this correct?
    Regards

  • NAC out of band supported devices?

    I am facing an issue controlling a Cat 500 Express switch. The switch is not going to out of band.
    Any suggestion?

    Thanks for your quick reply.
    But for remediation purposes, the affected client PC has to move via the core network, as the remediation servers will be placed in the internal segment. In this case the affected PC will travel through my network and can damage my security policy...
    Let me make it clear to you:
    1. My AV & PM servers are located in the server zone, which is connected to the core switch.
    2. If I implement NAC and any outside user with a non-updated AV on his/her PC tries to log in, then the CAS will find it non-compliant and will send it to the remediation zone, which is basically a server zone where all AV, PM & remediation servers are located.
    3. I want any affected PC, say with a non-updated AV, not to travel through my network. They will get a URL and click on it, which in turn will talk to the AV server, get the latest updates and push them to the end user.
    Is this achievable?

  • NAC L3 OOB Virtual Gateway/Real-IP Gateway

    In a Central Deployment (NAC server at Central Site) for Remote Office (WAN) users, is it possible to work with L3 OOB Virtual Gateway, or is it only possible to work with L3 OOB Real-IP Gateway?
    If both modes (Real-IP or Virtual) are possible, what are the advantages/disadvantages of each one?
    I didn't find a response for this in the documentation.
    Thanks in advance.

    Hi, Paul
    >>I then disconnect the PC and patch it into the Switch 2. I then authenticate but instead of the port being moved to the correct VLAN it is left in the authentication VLAN and the Web Login cycles and asks me to log in again. Looking at the Online Users display it says I'm online on Switch 1 on the port I have disconnected from. This is INCORRECT!
    Have a look at the Switch Management ->Port Profiles and below "Options: Device Connected to Port" (the second one) "Change to .... if the device is certified" there should be Access VLAN option -make it active.

  • NAC L2 Inband Real IP Gateway

    Hi Experts,
    I was just reading the Cisco Press book for NAC, and I came to the following paragraph. Can anybody explain the L2 In-band Real IP Gateway mode steps to me from the start?
    If you use Real IP Gateway mode on NAC Appliance Server, you will have to make changes. The default gateway of clients has to be changed to be NAC Appliance Server, not the distribution switch.
    Thanks

  • Question about out-of-band when deploying NAC

    1. When I deploy NAC, a PC or user device is on the certified list. If User device is infected by virus, NAC Server can recognize device which is infected and prevent PC or not when I deploy out-of-band (not in-band)?
    2. When I deploy out-of-band, cisco nac appliance can configure bandwidth for group users or not?
    Thank you for your answer.
    Duy Khang

    1) Answer: No. Clean Access (NAC Appliance) will not detect when a system is infected with a virus, regardless of which deployment (In-Band or Out of Band) is used.
    2) Answer: No. When deployed out of band, once the posture is completed, the client traffic no longer goes through the Clean Access server so there is no way to apply bandwidth or any other controls to it via Clean Access. In order to apply bandwidth or access restrictions via CCA, the CCA server would have to be in-band.

  • NAC in-band vs out-of-band bandwidth management

    Hi,
    I am new to NAC. Would you please give me hints about bandwidth/traffic policy/QoS management when using out-of-band deployment of NAC? Is it possible NAC to configure the switch port with the appropriate bandwidth limiting template when it recognizes a certain user identity?
    Regards,
    Mladen

    Refer to NAC appliance configuration guide for more information
    http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/413/cam/m_intro.html

  • Out of band Clocking between MWR-2941

    Good morning, I'm having problems configuring out of band clocking between two MWR-2941.
    I have configured one MWR-2941 to
    Remote
    recovered-clock slave
    interface Virtual-Cem 0/24
    cem 0
         xconnect 10.10.10.2 7600 encapsulation mpls
    network-clock select 1 PACKET-TIMING
    network-clock-select hold-timeout 900
    the Master Router is getting it clock signal from an E1/T1 interface
    MASTER
    controller E1 0/0
    clock source internal
    cem-group 0 unframed
    description Clocking-Signal
    controller E1 0/13
    clock source line
    cem-group 0 unframed
    interface CEM0/0
    description Clocking-Signal
    no ip address
    cem 0
      xconnect 172.16.20.26 7600 encapsulation mpls
    interface CEM0/13
    no ip address
    cem 0
      xconnect 172.16.20.26 11591 encapsulation mpls
    With this configuration I can't get any clocking at the remote site. I have configured this between a Cisco 7609 and the MWR-2941 without problem, but in the Cisco 7609 I can create another virtual-cem interface. But I can't find a way to create a virtual-cem in the MWR-2941 that should be working as the clock master.
    Any help will be greatly appreciated.
    Thank you very much.

    Thank you for your attention,
    I did not see such output from my sho mac add command.
    I sent an image of my current topology; it may be useful, please find it.
    I used a router instead of Cisco layer 3 switches (the SVI for the user access VLAN is configured on the router as sub-interfaces), and on my NAC Server I created a VLAN mapping rule that maps the unauthenticated VLAN to one of my access VLANs.
    I have a problem with my Managed Subnet! I have to put my Managed Subnet as the default gateway for my client, because if I put the router SVI, the Cisco NAC Agent client does not pop up at all!
    I read different documents about that and all of them said that your client default gateway must be the SVI, but it does not work.
    Best regards

  • Out-of-band DTMF Transport

    Hello,
    I have recently been struggling with DTMF relay configuration in which the provider has issues with in-band DTMF transport and has requested DTMF's to be delivered out-of-band. Examining the SIP INFO and the SIP NOTIFY methods for out-of-band DTMF delivery, has led to the following predicament.
    As per this link
    http://www.cisco.com/en/US/docs/ios-xml/ios/voice/sip/configuration/15-mt/voi-sip-dtmf.html#GUID-901BED51-E8B2-4994-AC38-875E8A10D7C9
    "NOTIFY-based out-of-band DTMF relay is a Cisco proprietary function."
    While on the other hand, looking at another Support Community article at
    https://supportforums.cisco.com/community/netpro/collaboration-voice-video/ip-telephony/blog/2013/05/27/understanding-sip-dtmf-options-supported-by-cucm
    we have CSCse50733 according to which "CUCM and IOS gateways can receive SIP INFO (RFC 2976) messages for DTMF but cannot generate them"
    Does this mean that RFC-based out-of-band DTMF generation is currently not supported at all by Cisco voice gateways?
    Kind regards,
    Miroslav

    Not supported per Cisco TAC.

  • Out of Band Management aka Lights Out ala ALOM/LOM/iLO ?

    I'm researching Xserve hardware for a project at work and am having a hard time finding out if these are real servers or not.
    By real server I mean that an out of band lights out management facility is there. One which would allow you to connect via serial or network (preferred) to a service processor. The service processor would then let you power the machine on/off, change firmware settings to ie: boot from network on the next boot, or from disk 3 or what-have-you.
    It should also give you access to the text console at a minimum once the os has loaded, and optionally let you see the gui (if there is any graphics adaptor installed).
    Something akin to Sun's LOM or ALOM, or HP's iLO facilities.
    If it isn't there, then this project isn't going to work with Xserves.

    Like you, I'm very familiar with Sun's various LOM implementations. The ALOM is, IMHO, by far the most useful one [RSC supports telnet not SSH; eLOM is IPMI 2.0 like Apple but very clunky to work with in the CLI].
    The IPMI BMC present in the Xserve has a ton of capabilities, including Serial-over-LAN (SOL) for remote console access, but most features are (currently) unused. Apple ships the open-source ipmitool, as does Sun on S10 x64 systems, but no man pages (sourceforge has them); I think this is telling about how much effort has been put in to the Lights Out capability so far. I have been able to remotely query the Xserve LOM using ipmitool (from a Sun box) for various environmental conditions and to simply power-on/off the box. The GUI Server Manager client has equivalent functionality.
    While I can enable the SOL capability with ipmitool, I don't (yet) know how to connect for serial console access. One other point of frustration so far has been that the RS-232 console port on the Xserve is only used for getty to listen on; thus if the box is not fully booted, the console port does no good whatsoever.
    Don't get me wrong though; we are slowly replacing our Sun equipment with Xserve systems, as they offer much greater capability and easier management (in general) at a significantly lower cost than Sun. I just wish Apple would fix some of the basic Lights Out functionality that we have come to expect.

  • Problem with Out of Band Discovery resulting with Out of Band features not available in SCCM console for computers with provisioned AMT device

    Hi,
    We configured the Out of Band component, but are using Intel SCS RCS to provision AMT devices remotely. The remote configuration process with Intel SCS works fine; we are able to connect to the AMT web UI and we can use a free KVM tool to manage the computer remotely.
    The AMT devices are configured with AD integration, so an object is created for each of them in a specific OU. Also, an AD group is added to the AMT devices so remote PT Administration permission is granted to it. This group includes the ConfigMgr Site Server account, the account of the server running the Out of Band Service Point and my own user account.
    This configuration seems OK since when connecting to the AMT web UI, I use Windows Integrated authentication with my user account and can manage the device successfully.
    So the only step remaining is running the OOB discovery to enable Out of Band features for the computers in the SCCM console. We want to use the ConfigMgr OOB console. I right-click a computer or a collection and launch the AMT discovery. I check the OOB server log, I don't see errors; the OOB service point connects to the AMT device and discovers a status of 4, which is Externally provisioned, as expected. The problem is the AMT Status, AMT Version and Provisioned AMT fields for the computer in the ConfigMgr console don't get updated, even after doing a display refresh.
    Here's the amtopmgr.log (I changed computer name and IP address information to protect client privacy) :
    General Worker Thread Pool: Work thread 364 started SMS_AMT_OPERATION_MANAGER 2014-06-16 15:16:25 364 (0x016C)
    Discover COMPUTERA using IP address 192.168.12.7 SMS_AMT_OPERATION_MANAGER 2014-06-16 15:16:25 364 (0x016C)
    AMT Discovery Worker: There are 1 tasks in pending list SMS_AMT_OPERATION_MANAGER 2014-06-16 15:16:25 2792 (0x0AE8)
    AMT Discovery Worker: Wait 20 seconds... SMS_AMT_OPERATION_MANAGER 2014-06-16 15:16:25 2792 (0x0AE8)
    AMT Discovery Worker: Wakes up to process instruction files SMS_AMT_OPERATION_MANAGER 2014-06-16 15:16:25 2792 (0x0AE8)
    AMT Discovery Worker: There are 1 tasks in pending list SMS_AMT_OPERATION_MANAGER 2014-06-16 15:16:25 2792 (0x0AE8)
    AMT Discovery Worker: Wait 20 seconds... SMS_AMT_OPERATION_MANAGER 2014-06-16 15:16:25 2792 (0x0AE8)
    DoPingDiscoveryForAMTDevice succeeded. SMS_AMT_OPERATION_MANAGER 2014-06-16 15:16:25 364 (0x016C)
    Flag iWSManFlagSkipRevocationCheck is not set. SMS_AMT_OPERATION_MANAGER 2014-06-16 15:16:25 364 (0x016C)
    session params : https://COMPUTERA.contoso.com:16993   ,  11001 SMS_AMT_OPERATION_MANAGER 2014-06-16 15:16:25 364 (0x016C)
    DoWSManDiscovery succeeded with user name: admin. AMTStatus = 1. SMS_AMT_OPERATION_MANAGER 2014-06-16 15:16:32 364 (0x016C)
    Start Kerberos Discovery SMS_AMT_OPERATION_MANAGER 2014-06-16 15:16:32 364 (0x016C)
    Flag iWSManFlagSkipRevocationCheck is not set. SMS_AMT_OPERATION_MANAGER 2014-06-16 15:16:32 364 (0x016C)
    session params : https://COMPUTERA.contoso.com:16993   ,  484001 SMS_AMT_OPERATION_MANAGER 2014-06-16 15:16:32 364 (0x016C)
    DoKerberosWSManDiscovery succeeded. AMTStatus = 4. SMS_AMT_OPERATION_MANAGER 2014-06-16 15:16:32 364 (0x016C)
    Discovery to IP address 192.168.12.7 16 15:16:32 364 (0x016C)
    CSMSAMTDiscoveryTask::Execute, discovery to STI17259CPCO succeed. AMT status is 4. SMS_AMT_OPERATION_MANAGER 2014-06-16 15:16:32 364 (0x016C)
    CSMSAMTDiscoveryTask::Execute - DDR written to E:\SMS\MP\OUTBOXES\ddr.box SMS_AMT_OPERATION_MANAGER 2014-06-16 15:16:32 364 (0x016C)
    CStateMsgReporter::DeliverMessages - Queued message: TT=1201 TIDT=0 TID='Fill Machine Property' SID=1 MUF=0 PCNT=5, P1='COMPUTERA' P2='' P3='COMPUTERA.contoso.com' P4='' P5='' SMS_AMT_OPERATION_MANAGER 2014-06-16 15:16:32 364 (0x016C)
    CStateMsgReporter::DeliverMessages - Created state message file: E:\SMS\MP\OUTBOXES\StateMsg.box\6heghx71.SMX SMS_AMT_OPERATION_MANAGER 2014-06-16 15:16:32 364 (0x016C)
    CStateMsgReporter::DeliverMessages - Queued message: TT=1201 TIDT=0 TID='Unspecified' SID=10 MUF=0 PCNT=1, P1='COMPUTERA.contoso.com' 16 15:16:32 364 (0x016C)
    CStateMsgReporter::DeliverMessages - Created state message file: E:\SMS\MP\OUTBOXES\StateMsg.box\rmit91js.SMX SMS_AMT_OPERATION_MANAGER 2014-06-16 15:16:32 364 (0x016C)
    General Worker Thread Pool: Succeed to run the task COMPUTERA.contoso.com 16 15:16:32 364 (0x016C)
    General Worker Thread Pool: Work thread 364 has been requested to shut down. SMS_AMT_OPERATION_MANAGER 2014-06-16 15:16:32 364 (0x016C)
    General Worker Thread Pool: Work thread 364 exiting. SMS_AMT_OPERATION_MANAGER 2014-06-16 15:16:32 364 (0x016C)
    The Management Point is up and running.
    Any suggestion or advice is welcomed!
    Thank you
    Patrick

    I found something interesting on this problem, it seems the OOB discovery process is working fine, but for an unknown reason, the site server is not receiving the information from the OOB Service Point to update the AMT Status of the client in the SCCM database.
    The log tells me that a DDR file is created to be sent to the site server. When looking into the SMS\MP\Outboxes\ddr.box folder, I see about 50 DDR files, the oldest one is dated when I started testing OOB discovery.
    So the server is unable to send the files to the site server.
    Also, since I started this thread, I noticed another issue that could be related to this problem. The same server is also holding the State Migration Point role, it is working fine, but when doing USMT operations, the status of the computer association is not updated in the console (In Progress, Completed, missing USMT store path, etc.). When looking into the SMS folder on the server, I see a big backlog of SVF files containing information related to the SMP.
    I looked into the log files, but didn't find the errors yet to explain this.
    The computer account of the server is a member of the SMS_SiteSystemToSiteServerConnection_Stat_XXX group on the site server.
    Note that status messages are being sent successfully, I see them in the Monitoring node of the console under Component State, and there is no backlog in the SMS\MP\Outboxes\statemsg.box folder.
    Tnx for your help
    Patrick
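
The check Patrick describes in the two posts above (discovery logged as successful, yet DDR files piling up in ddr.box), as an added example that is not part of the original thread. The sample log lines are constructed in the layout of the excerpt above, and the host names, the 15-minute threshold and the `.ddr` file filter are assumptions.

```python
import os
import re
import tempfile
import time

# Constructed sample in the line layout of the amtopmgr.log excerpt above:
# "<message> <component> <date> <time> <thread> (<hex thread>)".
SAMPLE_LOG = r"""Discover HOST-A using IP address 192.0.2.10 SMS_AMT_OPERATION_MANAGER 2014-06-16 15:16:25 364 (0x016C)
DoWSManDiscovery succeeded with user name: admin. AMTStatus = 1. SMS_AMT_OPERATION_MANAGER 2014-06-16 15:16:32 364 (0x016C)
DoKerberosWSManDiscovery succeeded. AMTStatus = 4. SMS_AMT_OPERATION_MANAGER 2014-06-16 15:16:32 364 (0x016C)
CSMSAMTDiscoveryTask::Execute - DDR written to E:\SMS\MP\OUTBOXES\ddr.box SMS_AMT_OPERATION_MANAGER 2014-06-16 15:16:32 364 (0x016C)
Discover HOST-B using IP address 192.0.2.11 SMS_AMT_OPERATION_MANAGER 2014-06-16 15:17:01 512 (0x0200)
DoWSManDiscovery succeeded with user name: admin. AMTStatus = 1. SMS_AMT_OPERATION_MANAGER 2014-06-16 15:17:05 512 (0x0200)
"""

LINE = re.compile(
    r"^(?P<msg>.*?)\s+SMS_AMT_OPERATION_MANAGER\s+"
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<tid>\d+) \(0x[0-9A-Fa-f]+\)\s*$"
)


def summarize_discovery(log_text):
    """Return {host: {ip, amt_status, ddr_outbox}}, correlating lines by thread id."""
    host_by_thread, results = {}, {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # wrapped or truncated lines are skipped, not guessed at
        msg, tid = m.group("msg"), m.group("tid")
        start = re.match(r"Discover (\S+) using IP address (\S+)", msg)
        if start:
            host_by_thread[tid] = start.group(1)
            results[start.group(1)] = {
                "ip": start.group(2), "amt_status": None, "ddr_outbox": None}
            continue
        host = host_by_thread.get(tid)
        if host is None:
            continue
        status = re.search(r"AMTStatus = (\d+)", msg)
        if status:
            results[host]["amt_status"] = int(status.group(1))  # last value wins
        ddr = re.search(r"DDR written to (.+)$", msg)
        if ddr:
            results[host]["ddr_outbox"] = ddr.group(1)
    return results


def stalled_ddrs(outbox_dir, max_age_seconds, now=None):
    """List (name, age_seconds) of DDR files left in the outbox longer than
    max_age_seconds, oldest first. A growing list means the hand-off to the
    site server is not happening even though discovery itself succeeds."""
    now = time.time() if now is None else now
    stale = []
    for entry in os.scandir(outbox_dir):
        if entry.is_file() and entry.name.lower().endswith(".ddr"):
            age = now - entry.stat().st_mtime
            if age > max_age_seconds:
                stale.append((entry.name, int(age)))
    return sorted(stale, key=lambda item: -item[1])


def demo_backlog():
    """Build a throwaway outbox with constructed files and report the stale ones."""
    with tempfile.TemporaryDirectory() as outbox:
        now = time.time()
        for name, age in (("a.DDR", 7 * 86400), ("b.DDR", 3600), ("c.DDR", 30)):
            path = os.path.join(outbox, name)
            open(path, "w").close()
            os.utime(path, (now - age, now - age))
        return [name for name, _ in stalled_ddrs(outbox, max_age_seconds=900, now=now)]


if __name__ == "__main__":
    for host, info in summarize_discovery(SAMPLE_LOG).items():
        print(host, info)
    print("stale DDR files:", demo_backlog())
```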

  • Out-of-Band provisioning issue

    Hi there,
    I'm migrating from Configmanager 2007 to 2012 SP1 at a customer.
    With CM 2007 I'd successfully implemented Out-of-band management. Now I'm having some issues with provisioning AMT from CM2012.
    The testing machines have never been provisioned with CM2007.
    The oobmgmt.log at the client logs that the device was successfully activated.
    At the server in the amtopmgr.log file the following error is logged:
    Error: Can NOT get OTP from target device (MachineId = 16777220)
    I know this has to do with a one time password that is generated... I don't know where I have to look to resolve this issue.
    Part of the amtopmgr logfile:
    >>>>>>>>>>>>>>>Provision task (In Band Provision) begin<<<<<<<<<<<<<<<    SMS_AMT_OPERATION_MANAGER    28-10-2013 13:34:23    5268 (0x1494)
    Provision target is indicated with SMS resource id. (MachineId = 16777220 DSK-0925.water.intern)    SMS_AMT_OPERATION_MANAGER    28-10-2013 13:34:23    5268 (0x1494)
    Found valid basic machine property for machine id = 16777220.    SMS_AMT_OPERATION_MANAGER    28-10-2013 13:34:23    5268 (0x1494)
    Warning: Currently we don't support mutual auth. Change to TLS server auth mode.    SMS_AMT_OPERATION_MANAGER    28-10-2013 13:34:23    5268 (0x1494)
    The provision mode for device DSK-0925.water.intern is 1.    SMS_AMT_OPERATION_MANAGER    28-10-2013 13:34:23    5268 (0x1494)
    The IP addresses of the host DSK-0925.water.intern are 10.10.128.76.    SMS_AMT_OPERATION_MANAGER    28-10-2013 13:34:23    5268 (0x1494)
    Root hash of provisioning certificate is 2796BAE63F1801E277261BA0D77770028F20EEE4.    SMS_AMT_OPERATION_MANAGER    28-10-2013 13:34:23    5268 (0x1494)
    Attempting to establish connection with target device using SOAP.    SMS_AMT_OPERATION_MANAGER    28-10-2013 13:34:23    5268 (0x1494)
    Create provisionHelper with (Hash: FD16D8C6A482C73C12832BC19D5BCABD4460D5A3)    SMS_AMT_OPERATION_MANAGER    28-10-2013 13:34:23    5268 (0x1494)
    Set credential on provisionHelper...    SMS_AMT_OPERATION_MANAGER    28-10-2013 13:34:23    5268 (0x1494)
    Try to use provisioning account to connect target machine 10.10.128.76...    SMS_AMT_OPERATION_MANAGER    28-10-2013 13:34:23    5268 (0x1494)
    Core version of target machine 10.10.128.76 is: 9.0.3.    SMS_AMT_OPERATION_MANAGER    28-10-2013 13:34:24    5268 (0x1494)
    Succeed to connect target machine 10.10.128.76 using provisioning account #0.    SMS_AMT_OPERATION_MANAGER    28-10-2013 13:34:24    5268 (0x1494)
    GeneralInfo.GetProvisioningState finished with HResult = 0x0, status = 0x0, clientErr = 0.    SMS_AMT_OPERATION_MANAGER    28-10-2013 13:34:24    5268 (0x1494)
    Get device provisioning state is In Provisioning    SMS_AMT_OPERATION_MANAGER    28-10-2013 13:34:24    5268 (0x1494)
    Error: Can NOT get OTP from target device. (MachineId = 16777220)    SMS_AMT_OPERATION_MANAGER    28-10-2013 13:34:25    5268 (0x1494)
    CStateMsgReporter::DeliverMessages - Queued message: TT=1201 TIDT=0 TID='Unspecified' SID=13 MUF=0 PCNT=1, P1='DSK-0925.water.intern' P2='' P3='' P4='' P5=''    SMS_AMT_OPERATION_MANAGER    28-10-2013 13:34:25    5268 (0x1494)
    CStateMsgReporter::DeliverMessages - Created state message file: C:\Program Files\Microsoft Configuration Manager\inboxes\auth\statesys.box\incoming\ikjsq3c0.SMX    SMS_AMT_OPERATION_MANAGER    28-10-2013 13:34:25    5268 (0x1494)
    >>>>>>>>>>>>>>>Provision task (In Band Provision) end<<<<<<<<<<<<<<<    SMS_AMT_OPERATION_MANAGER    28-10-2013 13:34:25    5268 (0x1494)
    Anyone has a good idea?
    Thanks in advance.
    Mark

    Hi Mark,
    I am experiencing the same issue you are, but only with one machine. I have over 1000 machines that have successfully provisioned, so it's a bit of a mystery at the moment.
    I have confirmed that my failing machine does have an OTP in the SCCM database by running the following query:
    select MachineID ,OTP from dbo.AMT_MachineProperties where HostName = '<machine name>'
    This shows an OTP for each machine, but I'm still having trouble with this one. Did you ever find a solution?
    Thanks,
    Russel

  • Out-of-Band SMASH Library Event ID 4509 (SCOM 2012SP1UR3)

    Hi!
    I'm using the "Microsoft System Center Out-of-Band SMASH Library" 7.0.8707.0 found here:
    http://blogs.technet.com/b/momteam/archive/2012/04/02/ws-management-smash-device-discovery-template-released.aspx
    It is a requirement for some of Dell's MPs.
    After creating a working (as it seems) discovery with the template, Event ID 4509 is logged at irregular intervals:
    The constructor for the managed module type "Microsoft.EnterpriseManagement.Mom.DatabaseQueryModules.GroupCalculationModule" threw an exception. This module was running in rule "Microsoft.SystemCenter.OOB.2cf63b4c061f4a67bac712ed75a57916.PoolManagesSMASHDevice.Discovery" running for instance "Network Monitoring Resource Pool" with id:"{E9178425-9B5C-85C1-E1DF-7E440E2E9FBF}" in management group "OMGROUP".
    The id "e9178425-9b5c-85c1-e1df-7e440e2e9fbf" is the "Network Monitoring Resource Pool", which is also the pool chosen for the discovery.
    I've also noticed that the initial discovery is carried out by the "All Management Servers Resource Pool", but then monitoring seems to be done by the "Network Monitoring Resource Pool", but I don't know if that is important.
    I don't know what problems can arise from this error, but it's disturbing.
    Anyone else using this feature and seen or not seen the same?
    Regards
    Peter

    To fix your issue, refer to below link
    http://www.briandeyo.us/brd/wp/index.php/2009/10/08/operations-manager-not-sending-email-after-im-notification-settings-changed-event-id-4509
    Please remember, if you see a post that helped you please click "Vote As Helpful" and if it answered your question, please click "Mark As Answer".

  • Cisco VM server based ISE deployment in out of Band

    Hi,
    Can anyone please share the link to the configuration guide for VM-based Cisco ISE in the out of band deployment model?
    Regards,
    Awais
