NAC Server Fallback Feature and OOB Deployment

Similar Messages

• NAC - Global Device Filter in OOB deployment

  Hi,
  Some help would be appriciated. I'm trying to bypass authentication/posture assessment for a printer in an OOB NAC deployment (CAM/CAS Version 4.9.0
  I added the device MAC address in the global device filter, with the ALLOW access type set.
  "Change VLAN according to global device filter list" option is checked in the port profile set on the corresponding switch port.
  However, the device ends up in the Auth VLAN every time...
  What am I missing?

  Hi Tarik,
  Yes, the port is managed and a test profile named 'Printer_test' is currently assigned to the port.
  Here is what I see in the nac manager.log file (level set to debug) after the port comes up:
  2012-01-24 14:41:08.219 +0100   DefaultUDPTransportMapping_0.0.0.0/162 DEBUG com.perfigo.wlan.web.sms.SnmpTrapListener          - Received trap event SwitchTrapEvent [type=LINK_UP switch_ip=10.1.0.32 mac=null port=10035 dot1dBasePort=0 vlan=0]
  2012-01-24 14:41:08.219 +0100   DefaultUDPTransportMapping_0.0.0.0/162 DEBUG com.perfigo.wlan.web.sms.SnmpRunnable              - SnmpRunnable com.perfigo.wlan.web.sms.task.SwitchNotificationTask id=5091348 is created: SwitchTrapEvent [type=LINK_UP switch_ip=10.1.0.32 mac=null port=10035 dot1dBasePort=0 vlan=0]
  2012-01-24 14:41:08.219 +0100   DefaultUDPTransportMapping_0.0.0.0/162 DEBUG com.perfigo.wlan.web.sms.SnmpManager               - Task from device 10.1.0.32 submitted with task id 5091348
  2012-01-24 14:41:08.219 +0100   pool-3-thread-16 DEBUG com.perfigo.wlan.web.sms.SnmpRunnable              - SnmpRunnable com.perfigo.wlan.web.sms.task.SwitchNotificationTask id=5091348 starts run() after 0ms.
  2012-01-24 14:41:08.219 +0100   pool-3-thread-16 DEBUG com.perfigo.wlan.web.sms.SnmpRunnable              - Resolved PortProfile Switch Port Profile [ id=4 name='Printer_test' type='normal' auth_vlan=100 access_vlan=15 idle_vlan=-1 attributes=635 vlan_profile_id=0 description='' reserved='' ] from event SwitchTrapEvent [type=LINK_UP switch_ip=10.1.0.32 mac=null port=10035 dot1dBasePort=0 vlan=0]
  2012-01-24 14:41:08.220 +0100   pool-3-thread-16 INFO  com.perfigo.wlan.web.sms.SnmpRunnable              - Received SNMP LINK_UP trap, but switch 10.1.0.32 is not using LINK_UP  for task 5091348
  2012-01-24 14:41:08.220 +0100   pool-3-thread-16 DEBUG com.perfigo.wlan.web.sms.SnmpRunnable              - Trap does not need to processed: SwitchTrapEvent [type=LINK_UP switch_ip=10.1.0.32 mac=null port=10035 dot1dBasePort=0 vlan=0] for task 5091348
  2012-01-24 14:41:08.220 +0100   pool-3-thread-16 DEBUG com.perfigo.wlan.web.sms.SnmpRunnable              - SnmpRunnable com.perfigo.wlan.web.sms.task.SwitchNotificationTask id=5091348 ends run() after 1ms.
  2012-01-24 14:41:08.220 +0100   pool-3-thread-16 DEBUG com.perfigo.wlan.web.sms.SnmpRunnable              - SnmpRunnable com.perfigo.wlan.web.sms.task.SwitchNotificationTask id=5091348 finishes after 1ms.

• Questions in regards to server 2012R2 Remote desktop Service deployment and GPO

  Hi Everyone
  We have a business requirement moving to 2012R2 RDSH server. I have installed a 2012R2 member servers and enabled Remote desktop licensing role. I have activated the licenses. the servers is in operational
  I have deployed 3 windows 2012R2 member server "RDS1" , "RDS2" and "RDS3".
  on RDS1 I ran Add roles and Feature Wizard > Remote Desktop Services installation > Quick Start >Session based desktop deployment to complete the installation.
  On RDS1 Server Manage Dashboard Page Select Remote Desktop Services > Overview. Under RD Licensing I added my 2012R2 license server "2012r2-tslic". Go to task. Edit deployment properties RD license mode to per device and click OK.
  Reboot RDS1
  Check RD Licensing Diagnoser everything is clear
  On RDS2 I did the exact same thing ran Add roles and Feature Wizard > Remote Desktop Services installation > Quick Start >Session based desktop deployment to complete the installation. 
  But With RDS2 I move this server to an OU that link to a GPO with RD licensing details. after reboot the servers check RD Licensing Diagnoser I can see 2012r2-tslic specified as the license servers.  
  Based on this document
  http://blogs.technet.com/b/askperf/archive/2013/09/20/rd-licensing-configuration-on-windows-server-2012.aspx  Are you suppose to configure RD license server via Remote desktop Service deployment ? Not GPO ?
  Here are my questions
  We currently have ten 2008r2 terminal servers in a NLB cluster. each RDSH server have in house application installed on each one of them. User connect to the 2008R2 RDSH servers via RDP connection. we have a restricted GPO apply to those
  RDSH servers. user cannot do anything on RDSH servers apart from running the application and use excel.  On the remote desktop session host configuration we have enable settings like end a disconnected session , Active session limit  ,
  remote control users session , LPT port redirection.
  We push out RD license server detail via GPO to the terminal servers
  Can I use our existing GPO apply the licensing server settings , desktop restriction setting to the 2012R2 RDHS servers or we should be using Remote desktop Service deployment to do the job ? If that is the case how would you transfer the
  current 2008r2 environment to 2012 using Remote desktop Service deployment. is that mean I have to manually configure 1 by 1.
  Please help
  Many thanks

  Hi,
  Please see my response to you in the other thread.  Please contact me via email and I will go over the basic planning and deployment steps with you which will help clear things up and get you started off on the right foot.
  You should only run through the wizard and create a RDS deployment once.  Then you add the various servers (RDSH, RD Licensing, RD Gateway, etc), set Deployment properties, etc.
  Thanks.
  -TP

• NAC Server still in "Fallback: Allow All" state

  Hi Guys,
  i have a strange behaviour under my NAC Server.
  Today I saw that my NAC Server is in Fallback: Allow All state and the CAM is in Manager: DEAD but
  in the CAM web administration i can access that CAS.
  The CAS can ping the CAM too.
  there are two things that were changed in the last month.
  The CAM was moved to other city and they are using a 2MB link connection between them.
  The IP Address of the CAM was changed.
  I've checked my link connection between them because my CAM is in a different city  of the CAS but my link is in 50% load.
  Does anyone know any possibilitie to solve this?

  Hi,
  Are you using ip based certs or domain name? Also make sure when you do an nslookup that the CAS is able to resolve the ip address of the CAM. Also check your firewall and make sure that you are allowing all ip traffic between the CAS and the CAM.
  Also check yoru certs on the CAM and make sure that they havent expired. Are you using a standalone CAM and CAS setup are are they in failover configuration?
  Thanks,
  Tarik

• Difference between NAC profiler/collector and NAC server

  Hi,
  could anyone tell me the difference between NAC collector and NAC server?
  Thank you very much.
  Best regards.
  Giuseppe

  Sorry edunn, but your description of the NAC Collector is not particularly helpful. If I may:
  The NAC Profiler/collector is OEM'd from Great Bay Software. It performs automatic whitelisting of agentless devices, like IP phones and PBXs, printers, etc. In a NAC deployment without the profiler you'd have to go in to the NAC Server and manually enter the MAC addresses and/or IP addresses of devices that should bypass authentication and/or posture assessment. In a small environment that's not a big deal, but with multiple offices and/or subnets (with lots of phones or printers) this can be a hassle. Its also a big risk: If I know you're whitelisting by mac/IP I'll just go to a printer, print out its config page, set my NIC to have the same settings, and boom - I've just bypassed your $$ NAC solution, thankyouverymuch.
  The nice thing about the NAC profiler is that its -not- static: every time a switchport goes up/down, or a new MAC address is detected, an SNMP trap gets sent to the profiler. You can also forward (via ip-helper) all DHCP requests to the profiler (it doesn't respond or issue an IP address, of course, but it does look at what options you requested.) It will look at the MAC vendor address, IP address, DHCP options, network traffic (via Netflow), SPAN port traffic, has an open port (eg. 9100 or 515 for printing) or a combination of the above, and dynamically whitelist agentless devices based on confidence level.
  Its sort of like a reverse Turing test: if a device says its 'dumb' (no agent) AND acts the way its supposed to, it gets whitelisted. But if the Profiler starts seeing a supposed printer surf the Internet (or start receiving traffic on a port it should, or whatever), then it dynamically removes it from the whitelist, and now it will need to authenticate and pass posture.
  You can define different profile groups and what parameters are required for each, and set which groups get whitelisted.
  So basically the NAC Server is the gatekeeper, the NAC Manager is the global policy manager, and the NAC Profiler is the automatic whitelister.

• Referencing EJB on remote server AND using deployment descriptor

  We're using Weblogic 6.1sp2 under Windows 2000.
  We have a web application on server A and several EJBs running on server B -
  some of these may in the future be moved to different servers.
  We would like to ensure that this only requires reconfiguring the deployment
  descriptors.
  In our web app, we access the EJB's like this:
  AccountHome accHome = (AccountHome) (new
  InitialContext()).lookup("java:comp/env/ejb/AccountHome")
  - we then map ejb/AccountHome to the JNDI name in the weblogic.xml file in
  the web app - the JNDI name will usually (but not always) be the class name
  of the implementing class, e.g. system.billing.accounting.AccountHome
  However, to make this work when the EJB is on server B, we must put a
  jndi.properties file in the server A classpath containing
  java.naming.provider.url=t3://server_b:7001/
  to point to server B.
  Now, this makes ALL JNDI lookups on server A go to server B - this is not
  what we want. Especially not in the case where some EJB's move to server C -
  B and C may be in separate clusters and will not be clustering the JNDI
  tree. Also, other web applications on the server will need to go to
  different servers.
  Alternatively, we could specify a property set in the InitialContext
  constructor with a provider url. But in that case, the mapping from
  web.xml/weblogic.xml is apparently not applied - or rather, if we look up
  "java:comp/env/ejb/AccountHome", weblogic maps it to
  "system.billing.accounting.AccountHome" and then tries to look it up on the
  local machine, server A.
  If we look up "system.billing.accounting.AccountHome", it does correctly
  look it up on the server specified in the provider url and finds the entry.
  However, this would mean that we would have to specify the exact jndi name.
  In addition, we would have to hard-code the server name for each lookup.
  An alternative would be to "copy" the JNDI entries from server B to server A
  (or to some other shared, global JNDI registry). But these would need to be
  kept in sync - especially since server B is really a cluster, where
  different servers may come online at different times and register their EJBs
  as clusterable, so the stubs would need to be continously updated.
  My best idea is to bypass the whole web.xml/weblogic.xml mapping scheme and
  just add our own config file with stuff like
  <mappings>
  <map entry="java:comp/env/ejb/AccountHome">
  <jndi-properties>
  java.naming.provider.url=t3://server_b:7001/
  java.naming.security.principal=jndiuser
  java.naming.security.credentials=mysecretpassword
  </jndi.properties>
  <jndi-name>sysmte.billing.accounting.AccountHome</jndi-name>
  </map>
  </mappings>
  We then need to wrap all the lookups in our own lookup mechanism which first
  checks the config file to find any mappings.
  However, this seems like reinventing the wheel and will also confuse most
  deployment tools etc.
  Does anybody have any suggestions where we
  1. Don't put a jndi.properties file in the server classpath
  2. Lookup ejb's using "java:comp/env/ejb/SomeEJB" - not the JNDI name.
  3. Don't hardcode the server names in the application - but potentially
  in the deployment descriptor.
  4. Can look up different EJB's on different machines
  Niels Harremoës

  There is an article on dev2dev that may explain what you are seeing...
  http://dev2dev.bea.com/articlesnews/discussion/thread.jsp?thread=142
  HTH
  dwfa
  "Niels Ull Harremoës" <[email protected]> wrote in message
  news:[email protected]...
  It turns out that we can make it work by entering the url of the server in
  the weblogic.xml entry - e.g. instead of having
  <reference-descriptor>
  <ejb-reference-description>
  <ejb-ref-name>ejb/AccountHome</ejb-ref-name>
  <jndi-name>system.billing.accounting.AccountHome</jndi-name>
  </ejb-reference-description>
  </reference-descriptor>
  we enter
  <reference-descriptor>
  <ejb-reference-description>
  <ejb-ref-name>ejb/AccountHome</ejb-ref-name>
  <jndi-name>t3://server_b:7001/system.billing.accounting.AccountHome</jndi-na
  me>
  </ejb-reference-description>
  </reference-descriptor>
  However, we are unsure on whether this will establish a new JNDIconnection
  to server_b on every lookup? And it's not documented anywhere?
  Does anybody have any other suggestions?
  "Niels Ull Harremoës" <[email protected]> wrote in message
  news:[email protected]...
  We're using Weblogic 6.1sp2 under Windows 2000.
  We have a web application on server A and several EJBs running on serverB -
  some of these may in the future be moved to different servers.
  We would like to ensure that this only requires reconfiguring thedeployment
  descriptors.
  In our web app, we access the EJB's like this:
  AccountHome accHome = (AccountHome) (new
  InitialContext()).lookup("java:comp/env/ejb/AccountHome")
  - we then map ejb/AccountHome to the JNDI name in the weblogic.xml file
  in
  the web app - the JNDI name will usually (but not always) be the classname
  of the implementing class, e.g. system.billing.accounting.AccountHome
  However, to make this work when the EJB is on server B, we must put a
  jndi.properties file in the server A classpath containing
  java.naming.provider.url=t3://server_b:7001/
  to point to server B.
  Now, this makes ALL JNDI lookups on server A go to server B - this is
  not
  what we want. Especially not in the case where some EJB's move to serverC -
  B and C may be in separate clusters and will not be clustering the JNDI
  tree. Also, other web applications on the server will need to go to
  different servers.
  Alternatively, we could specify a property set in the InitialContext
  constructor with a provider url. But in that case, the mapping from
  web.xml/weblogic.xml is apparently not applied - or rather, if we look
  up
  "java:comp/env/ejb/AccountHome", weblogic maps it to
  "system.billing.accounting.AccountHome" and then tries to look it up onthe
  local machine, server A.
  If we look up "system.billing.accounting.AccountHome", it does correctly
  look it up on the server specified in the provider url and finds theentry.
  However, this would mean that we would have to specify the exact jndiname.
  In addition, we would have to hard-code the server name for each lookup.
  An alternative would be to "copy" the JNDI entries from server B to
  server
  A
  (or to some other shared, global JNDI registry). But these would need tobe
  kept in sync - especially since server B is really a cluster, where
  different servers may come online at different times and register theirEJBs
  as clusterable, so the stubs would need to be continously updated.
  My best idea is to bypass the whole web.xml/weblogic.xml mapping schemeand
  just add our own config file with stuff like
  <mappings>
  <map entry="java:comp/env/ejb/AccountHome">
  <jndi-properties>
  java.naming.provider.url=t3://server_b:7001/
  java.naming.security.principal=jndiuser
  java.naming.security.credentials=mysecretpassword
  </jndi.properties>
  <jndi-name>sysmte.billing.accounting.AccountHome</jndi-name>
  </map>
  </mappings>
  We then need to wrap all the lookups in our own lookup mechanism whichfirst
  checks the config file to find any mappings.
  However, this seems like reinventing the wheel and will also confuse
  most
  deployment tools etc.
  Does anybody have any suggestions where we
  1. Don't put a jndi.properties file in the server classpath
  2. Lookup ejb's using "java:comp/env/ejb/SomeEJB" - not the JNDIname.
  3. Don't hardcode the server names in the application - butpotentially
  in the deployment descriptor.
  4. Can look up different EJB's on different machines
  Niels Harremoës

• NAC Server and NAC Manager installation

  Hi experts,
  When I've tried adding NAC Server to NAC Manager in CAM web management, it prompts: Failed to add server: Could not connect to 10.130.80.81
  Is there anything I can do for solving this?
  I'm new for NAC Manager and Server installation.
  The version using is 4.8.2
  BTW, I don't know how to generate SSL certificates (not temporarily) for installation, can anyone help also?
  Thanks in advance!
  Regards,
  Daniel

  Hi Daniel,
  this is related to the certificate issue.
  just generate temp certificate in NAM and NAS.
  Export the certificate along with key and store it in different location.
  then in SSL option there is trusted certificate authority
  load NAS certificate in NAM and NAM certificate in NAS. then try to configure or add NAS to NAM.
  it will work.

• Just FYI, Windows Server 2012 R2 and Windows Server 2012 BranchCache Deployment Guide in Word format in the TechNet Gallery

  The Windows Server 2012 R2 and Windows Server 2012 BranchCache Deployment Guide is now available for download in Word format in the TechNet Gallery at
  http://bit.ly/1pYZT3F
  Thanks -
  James McIllece

  hello again,
  meanwhile I was lucky to find this article about Idenity Mapping in TechNet in the Storage Team Blog:
  http://blogs.technet.com/b/filecab/archive/2012/10/09/nfs-identity-mapping-in-windows-server-2012.aspx
  Likely to be overseen at the end of one paragraph it says:
  "Client for NFS does not support NFS V4.1 in Windows 8 or Windows Server 2012"
  Question : Is this an official statement and is it still valid with most recent
  Windows Server 2012 R2 that NFS client does NOT support NFSv4.x  ??
  thanks - Rainer

• L3 OOB NAC Server loadbalanced by ACE

  Hi is there any documentation or information on NAC server loadbalance by cisco ACE? I want to know typically how is the setup like and what is the traffic flow? is there a way to configure NAC clients to talk to the NAC directly after being loadbalanced by the ACE? meaning traffic flow going
  users>ACE>NAC Server Untrusted interface>user <---- during authentication
  instead of
  user>ACE>NAC Server Untrusted interface>ACE>user.

  Adrian,
  I've seem some internal documents on this. Please ping your account team and they can possibly help you out with the design for this.
  HTH,
  Faisal

• Three NAC server deployment

  Hello guys,
  Could you suggest a workaround to bypass the HA limitation of only two NAC servers. 
  The problem is we already had two NAC guest servers in active/active mode but now we have a third one at a new branch, which would need to share the same user DB.
  Is there a way to replicate the data from the cluster to this remote NAC server?
  The idea is achieving a scenario like working with multiple ACS servers distribuited worldwide and sharing the same user data.
  Thanks,
  Lucas

  Hi,
  Assuming the CAM has failed, the CAS would allow all traffic from the AUTH VLAN to the ACCESS VLAN. Since the CAM has failed, the switchports which are not in the AUTH VLAN would behave per the rules/ACLs on the VLAN they're in and won't get flipped over.
  HTH,
  Faisal

• Cisco Identity Services Engine (ISE) Version 1.2: What's New in Features and Troubleshooting Options

  With Ali Mohammed
  Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about what’s new in Cisco Identity Services Engine (ISE) Version 1.2 and to understand the new features and enhanced troubleshooting options with Cisco expert Ali Mohammed.
  Cisco ISE can be deployed as an appliance or virtual machine to enforce security policy on all devices that attempt to gain access to network infrastructure. ISE 1.2 provides feature enrichment in terms of mobile device management, BYOD enhancements, and so on. It also performs noise suppression in log collection so customers have greater ability to store and analyze logs for a longer period.
  Ali Mohammed is an escalation engineer with the Security Access and Mobility Product Group (SAMPG), providing support to all Cisco NAC and Cisco ISE installed base. Ali works on complicated recreations of customer issues and helps customers in resolving configuration, deployment, setup, and integration issues involving Cisco NAC and Cisco ISE products. Ali works on enhancing tools available in ISE/NAC that are required to help troubleshoot the product setup in customer environments. Ali has six and a half years of experience at Cisco and is CCIE certified in security (number 24130).
  Remember to use the rating system to let Ali know if you have received an adequate response.
  Because of the volume expected during this event, Ali might not be able to answer each question. Remember that you can continue the conversation on the Security community, sub-community shortly after the event. This event lasts through September 6, 2013. Visit this forum often to view responses to your questions and the questions of other community members.

  Hi Ali,
  We currently have a two-node deployment running 1.1.3.124, as depicted in diagram:
  http://www.cisco.com/en/US/docs/security/ise/1.2/upgrade_guide/b_ise_upgrade_guide_chapter_010.html#ID89
  Question 1:
  After step 1 is done, node B becomes the new primary node.
  What's the license impact at that stage, when the license is mainly tied to node A, the previous primary PAN?
  Step 3 says to obtain a new license that's tied to both node A & node B, as if it's implying an issue would arise, if we leave node B as the primary PAN, instead of reverting back to node A.
  =========
  Question 2:
  When step 1 is completed, node B runs 1.2, while node A runs 1.1.3.124.
  Do both nodes still function as PSN nodes, and can service end users at that point? (before we proceed to step 2)
  Both nodes are behind our ACE load balancer, and I'm trying to confirm the behavior during the upgrade, to determine when to take each node out of the load balancing serverfarm, to keep the service up and avoid an outage.
  ===========
  Question 3:
  According to the upgrade guide, we're supposed to perform a config backup from PAN & MnT nodes.
  Is the config backup used only when we need to rollback from 1.2 to 1.1.3, or can it be used to restore config on 1.2?
  It also says to record customizations & alert settings because after  the upgrade to 1.2, these settings would change, and we would need to  re-configure them.
  Is this correct? That's a lot of screen shots we'll need to take; is there any way to avoid this?
  It says: "
  Disable services such as Guest, Profiler, Device Onboarding, and so on before upgrade and enable them after upgrade. Otherwise, you must add the guest users who are lost, and devices must be profiled and onboarded again."
  Exactly how do you disable services? Disable all the authorization policies?
  http://www.cisco.com/en/US/docs/security/ise/1.2/upgrade_guide/b_ise_upgrade_guide_chapter_01.html#reference_4EFE5E15B9854A648C9EF18D492B9105
  ==================
  Question 4:
  The 1.1 user guide says the maximum number of nodes in a node group was 4.
  The 1.2 guide now says the maximum is 10.
  Is there a hard limit on how many nodes can be in a node group?
  We currently don't use node group, due to the lack of multicast support on the ACE-20.
  Is it a big deal not to have one?
  http://www.cisco.com/en/US/customer/docs/security/ise/1.2/user_guide/ise_dis_deploy.html#wp1230118
  thanks,
  Kevin

• Trying to install features and Roles

  OK I've selected my features and Roles. When I run the install from a PXE boot using the Lite Touch Windows PE (x64). The OS installs and reboots and then attempt to run the roles and features install, at which point it dies and return the summary screen
  showing errors. These error are listed below from the ZTIOSRoles log. Close to the bottom of this transaction list is the following.
  <![LOG[Copying source files locally from
  \\WIN-DEPLOY-SRV\DeploymentShare$\Operating Systems\Windows Server 2012 R2 SERVERSTANDARDCORE x64\sources\sxs]LOG]!><time="12:46:55.000+000" date="11-08-2013" component="ZTIOSRole" context="" type="1"
  thread="" file="ZTIOSRole">
  I am able to browse to the share and dig down to the directory. I guess at this point my questions are.
  1. Why is it looking to something on the deploymentshare when the fuctionallity is built into windows itself?
  2. What component is ZTIOSRole and how do I find out what it is really looking for?
  Note: This is a 2012 R2 Server and I'm trying to install ... And it fails at the First Role
  File and Storage Services
  ---- File Services
  --------File Server
  --------Data DeDuplication
  Hyper-v
  Role Administration
  ---- Hyper-v Management Tools
  -------- Hyper-v GUI Management Tools
  -------- Hyper-v Module for Windows Powershell
  Windows Server Backup
  Can someone please help
  <![LOG[Microsoft Deployment Toolkit version: 6.2.5019.0]LOG]!><time="12:46:54.000+000" date="11-08-2013" component="ZTIOSRole" context="" type="1" thread="" file="ZTIOSRole">
  <![LOG[The task sequencer log is located at C:\Users\ADMINI~1\AppData\Local\Temp\SMSTSLog\SMSTS.LOG.  For task sequence failures, please consult this log.]LOG]!><time="12:46:54.000+000" date="11-08-2013" component="ZTIOSRole"
  context="" type="1" thread="" file="ZTIOSRole">
  <![LOG[Roles will be installed.]LOG]!><time="12:46:54.000+000" date="11-08-2013" component="ZTIOSRole" context="" type="1" thread="" file="ZTIOSRole">
  <![LOG[Roles specified in Role:]LOG]!><time="12:46:54.000+000" date="11-08-2013" component="ZTIOSRole" context="" type="1" thread="" file="ZTIOSRole">
  <![LOG[  FileAndStorage-Services]LOG]!><time="12:46:54.000+000" date="11-08-2013" component="ZTIOSRole" context="" type="1" thread="" file="ZTIOSRole">
  <![LOG[  Hyper-V]LOG]!><time="12:46:54.000+000" date="11-08-2013" component="ZTIOSRole" context="" type="1" thread="" file="ZTIOSRole">
  <![LOG[RoleServices specified in RoleService:]LOG]!><time="12:46:54.000+000" date="11-08-2013" component="ZTIOSRole" context="" type="1" thread="" file="ZTIOSRole">
  <![LOG[  File-Services]LOG]!><time="12:46:54.000+000" date="11-08-2013" component="ZTIOSRole" context="" type="1" thread="" file="ZTIOSRole">
  <![LOG[  FS-FileServer]LOG]!><time="12:46:54.000+000" date="11-08-2013" component="ZTIOSRole" context="" type="1" thread="" file="ZTIOSRole">
  <![LOG[  FS-Data-Deduplication]LOG]!><time="12:46:54.000+000" date="11-08-2013" component="ZTIOSRole" context="" type="1" thread="" file="ZTIOSRole">
  <![LOG[Features specified in Feature:]LOG]!><time="12:46:54.000+000" date="11-08-2013" component="ZTIOSRole" context="" type="1" thread="" file="ZTIOSRole">
  <![LOG[  RSAT-Role-Tools]LOG]!><time="12:46:54.000+000" date="11-08-2013" component="ZTIOSRole" context="" type="1" thread="" file="ZTIOSRole">
  <![LOG[  RSAT-AD-Tools]LOG]!><time="12:46:54.000+000" date="11-08-2013" component="ZTIOSRole" context="" type="1" thread="" file="ZTIOSRole">
  <![LOG[  RSAT-Hyper-V-Tools]LOG]!><time="12:46:54.000+000" date="11-08-2013" component="ZTIOSRole" context="" type="1" thread="" file="ZTIOSRole">
  <![LOG[  Hyper-V-Tools]LOG]!><time="12:46:54.000+000" date="11-08-2013" component="ZTIOSRole" context="" type="1" thread="" file="ZTIOSRole">
  <![LOG[  Hyper-V-PowerShell]LOG]!><time="12:46:54.000+000" date="11-08-2013" component="ZTIOSRole" context="" type="1" thread="" file="ZTIOSRole">
  <![LOG[  Windows-Server-Backup]LOG]!><time="12:46:54.000+000" date="11-08-2013" component="ZTIOSRole" context="" type="1" thread="" file="ZTIOSRole">
  <![LOG[No items were specified in variable OptionalOSRoles.]LOG]!><time="12:46:54.000+000" date="11-08-2013" component="ZTIOSRole" context="" type="1" thread="" file="ZTIOSRole">
  <![LOG[No items were specified in variable OptionalOSRoleServices.]LOG]!><time="12:46:54.000+000" date="11-08-2013" component="ZTIOSRole" context="" type="1" thread="" file="ZTIOSRole">
  <![LOG[No items were specified in variable OptionalOSFeatures.]LOG]!><time="12:46:54.000+000" date="11-08-2013" component="ZTIOSRole" context="" type="1" thread="" file="ZTIOSRole">
  <![LOG[ZTI Heartbeat: Processing roles (0% complete]LOG]!><time="12:46:54.000+000" date="11-08-2013" component="ZTIOSRole" context="" type="1" thread="" file="ZTIOSRole">
  <![LOG[Event 41003 sent: ZTI Heartbeat: Processing roles (0% complete]LOG]!><time="12:46:54.000+000" date="11-08-2013" component="ZTIOSRole" context="" type="1" thread="" file="ZTIOSRole">
  <![LOG[Property Parameters is now = -FeatureName FileAndStorage-Services]LOG]!><time="12:46:54.000+000" date="11-08-2013" component="ZTIOSRole" context="" type="1" thread="" file="ZTIOSRole">
  <![LOG[Validating connection to
  \\WIN-DEPLOY-SRV\DeploymentShare$\Operating Systems\Windows Server 2012 R2 SERVERSTANDARDCORE x64]LOG]!><time="12:46:54.000+000" date="11-08-2013" component="ZTIOSRole" context="" type="1" thread=""
  file="ZTIOSRole">
  <![LOG[Mapping server share:
  \\WIN-DEPLOY-SRV\DeploymentShare$\Operating Systems\Windows Server 2012 R2 SERVERSTANDARDCORE x64\sources\sxs]LOG]!><time="12:46:55.000+000" date="11-08-2013" component="ZTIOSRole" context="" type="1"
  thread="" file="ZTIOSRole">
  <![LOG[ZTI ERROR - Unhandled error returned by ZTIOSRole: Path not found (76)]LOG]!><time="12:47:00.000+000" date="11-08-2013" component="ZTIOSRole" context="" type="3" thread="" file="ZTIOSRole">
  <![LOG[Event 41002 sent: ZTI ERROR - Unhandled error returned by ZTIOSRole: Path not found (76)]LOG]!><time="12:47:00.000+000" date="11-08-2013" component="ZTIOSRole" context="" type="1" thread=""
  file="ZTIOSRole">

  OK I've selected my features and Roles. When I run the install from a PXE boot using the Lite Touch I am able to browse to the share and dig down to the directory. I guess at this point my questions are.
  1. Why is it looking to something on the deploymentshare when the fuctionallity is built into windows itself?
  I think you are incorrect in stating that all functionality is built into Windows. Windows may require the sxs directory contents to install some OS Roles and Features. Does this directory exist in your Deployment Share, and if so does it contain all the files
  synced with your original OS source?
  Keith Garner - keithga.wordpress.com

• Windows Server 2008 x64 and Crystal Reports Server Embedded

  We're attempting to certify our software with Windows Server 2008 x64 and want to know the best way to configure both the server and client of Crystal Reports Server Embedded.  Currently, our software is certified against Windows Server 2003 x86, and we install Crystal Reports Server Embedded XI Release 2 (no SP) on the application server, and we deploy the Crystal Reports .NET merge modules for XI Release 2 (no SP) on any client machines.
  I believe I am correct in stating that no version of Crystal Reports Server Embedded officially supports Windows Server 2008 x64 (based on some other forum postings) until SP1 comes out (which I don't think has happened at this point).  If that is true, we can live with installing the RAS on a separate Windows Server 2003 x64, if that's even possible.  With that said, can we even get our Windows Server 2008 x64 running with the latest Crystal Reports 2008 .NET merge modules?  We've tried many different configurations between CR XI R2 SPs and CR 2008 for both client and server and have very little luck (either it won't install correctly because of x64 or missing .cabs, etc.) on both the client and server side of things.
  Can someone suggest the optimal configuration when Windows Server 2008 x64 is in the mix, noting that we can use a secondary Windows Server 2003 (x64 preferred but can fallback to x86)?  Or do we have to wait for Crystal Reports Server Embedded 2008 SP1 to be released, and if so, does anyone know of the date?
  Thanks,
  Ross Beehler

  CRSE 2008 is a 32 bit app, it works on 64 bit OS's but all parts must also be running in 32 bit mode.

• NAC for wireless layer 3 oob

  Hi,
  Anyone implemented nac for wireless layer 3 oob? This is using nac appliance not ise.
  What I did is to configure wlc as per layer 2 oob setup. Configure svi 669 (authentication/quarantine vlan) on switches that’s with the wism. Pbr all vlan 669 traffic to test cas untrusted interface.
  Problem now I’m not able to get an ip from dhcp after associating. DHCP works when tested on wired. Is there any additional config to be done on WLC or am i doing it right??
  The test cas/cam are ugraded to ver 4.8.2.
  Regards
  Joachim

  Everyone can do a mistake and it seems I did a big one :-)
  l3 wireless OOB was not supported until last version :
  §Wireless L3 OOB RIP has been introduced in 4.8.2.
  §In order to support wireless in L3 OOB RIP deployment – DHCP release and renew values were propagated from CAS to the client so that client can perform IP refresh.
  §The configuration of WLC and AP’s needs to be done like in Wireless L2 OOB VGW deployments.
  §There are no ports in WLC hence Port profile is not required
  §WLC allows only two VLAN’s namely Quarantine (Auth) and Access VLAN’s. Hence the support for User role Vlans is not there in Wireless deployments.
  §iPhone/iPad support is also not present. Reason being IP address cannot be refreshed in iPhone/iPad due to lack of support for Java Applet/ActiveX.
  §The authentication trap control needs to be checked in order for the WLC to send 599.0.4 trap.

• Oracle forms and reports deployment

  hi,
  i am new to oracle application server i am testing oracle forms and reports deployment, please let me know what part of application server i need to be install for deployment of forms and reports.
  only Forms & Reports Services will be fine ?
  regards,
  Nikunj

  only Forms & Reports Services will be fine ?If you only need Forms and Reports, then yes, you can install the standalone version Forms and Reports services, which does not have infrastructure and is much lighter.
  Of course, in this case, you can't use features that require infrastructure, like Internet Directory, Single Sign On, Portal, and so on.