Pptp + vpdn-group from radius

Similar Messages

• Vpdn-group configuration

  I am replacing a 2611 with a 2811, I am copying the setups from the old router, I have a question about the following.. on the old router there was no line in my config for l2tp - I do not seem to be able to find any configuration options for it - I don't nec want to get rid of it but want to mainly know how to config it and if the same options apply for pptp? I think I have gone into all of the listed options and put in "?" is l2tp missing from the help?
  vpdn-group 1
  ! Default PPTP VPDN group
  accept-dialin
  protocol pptp
  l2tp tunnel password 7

  Which IOS version are you using? , if you are using lower version, need to upgrade to version 12.4(6)
  Sample VPN group configuration:
  vpdn-group 2
  ! Default L2TP VPDN group
  description L2TP for Dial
  accept-dialin
  protocol l2tp
  virtual-template 2
  l2tp tunnel password xxxxx

• LNS to provide IP from Radius

  Hello:
  We currently use a 7301 router as an LNS and have it configured to use a local IP pool and dynamically assigns an IP address to connecting DSL modems.  We would like to start providing a static IP to a username that autheticates to a radius server. I was wondering what the LNS config should have to support receiving an IP address from the radius and not using the local pool on the router.  We want the LNS to take the IP address that radius would provide and send that to the dsl modem.
  If anyone could help with what config items are needed to support this I would appreciate it.  What we are seeing now is radius authenticates the user, sends the IP address in the FRAMED-IP but the LNS picks an IP address from the local pool and assigns it. Just wondering what we are missing here to make the 7301 assign the ip from radius.
  Thank you.
  aaa authentication ppp vpdn local group radius
  aaa authorization network vpdn group radius local
  aaa authorization configuration default group radius
  aaa accounting delay-start
  aaa accounting update periodic 5
  aaa accounting network default
  action-type start-stop
  group radius
  vpdn enable
  vpdn-group NAME-HERE
  ! Default L2TP VPDN group
  accept-dialin
    protocol l2tp
    virtual-template 1
  lcp renegotiation always
  l2tp tunnel password 7 XXXx
  l2tp tunnel framing capabilities all
  interface Virtual-Template1
  mtu 1492
  ip unnumbered Loopback0
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  ip tcp adjust-mss 1392
  timeout absolute 1440 0
  peer default ip address pool dslpool
  ppp mtu adaptive
  ppp authentication pap vpdn
  ppp timeout idle 597600
  ip local pool dslpool x.x.x.x y.y.y.y

  Thank you for the suggestion.  I added debug radius and this is what was returned.  instead of the user getting the IP y.y.y.20 the next available IP in the DHCP local pool y.y.y.13 is assigned to the user instead. 
  Any other suggestions now that you are looking at ths output?
  Tor1-LNS1#test aaa group radius [email protected] password2 new-code
  User successfully authenticated
  Sep  3 01:57:59.682: AAA/AUTHEN/LOGIN (00000000): Pick method list 'default'
  Sep  3 01:57:59.682: RADIUS/ENCODE(00000000):Orig. component type = INVALID
  Sep  3 01:57:59.682: RADIUS/ENCODE(00000000): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
  Sep  3 01:57:59.682: RADIUS(00000000): Config NAS IP: x.x.x.x
  Sep  3 01:57:59.682: RADIUS(00000000): sending
  Sep  3 01:57:59.682: RADIUS(00000000): Send Access-Request to x.x.x.x:1812 id 1645/49, len 65
  Sep  3 01:57:59.682: RADIUS:  authenticator 7E 70 CF 47 95 E5 89 1A - C3 10 3E 3E 18 9F 3B D2
  Sep  3 01:57:59.682: RADIUS:  User-Password       [2]   18  *
  Sep  3 01:57:59.682: RADIUS:  User-Name           [1]   21  "[email protected]"
  Sep  3 01:57:59.682: RADIUS:  NAS-IP-Address      [4]   6   y.y.y.y              
  Sep  3 01:57:59.710: RADIUS: Received from id 1645/49 x.x.x.x:1812, Access-Accept, len 68
  Sep  3 01:57:59.710: RADIUS:  authenticator AF CA 04 C3 A0 89 A5 69 - B7 33 6D A4 7E 56 B5 D9
  Sep  3 01:57:59.710: RADIUS:  Service-Type        [6]   6  
  Tor1-LNS1#Framed                    [2]
  Sep  3 01:57:59.710: RADIUS:  Idle-Timeout        [28]  6   86400                    
  Sep  3 01:57:59.710: RADIUS:  Framed-IP-Address   [8]   6   y.y.y.y.20             
  Sep  3 01:57:59.710: RADIUS:  Framed-IP-Netmask   [9]   6   255.255.255.255          
  Sep  3 01:57:59.710: RADIUS:  Framed-MTU          [12]  6   1500                     
  Sep  3 01:57:59.710: RADIUS:  Message-Authenticato[80]  18 
  Sep  3 01:57:59.710: RADIUS:   81 C4 3A 66 96 11 D3 E6 CF AD AF D2 A5 84 08 CA  [??:f????????????]
  Sep  3 01:57:59.710: RADIUS(00000000): Received from id 1645/49

• Assigning DNS addresses from Radius on LNS

  Hi we have a router which acts as an LNS and authenticates LT2P sessions via radius assigning each to a tunnel interface and giving it an IP address, we would also like to assign DNS settings via radius, we are using steel belted radius which is capable of doing this but we can't seem to get it to work.
  What I believe are relevant sections of the config are below;
  Any help greatly appreciated.
  Thanks
  Matt
  version 12.2
  aaa new-model
  aaa authentication login default line
  aaa authentication ppp default group radius
  aaa authorization network default group radius
  aaa session-id common
  ip name-server 4.2.2.2
  vpdn enable
  vpdn-group conn
  accept-dialin
  protocol l2tp
  virtual-template 1
  terminate-from hostname G20
  local name wllns
  l2tp tunnel password 7 050703062F4D4A064B
  vpdn-group test_G30
  accept-dialin
  protocol l2tp
  virtual-template 1
  terminate-from hostname G30
  local name wllns
  l2tp tunnel password 7 06115E3349420C0A161B420C5D076724762121302E120912
  vpdn-group test_G40
  accept-dialin
  protocol l2tp
  virtual-template 1
  terminate-from hostname G10
  local name wllns
  l2tp tunnel password 7 131246000E0001393828783464215E08440A135355595D50
  interface Virtual-Template1
  ip unnumbered FastEthernet0/0
  no ip route-cache
  peer default ip address pool mypool
  ppp authentication chap
  ip local pool mypool 172.20.0.1 172.20.30.254
  radius-server host 172.21.0.252 auth-port 1645 acct-port 1646
  radius-server key test
  radius-server authorization permit missing Service-Type
  call rsvp-sync
  end

  Hi Matt,
  Use the following Cisco AVP in Radreply.
  Cisco-AVPair+=ip:dns-servers=x.x.x.x
  HTH
  Hitesh Vinzoda
  Please rate useful posts.

• IP pool selection from RADIUS

  Hi,
  I'm trying to assign different ip addresses to each vpn client depending the group the belong to. To do so, I create three different pools locally to the router and configure the radius server to send the Cisco-AVPair=”ip:addr-pool=poolname”  attribute. The radius server is sending this attribute correctly but the router isn't using it. If I try with the Framed-IP-Address it works fine, but not for the pool.
  Here is the related router config:
  aaa new-model
  aaa authentication login RemoteUsers group radius
  aaa authorization network UsersGroup group radius
  aaa session-id common
  crypto isakmp policy 100
  encr aes 256
  authentication pre-share
  group 2
  crypto isakmp client configuration group Users
  key xxxx
  pool pool1
  acl UsersSplit
  crypto isakmp profile UsersProfile
     match identity group Users
     client authentication list RemoteUsers
     isakmp authorization list UsersGroup
     client configuration address respond
     virtual-template 1
  crypto ipsec transform-set Transf-Users esp-aes esp-sha-hmac
  mode transport
  crypto ipsec profile Prof-Users
  set transform-set Transf-Users
  set isakmp-profile UsersProfile
  ip local pool pool1 192.168.110.10 192.168.110.20
  ip local pool pool2 192.168.120.10 192.168.120.20
  ip local pool pool3 192.168.130.10 192.168.130.20
  Freeradius config:
  testuser Auth-Type := Local, User-Password == "testpass"
  Service-Type = Framed-User,
  Framed-Protocol = PPP,
  cisco-avpair = "ip:addr-pool=pool1",
  Without enabling authorization, testuser connects succesfully, but after I enable authorization to instruct the router to accept pool configuration, it automatically authenticate using the isakmp Users user, without asking for the real vpn testuser client and the connection fails.
  Is authorization essential? Using authentication I can assign ip addresses from Radius.
  I also used the Framed-IP-Pool value without success.
  What I'm missing?
  Thanks in advance.

  Hi Jatin,
  Thanks for your quick reply. Here is the new configuration and the debugs. I'm using IOS c890-universalk9-mz.152-1.T.bin and Cisco VPN client 5.0.07.0290 version.
  IOS Configuration with authorization and accounting enabled:
  aaa new-model
  aaa authentication login RemoteUsers group radius
  aaa authorization network UsersGroup group radius
  aaa accounting network default
  aaa session-id common
  IOS Debugs:
  Jun  4 21:20:46.133: AAA/BIND(00000010): Bind i/f
  Jun  4 21:20:46.149: AAA/AUTHOR (0x10): Pick method list 'UsersGroup'
  Jun  4 21:20:46.153: RADIUS/ENCODE(00000010):Orig. component type = VPN IPSEC
  Jun  4 21:20:46.153: RADIUS:  AAA Unsupported Attr: interface         [222] 11
  Jun  4 21:20:46.153: RADIUS:   31 30 2E 31 34 2E 31 34 2E         [ 10.14.14.]
  Jun  4 21:20:46.153: RADIUS(00000010): Config NAS IP: 0.0.0.0
  Jun  4 21:20:46.153: RADIUS(00000010): Config NAS IPv6: ::
  Jun  4 21:20:46.153: RADIUS/ENCODE(00000010): acct_session_id: 6
  Jun  4 21:20:46.153: RADIUS(00000010): sending
  Jun  4 21:20:46.153: RADIUS/ENCODE: Best Local IP-Address 10.14.14.30 for Radius-Server 10.14.14.17
  Jun  4 21:20:46.153: RADIUS(00000010): Send Access-Request to 10.14.14.17:1812 id 1645/4, len 98
  Jun  4 21:20:46.153: RADIUS:  authenticator 01 A1 34 BE 06 3D C2 C5 - 4F EE 98 D7 47 4D BF AB
  Jun  4 21:20:46.153: RADIUS:  User-Name           [1]   10  "Users"
  Jun  4 21:20:46.153: RADIUS:  User-Password       [2]   18  *
  Jun  4 21:20:46.153: RADIUS:  Calling-Station-Id  [31]  13  "10.14.14.17"
  Jun  4 21:20:46.153: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
  Jun  4 21:20:46.153: RADIUS:  NAS-Port            [5]   6   0
  ruc#
  Jun  4 21:20:46.153: RADIUS:  NAS-Port-Id         [87]  13  "10.14.14.30"
  Jun  4 21:20:46.153: RADIUS:  Service-Type        [6]   6   Outbound                  [5]
  Jun  4 21:20:46.153: RADIUS:  NAS-IP-Address      [4]   6   10.14.14.30
  Jun  4 21:20:46.153: RADIUS(00000010): Sending a IPv4 Radius Packet
  Jun  4 21:20:46.153: RADIUS(00000010): Started 5 sec timeout
  ruc#
  Jun  4 21:20:48.205: RADIUS: Received from id 1645/4 10.14.14.17:1812, Access-Reject, len 20
  Jun  4 21:20:48.205: RADIUS:  authenticator 2A B6 91 42 DF 70 2B 89 - AF D5 59 82 31 3B EA 53
  Jun  4 21:20:48.205: RADIUS(00000010): Received from id 1645/4
  As you can see, the router authenticates automatically using the Users user configured under at the isakmp client configuration group. The VPN client software does not prompt for the real user account and fails. Why the router is not asking for the user? I was expecting the router performs authentication first and authorization later. Take a look at the FreeRadius debug:
  FreeRadius debug:
  Ready to process requests.
  rad_recv: Access-Request packet from host 10.14.14.30:1645, id=4, length=98
          User-Name = "Users"
          User-Password = "cisco"  <--Where does this password comes from?!
          Calling-Station-Id = "10.14.14.17"
          NAS-Port-Type = Virtual
          NAS-Port = 0
          NAS-Port-Id = "10.14.14.30"
          Service-Type = Dialout-Framed-User
          NAS-IP-Address = 10.14.14.30
    Processing the authorize section of radiusd.conf
  modcall: entering group authorize for request 0
    modcall[authorize]: module "preprocess" returns ok for request 0
  radius_xlat:  '../var/log/radius/radacct/10.14.14.30/auth-detail-20130604.log'
  rlm_detail: ../var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d.lo
  g expands to ../var/log/radius/radacct/10.14.14.30/auth-detail-20130604.log
    modcall[authorize]: module "auth_log" returns ok for request 0
    modcall[authorize]: module "chap" returns noop for request 0
    modcall[authorize]: module "mschap" returns noop for request 0
      rlm_realm: No '@' in User-Name = "Users", looking up realm NULL
      rlm_realm: No such realm "NULL"
    modcall[authorize]: module "suffix" returns noop for request 0
    rlm_eap: No EAP-Message, not doing EAP
    modcall[authorize]: module "eap" returns noop for request 0
      users: Matched entry DEFAULT at line 188
    modcall[authorize]: module "files" returns ok for request 0
  rlm_pap: WARNING! No "known good" password found for the user.  Authentication m
  ay fail because of this.
    modcall[authorize]: module "pap" returns noop for request 0
  modcall: leaving group authorize (returns ok) for request 0
    rad_check_password:  Found Auth-Type System
  auth: type "System"
    ERROR: Unknown value specified for Auth-Type.  Cannot perform requested action
  auth: Failed to validate the user.
  Login incorrect: [Users/cisco] (from client vpnServer port 0 cli 10.14.14.17)
  Delaying request 0 for 1 seconds
  Finished request 0
  Going to the next request
  --- Walking the entire request list ---
  Waking up in 1 seconds...
  --- Walking the entire request list ---
  Waking up in 1 seconds...
  --- Walking the entire request list ---
  Sending Access-Reject of id 4 to 10.14.14.30 port 1645
  Waking up in 4 seconds...
  --- Walking the entire request list ---
  Cleaning up request 0 ID 4 with timestamp 51ae5a41
  Nothing to do.  Sleeping until we see a request.
  Any idea Jatin?

• Dynamic VLAN-Assignment from RADIUS with Aironet 1242AG doesn't work properly

  Hello All,
  our setting is to assign VLANs dynamically from RADIUS (freeradius) to Clients connected to the 1242 Access-Points with one SSID. We have Firmware
  12.4(10b)JA/JDA on the Aironet 1242.
  The clients should be connected to one of three VLANs - one for staff, one for students and one for guests. I use the Web-Interface of
  the 1242, because I'm not very familiar with IOS cli.
  After assigning the first VLAN to the SSID -> click Accept, assigning the second VLAN to the SSID (overwriting the previous one) -> click Accept,
  assigning the third VLAN to SSID (overwriting again) -> click Accept,  the assignment of VLANs works really fine,
  (the only thing i change on the page is VLAN, the SSID is set to mandatory WPAv2)
  BUT...
  when the 1242 is rebooted (due a building power off or similar) it doesn't work anymore. Clients end up in an endless authentication loop.
  After doing the procedure again from above - assigning all VLANs sequently once, it works fine again !  till next reboot...
  All VLANs have same encryption, cypher, TKIP+AES CCM. On the Cisco-Site I found a command, which i also tried with no success:
  'aaa authorization network default group radius'.
  I also tried to save the working config and load it into the 1242 again, this also did not work.
  It seems that i'm doing something wrong, but what ?
  Thanks for some help,
  Frank

  All you really need to do is make sure the subinterfaces/vlans are created for each VLAN you need, then have radius push down IETF attributes 64, 65, and 81.

• Set an ip unnumbered from radius

  Hi all,
  I was reading a lot documentation and testing a lot of scenarios but i can not set template configuration from RADIUS…
  This it my configuration,
  aaa new-model
  aaa authentication login admin local
  aaa authentication ppp default local group radius
  aaa authorization template
  aaa authorization network default group radius local
  aaa accounting delay-start
  aaa accounting update newinfo
  aaa accounting network default start-stop group radius
  bba-group pppoe pruebavrf
  virtual-template 33
  sessions per-mac limit 48
  sessions per-vlan limit 1400
  interface Loopback10
  ip address 192.168.44.1 255.255.255.0
  interface FastEthernet0/0.8
  description PRUEBAS
  encapsulation dot1Q 8
  pppoe enable group pruebavrf
  interface Virtual-Template33
  no ip address
  no ip redirects
  no ip unreachables
  ip mtu 1480
  ip tcp adjust-mss 1400
  peer default ip address pool pool_local
  ppp authentication pap chap
  radius-server attribute 44 extend-with-addr
  radius-server attribute 8 include-in-access-req
  radius-server attribute nas-port format d
  radius-server configure-nas
  radius-server host X.X.X.X auth-port 1812 acct-port 1813 key xxxx
  radius-server retransmit 2
  radius-server timeout 6
  radius-server vsa send accounting
  radius-server vsa send authentication
  ip local pool pool_local x.x.x.x
  And this is RADIUS configuration
  testvdsl@knetip Auth-Type := local, User-Password == "xxxx"
  Service-Type = Framed-User,
  cisco-avpair += "template:ip-unnumbered=Loopback 10",
  Framed-Protocol = PPP
  I think that with this configuration virtual-access would be take the ip of Loopback 10 as unnumbered but doesn't work.
  Router#sh int Vi2.1
  Virtual-Access2.1 is up, line protocol is up
  Hardware is Virtual Access interface
  MTU 1492 bytes, BW 100000 Kbit/sec, DLY 100000 usec,
  reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation PPP, LCP Open
  PPPoE vaccess, cloned from Virtual-Template33
  Vaccess status 0x0
  Keepalive set (10 sec)
  128 packets input, 1803 bytes
  128 packets output, 1799 bytes
  Last clearing of "show interface" counters never
  This is the RADIUS debug,
  .Nov 10 12:38:42: RADIUS(000E4E19): Send Access-Request to x.x.x.x:1812 id 1645/79, len 135
  .Nov 10 12:38:42: RADIUS: authenticator 3C 22 8C 1E AE 21 20 82 - B9 58 57 E3 16 6D C9 8B
  .Nov 10 12:38:42: RADIUS: Vendor, Cisco [26] 41
  .Nov 10 12:38:42: RADIUS: Cisco AVpair [1] 35 "client-mac-address=xxxx"
  .Nov 10 12:38:42: RADIUS: Framed-Protocol [7] 6 PPP [1]
  .Nov 10 12:38:42: RADIUS: User-Name [1] 17 "testvdsl@knetip"
  .Nov 10 12:38:42: RADIUS: User-Password [2] 18 *
  .Nov 10 12:38:42: RADIUS: NAS-Port-Type [61] 6 Ethernet [15]
  .Nov 10 12:38:42: RADIUS: NAS-Port [5] 6 8
  .Nov 10 12:38:42: RADIUS: NAS-Port-Id [87] 9 "0/0/0/8"
  .Nov 10 12:38:42: RADIUS: Service-Type [6] 6 Framed [2]
  .Nov 10 12:38:42: RADIUS: NAS-IP-Address [4] 6 x.x.x.x
  .Nov 10 12:38:42: RADIUS: Received from id 1645/79 x.x.x.x:1812, Access-Accept, len 74
  .Nov 10 12:38:42: RADIUS: authenticator E5 D8 63 D4 D5 EE EC C8 - F7 BB 4A B9 6A C8 60 F6
  .Nov 10 12:38:42: RADIUS: Service-Type [6] 6 Framed [2]
  .Nov 10 12:38:42: RADIUS: Vendor, Cisco [26] 42
  .Nov 10 12:38:42: RADIUS: Cisco AVpair [1] 36 "template:ip-unnumbered=Loopback 10"
  .Nov 10 12:38:42: RADIUS: Framed-Protocol [7] 6 PPP [1]
  .Nov 10 12:38:42: RADIUS(000E4E19): Received from id 1645/79
  Somebody can help me?
  Thank you in advance.

  Hi,
  I'll try to guide you through this though I'm not sure of all the words in English...Well you see, I had just the same problem as you and tried about evertyhing. And I hopes someone would give you tje answer but they didn't so I almost gave up when I suddenly solved the problem.
  What you do is this. Step by step. (On your mac-computer.) (Question-mark (?) means I'm not sure what the term is in Englis but I try to translate it word by word from Swedish)
  1. Open your "Finder"
  2. Click on "Programs"
  3. Open the map called "tool-programs?"
  4. Open the "Airport administration tools?" (It has the symbol of a roundshaped airport.)
  5. Click on Setup. (In the upper left corner there are four different buttons. The third says Setup)
  6. Enter the password for your basestation
  7. Click on Password (the fourth button in the upper left corner with a lock as a symbol)
  8. There you will have a HEX equivalent password (WEP-key) which you need for your PC.
  Then you just type in this password on your PC-computer and you will soon be able to use the internet via your airport and the airtunes as well.
  Good luck!
  /Emanuel

• Waiting ACK from Radius Server before sending traffic

  Hello,
  After receiving the access accept from the Radus, the AS give the IP address to the client/user and send a Accounting Start to the Radus Server.
  I just want to know if is possible for the AS to wait the Ack of the Accounting Start from the Radius Server, before forwarding the client traffic to the destination.
  I see some documentation in the web and I find:
  aaa dnis map xxx accounting network wait-start group YYY..
  Is this the right thing to do? If I use ? after network this option doesn't appear.
  The IOS is: 5300-j-mz.122-11.T2.bin
  Thanks a lot
  Ira
  Ira

  Yes, I think its possible to start the accounting after receiving ack from radius server.For this, the command will be,
  router(config)#aaa accounting "what-to-track info" wait-start "where-to-send info".
  This wait-start cmd says that wait for receiving the ack from server before staring the accounting process.

• Using a source-ip on a vpdn-group

  Hi,
  I'm using different source-ip under two vpdn-groups, and try to open an L2TP tunnel from my XP to 1.1.1.1 and 2.2.2.2:
  vpdn enable
  vpdn-group 1
  accept-dialin
  protocol l2tp
  virtual-template 1
  source-ip 1.1.1.1
  no l2tp tunnel authentication
  vpdn-group 2
  accept-dialin
  protocol l2tp
  virtual-template 2
  source-ip 2.2.2.2
  no l2tp tunnel authentication
  I found out that I can open the tunnel only to the first vpdn-group (1.1.1.1), and when I try to open the tunnel to 2.2.2.2, I saw (on a sniffer and on debug ip packet) that the router is getting my SCCRQ, but replay with the SCCRP from souse 1.1.1.1 (the first vpdn-group).
  I tried it with several platform and with several IOS images but it always the same.
  Do I miss something?
  Israel.

  Here is document on L2TP Dial-Out Load Balancing and Redundancy.
  http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a00801541b7.html

• How do I delete a contact group from my iphone

  How do I delete a contact group from my iphone?

  Download Easy Group. It is totally free. Lauch it. Click on Edit. Click on red-cross next to your unwanted group. That's all. http://itunes.apple.com/fr/app/easy-group/id461469079?mt=8
  Rémi
  Note: As I am Easy Group developper, I may receive some form of compensation, financial or otherwise,from my recommendation or link.

• Get All Groups from Weblogic

  Hello everyone,
  Well i'm having little problem to get all groups that exists in Weblogic. I already search but the only thing i can get is the groups from the user that is autenticated in the application.
  Best regards,
  Tiago Marques

  See if this helps - http://weblogic-wonders.com/weblogic/2010/11/10/list-users-and-groups-in-weblogic-using-jmx/

• Get all groups from an AD Server

  Hi everyone,
  I'm trying to get all groups from and AD server.
  Here's how I'm doing it:
  DirContext ctx = new InitialDirContext( (Hashtable<String,String>) env);
            Name n2 = new CompositeName().add(groupsContainer);
            NamingEnumeration<Binding> contentsEnum = ctx.listBindings(n2);
            int i = 1;
            while ( contentsEnum.hasMore() && (i++) < 1000 )
                 Binding binding = contentsEnum.next();
                 groups.add(binding.getName().substring(3));
            return groups; The problem is, I always get an error if I don't restrict the results number to below 1000.
  The error is the following *javax.naming.SizeLimitExceededException: [LDAP: error code 4 - Sizelimit Exceeded];*
  After googling, I found it it's due to a field in the AD Server, that restrict the result number.
  So there is no way that I can obtain all groups without changing that field?
  Regards,
  Nuno.

  Hi Nuno,
  You have to increase the MaxPageSize value at ActiveDirectory level to retrieve results more than 1000. By default the MaxPageSize value is 1000. There is no option other than increasing the MaxPageSize value.
  Thanks & Regards,
  Murali.
  ============

• Hide Particular Item Group from Selection Criteria of Sales Analysis Report

  Hello Experts,
  Is this possible to Hide Particular Item Group from Selection Criteria of Sales Analysis Report?
  I have one Item Group as 'Special Items'.
  Now, when I open  Item wise sales analysis report, I want to hide above mentioned group from selection criteria.
  Thanks in advance.
  Best Regards,
  Pankit Sheth

  Hi,
  1. Not possible to put validation for selection criteria windows.
  2. In standard, I don't think it is possible to hide only one item group.
  3. Alternatively don't give authorization to user for running sales reports. If still need create customized query and ask user run every month.
  Thanks & Regards,
  Nagarajan

• Provisioning multiple AD Groups from a Single Privilege

  Experts,
  We're encountering a situation here when we provision to multiple Active Directory groups from a single IDM Role.
  The scenario is this:
  We have a workflow that has multiple conditional and switch tasks that result in the provisioning of users to Active Directory 2008 (mixed mode) Our workflow uses the provisioning framework and all users have been granted the ONLY privilege for the system.
  The workflow will result in adding the users to multiple AD groups sometimes two AD groups that are associated with a single IDM role. The first assignment always works, the second does simply does not occur, no entry in the system or job log although IDM does show that the role has been assigned with an 'OK' status.
  We've accomplished a workaround by redesigning the workflow so that only single roles are assigned at a time and using chain result OK links to move from one provisioning activity to another, but frankly, we are unsatisfied with this.  IDM should be handling this much better through
  I'm wondering if we have a pending value floating out there and we should just be applying the pending value at the end of every AD group add.
  Any thoughts on this would be appreciated.
  Thanks,
  Matt

  Matt,
  In your post you mention "I'm wondering if we have a pending value floating out there and we should just be applying the pending value at the end of every AD group add"... I'm faced with a similar issue were I'm left pending values for privileges after the group is assigned.
  I've imported the AD groups as privileges. I assign them without issue. But when I review the assignments I can see that each corresponding privilege assignment now has a pending value. I can not remove the privilege from the user at this point.
  Have you seen this before? Any suggestions on how I can clean this up. BTW, I'm using the SAP PF basically unchanged...
  Thanks!

• How to create a Group from an existing email -

  I just want to create a Group from an existing email received.  Don't want to add people individually to Address Book, then drag them to the Group.  Would prefer to copy/paste the addresses into the Group.  I'm part of a team at work wth 25 people!  Do I really have to add their addresses individually?  Seems ridiculous.  Don't even need their names - just the emails, so when I type in "United," for example, I get all the folks in that Group which is named "United."
  Thanks.

  There was a "magical" set of Applescripts that would have done that, but it no longer works.
  There is no way in the OS to do that besides making the Applescript yourself using the current Script Editor.
  Another way to do what you want is to select all of the addresses (select one, then cmd-A). Then, drag the selection to somewhere in the Finder. That will create a text clipping. You can then drag that text clipping into the address field in Mail.
  The text clipping will be named with the first few email addresses. You can rename it in the Finder.
  Each one can be your own "distribution" list.