Restricting SSIDs using Win2008 Radius Servers
Hello All,
I have a customer that wants to restrict which SSIDs groups get based on their AD credentials. Currently, he is using Windows 2008 RADIUS Server and AD with Cisco 5508 WLCs. I found examples that show this is possible, but my question is: if I have 2 user groups (teachers and students) in AD and apply a policy for the RADIUS server to send SSID x to teachers and SSID y to students, then upon successful authentication, would this deny teachers access to SSID y and students access to SSID x?
Thanks in advance for your help! Any suggestions, comments, or links to documents on how this can be done would be greatly appreciated as well!!
From my recent memory, this would simply force the client to be placed in the appropriate WLAN ID. RADIUS will respond with the WLAN ID the client should be "placed in", therefore if your "teacher policy (x)" authenticates a user, they will be pushed to WLAN ID , regardless of whether they connected to WLAN X or Y, presuming they're hitting the same NPS server/policies; and vice versa.
Bottom line is the network policy on the NPS is going to make the client move to the respective WLAN ID based on the "credentials" authenticated in the respective policy, regardless of whether they connect to WLAN X or Y. Make sure AAA override is enabled on each WLAN.
List of VSAs supported on WLC
http://www.cisco.com/en/US/products/ps6307/products_tech_note09186a0080870334.shtml
WLAN ID
—When the WLAN-ID attribute is present in the RADIUS Access Accept, the system applies the WLAN-ID (SSID) to the client station after it authenticates. The WLAN ID is sent by the WLC in all instances of authentication except IPsec. In case of web authentication, if the WLC receives a WLAN-ID attribute in the authentication response from the AAA server, and it does not match the ID of the WLAN, authentication is rejected. Other types of security methods do not do this.
Taken from
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008082d5b5.shtml#C2
This is for IAS but the VSAs will all be the same when configured in NPS
For setting the WLAN-ID on a per-user basis:
Attribute Name—Airespace-WLAN-Id
Vendor-assigned attribute number—1
Attribute Format—Integer/Decimal
Value—WLAN-ID
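To make the VSA table concrete, here is an added example (not code from the thread or from Cisco) that encodes and decodes Airespace-WLAN-Id as a RADIUS Vendor-Specific attribute and models the WLC decision described above. It assumes the Airespace vendor ID 14179 (the enterprise number used by the standard Airespace RADIUS dictionary) and the VSA layout from RFC 2865 section 5.26; the "AAA override off means the attribute is ignored" rule in resolve_wlan() is an assumption drawn from the advice to enable AAA override on each WLAN.

```python
"""Airespace-WLAN-Id as a RADIUS Vendor-Specific Attribute (added example).

Assumptions: Airespace vendor ID 14179 (IANA enterprise number used by the
standard Airespace dictionary) and the VSA layout of RFC 2865 section 5.26.
resolve_wlan() models the WLC behaviour as described in the thread above.
"""
import struct

VENDOR_SPECIFIC = 26          # RFC 2865 attribute type for Vendor-Specific
AIRESPACE_VENDOR_ID = 14179   # assumption: Airespace enterprise number
AIRESPACE_WLAN_ID = 1         # vendor-assigned attribute number from the thread


def encode_wlan_id(wlan_id: int) -> bytes:
    """Build the on-the-wire Vendor-Specific attribute carrying Airespace-WLAN-Id."""
    if not 0 < wlan_id < 2 ** 32:
        raise ValueError("WLAN-ID must be an unsigned 32-bit integer")
    # Vendor data: vendor-type(1) vendor-length(1) value(4); integers are big-endian
    vendor_data = struct.pack("!BBI", AIRESPACE_WLAN_ID, 6, wlan_id)
    body = struct.pack("!I", AIRESPACE_VENDOR_ID) + vendor_data
    # Outer header: type(1) length(1); the length counts the header itself
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body


def parse_attributes(blob: bytes):
    """Yield (type, value) for each RADIUS attribute in a packet's attribute area."""
    i = 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        atype, alen = blob[i], blob[i + 1]
        if alen < 2 or i + alen > len(blob):
            raise ValueError("attribute length out of range")
        yield atype, blob[i + 2:i + alen]
        i += alen


def find_wlan_id(blob: bytes):
    """Return the Airespace-WLAN-Id value from an Access-Accept's attributes, or None."""
    for atype, value in parse_attributes(blob):
        if atype != VENDOR_SPECIFIC or len(value) < 6:
            continue
        vendor_id = struct.unpack("!I", value[:4])[0]
        if vendor_id != AIRESPACE_VENDOR_ID:
            continue
        vtype, vlen = value[4], value[5]
        if vtype == AIRESPACE_WLAN_ID and vlen == 6 and len(value) >= 10:
            return struct.unpack("!I", value[6:10])[0]
    return None


def resolve_wlan(associated_wlan: int, accept_attrs: bytes, *, aaa_override: bool, web_auth: bool):
    """Model the WLC handling described in the thread.

    Returns ("placed", wlan_id) or ("rejected", None):
    - no WLAN-ID in the Accept: the client stays on the WLAN it associated to;
    - web auth with a mismatching WLAN-ID: authentication is rejected;
    - AAA override on: the client is placed in the returned WLAN-ID;
    - AAA override off: the attribute is ignored (assumption, see lead-in).
    """
    returned = find_wlan_id(accept_attrs)
    if returned is None:
        return "placed", associated_wlan
    if web_auth and returned != associated_wlan:
        return "rejected", None
    if aaa_override:
        return "placed", returned
    return "placed", associated_wlan


if __name__ == "__main__":
    teacher_accept = encode_wlan_id(1)   # an NPS policy for teachers returning WLAN 1
    print(teacher_accept.hex())
    print(resolve_wlan(2, teacher_accept, aaa_override=True, web_auth=False))
```

The useful check for the original question is the web-auth branch: a student who associates to the teacher SSID and gets WLAN-ID 2 back is rejected there, while on an 802.1X WLAN with AAA override the thread says the client is simply moved to WLAN 2.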
Similar Messages
-
Using Multiple RADIUS servers w/ LEAP & WPA concurrently
Our current wireless network was set up by someone on the outside and it uses LEAP w/ CKIP. When we have random employees come in, CKIP is a pain since CKIP usually isn't supported by any of the laptop OEM wireless drivers. We've had to resort to using the manufacturer's drivers to get it to work. So because of this we started looking at moving to using WPA w/ TKIP or AES. I started out with a small test setup using MS IAS, PEAP and an IOS-based Aironet 1231. The test environment seems to be working fine; I can associate with it and gain network access, so I don't think there are any problems with IAS or PEAP.
My intention is to set up additional SSIDs on new VLANs so I can run the test WPA network in parallel with the in-use LEAP networks. The problem I seem to have run into is that when I mix the two configs, WPA no longer works. I've enabled quite a few different debugs to get an idea of what might be the problem, and the only thing I can come up with at this time is the possibility of wlccp being the problem. When the machine is trying to connect to the WPA SSID I see a lot of wlccp messages which, if I understand how this is supposed to work, shouldn't come into play. For the WPA data clients I don't really care about fast roaming, which is what I understand wlccp to be for. People aren't walking around with their laptops while doing something network dependent. They sit down in one location and so seamless roaming is a non-issue.
I've attached sanitized versions of the two configs. I'll continue to hack on this but I'm hoping I'm just overlooking something that a second set of eyes might catch. Or maybe it's not even possible. I'd also be interested in what others are using as their network EAP methods: EAP-FAST, PEAP, EAP-TLS. I initially chose PEAP since it seems like a happy medium between strength and ease of use from the client end, since 98% of all clients will be Windows laptops. Any comments on using WPA-PSK vs LEAP with 7920 phones?
Thanks in advance,
jeff
Jeff,
1. It is recommended that the AP you use as the primary WDS has the radio disabled.
2. It is also standard that your bridge groups be numbered the same as your VLANs.
3. Your native VLAN should not have an SSID associated with it. This is not mandatory but again SOP for multiple VLAN configs.
4. Here is an excellent link for configuring WDS. Of course it shows using an ACS server as your RADIUS server, but any RADIUS server will work.
regards
Bill -
Adding AAA servers to ACS to use Proxy RADIUS distribution Table
Hello,
I've added two non-ACS RADIUS servers (Radiator) to the AAA servers on Network Config, in order to use them in a proxy distribution table.
I had problems authenticating users through those servers and I did a sniffer trace on the outside interface of the ACS.
What I saw is that ACS sends packets to the AAA server configured as RADIUS on port 1645, not 1812, the expected standard, and the port the other servers are listening on. How can I change this behaviour?
Thanks
Gustavo
ACS by default will listen on both ports 1645 and 1812, the two "standard" RADIUS ports. However, when talking to a proxy server it will only send them on 1645, by default. To change this you have to go into the registry and change it as follows:
Under [HKEY_LOCAL_MACHINE\SOFTWARE\Cisco\CiscoAAAv3.x\Hosts\\RADIUS] (where is the server you want to send the 1812 requests to, and note that you may have to add the RADIUS key if it isn't there already), you can add the following:
"authPort"=dword:0000066e <<---- 1645
"acctPort"=dword:0000066d <<---- 1646
"timeout"=dword:00000001
"single connection"=dword:00000000
"strip users"=dword:00000000
You don't need all of them, you can just change the authPort to 1812 (714 in hex) and acctPort to 1813 (0x715) and you should be good to go. Make sure you reboot the server after making the registry changes. Keys are case-sensitive too so make sure you type them in EXACTLY as I've shown above. -
Dot1x with port security and redundant radius servers
I have a strange issue with my dot1x port authentication. I have two RADIUS servers configured in my switch for redundancy, and on my switchport I have a Cisco IP phone and a PC. Testing redundancy with the RADIUS servers, when I have both servers active and running, the port authentication works fine for both phone and PC. When I fail the RADIUS server in the configuration, by disconnecting the NIC on it, the switch goes to the surviving RADIUS server and authenticates (I can see it in the running log); both the phone and PC get an access-accept, but only the phone works on the network and the port light stays amber showing it's blocking for the PC. Strange, since it showed an accept on the RADIUS server.
This only seems to happen when the first one on the list is failed. When the second one is failed, it obviously won't need to try it, so there's not an issue. Any ideas?
Here's the setup and configs:
freeradius 2.1.12-4
cisco 3560
Switch Ports Model SW Version SW Image
* 1 52 WS-C3560G-48PS 12.2(53)SE2 C3560-IPBASEK9-M
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
interface GigabitEthernet0/1
switchport access vlan 100
switchport mode access
switchport voice vlan 110
authentication event no-response action authorize vlan 901
authentication host-mode multi-domain
authentication port-control auto
authentication periodic
authentication violation protect
mab
dot1x pae authenticator
dot1x timeout quiet-period 10
dot1x timeout tx-period 1
no mdix auto
spanning-tree portfast
radius-server host 10.90.1.88 auth-port 1645 acct-port 1646 key 7 xxx
radius-server host 10.90.1.85 auth-port 1645 acct-port 1646 key 7 xxx
Here's an authentication string from the RADIUS server:
(there are two MAC addresses. The first one, 00.13, is the PC and the second, 30.37, is the phone)
rad_recv: Access-Request packet from host 10.90.100.7 port 1645, id=204, length=160
User-Name = "001372b639a6"
User-Password = "001372b639a6"
Service-Type = Call-Check
Framed-MTU = 1500
Called-Station-Id = "9C-AF-CA-23-D9-01"
Calling-Station-Id = "00-13-72-B6-39-A6"
Message-Authenticator = 0xfeef777a8033c24934306b3cce78c8f1
NAS-Port-Type = Ethernet
NAS-Port = 50001
NAS-Port-Id = "GigabitEthernet0/1"
NAS-IP-Address = 10.90.100.7
Wed Sep 18 10:48:06 2013 : Info: # Executing section authorize from file /etc/raddb/sites-enabled/default
Wed Sep 18 10:48:06 2013 : Info: +- entering group authorize {...}
Wed Sep 18 10:48:06 2013 : Info: ++[preprocess] returns ok
Wed Sep 18 10:48:06 2013 : Info: ++[chap] returns noop
Wed Sep 18 10:48:06 2013 : Info: ++[mschap] returns noop
Wed Sep 18 10:48:06 2013 : Info: ++[digest] returns noop
Wed Sep 18 10:48:06 2013 : Info: [suffix] No '@' in User-Name = "001372b639a6", looking up realm NULL
Wed Sep 18 10:48:06 2013 : Info: [suffix] No such realm "NULL"
Wed Sep 18 10:48:06 2013 : Info: ++[suffix] returns noop
Wed Sep 18 10:48:06 2013 : Info: [eap] No EAP-Message, not doing EAP
Wed Sep 18 10:48:06 2013 : Info: ++[eap] returns noop
Wed Sep 18 10:48:06 2013 : Info: [sql] expand: %{User-Name} -> 001372b639a6
Wed Sep 18 10:48:06 2013 : Info: [sql] sql_set_user escaped user --> '001372b639a6'
Wed Sep 18 10:48:06 2013 : Debug: rlm_sql (sql): Reserving sql socket id: 3
Wed Sep 18 10:48:06 2013 : Info: [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = '001372b639a6' ORDER BY id
Wed Sep 18 10:48:06 2013 : Debug: rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '001372b639a6' ORDER BY id
Wed Sep 18 10:48:06 2013 : Info: [sql] User found in radcheck table
Wed Sep 18 10:48:06 2013 : Info: [sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = '001372b639a6' ORDER BY id
Wed Sep 18 10:48:06 2013 : Debug: rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radreply WHERE username = '001372b639a6' ORDER BY id
Wed Sep 18 10:48:06 2013 : Info: [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = '001372b639a6' ORDER BY priority
Wed Sep 18 10:48:06 2013 : Debug: rlm_sql_mysql: query: SELECT groupname FROM radusergroup WHERE username = '001372b639a6' ORDER BY priority
Wed Sep 18 10:48:06 2013 : Debug: rlm_sql (sql): Released sql socket id: 3
Wed Sep 18 10:48:06 2013 : Info: ++[sql] returns ok
Wed Sep 18 10:48:06 2013 : Info: ++[expiration] returns noop
Wed Sep 18 10:48:06 2013 : Info: ++[logintime] returns noop
Wed Sep 18 10:48:06 2013 : Info: ++[pap] returns updated
Wed Sep 18 10:48:06 2013 : Info: Found Auth-Type = PAP
Wed Sep 18 10:48:06 2013 : Info: # Executing group from file /etc/raddb/sites-enabled/default
Wed Sep 18 10:48:06 2013 : Info: +- entering group PAP {...}
Wed Sep 18 10:48:06 2013 : Info: [pap] login attempt with password "001372b639a6"
Wed Sep 18 10:48:06 2013 : Info: [pap] Using clear text password "001372b639a6"
Wed Sep 18 10:48:06 2013 : Info: [pap] User authenticated successfully
Wed Sep 18 10:48:06 2013 : Info: ++[pap] returns ok
Wed Sep 18 10:48:06 2013 : Info: # Executing section post-auth from file /etc/raddb/sites-enabled/default
Wed Sep 18 10:48:06 2013 : Info: +- entering group post-auth {...}
Wed Sep 18 10:48:06 2013 : Info: ++[exec] returns noop
Sending Access-Accept of id 204 to 10.90.100.7 port 1645
Wed Sep 18 10:48:06 2013 : Info: Finished request 0.
Wed Sep 18 10:48:06 2013 : Debug: Going to the next request
Wed Sep 18 10:48:06 2013 : Debug: Waking up in 4.9 seconds.
Wed Sep 18 10:48:11 2013 : Info: Cleaning up request 0 ID 204 with timestamp +77
Wed Sep 18 10:48:11 2013 : Info: Ready to process requests.
rad_recv: Access-Request packet from host 10.90.100.7 port 1645, id=205, length=160
User-Name = "3037a616cd49"
User-Password = "3037a616cd49"
Service-Type = Call-Check
Framed-MTU = 1500
Called-Station-Id = "9C-AF-CA-23-D9-01"
Calling-Station-Id = "30-37-A6-16-CD-49"
Message-Authenticator = 0xc9173e759dd759b9d414d192783e8a8e
NAS-Port-Type = Ethernet
NAS-Port = 50001
NAS-Port-Id = "GigabitEthernet0/1"
NAS-IP-Address = 10.90.100.7
Wed Sep 18 10:48:13 2013 : Info: # Executing section authorize from file /etc/raddb/sites-enabled/default
Wed Sep 18 10:48:13 2013 : Info: +- entering group authorize {...}
Wed Sep 18 10:48:13 2013 : Info: ++[preprocess] returns ok
Wed Sep 18 10:48:13 2013 : Info: ++[chap] returns noop
Wed Sep 18 10:48:13 2013 : Info: ++[mschap] returns noop
Wed Sep 18 10:48:13 2013 : Info: ++[digest] returns noop
Wed Sep 18 10:48:13 2013 : Info: [suffix] No '@' in User-Name = "3037a616cd49", looking up realm NULL
Wed Sep 18 10:48:13 2013 : Info: [suffix] No such realm "NULL"
Wed Sep 18 10:48:13 2013 : Info: ++[suffix] returns noop
Wed Sep 18 10:48:13 2013 : Info: [eap] No EAP-Message, not doing EAP
Wed Sep 18 10:48:13 2013 : Info: ++[eap] returns noop
Wed Sep 18 10:48:13 2013 : Info: [sql] expand: %{User-Name} -> 3037a616cd49
Wed Sep 18 10:48:13 2013 : Info: [sql] sql_set_user escaped user --> '3037a616cd49'
Wed Sep 18 10:48:13 2013 : Debug: rlm_sql (sql): Reserving sql socket id: 2
Wed Sep 18 10:48:13 2013 : Info: [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = '3037a616cd49' ORDER BY id
Wed Sep 18 10:48:13 2013 : Debug: rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '3037a616cd49' ORDER BY id
Wed Sep 18 10:48:13 2013 : Info: [sql] User found in radcheck table
Wed Sep 18 10:48:13 2013 : Info: [sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = '3037a616cd49' ORDER BY id
Wed Sep 18 10:48:13 2013 : Debug: rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radreply WHERE username = '3037a616cd49' ORDER BY id
Wed Sep 18 10:48:13 2013 : Info: [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = '3037a616cd49' ORDER BY priority
Wed Sep 18 10:48:13 2013 : Debug: rlm_sql_mysql: query: SELECT groupname FROM radusergroup WHERE username = '3037a616cd49' ORDER BY priority
Wed Sep 18 10:48:13 2013 : Debug: rlm_sql (sql): Released sql socket id: 2
Wed Sep 18 10:48:13 2013 : Info: ++[sql] returns ok
Wed Sep 18 10:48:13 2013 : Info: ++[expiration] returns noop
Wed Sep 18 10:48:13 2013 : Info: ++[logintime] returns noop
Wed Sep 18 10:48:13 2013 : Info: ++[pap] returns updated
Wed Sep 18 10:48:13 2013 : Info: Found Auth-Type = PAP
Wed Sep 18 10:48:13 2013 : Info: # Executing group from file /etc/raddb/sites-enabled/default
Wed Sep 18 10:48:13 2013 : Info: +- entering group PAP {...}
Wed Sep 18 10:48:13 2013 : Info: [pap] login attempt with password "3037a616cd49"
Wed Sep 18 10:48:13 2013 : Info: [pap] Using clear text password "3037a616cd49"
Wed Sep 18 10:48:13 2013 : Info: [pap] User authenticated successfully
Wed Sep 18 10:48:13 2013 : Info: ++[pap] returns ok
Wed Sep 18 10:48:13 2013 : Info: # Executing section post-auth from file /etc/raddb/sites-enabled/default
Wed Sep 18 10:48:13 2013 : Info: +- entering group post-auth {...}
Wed Sep 18 10:48:13 2013 : Info: ++[exec] returns noop
Sending Access-Accept of id 205 to 10.90.100.7 port 1645
Cisco-AVPair = "device-traffic-class=voice"
Wed Sep 18 10:48:13 2013 : Info: Finished request 1.
Wed Sep 18 10:48:13 2013 : Debug: Going to the next request
Wed Sep 18 10:48:13 2013 : Debug: Waking up in 4.9 seconds.
Wed Sep 18 10:48:18 2013 : Info: Cleaning up request 1 ID 205 with timestamp +84
Wed Sep 18 10:48:18 2013 : Info: Ready to process requests.
Thanks!
802.1X support requires an authentication server that is configured for Remote Authentication Dial-In User Service (RADIUS). 802.1X authentication does not work unless the network access switch can route packets to the configured RADIUS server.
Please check the below links which can be helpful in configurations:
Link-1
http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/50sg/configuration/guide/dot1x.html
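The debug output in the dot1x thread above is the right evidence to compare between the two servers: the question is whether the surviving server returned the same reply attributes as the first one (here the phone's Accept carries Cisco-AVPair device-traffic-class=voice while the PC's Accept carries nothing). The following added example, not from the thread or from FreeRADIUS, parses freeradius 2.x-style debug output into request/reply pairs keyed by Calling-Station-Id and diffs two servers' replies. The log lines embedded in it are constructed in the shape of the thread's capture (with 192.0.2.7 as a made-up NAS address), and the helper names are my own.

```python
"""Pair Access-Request / Access-Accept blocks in freeradius debug output (added example)."""
import re

# Constructed sample in the shape of freeradius 2.x debug output; not the thread's capture
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 192.0.2.7 port 1645, id=204, length=160
    User-Name = "001372b639a6"
    Service-Type = Call-Check
    Calling-Station-Id = "00-13-72-B6-39-A6"
    NAS-Port-Id = "GigabitEthernet0/1"
Wed Sep 18 10:48:06 2013 : Info: [suffix] No '@' in User-Name = "001372b639a6", looking up realm NULL
Wed Sep 18 10:48:06 2013 : Info: ++[pap] returns ok
Sending Access-Accept of id 204 to 192.0.2.7 port 1645
Wed Sep 18 10:48:06 2013 : Info: Finished request 0.
rad_recv: Access-Request packet from host 192.0.2.7 port 1645, id=205, length=160
    User-Name = "3037a616cd49"
    Service-Type = Call-Check
    Calling-Station-Id = "30-37-A6-16-CD-49"
    NAS-Port-Id = "GigabitEthernet0/1"
Wed Sep 18 10:48:13 2013 : Info: ++[pap] returns ok
Sending Access-Accept of id 205 to 192.0.2.7 port 1645
    Cisco-AVPair = "device-traffic-class=voice"
Wed Sep 18 10:48:13 2013 : Info: Finished request 1.
rad_recv: Access-Request packet from host 192.0.2.7 port 1645, id=206, length=160
    User-Name = "0a0b0c0d0e0f"
    Calling-Station-Id = "0A-0B-0C-0D-0E-0F"
Wed Sep 18 10:48:20 2013 : Info: ++[pap] returns reject
Sending Access-Reject of id 206 to 192.0.2.7 port 1645
Wed Sep 18 10:48:20 2013 : Info: Finished request 2.
"""

# Constructed "secondary server" capture: identical except the phone's voice AVPair is missing
SECONDARY_LOG = SAMPLE_LOG.replace('    Cisco-AVPair = "device-traffic-class=voice"\n', "")

REQ_RE = re.compile(r"^rad_recv: (\S+) packet from host (\S+) port \d+, id=(\d+)")
REPLY_RE = re.compile(r"^Sending (Access-\w+) of id (\d+) to (\S+) port \d+")
# Attribute lines: optional indent, attribute name, '=', value with optional quotes.
# Timestamped module-trace lines start with a weekday and never match this.
ATTR_RE = re.compile(r'^\s*([A-Za-z][\w-]*)\s*=\s*"?([^"]*)"?\s*$')


def parse_freeradius_debug(text):
    """Return {packet id: {"nas", "request", "reply", "result"}} from debug output."""
    sessions = {}
    current = None
    phase = None  # "request" or "reply" while attribute lines are expected
    for line in text.splitlines():
        m = REQ_RE.match(line)
        if m:
            _pkt, host, rid = m.groups()
            current = {"id": int(rid), "nas": host, "request": {}, "reply": {}, "result": None}
            sessions[int(rid)] = current
            phase = "request"
            continue
        m = REPLY_RE.match(line)
        if m and current is not None and int(m.group(2)) == current["id"]:
            current["result"] = m.group(1)
            phase = "reply"
            continue
        m = ATTR_RE.match(line)
        if m and current is not None and phase:
            current[phase][m.group(1)] = m.group(2)
            continue
        phase = None  # any other line ends the attribute list of the current block
    return sessions


def summarize_by_station(sessions):
    """Map Calling-Station-Id -> (result, reply attributes) for comparison across servers."""
    out = {}
    for s in sessions.values():
        mac = s["request"].get("Calling-Station-Id", "?")
        out[mac] = (s["result"], dict(s["reply"]))
    return out


def diff_replies(primary, secondary):
    """Stations whose result or reply attributes differ between two servers' summaries."""
    stations = sorted(set(primary) | set(secondary))
    return [mac for mac in stations if primary.get(mac) != secondary.get(mac)]


if __name__ == "__main__":
    primary = summarize_by_station(parse_freeradius_debug(SAMPLE_LOG))
    secondary = summarize_by_station(parse_freeradius_debug(SECONDARY_LOG))
    for mac in diff_replies(primary, secondary):
        print(mac, "primary:", primary.get(mac), "secondary:", secondary.get(mac))
```

Run it against real captures by reading each server's debug output into the two strings; a station that shows up in diff_replies() is the one whose authorization result depends on which server answered, which is exactly the symptom the poster describes.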
How to set two radius servers one is window NPS another is cisco radius server
how to set two radius servers one is window NPS another is cisco radius server
When I try the following commands, once the Windows server has first priority and I type the Cisco RADIUS user name, authentication fails.
I cannot use both at the same time.
radius-server host 192.168.1.3 is the Windows NPS
radius-server host 192.168.1.1 is the Cisco RADIUS server
http://blog.skufel.net/2012/06/how-to-integrating-cisco-devices-access-with-microsoft-npsradius/
conf t
no aaa authentication login default line
no aaa authentication login local group radius
no aaa authorization exec default group radius if-authenticated
no aaa authorization network default group radius
no aaa accounting connection default start-stop group radius
aaa new-model
aaa group server radius IAS
server 192.168.1.1 auth-port 1812 acct-port 1813
server 192.168.1.3 auth-port 1812 acct-port 1813
aaa authentication login userAuthentication local group IAS
aaa authorization exec userAuthorization local group IAS if-authenticated
aaa authorization network userAuthorization local group IAS
aaa accounting exec default start-stop group IAS
aaa accounting system default start-stop group IAS
aaa session-id common
radius-server host 192.168.1.1 auth-port 1812 acct-port 1813
radius-server host 192.168.1.2 auth-port 1812 acct-port 1813
radius-server host 192.168.1.3 auth-port 1645 acct-port 1646
radius-server host 192.168.1.3 auth-port 1812 acct-port 1813
privilege exec level 1 show config
ip radius source-interface Gi0/1
line vty 0 4
authorization exec userAuthorization
login authentication userAuthentication
transport input telnet
line vty 5 15
authorization exec userAuthorization
login authentication userAuthentication
transport input telnet
end
conf t
aaa group server radius IAS
server 192.168.1.3 auth-port 1812 acct-port 1813
server 192.168.1.1 auth-port 1812 acct-port 1813
end
The first AAA server listed in your config will always be used unless/until it becomes unavailable. At that point the NAD would move down to the next AAA server defined in the list and use that one until it becomes unavailable, and then move to the third one, and so on.
If you want to use two AAA servers at the same time then you will need to put a load balancer in front of them. Then the virtual IP (VIP) will be listed in the NADs instead of the individual AAA servers' IPs.
I hope this helps!
Thank you for rating helpful posts! -
Ise Authentication to two different forests second using External Radius, Not LDAP
Hi Guys,
I am hoping someone can help me. We currently have two AD forests, one for staff and one for students. These forests do not have a two-way trust between them, nor do we want one. We currently have ISE 1.2 integration with our student forest using AD working just fine. The iPads and other devices are playing nicely and cooperating well. We want to get our staff to be able to use ISE as well. Currently there is no way to use two AD forests, so I was directed to use LDAP instead for the second domain. Unfortunately, after playing around with it, LDAP doesn't support MSCHAPv2, which our mobile devices like iPads do play nicely with. This causes an issue only because we would have to utilize certificates to get everything to work correctly. This is not the route we want to go. So I was speaking to TAC and they recommended using an external RADIUS server, then modifying my auth profiles to look for the domain name in the authentication string. If it starts with, for example, student\ then I can have ISE forward the auth request to the AD-integrated PSNs for auth. If the auth string starts with staff\ for example, I should be able to forward this request to my external RADIUS server.
This all sounds good in theory, but I have not found any documentation to support this to help me configure it. Has anyone tried this approach? Or have any leads on where I can find some good documentation as to what RADIUS servers are supported? I am hoping Windows Server 2008 R2 with a RADIUS role installed, but I am just not sure.
If anyone can help I would greatly appreciate it.
Thank you
Joey
That is correct! Cisco ISE supports integration with a single Active Directory identity source. Cisco ISE uses this Active Directory identity source to join itself to an Active Directory domain. If this Active Directory source has a multidomain forest, trust relationships must exist between its domain and the other domains in order for Cisco ISE to retrieve information from all domains within the forest.
However, you may create multiple instances for LDAP. Cisco ISE can communicate via LDAP to Active Directory servers in an untrusted domain. The only limitation you would see with LDAP as a database is that it doesn't support PEAP MSCHAPv2 (native Microsoft supplicant). However, it does support EAP-TLS.
For more information you may go through the below listed link
http://www.cisco.com/en/US/solutions/collateral/ns340/ns414/ns742/ns744/docs/howto_45_multiple_active_directories.pdf -
Hi,
I have questions about "Accounting-Start" and "Accounting-Stop".
1. If a NAS is configured to have a primary and a backup RADIUS server, to start with all the "Accounting-Start" records will be in the primary RADIUS server. Later on the primary server goes down (the primary server won't tell the NAS?). When sessions stop, the NAS sends the "Accounting-Stop" to the secondary. I understand the "Start-Stop" records with the same "user name" and "session-id" ideally should be recorded in the same server. If this situation happens, what should both the NAS and the RADIUS server do?
2. A NAS is configured to have a primary and backup RADIUS server. To start with all the "Accounting-Start" records will be in the primary RADIUS server. Later on the administrator decides to change the primary server (as there are problems with the previous primary). When sessions stop, the NAS sends the "Accounting-Stop" to the new primary. This ends up with the "Accounting-Start" and "Accounting-Stop" with the same "user name" and "session Id" in two RADIUS servers.
To summarize, how can we avoid the "start-stop" pair ending up in different servers? If it does, is it an issue for the RADIUS application?
Cheers,
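The thread above has no reply, so here is an added example (mine, not an answer from the forum) showing the check a practitioner would run on the records: collect both servers' accounting logs into one place and pair Start and Stop by the RFC 2866 attributes User-Name and Acct-Session-Id, which the NAS keeps identical for both halves of a session. The record layout and the sample records are constructed; the function names are my own.

```python
"""Reconcile RADIUS accounting Start/Stop records collected from two servers (added example)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class AcctRecord:
    server: str       # which RADIUS server logged the record
    user: str         # User-Name
    session_id: str   # Acct-Session-Id: the NAS keeps it identical for Start and Stop
    status: str       # Acct-Status-Type: "Start" or "Stop"
    timestamp: int    # seconds since epoch (constructed values below)


# Constructed sample: alice's pair was split by a failover, carol's session has no Stop,
# and dave's Stop arrived at the secondary with no Start anywhere.
SAMPLE_RECORDS = [
    AcctRecord("primary", "alice", "0000002A", "Start", 1000),
    AcctRecord("secondary", "alice", "0000002A", "Stop", 1600),
    AcctRecord("primary", "bob", "0000002B", "Start", 1100),
    AcctRecord("primary", "bob", "0000002B", "Stop", 1300),
    AcctRecord("primary", "carol", "0000002C", "Start", 1200),
    AcctRecord("secondary", "dave", "0000002D", "Stop", 1700),
]


def reconcile(records):
    """Group records by (User-Name, Acct-Session-Id) and classify each session.

    Returns a dict with four lists of session keys plus per-session durations:
    complete (Start and Stop on one server), split (Start and Stop on different
    servers), open (Start only) and orphan_stop (Stop only).
    """
    by_session = defaultdict(list)
    for rec in records:
        by_session[(rec.user, rec.session_id)].append(rec)

    result = {"complete": [], "split": [], "open": [], "orphan_stop": [], "duration": {}}
    for key in sorted(by_session):
        recs = by_session[key]
        starts = [r for r in recs if r.status == "Start"]
        stops = [r for r in recs if r.status == "Stop"]
        if starts and stops:
            # The pair exists; note whether both halves landed on the same server
            bucket = "complete" if len({r.server for r in recs}) == 1 else "split"
            result[bucket].append(key)
            result["duration"][key] = (min(r.timestamp for r in stops)
                                       - min(r.timestamp for r in starts))
        elif starts:
            result["open"].append(key)         # Stop lost, or the session is still up
        else:
            result["orphan_stop"].append(key)  # Start lost or logged before collection began
    return result


if __name__ == "__main__":
    summary = reconcile(SAMPLE_RECORDS)
    for bucket in ("complete", "split", "open", "orphan_stop"):
        print(bucket, summary[bucket])
    print("durations", summary["duration"])
```

A split pair is only a problem for whatever consumes the records per server; once both servers feed the same store, the session reconciles normally, while the open and orphan_stop buckets are the ones worth alerting on.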
vignesh and BalusC,
Following is the code in the front controller's doFilter method. Is this not thread safe?
HttpServletRequest req = (HttpServletRequest) request;
HttpServletResponse res = (HttpServletResponse) response;
HttpSession session = req.getSession();
somepackage.User user;
if(session.getAttribute("user") == null){
user = new somepackage.User();
session.setAttribute("user", user);
}else{
user = (somepackage.User) session.getAttribute("user");
}
The user object maintains all information about a user. If it is in session scope, everything should work fine.
Another observation is that after some time of usage, both people on different systems are getting the same session.getId().
In my logout page I am using
session.invalidate();
thanks,
moses -
Using external radius with ise for guest authentication
Hi Everyone,
I am trying to migrate from NAC Guest Server to Cisco ISE Guest CWA on wireless, and can't figure out whether what I am trying is just unsupported or I just can't find out how to do this.
I am attempting to authenticate my existing guest users using a RADIUS lookup towards my existing NAC Guest Server, which has many hundred guest users with long account durations, which I really don't want to recreate on ISE and send new passwords to all those users. The problem is I can't export the user list from NAC Guest Server with the password intact, and ISE can't import guest users with a set password.
Any ideas?
Setting up ISE as a RADIUS proxy server will work, because NAC Guest Server does not support exporting user information with passwords.
Step 1 Choose Administration > Network Resources > External RADIUS Servers.
The External RADIUS Servers page appears.
Step 2 Click Filter > Advanced Filter to perform your search. The Filter page appears.
Step 3 You must define whether the search should match any or all of the rules that you define on this page.
Step 4 Enter your search criteria based on the name or description of the RADIUS server, choose an operator, and enter the value.
Step 5 You can do the following:
•To add a filter condition, click the plus sign (+).
•To remove a filter condition, click the minus sign (-).
•To clear all filter conditions, click Clear Filter.
Step 6 Click Go to perform your search.
You can also save the filter criteria so that it can be used again. Click the Save icon to save the filter condition. -
How to configure sendmail to use multiple LDAP servers ?
Hi everybody!
I have sendmail running on Solaris 10 and an LDAP server (192.168.1.9) also running Solaris 10 OS. I have configured the LDAP client the following way:
bash-3.00# ldapclient list
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_BINDDN= cn=proxyagent,ou=profile,dc=email,dc=reso,dc=ru
NS_LDAP_BINDPASSWD= {NS1}*********************
NS_LDAP_SERVERS= 192.168.1.9
NS_LDAP_SEARCH_BASEDN= dc=email,dc=domain,dc=ru
NS_LDAP_AUTH= simple
NS_LDAP_SEARCH_REF= FALSE
NS_LDAP_SEARCH_SCOPE= sub
NS_LDAP_SEARCH_TIME= 30
NS_LDAP_CACHETTL= 43200
NS_LDAP_PROFILE= default
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_BIND_TIME= 10
I also have another LDAP server (IP 192.168.1.10). It is configured as a replica of the 192.168.1.9 LDAP server.
The question is how can I configure sendmail to use both LDAP servers?
The man pages explain how to configure ldapclient to use ONE server, and what if I want to use two or more? All the settings and the profiles are the same.
Thanks in advance =))
Hi!
To add LDAP servers to the Solaris ldapclient, you might use the ldapclient command:
ldapclient manual -v -a defaultServerList="servera.yourdomain.com serverb.yourdomain.com"
But this is only failover; AFAIK the Solaris ldapclient does not perform load balancing by itself.
But I am not sure about your sendmail program. Normally, sendmail has its own configuration
and can be configured to use LDAP, e.g. for aliases etc.
Regards!
Rainer -
Greetings,
What are the entities that can be re-used in different servers, SI App, SI instance? And how?
e.g. can I use a deployed IQStreamable@app1 into app2?
can I use a deployed observable/app1/siInstance1/Server1 into another query/app3/siInstance3/server2?
On the presentation titled "04 – Installing, Deploying and Maintaining the SQL Server 2008 R2 StreamInsight Runtime Engine" with file name SQL10R2UPD05-DECK-04.pptx on ecn.channel9.msdn.com/o9/learn/SQL2008R2TrainingKit/Presentations/SQL10R2UPD05-DECK-04/SQL10R2UPD05-DECK-04.pptx
It is mentioned one of the deployment option is "Deployment: Standalone Server"
and it mention the following:
"Use this option for the following scenarios:
- Metadata objects need to be shared between applications
- Event Types
- Adapter Types
- Query Templates
- A data source registered with the server provides an event stream for another existing application"
Could you please provide good example that explain the above statement?
Cheers, Muhammad
First, that statement - and those materials - refer to the "legacy" StreamInsight query/adapter model. They do not refer to how things work with the Reactive model introduced in version 2.1. Specifically, it talks about Dynamic Query Composition (DQC).
You cannot use a deployed Observable in another instance of StreamInsight. You may be able to use them across applications in the same instance - off the top of my head, I'm not sure. I'm getting ready to get on a plane but will take a look at it later.
Typically, however, applications act as containers (comparable to .NET AppDomains) so I don't think that you'd be able to do this easily. That said, the code and assemblies
can be reused across multiple instances/applications. You would have separate instances of the classes involved but you would be able to reuse the query logic. That's a common use case.
Can you be more specific about your use case and what you are trying to accomplish here? It's possible that there are alternative ways to do what you are trying to do.
DevBiker (aka J Sawyer)
Microsoft MVP - Sql Server (StreamInsight)
If I answered your question, please mark as answer.
If my post was helpful, please mark as helpful. -
how to Create and use of Coherence servers in weblogic serevr 11g (10.3.6)?
See the below discussion
How to create and use Webservice controls using WSDL in weblogic portal10.3
Thanks,
Venkat Sarvabatla -
I've reinstalled OS X 10.7.5 using the Apple servers but my files were not erased, has the HD been reformatted and 10.7.5 reinstalled?
Reinstalling OS X does not erase your files.
Compare
OS X Lion: Reinstall Mac OS X
and
OS X Lion: Erase and reinstall Mac OS X - Apple Support -
Restricted stock used in intra-company stock transfer
Hi,
Can anyone give me the link about the description and difference between unrestricted stock, restricted stock and blocked stock?
And for intra-company stock transfer (in one company code), I would like to post goods issue with restricted stock, and in inter-company stock transfer and third-party sales, I would not like restricted stock to be used. How can I configure this in the system?
Many thanks,
Aries
Hi Attila,
Thank you for your information.
For different delivery types, such as LF, NLCC, NL, the checking rules are all the same. It is very unreasonable,
because for NL (stock transfer under one company code), we would like restricted stock used, and for LF and NLCC we only want unrestricted stock. Due to the same checking rule for all the delivery types, changing the checking rule will not meet the requirements for all the types. Is there a customizing setting to define checking rules for different delivery types? If there is not, how can I do a modification to meet our requirement?
Many Thanks
Aries -
Is it possible to use UCS Blade Servers in ACE Load Balancing
Hi all ,
Is it possible to use UCS Blade Servers in ACE load balancing? Please note that the UCS Blade Servers are not connected directly to the 6500 switch where the ACE module is installed. I am expecting a good suggestion from either an ACE or a switching expert.
Thanks in advance
Sanjeevi
There is nothing that would prevent you from load balancing the applications that run on UCS servers. ACE can load balance applications that are directly L2 attached (bridged or routed mode) or even servers that are multiple L3 hops away using one-armed mode with source NAT. The key to this is that the return traffic from the server needs to make it back to the ACE.
-
We just implemented ISE 802.1x on a couple of our Cisco 4507 switches and we are seeing the following error in the log.
%HA_EM-3-LOG: NAC-RADIUS-FAIL-OPEN-DEAD: All RADIUS servers are dead changing the nac-enforcement ACL to permit all
I pasted it into the Cisco error message decoder and it came back with not found.
Thanks...
Jimmy,
Sorry for the late reply, but it turned out that we needed to add the missing auth data VLAN command on the switch. After that the error went away.
Thanks for your input, I do appreciate it.
Jack.