Restricting SSIDs using Win2008 Radius Servers

Similar Messages

• Using Multiple RADIUS servers w/ LEAP & WPA concurrently

  Our current Wireless network was setup by someone on the outside an it uses LEAP w/ckip. When we have random employees come in CKIP is a pain since ckip usually isn't supported by any of the laptop OEM wireless drivers. We've had to resort to using the manufacturer's drivers to get it to work. So because of this we started looking at moving to using WPA w/ TKIP or AES. I started out with a small test setup using MS IAS, PEAP and an IOS based Aironet 1231. The test environment seems to be working fine I can associate with it and gain network access so I don't think there are any problems with IAS or PEAP.
  My intention is to setup additional SSIDs on new VLANs so I can run the test WPA network in parallel with the in use LEAP networks. My problem I've seem to run into is when I mix the two configs WPA no longer works. I've enable quite a few different debugs get an idea on what might be the problem and the only thing I can come up with at this time is the possibility of wlccp being the problem. When the machine is trying to connect to the WPA SSID I see a lot of wlccp messages which if I understand how this is supposed to work wlccp shouldn't come into play. For the WPA data clients I don't really care about fast roaming which is what I understand wlccp to be for. People aren't walking around with their laptops while doing something network dependent. They sit down in one location and so seemless roaming is a non-issue.
  I've attached sanitized version of the two configs. I'll continue to hack on this but I'm hoping I'm just overlooking something that a second set of eyes might catch. Or maybe it's not even possible. I'd also be interested in what others are using as their network EAP methods, EAP-FAST, PEAP, EAP-TLS. I initially chose PEAP since it seems like a happy medium between strength and ease of use from the client end since 98% of all clients will be Windows laptops. Any comments on using WPA-PSK vs LEAP with 7920 phones?
  Thanks in advance,
  jeff

  Jeff
  1. it is recommended that the AP you use as the primary WDS has the radiu disabled.
  2. It is also standard that your bridge groups be numbered the same as you VLAN's
  3. your native VLAN should not have an SSID associated with it. this is not mandatory but again SOP for multiple VLAN configs.
  4. heere is an excelent link for configuring WDS of course it shows using an ACS server as your radius server but any radius server will work.
  http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801c951f.shtml.
  5 as Irene points out PEAP is a better choice for EAP as it is more secure than LEAP and more widely supported.
  6. Any version of WPA is prefered over the older security protocls due the the better encryption methods used.
  regards
  Bill

• Adding AAA servers to ACS to use Proxy RADIUS distribution Table

  Hello,
  I've added two non ACS radius servers (Radiator) to the AAA servers on Network Config, in order to use them on a proxy distribution table.
  I had problems authenticating users through those servers and I did a sniffer trace on the outside interface of the ACS.
  What I saw is that ACS sends packets to the AAA server configured as RADIUS on port 1645, not 1812, the expected standard, and port to which the others servers are listening to. How can I change this behaviour?
  Thanks
  Gustavo

  ACS by default will listen on both ports 1645 and 1812, the two "standard" Radius ports. However, when talking to a proxy server it will only send them on 1645, by default. To change this you have to go into the registry and change it as follows:
  Under [HKEY_LOCAL_MACHINE\SOFTWARE\Cisco\CiscoAAAv3.x\Hosts\\RADIUS] (where is the server you want to send the 1812 reuests to, and note that you may have to add the RADIUS key if it isn't there already), you can add the following:
  "authPort"=dword:0000066e <<---- 1645
  "acctPort"=dword:0000066d <<---- 1646
  "timeout"=dword:00000001
  "single connection"=dword:00000000
  "strip users"=dword:00000000
  You don't need all of them, you can just change the authPort to 1812 (714 in hex) and acctPort to 1813 (0x715) and you should be good to go. Make sure you reboot the server after making the registry changes. Keys are case-sensitive too so make sure you type them in EXACTLY as I've shown above.

• Dot1x with port security and redundant radius servers

  I have a strange issue with my dot1x port authentication.  I have two radius servers configured in my switch for redundancy, and on my switchport I have a Cisco IP phone and a PC.  Testing redundnacy with the radius servers, when I have both servers active and running, the port authentication works fine for both phone and pc.  When I fail the radius servers in the configuration, by disconnecting the NIC on it, the switch goes to the surviving radius server and authenticates, (I can see it in the running log) both the phone and PC get an access-accept, but only the phone works on the network and the port light stays amber showing it's blocking for the pc.  Strange, since it showed an accept on the radius server.
  This only seems to happen when the first one on the list is failed.  When the second one is failed, it obviously won't need to try it, so there's not an issue.  Any ideas?
  Here's the setup and configs:
  freeradius 2.1.12-4
  cisco 3560
  Switch Ports Model              SW Version            SW Image                
  *    1 52    WS-C3560G-48PS     12.2(53)SE2           C3560-IPBASEK9-M 
  aaa new-model
  aaa authentication dot1x default group radius
  aaa authorization network default group radius
  interface GigabitEthernet0/1
  switchport access vlan 100
  switchport mode access
  switchport voice vlan 110
  authentication event no-response action authorize vlan 901
  authentication host-mode multi-domain
  authentication port-control auto
  authentication periodic
  authentication violation protect
  mab
  dot1x pae authenticator
  dot1x timeout quiet-period 10
  dot1x timeout tx-period 1
  no mdix auto
  spanning-tree portfast
  radius-server host 10.90.1.88 auth-port 1645 acct-port 1646 key 7 xxx
  radius-server host 10.90.1.85 auth-port 1645 acct-port 1646 key 7 xxx
  Here's an authentication string from the radius server:
  (there are two mac address.  The first one 00.13 is the PC and the second 30.37 is the phone)
  rad_recv: Access-Request packet from host 10.90.100.7 port 1645, id=204, length=160
  User-Name = "001372b639a6"
  User-Password = "001372b639a6"
  Service-Type = Call-Check
  Framed-MTU = 1500
  Called-Station-Id = "9C-AF-CA-23-D9-01"
  Calling-Station-Id = "00-13-72-B6-39-A6"
  Message-Authenticator = 0xfeef777a8033c24934306b3cce78c8f1
  NAS-Port-Type = Ethernet
  NAS-Port = 50001
  NAS-Port-Id = "GigabitEthernet0/1"
  NAS-IP-Address = 10.90.100.7
  Wed Sep 18 10:48:06 2013 : Info: # Executing section authorize from file /etc/raddb/sites-enabled/default
  Wed Sep 18 10:48:06 2013 : Info: +- entering group authorize {...}
  Wed Sep 18 10:48:06 2013 : Info: ++[preprocess] returns ok
  Wed Sep 18 10:48:06 2013 : Info: ++[chap] returns noop
  Wed Sep 18 10:48:06 2013 : Info: ++[mschap] returns noop
  Wed Sep 18 10:48:06 2013 : Info: ++[digest] returns noop
  Wed Sep 18 10:48:06 2013 : Info: [suffix] No '@' in User-Name = "001372b639a6", looking up realm NULL
  Wed Sep 18 10:48:06 2013 : Info: [suffix] No such realm "NULL"
  Wed Sep 18 10:48:06 2013 : Info: ++[suffix] returns noop
  Wed Sep 18 10:48:06 2013 : Info: [eap] No EAP-Message, not doing EAP
  Wed Sep 18 10:48:06 2013 : Info: ++[eap] returns noop
  Wed Sep 18 10:48:06 2013 : Info: [sql]           expand: %{User-Name} -> 001372b639a6
  Wed Sep 18 10:48:06 2013 : Info: [sql] sql_set_user escaped user --> '001372b639a6'
  Wed Sep 18 10:48:06 2013 : Debug: rlm_sql (sql): Reserving sql socket id: 3
  Wed Sep 18 10:48:06 2013 : Info: [sql]           expand: SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = '001372b639a6'           ORDER BY id
  Wed Sep 18 10:48:06 2013 : Debug: rlm_sql_mysql: query:  SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = '001372b639a6'           ORDER BY id
  Wed Sep 18 10:48:06 2013 : Info: [sql] User found in radcheck table
  Wed Sep 18 10:48:06 2013 : Info: [sql]           expand: SELECT id, username, attribute, value, op           FROM radreply           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radreply           WHERE username = '001372b639a6'           ORDER BY id
  Wed Sep 18 10:48:06 2013 : Debug: rlm_sql_mysql: query:  SELECT id, username, attribute, value, op           FROM radreply           WHERE username = '001372b639a6'           ORDER BY id
  Wed Sep 18 10:48:06 2013 : Info: [sql]           expand: SELECT groupname           FROM radusergroup           WHERE username = '%{SQL-User-Name}'           ORDER BY priority -> SELECT groupname           FROM radusergroup           WHERE username = '001372b639a6'           ORDER BY priority
  Wed Sep 18 10:48:06 2013 : Debug: rlm_sql_mysql: query:  SELECT groupname           FROM radusergroup           WHERE username = '001372b639a6'           ORDER BY priority
  Wed Sep 18 10:48:06 2013 : Debug: rlm_sql (sql): Released sql socket id: 3
  Wed Sep 18 10:48:06 2013 : Info: ++[sql] returns ok
  Wed Sep 18 10:48:06 2013 : Info: ++[expiration] returns noop
  Wed Sep 18 10:48:06 2013 : Info: ++[logintime] returns noop
  Wed Sep 18 10:48:06 2013 : Info: ++[pap] returns updated
  Wed Sep 18 10:48:06 2013 : Info: Found Auth-Type = PAP
  Wed Sep 18 10:48:06 2013 : Info: # Executing group from file /etc/raddb/sites-enabled/default
  Wed Sep 18 10:48:06 2013 : Info: +- entering group PAP {...}
  Wed Sep 18 10:48:06 2013 : Info: [pap] login attempt with password "001372b639a6"
  Wed Sep 18 10:48:06 2013 : Info: [pap] Using clear text password "001372b639a6"
  Wed Sep 18 10:48:06 2013 : Info: [pap] User authenticated successfully
  Wed Sep 18 10:48:06 2013 : Info: ++[pap] returns ok
  Wed Sep 18 10:48:06 2013 : Info: # Executing section post-auth from file /etc/raddb/sites-enabled/default
  Wed Sep 18 10:48:06 2013 : Info: +- entering group post-auth {...}
  Wed Sep 18 10:48:06 2013 : Info: ++[exec] returns noop
  Sending Access-Accept of id 204 to 10.90.100.7 port 1645
  Wed Sep 18 10:48:06 2013 : Info: Finished request 0.
  Wed Sep 18 10:48:06 2013 : Debug: Going to the next request
  Wed Sep 18 10:48:06 2013 : Debug: Waking up in 4.9 seconds.
  Wed Sep 18 10:48:11 2013 : Info: Cleaning up request 0 ID 204 with timestamp +77
  Wed Sep 18 10:48:11 2013 : Info: Ready to process requests.
  rad_recv: Access-Request packet from host 10.90.100.7 port 1645, id=205, length=160
  User-Name = "3037a616cd49"
  User-Password = "3037a616cd49"
  Service-Type = Call-Check
  Framed-MTU = 1500
  Called-Station-Id = "9C-AF-CA-23-D9-01"
  Calling-Station-Id = "30-37-A6-16-CD-49"
  Message-Authenticator = 0xc9173e759dd759b9d414d192783e8a8e
  NAS-Port-Type = Ethernet
  NAS-Port = 50001
  NAS-Port-Id = "GigabitEthernet0/1"
  NAS-IP-Address = 10.90.100.7
  Wed Sep 18 10:48:13 2013 : Info: # Executing section authorize from file /etc/raddb/sites-enabled/default
  Wed Sep 18 10:48:13 2013 : Info: +- entering group authorize {...}
  Wed Sep 18 10:48:13 2013 : Info: ++[preprocess] returns ok
  Wed Sep 18 10:48:13 2013 : Info: ++[chap] returns noop
  Wed Sep 18 10:48:13 2013 : Info: ++[mschap] returns noop
  Wed Sep 18 10:48:13 2013 : Info: ++[digest] returns noop
  Wed Sep 18 10:48:13 2013 : Info: [suffix] No '@' in User-Name = "3037a616cd49", looking up realm NULL
  Wed Sep 18 10:48:13 2013 : Info: [suffix] No such realm "NULL"
  Wed Sep 18 10:48:13 2013 : Info: ++[suffix] returns noop
  Wed Sep 18 10:48:13 2013 : Info: [eap] No EAP-Message, not doing EAP
  Wed Sep 18 10:48:13 2013 : Info: ++[eap] returns noop
  Wed Sep 18 10:48:13 2013 : Info: [sql]           expand: %{User-Name} -> 3037a616cd49
  Wed Sep 18 10:48:13 2013 : Info: [sql] sql_set_user escaped user --> '3037a616cd49'
  Wed Sep 18 10:48:13 2013 : Debug: rlm_sql (sql): Reserving sql socket id: 2
  Wed Sep 18 10:48:13 2013 : Info: [sql]           expand: SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = '3037a616cd49'           ORDER BY id
  Wed Sep 18 10:48:13 2013 : Debug: rlm_sql_mysql: query:  SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = '3037a616cd49'           ORDER BY id
  Wed Sep 18 10:48:13 2013 : Info: [sql] User found in radcheck table
  Wed Sep 18 10:48:13 2013 : Info: [sql]           expand: SELECT id, username, attribute, value, op           FROM radreply           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radreply           WHERE username = '3037a616cd49'           ORDER BY id
  Wed Sep 18 10:48:13 2013 : Debug: rlm_sql_mysql: query:  SELECT id, username, attribute, value, op           FROM radreply           WHERE username = '3037a616cd49'           ORDER BY id
  Wed Sep 18 10:48:13 2013 : Info: [sql]           expand: SELECT groupname           FROM radusergroup           WHERE username = '%{SQL-User-Name}'           ORDER BY priority -> SELECT groupname           FROM radusergroup           WHERE username = '3037a616cd49'           ORDER BY priority
  Wed Sep 18 10:48:13 2013 : Debug: rlm_sql_mysql: query:  SELECT groupname           FROM radusergroup           WHERE username = '3037a616cd49'           ORDER BY priority
  Wed Sep 18 10:48:13 2013 : Debug: rlm_sql (sql): Released sql socket id: 2
  Wed Sep 18 10:48:13 2013 : Info: ++[sql] returns ok
  Wed Sep 18 10:48:13 2013 : Info: ++[expiration] returns noop
  Wed Sep 18 10:48:13 2013 : Info: ++[logintime] returns noop
  Wed Sep 18 10:48:13 2013 : Info: ++[pap] returns updated
  Wed Sep 18 10:48:13 2013 : Info: Found Auth-Type = PAP
  Wed Sep 18 10:48:13 2013 : Info: # Executing group from file /etc/raddb/sites-enabled/default
  Wed Sep 18 10:48:13 2013 : Info: +- entering group PAP {...}
  Wed Sep 18 10:48:13 2013 : Info: [pap] login attempt with password "3037a616cd49"
  Wed Sep 18 10:48:13 2013 : Info: [pap] Using clear text password "3037a616cd49"
  Wed Sep 18 10:48:13 2013 : Info: [pap] User authenticated successfully
  Wed Sep 18 10:48:13 2013 : Info: ++[pap] returns ok
  Wed Sep 18 10:48:13 2013 : Info: # Executing section post-auth from file /etc/raddb/sites-enabled/default
  Wed Sep 18 10:48:13 2013 : Info: +- entering group post-auth {...}
  Wed Sep 18 10:48:13 2013 : Info: ++[exec] returns noop
  Sending Access-Accept of id 205 to 10.90.100.7 port 1645
  Cisco-AVPair = "device-traffic-class=voice"
  Wed Sep 18 10:48:13 2013 : Info: Finished request 1.
  Wed Sep 18 10:48:13 2013 : Debug: Going to the next request
  Wed Sep 18 10:48:13 2013 : Debug: Waking up in 4.9 seconds.
  Wed Sep 18 10:48:18 2013 : Info: Cleaning up request 1 ID 205 with timestamp +84
  Wed Sep 18 10:48:18 2013 : Info: Ready to process requests.
  Thanks!

  802.1X support    requires an authentication server that is configured for Remote    Authentication Dial-In User Service (RADIUS). 802.1X authentication does  not   work unless the network access switch can route packets to the  configured   RADIUS server.
  Please check the  below links which can be helpful in configurations:
  Link-1
  http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/50sg/configuration/guide/dot1x.html

• How to set two radius servers one is window NPS another is cisco radius server

  how to set two radius servers one is window NPS another is cisco radius server
  when i try the following command, once window priority is first , i type cisco radius user name, it authenticated fail
  i can not use both at the same time
  radius-server host 192.168.1.3  is window NPS
  radius-server host 192.168.1.1 is cisco radius
  http://blog.skufel.net/2012/06/how-to-integrating-cisco-devices-access-with-microsoft-npsradius/
  conf t
  no aaa authentication login default line
  no aaa authentication login local group radius
  no aaa authorization exec default group radius if-authenticated
  no aaa authorization network default group radius
  no aaa accounting connection default start-stop group radius
  aaa new-model
  aaa group server radius IAS
   server 192.168.1.1 auth-port 1812 acct-port 1813
   server 192.168.1.3 auth-port 1812 acct-port 1813
  aaa authentication login userAuthentication local group IAS
  aaa authorization exec userAuthorization local group IAS if-authenticated
  aaa authorization network userAuthorization local group IAS
  aaa accounting exec default start-stop group IAS
  aaa accounting system default start-stop group IAS
  aaa session-id common
  radius-server host 192.168.1.1 auth-port 1812 acct-port 1813
  radius-server host 192.168.1.2 auth-port 1812 acct-port 1813
  radius-server host 192.168.1.3 auth-port 1645 acct-port 1646
  radius-server host 192.168.1.3 auth-port 1812 acct-port 1813
  privilege exec level 1 show config
  ip radius source-interface Gi0/1
  line vty 0 4
   authorization exec userAuthorization
   login authentication userAuthentication
   transport input telnet
  line vty 5 15
   authorization exec userAuthorization
   login authentication userAuthentication
   transport input telnet
  end
  conf t
  aaa group server radius IAS
   server 192.168.1.3 auth-port 1812 acct-port 1813
   server 192.168.1.1 auth-port 1812 acct-port 1813
  end

  The first AAA server listed in your config will always be used unless/until it becomes unavailable. At that point the NAD would move down to the next AAA server defined on the list and use that one until it becomes unavailable and then move to third one, and so on. 
  If you want to use two AAA servers at the same time then you will need to put a load balancer in front of them. Then the virtual IP (vip) will be listed in the NADs vs the individual AAA servers' IPs. 
  I hope this helps!
  Thank you for rating helpful posts!

• Ise Authentication to two different forests second using External Radius, Not LDAP

  Hi Guys,
  I am hoping someone can help me.  We currently have two AD forests one for staff and one for students.  These forests do not have a two way trust between them nor do we want to. We currently have Ise 1.2 integration with our Student forest using AD working just fine. The ipads and other devices are playing nicely and cooperating well.    We want to get our staff to be able to use ISE as well.  Currently there is no way to use two AD forests so I was directed to use LDAP instead for the second domain.  Unfortunatley after playing around with it LDAP doesn't support mschapv2 which our mobile devices like ipads do play nicely with.  This causes an issue only because we would have to utilize certificates to get everything to work correctly.  This is not the route we want to go.  So i was speaking to Tac and they recommended using an External Radius server.  Then modify my auth profiles to look for the domain name in the authentication string.  If it starts for example student\ then i can have ise forward the auth request to the AD integrated PSNs for auth.  If the auth string starts with staff\ for example i should be able to forward this request to my external radius server. 
  This sounds all good in theory but i have not found any documentation to support this to help me configure it.  Has anyone tried this approach?  Or have any leads on where i can find some good documentation as to what radius servers are supported.  I am hoping Windows server 2008 R2 with a radius role installed, but i am just not sure.
  If anyone can help i would greatly appreciate it.
  Thank you
  Joey

  That is correct! Cisco ISE supports integration with a single Active  Directory identity source. Cisco ISE uses this Active Directory identity  source to join itself to an Active Directory domain. If this Active  Directory source has a multidomain forest, trust relationships must  exist between its domain and the other domains in order for Cisco ISE to  retrieve information from all domains within the forest.
  However,  you may create multiple instances for LDAP. Cisco ISE can communicate  via LDAP to Active Directory servers in an untrusted domain. The only  limitation you would see with LDAP being a database that it doesn't  support PEAP MSCHAPv2 ( native microsoft supplicant). However it does  suppport EAP-TLS.
  For more information you may go through the below listed link
  http://www.cisco.com/en/US/solutions/collateral/ns340/ns414/ns742/ns744/docs/howto_45_multiple_active_directories.pdf

• "Accounting-Start" and "Accounting-Stop" with same "user name" and "session Id" recorded in different RADIUS servers.

  Hi,
  I have questions about "Accounting-Start" and "Accounting-Stop".
  1.If a NAS configured to have a primary and a backup RADIUS server. To start with all the “Accounting-Start” records will be in the primary RADIUS server. Later on the primary server goes down (Primary server won’t tell the NAS?). When sessions stop, the NAS sends the “Accounting-Stop” to the secondary. I understand the “Start-Stop” record with the same “user name” and “session-id” ideally should be recorded in the same server. If this situation happens what should both the NAS and RADIUS server do?
  2.A NAS configured to have a primary and backup RADIUS server. To start with all the “Accounting-Start” records will be in the primary RADIUS server. Later on the administrator decided to change the primary server (as there are problems with the previous primary). sessions stop, the NAS sends the “Accounting-Stop” to the new primary. This ends up the “Accounting-Start” and “Accounting-Stop” with the same “user name” and “session Id” in two RADIUS servers.
  To summarize, how to avoid the ”start-stop” pair ends up in different servers ? If it does, is it  an issue for RADIUS application ?
  Cheers,
  1.If a NAS configured to have a primary and a backup RADIUS server. To start with all the “Accounting-Start” records will be in the primary RADIUS server. Later on the primary server goes down (Primary server won’t tell the NAS?). When sessions stop, the NAS sends the “Accounting-Stop” to the secondary. I understand the “Start-Stop” record with the same “user name” and “session-id” ideally should be recorded in the same server. If this situation happens what should both the NAS and RADIUS server do?
  2.A NAS configured to have a primary and backup RADIUS server. To start with all the “Accounting-Start” records will be in the primary RADIUS server. Later on the administrator decided to change the primary server (as there are problems with the previous primary). sessions stop, the NAS sends the “Accounting-Stop” to the new primary. This ends up the “Accounting-Start” and “Accounting-Stop” with the same “user name” and “session Id” in two RADIUS servers.
  To summarize, how to avoid the ”start-stop” pair ends up in different servers ? If it does, is it  an issue for RADIUS application ?
  Cheers,

  vignesh and BalusC,
  following is the code in front controller's doFilter method. is this not thread safe?
          HttpServletRequest req = (HttpServletRequest) request;
          HttpServletResponse res = (HttpServletResponse) response;
          HttpSession session = req.getSession();
          somepackage.User user;
          if(session.getAttribute("user") == null){
              user = new somepackage.User();
              session.setAttribute("user", user);
          }else{           
              user = (somepackage.User) session.getAttribute("user");
          }user object maintains all information about a user. if it is in session scope, everything should work fine.
  another observation is after some time of usage, both people in different systems are getting same session.getId()
  in my logout page i am using
  session.invalidate();
  thanks,
  moses

• Using external radius with ise for guest authentication

  Hi Everyone,
  I am trying to migrate from NAC Guest Server to Cisco ISE Guest CWA on wireless, and can't figure out whether what i am trying is just unsupported or i just can't find out how to do this ?
  I am attempting to authenticate my existing guest users, using a radius lookup towards my existing NAC Guest server, which has many hundred guest users with long account duration, which i really don't want to recreate on ISE, and send new passwords to all those users. Problem is i can't export the user list from NAC guest server with the password intact, and ISE can't import guest users with a set password.
  Any ideas ?

  Setting up ISE as radius  proxy server will work because NAC guest user does not support exporting user information with passwords
  Step 1 Choose Administration > Network Resources > External RADIUS Servers.
  The External RADIUS Servers page appears.
  Step 2 Click Filter > Advanced Filter to perform your search. The Filter page appears.
  Step 3 You must define whether the search should match any or all of the rules that you define on this page.
  Step 4 Enter your search criteria based on the name or description of the RADIUS server, choose an operator, and enter the value.
  Step 5 You can do the following:
  •To add a filter condition, click the plus sign (+).
  •To remove a filter condition, click the minus sign (-).
  •To clear all filter conditions, click Clear Filter.
  Step 6 Click Go to perform your search.
  You can also save the filter criteria so that it can be used again. Click the Save icon to save the filter condition.

• How to configure sendmail to use multiple LDAP servers ?

  Hi everybody!
  I have a sendmail running on Solaris 10 and a LDAP server(192.168.1.9) also running Solaris 10 OS. I have configured the sendmail the following way:
  bash-3.00# ldapclient list
  NS_LDAP_FILE_VERSION= 2.0
  NS_LDAP_BINDDN= cn=proxyagent,ou=profile,dc=email,dc=reso,dc=ru
  NS_LDAP_BINDPASSWD= {NS1}*********************
  NS_LDAP_SERVERS= 192.168.1.9
  NS_LDAP_SEARCH_BASEDN= dc=email,dc=domain,dc=ru
  NS_LDAP_AUTH= simple
  NS_LDAP_SEARCH_REF= FALSE
  NS_LDAP_SEARCH_SCOPE= sub
  NS_LDAP_SEARCH_TIME= 30
  NS_LDAP_CACHETTL= 43200
  NS_LDAP_PROFILE= default
  NS_LDAP_CREDENTIAL_LEVEL= proxy
  NS_LDAP_BIND_TIME= 10
  I also have another LDAP server (IP 192.168.1.10). It is configured as a replicant of the 192.168.1.9 LDAP server.
  The question is how can i configure sendmail to use both LDAP servers ?
  The man pages explain how to configure ldapclient to use ONE server and what if want to use two or more? All the settings and the profiles the same.
  Thanks in advance =))

  Hi!
  To add LDAP servers to the Solaris ldapclient, you might use the ldapclient command:
  ldapclient manual -v -a defaultServerList="servera.yourdomain.com serverb.yourdomain.com"
  But this is only failover, AFAIK the Solaris ldapclient does not perform loadbalancing by itself.
  But I am not sure about your sendmail programm. Normally, sendmail has its own configuration
  and can be configured to use LDAP e.g. for aliases etc.
  Regards!
  Rainer

• What are the entities that can be re-used in different servers, SI App, SI instance? And how?

  Greetings,
  What are the entities that can be re-used in different servers, SI App, SI instance? And how?
  e.g. can I use a deployed IQStreamable@app1  into app2?
  can I use a deployed observable/app1/siInstance1/Server1 into another query/app3/siInstance3/server2?
  On the presentation titled "04 – Installing, Deploying and Maintaining the SQL Server 2008 R2 StreamInsight Runtime Engine" with file name SQL10R2UPD05-DECK-04.pptx on ecn.channel9.msdn.com/o9/learn/SQL2008R2TrainingKit/Presentations/SQL10R2UPD05-DECK-04/SQL10R2UPD05-DECK-04.pptx
  It is mentioned one of the deployment option is "Deployment: Standalone Server"
  and it mention the following:
  "Use this option for the following scenarios:
  - Metadata objects need to be shared between applications
    - Event Types
    - Adapter Types
    - Query Templates
  - A data source registered with the server provides an event stream for another existing application"
  Could you please provide good example that explain the above statement?
  Cheers, Muhammad

  First, that statement - and those materials - refer to the "legacy" StreamInsight query/adapter model. They do not refer to how things work with the Reactive model introduced in version 2.1. Specifically, it talks about Dynamic Query Composition (DQC).
  You cannot use a deployed Observable in another instance of StreamInsight. You may be able to use them across applications in the same instance - off the top of my head, I'm not sure. I'm getting ready to get on a plane but will take a look at it later.
  Typically, however, applications act as containers (comparable to .NET AppDomains) so I don't think that you'd be able to do this easily. That said, the code and assemblies
  can be reused across multiple instances/applications. You would have separate instances of the classes involved but you would be able to reuse the query logic. That's a common use case.
  Can you be more specific about your use case and what you are trying to accomplish here? It's possible that there are alternative ways to do what you are trying to do.
  DevBiker (aka J Sawyer)
  Microsoft MVP - Sql Server (StreamInsight)
  If I answered your question, please mark as answer.
  If my post was helpful, please mark as helpful.

• How to Create  and use of Coherence servers in weblogic serevr 11g (10.3.6)?

  how to Create  and use of Coherence servers in weblogic serevr 11g (10.3.6)?

  See the below discussion
  How to create and use Webservice controls using WSDL in weblogic portal10.3
  Thanks,
  Venkat Sarvabatla

• I've reinstalled OS X 10.7.5 using the Apple servers but my files were not erased, has the HD been reformatted and 10.7.5 reinstalled?

  I've reinstalled OS X 10.7.5 using the Apple servers but my files were not erased, has the HD been reformatted and 10.7.5 reinstalled?

  Reinstalling OS X does not erase your files.
  Compare
  OS X Lion: Reinstall Mac OS X
  and
  OS X Lion: Erase and reinstall Mac OS X - Apple Support

• Restricted stock used in intra-company stock transfer

  Hi,
  Can anyone give me the link about the description and difference between unrestricted stock, restricted stock and blocked stock?
  And for intra-company stock transfer(in one company code), I would like to post goods issue with restriced stock. and in inter-company stock transter and third-party sales, I would not like restricted stock to be used. How can I configure in system?
  Many thanks,
  Aries

  Hi Attila,
  Thank you for your informaiton.
  For different delivery types, such as LF, NLCC, NL, the checking rule are all the same. It is very unreasonalbe
  because for NL(stock transfer under one company code), we would like restricted stock used and for LF and NLCC, we only want unrestricted stock. Due to the same checking rule for all the delivery types, changing checking rule will not meet the requirements for all the types. If there is a customizing to set checking rules for different delivery types. If there is not, how can I do modification to meet our requirement?
  Many Thanks
  Aries

• Is it possible to use UCS Blade Servers in ACE Load Balancing

  Hi all ,
  Is it possible to use UCS Blade Servers in ACE Load Balancing ?? Please note that UCS Blade Servers are not connected directly to 6500 Switch where ACE Module installed .i am expecting a good suggestion from whether ACE or Switching Expert
  Thanks in advance
  Sanjeevi

  There is nothing that would prevent you from loadbalancing the applications that run on UCS servers.  ACE can loadbalance applications that are directly L2 attached (bridged or routed mode) or even servers that are multiple hops L3 hops away using one-armed mode with source nat.  The key to this is that the return traffic from the server needs to make it back to the ACE.

• %HA_EM-3-LOG: NAC-RADIUS-FAIL-OPEN-DEAD: All RADIUS servers are dead changing the nac-enforcement ACL to permit all

  We just implemented ISE 802.1x in couple of our  Cisco 4507 switches  and we are seeing the following error in the log.
  %HA_EM-3-LOG: NAC-RADIUS-FAIL-OPEN-DEAD: All RADIUS servers are dead changing the nac-enforcement ACL to permit all
  I paste it in the Cisco error message decoder and came back with not found.
  Thanks...

  Jimmy,
  Srory for the late reply but it turned out to be we needed to add the missing auth data vlan command on the switch. After that the error went away.
  Thanks for you input I do appreciate it.
  Jack.