TrustSEC - Wired deployment on SGA

Hi Forumers,
I would like to do a POC of a TrustSec wired deployment.
After reviewing the Cisco TrustSec 2.0 design and implementation guide, I found that the C6500 needs at least 12.2(33)SXI7.
My question is: my 2 C6500 core switches currently run different IOS versions (I am constrained from migrating both to 12.2(33)SXJ1, because there is a legacy MT-RJ blade and an ACE-10 attached to Device A). In this situation, am I still able to do SGT Exchange Protocol (SXP)?
Second question: for the C6500 to support MACsec switch-to-switch, what are the hardware / software requirements?
Thanks
Noel

I have deployed ISE in the past with static IPs and did not have any issues as long as the VLAN that was being assigned to the port matches the VLAN that the subnet of the static IP resides in. 
What is the behavior of the endpoint and what issues are you seeing?
Thank you for rating helpful posts!

Similar Messages

  • Port Authentication Options

    I'm needing help with finding out the available options I have when it comes to port control on a switch.
    This is the problem I'm having and would like some ideas on how to resolve it:
    I work for a school and I have a problem with teachers switching out their PC with another PC of a previous employee that no longer works there. The switches are currently set up to use sticky MACs. I'm tired of having to go in and change the MAC address every time a computer gets moved. I would like to have something like this (I don't know if it is possible).
    I would like to have it set up where each department (math, science, English, etc.) has a MAC address pool. An example would be if a computer in the math building gets plugged into another port in the math building it will still work, but if that computer gets plugged into a port in the science building it won't be allowed on the network. We have to keep track of all computers and what departments they are in, however we don't have to keep them for the whole campus.
    I hope this makes sense, and thank you for any and all advice you give.

    That's what the Identity Services Engine (ISE) product is designed to do.
    For a wired deployment use case such as you describe, we use dot1x auth-control globally and then optionally combine it with MAC Authentication Bypass (MAB) at the individual interface level.
    With MAB we can register all those MAC addresses in an identity store (or set of stores) on the ISE server and authenticate and authorize systems and users on the ports, or even do things like assign them to different VLANs, download ACLs per port, assign Security Group Tags etc. on the basis of the machine and/or user identity.

  • ISE : error on wired 802.1x deployment

    Hi,
    I got this error message once I try to do wired 802.1x; the identity source is Active Directory.
    I'm just curious: I already enabled 802.1x on the PC LAN port, but I just found the authentication method shown on ISE is MAB!!!
    Any clue?
    Thanks
    Noel

    Hello,
    Please check this link for "802.1x using Cisco ISE", it may help you in this.
    https://supportforums.cisco.com/docs/DOC-29409

  • Deploying USB Enhanced Performance [Wired] Keyboard settings

    Hi. Is there any way to deploy the settings of the USB Enhanced Performance Keyboard so that all computers with the keyboard get the default settings? Got 500+ computers to deploy.

    Hi,
    there is no easy solution, however this might be worth trying since I see it as feasible, and maybe you can even use Migration Assistant if you do not have any other tool (I'm not an expert on Migration Assistant).
    1. Manually export the registry settings from the current user.
    2. Change “HKEY_CURRENT_USER” to “HKEY_LOCAL_MACHINE” in the exported registry file.
    3. Remove any reference to “\users\username”.
    4. Then, import the registry file you modified to another machine.
    See attached file, please.
    Let me know if this is sufficient and it helps.
    Jan Solar
    Product Marketing
    (not a technical support)
    http://blog.lenovo.com/author/jsolar/
    Attachments: reg_settings.png (223 KB)
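    The four manual steps in the reply above (export from HKEY_CURRENT_USER, change the hive to HKEY_LOCAL_MACHINE, drop references to \users\username, import) can be applied to the exported .reg text mechanically. The script below is an added example, not a Lenovo tool or anything from the reply; the sample export, the vendor key path and the user name in it are constructed placeholders, and the reading of step 3 as "drop value lines that point into a user profile" is an assumption.

```python
"""Rewrite a .reg export so per-user keyboard settings load from HKLM.

Added example of the four manual steps in the reply above; it is not a
Lenovo tool. The sample export, vendor key path and user name are
constructed placeholders.
"""
import re

# Constructed sample export, as Registry Editor / 'reg export' would write it
# (string values carry doubled backslashes in .reg syntax).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\ExampleVendor\Keyboard]
"ProfilePath"="C:\\Users\\jsmith\\AppData\\Roaming\\ExampleVendor"
"HotkeyEnabled"=dword:00000001
"Layout"="US"
"""

# Step 2: swap the hive root on key headers, keeping the '[-...]' delete form.
HIVE_RE = re.compile(r"^\[(-?)HKEY_CURRENT_USER\\")
# Step 3: any value that still points into a user profile (\users\<name>).
USER_PATH_RE = re.compile(r"\\+users\\+", re.IGNORECASE)


def rewrite_reg(text):
    """Return (rewritten_text, dropped_lines).

    Key headers are moved from HKEY_CURRENT_USER to HKEY_LOCAL_MACHINE; value
    lines that reference a user profile path are dropped rather than copied,
    since a per-machine setting pointing at one user's profile would be wrong
    for everyone else (this reading of step 3 is an assumption).
    """
    kept, dropped = [], []
    for line in text.splitlines():
        if HIVE_RE.match(line):
            kept.append(HIVE_RE.sub(r"[\g<1>HKEY_LOCAL_MACHINE\\", line))
        elif USER_PATH_RE.search(line):
            dropped.append(line)
        else:
            kept.append(line)
    return "\n".join(kept) + "\n", dropped


if __name__ == "__main__":
    new_text, removed = rewrite_reg(SAMPLE_REG)
    print(new_text)
    print("dropped:", removed)
```

    Writing under HKEY_LOCAL_MACHINE needs an elevated session on the target machine (`reg import <file>` or Registry Editor run as administrator), and the reply presents the whole approach as feasible rather than tested, so verify on one machine that the driver actually reads the per-machine key before rolling it out to 500.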

  • Ask the Experts: Introduction to Cisco Trustsec Solution and Configuration (from Webcast)

    This is an opportunity to learn and ask more questions about Cisco Trustsec solution. The Trustsec solution is designed to flatten the network regardless of the access method but still provide fully distributed and differentiated access control no matter whether you are coming from wired or WiFi or remote access, the Trustsec solution provides a consistent access control policy.
    Ankur Bajaj is a customer support engineer from the AAA team at the Cisco Technical Assistance Center in Richardson, Texas, USA. He has 14 years of total experience. He has worked on a wide range of Cisco Security Technologies such as Cisco ASA, VPN deployments, NAC solution, ACS and ISE deployment. Ankur has CCIE # 22135 in Security.
    Mrinal Jaiswal has been with Cisco since 2007 with previous experience as a software developer.  He works with AAA and Wireless Technical Assistance. Mrinal holds a CCIE in security #31389, MCSA in 2003 track, MCAD in .net, GNIIT from NIIT.
    Beau Wallace is an engineer for the RTP AAA TAC team, supporting multiple solutions including ISE, TrustSec, 802.1x, ACS, NAC, etc. He attended East Carolina University and lives in Raleigh, NC. He holds CCNP, RHCSA, and Security+ Certifications
    This Discussion starts Dec 16th through Dec 19th, 2014
    Remember to use the rating system to let the experts know if you have received an adequate response.
    The experts might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation in the Security community, sub-community, AAA, Identity and NAC discussion forum shortly after the event. This event lasts through December 19, 2014. Visit this forum often to view responses to your questions and the questions of other community members.

    Hi Marvin, first, you would want to ensure the router or switch you use has support for SG-ACLs and enforcement via:
    http://www.cisco.com/c/en/us/solutions/enterprise-networks/trustsec/trustsec_matrix.html
    Once you know that works, you can configure SG-ACLs with a source or destination of "unknown". This keyword indicates traffic where we cannot discover what SGT should be assigned to that traffic, or in other words, traffic from outside the TrustSec domain. We use a relatively common command set on enforcement-supporting platforms; take a look at the following link for command syntax:
    http://www.cisco.com/c/en/us/td/docs/switches/lan/trustsec/configuration/guide/trustsec/sgacl_config.html
    Let me know if the unknown tag was what you were looking for!
    Edits: Spelling.

  • How to deploy Windows 8.1 to many tablets ?

    We need to create a customized OS image (SOE) for Windows 8.1 and deploy to a number of tablet devices in our company.
    We can create the customized image but are not clear about how to deploy it to a tablet. We have SCCM 2012.
    What's the best way to deploy an OS image to a Windows tablet? I would prefer detailed steps on this procedure.

    Detailed procedures are not possible without a detailed inventory of your environment.
    PXE is my choice for new OS deployments, but not all tablets have PXE. Specifically what tablets do you have?
    Some Tablets are also not able to run x64 OS. Do you have any Atom processor machines?
    Installation works best when running from Ethernet rather than Wi-Fi. What is your wired network status?
    Do your machines need to be domain joined? Do you have procedures for imaging machines disconnected from your corpnet?
    Keith Garner - Principal Consultant [owner] -
    http://DeploymentLive.com

  • ISE 1.2 Patch 8 - Wired CoA Bug

    Hi all,
    Just wondering if anyone else is having CoA issues using patch 8 on wired infrastructure? I was troubleshooting CoA this morning in a 5 node deployment (1 x Admin, 1 x Monitoring, 1 x secondary admin/monitoring and 2 x PSN) and found that CoA was not working. I did a debug aaa pod and it said that POD message was dropped due to an unconfigured client and listed off the IP address of the primary admin node that I had initiated the CoA from (in the gui).
    I thought this was strange in that I have always believed the CoA comes from the PSNs. I stopped the primary admin and did the same test using the secondary admin, and the same error presented, this time with the IP address of the secondary admin. I then proceeded to add the admin nodes as dynamic-author clients and CoA started to work properly.
    So in summary I am wondering whether this is a bug, a misunderstanding on my part or a change to the way that ISE CoA now works?

    CoA Not Initiating on Client Machine
    Symptoms or Issue: Cisco ISE is not able to identify the specified Network Access Device (NAD).
    Conditions: Click the magnifying glass icon in Authentications to display the steps in the Authentication Report. The logs display the following error message:
    • 11007 Could not locate Network Device or AAA Client
    Possible Causes:
    • The administrator did not correctly configure the Network Access Device (NAD) type in Cisco ISE.
    • Could not find the network device or the AAA Client while accessing NAS by IP during authentication.
    Resolution:
    • Add the NAD in Cisco ISE again, verifying the NAD type and settings.
    • Verify whether the Network Device or AAA client is correctly configured in Administration > Network Resources > Network Devices.
    Symptoms or Issue: Users logging into the Cisco ISE network are not experiencing the required Change of Authorization (CoA).
    Conditions: Cisco ISE uses port 1700 by default for communicating RADIUS CoA requests from supported network devices.
    Possible Causes: Cisco ISE network enforcement points (switches) may be missing key configuration commands, may be assigning the wrong port (for example, a port other than 1700), or have an incorrect or incorrectly entered key.
    Resolution: Ensure the following commands are present in the switch configuration file (required on the switch to activate CoA and configure the switch):
    aaa server radius dynamic-author
     client <Monitoring_node_IP_address> server-key <radius_key>
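    The "unconfigured client" drop the poster saw in `debug aaa pod` is exactly the case where the CoA source is not in the switch's dynamic-author client list, so the check worth automating is: does every ISE node that may send CoA appear there with a key, and is the port the expected one? The script below is an added example, not Cisco code or anything from the ISE guide quoted above. The running-config and every IP address in it are constructed placeholders, and the list of sending nodes (the PSNs plus the admin nodes the poster observed initiating GUI CoA) is an assumption to confirm against your own deployment.

```python
"""Audit the RADIUS CoA (dynamic-author) client list on an IOS switch.

Added example for the CoA troubleshooting discussion above; it is not
Cisco code. The running-config and every IP address below are constructed
placeholders (RFC 5737 documentation range).
"""
import re

# Constructed sample running-config: two PSNs are registered as CoA clients,
# one extra host has no server-key, and the admin nodes are missing.
SAMPLE_CONFIG = """\
hostname access-sw-01
!
aaa new-model
aaa server radius dynamic-author
 client 192.0.2.10 server-key 7 0822455D0A16
 client 192.0.2.11 server-key 7 0822455D0A16
 client 192.0.2.30
 port 1700
!
radius server ise-psn-1
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key 7 0822455D0A16
!
"""

# Assumed ISE deployment: 2 PSNs plus the primary/secondary admin nodes, which
# the poster observed as the source of GUI-initiated CoA. Confirm for yours.
ISE_NODES = {"192.0.2.10", "192.0.2.11", "192.0.2.20", "192.0.2.21"}

CLIENT_RE = re.compile(r"^\s+client\s+(\S+)(?:\s+server-key\s+(?:\d\s+)?(\S+))?")
PORT_RE = re.compile(r"^\s+port\s+(\d+)")


def parse_dynamic_author(config_text):
    """Return (clients, port) from the 'aaa server radius dynamic-author' block.

    clients maps each client IP to True/False for whether a server-key is
    set on that line; port is the CoA listening port (1700 when unset).
    """
    clients, port, in_block = {}, 1700, False
    for line in config_text.splitlines():
        if line.startswith("aaa server radius dynamic-author"):
            in_block = True
            continue
        if not in_block:
            continue
        if not line.startswith(" "):  # sub-mode lines are indented; anything else ends the block
            in_block = False
            continue
        m = CLIENT_RE.match(line)
        if m:
            clients[m.group(1)] = m.group(2) is not None
            continue
        m = PORT_RE.match(line)
        if m:
            port = int(m.group(1))
    return clients, port


def audit_coa(config_text, ise_nodes, expected_port=1700):
    """Compare the switch's CoA client list with the ISE nodes that may send CoA.

    Any node in 'missing' would produce the 'unconfigured client' drop seen in
    'debug aaa pod'; 'no_key' entries depend on a key configured elsewhere.
    """
    clients, port = parse_dynamic_author(config_text)
    return {
        "missing": sorted(ip for ip in ise_nodes if ip not in clients),
        "no_key": sorted(ip for ip, has_key in clients.items() if not has_key),
        "extra": sorted(ip for ip in clients if ip not in ise_nodes),
        "port": port,
        "port_ok": port == expected_port,
    }


if __name__ == "__main__":
    for key, value in audit_coa(SAMPLE_CONFIG, ISE_NODES).items():
        print(f"{key}: {value}")
```

    Run against the constructed config, the audit reports the two admin nodes as missing, the keyless client as both "no_key" and "extra", and the port as the default 1700. Feed it real running-configs collected from your access switches and the ISE node list from Administration in the GUI; a non-empty "missing" list is the first thing to fix before suspecting a patch-level bug.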

  • Ask the Expert: ISE 1.2: Configuration and Deployment with Cisco expert Craig Hyps

    Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about how to deploy and configure Cisco Identity Services Engine (ISE) Version 1.2 and to understand the features and enhanced troubleshooting options available in this version, with Cisco expert Craig Hyps.
    October 27, 2014 through November 7, 2014.
    The Cisco Identity Services Engine (ISE) helps IT professionals meet enterprise mobility challenges and secure the evolving network across the entire attack continuum. Cisco ISE is a security policy management platform that identifies users and devices using RADIUS, 802.1X, MAB, and Web Authentication methods and automates secure access controls such as ACLs, VLAN assignment, and Security Group Tags (SGTs) to enforce role-based access to networks and network resources. Cisco ISE delivers superior user and device visibility through profiling, posture and mobile device management (MDM) compliance validation, and it shares vital contextual data with integrated ecosystem partner solutions using Cisco Platform Exchange Grid (pxGrid) technology to accelerate the identification, mitigation, and remediation of threats.
    Craig Hyps is a senior Technical Marketing Engineer for Cisco's Security Business Group with over 25 years networking and security experience. Craig is defining Cisco's next generation Identity Services Engine, ISE, and concurrently serves as the Product Owner for ISE Performance and Scale focused on the requirements of the largest ISE deployments.
    Previously Craig has held senior positions as a customer Consulting Engineer, Systems Engineer and product trainer.   He joined Cisco in 1997 and has extensive experience with Cisco's security portfolio.  Craig holds a Bachelor's degree from Dartmouth College and certifications that include CISSP, CCSP, and CCSI.
    Remember to use the rating system to let Craig know if you have received an adequate response.
    Because of the volume expected during this event, Ali might not be able to answer each question. Remember that you can continue the conversation on the Security community, sub-community shortly after the event. This event lasts through November 7, 2014. Visit this forum often to view responses to your questions and the questions of other community members.

    1. Without more specifics it is hard to determine actual issue. It may be possible that if configured in same subnet that asymmetric traffic caused connections to fail. A key enhancement in ISE 1.3 is to make sure traffic received on a given interface is sent out same interface.
    2. Common use cases for using different interfaces include separation of management traffic from user traffic such as web portal access or to support dedicated profiling interfaces. For example, you may want employees to use a different interface for sponsor portal access. For profiling, you may want to use a specific interface for HTTP SPAN traffic or possibly configure IP Anycast to simplify reception and redundancy of DHCP IP Helper traffic. Another use case is simple NIC redundancy.
    a. Management traffic is restricted to eth0, but standalone node will also have PSN persona so above use cases can apply for interfaces eth1-eth3.
    b. For dedicated PAN / MnT nodes it usually does not make sense to configure multiple interfaces although ISE 1.3 does add support for SNMP on multiple interfaces if needed to separate out. It may also be possible to support NIC redundancy but I need to do some more testing to verify. 
    For PSNs, NIC redundancy for RADIUS as well as the other use cases for separate profiling and portal services apply.
    Regarding Supplicant Provisioning issue, the flows are the same whether wireless or wired. The same identity stores are supported as well. The key difference is that wireless users are directed to a specific auth method based on WLAN configuration and Cisco wired switches allow multiple auth methods to be supported on same port. 
    If RADIUS Proxy is required to forward requests to a foreign RADIUS server, then the decision must be made based on basic RADIUS attributes or things like NDG. ISE does not terminate the authentication requests; that is handled by the foreign server. ISE does support advanced relay functions such as attribute manipulation, but I recommend reviewing the requirements with your local Cisco or partner security SE if trying to implement provisioning for users authenticated via proxy. Proxy is handled at the Authentication Policy level. CWA and Guest Flow are handled in the Authorization Policy. If you need to authenticate a CWA user via external RADIUS, then you need to use a RADIUS Token Server, not RADIUS Proxy.
    A typical flow for a wired user without 802.1X configured would be to hit the default policy for CWA. Based on successful CWA auth, CoA is triggered and the user can then match a policy rule based on guest flow and CWA user identity (AD or non-AD) and be returned an authorization for NSP.
    Regarding AD multi-domain support...
    Under ISE 1.2, if need to authenticate users across different forests or domains, then mutual trusts must exist, or you can use multiple LDAP server definitions if the EAP protocol supports LDAP. RADIUS Proxy is another option  to have some users authenticated to different AD domains via foreign RADIUS server.
    Under ISE 1.3, we have completely re-architected our AD connector and support multiple AD Forests and Domains with or without mutual trusts.
    When you mention the use of RADIUS proxy, it is not clear whether you are referring to ISE as the proxy or another RADIUS server proxying to ISE.  If you had multiple ISE deployments, then a separate RADIUS Server like ACS could proxy requests to different ISE 1.2 deployments, each with their own separate AD domain connection.  If ISE is the proxy, then you could have some requests being authenticated against locally joined AD domain while others are sent to a foreign RADIUS server which may have one or more AD domain connections.
    In summary, if the key requirement is ability to join multiple AD domains without mutual trust, then very likely ISE 1.3 is the solution.  Your configuration seems to be a bit involved and I do not want to provide design guidance on a paper napkin, so recommend consult with local ATP Security SE to review overall requirements, topology, AD structure, and RADIUS servers that require integration.
    Regards,
    Craig

  • Cisco ISE Deployment

    Dears,
    We have 2 ISE servers. I configured wired, wireless, VPN and guest user authentication from the ISE server. All of them are working normally. Both ISE servers have the same image (ver 1.2). I deployed the ISE servers as HA. I registered the second ISE server at the primary ISE server. I attached the configuration files.
    I want one ISE device to be primary (Administration, Monitoring and Policy are active in the primary ISE) and the other ISE server to be backup or standby (Administration, Monitoring and Policy are standby). When the primary ISE server goes down, all AAA processing goes through the secondary ISE server (like redundancy on an ASA).
    Is it possible to configure this? If yes, how do I do this configuration?
    Thanks for your help.

    ISE 1.2 does not have an Automatic Failover for the Admin Nodes.  If the primary node goes down, you have to manually promote the secondary node.
    Until you promote the secondary, the deployment has very serious limitations:
    So, you see, there is no true HA with Automatic Failover for ISE 1.2. You have to have both ISE servers on anyway, and the Monitoring persona is the only one that does support Automatic Failover, so it really does make sense to deploy your nodes as noted here:
    Node1:  Admin (Primary), Monitoring (Secondary), Policy Service
    Node2:  Admin (Secondary), Monitoring (Primary), Policy Service
    The notes I referenced can be found in the ISE 1.2 User Guide.
    Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.  Otherwise, feel free to post follow-up questions.
    Charles Moreton

  • Has anyone deployed converged access with 3850 switches and 5760 WLCs?

    Has anyone deployed a converged access network architecture with 3850 switches and 5760 WLCs? I have done lots of projects with the 5508 WLCs In a centralized deployment. Basically with this design, I manage 2 logical networks as the wireless network is an overlay over the wired network. I can design firewall to segregate traffic between the wired and wireless hence I can carry both staff and guest traffic.
    Now Cisco is telling us that there is a new design such that the data plane traffic can be dropped locally through the 3850 switches. I am not sold on this and have not found any recommended best practices on when we should use a converged access architecture.
    Pros
    With converged access, data traffic is terminated at the MA which is on the switches, hence the WLC will not be a bottleneck? This is to prepare adoption for 802.11ac?
    Less hops for voice calls from user A to user B as data control traffic is dropped locally.
    Cons
    Now how do I segregate guest and staff traffic if my security folks say I need a firewall?
    Troubleshooting wireless client mobility will be a nightmare as the 3850 switches are MA.
    Pushing and upgrading code will mean upgrading the stack of switches in the LAN riser. This will be painful in a huge campus environment like a university.
    Can someone convince me why would a customer choose converged access?

    They choose CA because of the CAPWAP termination at the switch. You can still use a 5508 and tunnel guest traffic to a DMZ segment if you wish. You will need a 5508 though if you want to tunnel traffic to an anchor WLC.

  • Woes wiring up an ejb to use a database control

    First my question & then background:
    How do I wire up an EJB to use a database control JCX object so that the dbcontrol is instantiated at runtime?
    Here's the scene:
    I created a Java page flow from a database control & this works correctly, but I also need to be able to expose some of the functionality to another deployed application. This application, incidentally, is not a Workshop application, but rather a hand-coded WAR.
    The first application (a Workshop app) renders forms that use a database control to persist the data. It only uses one table & therefore there is only one POJO. As I mentioned, this resides in a web project & works correctly. I abstracted my dbcontrol & my POJO to a separate Java controls project & built this as a library. The JPF still has no problems seeing the dbcontrol.
    There is a second application (a non-Workshop app) that needs to be able to use a method provided by the dbcontrol. I created an EJB in a third project in the first application that makes the call to the dbcontrol in the exact same way that the JPF did. But I am finding, however, that the dbcontrol is null whenever the EJB makes the call to its method.
    Here's the more detailed design:
    I started with a database control. I mapped to my datasource, wrote out the SQL for the methods I wanted & generated the page flow from this. I rewrote the page flow/JSPs to suit my needs & everything just works. I did notice at the time that I generated the page flow that the dbcontrol was never instantiated. Here is a snippet of the JPF:
    <pre>
    public class SiteAlertMessageManagementController extends PageFlowController {
        /**
         * This is the control used to generate this pageflow
         * @common:control
         */
        private SiteAlertMessageDBControl dbControl;

        public Forward getCurrentMessage() {
            SiteAlertMessage currentMessage = dbControl.getCurrentMessage();
            // rest of the action omitted in the original post
        }
    }
    </pre>
    Because SiteAlertMessageDBControl is an interface, I assumed that the '@common:control' annotation told WebLogic what it needed to know in order to instantiate a runtime class of type SiteAlertMessageDBControl. Because it just worked, I never questioned this.
    With the form read/write functionality complete, I assumed I could quickly wrap an EJB around the dbcontrol method & be done with it. I soon realized that I could not create an EJB inside a web project & that an EJB project would not have classpath visibility to my dbcontrol & POJO, so I put the dbcontrol & the POJO into a Java control project & made a library out of this. I double-checked that the web project could see the classes in the library & it could.
    So I created a separate EJB project that also could now see the classes in the library. I thought I was in the home stretch. I now have these projects in my first application:
    administrationControls, administrationWeb, & administrationEjb. I moved the administrationControls.jar & the administrationEjb.jar over to the WEB-INF/lib directory of my (remember: non-Workshop) WAR & wired up the code to pull the bean off the JNDI tree to make the RMI call. But it didn't work. So I backtracked & created a new JSP back in my Workshop project that would make the same RMI call so that I could use the debugger. With this as the background, here is my specific problem.
    What I noticed is that the EJB code itself works correctly. I guess I should show it as well.
    <pre>
    public class SiteAlertMessagesAPI extends GenericSessionBean implements SessionBean {
        /**
         * This is the control used to generate this pageflow
         * @common:control
         */
        private SiteAlertMessageDBControl dbControl;

        public void ejbCreate() {
            // Your code here
        }

        /**
         * @ejbgen:remote-method
         */
        public SiteAlertMessage getCurrentMessage() throws Exception {
            SiteAlertMessage message = null;
            try {
                // dbControl is null here
                message = dbControl.getCurrentMessage();
            } catch (Exception e) {
                e.printStackTrace();
            }
            return message;
        }
    }
    </pre>
    The problem is that my dbControl object is null. What I did was cut & paste the code from the JPF over to my bean. Like I stated earlier, I assumed that the annotation would tell WebLogic to instantiate an instance. This was obviously not the case. Incidentally, I rewrote my ejbCreate() method like this:
    <pre>
    public void ejbCreate() {
        // Your code here
        dbControl = new SiteAlertMessageDBControl();
    }
    </pre>
    but Workshop gives me an "error: this type is abstract and thus cannot be instantiated" warning.
    My question is: how do I wire up an EJB to use a database control JCX object so that the dbcontrol is instantiated at runtime?
    Any light you could shed on this would be most appreciated. Thanks,
    doug

    Hi,
    unfortunately, it's not possible to use a control outside a control or a web service...
    Emmanuel

  • ISE with CWA and wired guest access via WLC Anchor

    Can an Anchor WLC (WLCa) provide a wired guest LAN service if the wlan guest access is using CWA?
    We are deploying a WLAN-only ISE solution (it is a full-license ISE though) but they just want a few wired guest ports. I was hoping to add an L2 switch to the DMZ where the WLCa is, and that the L2 switch wouldn't need any other config as the WLCa just bridges the wired to the WLAN VLAN. This I'm sure I have done before.
    So now I have set wired guest the same as I have done before ISE and my wired clients get an IP address, but when they redirect, the URL they get is different, and the redirect just doesn't work.
    It comes out as:
    https://my_ise_ip:8443/guestportal/Login.action?switch_url=https://my_ise_host/login.html&wlan=my_wired_guest_lan&redirect=www.google.co.uk
    So does my simple L2-only switch need an ISE config on it, or should the WLCa be handling the redirection just as it would for a WLAN device?

    The ISE never receives an auth entry, so I don't believe the redirect is working for the wired client. So even though the client's browser gets a redirect URL which fails connection, the client info in the WLCa doesn't have a redirect ACL listed like a WLAN client would.

  • Maximum SGA size in 32-bit OS

    Hi All
    I want to deploy Oracle Linux 5 to set up for a DBA, and the server and OS are 32-bit. My questions are:
    What is the maximum limit of the SHMMAX value I can set?
    And for this, what is the maximum size of the Oracle SGA?
    looking for your early response.
    Jeesun

    "My questions are what is the maximum limit of SHMMAX value I can set? and for this what is the maximum size of Oracle SGA?"
    It depends on if you are using PAE or not.
    More at:
    http://en.wikipedia.org/wiki/Physical_Address_Extension
    http://www.puschitz.com/TuningLinuxForOracle.shtml
    http://www.idevelopment.info/data/Oracle/DBA_tips/Linux/LINUX_8.shtml

  • Prime Infrastructure 2.2 problems: Wired Detailed Device Inventory report not running / Cisco 5500 WLCs not listed in subgroup

    New installation of Prime Infrastructure 2.2.0 (PI-VA-2.2.0.0.158.ova)
    Installed fixes/software/device packs:
    PI 2.2.1 Poodle Fix (installed)
    PI 2.2.1 Maintenance Release (installed, ncs stopped, rebooted)
    Prime Infrastructure 2.2 Device Pack 3 (installed, ncs stopped, rebooted)
    Licences installed (ncs stopped, rebooted)
    Added all devices via Bulk Import (Inventory > Device Management > Network Devices)
    Problem 1:
    The Cisco 5500 WLCs are not listed in Inventory > Device Management > Network Devices (see screenshot) but are listed under "All Devices"!
    The Cisco 4400 WLCs and the 8500 WLCs are listed within their subgroup.
    Devices are in "Managed State".
    Problem 2: fixed! (Browser issue)
    Problem 3:
    Unable to run the "Wired Detailed Device Inventory" report because I get the error message: Failed to run report: Unable to retrieve data for: Chassis Information (if Chassis Information is selected; if System Information is selected I get the error message with ...retrieve data for: System Information)
    All devices do have "Admin Status = Managed" and Last Inventory Collection Status = Completed.
    Has anyone the same issues, or a tip for me?
    Another topic: the "User Defined Fields" are not exported when running a "Device Export" (Inventory > Device Management > Network Devices). ;-(
    BR
    Bastian

    Hello Bastian,
    I think you still have a browser issue; using IE is still the best with Prime.
    I have exactly the same Prime 2.2 and installed fixes/software/device packs.
    I have no problem; I can see all views. I now use IE 11; with Chrome 42.0.2311.90 and Firefox 37.01 I have problems too with lots of views. You have not said what browser + version you have.
    Since you have the same Prime 2.2 as me: I have other problems, can you check yours?
    Can you see a functional CLI template page at Configuration > Templates > Features & Technologies?
    https://supportforums.cisco.com/discussion/12481691/can-cisco-prime-22-still-do-simple-ad-hoc-deployment-job-cli-over-all-switches
    Do you have "SNMP Connectivity Failed" while Verify Credentials has no errors, all green and checked?
    https://supportforums.cisco.com/discussion/12494786/snmp-request-exceeds-internal-data-buffer-512-bytes-prime-22-asa-5545

  • Cisco wired guest with one wlc

    Hello, my name is Ivan.
    I have a question:
    Can you configure wired guest for wired network users so that the Cisco WLC web portal appears for guest user authentication? I have the following:
    Only one (1) Cisco WLC 5508 with no settings for auto anchor or foreign controller, a Cisco ACS v5.4, Cisco switches, and access points.
    I'm using 802.1x, and when the user, because of authentication policies, falls into the guest VLAN, the user receives full IP routing on the guest VLAN and reaches the internet through the router for guest users, but is not redirected to the WLC web portal.
    I would like to redirect HTTP traffic from the Cisco switch to the Cisco WLC for the WLC web portal.
    My deployment is FlexConnect with central wireless authentication and local switching.
    How can I do this?
    Thanks for your answers.

    Hi Scott, thanks for your answer.
    My scenario is:
    Site A: Corporate
    WLC 5508, FlexConnect Central Auth + Local Switching
    1. int management: vlan 10 - 10.1.1.2/24
    2. int virtual: 1.1.1.1
    3. wired-guest: vlan 30
    WLANs:
    1. corporate - mapped to interface management, 802.1x WPA/WPA2
    2. guest - mapped to interface management, web auth
    3. wired-guest: web auth, ingress wired, egress management
    Cisco ACS v5.4
    Site B: Branch
    Lightweight AP in vlan 10, VLANs 100 and 30 mapped: 100 for the corporate WLAN and 30 for the guest WLAN.
    Cisco switches.
    The branch has an internet router for guest users.
    The Cisco switch has an 802.1x configuration, and the method to authenticate users who cannot have an 802.1x supplicant is web auth.
    Currently I cannot redirect the traffic from the switch in the branch to the Cisco WLC 5508 in the corporate site. The users bypass the interception of the Cisco WLC and can go to the internet without the authentication portal.
    Could you please give some advice to resolve it?
    Regards, and thanks for your answers.
