URL Redirection on Wireless Client Machine Fails
Wireless users authenticated by ISE internal identity but unable to redirect on URL.
Hi. First of all thanks for your reply.
By mistake I have attached above pdf.
Let me explain my scenario. The WLC is integrated with ISE and ISE is integrated with AD. We have wireless users (not guest wireless users) who have to go through the ISE process before accessing the network. These domain users are successfully authenticated by AD through the WLC and ISE. Once the domain users authenticate, they have to be redirected to a URL when accessing any website through a browser, but it is not happening.
Moreover, could you please help me with how to configure a posture condition for AV and WSUS? Do you have any doc to configure the following requirement and apply it to a profile?
Thanks
Similar Messages
-
Launching EAS from URL not working on client machine.
We are on version 11.1.1.4. When I use the EAS URL on the server it is working fine. But when I use it from a different machine other than the server it is not working; after selecting the "locale country" and clicking the launch button it gives the following error. I checked the Java version also and the client machine is on 1.6. I also tried on different IE versions. But from the same client machine I am able to connect through the installed version of EAS.
Is there something I need to do, like opening ports or anything like that? Please let me know your suggestions or comments.
HTTP Status 404 -
type status report
description the requested resource () is not available
Hyperion embedded java container/1.0.0
Thanks,
Shiva
-- Java version on the server and the client machine is the same, which is 1.6.0_24.
That is good point about the network. Actually the client and the server are not in the same network but I opened ports on the network router as well as I disabled windows firewall on the server to make sure it is not creating the problem. -
Wireless client authentication failed
hi all,
I have a problem. I have an AP 1602i joined to a WISM2 controller with IOS version 7.4.121.
When a client tries to connect to the SSID, he receives a log "authentication failed". When I tried to rejoin the AP to another controller it works normally, and when I go back to joining the first controller it joins normally.
When the problem occurs I noticed that the AP LED is flashing and on the controller I can see the AP.
Please advise.
Thanks in advance
Hi Manannalage ras...,
I already issued this command and tried to connect to the SSID but no output appeared on the controller. It seems that the client MAC address is not reaching the controller.
note that,
the AP connected through Modem to the controller and get the controller IP address from DNS by resolving its domain name to the controller IP -
Wism controller does not show url redirection splash page
Hi
Wism controller does not show url redirection/splash page .
client takes the ip from the dhcp server. when browsing its not going to the authentication page as usual
Thank you
Can you elaborate on your issue... really hard to follow. To me, it seems like you want to use a guest splash page. The client associates to the open guest SSID and gets an IP address. Now the user has to open a browser to get the portal page, correct? This has nothing to do with the WLC, but the OS on the device. Some devices can detect if no internet is present after authentication and obtaining an address. This means the device will automatically open a browser to present the user with the splash page. Other devices will require the user to open a browser to get the login screen.
Scott -
Hello All,
We are getting "Unable to connect to Server at <<servername>>. enter a different URL and try again" error, if we are trying to connect to report server in report builder.
This issue is appearing only on 2-3 client machines only. Rest on other client machines and server URL is working fine.
Please suggest
Thanks in Advance
-Regards
-Kumud Vaish
I would suggest looking at what might be different between those clients and the others that work. Do they run the same antivirus version? Did they receive any recent updates (Windows or AV)? Are they potentially on a different network (sometimes a wireless network is configured to be different from the wired)? Are they getting any different group policies?
We've seen the antivirus web control block access before in my environment. -
How to pick wireless physical address of client machine
Dear members,
Using the following tutorial, I have picked the network card address (MAC address).
[forms java beans|http://forms.pjc.bean.over-blog.com/article-15985856.html]
But this code doesn't display / return the MAC address of the wireless network card.
the java code is here:
    package oracle.forms.fd;

    import java.net.InetAddress;
    import java.io.InputStream;
    import java.io.BufferedInputStream;
    import java.io.IOException;
    import java.text.ParseException;
    import java.util.StringTokenizer;
    import oracle.forms.ui.VBean;
    import oracle.forms.handler.IHandler;
    import oracle.forms.properties.ID;

    /**
     * A Java Bean that returns Client machine info
     * code found on the java forum
     * http://forum.java.sun.com/thread.jspa?threadID=655913
     * @author Francois Degrelle (wrapper)
     * @version 1.1
     */
    public final class ClientInfos extends VBean {
        private static final ID GETINFOS = ID.registerProperty("GET_CLIENT_INFOS");
        private static final ID GETINFO = ID.registerProperty("GET_CLIENT_INFO");
        private static final ID Operating = ID.registerProperty("OPERATING");
        private static final ID architecture = ID.registerProperty("ARCHITECTURE");
        private static final ID osVersion = ID.registerProperty("OSVERSION");
        private static final ID IP = ID.registerProperty("IP");
        private static final ID MAC = ID.registerProperty("MAC");
        private static final ID javaVersion = ID.registerProperty("JAVAVERSION");
        private static final ID javaVendor = ID.registerProperty("JAVAVENDOR");
        private static final ID javaVendorUrl = ID.registerProperty("JAVAVENDORURL");
        private static final ID javaHome = ID.registerProperty("JAVAHOME");
        private static final ID javaVmSpecificationVersion = ID.registerProperty("JAVAVMSPECIFICATIONVERSION");
        private static final ID javaVmSpecificationVendor = ID.registerProperty("JAVAVMSPECIFICATIONVENDOR");
        private static final ID javaVmSpecificationName = ID.registerProperty("JAVAVMSPECIFICATIONNAME");
        private static final ID userName = ID.registerProperty("USERNAME");
        private static final ID userHome = ID.registerProperty("USERHOME");

        private String sInfos = "";
        private String sOperating = "";
        private String sarchitecture = "";
        private String sosVersion = "";
        private String sIP = "";
        private String sMAC = "";
        private String sjavaVersion = "";
        private String sjavaVendor = "";
        private String sjavaVendorUrl = "";
        private String sjavaHome = "";
        private String sjavaVmSpecificationVersion = "";
        private String sjavaVmSpecificationVendor = "";
        private String sjavaVmSpecificationName = "";
        private String suserName = "";
        private String suserHome = "";
        private boolean bInit = false ;

        public void init(IHandler handler)
        {
            super.init(handler);
            try {
                sOperating = System.getProperty("os.name");
                sarchitecture = System.getProperty("os.arch");
                sosVersion = System.getProperty("os.version");
                sIP = InetAddress.getLocalHost().getHostAddress();
                sMAC = getMacAddress();
                sjavaVersion = System.getProperty("java.version");
                sjavaVendor = System.getProperty("java.vendor");
                sjavaVendorUrl = System.getProperty("java.vendor.url");
                sjavaHome = System.getProperty("java.home");
                sjavaVmSpecificationVersion = System.getProperty("java.vm.specification.version");
                sjavaVmSpecificationVendor = System.getProperty("java.vm.specification.vendor");
                sjavaVmSpecificationName = System.getProperty("java.vm.specification.name");
                suserName = System.getProperty("user.name");
                suserHome = System.getProperty("user.home");
            } catch(Throwable t) {
                t.printStackTrace();
            }
        }

        public Object getProperty(ID pId)
        {
            if(pId == GETINFOS)
            {
                sInfos = "Operating System:" + sOperating ;
                sInfos += "\nOperating system architecture:" + sarchitecture ;
                sInfos += "\nOperating system version:" + sosVersion ;
                sInfos += "\nIP/Localhost:" + sIP ;
                sInfos += "\nMAC Address:" + sMAC ;
                sInfos += "\nJava Version:" + sjavaVersion ;
                sInfos += "\nJava Vendor:" + sjavaVendor ;
                sInfos += "\nJava vendor URL:" + sjavaVendorUrl ;
                sInfos += "\nJava installation directory:" + sjavaHome ;
                sInfos += "\nJava Virtual Machine specification version:" + sjavaVmSpecificationVersion;
                sInfos += "\nJava Virtual Machine specification vendor:" + sjavaVmSpecificationVendor;
                sInfos += "\nJava Virtual Machine specification name:" + sjavaVmSpecificationName;
                sInfos += "\nUser Name:" + suserName;
                sInfos += "\nUser's home directory:" + suserHome ;
                return sInfos ;
            }
            else if(pId == Operating) return sOperating;
            else if(pId == architecture) return sarchitecture ;
            else if(pId == osVersion) return sosVersion ;
            else if(pId == IP) return sIP ;
            else if(pId == MAC) return sMAC ;
            else if(pId == javaVersion) return sjavaVersion ;
            else if(pId == javaVendor) return sjavaVendor ;
            else if(pId == javaVendorUrl) return sjavaVendorUrl ;
            else if(pId == javaHome) return sjavaHome ;
            else if(pId == javaVmSpecificationVersion) return sjavaVmSpecificationVersion ;
            else if(pId == javaVmSpecificationVendor) return sjavaVmSpecificationVendor ;
            else if(pId == javaVmSpecificationName) return sjavaVmSpecificationName ;
            else if(pId == userName) return suserName ;
            else if(pId == userHome) return suserHome ;
            return super.getProperty(pId);
        }

        private final static String getMacAddress() throws IOException {
            String os = System.getProperty("os.name");
            try {
                if(os.startsWith("Windows")) {
                    return windowsParseMacAddress(windowsRunIpConfigCommand());
                } else if(os.startsWith("Linux")) {
                    return linuxParseMacAddress(linuxRunIfConfigCommand());
                } else {
                    throw new IOException("unknown operating system: " + os);
                }
            } catch(ParseException ex) {
                ex.printStackTrace();
                throw new IOException(ex.getMessage());
            }
        }

        /*
         * Linux stuff
         */
        private final static String linuxParseMacAddress(String ipConfigResponse) throws ParseException {
            String localHost = null;
            try {
                localHost = InetAddress.getLocalHost().getHostAddress();
            } catch(java.net.UnknownHostException ex) {
                ex.printStackTrace();
                throw new ParseException(ex.getMessage(), 0);
            }
            StringTokenizer tokenizer = new StringTokenizer(ipConfigResponse, "\n");
            String lastMacAddress = null;
            while(tokenizer.hasMoreTokens()) {
                String line = tokenizer.nextToken().trim();
                boolean containsLocalHost = line.indexOf(localHost) >= 0;
                // see if line contains IP address
                if(containsLocalHost && lastMacAddress != null) {
                    return lastMacAddress;
                }
                // see if line contains MAC address
                int macAddressPosition = line.indexOf("HWaddr");
                if(macAddressPosition <= 0) continue;
                String macAddressCandidate = line.substring(macAddressPosition + 6).trim();
                if(linuxIsMacAddress(macAddressCandidate)) {
                    lastMacAddress = macAddressCandidate;
                    continue;
                }
            }
            ParseException ex = new ParseException
                ("cannot read MAC address for " + localHost + " from [" + ipConfigResponse + "]", 0);
            ex.printStackTrace();
            throw ex;
        }

        private final static boolean linuxIsMacAddress(String macAddressCandidate) {
            // TODO: use a smart regular expression
            if(macAddressCandidate.length() != 17) return false;
            return true;
        }

        private final static String linuxRunIfConfigCommand() throws IOException {
            Process p = Runtime.getRuntime().exec("ifconfig");
            InputStream stdoutStream = new BufferedInputStream(p.getInputStream());
            StringBuffer buffer= new StringBuffer();
            for (;;) {
                int c = stdoutStream.read();
                if (c == -1) break;
                buffer.append((char)c);
            }
            String outputText = buffer.toString();
            stdoutStream.close();
            return outputText;
        }

        /*
         * Windows stuff
         */
        private final static String windowsParseMacAddress(String ipConfigResponse) throws ParseException {
            String localHost = null;
            try {
                localHost = InetAddress.getLocalHost().getHostAddress();
            } catch(java.net.UnknownHostException ex) {
                ex.printStackTrace();
                throw new ParseException(ex.getMessage(), 0);
            }
            StringTokenizer tokenizer = new StringTokenizer(ipConfigResponse, "\n");
            String lastMacAddress = null;
            while(tokenizer.hasMoreTokens()) {
                String line = tokenizer.nextToken().trim();
                // see if line contains IP address
                if(line.endsWith(localHost) && lastMacAddress != null) {
                    return lastMacAddress;
                }
                // see if line contains MAC address
                int macAddressPosition = line.indexOf(":");
                if(macAddressPosition <= 0) continue;
                String macAddressCandidate = line.substring(macAddressPosition + 1).trim();
                if(windowsIsMacAddress(macAddressCandidate)) {
                    lastMacAddress = macAddressCandidate;
                    continue;
                }
            }
            ParseException ex = new ParseException("cannot read MAC address from [" + ipConfigResponse + "]", 0);
            ex.printStackTrace();
            throw ex;
        }

        private final static boolean windowsIsMacAddress(String macAddressCandidate) {
            // TODO: use a smart regular expression
            if(macAddressCandidate.length() != 17) return false;
            return true;
        }

        private final static String windowsRunIpConfigCommand() throws IOException {
            Process p = Runtime.getRuntime().exec("ipconfig /all");
            InputStream stdoutStream = new BufferedInputStream(p.getInputStream());
            StringBuffer buffer= new StringBuffer();
            for (;;) {
                int c = stdoutStream.read();
                if (c == -1) break;
                buffer.append((char)c);
            }
            String outputText = buffer.toString();
            stdoutStream.close();
            return outputText;
        }
    }
How to pick the wireless physical address?
Regards

Hi!
Our request object, which is available to all the JSP pages, can access the IP address and host name of the client through these calls.
request.getRemoteAddr()
request.getRemoteHost()
Interface "ServletRequest"
getRemoteAddr ----
public java.lang.String getRemoteAddr()
Returns the Internet Protocol (IP) address of the client that sent the request. For HTTP servlets, same as the value of the CGI variable REMOTE_ADDR.
Returns:
a String containing the IP address of the client that sent the request
getRemoteHost
public java.lang.String getRemoteHost()
Returns the fully qualified name of the client that sent the request. If the engine cannot or chooses not to resolve the hostname (to improve performance), this method returns the dotted-string form of the IP address. For HTTP servlets, same as the value of the CGI variable REMOTE_HOST.
Returns:
a String containing the fully qualified name of the client
All the Best!
(Simmy) -
How to monitor Data downloaded, bandwidth used, Url hit in Client machine through SCOM
Hi,
Is there any way to monitor data downloaded, bandwidth used, and URL hits on client machines (Windows 7 and Windows 8.1) through SCOM?

adawson wrote:
Hi,
I installed and running ebusiness suite 12.1.1 in Oracle Linux server 6.3, below is the url I used to run ebs in the Linux Server,
http://aserver.localdomain:8000/OA_HTML/AppsLogin
Can you access this URL on the server itself? Do you see the login page on the server?
I need to access the ebs from my laptop which is having windows 7 operating system.
My laptop (with IP Address 10.0.0.4) is connected to network and I can ping with my linux server's IP Address- 10.0.0.2 (ping 10.0.0.2 works)
but when I ping from my laptop with the server 's hostname ( ping aserver.localdomain) it says "ping request could not find host aserver.localdomain" .
What if you access http://10.0.0.2/OA_HTML/AppsLogin from the client, can you see the main login page then?
when I tried to access the url "http://aserver.localdomain:8000/OA_HTML/AppsLogin" from the laptop ebs page is not opening.
Please post the contents of the hosts file on the server and the client.
Is there any configuration to be made in Linux server where ebs is installed or tell me what things to be done to access ebs from another system.
Just make sure the firewall is disabled on the Linux server.
I also have static ip configured in my router, So tell me what settings to be made to access this same ebs through internet.
You do not need an internet access here since your server and client on the same network.
Thanks,
Hussein -
Fail to open mapping debugger in client machine
I have installed OWB 10.2.0.2 successfully on HP-UX server, and designed some db mappings and workflow on that.
Meanwhile, I installed OWB 10.2.0.2 as client on Windows XP.
Currently, I could deploy and execute the mappings and workflow in Control Center from client side, which could approve that the control center service is running OK on client, but when I tried to open mapping debugger, I met the following errors:
Mapping Debugger Error:
oracle.wh.service.sdk.mapping.debugger.WBMappingDebuggerException:
DBG1032:Cannot connect to location MAPPING_LOCATION:
java.sql.SQLException:Io exception: The Network Adapter could not establish the connection
You are not currently connected to a Control Center schema. You must establish a connection
to a Control Center schema before proceeding with the current debug session. If a connection
is not established , the debug session will end
It is strange that I could open the mapping debugger from server side, i.e. in XWindow of HP-UX, without any other modification, like redeploy or restart the control center service.
Could anyone give me a hand on the issue?

If your server serves a web page with a link to a specific drive letter then when a client clicks the link it is going to look for a file on their client machine.
Do you understand the client server relationship?
The href attribute of your anchor tag must point to an http or ftp address for a client to remotely access or download that file.
<%= request.getContextRoot() %> will give you the context root, then you can place the rest of the path. The files must be within the context of the http web server. -
Export to Office and PDF solutions fail on client machines, HTML works
I have created a nice Dashboard with the Trial version ($495). My client was very happy with the solution so I want to buy the software. However, there is one problem that I have encountered. When I deploy the solution on my client's machines they get a security error with XCelcius solutions exported to Office formats (PowerPoint, Word) and also PDF. When I export to HTML the solution works perfectly on my client's IE8 browser.
I only need the features of the $195 version and not the additional features of the $495 (except maybe the HTML export).
My client system configuration is as follows:
Flash WIN 10,0,45,2
I have XCelcius version 5.3.0.0, Build # 12,3,0,670.
Since the client can get the HTML version working I assume that the browser version of Flash is correct. Does Office use a different Flash executable than the browser?
Are there any instructions to remedy this problem on the client machines running XCelcius Office exported solutions?
Great product.
Thanks in advance.

Yes, this worked a treat, thanks very much! *
Iarla
* Note that I needed to manually remove iWorks as the For_iWork:iWork '09:iWork9Update5.dmg.zip file wouldn't work on the latest version of iWorks. This involved deleting the iWork folders in the Applications and Library directories. -
ISE Wired Central Web Authentication no url redirect
We are setting up ISE for wired guest accest but are having trouble with the client being redirected. The switch gets the download from ISE and shows that it should use the URL redirect with the correct ACL.
ISEtest3560#show authentication sessions interface fastEthernet 0/2
Interface: FastEthernet0/2
MAC Address: 001d.09cb.78bd
IP Address: Unknown
User-Name: 00-1D-09-CB-78-BD
Status: Authz Success
Domain: DATA
Security Policy: Should Secure
Security Status: Unsecure
Oper host mode: multi-auth
Oper control dir: both
Authorized By: Authentication Server
Vlan Group: N/A
ACS ACL: xACSACLx-IP-ISE-Only-52434fbe
URL Redirect ACL: ACL-WEBAUTH-REDIRECT
URL Redirect: https://REMOVED.Domain.corp:8443/guestportal/gateway?sessionId=0A0003E600000039064485B1&action=cwa
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0A0003E600000039064485B1
Acct Session ID: 0x00000293
Handle: 0x95000039
Runnable methods list:
Method State
dot1x Failed over
mab Authc Success
From the client pc I can get name resolution for anything I ping. I also can ping the ise server by name. The ACL that is downloaded it as follows:
Extended IP access list xACSACLx-IP-ISE-Only-52434fbe (per-user)
10 permit udp any eq bootpc any eq bootps
20 permit udp any any eq domain
30 permit ip any host 10.4.37.91
40 deny ip any any log
Extended IP access list ACL-WEBAUTH-REDIRECT
10 deny udp any eq bootpc any eq bootps
20 deny udp any any eq domain
30 deny ip any host 10.4.37.91
40 permit tcp any any eq www (13 matches)
50 permit tcp any any eq 443
51 permit tcp any any eq 8443
60 deny ip any any
The machine passes the Authentication with MAB and hits the CWA Authorization profile, ISE shows the client as "Pending", then the next entry above that in the log is the dACL getting pushed to the switch. Could part of the issue be that the device shows Unknown for IP address? The command ip device tracking is in the switch:
ISEtest3560#show running-config | include tracking
ip device tracking
ISEtest3560#
We have 802.1x clients working and the IP address for those do show up..
Please advise,
Thanks,
Joe

ISEtest3560#show ip access-lists interface fastEthernet 0/2
ISEtest3560#
Doesn't appear the dacl is being applied.
interface FastEthernet0/2
switchport access vlan 11
switchport mode access
ip access-group ACL-DEFAULT in
authentication event fail action next-method
authentication event server dead action reinitialize vlan 999
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication open
authentication order dot1x mab webauth
authentication priority dot1x mab webauth
authentication port-control auto
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
spanning-tree guard root
Extended IP access list ACL-DEFAULT
10 permit udp any eq bootpc any eq bootps
20 permit udp any any eq domain
30 permit icmp any any
40 permit udp any any eq tftp
41 permit ip any host 10.4.37.91
50 deny ip any any log (1059 matches)
Could the dACL be causing the issue with the Unknown, or is the Unknown causing the issue with the dACL?
Thanks,
Joe -
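The two observations raised in this thread (the session shows `IP Address: Unknown`, and `show ip access-lists interface` returns nothing for the port) can be checked mechanically from captured CLI output. The script below is an added example, not part of the original posts and not Cisco tooling; the function names and finding labels are hypothetical, and the sample text is copied from the output quoted above. It reports what the output shows and does not decide which condition causes the other.

```python
import re

# CLI text copied from the thread (trimmed to the fields this check reads).
SESSION_OUTPUT = """\
ISEtest3560#show authentication sessions interface fastEthernet 0/2
Interface: FastEthernet0/2
MAC Address: 001d.09cb.78bd
IP Address: Unknown
Status: Authz Success
ACS ACL: xACSACLx-IP-ISE-Only-52434fbe
URL Redirect ACL: ACL-WEBAUTH-REDIRECT
URL Redirect: https://REMOVED.Domain.corp:8443/guestportal/gateway?sessionId=0A0003E600000039064485B1&action=cwa
"""

ACL_OUTPUT = """\
Extended IP access list xACSACLx-IP-ISE-Only-52434fbe (per-user)
 10 permit udp any eq bootpc any eq bootps
 20 permit udp any any eq domain
 30 permit ip any host 10.4.37.91
 40 deny ip any any log
Extended IP access list ACL-WEBAUTH-REDIRECT
 10 deny udp any eq bootpc any eq bootps
 20 deny udp any any eq domain
 30 deny ip any host 10.4.37.91
 40 permit tcp any any eq www (13 matches)
 50 permit tcp any any eq 443
 51 permit tcp any any eq 8443
 60 deny ip any any
"""

# The per-interface query in the thread returned only the prompt.
INTERFACE_ACL_OUTPUT = """\
ISEtest3560#show ip access-lists interface fastEthernet 0/2
ISEtest3560#
"""

PROMPT = re.compile(r"^\S+#")
ACL_HEADER = re.compile(r"^Extended IP access list (\S+)")
ACL_ENTRY = re.compile(
    r"^\s*(\d+)\s+(permit|deny)\s+(.*?)(?:\s+\((\d+) match(?:es)?\))?\s*$")


def parse_session(text):
    """Turn 'Key: value' lines of 'show authentication sessions' into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            fields[key.strip()] = value.strip()
    return fields


def parse_acls(text):
    """Map ACL name -> list of entries (sequence, action, rule, hit count)."""
    acls, current = {}, None
    for line in text.splitlines():
        header = ACL_HEADER.match(line.strip())
        if header:
            current = acls.setdefault(header.group(1), [])
            continue
        entry = ACL_ENTRY.match(line)
        if entry and current is not None:
            seq, action, rule, hits = entry.groups()
            current.append({"seq": int(seq), "action": action,
                            "rule": rule, "hits": int(hits or 0)})
    return acls


def redirect_hits(acls, name):
    """Total matches on permit entries, i.e. traffic selected for redirection."""
    return sum(e["hits"] for e in acls.get(name, []) if e["action"] == "permit")


def applied_acl_lines(text):
    """Lines of 'show ip access-lists interface' output, without prompts."""
    return [l for l in text.splitlines() if l.strip() and not PROMPT.match(l)]


def check_cwa_session(session_text, acl_text, interface_acl_text):
    """Return a list of finding labels for one CWA session on one port."""
    session = parse_session(session_text)
    acls = parse_acls(acl_text)
    findings = []
    if session.get("IP Address", "Unknown") == "Unknown":
        findings.append("ip-unknown")            # device tracking has no IP
    if "URL Redirect" not in session:
        findings.append("no-redirect-url")
    for field in ("ACS ACL", "URL Redirect ACL"):
        if session.get(field) not in acls:
            findings.append("acl-not-defined:" + field)
    applied = applied_acl_lines(interface_acl_text)
    dacl = session.get("ACS ACL", "")
    if not applied:
        findings.append("no-acl-on-interface")   # nothing enforced on the port
    elif dacl and not any(dacl in line for line in applied):
        findings.append("dacl-not-on-interface")
    return findings


if __name__ == "__main__":
    print(check_cwa_session(SESSION_OUTPUT, ACL_OUTPUT, INTERFACE_ACL_OUTPUT))
    print("redirect hits:", redirect_hits(parse_acls(ACL_OUTPUT), "ACL-WEBAUTH-REDIRECT"))
```
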
SSL VPN message "This (client) machine does not have the web access privilege."
Hello!
I am trying to configure the SSL VPN (WebVPN) and I am almost done, but when clicking on the URLs I configured in the bookmarks, I get the message "This (client) machine does not have the web access privilege. Please contact your SSLVPN provider for assistance." I looked through the many tutorials and guides in existence and none talks about such an error and the fix for it. In fact, if I search the net for this error message I get only one match, on the Cisco website, where it says that "The client computer does not meet the security criteria of having web access functionality through the SSL VPN gateway." and as a fix it gave this tip: "Check the URL to the gateway or contact the administrator if it persists." So, nothing on the website about what this issue is and how to fix it. I will provide my IOS configuration and hopefully someone will spot the issue. Here it goes:
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname R1
boot-start-marker
boot-end-marker
logging message-counter syslog
no logging buffered
enable secret 5 $1$1LLX$u7aTc8XfNqPZhPVGwEF/J0
enable password xxxxxxxx
aaa new-model
aaa authentication login userAuthen local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization network groupauthor local
aaa session-id common
crypto pki trustpoint TP-self-signed-1279712955
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1279712955
revocation-check none
rsakeypair TP-self-signed-1279712955
crypto pki certificate chain TP-self-signed-1279712955
certificate self-signed 01
quit
dot11 syslog
ip source-route
ip dhcp excluded-address 192.168.0.1 192.168.0.10
ip dhcp pool myPOOL
network 192.168.0.0 255.255.255.0
default-router 192.168.0.1
dns-server 87.216.1.65 87.216.1.66
ip cef
ip name-server 87.216.1.65
ip name-server 87.216.1.66
ip ddns update method mydyndnsupdate
HTTP
add http://username:[email protected]/nic/update?system=dyndns&hostname=<h>&myip=<a>
interval maximum 1 0 0 0
no ipv6 cef
multilink bundle-name authenticated
vpdn enable
vpdn-group pppoe
request-dialin
protocol pppoe
username cisco privilege 15 password 0 xxxxxxxx
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
crypto isakmp fragmentation
crypto isakmp client configuration group vpnclient
key cisco123
domain selfip.net
pool ippool
acl 110
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10
set transform-set myset
reverse-route
crypto map clientmap client authentication list userAuthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
archive
log config
hidekeys
interface Loopback0
ip address 10.11.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
interface Loopback2
description SSL VPN Website IP address
ip address 10.10.10.1 255.255.255.0
interface Loopback1
description SSL DHCP Pool Gateway Address
ip address 192.168.250.1 255.255.255.0
interface FastEthernet0
description $ES_LAN$
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
interface BRI0
no ip address
encapsulation hdlc
shutdown
interface FastEthernet1
interface FastEthernet2
switchport access vlan 2
interface FastEthernet3
interface FastEthernet4
interface FastEthernet5
interface FastEthernet6
interface FastEthernet7
interface FastEthernet8
interface ATM0
no ip address
no atm ilmi-keepalive
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
bundle-enable
dsl operating-mode auto
interface Vlan1
no ip address
interface Dialer1
ip ddns update hostname myserver.selfip.net
ip ddns update mydyndnsupdate host members.dyndns.org
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip policy route-map VPN-Client
dialer pool 1
ppp chap hostname xxx
ppp chap password 0 xxxx
ppp pap sent-username xxx password 0 xxxx
crypto map clientmap
ip local pool ippool 192.168.50.100 192.168.50.200
ip local pool sslvpnpool 192.168.250.2 192.168.250.100
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
ip http authentication local
ip http secure-server
ip nat inside source static tcp 192.168.0.2 21 interface Dialer1 790
ip nat inside source static tcp 192.168.0.15 21 interface Dialer1 789
ip nat inside source list 102 interface Dialer1 overload
ip nat inside source static tcp 10.10.10.1 443 interface Dialer1 443
ip nat inside source static tcp 10.10.10.1 80 interface Dialer1 80
access-list 102 deny ip 192.168.0.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 102 permit ip 192.168.0.0 0.0.0.255 any
access-list 110 permit ip 192.168.0.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 144 permit ip 192.168.50.0 0.0.0.255 any
route-map VPN-Client permit 10
match ip address 144
set ip next-hop 10.11.0.2
control-plane
banner motd ^C
================================================================
UNAUTHORISED ACCESS IS PROHIBITED!!!
=================================================================
^C
line con 0
line aux 0
line vty 0 4
password mypassword
transport input telnet ssh
webvpn gateway MyGateway
ip address 10.10.10.1 port 443
http-redirect port 80
ssl trustpoint TP-self-signed-1279712955
inservice
webvpn install svc flash:/webvpn/svc_1.pkg sequence 1
webvpn install csd flash:/webvpn/sdesktop.pkg
webvpn context SecureMeContext
title "My SSL VPN Service"
secondary-color #C0C0C0
title-color #808080
ssl authenticate verify all
url-list "MyServers"
heading "My Intranet"
url-text "Cisco" url-value "http://192.168.0.2"
url-text "NetGear" url-value "http://192.168.0.3"
login-message "Welcome to My VPN"
policy group MyDefaultPolicy
url-list "MyServers"
functions svc-enabled
svc address-pool "sslvpnpool"
svc keep-client-installed
default-group-policy MyDefaultPolicy
aaa authentication list userAuthen
gateway MyGateway domain testvpn
max-users 100
csd enable
inservice
end
Thank you!

Hi,
Please check SAP note:
2004579 - You cannot create a FR company from a Package
Thanks & Regards,
Nagarajan -
Group Policy not work in some client machine.
Hello All,
Existing environment is AD 2012. The gpupdate /force command is not working on some client machines, and it occurs randomly. The error is shown on about 15-20% of client machines. Please suggest. Hopefully this time I get a reply from the community.
The Error:
User policy could not be updated successfully. The following errors were encountered:
The processing of Group Policy failed. Windows attempted to read the file \\example.net\sysvol\example.net\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
a) Name Resolution/Network Connectivity to the current domain controller.
b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).
c) The Distributed File System (DFS) client has been disabled.
Computer policy could not be updated successfully. The following errors were encountered:
The processing of Group Policy failed. Windows attempted to read the file \\example.net\sysvol\example.net\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
a) Name Resolution/Network Connectivity to the current domain controller.

Thanks for your reply. Basically this error occurs within the same location as well as the branch location. I have checked the event log in AD but did not get any specific error. AD health status is OK. AD to AD synchronization is also working well. All the client machines are running on Windows 7 64 bit and a few of them are Windows 8.
Please suggest. if you need any event log for analysis i can send you.
Thanks
I recommend you examine the event logs upon an affected client machine. Specifically, look for the surrounding events on that machine (both System, and Application logs), for the hours previous and the hour after.
The time period may vary according to your environment (e.g. what is expected/normal for your environment, your configured GP refresh cycle-time).
E.g., are there network drops, power drops, system crashes, or restarts at a similar time?
If it's a laptop, is it wireless? Was there a transition from wireless to wired operation?
Is there VPN in use?
If you are able to, compare with another machine (I would encourage that) to understand what "normal" looks like in the logs, so that you have some kind of baseline data for comparison.
Other checks: maybe confirm that the machines are updating as required (have the relevant Windows Updates etc.), and consider whether some security/protection/firewall software might be interfering with normal Windows operations.
Also consider the potential for malware or a virus, which can disturb many basic services (ensure a scan is performed and returns clean).
If you have the opportunity for an affected user to contact you urgently when the symptom occurs, check that the gpt.ini file is accessible from their PC.
e.g.: \\example.net\sysvol\example.net\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini
This file is hosted within the replicated SYSVOL share on your DCs, so check that it is accessible.
You might also validate the particular GPO this refers to, and check each of your DCs holds the correct copy of the files for that GPO GUID.
If you open that GPO, and perform a minor change to it (e.g. add a comment), then click Apply, OK, this should cause the GPO contents to replicate an updated version (be cautious, depending upon the nature of that GPO!).
Don
(Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!) -
The Group Policy Client Service Failed The Logon
Hello,
When our students login to our Windows 7 machines they are getting this error:
The Group Policy Client Service Failed The Logon
Access is denied.
We are attempting to use both volatile and roaming profiles. The profiles are being stored on their H drives. I seem to only see the issue when the Windows NT 6.1 Workstation Profile.V2 folder already exists on their H drive. If the profile is not there then everything works fine.
Loading the user's ntuser.dat hive located in their H drive and changing the permissions manually to allow System, Administrators, and Users Full Control fixes the issue. How can I do this across all my users' H drives? Should I just delete them all and manually create the folder myself?
Last time I found one, the permissions for the hive had an "Unknown" user in the permissions list. There was no "Users" group. Removing the "Unknown" and adding "Users" fixed the problem. Are the permissions getting corrupted somehow?
Thanks for any assistance.
I've used the following link for reference:
Support | Windows 7 Roaming Profiles fail - user is assigned a temporary profile or fails to log on
Novell Doc: ZENworks 10 Configuration Management Policy Management Reference - Assigning a Roaming Profile Policy that has the User Profile Stored on a Home Directory
Originally Posted by coreyhansen
So it appears that I am experiencing the temporary profile detailed in my link I referenced above. I have status bubbles disabled by policy and didn't notice the notification. I'm going to try pre-populating my user H drives with the Windows NT 6.1 Workstation Profile.V2 folder containing an ntuser.dat file I've already edited the hive permissions of. This worked in small scale testing, so we will see.
I've been referencing this thread: http://forums.novell.com/novell-prod....html#poststop
So I have tried this with students that are experiencing the problem, and gotten limited success. It feels like it works at random, with around 50% of attempts working.
Has anyone out there had success with roaming profiles? Do I just need to go back to folder redirection? Will anyone please respond?
This is what the student's ntuser.dat hive permissions look like when things are not working: -
Cisco ISE guest portal redirect not working after successful authentication and URL redirect.
Hi to all,
I am having difficulties with an ISE deployment which I am scratching my head over and can't fathom out why this isn't working.
I have an ISE 3315 doing a captive webportal for my guest users who are on an SSID. The users are successfully redirected by the WLC to the following URL: https://x.x.x.x:8443/guestportal/Login.action?portalname=XXX_Guest_Portal
Now when the user passes through the user authentication splash screen they get redirected to https://x.x.x.x:8443/guestportal/guest/redir.html and receive the following error:
Error: Resource not found.
Resource: /guestportal/
Does anyone have any ideas why the portal is doing this?
Thanks
Paul
Hello,
As you are not able to get the guest portal, you need to ensure the following things:
1) Ensure that the two Cisco av-pairs that are configured on the authorization profile exactly match the example below. (Note: Do not replace the "IP" with the actual Cisco ISE IP address.)
- url-redirect=https://ip:8443/guestportal/gateway?...lue&action=cpp
- url-redirect-acl=ACL-WEBAUTH-REDIRECT (ensure that this ACL is also defined on the access switch)
2) Ensure that the URL redirection portion of the ACL has been applied to the session by entering the show epm session ip command on the switch. (Where the session IP is the IP address that is passed to the client machine by the DHCP server.)
Admission feature : DOT1X
AAA Policies : #ACSACL#-IP-Limitedaccess-4cb2976e
URL Redirect ACL : ACL-WEBAUTH-REDIRECT
URL Redirect : https://node250.cisco.com:8443/guestportal/gateway?sessionId=0A000A720000A45A2444BFC2&action=cpp
3) Ensure that the preposture assessment DACL that is enforced from the Cisco ISE authorization profile contains the following command lines:
remark Allow DHCP
permit udp any eq bootpc any eq bootps
remark Allow DNS
permit udp any any eq domain
remark ping
permit icmp any any
remark This is for URL redirect
permit tcp any host 80.0.80.2 eq 443
remark Provides access to internet
permit tcp any host 80.0.80.2 eq www
remark This is for guest portal port
permit tcp any host 80.0.80.2 eq 8443
remark This is for posture communication between NAC agent and ISE (Swiss ports)
permit tcp any host 80.0.80.2 eq 8905
remark This is for posture communication between NAC agent and ISE (Swiss ports)
permit udp any host 80.0.80.2 eq 8905
remark This is for posture communication between NAC agent and ISE (Swiss ports)
permit udp any host 80.0.80.2 eq 8906
deny ip any any
Note: Ensure that the above URL Redirect has the proper Cisco ISE FQDN.
4) Ensure that the ACL with the name "ACL-WEBAUTH-REDIRECT" exists on the switch as follows:
ip access-list extended ACL-WEBAUTH-REDIRECT
deny ip any host 80.0.80.2
permit ip any any
5) Ensure that the http and https servers are running on the switch:
ip http server
ip http secure-server
6) Ensure that, if the client machine employs any kind of personal firewall, it is disabled.
7) Ensure that the client machine browser is not configured to use any proxies.
8) Verify connectivity between the client machine and the Cisco ISE IP address.
9) If Cisco ISE is deployed in a distributed environment, make sure that the client machines are aware of the Policy Service ISE node FQDN.
10) Ensure that the Cisco ISE FQDN is resolved and reachable from the client machine.
11) Or you need to do re-image again. -
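The switch-side checks in steps 1 to 4 of the answer above can be scripted against saved command output. This Python sketch is an added example, not part of the original thread or of any Cisco tool; the function names and the constructed sample inputs (modelled on the output and ACLs quoted in that answer) are assumptions for illustration.

```python
import re
REQUIRED = [("tcp", "8443"), ("tcp", "8905"), ("udp", "8905"), ("udp", "8906")]
URL_RE = re.compile(r"https://[^/]+:8443/guestportal/gateway\?sessionId=\w+&action=\w+$")

def parse_epm(output):
    """Parse 'Key : value' lines; a bare line continues the previous value."""
    fields, key = {}, None
    for line in map(str.strip, output.splitlines()):
        m = re.match(r"([A-Za-z ]+?)\s*:(?!//)\s*(.*)$", line)
        if m:
            key, fields[m.group(1)] = m.group(1), m.group(2)
        elif key and line:
            fields[key] += line  # wrapped URL: rejoin without a space
    return fields

def acl_entries(text):
    """Return (name, rules) of an IOS ACL; remarks and '-->' notes are dropped."""
    lines = [l.split("-->")[0].split() for l in text.splitlines()]
    name = next((t[3] for t in lines if t[:3] == ["ip", "access-list", "extended"]), None)
    return name, [" ".join(t) for t in lines if t and t[0] in ("permit", "deny")]

def check_redirect(epm_output, dacl, redirect_acl, ise_ip):
    """Return a list of findings; an empty list means every check passed."""
    epm, findings = parse_epm(epm_output), []
    acl_name, acl = acl_entries(redirect_acl)
    dacl_rules = acl_entries(dacl)[1]
    applied, url = epm.get("URL Redirect ACL"), epm.get("URL Redirect", "")
    if not applied or applied != acl_name:
        findings.append(f"session uses {applied!r} but switch defines {acl_name!r}")
    if not URL_RE.match(url):
        findings.append(f"unexpected URL Redirect value: {url!r}")
    for proto, port in REQUIRED:
        if f"permit {proto} any host {ise_ip} eq {port}" not in dacl_rules:
            findings.append(f"DACL lacks permit {proto} to {ise_ip} port {port}")
    if acl[:1] != [f"deny ip any host {ise_ip}"]:
        findings.append("redirect ACL does not exempt ISE traffic in its first entry")
    return findings

# Constructed inputs, modelled on the output and ACLs quoted in the answer above.
SAMPLE_EPM = """URL Redirect ACL : ACL-WEBAUTH-REDIRECT
URL Redirect :
https://node250.cisco.com:8443/guestportal/gateway?sessionId=0A000A72
0000A45A2444BFC2&action=cpp"""
SAMPLE_DACL = """permit tcp any host 80.0.80.2 eq 8443 --> This is for guest portal
permit tcp any host 80.0.80.2 eq 8905
permit udp any host 80.0.80.2 eq 8905
permit udp any host 80.0.80.2 eq 8906
deny ip any any"""
SAMPLE_ACL = "ip access-list extended ACL-WEBAUTH-REDIRECT\ndeny ip any host 80.0.80.2\npermit ip any any"
print(check_redirect(SAMPLE_EPM, SAMPLE_DACL, SAMPLE_ACL, "80.0.80.2"))
```

A one-character difference between the ACL name pushed in the av-pair and the name defined on the switch (hyphen versus underscore, for example) is reported as a finding.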
Cisco ISE - Not use FQDN in url-redirect parameter
Hi,
I am using Cisco ISE Central Web Authentication for Guest Wireless. Clients are redirected for web authentication to: https://ip:port/guestportal/gateway?sessionId=SessionIdValue&action=cwa as it is specified by the url-redirect parameter in the Authorization Profile.
The “ip” field in the url is now replaced by the FQDN of the Cisco ISE, but I want to use the IP address instead of the FQDN. Is there any way to do that?
As far as I know in version 1.2 you can use the “ip host/no ip host” command to indicate what you want to use in the URL. However my Cisco ISE is running version 1.1.1.268.
Thank you very much.
Joana.
Available in 1.2, and available as a "bit of a bodge" in 1.1.x (read "a lot of a bodge")
If you only have one PSN then you may be able to get it to work, but after that you lose the ability to get the session to be pointed automatically at whichever PSN they hit initially so it would break.
Copy the settings that are applied when you use CWA, then create your own based on the same settings but using the ip address pasted in there instead.