Using Peap w/ IAS

Similar Messages

• Problems authentication with PEAP WLC IAS Windows 2k3

  Hi all
  I have configured a WLC (6.0.182.0 model 2100) with authentiacion PEAP with IAS and a DA of Microsoft Windows 2003. I have been reading in the documentation "PEAP Under Unified Wireless Networks with Microsoft Internet Authentication Service (IAS)" that in the installation proccess of Active Directory it must select the option "Permissions compatible with pre-Windows 2000 server operation systems". In my scenario the other option was chosen "Permissions compatible only with Windows 200 or Windows Server 2003 operations system".
  I have test this scenario and it does not work.
  Is there some configuration in the WLC so that it can work without having to reinstall the AD?
  Thanks

  For the most part the WLC doesn't care about what type of authentication is being used. It really is just proxying the requests between the client and Radius server.
  I would make sure your EAP timer are extended with the commands:
  config advanced eap identity-request-timeout 10
  config advanced eap request-timeout 10

• ISE 1.2, Patch 7: "NAK requesting to use PEAP instead"

  We're experiencing seemingly random occurrences of users failing authentication because they're trying PEAP vs EAP. Does anyone know if it is possible to force the Windows supplicant to use EAP only?
  For what it's worth, the user can fail authentication for hours and I can either allow open authentication on the port for a bit, or the user can leave for the day and come back tomorrow and authentication will succeed. I'm not sure if it's an ISE problem or a supplicant problem, but I'm leaning towards supplicant.
  Personas:
  Administration
  Role:
  PRIMARY(A)
  System Time:
  Apr 24 2014 08:26:58 AM America/New_York
  FIPS Mode:
  Disabled
  Version:
  1.2.0.899
  Patch Information:
  7,1,3
  11001
  Received RADIUS Access-Request
  11017
  RADIUS created a new session
  15049
  Evaluating Policy Group
  15008
  Evaluating Service Selection Policy
  15048
  Queried PIP
  15048
  Queried PIP
  15004
  Matched rule
  11507
  Extracted EAP-Response/Identity
  12500
  Prepared EAP-Request proposing EAP-TLS with challenge
  12625
  Valid EAP-Key-Name attribute received
  11006
  Returned RADIUS Access-Challenge
  11001
  Received RADIUS Access-Request
  11018
  RADIUS is re-using an existing session
  12301
  Extracted EAP-Response/NAK requesting to use PEAP instead
  12300
  Prepared EAP-Request proposing PEAP with challenge
  12625
  Valid EAP-Key-Name attribute received
  11006
  Returned RADIUS Access-Challenge
  11001
  Received RADIUS Access-Request
  11018
  RADIUS is re-using an existing session
  12302
  Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated
  12318
  Successfully negotiated PEAP version 0
  12800
  Extracted first TLS record; TLS handshake started
  12805
  Extracted TLS ClientHello message
  12806
  Prepared TLS ServerHello message
  12807
  Prepared TLS Certificate message
  12810
  Prepared TLS ServerDone message
  12305
  Prepared EAP-Request with another PEAP challenge
  11006
  Returned RADIUS Access-Challenge
  11001
  Received RADIUS Access-Request
  11018
  RADIUS is re-using an existing session
  12304
  Extracted EAP-Response containing PEAP challenge-response
  12305
  Prepared EAP-Request with another PEAP challenge
  11006
  Returned RADIUS Access-Challenge
  11001
  Received RADIUS Access-Request
  11018
  RADIUS is re-using an existing session
  12304
  Extracted EAP-Response containing PEAP challenge-response
  12305
  Prepared EAP-Request with another PEAP challenge
  11006
  Returned RADIUS Access-Challenge
  11001
  Received RADIUS Access-Request
  11018
  RADIUS is re-using an existing session
  12304
  Extracted EAP-Response containing PEAP challenge-response
  12305
  Prepared EAP-Request with another PEAP challenge
  11006
  Returned RADIUS Access-Challenge
  11001
  Received RADIUS Access-Request
  11018
  RADIUS is re-using an existing session
  12304
  Extracted EAP-Response containing PEAP challenge-response
  12318
  Successfully negotiated PEAP version 0
  12812
  Extracted TLS ClientKeyExchange message
  12804
  Extracted TLS Finished message
  12801
  Prepared TLS ChangeCipherSpec message
  12802
  Prepared TLS Finished message
  12816
  TLS handshake succeeded
  12310
  PEAP full handshake finished successfully
  12305
  Prepared EAP-Request with another PEAP challenge
  11006
  Returned RADIUS Access-Challenge
  11001
  Received RADIUS Access-Request
  11018
  RADIUS is re-using an existing session
  12304
  Extracted EAP-Response containing PEAP challenge-response
  12313
  PEAP inner method started
  11521
  Prepared EAP-Request/Identity for inner EAP method
  12305
  Prepared EAP-Request with another PEAP challenge
  11006
  Returned RADIUS Access-Challenge
  11001
  Received RADIUS Access-Request
  11018
  RADIUS is re-using an existing session
  12304
  Extracted EAP-Response containing PEAP challenge-response
  11522
  Extracted EAP-Response/Identity for inner EAP method
  11806
  Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge
  12305
  Prepared EAP-Request with another PEAP challenge
  11006
  Returned RADIUS Access-Challenge
  11001
  Received RADIUS Access-Request
  11018
  RADIUS is re-using an existing session
  12304
  Extracted EAP-Response containing PEAP challenge-response
  11808
  Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated
  15041
  Evaluating Identity Policy
  15006
  Matched Default Rule
  15013
  Selected Identity Source - *****
  24431
  Authenticating machine against Active Directory
  24470
  Machine authentication against Active Directory is successful
  22037
  Authentication Passed
  11824
  EAP-MSCHAP authentication attempt passed
  12305
  Prepared EAP-Request with another PEAP challenge
  11006
  Returned RADIUS Access-Challenge
  11001
  Received RADIUS Access-Request
  11018
  RADIUS is re-using an existing session
  12304
  Extracted EAP-Response containing PEAP challenge-response
  11810
  Extracted EAP-Response for inner method containing MSCHAP challenge-response
  11814
  Inner EAP-MSCHAP authentication succeeded
  11519
  Prepared EAP-Success for inner EAP method
  12314
  PEAP inner method finished successfully
  12305
  Prepared EAP-Request with another PEAP challenge
  11006
  Returned RADIUS Access-Challenge
  11001
  Received RADIUS Access-Request
  11018
  RADIUS is re-using an existing session
  12304
  Extracted EAP-Response containing PEAP challenge-response
  15036
  Evaluating Authorization Policy
  24433
  Looking up machine in Active Directory - host/*****
  24435
  Machine Groups retrieval from Active Directory succeeded
  15048
  Queried PIP
  15048
  Queried PIP
  15048
  Queried PIP
  15048
  Queried PIP
  15048
  Queried PIP
  15004
  Matched rule - Default
  15016
  Selected Authorization Profile - DenyAccess
  15039
  Rejected per authorization profile
  12306
  PEAP authentication succeeded
  11503
  Prepared EAP-Success
  11003
  Returned RADIUS Access-Reject 

  salodh,
  Thank you for your response. Below is the authorization policy it should hit. The trouble is the workstation wants to use PEAP for some reason but we don't want PEAP because we're certificate-based. I understand what you're saying, and it's because I didn't word my question correctly. 
  12500
  Prepared EAP-Request proposing EAP-TLS with challenge
  12625
  Valid EAP-Key-Name attribute received
  11006
  Returned RADIUS Access-Challenge
  11001
  Received RADIUS Access-Request
  11018
  RADIUS is re-using an existing session
  12301
  Extracted EAP-Response/NAK requesting to use PEAP instead 
  If the NAK would not request PEAP, it would continue on to the following Authorization Policy (and succeed):
  Name
  Wired-******-PC
   Conditions
  Radius:Service-Type EQUALS Framed
  AND
  Radius:NAS-Port-Type EQUALS Ethernet
  AND
  *******:ExternalGroups EQUALS **********/Users/Domain Computers
  AND
  Network Access:EapAuthentication EQUALS EAP-TLS
  Again, this PEAP request only happens occasionally. This same workstation will work at other days/times. If I could figure out why some workstations randomly request PEAP (or find a way to force EAP only) I think that would take care of it.
  Thanks again, sir.
  Andrew

• Native Supplicant "NAK requesting to use PEAP instead"

  Hello,
  We have a Cisco ISE infrastructure in place and we're experiencing seemingly random occurrences of users failing authentication because they're trying PEAP vs EAP. Does anyone know if it is possible to force the native Windows supplicant to use EAP only?
  "Microsoft: Smart Card or other certificate" is selected under network authentication method, by group policy, and I thought that wouldn't allow PEAP, but our ISE logs show "NAK requesting to use PEAP instead", after which authorization
  fails because we're not using PEAP.
  For what it's worth, the user can fail authentication for hours and I can either allow open authentication on the port for a bit, or the user can leave for the day and come back tomorrow and authentication will succeed. I'm not sure if it's an ISE problem or
  a supplicant problem, but I'm leaning towards supplicant.
  Thanks,
  Andrew

  Hi,
  About this issue, please contact Cisco Tech Support for help.
  Karen Hu
  TechNet Community Support
  I've already been in contact with them and they've verified our configuration. All that can be done on the Cisco side is to "propose" the client to go through EAP-TLS as the first option, which we are doing. This will not block any clients trying to connect
  using other protocols, and, though this will propose EAP-TLS, there is now way to enforce it at the supplicant level. This will be a client decision always. From Cisco: 
  Please monitor this after the  change we applied,   but if the issue persists,   since we are dealing with windows supplicant,   it would be a good idea to involve the native supplicant support.

• How can i deploy macbooks and 802.1x authentication using PEAP/MSChap version 2

  How can i deploy macbooks and 802.1x authentication for wireless connectivity using PEAP/MSChap version 2. The Cert is generated by a 2008 Windows CA authority. I am trying to get to join but the MAC doesnt seem to want to accecpt the cert. Can i not validate the cert and still have it join the 802.1x wireless netqwotk? The wireless netwotk is using a Cisco 5508 wireless controller and Cisco 1142 access points. All works fine with Windows devices.

  Hi Tarik,
  Thanks for your answers,
  I've attached my configured AuthZ rules and AuthZ profile for provisioning,
  I want the process to be the same for iPhone, Android and Windows.
  1) Connect to the SSID
  2) Login using your AD credentials PEAP-MS-CHAP-v2
  3) Redirect to device registration portal (So I can set a limit of 3 devices per employee)
  4) As soon as the client click "register" no more redirects and PERMIT-ALL
  I think that I don't need to rely on profiling because In terms of AuthZ policies it should be something like this:
  1) if WIRELESS802.1x and PEAP-MS-CHAPV2 and BYODREGISTRATION=!YES(Unknown or not reg) then "Redirect to device registration(that is NSP right?)"
  2) if WIRELESS802.1x and PEAP-MS-CHAPV2 then PERMIT-ALL(no redirection)
  3) everything else = DENY-ALL
  But the NSP looks for Client Provisioning policies, so if I don't configure any policy it should Allow Network Access(See attachment photo3.png) but as I said on the post it shows that cannot retrieve the MAC-Address so the client can't register his device and don't have access to the network. (To grant access I've configured provisioning policies, that way the clients can register their devices but they are redirected to google play or are forced to install the profile at iOS and this is what I don't want because it is not necessary)
  What screenshoot do you need after the registration? the Auth report?
  Thank you very much for your time!

• Need help connecting to wifi using PEAP

  Today is the first time I've even heard of PEAP. My condo told me that connect to the wifi here, I need to use the provided user name and password. When I tried connecting via my iPad and my android phone, they were able to detect that the wifi system is using PEAP and to connect me after I entered in the username and password.
  Now I'm trying to connect my laptop running archlinuxx, and wifimenu is unable to automagically figure out how to connect; it finds the correct SSID, but after I select it, it doesn't even prompt me for a username and password. It says:
  successfully initialized wpa_supplicant
  WPA Authentication/Association Failed
  After looking around a bit, I tried adding an entry to my /etc/wpa_supllicant/wpa_supplicant.conf file like this:
  network={
    ssid="MySSID"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="myusername"
    password="mypassword"
  I omitted ca_cert, phase1, phase2and priority, because I've no idea what to put for those values and it seems like my other devices can connect without asking me for those values. I'm just making guesses as to what the values should be for key_mgmt and eap.

  You'll have to give us some more info as far as error messages or screen shots (Shift-Command-3).

• Aironet 1310 using Peap Auth and AES encryption??

  I have 2 1310 wireless briges in a point to point configuration with the root bridge acting as my ACS server..
  I am currently running Leap Authentication and with Wep encryption but would like to upgrade this to use Peap and AES if possible??
  I'm wondering if anyone has upgraded their solution to this type of encryption?
  thanks

  What IOS version are you running ? 12.4(25d)JA is the last supported IOS version for this product. So you should go with that image.
  If you are using AP as AAA server, then I think only EAP-FAST, LEAP & MAC authentication is supported. Not anything else.
  Here is WGB (workgroup bridge) configuration with EAP-FAST & you can get an idea how to configure EAP-FAST if you choose to. (In your case you have to configure root bridge & non-root bridge in two respective AP)
  http://mrncciew.com/2013/04/28/wgb-with-eap-fast/
  HTH
  Rasika
  **** Pls rate all useful responses ****

• Frequent disconnect using peap wpa2 with aes and tkip

  I got frequent disconnect for the users on wireless using peap wpa2 with aes and tkip.
  My network is setup with :
  -Wireless controller 4404
  -ACS 4.0
  -28 access point 1131g
  -Peap authentication with active directory windows 2003
  -windows xp - mschap2 with aes- tkip
  when i check only aes on the wireless controller 4404 the network user are able work in a stable condition

  This might similar to the bug where Wireless phones dont associate if WPA2 is configured with both AES/TKIP. In this case try to upgrade the controller.

• Apple MAC Cannot Connect on Wireless Using PEAP Auth

  I have a WLAN setup using the Cisco WiSM, Cisco ACS 4.1.3 as the Radius Server. We are using PEAP as the WLAN Security. THe issue is that all the clients who have Windows OS are able to connect to the WLAN and PEAP works fine.However the users who have Apple MAC OS are unable to connect to the WLAN that has PEAP as the Security setting. The MAC has OS 10.5.6 and I tried upgrading the image however the prob persists. On the ACS server I get in the Failed Log as "Internal Error".
  Can someone help what does the Error mean , and any resolution for the issue.

  Can you provide some detail about how you created the user profile on the Mac? Also - did you put the ACS server's certificate into the Mac's System store so that the Mac will trust the ACS server (or configure the PEAP profile on the Mac to ignore the ACS server's certificate)?

• Can we still use PEAP-MSCHAPV2 for authenticating to a WPA2-Enterprise network?

  L.S,
  For authenticating to a BYOD wireless network a lot of companies use WPA2-Enterprise connected to a Microsoft IAS/NPS server to authenticate against Active Directory. There seems to be a way to intercept this wireless traffic using a roque accesspoint using the same (company) SSID-name and tools like freeradius-WPE and cloudcracker.
  If the BYOD client doesn't check the certificate provided by the fake radius server, the MSCHAPv2-negotiation can be discovered and the hacker will get the username AND hashed password which can be lookup'd by rainbow tables sites like cloudcracker.
  Is there still a safe way to deploy AD-authentication to BYOD clients?
  Kind Regards,
  Arjen

  I have tested the WPA2-enterprise/PEAP-MSCHAPv2 exploit this week placing a laptop in my car on the company parking lot with a Kali image, using hostap and freeradius-wpe configured with the company SSID. It was very easy to find out the mschapv2 challenge/responses of a number of android/windows phones that there just walking past my car. Also iPhone has a bad WPA2-enterprise implementation (see: http://research.edm.uhasselt.be/~bbonne/docs/robyns14wpa2enterprise.pdf), so bye bye WPA2-enterprise/PEAP-MSCHAPv2.
  Wonder what other (large) companies are using for their BYOD wireless networks! EAP-TLS using certificate sounds like the only feasible option, however, we are afraid that the enrolment of certificates to the BYOD-clients will be a total disaster. I heard stories that some android phones lose their client certificate after a reboot :(

• Dynamic VLAN/SSID assignment using 4402/MS IAS

  Greetings,
  In short we have a WLC4402 (50 AP license) and approx 30 1252s LAPs in place. Right now we have three VLANs/SSIDs in place - one for admin, one for teachers and one for students. The WLC uses a MS Windows 2003 server running IAS for PEAP authentication. The clients are Windows XP, the SSID is entered manually based on "pre-designation" of the laptop's "type" (either admin, teacher or student).
  This is working fine. However more and more frequently our users have been "sharing" laptops so a student may need to use a teacher's laptop and vice-versa. In short we would like to use dynamic VLAN/SSID assignment so that if a student does have a teacher's laptop the "student" VLAN/SSID would be assigned to them when log in (and the proper ACLs, QoS policies, etc would be applied)
  We have found documentation on how to perform this with an ACS but is there anything available for this configuration with a MS IAS server.
  Any input/information would be greatly appreciated.
  Joe

  Shaun,
  My LAG - etherchannel interface
  interface Port-channel8
  description WLC-portchannel
  switchport
  switchport trunk encapsulation dot1q
  switchport trunk allowed vlan 1,3,24-26
  switchport mode trunk
  end
  My 2 WLC Fiber ports:
  Current configuration : 382 bytes
  interface GigabitEthernet7/47
  description CiscoWLC-LAG-Ports
  switchport trunk encapsulation dot1q
  switchport trunk allowed vlan 1,3,24-26
  switchport mode trunk
  service-policy output autoqos-voip-policy
  qos trust cos
  auto qos voip trust
  tx-queue 3
  bandwidth percent 33
  priority high
  shape percent 33
  spanning-tree bpdufilter enable
  channel-group 8 mode on
  end
  2200-3A#sh run int g7/48
  Building configuration...
  Current configuration : 382 bytes
  interface GigabitEthernet7/48
  description CiscoWLC-LAG-Ports
  switchport trunk encapsulation dot1q
  switchport trunk allowed vlan 1,3,24-26
  switchport mode trunk
  service-policy output autoqos-voip-policy
  qos trust cos
  auto qos voip trust
  tx-queue 3
  bandwidth percent 33
  priority high
  shape percent 33
  spanning-tree bpdufilter enable
  channel-group 8 mode on
  end
  I use vl1 for ap mgmt, vl3 for hotspot, and vl24-26 for WPA2 clients and wireless voip devices.
  One of my AP switchports on the same switch. I let the trunk port to the AP carry a range of vlan's, and then a manage the vlans assigned to clients with IAS and the WLC.
  interface FastEthernet4/48
  description AP-PoE
  switchport trunk encapsulation dot1q
  switchport trunk allowed vlan 1-1004
  switchport mode trunk
  service-policy output autoqos-voip-policy
  qos trust cos
  auto qos voip trust
  tx-queue 3
  bandwidth percent 33
  priority high
  shape percent 33
  end
  Jim

• PEAP and IAS

  Hey everyone,
  I have done a fair bit of reading into PEAP, IAS, 802.11x and so on.
  This is the part I am confused with - I wish to have multiple VLAN's one for each of year groups. Can I force VLAN assignments using IAS / PEAP authentication using the same SSID? Or do I need one SSID per VLAN?
  Last question - For each switchport an AP's connect to does the port needs to be configured as trunk?
  Any help would be appreciated.
  Cheers,
  MArk

  Mark -
  These will help you:
  Dynamic VLANs
  http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml
  AP VLAN Groups
  http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008073c723.shtml
  You will only need a trunk for you AP if you are running H-REAP.

• Changing Fixed Assets useful life according IAS rules

  Hi all,
  According to the new IAS rules (International Accounting Standards) when an asset's useful life (currently with straight line depreciation) is changed we have to distribute the "net book value" (remaining depreciation to be posted) between all the remaining months in the same proportion.
  Currently, SAP standard calculates the depreciation as the difference between the posted depreciation throughout the previous months and the amount that should have been depreciated with the new useful life, and it assigns this calculated amount in the current month when the useful life is changed.
  We have checked that the remaining depreciation to be posted can be distributed equally over the remaining periods of the fiscal year by marking the "smoothing" flag through transaction OAYR per company code, but we need this amount to be distributed over all the remaining periods for the new useful life (not only over the current fiscal year).
  Please find below an example to try to clarify my query:
  A fixed asset with str.line depreciation has the following values:
  Acquisition value: 12000 eur
  Useful life: 3 years
  Depreciation per year: 4000 eur.
  The asset starts to depreciate on 01.01.2008 and its useful life is
  changed to 2 years on 01.07.2008. On that moment the net book value is
  10000 eur.
  SAP adjusts the difference between the amount that should have been
  depreciated with the new useful life (3.000 eur) and the real amount
  posted (2.000 eur) = 1.000 eur depending on the "smoothing" flag:
  1. If the flag is not marked: SAP assigns 1.500 eur (500 eur (6.000/12)
  + 1.000 eur from the difference) on 01.07.2008
  2. If the flag is marked: SAP distributes the difference between the
  remaining periods of the current year (from July to December) and it
  assigns 666,66 eur per month (500 eur + 166,66, obtained from 1.000
  eur/6 months).
  But we need the same depreciation amount distributed over the remaining
  months: 10.000 eur/18 months = 555,55 eur/month.
  Has anyone come through the same problem before?
  The only solution I can think of is transferring the asset values to a new one. Or maybe a user exit.
  Any feedback will be much appreciated.
  Thank you very much in advance. Best regards

  Hi Markus,
  Sorry to come back to you regarding this question. Unfortunately we are not still on 6.0 so we can't take advantage of the new functionality.
  I am now trying to make an asset transfer through transaction ABUMN but the new asset is taking into account the capitalisation value of the original asset rather than the net book value that we would need the system to consider to calculate the new depreciation values.
  Do you know if there is a way to solve this?
  Thanks a lot. Best regards

• Mac & 802.1x Machine Authentication to Microsoft AD using PEAP

  We are having trouble successfully connecting wirelessly our Active Directory-bound Macs to our internal 802.1x wireless network using EAP-PEAP with machine authentication. All of our Windows machines work fine. We have a network profile built out of JAMF, with some generic payloads configured, including Use Directory Authentication and the appropriate Verisign certificate attached to authenticate to the Cisco Radius Server onsite. We are able to connect to this wireless network when we also have the machine directly connected via Ethernet. Somehow this causes the Mac to pass the correct domainhost\machinename. When we aren't connected directly, the Mac attempts to authenticate with the incorrect domainhost in front of the correct \machinename. The logs from Console are attached below:
  Apr 22 13:37:28 MACHINENAME eapolclient[****]: System Mode Using AD Account '(wrongdomain)\machinenameinAD$'
  Apr 22 13:37:28 MACHINENAME eapolclient[****]: en0 PEAP: authentication failed with status 1
  Apr 22 13:37:28 MACHINENAME eapolclient[****]: peap_request: ignoring non PEAP start frame
  Apr 22 13:37:31 MACHINENAME eapolclient[****]: en0 STOP
  Apr 22 13:37:52 MACHINENAME eapolclient[****]: opened log file '/var/log/eapolclient.en0.log'
  Apr 22 13:37:52 MACHINENAME eapolclient[****]: System Mode Using AD Account '(correctdomain)\machinenameinAD$'
  Apr 22 13:37:52 MACHINENAME eapolclient[****]: en0 START
  Apr 22 13:37:53 MACHINENAME eapolclient[****]: eapmschapv2_success_request: successfully authenticated
  The first, unsuccessful attempt above is when we are attempting to authenticate and connect wirelessly without a connection to ethernet. The 2nd, successful attempt is when are also connected to Ethernet, which passes the correct domain name, properly authenticating the domain\machinename. After reboot, we have to again plug in directly to Ethernet to reauthenticate to this wirelss network. Any idea(s) why plugging into Ethernet would cause the Mac to send the correct domainhost? Thanks.

  Hi Danny. Older thread here, but I can confirm 10.8.4 did indeed resolve a very specific bug in circumstances where the netbios name did not match the domain name. We worked with Apple's engineers on resolution for this fix and can confirm that until we got our Macs to 10.8.4, we experienced similar issues with machine-based configuration profiles failing to authenticate as a result of incorrectly passing the wrong domain.
  Glad you found resolution with a later version of the OS.
  Reference: http://lists.psu.edu/cgi-bin/wa?A2=MACENTERPRISE;Zrq7fg;201303271647570400

• Can I use existing 10g iAS install with Application Express?

  I apologize if this has been addressed somewhere else, but I haven't been able to find a definitive answer yet.
  I have a 10g DB installed on machine A, and have been following the instructions to install Application Express. Instead of installing another instance of HTTP_Server (from the companion CD) on machine A, I have machine B with a full 10g iAS install on it (discoverer, portal, infrastructure, etc). I would like to use machine B as the front end to access htmldb. Machine B has 2 oracle homes, one for the infrastructure and one for the BI tools/portal stuff. Which one do I configure for htmldb? From reading in this forum I think I can use the dads.conf file instead of the marvel.conf file (which doesn't exist) to add the pls/htmldb info, but I can't figure out which one to edit. I probably have something else wrong somewhere, but this would help narrow things down. Currently when I go to the following url http://machineb:7778/pls/htmldb I get "503 Service Temporarily Unavailable".
  Thanks in advance for any help.
  Rhonda

  Sure, you can use the Application Server, no need to install another one.
  You would add the configuration to the BI tools/portal stuff Oracle Home, not the infrastructure.
  You don't need the marvel.conf explicitly (but this is installed per default when you install the http server from the 10g companion CD).
  You could just add the DAD configuration to the dads.conf.
  To make it a bit simpler I would do the following:
  1) remove the entries for /pls/htmldb from your current dads.conf (if they exist).
  2) follow the instructions here: http://www.oracle.com/technology/products/database/application_express/howtos/howto_useoas10g.html
  And use the following for the contents of the file marvel.conf (make sure to change it accordingly for your environment (changes to make are bold):
  AddType text/xml xbl
  AddType text/x-component htc
  Alias /i/ /home/oracle/oracle/product/10.2.0/db/htmldb/images/
  <Location /pls/htmldb>
      Order deny,allow
      PlsqlDocumentPath docs
      AllowOverride None
      PlsqlDocumentProcedure wwv_flow_file_manager.process_download
      PlsqlDatabaseConnectString localhost:1521:o1020
      PlsqlNLSLanguage AMERICAN_AMERICA.AL32UTF8
      PlsqlAuthenticationMode Basic
      SetHandler pls_handler
      PlsqlDocumentTablename wwv_flow_file_objects$
      PlsqlDatabaseUsername HTMLDB_PUBLIC_USER
      PlsqlDefaultPage htmldb
      PlsqlDatabasePassword <password for HTMLDB_PUBLIC_USER>
      Allow from all
      PlsqlErrorStyle ModplsqlStyle
  </Location>
  ~Dietmar.