Which identity is ISE meant to place on CSR towards NDES?

Hello,
I'm having an issue with the Proxy SCEP function of ISE. I'm basing my config on the BYOD CVD.
I'm able to enroll an iPad towards my CA, but when checking the issued certificate's Common Name or SAN, I can only see the NDES service account username/email on the certificate. According to the documentation I consulted, I was expecting to see a reference either to the MAC address of the device for which the certificate was generated or to the username that triggered the enrollment request. Neither of those appears in the visible fields of the certificate.
Nevertheless while debugging the authentication flow, I do see that the Username is the NDES Service Account, but the RADIUS Username is the actual username of the user that triggered the device enrollment.
Can anybody let me know if this is expected behaviour, how the certificate should be properly generated, and how to configure either the certificate template or ISE to achieve this?
Thanks
Gustavo Novais

Gustavo,
I assume that the RADIUS username for both certs is different? Does the cert for internal use the [email protected] format (UPN)?
If that is the case then you can create a condition for your authentication rule (under Policy Elements > Conditions) so that the RADIUS username matches @abc.com, and then map that to another identity sequence store that uses the attribute you want for internal. Keep your other rule for dot1x users below, since this will be more "granular" than your BYOD authentication rule, which should point them to the ID sequence you have now.
I set up an example in the lab using the Cert Auth Profile which uses the email attribute, but you can tweak that to your environment.
Attached are the screenshots.
authenticationcondition - creates a filter for the RADIUS username format (you may need to play with this since it doesn't have the "ends with" attribute; I am assuming the "matches" will look for a string pattern).
CAPADInt - creates the certificate auth profile using the attribute in the cert.
AnotherIdenity - sets the sequence so it doesn't break the deployment if users decide to enter their AD credentials using this format also; make sure you set the condition to continue at the bottom.
MappingtoAuthenRule - is what puts this all together.
Thanks and good luck!!!
Tarik Admani
*Please rate helpful posts*

Similar Messages

  • OAM : Which identity server is used by Password Policy?

    Hi,
    The OAM setup has two identity servers (ois1, ois2), two webpass (wp1, wp2) on two web servers. wp1 is pointing to ois1 only and wp2 is pointing to ois2.
    We have two sets of Policy manager, Access server and WebGate. wg1 is pointing to aaa1 and wg2 is pointing to aaa2.
    Now, when a user tries to access an OAM WebGate protected page and the password policy gets applied, does the identity server come into the picture? If yes, which identity server is used here, ois1 or ois2?
    I want to use ois1 for all the requests coming to webserver with wg1. How do I do it?
    Thanks in advance.

    Hi Colin,
    Thanks for your reply.
    The reason I put this question was - in a scenario when I don't have an Access Server (any access component), Password Policies also work. So, I understand the identity server is used here. When we have access side components, what makes OAM not use the identity server at all? Or is it a feature of OAM - when the accessed resource is protected by WebGate the Password Policies are taken care of by the Access Server, otherwise by the identity server - or is it because of the 'obReadPasswdMode' and 'obWritePasswdMode' in the authentication scheme?
    I stopped my identity server and I saw the password policy working - so I know the behavior; still asking the above question for my better understanding of OAM.
    Thanks for your help!

  • Which is the right way?/place to post the suggestion to SAP

    Hi Friends,
    If someone has to make a suggestion to SAP, for its product extension, or maybe a new feature to add to its existing product offering, which is the right place? Should it be in the form of a blog or a post in a forum?
    And if it indeed turns out to be a unique, feasible feature and gets lots of positive response, what kind of recognition will it get?

    lol. there's a world outside the US for those who don't know.
    Therefore ASUG might not be the right address for someone living elsewhere. There are some SAP user groups in other areas of this world, e.g. in Germany it's DSAG; unfortunately you have to be a member of those 'societies' (membership fee) and it's not easy to make yourself heard in the beginning.
    SAP could provide better channels for that, e.g. special SDN areas for that purpose.
    rgds,
    anton

  • I just made a new account and i placed the account in my ipod but now its asking me submit a payment method which i do not want to place because i do not want to purchase any app that requires money. how can i use my account without giving a payment metho

    Now it asks me to put in my payment method. I do not wish to put it in because I am not looking forward to purchasing any app that needs to be paid for. How can I use my account but not give my credit card data?

    Create a NEW account/ID using these instructions. Make sure you follow the instructions. Many do not and if you do not you will not get the None option. You must use an email address that you have not used with Apple before. Make sure you specify a birthdate that results in being at least 13 years old
      Creating an iTunes Store, App Store, iBookstore, and Mac App Store account without a credit card
    More details of how:
    http://ipadhelp.com/ipad-help-tips-tricks/how-to-get-free-apps-from-the-app-store-without-a-credit-card/

  • I hit iPhoto send and I get: The email server didn't recognize your username/password combination. -- then can't get back to re-enter, which was correct one in first place.

    I have filled out an iPhoto "postcard" format with a message and photo, etc., and when I hit send, I get the message "The email server didn't recognize your username/password combination." I hit OK but it does not clear to refill the log-in -- and I believe the info was correct to start. I'd like to save (and not have to re-create) the card, but see no way of doing so, thus am fearful of closing it (for good).

    in the iPhoto preferences ==> accounts delete your e-mail account and reenter it
    OR
    IMHO the better solution is to set Apple mail as the email client in the iPhoto preferences
    LN

  • Which Identity components run automatically (Windows)?

    Hi,
    I've finished installing:
    OID
    OVD
    OIF
    OAM
    OIM
    On several Windows 2003 Servers, and while I haven't tested everything, things seem to be working.
    I noticed that for most of these, you actually have to start the WebLogic instance (startWebLogic) and then start each component up via the WL console (e.g., oam_server1, etc.), but I also noticed that the ldapd part of OID and also OVD appear to run on startup, and shows up under opmnctl. I understand that without running WebLogic, I can't access the OID and OVD consoles, but the "servers" themselves appear to run autonomously.
    So, I was wondering, what about the other components? Do any of them run like that, as kind of "services", and, in particular, OAM and OIF? Or, for those, do I always have to start the WebLogic console, and start the "servers" via the WL Console, in order for them to be "running"?
    Thanks,
    Jim

    I think the way the fusion idm components are developed and deployed has an impact on what you see.
    Lets talk of the individual products. I would assume we all know the very basics of weblogic architecture and the related terms.
    1. OVD: The OVD is not a managed instance of the weblogic server. It is a standalone J2SE instance. Therefore the OVD can run perfectly well without the weblogic and can run the opmn control. But the ODSM is a webapp deployed on the weblogic, so to administer the ovd, you will have to run the weblogic and then run the odsm.
    2. OAM: The OAM is a managed instance under weblogic server in a weblogic domain. (def port is 14001). So, the weblogic managed instance must be running for OAM to work. Note that the weblogic admin server might not run; you can start the managed instance through the command line as well. Same for OIM. Now, oamconsole is a webapp to administer the OAM instance, so the weblogic server needs to be running for oamconsole.
    3. Node manager is tied to one host: if you want to start up/shut down any managed instance from the weblogic console, then you must have the node manager running. If the node manager is not running, then the only way to start the managed instances is from the command prompt. The admin instance must be running nevertheless.
    Hope this is correct and this helps. Let us know.

  • Cisco ISE - General Info. & capabilities

    Hello All,
    I've read quite a bit about ISE features, but would like to know the following:
    1. Can ISE provide/track details of user activity, like which servers/websites he accessed over a period of time?
    2. Can it provide details of how much data was transferred from a particular server to a specific client?
    3. For a 1500 user env. (1000 desktops and 500 wireless devices) which model of ISE would be appropriate?
    4. How would having ISE be different from already deployed authentication services like Active Directory or built-in application authentication for solutions like Oracle ERP systems?
    5. I see ISE as being marketed primarily for wireless devices (BYOD), but how would it help for wired devices (or does it become an unnecessary authentication level apart from AD, switch-based 802.1X, etc.)?
    Thank you.
    Regards,
    Adnan

    Cisco ISE is a consolidated policy-based access control system that incorporates a superset of features available in existing Cisco policy platforms. Cisco ISE performs the following functions:
    • Combines authentication, authorization, accounting (AAA), posture, and profiler into one appliance
    • Provides for comprehensive guest access management for the Cisco ISE administrator, sanctioned sponsor administrators, or both
    • Enforces endpoint compliance by providing comprehensive client provisioning measures and assessing device posture for all endpoints that access the network, including 802.1X environments
    • Provides support for discovery, profiling, policy-based placement, and monitoring of endpoint devices on the network
    • Enables consistent policy in centralized and distributed deployments that allows services to be delivered where they are needed
    • Employs advanced enforcement capabilities including security group access (SGA) through the use of security group tags (SGTs) and security group access control lists (SGACLs)
    • Supports scalability to support a number of deployment scenarios from small office to large enterprise environments
    The following key functions of Cisco ISE enable you to manage your entire access network.
    Provide Identity-Based Network Access
    The Cisco ISE solution provides context-aware identity management in the following areas:
    • Cisco ISE determines whether users are accessing the network on an authorized, policy-compliant device.
    • Cisco ISE establishes user identity, location, and access history, which can be used for compliance and reporting.
    • Cisco ISE assigns services based on the assigned user role, group, and associated policy (job role, location, device type, and so on).
    • Cisco ISE grants authenticated users with access to specific segments of the network, or specific applications and services, or both, based on authentication results.
    ISE 3315 can support 1500 users with appropriate license.

  • ISE integration with Mobile Device Management ( MDM ) help required

    Dear Techies,
         I am here to bring to your notice a different issue, with not many resources to support it even in PEC or Cisco documentation.
         We are conducting a Proof Of Concept (PoC) on Secure Bring Your Own Device (BYOD) using Cisco ISE and are going to test all the scenarios like Wired, Wireless and VPN user access.
    Setup Brief :
    =========
          Our Setup has an ISE VM acting as Admin, Monitor and Profiling Device, we have a NAC 3315 physical Appliance as Inline Posture Device, Wireless LAN controller, Access point and the Identity source as Microsoft Active Directory.
         Having Plans to Integrate Mobile Device Management ( MDM ) and Citrix VDI setup also.
    Activity Brief:
    =========
         As of now we have tested the Wired Scenario Authentication and Authorization for guest users and are going to carry out the profiling and posture.
    Clarifications Required
    ================
    Wired Scenario - Require some configuration / steps on how to carryout posture for the guest wired users i.e. LAPTOP.
    Wireless Scenario
    Can MDM be integrated with ISE?
    How can MDM be integrated with Cisco ISE? Is there a configuration or guide to show the same?
    What is the demarcation between MDM and ISE (i.e. what is the role of ISE and MDM on Mobile Devices)?
    If MDM is available, then where does the control of ISE end? Does MDM do the management, or will ISE do the management of the devices?
    Will MDM do client provisioning, or should ISE?
    Does MDM send or update patches of Mobile Devices?
    As of now these are the scenarios; kindly revert if there are any good documents to show this, or share your expertise on the Integration part.
    Thanks for Reading...
    Arun

    I would like to avail of your valuable inputs to understand the Client provisioning part for the Mobile Devices / Laptop. I understand from your reply that MDM integration is not available in the current release ISE 1.1 - That is correct.
    Kindly let me know your views or any documents on the following scenarios with the current release in mind
    1. User with Mobile devices connecting to Wireless (both Employee and Guest). How does the Flow differ for the Employee and Guest? How is the client provisioning done (i.e. like Posturing or Compliance Check)?
    The posturing and compliance check is done based on the user authentication information (i.e. AD memberOf vs Guest user) combined with the user's endpoint (Windows, Mac OS X, or a mobile device); ISE then has a few decisions to make based on the authorization policies. For example, if a Domain User coming from a Windows 7 machine joins the network, then you can either use the NAC agent or the web agent. Then you can scan for registry settings, file settings, program requirements, hotfix compliance... and the list goes on. If the user fails a check then you can either assign an ACL for the user so they only have guest access, or you can place them into a remediation VLAN; the options are entirely up to the requirements and however the solution is implemented.
    2. User with Laptop connecting to Wireless (both Employee and Guest). How is the client provisioning done (i.e. like Posturing or Compliance Check)?
    Guests are usually redirected to the guest portal where they authenticate, and their user group falls within the Guest container that is on the ISE internal database; that is usually coupled with an authorization profile that grants them internet access. Client provisioning is usually done based on the operating system, via profiling (DHCP, user agent string, Nmap, etc.) and can be fine tuned for all laptops or for a specific set of users based on their group membership.
    3. What are the advantages of having ISE also in place for Mobile devices, since most of the Mobile related tasks (like Authentication, Authorization, Profiling and Posture) are carried out by MDM? I am checking for the significant advantage of having ISE for a client network having only Mobile devices. Kindly clarify.
    Currently the advantage of Cisco ISE is that it supports profiling within wireless and really fits well within a network that has mostly Cisco products, since they are all part of the Borderless security initiative being driven on the backend. The product teams for wireless, wired, security (VPN, etc.) and ISE are pretty close in building their solutions so that you can get connected with any device anywhere (sorry for the sales pitch). The latest wireless code is improving and is going to have support similar to the IOS sensor for wired devices, where DHCP, CDP, and other attributes can be sent in the RADIUS packet for better profiling decisions. With integration for an MDM platform coming soon, and also support for TACACS rumored (have to verify with your account rep), you have options that really stand out from a unit that only supports MDM. Cisco ISE also comes with a wireless product ID, so that makes the budget work when it comes to deploying ISE if you aren't looking for enforcement on your wired devices.
    4. Do you recommend 802.1X Authentication for the Employee and Contractor, and Open for the Guest user authentication?
    For internal users and vendors the best option by far is dot1x; almost all operating systems are capable of performing dot1x, and the 1.1.1 MR now has a piece that can provision the supplicant for the users, by using SCEP to enroll certificates or configure PEAP settings.
    There is a feature within the guest portal that allows you to statically assign guests into an endpoint group; that feature is called device registration web authentication. It seems like an open network but uses MAC filtering to assign these devices to an endpoint group without requiring users to enter any credentials. They are presented with an AUP page; once they accept, their MAC address is mapped to the endpoint group.
    5. How can we ensure the Encryption of traffic from the Guest user to the NAD (Network Access Device)?
    This may be a wireless question, but I am sure the encryption is done using AES and using dot1x as the key management; here is a brief background for this - http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00807f42e9.shtml#L2
    You can also use the AnyConnect client, which can provide MACsec, which is layer 2 encryption for wired - http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/qa_c67-622477_ns1049_Networking_Solutions_Q_and_A.html
    6. We are also looking for a VDI (Citrix, VMware) solution for the client (both Employee and Guest); how can ISE play a role in securing the VDI environment?
    For most thin clients you can perform dot1x authentication on the device itself; however that is something the manufacturer will have to support. This is a little gray for me.
    7. Is there any integration required with Citrix or VMware? How can the VDI be offered based on the User role (i.e. Employee, Contractor or Guest)? Since the Guest database is available only with ISE, how are the checks made from the VDI environment?
    In ISE there is an identity sequence which can authenticate users in AD first; if the user is not found then it can look in the internal database.
    Our solution demands MDM in the integrated solution. As of today ISE can't be integrated with MDM, so what kind of solution can we propose to have MDM and Cisco ISE? Should the clients that now enter the network already have the MDM agent installed, or is there any other way of pushing it to the Client?
    Today there is no integration between the devices; the last release time I heard was December for this feature. However it would be best to confirm with your Cisco Account rep on this issue.
    Thanks,
    Tarik Admani
    *Please rate helpful posts*

  • ISE url-redirect CWA to Gig1

    Hello,
    Say I want to have five ISE 1.3 nodes behind a load balancer. I want only G0 behind the LB, and the G1 interfaces will be dedicated for certain things. Specifically I want to use the G1 interface for Redirected Web Portal access (could be CWA, device registration, NSP, etc.). RADIUS auth will happen through the LB on G0 of some specific PSN, and that PSN will url-redirect the user to the CWA URL.
    How do I tell ISE to use specifically Gig1's IP address or Gig2's IP address? When I check the result authorization profile, there is no option there, it's just ip:port. Obviously, that's not the right place, because which PSN is used to process the policy is unpredictable.
    So then I go to guest portal, and specifically Self-Registered Guest Portal that I'm using. So here I see Gig0, Gig1, Gig2, and Gig3 listed. My guess is that if I only leave Gig1 selected then I will achieve my goal, is that correct?
    But then, why does it let me choose multiple interfaces, what happens if I select all of them?
    Am I missing another spot in ISE admin where I can control this?
    Additional question. I know that in ISE 1.2 you could configure "ip host" in ISE's CLI, which would force URL-redirect response to be translated to FQDN:port. Is that still the right method in ISE 1.3?
    Thanks!

    Take a look at the following document:
    http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/installation_guide/b_ise_InstallationGuide13.pdf
    Towards the end of the document you will find a section called: "Cisco ISE Infrastructure" and there you will see the following:
    • Cisco ISE management is restricted to Gigabit Ethernet 0.
    • RADIUS listens on all network interface cards (NICs).
    • All NICs can be configured with IP addresses.
    So, you can take an interface, give it an IP address and then assign it to the web portal that you are working with. 
    I hope this helps!
    Thank you for rating helpful posts!

  • How to add attribute to ISE 1.2

    The authentication details page shows under "Other Attributes" an attribute called SelectedAuthenticationIdentityStores
    Is there a way I can create rules based on this attribute? I can't find it anywhere in the policy conditions options.
    Thanks in advance!

    I need to create an authorization condition that includes an external identity source. That does not appear to be an option so I want to add the SelectedAuthenticationIdentityStores attribute so I can create authorization conditions based on which identity store is used.
    This would be very simple if ISE would let you choose an external identity source in your second screenshot, but unfortunately it only allows you to select internal identity groups.
    Unless I'm missing something? Thank you for the help.
    EDIT:
    I actually need to create an authorization policy based on the "Identity Store" attribute, see picture. Is there a way to add this to the dictionary?

  • Wired 802.1X with ISE | Some computers cannot be authenticated

    Hi,
    We have a customer which is using ISE with 802.1X in order to authenticate computers. All the computers have their own certificate and most of them can be authenticated fine! The issue is that some computers cannot be authenticated.
    The ports on the authenticator (Cisco WS-C4510R+E IOS 151-1) are configured exactly the same:
    interface GigabitEthernet2/19
    switchport access vlan 999
    switchport mode access
    authentication event no-response action authorize vlan 111
    authentication host-mode multi-domain
    authentication port-control auto
    mab
    dot1x pae authenticator
    dot1x timeout tx-period 5
    But for some reason some PCs cannot be authenticated. A Wireshark capture on the computer not working shows that the computer receives an EAP Request Identity and also sends a Response Identity to the switch, but then nothing more happens:
    So the process is stuck in the EAP-Response/Identity. I attach a debug capture on the switch for one of the computers which cannot be authenticated.
    It is really weird as most of the computers can be authenticated without any issues.
    Thanks in advance for your help.
    /Laurent

    I continued the debugging with the following debugs:
    debug dot1x all
    debug authentication events
    And now I see the following interesting difference between the 2 clients:
    This one works:
    Aug 30 09:12:06.245: dot1x-ev(Gi3/34): New client detected, issuing Start Request to AuthMgr
    Aug 30 09:12:06.245: AUTH-EVENT (Gi3/34) Received 'START_REQUEST', current method is dot1x (handle 0x00000003)
    Aug 30 09:12:06.245: AUTH-EVENT (Gi3/34) Start request by method "dot1x" for bc5f.f439.21ca
    Aug 30 09:12:06.245: AUTH-EVENT: auth_mgr_idc_insert_key_in_record: update mac bc5f.f439.21ca
    Aug 30 09:12:06.245: AUTH-EVENT (Gi3/34) Sending NEW_MAC to dot1x (handle 0x5E0001D2)
    !! output suppressed - results in success
    This one does NOT work:
    Aug 30 09:14:22.247: dot1x-ev(Gi3/34): New client detected, issuing Start Request to AuthMgr
    Aug 30 09:14:22.247: AUTH-EVENT (Gi3/34) Received 'START_REQUEST', current method is dot1x (handle 0x00000003)
    Aug 30 09:14:22.247: AUTH-EVENT (Gi3/34) Start request by method "dot1x" for 3860.775d.cf06
    Aug 30 09:14:22.247: AUTH-EVENT (Gi3/34) MAC 3860.775d.cf06 moved from Gi1/2
    Aug 30 09:14:22.247: AUTH-EVENT (Gi3/34) MAC move action is deny
    !! output suppressed - results in failure
    Both clients are tested one at a time on interface Gi3/34.
    The interface that denies the MAC move action is Gi1/2. This is an interface connected to another network that both of the clients were previously connected to, before connecting them to the Dot1X network (in this case, interface Gi3/34).
    So now the question is what the MAC move action tries to do, and why it is denied...
    If I do a MAC-address table lookup of the affected address, it gives nothing! The MAC is not associated to interface Gi1/2 in the MAC table, even though this is where the auth-manager tries to move it from:
    SW_3.sal#sh mac add add 3860.775d.cf06     
    No entries present.
    If the MAC is not present in the address-table, how can it be associated to Gi1/2 ?
    I found out that the following command clears whatever state is inconsistent:
    clear authentication sessions mac xxxx.xxxx.xxxx
    And now the client can access the network!
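    The stale-session symptom above (a Start request followed by "MAC ... moved from" and "MAC move action is deny" on a port that no longer holds the MAC) is easy to miss in a wall of debug output. The following added example, not part of the original post, walks `debug authentication events` lines, tracks one auth-manager session per MAC, and reports the MAC, the port it is trying to join, the port the stale session points at, and the clearing command quoted in the post. The sample lines are the two excerpts above; the parser and its regexes are this example's own construction, not a Cisco tool.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the working client and the failing client quoted in the post.
SAMPLE_DEBUG = """\
Aug 30 09:12:06.245: dot1x-ev(Gi3/34): New client detected, issuing Start Request to AuthMgr
Aug 30 09:12:06.245: AUTH-EVENT (Gi3/34) Received 'START_REQUEST', current method is dot1x (handle 0x00000003)
Aug 30 09:12:06.245: AUTH-EVENT (Gi3/34) Start request by method "dot1x" for bc5f.f439.21ca
Aug 30 09:12:06.245: AUTH-EVENT: auth_mgr_idc_insert_key_in_record: update mac bc5f.f439.21ca
Aug 30 09:12:06.245: AUTH-EVENT (Gi3/34) Sending NEW_MAC to dot1x (handle 0x5E0001D2)
Aug 30 09:14:22.247: dot1x-ev(Gi3/34): New client detected, issuing Start Request to AuthMgr
Aug 30 09:14:22.247: AUTH-EVENT (Gi3/34) Received 'START_REQUEST', current method is dot1x (handle 0x00000003)
Aug 30 09:14:22.247: AUTH-EVENT (Gi3/34) Start request by method "dot1x" for 3860.775d.cf06
Aug 30 09:14:22.247: AUTH-EVENT (Gi3/34) MAC 3860.775d.cf06 moved from Gi1/2
Aug 30 09:14:22.247: AUTH-EVENT (Gi3/34) MAC move action is deny
"""

MAC = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"   # Cisco dotted-hex MAC notation
TS_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d\.\d+):")
START_RE = re.compile(r'AUTH-EVENT \((?P<port>\S+)\) Start request by method "(?P<method>\w+)" for (?P<mac>' + MAC + r")")
MOVE_RE = re.compile(r"AUTH-EVENT \((?P<port>\S+)\) MAC (?P<mac>" + MAC + r") moved from (?P<old_port>\S+)")
DENY_RE = re.compile(r"AUTH-EVENT \((?P<port>\S+)\) MAC move action is deny")


@dataclass
class Session:
    mac: str
    port: str
    method: str
    first_seen: str
    moved_from: Optional[str] = None   # port the auth manager believes still owns this MAC
    move_denied: bool = False


@dataclass
class Finding:
    mac: str
    port: str          # port the client is physically on now
    stale_port: str    # port the stale session points at
    timestamp: str
    remedy: str        # the command the post used to clear the inconsistent state


def parse_auth_events(text: str) -> Dict[str, Session]:
    """Track one auth-manager session per MAC across the debug lines."""
    sessions: Dict[str, Session] = {}
    last_mac_on_port: Dict[str, str] = {}   # port -> MAC of the most recent Start request
    for line in text.splitlines():
        ts_m = TS_RE.match(line)
        ts = ts_m.group("ts") if ts_m else ""
        if m := START_RE.search(line):
            sessions[m["mac"]] = Session(m["mac"], m["port"], m["method"], ts)
            last_mac_on_port[m["port"]] = m["mac"]
        elif m := MOVE_RE.search(line):
            if (s := sessions.get(m["mac"])) is not None:
                s.moved_from = m["old_port"]
        elif m := DENY_RE.search(line):
            # The deny line carries no MAC; attribute it to the session most
            # recently started on that port, which is what the debug sequence shows.
            mac = last_mac_on_port.get(m["port"])
            if mac in sessions:
                sessions[mac].move_denied = True
    return sessions


def find_stale_session_denials(text: str) -> List[Finding]:
    """Return one finding per MAC whose move from a stale port was denied."""
    findings: List[Finding] = []
    for s in parse_auth_events(text).values():
        if s.moved_from and s.move_denied:
            findings.append(Finding(
                mac=s.mac, port=s.port, stale_port=s.moved_from, timestamp=s.first_seen,
                remedy=f"clear authentication sessions mac {s.mac}",
            ))
    return findings


if __name__ == "__main__":
    for f in find_stale_session_denials(SAMPLE_DEBUG):
        print(f"{f.timestamp} {f.mac} on {f.port}: move from {f.stale_port} denied -> {f.remedy}")
```

The working client has no "moved from" line and is not reported; only the client whose stale session on Gi1/2 blocks the new attempt on Gi3/34 produces a finding.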

  • ISE distribution system with 4 nodes & Licensing

    Hi,
    Question 1
    We have 04 ISE appliances and we are planning to deploy them in a distributed system in such a way that 02 ISE will act as PRI/SEC with the roles PAD/M&T and the other 02 will act as PRI/SEC PDPs.
    Configuring the PAD/MT pair is straightforward and has no doubts; however we have an issue with the other two nodes which are (PDP) as PRI/SEC.
    ISE is giving us a warning that at least one node should have the monitor role enabled; however by that time the Admin role is already enabled and we can't disable it.
    If someone has deployed this, appreciate can guide me in proper direction or share any document how to achieve this requirement.
    Question 2
    My other query is about the licensing for this requirement. We have only 1 Base and 1 Adv license for all these 04 boxes for about 500 endpoints. However we can generate licenses against only 1 ISE appliance by giving its serial number, and that will be installed on the Primary PAP/MT box only; what about the other two boxes which will act as PRI/SEC PDPs? They will still give a warning that there are no licenses.
    Question 3
    When we deploy a distributed system with the above scenario, what ISE node IP addresses do we need to configure on the NAD (switch)? Will it be all 04 IP addresses, or the pair of PAP/MT or PDP?
    Thanks in advance.

    Question 1
    We have 04 ISE appliances and we are planning to deploy them in a distributed system in such a way that 02 ISE will act as PRI/SEC with the roles PAD/M&T and the other 02 will act as PRI/SEC PDPs. Configuring the PAD/MT pair is straightforward and has no doubts; however we have an issue with the other two nodes which are (PDP) as PRI/SEC. ISE is giving us a warning that at least one node should have the monitor role enabled; however by that time the Admin role is already enabled and we can't disable it. If someone has deployed this, appreciate if you can guide me in the proper direction or share any document on how to achieve this requirement.
    Answer-  The type of ISE deployment you want to implement is Distributed with HA.
    In this particular case, you must have PAN and one MNT and rest nodes can be PSN, which depends as per your requirement.
    In your case you are going to run PAN & MNT on single node with HA and other 2 nodes are left for PSNs.
    There is no concept of HA for an individual PSN; all your PSNs will remain active. However you can distribute the requests coming from NADs between the 2 PSNs, e.g. configure some NADs with one PSN IP and the rest with the other PSN.
    Question 2
    My other query is about the licensing for this requirement. We have only 1 Base and 1 Adv license for all these 04 boxes for about 500 endpoints. However we can generate licenses against only 1 ISE appliance by giving its serial number, and that will be installed on the Primary PAP/MT box only; what about the other two boxes which will act as PRI/SEC PDPs? They will still give a warning that there are no licenses.
    Answer- First node in ISE is considered as Primary node under the ISE instance, so when you add more ISE appliances under that ISE instance all become secondary except the first one.
    Hence you install licenses on the Primary ISE node on which you installed ISE in early stage or you introduced in your network.
    So Licenses are meant for ISE instance not for the node.
    Question 3
    When we deploy a distributed system with the above scenario, what ISE node IP addresses do we need to configure on the NAD (switch)? Will it be all 04 IP addresses, or the pair of PAP/MT or PDP?
    Answer- On NADs you have to configure PSN's IPs, like you can configure one PSN IP as a primary and other one as a secondary.

  • How can I get a Powershell script which maps network drives to execute at logon to any workstation in my domain

    I want to map network drives for each user when they logon to any workstation in the network. I have created and tested the PS1 script which works fine where the drives attach and used the persistent parameter. I have updated the Windows 7 Professional 64-bit workstation to the latest PS 4.0 code. I have created the GPO and believe everything is assigned properly. I made changes to allow execution of local and remote signed scripts. I have forced the changes on a workstation using GPUPDATE /force, but the drives do not connect. The GPRESULT is as follows, which shows the policies are in place as shown below.
    What am I missing to get the script to execute? 
    RSOP data for MRC\mikeg on MIDRUBD03 : Logging Mode
    OS Configuration:            Member Workstation
    OS Version:                  6.1.7601
    Site Name:                   N/A
    Roaming Profile:             N/A
    Local Profile:               C:\Users\mikeg.MRC
    Connected over a slow link?: No
    USER SETTINGS
        CN=My Name,CN=Users,DC=mrc,DC=net
        Last time Group Policy was applied: 7/21/2014 at 8:22:05 AM
        Group Policy was applied from:      MIDSRVR01.mrc.net
        Group Policy slow link threshold:   500 kbps
        Domain Name:                        MRC
        Domain Type:                        Windows 2000
        Applied Group Policy Objects
            StartingUp
        The following GPOs were not applied because they were filtered out
            Default Domain Policy
                Filtering:  Not Applied (Empty)
            Local Group Policy
                Filtering:  Not Applied (Empty)
        The user is a part of the following security groups
            Domain Admins
            Everyone
            BUILTIN\Administrators
            BUILTIN\Users
            NT AUTHORITY\INTERACTIVE
            CONSOLE LOGON
            NT AUTHORITY\Authenticated Users
            This Organization
            LOCAL
            MRCAdmins
            Domain Users
            Enterprise Admins
            Schema Admins
            AS400_Permanent_Users
            Denied RODC Password Replication Group
            DnsAdmins
            High Mandatory Level
        The user has the following security privileges
        Resultant Set Of Policies for User
            Software Installations
                N/A
            Logon Scripts
                GPO: StartingUp
                    Name:         C:\Windows\SYSVOL\sysvol\mrc.net\Policies\{47773A6D-1115-4A3D-BB74-F672B315A430}\User\Scripts\Logon\MapDriveScript.ps1
                    Parameters:
                    LastExecuted: This script has not yet been executed.
            Logoff Scripts
            Public Key Policies
                N/A
            Administrative Templates
                GPO: StartingUp
                    KeyName:     Software\Policies\Microsoft\Windows\PowerShell\EnableScripts
                    Value:       1, 0, 0, 0
                    State:       Enabled
                GPO: StartingUp
                    KeyName:     Software\Policies\Microsoft\Windows\PowerShell\ExecutionPolicy
                    Value:       82, 0, 101, 0, 109, 0, 111, 0, 116, 0, 101, 0, 83, 0, 105, 0, 103, 0, 110, 0, 101, 0, 100, 0, 0, 0
                    State:       Enabled
            Folder Redirection
                N/A
            Internet Explorer Browser User Interface
                N/A
            Internet Explorer Connection
                N/A
            Internet Explorer URLs
                N/A
            Internet Explorer Security
                N/A
            Internet Explorer Programs
                N/A

    >                  Name:         C:\Windows\SYSVOL\sysvol\mrc.net\Policies\{47773A6D-1115-4A3D-BB74-F672B315A430}\User\Scripts\Logon\MapDriveScript.ps1
    >                  Parameters:
    First: Only one of all current answers points in the right direction.
    You picked the local sysvol path on the DC which does not exist on
    clients, of course...
    The path to the script MUST be a UNC path starting like
    \\mrc.net\sysvol\mrc.net\Policies\...
    Second: You CANNOT execute PS1 directly (unless you change the .ps1 file
    extension configuration). The "Name" MUST be "powershell.exe", and the
    script itself goes into "Parameters".
    Martin
    How about reading a
    GOOD book on GPOs?
    NO THEY ARE NOT EVIL, if you know what you are doing:
    Good or bad GPOs?
    And if IT bothers me - coke bottle design refreshment :))
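    As an added example in PowerShell (not code from the thread), the following audits a GPO's scripts.ini / psscripts.ini in SYSVOL for the two mistakes Martin describes, and decodes the REG_BINARY ExecutionPolicy value the way GPRESULT prints it. The domain and GPO GUID are taken from the GPRESULT output above; the function names are assumptions.

```powershell
# Added example, not code from the thread. Domain and GPO GUID come from the GPRESULT output.
$Domain  = 'mrc.net'
$GpoGuid = '{47773A6D-1115-4A3D-BB74-F672B315A430}'

# Clients reach the policy through the SYSVOL share, never through the DC's local C:\Windows\SYSVOL.
$scriptRoot = "\\$Domain\SYSVOL\$Domain\Policies\$GpoGuid\User\Scripts"

# Parse the INI Group Policy writes for logon scripts: 0CmdLine= / 0Parameters= keys under
# [Logon] or [Logoff]. scripts.ini is the classic tab, psscripts.ini the PowerShell tab.
function Get-GpoScriptEntry([string]$IniPath) {
    $section = ''
    $entries = @{}
    # Get-Content honours the UTF-16 byte-order mark these files are normally written with
    foreach ($line in Get-Content -LiteralPath $IniPath) {
        if ($line -match '^\[(.+)\]\s*$') { $section = $Matches[1]; continue }
        if ($line -match '^(\d+)(CmdLine|Parameters)=(.*)$') {
            $key = "$section/$($Matches[1])"
            if (-not $entries.ContainsKey($key)) { $entries[$key] = @{ CmdLine = ''; Parameters = '' } }
            $entries[$key][$Matches[2]] = $Matches[3]
        }
    }
    return $entries
}

# One warning per misconfigured entry; an empty list means the entries look right.
function Test-GpoLogonScript([string]$IniName, [hashtable]$Entries) {
    $findings = @()
    foreach ($key in $Entries.Keys) {
        $cmd = $Entries[$key].CmdLine
        if ($cmd -match '^[A-Za-z]:\\') {
            $findings += "$IniName [$key]: '$cmd' is a local DC path; use \\$Domain\SYSVOL\$Domain\Policies\..."
        }
        # The classic tab launches CmdLine via the .ps1 file association, which does not run the
        # script; the host must be powershell.exe with the script passed in Parameters.
        if ($IniName -eq 'scripts.ini' -and $cmd -match '\.ps1$') {
            $findings += "$IniName [$key]: CmdLine is a .ps1; set CmdLine=powershell.exe and Parameters=-ExecutionPolicy RemoteSigned -File `"$cmd`""
        }
    }
    return $findings
}

# Decode a REG_BINARY value as GPRESULT prints it (comma-separated UTF-16LE bytes).
# The ExecutionPolicy value in the output above decodes to 'RemoteSigned'.
function ConvertFrom-GpresultBinary([string]$ValueText) {
    $bytes = [byte[]]($ValueText -split ',\s*' | ForEach-Object { [byte]$_ })
    return [Text.Encoding]::Unicode.GetString($bytes).TrimEnd([char]0)
}

foreach ($ini in 'scripts.ini', 'psscripts.ini') {
    $path = Join-Path $scriptRoot $ini
    if (-not (Test-Path -LiteralPath $path)) { continue }
    $findings = Test-GpoLogonScript $ini (Get-GpoScriptEntry $path)
    if ($findings) { $findings | ForEach-Object { Write-Warning $_ } } else { "$ini : OK" }
}
```

Run it as a domain user with read access to SYSVOL; a clean result still requires the PowerShell execution-policy GPO (shown in the GPRESULT output) to have applied on the client.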

  • How to implement place holder columns in data template

    Hi,
    I have a requirement where I have to mimic the functionality of place holder columns in RDF using Data Templates in XML Publisher.
    How can I call a pl/sql function at element level when we try to group records in the data template.
    To make it simple, let us say I have a requirement to retrieve the address of an employee (address line 1, address line 2, city, country).
    In RDF what I do is define 4 place holder columns to capture address attributes, and in a formula column I set values to these attributes. How do I implement this in XML Publisher data template?
    When I tried to implement the above requirement using test variables, I was able to execute a pl/sql function after the group tag, but not within the group tag.
    I got the result for calc_values3, but didn't get anything for calc_values1 and 2.
    Data Template:
    <dataTemplate name="XXLCPAY142R" description="online payslip" defaultPackage="XXLCPAY_ONLINEPAYSLIP_PKG" version="1.0">
    <parameters>
    <parameter name="P_ASSIGNMENT_ACTION_ID" dataType="number" />
    </parameters>
    <dataQuery>
    <sqlStatement name="Q_PAYMENT_RUN">
    <![CDATA[
    SELECT PAAPRV.assignment_action_id assignment_action_id
    ,PAAPRV.payroll_action_id payroll_action_id
    ,PAAPRV.run_assignment_action_id run_assignment_action_id
    ,PAAPRV.run_payroll_action_id run_payroll_action_id
    ,PAAPRV.person_id person_id
    ,PAAPRV.full_name full_name
    ,PAAPRV.last_name surname
    ,PAAPRV.assignment_id assignment_id
    ,PAAPRV.business_group_id business_group_id
    ,PAAPRV.assignment_number assignment_number
    ,PAAPRV.registered_employer legal_employer
    ,PAAPRV.abn abn
    ,PAAPRV.grade grade
    ,PAAPRV.payroll_id payroll_id
    ,PAAPRV.time_period_id time_period_id
    ,PAAPRV.period_start_date period_start_date
    ,PAAPRV.period_end_date period_end_date
    ,TO_CHAR(PAAPRV.period_start_date,'DD-Mon-YYYY') period_start_display
    ,TO_CHAR(PAAPRV.period_end_date,'DD-Mon-YYYY') period_end_display
    ,PAAPRV.period_number || ' ' || TO_CHAR(PAAPRV.period_end_date,'YYYY') period_number
    ,TO_CHAR(PTP.regular_payment_date,'DD-Mon-YYYY') pay_date
    ,PAAPRV.date_earned date_earned
    ,PAAF.ass_attribute2 legacy_position
    ,HR_GENERAL.DECODE_LOOKUP('EMPLOYEE_CATG',PAAF.employee_category) paypoint
    ,PPB.name salary_basis
    ,PAAF.people_group_id people_group_id
    ,PAAF.collective_agreement_id cagr_id
    FROM pay_au_asg_payment_runs_v PAAPRV
    ,per_time_periods PTP
    ,per_all_assignments_f PAAF
    ,per_pay_bases PPB
    WHERE PAAPRV.time_period_id = PTP.time_period_id
    AND PAAPRV.assignment_id = PAAF.assignment_id
    AND PAAF.pay_basis_id = PPB.pay_basis_id
    AND PAAPRV.date_earned BETWEEN PAAF.effective_start_date AND PAAF.effective_end_date
    AND PAAPRV.assignment_action_id = :P_ASSIGNMENT_ACTION_ID
    ]]>
    </sqlStatement>
    <sqlStatement name="Q_EARNINGS_DEDUCTIONS">
    <![CDATA[
    SELECT PAI.locking_action_id assignment_action_id_elements
         ,PRR.assignment_action_id assignment_action_id_run_ele
         ,PRR.run_result_id run_result_id
         ,PPA.effective_date effective_date_run
         ,PAAF.pay_basis_id pay_basis_id
         ,PETF.element_type_id element_type_id_ele
         ,NVL(PETF.reporting_name
         ,PETF.element_name) element_name_ear_ded
         ,PIVF.input_value_id input_value_id
         ,PEC.classification_name classification_name
         ,PRRV.result_value amount_elements
         ,DECODE( PEC.classification_name
         , 'Earnings' , 1
         ,'Pre Tax Deductions' , 2
         ,'Involuntary Deductions' , 3
         ,'Voluntary Deductions' , 3 ) sort_order_elements
         ,CASE NVL(PETF.reporting_name
         ,PETF.element_name)
         WHEN 'Salary' THEN 1
         ELSE 2
         END sort_order_name
         ,DECODE( PEC.classification_name
         ,'Earnings',1
         ,0
         ) earnings_count
         ,DECODE( PEC.classification_name
         ,'Earnings',0
         ,1
         ) deductions_count     
         FROM pay_action_interlocks PAI
         ,pay_assignment_actions PAA
         ,pay_payroll_actions PPA
         ,per_all_assignments_f PAAF
         ,pay_run_results PRR
         ,pay_run_result_values PRRV
         ,pay_input_values_f PIVF
         ,pay_element_types_f PETF
         ,pay_element_classifications PEC
         WHERE PAI.locked_action_id = PAA.assignment_action_id
         AND PAA.payroll_action_id = PPA.payroll_action_id
         AND PAA.assignment_id = PAAF.assignment_id
         AND PAA.assignment_action_id = PRR.assignment_action_id
         AND PRR.run_result_id = PRRV.run_result_id
         AND PRRV.input_value_id = PIVF.input_value_id
         AND PRR.element_type_id = PETF.element_type_id
         AND PETF.classification_id = PEC.classification_id
         AND PPA.effective_date BETWEEN PAAF.effective_start_date AND PAAF.effective_end_date
         AND PPA.effective_date BETWEEN PETF.effective_start_date AND PETF.effective_end_date
         AND PPA.effective_date BETWEEN PIVF.effective_start_date AND PIVF.effective_end_date
         AND PPA.action_type IN ( 'R','Q' )
         AND PRR.status IN ('P','PA')
         AND PEC.classification_name IN ( 'Earnings'
         ,'Pre Tax Deductions'
         ,'Involuntary Deductions'
         ,'Voluntary Deductions')
         AND PIVF.name = 'Pay Value'
         AND PAI.locking_action_id = :assignment_action_id
         ORDER BY sort_order_elements ASC, sort_order_name ASC
    ]]>
    </sqlStatement>
    </dataQuery>
    <dataTrigger name="beforeReport" source="XXLCPAY_ONLINEPAYSLIP_PKG.BEFORE_REPORT" />
    <dataStructure>
    <group name="G_PAYMENT_RUN" source="Q_PAYMENT_RUN">
    <element name="assignment_action_id" value="assignment_action_id"/>
    <element name="payroll_action_id" value="payroll_action_id"/>
    <element name="run_assignment_action_id" value="run_assignment_action_id"/>
    <element name="run_payroll_action_id" value="run_payroll_action_id"/>
    <element name="person_id" value="person_id"/>
    <element name="full_name" value="full_name"/>
    <element name="surname" value="surname"/>
    <element name="assignment_id" value="assignment_id"/>
    <element name="business_group_id" value="business_group_id"/>
    <element name="assignment_number" value="assignment_number"/>
    <element name="legal_employer" value="legal_employer"/>
    <element name="abn" value="abn"/>
    <element name="grade" value="grade"/>
    <element name="payroll_id" value="payroll_id"/>
    <element name="time_period_id" value="time_period_id"/>
    <element name="period_start_date" value="period_start_date"/>
    <element name="period_end_date" value="period_end_date"/>
    <element name="period_start_display" value="period_start_display"/>
    <element name="period_end_display" value="period_end_display"/>
    <element name="period_number" value="period_number"/>
    <element name="pay_date" value="pay_date"/>
    <element name="date_earned" value="date_earned"/>
    <element name="legacy_position" value="legacy_position"/>
    <element name="paypoint" value="paypoint"/>
    <element name="salary_basis" value="salary_basis"/>
    <element name="people_group_id" value="people_group_id"/>
    <element name="cagr_id" value="cagr_id"/>
    <group name="G_EARNINGS_DEDUCTIONS" source="Q_EARNINGS_DEDUCTIONS">
    <element name="assignment_action_id_elements" value="assignment_action_id_elements"/>
    <element name="assignment_action_id_run_ele" value="assignment_action_id_run_ele"/>
    <element name="run_result_id" value="run_result_id"/>
    <element name="effective_date_run" value="effective_date_run"/>
    <element name="pay_basis_id" value="pay_basis_id"/>
    <element name="element_type_id" value="element_type_id"/>
    <element name="element_name_ear_ded" value="element_name_ear_ded"/>
    <element name="input_value_id" value="input_value_id"/>
    <element name="classification_name" value="classification_name"/>
    <element name="amount_elements" value="amount_elements"/>
    <element name="sort_order_elements" value="sort_order_elements"/>
    <element name="sort_order_name" value="sort_order_name"/>
    <element name="earnings_count" value="earnings_count"/>
    <element name="deductions_count" value="deductions_count"/>
    <element name="calc_values" value="XXLCPAY_ONLINEPAYSLIP_PKG.CALC_VALUES(67772)"/>
    <element name="calc_values1" value="XXLCPAY_ONLINEPAYSLIP_PKG.RETURN_TEST"/>
    <element name="calc_values2" dataType="number" value="XXLCPAY_ONLINEPAYSLIP_PKG.P_TEST" function="XXLCPAY_ONLINEPAYSLIP_PKG.P_TEST"/>
    </group>
    </group>
    <element name="calc_values3" dataType="number" value="XXLCPAY_ONLINEPAYSLIP_PKG.P_TEST"/>
    </dataStructure>
    </dataTemplate>
    CREATE OR REPLACE PACKAGE XXLCPAY_ONLINEPAYSLIP_PKG
    AS
    P_TEST NUMBER;
    P_ASSIGNMENT_ACTION_ID NUMBER;
    FUNCTION BEFORE_REPORT RETURN BOOLEAN;
    FUNCTION RETURN_TEST RETURN NUMBER;
    FUNCTION RETURN_TEST1 RETURN NUMBER;
    FUNCTION RETURN_TEST2 RETURN NUMBER;
    FUNCTION CALC_VALUES(element_type_id number) RETURN NUMBER;
    END XXLCPAY_ONLINEPAYSLIP_PKG;
    CREATE OR REPLACE PACKAGE BODY XXLCPAY_ONLINEPAYSLIP_PKG
    AS
    P_TEST1 NUMBER;
    P_TEST2 NUMBER;
    FUNCTION BEFORE_REPORT RETURN BOOLEAN
    IS
    BEGIN
    P_TEST := 2;
    FND_FILE.PUT_LINE(FND_FILE.LOG,'From Before Report');
    RETURN(TRUE);
    END BEFORE_REPORT;
    FUNCTION RETURN_TEST RETURN NUMBER
    IS
    BEGIN
    FND_FILE.PUT_LINE(FND_FILE.LOG,'Call 1');
    RETURN(P_TEST);
    END RETURN_TEST;
    FUNCTION CALC_VALUES(element_type_id number) RETURN NUMBER
    IS
    BEGIN
    FND_FILE.PUT_LINE(FND_FILE.LOG,'Call 2');
    p_test1 := null;
    p_test2 := null;
    if ( element_type_id = 67772 ) then
    P_TEST1 := 5;
    P_TEST2 := 7;
    elsif (element_type_id = 67804 ) then
    P_TEST1 := 9;
    P_TEST2 := 11;
    end if;
    RETURN(1);
    END CALC_VALUES;
    FUNCTION RETURN_TEST1 RETURN NUMBER
    IS
    BEGIN
    RETURN(P_TEST1);
    END RETURN_TEST1;
    FUNCTION RETURN_TEST2 RETURN NUMBER
    IS
    BEGIN
    RETURN(P_TEST2);
    END RETURN_TEST2;
    END XXLCPAY_ONLINEPAYSLIP_PKG;
    /

    For this, you need to have a master query and child query.
    1) In your master query you will have to identify one unique column and call a pl/sql pkg function which calculates all values for your place holder columns and inserts rows into a pl/sql table with the index as your unique column
    ex: Master query returns
    empnum name amount
    1 scott 250
    2 bob 350
    and your calculated value is 10 percent of the amount
    your pl/sql pkg should insert records into the pl/sql table like r(1):= 250*0.1 = 25 r(2):= 350*0.1 = 35
    2) The child query will get executed for each row of your master query, so you should be able to read the values based on which master record's row it is executing for.
    Please bear in mind that you have to make sure that the report is not executed by two different people at the same time; otherwise you have to consider the session or any other unique identifier in addition to your master record's unique identifier.
    Cheers,
    Girish.

  • ISE internal user authentication failure - user not found

    Hi Forumers'
    I'm trying to do wireless 802.1x, where the identity store uses internal users.
    But I get this error message when I try to connect:
    Authentication failed:
    22056 Subject not found in the applicable identity store(s)
    My authorization rule is built like this:
    identity groups = user identities group / "mygroup"
    condition = no setting
    permissions = standard / PermitAccess
    Question 1
    Any troubleshooting steps to do on this?
    Question 2
    For the authorization rules, what condition should be set for using Internal Users as the identity store?
    Thanks
    Noel

    The error is caused by an authentication failure and is not an issue with authorization.
    You need to look at your authentication policy (Policy->Authentications) and see which identity store was authenticated against.
    In addition, you can go to the Live Authentications page (Monitor->Authentications) and, for the failing record, click on the icon under Details. This will give you the full details of the request processing, and you can see which rule was matched in the identity policy (Identity Policy Matched Rule) and the "Selected Identity Stores".
