Workaround ACL limitation WiSM

Hi all,
ACLs configured on WiSM have a limitation of 64 lines. If I have FWSM on the same chassis, is there any way to offload the ACL function to FWSM? This will enable more than 64 lines ACL. If that's not possible, what is the workaround? Cannot summarise any existing statements :(
thanks,
Janesha
HW/Software Specs
WCS ver5.0.56.2
2 6 Firewall Module WS-SVC-FWM-1
7 2 Supervisor Engine 720 (Active) WS-SUP720-3B
8 2 Supervisor Engine 720 (Hot) WS-SUP720-3B
10 10 WiSM WLAN Service Module WS-SVC-WISM-1-K9
11 10 WiSM WLAN Service Module WS-SVC-WISM-1-K9

Thanks for pointing that out. Did not realise that I was in the wrong forum.
I think I will try the wireless forum first, which I should have done in the first place!!!

Similar Messages

  • Is there a way to import ACL into WiSM

    I was trying to find an easier way to import ACLs into WiSM or WCS.
    Any thoughts?

    From where?
    From another WLC/WiSM?  Yes you can (as long as you have the same firmware versions).
    From another appliance?  I don't think so.

  • XCOPY folder with ACL - limited user

    Hi there,
    I created another post here, but I think that's the wrong place for it. Apologies for double posting.
    I am trying to get one of my "limited users" to run a batch file which creates a folder from a template folder. The template folder has specific ACLs, but the user attempting to run it receives "Access is denied".
    batch content:
    xcopy "\\server\templatefolder" "\\server\newfolder\" /O /X /E /H /K
    The user running this batch is a limited user (Domain user but not part of the Local admin group)
    Windows 7 x64bit
    UAC is turned on
    Software Restriction Policy is in place but this particular batch file is allowed to run
    Apparently "/O" is what triggers "Access is Denied". Any idea what permissions the user needs in order to run with "/O"? Adding the user to administrators, domain admin group is out of the question.
    I tried changing the ownership of the template folder to that user, no go.
    Thank you,

    Hi,
    First I would like to know if the issue is denied in copy files from the source folder, or copy files to the target folder.
    To confirm you can give the user full control on target folder and try again.
    And if "Apparently /O what triggers Access is Denied" means
    you have already confirmed that it is the source folder, what's the current user permission?
    I think it is easy for testing - create a test user with same permission as the "limited user", give it 1 permission at a time to find out the exact missing one.
     /O means "Copies file ownership and ACL information" so I think "Read permission" is needed. "Read attributes" may also be needed. I'll go and do a test as well. 

  • Workarounds of 32K-limitation in jdbc:kprb needed!

    Hello ALL.
    Can you help me with a workaround for the limitation in jdbc:kprb (internal driver) for stored Java?
    I try to put a large string of more than 32K into a LONG field type using the internal driver and a Java Stored Procedure.
    And I get the error: "Data size bigger than max size for this type"
    I get this error in oracle 9.2.0.1.
    But it works in oracle 10.2.0.1.
    =========================================================
    Here is the example:
    import oracle.sql.CLOB;
    import java.sql.Connection;
    import java.sql.DriverManager;
    import java.sql.PreparedStatement;
    import java.io.Reader;
    import java.io.CharArrayReader;
    import oracle.jdbc.pool.OracleDataSource;
    public class LongTest {
        public static void insertLong(String source, int counts)
                throws Exception {
            // Server-side internal (kprb) driver connection
            Connection conn = DriverManager.getConnection("jdbc:default:connection:");
            // Build the test value: source repeated counts times
            StringBuffer stringBuffer = new StringBuffer();
            for (int i = 0; i < counts; i++) {
                stringBuffer.append(source);
            }
            Reader reader = new CharArrayReader(stringBuffer.toString().toCharArray());
            // String st = stringBuffer.toString();
            PreparedStatement pst = null;
            try {
                pst = conn.prepareStatement("insert into TEST_LONG (ldata) values (?)");
                // Stream the value into the LONG column instead of binding a String
                pst.setCharacterStream(1, reader, stringBuffer.length());
                // pst.setString(1, st);
                pst.execute();
            } finally {
                if (pst != null) {pst.close();}
            }
        }
    }
    =========================================================
    Here is table:
    create table test_long (ldata long)
    =========================================================
    Here is the procedure:
    create or replace procedure long_test (p_source varchar2, p_counts number) as
    language java
    name 'LongTest.insertLong(java.lang.String, int)';
    =========================================================
    Here is the test block:
    begin
    LONG_TEST('q', 33000);
    end;
    =========================================================
    Thanx!

    Please, help me with solution...
    Is it possible use oci driver from Java Stored Procedures? And how?
    Thanx

  • IPv6 ACL host limitation also for private network?

    Hello,
    I'm using a cisco WS-C3750G-24TS-1U 12.2(44)SE5. I know the IPv6 ACL limitations for this hardware
    However, I think that private network(fc00::/7) should not be the case. In my case, I'm using EUI addresses.
    switchcore(config-ipv6-acl)#permit tcp any host 2001:0:0:0:222:64ff:fec2:1f5a eq www sequence 20
    switchcore(config-ipv6-acl)#permit tcp any host 3FFF:0:0:0:222:64ff:fec2:1f5a eq www sequence 20  
    switchcore(config-ipv6-acl)#permit tcp any host fdc8:0:0:0:222:64ff:fec2:1f5a eq www sequence 20
    % Host address FDC8::222:64FF:FEC2:1F5A can not be supported
    % ACE can not be added
    % Failed to modify access list
    switchcore(config-ipv6-acl)#permit tcp any host fc00:0:0:0:222:64ff:fec2:1f5a eq www sequence 20
    % Host address FC00::222:64FF:FEC2:1F5A can not be supported
    % ACE can not be added
    % Failed to add access list
    Is IOS right?

    Hum... yes, you are right. I missed this point. Thanks.
    Anyway, "Private Network" would fit very well in this list
    –aggregatable global unicast addresses
    –link local addresses

  • How many ASA 5520 ACL limit.

    Hello all,
    I want to understand the ASA 5520 ACL limitation in terms of max ACEs.
    For the FWSM, it is in the "rule limits" section of the following link.
    http://www.cisco.com/en/US/docs/security/fwsm/fwsm31/configuration/guide/specs_f.pdf
    But for the ASA, I can't find this information.
    Where is this limitation in CCO?
    thanks.

    Balaji
    The right way is to quantify the ACE limit and not ACL limit as a single ACL can have many entries in it.
    Have a look at the link below for FWSM:
    http://www.cisco.com/en/US/docs/security/fwsm/fwsm40/configuration/guide/specs_f.html#wpxref93963
    Also look at the link below. Look at the Q&A for "Can you increase memory in order to store more Access Control Lists (ACLs)?". It also discusses a feature called "ACL optimization", which was released in FWSM OS Version 4.0.
    http://www.cisco.com/en/US/products/hw/modules/ps2706/products_qanda_item09186a00801e9e26.shtml
    To view the total number of rules available, the default values, current rule allocation, and the absolute maximum number of rules you can allocate per feature, enter the following command:
    hostname(config)# show resource rule
    Regards,
    RP

  • How long can be URL in Go to URL when calling SSRS report?

    Hi
    I am facing issues when calling a report using go to URL. I have 6 cascading multiple value parameters in one of my reports and from this I am calling another report by passing all these parameters using JavaScript in the go to URL option. Since I am passing all these multiple value parameters, my report URL is exceeding up to 5000 to 7000 characters long. This is not working at all as max characters in URL are allowed to be 2048.
    Is there any work around to pass all these multiple value parameter using go to URL option?
    I thought of using Go to report instead but our business is not allowing to this.
    Thanks!
    Bhushan

    Hi Bhushan,
    As you may know, Microsoft Internet Explorer has a maximum uniform resource locator (URL) length of 2,083 characters. Internet Explorer also has a maximum path length of 2,048 characters. This limit applies to both POST request and GET request URLs.
    For more details, please see:
    Maximum URL length is 2,083 characters in Internet Explorer
    I am afraid it is a limitation in IE, so I would suggest you ask the questions to IE forum:
    http://social.technet.microsoft.com/Forums/ie/en-US/home?category=internetexplorer threads to seek further assistance. There are many IE experts who may help workaround the limitation.
    Thank you for your understanding.
    Regards,
    Katherine Xiong
    TechNet Community Support

  • LV 8.2.1 Error 66 or 1379 occurred at open Application Reference. A LV 8.2.1

    Hi,
    LV 8.2.1 Error 66 or 1379 occurred at open Application Reference. A LV 8.2.1
    Using:
    Application accesses another LV application on a remote PC with VI-Server technology. (Based on MS OS Windows XP SP2 with all patches ...)
    With LabVIEW 8.2.1 it is not possible (exactly: with one PC it works; with other PCs (identical regarding configuration of LabVIEW components) the described errors occurred ...)
    There is no problem with LV 7.1.1. (If the VI-Server configuration of the .exe is done within the .ini file...)
    The differences from LV 7.1.1 are in the .ini file of the application regarding the access-list property.
    Error 66 occurs if there is no entry in the access-list property. -> OK.
    Error 1379 occurs if I use the copy of the LV .ini file acl property with allowed access from all clients (*) or special clients defined with IP address ... -> BUG
    The same behaviour is described in 2 threads in the discussion forum ..., but in my application/configuration the workaround acl configuration "allow access from all clients" will work only with one PC?
    So what is the solution?
    At this moment I go back to LV 7.1.1, but this is surely not the solution ....
    Thanks for help ....

    Hi!
    I have also found the following discussion in the forum.
    But the problem for Error 1379 lies in LabVIEW 8.2.1 and VI Server.
    This is a known bug. This bug should be fixed in a future version.
    The problem is that the IP address in the could not be resolved into a machine name.
    Workaround:
    This program works in 7.1 so the only option right now is to use 7.1 instead of 8.2.1.
    Plamen
    Message Edited by Support on 10-31-2007 08:59 AM
    National Instruments Germany
    Application Engineer

  • I cannot connect to the WiFi at my library using iPad 2 64 GB 3G.

    I have an iPad 2 64GB with 3G (Verizon). This is my only computer. I only have a regular cell phone, not an iPhone or smart phone. I don't have an iPod either. The only way I access the Internet is through 3G. Not being computer savvy, I thought this would be the easiest method. Are there many others out there like me? Things seemed to be more geared toward WiFi. I guess the 3G was meant only for people on the go who could not access WiFi, such as in a moving car? Just using 3G seems to have many limitations I did not realize. For example, the only reason I had to go to the library to try to connect to their WiFi was because I could not install an update to Skype. When I tried to install the update using 3G, I got a message saying it was over 20 MB and had to be done via WiFi, which I do not have. I connected to the WiFi at my local library, but I kept getting a message that I could not connect to Internet. It's weird, because it did show I was connected to the library WiFi in General settings. It is a bit frustrating to have to go to a hotspot to download anything that is 20MB or larger. I would get WiFi, but I don't want to buy a laptop or desktop. I was told that a wireless router has to be first set up with a laptop or desktop and not an iPad. Another limitation is I can't use Facetime with 3G. I can't print using airprint on 3G. I also read that using 3G uses up the battery faster. Downloading a rented film from iTunes would eat up too much of my data plan using 3G. (And it is probably over 20 MB again.) I still haven't been able to update to iOS 5.0 because I don't have another computer to connect to iTunes. WiFi seems to be cheaper if you are a heavy user. I only get 20 MB a month for $20. Verizon charges 20 bucks for home Internet connection, but it is unlimited data usage. Sometimes I exhaust my data so quickly, I have to add more data before the month has ended. That gets expensive.
    So, my main question was about the public WiFi problem, but I also wanted to detail some of the limitations of using an iPad 2 as your sole computer using 3G. I was able to connect to the Apple store WiFi when I tested it out a while back, so I know it can be done using my iPad. Any hints on how to workaround the limitations of using 3G would also be appreciated. Thanks.

    Thanks for the quick response. No, I did not get any error messages or any terms-of-usage screen. The employee I told my problem to was not computer savvy either. She just suggested I move to different spots w/in the library to see if that would make a difference. It didn't. When I connected to the library WiFi it did change the Verizon 3G that is usually in the upper left corner to iPad with two to three emanating arcs. I may have to go to the library in the next town. I was able to connect to theirs in the past when I had to download something greater than 20 MB. Unless I really want it, I will probably not even try to download something more than 20 MB due to the hassle. Yeah, I may have been better off getting a normal desktop or laptop and getting WiFi at home. To do that now would mean having my iPad 2 and a desktop computer, which I feel is extravagant. (I know there are a lot of big spenders out there who got the iPad as additional gadget for fun. This is a rich country.) A Verizon rep told me I couldn't set up a WiFi router at home just using an iPad. So it seems like a person who just uses 3G is limited to surfing the net (not even much YouTube because it eats a lot of data) and using email. I read about an app that helps print wirelessly using 3G, but a reviewer said you had to be an engineer to get it done right. BTW, I like the Steelers. I'm old enough to remember Franco Harris and that blond guy whose name escapes me back in the '70s. Since I live in North Jersey I feel I have to support the Giants. But I know football about as well as computers.

  • Re: (forte-users) Using IN in a direct SQLstatement.

    Hi,
    What does the string in myType look like? You should
    be careful with ' and \ as they are used by Forte. I
    suggest you post a sample of the myType's value.
    Regards,
    Peter Sham.
    --- Rumen Georgiev <[email protected]> wrote:
    Hi folks,
    I have a problem when executing direct SELECT
    statement against Oracle 7.4, something like that:
    SQL SELECT ..... INTO .... FROM ..... WHERE .....
    AND
    TYPE IN :myType ON SESSION .......
    myType is TextData containing a list of possible
    values separated by commas. myType is set at run
    time.
    When executed through SQL*Plus the result is O.K..
    When executed through Forte it doesn't return
    anything. It seems that either Forte or Oracle
    disregards the commas and treats myType as it will
    with =,>,<. What makes me think so is that when
    myType
    holds single value it works. It fails as soon as I
    concatenate one more value from the list. Same
    happens
    when using cursor. I didn't try it with DBSession
    methods but I assume the result will be the same. I
    can't use EXECUTE IMMEDIATE because I expect result
    set(INTO). So far the only way I can think of is a
    WHILE loop for every single value from the list.
    Any ideas, comments or workarounds?
    Thanks in advance.
    Rumen
    For the archives, go to:
    http://lists.sageit.com/forte-users and use
    the login: forte and the password: archive. To
    unsubscribe, send in a new
    email the word: 'Unsubscribe' to:
    [email protected]
    =====

    rumen, peter,
    Database placeholder substitution is only available for atomic value,
    ie. myType can only be CI, or NG, or MS.
    There are many ways to workaround this limitation, such as defining
    your select statement to contain the IN clause before doing the DBprepare.
    hope this helps,
    linh ...
    -----Original Message-----
    From: Peter Sham [mailto:[email protected]]
    Sent: Tuesday, October 12, 1999 5:57 PM
    To: Rumen Georgiev; [email protected]
    Subject: Re: (forte-users) Using IN in a direct SQL statement.
    Hi,
    Maybe try this:
    myType.setValue('(\'CI\',\'NG\',\'MS\')');
    Regards,
    Peter Sham.
    --- Rumen Georgiev <[email protected]> wrote:
    Peter,
    I tried a couple of things to no avail. The simplest
    one is like this:
    myType.SetValue('\'CI\',\'NG\',\'MS\'');
    It works if I do
    myType.SetValue('\'CI\'');
    Same is valid if myType is declared as a String.
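The workaround linh describes (put the IN clause into the statement before it is prepared) can be done without pasting the values themselves into the SQL text. The following is an added example, not code from the thread: it uses Python's sqlite3 as a stand-in for Forte/Oracle, and the table, rows and function names are constructed for illustration.

```python
import sqlite3


def make_db():
    """In-memory table with constructed sample rows (not from the thread)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (name TEXT, type TEXT)")
    conn.executemany(
        "INSERT INTO items VALUES (?, ?)",
        [("a", "CI"), ("b", "NG"), ("c", "MS"), ("d", "ZZ")],
    )
    return conn


def split_types(text):
    """Turn a comma-separated run-time string into distinct, trimmed values."""
    parts = [p.strip().strip("'") for p in text.split(",")]
    return list(dict.fromkeys(p for p in parts if p))


def select_single_placeholder(conn, my_type):
    """The failing pattern: the whole list is bound as ONE atomic value."""
    cur = conn.execute("SELECT name FROM items WHERE type IN (?)", (my_type,))
    return sorted(r[0] for r in cur)


def select_expanded(conn, types, chunk=500):
    """Build the IN clause before preparing: one placeholder per value.

    Only '?' marks are written into the SQL text; the values stay bound
    parameters, so quotes inside a value cannot change the statement.
    The list is processed in chunks because drivers and databases cap the
    number of bound parameters per statement (500 is an assumed,
    conservative size). An empty list runs no query and matches nothing.
    """
    names = set()
    for i in range(0, len(types), chunk):
        part = types[i:i + chunk]
        marks = ", ".join("?" for _ in part)
        sql = f"SELECT name FROM items WHERE type IN ({marks})"
        names.update(r[0] for r in conn.execute(sql, part))
    return sorted(names)


if __name__ == "__main__":
    conn = make_db()
    raw = "'CI','NG','MS'"  # the value tried in the thread
    print("single placeholder:", select_single_placeholder(conn, raw))
    print("expanded:", select_expanded(conn, split_types(raw)))
```

A single bound value is compared as one string, which is why the query in the thread works for one type and returns nothing as soon as a second value is concatenated.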

  • Authentication Open Failure

    Is there a way to stop the port from reauthenticating when a device fails to open? I am trying to set up low-impact mode on a wired network, and I have some WYSE terminals that I don't want to authenticate to the network, so I would like them to fail open with an ACL limiting their access. However, the switch continues to try and authenticate the device even after it has failed authentication. This is causing my logs on ISE to be full of bogus authentication failures. Is there a way to limit those errors or stop the switchport from trying to reauthenticate? Below is the switchport config.
    switchport access vlan 33
    switchport mode access
    switchport voice vlan 233
    ip access-group ACL-DEFAULT in
    authentication event fail retry 1 action next-method
    authentication event server dead action authorize vlan 33
    authentication event server alive action reinitialize
    authentication host-mode multi-auth
    authentication open
    authentication order dot1x mab
    authentication priority dot1x mab
    authentication port-control auto
    authentication timer reauthenticate server
    authentication violation restrict
    mab
    dot1x pae authenticator
    dot1x timeout tx-period 10
    spanning-tree portfast

    Hi Nicolas,
    You can configure a Restricted VLAN using the command "authentication event fail action authorize vlan (number)" and limit the access for that vlan using ACLs.
    You can refer to
    http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_58_se/configuration/guide/sw8021x.html#wp1179086 for more info.
    HTH,
    Regards,
    Kush

  • 802.1x authentication only on virtual machine. I want to bypass EAP authentication on host machine

    I want to do EAP (802.1x) authentication by the client installed on a virtual machine. I want to bypass EAP (802.1x) authentication on the host machine, because I want to test it on the client in the VM, not on the host machine. For WiFi it works fine because I can have a USB WiFi NIC which connects to the VM directly, and the authentication goes fine as the host machine NIC does not come into the picture at all.
    But in the case of wired, the VM NIC has to go via the host NIC.

    Hello,
    I managed to do that with a VM and a host, both authenticating in wired, behind a phone. The host would receive an ACL limiting its traffic to just internet and the VM could access the internal network. (do not ask to discuss the use case).
    The considerations were that :
    both host and VM would need to be on the same dynamically assigned VLAN, as 2960/3750 do not support two DATA domain hosts in different vlans (3850 apparently supports or will support it), so I had to have 802.1X both on host and in VM.
    the VSwitch in VMworkstation had to be in bridge mode.
    authentication mode multiauth had to be enabled in the interface in order to cope with multiple authenticated sessions behind the same interface.
    What is exactly your question?
    Gustavo

  • Modify WavesetResult in a custom adapter

    Hello,
    I have a custom adapter which extends the standard LDAP one.
    In the realUpdate method I do some custom processing to effectively update the cn (naming attribute) to workaround this limitation of the standard LDAP adapter:
    protected void realUpdate (WSUser user, WavesetResult result) throws WavesetException {
         super.realUpdate(user, result);
         // some custom processing here
    }
    what I'd like now is to get rid of the information message saying "Attribute 'firstname' maps to 'cn' on {2}. Modifying naming attribute 'cn' is not supported. 'cn' not updated." Since the cn is actually modified. I've seen that it is stored in the "result" object (result.getResults().toString() shows it in the trace)
    I tried several things:
    - result.remove* methods => java.util.ConcurrentModificationException !
    - result = new WavesetException(); => no effect, the message still appears after the "Save" button is clicked...
    of course I tried these things at the end of the custom method, not before the super.realUpdate() call ;-)
    I'm running out of ideas there. Can someone help me?
    Thanks.

    Do you thoroughly understand the reason why the adapter refuses to modify the CN attribute?
    If so, redefine the following method in the adapter:
      protected boolean addAttributes(LDAPObject ldapObject, WSUser user, String operation, WavesetResult result)

  • Storage Groups

    Hello,
    When booting from SAN in UCS, what's the best practice when creating the Storage Groups in the disk array?
    For instance, VMware: is it best-practice to have one storage group for each ESXi and add its own ESXi Boot LUN (id=0) plus the VM datastore LUNs needed?
    Do other environments (Linux, Windows, Hyper-V) have anything special in these terms with which to take care of?
    Thanks,

    It's a security issue. Because the LUN ID can be changed easily on the host, you could essentially clobber the wrong LUN if your server admin mistakenly changed the LUN ID. Also, once a host is booted up, it will be able to see & access every LUN within the storage group regardless of LUN ID. The significance of the LUN ID matching the host only impacts a host trying to SAN boot.
    The two main forms of security enforced in storage are Zoning and Masking.
    Zoning - done on the storage switch, acts like an ACL limiting the scope of what a zone's members can see. A zone will normally only contain one host and the target WWNs. **Who can I see**
    Masking - done on the storage array, limits "what" LUNs a host has access to. This is done in the form of Storage groups. **What can I access**.
    Circumventing either poses a great risk of data corruption/destruction since various operating systems can only read their native file systems. Ex. If you had all your hosts in one storage group (ESX, Windows etc) and tried to only separate them by a LUN ID, a simple 1-digit change of the boot target LUN ID on the initiator could cause a host to not read the filesystem and potentially write a new signature to the disk - overwriting your existing data. Windows can't read a Linux partition and vice-versa.
    Follow these best practices and your data will be much safer & secure.
    Regards,
    Robert

  • How to use CMP with Inheritance?

    I've a thorny problem with 2 EJBs which I hope I can use CMP for persistence.
    I'm supposed to implement a web-based forum and I'm thinking of using a ForumThread entity bean and a ForumReply entity bean to store the postings/messages in the forum.
    A ForumReply, according to OO design, is the same as a ForumThread (which is the first message of a topic) except that they've a parent thread/reply. So I thought of using Inheritance with the ForumThread as the parent (base) class and ForumReply as the sub (derived) class.
    But it seems that CMP in EJB 2.0 does not support this relationship as yet. Is there any way to workaround this limitation without having to remodel the relationship? What should I do in such a situation? Anyone care to share how he overcome this?
    It's not quite possible to give up inheritance in OO design simply because EJB 2.0 CMP doesn't support it, right? We end up creating bad software design.
    So do I have to go back to using Bean Managed Persistence in this case?

    I hate CMP. Why don't you use JDO or Hibernate?
    Anyway, if you want to do it with CMP, here is your solution: http://www.theserverside.com/resources/article.jsp?l=EJBInheritance
