I have a Windows forest with 4 domains.  I want to authenticate a user against DOMAIN-A and then check that same user for group membership in DOMAIN-B.  So authentication policy says   If Radius:User-Name CONTAINS DOMAIN-A use DOMAIN-A and  authorization policy says If DOMAIN-B:ExternalGroups EQUALS domain-b.company.com/blah/blah/blah   When I try this authentication succeeds but it looks like it searches DOMAIN-A for group membership.  Can I get it to search DOMAIN-B instead?   And what does "Queried PIP" mean?   24402 User authentication against Active Directory succeeded - HOUPCS 22037 Authentication Passed 24423 ISE has not been able to confirm previous successful machine authentication 15036 Evaluating Authorization Policy 15048 Queried PIP - DOMAIN-B.ExternalGroups 24432 Looking up user in Active Directory - DOMAIN-A 24355 LDAP fetch succeeded - domain-a.company.com 24416 User's Groups retrieval from Active Directory succeeded - DOMAIN-A 15048 Queried PIP - DOMAIN-A.ExternalGroups 15048 Queried PIP - DOMAIN-B.ExternalGroups (2 times) 15048 Queried PIP - DOMAIN-C.ExternalGroups (2 times) 15048 Queried PIP - DOMAIN-D.ExternalGroups 15048 Queried PIP - DOMAIN-C.ExternalGroups 15048 Queried PIP - DOMAIN-A.ExternalGroups (2 times) 15004 Matched rule - Default 15016 Selected Authorization Profile - DenyAccess 15039 Rejected per authorization profile 11003 Returned RADIUS Access-Reject   Thanks for any help you can provide. -Jeff ... View more

Since upgrading from virtualized Prime 3.6 to 3.7 we are experiencing frequent application hangs.  I just can't log in, the wheel spins forever.  From the CLI a show app status NCS shows everything running.  CPU is not taxed.  Not sure what is going on.  I have to stop NCS and restart.  Has anyone else experienced this? Thanks, -Jeff ... View more

Where is the ability to search the configuration archive?    Let's say, for example, that I want to find all devices that have a particular syslog server specified.  I want to throw a simple search out there to see what devices have "logging host 1.2.3.4" in the latest configuration.     Is this functionality lacking in PI?  Believe it or not I still have an LMS installation collecting configurations solely to provide this functionality.  My server admin wants to retire the W2K8 server that LMS is running on and I want to let him, but I absolutely need the archive search function.   I see a few posts out here asking the same question but no replies.   Anyone? ... View more

I changed the address on a pair of 5508's in HA mode this weekend.  I was unable to find a detailed procedure to do this so I thought I would post it here.  These are running 8.2.166.0.   First, I changed the primary controller for all of the access points to my new address using Prime.  If you do not have Prime you would need to issue this command for each AP:   config ap primary-base <wlc name> <wlc address>   Or from the GUI, select an AP, click on the High Availability tab and enter the WLC name and new address as the primary address.  You could also use your current address as primary and the new address as secondary.   I also enabled ssh for the AP's globally so I could connect to them remotely if I had problems getting them to join on the new address.  Luckily I didn't. Procedure PRIMARY: Disable WLANS    config wlan disable all   PRIMARY: Disable HA mode (controllers will reboot)    config redundancy mode disable   STANDBY: Change the management IP address:    config interface address management 10.0.0.19 255.255.255.240 10.0.0.17   STANDBY: Change the VLAN assignment on the management interface    config interface vlan management 23   STANDBY: Change the redundancy management address:    config interface address redundancy-management 10.0.0.21 peer-redundancy-management 10.0.0.20   STANDBY: Enable all ports    config port adminmode all enable   PRIMARY: Change the management IP address    config interface address management 10.0.0.18 255.255.255.240 10.0.0.17   PRIMARY: Change the VLAN assignment on the management interface   config interface vlan management 23   PRIMARY: Change the redundancy management address    config interface address redundancy-management 10.0.0.20 peer-redundancy-management 10.0.0.21   PRIMARY & STANDBY: Enable HA mode. Controllers will reboot. Issue on primary first, then standby. No need to wait for primary to complete bootup before issuing on standby    config redundancy mode sso   PRIMARY: Enable WLANS    config wlan enable all Verify (WLC1) >show interface summary Number of Interfaces.......................... 5 Interface Name                   Port Vlan Id  IP Address      Type    Ap Mgr Guest -------------------------------- ---- -------- --------------- ------- ------ ----- management                       LAG  23       10.0.0.18       Static  Yes    No   redundancy-management            LAG  23       10.0.0.20       Static  No     No   redundancy-port                  -    untagged 169.254.0.20    Static  No     No   service-port                     N/A  N/A      0.0.0.0         Static  No     No   virtual                          N/A  N/A      1.1.1.1         Static  No     No  (WLC1) >show redundancy summary             Redundancy Mode = SSO ENABLED                 Local State = ACTIVE                  Peer State = STANDBY HOT                        Unit = Primary                     Unit ID = 4C:00:82:71:E6:40            Redundancy State = SSO                Mobility MAC = 4C:00:82:71:E6:40             BulkSync Status = Complete Average Redundancy Peer Reachability Latency = 428 Micro Seconds Average Management Gateway Reachability Latency = 2099 Micro Seconds   Don't forget to change the network device address for the WLC in ISE.  After I did this it still would not authenticate wireless users.  I was getting this error for everything in the live log:   5441 Endpoint started new session while the packet of previous session is being processed. Dropping new session.   I had seen a similar problem in the past though I can't remember what caused it.  I restarted ISE and authentications started working again.   I think there may be a command to clear the cache so that a restart isn't necessary but I am not sure what that is.   So just thought this might help someone.  I invite and welcome any improvements to this procedure.   -Jeff ... View more