ISE Identity Groups in AuthZ Policy

Similar Messages

• ACS 5.3 Authorization problem with using Identity Groups in Access Policy Rule

  Hello guys, I am found a problem which I can't solve regarding authorization with using Identity Groups in Access Policy rule.
  ACS version: 5.3.0.40.6 (internal build B.839)
  I have very simple RADIUS Authorization rule which authorize user on behalf of right Identity Group.
  Requested Identity Group exist
  Testing user is created in Internal Users and has assigned requested Identity Group
  Radius Access Policy: 
  Authentication against Identity Store Sequence, where authorization server is external RSA SecurID device and additional attributes retrieval is configured from Internal Users.
  Authorization is very simple – One Rule with only one Condition which is: Identity Group - in - Requested_Testing_Rule. Then Default rule is set to Deny.
  When I will try login with my testing user then authentication against RSA SecurID is OK, but authorization will be denied by Default rule – It looks like my Rule with Identity Group is totally omitted.
  I am managing several other ACS servers (version 5.3 but with older patches) where similar rules are working without problem.
  What I am tested:
  Remove testing user and create his account again.
  Rename Identity Group
  Use another Identity Group
  Remove Access Policy rule and create it again
  Use Compound Condition: System:Identity Group
  Use Compound Condition: System:UserID instead of Identity Group in Rule (it is working without problem)
  Do you have any idea where problem can be?

  OK guys, it started working yesterday without any configuration change. Maybe it was some database inconsistence wich was solved by ACS itself.

• ISE Identity Group Assignment

  I need to avoid a large set of devices to get access to Internet through the Wireless Guest Service. I had made some test and know I can block a MAC address through the Policy Authorization (If Blacklist then DenyAccess).
  In order to blacklist a large set I would like to import the MAC list and include in the CSV the Identity Group Assignment. It appears it is not possible ... I can have an easy way to change the Identity Group Assignment instead of one by one?
  Regards.
  Daniel Escalante.        

  Additional Information and Question:
  Currently my Authorization Policy has this:
  The result is that any user trying to acesss the Guest Service can see the Guest Portal, introduce Credentials and if they are valid, the AUP is displayed, after that if the device is in the Blacklist, service is denied and the Guest Portal is displayed again, but any message about the situation is indicated to the user. I wonder if I can generate a message and even avoid the AUP if the device is in the blacklist.
  Any comment will be greatly appreciated.
  Regards.
  Daniel Escalante

• AuthZ Policy using specific Endpoint Identity Groups

  I am trying to create an AuthZ policy that will identify if a device is in specific Endpoint Identity Group.  See policy below.
  I used the IdentityGroup:Name attribute Equals the Identity Group MAB_Devices.  Please note that there are NO Identity groups listed in the dropdown options, so I typed in the name.   Alas, the rule is not working.   Anyone have advise on what I am doing wrong?  Thx

  Bransomar, your screenshot is an Authentication policy rule but you should do it in Authorization policy. Authentication policy sorts out requests by request method and origin and assigns an identity store to each.

• ISE 1.2 - Match Policy Set based on endpoint identity group?

  Hello, I would like to create a condition that would force MAB'd clients to hit a certain policy set if their MAC address matches one in an endpoint identity group? Is this possible? I feel like a condition can be created using a combination of attributes, but I cannot seem to hit on it properly. Thanks.

  The cleanest way to to this would be to dedicate:
  1. (Wired) A test switch where all of your test devices are connecting. You can then build a policy set that matches against that NAS.
  2. (Wireless) A test SSID and/or a controller (virtual or 2504). You can then build a policy set that is dedicated to that SSID 
  Thank you for rating helpful posts! 

• ISE Profiled devices not being used in authz policy.

  ISE is standalone.
  ver 1.2
  Eval license.
  I have a number of Cisco IP phones profiled by DHCP probe and sitting in the Endpoint Identity Group "Cisco-IP-Phone" (dynamic not static).
  However when this is used in an Authorization Policy it never matches.
  Just a basic Policy:
  if Cisco-IP-Phone (no conditions) then Cisco_IP_Phones ......no match.
  I can change Identity group to ANY and it works.
  Sure i must be misssing something but I've gone round and round with this.
  Tried deleting enpoints and allowing them to repopulate....failed.
  Tried changing endpoints to static with no luck.
  Noticed the "Cisco-IP-Phone" group is under the "Profiled" group so tried using that in the policy....no change.
  Whatever i've tried just ends with the Authz going to the "Default" policy.

  Thank you for providing the detailed information. The problem is not with profiling as that appears to be working as expected. I believe that the issue is with your authentication policy. Looking at screen shot #2 you don't have a single policy that is enabled to allow a phone to authenticate via MAB. All of your MAB policies are showing as "disabled." The default policy is set to only use Internal Users as its Identity Store and phones won't be store there. You authorization policies look OK so I would suggest you try the following:
  1. Enable the top authentication rule called "MAB"
  2. Confirm that "Allow PAP/ASCII" and "Detect PAP as Host Lookup" are enabled under the Allowed Protocols
  3. Ensure that "Internal Endpoints" is selected for the Identity Store
  4. Test again
  Thank you for rating helpful posts!

• ISE 1.2: Remove unused Sponsor Group and Identity Group

  Hi
  I started with ISE 1.1.2 and now upgrade to 1.2.
  There are 1. Sponsor Groups and 2. Identity Groups which are no more in use, but I am not able to remove them anymore.
  1. One is a special Sponsor group which sponsor group policy I already removed. The I go to Aministration>Web Portal Management>Sponsor Groups and select the appropriate Group ans click delete and ok to confirm, the following error is displayed:
  com.cisco.cpm.nsf.api.exceptions.NSFEntityDeleteFailed: java.rmi.RemoteException: Failed to execute the Query : DELETE_USERONAPP ORA-02292: integrity constraint (CEPM.EDF_GST_SPGRPID_SUB) violated - child record found ; nested exception is: java.sql.SQLIntegrityConstraintViolationException: ORA-02292: integrity constraint (CEPM.EDF_GST_SPGRPID_SUB) violated - child record found
  2. The same happens with one Identity Group. I do not have it active anymore. Not in authentication, and not in authorization policy. I go to Administration>Identity Management>Groups>  and select te group to remove, and click "Delete selected" and confirm with ok, the following error occured:
  Cannot delete selected Identity Group(s) because there are resources which are mapped to these or its child identity group(s)
  Is there any reason for any of these issue?
  Many thanks

  Hi ,
  Please open service request with cisco. These kind of issues may happen when the dependencies are deleted from UI but there is a chance that some of the dependencies may not be deleted completely and are not visible from UI as well.  These kind of issues can be resolved under cisco guidance.
  Thanks,
  Naresh

• ISE 1.2 Multi-Portal Identity Group Mapping

  Hi,
  Quick question regarding the use of Multi-Portal on ISE 1.2: Is it possible to map a single portal to a certain identity group? e.g. I have a portal for guest users, to which only users in the "ACME_guests" identity group can authenticate. I have a separate Portal for employees, where only users of the "ACME_employees" group can authenticate.
  I know that I can specify a separate authentication sequence for each portal (e.g. internal, guests, AD), but I cant find a possibility to map a group to a certain portal. This has the consequence that e.g. guest users can log into the employee portal, and getting a successful authentication message. Of course I can further restrict the access in another policy rule, but this isnt a very neat solution.
  Anybody have any ideas? It seems so basic that it has to be possible somehow?!
  Regards

  You can redirect users so they can "stick" to one portal once they have successfully authenticated. There is a document regarding device registration web authentication. Basically after a user connects successfully you can redirect them to an AUP specially designed to statically assign users to a specific endpoint identity group.
  In the end if a user logs into portal A they hit the DRW and accept, ISE dumps them into a endpoint group called PortalA, you can then tie this into a policy where the PortalA endpoint is denied association to any other open ssid you have in your design.
  Here is the document -
  https://supportforums.cisco.com/docs/DOC-26667
  Tarik Admani
  *Please rate helpful posts*

• ISE 1.3 Identity Group

  Hello,
  in the old ISE 1.2 my guest users (created by the sponors portal) where put into a own created identity group called RU2_id_grp.
  How can I realize this on ISE 1.3. In ISE 1.3 the users fall always into the GuestType_Group which was created by the ISE.
  I need the sepearete groups for my authorization policy.
  Regards
  filip

  OK, then DESELECT the option above and do this:
  Navigate to Guest Access > Settings > Guest Locations and SSIDs.  Enter the locations to which your sponsors will assign guests:
  Remember to Save.
  Now to Guest Access > Configure > Sponsor Groups.  Click Create:
  Once you place your cursor in the text box for Select the locations that guests will be visiting, you will see the locations you created in the last step.
  Now assign the User Group to be associated with this Sponsor Group by clicking the Members... button:
  Click OK, then Save.
  This should do it for you.
  Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.  Otherwise, feel free to post follow-up questions.
  Charles Moreton

• ISE Endpoint Identity Group assignment for 802.1x clients

  Hello
  I'm using ISE 1.3 to 802.1x authenticate AD PC's (machine and user with Anyconnect NAM) and to profile/mab IP Phones, printers, APs etc.
  Phones are profiled (EndPointSource of SNMPQuery Probe) and are placed automatically in the correct Identity Group.
  AD PC's aren't profiled and are listed under Endpoints withthe Enpoint Profile of "unknown"
  To place AD PC's into a particular Identity Group, I created a Radius Profiling Policy to match on the Framed-IP-Address. This works well with the AD PC appearing in the correct Identity Group (with EndPointSource of RADIUS Probe).
  My questions are:
  A phone (profiled with EndPointSource of SNMPQuery Probe) consumes a Plus licence but an AD PC ("profiled" with EndPointSource of RADIUS Probe) does not - is this correct?
  Authenticated 802.1x AD PC's have other attributes (like AD-Host-Resolved-DNs) that I'd like to use to assign PC's to an Identity Group. I can't use these attributes with any of the ISE profilers - is there a way to assign an 802.1x authenticated client to an Identity Group at the authorisation stage rather than use the profiler?
  Thanks
  Andy

  Err, no. There is no provision in EAP-TLS, PEAP (CHAP), or even basic EAP to provide network information (eg IP address/mask/gateway/DNS/etc).
  There is also no provision in Windows 2k or XP interface management software to accept IP details for interface configuration via any wireless authentication protocol.
  peter

• Cisco ISE: How to match an endpoint belong to an identity group ?

  Hello,
  I am running Cisco ISE 1.1.4.218 in a standalone environment.
  I am trying to setup Compound Condition for Authorization.
  I would like the condition to match the MAC address of the calling machine to the internal endpoint MAC address list.
  I created 1 endpoint identity group and 2 children groups
  - GroupParent
       - ChildA
       - ChildB
  I put the MAC address of my machine in the group ChildA.
  In my condition, I tried the following:
  IdentityGroup:Name, Equals, ChildA
  IdentityGroup:Name, Equals, GroupParent:ChildA
  IdentityGroup:Name, Match, .*(ChildA).*
  I even tried to put the MAC address in the GroupParent level and tried to update the condition to be:
  IdentityGroupName, Equals, GroupParent
  IdentityGroupName, Match, .*(GroupParent).*
  But no one of these options worked.
  I am almost sure that in Cisco ISE 1.1.1, it was working fine. But I updated today to 1.1.4 and I cannot make it work.
  Can anyone help me ?
  Best regards,
  David

  You could try the following to match only the parent group
  IdentityGroup:Name EQUALS GroupParent
  You could try the following to match only child group A
  IdentityGroup:Name EQUALS GroupParent#ChildA
  You could try the following to match all child groups of GroupParent
  IdentityGroup:Name STARTS_WITH GroupParent
  Please rate if this helps

• ISE 1.1.1 - RegisteredDevices Identity Group

  Working on building a ISE 1.1.1 system to match our internal security policies, and have hit a dilemma. Here goes:
  The requirement states that there need to be differing network authorization profiles for different device types: Domain PCs, Non-Domain Workstations, iPads, and iPhone/Android Phones. Also, all (other than IP Phones and printers) endpoints must be self-registered by the user (My Devices workflow in CWA) who operates them so they appear in the My Device Portal.
  In the authorization rules, there appear to be no way to create a  authorization rule to match a "profiled workstation" AND a "registered  device".
  This is because within ISE, any endpoint that is "registered" joins the RegisteredDevices Identity Group, and is no longer a part of the configured indentity group created by the profiling system. For instance, a profiled Win7-Workstation is a member of the profiler-created Workstation IG until it is registered, then it becomes a member of the RegisteredDevices Identity Group.
  So basically, it appears ISE does not support per-devicetype(from profiler) authorization rules *while also* supporting device registration ("My Devices").
  Or am I missing something?

  Here is a screenshot of the rule in question:
  and here is the breakout of the Compound condition called WorkstationOSs, based on your recommendation:
  Without this compound condition, the authorization is matched. With it there, it is not matched, even though the endpoints are profiled as such.

• Static Identity Group Assignment

                     Does anyone know a way to bring in an endpoint with the following attributes?
  Endpoint Policy Name       Static = True
  Static Group Assignment   Static = True
  The 1.2 manual says;
  If the file used for import contains endpoints that have their MAC addresses, and their assigned endpoint profiling policy is the static assignment, then they are not re-profiled during import. 
  To change a dynamic assignment of an endpoint identity group to static, check the Static Group Assignment check box. If the check box is not checked, then the endpoint identity group is dynamic as assigned by the profiler based on policy configuration.
  Statically Profiled Endpoints
  An endpoint can be profiled statically when you create an endpoint with its MAC address and associate a profile to it along with an endpoint identity group in Cisco ISE. Cisco ISE does not reassign the profiling policy and the identity group for statically assigned endpoints.
  A) Does anyone know a way to import from an LDAP database and maintain the Static Group Assignment = True.
  I successfully do an LDAP import of the MAC and Endpoint Group (which comes in as True) but the Static Group Assignment has the Endpoint Group Assignment correct but static is false unchecked.  I don't want these profiling any more.  These are thousands of endpoints and I do not see any way to do a bulk change.  I have tried exporting and re-importing but that doesn't really scale.
  B) Would creation of an endpoint group that is not part of the Profiled endpoint group change the behavior I see above when I do my LDAP import?
  If there were a way to do the bulk selection and change the static property or the Static Group Assignment that would be of huge benefits.  The changes apply to the fields selected within the endpoints while maintaining the MAC property of the endpoint.
  Thanks in advance for any suggestions.

  James,
  That is possible but do you have the dhcp probe enabled and have you thought about setting up an ip helper statement or assigning the ISE node as one of the dhcp servers on the WLC?
  There is a built in check such that if the dhcp class identifier contains MSFT will profile the endpoint as a windows workstation.
  However if this is not the case then you can create the following condition under the Policy Elements > Conditions > Profiling > New Profiler Condition, you will use the create (advanced...) then select NMAP > 135-tcp > then set the operator EQUAL to msrpc.
  Then go under the Microsoft-Workstation and select the option to create a matching identity group (its much easier rather than using the heirarchy option) and set the certainity factor 30. Then add this new condition and set the certainity to 30 also.
  Hope that helps,
  Thanks,
  Tarik Admani
  *Please rate helpful posts*

• AuthZ Policy "Monitor Only" mode

  I have a question about the AuthZ Policy “Monitor Only” or "Audit" mode.  I want to test a new AuthZ policy by using “Monitor Only” mode, but I am not seeing any indication that my Test device is hitting the rule while in Monitor only mode… It ends up hitting our last default rule which is currently permit any.  If I actually enable the rule, I can see the device hitting the rule and getting denied in the Authentication log window.
  So I know the rule works, but I want to only monitor the rule for now to see what would get denied, so that we can assess how we want to handle auth for said devices.  According some info I found, I should be seeing an indication in the Auth log window that a rule was matched, if it is Monitor only mode.
  I am currently running ISE 1.3.0.876.
  Any help is appreciated

  I have had the same experience.  If you look at the AuthZ details for the connection, you will see under Other Attributes a special attribute returned named "RadiusAuthorizationPolicyMatchedMonitorRules," but as far as I know there is no way to run a report on it. Maybe someone else has a suggestion on it.
  What I do as a workaround is create a rule matching the conditions and create a special Authorization Profile for the rule that just has ACCESS_ACCEPT (not to break any traffic), then run a RADIUS Authentication report matching that Authorization Profile.

• ISE Identity Report

  Hi,
  is there any way to generate a report in ISE, to see what devices the users using ?
  I understand we can do it from search function, but this is a manual effort and can't be scheduled..
  from search function we can search the username and it will show the endpoints that the user is using
  From the report function,
  I can only get this data for registered device but not for those devices that's just using 802.1x without supplicant provisioning flow
  same thing for guests, since they're using web authentication..
  does this mean that we can only generate report for personal devices that the staff are using but not the corporate devices itself?

  I doubt that, as far as i can tell with ISE, when you are being authenticated either by mab or by a user/pass with ex PEAP, your identity is established as either, not both, and the identity is what gets compared to identity groups.