Access based on IP Address

I would like to combine <cfif> and <cfinclude> to control part of the content of a page based on IP address ranges. Basically, when a user accesses the page from a defined range of IP addresses, the <cfinclude> calls foo.cfm into the page. If the user accesses the page from an IP address outside of the defined IP address range, <cfinclude> will return other_foo.cfm.
Any suggestions for a newbie?
Thanks in advance.

The variable CGI.REMOTE_ADDR or CGI.REMOTE_HOST should contain the IP information. Then compare to your range.
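The comparison the answer suggests, written out as an added example (Python rather than CFML, and not code from the original thread): the range test is done on parsed addresses instead of string prefixes, and CGI.REMOTE_ADDR is taken as the client only when the request did not arrive through one of our own reverse proxies. The allowed range and the proxy address are constructed sample values.

```python
"""Added example, not code from the original thread: the <cfif> decision from
the question as a function, with the range test done on parsed addresses and
with CGI.REMOTE_ADDR trusted as the client only when the request did not
arrive through one of our own reverse proxies."""
from ipaddress import ip_address, ip_network
from typing import Mapping

# Constructed sample values: the "defined range" of the question, and the
# reverse proxy (itself inside that range) that sits in front of the server.
ALLOWED_RANGES = [ip_network("192.168.172.0/24")]
TRUSTED_PROXIES = [ip_network("192.168.172.250/32")]


def in_ranges(addr, ranges) -> bool:
    """True when addr falls in any network in ranges (None or an address of
    the other IP version is simply not in range)."""
    return addr is not None and any(addr in net for net in ranges)


def client_ip(cgi: Mapping[str, str], trusted_proxies=TRUSTED_PROXIES):
    """Return the address to authorise on, or None when it cannot be determined.

    CGI.REMOTE_ADDR is the TCP peer and cannot be chosen by the client.
    X-Forwarded-For is client-supplied text and is believed only when the peer
    is one of our proxies; the rightmost entries are then the ones our proxies
    appended, and the first non-proxy address from the right is the client.
    CGI.REMOTE_HOST (reverse DNS) is deliberately not used: it is not authoritative.
    """
    try:
        peer = ip_address(cgi["REMOTE_ADDR"].strip())
    except (KeyError, ValueError):
        return None
    xff = cgi.get("HTTP_X_FORWARDED_FOR", "")
    if not xff or not in_ranges(peer, trusted_proxies):
        return peer                     # direct connection: the peer is the client
    for hop in reversed([h.strip() for h in xff.split(",")]):
        try:
            addr = ip_address(hop)
        except ValueError:
            return None                 # malformed header: fail closed
        if not in_ranges(addr, trusted_proxies):
            return addr
    return None                         # only our own proxies in the chain


def choose_template(cgi: Mapping[str, str],
                    ranges=ALLOWED_RANGES, proxies=TRUSTED_PROXIES) -> str:
    """Which file the <cfinclude> should pull in for this request."""
    return "foo.cfm" if in_ranges(client_ip(cgi, proxies), ranges) else "other_foo.cfm"
```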

Similar Messages

  • Restrict application access based on IP address

    Hi!
    I am a newbie to Oracle Application Server, and I want to know if there is any way to restrict access to particular applications such as 'ascontrol' based on IP address.
    I am using Oracle Application Server 10g.
    Regards
    Drini

    You can see dms.conf file for something like that.
    Order deny,allow
    deny from all
    allow from 10.0.0.1
    This only allows 10.0.0.1 to see something.
    Greetings

  • Restricting Access Based on IP Address

    I am wondering how Oracle Identity Management lets us check if the request comes from a specific IP Address before authentication. I need to restrict access to web pages for a username or role to a certain location and IP address, in fact a bank branch.
    Please note that I don't want to limit access to the server to one IP address in general, but I need to let in a pair of (IPx, Usernamex); in other words, bind IPs and identities.
    Any suggestion for this?
    Thank you
    Regards,
    Farbod

    Hi
    Sorry for not answering until now but I have been busy the last couple of days.
    You need to implement this functionality on the first node in your system so that you can get the originator IP. If your application server is behind something that changes the originator IP you will simply not be able to read the IP and the approach of using SSO call outs will not work. SSO call out will only work if the app server is placed in front.
    If you have a load balancer in front you will need to install a reverse proxy of some kind in front of the load balancer. If you have the money for licenses I would recommend looking at OAAM.
    What you will be building is basically a SSO setup so as long as the SSO system supports your authentication scheme and has an SSO plug in that supports your app server you will be fine.
    If you have plenty of time but little license money you might want to look at building something based on Apache and Mod_proxy or mod_security. I did a little bit of work on this back in 2003 but it doesn't seem to be a common pattern today so I am not sure how viable this option is.
    Hope this helps
    /M

  • ASA 5510 Firewall internet Restriction based on IP address and block rest users excluding Mails

    Hi,
    As I have an assignment to create an access list based on IP address: we have to allow internet access for the IP range 192.168.172.201 to 212.
    And the rest of the users we have to block, excluding mail.
    Please help.
    Thanks,
    Regards,
    Hemant Yadav 

    login as: Rakh
    [email protected]'s
    password:
    Type help or '?' for a list of available commands.
    FAST-HQ-ASA> en
    Password:
    Invalid password
    Password: ***********
    FAST-HQ-ASA# show rum
                        ^
    ERROR: % Invalid input detected at '^' marker.
    FAST-HQ-ASA# show run
    : Saved
    ASA Version 8.3(1)
    hostname FAST-HQ-ASA
    enable password 7tt1ICjiO2a2/Hn2 encrypted
    passwd U8oee3lIrDCUmSK2 encrypted
    names
    interface Ethernet0/0
    description ASA Outside segment
    speed 100
    duplex full
    nameif OUTSIDE
    security-level 0
    ip address 62.173.33.67 255.255.255.240
    interface Ethernet0/1
    description VLAN AGGREGATION point
    no nameif
    no security-level
    no ip address
    interface Ethernet0/1.2
    description INSIDE segment (User)
    vlan 2
    nameif INSIDE
    security-level 100
    ip address 192.168.172.1 255.255.255.0
    interface Ethernet0/1.3
    description LAN
    vlan 3
    nameif LAN
    security-level 100
    ip address 192.168.173.1 255.255.255.0
    interface Ethernet0/2
    shutdown
    no nameif
    no security-level
    no ip address
    interface Ethernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    interface Management0/0
    nameif management
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    management-only
    ftp mode passive
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object network INSIDE
    subnet 192.168.172.0 255.255.255.0
    object network LAN
    subnet 192.168.173.0 255.255.255.0
    object network MAIL-SERVER
    host 192.168.172.32
    object network DENY-IP-INTERNET
    range 192.168.172.121 192.168.172.200
    object-group service serBLOCK-INTERNET tcp
    port-object eq www
    object-group network BLOCK-IP-INTERNET
    network-object object DENY-IP-INTERNET
    access-list 102 extended permit icmp any any time-exceeded
    access-list 102 extended permit icmp any any echo-reply
    access-list OUTSIDE-IN extended permit tcp any host 192.168.172.32 eq smtp
    access-list OUTSIDE-IN extended permit tcp any host 192.168.172.32 eq https
    access-list BLOCK-WWW extended deny tcp object-group BLOCK-IP-INTERNET any object-group serBLOCK-INTERNET
    access-list BLOCK-WWW extended permit ip any any
    pager lines 24
    logging asdm informational
    mtu OUTSIDE 1500
    mtu INSIDE 1500
    mtu LAN 1500
    mtu management 1500
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    object network INSIDE
    nat (INSIDE,OUTSIDE) dynamic interface
    object network LAN
    nat (LAN,OUTSIDE) dynamic interface
    object network MAIL-SERVER
    nat (INSIDE,OUTSIDE) static 62.173.33.70
    access-group OUTSIDE-IN in interface OUTSIDE
    access-group BLOCK-WWW out interface OUTSIDE
    route OUTSIDE 0.0.0.0 0.0.0.0 62.173.33.65 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication ssh console LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 management
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    vpn-addr-assign local reuse-delay 5
    telnet timeout 5
    ssh 192.168.172.37 255.255.255.255 INSIDE
    ssh 192.168.173.10 255.255.255.255 LAN
    ssh timeout 5
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    username Rakh password EV9pEo1UkhHJSbIW encrypted
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
    service-policy global_policy global
    prompt hostname context
    call-home
    profile CiscoTAC-1
      no active
      destination address http
    https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email
    [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:1ee78d19f958efc6fd95f5e9d4e97b8d
    : end
    FAST-HQ-ASA#

  • No e-mail address for contact on the same Exchange server in "From", when access is limited by address book policy

    Hello,
    I have following awkward situation:
    I have [email protected] and [email protected] on the same exchange server.
    Address book policies for these users are configured in such a way that contoso.com users do not see tailspintoys.com users at all (custom address list, based on OU - different domain users are in different OUs; custom global address books, based on PrimarySmtpAddress filtering; and custom Offline Address Books, based on the customized address list mentioned earlier).
    [email protected] sends an e-mail to [email protected]. When [email protected] checks his inbox (in OWA) he sees the new e-mail, but when he checks the "From" field he sees only the name, and even when checking (double-click) the contact details everything is blank: no e-mail/phone/additional info.
    I want users to have access to the e-mail, so this problem does not occur (it causes other problems with replies in Outlook 2011 for Mac), but I still do not want contoso.com users to see tailspintoys.com users in any address books (offline/GAB).
    Any suggestions?
    Thank you in advance!

    Hi Phillip,
    According to the description, I found that you want to hide information except sender's display name (?) to another domain. Please correct me if there is any misunderstanding.
    Based on my experience, it is impossible.
    Would you like to tell me why you want to hide the additional information? Maybe we can achieve this goal via other methods, like Outlook Rules or Transport Rules.
    I also notice this, 'it causes other problems with replies in Outlook 2011 for Mac' , if there is any problem on Outlook 2011 for Mac, I suggest creating a new thread on the Mac forum.
    For your convenience:
    http://answers.microsoft.com/en-us/mac/forum/macoutlook?tab=Threads
    Hope it is helpful
    Thanks
    Mavis
    Mavis Huang
    TechNet Community Support

  • Unable to access only Read Write addresses of AB Micrologix 1400 PLC using NI DSC and NI OPC server

    Hi,
    I have been using NI DSC and OPC servers (NI and Kepware) to communicate with Allen Bradley Micrologix 1400 PLC (1766-L32BXB). Recently at one site I found that I could access Process values from the PLC correctly (Read Only tags) but could not access the Read Write tags at all. The latter are addresses to which it should be possible to write Set (i.e., reference) values from MMI or PC software. I am able to do so from the MMI, not from the PC software. I get a communication error message on the MMI and PC, mentioning the PLC address being accessed (e.g. N7:0).
    Support from the supplier is not available. Hence can anyone let me know if ladder logic could have been written to prevent PC software based access of Read/write addresses (N7:0 to 9 in this case), while permitting access to Read only addresses? Is the problem at the PLC end or OPC server end? Is there a way to get around this?
    Thanks in advance.

    The OPC Server cannot force Outputs, so if the registers in question are the outputs of ladder rungs you cannot write to them via the server. The controller will accept the write from the server but will not execute the write. In some cases the server event log will post an error if it is the PLC. Do you get errors when you try to write, and if so, what are the posted error messages?
    Fred Loveless
    Kepware Technologies
    http://www.kepware.com

  • Creating NAC remediation rules based on MAC address

    Hi All,
    Any idea please. Is it possible to control PCs allowed on the network based on a MAC address list in NAC? I.e., create a list of MAC addresses for PCs on my network in NAC; then each PC is granted network access (passed NAC authentication and remediation) on the network only if its MAC address is in that list.
    So my checks will be:
    1. Have antivirus updated
    2. Have antispyware updated
    3. Have windows updates installed
    4. Have MAC address registered in the MAC list
    5. etc.
    Then after the above checks pass --> GRANT network access.
    regards,
    Stanlaus.

    I have been doing some of this, and while it does provide some of the functionality that is lost without the ability to apply rules only to read messages, it is not a complete solution. One of the biggest drawbacks is that it is not easy to selectively limit what new mail shows up in the smart mailbox. One approach that works, sort of, is to limit the smart mailbox to only messages from people in my address book. However, not all relevant messages are from people already in my address book, so it requires constantly double checking to make sure that things aren't slipping through the cracks.
    The best thing about being able to apply rules, after receiving them, based on the status of a message is that it puts the control in the user's hands. It allows you to selectively apply rules, only when you want to apply them. Rather than always/never, you have the ability to apply rules "sometimes/as needed." It allows for fuzzy logic, rather than hard conditions.

  • I cannot access my old email address anymore, however I have used it for my apple ID and now I want to delete it because the account has never been verified in the first place so my password for it doesn't work. What do I do?

    I cannot access my old email address anymore, however I have used it for my apple ID and now I want to delete it because the account has never been verified in the first place so my password for it doesn't work. So when I want to download apps I have to sign in with apple id but I can't so I made a new one, However I can't seem to be able to delete the old one. What do I do?

    You can't merge Apple IDs. You also can't cancel (delete) an existing ID, you can only choose to stop using it.
    If your old ID was compromised and you can no longer access it, you'll have to contact Apple for assistance. Go to https://expresslane.apple.com ; click 'See all products and services' at the bottom of the page. In the next page click 'More Products and Services', then 'Apple ID'. In the next page select 'Other Apple ID Topics', then 'Apple ID account Security'.

  • Authorisation of an old account on a new mac, Password not working, no longer have access to that email address, and security question not working. But I do have my mac authorised! ...is there anyway to copy or get authorisation info off it???

    Please help me!!!!
    I have got a new Mac, I am trying to share my iTunes on it as well as my old Mac. I have had two iTunes accounts in my life, one is current now (this account), one I have not had access to the email for years. Since I have bought music off both accounts, I wish to play it all on both my Macs. My old Mac has both accounts authorised fine and all is good.
    On my new Mac I have this account running fine, but I keep getting prompted for the password for my old account. I have no idea what my old password is, I have not had access to that email address for 5 years, and for some strange reason the security question isn't working either.
    Since I do still have one Mac where it is authorised, is there any file I can copy across or any way to get the password out of OS X 10.6.8 for my old account?
    Secondly, is there anyway to roll both accounts into just my current one.
    Many Thanks in advance for your help.
    Steve

    I too am having this same problem but I have not seen ANY solutions for it. Looks like Apple is ignoring it!!!!!!!!?

  • How do i verify my icloud account if i no longer have access to the email address they want me to verify it with??

    How do I verify my iCloud account if I no longer have access to the email address they want me to verify it with?

    Go to http://appleid.apple.com and click 'Manage your account'. You will be able to change the non-Apple email address you use as a login. You will then need to log out and in again on all your devices.

  • I can't access iCloud, my email address has changed recently and I can't use any emails and passwords or set up a new ID, can't get hold of Apple support for help, very frustrated!

    I cannot access iCloud, my email address changed a while ago and none of my email addresses and passwords work. I have tried to get a new password but that doesn't work! Tried to contact Apple support, no luck there either! What can I do?

    If you are trying to change the iCloud ID ("email address") you have to go to Settings>iCloud, tap Delete Account, provide the password for the old ID when prompted to turn off Find My iDevice, then sign back in with the ID you wish to use.  When you do this you may find that the password for your old ID isn't accepted.  If this should happen, and if your old ID is an earlier version of your current ID, you need to temporarily recreate your old ID by going to https://appleid.apple.com, click Manage my Apple ID and sign in with your current iCloud ID.  Click edit next to the primary email account, change it back to your old email address and save the change.  Then edit the name of the account to change it back to your old email address.  You can now use your current password to turn off Find My iDevice on your device, even though it prompts you for the password for your old account ID. Then save any photo stream photos that you wish to keep to your camera roll.  When finished go to Settings>iCloud, tap Delete Account and choose Delete from My iDevice when prompted (your iCloud data will still be in iCloud).  Next, go back to https://appleid.apple.com and change your primary email address and iCloud ID name back to the way it was.  Now you can go to Settings>iCloud and sign in with your current iCloud ID and password.

  • How to fix: Unhandled page fault on read access to 0x00000000 at address 0x00aa4088 .

    hi
    I recently downloaded a game (Assassin's Creed I). I opened it and the intro showed up; after that the screen went white, then black, and a window came up called "exception raised", and below it it said: Unhandled page fault on read access to 0x00000000 at address 0x00aa4088.
    I have tried opening it many times and the same results come up.
    I've looked everywhere and found that other people have had this same problem but no one has fixed it yet.
    Any help will be appreciated.
    thanks

    I did try the OP's solution, but it proved to be only temporary. Take a gander at my proposition, and if you are experiencing many issues with your MBA and WiFi Connection, try doing all of the possible fixes located on these forums to see which one (hopefully) works for you. Here's my attempt at a solution.
    Well, after toying around with many of the settings on the MBA, I then began to work on the AirPort Extreme (Gigabit Version) and I discovered that the MBA would only connect when I selected "Interference Robustness" when configuring the MBA. This made a difference no matter what "Wireless Mode" the AE was in, be it 802.11n (b/g) Support, plain 802.11n (5GHz), etc. So, try that out if you have an AirPort Extreme/Express and MBA, and post your results. The MBA is running 10.5.5 with only one update remaining (10.5.6).
    {This has posted in various threads by me, myself, and I, and I am only reposting so that many threads are aware of this. Hope it helps at least one person.}

  • I changed my Apple ID on iTunes and on the iPhone 4. When I try to "Update All" the old Apple ID (I no longer have access to the email address) shows up. How do I update those apps?

    I changed my Apple ID on iTunes and on the iPhone 4. When I try to "Update All" the old Apple ID shows up (I no longer have access to that email address). How do I update those apps?

    Apps are DRM protected and tied to the account used to originally obtain them. They cannot be transferred to another iTunes account nor updated using another iTunes account. Only the account used to obtain them can be used to update them. You can contact iTunes support, explain the situation & ask that they add these apps to the download queue of your new account:
    http://www.apple.com/support/itunes/contact.html

  • Powershell: Set Access Based Enumeration on share in Failover Cluster

    Hi guys, 
    I'm facing the following problem. Below you see my script to create a shared folder. (My folder share is visible in failover cluster manager, underneath clustergroup TESTSTO01.) 
    Now I need to enable Access Based Enumeration on this share. Has anyone a clue how to do that in powershell? (Version 2). 
    I also need to make sure that the files and programs are not available offline. 
    Thanks in advance! 
    $SHARE_READ = 1179817     # 100100000000010101001
    $SHARE_CHANGE = 1245631   # 100110000000100010110
    $SHARE_FULL = 2032127     # 111110000000111111111
    $SHARE_NONE = 1           # 000000000000000000001
    $ACETYPE_ACCESS_ALLOWED = 0
    $ACETYPE_ACCESS_DENIED = 1
    $ACETYPE_SYSTEM_AUDIT = 2
    $ACEFLAG_INHERIT_ACE = 2
    $ACEFLAG_NO_PROPAGATE_INHERIT_ACE = 4
    $ACEFLAG_INHERIT_ONLY_ACE = 8
    $ACEFLAG_INHERITED_ACE = 16
    $ACEFLAG_VALID_INHERIT_FLAGS = 31
    $ACEFLAG_SUCCESSFUL_ACCESS = 64
    $ACEFLAG_FAILED_ACCESS = 128
    # New Trustee
    function New-Trustee($Domain, $User) {
        $Trustee = ([WMIClass]"\\TESTSTO01\root\cimv2:Win32_Trustee").CreateInstance()
        $Trustee.Domain = $Domain
        $Trustee.Name = $User
        if ($User -eq "Administrators") {
            # BUILTIN\Administrators (S-1-5-32-544) as a binary SID
            $Trustee.SID = @(1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0)
        } else {
            # Everyone (S-1-1-0) as a binary SID
            $Trustee.SID = @(1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
        }
        return $Trustee
    }
    # New ACE
    function New-ACE($Domain, $User, $Access, $Type, $Flags) {
        $ACE = ([WMIClass]"\\TESTSTO01\root\cimv2:Win32_ACE").CreateInstance()
        $ACE.AccessMask = $Access
        $ACE.AceFlags = $Flags
        $ACE.AceType = $Type
        $ACE.Trustee = New-Trustee $Domain $User
        return $ACE
    }
    # Get SD
    function Get-SD {
        $sd = ([WMIClass]"\\TESTSTO01\root\cimv2:Win32_SecurityDescriptor").CreateInstance()
        $ACE1 = New-ACE -Domain $null -User "Everyone" -Access $SHARE_CHANGE -Type $ACETYPE_ACCESS_ALLOWED -Flags $ACEFLAG_INHERIT_ACE
        $ACE2 = New-ACE -Domain $null -User "Administrators" -Access $SHARE_FULL -Type $ACETYPE_ACCESS_ALLOWED -Flags $ACEFLAG_INHERIT_ACE
        [System.Management.ManagementObject[]] $DACL = $ACE1, $ACE2
        $sd.DACL = $DACL
        return $sd
    }
    # Create-Share
    function Create-Share($ShareName, $Path, $Comment, $Access) {
        $checkShare = (Get-WmiObject Win32_Share -Filter "Name='$ShareName'")
        if ($checkShare -ne $null) {
            # "Share exists and will now be deleted!!!"
            Get-WmiObject Win32_Share -Filter "Name='$ShareName'" | ForEach-Object { $_.Delete() }
        }
        $wmishare = [WMIClass] "\\TESTSTO01\ROOT\CIMV2:Win32_Share"
        $Access = Get-SD
        # Win32_Share.Create(Path, Name, Type, MaximumAllowed, Description, Password, Access)
        $R = $wmishare.Create($Path, $ShareName, 0, $null, $Comment, "", $Access)
        if ($R.ReturnValue -ne 0) {
            # Parenthesised so the return value becomes part of the message
            Write-Error ("Error while creating share: " + $R.ReturnValue)
            exit
        }
        # Write-Host "Share has been created."
    }
    # Create first share with permissions **********************************
    $ShareName = "$Company$"
    $Path = "$Driveletter" + ":\$Company"
    $Comment = ""
    $Domain = $Null
    Create-Share $ShareName $Path $Comment $Access

    Unable to find type [CmdletBinding(SupportsShouldProcess=$TRUE)]: make sure tha
    t the assembly containing this type is loaded.
    At C:\Script Nathalie\Everyware2.ps1:294 char:45
    + [CmdletBinding(SupportsShouldProcess=$TRUE)] <<<<
        + CategoryInfo          : InvalidOperation: (CmdletBinding(S...dProcess=$T
       RUE):String) [], RuntimeException
        + FullyQualifiedErrorId : TypeNotFound
    The term 'param' is not recognized as the name of a cmdlet, function, script fi
    le, or operable program. Check the spelling of the name, or if a path was inclu
    ded, verify that the path is correct and try again.
    At C:\Script Nathalie\Everyware2.ps1:295 char:6
    + param <<<< (
        + CategoryInfo          : ObjectNotFound: (param:String) [], CommandNotFou
       ndException
        + FullyQualifiedErrorId : CommandNotFoundException
    The term 'begin' is not recognized as the name of a cmdlet, function, script fi
    le, or operable program. Check the spelling of the name, or if a path was inclu
    ded, verify that the path is correct and try again.
    At C:\Script Nathalie\Everyware2.ps1:304 char:6
    + begin <<<<  {
        + CategoryInfo          : ObjectNotFound: (begin:String) [], CommandNotFou
       ndException
        + FullyQualifiedErrorId : CommandNotFoundException
    Get-Process : Cannot evaluate parameter 'Name' because its argument is specifie
    d as a script block and there is no input. A script block cannot be evaluated w
    ithout input.
    At C:\Script Nathalie\Everyware2.ps1:331 char:8
    + process <<<<  {
        + CategoryInfo          : MetadataError: (:) [Get-Process], ParameterBindi
       ngException
        + FullyQualifiedErrorId : ScriptBlockArgumentNoInput,Microsoft.PowerShell.
       Commands.GetProcessCommand
    The term 'end' is not recognized as the name of a cmdlet, function, script file
    , or operable program. Check the spelling of the name, or if a path was include
    d, verify that the path is correct and try again.
    At C:\Script Nathalie\Everyware2.ps1:345 char:4
    + end <<<<  {
        + CategoryInfo          : ObjectNotFound: (end:String) [], CommandNotFound
       Exception
        + FullyQualifiedErrorId : CommandNotFoundException
    The term 'set-shareABE' is not recognized as the name of a cmdlet, function, sc
    ript file, or operable program. Check the spelling of the name, or if a path wa
    s included, verify that the path is correct and try again.
    At C:\Script Nathalie\Everyware2.ps1:348 char:13
    + set-shareABE <<<<  TESTSTO01 $Company$ -Enable
        + CategoryInfo          : ObjectNotFound: (set-shareABE:String) [], Comman
       dNotFoundException
        + FullyQualifiedErrorId : CommandNotFoundException

  • Configuring ISE to proxy Authentications based on email address

    Hi
    I'm looking for a little help configuring ISE to proxy requests to external RADIUS servers based on email address and password. I want to configure eduroam on our WLAN. Eduroam allows students to connect to the Wi-Fi of other campuses using their local credentials.
    Workflow:
    User associates to SSID (eduroamTest)
    Prompted for username & password (802.1x)
    User puts in username and password in the form [email protected] (UPN)
    If the user is part of our local institution they are authenticated using our local radius server (ISE)
    If the user is a  member of a partner institution the request is proxied to an external radius server (National Gateways).
    The National Gateways  passes the request to the relevant institution based on the UPN (eg @ucd.ie will be passed to ucd radius servers)
    The institution authenticates the user and passes the  request back to the National Gateways
    The National Gateways passes this request back to our ISE server and the external user is authenticated
    The user can browse the web
    What I have done:
    Setup the National Gateways as external proxy servers
    Created firewall rules to allow the traffic
    Configured the proxy sequence with these servers
    Created a policy to proxy requests to the proxy sequence
    What I need to figure out:
    How to get ISE to authenticate/proxy requests, for the SSID eduroamTest, based on UPN eg (if username = *@rcsi.ie then use local ISE otherwise use proxy service)
    Any help with this configuration would be greatly appreciated as I am new to ISE.
    If you need any more info please let me know.
    Kind regards
    John

    Sounds like you did most of the work already. To get ISE to direct certain requests to another RADIUS server based on attributes in the request, all you need to do is create a new authentication rule, where you check for the following attributes:
    radius/called-station-id contains "eduroam"
    and
    radius/username ends with "rcsi.ie"
    Then you can select the radius server sequence you created instead of the normal "Allowed protocols" list.
    If you want to be in control of the authorization, there is a flag you must set in the radius server sequence in ISE, this will let you control what rights the client is given locally, while still authenticating the user remotely.
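    The realm decision that the rule above expresses, as an added example (Python, not the thread's own ISE configuration): the realm after the last "@" is compared exactly with the local realm from the thread, because an "ends with rcsi.ie" match would also treat a realm such as notrcsi.ie as local. The Called-Station-Id values in the test are constructed samples in the common "AP-MAC:SSID" form.

```python
"""Added example, not the thread's own configuration: the routing decision the
ISE authentication rule ("Called-Station-Id contains eduroam AND User-Name
ends with rcsi.ie") expresses, written out so its edge cases are visible."""
from typing import Mapping, Optional

LOCAL_REALMS = {"rcsi.ie"}        # realm from the thread; anything else is proxied
EDUROAM_MARKER = "eduroam"        # the SSID name carried in Called-Station-Id


def realm_of(user_name: str) -> Optional[str]:
    """Realm after the last '@', lower-cased; None when there is no realm.

    eduroam outer identities are commonly 'anonymous@realm', so only the realm
    is needed to route the request; the local part is never inspected here.
    """
    if "@" not in user_name:
        return None
    realm = user_name.rpartition("@")[2].strip().lower()
    return realm or None


def route(attrs: Mapping[str, str], local_realms=LOCAL_REALMS) -> str:
    """Classify one Access-Request as NOT_EDUROAM, LOCAL, PROXY or REJECT.

    A plain 'ends with rcsi.ie' test also accepts 'user@notrcsi.ie' as local,
    so the realm is compared exactly (case-insensitively) instead. A request
    without a realm cannot be routed anywhere and is rejected rather than
    forwarded to the national proxy.
    """
    called = attrs.get("Called-Station-Id", "").lower()
    if EDUROAM_MARKER not in called:
        return "NOT_EDUROAM"          # other SSIDs: the normal rules apply
    realm = realm_of(attrs.get("User-Name", ""))
    if realm is None:
        return "REJECT"
    return "LOCAL" if realm in local_realms else "PROXY"
```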
