Authorization Rules.

Hi,
I am in the process of setting up OAM/OID to provide secure access to a website.
Part of the website is public and part of the website is secure.
For the secure part I want to limit access to a particular group of users who belong to a group, e.g. secureGroup, which has been created through the GroupManager function of Identity Administration.
I have created a Policy Domain for the protected part. I have also created an Authorisation Rule for the allowed users to grant them access. My understanding is that I need to create an LDAP rule to provide access to the group in question.
What is the format of the rule? The documentation goes a bit light as to the format of the rule. I am just not sure how to say "is the current user a member of secureGroup?"
Any help or pointers would be useful.

You're on the right track; however, the LDAP filter definition will not help you with a group-based authorization decision (as a 'group' object never logs into the system).
Hit the 'select user' button, which opens the OAM selector app. Look closely in the top right-hand corner of the UI for blue links on the blue background - one for Employees, one for Groups. Select Groups, then search for and select your group object. Save the rule.
You can make the UI better by defining tab images for the person and group object classes - then those links are much more obvious.
Mark

Similar Messages

  • Max Authorization Rules in ISE

    Just curious if anyone knew the max number of authorization rules you can have in an ISE deployment?
    Sent from Cisco Technical Support iPad App

    I read a discussion and it says the devs have tested and support 140 authorization rules in ISE 1.1.x.
    Jatin Katyal
    - Do rate helpful posts -

  • OAM : Multi-valued attribute in Authorization Rule Actions

    Our application is protected by an Oracle Access Manager deployment, where the identity user base is based in an Oracle Internet Directory.
    In the OID, for every user entry, we have a multi-valued attribute (say, 'roleattr') which contains the roles recognized in our application. Once the user is authenticated by the Access Server, we need the roles associated with him to be fetched and returned in the page header (similar to uid).
    Hence, our question is: in PolicyManager, by setting the Authorization Rule > Actions, is it possible to retrieve this attribute (which is multi-valued) and populate it into the page header, so that our application can retrieve it?

    Sure, you'll get a colon-delimited list of the multiple values in your header!
    -Vinod

  • Creating LDAP filter in authorization rule OAM 10G

    Hi,
    I want to set up an LDAP filter in an Authorization rule, based on which I will redirect users to specific URLs. What is the syntax for writing LDAP filters in an OAM authorization policy? Any pointers to documentation will be appreciated.
    Also I want to know whether authorization always follows authentication, i.e. my redirection will be successful only after a user is authenticated in the end application, based on the headers we send out after successful authentication.
    Please Help
    Thanks
    Edited by: 904630 on Dec 27, 2011 5:34 AM
    Edited by: 904630 on Dec 27, 2011 5:36 AM

    Open the Identity Server console and check the attribute's Display Name and type in the Object Classes section. I recently faced a similar issue and it got fixed after providing these two values.
    Hope it works for you as well :)

  • ACS v5.5 authorization rules 320 limit

    I am about embark on a large service provider ACS migration / installation and I suspect I am going to need more than 320 authorization rules, which is the limit stated in ACS v5.5 release notes.
    Is the limit for the maximum number of rules for an Access Service, or for the ACS totally?

    The limitation is for the total ACS.
    http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-5/release/notes/acs_55_rn.html#90057
    Table 13 Limitations in ACS Deployments
    Object Type                         ACS System Limits
    ACS Instances                       22
    Hosts                               150,000
    Identity Groups                     1,000
    Active Directory Group Retrieval    1,500
    Network Devices                     100,000
    Network Device Groups               12
    Device Hierarchies                  6
    All Locations                       10,000
    All Device Types                    350
    Services                            25
    Authorization Rules                 320
    Conditions                          8
    Authorization Profile               600
    Service Selection Policy (SSP)      50
    Network Conditions (NARs)           3,000
    ACS Admins                          50 (9 static roles)
    dACLs                               600 dACL with 100 ACEs each

  • Authorization Rule Success Return Value HeaderVar not found?

    Policy Manager > Policy Domain > Authorization Rule > Actions > Success > Return
    Type        Name            Return Value
    HeaderVar   REMOTE_EMAIL    xxx
    Type        Name            Return Attribute
    HeaderVar   REMOTE-EMAIL    mail
    But I cannot find any value for REMOTE_EMAIL or REMOTE-EMAIL, whether in ASP or JSP.
    Other cookie values are OK. I am not sure whether the HeaderVar is set at all, or whether "HeaderVar" is correct.
    Thanks!

    Is the page where you are expecting the HeaderVar to be shown the protected resource, or is it set as the Authorization redirection action? If it is the action, please protect the page with OAM (set the HeaderVar in the Policy), access the page directly and see if it shows the HeaderVar.
    HTH.

  • ACS 5.3 cannot create default network access authorization rule

    Hi, when I click 'Create...' under Access Policies > Default Network Access > Authorization, and then press the 'OK' button, it says 'Please configure at least 1 condition.' However I have no way to configure conditions, as the 'Conditions' text is just bold text and not a link or any sort of configurable area. If I go to 'Customize' on the bottom right and add conditions to the right list box, I still have no options when I press Create. Also, the 'green light' next to Default Network Access is grey with a line through it. This is the most cryptic system I have ever used... anyone have an idea? Thank you!

    Looks like you are using Chrome and it's not a supported browser.
    Supported Web Client/Browsers
    You can access the ACS 5.3 administrative user interface using the following Web Clients/Browsers:
    • Windows 7 32 bit
    • Windows XP Professional (Service Pack 2 and 3)
    • Windows Vista
    • Internet Explorer version 7.x
    • Internet Explorer version 8.x
    • Internet Explorer version 9.x
    • Mozilla Firefox version 3.x
    • Mozilla Firefox version 4.x
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/release/notes/acs_53_rn.html#wp222016
    Jatin Katyal
    - Do rate helpful posts -

  • [ISE] What is the best Authorization rules sequence ?

    Hello,
    Like a FW set of rules, I think that ISE's authZ rules should also be ordered with care?
    What are the best practices?
    Most used first?
    Guest, MAB and Webauth at the end?
    Tell me...
    Any screencap is welcome
    Regards.

    Hi,
    The first rule matched is the rule that applies. Best practices are outlined by one of the TAC engineers in this document.
    https://supportforums.cisco.com/community/netpro/security/aaa?view=blog
    You can set attributes such as network device groups to determine if the wired, wireless, or vpn policies need to be in effect (which I am sure you are aware of).
    Thanks,
    Tarik Admani
    *Please rate helpful posts*

  • Authorization rule for EAP-FAST (inner EAP-TLS)

    We have an ISE deployment where we are looking to use EAP-FAST as our authentication method with EAP-TLS as the inner method. We are checking both machine and user certificate. We initially had the following condition in our AuthZ rule -> EapChainingResult = User and machine both succeeded; however, we found that initially machine succeeds and the user doesn't succeed until after Windows login. If we change the condition to EapTunnelType = EAPFAST then it works fine; logs show that while initially user fails and machine succeeds, after login to the Windows shell the 'both user and machine succeeded' log message is visible. My preference would be to get it working with the first condition as it is a more valid check, but it doesn't work due to the initial failure. Has anyone else got EAP-FAST (EAP-TLS) working?
    Regards

    I have it running at a customer, and as you discovered only machine auth succeeds initially; this is because the user store holding the user's certificate is not opened until they have logged in, which is working as intended.
    What you can do is have two different authz rules, one for eapchainingresult=machine succeeded and user failed, and another one for when both succeed. This way you can give granular access by using another ACL for the machine, so the machine doesn't get full access to the network before a user has logged in.

  • ACS 5.3 Authorization problem with using Identity Groups in Access Policy Rule

    Hello guys, I have found a problem which I can't solve regarding authorization using Identity Groups in an Access Policy rule.
    ACS version: 5.3.0.40.6 (internal build B.839)
    I have a very simple RADIUS Authorization rule which authorizes a user based on the right Identity Group.
    The requested Identity Group exists.
    The testing user is created in Internal Users and has the requested Identity Group assigned.
    Radius Access Policy:
    Authentication against an Identity Store Sequence, where the authorization server is an external RSA SecurID device and additional attribute retrieval is configured from Internal Users.
    Authorization is very simple – one rule with only one condition, which is: Identity Group - in - Requested_Testing_Rule. Then the Default rule is set to Deny.
    When I try to log in with my testing user, authentication against RSA SecurID is OK, but authorization is denied by the Default rule – it looks like my rule with the Identity Group is totally omitted.
    I am managing several other ACS servers (version 5.3 but with older patches) where similar rules are working without problem.
    What I have tested:
    Remove testing user and create his account again.
    Rename Identity Group
    Use another Identity Group
    Remove Access Policy rule and create it again
    Use Compound Condition: System:Identity Group
    Use Compound Condition: System:UserID instead of Identity Group in Rule (it is working without problem)
    Do you have any idea where problem can be?

    OK guys, it started working yesterday without any configuration change. Maybe it was some database inconsistency which was solved by ACS itself.

  • An issue with authentication and authorization on ISE 1.2

    Hi, I'm new to ISE.
    I have an issue with authentication and authorization.
    I have ISE 1.2 plus patch 6 installed on VMware.
    I have built-in Windows XP supplicant and 2960 cisco switch with IOS c2960-lanbasek9-mz.150-2.SE5.bin
    On supplicant I use EAP(PEAP) with EAP-MSCHAP v2.
    I created authentication and authorization rules with Active Directory as the External Identity Source. I also applied an authorization profile with a DACL. I log in on the Windows XP machine under different Active Directory accounts. Everything works fine (authentication, authorization), but only for several hours. After several hours have passed, authentication and authorization stop working. I can see that ISE is trying to authenticate and authorize users, but ISE always uses only one account for authentication and authorization. Even if I log in under different accounts, ISE continues to use only the last account.
    I tried to reboot the switch and PC, but it didn't help. Only rebooting ISE helps. After the ISE reboot, authentication and authorization start to work properly for several hours.
    I don't understand: is it a glitch, or did I misconfigure ISE, the switch or the supplicant?
    What  should I do to resolve this issue?
    Switch configuration:
     testISE#sh runn
    Building configuration...
    Current configuration : 7103 bytes
    ! Last configuration change at 12:20:15Tue Apr 15 2014
    ! NVRAM config last updated at 10:35:02  Tue Apr 15 2014
    version 15.0
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname testISE
    boot-start-marker
    boot-end-marker
    no logging console
    logging monitor informational
    enable secret 5 ************
    enable password ********
    username radius-test password 0 ********
    username admin privilege 15 secret 5 ******************
    aaa new-model
    aaa authentication dot1x default group radius
    aaa authorization network default group radius
    aaa authorization auth-proxy default group radius
    aaa accounting update periodic 5
    aaa accounting dot1x default start-stop group radius
    aaa server radius dynamic-author
     client 172.16.0.90 server-key ********
    aaa session-id common
    clock timezone 4 0
    system mtu routing 1500
    authentication mac-move permit
    ip dhcp snooping vlan 1,22
    ip dhcp snooping
    ip domain-name elauloks
    ip device tracking probe use-svi
    ip device tracking
    epm logging
    crypto pki trustpoint TP-self-signed-1888913408
     enrollment selfsigned
     subject-name cn=IOS-Self-Signed-Certificate-1888913408
     revocation-check none
     rsakeypair TP-self-signed-1888913408
    crypto pki certificate chain TP-self-signed-1888913408
    dot1x system-auth-control
    spanning-tree mode pvst
    spanning-tree extend system-id
    vlan internal allocation policy ascending
    ip ssh version 2
    interface FastEthernet0/5
     switchport mode access
     ip access-group ACL-ALLOW in
     authentication event fail action next-method
     authentication event server dead action reinitialize vlan 1
     authentication event server alive action reinitialize
     authentication host-mode multi-auth
     authentication open
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     authentication periodic
     authentication timer reauthenticate server
     authentication violation restrict
     mab
     dot1x pae authenticator
     dot1x timeout tx-period 10
     spanning-tree portfast
    interface FastEthernet0/6
     switchport mode access
     ip access-group ACL-ALLOW in
     authentication event fail action next-method
     authentication event server dead action reinitialize vlan 1
     authentication event server alive action reinitialize
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     authentication periodic
     authentication timer reauthenticate server
     authentication violation restrict
     mab
     dot1x pae authenticator
     dot1x timeout tx-period 10
     spanning-tree portfast
    interface FastEthernet0/7
    interface Vlan1
     ip address 172.16.0.204 255.255.240.0
     no ip route-cache
    ip default-gateway 172.16.0.1
    ip http server
    ip http secure-server
    ip access-list extended ACL-ALLOW
     deny   icmp any host 172.16.0.1
     permit ip any any
    ip radius source-interface Vlan1
    logging origin-id ip
    logging source-interface Vlan1
    logging host 172.16.0.90 transport udp port 20514
    snmp-server community public RO
    snmp-server community ciscoro RO
    snmp-server trap-source Vlan1
    snmp-server source-interface informs Vlan1
    snmp-server enable traps snmp linkdown linkup
    snmp-server enable traps mac-notification change move
    snmp-server host 172.16.0.90 ciscoro
    radius-server attribute 6 on-for-login-auth
    radius-server attribute 6 support-multiple
    radius-server attribute 8 include-in-access-req
    radius-server attribute 25 access-request include
    radius-server dead-criteria time 5 tries 3
    radius-server vsa send accounting
    radius-server vsa send authentication
    radius server ISE-Alex
     address ipv4 172.16.0.90 auth-port 1812 acct-port 1813
     automate-tester username radius-test idle-time 15
     key ******
    ntp server 172.16.0.1
    ntp server 172.16.0.5
    end


  • How to create LDAP filter-based rule to check Group membership in OAM

    Hi folks,
    I'm having a hard time creating an authorization rule to verify LDAP group membership. I've followed the "Configure User Authorization" article from the Oracle website (http://download.oracle.com/docs/cd/E10761_01/doc/oam.1014/b32420/v2authz.htm#BABHBFEJI) and created an Authorization scheme with ldap_attribute_name as User Parameter and ruleExpression as Required Parameter. Then, inside my policy I created an Authorization Rule based on my Authz scheme with an Allow Access attribute filter-based Rule which looks like this:
    ldap://ldap_server:port/ou=People,o=Company,c=US??sub?(ldap_attribute_name=ldap_attribute_value)
    This works fine.
    Now, I've added another filter-based rule under the same Authz Rule/Allow Access:
    ldap://ldap_server:port/ou=Groups,o=Company,c=US?uniqueMember?sub?(&(objectClass=groupOfUniqueNames)(cn=ldap_group_name))
    While the query looks somewhat correct and works as a command-line argument (in slightly modified format), it does not work in OAM (meaning people without the required group membership can still log in).
    Can someone steer me to the right direction as to what do I need to do:
    1. Change/fix the ldap query
    2. Create new Authz scheme with uniqueMember userParameter; create new Authz rule based on new authz scheme; create new Allow Access filter rule with the ldap query I have
    3. Do something else
    Any help is greatly appreciated.
    Thank you, Roman

    You can create two authorization rules
    First for user with attribute
    and second for group
    and then in authorization expression you can have AND of these two.
    Regarding your query...
    First, if your requirement is to give access to all the members of a particular group then you don't require any LDAP filters.
    All you have to do is, in the authorization rule -> Allow access -> Select People (here you have to select a group, so click on the group tab; it's a little hard to see but it's there in light blue on the dark blue tab) -> select the group you want to give access to.
    Second, if your requirement is such that you want to give access to a member of a group which has a certain attribute, let's say a group with status active (in this case you are not aware of the name of the group, because the user can be a member of any group but you want to give access only to the group with a specific attribute), then you have to write a custom authorization plugin.
    If the option is second let me know i can give you a solution which will work for a single domain without any effort of developing a major plugin.
    Hope this helps,
    Sagar
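
Mark's reply at the top of the page and Sagar's reply here make the same point: a filter-based rule whose filter selects the group entry does not test whether the caller is a member. The following is an added example, not code from the thread or from Oracle: a small in-memory model of an RFC 2255 LDAP URL rule (the ldap://host:port/base?attrs?scope?filter form used above) that shows the group-only filter passing for every caller and a uniqueMember filter passing only for the member. It assumes the rule passes when the search returns at least one entry, which is consistent with what Roman observed; the $USER_DN placeholder is my own device for substituting the caller's DN and is not OAM syntax, and the directory contents and user DNs are constructed.

```python
"""Added example, not from the thread or from Oracle: an in-memory model of an
OAM 10g filter-based authorization rule, which is written as an RFC 2255 LDAP
URL:  ldap://host:port/<base>?<attrs>?<scope>?<filter>

Assumption (mine): the rule passes when the search returns at least one entry.
Under that model the group filter from the thread matches the group entry for
every caller, so it never tests membership, which is what Roman observed. The
$USER_DN placeholder is my own device for substituting the caller's DN, not
OAM syntax. The directory contents are constructed sample data."""

# Constructed directory: DN -> attributes (attribute names lower-cased)
DIRECTORY = {
    "uid=alice,ou=People,o=Company,c=US": {
        "objectclass": ["inetOrgPerson"], "uid": ["alice"], "status": ["active"]},
    "uid=bob,ou=People,o=Company,c=US": {
        "objectclass": ["inetOrgPerson"], "uid": ["bob"], "status": ["active"]},
    "cn=secureGroup,ou=Groups,o=Company,c=US": {
        "objectclass": ["groupOfUniqueNames"], "cn": ["secureGroup"],
        "uniquemember": ["uid=alice,ou=People,o=Company,c=US"]},
}

def parse_ldap_url(url):
    """Split ldap://host:port/base?attrs?scope?filter into its four fields."""
    _scheme, _empty, _hostport, rest = url.split("/", 3)
    fields = rest.split("?") + [""] * 4
    base, attrs, scope, flt = fields[:4]
    return base, attrs, scope or "base", flt or "(objectClass=*)"

def parse_filter(s):
    """Parse the RFC 4515 subset used here: (&...), (|...), (!...), (attr=value)."""
    pos = 0

    def node():
        nonlocal pos
        if s[pos] != "(":
            raise ValueError("expected '(' at offset %d in %r" % (pos, s))
        pos += 1
        op = s[pos]
        if op in "&|!":
            pos += 1
            kids = []
            while s[pos] == "(":
                kids.append(node())
            pos += 1                      # consume the closing ')'
            return (op, kids)
        end = s.index(")", pos)
        attr, _, value = s[pos:end].partition("=")   # split at the first '='
        pos = end + 1
        return ("=", attr.strip().lower(), value.strip())

    ast = node()
    if pos != len(s):
        raise ValueError("trailing characters in filter %r" % s)
    return ast

def matches(entry, ast):
    """Evaluate a parsed filter against one entry (case-insensitive equality)."""
    op = ast[0]
    if op == "&":
        return all(matches(entry, k) for k in ast[1])
    if op == "|":
        return any(matches(entry, k) for k in ast[1])
    if op == "!":
        return not matches(entry, ast[1][0])
    _, attr, value = ast
    have = [v.lower() for v in entry.get(attr, [])]
    return bool(have) if value == "*" else value.lower() in have

def in_scope(dn, base, scope):
    """base: the entry itself; one: direct children; sub: the whole subtree."""
    dn, base = dn.lower(), base.lower()
    if scope == "base":
        return dn == base
    if scope == "one":
        return dn.endswith("," + base) and "," not in dn[: -len(base) - 1]
    return dn == base or dn.endswith("," + base)

def search(directory, url):
    """Return the DNs the URL's base/scope/filter would select."""
    base, _attrs, scope, flt = parse_ldap_url(url)
    ast = parse_filter(flt)
    return sorted(dn for dn, entry in directory.items()
                  if in_scope(dn, base, scope) and matches(entry, ast))

def rule_passes(directory, url, user_dn):
    """Model of a filter-based rule: pass if the search is non-empty."""
    return len(search(directory, url.replace("$USER_DN", user_dn))) > 0

# The group filter from the thread: selects the group entry, independent of the caller.
GROUP_ONLY = ("ldap://ldap_server:port/ou=Groups,o=Company,c=US?uniqueMember?sub?"
              "(&(objectClass=groupOfUniqueNames)(cn=secureGroup))")
# A filter that actually tests membership: the caller's DN must be a uniqueMember.
MEMBERSHIP = ("ldap://ldap_server:port/ou=Groups,o=Company,c=US??sub?"
              "(&(objectClass=groupOfUniqueNames)(cn=secureGroup)(uniqueMember=$USER_DN))")
ALICE = "uid=alice,ou=People,o=Company,c=US"   # constructed: member
BOB = "uid=bob,ou=People,o=Company,c=US"       # constructed: not a member

if __name__ == "__main__":
    for label, url in (("group-only", GROUP_ONLY), ("membership", MEMBERSHIP)):
        print("%-11s alice=%s bob=%s" % (label, rule_passes(DIRECTORY, url, ALICE),
                                         rule_passes(DIRECTORY, url, BOB)))
```

Both users pass the group-only rule, because the search finds the group entry whether or not the caller is in it; only alice passes the membership rule, because her DN has to appear in uniqueMember. The supported way to get the second behaviour in OAM is the group selector that Mark and Sagar describe, which binds the decision to the caller's own entry rather than to a filter that happens to match some entry.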

  • Authentication and Authorization question.

    Hi All,
    I require your help in validating my understanding of Authentication and Authorization. This is with respect to WebLogic Server and WebLogic Portal.
    Authentication.
    1. The custom authentication provider can authenticate (user and group) against any datastore (LDAP or DB). The LoginModule is a kind of black box and it can return true/false depending on authentication.
    2. The end result of this process is true/false.
    Authorization.
    1. The custom authorization providers can authorize the authenticated user based on role. All these entities ie(user,group,role) can be either in LDAP OR DB.
    2. The end result of this process is true/false.
    Role mapping.
    1. The custom role mapper can gather all the roles that a user belongs to and return all of them. This can happen against LDAP or DB.
    2. The end result is list of roles for a user.
    Security policy configuration.
    Is it mandatory that a user/group/role exist in the WebLogic Server LDAP server (or Portal LDAP server) to create these policies and authorization rules? What I mean is, can user, group and role exist in an application-specific database and still be used for creating security policies?
    Thanks,
    Prashanth Bhat.

    The Security Providers are useful/can be used for developing a standard j2ee application , which will be deployed as standard j2ee application.
    The DA means Delegated Administrator, which is the way portal components are restricted to different types of administrators.
    The VE means Visitor Entitlements, which is the way portal components are restricted to end users.
    My question is whether these (DAs and VEs) can also be put in our datastore for access rights??
    Thanks,
    Prashanth Bhat.

  • OAM Authorization POST parameters

    Dear all,
    I have a question about the authorization rules in OAM. My requirement is that on successful authorization I want to send a POST parameter to a protected application; this parameter will include some piece of data of the logged-in user (for example his social security number), and I want to make sure that no authenticated user can send the social security number of another user, so I want this parameter to be sent by OAM to ensure that it will send the number of the logged-in user.
    In authorization rules (on success action) I can set an HTTP Header or set a cookie with the number of the logged-in user, but I couldn't find a way to send a POST parameter.
    I thought of another solution: send the parameter through a normal HTML form and make an authorization rule to check that the POST parameter (say: ssn) in the HTTP request is equal to the SSN of the logged-in user, but I couldn't figure out how to receive parameters in the authorization rule.
    I don't know if writing a custom authorization plugin can be a solution or if there is another solution???
    Thanks in advance

    Hi,
    As far as I know, OAM sends params to the end-user application in 2 ways: 1. Header Var 2. Cookies.
    Passing params through HeaderVar is safer than cookies, as cookies can be tampered with in the interim.
    However, I think a custom Authz plugin or using a Reverse Proxy Server might do this job for you. You might need to explore more on that.
    For the alternative solution that you are talking about, passing the SSN from an HTML form, it's vulnerable and can easily be tampered with.
    -Mahendra.

  • Issuance Authorization Based on Group Membership

    Hello,
    I have what should be a simple problem but for the life of me I can't get my claims to work like I believe they should.  We use BOX with open enrollment and are looking at restricting who can access the site and have an account provisioned for them.
     The goal is to use an existing set of groups to restrict access to the BOX site.  I've read many posts about creating Issuance Authorization claims and have copied their examples for my use but nothing seems to work.
    Our group naming standard for BOX access is "app-box-*" as we have several groups that are all billable to different areas. I want to use "app-box-*" in the language so I don't have to add 50 different rules for each group.
    Claims that are being sent to BOX right now are: Email Address, Given name, surname, name, and group.  I'm only sending BOX the app-box* groups a user is a member of by using this rule:
    c:[Type == "http://schemas.xmlsoap.org/claims/Group", Value =~ "^App-Box-.*"] => issue(claim = c);
    That seems to work just fine as I see the groups listed in my claim to BOX in my Fiddler trace.  Next step is to create the issuance rules and restrict the access.  I've tried two different rules so far and both haven't worked.  I've also
    modified them to just refer to one of the BOX groups specifically instead of the wildcard, but still no dice...
    Claim built by the "permit or deny users based on incoming claim" wizard
    c:[Type == "http://schemas.xmlsoap.org/claims/Group", Value =~ "^App-Box-.*"]
     => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "PermitUsersWithClaim");
    Custom rule built by me from various blog posts.
    Exists([Type == "http://schemas.xmlsoap.org/claims/Group", Value =~ "^App-Box-.*"])
     => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
    I get the dreaded event 325:
    The Federation Service could not authorize token issuance for caller 'DOM\username'. The caller is not authorized to request a token for the relying party 'box.net'. Please see event 501 with the same instance id for caller identity.
    Additional Data 
    Instance id: fe28fe86-b588-472f-9a35-7818a5be53d4 
    Relying party: box.net 
    Exception details: 
    Microsoft.IdentityServer.Service.IssuancePipeline.CallerAuthorizationException: MSIS5007: The caller authorization failed for caller identity DOM\Username for relying party trust box.net.
       at Microsoft.IdentityModel.Threading.AsyncResult.End(IAsyncResult result)
       at Microsoft.IdentityModel.Threading.TypedAsyncResult`1.End(IAsyncResult result)
       at Microsoft.IdentityServer.Service.SamlProtocol.SamlProtocolService.Issue(IssueRequest issueRequest)
       at Microsoft.IdentityServer.Service.SamlProtocol.SamlProtocolService.ProcessRequest(Message requestMessage) 
    User Action 
    Use the AD FS 2.0 Management snap-in to ensure that the caller is authorized to request a token for the relying party.
    Error 325 is eventually followed by error 364:
    Encountered error during federation passive request. 
    Additional Data 
    Exception details: 
    Microsoft.IdentityServer.Web.AuthorizationFailedException: MSIS7011: Access denied.
       at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.RequestBearerToken(HttpSamlRequestMessage httpSamlRequest, SecurityTokenElement onBehalfOf, String& samlpSessionState, String& samlpAuthenticationProvider)
       at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.BuildSignInResponseCoreWithSerializedToken(String signOnToken, WSFederationMessage incomingMessage)
       at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.BuildSignInResponseForProtocolRequest(FederationPassiveContext federationPassiveContext, SecurityToken securityToken)
       at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.BuildSignInResponse(FederationPassiveContext federationPassiveContext, SecurityToken securityToken)
    Can anyone help point me in the right direction?  Using ADFS 2.0 server 2008r2.  No proxies or anything, just direct connections to the ADFS boxes.
    Thanks,
    Adam

    Issuance Authorization rules are executed BEFORE the transform rules, so you're looking for a claim that doesn't exist (yet). Create a rule at the top of your authorization rule tab using "add" instead of "issue", then in a following rule (same tab) issue the permit depending on whether the user has that claim.
    WORK
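
The reply above gives the fix in one sentence. The following added example (mine, not Microsoft's or the poster's) spells out why it works by evaluating the subset of the AD FS claim rule language used in this thread: the issuance authorization rule set sees only the incoming claims, an 'add' rule extends that working set without issuing anything, and 'issue' both extends it and writes to the output. The 'add' rule is the standard tokenGroups store query; the AD_STORE dictionary, the account names and the group names are constructed stand-ins for the Active Directory attribute store, and the simplified evaluator only handles the rule forms that appear on this page.

```python
"""Added example, not from the thread or from Microsoft: an evaluator for the
subset of the AD FS claim rule language used above, showing why the permit
rule fails in the issuance-authorization stage (it runs before the transform
rules, so the Group claim is not there yet) and why a preceding 'add' rule
fixes it. AD_STORE is a constructed stand-in for the "Active Directory"
attribute store; the incoming claim set and account names are also constructed."""
import re

GROUP = "http://schemas.xmlsoap.org/claims/Group"
PERMIT = "http://schemas.microsoft.com/authorization/claims/permit"
ACCOUNT = "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"

# Constructed stand-in for the attribute store: account -> tokenGroups
AD_STORE = {
    "DOM\\adam": ["Domain Users", "App-Box-Finance"],
    "DOM\\eve": ["Domain Users"],
}

RULE_RE = re.compile(r'(?:\w+:)?\[(.*?)\]\s*=>\s*(issue|add)\((.*)\)\s*;?\s*$', re.S)
COND_RE = re.compile(r'(\w+)\s*(==|=~)\s*"([^"]*)"')
ARG_RE = re.compile(r'(\w+)\s*=\s*(?:\(\s*"([^"]*)"\s*\)|"([^"]*)"|([\w.]+))')

def parse_rule(text):
    """Return (conditions, action, args) for one 'c:[...] => action(...);' rule."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError("unsupported rule syntax: " + text)
    conds = [(f.lower(), op, v) for f, op, v in COND_RE.findall(m.group(1))]
    args = {k: (a or b or c) for k, a, b, c in ARG_RE.findall(m.group(3))}
    return conds, m.group(2), args

def claim_matches(claim, conds):
    """'==' is exact; '=~' is a regular-expression match on the field."""
    for field, op, want in conds:
        have = claim.get(field, "")
        if op == "==" and have != want:
            return False
        if op == "=~" and not re.search(want, have):
            return False
    return True

def run_rule_set(rules, incoming):
    """Evaluate rules in order. 'add' grows only the working (input) set;
    'issue' writes to the working set and to the output set."""
    working, output = list(incoming), []
    for conds, action, args in (parse_rule(r) for r in rules):
        matched = [c for c in working if claim_matches(c, conds)]
        if not matched:
            continue
        if action == "add":                       # store query, e.g. tokenGroups
            for c in matched:
                for group in AD_STORE.get(c["value"], []):
                    working.append({"type": args["types"], "value": group,
                                    "issuer": "LOCAL AUTHORITY"})
        elif "claim" in args:                     # issue(claim = c): pass-through
            output.extend(matched)
        else:                                     # issue(Type = ..., Value = ...)
            new = {"type": args["Type"], "value": args["Value"], "issuer": "LOCAL AUTHORITY"}
            working.append(new)
            output.append(new)
    return output

def authorized(rules, account):
    """Issuance authorization sees only the incoming claims, never transform output."""
    incoming = [{"type": ACCOUNT, "value": account, "issuer": "AD AUTHORITY"}]
    return any(c["type"] == PERMIT for c in run_rule_set(rules, incoming))

# The thread's permit rule on its own: the Group claim it looks for does not exist yet.
BROKEN = [
    'c:[Type == "%s", Value =~ "^App-Box-.*"]\n'
    ' => issue(Type = "%s", Value = "PermitUsersWithClaim");' % (GROUP, PERMIT),
]
# Fixed: an 'add' rule first pulls tokenGroups into the working set (standard AD FS
# attribute-store query syntax), then the unchanged permit rule can match.
FIXED = [
    'c:[Type == "%s", Issuer == "AD AUTHORITY"]\n'
    ' => add(store = "Active Directory", types = ("%s"), query = ";tokenGroups;{0}", param = c.Value);'
    % (ACCOUNT, GROUP),
] + BROKEN

if __name__ == "__main__":
    for label, rules in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, "adam:", authorized(rules, "DOM\\adam"),
              "eve:", authorized(rules, "DOM\\eve"))
```

With only the permit rule, the authorization stage sees just the incoming windowsaccountname claim and denies everyone, which is the MSIS5007 outcome in the event log; with the 'add' rule in front of it, the Group claims exist by the time the permit rule runs, and only the account holding an App-Box-* group is permitted.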
