AuthZ Policy using specific Endpoint Identity Groups

Similar Messages

• ISE 1.2 - Match Policy Set based on endpoint identity group?

  Hello, I would like to create a condition that would force MAB'd clients to hit a certain policy set if their MAC address matches one in an endpoint identity group? Is this possible? I feel like a condition can be created using a combination of attributes, but I cannot seem to hit on it properly. Thanks.

  The cleanest way to to this would be to dedicate:
  1. (Wired) A test switch where all of your test devices are connecting. You can then build a policy set that matches against that NAS.
  2. (Wireless) A test SSID and/or a controller (virtual or 2504). You can then build a policy set that is dedicated to that SSID 
  Thank you for rating helpful posts! 

• ISE Endpoint Identity Group assignment for 802.1x clients

  Hello
  I'm using ISE 1.3 to 802.1x authenticate AD PC's (machine and user with Anyconnect NAM) and to profile/mab IP Phones, printers, APs etc.
  Phones are profiled (EndPointSource of SNMPQuery Probe) and are placed automatically in the correct Identity Group.
  AD PC's aren't profiled and are listed under Endpoints withthe Enpoint Profile of "unknown"
  To place AD PC's into a particular Identity Group, I created a Radius Profiling Policy to match on the Framed-IP-Address. This works well with the AD PC appearing in the correct Identity Group (with EndPointSource of RADIUS Probe).
  My questions are:
  A phone (profiled with EndPointSource of SNMPQuery Probe) consumes a Plus licence but an AD PC ("profiled" with EndPointSource of RADIUS Probe) does not - is this correct?
  Authenticated 802.1x AD PC's have other attributes (like AD-Host-Resolved-DNs) that I'd like to use to assign PC's to an Identity Group. I can't use these attributes with any of the ISE profilers - is there a way to assign an 802.1x authenticated client to an Identity Group at the authorisation stage rather than use the profiler?
  Thanks
  Andy

  Err, no. There is no provision in EAP-TLS, PEAP (CHAP), or even basic EAP to provide network information (eg IP address/mask/gateway/DNS/etc).
  There is also no provision in Windows 2k or XP interface management software to accept IP details for interface configuration via any wireless authentication protocol.
  peter

• Reassign endpoint identity group en masse in ISE

  I imported a large number of endpoint identities and unfortunately some of them weren't correctly identified and I assigned them the wrong endpoint profile. The endpoints I need to move into another group all share a common OUI. Is it possible to move them all at once? I can't seem to find any way to do this.

  Tom,
  You can use the filter option in order to get the filter for the endpoints that are profiled incorrectly (perhaps the OUI you entered), check the select all option on the top left, and then export those endpoints. After you export the endpoints you can edit the group that you want to change them to, and then reimport this file back into ISE, this will change this back for you.
  I just tested this in my setup and worked fairly well.
  thanks,
  Tarik Admani
  *Please rate helpful posts*

• ISE 1.2 Multi-Portal Identity Group Mapping

  Hi,
  Quick question regarding the use of Multi-Portal on ISE 1.2: Is it possible to map a single portal to a certain identity group? e.g. I have a portal for guest users, to which only users in the "ACME_guests" identity group can authenticate. I have a separate Portal for employees, where only users of the "ACME_employees" group can authenticate.
  I know that I can specify a separate authentication sequence for each portal (e.g. internal, guests, AD), but I cant find a possibility to map a group to a certain portal. This has the consequence that e.g. guest users can log into the employee portal, and getting a successful authentication message. Of course I can further restrict the access in another policy rule, but this isnt a very neat solution.
  Anybody have any ideas? It seems so basic that it has to be possible somehow?!
  Regards

  You can redirect users so they can "stick" to one portal once they have successfully authenticated. There is a document regarding device registration web authentication. Basically after a user connects successfully you can redirect them to an AUP specially designed to statically assign users to a specific endpoint identity group.
  In the end if a user logs into portal A they hit the DRW and accept, ISE dumps them into a endpoint group called PortalA, you can then tie this into a policy where the PortalA endpoint is denied association to any other open ssid you have in your design.
  Here is the document -
  https://supportforums.cisco.com/docs/DOC-26667
  Tarik Admani
  *Please rate helpful posts*

• ISE Profiled devices not being used in authz policy.

  ISE is standalone.
  ver 1.2
  Eval license.
  I have a number of Cisco IP phones profiled by DHCP probe and sitting in the Endpoint Identity Group "Cisco-IP-Phone" (dynamic not static).
  However when this is used in an Authorization Policy it never matches.
  Just a basic Policy:
  if Cisco-IP-Phone (no conditions) then Cisco_IP_Phones ......no match.
  I can change Identity group to ANY and it works.
  Sure i must be misssing something but I've gone round and round with this.
  Tried deleting enpoints and allowing them to repopulate....failed.
  Tried changing endpoints to static with no luck.
  Noticed the "Cisco-IP-Phone" group is under the "Profiled" group so tried using that in the policy....no change.
  Whatever i've tried just ends with the Authz going to the "Default" policy.

  Thank you for providing the detailed information. The problem is not with profiling as that appears to be working as expected. I believe that the issue is with your authentication policy. Looking at screen shot #2 you don't have a single policy that is enabled to allow a phone to authenticate via MAB. All of your MAB policies are showing as "disabled." The default policy is set to only use Internal Users as its Identity Store and phones won't be store there. You authorization policies look OK so I would suggest you try the following:
  1. Enable the top authentication rule called "MAB"
  2. Confirm that "Allow PAP/ASCII" and "Detect PAP as Host Lookup" are enabled under the Allowed Protocols
  3. Ensure that "Internal Endpoints" is selected for the Identity Store
  4. Test again
  Thank you for rating helpful posts!

• Cisco ISE: How to match an endpoint belong to an identity group ?

  Hello,
  I am running Cisco ISE 1.1.4.218 in a standalone environment.
  I am trying to setup Compound Condition for Authorization.
  I would like the condition to match the MAC address of the calling machine to the internal endpoint MAC address list.
  I created 1 endpoint identity group and 2 children groups
  - GroupParent
       - ChildA
       - ChildB
  I put the MAC address of my machine in the group ChildA.
  In my condition, I tried the following:
  IdentityGroup:Name, Equals, ChildA
  IdentityGroup:Name, Equals, GroupParent:ChildA
  IdentityGroup:Name, Match, .*(ChildA).*
  I even tried to put the MAC address in the GroupParent level and tried to update the condition to be:
  IdentityGroupName, Equals, GroupParent
  IdentityGroupName, Match, .*(GroupParent).*
  But no one of these options worked.
  I am almost sure that in Cisco ISE 1.1.1, it was working fine. But I updated today to 1.1.4 and I cannot make it work.
  Can anyone help me ?
  Best regards,
  David

  You could try the following to match only the parent group
  IdentityGroup:Name EQUALS GroupParent
  You could try the following to match only child group A
  IdentityGroup:Name EQUALS GroupParent#ChildA
  You could try the following to match all child groups of GroupParent
  IdentityGroup:Name STARTS_WITH GroupParent
  Please rate if this helps

• Static Identity Group Assignment

                     Does anyone know a way to bring in an endpoint with the following attributes?
  Endpoint Policy Name       Static = True
  Static Group Assignment   Static = True
  The 1.2 manual says;
  If the file used for import contains endpoints that have their MAC addresses, and their assigned endpoint profiling policy is the static assignment, then they are not re-profiled during import. 
  To change a dynamic assignment of an endpoint identity group to static, check the Static Group Assignment check box. If the check box is not checked, then the endpoint identity group is dynamic as assigned by the profiler based on policy configuration.
  Statically Profiled Endpoints
  An endpoint can be profiled statically when you create an endpoint with its MAC address and associate a profile to it along with an endpoint identity group in Cisco ISE. Cisco ISE does not reassign the profiling policy and the identity group for statically assigned endpoints.
  A) Does anyone know a way to import from an LDAP database and maintain the Static Group Assignment = True.
  I successfully do an LDAP import of the MAC and Endpoint Group (which comes in as True) but the Static Group Assignment has the Endpoint Group Assignment correct but static is false unchecked.  I don't want these profiling any more.  These are thousands of endpoints and I do not see any way to do a bulk change.  I have tried exporting and re-importing but that doesn't really scale.
  B) Would creation of an endpoint group that is not part of the Profiled endpoint group change the behavior I see above when I do my LDAP import?
  If there were a way to do the bulk selection and change the static property or the Static Group Assignment that would be of huge benefits.  The changes apply to the fields selected within the endpoints while maintaining the MAC property of the endpoint.
  Thanks in advance for any suggestions.

  James,
  That is possible but do you have the dhcp probe enabled and have you thought about setting up an ip helper statement or assigning the ISE node as one of the dhcp servers on the WLC?
  There is a built in check such that if the dhcp class identifier contains MSFT will profile the endpoint as a windows workstation.
  However if this is not the case then you can create the following condition under the Policy Elements > Conditions > Profiling > New Profiler Condition, you will use the create (advanced...) then select NMAP > 135-tcp > then set the operator EQUAL to msrpc.
  Then go under the Microsoft-Workstation and select the option to create a matching identity group (its much easier rather than using the heirarchy option) and set the certainity factor 30. Then add this new condition and set the certainity to 30 also.
  Hope that helps,
  Thanks,
  Tarik Admani
  *Please rate helpful posts*

• ACS 5.3 Authorization problem with using Identity Groups in Access Policy Rule

  Hello guys, I am found a problem which I can't solve regarding authorization with using Identity Groups in Access Policy rule.
  ACS version: 5.3.0.40.6 (internal build B.839)
  I have very simple RADIUS Authorization rule which authorize user on behalf of right Identity Group.
  Requested Identity Group exist
  Testing user is created in Internal Users and has assigned requested Identity Group
  Radius Access Policy: 
  Authentication against Identity Store Sequence, where authorization server is external RSA SecurID device and additional attributes retrieval is configured from Internal Users.
  Authorization is very simple – One Rule with only one Condition which is: Identity Group - in - Requested_Testing_Rule. Then Default rule is set to Deny.
  When I will try login with my testing user then authentication against RSA SecurID is OK, but authorization will be denied by Default rule – It looks like my Rule with Identity Group is totally omitted.
  I am managing several other ACS servers (version 5.3 but with older patches) where similar rules are working without problem.
  What I am tested:
  Remove testing user and create his account again.
  Rename Identity Group
  Use another Identity Group
  Remove Access Policy rule and create it again
  Use Compound Condition: System:Identity Group
  Use Compound Condition: System:UserID instead of Identity Group in Rule (it is working without problem)
  Do you have any idea where problem can be?

  OK guys, it started working yesterday without any configuration change. Maybe it was some database inconsistence wich was solved by ACS itself.

• ISE Identity Groups in AuthZ Policy

  So we all know we can leverage identity groups in authorization policy, can we leverage two of them ? I tried building a compound condition that uses an identity group (MAB) along with another identity group (User) and can not get the policy to hit..Thoughts?

  I doubt that, as far as i can tell with ISE, when you are being authenticated either by mab or by a user/pass with ex PEAP, your identity is established as either, not both, and the identity is what gets compared to identity groups.

• ISE 1.2: Remove unused Sponsor Group and Identity Group

  Hi
  I started with ISE 1.1.2 and now upgrade to 1.2.
  There are 1. Sponsor Groups and 2. Identity Groups which are no more in use, but I am not able to remove them anymore.
  1. One is a special Sponsor group which sponsor group policy I already removed. The I go to Aministration>Web Portal Management>Sponsor Groups and select the appropriate Group ans click delete and ok to confirm, the following error is displayed:
  com.cisco.cpm.nsf.api.exceptions.NSFEntityDeleteFailed: java.rmi.RemoteException: Failed to execute the Query : DELETE_USERONAPP ORA-02292: integrity constraint (CEPM.EDF_GST_SPGRPID_SUB) violated - child record found ; nested exception is: java.sql.SQLIntegrityConstraintViolationException: ORA-02292: integrity constraint (CEPM.EDF_GST_SPGRPID_SUB) violated - child record found
  2. The same happens with one Identity Group. I do not have it active anymore. Not in authentication, and not in authorization policy. I go to Administration>Identity Management>Groups>  and select te group to remove, and click "Delete selected" and confirm with ok, the following error occured:
  Cannot delete selected Identity Group(s) because there are resources which are mapped to these or its child identity group(s)
  Is there any reason for any of these issue?
  Many thanks

  Hi ,
  Please open service request with cisco. These kind of issues may happen when the dependencies are deleted from UI but there is a chance that some of the dependencies may not be deleted completely and are not visible from UI as well.  These kind of issues can be resolved under cisco guidance.
  Thanks,
  Naresh

• How to map 2 AD groups into 2 different LOCAL Identity Groups in ACS5.2?

  hi guis!
  i want to map 2 groups from external AD to 2 internal groups. like it was in 4.x. can someone advise me how to do this?

  In order to map 2 different AD groups to 2 different local Identity groups we will need to do the following.
  Assuming that the ACS is already Joined to a domain for example csco.com
  1. we need to populate the concerned 2 AD groups in
  Users and Identity Stores > External Identity Stores > Active Directory > Directory Groups tab.
  To do this please follow the steps given in the following link "Selecting an AD Group"
  http://www.cisco.com/en/US/partner/docs/net_mgmt/cisco_secure_access_control_system/5.2/user/guide/users_id_stores.html#wp1140999
  Once we have the 2 groups populated in there we now need to create a Group mapping policy under the concerned Access Service to map each AD group to the internal group (Internal groups need to be created prior).
  1. Make sure group mapping policy option is enabled for the concerned Access Service.
  Access Policies > Select the Access Service > Edit
  Under General Tab > Policy Structure > Make sure "Group Mapping" is checked
  2. Configure group mapping under the Access Service. (Lets say the Access Service name is "Default Network Access")
  Access Policies > Default Network Access > check the Radio button "Rule based result selection"
  3. Configure a rule
  Click on Create > Conditions > Check Compound condition >
  In the Dictionary choose "AD-AD1"
  Attribute Select "ExternalGroups"
  Operator "Contains any"
  Value > click on select > you should see the the 2 groups of AD added previously > select one for which we making a group mapping
  click on add
  You should now see a rule in "Current Condition Set"
  In results section > Select > the Internal group you want to map it to > click ok
  one group mapping is now created. Do exactly the same for the other AD group by creating another rule.
  Please save the changes and your group mapping is now ready like the one in ACS 4.
  to confirm if it is being used, try authenticating with a user in that AD group and see if the hit counts are increasing on the rule.

• Hiding a document library from specific users or groups.

  Just FYI I am far from a SharePoint but have able to accomplish a lot from everyone's help on the forums, so thank you in advace.
  Now, Is it possible to hide a document library from specific users or groups? Here is what I am trying to accomplish.
  We have a Document library that we want the whole company to view, we will call this Company Share. We then want to have a separate library/app that
  is only visible to the Finance department. Then another library that is only visible to the shipping dept.
  So when Linda from finance logs into the SharePoint site under Site Contents she should only be able to see 2 items, Company share and Finance.
  Tom from shipping will only see Company Share and Shipping. Administrators and Management will see Company share, finance and shipping.
  I was able to hide the library using sharepoint designer by checking the box "Hide from Browser" which worked but now none of the users can view the library.
  They are only able to access it via a direct URLl link.
  Any help is appreciated.

  Hi 3s1k,
  What did you mean that "management does not want the actual folder library they are in to be visible"?
  Please give more information about your requirement?
  Best Regards,
  Wendy
  Wendy Li
  TechNet Community Support

• Error while creating authorisation policy using OIM 11g API

  Hi,
  We have a requirement to create ‘Authorization Policies’ (assign Data Constraints, Permissions & Assignments) using OIM 11g API’s.  I am using ‘oracle.iam.authzpolicydefn.api.PolicyDefinitionService & oracle.iam.authzpolicydefn.vo.AuthzPolicy’.  But when I am trying to attach Entity/Feature (User Management) to authorisation policy, it is throwing exception.  Below is the code snippet which I am trying to implement.
  Line1: PolicyDefinitionService policyService = oimClient.getService(PolicyDefinitionService.class);
  Line2: AuthzPolicy authPolicy = new AuthzPolicy();
  Line3: authPolicy.setName("Test Authz Policy");
  Line4: authPolicy.setDisplayName("Test Authz Policy Dsp Name");
  Line5: authPolicy.setDescription("Test Authz Policy Description");
  Line6: Feature feature = oimClient.getService(Feature.class);
  Line7: Action featureAction = feature.getAction(FeatureManagerConstants.Features.USER_MGMT.getId());
  Line8: List<Action> actions = new ArrayList<Action>();
  Line9: actions.add(featureAction);
  Line10: authPolicy.setActions(actions);
  Line11: policyService.createPolicy(authPolicy);
  Exception: oracle.iam.platform.utils.NoSuchServiceException: java.lang.ClassNotFoundException: oracle.iam.authzpolicydefn.api.FeatureDelegate
  The above exception is throwing at Line6.
  Let me know if anyone implemented.
  - Kalyan Mutya

  If you are using JDeveloper , can you able to get class after giving "." .If yes no than it is the problem with the jar file you are using .Check whether you can able to import oracle.iam.authzpolicydefn.api.Feature.
  Thanks ,
  Animesh anand

• How to only synchronize one specific LDAP user group with SAP?

  Hi,
  Hopefully this is the correct forum to post this in. I want to have continuous one-way synchronization of users from my LDAP server to my SAP central system. I've started configure in SAP using transaction SM59 and LDAP. Can I somewhere set that only one specific LDAP user group shall be transferred to SAP (they do not need to be assigned to any specific group, profile, role in SAP) - or should this be done on the LDAP server side (or is it at all possible)?
  Correct me if I'm wrong, but the User Group field in the report RSLDAPSYNC_USER only concerns SAP user groups right? This would therefore not be sufficient since I want to select the users to synchronize based on user groups in the directory.
  Thanks, Oscar

  We've used a repository constant to specify the LDAP filter for reading users / groups from the LDAP target.
  E.g. LDAP_FILTER_USERS (&(objectCategory=person)(objectClass=user))
  Then we also have a constant for the LDAP_STARTING_POINT
  For our AD Group Initial Load we filter according to these settings:
  LDAP_FILTER_GROUPS = (objectclass=group)
  LDAP_STARTING_POINT_GROUPS = ou=IDMManagedGroups,ou=Groups,dc=cfstest,dc=le,dc=ac,dc=uk
  The above example only reads AD groups starting at the specified OU
  Then in a Job From LDAP Pass the LDAP URL looks like this:
  LDAP://%$rep.LDAP_HOST%:%$rep.LDAP_PORT%/%$rep.LDAP_STARTING_POINT_GROUPS%?*?SUB?%$rep.LDAP_FILTER_GROUPS%
  I hope this helps
  Paul