Cisco ISE Active Directory Add Group
Hi,
I came across the Cisco ISE on integrating with Microsoft Active Directory; I would like to check what may be the use case of the add group function (External identity source-->active directory-->group-->add group)? Not too sure if it may be possible to group multiple active directory groups to the created group?
I have attached a print capture of the "add group" for reference.
Any suggestion is appreciated.
I apologize for not following Ravi's post. However, you can enter the group if searching for groups fails. It is case and format sensitive, so using the method has to be precise. One example is looking in the authentication report for a user under the "other attributes": if there is a group you want to apply as a policy, you can copy and paste that group syntax under the add group which you posted.
Sent from Cisco Technical Support Android App
Similar Messages
-
Hi!!
We are working on a mapping between a Sponsor Group in Cisco ISE and a user group in Active Directory....but the client wants the mapping to be through a RADIUS SERVER, for avoiding ISE querying directly the Active Directory.
I know it is possible to use a RADIUS SERVER as an external identity source for ISE.....but, is it possible to use this RADIUS SERVER for this sponsor group handling?
Thanks and regards!!
Yes, it is possible to map a Sponsor group to a user group in AD. If you want to know how to do it, please open the link below and go to the "Mapping Active Directory Groups to Sponsor Groups" heading.
http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_guest_pol.html#wp1096365 -
Hi, I am writing a Powershell script locally on my machine to aggregate data from SharePoint 2010 and Active Directory. All groups in our SP environment are Active Directory Domain Groups (AD DG). Accessing group members via SharePoint is not possible (as many of you already know). My plan was to pull Domain Group lists and aggregate AD DG data with SharePoint data (permission levels, etc...). I unfortunately ran into a problem when I realized that AD DGs are not considered "SP Groups" but instead are considered user???
How do I leverage SharePoint web services to perform an action similar to /_vti_bin/UserGroup.asmx > GetRoleCollectionFromGroup? I do not want to perform this action on the server, but locally on my machine. When I run the below script it throws a 401 error and complains it "can't find the group". Keep in mind I am trying to get info on an AD Domain Group, not a SharePoint Group. I think that is the underlying reason this request keeps failing as I tested the below script on SP groups and it worked perfectly.
Clear-Host
# Prompt for the account used for the SOAP call
$CRED = Get-Credential
# Disables TLS certificate validation for the whole process; it has no effect on a plain http:// URI
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }
$uri = "http://{site}/_vti_bin/UserGroup.asmx"
# SOAP envelope for the UserGroup.asmx GetRoleCollectionFromGroup method
$soap = @"
<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetRoleCollectionFromGroup xmlns="http://schemas.microsoft.com/sharepoint/soap/directory/">
      <groupName>TestGroup</groupName>
    </GetRoleCollectionFromGroup>
  </soap:Body>
</soap:Envelope>
"@
# POST the envelope and keep the parsed XML response
[xml]$WF = Invoke-RestMethod -Uri $uri -Credential $CRED -Method Post -ContentType "text/xml" -Body $soap
$WF
# Walk down to the Role elements returned for the group
$WF.Envelope.Body.GetRoleCollectionFromGroupResponse.GetRoleCollectionFromGroupResult.GetRoleCollectionFromGroup.Roles.Role
Thank you. -
Hi, can anyone help me troubleshoot the following please:
Active Directory Security Group Discovery Agent reported warnings for 524 object(s). DDRs were generated for 0 object(s) that had warning(s) while reading non-critical properties. DDRs were not generated for 524 object(s) that had warnings while reading critical properties.
Possible cause: OU name or Security Group name may contain at least a Unicode character which has conversion problem between Unicode and your system ANSI locale (e.g. Korean characters in English System Locale). The site server might not have access to some properties of this object. The container specified might not have the properties available.
Solution: Please verify the Active Directory schema for properties that are not replicated or locked. Refer to the discovery logs for more information.
Does the error relate to 524 security groups? There are several invalid search paths listed in adsgdis.log, are these related?
Thanks,
Dale
You'll have to examine the log to determine exactly which objects it's referring to. Although this is in the context of group discovery, group discovery still creates DDRs for computer objects within those groups, so it could be either groups or computers.
This is not a search path issue though, as it's clear that the discovery process found 524 different objects, but as stated, it could not properly read critical properties of those objects and thus did not create DDRs for them.
As mentioned, reading the log in detail will list the objects individually and the reason it could not create a DDR for it.
Jason | http://blog.configmgrftw.com -
Active Directory System Group discovery has been removed
Hello,
I noticed that in SCCM 2012 Active Directory System Group discovery has been removed. Which discovery now provides the information previously collected through this discovery?
Thanks,
Dom
System Center Operations Manager 2007 / System Center Configuration Manager 2007 R2 / Forefront Client Security / Forefront Identity Manager
Hi,
Yes, Active Directory System Group Discovery has been removed (not Active Directory System Discovery).
It is written in http://technet.microsoft.com/en-us/library/gg712308.aspx#BKMK_DiscoveryMethods
What's new in SCCM 2012
and confirmed in
http://blogs.technet.com/b/elie/archive/2012/05/10/system-center-2012-configuration-manager-part2-discovery-methods.aspx
Thanks,
Dom
System Center Operations Manager 2007 / System Center Configuration Manager 2007 R2 / Forefront Client Security / Forefront Identity Manager -
Orchestrator Active Directory Add Computer to Group
Having trouble with the Add Computer to Group activity. I can't seem to find the right reference for an OU in my active directory forest (/Servers/KC). Any help?
William Busby, PMP
Hi William,
you can use the "Get Computer" and "Get Group" Activities to get all the information for the Group and Computer, including the Distinguished Name. In the Filter tab of the two "Get" Activities you can filter by name and other things.
Then you can right-click on the field for the Distinguished Names in the "Add Computer To Group" Activity and click Subscribe -> Published Data and choose the Distinguished Names you get as the result from the Activities before.
Regards,
Stefan
German Orchestrator Portal ,
My blog in English -
ISE / Active Directory: issue to get users group
Hello,
We have a strange issue:
- ISE 1.2 patch 8
- no WLC, autonomous AP
In authentication, we check Wireless IEEE 802.11 (radius) and cisco-av-pair (ssid), then we use AD.
We have 3 SSIDs, so 3 rules, one DATA, one GUEST, one for TOIP.
One more rule grants authentication from APs to register in WDS: user in local database.
In authorization, we check cisco-av-pair (ssid) and AD user group, then we permit access.
(so 3 rules), and one more to authorise the internal base for WDS.
We have something strange:
- sometimes users can connect but later they can't: in the logs, the authorization rejects the user because the AD Group is not seen.
Example:
1- OK:
Authentication Details
Source Timestamp: 2014-05-15 11:43:19.064
Received Timestamp: 2014-05-15 11:43:19.065
Policy Server: radius
Event: 5200 Authentication succeeded
All the GROUPS of the user are seen:
false
AD ExternalGroups: xx/users/admexch
AD ExternalGroups: xx/users/glkdp
AD ExternalGroups: x/users/gl revue écriture
AD ExternalGroups: xx/users/pcanywhere
AD ExternalGroups: xx/users/wifidata
AD ExternalGroups: xx/informatique/campus/destinataires/aa informatique
AD ExternalGroups: xx/informatique/campus/destinataires/aa entreprises et cités
AD ExternalGroups: xx/informatique/campus/destinataires/aa campus
AD ExternalGroups: xx/users/aiga_creches
AD ExternalGroups: xx/users/admins du domaine
AD ExternalGroups: xx/users/utilisa. du domaine
AD ExternalGroups: xx/users/groupe de réplication dont le mot de passe rodc est refusé
AD ExternalGroups: xx/microsoft exchange security groups/exchange view-only administrators
AD ExternalGroups: xx/microsoft exchange security groups/exchange public folder administrators
AD ExternalGroups: xx/users/certsvc_dcom_access
AD ExternalGroups: xx/builtin/administrateurs
AD ExternalGroups: xx/builtin/utilisateurs
AD ExternalGroups: xx/builtin/opérateurs de compte
AD ExternalGroups: xx/builtin/opérateurs de serveur
AD ExternalGroups: xx/builtin/utilisateurs du bureau à distance
AD ExternalGroups: xx/builtin/accès dcom service de certificats
RADIUS Username: xx\cennelin
Device IP Address: 172.25.2.87
Called-Station-ID: 00:3A:98:A5:3E:20
CiscoAVPair: ssid=CAMPUS
ssid: campus
2- NOT OK later:
Authentication Details
Source Timestamp: 2014-05-15 16:17:35.69
Received Timestamp: 2014-05-15 16:17:35.69
Policy Server: radius
Event: 5434 Endpoint conducted several failed authentications of the same scenario
Failure Reason: 15039 Rejected per authorization profile
Resolution: Authorization Profile with ACCESS_REJECT attribute was selected as a result of the matching authorization rule. Check the appropriate Authorization policy rule-results.
Root cause: Selected Authorization Profile contains ACCESS_REJECT attribute
Only 3 Groups of the user are seen:
Other Attributes
ConfigVersionId: 5
Device Port: 1645
DestinationPort: 1812
RadiusPacketType: AccessRequest
UserName: host/xxxxxxxxxxxx
Protocol: Radius
NAS-IP-Address: 172.25.2.80
NAS-Port: 51517
Framed-MTU: 1400
State: 37CPMSessionID=b0140a6f0000C2E15374CC7F;32SessionID=radius/189518899/49890;
cisco-nas-port: 51517
IsEndpointInRejectMode: false
AcsSessionID: radius/189518899/49890
DetailedInfo: Authentication succeed
SelectedAuthenticationIdentityStores: AD1
ADDomain: xxxxxxxxxxx
AuthorizationPolicyMatchedRule: Default
CPMSessionID: b0140a6f0000C2E15374CC7F
EndPointMACAddress: 00-xxxxxxxxxxxx
ISEPolicySetName: Default
AllowedProtocolMatchedRule: MDP-PC-PEAP
IdentitySelectionMatchedRule: Default
HostIdentityGroup: Endpoint Identity Groups:Profiled:Workstation
Model Name: Cisco
Location: Location#All Locations#Site-MDP
Device Type: Device Type#All Device Types#Cisco-Bornes
IdentityAccessRestricted: false
AD ExternalGroups: xx/users/ordinateurs du domaine
AD ExternalGroups: xx/users/certsvc_dcom_access
AD ExternalGroups: xx/builtin/accès dcom service de certificats
Called-Station-ID: 54:75:D0:DC:5B:7C
CiscoAVPair: ssid=CAMPUS
If you have an idea, thanks so much,
Regards,
To configure debug logs via the Cisco ISE user interface, complete the following steps:
Step 1 Choose Administration > System > Logging > Debug Log Configuration. The Node List page appears, which contains a list of nodes and their personas.
You can use the Filter button to search for a specific node, particularly if the node list is large.
www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_logging.html#wp1059750 -
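The two records quoted in this thread differ in the subject attribute: the accepted one carries RADIUS Username xx\cennelin, the rejected one UserName host/xxxxxxxxxxxx with only the computer's groups listed. The script below is an added triage example, not code from the thread or from Cisco ISE; it parses the name/value listing as the ISE report shows it and compares the two group sets, using constructed excerpts shortened from the records above.

```python
from collections import defaultdict

GROUP_ATTR = "AD ExternalGroups"
USERNAME_ATTRS = ("RADIUS Username", "UserName")

# Constructed excerpts, shortened from the two records quoted in the thread.
OK_RECORD = """
Event
5200 Authentication succeeded
AD ExternalGroups
xx/users/wifidata
AD ExternalGroups
xx/users/admins du domaine
AD ExternalGroups
xx/users/certsvc_dcom_access
RADIUS Username
xx\\cennelin
"""

REJECTED_RECORD = """
UserName
host/xxxxxxxxxxxx
AD ExternalGroups
xx/users/ordinateurs du domaine
AD ExternalGroups
xx/users/certsvc_dcom_access
CiscoAVPair
ssid=CAMPUS
"""


def parse_record(text):
    """Parse an ISE detail listing: attribute name on one line, value on the
    next. Repeated attributes (the group list) accumulate in order; a name
    without a value means the listing is malformed."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) % 2:
        raise ValueError("attribute name without a value at end of record")
    attrs = defaultdict(list)
    for name, value in zip(lines[0::2], lines[1::2]):
        attrs[name].append(value)
    return dict(attrs)


def auth_subject(record):
    """('machine', name) for host/ identities, ('user', name) otherwise."""
    for attr in USERNAME_ATTRS:
        if attr in record:
            name = record[attr][0]
            kind = "machine" if name.lower().startswith("host/") else "user"
            return kind, name
    return "unknown", ""


def compare(ok_text, rejected_text):
    """Summarise subject type and AD group differences between two records."""
    ok, rej = parse_record(ok_text), parse_record(rejected_text)
    ok_groups = set(ok.get(GROUP_ATTR, []))
    rej_groups = set(rej.get(GROUP_ATTR, []))
    return {
        "ok_subject": auth_subject(ok),
        "rejected_subject": auth_subject(rej),
        "groups_lost": sorted(ok_groups - rej_groups),
        "groups_common": sorted(ok_groups & rej_groups),
    }
```

Run `compare(OK_RECORD, REJECTED_RECORD)` to see that the rejected record is a machine authentication and which user groups are absent from it.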
ISE - Active Directory - LDAPS
I think I understood the customer concern. This is quoted from Microsoft, http://support.microsoft.com/kb/321051
"The Lightweight Directory Access Protocol (LDAP) is used to read from and write to Active Directory. By default, LDAP traffic is transmitted unsecured. You can make LDAP traffic confidential and secure by using Secure Sockets Layer (SSL) / Transport Layer Security (TLS) technology."
So the question now is how can we be sure the ISE communication is secure? ... I understand port 636 is used to transport LDAP-Secure ...
The ISE User Guide indicates that one of the ports required to be open, in case a firewall exists between ISE and AD, is 636 (LDAPS). (ISE User Guide, page 5-6)
In my case there is no FW between ISE and AD, so how can I be sure LDAPS is being used?
The ISE User Guide explains a little about security if the external identity source is an LDAP, but nothing about security is indicated in the Active Directory configuration.
Regards.
Hi,
The AD join operations allows you to run PEAP protocol and is much more resilient than using ldap because of the way it joins itself to the domain. It uses kerberos and rpc when performing user authentication.
When using ldaps that is configuration based on when you add the ldap instance.
Sent from Cisco Technical Support iPad App -
Tighter Integration with Active Directory User Groups
I just wrapped up a Jabber deployment with IM&P 9.1(1) and J4W clients 9.1(3).
The customer asked me if it is on Cisco's roadmap to allow groups in Active Directory to be pulled into the Jabber client. The primary business case is to allow those in IT to send out IM blasts to the corporation or certain departments.
Obviously, this would require a significant amount of development and a much tighter integration with Active Directory, but I need to ask anyway.
Has something like this been identified and placed on any roadmap?
Thanks,
Matthew Berry
Unfortunately this kind of question cannot be addressed here; roadmap questions need to go through official channels for an answer.
You need to reach your SE/AM for this question.
HTH
java
if this helps, please rate
www.cisco.com/go/pdihelpdesk -
Cisco ISE Active Endpoint Usage Reset
Hi,
I have a Cisco ISE running version 1.1 and I was wondering if it may be possible to reset the license usage/active endpoint shown on the dashboard? This was noticed after a restore of ISE due to replacement of hardware and I noticed that the license usage count/active endpoints does not seems to go down.
The following methods have been tried however without any success:
1. Reboot ise server/service
2. Disable all network devices making use of ise such that there are no clients/devices accessing it; example switch/wlc/etc...
3. Deleted all endpoints in identities/identity groups
4. Disable profiling on ise
As the ISE has been installed with a base license, I am not too sure if it may be either a bad restore (all services/applications are working though), bad RADIUS accounting which does not time out on the ISE, etc...
Any help is appreciated on how to reset the active endpoint/license usage.
Thanks.
Here is a method for removing the stale records. Please give this a try:
http://www.cisco.com/en/US/docs/security/ise/1.1/api_ref_guide/ise_api_ref_ch2.html#wp1072950
Thanks,
Tarik Admani
*Please rate helpful posts* -
How do I setup Active Directory and Group Policy on Windows Server 2012?
I work for a school district that uses a Windows 2012 server with about 400 Windows 7 PCs and 150 Mac PCs. We are set up with Roaming Profiles on the PCs and would like to be able to setup Active Directory, Group Policy, and Roaming Profiles on our macs. (We also have a mac server that they are using as a file server only) As we are a school, our funds are very low. Now for the questions...
Is there a software that allow us to accomplish this?
Is there a free solution or a very reduced price option to do this?
I heard that http://www.centrify.com/products/mac-edition.asp may accomplish this and I read something about it on here but didn't know if this is what I was really trying to do because it was marked as "The Golden Triangle" and did not mention Roaming Profiles. This is the link though: https://discussions.apple.com/message/17200059#17200059
Any help would be greatly appreciated.
The above reply does not take into account that I am trying to use GROUP POLICY EDITOR to make it the default browser.
-
We have a wireless setup using WLC and ISE, authenticating BYOD against Active Directory.
The challenge we have is that when users change their AD password, they forget to update their smartphones, resulting in their AD accounts being locked out.
We have PEAP enabled, with retries set to 1.
When does the retries "reset" so that it will try again?
And are there other things we can look at to prevent this behaviour?
The best thing to do is to train your users to update the password in all their devices. Otherwise the account will mostly be locked out if an auto-auth device is configured with the old password.
HTH
Amjad
Rating useful replies is more useful than saying "Thank you" -
ISE : Active Directory integration long usernames sAMAccountname
Have a customer deploying ISE for wireless authentication using PEAP-MSCHAPv2. They've encountered an issue where some users with long usernames are failing authentication to ISE. ISE logs that the user is not found in the user database (Active Directory).
Upon further review, it appears that ISE is using the sAMAccountname as the username token to authenticate against.
sAMAccountname is limited to 20 characters.
Customer is running a full Windows 2008 domain and users login to the domain using their User Principal Name (no 20 character limit). Therefore, when the user creates a wireless connection and passes his Windows credentials to PEAP, it fails because the username is too long and ISE does not find user in AD database.
Is there a way to point ISE to use a different username token instead of sAMAccountname? Or is this a known issue?
I don't think there is any way to increase the limit of 20 characters. You have to create the user name within the 20-character limit.
-
Wireless Deployment with Active Directory User Group Integration
I am trying to find out the best practice in deploying a WLAN for users in the cooperate environment, which uses their company active directory integrated laptops to join to the WLAN.
I know this can be done using certificates easily but I want to just find a way to deploy this without certificates and only based on the AD user group. Maybe a Radius server + LDAP server integration solution would be great.
Please advise. Thanks.
Cheers
Lal Antony
www.lalantony.com
The easiest way to deploy this is with a Microsoft toolkit; it has everything you need included, manuals, scripts to install and configure server-side components, and it's very easy to use. You can get it from here:
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=60c5d0a1-9820-480e-aa38-63485eca8b9b&displaylang=en
It's based on Win2003 server but I've been advised by MS that it should be OK on Win2008 as well. -
HI everyone.
Is it possible to see all the users that have been logged and allowed by Cisco ISE, and that are currently active; and to force them to log off or end up their connection? (for example, users that have to authenticate in a Guest Portal)
How can we do it?.
Thanks!
As long as all those WLAN IDs are set to authenticate users via ISE, they should show up in the page I indicated. I have done several implementations and this has always been the case (as it is documented to work).
If you're not seeing the same, you should probably open a TAC case to walk through the setup to investigate.