Cisco ISE Active Directory Add Group

Hi,
I came across the Cisco ISE on integrating with Microsoft Active Directory; I would like to check what may be the use case of the add group function (External identity source-->active directory-->group-->add group)? Not too sure if it may be possible to group multiple active directory groups to the created group?
I have attached a print capture of the "add group" for reference.
Any suggestion is appreciated.

I apologize for not following Ravi's post. However you can enter the group if searching for groups fails. It is case and format sensitive so using the method has to be precise....one example is looking in the authenticatiin report for a user under the "other attributes" if there is a group you want to apply as a policy you can copy and paste that group syntax under the add group which you posted.
Sent from Cisco Technical Support Android App

Similar Messages

  • Is it possible to map a Sponsor Group in Cisco ISE to a user group in Active Directory, through a RADIUS server?

    Hi!!
    We are working on a mapping between a Sponsor Group in Cisco ISE and a user group in Active Directory....but the client wants the mapping to be through a RADIUS SERVER, for avoiding ISE querying directly the Active Directory.
    I know it is possible to use a RADIUS SERVER as an external identity source for ISE.....but, is it possible to use this RADIUS SERVER for this sponsor group handling?
    Thanks and regards!!

    Yes It is possible to map Sponser group to user group in AD and if you want to know how to do please open the below link and go to Mapping Active Directory Groups to Sponsor Groups heading.
    http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_guest_pol.html#wp1096365

  • Unable to find Active Directory Domain Groups via /_vti_bin/UserGroup.asmx GetRoleCollectionFromGroup

    Hi, I am writing a Powershell script locally on my machine to aggregate data from SharePoint 2010 and Active Directory.  All groups in our SP environment are Active Directory Domain Groups (AD DG).  Accessing group members via SharePoint is not
    possible (as many of you already know).  My plan was to pull Domain Group lists and aggregate AD DG data with SharePoint data (permission levels, etc...).  I unfortunately ran into a problem when I realized that AD DGs are not considered "SP
    Groups" but instead are considered user??? 
    How do I leverage SharePoint web services to perform an action similar to /_vti_bin/UserGroup.asmx > GetRoleCollectionFromGroup?  I do not want to perform this action on the server, but locally on my machine.  When I run the below script
    it throws a 401 error and complains it "can't find the group".  Keep in mind I am trying to get info on a
    AD Domain Group, not a
    SharePoint Group.  I think that is the underlying reason this request keeps failing as I tested the below script on SP groups and it worked perfectly.
    clear
    $CRED = Get-Credential
    [System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }
    $uri = "http://{site}/_vti_bin/UserGroup.asmx"
    $soap = '<?xml version="1.0" encoding="utf-8"?>'
    $soap+= '<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
    $soap+= '<soap:Body>'
    $soap+= '<GetRoleCollectionFromGroup xmlns="http://schemas.microsoft.com/sharepoint/soap/directory/">'
    $soap+= '<groupName>TestGroup</groupName>'
    $soap+= '</GetRoleCollectionFromGroup>'
    $soap+= '</soap:Body>'
    $soap+= '</soap:Envelope>'
    [xml]$WF = Invoke-RestMethod $uri -Credential $CRED -Method POST -ContentType "text/xml" -Body $soap
    echo $WF
    $WF.Envelope.Body.GetRoleCollectionFromGroupResponse.GetRoleCollectionFromGroupResult.GetRoleCollectionFromGroup.Roles.Role
    Thank you. 

    Hi, I am writing a Powershell script locally on my machine to aggregate data from SharePoint 2010 and Active Directory.  All groups in our SP environment are Active Directory Domain Groups (AD DG).  Accessing group members via SharePoint is not
    possible (as many of you already know).  My plan was to pull Domain Group lists and aggregate AD DG data with SharePoint data (permission levels, etc...).  I unfortunately ran into a problem when I realized that AD DGs are not considered "SP
    Groups" but instead are considered user??? 
    How do I leverage SharePoint web services to perform an action similar to /_vti_bin/UserGroup.asmx > GetRoleCollectionFromGroup?  I do not want to perform this action on the server, but locally on my machine.  When I run the below script
    it throws a 401 error and complains it "can't find the group".  Keep in mind I am trying to get info on a
    AD Domain Group, not a
    SharePoint Group.  I think that is the underlying reason this request keeps failing as I tested the below script on SP groups and it worked perfectly.
    clear
    $CRED = Get-Credential
    [System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }
    $uri = "http://{site}/_vti_bin/UserGroup.asmx"
    $soap = '<?xml version="1.0" encoding="utf-8"?>'
    $soap+= '<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
    $soap+= '<soap:Body>'
    $soap+= '<GetRoleCollectionFromGroup xmlns="http://schemas.microsoft.com/sharepoint/soap/directory/">'
    $soap+= '<groupName>TestGroup</groupName>'
    $soap+= '</GetRoleCollectionFromGroup>'
    $soap+= '</soap:Body>'
    $soap+= '</soap:Envelope>'
    [xml]$WF = Invoke-RestMethod $uri -Credential $CRED -Method POST -ContentType "text/xml" -Body $soap
    echo $WF
    $WF.Envelope.Body.GetRoleCollectionFromGroupResponse.GetRoleCollectionFromGroupResult.GetRoleCollectionFromGroup.Roles.Role
    Thank you. 

  • SMS_AD_SECURITY_GROUP_DISCOVERY_AGENT - Active Directory Security Group Discovery Agent reported warnings for 524 object(s). DDRs were generated for 0 object(s) that had warning(s) while reading non-critical properties.

    Hi, can anyone help me troubleshoot the following please:
    Active Directory Security Group Discovery Agent reported warnings for 524 object(s). DDRs were generated for 0 object(s) that had warning(s) while reading non-critical properties. DDRs were not generated for 524 object(s) that had warnings while reading
    critical properties.
    Possible cause: OU name or Security Group name may contain at least a Unicode character which has conversion problem between Unicode and your system ANSI locale(e.g. Korean characters in English System Locale). The site server might not have access to
    some properties of this object. The container specified might not have the properties available.
    Solution: Please verify the Active Directory schema for properties that are not replicated or locked. Refer to the discovery logs for more information.
    Does the error relate to 524 security groups? There are several invalid search paths listed in adsgdis.log, are these related?
    Thanks,
    Dale

    You'll have to examine the log to determine exactly which objects its referring to. Although this is in the context of group discovery, group discovery still creates DDRs for computer objects within those groups so it could be either groups or computers.
    This is not a search path issue though as it's clear that the discovery process found 524 different objects, but as stated, it could not properly read criticial properties of those objects and thus did not create DDRs for them.
    As mentioned, reading the log in detail will list the objects individually and the reason it could not create a DDR for it.
    Jason | http://blog.configmgrftw.com

  • Active Directory System Group discovery has been removed

    Hello,
    I noticed in SCCM 2012 Active Directory System Group discovery has been removed which discovery is provided the
    information previously collected through this discovery?
    Thanks,
    Dom
    System Center Operations Manager 2007 / System Center Configuration Manager 2007 R2 / Forefront Client Security / Forefront Identity Manager

    Hi,
    Yes Active Directory System Group Discovery has been removed (not Active Directory System Discovery)
    It is written in http://technet.microsoft.com/en-us/library/gg712308.aspx#BKMK_DiscoveryMethods
    What's new in SCCM 2012
    and confirmed in
    http://blogs.technet.com/b/elie/archive/2012/05/10/system-center-2012-configuration-manager-part2-discovery-methods.aspx
    Thanks,
    DOm
    System Center Operations Manager 2007 / System Center Configuration Manager 2007 R2 / Forefront Client Security / Forefront Identity Manager

  • Orchestrator Active Directory Add Computer to Group

    Having trouble with the Add Computer to Group activity. I can't seem to find the right reference for an OU in my active directory forest (/Servers/KC). Any help?
    William Busby, PMP

    Hi William,
    you can use the "Get Computer" and "Get Group" Activities to get all the information for the Group and Computer including the Distinguished Name. In the Filter tab of the two "Get-Activities" you can filter with name and other things.
    The you can right click on the field for the Distinguished Names in the "Add Computer To Group" Activity and click Subscribe -> Publihed Data and choose the Distinguished Names you get as result from the Activities before.
    Regards,
    Stefan
    German Orchestrator Portal ,
    My blog in English

  • ISE / Active Directory: issue to get users group

    Hello,
    We have a strange issue:
    - ISE 1.2 patch 8
    - no WLC, autonomous AP
    In authentication, we check Wireless IEEE 802.11 (radius) and cisco-av-pair (ssid), then we use AD.
    We have 3 SSIDs, so 3 rules, one DATA, one GUEST, one for TOIP.
    In one more rules to grant authentication from APs to register in WDS: user in local database.
    In authorization, we check cisco-av-pair (ssid) and AD user group, then we permit access.
    (so 3 rules), and one more to authorise the internal base for WDS.
    We have something strange:
    - sometimes users can connect but later they can't: in the logs, the authorization rejects the user because the AD Group is not seen.
    Exemple:
    1- OK:
    Authentication Details
    Source Timestamp
    2014-05-15 11:43:19.064
    Received Timestamp
    2014-05-15 11:43:19.065
    Policy Server
    radius
    Event
    5200 Authentication succeeded 
    All the GROUPS of user are seen:
    false
    AD ExternalGroups
    xx/users/admexch
    AD ExternalGroups
    xx/users/glkdp
    AD ExternalGroups
    x/users/gl revue écriture
    AD ExternalGroups
    xx/users/pcanywhere
    AD ExternalGroups
    xx/users/wifidata
    AD ExternalGroups
    xx/informatique/campus/destinataires/aa informatique
    AD ExternalGroups
    xx/informatique/campus/destinataires/aa entreprises et cités
    AD ExternalGroups
    xx/informatique/campus/destinataires/aa campus
    AD ExternalGroups
    xx/users/aiga_creches
    AD ExternalGroups
    xx/users/admins du domaine
    AD ExternalGroups
    xx/users/utilisa. du domaine
    AD ExternalGroups
    xx/users/groupe de réplication dont le mot de passe rodc est refusé
    AD ExternalGroups
    xx/microsoft exchange security groups/exchange view-only administrators
    AD ExternalGroups
    xx/microsoft exchange security groups/exchange public folder administrators
    AD ExternalGroups
    xx/users/certsvc_dcom_access
    AD ExternalGroups
    xx/builtin/administrateurs
    AD ExternalGroups
    xx/builtin/utilisateurs
    AD ExternalGroups
    xx/builtin/opérateurs de compte
    AD ExternalGroups
    xx/builtin/opérateurs de serveur
    AD ExternalGroups
    xx/builtin/utilisateurs du bureau à distance
    AD ExternalGroups
    xx/builtin/accès dcom service de certificats
    RADIUS Username
    xx\cennelin
    Device IP Address
    172.25.2.87
    Called-Station-ID
    00:3A:98:A5:3E:20
    CiscoAVPair
    ssid=CAMPUS
    ssid
    campus 
    2- NO OK later:
    Authentication Details
    Source Timestamp
    2014-05-15 16:17:35.69
    Received Timestamp
    2014-05-15 16:17:35.69
    Policy Server
    radius
    Event
    5434 Endpoint conducted several failed authentications of the same scenario
    Failure Reason
    15039 Rejected per authorization profile
    Resolution
    Authorization Profile with ACCESS_REJECT attribute was selected as a result of the matching authorization rule. Check the appropriate Authorization policy rule-results.
    Root cause
    Selected Authorization Profile contains ACCESS_REJECT attribute 
    Only 3 Groups of the user are seen:
    Other Attributes
    ConfigVersionId
    5
    Device Port
    1645
    DestinationPort
    1812
    RadiusPacketType
    AccessRequest
    UserName
    host/xxxxxxxxxxxx
    Protocol
    Radius
    NAS-IP-Address
    172.25.2.80
    NAS-Port
    51517
    Framed-MTU
    1400
    State
    37CPMSessionID=b0140a6f0000C2E15374CC7F;32SessionID=radius/189518899/49890;
    cisco-nas-port
    51517
    IsEndpointInRejectMode
    false
    AcsSessionID
    radius/189518899/49890
    DetailedInfo
    Authentication succeed
    SelectedAuthenticationIdentityStores
    AD1
    ADDomain
    xxxxxxxxxxx
    AuthorizationPolicyMatchedRule
    Default
    CPMSessionID
    b0140a6f0000C2E15374CC7F
    EndPointMACAddress
    00-xxxxxxxxxxxx
    ISEPolicySetName
    Default
    AllowedProtocolMatchedRule
    MDP-PC-PEAP
    IdentitySelectionMatchedRule
    Default
    HostIdentityGroup
    Endpoint Identity Groups:Profiled:Workstation
    Model Name
    Cisco
    Location
    Location#All Locations#Site-MDP
    Device Type
    Device Type#All Device Types#Cisco-Bornes
    IdentityAccessRestricted
    false
    AD ExternalGroups
    xx/users/ordinateurs du domaine
    AD ExternalGroups
    xx/users/certsvc_dcom_access
    AD ExternalGroups
    xx/builtin/accès dcom service de certificats
    Called-Station-ID
    54:75:D0:DC:5B:7C
    CiscoAVPair
    ssid=CAMPUS 
    If you have an idea, thanks so much,
    Regards,

    To configure debug logs via the Cisco ISE user interface, complete the following steps
    :Step 1 Choose Administration > System > Logging > Debug Log Configuration. The Node List page appears, which contains a list of nodes and their personas.
    You can use the Filter button to search for a specific node, particularly if the node list is large.
    www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_logging.html#wp1059750

  • ISE - Active Directory - LDAPS

    I think I understood the customer concern. This is quoted from Microsofthttp://support.microsoft.com/kb/321051
    "The Lightweight Directory Access Protocol (LDAP) is used to read from and write to Active Directory. By default, LDAP traffic is transmitted unsecured. You can make LDAP traffic confidential and secure by using Secure Sockets Layer (SSL) / Transport Layer Security (TLS) technology."
    So the question now is how can we be sure the ISE communication is secure? ... I understand port 636 is used to transport LDAP-Secure ...
    The ISE User Gude indicates that one of the ports required to be open in the case a firewall exists between ISE and ADE is 636 (LDAPS). -(ISE User Guide Page 5-6)
    In my case there is no FW between ISE and AD, so how can I be sure LDAPS is being used?
    ISE User Guide explais a little about security if the external identity source is an LDAP, but nothing about security is indicated in Active Directory configuration.
    Regards.

    Hi,
    The AD join operations allows you to run PEAP protocol and is much more resilient than using ldap because of the way it joins itself to the domain. It uses kerberos and rpc when performing user authentication.
    When using ldaps that is configuration based on when you add the ldap instance.
    Sent from Cisco Technical Support iPad App

  • Tighter Integration with Active Directory User Groups

    I just wrapped up a Jabber deployment with IM&P 9.1(1) and J4W clients 9.1(3).
    The customer asked me if it is on Cisco's roadmap to allow groups in Active Directory to be pulled into the Jabber client.  The primary business case is to allow those in IT to send out IM blasts to the corporation or certain departments.
    Obviously, this would require a significant amount of development and a much tighter integration with Active Directory, but I need to ask anyway.
    Has something like this been identified and placed on any roadmap?
    Thanks,
    Matthew Berry

    Unfortunately this kind of questions cannot be addressed here, roadmap questions need to go thru official channels for an answer.
    You need to reach your SE/AM for this question.
    HTH
    java
    if this helps, please rate
    www.cisco.com/go/pdihelpdesk

  • Cisco ISE Active Endpoint Usage Reset

    Hi,
    I have a Cisco ISE running version 1.1 and I was wondering if it may be possible to reset the license usage/active endpoint shown on the dashboard? This was noticed after a restore of ISE due to replacement of hardware and I noticed that the license usage count/active endpoints does not seems to go down.
    The following methods have been tried however without any success:
    1. Reboot ise server/service
    2. Disable all network devices making use of ise such that there are no clients/devices accessing it; example switch/wlc/etc...
    3. Deleted all endpoints usage in identies/identies group
    4. Disable profiling on ise
    As the ise has been installed with a base license; not too sure if it may be either a bad restore (all service/application are working though) / bad radius accounting which does not timed out on the ise / etc...
    Any help is appreciated on how to reset the active endpoint/license usage.
    Thanks.                  

    Here is a method for removing the stale records. Please give this a try:
    http://www.cisco.com/en/US/docs/security/ise/1.1/api_ref_guide/ise_api_ref_ch2.html#wp1072950
    Thanks,
    Tarik Admani
    *Please rate helpful posts*

  • How do I setup Active Directory and Group Policy on Windows Server 2012?

    I work for a school district that uses a Windows 2012 server with about 400 Windows 7 PCs and 150 Mac PCs. We are set up with Roaming Profiles on the PCs and would like to be able to setup Active Directory, Group Policy, and Roaming Profiles on our macs. (We also have a mac server that they are using as a file server only) As we are a school, our funds are very low. Now for the questions...
    Is there a software that allow us to accomplish this?
    Is there a free solution or a very reduced price option to do this?
    I heard that http://www.centrify.com/products/mac-edition.asp may accomplish this and I read something about it on here but didn't know if this is what I was really trying to do becuase it was marked as "The Golden Triangle" and did not mention Raoming Profiles. This is the link though: https://discussions.apple.com/message/17200059#17200059
    Any help would be greatly appreciated.

    The above reply does not take into account that I am trying to use GROUP POLICY EDITOR to make it the default browser.

  • ISE / Active Directory

    We have a wireless setup using WLC and ISE, authenticating BYOD against Active Directory.
    The challange we have is that when users change their AD password, they forget to update their smartphones resulting in their AD accounts being locked out.
    We have PEAP enabled, with retries set to 1.
    When does the retries "reset" so that it will try again?
    And is there other things we can look at to prevent this behaviour?

    The best thing to do is to train your users to update the password in all their devices. Otherwise the account will be mostly locked out if an auto-auth device is configured with the old password.
    HTH
    Amjad
    Rating useful replies is more useful than saying "Thank you"

  • ISE : Active Directory integration long usernames sAMAccountname

    Have a customer deploying ISE for wireless authentication using PEAP-MSCHAPv2.  They've encountered an issue where some users with long usernames are failing authentication to ISE.  ISE logs that the user is not found in the user database (Active Directory).
    Upon further review, it appears that ISE is using the sAMAccountname as the username token to authenticate against.
    sAMAccountname is limited to 20 characters. 
    Customer is running a full Windows 2008 domain and users login to the domain using their User Principal Name (no 20 character limit).  Therefore, when the user creates a wireless connection and passes his Windows credentials to PEAP, it fails because the username is too long and ISE does not find user in AD database.
    Is there a way to point ISE to use a different username token instead of sAMAccountname?  or is this a known issue?

    I don't think there is any way to increase the limit of 20 characters. You have to create to user name with 20 characters limit.

  • Wireless Deployment with Active Directory User Group Integration

    I am trying to find out the best practice in deploying a WLAN for users in the cooperate environment, which uses their company active directory integrated laptops to join to the WLAN.
    I know this can be done using certificates easily but I want to just find a way to deploy this without certificates and only based on the AD user group. Maybe a Radius server + LDAP server integration solution would be great.
    Please advice. Thanks.
    Cheers
    Lal Antony
    www.lalantony.com

    The easiest way to deply this is with a Microsoft toolkit, it has everything you need included, manuals, scripts to install and configure server-side components and it's very easy to use. You can get it from here:
    http://www.microsoft.com/downloads/en/details.aspx?FamilyID=60c5d0a1-9820-480e-aa38-63485eca8b9b&displaylang=en
    It's based on Win2003 server but I've been advised by MS that it should be OK on Win2008 as well.

  • CISCO ISE Active Users

    HI everyone.
    Is it possible to see all the users that have been logged and allowed by Cisco ISE, and that are currently active; and to force them to log off or end up their connection? (for example, users that have to authenticate in a Guest Portal)
    How can we do it?. 
    Thanks!

    As long as all those WLAN IDs are set to authenticate users via ISE, they should show up in the page I indicated. I have done several implementations and this has always been the case (as it is documented to work).
    If you're not seeing the same, you should probably open a TAC case to walk through the setup to investigate.

Maybe you are looking for

  • Printing document from FB03

    Hi We are on ECC 6.0.  After displaying a document in FB03, if i wish to print it, only the line items are passed for output (in spool) not the header data. If i go to Document - Print preview and then print, complete document is passed to output. Al

  • Why is my iTunes and App Store in Chinese on my brand new iPad 2?

    Why is my iTunes and App Store in Chinese on my brand new iPad 2?

  • 20$ pre order bonuses at kmart

    Kmart is now offering 20$ pre order bonuses on many upcoming releases, including Destiny, Watchdogs and several others. Plus with there offer you can get one for each system and collect the bonus for each of them. Is Best Buy going to start offering

  • Changing colour of people

    Hi. This might be a little difficult to explain. I want to change the colour of certain people's faces in FCP 5. Just their faces, possibly their bodies as well, but not the entire frame. The story i'm working on involved on character seeing others i

  • Partition over date range

    Is there a way to have a count be partition over a date range count(records) over(partition by ids range start_date to end_date)