Cisco ISE - How to map User- Location - Restrict Access to other locations
Hi,
I've got a simple question and I hope someone here can help me out with this mess.
The problem is about WLAN 802.1x Auth with Cisco WLC and a ISE.
The design goal is the following:
There are several branch facilities. A user belongs to only ONE facility. This user should not access the WLAN in other facilities.
The technical design is this:
Local WLC and/or central vWLC. In the datacenter is one ISE which must handle the auth requests. The identity source of the users, where I add and manage them, should be the ISE itself for the first time; later I want to use AD and LDAP sources.
Here is the problem:
I don't understand how I can create a ruleset or something else where I can define that a user of facility A can only log in over APs, WLCs, ..... in facility A and NOT facility B. Or maybe my design is so bad that I have to start from scratch.
PLEASE HELP.
I don't know but may be this is the correct way to validate the user:
NAS-ID in AP-Groups (One AP-Group per facility) must match "12345" AND Identity-Group must match "12345".
I am confused because there is no way to compare these values.
In this case, to compare the value of "NAS-ID" and the user's "IDENTITY-GROUP".
If they match against each other, then "Permit-Access".
Similar Messages
-
Cisco ACS - HOW ARE INTERNAL USER'S RESTRICTED IN THEIR ACCESS TO RESOURCES
Does anyone have any insight into this process? Please advise.
Hi Eduardoaliaga,
I believe that when we are using PAP as the authentication protocol, the ACS is able to strip the domain prefix. However, my side is using PEAP MSCHAPv2 as the authentication protocol and I believe that the TLS tunnel is preventing the ACS from stripping the domain prefix/suffix. Thus, I have also posted another discussion on the issue that when the authentication protocol PEAP MSCHAPv2 is used, ACS is not able to strip the domain prefix/suffix. Thus, would you also be able to advise on whether that is correct? Please refer to the links below.
1) https://supportforums.cisco.com/thread/2061835
2) http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/user/guide/eap_pap_phase_ps9911_TSD_Products_User_Guide_Chapter.html#wp1031191
3) https://supportforums.cisco.com/message/3581951#3581951
Thks and Rgds -
How to map user-defined fields in XML communication on SRM site
Hi All!
We use the External sourcing scenario and we transfer requirements from ERP in SRM through XI (PurchaseRequestERPSourcingRequest_In)
We should transfer the user-defined fields, but we cannot map them on the SRM side.
We have enhanced the enterprise service in XI and have implemented BADI PUR_SE_PRERPSOURCINGRQCO_ASYN on the ERP side.
I see the XML message with our z-fields in tr. SXI_MONITOR (into SRM), but I cannot find them in BBP_PDISC.
We tried to use BADI BBP_SAPXML1_IN_BADI (there is no method for SC), and BADI /SAPSRM/BD_SOA_MAPPING (z-fields are empty).
Can someone tell me how to map user-defined fields for SC?
Thanks in advance
Evgeny Ilchenko
Hello, Julia
We have found the solution to our problem.
We have enhanced the standard service in a new enhancement namespace and defined our own enhancement elements in our namespaces. Then these enhancement elements referred to the SAP standard Enterprise Service.
But in our new interfaces there were different XML namespaces.
When we had corrected this error we could use the following BADIs:
on the ERP side: PUR_SE_PRERPSOURCINGRQCO_ASYN
on the SRM side: /SAPSRM/BD_SOA_MAPPING
BR,
Evgeny -
Can not get my wifi to work in any other location than my home. How do I get it to work in other locations?
What happens at those other locations? Error messages?
Do other devices connect to those other locations?
What kind of networks are they? -
How can I telnet or get access to other LAN members in the LAN without using third-party software?
I have admin access to the main router in our LAN, so how can I telnet or get access to other LAN members in the LAN without using third-party software?
It's a Linksys 3500 router and I log in as admin using the gateway address in the address bar.
I want to access the C drive of my colleague in the same subnet in the same office and I know his IP address, but he has not configured telnet to accept requests. So without it, how can I open his telnet port and access him?
I think you are using the wrong terminology. You can browse the hidden share of any PC if you know the IP and have a valid user account on the PC by typing in the following: \\computername\c$ or \\ipaddress\c$. It should prompt you for a user account. You may have to allow this through the Windows firewall (or disable it completely).
-
Cisco ISE: How to identify/inactive old users?
Hello,
I want to get all users / MAC addresses which haven't connected to our network in 180 days.
How can I query that?
The report "Dormant Users" doesn't seem to be the right way: it displays currently associated users which are inactive...
How can I purge Cisco ISE, cleaning it of useless, old, inactive MAC addresses?
Thank you very much for any answer
The only thing I could find was purging data in the MNT node. The default is 90 days. This doesn't apply because the profiles are stored on the policy node. I don't think you can in an automated form.
You could change the MNT to purge after 210 days and then run a report to see which MACs have not authenticated in the past 180 days. That will require Excel and some scripting. -
Hello,
I'm trying to do machine and user authentication using EAP-TLS and digital certificates. Machines have certificates where the Principal Username is SAN:DNS, user certificates (smartcards) use SAN:Other Name as the Principal Username.
In ISE, I can define multiple Certificate Authentication Profiles (CAP). For example CAP1 (Machine) - SAN:DNS, CAP2 (User) - SAN:Other Name
Problem is how do you specify ISE to check both in the Authentication Policy? The Identity Store Sequence only accepts one CAP, so if I created an authentication policy for Dot1x to check CAP1 -> AD -> Internal, it will match the machine cert, but fail on user cert.
Any way to resolve this?
Thanks,
Steve
You need to use the AnyConnect NAM supplicant on your Windows machines, and use the feature called EAP chaining for that; Windows' own supplicant won't work.
an example (uses user/pass though, but same concept)
http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/howto_80_eapchaining_deployment.pdf -
Hi
I am using EP 7. In user mapping for the system access tab I got the IDES system which I have configured. My doubt is, in the Mapping Data option, which user ID and password do I need to mention?
Is it portal user id and password or
R3 user id and password
If it is portal user id and password where should i mention R3 user id and password
I am using user mapping type as UIDPW
Please help me....
Regards
Sowmya
Hi,
Hope that it is not a problem with the system but with permissions. Have a look at these threads.
1) Some Users Can Not Select System
2) Problem in viewing the various systems.....
3) http://help.sap.com/saphelp_nw04s/helpdata/en/15/74ce1925fe4fe6a058dec056ef5f6f/frameset.htm
Check the line "Map users with VC Role to a user with read permissions to the required back-end system."
4) Not getting the Systems while clicking "Select Data Services"
Regards,
Harini S -
Cisco ISE: How to match an endpoint that belongs to an identity group?
Hello,
I am running Cisco ISE 1.1.4.218 in a standalone environment.
I am trying to setup Compound Condition for Authorization.
I would like the condition to match the MAC address of the calling machine to the internal endpoint MAC address list.
I created 1 endpoint identity group and 2 children groups
- GroupParent
- ChildA
- ChildB
I put the MAC address of my machine in the group ChildA.
In my condition, I tried the following:
IdentityGroup:Name, Equals, ChildA
IdentityGroup:Name, Equals, GroupParent:ChildA
IdentityGroup:Name, Match, .*(ChildA).*
I even tried to put the MAC address in the GroupParent level and tried to update the condition to be:
IdentityGroupName, Equals, GroupParent
IdentityGroupName, Match, .*(GroupParent).*
But none of these options worked.
I am almost sure that in Cisco ISE 1.1.1, it was working fine. But I updated today to 1.1.4 and I cannot make it work.
Can anyone help me?
Best regards,
David
You could try the following to match only the parent group
IdentityGroup:Name EQUALS GroupParent
You could try the following to match only child group A
IdentityGroup:Name EQUALS GroupParent#ChildA
You could try the following to match all child groups of GroupParent
IdentityGroup:Name STARTS_WITH GroupParent
Please rate if this helps -
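Added here as a small model of the rule logic discussed in the opening question (NAS-ID plus identity group per facility) and in the GroupParent#ChildA answer just above; it is example code, not ISE's own policy engine. The attribute name Radius:NAS-Identifier, the facility and group names, and the sample requests are assumptions.

```python
import re

# Constructed sample data: the NAS-Identifier each WLC AP group sends,
# mapped to the ISE identity group (Parent#Child form) allowed at that site.
FACILITY_GROUPS = {
    "NASID-12345": "Facilities#Site12345",
    "NASID-67890": "Facilities#Site67890",
}

def eval_condition(op, actual, expected):
    """Evaluate one ISE-style operator; a missing attribute never matches."""
    if actual is None:
        return False
    if op == "EQUALS":
        return actual == expected
    if op == "STARTS_WITH":  # matches the parent itself and every Parent#Child
        return actual.startswith(expected)
    if op == "MATCHES":  # regular expression over the whole value
        return re.fullmatch(expected, actual) is not None
    raise ValueError(f"unknown operator {op}")

def rule_matches(rule, request):
    """All (attribute, operator, value) conditions of a rule are ANDed."""
    return all(eval_condition(op, request.get(attr), val)
               for attr, op, val in rule["conditions"])

def build_site_rules():
    """One PermitAccess rule per facility: ISE compares an attribute with a
    literal, not with another attribute, so the pairing is spelled out per site."""
    return [{
        "name": f"permit-{nas_id}",
        "conditions": [
            ("Radius:NAS-Identifier", "EQUALS", nas_id),  # assumed attribute name
            ("IdentityGroup:Name", "EQUALS", group),
        ],
        "result": "PermitAccess",
    } for nas_id, group in FACILITY_GROUPS.items()]

def authorize(rules, request, default="DenyAccess"):
    """First matching rule wins, top to bottom; otherwise the default applies."""
    for rule in rules:
        if rule_matches(rule, request):
            return rule["result"]
    return default

if __name__ == "__main__":
    # A Site12345 user on the Site67890 WLC: the pairing fails, so DenyAccess.
    print(authorize(build_site_rules(), {"Radius:NAS-Identifier": "NASID-67890",
                                         "IdentityGroup:Name": "Facilities#Site12345"}))
```

Note that STARTS_WITH GroupParent also matches any group whose name merely begins with that string, so a prefix ending in the separator (GroupParent#) is the safer form when several parents share a prefix.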
How to import user profiles from external sources(other than AD) into SharePoint
Hi,
I want to import user profiles from external sources other than AD.
Badri
You have to use BCS for importing the profiles.
Check the following link with explanations
http://msdn.microsoft.com/en-us/magazine/ee819133.aspx
Please mark it as answer if this reply helps you in resolving the issue; it will help other users facing a similar problem -
Workset validation and restricted access to other workset based on first
Hi All,
I have a requirement in which I need to allow other worksets in ESS to be accessed only if one workset "Personal Information" is completed.
In this workset, there is an iView "Certify Own Data". In this iView there are a couple of checkboxes which need to be ticked and saved. These checkboxes will automatically be checked when the user enters the required data in other related iViews such as "Address", "Family Details", "Communications" etc.
Please can someone suggest how to achieve this functionality. Do I need to develop a new application or can I achieve this functionality by just maintaining some kind of iView validation?
An early response would be much appreciated.
Thanks
Uday
Hi
In your case,If your users are limited users then no worries....
They cannot open it with their license...
Only "Super user" can do that....
OR
You can restrict the other users by giving 'Authorisations'.
Go to Administration -> System Initialisation -> Authorisation -> General Authorisation.
Now you select the users to whom you want to restrict the access and at right hand side you can see "Customization tools"
You can set as "No authorisation" for Customization tools for that particular user and update it...
So that he cannot do anything with the user defined windows
Edited by: kambadasan on May 25, 2011 2:21 PM -
Cisco ACS: How to Limit User Sessions?
Hi Guys,
hope you would help me,
how to limit the user session in ACS 5.x?
I'm aware of the menu at
Access Policies > Max User Session Policy > Max Session Group Settings
I already set the global value to 1, Max Session for User in Group to 1, and Max Session for Group to 1.
So it means the user could only open 1 connection at the same time, right?
The problem is, it didn't work.
I have 1 ACS 5.5
2 Cisco devices running Cisco IOS Software, 3700 Software (C3725-ADVENTERPRISEK9-M), Version 12.4(15)T13, RELEASE SOFTWARE (fc3)
(let's call them R1 and R2)
I'm trying to telnet to both of them at the same time, and it works (it means the session limit didn't work, CMIIW)
I already included:
radius-server attribute 44 include-in-access-req
radius-server host 192.168.217.98 auth-port 1645 acct-port 1646 key somekey
on the line vty:
accounting connection acs
login authentication acs
Am I missing something?
Also, does this feature work on TACACS+ too?
Thanks,
Dash,
You can leverage the group mapping feature where members of a certain AD group are mapped to a local group in ACS with the max sessions defined.
http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-3/user/guide/acsuserguide/access_policies.html#pgfId-1162308
Thanks,
Tarik Admani -
Cisco ISE: How to add a description of an Internal Endpoint
Hello,
In ACS 5, when adding an Internal Hosts, we could add a description of the host, in addition to the MAC address.
In ISE, there is no such description field available. However, it is present in Internal Users but not in Internal Hosts.
How can we add a description to a MAC address device?
Many thanks,
David
Is this what you are looking for? If not, let me know
-
Hi,
I have a setup with ISE 1.1.1. Users are getting authenticated against AD. Everything is working fine except some users report disconnection. I see in the ISE that (Authentication failed: 24415 User authentication against Active Directory failed since user's account is locked out). Users are using Windows 7 OS.
Error is enclosed & here is the port configuration.
Port Configuration.
interface GigabitEthernet0/2
switchport access vlan 120
switchport mode access
switchport voice vlan 121
authentication event fail action next-method
authentication event server dead action reinitialize vlan 120
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
mab
dot1x pae authenticator
dot1x timeout tx-period 60
spanning-tree portfast
ip dhcp snooping limit rate 30
Please help.
The error message means that the Active Directory server rejected the authentication attempt
as for some reason the user account got locked. I guess you should ask your AD team to check in the AD
Event Logs why the user account got locked.
Under Event Viewer, you can find it out.
Regards
Minakshi (Do rate the helpful posts)