Cisco ISE - How to map User- Location - Restrict Access to other locations

Hi,
I've got a simple question and I hope someone here can help me out with this mess.
The problem is about WLAN 802.1x Auth with Cisco WLC and a ISE.
The design goal is the following:
There are several branch facilities. A user belongs to only ONE facility. This user should not access the WLAN in other facilities.
The technical design is this:
Local WLC and/or central vWLC. In the datacenter is one ISE which must handle the auth requests. The identity source of the users, where I add and manage them, should be the ISE itself for the first time; later I want to use AD and LDAP sources.
Here is the problem:
I don't understand how I can create a ruleset or something else where I can define that a user of facility A can only log in over APs, WLCs, ... in facility A and NOT facility B. Or maybe my design is so bad that I have to start from scratch.
PLEASE HELP.

I don't know, but maybe this is the correct way to validate the user:
NAS-ID in AP-Groups (one AP-Group per facility) must match "12345" AND Identity-Group must match "12345".
I am confused because there is no way to compare these values.
In this case, to compare the value of "NAS-ID" and the user's "IDENTITY-GROUP".
If they match each other, then "Permit-Access".

Similar Messages

  • Cisco ACS - HOW ARE INTERNAL USER'S RESTRICTED IN THEIR ACCESS TO RESOURCES

    Does anyone have any insight into this process? Please advise.

    Hi Eduardoaliaga,
    I believe that when we are using PAP as the authentication protocol, the ACS is able to strip the domain prefix. However, my side is using PEAP MSCHAPv2 as the authentication protocol and I believe that the TLS tunnel is preventing the ACS from stripping the domain prefix/suffix. Thus, I have also posted another discussion on the issue of when the authentication protocol PEAP MSCHAPv2 is used, ACS is not able to strip the domain prefix/suffix. Thus, would you also be able to advise on whether that is correct. Please refer to the links below.
    1) https://supportforums.cisco.com/thread/2061835
    2) http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/user/guide/eap_pap_phase_ps9911_TSD_Products_User_Guide_Chapter.html#wp1031191
    3) https://supportforums.cisco.com/message/3581951#3581951
    Thks and Rgds

  • How to map user-defined fields in XML communication on SRM site

    Hi All!
    We use the External sourcing scenario and we transfer requirements from ERP to SRM through XI (PurchaseRequestERPSourcingRequest_In).
    We should transfer the user-defined fields, but we cannot map them on the SRM side.
    We have enhanced the enterprise service in XI and have implemented BADI PUR_SE_PRERPSOURCINGRQCO_ASYN on the ERP side.
    I see the XML message with our z-fields in transaction SXI_MONITOR (into SRM), but I cannot find it in BBP_PDISC.
    We tried to use BADI BBP_SAPXML1_IN_BADI (there is no method for SC) and BADI /SAPSRM/BD_SOA_MAPPING (z-fields are empty).
    Can someone tell how to map user-defined fields for SC?
    Thanks in advance
    Evgeny Ilchenko

    Hello, Julia
    We have found the solution to our problem.
    We have enhanced the standard service in a new enhancement namespace and defined our own enhancement elements in our namespaces. Then these enhancement elements referred to the SAP standard Enterprise Service.
    But in our new interfaces there were different XML namespaces.
    When we had corrected the error we could use the following BADIs:
    on ERP site: PUR_SE_PRERPSOURCINGRQCO_ASYN
    on SRM site: /SAPSRM/BD_SOA_MAPPING
    BR,
    Evgeny

  • HT3867 cannot get my wifi to work in any other location than my home. How do I get it to work in other locations?

    cannot get my wifi to work in any other location than my home. How do I get it to work in other locations?

    What happens at those other locations? Error messages?
    Do other devices connect to those other locations?
    What kind of networks are they?

  • How can I telnet or get access to other LAN members in the LAN without using third party software?

    I have admin access to the main router in our LAN, so how can I telnet or get access to other LAN members in the LAN without using third party software?
    It's a Linksys 3500 router and I log in as admin using the gateway address in the address bar.
    I want to access the C drive of my colleague in the same subnet in the same office and I know his IP address, but he has not configured telnet to accept requests. So without it, how can I open his telnet port and access him?

    I think you are using the wrong terminology. You can browse the hidden share of any pc if you know the ip and have a valid user account on the pc by typing in the following \\computername\c$ or \\ipaddress\c$ . It should prompt you for a user account. You may have to allow this through the windows firewall (or disable it completely).

  • I have admin access to the main router in our LAN, so how can I telnet or get access to other LAN members in the LAN without using third party software?

    I have admin access to the main router in our LAN, so how can I telnet or get access to other LAN members in the LAN without using third party software?
    It's a Linksys 3500 router and I log in as admin using the gateway address in the address bar.
    I want to access the C drive of my colleague in the same subnet in the same office and I know his IP address, but he has not configured telnet to accept requests. So without it, how can I open his telnet port and access him?

    Duplicate post. 

  • Cisco ISE: How to identify/inactive old users?

    Hello,
    I want to get all users / MAC addresses which haven't connected to our network in 180 days.
    How can I query that?
    The report "Dormant Users" doesn't seem to be the right way: it displays currently associated users which are inactive...
    How can I purge Cisco ISE, cleaning it of useless, old, inactive MAC addresses?
    Thank you very much for any answer

    The only thing I could find was purging data in the MNT node. The default is 90 days. This doesn't apply because the profiles are stored on the policy node. I don't think you can in an automated form.
    You could change the MNT to purge after 210 days and then run a report to see which MACs have not authc'd in the past 180 days. That will require Excel and some scripting.
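    The scripting step the reply above leaves to the reader, as an added example that is not part of the thread: it takes a constructed endpoint-database export and a constructed authentication-report export (column names are assumptions), normalises the mixed MAC spellings such exports contain, and lists the known endpoints with no passed authentication in the last 180 days. It refuses to run when the MnT retention is shorter than the lookback window, since purged records would otherwise make every endpoint look dormant.

```python
import csv
import io
import re
from datetime import datetime, timedelta

# Constructed sample data (not from a real ISE deployment; column names assumed):
# KNOWN_ENDPOINTS stands in for an endpoint-database export, REPORT for an
# authentication report export, in the MAC spellings such exports tend to mix.
KNOWN_ENDPOINTS = ["AA:BB:CC:DD:EE:01", "AA-BB-CC-DD-EE-02", "aabb.ccdd.ee03", "AABBCCDDEE04"]
REPORT = """\
calling_station_id,logged_at,status
AA:BB:CC:DD:EE:01,2014-01-05T08:00:00,Pass
aa-bb-cc-dd-ee-01,2014-06-20T09:30:00,Pass
aabb.ccdd.ee02,2013-11-01T10:00:00,Pass
AA:BB:CC:DD:EE:03,2014-06-25T11:00:00,Fail
"""

def normalize_mac(raw):
    """Collapse colon, dash, Cisco dotted and bare forms to AA:BB:CC:DD:EE:FF."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).upper()

def last_success_by_mac(report_text):
    """Latest passed authentication per endpoint; failures do not count as use."""
    seen = {}
    for row in csv.DictReader(io.StringIO(report_text)):
        if row["status"] != "Pass":
            continue
        mac = normalize_mac(row["calling_station_id"])
        when = datetime.fromisoformat(row["logged_at"])
        if mac not in seen or when > seen[mac]:
            seen[mac] = when
    return seen

def dormant_endpoints(known, report_text, now, days=180, retention_days=90):
    """Known MACs with no passed authentication within `days` before `now`.
    retention_days is the MnT purge window (90 by default); if it is shorter
    than the lookback, purged records would make endpoints look dormant."""
    if retention_days < days:
        raise ValueError(f"MnT retention {retention_days}d < window {days}d")
    cutoff = now - timedelta(days=days)
    seen = last_success_by_mac(report_text)
    return sorted(m for m in map(normalize_mac, known)
                  if m not in seen or seen[m] < cutoff)

def run_example():
    """Constructed data evaluated at a constructed 'now', with retention raised to 210."""
    return dormant_endpoints(KNOWN_ENDPOINTS, REPORT, datetime(2014, 7, 1), 180, 210)
```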

  • Cisco ISE - EAP-TLS - Machine / User Authentication - Multiple Certificate Authentication Profiles (CAP)

    Hello,
    I'm trying to do machine and user authentication using EAP-TLS and digital certificates. Machines have certificates where the Principal Username is SAN:DNS; user certificates (smartcards) use SAN:Other Name as the Principal Username.
    In ISE, I can define multiple Certificate Authentication Profiles (CAP). For example CAP1 (Machine) - SAN:DNS, CAP2 (User) - SAN:Other Name.
    The problem is, how do you tell ISE to check both in the Authentication Policy? The Identity Store Sequence only accepts one CAP, so if I created an authentication policy for Dot1x to check CAP1 -> AD -> Internal, it will match the machine cert but fail on the user cert.
    Any way to resolve this?
    Thanks,
    Steve

    You need to use the AnyConnect NAM supplicant on your Windows machines, and use the feature called EAP chaining for that; Windows' own supplicant won't work.
    An example (uses user/pass though, but same concept):
    http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/howto_80_eapchaining_deployment.pdf

  • How to Map user in EP 7

    Hi
    I am using EP 7. In the user mapping for system access tab I got the IDES system which I have configured. My doubt is: in the Mapping Data option, which user ID and password do I need to mention?
    Is it the portal user ID and password, or
    the R3 user ID and password?
    If it is the portal user ID and password, where should I mention the R3 user ID and password?
    I am using the user mapping type UIDPW.
    Please help me...
    Regards
    Sowmya

    Hi,
    Hope that is not a problem with the system but with permissions. Have a look at these threads.
    1) Some Users Can Not Select System
    2) Problem in viewing the various systems.....
    3) http://help.sap.com/saphelp_nw04s/helpdata/en/15/74ce1925fe4fe6a058dec056ef5f6f/frameset.htm
    Check the line "Map users with VC Role to a user with read permissions to the required back-end system."
    4) Not getting the Systems while clicking "Select Data Services"
    Regards,
    Harini S

  • Cisco ISE: How to match an endpoint belong to an identity group ?

    Hello,
    I am running Cisco ISE 1.1.4.218 in a standalone environment.
    I am trying to setup Compound Condition for Authorization.
    I would like the condition to match the MAC address of the calling machine to the internal endpoint MAC address list.
    I created 1 endpoint identity group and 2 children groups
    - GroupParent
         - ChildA
         - ChildB
    I put the MAC address of my machine in the group ChildA.
    In my condition, I tried the following:
    IdentityGroup:Name, Equals, ChildA
    IdentityGroup:Name, Equals, GroupParent:ChildA
    IdentityGroup:Name, Match, .*(ChildA).*
    I even tried to put the MAC address in the GroupParent level and tried to update the condition to be:
    IdentityGroupName, Equals, GroupParent
    IdentityGroupName, Match, .*(GroupParent).*
    But none of these options worked.
    I am almost sure that in Cisco ISE 1.1.1 it was working fine. But I updated today to 1.1.4 and I cannot make it work.
    Can anyone help me?
    Best regards,
    David

    You could try the following to match only the parent group:
    IdentityGroup:Name EQUALS GroupParent
    You could try the following to match only child group A:
    IdentityGroup:Name EQUALS GroupParent#ChildA
    You could try the following to match all child groups of GroupParent:
    IdentityGroup:Name STARTS_WITH GroupParent
    Please rate if this helps
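    An added example (not from the thread) that models the two authorization questions on this page together: the opening post's wish to compare NAS-ID against the user's identity group, which ISE cannot express as one attribute-to-attribute condition, and the hierarchical GroupParent#ChildA group names the answer above uses. Each facility gets one permit rule ANDing a NAS-Identifier EQUALS condition with an anchored MATCHES on the group name, and anything unmatched falls through to deny. Facility names, group names and the NAS-Identifier values are constructed; the operator names mirror the ISE condition editor.

```python
import re
from dataclasses import dataclass

# Operators from the ISE condition editor that this example models.
OPERATORS = {
    "EQUALS": lambda actual, expected: actual == expected,
    "STARTS_WITH": lambda actual, expected: actual.startswith(expected),
    "MATCHES": lambda actual, expected: re.search(expected, actual) is not None,
}

@dataclass(frozen=True)
class Rule:
    name: str
    conditions: tuple   # ((attribute, operator, value), ...) joined with AND
    result: str         # authorization profile, e.g. "PermitAccess"

def matches(rule, request):
    """All conditions must hold; a missing attribute never matches."""
    return all(OPERATORS[op](request.get(attr, ""), value)
               for attr, op, value in rule.conditions)

def authorize(rules, request, default="DenyAccess"):
    """First-match, top-to-bottom evaluation like an ISE authorization policy."""
    for rule in rules:
        if matches(rule, request):
            return rule.result
    return default

def facility_rules(facilities):
    """One permit rule per facility: NAS-ID of facility X AND an identity group
    that is Facilities#X or any child of it (the anchored regex keeps
    Facilities#FacilityA from also matching a Facilities#FacilityAB group)."""
    return [Rule(name=f"{f}-users-at-{f}",
                 conditions=(("NAS-Identifier", "EQUALS", f),
                             ("IdentityGroup:Name", "MATCHES",
                              rf"^Facilities#{re.escape(f)}(#.*)?$")),
                 result="PermitAccess")
            for f in facilities]

# Constructed facility names; in ISE the NAS-Identifier comes from the WLC AP group.
RULES = facility_rules(["FacilityA", "FacilityB"])

def decide(nas_id, group_name):
    """Evaluate a constructed RADIUS request carrying the two attributes."""
    return authorize(RULES, {"NAS-Identifier": nas_id,
                             "IdentityGroup:Name": group_name})

if __name__ == "__main__":
    print(decide("FacilityA", "Facilities#FacilityA#Staff"))  # PermitAccess
    print(decide("FacilityB", "Facilities#FacilityA#Staff"))  # DenyAccess
```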

  • How to import user profiles from external sources(other than AD) into SharePoint

    Hi,
    I want to import user profiles from external sources other than AD.
    Badri

    You have to use BCS for importing the profiles,
    Check the following link with explanations
    http://msdn.microsoft.com/en-us/magazine/ee819133.aspx
    Please mark it as answer if this reply helps you in resolving the issue. It will help other users facing a similar problem.

  • Workset validation and restricted access to other workset based on first

    Hi All,
    I have a requirement in which I need to allow other worksets in ESS to be accessed only if one workset, "Personal Information", is completed.
    In this workset, there is an iView "Certify Own Data". In this iView there are a couple of checkboxes which need to be ticked and saved. These checkboxes will automatically be checked when the user enters the required data in other related iViews such as "Address", "Family Details", "Communications" etc.
    Could someone please suggest how to achieve this functionality. Do I need to develop a new application, or can I achieve this functionality by just maintaining some kind of iView validation?
    An early response would be much appreciated.
    Thanks
    Uday

    Hi
    In your case, if your users are limited users then no worries...
    They cannot open it with their license...
    Only a "Super user" can do that...
    OR
    You can restrict the other users by giving 'Authorisations'.
    Go to Administration -> System Initialisation -> Authorisation -> General Authorisation.
    Now select the users to whom you want to restrict the access, and on the right hand side you can see "Customization tools".
    You can set "No authorisation" for Customization tools for that particular user and update it...
    So that he cannot do anything with the user-defined windows.
    Edited by: kambadasan on May 25, 2011 2:21 PM

  • CISCO ACS, How to Limit User Session ?

    Hi Guys,
    hope you would help me,
    how do I limit the user session in ACS 5.x?
    I'm aware of the menu at
    Access Policies > Max User Session Policy > Max Session Group Settings
    I already set the global value to 1, Max Session for User in Group to 1, and Max Session for Group to 1.
    So it means the user could only open 1 connection at the same time, right?
    The problem: it didn't work.
    I have 1 ACS 5.5
    2 Cisco routers running Cisco IOS Software, 3700 Software (C3725-ADVENTERPRISEK9-M), Version 12.4(15)T13, RELEASE SOFTWARE (fc3)
    (let's call them R1 and R2)
    I'm trying to telnet to both of them at the same time, and it works (it means the session limit didn't work, cmiiw).
    I already included:
    radius-server attribute 44 include-in-access-req
    radius-server host 192.168.217.98 auth-port 1645 acct-port 1646 key somekey
    on the line vty:
     accounting connection acs
     login authentication acs
    Am I missing something?
    Also, does this feature work on TACACS+ too?
    Thanks,

    Dash,
    You can leverage the group mapping feature where members of a certain AD group are mapped to a local group in ACS with the max sessions defined.
    http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-3/user/guide/acsuserguide/access_policies.html#pgfId-1162308
    Thanks,
    Tarik Admani

  • Cisco ISE: How to add a description of an Internal Endpoint

    Hello,
    In ACS 5, when adding an Internal Host, we could add a description of the host in addition to the MAC address.
    In ISE, there is no such description field available. It is present for Internal Users but not for Internal Hosts.
    How can we add a description of a MAC address device?
    Many thanks,
    David

    Is this what you are looking for? If not, let me know.

  • Cisco ISE (Authentication failed: 24415 User authentication against Active Directory failed since user's account is locked out)

    Hi,
    I have a setup with ISE 1.1.1. Users are getting authenticated against AD. Everything is working fine except some users report disconnection. I see in the ISE that (Authentication failed: 24415 User authentication against Active Directory failed since user's account is locked out). Users are using the Windows 7 OS.
    Error is enclosed & here is the port configuration.
    Port Configuration.
    interface GigabitEthernet0/2
    switchport access vlan 120
    switchport mode access
    switchport voice vlan 121
    authentication event fail action next-method
    authentication event server dead action reinitialize vlan 120
    authentication event server alive action reinitialize
    authentication host-mode multi-auth
    authentication order mab dot1x
    authentication priority dot1x mab
    authentication port-control auto
    authentication periodic
    authentication timer reauthenticate server
    mab
    dot1x pae authenticator
    dot1x timeout tx-period 60
    spanning-tree portfast
    ip dhcp snooping limit rate 30
    Please help.

    The error message means that the Active Directory server rejected the authentication attempt
    as for some reason the user account got locked. I guess you should ask your AD team to check in the AD
    event logs why the user account got locked.
    Under Event Viewer, you can find it out.
    Regards
    Minakshi (Do rate the helpful posts)
