Cisco ISE: How to match an endpoint belong to an identity group ?

Similar Messages

• Cisco ISE - How to map User- Location - Restrict Access to other locations

  Hi,
  i've got a simple question and I hope someone here can help me out with this mess.
  The problem is about WLAN 802.1x Auth with Cisco WLC and a ISE.
  The design goal is the following:
  There are several branch facilities. A user belongs to only ONE facility. This user should not access the WLAN in other facilities.
  The technical design is this:
  Local WLC and/or central vWLC. In the datacenter is one ISE which must handle the auth-requests. The identity source of the users, where I add and manage them, should be the ISE itself for the first time, later I want to AD and LDAP sources.
  Here is the problem:
  I don't understand how I can create a ruleset or something else where I can define that a user of facility A can only login over APs, WLCs,.....in facility A and NOT facility B. Or maybe my design is so bad that I have to start from scratch.
  PLEASE HELP.

  I don't know but may be this is the correct way to validate the user:
  NAS-ID in AP-Groups (One AP-Group per facility) must match "12345" AND Identity-Group must match "12345".
  Iam confused because there is no way to compare these values. 
  In this case to compare the value of "NAS-ID" and die users "IDENTITY-GROUP".
  If they match against each other than "Permit-Access".

• Cisco ISE - Posturing of a Linux Endpoint - Is it possible?

  We have a customer who wants to implement Cisco ISE and one of their requests is to posture Linux endpoints in addition to Windows endpoints.
  They have a set of system checks that they perform on Linux machines (catered towards RedHat) which they would like to be performed by ISE.
  From what I know prior to researching for this request was that the NAC agent is only compatible with endpoints running Windows or Mac OSX.
  Digging around, Linux endpoints are postured with a 'default-posture' status and thus an accompanying authorization profile must be set for 'default-posture'. I can't seem to find how to perform file checks, service checks, etc. on a Linux endpoint. Are these type of checks possible with Cisco ISE posture assessment on a Linux endpoint?
  One item that I found is to use the Host Scan package within the AnyConnect Posture module on a Linux endpoint.
  I see this as defeating the purpose of centralizing posturing on the ISE since the AnyConnect and ASA will be doing the posture checking.
  Any thoughts? Thanks in advance.

  Hello Alberto, posture assessment is not yet supported with ISE/AnyConnect. For more info check out the posture section in the ISE 1.3 Admin Guide:
  http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/admin_guide/b_ise_admin_guide_13/b_ise_admin_guide_sample_chapter_010111.html
  Thank you for rating helpful posts!

• Cisco ISE: How to identify/inactive old users?

  Hello,
  I want to get all users / mac-adresses which haven't connected to out network since 180 days.
  How can I query that?
  The report "Dormant Users" dont seems to be the right way: it displays current associated users which are inactive...
  How can I purge Cisco ISE : cleaning it from useless, old, inactive mac-addresses?
  Thank you very much for any answer

  The only thing I could find was purging data in the MNT node.  The default is 90 days.  This doesnt apply because the profiles are store on the policy node.  I dont think you can in an automated form.  
  You could change the MNT to purge after 210 days and then run a report to see which macs have not authc in the passed 180 days.  That will require excel and some scripting.

• Cisco ISE: How to add a description of an Internal Endpoint

  Hello,
  In ACS 5, when adding an Internal Hosts, we could add a description of the host, in addition to the MAC address.
  In ISE, there is no such description field available. However, it present in the Internal User but not in Internal Hosts.
  How can we do to add description of MAC address device ?
  Many thanks,
  David

  is this what you are looking for , if not let me know

• Cisco ISE 1.2 and Symantec Endpoint Protection

  Hi Experts,
  Good Day!
  I'm just wondering if ISE 1.2 is able to detect an application/software in a laptop like the Symantec Endpoint Protection before giving the user an access to the network? Is it possible?
  I tried to searched over the internet however, I can't find any documentation about it.
  Thank you for your support.
  Cheers,
  Niks

  hello ,have you checked posturing service of ISE , with ISE posture service enabled you can check Antivirus Installation , Antivirus Version/ Antivirus Definition Date etc . Check the following link for different Posture Assessment Options  available
  http://www.cisco.com/en/US/partner/docs/security/ise/1.2/user_guide/ise_pos_pol.html#wp2276381

• WLS 7.0 - Admin Console - how to list what users belonging to a given group?

  Hi folks,
  Just installed wls7.0, start the example server and admin console, created a user
  and added into Operator group. But from the Operator Group pane, I cannot find a
  way to show all the users in a group. Any ideas?
  TIA
  chuck

  You can use JMX to list users
  http://weblogic-wonders.com/weblogic/2010/11/10/list-users-and-groups-in-weblogic-using-jmx/

• Cisco ISE doesn`t send packets to AD

  Hello!
  I`ve tried to configure authentication through AD. Intergation Cisco ISE with AD is successful and I can retrive all groups from AD. I`ve configured dot1X authentication (Policy>Authentication) to use at first AD, then Internal Users.I`ve configured the rule for one group in authorization policy (Policy>Authorization), I`ve added this group from AD (Administration> Identty Management> External Identity Sources> Active Directory> Groups).
  When the user tries to connect to LAN and enters credentials from AD, Cisco ISE always uses only Internal Identity Source and doesn`t try to seach user in AD.  I don`t see any packets to AD in Operations>Authentication and TCP Dump, Cisco ISE only checks Internal Identity Source.
  Does anybody know how to solve this problem?
  Thank you!

  Problem was in wrong configuration Authentication.
  Now I have the folowing problem, ISE can`t authenticate wired guest user through Central Web Access.
  Guest Portal sends message about succeful authentication and after that redirect again in Guest Portal.
  I have two rules in Policy>Authorization (attach: Auth).
  In Operations>Authentication I see folowing (attach: Guest)
  In defaultguestportal I have "Both" authentication and sequence from 3 Identity Stores (Intetnal Users, Internal Endpoint, AD)

• Cisco ISE User support

  In ISE-3355 Platform when we say it supports between 500 and 1000 concurrent users, is it the concurrent user session or authentication or what exactly it is?

  Hi,
  You can use the global search box available at the top of the Cisco ISE home page to search for endpoints. You can use any of the following criteria to search for an endpoint:
  •User name
  •MAC Address
  •IP Address
  •Authorization Profile
  •Endpoint Profile
  •Failure Reason
  •Identity Group
  •Identity Store
  •Network Device name
  •Network Device Type
  •Operating System
  •Posture Status
  •Location
  •Security Group
  •User Type
  You should enter at least three characters for any of the search criteria in the Search field to display data.
  The search result provides a detailed and at-a-glance information about the current status of the endpoint, which you can use for troubleshooting. Search results display only the top 25 entries. It is recommended to use filters to narrow down the results.

• Cisco ISE and ATA 188 profiling.

  I have tried to profile cisco ATA 188 adapter, based on cdp attribute;
  Platform: Cisco ATA 188
  and assigned to a create a same identity group. I am not able to see device profiled according to identity group assigned. Instead of it its always assigned to "cisco - device" group.
  On cisco switch side, i am seeing device being in data domain instead of voice domain, but strange enough its getting ip address from voice dhcp pool. If dot1x configs are not applied on port device is getting ip address from voice vlan and working fine.
  Any suggestion for this case?

  Can you post a screenshot of the custom profiling policy that you configured?
  Also, what version of code do you run on the switch and ISE

• How Cisco ISE 1.2 Base licenses are consumed and tracks concurrent endpoint connected to network

  Hello
  I am interested to know how the cisco ISE 1.2 base licences are consumed. As the cisco ise 1.2 user guide "The Base License is consumed whenever an authentication notification is received by Cisco ISE."
  Based on the above statement i have following queries :-
  Radius being the UDP based request, its only during the time endpoint is authenticated and authorized the base license is consumed and then its is released. Then how does cisco ISE tracks the concurrent endpoints connected to the network.
  Thanks
  Kumar

  thanks for the reply Tarik.
  As I understand, you mean that a base license is consumed by every radius authentication request and then the license is free to be utilised again
  Also would this means if Radius accounting is turned off, then concurrent sessions will not be tracked.
  Thanks
  Kumar

• Cisco ISE - What does "Multiple Matched Rule Applies" mean?

  Hi,
  In Cisco ISE authroiztion policy configuration, what does the option "multiple matched rule applies" mean? I can understand the "first matched rule", but in "multiple matched rule" how is the "permissions picked if multiple rules match? Or, what is the logic involved in picking up the permissions, if multiple rules are matched in authorization policy.
  No where in cisco document I see any explaination for this.
  Would appreciate if any one can point me to  a document or explain me the login in selecting the persmissions if multiple rules are matched. Also, what would the use-case for this?
  Thanks and Regards,
  Mohan

  I agree with tarik & also this might be helpful for you:
  An authorization policy can  consist of a single rule or a set of rules that are user-defined. These  rules act to create a specific policy. For example, a standard policy  can include the rule name using an If-Then convention that links a value  entered for identity groups with specific condition(s) or attributes to  produce a specific set of permissions that create a unique  authorization profile. There are two authorization policy options you  can set:
  •First Matched Rules Apply
  •Multiple Matched Rule Applies
  These two options direct Cisco ISE  to use either the first matched or the multiple matched rule type  listed in the standard policy table when it matches the user's set of  permissions. These are the two types of authorization policies that you  can configure:
  •Standard
  •Exception
  Standard policies are policies  created to remain in effect for long periods of time, to apply to a  larger group of users or devices or groups, and allow access to specific  or all network endpoints. Standard policies are intended to be stable  and apply to a large groups of users, devices, and groups that share a  common set of privileges.
  Standard policies can be used as  templates in which you modify the original values to serve the needs of a  specific identity group, using specific conditions or permissions to  create another type of standard policy to meet the needs of new  divisions, or groups of users, devices, or groups in your network.
  By contrast, exception policies  are appropriately named because this type of policy acts as an exception  to the standard policies. Exception polices are intended for  authorizing limited access that is based on a variety of factors  (short-term policy duration, specific types of network devices, network  endpoints or groups, or the need to meet special conditions or  permissions or an immediate requirement).
  Exception policies are created to  meet an immediate or short-term need such as authorizing a limited  number of users, devices, or groups to access network resources. An  exception policy lets you create a specific set of customized values for  an identity group, condition, or permission that are tailored for one  user or a subset of users. This allows you to create different or  customized policies to meet your corporate, group, or network needs.
  http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_authz_polprfls.html

• Cisco ISE Active Endpoint Usage Reset

  Hi,
  I have a Cisco ISE running version 1.1 and I was wondering if it may be possible to reset the license usage/active endpoint shown on the dashboard? This was noticed after a restore of ISE due to replacement of hardware and I noticed that the license usage count/active endpoints does not seems to go down.
  The following methods have been tried however without any success:
  1. Reboot ise server/service
  2. Disable all network devices making use of ise such that there are no clients/devices accessing it; example switch/wlc/etc...
  3. Deleted all endpoints usage in identies/identies group
  4. Disable profiling on ise
  As the ise has been installed with a base license; not too sure if it may be either a bad restore (all service/application are working though) / bad radius accounting which does not timed out on the ise / etc...
  Any help is appreciated on how to reset the active endpoint/license usage.
  Thanks.                  

  Here is a method for removing the stale records. Please give this a try:
  http://www.cisco.com/en/US/docs/security/ise/1.1/api_ref_guide/ise_api_ref_ch2.html#wp1072950
  Thanks,
  Tarik Admani
  *Please rate helpful posts*

• Cisco ISE 1.1.4 Patch 7 (Internal Endpoint Mac Addresses Getting Disppeared)

  Hi Folks,
  I am having issue that mac addresses which we are trying to add under Internal Endpoint Group for MAB getting disappear automatically after few minutes. We tried multiple mac addresses but result same. We can see the mac address which we added earlier but new mac address getting disappear. Is there any limit to add mac address under Internal Endpoint. We have following licenses.
  L-ISE-ADV-1K-M=  Cisco ISE 1000 EndPoint Advanced + Base Migration License
  Thanks

  Tabish,
  We'll update the latest patch and then look for the work around from any one of our Cisco experts

• Cisco ISE Vs Cisco Anyconnect Posture module with Advanced Endpoint Protection

  We are planning to use cisco Anyconnect posture module with Adv Endpoint protection to examine the VPN users- This can check whether they a antivirus/anti spyware software installed on their work station and can force to update def file if its older than specified number of days, it can also check the firewall status on their workstation and enable if its not already.This can detect keylogger and emulation softwares also.
  Do we get any additional advantages in using ISE compared to Anyconnect posture module ......
  Siddhartha       

  These are good questions. We had them last year before we decided to purchase ISE, specifically for our VPN users.
  I will be watching this thread to see what kind of responses you get.
  As of right now, I can verify the ISE can indeed check if specific Anti-Virus is installed (i.e., your corporate AntiVirus), or if ANY (supported by Cisco within ISE) antivirus is installed, and it can force an update process for the AV if it detects that the DAT files are older than a admin specified amount of time.
  Our issue at the moment (if you haven't searched the forums) is ISE detected the proper WSUS updates are indeed installed on the users systems and allowing the users system to talk to our internal WSUS server.
  We are now wondering if the Advanced Endpoint licensing on the ASA would have been a better way to go.
  Wishing you luck in finding your answers for us all.
  Dirk