Deauthenticate User on WLC w/ ISE for Testing

ISE v1.1.1.268
WLC v7.2.110.0
We have a wireless deployment using ISE and WLCs configured for LWA. Seeing that CWA has fewer "moving parts", I was trying to migrate to that. When testing my deployment under LWA, I could de-authenticate a user simply by finding the association on the WLC and removing it. Then, when that device reconnected to the WLAN, it would prompt them for credentials through the WebAuth pages.
After configuring a WLAN for CWA, I noticed that when I remove an association from the WLC in the same manner, the user never gets redirected to the WebAuth pages upon reconnecting to the WLAN. I'm assuming this is because the authentication takes place on the ISE server rather than on the WLC (as in LWA mode), so the authentication is still active (since I only removed the association on the WLC).
I looked around on ISE, but couldn't find a place to view active user authentications let alone remove those authentications. Can this be done? It'd be great for testing to make sure the WebAuth pages function as I need them to.
I used this guide to set up CWA: https://supportforums.cisco.com/docs/DOC-26442. The only exception to following that guide is that I used an authorization profile that sets the auth timeout to 36000 seconds.

I don't have profiler.
I can see all of the profiled endpoints, however. I've tried removing the endpoint I was testing with, but it doesn't help. When the client reassociates, the Policy Manager State goes straight to run even though ISE has only responded with the initial Authorization profile and not the CoA.

Similar Messages

  • How to automatically create users' mailboxes with content for test purposes?

    Hi all!
    Please tell me how I can imitate Outlook users' activity. As a result I need 10...200 mailboxes with 100-200 elements (mail, calendar events, meeting requests, etc.) and up to 100 MB size for each mailbox. It is needed for creating a test environment.
    Maybe some script or programs?

    You can use the LoadGen tool from MS for simulating load on your Exchange servers for various access methods. You can find it at the link below.
    http://www.microsoft.com/en-in/download/details.aspx?id=40726
    Abhijeet D

  • A Solution for Enabling Sandbox activation by non admin users for testing (OIM 11gr2 PS2)

    I just wanted to post what I came up with as a solution to the problem of not being able to test the effects of sandbox changes for non-admin level users prior to their publication. We are constantly making changes to the UI through sandboxes; the problem is that rolling a sandbox back isn't easy, and we cannot be sure of the effects they will have on non-administrative users until they are published, since the out-of-the-box sandbox link isn't available to non-Sysadmin level users.
    To allow these non admin user accounts to test the effects of sandbox changes in our development environment, I did the following (as always, follow at your own risk):
    Create and activate a new sandbox.
    Close all open tabs (including the Home and Sandbox tabs) and click the "Customize" link.
    Click the view -> source drop down in the upper left.
    After the source is visible, click the Accessibility or Sandbox link to find the area that you will add the new "UserSandboxTest" (call it whatever you want) link.
    Add a new commandImageLink directly in the panelGroupLayout: horizontal item before the "switcher" item (see the UserSandboxLink in my screen shot below):
    Edit the Link you just inserted, Entering whatever you want the link to display as in your browser in the "Text" field.
    Export the sandbox.
    Unzip the exported sandbox and navigate to the IdmShellV2.jspx.xml (path should be: \templates\mdssys\cust\site\site).
    Edit the IdmShellV2.jspx.xml file and find the new item you added in step 5.
    Add the following to the commandImageLink xml item: actionListener="#{pageFlowScope.uiShell.context.launchSandboxes}" rendered="#{oimcontext.currentUser.roles['SANDBOX_USER'] != null}".  Note: I used a new custom enterprise role, SANDBOX_USER, to control the display of the new link, You should substitute whatever EL conditions you need in the rendered property.
    Save your IdmShellV2.jspx.xml file and zip the contents back up, just like you would for any other customization.
    Import your newly edited sandbox back into the target environment.
    Publish the sandbox.
    This seems to work great for allowing us to test other sandbox changes effects on different types of users. 

    On step 10, adding the check to determine if the user should have access to the role ended up breaking access to the unauthenticated pages like the self registration page and the forgot userid/user login pages.  Non-authenticated users cannot execute the method to return the role, so that fails which leaves the page not loading.  To correct this I changed the rendered property to rendered="#{securityContext.authenticated}".  This prevents the link from displaying on non authenticated pages, but displays for anyone else who's logged on.  We only plan on using this in our development environment where no one but developers and system admins have access anyway, so it's not an issue that everyone will see the link.  I wouldn't recommend putting this in an environment where end users will be logging in and testing without developing a method (or finding another way to limit the display) that can be called by unauthenticated users to prevent them from seeing the link.

  • Using ISE for guest access together with anchor controller WLC in DMZ

    Hi there,
    I set up a guest WLAN in our LAB environment. I have one internal WLC connecting to an anchor controller in our DMZ. I'm using the WLC integrated web-auth portal, which works fine.
    To gain more flexibility regarding guest account provisioning and reporting my idea is to use Cisco Identity Services Engine (ISE) for web-authentication. So the anchor controller in the DMZ would redirect the guest clients to the ISE portal.
    As the ISE is located on the internal network while the guest clients end up in the DMZ network this would mean that I have to open the web-auth portal port of ISE for all guest client IPs in order to be able to authenticate.
    Does anyone know of a better solution for this ? Where to place the ISE for this scenario, etc ?
    Thx
    Frank

    So I ran into a similar scenario on a recent deployment:
    We had the following:
    WLC-A on private network (Inside)
    ISE Servers ISE01 and ISE02 (Inside)
    WLC-B Anchor in DMZ for Guest traffic (DMZ)
    ISE Server 3 (DMZ)
    ISE01 and ISE02 are used for 802.1X for the private network WLAN.
    Customer does not allow guest traffic to move from a less secure network to a more secure network (Compliance reasons).
    The foreign controller (WLC-A) must handle all L2 authentication and it must use the same policy node that the clients will hit for web auth. Since we want to do CWA, we use MAC filtering with ISE as the RADIUS server. If you send this RADIUS authentication traffic for MAC filtering to ISE01/ISE02, it will use https://ise01.mydomain.com/... as the URL to redirect the client to. Since we don't allow traffic to traverse from the DMZ with the anchor in it back inside to the network where ISE01 and ISE02 are, client redirection fails. (This was a limitation of ISE 1.1. Not sure if this persists in 1.2 or not.)
    So what now? In our deployment we decided to use a 3rd ISE policy node (ISE03 in the DMZ) for guest authentication from the foreign controller, so that the client will use a DNS name of https://ise03.mydomain.com/... to redirect to. Once the session is authenticated, ISE03 will send a CoA back to the foreign controller which will remove the redirect for the session. Note, you do have to allow ISE03 to send a CoA.
    In summary, if you can't allow guest traffic to head back inside the network to hit the CWA portal, you must add a policy node in a DMZ to use for the CWA portal so they have a resolvable and reachable policy node.

  • WLC, FlexConnect, ISE: Dynamic VLAN not working

    Hi,
    Not sure if this is a WLC or ISE problem, but since I am unsure of the WLC config I will try here first.
    Equipment:
    WiSM2 7.2.111.3
    ISE 1.1.1.268
    AP 3502 in FlexConnect
    What I want to achieve:
    One SSID, multiple VLAN
    Devices get profiled in ISE and, based on the type of device, each gets assigned to a VLAN
    Problem:
    When the device connects the first time it ends up in native VLAN and not switched to the right VLAN, but when I reconnect then it is added to the right VLAN.
    WLC config (I know you like images so here you go ):
    I must be missing something but I can't figure out what. I will be attaching a debug aaa event enable for when the client connect the first time.
    In ISE I have an Authorization Profile that just says VLAN ID/Tag 158 (the VLAN that the device should go to) and it is added to the Authorization rule of the profiled device. CoA is set to Reauth.
    When the client connects I get three events in ISE:
    1.
    Authentication failed :
    22056 Subject not found in the applicable identity store(s)
    2. Authentication Success. With the results:
    UserName=00:18:DE:A2:BC:3A
    User-Name=00-18-DE-A2-BC-3A
    State=ReauthSession:c20e8b2f0000027e50ed27f8
    Class=CACS:c20e8b2f0000027e50ed27f8:ISE01/144259326/671335
    Termination-Action=RADIUS-Request
    Tunnel-Type=(tag=1) VLAN
    Tunnel-Medium-Type=(tag=1) 802
    Tunnel-Private-Group-ID=(tag=1) 158
    cisco-av-pair=profile-name=AX-Intel-Device
    3.
    Dynamic Authorization failed :
    11213 No response received from Network Access Device
    Has anyone got this to work? Do I need to add FlexConnect groups? If so then why?
    Regards,
    Philip

    I think you're hitting CSCua58554
    The bugtoolkit description is horrible.... From what I recall when I ran into it, I believe that FlexConnect is having a problem with MAC filtering based AAA override on open WLANs (and/or CWA based). In general, AAA override works fine when it is from something like an EAP authentication.
    We had to use a 7.3 ES to resolve it.....
    Looks like it is implemented in 7.4 though..... If you don't want to join the 7.4 bandwagon quite yet, you could ask TAC for an ES of 7.3; I don't think they have a 7.2 build.

  • Cisco WLC 2504 webportal for Server 2008 R2 DC LDAP or RADIUS

    Hi, friends.
    I want my mobile or notebook clients connecting to wireless to use my domain users; the Cisco WLC 2504 should authenticate via LDAP or RADIUS to our Windows Server 2008 Domain Controllers.
    Questions:
    1. I can use one Organizational Unit of my domain, such as cn=use01,ou=test,dc=lzh,dc=com. Now only user01 can log on through the web, but how do I make all my domain users able to log in through the web?
    2. Should I use RADIUS authentication or LDAP authentication to do web authentication? Which is better?
    3. When I specify a child OU, the users in the OUs above it cannot log on.

    Hi Scott Fella,
    Thank you, I am very happy to receive your reply. I finally got domain user binding with LDAP authentication working successfully. But you mentioned the combination with NPS; my RADIUS authentication did not succeed, and I do not know where the problem is.
    the err:
    <Event><Timestamp data_type="4">07/27/2014 18:33:36.845</Timestamp><Computer-Name data_type="1">PDC-CQ</Computer-Name><Event-Source data_type="1">IAS</Event-Source><User-Name data_type="1">11</User-Name><Service-Type data_type="0">1</Service-Type><NAS-IP-Address data_type="3">10.10.10.253</NAS-IP-Address><NAS-Port data_type="0">1</NAS-Port><NAS-Identifier data_type="1">WLC-CNNEWCITY</NAS-Identifier><NAS-Port-Type data_type="0">19</NAS-Port-Type><Vendor-Specific data_type="2">00003763010600000001</Vendor-Specific><Calling-Station-Id data_type="1">10.12.0.11</Calling-Station-Id><Called-Station-Id data_type="1">10.10.10.253</Called-Station-Id><Client-IP-Address data_type="3">10.10.10.253</Client-IP-Address><Client-Vendor data_type="0">0</Client-Vendor><Client-Friendly-Name data_type="1">WLC</Client-Friendly-Name><Proxy-Policy-Name data_type="1">Use Windows authentication for all users</Proxy-Policy-Name><Provider-Type data_type="0">1</Provider-Type><SAM-Account-Name data_type="1">CNNEWCITY\11</SAM-Account-Name><Class data_type="1">311 1 10.10.10.1 07/27/2014 09:41:28 5</Class><Authentication-Type data_type="0">1</Authentication-Type><NP-Policy-Name data_type="1">Connections to other access servers</NP-Policy-Name><Quarantine-Update-Non-Compliant data_type="0">1</Quarantine-Update-Non-Compliant><Fully-Qualifed-User-Name data_type="1">cnnewcity.com/user/test/11</Fully-Qualifed-User-Name><Packet-Type data_type="0">1</Packet-Type><Reason-Code data_type="0">0</Reason-Code></Event>
    <Event><Timestamp data_type="4">07/27/2014 18:33:36.845</Timestamp><Computer-Name data_type="1">PDC-CQ</Computer-Name><Event-Source data_type="1">IAS</Event-Source><Class data_type="1">311 1 10.10.10.1 07/27/2014 09:41:28 5</Class><Fully-Qualifed-User-Name data_type="1">cnnewcity.com/user/test/11</Fully-Qualifed-User-Name><Quarantine-Update-Non-Compliant data_type="0">1</Quarantine-Update-Non-Compliant><Client-IP-Address data_type="3">10.10.10.253</Client-IP-Address><Client-Vendor data_type="0">0</Client-Vendor><Client-Friendly-Name data_type="1">WLC</Client-Friendly-Name><Proxy-Policy-Name data_type="1">Use Windows authentication for all users</Proxy-Policy-Name><Provider-Type data_type="0">1</Provider-Type><SAM-Account-Name data_type="1">CNNEWCITY\11</SAM-Account-Name><NP-Policy-Name data_type="1">Connections to other access servers</NP-Policy-Name><Authentication-Type data_type="0">1</Authentication-Type><Packet-Type data_type="0">3</Packet-Type><Reason-Code data_type="0">66</Reason-Code></Event>
    Then, the two figures you gave, is that what you mean? And what is the meaning of Service-Type=Login?
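    The two IAS records above are the useful part of this thread: the first is the Access-Request (Packet-Type 1, Service-Type 1 which is "Login" per RFC 2865, Authentication-Type 1 which is PAP) and the second is the Access-Reject (Packet-Type 3) for the same Class value with Reason-Code 66. As an added example, not code from the thread, here is a small Python parser for the IAS XML log format that pairs each reject with its request by the shared Class attribute and decodes the numeric codes; the sample events are constructed from the fields shown above, and the code tables are a subset of the RADIUS and NPS value tables.

```python
"""Parse IAS/NPS XML-format RADIUS log events and explain rejects (added example)."""
import xml.etree.ElementTree as ET

# RADIUS Packet-Type values (RFC 2865 / RFC 2866).
PACKET_TYPES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
                4: "Accounting-Request", 5: "Accounting-Response"}
# RADIUS Service-Type values (RFC 2865); a WLC web-auth request uses Login.
SERVICE_TYPES = {1: "Login", 2: "Framed", 6: "Administrative"}
# IAS/NPS Authentication-Type codes as written in the XML log.
AUTH_TYPES = {1: "PAP", 2: "CHAP", 5: "EAP"}
# NPS reason codes (subset of Microsoft's NPS reason-code table).
REASON_CODES = {
    0: "Success",
    16: "Authentication failed due to a user credentials mismatch",
    48: "The connection request did not match any configured network policy",
    66: "The authentication method used is not enabled on the matching network policy",
}


def parse_ias_event(xml_line):
    """Return the <Event> attributes as a dict; data_type 0 fields become ints."""
    root = ET.fromstring(xml_line.strip())
    if root.tag != "Event":
        raise ValueError("not an IAS <Event> record")
    event = {}
    for child in root:
        text = (child.text or "").strip()
        is_int = child.get("data_type") == "0" and text.lstrip("-").isdigit()
        event[child.tag] = int(text) if is_int else text
    return event


def summarize(event):
    """Decode the numeric codes of one (possibly merged) event into readable fields."""
    ptype = event.get("Packet-Type")
    summary = {
        "packet": PACKET_TYPES.get(ptype, "Unknown(%s)" % ptype),
        "user": event.get("SAM-Account-Name") or event.get("User-Name"),
        "nas": event.get("NAS-Identifier") or event.get("NAS-IP-Address"),
        "client_ip": event.get("Calling-Station-Id"),
        "auth_type": AUTH_TYPES.get(event.get("Authentication-Type"), "Unknown"),
        "service_type": SERVICE_TYPES.get(event.get("Service-Type")),
        "policy": event.get("NP-Policy-Name"),
        "rejected": ptype == 3,
        "reason": None,
    }
    if ptype == 3:
        code = event.get("Reason-Code")
        summary["reason"] = (code, REASON_CODES.get(code, "see NPS reason-code table"))
    return summary


def find_rejects(lines):
    """Return summaries of Access-Rejects, merged with the request that shares their Class."""
    requests = {}
    rejects = []
    for line in lines:
        if not line.lstrip().startswith("<Event>"):
            continue  # skip non-event lines (e.g. headers or blank lines)
        ev = parse_ias_event(line)
        key = ev.get("Class")  # NPS writes the same Class on the request and its response
        if ev.get("Packet-Type") == 1:
            requests[key] = ev
        elif ev.get("Packet-Type") == 3:
            merged = dict(requests.get(key, {}))
            merged.update(ev)  # the reject carries Reason-Code; the request carries Service-Type
            rejects.append(summarize(merged))
    return rejects


# Constructed sample: the two records from the thread, trimmed to the relevant fields.
SAMPLE_LOG = [
    '<Event><Timestamp data_type="4">07/27/2014 18:33:36.845</Timestamp>'
    '<User-Name data_type="1">11</User-Name><Service-Type data_type="0">1</Service-Type>'
    '<NAS-IP-Address data_type="3">10.10.10.253</NAS-IP-Address>'
    '<NAS-Identifier data_type="1">WLC-CNNEWCITY</NAS-Identifier>'
    '<NAS-Port-Type data_type="0">19</NAS-Port-Type>'
    '<Calling-Station-Id data_type="1">10.12.0.11</Calling-Station-Id>'
    '<SAM-Account-Name data_type="1">CNNEWCITY\\11</SAM-Account-Name>'
    '<Class data_type="1">311 1 10.10.10.1 07/27/2014 09:41:28 5</Class>'
    '<Authentication-Type data_type="0">1</Authentication-Type>'
    '<NP-Policy-Name data_type="1">Connections to other access servers</NP-Policy-Name>'
    '<Packet-Type data_type="0">1</Packet-Type><Reason-Code data_type="0">0</Reason-Code></Event>',
    '<Event><Timestamp data_type="4">07/27/2014 18:33:36.845</Timestamp>'
    '<Class data_type="1">311 1 10.10.10.1 07/27/2014 09:41:28 5</Class>'
    '<SAM-Account-Name data_type="1">CNNEWCITY\\11</SAM-Account-Name>'
    '<NP-Policy-Name data_type="1">Connections to other access servers</NP-Policy-Name>'
    '<Authentication-Type data_type="0">1</Authentication-Type>'
    '<Packet-Type data_type="0">3</Packet-Type><Reason-Code data_type="0">66</Reason-Code></Event>',
]

if __name__ == "__main__":
    for r in find_rejects(SAMPLE_LOG):
        print("%s for %s from %s via %s (%s, %s): policy '%s', reason %s: %s" % (
            r["packet"], r["user"], r["client_ip"], r["nas"], r["auth_type"],
            r["service_type"], r["policy"], r["reason"][0], r["reason"][1]))
```

    Run against a real IAS XML log the same way by passing the file's lines to find_rejects; a PAP/Login reject with code 66 points at the matched network policy rather than at the user's credentials.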

  • ISE for Guest Auth but need traffic logs

    We have guests that visit our office and connect to the Guest WiFi. We want to implement ISE for the self-sign in portal. That would help us determine the user and have them accept the legal terms without involving IT.
    When a guest logs in and surfs the web, we want to track which websites they go to for legal purposes and hold that information for 18 months. I am not sure how I can achieve this second part.
    The guests may visit us 1 or 2 times every 6 months, so using WSA with AD auth, for example, would not be ideal, and that's why we like the ISE portal.
    We are using Cisco 5500 WLCs.
    Any help is appreciated.

    If your guests surf through an ASA firewall, you can send that firewall's syslog to ISE, and ISE will correlate the logs with the guest users that are logged in, so you can track activity in ISE. There is a report called something like "Guest Activity" where this will get collected.

  • [WLC - CWA] [ISE] WLAN Portal with Local Switching

    Description: Guest Portal ISE (WLAN) in a FlexConnect local switching environment.
    Problem: The communication stops every time we turn on the RADIUS NAC feature on the WLC.
    We are trying to use Central WebAuth in a FlexConnect environment, and so the procedure that we are using is the one available in the Cisco docs ( http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/116087-configure-cwa-wlc-ise-00.html ), but there's something occurring in my setup. I've configured the WLC and ISE step by step in accordance with that doc, but I can't establish communication whenever I turn on the RADIUS NAC feature in the WLC.
    All the ACLs were configured; I can see the ISE policy being sent to the client, but when the PC tries to establish the connection nothing leaves the PC (a simple ping was done). I've tried a bunch of setups to see if it was a misconfiguration or something else, but in the end, every time I turn on the NAC feature the end client loses all comms to anywhere.
    You can see in the following attachment the setup of the WLC and AP with FlexConnect groups (I've also tried without a group but the final result was the same).
    We are using a WLC 5500 with 7.6.120.0 ( http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-6/configuration-guide/b_cg76.html ) and the only thing I can find is a simple note stating:
    "Flex local switching with Radius NAC support is added in Release 7.2.110.0. It is not supported in 7.0 Releases and 7.2 Releases. Downgrading 7.2.110.0 and later releases to either 7.2 or 7.0 releases will require you to reconfigure the WLAN for Radius NAC feature to work."
    In the FlexConnect Feature Matrix, RADIUS NAC is supported in a local switching environment ( http://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/112042-technote-product-00.html?referring_site=RE&pos=3&page=http://www.cisco.com/c/en/us/support/docs/wireless/flex-7500-series-wireless-controllers/113605-ewa-flex-guide-00.html ), but what we've found out so far is the other way around.
    Another thing that we've found is that in the version 7.4 configuration guide ( http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-4/configuration/guides/consolidated/b_cg74_CONSOLIDATED/b_cg74_CONSOLIDATED_chapter_0110100.html#ID2372 ) Cisco says that "FlexConnect local switching is not supported."
    So, after seeing several docs, my question is: does Cisco support RADIUS NAC in a local switching environment?

    Viten,
    Thanks for the quick reply, but:
    a) what do you mean by webauth ( http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/116087-configure-cwa-wlc-ise-00.html )?
    b) When I say comms stop, I mean that I'm simply using ping as a test to see what happens on the client. Whenever I activate the RADIUS NAC feature, the end client (laptop) ceases all comms in a local switching environment.
    BR,
    DS

  • Webauth redirect through WLC not working for Mac OSX

    We have a WLC5508 set up to redirect guest users to an ISE for web authentication. We configured the FlexConnect ACLs and external authentication. It works when using Internet Explorer on a PC, or when connecting from an iOS device (iPad, iPhone). When trying to connect from a MacBook Pro or MacBook Air, I get prompted with the guest portal to log in, I type in my credentials, then I see a window pop up that is attempting to launch the redirect window. That window never fully comes up. I get prompted about the certificate being from an unsigned authority, and I select to trust always. If I disconnect and try reconnecting, I get the same problem.
    Any ideas on why this would be specific to OSX?

    I had a case where I wanted to set up something similar; I just wanted "passthrough" (disclaimer page) L3 security instead of some RADIUS authentication.
    If the WLC doing the authentication is an "Anchor" WLC, then the only L3 security setting that works is the "Authentication" under "WLAN->SSID->Security tab->Layer 3" tab and enabling web-policy. Since I don't know if you use an anchor WLC I can't say if you have the same problem as I did.
    I got this information from
    http://www.cisco.com/en/US/docs/wireless/controller/7.2/configuration/guide/cg_mobility.html#wp1233539 ; maybe you have something there that can help.

  • Ise failover test

    As part of an ISE implementation, I want to test ISE failover for Admin, MnT, and PSN personas.  Does anyone have an ISE failover test plan or ISE failover test best practices documentation to share?
    Thanks much,
    David Daverso

    Steps for Administration persona failover testing
    1. Stop ISE services on the Primary Admin
    Primary Admin# application stop ise
    2. Log in to the Secondary Admin GUI and manually promote it to Primary
    3. Wait 10-15 minutes for the process to complete
    4. Verify ISE services are up on the promoted Secondary Admin
    Secondary Admin# sh application status ise
    5. Promoted Primary Admin checks
    Deployment page shows all nodes green and in sync
    6. User testing to verify successful authentications and logging
    Note: After you promote your secondary Administration node to become the primary Administration node, you must reconfigure your scheduled Cisco ISE backups on the newly promoted primary Administration node, because scheduled backups are not replicated from the primary to the secondary Administration node.
    7. After step 6 testing is complete, restore the original Primary Admin
    8. Start ISE services on the original Primary Admin
    Primary Admin# application start ise
    9. Verify ISE services are up on the original Primary Admin
    Primary Admin# sh application status ise
    10. Promoted Primary Admin checks
    Deployment page shows the original Primary Admin green and in sync
    11. Stop ISE services on the Promoted Primary Admin
    Secondary Admin# application stop ise
    12. Log in to the original Primary Admin GUI and manually promote it to Primary
    13. Wait 10-15 minutes for the process to complete
    14. Verify ISE services are up on the original Primary Admin
    Primary Admin# sh application status ise
    15. Promoted Primary Admin checks
    Deployment page shows all nodes green and in sync
    16. User testing to verify successful authentications and logging
    Note: After you promote your secondary Administration node to become the primary Administration node, you must reconfigure your scheduled Cisco ISE backups on the newly promoted primary Administration node, because scheduled backups are not replicated from the primary to the secondary Administration node.
    17. Start ISE services on the original Secondary Admin
    Secondary Admin# application start ise
    18. Verify ISE services are up on the original Secondary Admin
    Secondary Admin# sh application status ise
    19. Primary Admin checks
    Deployment page shows the original Secondary Admin green and in sync
    20. User testing to verify successful authentications and logging

  • License for testing and production systems

    Hi Experts
    Can anyone help me out with implementing licenses in my B1 system?
    According to our contract we have licensed following user types:
    User Type                                        Licensed
    AddOn Access License                             25
    Professional User                                5
    Software Development Kit - Development Version   20
    We have the test/development system on one piece of hardware and the production system on different hardware. Please advise me how to request/allocate licenses for my test/development system and production system.
    We tried creating a test system in the SAP Marketplace and requested a license for the test system. While requesting a license for the production system, it was found that the license was exceeded. In other words, the development system license was also counted.
    Please advise me on the best practices for B1 license implementation.
    Thanks and regards
    Ajith G

    Hi,
    Our customer wants to keep the production data secure. Developers and consultants should not have access to it.
    Then you have only two options:
    1. Either you maintain a standalone B1 server for the developers and consultants to test their solutions and scenarios.
    2. Otherwise you can create users in SQL Studio for accessing only the test database.
    So, as per your requirement:
    All configurations and sample data will be kept in a test environment where developers and consultants can do their work. Once everything is correct, the Admin will do the transfer to production.
    Note: New users can be created in SQL Studio under Databases -> <Company Db> -> Security -> Users, then right-click -> New User.

  • P6 user name is not valid for connecting to the reporting database

    No data is available because your P6 user name is not valid for connecting to the reporting database
    I am getting above error in the following environment:
    P6 running on wls instance 1.
    BI Publisher running on wls instance 2
    MS SQL server 2005
    Note that the error appears when I click on the 'Reports' tab in P6. My admin user on P6 has access to the report/analyzer modules.
    To connect P6 to BI Publisher I am using 'PxRptUser' in the P6 configuration for Bi Publisher. I know as well that the WSDL URL is correct and I can test this in SoapUI tool.
    In BI Publisher I have created the PMDB data source using PxRptUser, and the test of this connection works.
    (Because the report samples come with Oracle flavoured SQL that SQL server does not like, I have configured BI Publisher so I have just a single report left that sources it data from an xml file. This works in BI Publisher. It also helps me in that I do not need to add 'WHERE' clauses and parameters required for SQL server?)
    Furthermore, using a DB tool, I can connect to my SQL server using PxRPTUser.
    So why do I get the error above?
    I picked up somewhere that I should not be adding users to BI Publisher. Funny enough, testing the 'login' method the BI Publisher exposes through its WSDL (as above) I noticed I HAD to create the user PxRptUser in BI publisher application itself (on top of PxRptUser in database) for the login web service to work with PxRptUser
    That did not solve the connection between P6 and BI Publisher though. What am I missing ...
    Edited by: user3674522 on 10/11/2011 20:16

    Thought I found something but can't replicate it, so the issue is still there:
    Had a look at the wls instance logs where BI publisher is running, and the error I get is:
    111111_023646955][][ERROR] javax.naming.NamingException: Unresolved naming: cn=admin, dc=user, dc=users, dc=principals at [cn=admin]
    That user, admin, is the one I have used to access P6. Why is this passed on to BI Publisher? I thought the idea was that the PxRptUser set in BI Publisher configurations in P6 would be used?
    Edited by: user3674522 on 10/11/2011 20:17

  • User defined function in java for message mapping

    I wrote the following user-defined function in Java for message mapping and mapped Vendor with it. The aim of this function is to write an error file at a defined path when I send an empty Vendor value from File to the RFC function module BAPI_PO_CREATE. The "err.txt" error file is not written when I execute in TEST, but the value "ERROR" is returned to the destination Vendor field.
    // Imports needed by this UDF (declared in the function's Imports field): java.io.FileWriter, java.io.IOException
    public String validation(String a, Container container) {
        // Empty Vendor: write an error file and return "ERROR" to the target field
        if (a.equals("")) {
            FileWriter f1 = null;
            try {
                String source = "Vendor cannot be empty";
                f1 = new FileWriter("/10.10.0.55/sapmnt/trans/edixiin/err.txt");
                f1.write(source);
            } catch (IOException e) {
                // Write failures (unreachable path, no permission) are swallowed here, as in the original
            } finally {
                // Always release the file handle, even if the write failed
                if (f1 != null) {
                    try { f1.close(); } catch (IOException e) { }
                }
            }
            return "ERROR";
        }
        // Non-empty Vendor passes through unchanged
        return a;
    }

    Hi Senthil,
    Check these things :
    1) Whether you have permission to create a file in that directory.
    2) try giving this 
    10.10.0.55
    sapmnt
    trans
    edixiin
    err.txt
    3) Also check for permissions.
    Hope this will help you.
    Regards
    Suraj

  • IDOC Scenario - User  has no RFC authorization for function group EDIN

    Hi all,
    I'm trying to configure an IDOC scenario from ECC to XI.
    RFCs, ports and destinations are already configured. In WE19 I'm creating an IDOC for testing the scenario. The IDOC is sent successfully, but it stops in the tRFC Monitor with the error "User PIRFCUSER has no RFC authorization for function group EDIN."
    Does anyone know what authorization is needed? The Basis team said the roles are the same as in the DEV environment, and there this scenario works fine.
    Thanks for your help.
    regards.
    Roberti

    Hi,
    Check whether the PIRFCUSER user has the right authorization or not.
    And make sure that this user is present in the system and is not locked.
    To check whether the user is present or not, go to SU01 on the system and check.
    Regards
    Seshagiri

  • How to use ISE for VPN auth

    Hello
    Looking for documentation on how to set up ISE to authenticate VPN users. Right now we are using ACS 4.2 to provide dACLs and authentication but would like to migrate this feature to ISE. We are using Microsoft AD.
    Any good docs, white papers, field notes, how-to that can address this issue will be appreciated.
    Thanks

    We use ISE for VPN (connected to OpenLDAP). On the authentication policy you have multiple options. We used the network access - device IP address option. On the Authorization tab we again used the IP address option in combination with an LDAP attribute holding the status of the person (student, teacher, admin, ...). On the policy elements tab we made some authorization profiles under Results - Authorization - Authorization Profiles. When you make a new profile you can select the ASA VPN attribute under Common Tasks. There you can, for example, insert admin.
    So if you have an admin user that wants to login:
    authentication: user found in ldap (or ad)
    authorization:
    -user is coming from asa ip address
    -user attribute is admin
    = user is authorized for the admin class on your asa vpn device.
