Double lookup possible in ISE 1.2 ?

I want to do MAB on a certain SSID and authenticate and register devices used in the SSID.
I managed to do that. If not "RegisteredDevice" then redirect to a portal where users can log in with an AD account and register their devices.
After registration, the device MAC is added to "RegisteredDevices" and the endpoint is profiled.
The ISE database contains an endpoint profile and this profile contains the property "BYODRegistration" = yes and "PortalUser" = the AD account xxx@ADdomain.
Now I want to link the state of the AD account to the database. When the user account is locked/expired/disabled, the device should be refused.
I wonder if it is possible to do the following:
MAB authentication occurs -> lookup MAC address in Registered Devices (=OK), lookup "Portal User" of device -> Query AD for this user, get property "UserAccountControl". Based on this property, I can determine if the account is still active. If yes -> allow access. If not -> refuse access, even if device is in "RegisteredDevices".
When I troubleshoot however, I notice that -when using MAB- ISE is trying the MAC address as username against AD and gets returned: "Unknown User", of course. Is there a way to use the linked "PortalUser" as username against AD instead of the MAC address?
[NOTE: I am fully aware that the proper way of doing this is through Client Provisioning and Certificates with a second SSID using 802.1x to authenticate certificates, but for now, I want to prevent pushing anything to the clients.......]

Too bad.
I wish Cisco had implemented a property like this: RegisteredDevices:PortalUser:IdentityAccessRestricted
(I am assuming PortalUser is an AD account here). Maybe a PER can help.....
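
The decision flow asked about in this thread, written out as an added example; it is not from the thread and is not ISE functionality, only the logic an external check would have to implement. The endpoint records, directory entries and the function names (`authorize_mab`, `account_problems`) are constructed for illustration. It reads lockout and password expiry from `msDS-User-Account-Control-Computed` and account expiry from `accountExpires`, because the stored `userAccountControl` value only reliably carries the disabled bit.

```python
from datetime import datetime, timezone

# Bit values from Microsoft's userAccountControl documentation.
UF_ACCOUNTDISABLE = 0x000002
UF_LOCKOUT = 0x000010           # live value only in msDS-User-Account-Control-Computed
UF_PASSWORD_EXPIRED = 0x800000  # live value only in msDS-User-Account-Control-Computed
NEVER = (0, 0x7FFFFFFFFFFFFFFF)  # accountExpires values that mean "no expiry"
EPOCH_DELTA = 11644473600        # seconds from 1601-01-01 to 1970-01-01


def to_filetime(dt):
    """datetime -> 100 ns ticks since 1601, the format of accountExpires."""
    return (int(dt.timestamp()) + EPOCH_DELTA) * 10_000_000


def account_problems(attrs, now):
    """Return the reasons an AD account must not be trusted right now."""
    uac = attrs.get("userAccountControl")
    if uac is None:                       # fail closed if the attribute is unreadable
        return ["userAccountControl not readable"]
    problems = []
    if uac & UF_ACCOUNTDISABLE:
        problems.append("disabled")
    computed = attrs.get("msDS-User-Account-Control-Computed", 0)
    if computed & UF_LOCKOUT:
        problems.append("locked")
    if computed & UF_PASSWORD_EXPIRED:
        problems.append("password expired")
    expires = attrs.get("accountExpires", 0)
    if expires not in NEVER and expires <= to_filetime(now):
        problems.append("expired")
    return problems


def authorize_mab(mac, endpoints, directory, now):
    """Double lookup: MAC -> registered endpoint -> PortalUser -> AD state."""
    endpoint = endpoints.get(mac.lower().replace("-", ":"))
    if endpoint is None or endpoint.get("BYODRegistration") != "yes":
        return ("REDIRECT", "device not registered")
    attrs = directory.get(endpoint["PortalUser"].lower())
    if attrs is None:
        return ("DENY", "PortalUser not found in AD")
    problems = account_problems(attrs, now)
    if problems:
        return ("DENY", "owner account " + ", ".join(problems))
    return ("PERMIT", "registered device, owner account active")


# Constructed sample data (not taken from the thread).
NOW = datetime(2014, 6, 1, tzinfo=timezone.utc)
ENDPOINTS = {
    "aa:bb:cc:00:00:01": {"BYODRegistration": "yes", "PortalUser": "alice@ADdomain"},
    "aa:bb:cc:00:00:02": {"BYODRegistration": "yes", "PortalUser": "bob@ADdomain"},
    "aa:bb:cc:00:00:03": {"BYODRegistration": "yes", "PortalUser": "carol@ADdomain"},
    "aa:bb:cc:00:00:04": {"BYODRegistration": "yes", "PortalUser": "dave@ADdomain"},
}
DIRECTORY = {
    "alice@addomain": {"userAccountControl": 0x200, "accountExpires": NEVER[1]},
    "bob@addomain": {"userAccountControl": 0x202, "accountExpires": 0},
    "carol@addomain": {"userAccountControl": 0x200,
                       "accountExpires": to_filetime(datetime(2014, 1, 1, tzinfo=timezone.utc))},
    "dave@addomain": {"userAccountControl": 0x200, "accountExpires": 0,
                      "msDS-User-Account-Control-Computed": UF_LOCKOUT},
}

if __name__ == "__main__":
    for mac in list(ENDPOINTS) + ["AA-BB-CC-00-00-99"]:
        print(mac, authorize_mab(mac, ENDPOINTS, DIRECTORY, NOW))
```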

Similar Messages

  • Double Lookups?

    I am struggling with something that I suspect is kind of basic. I would like to produce a report that is based on the need for multiple value lookups per line on a report. The data table contains:
    Index, partid, parentid…….
    The lookup contains:
    Part_index, part_name
    I would like my report to show
    Index, partid, part_name, parentid, parent_name.
    So I can show the part name instead of the id, for both parent and child. I cannot work out how to implement the “double lookup” of the names.
    My best guess is something like below.
    select
    "MYINDEX",
    "PART_ID",
    (select PART_NAME from NAME_LOOKUP where "NAME_LOOKUP"."PART_INDEX"="PARTS"."PART_ID") as "Part Name",
    "PARENT_ID",
    (select PART_NAME from NAME_LOOKUP where "NAME_LOOKUP"."PART_INDEX"="PARTS"."PARENT_ID") as "Parent Name"
    from "#OWNER#"."PARTS"
    Thanks in advance for any suggestions.
    J

    Hi,
    You can also do this with a self-join, which may be faster.
    select     "MYINDEX",
         "PART_ID",
         part_lookup.PART_NAME     AS "Part Name",
         "PARENT_ID",
         parent_lookup.PART_NAME     AS "Parent Name"
    from     "#OWNER#"."PARTS"
    JOIN     NAME_LOOKUP     part_lookup
    ON     part_lookup."PART_INDEX"     = "PARTS"."PART_ID"
    JOIN     NAME_LOOKUP     parent_lookup
    ON     parent_lookup."PART_INDEX"     = "PARTS"."PARENT_ID"
    ;
    This still has your original typo.
    If there are parts that do not have matches in the name_lookup table, then change the JOINs to LEFT OUTER JOINs.

  • Pre-login posture assessment - possible with ISE?

    Does anyone know if it is possible (or not) to have a windows machine posture assessed on boot? ie. before anyone logs in on it. Currently, I have to log in on my machine before the assessment starts. It would be good to have assessment begin as soon as the machine boots so that (assuming the machine passes assessment) it is completed by the time I log in. We are using the NAC Agent with ISE1.2.
    Thanks in advance for your thoughts.

    As far as i know, the posture agent does not do anything before user has logged in, i have never seen a posture report in ise, that indicates anything else, because you would get many failed posture compliance checks, if it did (checking user keys, user files, av status and so on in machine land).

  • Double Lookup in Numbers 3

    Hi this one has had me stumped for a while so I hope there's the expertise out there!
    I have two tables in different sheets; Lesson Sheet::Lesson Log Table and Pupil Summary Sheet::Pupil Progress Table.
    I need to populate the summary sheet using the data from the Lesson Log Table, as per the image.
    When a user selects a pupil, the Pupil Progress Table should update for the selected Pupil.
    The formulas I need are for the cells circled blue and red. Any ideas?

    Often when you end up with complicated formulas, index columns, and intermediate calculation tables, that's a sign maybe there's an easier way to do things (perhaps just filter the original data table, and live with the fact that the format is not as nice?). But here is one way that seems to do what you describe:
    The index columns, which are later used by the INDEX MATCH lookup combination, are concatenation:
    The formula in F2, copied down and right: =IF(LEN(C2)>0,C$1&$A2&C2&$B2,"")
    The Calculations table:
    C2, copied right: =IFERROR(INDEX(Lesson Log Table::$B,MATCH($A2&$A$1&C$1,Lesson Log Table::$F,-)),")
    C3, copied right: =IFERROR(INDEX(Lesson Log Table::$B,MATCH($A3&$A$1&C$1,Lesson Log Table::$G,-)),")
    C4, copied right: =IF(AND(Calculations::C4>Calculations::B4,Calculations::C4≠"Lesson Date"),Calculations::C4,"")
    The Summary table:
    C2 copied right and down: =IF(AND(Calculations::C2>Calculations::B2,Calculations::C2≠"Lesson Date"),Calculations::C2,"")
    SG

  • Double Question:Possible to save Image? and How do I use Frame ...

    Hello everybody,
    I've got lotsa questions today! I was just wondering if it was possible that I could save an image that I previously opened (with MediaTracker), and modified. I would imagine that it would be possible, but I have no idea what the try catch block would look like, nor the code to actually do it. Any ideas?
    I was also wondering how I would get my class to use methods from the package that I just compiled, as well as from the Frame class.
    Because I can't just write:
    public class point extends Frame, SimpleGUI
    How do I do this one?
    You guys are the best..
    Rick

    I was also wondering how I would get my class to use
    methods from the package that I just compiled, as well
    as from the Frame class.
    Because I can't just write:
    public class point extends Frame, SimpleGUI
    How do I do this one?
    No multiple inheritance in Java (though you may implement many interfaces). One work-around is to extend one object and instantiate the other as a component of the new class.

  • Re-lookup possible ?

    I have the following scenario:
    An RMI server bound to the Registry and a client that has got the Remote Object via lookup.
    All works fine, but then the server was killed and restarted.
    If the client now calls a method of the Remote Object, a ConnectionError occurs.
    How can I get the new Remote Object from the server?
    Regards,
    Geri

    A new lookup doesn't work.
    I made a new lookup and get no error. But if I call a remote method I get a
    ConnectionException. Any ideas?
    Regards,
    Geri

  • ISE and Selfservice with single SSID

    Hi, i have:
    WLAN 2504 Controller with 7.2 Software
    ISE 1.1.2
    A single SSID with 802.1x Authentication
    Today the wireless users are authenticated against a Cisco ACS. I want to switch to the ISE and make use of the mydevices portal. I want to re-use my single SSID and don't want to do any provisioning.
    - The user connects to the single SSID
    - The user configures PEAP authentication on his device
    - The user authenticates to an LDAP directory with username and password
    - After successful authentication the user will be redirected to the mydevices portal
    - He logs in with his LDAP credentials
    - The MAC address of his current device is listed in the mydevices portal
    - The user adds his device to the known devices list
    - Manual reconnect to my SSID
    Is this possible with ISE? Is there a howto out there with exactly this scenario?
    Kind regards

    Hello Andreas,
    WLC 2504 supports CWA, CoA & dACL.
    This wireless controller also supports MAC filtering with RADIUS lookup. For WLCs that support version 7.2.103.0, there is support for session ID and COA with MAC filtering so it is more MAB-like. So it should fulfill your requirement and you can use single SSID.
    For more detailed help review “Universal WLC Configuration Guide” & “ISE 1.1.x Network Component Compatibility” at the following location:
    http://www.cisco.com/en/US/solutions/collateral/ns340/ns414/ns742/ns744/docs/howto_11_universal_wlc_config.pdf
    http://www.cisco.com/en/US/partner/docs/security/ise/1.1.1/compatibility/ise_sdt.html
    Regards,
    Ashok

  • Is it possible to do an RFC Lookup from the Graphical Mapping?

    Greetings,
    While doing a message mapping I need to get the value from an R3 system using an RFC. Is it possible?

    Hi
    we can do by using rfc look ups
    Lookup in mapping is the feature provided by SAP to lookup the data in the target R/3 or DB systems with the API provided.
    You need to write a UDF in order to implement the APIs provided by SAP. Consider the below example:
    VendorNumber-UDF--CURR
    The scenario is legacy to SAP. The legacy system doesn't provide the currency details. But the target field needs to be populated with the currency value.
    "The business rules says there are values maintained in SAP Table where if you pass VendorNumber it will return the currency to you"
    So what you can do? You can write UDF implementing SAP Provided API's and do a lookup in the SAP System and get back the currency value and populate them in CURR field.
    I hope it clears a bit.
    Please find the below blogs
    DB Lookup: /people/siva.maranani/blog/2005/08/23/lookup146s-in-xi-made-simpler
    RFC Lookup:https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/a03e7b02-eea4-2910-089f-8214c6d1b439
    There are three types of look ups u can do
    RFC look up
    SOAP look up
    JDBC look up
    What is Lookup and why we need:
    Within an XI mapping it is a common requirement to be able to perform data lookups on-the-fly. In particular, there may be a need to look up some data that is maintained in an R/3 application.
    In the error handling topic we have seen the different validations which need to be performed on file. This can be done through Lookup.
    Some use cases:
    • Look up material number from table MARA.
    • Look up cost center budget.
    • Look up employee information.
    • Look up unit-of-measure (UOM) information from table t006a.
    • Lookup for raising an alert.
    The purpose of the lookup may be:
    • To perform application-level validation of the data, before sending it to the backend.
    • To populate fields of the XML document with some additional data found in the backend application.
    This is a form of value transformation.
    The "value mappings" offered by XI are not adequate in this case, since the data would have to be manually entered in the Integration Directory.
    There are two ways in which we can do lookup:
    • Call lookup method from GUI mapping.
    • Call lookup method from XSLT mapping.
    Lookup method from GUI mapping can be called using any of the following ways.
    • RFC lookup using JCO (without communication channel)
    /people/sravya.talanki2/blog/2005/12/21/use-this-crazy-piece-for-any-rfc-mapping-lookups
    • RFC lookup with communication channel.
    /people/alessandro.guarneri/blog/2006/03/27/sap-xi-lookup-api-the-killer
    • Lookup using JDBC adapter.
    /people/siva.maranani/blog/2005/08/23/lookup146s-in-xi-made-simpler
    /people/sap.user72/blog/2005/12/06/optimizing-lookups-in-xi
    • CSV file lookup.
    /people/sundararamaprasad.subbaraman/blog/2005/12/09/making-csv-file-lookup-possible-in-sap-xi
    Lookups with XSLT - https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/8e7daa90-0201-0010-9499-cd347ffbbf72
    /people/sravya.talanki2/blog
    https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/05a3d62e-0a01-0010-14bc-adc8efd4ee14
    DB lookup - /people/siva.maranani/blog/2005/08/23/lookup146s-in-xi-made-simpler
    SOAP Lookup - /people/bhavesh.kantilal/blog/2006/11/20/webservice-calls-from-a-user-defined-function
    You can refer to these links.
    /people/alessandro.guarneri/blog/2006/03/27/sap-xi-lookup-api-the-killer Absolute stealer.
    /people/siva.maranani/blog/2005/08/23/lookup146s-in-xi-made-simpler
    For Java APIs and also here you can map that how many types of lookups are possible in XI.
    http://help.sap.com/javadocs/NW04/current/pi/com/sap/aii/mapping/lookup/package-summary.html

  • Lookups

    What are lookups in XI?

    Hi,
    Within an XI mapping it is a common requirement to be able to perform data lookups on-the-fly. In particular, there may be a need to look up some data that is maintained in an R/3 application.
    In the error handling topic we have seen the different validations which need to be performed on file. This can be done through Lookup.
    Some use cases:
    •     Look up material number from table MARA.
    •     Look up cost center budget.
    •     Look up employee information.
    •     Look up unit-of-measure (UOM) information from table t006a.
    •     Lookup for raising an alert.
    The purpose of the lookup may be:
    •     To perform application-level validation of the data, before sending it to the backend.
    •     To populate fields of the XML document with some additional data found in the backend application.
    This is a form of value transformation.
    The "value mappings" offered by XI are not adequate in this case, since the data would have to be manually entered in the Integration Directory.
    There are two ways in which we can do lookup:
    •     Call lookup method from GUI mapping.
    •     Call lookup method from XSLT mapping.
    Lookup method from GUI mapping can be called using any of the following ways.
    •     RFC lookup using JCO (without communication channel)
          /people/sravya.talanki2/blog/2005/12/21/use-this-crazy-piece-for-any-rfc-mapping-lookups
    •     RFC lookup with communication channel.
                     /people/alessandro.guarneri/blog/2006/03/27/sap-xi-lookup-api-the-killer
    •     Lookup using JDBC adapter.
          /people/siva.maranani/blog/2005/08/23/lookup146s-in-xi-made-simpler
          /people/sap.user72/blog/2005/12/06/optimizing-lookups-in-xi
    •     CSV file lookup.
          /people/sundararamaprasad.subbaraman/blog/2005/12/09/making-csv-file-lookup-possible-in-sap-xi
    thnx
    Chirag

  • Value lookup

    Hi,
    1) I need help regarding how to do value lookup in SAP XI.
    2) My particular scenario includes a small list as well as a long list. Is there a difference in how I can efficiently do a value lookup based on whether it is a short or long list?
    Thanks,
    Kunal

    Hi Kuna,
    If the values have to be maintained by the user then it's normally done in tables (any database)...and then within the message mapping by using a function we can connect to the database for lookup (JDBC lookup).
    You can also use value mapping if you are not looking at picking up values from the application system.
    It is just like your SM30 transaction. You can get the info under SAP XI->Design and Configuration->Configuration->Value Mapping.
    If you are in SP13 you can use lookup API SAP XI->Design and Configuration->Design->Mapping look ups.
    Also have look at these Blogs and threads...
    /people/sundararamaprasad.subbaraman/blog/2005/12/09/making-csv-file-lookup-possible-in-sap-xi
    /people/alessandro.guarneri/blog/2006/03/27/sap-xi-lookup-api-the-killer
    JDBC Lookup
    EJB Lookup
    Re: RFC Lookup.
    CSV File LookUp
    I hope it helps...
    Regards,
    Abhy

  • Possible values for WDY_ATTRIBUTE_FORMAT_PROP-DATE_FORMAT?

    Hi,
    where can I lookup possible values for formatting a date typed field using WDY_ATTRIBUTE_FORMAT_PROP-DATE_FORMAT?
    I did not find any documentation so far.

    Same question here.
    I have a field in webdynpro table of type domain TZNTSTMPL which is displayed as "06.12.2011 08:46:30,7730500". I want to format it like "06.12.2011 08:46:30" and thought it is maybe possible with something like:
    data: LS_ATT_FORMAT  TYPE wdy_attribute_format_prop,
      LO_IF_SO_ITEMS TYPE REF TO IF_WD_CONTEXT_NODE_INFO.
        LO_IF_SO_ITEMS->set_attribute_format_props( name = 'CREATED_ON'
                                  format_properties = ls_att_format ).
    So anyone has an idea which value for WDY_ATTRIBUTE_FORMAT_PROP-DATE_FORMAT are possible?
    Thanks
    Markus

  • Distributed ISE & Distributed PKI = EAP-TLS issues ... Correct?

    In a distributed ISE deployment with regional intermediate CA, I am getting failed authentication due to "EAP-TLS failed SSL/TLS handshake because of an unknown CA in the client certificates chain". Client devices have only one client certificate issued from the regional intermediate CA. When a client device goes across the region, it can't authenticate and gets this "unknown CA" error. The admin node has certificates of all intermediate CAs and root CA.
    One possible solution is to add intermediate CA certificates to all regional Node groups but apparently it is not possible on ISE policy nodes.
    Have a look at the diagram below and let me know you think (Client authentication failure at both location 1 and 3).

    Thanks Jan for reply. And short answer is Yes ....
    we have identified the issue and it has been resolved now. It was down to one of the cert corruption on primary admin.
    It was only identified after going to debug logs in prrt. Verification was done by export that particular cert and analyzing it. Don't know how it got corrupted but it did.
    In CA cert section on primary admin node, it was displaying correct value like issue date etc but when it was exported for analysis, I couldn't open it.
    So moral of the story is that the someone thought that they need to put a status field against every cert on ISE and it wasn't decided how to check its status - no offence.

  • ISE Sending Hostname in CWA Redirect

    Dear Support Team.
    we have setup in which wireless controllers are deployed in Foreign & Anchor Scenario. (Guest WLC or Anchor is deployed in DMZ) , Controllers are running 7.3 and CWA config is done as per standard TAC documents.
    When WLC redirects the session to ISE, Redirection URL has ISE hostname and is something like this
    https://ise-ip-address:8443/guestportal/gateway........
    we have setup Guest Access in such a way, that guest dhcp pool is using the Public DNS, we are not providing our internal DNS to guest dhcp pool, since public DNS does not have an entry for ise-ip-address, DNS resolution Fails and CWA is not happening.
    is it possible that ISE can send IP address in place of its hostname, for example
    https://10.15.24.20:8443/guestportal/gateway......
    Any help will be highly appreciated.
    Thanks
    Ahad

    One workaround that I have gotten to work in the past when using ASA firewalls is to create a static NAT entry and leverage DNS inspection to translate the Private IP address for you.  It is important to note that in this example the domain name that the ISE PSN is registered as is on a publicly resolvable domain name which you have control of the DNS entries. 
    In this example we will have a three legged ASA.  Inside, DMZ, and Outside. 
    The PSN's hostname is psn.example.com.
    The PSN's Private IP address is 10.1.1.100
    Steps:
    Create a Public DNS record for psn.example.com.  For best practices you should use an IP address that belongs to you and that is not a part of RFC 1918.  This way the public DNS servers do not reject the IP address for some other reason. In this example we will use 1.1.1.1
    Enable DNS inspection on the ASA.
    Create a Static NAT entry for 1.1.1.1 (outside) -> 10.1.1.100 (inside) and enable DNS translation. 
    Now when the CWA user connects and gets a public DNS server it will query the public server for psn.example.com and the public DNS server will return 1.1.1.1.  Now because of the DNS inspection the reply of 1.1.1.1 is replaced with the private IP address of 10.1.1.100.
    End result is the DMZ host using a public DNS server to return a private IP address.  If you have multiple PSNs you will need to create multiple DNS and NAT.
    You are welcome to try and use RFC Bogus RFC 1918 addresses, but the public DNS servers may have rules against doing so which is why I recommend using the public IP addresses that you own.  It is important to remember that even though you are creating Inside to Outside NAT entries for your ISE servers, because you haven't created any inbound ACLs they are not exposed to the Internet just because you created a NAT for them. 
    Here is a cisco doc on how to do "DNS Doctoring"
    http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/72273-dns-doctoring-3zones.html
    I should note that I have tested this using 1.2 with the static hostname, but I have not tested it with 1.1.4, but the underlying principles should be the same.

  • Ise and authorization vlans

    I need to know for sure (and with detailed official documentation links or experience if possible)
    if ISE for CoA accepts VLAN names rather than VLAN ID numbers (multiple VTP domains: we have multiple VLAN ID numbers under the same consistent naming)
    thank you in advance for your response

    Not a problem, in the link that I posted at the end that is covered. Here are the comments that I was referring to:
    Assign vendor-specific tunnel attributes in the RADIUS server. The RADIUS server must return these attributes to the switch:
    –[64] Tunnel-Type = VLAN
    –[65] Tunnel-Medium-Type = 802
    –[81] Tunnel-Private-Group-ID = VLAN name or VLAN ID
    Attribute [64] must contain the value VLAN (type 13). Attribute [65] must contain the value 802 (type 6). Attribute [81] specifies the VLAN name or VLAN ID assigned to the 802.1X-authenticated user.
    Thanks,
    Tarik Admani
    *Please rate helpful posts*
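
    The three attributes listed in the reply above, shown on the wire as an added example (not from the thread): the RFC 2868 encoding carries the VLAN in attribute 81 as a string, so a VLAN name and a VLAN ID travel the same way. The helper names `vlan_assignment` and `parse_vlan_assignment` are hypothetical.

```python
# RADIUS attribute numbers and values quoted in the reply above.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TYPE_VLAN, MEDIUM_802 = 13, 6


def _tagged_int(attr_type, value, tag):
    # RFC 2868 layout: Type, Length (always 6), Tag, 3-octet value.
    return bytes([attr_type, 6, tag]) + value.to_bytes(3, "big")


def vlan_assignment(vlan, tag=1):
    """Encode the attribute triple that assigns a VLAN by name or by ID."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0..31")
    group = str(vlan).encode("ascii")
    if not group or len(group) > 252:     # attribute length field is one octet
        raise ValueError("VLAN name/ID must be 1..252 ASCII characters")
    return (_tagged_int(TUNNEL_TYPE, TYPE_VLAN, tag)
            + _tagged_int(TUNNEL_MEDIUM_TYPE, MEDIUM_802, tag)
            + bytes([TUNNEL_PRIVATE_GROUP_ID, 3 + len(group), tag]) + group)


def parse_vlan_assignment(data):
    """Return the VLAN name/ID if the attributes form a valid VLAN assignment."""
    found, i = {}, 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 3 or i + length > len(data):
            raise ValueError("bad attribute length")
        body = data[i + 2:i + length]
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if length != 6:
                raise ValueError("tagged integer attribute must be 6 octets")
            found[attr_type] = int.from_bytes(body[1:], "big")   # skip the tag
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            # A first octet above 0x1F is not a tag but the start of the string.
            text = body[1:] if body[0] <= 0x1F else body
            found[attr_type] = text.decode("ascii")
        i += length
    if found.get(TUNNEL_TYPE) != TYPE_VLAN:
        raise ValueError("Tunnel-Type is not VLAN (13)")
    if found.get(TUNNEL_MEDIUM_TYPE) != MEDIUM_802:
        raise ValueError("Tunnel-Medium-Type is not 802 (6)")
    if not found.get(TUNNEL_PRIVATE_GROUP_ID):
        raise ValueError("Tunnel-Private-Group-ID missing")
    return found[TUNNEL_PRIVATE_GROUP_ID]


if __name__ == "__main__":
    for vlan in ("GUEST", 120):            # constructed sample values
        wire = vlan_assignment(vlan)
        print(wire.hex(), "->", parse_vlan_assignment(wire))
```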

  • ISE and MAB description

    Ciao,
    I have not found a field to insert a description for a MAC address. Is there a possibility in ISE to do this?
    Iarno Pagliani

    Unfortunately not. That is something that I have suggested in the past. I would recommend that you check with your local Cisco account manager and make a suggestion as well. The more the better.
    Thank you for rating !
