External Identity Sources, binding RSA securID to ISE

Similar Messages

• Multiple AD External Identity Sources in ISE 1.2

  First I guess is it possible to have multiple AD entries for External Identity Sources in ISE 1.2? When I display Active Directory (AD1) it displays my four ISE servers with a status of connected but I see no where to add anything additional. I did not originally set this up so figure I am missing something somewhere if this is possible. I though maybe add under LDAP and then it would roll into AD or something but I have nothing listed under LDAP either.
  What I am trying to do is figure out how to have ISE cover our two different domains. We ahve one big forest but currently that is split into two AD domains based upon our two divisions.  am trying to see if possibly I can simply get through the existing configuration to pull security groups from the other domain into the dictionary but so far that has proven not do able.
  Brent

  Saurav,
  I was beginning to think that might be the solution. Now I just need to go through the release notes and make sure there are no issues with it running on ACS-2111 appliance. We are currently using this as the secondary Admin but knew we would have to move off something. I think management is hoping later than sooner especially since we are still in that initial roll out phase.
  How does the system handle the fact that this is all centralized but I have users authenticating from the different time zones? I have been reading about everything pointing to the same NTP server but took that to simply be the servers in the ISE Cluster. Will this also impact all the switches and network devices involved in the authentication process?
  Brent

• ISE - External Identity Source (AD Groups)

  Assume there are no groups populated in this bucket (Identity Management-> Active Directory -> Groups) Does ISE just check if the user is in AD and allows them on?  I have clients authenticating that arent part of the single group I added to this bucket.
  This is why I ask ..
  "Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
  ‎"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."       

  Yes, you understood it right. Let me add little more explanation.
  Group reterieval for authorization
  You can use the AD group data in the  authorization and group mapping tables and introduce special conditions  to match them against the retrieved groups.
  http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.4/user/guide/users_id_stores.html#wp1170416
  Once you've selected the groups under
  Users and Identity Stores >
  External Identity Stores >
  Active Directory > directory groups
  The same groups will start appearing under below listed screen shot. From there you will see 2 options any / all like or / and condition. Based on user membership the authorization role can be assisgned.
  ~BR
  Jatin Katyal
  **Do rate helpful posts**

• ISE and no External Identity Source

  I have this particular case in which I need to make authentications for users in ISE without Active Directory/LDAP etc.
  I would like to have some kind of MAC to USER binding where the user would no be able to add more devices to the network. I know the eap chaining using anyconnect is a way of achieving this but then again I can only see it using AD or some kind of external database. Also printers, wireless and phones are in the map. I tried using MAB and CWA for this but do not want to have the users be able to self register their devices as if they were guests.
  EAP chaining without AD??? Possible?
  Any hope?
  Thank you 

  Someone else can chime in here but I don't think it is possible to perform EAP-Chaining with the internal database of ISE. With that being said, feel free to read the EAP-TEAP IETF doc :)
  http://tools.ietf.org/html/draft-ietf-emu-eap-tunnel-method-01

• ISE Not Authenticating Against RSA SecurID

  In the process of integrating ISE 1.2 into our environment with the eventual intent to replace ACS 5.x and having a challenge adding an RSA SecurID server as an external identity source.
  In ACS, we would create an internal user but configure the password to be handled externally and uses PAP or whatever to communicate with RSA.
  I don't see this option in ISE, only to use the RSA SecurID as a direct Identity Source, the problem is that if I try to authenticate to ISE using a device such as an iPhone, which is using MS-CHAPv2 by default, it produces an error in the authentication logs that the device is using a protocol not supported by the identity source.
  So what is the proper way to configure ISE to allow users to authenticate with a one-time-password against RSA SecurID?

  check the following link for Integrating Cisco ISE with RSA SecurID Server
  http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_man_id_stores.html#wp1080334

• ISE Admin Access Authentication against multiple AD/LDAP Identity Sources

  Hi all!
  We would like to grant admin cccess to our ISE deplyoment to users stored in multiple Active Directories. Since there is no trust relationship between these ADs, we created an LDAP Identity Source for each AD and also an Identity Source Sequence but in the UI we can only select one Identity Source.
  Any ideas how to solve this problem?
  Thanks in advance!
  Kind regards,
  Michael Langerreiter

  I did check in my lab and yes for admin access we can't select identity store sequence in authentication. We can only pick one external database. However, on the login page you may select the appropriate database before you enter the username and password.
  Jatin Katyal
  - Do rate helpful posts -

• ISE Authentication Policy for RSA Securid and LDAP for VPN

  We are working on replacing our existing ACS server with ISE.  We have 2 groups of users, customers and employees.  The employee's utilize RSA securid for authentication while the customers use Window authentication.  We have integrated the AD into ISE using LDAP and this has been tested.  We are now working on trying to get the rsa portion to work.  We are wanting to utilize the authorization policy to assign the group-policy/IP for both clients via the LDAP user attributes.
  Here is my question:
  Under the authentication policy should we look @ an identity store that has RSA securid users, LDAP users and then internal users.  I assume if the user isn't present in the RSA store it will then look @ the LDAP, will this present an issue with overhead in our RSA environment.  With the legacy ACS the descsion on where to authenticate the user was done on the ACS, either Windows or RSA.  The employee users will still also be present in the LDAP so we can utilize the attributes for IP address/group policy.  The number of customer vpn's is several times larger than employees and I am afraid that if we have to query the securid servers for every authentication vpn authentication attempt this could cause issues.  Our utilimate goal is to move to any connect and utilize a single url for all authentication but allow ise to instruct the asa what attributes to hand to the client such as dns/Dacl. 
  Thanks,
  Joe

  That is not what I want. I want user "test1" to be able to do this:
  C
  Username: test1
  Enter PASSCODE:
  C2960>en
  Enter PASSCODE:
  C2960#
  In other words, test1 user has to type in his/her RSA token password to get
  into exec mode. After that, he/she has to use the RSA token password to
  get into enable mode. Each user can get into "enable" mode with his/her
  RSA token mode.
  The way you descripbed, it seemed like anyone in this group can go directly
  into enable mode without password. This is not what I have in mind.
  Any other ideas? Thanks.

• Is LDAP or AD as a external identity store recommended in ISE implementation for machine authentication

  Hi Experts,
  I have question about External identity store integration in ISE . I had chance to go through the cisco doc for ISE configuration especially for external identity store .
  there are two ways to configure external identity store.
  1) AD
  2) LDAP
  Which one is actually recommended ? technically which one would be convinient to configure to set-up machine authentication. do we have any limitation in terms of functionality in either of one ?

  Hi Leo,
  its not duplicate post , I have created one more post where you have linked that is for client policy enforcement . I want to understand how certificates will be pushed to client.
  This post is to understand the LDAP & AD intergration with ISE .
  I have requirement where client is asking to intergrate machine database using LDAP.
  I am quite new for LDAP intergration that is the reason I have created this discussion.

• RSA SecurID and Cisco ACS integration for user(s) with enable mode

  I thought I had this problem figured out but I guess not.
  I have a Cisco 2621 router with IOS 12.2(15)T17. Behind the
  router is a Gentoo linux, RSA SecurID 6.1 and Cisco ACS 3.2.
  I use tacacs+ authentication for logging into the Cisco router
  such as telnet and ssh. In the ACS I use "external user databases"
  for authentication which proxy the request from the ACS over
  to the RSA SecurID Server. I installed RSA Agents with
  sdconf.rec file on the Cisco ACS server. I renamed "user group 1"
  to be "RSA_SecurID" group. In the "External user databases" and
  "database configurations" I assign SecurID to this "RSA_SecurID"
  group.
  Everything is working fine. In the "User Setup" I can see dynamic
  user test1, test2,...testn listed in there as "dynamic users". In
  other words, I can telnet into the router with my two-factor
  SecurID.
  The problem is that if test1 wants to go into "enable" mode with
  SecurID login, I have to go into "test1" user setting and select
  "TACACS+Enable Password" and choose "Use external database password".
  After that, test1 can go into enable mode with his/her SecurID
  credential.
  Well, this works fine if I have a few users. The problem is that
  I have about 100 users that I need to do this. The solution is
  clearly not scalable. Is there a setting from group level that
  I can do this?
  Any ACS "experts" want to help me out here? Thanks.

  That is not what I want. I want user "test1" to be able to do this:
  C
  Username: test1
  Enter PASSCODE:
  C2960>en
  Enter PASSCODE:
  C2960#
  In other words, test1 user has to type in his/her RSA token password to get
  into exec mode. After that, he/she has to use the RSA token password to
  get into enable mode. Each user can get into "enable" mode with his/her
  RSA token mode.
  The way you descripbed, it seemed like anyone in this group can go directly
  into enable mode without password. This is not what I have in mind.
  Any other ideas? Thanks.

• Integration of Cisco ACS SE 4.2 and RSA SecurID Token Server

  Hi,
  I would be very appreciated if anyone can share their experience. Thanks in advance.
  Issue:
  I am trying to configure the ACE SE 4.2 to authenticate using RSA SecurID Token Server.
  Problems encountered:
  Authentication failed. In the failed logged attempt the error "External Database not operational" was next to the login name.
  In the auth.log, there was "External DB [SecurID.dll]: aceclnt.dll callback returned error [23]".
  Questions:
  1. Please kindly advise how I should resolve this problem.
  2. Also, is there any successful message once ACS get the sdconf.rec? Will the "Purge Node Secret" button be enabled?
  Troubleshooting steps I have done:
  Below is the steps I took to setup the external DB.
  1. Verified sdconf.rec is not a garbage file using the Test authentication function in RSA client.
  2. FTP sdconf.rec in the external database configuration. (Had used Wireshark and confirm file transfered successfully.)
  2. Defined unknown user policy to check RSA SecurID Token Server to authenticate.
  Thank you.

  I have NO experience with ACS SE 4.2 and
  RSA SecurID Token Server BUT I have
  experiences with Cisco ACS 4.1 running on
  Windows 2003 SP2 Enterprise Edition and
  RSA SecurID Token Server.
  All the troubleshoot you've done is correct.
  In Windows 2003 running Cisco ACS, you can
  install the test authentication RSA client
  and that you can verify that the setup
  is correct (by verifying that the sdconf.rec
  is not corrupted).
  One thing I can think of is that when you
  setup the ACS SE box, under external
  database, configure unknown user policy,
  did you check it to tell how to define users
  when they are not found in the ACS internal
  database. Did you select RSA SecurID token
  server?
  Other than that, from what I understand,
  you've done everything correctly.

• RSA SecurID

  I have been use RSA securid authentication with Portal 3.0. Now I am trying to migrate to Portal 6.0. In Portal 6.0 authentication is done using Identity Server and it does not have RSA SecurID authentication. Any workaround or solutions.

  The SecureID module is not available "out the box"
  but it is available as a "addOn" module fpr Identity server:
  http://wwws.sun.com/software/download/inter_ecom.html
  Cheers,
  Alex :-)

• ACS appliance -- AD -- RSA Securid Server

  I have Cisco ACS appliance running version 3.3.2.2 and Windows Active Directory on Win2000 Advanced Server and RSA v5.2. I already installed successfully the remote agent in Active directory.
  Authentication using EAP-FAST from my wireless client going to ACS to AD is successful.
  But when authenticating going to RSA failed. I can't find logs that my ACS is communicating successfully with RSA.
  Here's more info:
  In Active Directory, remote agent for ACS installed succesfully. Agent for RSA is also installed succesfully.
  In ACS appliance, remote agent was already pointed to AD.
  No RSA SecurID Token Server found in my External User Database Configuration list. I think this is the problem.
  How can I manage to configure RSA SecurID Token Server in my ACS appliance?

  Hello,
  The configuration guideline for the ACS is described in "Configuring CiscoSecure ACS for Windows NT with ACE Server Authentication" at
  http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a0080094650.shtml
  I had this up and running with a customer. There was no AD involved though, so it is not entirely your case and there might be other obstacles on the way.
  ACS with ACE however works, though there were some nasty problems to be solved on the way to success.
  One thing to point out straight away also mentioned in the document mabove:
  Challenge Handshake Authentication Protocol (CHAP) cannot be used with the ACE tokens alone because of the requirement CHAP RFC (1994) that states:
  CHAP requires that the secret be available in plaintext form. Irreversibly encrypted password databases commonly available cannot be used.
  This precludes use of the ACE tokens for straight CHAP unless there is a separate CHAP password. For instance:
  username: xxxx
  password: xxxx
  Password Authentication Protocol (PAP) is a better choice here.
  This means the user has to enter "username*token" - the customer finally wrote a Java applet to construct the propper combination out of different clearly named input fields to simplify the input for unexperienced users.
  Hope this helps! Please rate all posts.
  Regards, Martin

• Unable to add external data source in BAM : Error ORA-12505

  Hi,
  In BAM,
  Im trying to add an external data source for creating a data object.
  But when i try to test the connection i get the following error:
  Listener refused the connection with the following error: ORA-12505, TNS:listener does not currently know of SID given in connect descriptor
  Source: "java.sql.SQLException: Listener refused the connection with the following error: ORA-12505, TNS:listener does not currently know of SID given in connect descriptor "
  Listener refused the connection with the following error: ORA-12505, TNS:listener does not currently know of SID given in connect descriptor
  Source: "oracle.net.ns.NetException: Listener refused the connection with the following error: ORA-12505, TNS:listener does not currently know of SID given in connect descriptor "
  As mentioned in another post ((Listener does not currently know of SID given in connection descriptor
  i tried
  lsnrctl stop.
  delete listener.ora
  lsnrctl start
  lsnrctl reload
  But still get the same error;
  Im able to access the database with the specified username and password using sqlplus.
  Your help will be appreciated.
  Regards
  Vignesh Ramanathan

  For #5, not Windows, ConfigMgr 2012 R2. Anything before ConfigMgr 2012 R2 is not supported for the 8.1 ADK.
  For the permissions, what accounts are you setting this for. In general, if the share is on the same server, Everyone Full or Read on the Share and System Full or Read on the NTFS should work.
  For the error message, it looks like you are trying to import an OS Image and not an OS Install Package. OS images use a WIM file and OS Install Packages use the entire set of source files from the media. For OS images, you must thus explicitly point it
  to a specific WIM file.
  Jason | http://blog.configmgrftw.com

• Excel SSAS Tabular error: An error occurred during an attempt to establish a connection to the external data source

  Hello there,
  I have an Excel report I created which works perfectly fine on my dev environment, but fails on my test environment when I try to do a data refresh.
  The key difference between both dev and test environments is that in dev, everything is installed in one server:
  SharePoint 2013
  SQL 2012: Database Instance, SSAS Instance, SSRS for SharePoint, SSAS POWERPIVOT instance (Powerpivot for SharePoint).
  In my test and production environments, the architecture is different:
  SQL DB Servers in High Availability (irrelevant for this report since it is connecting to the tabular model, just FYI)
  SQL SSAS Tabular server (contains a tabular model that processes data from the SQL DBs).
  2x SharePoint Application Servers (we installed both SSRS and PowerPivot for SharePoint on these servers)
  2x SharePoint FrontEnd Servers (contain the SSRS and PowerPivot add-ins).
  Now in dev, test and production, I can run PowerPivot reports that have been created in SharePoint without any issues. Those reports can access the SSAS Tabular model without any issues, and perform data refresh and OLAP functions (slicing, dicing, etc).
  The problem is with Excel reports (i.e. .xlsx files) uploaded to SharePoint. While I can open them, I am having a hard time performing a data refresh. The error I get is:
  "An error occurred during an attempt to establish a connection to the external data source [...]"
  I ran SQL Profiler on my SSAS Server where the Tabular instance is and I noticed that every time I try to perform a data refresh, I get the following entries:
  Every time I try to perform a data refresh, two entries under the user name ANONYMOUS LOGON.
  Since things work without any issues on my single-server dev environment, I tried running SQL Server Profiler there as well to see what I get.
  As you can see from the above, in the dev environment the query runs without any issues and the user name logged is in fact my username from the dev environment domain. I also have a separated user for the test domain, and another for the production domain.
  Now upon some preliminary investigation I believe this has something to do with the data connection settings in Excel and the usage (or no usage) of secure store. This is what I can vouch for so far:
  Library containing reports is configured as trusted in SharePoint Central Admin.
  Library containing data connections is configured as trusted in SharePoint Central Admin.
  The Data Provider referenced in the Excel report (MSOLAP.5) is configured as trusted in SharePoint Central Admin.
  In the Excel report, the Excel Services authentication settings is set as "use authenticated user's account". This wortks fine in the DEV environment.
  Concerning SecureStore, PowerPivot Configurator has configured it the PowerPivotUnnattendedAccount application ID in all the environments. There is
  NO configuration of an Application ID for Excel Services in any of the environments (Dev, test or production). Altough I reckon this is where the solution lies, I am not 100% sure as to why it fails in test and prod. But as I read what I am
  writing, I reckon this is because of the authentication "hops" through servers. Am I right in my assumption?
  Could someone please advise what am I doing wrong in this case? If it is the fact that I am missing an Secure Store entry for Excel Services, I am wondering if someone could advise me on how to set ip up? My confusion is around the "Target Application
  Type" setting.
  Thank you for your time.
  Regards,
  P.

  Hi Rameshwar,
  PowerPivot workbooks contain embedded data connections. To support workbook interaction through slicers and filters, Excel Services must be configured to allow external data access through embedded connection information. External data access is required
  for retrieving PowerPivot data that is loaded on PowerPivot servers in the farm. Please refer to the steps below to solve this issue:
  In Central Administration, in Application Management, click Manage service applications.
  Click Excel Services Application.
  Click Trusted File Location.
  Click http:// or the location you want to configure.
  In External Data, in Allow External Data, click Trusted data connection libraries and embedded.
  Click OK.
  For more information, please see:
  Create a trusted location for PowerPivot sites in Central Administration:
  http://msdn.microsoft.com/en-us/library/ee637428.aspx
  Another reason is Excel Services returns this error when you query PowerPivot data in an Excel workbook that is published to SharePoint, and the SharePoint environment does not have a PowerPivot for SharePoint server, or the SQL Server Analysis
  Services (PowerPivot) service is stopped. Please check this document:
  http://technet.microsoft.com/en-us/library/ff487858(v=sql.110).aspx
  Finally, here is a good article regarding how to troubleshoot PowerPivot data refresh for your reference. Please see:
  Troubleshooting PowerPivot Data Refresh:
  http://social.technet.microsoft.com/wiki/contents/articles/3870.troubleshooting-powerpivot-data-refresh.aspx
  Hope this helps.
  Elvis Long
  TechNet Community Support

• Sharepoint 2013 Excel External Data Source Refresh Issue

  I have been facing this issue for quite some time now.. i have created an Excel sheet in Excel-13 and have imported data from an external data source [SQL server 2012]. 
  Everything is working fine, with the excel sheet on the desktop. Data refreshes, every-time i open the excel file and also at regular intervals that i have configured in the data source properties.
  The problem begins when i save that excel sheet on my sharepoint server. the issues that i am facing are :
  1. Changes made into the original data source, are not reflected immediately inside the excel sheet inside the browser. after 5-10 minutes, it reflects the changes..
  2. The data doesn't refreshes automatically. After i update my data inside the sql server table, i have to manually trigger the refresh of the data connection when viewing the excel sheet inside the browser, even though i have marked "Refresh when opening
  the file", and refresh every 1 minute inside the excel sheet. Any solutions ??
  I have been troubled a lot by this issue, and seek for some quick solution.. Any help here ??

  I found the solution finally, my self ..
  Issue - 1 : It's going to take atleat 5-minutes to refresh the data connection, that is generally not a big time span.
  Issue - 2 : 
  --> Set Your connection to refresh everytime the file is opened. go to internet explorer -> file -> internet options -> general -> Browsing History -> Settings -> Check for newer versions of stored pages... Check 'Every time I visit the
  webpage'. 
  Now everytime i update your original data source, wait for 5-10 minutes and refresh my web page containing the excel sheet.. The Contents of the excel sheet are updated as desired..