How do I authenticate users in a specific AD group with Cisco ISE

I have ISE up and running authenticating properly.  But right now it will authenticate and allow ANY account in Active Directory.  I want to allow access to only users in a specific group in Active Directory.  I have added the group under Administration>Identity Management>External Identity Sources>Active Directory>Groups.  But, I have not been able to find a way to link membership in that group to the Authentication Policy rules.

Thanks for the reply.
I'm not getting AD as an option (see below).  Any idea why that might be?

Similar Messages

  • How to create a transaction code for a function group with screen 100 as st

    Hello ,
    I have requirement where I need to create a function group and create screen 100, 200, 300 and include the function in the screens.
    Customer asked me to create a transaction with the screen 100 as the starting screen.
    Can you please let me know how to create a transaction code for a function group with screen 100 as starting screen.
    [ It is not a module pool program ].
    Thanks
    Prashanth.
    Moderator message - Please ask a specific question and do not ask the forum to do your work for you - post locked
    Edited by: Rob Burbank on Jun 2, 2009 11:49 AM

    Go to transaction SE93, enter a transaction code that you want and click on "create". Enter a text and select the "Transaction with Parameters" button. In the Default Values section, enter START_REPORT in the transaction field. Check the "skip initial screen" box. In the Name of Screen field section enter the following lines:
    Name of screen field        Value
    D_SREPOVARI-REPORTTYPE      RW
    D_SREPOVARI-REPORT          ZPCA
    Save and transport accordingly.

  • Is it possible to map a Sponsor Group in Cisco ISE to a user group in Active Directory, through a RADIUS server?

    Hi!!
    We are working on a mapping between a Sponsor Group in Cisco ISE and a user group in Active Directory....but the client wants the mapping to be through a RADIUS SERVER, for avoiding ISE querying directly the Active Directory.
    I know it is possible to use a RADIUS SERVER as an external identity source for ISE.....but, is it possible to use this RADIUS SERVER for this sponsor group handling?
    Thanks and regards!!

    Yes, it is possible to map a Sponsor group to a user group in AD. If you want to know how to do it, please open the link below and go to the "Mapping Active Directory Groups to Sponsor Groups" heading.
    http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_guest_pol.html#wp1096365

  • How can I access user permission for specific items in Sharepoint 2013 via REST API?

    I want to access user permissions for specific items like lists, documents, folders etc. via the REST API.
    Currently I am hitting the following endpoint:
    http://win-5a8pp4v402g/sharepoint_test/site_1/_api/web/getUserEffectivePermissions('win-5a8pp4v402g\\Sharepoint User 2')
    However the response looks like this:
    {
        "d": {
            "GetUserEffectivePermissions": {
                "__metadata": {
                    "type": "SP.BasePermissions"
                },
                "High": "0",
                "Low": "0"
            }
        }
    }
    I can't understand why High and Low are both 0. I have added the user to a specific group. Also, this is the same result for each of the users. Another thing to note is that I haven't added the "Guest" user in the SharePoint server, so when I hit the endpoint for the Guest user, it still shows the same response. So I know there is something I am doing wrong. I want to access the permissions of a user for a specific item, say a document, using the REST API. Can someone tell me how? What would be the endpoint?

    Thanks for the reply. Although this works for Lists, I need to get permissions of documents too. Here is what I have tried:
    http://win-5a8pp4v402g/sharepoint_test/site_1/_api/web/GetFileByServerRelativeUrl('/sharepoint_test/site_1/Documents/file1.txt')/GetUserEffectivePermissions(@user)?@user='i%3A0%23%2Ew%7Cwin-5a8pp4v402g%5Csharepoint%20user%201'
    And the response is:
    {
        "error": {
            "code": "-1, Microsoft.SharePoint.Client.ResourceNotFoundException",
            "message": {
                "lang": "en-US",
                "value": "Cannot find resource for the request GetUserEffectivePermissions."
            }
        }
    }
    Clearly this doesn't work for a file. What's wrong?

  • How do i authenticate users directly in AD from the Controller?

    I have a 4402 Controller and want to authenticate users in our Microsoft AD. Is it possible? I'm using an IAS server today, but it would be great to do the authentication directly in AD.
    Regards Oystein

    http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a008093f1b9.shtml

  • Securing AnyConnect VPN user access via specific LDAP groups in Active Directory?

    Is there a brief tutorial on how to secure AnyConnect VPN access using Active Directory security groups?
    I have AAA LDAP authentication working on my ASA5510, to authenticate users against my internal AD 2008 R2 server, but the piece I'm missing is how to lock down access to AnyConnect users ONLY if they are a member of a specific Security Group (i.e. VPNUsers) within my AD schema.

    This looks fairly complete
    http://www.compressedmatter.com/guides/2010/8/19/cisco-asa-ldap-authentication-authorization-for-vpn-clients.html

  • How to verify the user information pass by the form with a stored procedure?

    Hi,
    I would like to know how to verify user information passed by the form with a stored procedure.
    I want to make a portal which accepts new user registrations, but I want to verify the new user's information (e.g. that the name doesn't contain a number, etc.).
    Thanks for your help
    regards
    jla

    Hi Samson,
    You can use the UI API to do this. You can catch the form_ADD event and then validate the input from the users. You can even block the event from completing (and stop the document from being added) if your code finds some incorrect data using the bubbleEvent functionality.
    I don't have one specific example to show you, but if you look at some of the SDK samples (for example C:\Program Files\SAP\SAP Business One SDK\Samples\COM UI\VB.NET\02.CatchingEvents) to see how to work with events, you can then create your own validation to ensure the users data is valid.
    Regards,
    Niall

  • Check if user belongs to specific sharepoint group using designer workflow

    Hi,
    I am developing a SharePoint 2010 Designer workflow [Reusable workflow].
    Can I check if the workflow initiator belongs to specific SharePoint group. Do we have any action/activity for this?
    I have some business logic that needs to be executed if user initiating the workflow belongs to specific SharePoint group.
    Any suggestions/pointers on this would be highly appreciated.
    Regards, Ketan Gandhi

    Hi,
    You will not be able to see it OOTB. You can refer to this link if you want this workflow action:
    http://spdactivities.codeplex.com
    Thanks. Please mark it as an answer if it helped.

  • WLS 7.0 - Admin Console - how to list what users belonging to a given group?

    Hi folks,
    Just installed wls7.0, start the example server and admin console, created a user
    and added into Operator group. But from the Operator Group pane, I cannot find a
    way to show all the users in a group. Any ideas?
    TIA
    chuck

    You can use JMX to list users
    http://weblogic-wonders.com/weblogic/2010/11/10/list-users-and-groups-in-weblogic-using-jmx/

  • Cisco ip phones authenticate 802.1x with cisco ise 1.3

    Dear all,
    I want to configure cisco ise 1.3 with 802.1x , to authenticate cisco ip phones ( CUCM 10.5.2 ) with LSC certificate. 
    How I have to configure cisco ise authentication rules for 802.1x with cisco ip phones? Are there any configuration examples ? 
    Thanks

    The following are sample ISE 802.1x authentication rules. You can change the protocol (Policy -> Policy Elements -> Results -> Authentication, where you can select the protocol).

  • Read group membership for a user object and populate every group with matching user from another domain

    I have LON\JSmith in LON domain and DEL\JimSmith in DEL domain
    I would like to extract group memberships of LON\JSmith in LON domain and append matching by email (i.e. DEL\JimSmith) user object in every group in LON domain.
    for instance
    LON\JSmith and DEL\JimSmith is the same person and has same email address [email protected]
    LON\JSmith belongs to 3 groups - LON\localadmingroup;LON\univdesktop;LON\globalsurvey
    The outcome of the script should be
    LON\JSmith; DEL\JimSmith    should be in 3 groups - LON\localadmingroup;LON\univdesktop;LON\globalsurvey.
    How can i do it?
    Navgup

    Hi Navgup,
    Please refer to the script below, to query users in other domain by specifying the parameter "-Server" in the cmdlet "get-aduser", and also note I haven't tested the script below:
    Import-Module ActiveDirectory
    Get-ADGroupMember "group" | ForEach-Object {
        # Get the user's email address
        $email = (Get-ADUser $_.SamAccountName -Properties *).EmailAddress
        # Find the user with the same email in the other domain; list the account name and groups
        Get-ADUser -Filter {EmailAddress -eq $email} -Properties * -Server DomainB.company.com |
            Select-Object SamAccountName, MemberOf
    }
    To get users across domain, please also refer this blog:
    Adding/removing members from another forest or domain to groups in Active Directory:
    http://blogs.msdn.com/b/adpowershell/archive/2010/01/20/adding-removing-members-from-another-forest-or-domain-to-groups-in-active-directory.aspx?Redirected=true
    I hope this helps.

  • Cisco ip phones authenticate 802.1x with cisco ise

    Dears,
    I want to  configure ip phones authenticate from Cisco ISE with 802.1X with certificates. But i can not find any configuration guide about this solutions.
    I find one config and this is about ACS. Please provide me any documentation guide on cisco ise.
    Thanks. 

    802.1x configuration for IP Phones
    http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/TrustSec_1-99/IP_Tele/IP_Telephony_DIG.html#69217

  • How to retrieve all users in a specific group

    Hi,
    I am using SunOne directory server. Can someone please post a sample code that illustrates how to fetch all the list of users in a particular group.
    1) Let's say I want to find all the users in a group called "marketing". The root context is dc=mycompany,dc=com This group can be anywhere below this root context. Only information I am told is the name of the group - "marketing". How will I get all the users in this group?
    2) For each user that is retrieved from the group marketing, how will I find out the user's DN?
    Thanks for the help,
    - Satish

    Do it like this...
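    // Requires: import javax.naming.NamingEnumeration; import javax.naming.directory.*;
    // Assumes ctx is an initialised DirContext rooted at dc=mycompany,dc=com
    // and organizationName is a String set by the caller.
    String searchBase = "ou=marketing";
    StringBuffer filter = new StringBuffer();
    filter.append("(|");
    if (organizationName != null && !organizationName.trim().equals("")) {
         filter.append("(");
         filter.append("ou"); // attribute name; the original referenced an undefined variable ou
         filter.append("=");
         filter.append("marketing");
         filter.append(")");
    }
    filter.append(")"); // close the OR group opened above
    SearchControls constraints = new SearchControls();
    constraints.setSearchScope(SearchControls.SUBTREE_SCOPE);
    constraints.setCountLimit(200); // Maximum number of entries to return
    constraints.setTimeLimit(100000); // Maximum time to wait for the search, in milliseconds
    // Run the search against the initial context held in ctx
    NamingEnumeration<SearchResult> results = ctx.search(searchBase, filter.toString(), constraints);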

  • How can I authenticate users against a WAS system from third-party app?

    We are looking at developing a third-party standalone web application e.g. in Rails (but it could be on any framework for that matter).
    How would we go about authenticating users against a SAP WAS backend? Are there some standard web services for this? What other means are there for authentication?
    Kind Regards,
    Martin

    From the comment in SUSR_LOGIN_CHECK_RFC you just need to pass user name and it will return if user can still log on. Only your system will know credentials for this user so an attacker won't be able to use this service for cracking passwords.
    This FM is in the same function group as:
    CREATE_RFC_REENTRANCE_TICKET
    SUSR_CHECK_LOGON_DATA
    SUSR_DELETE_OWN_PASSWORD
    SUSR_GENERATE_PASSWORD
    SUSR_GET_ADMIN_USER_LOGIN_INFO
    SUSR_GET_X509CERT_MAPPING_LIST
    SUSR_LOGIN_CHECK_RFC
    SUSR_USER_CHANGE_PASSWORD_RFC
    SUSR_USER_EXTID_DEL
    SUSR_USER_EXTID_GET
    SUSR_USER_EXTID_GET_ALL
    SUSR_USER_EXTID_LOOKUP
    SUSR_USER_EXTID_RENAME
    SUSR_USER_EXTID_SET
    SUSR_USER_EXTID_SET_ALL
    SUSR_USER_FROM_CERTIFICATE_RFC
    SUSR_USER_SETEXTID
    You would need to ensure that only the service exposing the "login check" can be called, and not the FM's in the group.
    BTW: SAP Java WAS can provide SAML 2.0 assertions (technically a component shipped with IdM, but you don't have to use the rest of the IdM if you don't want to..). If your applications are all web enabled ones (WDA?) then that is an option to consider, which is also strategically supported.
    SSO2 Logon tickets are not really a strategy anymore... and installing a double-stack system on all ECC systems just to have SAML is not strategic either..
    I have heard several wishes for SAML authentication for SAPGui, but not seen anything official yet in that direction.
    Cheers,
    Julius

  • How to configure RDS to let a specific RDS group access a specific RDS server (no VDI or farm) ?

    Hi there,
    We have one domain with 40 sites. On each site is a RODC, which also has RDS. (RDS the old way, no broker installed)
    The RODC's are 2008R2 and 2012R2 servers.
    Everything works fine, however everyone can access all servers as a straight forward RDS user (no VDI).
    Everyone is in the built-in group for remote user.
    I'd like to have people that work on ServerA  only are able to contact serverA  for RDS.
    B on B, C on C and so on ...  This for all 40 sites.
    I made a policy for each site allowing RDS_A to access server A and so on. Is this the right way to do it, or can I do it having less GPO's ?  I need 40 right now!!!  Linking the policy to the right OU, containing the specific server.
    Something is still wrong, because other people still can access serverA.
    I get into it, but maybe I'm doing it wrong, so please give me some advice :)
    Thanks,
    Ben.
    Ben van der Meer

    Hi Ben,
    Thank you for posting in Windows Server Forum.
    You can achieve this through group policy but you can do one thing. You can create one group for one server (Suppose group A for server A, B for B, so on). After creating that group add particular user to that group and apply the group policy setting on that group for particular group.
    The group policy which can apply is “Allow users to connect remotely using Remote Desktop Services” under the path mentioned below.
    Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections
    More information.
    http://technet.microsoft.com/en-us/library/ee791922(v=ws.10).aspx
    Hope it helps!
    Thanks.
    Dharmesh Solanki
    TechNet Community Support
