ISE 1.1.1 and additional LDAP attribute retrieval

Hello All,
I'm authenticating users against Active Directory and want to also check additional attributes from LDAP. In ACS 5.3 it was possible to set this up via an External Identity Sequence, but in ISE I don't see this possibility. I can set a sequence only for authentication, but not for additional attribute retrieval.
When I set a condition in a policy that an LDAP attribute must match some value, the attribute is not retrieved and authorization ends on the default Deny Access.
Can anyone tell me how this can be set up on ISE?
Thanks!
Regards
Karel Navratil

Yes, that's what I've tried, as I wrote in my first post, but ISE does not retrieve the attribute from LDAP.
Here are some screenshots:
authorization rule:
ldap attribute in external identity source:
and the logs:
11001  Received RADIUS Access-Request
11017  RADIUS created a new session
11105  Request received from a device that is configured with KeyWrap in ISE.
Evaluating Service Selection Policy
15048  Queried PIP
15048  Queried PIP
15004  Matched rule
11507  Extracted EAP-Response/Identity
12100  Prepared EAP-Request proposing EAP-FAST with challenge
11006  Returned RADIUS Access-Challenge
11001  Received RADIUS Access-Request
11018  RADIUS is re-using an existing session
11105  Request received from a device that is configured with KeyWrap in ISE.
12102  Extracted EAP-Response containing EAP-FAST challenge-response and accepting EAP-FAST as negotiated
12800  Extracted first TLS record; TLS handshake started
12805  Extracted TLS ClientHello message
12806  Prepared TLS ServerHello message
12807  Prepared TLS Certificate message
12810  Prepared TLS ServerDone message
12105  Prepared EAP-Request with another EAP-FAST challenge
11006  Returned RADIUS Access-Challenge
11001  Received RADIUS Access-Request
11018  RADIUS is re-using an existing session
11105  Request received from a device that is configured with KeyWrap in ISE.
12104  Extracted EAP-Response containing EAP-FAST challenge-response
12105  Prepared EAP-Request with another EAP-FAST challenge
11006  Returned RADIUS Access-Challenge
11001  Received RADIUS Access-Request
11018  RADIUS is re-using an existing session
11105  Request received from a device that is configured with KeyWrap in ISE.
12104  Extracted EAP-Response containing EAP-FAST challenge-response
12812  Extracted TLS ClientKeyExchange message
12804  Extracted TLS Finished message
12801  Prepared TLS ChangeCipherSpec message
12802  Prepared TLS Finished message
12816  TLS handshake succeeded
12149  EAP-FAST built authenticated tunnel for purpose of PAC provisioning
12105  Prepared EAP-Request with another EAP-FAST challenge
11006  Returned RADIUS Access-Challenge
11001  Received RADIUS Access-Request
11018  RADIUS is re-using an existing session
11105  Request received from a device that is configured with KeyWrap in ISE.
12104  Extracted EAP-Response containing EAP-FAST challenge-response
12209  Starting EAP chaining
12218  Selected identity type 'User'
12125  EAP-FAST inner method started
11521  Prepared EAP-Request/Identity for inner EAP method
12105  Prepared EAP-Request with another EAP-FAST challenge
11006  Returned RADIUS Access-Challenge
11001  Received RADIUS Access-Request
11018  RADIUS is re-using an existing session
11105  Request received from a device that is configured with KeyWrap in ISE.
12104  Extracted EAP-Response containing EAP-FAST challenge-response
12212  Identity type provided by client is equal to requested
11522  Extracted EAP-Response/Identity for inner EAP method
11806  Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge
12105  Prepared EAP-Request with another EAP-FAST challenge
11006  Returned RADIUS Access-Challenge
11001  Received RADIUS Access-Request
11018  RADIUS is re-using an existing session
11105  Request received from a device that is configured with KeyWrap in ISE.
12104  Extracted EAP-Response containing EAP-FAST challenge-response
11808  Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated
Evaluating Identity Policy
15006  Matched Default Rule
15013  Selected Identity Store - Internal Endpoints
22043  Current Identity Store does not support the authentication method; Skipping it
24210  Looking up User in Internal Users IDStore - test,host/test-pc
24216  The user is not found in the internal users identity store
24430  Authenticating user against Active Directory
24402  User authentication against Active Directory succeeded
22037  Authentication Passed
11824  EAP-MSCHAP authentication attempt passed
12105  Prepared EAP-Request with another EAP-FAST challenge
11006  Returned RADIUS Access-Challenge
11001  Received RADIUS Access-Request
11018  RADIUS is re-using an existing session
11105  Request received from a device that is configured with KeyWrap in ISE.
12104  Extracted EAP-Response containing EAP-FAST challenge-response
11810  Extracted EAP-Response for inner method containing MSCHAP challenge-response
11814  Inner EAP-MSCHAP authentication succeeded
11519  Prepared EAP-Success for inner EAP method
12128  EAP-FAST inner method finished successfully
12105  Prepared EAP-Request with another EAP-FAST challenge
11006  Returned RADIUS Access-Challenge
11001  Received RADIUS Access-Request
11018  RADIUS is re-using an existing session
11105  Request received from a device that is configured with KeyWrap in ISE.
12104  Extracted EAP-Response containing EAP-FAST challenge-response
12126  EAP-FAST cryptobinding verification passed
12200  Approved EAP-FAST client Tunnel PAC request
12219  Selected identity type 'Machine'
12125  EAP-FAST inner method started
11521  Prepared EAP-Request/Identity for inner EAP method
12105  Prepared EAP-Request with another EAP-FAST challenge
11006  Returned RADIUS Access-Challenge
11001  Received RADIUS Access-Request
11018  RADIUS is re-using an existing session
11105  Request received from a device that is configured with KeyWrap in ISE.
12104  Extracted EAP-Response containing EAP-FAST challenge-response
12212  Identity type provided by client is equal to requested
11522  Extracted EAP-Response/Identity for inner EAP method
11806  Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge
12105  Prepared EAP-Request with another EAP-FAST challenge
11006  Returned RADIUS Access-Challenge
11001  Received RADIUS Access-Request
11018  RADIUS is re-using an existing session
11105  Request received from a device that is configured with KeyWrap in ISE.
12104  Extracted EAP-Response containing EAP-FAST challenge-response
11808  Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated
Evaluating Identity Policy
11055  User name change detected for the session. Attributes for the session will be removed from the cache
15006  Matched Default Rule
15013  Selected Identity Store - Internal Endpoints
22043  Current Identity Store does not support the authentication method; Skipping it
24210  Looking up User in Internal Users IDStore - test,host/test-pc
24216  The user is not found in the internal users identity store
24431  Authenticating machine against Active Directory
24470  Machine authentication against Active Directory is successful
22037  Authentication Passed
11824  EAP-MSCHAP authentication attempt passed
12105  Prepared EAP-Request with another EAP-FAST challenge
11006  Returned RADIUS Access-Challenge
11001  Received RADIUS Access-Request
11018  RADIUS is re-using an existing session
11105  Request received from a device that is configured with KeyWrap in ISE.
12104  Extracted EAP-Response containing EAP-FAST challenge-response
11810  Extracted EAP-Response for inner method containing MSCHAP challenge-response
11814  Inner EAP-MSCHAP authentication succeeded
11519  Prepared EAP-Success for inner EAP method
12128  EAP-FAST inner method finished successfully
12105  Prepared EAP-Request with another EAP-FAST challenge
11006  Returned RADIUS Access-Challenge
11001  Received RADIUS Access-Request
11018  RADIUS is re-using an existing session
11105  Request received from a device that is configured with KeyWrap in ISE.
12104  Extracted EAP-Response containing EAP-FAST challenge-response
12126  EAP-FAST cryptobinding verification passed
12201  Approved EAP-FAST client Machine PAC request
Evaluating Authorization Policy
15004  Matched rule
15016  Selected Authorization Profile - DenyAccess
15039  Rejected per authorization profile
12855  PAC was not sent due to authorization failure
12105  Prepared EAP-Request with another EAP-FAST challenge
11006  Returned RADIUS Access-Challenge
11001  Received RADIUS Access-Request
11018  RADIUS is re-using an existing session
11105  Request received from a device that is configured with KeyWrap in ISE.
12104  Extracted EAP-Response containing EAP-FAST challenge-response
11514  Unexpectedly received empty TLS message; treating as a rejection by the client
12512  Treat the unexpected TLS acknowledge message as a rejection from the client
11504  Prepared EAP-Failure
11003  Returned RADIUS Access-Reject
So there is no information that ISE tries to retrieve anything from LDAP.
Regards
Karel
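As an added example (not from Karel's post and not Cisco ISE code), here is a small Python parser for the step log quoted above. It reads the code/message pairs, tags each step with the policy phase being evaluated, and reports which identity stores were consulted, who authenticated where, which authorization profile was selected, and whether any step mentions LDAP at all. The abridged sample log inside the script is copied from the post; the step-code to identity-store mapping and the finding texts are this example's own reading of those lines, not ISE message definitions.

```python
import re

# Constructed sample: an abridged copy of the EAP-FAST session steps quoted in the post above,
# keeping the identity, authentication and authorization steps that decide the outcome.
SAMPLE_STEPS = """\
11001  Received RADIUS Access-Request
11017  RADIUS created a new session
Evaluating Service Selection Policy
15004  Matched rule
Evaluating Identity Policy
15006  Matched Default Rule
15013  Selected Identity Store - Internal Endpoints
22043  Current Identity Store does not support the authentication method; Skipping it
24210  Looking up User in Internal Users IDStore - test,host/test-pc
24216  The user is not found in the internal users identity store
24430  Authenticating user against Active Directory
24402  User authentication against Active Directory succeeded
22037  Authentication Passed
Evaluating Identity Policy
11055  User name change detected for the session. Attributes for the session will be removed from the cache
15013  Selected Identity Store - Internal Endpoints
24431  Authenticating machine against Active Directory
24470  Machine authentication against Active Directory is successful
22037  Authentication Passed
Evaluating Authorization Policy
15004  Matched rule
15016  Selected Authorization Profile - DenyAccess
15039  Rejected per authorization profile
11003  Returned RADIUS Access-Reject
"""

STEP_RE = re.compile(r"^\s*(?P<code>\d{5})\s+(?P<msg>.+?)\s*$")
PHASE_RE = re.compile(r"^\s*Evaluating (?P<phase>.+ Policy)\s*$")

# Step codes seen in the thread whose text names the identity store being consulted
# (this mapping is the example's own, derived from the quoted messages).
STORE_BY_CODE = {
    "24210": "Internal Users",
    "24430": "Active Directory",
    "24431": "Active Directory",
}


def parse_steps(text):
    """Turn the step log into (phase, code, message) tuples.

    'phase' is the most recent 'Evaluating ... Policy' header, so each step can be
    attributed to service selection, identity or authorization evaluation.
    """
    phase, steps = None, []
    for line in text.splitlines():
        m = PHASE_RE.match(line)
        if m:
            phase = m.group("phase")
            continue
        m = STEP_RE.match(line)
        if m:
            steps.append((phase, m.group("code"), m.group("msg")))
    return steps


def summarize(steps):
    """Collect what the session actually did: stores consulted, who authenticated where,
    which authorization profile was selected, and every step whose text mentions LDAP."""
    summary = {
        "identity_stores": [],        # in first-seen order, de-duplicated
        "authentications": [],        # (principal, store) for each successful auth
        "authorization_profile": None,
        "ldap_steps": [],             # (code, message) for anything mentioning LDAP
        "session_attrs_flushed": False,
    }
    for phase, code, msg in steps:
        store = None
        if code == "15013":
            store = msg.split(" - ", 1)[1]
        elif code in STORE_BY_CODE:
            store = STORE_BY_CODE[code]
        if store and store not in summary["identity_stores"]:
            summary["identity_stores"].append(store)
        if code == "24402":
            summary["authentications"].append(("user", "Active Directory"))
        elif code == "24470":
            summary["authentications"].append(("machine", "Active Directory"))
        elif code == "15016":
            summary["authorization_profile"] = msg.split(" - ", 1)[1]
        elif code == "11055":
            summary["session_attrs_flushed"] = True
        if "ldap" in msg.lower():
            summary["ldap_steps"].append((code, msg))
    return summary


def diagnose(summary):
    """Findings a reviewer would raise from the summary alone; wording is this example's, not ISE's."""
    findings = []
    if summary["authorization_profile"] == "DenyAccess" and not summary["ldap_steps"]:
        findings.append("Authorization selected DenyAccess and no step mentions LDAP: the LDAP "
                        "attribute condition in the rule was never evaluated against the directory.")
    if summary["session_attrs_flushed"]:
        findings.append("Step 11055 reported that cached session attributes were removed when the "
                        "identity changed (user to machine in the EAP chaining flow).")
    return findings


if __name__ == "__main__":
    result = summarize(parse_steps(SAMPLE_STEPS))
    for key, value in result.items():
        print("%-22s %s" % (key, value))
    for finding in diagnose(result):
        print("- " + finding)
```

Run over a full live-log or ise.psc export, an empty ldap_steps list next to a DenyAccess profile is the quickest way to confirm what the post describes: the rule's LDAP condition was never evaluated against the directory, so there is no LDAP bind or search to debug on the directory side.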

Similar Messages

  • What is the best way update similar OID and OAM LDAP attributes via OIM?

    Our environment uses OIM provisioning to an OID LDAP which is used by OAM.
    For legacy purposes, we need to populate both the Oracle "orcl*" attributes and OAM "ob*" in cases where they have the same or similar usage.
    Example: When a user is disabled in OIM we need to set orclisenabled="false" and obUserAccountControl="DEACTIVATED" in OID
    What is the best way to accomplish this in OIM? My initial thought was to write a custom adapter, similar to the out-of-the-box OID Modify User adapter, which supports modifying multiple attributes.
    Is there a better way?

    You can create two tasks which will modify two attributes of OID.
    On Disable user task, call task1 and on Success of task1, call Task2 (using Task to Generate Feature).
    You can make use of OOTB connector only.

  • Problem with getting LDAP attributes on ISE when EAPChaining is enabled

    Hi All,
    has anybody an idea how to set up LDAP attribute retrieval with EAP chaining enabled?
    My scenario is:
    - a user with AnyConnect (EAP-FAST) connects to the WLAN and sends their credentials
    - ISE authenticates the username and password against Active Directory
    - ISE should check whether the same user ID has, in an LDAP directory (not AD, a different store), a special attribute which controls access to our WLAN
    - If the attribute is found, then the authorization profile is matched.
    This works when I disable EAP chaining (Policy -> Policy Elements -> Results -> Authentication -> Allowed Protocols ...).
    In the logs I've found that the user was not found in LDAP, but the user exists.
    Maybe the workaround could be: if just the user from EAP chaining is used and not also the hostname, then it could match. But I cannot find any similar parameter which returns only the user.
    Does anybody have an idea how to solve this?
    Thanks!
    K.

    Hi,
    This seems like a corner issue, because EAP-FAST with LDAP is not supported. LDAP as a protocol doesn't support hash-based authentication, hence the reason ISE is failing to hit the LDAP database.
    Referencing acs material since ise docs are not complete:
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.2/user/guide/eap_pap_phase.html
    Sent from Cisco Technical Support Android App

  • OAM 11gR2 Authentication using username/password/additional ldap field

    I want to add an additional credential parameter along with username and password to be validated against LDAP.
    Is there any out-of-the-box solution for authentication using username/password/additional LDAP field in OAM 11gR2?
    This solution exists in 10g, and I could not find any OOB feature in 11g.

    Do you need to accept an additional parameter from the user via the login form and then use it in the credential mapping step?
    Not sure if the %% syntax would work; I haven't tried it. The next option is to develop a custom authentication plugin.
    Additional LDAP attribute against a static value:
    If you need to add an additional LDAP attribute (checked against a static value), you can specify that in the LDAP search filter in the "User Identification plugin" configuration.
    Take a look at "MTLDAPPlugin" under custom authentication modules.
    Hope this helps

  • ISE 1.1.1 and LDAP debugging

    Hello,
    does ISE have any debug logs for LDAP communication during authorization, like obtaining attributes from the LDAP server?
    Thanks.
    Regards
    Karel

    Yes it does,
    Here are the steps
    http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_logging.html#wp1061989
    If you scroll down there is a debug log level config section. Please set client and runtime to trace, reproduce, and download the ise.psc log.
    Thanks
    Sent from Cisco Technical Support iPad App

  • Using additional userprofile attributes from LDAP

    Hi,
    my users are inside an OpenDS LDAP server connected to SSGD 4.41, and all works fine.
    I would like to store some additional SGD attributes like
    UserProfile.Multiple = yes/no
    (Multiple: whether someone may log in using this user profile and whether this user profile will be shared by multiple users in the form of a "guest" account.)
    also inside the LDAP (extending my own LDAP schema).
    Question: how can I tell SSGD to use this attribute UserProfile.Multiple from LDAP instead of looking into the local repository?
    regards
    Danny

    Hi Danny,
    I don't think you can do this, as user profile data is never read from the LDAP directory. LDAP users always have to be mapped to a local profile (from the SGD datastore), meaning that any attributes on the user object from the LDAP directory wouldn't be considered when evaluating a user's profile.
    Does anyone else have a take on this?
    -- DD

  • Ask the Expert: ISE 1.2: Configuration and Deployment with Cisco expert Craig Hyps

    Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about how to deploy and configure Cisco Identity Services Engine (ISE) Version 1.2 and to understand the features and enhanced troubleshooting options available in this version, with Cisco expert Craig Hyps.
    October 27, 2014 through November 7, 2014.
    The Cisco Identity Services Engine (ISE) helps IT professionals meet enterprise mobility challenges and secure the evolving network across the entire attack continuum. Cisco ISE is a security policy management platform that identifies users and devices using RADIUS, 802.1X, MAB, and Web Authentication methods and automates secure access controls such as ACLs, VLAN assignment, and Security Group Tags (SGTs) to enforce role-based access to networks and network resources. Cisco ISE delivers superior user and device visibility through profiling, posture and mobile device management (MDM) compliance validation, and it shares vital contextual data with integrated ecosystem partner solutions using Cisco Platform Exchange Grid (pxGrid) technology to accelerate the identification, mitigation, and remediation of threats.
    Craig Hyps is a senior Technical Marketing Engineer for Cisco's Security Business Group with over 25 years networking and security experience. Craig is defining Cisco's next generation Identity Services Engine, ISE, and concurrently serves as the Product Owner for ISE Performance and Scale focused on the requirements of the largest ISE deployments.
    Previously Craig has held senior positions as a customer Consulting Engineer, Systems Engineer and product trainer. He joined Cisco in 1997 and has extensive experience with Cisco's security portfolio. Craig holds a Bachelor's degree from Dartmouth College and certifications that include CISSP, CCSP, and CCSI.
    Remember to use the rating system to let Craig know if you have received an adequate response.
    Because of the volume expected during this event, Ali might not be able to answer each question. Remember that you can continue the conversation on the Security community, sub-community shortly after the event. This event lasts through November 7, 2014. Visit this forum often to view responses to your questions and the questions of other community members.

    1. Without more specifics it is hard to determine actual issue. It may be possible that if configured in same subnet that asymmetric traffic caused connections to fail. A key enhancement in ISE 1.3 is to make sure traffic received on a given interface is sent out same interface.
    2. Common use cases for using different interfaces include separation of management traffic from user traffic such as web portal access or to support dedicated profiling interfaces. For example, you may want employees to use a different interface for sponsor portal access. For profiling, you may want to use a specific interface for HTTP SPAN traffic or possibly configure IP Anycast to simplify reception and redundancy of DHCP IP Helper traffic. Another use case is simple NIC redundancy.
    a. Management traffic is restricted to eth0, but standalone node will also have PSN persona so above use cases can apply for interfaces eth1-eth3.
    b. For dedicated PAN / MnT nodes it usually does not make sense to configure multiple interfaces, although ISE 1.3 does add support for SNMP on multiple interfaces if needed to separate it out. It may also be possible to support NIC redundancy, but I need to do some more testing to verify.
    For PSNs, NIC redundancy for RADIUS as well as the other use cases for separate profiling and portal services apply.
    Regarding the Supplicant Provisioning issue, the flows are the same whether wireless or wired. The same identity stores are supported as well. The key difference is that wireless users are directed to a specific auth method based on WLAN configuration, and Cisco wired switches allow multiple auth methods to be supported on the same port.
    If RADIUS Proxy is required to forward requests to a foreign RADIUS server, then the decision must be made based on basic RADIUS attributes or things like NDG. ISE does not terminate the authentication requests; that is handled by the foreign server. ISE does support advanced relay functions such as attribute manipulation, but I recommend reviewing the requirements with your local Cisco or partner security SE if trying to implement provisioning for users authenticated via proxy. Proxy is handled at the Authentication Policy level. CWA and Guest Flow are handled in the Authorization Policy. If you need to authenticate a CWA user via external RADIUS, then you need to use a RADIUS Token Server, not RADIUS Proxy.
    A typical flow for a wired user without 802.1X configured would be to hit the default policy for CWA. Based on successful CWA auth, CoA is triggered and the user can then match a policy rule based on guest flow and CWA user identity (AD or non-AD) and be returned an authorization for NSP.
    Regarding AD multi-domain support...
    Under ISE 1.2, if you need to authenticate users across different forests or domains, then mutual trusts must exist, or you can use multiple LDAP server definitions if the EAP protocol supports LDAP. RADIUS Proxy is another option to have some users authenticated to different AD domains via a foreign RADIUS server.
    Under ISE 1.3, we have completely re-architected our AD connector and support multiple AD Forests and Domains with or without mutual trusts.
    When you mention the use of RADIUS proxy, it is not clear whether you are referring to ISE as the proxy or another RADIUS server proxying to ISE. If you had multiple ISE deployments, then a separate RADIUS server like ACS could proxy requests to different ISE 1.2 deployments, each with their own separate AD domain connection. If ISE is the proxy, then you could have some requests being authenticated against the locally joined AD domain while others are sent to a foreign RADIUS server which may have one or more AD domain connections.
    In summary, if the key requirement is the ability to join multiple AD domains without mutual trust, then very likely ISE 1.3 is the solution. Your configuration seems to be a bit involved and I do not want to provide design guidance on a paper napkin, so I recommend consulting with your local ATP Security SE to review overall requirements, topology, AD structure, and RADIUS servers that require integration.
    Regards,
    Craig

  • Address Book not showing all LDAP attributes

    The Address Book does not provide access to all LDAP attributes. For example
    homePhone
    homePostalAddress
    labeledURI
    are some of the fields currently left out. It would be nice if it was possible to configure the schema mapping, similar to Thunderbird, which allows the mapping of all the fields it knows about to corresponding LDAP attributes. Also inetOrgPerson, even though it is the de facto standard, is rather due for redesign.
    I am just wondering if anybody else is having this problem and if they found a solution?

    The script did not work for me:
    python fixBirthdays
    Traceback (most recent call last):
      File "fixBirthdays", line 6, in <module>
        import AddressBook
    ImportError: No module named AddressBook
    Further, the particular vCard that is misbehaving: I exported it and opened it in TextEdit.
    This is what I see for the date field:
    item1.X-ABDATE;type=pref:2003-06-17
    The year is not negative either.
    I unchecked and checked the birthday calendar in iCal, exited iCal after unchecking, relaunched iCal and checked that option.
    No show of the birthdate.
    Stumped.

  • Error 5398 Duplicate value addition in attribute ...

    I'm seeing the following error messages in my error log and am not sure what to do about it since the reference guide does not list it. Solaris 8, DS 5.2.
    ERROR<5398> - Entry - conn=-1 op=-1 msgId=-1 - Duplicate value addition in attribute "objectClass" of entry "ou=Configs, o=Contivity, o=vpn"
    ERROR<5398> - Entry - conn=-1 op=-1 msgId=-1 - Duplicate value addition in attribute "objectClass" of entry "cn=14649, ou=Configs, o=Contivity, o=vpn"
    Here are some historical events that may help shed light on things:
    The errors are occurring on Searay. I have another LDAP server called Mantaray. Here is some historical data that may help shed light on the matter:
    I wanted the DNS domain the LDAP was using changed on Searay so I configured searay:o=vpn for Master replication and created o=vpn on Mantaray and configured it as a consumer.
    After the suffix was replicated I broke the replication and unconfigured Searay and then configured it. I then did the reverse and made Mantaray:o=vpn the master and Searay:o=vpn the consumer. I then broke the replication again and tried to get Multi-Master replication to work between the two servers. It took a few tries before things seemed to start working right.

    This thread (http://swforum.sun.com/jive/thread.jspa?forumID=13&threadID=21473) seems similar, but I cannot find where the nsslapd-referral that kunal mehta mentions is located.
    I did look at the dse.ldif for each server and both looked okay.

  • Inbound mail routing based on LDAP attribute mailsystem

    Hi gents and ladies,
    I have a small question ...
    Is it possible to route an email to a recipient based on an LDAP attribute like mailsystem or the LDAP attribute domain?
    We have an infrastructure with Domino and Exchange. All users have a so-called maindomain.net SMTP address.
    Is it possible to manage such routing via mail policies or message filters?
    Or is it just easy to realize this with the SMTP routing list? e.g. maindomain.net gets an entry in SMTP routing pointing to the Domino gateway ... if no delivery is possible, the default gateway (Exchange gateway) would be used instead?
    Thanks in advance for your help and hints.

    Hello HPGroh2013,
    I think I answered your question in the previous entry, at least it looks the same to me.
    Regards,
    Andreas

  • Word 2013 and Active Directory attribute

    Hi,
    I'm working with WS2008R2 SP1 AD, Office Standard 2013 and W7 SP1 x64. Our company wants to create .dotm/.dotx files with automatic fields.
    For example, we want that when a user opens a .dotx his name appears automatically. This one is easy: it's the {AUTHOR \*MERGEFORMAT} field.
    But what we want to do is the same for the:
    - street address
    - email address
    - job title
    All this information is in our Active Directory, but it seems that Word does not read the Active Directory info directly but some cached info on the computer.
    So, is there a way or workaround to create some .dotx with the possibility to extract some AD attributes attached to a user and, at the end, to build a semi-automatic doc with the information of the user who has opened this .dotx/.dotm?
    So far, clues say that I have to write some VBA script, and there are two kinds of solutions/workarounds:
    The first lead is:
    To retrieve the user account properties from Active Directory, we have to turn to some VBA scripts; there is no way to achieve this via any built-in features.
    As far as I know, you can bind to the user account object by using the GetObject function and the LDAP provider.
    Then use the GetInfo method to initialize the local cache with attributes of the user account object. This step will ensure that the most up-to-date attribute values of the ADSI object are retrieved.
    For example:
    Set objUser = GetObject _
    ("LDAP://...")
    objUser.GetInfo
    If you want to get these attributes when you create a new document based on a template (.dotx/.dotm), you'll need to use the AutoNew macro.
    The second lead is:
    http://heureuxoli.developpez.com/office/word/creermodele/#L2-G
    Thank you in advance for any kind of answer.
    Best regards

    Hello,
    Have you tried these two methods? What is the result and what is your decision?
    If you're familiar with the Visual Studio IDE and .NET Framework, I would recommend that you create an application-level or document-level Add-In for Word, because it's easy to access AD with managed code, and it's suitable in your case. You can check the MSDN document here for the related objects you need to use in .NET Framework to access AD:
    https://msdn.microsoft.com/en-us/library/gg145037(v=vs.110).aspx
    But if you just want to use VBA for Word, this KB article tells you how to do this via an ADO connection:
    https://support.microsoft.com/kb/187529/en-us?wa=wsignin1.0
    If you want to know something about Active Directory itself, then this is not the correct forum; you can open a new thread in the AD forums for help.
    Thanks for your understanding.

  • Roles Setting and Removing Resource Attributes

    Hello All,
    I have a quick question (Which I hope has a quick answer). I am trying to set up a role, so that when it is assigned to a user, sets an attribute value on an LDAP resource. Then, when the role is removed from the user, the attribute value is cleared. When setting up the role, I specified the resource as assigned, and then set the attribute. When I set the role on a user, it is successfully setting the value in the attribute. When I remove the role from the user, it is not removing the value in the attribute. Is there an easy way to do this?
    Thanks!

    Hi,
    When setting the RoleAttribute you need to set "Authoritative Set to Value, Clear Existing"; then when the role is removed from the user, the attribute value is deprovisioned. Unfortunately this also has the effect of removing any other value that the attribute may have (especially true since many LDAP attributes are multi-valued).
    HTH,
    Paul Walker

  • Read LDAP Attributes

    Hi Friends,
    Is it possible to read an LDAP attribute of a logged-in user from a WD application running in the portal? How and where can I see all the available attributes in LDAP?
    Thanks in advance
    Nathan.

    Hi Nathan,
    Right now I am also working on using attribute values of LDAP users in a Web Dynpro application. You need to work with the UME API, which is available on SDN.
    You will get the values in the Web Dynpro application through these APIs.
    Thanks,
    sahu

  • Windows LDAP attributes match for the Synology LDAP client profile filter.

    I have a Windows Server 2012 domain controller with LDAP enabled. I wish to enable the LDAP client on a Synology DiskStation to search for users and give them access to shared folders on the Synology. I have enabled the client, which shows as connected to the Windows LDAP service, but it is not populating any users.
    Has anybody figured this out? It requires profile settings. I'm finding it difficult to identify the LDAP attributes that match the Synology profile filter attributes.
    Refer following image.
    This topic first appeared in the Spiceworks Community

    Specify a Dynamic Access Profile with:
    Criteria: User has ALL of the following AAA attribute values...
    ldap.memberOf != GroupName
    cisco.tunnelgroup = TunnelGruopName
    Should work
    /K

  • AnyConnect and nested LDAP memberof

    Hi
    Below you will see that I have configured two memberOf mappings. The second is what I need help with.
    The first AD group named VPN_CORP contains users that require access to our corporate office through VPN. This works fine.
    However, I think it would be easier to administer if I could drag user groups under the VPN_CORP group. I've created this second "Finance users" mapping and placed an existing AD user group named 'Finance Users' under VPN_CORP.
    My problem is this isn't working. Although the AD group "Finance Users" is under VPN_CORP, if I execute a domain 'find' searching for my test user dfood, it doesn't show me that dfood is subordinate to group VPN_CORP, Finance Users, but rather only the original path where the user group Finance Users truly exists.
    I know I can enter the full path to the true OU and this would work, but this is defeating the purpose of simplifying this.
    I guess what I'm trying to ask is how can I configure this to traverse groups dropped into the container VPN_CORP? Am I stuck adding users individually?
    Sincerely
    Jeff
    ldap attribute-map ACME_LDAP_Map
      map-name  memberOf IETF-Radius-Class
      map-value memberOf CN=VPN_CORP,CN=Users,DC=acme,DC=com CORP-Policy
      map-value memberOf "CN=Finance Users,CN=VPN_CORP,CN=Users,DC=acme,DC=com" CORP-Policy
    aaa-server LDAP_SRV_GRP (inside) host 10.8.16.140
    server-port 636
    ldap-base-dn DC=acme,DC=com
    ldap-scope subtree
    ldap-naming-attribute sAMAccountName
    ldap-login-password .x.x.x.x.
    ldap-login-dn XXXXXXXXXXXX
    ldap-over-ssl enable
    server-type microsoft
    ldap-attribute-map acme_LDAP_Map

    I know this is from over a year ago and was wondering if anything had changed? I too am looking to try to use nested members for my VPN authentication.
    Here is why... When our server group originally set the network up they created base groups. Then under each base group they created our different locations and placed users into those location levels. This made it easier for them to research issues with a specific group or supposedly run reports to give the security stuff for a specific location across the board. Right, wrong or indifferent, I am now trying to fit this into our new AnyConnect VPN deployment. I am going to have over 300 different users and have been asked to try to keep this method.
    I noticed in the above that there was a reference to DAP? If that is the solution, where can I find more information on how this works and how to set it up?
    Brent
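Added example, not from the thread above and not Cisco's own code: a Python model of the literal memberOf comparison that a `map-value memberOf <DN> <policy>` line performs, beside a transitive walk that follows memberOf from the user's group up through its parent groups, which is the nested membership Jeff and Brent are after. The directory contents, the DN where the "real" Finance Users group lives, the Loop-A/Loop-B groups and the user dfood are constructed for this example; the only real identifier beyond the thread's own DNs is the Active Directory matching-rule OID 1.2.840.113556.1.4.1941 (LDAP_MATCHING_RULE_IN_CHAIN), which AD evaluates inside a search filter to expand nested membership on the directory side.

```python
# Constructed DNs: VPN_CORP and the map-value lines are taken from the thread; the Finance Users
# location, the test user and the Loop groups are invented for this example.
VPN_CORP = "CN=VPN_CORP,CN=Users,DC=acme,DC=com"
FINANCE = "CN=Finance Users,OU=Departments,DC=acme,DC=com"   # where the group really lives
DFOOD = "CN=dfood,CN=Users,DC=acme,DC=com"                    # test user
LOOP_A = "CN=Loop-A,CN=Users,DC=acme,DC=com"                  # two groups nested in each other,
LOOP_B = "CN=Loop-B,CN=Users,DC=acme,DC=com"                  # to show the walk terminates

# Constructed directory: each entry carries only its memberOf values, which is all a memberOf
# comparison ever sees. Groups carry memberOf too, so nesting is visible group-to-group.
DIRECTORY = {
    DFOOD: {"memberOf": [FINANCE]},
    FINANCE: {"memberOf": [VPN_CORP, LOOP_A]},
    VPN_CORP: {"memberOf": []},
    LOOP_A: {"memberOf": [LOOP_B]},
    LOOP_B: {"memberOf": [LOOP_A]},
}

# The two map-value lines from the attribute map in the thread, as (DN, policy) pairs.
MAP_VALUES = [
    (VPN_CORP, "CORP-Policy"),
    ("CN=Finance Users,CN=VPN_CORP,CN=Users,DC=acme,DC=com", "CORP-Policy"),
]


def direct_groups(directory, dn):
    """The memberOf values on the entry itself: what a flat attribute-map comparison evaluates."""
    return set(directory.get(dn, {}).get("memberOf", []))


def transitive_groups(directory, dn):
    """All groups reachable by following memberOf from the entry through its groups (cycle-safe)."""
    seen, todo = set(), list(direct_groups(directory, dn))
    while todo:
        group = todo.pop()
        if group in seen:
            continue
        seen.add(group)
        todo.extend(direct_groups(directory, group))
    return seen


def direct_member_of(directory, dn, group_dn):
    return group_dn in direct_groups(directory, dn)


def transitive_member_of(directory, dn, group_dn):
    return group_dn in transitive_groups(directory, dn)


def map_memberof_to_policy(groups, map_values):
    """First map-value whose DN appears among the supplied group DNs, mirroring the
    'map-value memberOf <DN> <policy>' lines; None when nothing matches."""
    for dn, policy in map_values:
        if dn in groups:
            return policy
    return None


def escape_filter_value(value):
    """RFC 4515 escaping for a value placed inside an LDAP search filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)


AD_IN_CHAIN_OID = "1.2.840.113556.1.4.1941"   # LDAP_MATCHING_RULE_IN_CHAIN (Active Directory)


def nested_member_filter(group_dn):
    """An AD search filter matching entries that are members of group_dn directly or via nesting,
    so the directory performs the expansion instead of the client."""
    return "(memberOf:%s:=%s)" % (AD_IN_CHAIN_OID, escape_filter_value(group_dn))


if __name__ == "__main__":
    print("direct match on VPN_CORP:    ", direct_member_of(DIRECTORY, DFOOD, VPN_CORP))
    print("transitive match on VPN_CORP:", transitive_member_of(DIRECTORY, DFOOD, VPN_CORP))
    print("policy from direct groups:   ", map_memberof_to_policy(direct_groups(DIRECTORY, DFOOD), MAP_VALUES))
    print("policy from nested groups:   ", map_memberof_to_policy(transitive_groups(DIRECTORY, DFOOD), MAP_VALUES))
    print("server-side filter:          ", nested_member_filter(VPN_CORP))
```

The first two checks reproduce what the post observed: the user's own memberOf attribute carries only the group the account is a direct member of, so a literal match on VPN_CORP fails, while following memberOf from group to group reaches it. Note also that the thread's second map-value names "CN=Finance Users,CN=VPN_CORP,..." as if VPN_CORP were a container; in the model the group's real DN is elsewhere, so that line never matches either. The filter function shows the form a query takes when the directory itself does the expansion; whether a given gateway lets you supply such a filter is outside what this thread covers.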
