ISE 1.1.1 - RegisteredDevices Identity Group
Working on building a ISE 1.1.1 system to match our internal security policies, and have hit a dilemma. Here goes:
The requirement states that there need to be differing network authorization profiles for different device types: Domain PCs, Non-Domain Workstations, iPads, and iPhone/Android Phones. Also, all (other than IP Phones and printers) endpoints must be self-registered by the user (My Devices workflow in CWA) who operates them so they appear in the My Device Portal.
In the authorization rules, there appear to be no way to create a authorization rule to match a "profiled workstation" AND a "registered device".
This is because within ISE, any endpoint that is "registered" joins the RegisteredDevices Identity Group, and is no longer a part of the configured indentity group created by the profiling system. For instance, a profiled Win7-Workstation is a member of the profiler-created Workstation IG until it is registered, then it becomes a member of the RegisteredDevices Identity Group.
So basically, it appears ISE does not support per-devicetype(from profiler) authorization rules *while also* supporting device registration ("My Devices").
Or am I missing something?
Here is a screenshot of the rule in question:
and here is the breakout of the Compound condition called WorkstationOSs, based on your recommendation:
Without this compound condition, the authorization is matched. With it there, it is not matched, even though the endpoints are profiled as such.
Similar Messages
-
ISE 1.2 Multi-Portal Identity Group Mapping
Hi,
Quick question regarding the use of Multi-Portal on ISE 1.2: Is it possible to map a single portal to a certain identity group? e.g. I have a portal for guest users, to which only users in the "ACME_guests" identity group can authenticate. I have a separate Portal for employees, where only users of the "ACME_employees" group can authenticate.
I know that I can specify a separate authentication sequence for each portal (e.g. internal, guests, AD), but I cant find a possibility to map a group to a certain portal. This has the consequence that e.g. guest users can log into the employee portal, and getting a successful authentication message. Of course I can further restrict the access in another policy rule, but this isnt a very neat solution.
Anybody have any ideas? It seems so basic that it has to be possible somehow?!
RegardsYou can redirect users so they can "stick" to one portal once they have successfully authenticated. There is a document regarding device registration web authentication. Basically after a user connects successfully you can redirect them to an AUP specially designed to statically assign users to a specific endpoint identity group.
In the end if a user logs into portal A they hit the DRW and accept, ISE dumps them into a endpoint group called PortalA, you can then tie this into a policy where the PortalA endpoint is denied association to any other open ssid you have in your design.
Here is the document -
https://supportforums.cisco.com/docs/DOC-26667
Tarik Admani
*Please rate helpful posts* -
ISE 1.2: Remove unused Sponsor Group and Identity Group
Hi
I started with ISE 1.1.2 and now upgrade to 1.2.
There are 1. Sponsor Groups and 2. Identity Groups which are no more in use, but I am not able to remove them anymore.
1. One is a special Sponsor group which sponsor group policy I already removed. The I go to Aministration>Web Portal Management>Sponsor Groups and select the appropriate Group ans click delete and ok to confirm, the following error is displayed:
com.cisco.cpm.nsf.api.exceptions.NSFEntityDeleteFailed: java.rmi.RemoteException: Failed to execute the Query : DELETE_USERONAPP ORA-02292: integrity constraint (CEPM.EDF_GST_SPGRPID_SUB) violated - child record found ; nested exception is: java.sql.SQLIntegrityConstraintViolationException: ORA-02292: integrity constraint (CEPM.EDF_GST_SPGRPID_SUB) violated - child record found
2. The same happens with one Identity Group. I do not have it active anymore. Not in authentication, and not in authorization policy. I go to Administration>Identity Management>Groups> and select te group to remove, and click "Delete selected" and confirm with ok, the following error occured:
Cannot delete selected Identity Group(s) because there are resources which are mapped to these or its child identity group(s)
Is there any reason for any of these issue?
Many thanksHi ,
Please open service request with cisco. These kind of issues may happen when the dependencies are deleted from UI but there is a chance that some of the dependencies may not be deleted completely and are not visible from UI as well. These kind of issues can be resolved under cisco guidance.
Thanks,
Naresh -
Cisco ISE: How to match an endpoint belong to an identity group ?
Hello,
I am running Cisco ISE 1.1.4.218 in a standalone environment.
I am trying to setup Compound Condition for Authorization.
I would like the condition to match the MAC address of the calling machine to the internal endpoint MAC address list.
I created 1 endpoint identity group and 2 children groups
- GroupParent
- ChildA
- ChildB
I put the MAC address of my machine in the group ChildA.
In my condition, I tried the following:
IdentityGroup:Name, Equals, ChildA
IdentityGroup:Name, Equals, GroupParent:ChildA
IdentityGroup:Name, Match, .*(ChildA).*
I even tried to put the MAC address in the GroupParent level and tried to update the condition to be:
IdentityGroupName, Equals, GroupParent
IdentityGroupName, Match, .*(GroupParent).*
But no one of these options worked.
I am almost sure that in Cisco ISE 1.1.1, it was working fine. But I updated today to 1.1.4 and I cannot make it work.
Can anyone help me ?
Best regards,
DavidYou could try the following to match only the parent group
IdentityGroup:Name EQUALS GroupParent
You could try the following to match only child group A
IdentityGroup:Name EQUALS GroupParent#ChildA
You could try the following to match all child groups of GroupParent
IdentityGroup:Name STARTS_WITH GroupParent
Please rate if this helps -
Hello,
in the old ISE 1.2 my guest users (created by the sponors portal) where put into a own created identity group called RU2_id_grp.
How can I realize this on ISE 1.3. In ISE 1.3 the users fall always into the GuestType_Group which was created by the ISE.
I need the sepearete groups for my authorization policy.
Regards
filipOK, then DESELECT the option above and do this:
Navigate to Guest Access > Settings > Guest Locations and SSIDs. Enter the locations to which your sponsors will assign guests:
Remember to Save.
Now to Guest Access > Configure > Sponsor Groups. Click Create:
Once you place your cursor in the text box for Select the locations that guests will be visiting, you will see the locations you created in the last step.
Now assign the User Group to be associated with this Sponsor Group by clicking the Members... button:
Click OK, then Save.
This should do it for you.
Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question. Otherwise, feel free to post follow-up questions.
Charles Moreton -
ISE Endpoint Identity Group assignment for 802.1x clients
Hello
I'm using ISE 1.3 to 802.1x authenticate AD PC's (machine and user with Anyconnect NAM) and to profile/mab IP Phones, printers, APs etc.
Phones are profiled (EndPointSource of SNMPQuery Probe) and are placed automatically in the correct Identity Group.
AD PC's aren't profiled and are listed under Endpoints withthe Enpoint Profile of "unknown"
To place AD PC's into a particular Identity Group, I created a Radius Profiling Policy to match on the Framed-IP-Address. This works well with the AD PC appearing in the correct Identity Group (with EndPointSource of RADIUS Probe).
My questions are:
A phone (profiled with EndPointSource of SNMPQuery Probe) consumes a Plus licence but an AD PC ("profiled" with EndPointSource of RADIUS Probe) does not - is this correct?
Authenticated 802.1x AD PC's have other attributes (like AD-Host-Resolved-DNs) that I'd like to use to assign PC's to an Identity Group. I can't use these attributes with any of the ISE profilers - is there a way to assign an 802.1x authenticated client to an Identity Group at the authorisation stage rather than use the profiler?
Thanks
AndyErr, no. There is no provision in EAP-TLS, PEAP (CHAP), or even basic EAP to provide network information (eg IP address/mask/gateway/DNS/etc).
There is also no provision in Windows 2k or XP interface management software to accept IP details for interface configuration via any wireless authentication protocol.
peter -
ISE Identity Groups in AuthZ Policy
So we all know we can leverage identity groups in authorization policy, can we leverage two of them ? I tried building a compound condition that uses an identity group (MAB) along with another identity group (User) and can not get the policy to hit..Thoughts?
I doubt that, as far as i can tell with ISE, when you are being authenticated either by mab or by a user/pass with ex PEAP, your identity is established as either, not both, and the identity is what gets compared to identity groups.
-
ISE 1.2 - Match Policy Set based on endpoint identity group?
Hello, I would like to create a condition that would force MAB'd clients to hit a certain policy set if their MAC address matches one in an endpoint identity group? Is this possible? I feel like a condition can be created using a combination of attributes, but I cannot seem to hit on it properly. Thanks.
The cleanest way to to this would be to dedicate:
1. (Wired) A test switch where all of your test devices are connecting. You can then build a policy set that matches against that NAS.
2. (Wireless) A test SSID and/or a controller (virtual or 2504). You can then build a policy set that is dedicated to that SSID
Thank you for rating helpful posts! -
I need to avoid a large set of devices to get access to Internet through the Wireless Guest Service. I had made some test and know I can block a MAC address through the Policy Authorization (If Blacklist then DenyAccess).
In order to blacklist a large set I would like to import the MAC list and include in the CSV the Identity Group Assignment. It appears it is not possible ... I can have an easy way to change the Identity Group Assignment instead of one by one?
Regards.
Daniel Escalante.Additional Information and Question:
Currently my Authorization Policy has this:
The result is that any user trying to acesss the Guest Service can see the Guest Portal, introduce Credentials and if they are valid, the AUP is displayed, after that if the device is in the Blacklist, service is denied and the Guest Portal is displayed again, but any message about the situation is indicated to the user. I wonder if I can generate a message and even avoid the AUP if the device is in the blacklist.
Any comment will be greatly appreciated.
Regards.
Daniel Escalante -
Static Identity Group Assignment
Does anyone know a way to bring in an endpoint with the following attributes?
Endpoint Policy Name Static = True
Static Group Assignment Static = True
The 1.2 manual says;
If the file used for import contains endpoints that have their MAC addresses, and their assigned endpoint profiling policy is the static assignment, then they are not re-profiled during import.
To change a dynamic assignment of an endpoint identity group to static, check the Static Group Assignment check box. If the check box is not checked, then the endpoint identity group is dynamic as assigned by the profiler based on policy configuration.
Statically Profiled Endpoints
An endpoint can be profiled statically when you create an endpoint with its MAC address and associate a profile to it along with an endpoint identity group in Cisco ISE. Cisco ISE does not reassign the profiling policy and the identity group for statically assigned endpoints.
A) Does anyone know a way to import from an LDAP database and maintain the Static Group Assignment = True.
I successfully do an LDAP import of the MAC and Endpoint Group (which comes in as True) but the Static Group Assignment has the Endpoint Group Assignment correct but static is false unchecked. I don't want these profiling any more. These are thousands of endpoints and I do not see any way to do a bulk change. I have tried exporting and re-importing but that doesn't really scale.
B) Would creation of an endpoint group that is not part of the Profiled endpoint group change the behavior I see above when I do my LDAP import?
If there were a way to do the bulk selection and change the static property or the Static Group Assignment that would be of huge benefits. The changes apply to the fields selected within the endpoints while maintaining the MAC property of the endpoint.
Thanks in advance for any suggestions.James,
That is possible but do you have the dhcp probe enabled and have you thought about setting up an ip helper statement or assigning the ISE node as one of the dhcp servers on the WLC?
There is a built in check such that if the dhcp class identifier contains MSFT will profile the endpoint as a windows workstation.
However if this is not the case then you can create the following condition under the Policy Elements > Conditions > Profiling > New Profiler Condition, you will use the create (advanced...) then select NMAP > 135-tcp > then set the operator EQUAL to msrpc.
Then go under the Microsoft-Workstation and select the option to create a matching identity group (its much easier rather than using the heirarchy option) and set the certainity factor 30. Then add this new condition and set the certainity to 30 also.
Hope that helps,
Thanks,
Tarik Admani
*Please rate helpful posts* -
ACS 5.3 Authorization problem with using Identity Groups in Access Policy Rule
Hello guys, I am found a problem which I can't solve regarding authorization with using Identity Groups in Access Policy rule.
ACS version: 5.3.0.40.6 (internal build B.839)
I have very simple RADIUS Authorization rule which authorize user on behalf of right Identity Group.
Requested Identity Group exist
Testing user is created in Internal Users and has assigned requested Identity Group
Radius Access Policy:
Authentication against Identity Store Sequence, where authorization server is external RSA SecurID device and additional attributes retrieval is configured from Internal Users.
Authorization is very simple – One Rule with only one Condition which is: Identity Group - in - Requested_Testing_Rule. Then Default rule is set to Deny.
When I will try login with my testing user then authentication against RSA SecurID is OK, but authorization will be denied by Default rule – It looks like my Rule with Identity Group is totally omitted.
I am managing several other ACS servers (version 5.3 but with older patches) where similar rules are working without problem.
What I am tested:
Remove testing user and create his account again.
Rename Identity Group
Use another Identity Group
Remove Access Policy rule and create it again
Use Compound Condition: System:Identity Group
Use Compound Condition: System:UserID instead of Identity Group in Rule (it is working without problem)
Do you have any idea where problem can be?OK guys, it started working yesterday without any configuration change. Maybe it was some database inconsistence wich was solved by ACS itself.
-
AuthZ Policy using specific Endpoint Identity Groups
I am trying to create an AuthZ policy that will identify if a device is in specific Endpoint Identity Group. See policy below.
I used the IdentityGroup:Name attribute Equals the Identity Group MAB_Devices. Please note that there are NO Identity groups listed in the dropdown options, so I typed in the name. Alas, the rule is not working. Anyone have advise on what I am doing wrong? ThxBransomar, your screenshot is an Authentication policy rule but you should do it in Authorization policy. Authentication policy sorts out requests by request method and origin and assigns an identity store to each.
-
How to map 2 AD groups into 2 different LOCAL Identity Groups in ACS5.2?
hi guis!
i want to map 2 groups from external AD to 2 internal groups. like it was in 4.x. can someone advise me how to do this?In order to map 2 different AD groups to 2 different local Identity groups we will need to do the following.
Assuming that the ACS is already Joined to a domain for example csco.com
1. we need to populate the concerned 2 AD groups in
Users and Identity Stores > External Identity Stores > Active Directory > Directory Groups tab.
To do this please follow the steps given in the following link "Selecting an AD Group"
http://www.cisco.com/en/US/partner/docs/net_mgmt/cisco_secure_access_control_system/5.2/user/guide/users_id_stores.html#wp1140999
Once we have the 2 groups populated in there we now need to create a Group mapping policy under the concerned Access Service to map each AD group to the internal group (Internal groups need to be created prior).
1. Make sure group mapping policy option is enabled for the concerned Access Service.
Access Policies > Select the Access Service > Edit
Under General Tab > Policy Structure > Make sure "Group Mapping" is checked
2. Configure group mapping under the Access Service. (Lets say the Access Service name is "Default Network Access")
Access Policies > Default Network Access > check the Radio button "Rule based result selection"
3. Configure a rule
Click on Create > Conditions > Check Compound condition >
In the Dictionary choose "AD-AD1"
Attribute Select "ExternalGroups"
Operator "Contains any"
Value > click on select > you should see the the 2 groups of AD added previously > select one for which we making a group mapping
click on add
You should now see a rule in "Current Condition Set"
In results section > Select > the Internal group you want to map it to > click ok
one group mapping is now created. Do exactly the same for the other AD group by creating another rule.
Please save the changes and your group mapping is now ready like the one in ACS 4.
to confirm if it is being used, try authenticating with a user in that AD group and see if the hit counts are increasing on the rule. -
Reassign endpoint identity group en masse in ISE
I imported a large number of endpoint identities and unfortunately some of them weren't correctly identified and I assigned them the wrong endpoint profile. The endpoints I need to move into another group all share a common OUI. Is it possible to move them all at once? I can't seem to find any way to do this.
Tom,
You can use the filter option in order to get the filter for the endpoints that are profiled incorrectly (perhaps the OUI you entered), check the select all option on the top left, and then export those endpoints. After you export the endpoints you can edit the group that you want to change them to, and then reimport this file back into ISE, this will change this back for you.
I just tested this in my setup and worked fairly well.
thanks,
Tarik Admani
*Please rate helpful posts* -
ISE 1.2 - cannot delete AD group
Hi all,
I have a standalone node, ISE 1.2, in our lab which is joined to the AD.
By accident I added an invalid AD group, and when I try to delete the group and "Save Configuration", the ISE responds:
"Error: One or more of the groups being deleted are referred to by Authorization Policy Conditions."
However I cannot find any references to this group among the authorization policy conditions - so how can I remove the group?
Kind regards,
LennartWalfors,
I know what you're saying. While deleting a newly added AD group. you're getting below listed error even though the group is not referred or called inside any rule or policy.
Error: One or more of the groups being deleted are referred to by Authorization Policy Conditions.
It seems like a cosmetic defect
CSCug13042 error message incorrectly indicating AD groups are mapped to a policy
~BR
Jatin Katyal
**Do rate helpful posts**
Maybe you are looking for
-
Data Mining - Scalar Mining Structure Column Data type error...
Hoping someone will have a solution for this error Errors in the metadata manager. The data type of the '~CaseDetail ~MG-Fact Voic~6' measure must be the same as its source data type. This is because the aggregate function is not set to count or dist
-
Hello community, I have an Excel Model that that i have been using fine on Excel 2010 64bit. It uses relatively large amounts of data from different sources via PowerPivot.(Circa 25 different tables, with different sql queries and results totallin
-
Deploying an Application with Managed Libraries
Hi, I am trying to deploy an Applicaition on Oracle App Server 10.1.3. I develop the application in Jdev 1013 in my JDeveloper descriptor, i edit the Properties - File Groups/Web-INF/lib - Filters, i deselect the Merged contents. Create a war file. A
-
Library file cannot be saved (-48)
Many people have posted regarding issues with the iTunes Library file not being able to be saved. Usually, they show error -50, and the solution seems to be deleting all podcasts or recreating the library file. I've got a slightly different error mes
-
Wont let me update anything and this website is useless!!!!!
i have upgrades and it wont let me upgrade them it starts to maybe transfere 0.1mb then cancels and says there is there was a roblem installing...... i have tried it with bbm whatsapp a few games and all the same ive tried it with 3 g and wifi. this