ISE 1.2 Multi-Portal Identity Group Mapping

Similar Messages

• ISE 1.1.1 - RegisteredDevices Identity Group

  Working on building a ISE 1.1.1 system to match our internal security policies, and have hit a dilemma. Here goes:
  The requirement states that there need to be differing network authorization profiles for different device types: Domain PCs, Non-Domain Workstations, iPads, and iPhone/Android Phones. Also, all (other than IP Phones and printers) endpoints must be self-registered by the user (My Devices workflow in CWA) who operates them so they appear in the My Device Portal.
  In the authorization rules, there appear to be no way to create a  authorization rule to match a "profiled workstation" AND a "registered  device".
  This is because within ISE, any endpoint that is "registered" joins the RegisteredDevices Identity Group, and is no longer a part of the configured indentity group created by the profiling system. For instance, a profiled Win7-Workstation is a member of the profiler-created Workstation IG until it is registered, then it becomes a member of the RegisteredDevices Identity Group.
  So basically, it appears ISE does not support per-devicetype(from profiler) authorization rules *while also* supporting device registration ("My Devices").
  Or am I missing something?

  Here is a screenshot of the rule in question:
  and here is the breakout of the Compound condition called WorkstationOSs, based on your recommendation:
  Without this compound condition, the authorization is matched. With it there, it is not matched, even though the endpoints are profiled as such.

• ISE 1.2: Remove unused Sponsor Group and Identity Group

  Hi
  I started with ISE 1.1.2 and now upgrade to 1.2.
  There are 1. Sponsor Groups and 2. Identity Groups which are no more in use, but I am not able to remove them anymore.
  1. One is a special Sponsor group which sponsor group policy I already removed. The I go to Aministration>Web Portal Management>Sponsor Groups and select the appropriate Group ans click delete and ok to confirm, the following error is displayed:
  com.cisco.cpm.nsf.api.exceptions.NSFEntityDeleteFailed: java.rmi.RemoteException: Failed to execute the Query : DELETE_USERONAPP ORA-02292: integrity constraint (CEPM.EDF_GST_SPGRPID_SUB) violated - child record found ; nested exception is: java.sql.SQLIntegrityConstraintViolationException: ORA-02292: integrity constraint (CEPM.EDF_GST_SPGRPID_SUB) violated - child record found
  2. The same happens with one Identity Group. I do not have it active anymore. Not in authentication, and not in authorization policy. I go to Administration>Identity Management>Groups>  and select te group to remove, and click "Delete selected" and confirm with ok, the following error occured:
  Cannot delete selected Identity Group(s) because there are resources which are mapped to these or its child identity group(s)
  Is there any reason for any of these issue?
  Many thanks

  Hi ,
  Please open service request with cisco. These kind of issues may happen when the dependencies are deleted from UI but there is a chance that some of the dependencies may not be deleted completely and are not visible from UI as well.  These kind of issues can be resolved under cisco guidance.
  Thanks,
  Naresh

• ISE 1.3 Identity Group

  Hello,
  in the old ISE 1.2 my guest users (created by the sponors portal) where put into a own created identity group called RU2_id_grp.
  How can I realize this on ISE 1.3. In ISE 1.3 the users fall always into the GuestType_Group which was created by the ISE.
  I need the sepearete groups for my authorization policy.
  Regards
  filip

  OK, then DESELECT the option above and do this:
  Navigate to Guest Access > Settings > Guest Locations and SSIDs.  Enter the locations to which your sponsors will assign guests:
  Remember to Save.
  Now to Guest Access > Configure > Sponsor Groups.  Click Create:
  Once you place your cursor in the text box for Select the locations that guests will be visiting, you will see the locations you created in the last step.
  Now assign the User Group to be associated with this Sponsor Group by clicking the Members... button:
  Click OK, then Save.
  This should do it for you.
  Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.  Otherwise, feel free to post follow-up questions.
  Charles Moreton

• ISE 1.2 AUP Multi-Portal Configuration

  Currently we have ISE 1.2 configured using a multi-portal configuration.  We use a guest portal for both Guest Access and for devices we consider non-compliant employee.  Guest users are authenticated against an inernal user database in ISE, and the company owned devices auth against AD.  If we login with a guest account that was created using the sponsor portal, we do not get the acceptable usage policy to check before getting access. If we login using the AD account, we do get the Acceptable Usage Policy to check before getting access.  It appears this is the same portal, so why do we not get it for both?

  for guest AUP configuration
  AUP for posture assesment config

• How to map Portal User groups to a MDM System?

  Hi,
  Have anyone tried mapping portal user group to a MDM System?
  The idea is to avoid each user to do user mapping for MDM of their own.
  When i look into the usermapping section of a portal user group, it shows me a message -
  "There are no systems available for user mapping for the selected principal"
  Thanks and best regards,
  Arun prabhu S

  Hi All,
  Got it!
  1. Create portal users,
  2. Create a portal user group,
  3. Assign Users to User group,
  4. Go to System Administration, edit permission of the MDM system, add the user group to the MDM system permission list and save
  5. Go to User Management, modify the user grooup, go to the User mapping of the user group and do mapping for MDM system and user group using a valid MDM User name and password and Save
  6. In User Management, modify the Portal role for MDM , add the user group to the role and save
  7. Edit permission of the role object, add the user group to the permission list and save
  Result:
  All the users assigned to the user group will be able to access MDM information on the portal correspond to the MDM mapping done at the user group level. This avoids self user mapping in personalization link.
  Best regards,
  Arun prabhu S

• Cisco ISE: How to match an endpoint belong to an identity group ?

  Hello,
  I am running Cisco ISE 1.1.4.218 in a standalone environment.
  I am trying to setup Compound Condition for Authorization.
  I would like the condition to match the MAC address of the calling machine to the internal endpoint MAC address list.
  I created 1 endpoint identity group and 2 children groups
  - GroupParent
       - ChildA
       - ChildB
  I put the MAC address of my machine in the group ChildA.
  In my condition, I tried the following:
  IdentityGroup:Name, Equals, ChildA
  IdentityGroup:Name, Equals, GroupParent:ChildA
  IdentityGroup:Name, Match, .*(ChildA).*
  I even tried to put the MAC address in the GroupParent level and tried to update the condition to be:
  IdentityGroupName, Equals, GroupParent
  IdentityGroupName, Match, .*(GroupParent).*
  But no one of these options worked.
  I am almost sure that in Cisco ISE 1.1.1, it was working fine. But I updated today to 1.1.4 and I cannot make it work.
  Can anyone help me ?
  Best regards,
  David

  You could try the following to match only the parent group
  IdentityGroup:Name EQUALS GroupParent
  You could try the following to match only child group A
  IdentityGroup:Name EQUALS GroupParent#ChildA
  You could try the following to match all child groups of GroupParent
  IdentityGroup:Name STARTS_WITH GroupParent
  Please rate if this helps

• ISE Endpoint Identity Group assignment for 802.1x clients

  Hello
  I'm using ISE 1.3 to 802.1x authenticate AD PC's (machine and user with Anyconnect NAM) and to profile/mab IP Phones, printers, APs etc.
  Phones are profiled (EndPointSource of SNMPQuery Probe) and are placed automatically in the correct Identity Group.
  AD PC's aren't profiled and are listed under Endpoints withthe Enpoint Profile of "unknown"
  To place AD PC's into a particular Identity Group, I created a Radius Profiling Policy to match on the Framed-IP-Address. This works well with the AD PC appearing in the correct Identity Group (with EndPointSource of RADIUS Probe).
  My questions are:
  A phone (profiled with EndPointSource of SNMPQuery Probe) consumes a Plus licence but an AD PC ("profiled" with EndPointSource of RADIUS Probe) does not - is this correct?
  Authenticated 802.1x AD PC's have other attributes (like AD-Host-Resolved-DNs) that I'd like to use to assign PC's to an Identity Group. I can't use these attributes with any of the ISE profilers - is there a way to assign an 802.1x authenticated client to an Identity Group at the authorisation stage rather than use the profiler?
  Thanks
  Andy

  Err, no. There is no provision in EAP-TLS, PEAP (CHAP), or even basic EAP to provide network information (eg IP address/mask/gateway/DNS/etc).
  There is also no provision in Windows 2k or XP interface management software to accept IP details for interface configuration via any wireless authentication protocol.
  peter

• ISE Identity Groups in AuthZ Policy

  So we all know we can leverage identity groups in authorization policy, can we leverage two of them ? I tried building a compound condition that uses an identity group (MAB) along with another identity group (User) and can not get the policy to hit..Thoughts?

  I doubt that, as far as i can tell with ISE, when you are being authenticated either by mab or by a user/pass with ex PEAP, your identity is established as either, not both, and the identity is what gets compared to identity groups.

• ISE Identity Group Assignment

  I need to avoid a large set of devices to get access to Internet through the Wireless Guest Service. I had made some test and know I can block a MAC address through the Policy Authorization (If Blacklist then DenyAccess).
  In order to blacklist a large set I would like to import the MAC list and include in the CSV the Identity Group Assignment. It appears it is not possible ... I can have an easy way to change the Identity Group Assignment instead of one by one?
  Regards.
  Daniel Escalante.        

  Additional Information and Question:
  Currently my Authorization Policy has this:
  The result is that any user trying to acesss the Guest Service can see the Guest Portal, introduce Credentials and if they are valid, the AUP is displayed, after that if the device is in the Blacklist, service is denied and the Guest Portal is displayed again, but any message about the situation is indicated to the user. I wonder if I can generate a message and even avoid the AUP if the device is in the blacklist.
  Any comment will be greatly appreciated.
  Regards.
  Daniel Escalante

• ISE Security Group Mapping download to ASA

  We are implementing Security Tags with an ASA and ISE.  We have generated the PAC and imported it into the ASA and they in sync.  The Security Groups are present in the ASA, but the IP to Security Group Mapping that was manually placed in ISE aren't downloaded.  We have configured the WLC as a speaker and these mappings are dynamically updated on the ASA.  Does the ASA need to additional configuration, ie does ISE need to be configured as a peer for the static mappings to be downloaded?
  Please advise,
  Joe

  Update:
  I am testing with a username and enable password to see if this makes a difference.  It appears it now tries to deploy and says it is Updated but I don't see anything in the ASA.  All the ISE Diagnostic tests result in an invalid enable password.  I am logging into the ASA with the same creds without issue.  I have attempted several times with a copy and paste but it won't validate.
  Any suggestions?
  Thanks,
  Joe

• How to map 2 AD groups into 2 different LOCAL Identity Groups in ACS5.2?

  hi guis!
  i want to map 2 groups from external AD to 2 internal groups. like it was in 4.x. can someone advise me how to do this?

  In order to map 2 different AD groups to 2 different local Identity groups we will need to do the following.
  Assuming that the ACS is already Joined to a domain for example csco.com
  1. we need to populate the concerned 2 AD groups in
  Users and Identity Stores > External Identity Stores > Active Directory > Directory Groups tab.
  To do this please follow the steps given in the following link "Selecting an AD Group"
  http://www.cisco.com/en/US/partner/docs/net_mgmt/cisco_secure_access_control_system/5.2/user/guide/users_id_stores.html#wp1140999
  Once we have the 2 groups populated in there we now need to create a Group mapping policy under the concerned Access Service to map each AD group to the internal group (Internal groups need to be created prior).
  1. Make sure group mapping policy option is enabled for the concerned Access Service.
  Access Policies > Select the Access Service > Edit
  Under General Tab > Policy Structure > Make sure "Group Mapping" is checked
  2. Configure group mapping under the Access Service. (Lets say the Access Service name is "Default Network Access")
  Access Policies > Default Network Access > check the Radio button "Rule based result selection"
  3. Configure a rule
  Click on Create > Conditions > Check Compound condition >
  In the Dictionary choose "AD-AD1"
  Attribute Select "ExternalGroups"
  Operator "Contains any"
  Value > click on select > you should see the the 2 groups of AD added previously > select one for which we making a group mapping
  click on add
  You should now see a rule in "Current Condition Set"
  In results section > Select > the Internal group you want to map it to > click ok
  one group mapping is now created. Do exactly the same for the other AD group by creating another rule.
  Please save the changes and your group mapping is now ready like the one in ACS 4.
  to confirm if it is being used, try authenticating with a user in that AD group and see if the hit counts are increasing on the rule.

• ISE 1.2 - Match Policy Set based on endpoint identity group?

  Hello, I would like to create a condition that would force MAB'd clients to hit a certain policy set if their MAC address matches one in an endpoint identity group? Is this possible? I feel like a condition can be created using a combination of attributes, but I cannot seem to hit on it properly. Thanks.

  The cleanest way to to this would be to dedicate:
  1. (Wired) A test switch where all of your test devices are connecting. You can then build a policy set that matches against that NAS.
  2. (Wireless) A test SSID and/or a controller (virtual or 2504). You can then build a policy set that is dedicated to that SSID 
  Thank you for rating helpful posts! 

• ISE 1.2 Guest portal user cannot change their passwords

  I have a WLC 5508(version 7.6) and a server installed  the ISE (version 1.2.1.198)，Now we configured the CWA，Use guest portal as an employee and guest login url，We can use the manually create internal user and password successfully logged in, and we set up allow guest users to change password in Multi-Portal, but the user can not change the password in the guest portal ,I suspect the change password option on the Guest  Portal actually works? Can anyone tell me how to change their own username password in the guest portal ?

  Requiring Guests to Change Password
  You can allow or require guest users to change their password after their initial account credentials are created by the sponsor. If guest users change their passwords, sponsors cannot provide guests with their login credentials if they are lost. The sponsor must create a new guest account.
  You can either allow guests to change their passwords, or you can require that they do it at expiration and at first login. To require internal users using a guest portal to change their password upon their next login, choose Administration > Identity Management > Identities > Users . Select the specific internal user from the Network Access Users list and enable the change password check box.
  Before You Begin
  Create a Guest portal or modify the DefaultGuestPortal. This setting is specific to each Guest portal.
  Step 1 Choose Administration > Web Portal Management > Settings > Guest > Multi-Portal Configuration.
  Step 2 Check the Guest portal to update and click Edit .
  Step 3 Click the Operations tab.
  Step 4 Check either or both options:
  Allow guest users to change password
  Require guest users to change password at expiration and first login
  Step 5 Click Save .

• ACS 5.3 Group Mapping based on AD group membership

  Hi,
  I am configuring a new ACS 5.3 system. Part of the rules is that I want to match the users specific AD group membership, and match appropriatly to an identity group.
  What i'm trying to do is say that if the user is a member of the AD Group (G-CRP-SEC-ENG) then associate them with the Identity Group SEC-ENG. The under the access service, authorization portion, i assign shell profiles and command sets based on Identity Group.
  It seems that the ACS server will not match the AD Group for the user, and it will match the Default of teh Group Mapping portion of the policy every time.
  I tried several configuration choices from : AD1:ExternalGroups contains any <string showing in AD>, AD1:memberOf <group>.
  Is there something special i need to do in the Group Mapping Policy to get it to match and active directory group and result in assigning the host to an Identity Group?
  Thank you,
  Sami

  Ok, my case is like this.
  I use ACS 5.3 for VPN authentication, using AD and an external RSA for token authentication (2 factor authentication)
  I didn't add all the VPN users in the ACS, because it will be troublesome, the users authentication will be managed by AD and RSA server.
  In some cases where we need to restrict a group of user to only access certain resources, downloadable ACL is used.
  Following the Cisco docs, i manage to get downloadable ACL works when the authorization profile matching criteria is username, but when i change the matching criteria to Identity group, the downloadable ACL won't work.
  I have a case with Cisco engineer now and still in the middle to sort things out.
  The advice from the Cisco engineer is to have the Access Service set to Internal User instead of RSA server, but that will require us(the admin) to import all the VPN users into the ACS database.
  Wondering whether there is a fix for this.
  Thanks.