ISE 1.3 Policy Set

We want to create a policy set that hits on an endpoint identity group. An endpoint identity group contains a bunch of MAC addresses, which we can't filter out with a RADIUS User-Name match (that works fine for a vendor hit).
Does anybody have an idea if this is possible?

You cannot create a "Policy Set" matching condition based on an endpoint identity group. You have to choose one of the available attributes. For instance, you can match against a NAD group or WLAN ID. Once inside the "Policy Set" you can create different authentication and authorization rules that can reference an endpoint group.
I hope this helps!

Similar Messages

  • Did Cisco ISE have limitation for policy setting?

    Dear All,
    Does anyone know about the Cisco ISE limitation on policy settings?
    Right now my setting for the Windows posture policy is around 200 Windows patch checks; does ISE have a limitation such as a maximum number of Windows patching policy lines?
    Thank you
    Best Regards

    Here is the answer to your first question.
    Cisco ISE profiler collects a significant amount of endpoint data from the network in a short period of time. It causes Java Virtual Machine (JVM) memory utilization to go up due to accumulated backlog when some of the slower Cisco ISE components process the data generated by the profiler, which results in performance degradation and stability issues.
    To ensure that the profiler does not increase the JVM memory utilization and prevent JVM to go out of memory and restart, limits are applied to the following internal components of the profiler:
    Endpoint Cache—Internal cache is limited in size that has to be purged periodically (based on least recently used strategy) when the size exceeds the limit.
    Forwarder—The main ingress queue of endpoint information collected by the profiler.
    Event Handler—An internal queue that disconnects a fast component, which feeds data to a slower processing component (typically related to a database query).
    For more information go through:
    http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_prof_pol.html#12624

  • ISE 1.2 - Match Policy Set based on endpoint identity group?

    Hello, I would like to create a condition that would force MAB'd clients to hit a certain policy set if their MAC address matches one in an endpoint identity group? Is this possible? I feel like a condition can be created using a combination of attributes, but I cannot seem to hit on it properly. Thanks.

    The cleanest way to do this would be to dedicate:
    1. (Wired) A test switch where all of your test devices are connecting. You can then build a policy set that matches against that NAS.
    2. (Wireless) A test SSID and/or a controller (virtual or 2504). You can then build a policy set that is dedicated to that SSID.

  • Windows 7 desktop locks after 10 minutes idle - Policy setting?

    Is there a policy setting to lock the desktop after a certain amount of idle time?  I can't seem to find one, and searches on the web only seem to uncover lock up issues with software, rather than security policy settings.
    Right now our Win 7 desktops lock after 10 minutes of inactivity (set by old IT staffer who is no longer here).  This is way too short and we need to change it.  However, I can't find where the setting is.  The screensaver is disabled and the power settings are set to maximum.  The only policy setting that looks like it could be what I'm looking for is "Microsoft network server: Amount of idle time required before suspending session", but that wasn't set to 10.  I went and set it to 0 anyway and the desktop still locks after 10 mins.
    Can someone point me in the right direction for this setting?
    Thanks!

    When you leave your computer, it's best to start a screensaver that can only be turned off with a password.
    On the Start menu, click Control Panel.
    Click Personalization, and then click Screen Saver.
    In the Wait box, choose 15 minutes (or less).
    Click "On resume, display logon screen", and then click OK.
    Just try the reverse; it may work! :)

  • How does one move Policy Sets & Policies from one server to another

    Is there a way to export Policy Set and Policy definitions from a development server and import into a production server?

    Not really, the only thing that you may be able to do is replicate the development server LiveCycle database (as this is where the policy set and policy information is stored) and use it for the production system. Remember all domains, users etc. would have to be the same between development and production as the policy sets and policies contain users.
    The safest thing to do would be to re-create the policy sets and policies (from scratch) on the Production server.
    Regards
    Steve

  • Users cannot access removable devices after you enable and then disable a Group Policy setting in Windows 7 64 Bit

    Users cannot access removable devices after you enable and then disable a Group Policy setting on Windows 7 64 bit machines.
    On the 32-bit machines I was able to apply this hotfix:
    http://support2.microsoft.com/kb/2738898
    But it will not install on 64 bit machines. 
    Is there a hotfix for 64 bit?  If not, what is the work around?
    Thanks!
    Robert

    Select "Show hotfixes for all platforms and languages", then download x64 hotfix:

  • Setting a loopback policy setting for Domain Controllers/Preventing IE from accessing externally

    Hello, we need to set a loopback policy for our domain controllers to ensure IE doesn't access externally. Is the loopback the best method, or do you all have recommendations?

    As far as I'm aware, there's not a good Group Policy setting to do this. 
    If I understand your question correctly, you wish to prevent external Internet browsing from your Domain Controllers, but everyone else (other servers and workstations) should have full access.
    If that's the case, I would recommend blocking port 80 for the Domain Controllers in your Firewall, as they (I hope) have static local IP addresses.
    If you know of a good Group Policy setting however, it would be best to set it in the Default Domain Controller Policy, as that will only affect the Domain Controllers.
    The "loopback" policy you're referring to is the "Configure user Group Policy loopback processing mode", which can be used to apply the computer configuration "instead of" or "merged with" the user configuration when a user logs on to computers where this policy applies. Since the computer configuration is normally applied before the user configuration, that can be used to force rules on computers regardless of who's logging in.

  • Question on a specific Group Policy setting for SCCM Updates

    Hello,
    This may not exactly be the correct forum for this question but in looking around I didn't come up with an immediate answer and was hoping someone else had this issue.
    I have a WSUS server and am moving over to SCCM for updates. I've actually had success in getting 2 sets of patches installed after some very frustrating days thanks to people here.
    I've noticed that when I switch workstations to my AD folder that has the SCCM Updates GPO instead of our standard WSUS GPO that we get Action Center errors "Set up Windows Update", "Windows Update is not set up". When we click the flag it tells us to "Choose an Update Option".
    In my new GPO I do have Configure Automatic Updates enabled for "Auto Download and notify for install" but we still get this warning. Is there a different setting that controls this action that anyone is aware of in their experience? I looked through the other settings but didn't see anything obvious.
    Thanks for any help!

    Hi Dustin,
    I'd read a number of different things trying to solve the problem. That article looked a little familiar but I re-read it carefully.
    I do have "specify intranet Microsoft Update service location" set to Not Configured as someone had correctly pointed me to that as the reason I was not getting updates.
    I did not have "Allow signed updates from an Intranet Microsoft update server" enabled so that should help some.
    "Configure Automatic Updates" was enabled because I, incorrectly, thought that's all that might be needed since I had to make sure I'd Not Configured the first setting.
    I had "Turn on Recommended Updates" Enabled so I put it back to Not Configured.
    I understand that turning things to Not Configured doesn't necessarily change any previous group policy settings so I may be getting some fallout from having a WSUS server on these systems before. I'd just like to avoid having to have everyone go into the Action Center and manually click to configure updates.
    I'll see if my one setting change has any effect.
    UPDATE: I forced a gpupdate and the red flag in the action center has not disappeared.

  • Insufficient privileges with nm-applet but polkit policy set

    Hi folks, I'm not running gnome but do run gnome-settings-daemon along with the sawfish window manager. My problem is that nm-applet tells me "insufficient privileges" whenever I select a wireless network. So I've been reading up on it and found that the culprit is probably polkit-1. After setting
    <allow_any>yes</allow_any>
    <allow_active>yes</allow_active>
    <allow_inactive>yes</allow_inactive>
    for all entries in /usr/share/polkit-1/actions/org.freedesktop.NetworkManager.policy I was hoping this would solve the problem but it hasn't. I still get the same error. So maybe it's not policykit related? How do I find out?
    Last edited by fetchinson (2012-10-19 14:17:09)


  • Java.policy setting

    Hi,
    I am writing a web-based application using applets and need to contact a MySQL database.
    I am getting Access Denied exception.
    In my java.policy file I added the following lines:
    grant codeBase "http://mywebpage/" {
        permission java.security.AllPermission;
    };
    I am still getting the following exception. Any help will be greatly appreciated since I have a demo tomorrow. (Is there any way to configure the java.policy or java.security file to allow the jar that contains my applet (dvt.jar) to access the underlying database?)
    Is there some place I need to specify explicitly where to find this java.policy file?
    Platform is UNIX.
    Thx
    Karthik
    Unable to connect to any hosts due to exception: java.security.AccessControlException: access denied (java.net.SocketPermission 127.0.0.1:3306 connect,resolve)
    ** BEGIN NESTED EXCEPTION **
    java.security.AccessControlException
    MESSAGE: access denied (java.net.SocketPermission 127.0.0.1:3306 connect,resolve)
    STACKTRACE:
    java.security.AccessControlException: access denied (java.net.SocketPermission 127.0.0.1:3306 connect,resolve)
        at java.security.AccessControlContext.checkPermission(Unknown Source)
        at java.security.AccessController.checkPermission(Unknown Source)
        at java.lang.SecurityManager.checkPermission(Unknown Source)
        at java.lang.SecurityManager.checkConnect(Unknown Source)
        at java.net.Socket.connect(Unknown Source)
        at java.net.Socket.connect(Unknown Source)
        at java.net.Socket.<init>(Unknown Source)
        at java.net.Socket.<init>(Unknown Source)
        at com.mysql.jdbc.StandardSocketFactory.connect(StandardSocketFactory.java:124)
        at com.mysql.jdbc.MysqlIO.<init>(MysqlIO.java:225)
        at com.mysql.jdbc.Connection.createNewIO(Connection.java:1783)
        at com.mysql.jdbc.Connection.<init>(Connection.java:450)
        at com.mysql.jdbc.NonRegisteringDriver.connect(NonRegisteringDriver.java:411)
        at java.sql.DriverManager.getConnection(Unknown Source)
        at java.sql.DriverManager.getConnection(Unknown Source)
        at vdt.VdtModuleApplet.getConnection(VdtModuleApplet.java:444)
        at vdt.VdtModuleApplet.init(VdtModuleApplet.java:105)
        at sun.applet.AppletPanel.run(Unknown Source)
        at java.lang.Thread.run(Unknown Source)
    ** END NESTED EXCEPTION **
    System = Inited, gotParameters, init properties
    Getting Connection

    Hi Folks, I am also facing the same kind of problem... when I am trying to open Notepad by clicking on the New option of my Frame's menu, I am getting the message "Access Denied"... some permission problem is there... Please help me in directing about setting the policies...
    https://www.support.storagetek.com/LibraryAdminHelp/lsa/setting_up_java_policy_permissions.htm
    http://www.exciton.cs.rice.edu/JavaResources/security/policy.htm
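    The grant posted in the question above cannot match dvt.jar, and it hands the applet every permission when the stack trace shows it needs exactly one. The following policy file is an added example for this thread, not the poster's file or anything from the thread; it assumes the JAR is served as http://mywebpage/dvt.jar and that MySQL listens on 127.0.0.1:3306 on the machine running the applet (both taken from the posted URL and stack trace, not confirmed):

```java
// ~/.java.policy  -- added example, not the original poster's file.
// Grant the applet JAR only the permission the AccessControlException
// reported as missing, instead of java.security.AllPermission.
//
// Assumptions (from the thread, not confirmed): the applet is served as
// http://mywebpage/dvt.jar and MySQL listens on 127.0.0.1:3306 on the
// client machine that runs the applet.
//
// A codeBase ending in "/" matches only loose .class files in that
// directory, never a JAR, so the posted "http://mywebpage/" never applied
// to dvt.jar.  Naming the JAR keeps the grant as narrow as possible
// ("http://mywebpage/*" would also match class files and JARs there,
// "http://mywebpage/-" everything below it).
grant codeBase "http://mywebpage/dvt.jar" {
    // exactly what the exception asked for: connect+resolve to the DB port
    permission java.net.SocketPermission "127.0.0.1:3306", "connect,resolve";
};
```

    The JVM reads ${user.home}/.java.policy by default (policy.url.2 in java.security), so for the browser plugin this file belongs in the home directory of the user running the browser; for appletviewer it can also be given explicitly with appletviewer -J-Djava.security.policy=/path/to/file (path assumed). Note that the applet runs on the client, so 127.0.0.1 here is the browser's host, not the web server's; if the database lives on the web server, the grant (and the JDBC URL) must name that host instead.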

  • Jini security policy setting

    hi,
    I am getting this exception in Jini. Please give me a solution. What steps are required to solve this problem? How do I set ExecOptionPermission in the existing policy?
    rmid: (WARNING) restart service throws:
    java.security.AccessControlException: access denied (com.sun.rmi.rmid.ExecOptionPermission -Djava.security.policy=c:\policy)
    at sun.rmi.server.Activation$DefaultExecPolicy.checkPermission(Activation.java:1857)
    at sun.rmi.server.Activation$DefaultExecPolicy.checkExecCommand(Activation.java:1747)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at sun.rmi.server.Activation.checkArgs(Activation.java:1369)
    at sun.rmi.server.Activation.access$400(Activation.java:118)
    at sun.rmi.server.Activation$GroupEntry.getInstantiator(Activation.java:1166)
    at sun.rmi.server.Activation$GroupEntry.activate(Activation.java:1090)
    at sun.rmi.server.Activation$GroupEntry.restartServices(Activation.java:800)
    at sun.rmi.server.Activation.init(Activation.java:251)
    at sun.rmi.server.Activation.startActivation(Activation.java:202)
    at sun.rmi.server.Activation.main(Activation.java:2040)
    rmid: (WARNING) restart service throws:
    java.security.AccessControlException: access denied (com.sun.rmi.rmid.ExecOptionPermission -Djava.security.policy=c:\policy.all)
    at sun.rmi.server.Activation$DefaultExecPolicy.checkPermission(Activation.java:1857)
    at sun.rmi.server.Activation$DefaultExecPolicy.checkExecCommand(Activation.java:1747)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at sun.rmi.server.Activation.checkArgs(Activation.java:1369)
    at sun.rmi.server.Activation.access$400(Activation.java:118)
    at sun.rmi.server.Activation$GroupEntry.getInstantiator(Activation.java:1166)
    at sun.rmi.server.Activation$GroupEntry.activate(Activation.java:1090)
    at sun.rmi.server.Activation$GroupEntry.restartServices(Activation.java:800)
    at sun.rmi.server.Activation.init(Activation.java:251)
    at sun.rmi.server.Activation.startActivation(Activation.java:202)
    at sun.rmi.server.Activation.main(Activation.java:2040)

    That looks suspicious; it should be something like
    file://E/abc/policy
    or something like that, but with no ":" after "file".
    policy.url.3=file:/E:/abc/policy
    For testing purposes, just put the policy file in a convenient place, one you know how to get to, e.g. the root:
    file=/policy
    I'm not familiar with appletviewer, but the switch for the policy file is usually something like
    -Djava.security.policy=/policy
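    The two AccessControlExceptions in the question above name the exact command-line options rmid refused to pass to the activation group's JVM, so the fix is a security policy for rmid itself that permits those options and nothing broader. The file below is an added example, not something from the thread; the file name rmid.policy and its location are assumptions:

```java
// rmid.policy  -- added example, not the original poster's file.
// rmid's default execPolicy rejects any -D option requested for an
// activation group unless rmid's own policy grants an ExecOptionPermission
// for it.  The exceptions above were raised for two values of
// -Djava.security.policy, so permit exactly those two.
//
// Backslashes inside a policy-file string must be doubled, so the Windows
// paths c:\policy and c:\policy.all are written as c:\\policy and
// c:\\policy.all.
grant {
    permission com.sun.rmi.rmid.ExecOptionPermission "-Djava.security.policy=c:\\policy";
    permission com.sun.rmi.rmid.ExecOptionPermission "-Djava.security.policy=c:\\policy.all";
};
```

    Start rmid with this file as its own policy: rmid -J-Djava.security.policy=rmid.policy (the -J prefix hands the option to rmid's JVM rather than to an activation group). rmid also accepts -J-Dsun.rmi.activation.execPolicy=none, which switches the check off entirely; that lets any registered activation group descriptor start a JVM with arbitrary command-line options under rmid's account, so keep it out of anything but a throwaway lab. A wildcard such as "-Djava.security.policy=*" is accepted too, but then a group can point its JVM at any policy file it likes.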

  • Windows 2012 R2 default domain controllers policy set to enforced

    Hi Guys,
    So I've migrated my domain from Windows 2003 R2 over to Windows 2012 R2 and so far everything is running ok. Had a few problems relating to orphaned DCs but have cleared this up now. However, I'm now trying to get to grips with using group policy. When I migrated, the old policy settings seemed to have come across and things seem to be still locked down ok, in relation to certain OUs. I run a network at our local college so I have a student container which applies a lock-down policy. All these GPOs were previously set up by someone else.
    I set up a test network at home before I did the said migration and am now comparing some group policy settings, namely the default ones, and I have noticed that the Default Domain Controllers Policy has been set to enforced on my newly migrated domain. At home on my test server I see it is not enforced by default and am wondering why this is? I have been reading up but I can't find anything that tells me it should be enforced, but I'm wary of disabling this setting. The students return on Monday so I don't want to mess it up at this stage.
    One thing that I did find odd is when I first opened up the GPOs, I was prompted with a message which stated that the policies in the SYSVOL folder were not consistent with the ones in AD, so I followed its recommendation to update.
    Any advice you guys have on this would be greatly appreciated.
    David

    > So I've migrated my domain from Windows 2003 R2 over to Windows 2012 R2
    > and so far everything is running ok.
    This does NOT touch any GPOs, so your GPOs are not "migrated" or
    something like that - they are still what they were before.
    > enforced on my newly migrated domain. At home on my test server i see it
    > is not enforced by default and am wondering why this is?
    "A severe misunderstanding of how group policy inheritance and link order
    works" is the closest reason I see for this. The DDCP is linked to
    "Domain Controllers", and as long as you do not create subordinate OUs
    there (which I've never seen) and block inheritance on them, there's no
    reason to enforce.
    To add my experience from the field: When I see enforced GPOs, in most
    cases this enforcement is not required. People simply use it because
    they do not understand "link order".
    > One thing that i did find odd is when i first opened up the GPO's, i was
    > prompted with a message which stated that the policies in the sysvol
    > folder where not consistent with the ones in AD so i followed its
    > recommendation to update.
    That's fairly ok and nothing to hassle about.
    Martin

  • How to access a domain server which is targeted by Group Policy set to block Inbound and Outbound connections

    Hi,
    I have a practice lab with two physical 2012 R2 servers; one of them is a Hyper-V host and one of the VMs is a domain controller. I was doing some exercises with firewall rule deployment through Group Policy, so I created an outbound rule to block port 80 which was targeted to Domain Computers. Now my other physical server has inbound and outbound connections set to block and the domain controller cannot be contacted to update policy (with the rule removed). At least that is my understanding. Maybe I messed up something with the profiles too, because port 80 would not have blocked all outbound traffic, or?
    I am new to IT so my understanding is still poor.
    Best
    Robert

    Hi Robert,
    If we block inbound connections, all connections that do not have firewall rules that explicitly allow the connection will be blocked.
    If we block outbound connections, all connections that do not have firewall rules that explicitly allow the connection will be blocked.
    If we block outbound TCP port 80, it will mean all websites will be unreachable, for TCP port 80 is for HTTP.
    Regarding Windows firewall security settings, the following article can be referred to for more information.
    Windows Firewall with Advanced Security Properties Page
    http://technet.microsoft.com/en-us/library/cc753002.aspx
    Best regards,
    Frank Shen

  • Little Problem with Policy Setting in EM 11g

    Hi all !!
    I want to revoke some privileges such as UTL_HTTP and UTL_FILE for database security.
    But I don't know if I can revoke the above privileges by disabling them in the Policy Rule Setting in EM 11g instead of using SQL*Plus?
    Regards

    I've disabled some Policy rules (Execute Privileges on UTL_FILE) in EM 11g. I just wonder if I also need to revoke it from PUBLIC by using SQL*Plus:
    SQL> REVOKE EXECUTE ON utl_file FROM PUBLIC;

  • User gets locked in lesser attempts than security policy setting

    Hi
    I have written my customized login code to log a user in to the
    portal and I use the following code:
    IUser myUser = UMFactory.getUserFactory().getUserByLogonAlias(username, null);
    IUserAccountFactory accountFactory = UMFactory.getUserAccountFactory();
    IUserAccount account = accountFactory.getUserAccountByLogonId(myUser.getUniqueName());
    ILogonAuthentication ILA = UMFactory.getLogonAuthenticator();
    req.setAttribute(JUSER,myUser.getUniqueName());
    req.setAttribute(JPASSWORD,password);
    ILA.logon(req,res,AUTHSCHDEFAULT);     
    I notice that whenever I try to log on using my code with a wrong password, the user gets locked after 3 attempts even though the security policy (at ABAP and in Portal UME Configuration) setting for the number of failed attempts is set to 5.
    (Although, please note that my code works fine logging the
    user into the portal when he enters the correct password)
    I try to check if the same thing happens with the standard logon module - com.sap.portals.runtime.logon,
    and notice that it locks correctly after 5 attempts.
    Would I have to add anything else in my code to make it work
    correctly?
    Thanks
    oj

    Hi All
    I tried to check in the CUA table the incorrect logon attempts value, and noticed that for every time I login (using my above code) with the wrong password, it increments the count by 2!! And that's the reason it gets locked out by the third time.
    What am I doing wrong?
    Thanks
    OJ
