ISE and LDAP Integration
Hello,
I have a question about the LDAP integration with the ISE:
Since the ISE has a limitation of reading only 100 groups, I cannot find the groups that I need to use in the authorization, and also the ISE cannot find a group if I search for it directly.
What I mean here is that I can fetch the first 100 groups from the top of the directory, but when I search, for example, for any group (whether it appears on the list or not), the ISE does not find it.
I even tried to change the base DN and the search DN, but without luck.
The ISE version is 1.1.4 installed on VM and the LDAP schema is AD.
Is there any missing information/tips required in such integration?
Hello,
I found a Cisco doc that provides a resolution: Key Features of Integration of Cisco ISE and LDAP. I hope this helps!
This section contains the following:
• Directory Service
• Multiple LDAP Instances
• Failover
• LDAP Connection Management
• User Authentication
• Authentication Using LDAP
• Binding Errors
• User Lookup
• MAC Address Lookup
• Group Membership Information Retrieval
• Attributes Retrieval
• Certificate Retrieval
http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_man_id_stores.html#wp1059913
Similar Messages
-
Hello All,
Can anyone tell me what are all the prerequisites when integrating ISE with AD..?
Thanks in advance.
Hi Prasan,
Before you connect your ISE server with the Active Directory domain, you must check the following:
• Ensure that Cisco ISE hostnames are only 15 characters or less in length. Active Directory does not validate hostnames larger than 15 characters, which can cause a problem if you have multiple ISE hosts in your deployment whose hostnames are identical through the first 15 characters and only distinguished from one another by trailing digits or other identifiers.
• Ensure that your ISE server and Active Directory are time synchronized. Time in the ISE is set according to the Network Time Protocol (NTP) server. It is recommended that you use the NTP to synchronize time between the ISE and Active Directory. For more information on NTP server settings, see the "System Time and NTP Server Settings" section.
Refer to the Cisco Identity Services Engine CLI Reference Guide, Release 1.1 for information on how to configure the NTP server settings from the CLI.
• If there is a firewall between ISE and Active Directory, certain ports need to be opened to allow ISE to communicate with Active Directory. Ensure that the following default ports are open:

Protocol         Port Number
LDAP             389 (UDP)
SMB (1)          445 (TCP)
KDC (2)          88 (TCP)
Global Catalog   3268 (TCP), 3269
KPASS            464 (TCP)
NTP              123 (UDP)
LDAP             389 (TCP)
LDAPS (3)        636 (TCP)

(1) SMB = Server Message Block
(2) KDC = Kerberos Key Distribution Center
(3) LDAPS = Lightweight Directory Access Protocol over TLS/SSL

• The Active Directory username that you provide while joining an Active Directory domain should be predefined in Active Directory and should have permission to create and update computer account objects and change passwords in the domain you are joining.
• Ensure that your Microsoft Active Directory server does not reside behind a network address translator and does not have a Network Address Translation (NAT) address.
Supported document:
http://www.cisco.com/en/US/docs/security/ise/1.1/user_guide/ise_man_id_stores.html#wp1059011
Jatin Katyal
- Do rate helpful posts - -
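As an added example (not from the post above or from Cisco), a pre-flight script that applies two of the checks just listed: the 15-character hostname rule, including the collision case where several nodes share the same first 15 characters, and a TCP reachability probe for the ports in the table. The node names in the script are constructed samples; the port table is transcribed from the list above.

```python
import socket
import sys
from collections import defaultdict

# Port table transcribed from the prerequisite list above; the tuple layout
# itself is constructed for this script, not a Cisco data format.
REQUIRED_PORTS = (
    ("LDAP", 389, "udp"),
    ("LDAP", 389, "tcp"),
    ("LDAPS", 636, "tcp"),
    ("SMB", 445, "tcp"),
    ("KDC", 88, "tcp"),
    ("Global Catalog", 3268, "tcp"),
    ("Global Catalog", 3269, "tcp"),
    ("KPASS", 464, "tcp"),
    ("NTP", 123, "udp"),
)

# Active Directory only distinguishes hostnames by their first 15 characters.
NETBIOS_NAME_LEN = 15


def check_hostnames(hostnames):
    """Apply the 15-character hostname rule to a list of ISE node names.

    Returns (too_long, collisions): the names longer than 15 characters, and a
    dict mapping each 15-character prefix shared by several nodes to the full
    names that AD would be unable to tell apart. The comparison is
    case-insensitive because AD computer names are.
    """
    too_long = [h for h in hostnames if len(h) > NETBIOS_NAME_LEN]
    by_prefix = defaultdict(list)
    for h in hostnames:
        by_prefix[h[:NETBIOS_NAME_LEN].lower()].append(h)
    collisions = {p: names for p, names in by_prefix.items() if len(names) > 1}
    return too_long, collisions


def probe_tcp(host, port, timeout=2.0):
    """True if a TCP handshake to host:port completes within the timeout.

    A refused or filtered port returns False. UDP services (NTP, LDAP/UDP)
    cannot be verified with a connect and are left to a packet capture.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def firewall_report(dc_host, timeout=2.0):
    """Probe every TCP entry of REQUIRED_PORTS against one domain controller."""
    return [
        (service, port, probe_tcp(dc_host, port, timeout))
        for service, port, proto in REQUIRED_PORTS
        if proto == "tcp"
    ]


if __name__ == "__main__":
    # Usage: python ad_join_precheck.py <dc-host> <ise-hostname> [<ise-hostname> ...]
    dc = sys.argv[1] if len(sys.argv) > 1 else None
    # Constructed sample: two PSNs that differ only after character 15.
    nodes = sys.argv[2:] or ["ise-psn-datacenter-01", "ise-psn-datacenter-02"]
    too_long, collisions = check_hostnames(nodes)
    for name in too_long:
        print(f"WARN hostname {name!r} is {len(name)} characters; AD uses only the first 15")
    for prefix, names in collisions.items():
        print(f"FAIL nodes {names} collapse to the same AD name {prefix!r}")
    if dc:
        for service, port, ok in firewall_report(dc):
            print(f"{'ok  ' if ok else 'FAIL'} {service:<15} {port}/tcp")
```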
Ask the Expert: Cisco BYOD Wireless Solution: ISE and WLC Integration
With Jacob Ideji, Richard Hamby and Raphael Ohaemenyi
Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about the new Identity Solutions Engine (ISE) and Wireless LAN Controller (WLC) hardware/software, integration, features, specifications, client details, or just questions about Cisco's Bring-your-own device (BYOD) solution with Cisco experts Richard Hamby, Jacob Ideji, and Raphael Ohaemenyi. The interest in BYOD (Bring Your Own Device) solutions in the enterprise has grown exponentially as guests and company users increasingly desire to use personal devices to access. Cisco BYOD enhances user experience and productivity while providing security, ease-of-administration, and performance. The heart of the Cisco wireless BYOD solution is Identity Solutions Engine (ISE) utilizing the Cisco Unified Wireless portfolio. Starting with ISE v1.1.1MR and WLC (Wireless LAN Controller) code v7.2.110.0 and higher, end-to-end wireless BYOD integration is reality.
Jacob Ideji is the technical team lead in the Cisco authentication, authorization and accounting (AAA) security team in Richardson, Texas. During his four years of experience at Cisco he has worked with Cisco VPN products, Cisco Network Admission Control (NAC) Appliance, Cisco Secure Access Control Server, and Dot1x technology as well as the current Cisco Identity Services Engine. He has a total of more than 12 years experience in the networking industry. Ideji holds CCNA, CCNP, CCSP, CCDA, CCDP, and CISM certifications from Cisco plus other industry certifications.
Richard Hamby works on the Cisco BYOD Plan, Design, Implement (PDI) Help Desk for Borderless Networks, where he is the subject matter expert on wireless, supporting partners in the deployment of Cisco Unified Wireless and Identity Services Engine solutions. Prior to his current position, Hamby was a customer support engineer with the Cisco Technical Assistance Center for 3 years on the authentication, authorization, accounting (AAA) and wireless technology teams.
Raphael Ohaemenyi is a customer support engineer with the authentication, authorization and accounting (AAA) team in the Technical Assistance Center in Richardson, Texas, where he supports Cisco customers in identity management technologies. His areas of expertise include Cisco Access Control Server, Cisco Network Admission Control (NAC) Appliance, Cisco Identity Services Engine, and IEEE 802.1X technologies. He has been at Cisco for more than 2 years and has worked in the networking industry for 8 years. He holds CCNP, CCDP, and CCSP certification.
Remember to use the rating system to let Jacob, Richard and Raphael know if you have received an adequate response.
Jacob, Richard and Raphael might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the wireless mobility sub community forum shortly after the event. This event lasts through Oct 5th, 2012. Visit this forum often to view responses to your questions and the questions of other community members.
OOPS!!
I will repost the whole message with the correct external URLs:
In general, the TrustSec design and deployment guides address the specific support for the various features of the 'whole' Cisco TS (and other security) solution frameworks, and then drill down (usually the proper links are embedded) to the specific feature, and then that feature on a given device. TS 2.1 defines the use of ISE or ACS5 as the policy server, and configuration examples for the platforms will include and refer to them.
TrustSec Home Page
http://www.cisco.com/en/US/netsol/ns1051/index.html
http://www.cisco.com/en/US/solutions/collateral/ns170/ns896/ns1051/product_bulletin_c25-712066.html
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5712/ps11637/ps11195/at_a_glance_c45-654884.pdf
I find this page very helpful as a top-level start to what features and capabilities exist per device:
http://www.cisco.com/en/US/solutions/ns170/ns896/ns1051/trustsec_matrix.html
The TS 2.1 Design Guides
http://www.cisco.com/en/US/solutions/ns340/ns414/ns742/ns744/landing_DesignZone_TrustSec.html
DesignZone has some updated docs as well
http://www.cisco.com/en/US/netsol/ns982/networking_solutions_program_home.html#~bng
As the SGT functionality (at this point) is really more of a router/LAN/client solution, the most detailed information will be in the IOS TS guides like :
http://www.cisco.com/en/US/docs/switches/datacenter/sw/6_x/nx-os/security/configuration/guide/b_Cisco_Nexus_7000_NX-OS_Security_Configuration_Guide__Release_6.x.html
http://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_cts/configuration/xe-3s/asr1000/sec-usr-cts-xe-3s-asr1000-book.html
http://www.cisco.com/en/US/docs/switches/lan/trustsec/configuration/guide/trustsec.html -
Cisco ISE and SecurID Integration Questions
I'm looking for some clarity trying to understand something conceptually. I want to integrate Cisco ISE with RSA SecurID, the idea being that if the user authenticates with RSA SecurID they end up on one VLAN, however, if they don't authenticate with (or don't use, or don't have) SecurID they'll end up on another VLAN. Note that I'm not using SecurID for wireless access...all PCs are wired to Ethernet.
We have been using RSA SecurID for a while and are currently on version 8.0. Our users are authenticating via the RSA Agent typically on Windows 8.1. Instead of the usual Windows login prompt, the RSA Agent first prompts for the username and passcode (they use an app on their smartphones to get the passcode), then after a moment or two, it prompts for their Windows domain password.
We have recently installed Cisco ISE version 1.3. With the help of a local Cisco engineer and going through the "Cisco Identity Services Engine User Guide", I have it set up and running along with a few 'test' ports on our Cisco 6809 switch, it basically works...as a test it's simply set up that if they authenticate they're on one VLAN, if not, they end up on another (this is currently without using RSA...just out-of-the-box Windows authentication).
The Cisco engineer was unable to help me with RSA SecurID, so pressing on without him, out of the same user guide I have followed the directions for "RSA Identity Sources" under the "Managing Users and External Identity Sources", and that went well as far as ISE is concerned; I am now ready to get serious about getting ISE and SecurID working together.
My mistake in this design so far was assuming that the RSA agent on the Windows client PCs would communicate with Cisco ISE...there doesn't seem to be a way to have them point to a non-RSA SecurID server for authentication. The concept I'm missing is what, or how, the end-user machine is supposed to authenticate taking advantage of both ISE and SecurID.
I have dug deeper into the Cisco ISE documentation but it seems heavily biased towards Wi-Fi and BYOD implementations and it's not clear to me what applies to wired vs wireless. Perhaps it's a case that I'm not seeing the forest for the trees, but I'm not understanding what the end-user authentication looks like. It appears that as I learn more about ISE, it should become the primary SSO source, that SecurID becomes just an identity source and the PC clients would no longer directly communicate with the SecurID servers. That being the case, do I need to replace the SecurID client on the PCs and something else Cisco-ish fills this role? An agent for ISE? How do they continue to use their passcode without the RSA agent?
Thanks!
The "external DB not operational" error indicates that there is no communication between ACS and RSA. Did you fetch the package.cab file to analyse the auth.log file?
Have you already gone through the below listed link?
http://www.security-solutions.co.za/cisco-CSACS-1113-SE-4.2-RSA-Authentication-Manager-Integration-Configuration-Example.html
Regards,
Jatin Katyal
- Do rate helpful posts - -
Dear All,
What are the configuration required on ISE to integrate with Prime 1.3.0.20?
On PI side, I have added ISE in the below path
Design-> External Management Servers -> ISE Servers.
Apart from this anything else to be done on PI..?
Thanks in advance.
The stuff to do on the ISE is to set it up as a RADIUS server for your client authentication. When ISE acts as a RADIUS server, Prime Infrastructure collects additional information about these clients from Cisco ISE and makes all client-relevant information visible in a single console on PI.
The point to remember is that PI is a management solution for wired and wireless clients, while ISE acts as ACS and NAC combined. Recall that ACS on its own could not do posture validation without NAC.
Cheers -
Hi,
One of the major concerns regarding security solutions is the way they interact. ISE specifically, is compatible with most of the SIEMs available today, as stated by Cisco (http://www.cisco.com/en/US/prod/vpndevc/ecosystem.html).
In my particular case, I want to integrate ISE with ArcSight.
For ArcSight to correctly parse the syslog messages that ISE sends, you have to install/configure an ISE smartconnector.
What I'm missing though is how ArcSight instructs ISE to take specific actions on users/devices that are involved in a network attack.
Please check: http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5712/ps11640/at_a_glance_c45-728401.pdf
SIEM/TD partners may utilize ISE as a conduit for taking mitigation actions within the Cisco network infrastructure. SIEM/TD platforms can instruct ISE to undertake quarantine or access-block actions on users and/or device based on ISE policies that have been defined for such actions.
Thanks!
Octavian
There are no such docs available yet for ArcSight integration with ISE. I also found only these two links:
http://www.cisco.com/c/dam/en/us/products/collateral/security/identity-services-engine/at_a_glance_c45-728401.pdf
http://www.cisco.com/c/dam/en/us/solutions/enterprise-networks/context-aware-mobility-solution/profile_arcsight_c07-538803.pdf -
EP60 and LDAP integration with Microsoft AD - Issues
Hello,
We have configured EP6 SP11 and Microsoft AD for the user authentication as below.
MsAD:
AD_Compass_Domain
  OU=Accounts
    OU=CORPORATE
      OU=IT
        User1 (user master record)
        User2 (user master record)
      OU=FI
        User3 (user master record)
  OU=SAP_Portal
    OU=Corp_LDAP
      OU=Groups
        SAP_Portal (group object; User1, User2 and User3 from the different OUs are members of this group as links)
      OU=Users
EP6 LDAP config:
Data Sources: Microsoft ADS (Flat Hierarchy) + Database
(We also tried Deep hierarchy; it didn't work.)
LDAP Server:
User Path : OU=SAP_Portal,DC=NA,DC=CompassDev,DC=Corp
Group Path :
OU=Groups,OU=Corp_LDAP,OU=SAP_Portal,DC=NA,DC=CompassDev,DC=Corp
The issues:
1- SAP Portal could not see the group object when I browse the LDAP from the portal.
2- SAP Portal is not allowing users (User1, User2, User3 etc., which are members of the group object) to log in to the portal unless I put the users directly under the OU level like OU=Groups, or if I point the path to the OU=Accounts level, which we do not want to do because we have 50,000 users defined under OU=Accounts and we want just some of them, like 3000 users. The portal gives the message
user authentication failed
Note: I checked the UME and I don't see the users listed in the group objects. Group object "SAP_Portal" is a Universal Group object. (We also tried the global type.)
3- When we put users directly under the OU level, then users can log in but they are not able to change their password. We also cannot change the user passwords through the Portal admin tools (UME or Visual Admin). I have heard that without SSL, MsAD would not allow portal users to change their password.
a. (Portal internal user, [email protected], has only read access on MsAD)
Note: We use 3268 as the AD port and 389 is also active; I tried both of them but no chance.
Thanks for your help in advance.
Sasikanth,
Usually before you switch UME to AD, you would read it with an LDAP web compliant browser, to check if you could access your OU, Group, and Users. Are you sure you can read the complete LDAP structure on AD?
Kindly re-check the process, to see if you missed out on any steps.
http://help.sap.com/saphelp_erp2004/helpdata/en/cc/cdd93f130f9115e10000000a155106/frameset.htm
Check note 772620 - UME 4.0: Create Groups on Microsoft Active Directory Server
Regards,
James -
ISE and SMS integration, how to configure
Hello folks,
I wonder what I have to do in ISE to enable it to send an SMS when activating a new guest account. I believe there must be a corresponding setting somewhere to configure the SMS gateway, but I see it neither under Web Portal Management nor under Global system settings.
This issue has not been resolved (the %mobilenumber% variable is not inserted into the address %mobilenumber%@domain.net).
We opened a case on this issue, but it is not yet resolved.
But support is working in this direction; they have already fixed the problems with subdomains (@sms.domain.net) and the restriction on the number of characters after the @ symbol.
We have worked around this issue as follows: all notifications are sent to the corporate e-mail server, Microsoft Exchange Server, where a rule is configured to process messages sent via the e-mail/SMS gateway (based on the *Destination field in the "Configure SMS Text Notification" template). According to this rule, Microsoft Exchange sends these messages to another server that is running the regular "Microsoft SMTP Service" (for receiving and storing messages in a local folder). The same connector is configured to send messages for @sms.domain.net back to the Microsoft Exchange mail server. The scheduler is configured to launch a PowerShell script that "cuts" the %mobilenumber% variable (which was previously defined in the "Configure SMS Text Notification" template) from the body of the message and inserts it into the address %mobilenumber%@sms.domain.net.
When the problem is resolved, this server will not be used/needed, and SMS message will be forwarded directly to the gateway e-mail/SMS or in SMSC.
Sincerely,
Andrey -
CQ5.5 and ldap integration/synchronization
Hi,
I have been trying to integrate ldap with CQ5.5 on Win7 machine. Following are the steps I have taken:
1. Installed cq-service-pack-5.5.2.20121012.zip
2. Installed cq-update-pkg-5.5.10.zip
1. Created F:/installed/cq5/author/crx-quickstart/conf/ldap_login.conf file with following content:
com.day.crx {
com.day.crx.core.CRXLoginModule optional
tokenExpiration="1800000";
com.day.crx.security.ldap.LDAPLoginModule required
principal_provider.class="com.day.crx.security.ldap.principals.LDAPPrincipalProvider"
tokenExpiration="1800000"
host="xx.xx.xx.xx"
port="636"
secure="true"
authDn="adt\\taduser"
authPw="xxxxxx"
userRoot="OU=publish,OU=people,DC=adt,DC=com"
userIdAttribute="userPrincipalName"
autocreate="create"
autocreate.path="none"
autocreate.user.firstName="rep:firstName"
autocreate.user.mail="profile/email"
autocreate.user.sn="profile/familyName"
autocreate.user.cn="rep:fullname"
groupRoot="OU=publish,OU=group,DC=adt,DC=com"
groupNameAttribute="CN"
autocreate.group.description="description"
autocreate.group.cn="rep:groupName"
groupMembershipAttribute="member"
userFilter="(objectClass=person)"
groupFilter="(objectClass=group)"
cache.expiration="1"
cache.maxsize="1";
};
2. Updated F:\installed\cq5\author\crx-quickstart\repository\repository.xml with:
<?xml version="1.0" encoding="ISO-8859-1"?>
<!-- ======================================================================= -->
<!-- $Id: repository-template.xml 78567 2011-06-16 04:27:03Z tripod $ -->
<!-- ======================================================================= -->
<!-- Copyright (c) 1997-2008 Day Management AG -->
<!-- Barfuesserplatz 6, 4001 Basel, Switzerland -->
<!-- All Rights Reserved. -->
<!-- -->
<!-- This software is the confidential and proprietary information of -->
<!-- Day Management AG, ("Confidential Information"). You shall not -->
<!-- disclose such Confidential Information and shall use it only in -->
<!-- accordance with the terms of the license agreement you entered into -->
<!-- with Day. -->
<!-- ======================================================================= -->
<!DOCTYPE Repository PUBLIC "-//Day Management AG//DTD CRX 2.4//EN"
"http://www.day.com/dtd/repository-2.4.dtd">
<Repository>
<!--
virtual file system where the repository stores global state
(e.g. registered namespaces, custom node types, etc.)
-->
<!--
<FileSystem class="com.day.jackrabbit.fs.cq.CQFileSystem">
<param name="path" value="${rep.home}/repStore.dat"/>
<param name="autoRepair" value="false"/>
</FileSystem>
-->
<FileSystem class="org.apache.jackrabbit.core.fs.local.LocalFileSystem">
<param name="path" value="${rep.home}/repository"/>
</FileSystem>
<!--
large binary objects are stored in the data store.
-->
<DataStore class="com.day.crx.core.data.ClusterDataStore"/>
<!--
security configuration
-->
<Security appName="com.day.crx">
<!--
security manager:
class: FQN of class implementing the JackrabbitSecurityManager interface
-->
<!--SecurityManager class="com.day.crx.core.CRXSecurityManager" workspaceName="" -->
<SecurityManager class="com.day.crx.core.CRXSecurityManager">
<!-- LDAP related configuration -->
<WorkspaceAccessManager class="org.apache.jackrabbit.core.security.simple.SimpleWorkspaceAccessManager"/>
<UserManager class="com.day.crx.core.CRXUserManagerImpl">
<param name="usersPath" value="/home/users"/>
<param name="groupsPath" value="/home/groups"/>
<param name="defaultDepth" value="1"/>
</UserManager>
<!--
optional user manager configuration
<UserManager class="org.apache.jackrabbit.core.security.user.UserPerWorkspaceUserManager">
<param name="usersPath" value="/home/users"/>
<param name="groupsPath" value="/home/groups"/>
<param name="defaultDepth" value="1"/>
<param name="autoExpandTree" value="true"/>
<AuthorizableAction class="org.apache.jackrabbit.core.security.user.action.AccessControlAction">
<param name="groupPrivilegeNames" value="jcr:read"/>
<param name="userPrivilegeNames" value="jcr:all"/>
</AuthorizableAction>
AuthorizableAction class="com.day.crx.core.ntlm.NTLMAuthorizableAction"/>
</UserManager> -->
<!--
optional workspace access manager configuration
-->
</SecurityManager>
<!--
access manager:
class: FQN of class implementing the AccessManager interface
-->
<AccessManager class="org.apache.jackrabbit.core.security.DefaultAccessManager"></AccessManager>
<!--
Use LoginModule authenticating against repository itself
-->
<LoginModule class="com.day.crx.core.CRXLoginModule">
<param name="anonymousId" value="anonymous"/>
<param name="adminId" value="admin"/>
<param name="disableNTLMAuth" value="true"/>
<param name="tokenExpiration" value="43200000"/>
<!-- param name="trust_credentials_attribute" value="d5b9167e95dad6e7d3b5d6fa8df48af8"/ -->
</LoginModule>
</Security>
<!--
location of workspaces root directory and name of default workspace
-->
<Workspaces rootPath="${rep.home}/workspaces" defaultWorkspace="crx.default" maxIdleTime="5"/>
<!--
workspace configuration template:
used to create the initial workspace if there's no workspace yet
-->
<Workspace name="${wsp.name}" simpleLocking="true">
<!--
virtual file system of the workspace:
class: FQN of class implementing FileSystem interface
-->
<FileSystem class="org.apache.jackrabbit.core.fs.local.LocalFileSystem">
<param name="path" value="${wsp.home}"/>
</FileSystem>
<!--
persistence manager of the workspace:
class: FQN of class implementing PersistenceManager interface
-->
<PersistenceManager class="com.day.crx.persistence.tar.TarPersistenceManager"/>
<!--
Search index and the file system it uses.
-->
<SearchIndex class="com.day.crx.query.lucene.LuceneHandler">
<param name="path" value="${wsp.home}/index"/>
<param name="resultFetchSize" value="50"/>
</SearchIndex>
<!--
Workspace security configuration
-->
<WorkspaceSecurity>
<AccessControlProvider class="org.apache.jackrabbit.core.security.authorization.acl.ACLProvider">
<param name="omit-default-permission" value="true"/>
</AccessControlProvider>
</WorkspaceSecurity>
<!--
XML Import configuration of the workspace
-->
<Import>
<ProtectedItemImporter class="org.apache.jackrabbit.core.xml.AccessControlImporter"/>
<ProtectedItemImporter class="org.apache.jackrabbit.core.security.user.UserImporter">
<param name="importBehavior" value="besteffort"/>
</ProtectedItemImporter>
</Import>
</Workspace>
<!--
Configures the versioning
-->
<Versioning rootPath="${rep.home}/version">
<!--
Configures the filesystem to use for versioning of the respective
persistence manager
-->
<FileSystem class="org.apache.jackrabbit.core.fs.local.LocalFileSystem">
<param name="path" value="${rep.home}/version"/>
</FileSystem>
<!--
Configures the persistence manager to use for the versioning.
Please note, that the current versioning implementation is based on
a 'normal' persistence manager, but this could change in future
implementations.
-->
<PersistenceManager class="com.day.crx.persistence.tar.TarPersistenceManager"/>
</Versioning>
<!--
Enable searching the /jcr:system subtree
-->
<SearchIndex class="com.day.crx.query.lucene.LuceneHandler">
<param name="path" value="${rep.home}/repository/index"/>
</SearchIndex>
<!--
Cluster configuration.
-->
<Cluster>
<Journal class="com.day.crx.persistence.tar.TarJournal"/>
</Cluster>
<!--
Configures extension modules
-->
<Modules>
<!--
Sample configuration of an EventLoggerModule requiring configuration
<Module class="com.day.crx.eventlogger.EventLoggerModule">
<param name="workspaces" value="crx.default"/>
<param name="logWorkspace" value="crx.logger"/>
<param name="logPath" value="/logger"/>
</Module>
-->
</Modules>
</Repository>
3. Updated F:\installed\cq5\author\crx-quickstart\bin\quickstart.bat with:
@echo off
:: This script configures the start information for this server.
:: The following variables may be used to override the defaults.
:: For one-time overrides the variable can be set as part of the command-line; e.g.,
:: SET CQ_PORT=1234 & ./start.bat
setlocal
::* TCP port used for stop and status scripts
set CQ_PORT=4502
::* http host name
:: set CQ_HOST=
::* interface that this server should listen to
:: set CQ_INTERFACE=eth0
::* show gui
set CQ_GUI=true
::* do not show browser on startup
set CQ_NOBROWSER=true
::* do not redirect stdout/stderr (logs to console)
set CQ_VERBOSE=true
::* do not fork the JVM
:: set CQ_NOFORK=true
::* force forking the VM using recommended default memory settings
:: set CQ_FORK=true
::* additional arguments for the forked JVM
:: set CQ_FORKARGS=
::* runmode(s)
set CQ_RUNMODE=author,dev
::* defines the path under which the quickstart work folder is located
:: set CQ_BASEFOLDER=
::* low memory action
:: set CQ_LOWMEMACTION=
::* name of the jarfile
:: set CQ_JARFILE=
::* use jaas.config
:: set CQ_USE_JAAS=true
::* config for jaas
set CQ_JAAS_CONFIG=F:/installed/cq5/author/crx-quickstart/conf/ldap_login.conf
::* default JVM options
set CQ_JVM_OPTS=-Djava.security.auth.login.config=F:/installed/cq5/author/crx-quickstart/conf/ldap_login.conf -Xms1024m -Xmx1024m -XX:PermSize=256M -XX:MaxPermSize=256M -XX:+UseConcMarkSweepGC -XX:NewRatio=1 -XX:CMSInitiatingOccupancyFraction=85 -XX:ParallelGCThreads=4 -XX:GCTimeRatio=3 -XX:+UseParNewGC -XX:-UseGCOverheadLimit -XX:SurvivorRatio=6 -Xloggc:F:/installed/cq5/author/crx-quickstart/gc.log -verbose:gc -XX:+PrintGCTimeStamps -XX:+HeapDumpOnOutOfMemoryError -Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=9998 -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.ssl=false -Djava.awt.headless=true
::* do not configure below this point
chdir /D %~dp0
cd ..\..
set START_OPTS=-use-control-port
if defined CQ_PORT set START_OPTS=%START_OPTS% -p %CQ_PORT%
if defined CQ_INTERFACE set START_OPTS=%START_OPTS% -a %CQ_INTERFACE%
if defined CQ_GUI set START_OPTS=%START_OPTS% -gui
if defined CQ_NOBROWSER set START_OPTS=%START_OPTS% -nobrowser
if defined CQ_VERBOSE set START_OPTS=%START_OPTS% -verbose
if defined CQ_NOFORK set START_OPTS=%START_OPTS% -nofork
if defined CQ_FORK set START_OPTS=%START_OPTS% -fork
if defined CQ_FORKARGS set START_OPTS=%START_OPTS% -forkargs %CQ_FORKARGS%
if defined CQ_RUNMODE set START_OPTS=%START_OPTS% -r %CQ_RUNMODE%
if defined CQ_BASEFOLDER set START_OPTS=%START_OPTS% -b %CQ_BASEFOLDER%
if defined CQ_LOWMEMACTION set START_OPTS=%START_OPTS% -low-mem-action %CQ_LOWMEMACTION%
if defined CQ_HOST set START_OPTS=%START_OPTS% -Dorg.apache.felix.http.host=%CQ_HOST%
if defined CQ_USE_JAAS set START_OPTS=%START_OPTS% -Djava.security.auth.login.config=%CQ_JAAS_CONFIG%
if not defined CQ_JARFILE for %%X in (*.jar) do set CQ_JARFILE=%%X
tasklist > oldTaskList.txt
start "CQ" cmd.exe /K java %CQ_JVM_OPTS% -jar %CQ_JARFILE% %START_OPTS%
tasklist > newTaskList.txt
java -cp %~dp0 GetProcessID oldTaskList.txt newTaskList.txt java.exe > crx-quickstart\conf\cq.pid
del newTaskList.txt
del oldTaskList.txt
4. Started CQ5 by double-clicking F:\installed\cq5\author\crx-quickstart\bin\quickstart.bat
Issue: I am not able to see the domain "com.adobe.granite.ldap" in http://localhost:4502/system/console/jmx
I am not sure what have I done wrong. Please let me know how can I synchronize all the users from LDAP into CRX.
Thanks in advance,
Anurag
Please refer to my post:
CQ5 as Windows Service with LDAP Authentication
http://forums.adobe.com/thread/1260837?tstart=0 -
Dear All,
I have ISE nodes in distributed environment.
1) Added PRI & SEC Monitoring node in Prime under Administration --> Servers --> ISE Servers.
By doing this I am getting ISE reports under Reports Launch Pad.
2) On ISE: Administration --> System --> Logging --> Remote Logging Targets (Prime <IP address>, Port: 514, Facility: Local 6, Target Type: UDP syslog)
But I am unable to get any ISE syslog on Prime.
Can anyone tell me how to see the syslogs of ISE in Prime?
Thanks for your reply.
I have added the third-party syslog IP address on ISE as a remote logging target, but I am not receiving AAA Passed/Failed logs, whereas other system logs are being received.
The facility code is Local 6. Any help? -
Hello - Couple of questions with respect to ISE integrations.
A. Is there any planned integration planned with ISE MnT persona and PCM in some way or form?
B. Does ISE MnT integrate with any Network Monitoring tool (IBM Tivoli etc)?
Thanks
SG -
Dear friends,
We are using ISE and WLC integration in our network. We have Corporate and Guest SSIDs; we configured them, but the client can't connect to this SSID and can't be authenticated. Please see the attached files and tell me if I did something wrong in the configuration of the WLC.
10.10.17.201 is ISE
Thank you for your attention
Hi,
After viewing the Trap logs it seems you have checked on validate machine.
On the client side, make sure you don't check validate machine and then try. -
ISE Authentication Policy for RSA Securid and LDAP for VPN
We are working on replacing our existing ACS server with ISE. We have 2 groups of users, customers and employees. The employee's utilize RSA securid for authentication while the customers use Window authentication. We have integrated the AD into ISE using LDAP and this has been tested. We are now working on trying to get the rsa portion to work. We are wanting to utilize the authorization policy to assign the group-policy/IP for both clients via the LDAP user attributes.
Here is my question:
Under the authentication policy, should we look at an identity store that has RSA SecurID users, LDAP users and then internal users? I assume if the user isn't present in the RSA store it will then look at LDAP; will this present an issue with overhead in our RSA environment? With the legacy ACS the decision on where to authenticate the user was made on the ACS, either Windows or RSA. The employee users will still also be present in LDAP so we can utilize the attributes for IP address/group policy. The number of customer VPNs is several times larger than employees and I am afraid that if we have to query the SecurID servers for every VPN authentication attempt this could cause issues. Our ultimate goal is to move to AnyConnect and utilize a single URL for all authentication but allow ISE to instruct the ASA what attributes to hand to the client such as DNS/dACL.
Thanks,
Joe
That is not what I want. I want user "test1" to be able to do this:
C
Username: test1
Enter PASSCODE:
C2960>en
Enter PASSCODE:
C2960#
In other words, the test1 user has to type in his/her RSA token password to get
into exec mode. After that, he/she has to use the RSA token password to
get into enable mode. Each user can get into "enable" mode with his/her
RSA token.
The way you described it, it seemed like anyone in this group can go directly
into enable mode without a password. This is not what I have in mind.
Any other ideas? Thanks.
-
We are doing an LDAP integration with ISE but we are getting the following error. We are not able to identify the problem when we tested the following scenarios.
1. When we check with anonymous access we are successful and we get the message “ Bind Successful to gluetest.systems.XXXX:3269”.
2. When we use the username and password CN=GRHIIISEPOC,OU=,XXXX, DC=YYYY, DC=ADROOTTEST,DC=YYYY, we are not successful and we get the message “ Test Failed: Invalid Admin Credentials or Security Settings: Check Admin Username and Password and make the security settings are compatible with the server:”.
Please confirm whether the user ID I am using does not have admin privileges, or whether I have entered the parameters incorrectly.
Thanks
Did you use Softerra or an LDAP browser to pull the DN of this user account?
Thanks
Sent from Cisco Technical Support Android App
-
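The reply above suggests pulling the bind DN from an LDAP browser. A cheap first check, before suspecting the account's privileges or the security settings, is whether the DN string is even syntactically valid: an empty value or a component without '=' makes the simple bind fail no matter what the password is. The following is an added example, not code from the thread or from Cisco: a small RFC 4514 DN parser that splits the DN into RDNs and attribute=value pairs, collects every syntax problem it finds, and derives the domain implied by the DC= components so it can be compared with the domain the server actually serves. The sample DNs are constructed; the second is shaped like the DN in the post as it appears there (an empty OU= value followed by a component with no '='), which the check rejects.

```python
"""Sanity-check an LDAP bind DN before troubleshooting credentials.

Added example (not from the thread). A small RFC 4514 DN parser: it
splits the DN on unescaped ',' into RDNs and on unescaped '+' into
attribute=value pairs, collects every syntax problem it finds, and
derives the AD domain implied by the DC= components.
"""
import re

# Attribute type: a descriptor such as CN / OU / DC, or a numeric OID.
ATTR_TYPE_RE = re.compile(r"^(?:[A-Za-z][A-Za-z0-9-]*|[0-9]+(?:\.[0-9]+)*)$")


def split_unescaped(text, sep):
    """Split text on sep, treating a backslash-escaped sep as a literal."""
    parts, current, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            current.append(ch)
            current.append(text[i + 1])   # keep the escape pair verbatim
            i += 2
            continue
        if ch == sep:
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    parts.append("".join(current))
    return parts


def check_dn(dn):
    """Parse dn into a list of RDNs (each a list of (type, value) tuples).

    Returns (rdns, problems). problems is a list of human-readable
    findings; an empty list means the DN is syntactically well formed.
    """
    rdns, problems = [], []
    if dn.strip() == "":
        return rdns, problems            # the empty DN (root DSE) is legal
    for idx, rdn in enumerate(split_unescaped(dn, ","), start=1):
        if rdn.strip() == "":
            problems.append(f"RDN {idx}: empty (stray or doubled comma)")
            continue
        avas = []
        for ava in split_unescaped(rdn, "+"):
            if "=" not in ava:
                problems.append(f"RDN {idx}: {ava.strip()!r} has no '='")
                continue
            attr_type, value = ava.split("=", 1)
            attr_type, value = attr_type.strip(), value.strip()
            if not ATTR_TYPE_RE.match(attr_type):
                problems.append(f"RDN {idx}: bad attribute type {attr_type!r}")
            if value == "":
                problems.append(f"RDN {idx}: attribute {attr_type} has an empty value")
            avas.append((attr_type, value))
        rdns.append(avas)
    return rdns, problems


def domain_from_dn(rdns):
    """Join the DC= values of a parsed DN into a DNS-style domain name."""
    labels = [v for rdn in rdns for t, v in rdn if t.lower() == "dc"]
    return ".".join(labels)


if __name__ == "__main__":
    # Constructed sample DNs: one well formed, one shaped like the DN in the
    # post above (an empty OU= value and a component with no '=').
    samples = [
        "CN=ise-bind,OU=Service Accounts,DC=corp,DC=example,DC=test",
        "CN=GRHIIISEPOC,OU=,XXXX, DC=YYYY, DC=ADROOTTEST,DC=YYYY",
    ]
    for dn in samples:
        rdns, problems = check_dn(dn)
        print(dn)
        print("  domain from DC components:", domain_from_dn(rdns) or "(none)")
        for p in problems or ["no syntax problems found"]:
            print(" ", p)
```

This only checks the string; it does not resolve the DN against the directory, which is what an LDAP browser does and why the reply recommends one. If the DN parses cleanly and the domain derived from the DC= components matches the domain behind the server name in the successful anonymous bind, the remaining suspects are the password and the security settings named in the error text.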
Current State:
• I have a customer running CUCM 6.1 and UCCX 7.01SR5. Currently their CUCM is *NOT* LDAP integrated and using local accounts only. UCCX is AXL integrated to CUCM as usual and is pulling users from CUCM and using CUCM for login validation for CAD.
• The local user accounts in CUCM currently match the naming format in active directory (John Smith in CUCM is jsmith and John Smith is jsmith in AD)
Goal:
• Upgrade software versions and migrate to new hardware for UCCX
• LDAP integrate the CUCM users
Desired Future State and Proposed Upgrade Method
Using the UCCX Pre Upgrade Tool (PUT), backup the current UCCX 7.01 server.
Then, during a weekend maintenance window...
• Upgrade the CUCM cluster from 6.1 to 8.0 in a 2-step process
• Integrate the CUCM cluster to corporate active directory (LDAP) - sync the same users that were present before, associate with physical phones, select the same ACD/UCCX line under the users settings as before
• Then build UCCX 8.0 server on new hardware and stop at the initial setup stage
• Restore the data from the UCCX PUT tool
• Continue setup per documentation
At this point does UCCX see these agents as the same as they were before?
Is the historical reporting data the same with regards to agent John Smith (local CUCM user) from last week and agent John Smith (LDAP imported CUCM user) from this week ?
I have the feeling that UCCX will see the agents as different almost as if there is a unique identifier that's used in addition to the simple user name.
We can simplify this question along these lines
Starting at the beginning with CUCM 6.1 (local users) and UCCX 7.01. Let's say the customer decided to LDAP integrate the CUCM users and not upgrade any software.
If I follow the same steps with re-associating the users to devices and selecting the ACD/UCCX extension, what happens?
I would guess that UCCX would see all the users it knew about get deleted (making them inactive agents) and the see a whole group of new agents get created.
What would historical reporting show in this case? A set of old agents and a set of new agents treated differently?
Has anyone run into this before?
Is my goal possible while keeping the agent configuration and HR data as it was before?
I was doing some more research, looking at the DB schema for UCCX 8.
Looking at the Resource table in UCCX, it looks like there is a primary key that represents each user.
My question, is this key replicated from CUCM or created locally when the user is imported into UCCX?
How does UCCX determine if user account jsmith in CUCM, when it’s a local account, is different than user account jsmith in CUCM that is LDAP imported?
Would it be possible (with TAC's help most likely) to edit this field back to the previous values so that AQM and historical reporting would think the user accounts are the same?
Database table name: Resource
The Unified CCX system creates a new record in the Resource table when the Unified CCX system retrieves agent information from the Unified CM.
A Resource record contains information about the resource (agent). One such record exists for each active and inactive resource. When a resource is deleted, the old record is flagged as inactive; when a resource is updated, a new record is created and the old one is flagged as inactive.