ISE and no External Identity Source

I have this particular case in which I need to make authentications for users in ISE without Active Directory/LDAP etc.
I would like to have some kind of MAC to USER binding where the user would not be able to add more devices to the network. I know the EAP chaining using AnyConnect is a way of achieving this, but then again I can only see it using AD or some kind of external database. Also printers, wireless and phones are in the map. I tried using MAB and CWA for this but do not want to have the users be able to self-register their devices as if they were guests.
EAP chaining without AD??? Possible?
Any hope?
Thank you 

Someone else can chime in here but I don't think it is possible to perform EAP-Chaining with the internal database of ISE. With that being said, feel free to read the EAP-TEAP IETF doc :)
http://tools.ietf.org/html/draft-ietf-emu-eap-tunnel-method-01

Similar Messages

  • Multiple AD External Identity Sources in ISE 1.2

    First I guess is it possible to have multiple AD entries for External Identity Sources in ISE 1.2? When I display Active Directory (AD1) it displays my four ISE servers with a status of connected but I see nowhere to add anything additional. I did not originally set this up so figure I am missing something somewhere if this is possible. I thought maybe add under LDAP and then it would roll into AD or something but I have nothing listed under LDAP either.
    What I am trying to do is figure out how to have ISE cover our two different domains. We have one big forest but currently that is split into two AD domains based upon our two divisions. I am trying to see if possibly I can simply get through the existing configuration to pull security groups from the other domain into the dictionary but so far that has proven not doable.
    Brent

    Saurav,
    I was beginning to think that might be the solution. Now I just need to go through the release notes and make sure there are no issues with it running on ACS-2111 appliance. We are currently using this as the secondary Admin but knew we would have to move off something. I think management is hoping later than sooner especially since we are still in that initial roll out phase.
    How does the system handle the fact that this is all centralized but I have users authenticating from the different time zones? I have been reading about everything pointing to the same NTP server but took that to simply be the servers in the ISE Cluster. Will this also impact all the switches and network devices involved in the authentication process?
    Brent

  • External Identity Sources, binding RSA securID to ISE

    Hi all,
    Say, my topology was using ISE doing VPN inline posture, and bind RSA securID (version 7.1) as external Identity Sources.
    During the deployment, in order to let my iPEP node join the Policy Service Node, for the certificate I am using the third-party CA server (Windows Server 2008 R2) as the root CA; both of these 2 ISE were mutually authenticated and done.
    My question: as I am using RSA SecurID as external identity sources, native behaviour, will the ISE trust RSA with no identity certificate signed by the identical root CA?
    Should I enroll this RSA appliance, issuing the CSR to the CA server to sign, in the PKI environment? Is there a need for this?
    Thanks
    Noel

    Noel,
    From my experience when integrating with the RSA token server you need the sdconf.rec file exported from the RSA and you import that into the ISE configuration. You then select this identity store with your authentication policies for VPN users. There isn't a need for any certificates when integrating with a token server (that was the last time I checked) and even if there were, they would just need to trust each other's certificates.
    I hope that helps!
    Sent from Cisco Technical Support iPad App

  • ISE - External Identity Source (AD Groups)

    Assume there are no groups populated in this bucket (Identity Management -> Active Directory -> Groups). Does ISE just check if the user is in AD and allow them on? I have clients authenticating that aren't part of the single group I added to this bucket.
    This is why I ask ..
    "Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
    ‎"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."       

    Yes, you understood it right. Let me add a little more explanation.
    Group retrieval for authorization
    You can use the AD group data in the authorization and group mapping tables and introduce special conditions to match them against the retrieved groups.
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.4/user/guide/users_id_stores.html#wp1170416
    Once you've selected the groups under
    Users and Identity Stores >
    External Identity Stores >
    Active Directory > directory groups
    The same groups will start appearing under the screenshot listed below. From there you will see 2 options, any / all, like an or / and condition. Based on user membership the authorization role can be assigned.
    ~BR
    Jatin Katyal
    **Do rate helpful posts**

  • ISE Admin Access Authentication against multiple AD/LDAP Identity Sources

    Hi all!
    We would like to grant admin access to our ISE deployment to users stored in multiple Active Directories. Since there is no trust relationship between these ADs, we created an LDAP Identity Source for each AD and also an Identity Source Sequence, but in the UI we can only select one Identity Source.
    Any ideas how to solve this problem?
    Thanks in advance!
    Kind regards,
    Michael Langerreiter

    I did check in my lab and yes for admin access we can't select identity store sequence in authentication. We can only pick one external database. However, on the login page you may select the appropriate database before you enter the username and password.
    Jatin Katyal
    - Do rate helpful posts -

  • ISE and Microsoft AD machine authentication

    Hello Security masters,
    my goal is to perform a PEAP authentication against Microsoft AD with the machine credentials of the Windows PC.
    The question is, how my authorization policy looks like? From my understanding I have different possibilities to solve this:
    1.) Directly referencing to the AD group, where the computer objects are stored:
    If "Any" and <AD-NAME>:ExternalGroups equals <DOMAIN>/COMPUTERS then PermitAccess
    Drawback: If I have multiple subdomains or if the computer accounts are stored in different OUs or groups, I have to check all of them (multiple rules or compound conditions)
    2.) Username checking
    If "Any" and Network Access:UserName STARTS_WITH host\ then "PermitAccess"
    I'm checking if the username starts with "host\", which is normally an indicator for a machine/computer account
    3.) Attribute checking
    If "Any" and <AD-NAME>:servicePrincipalName STARTS_WITH host\ then "PermitAccess"
    I'm checking the value of the "servicePrincipalName" of the AD. Normally only computers have this attribute and the value is "host\<PC-NAME>".
    Is one of these three approaches the right way to do it, or am I doing it completely wrong?
    Is there a best-practice approach to do this? How did you guys solve this?
    Best regards and thank you in advance
    Johannes
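The ANY / ALL compound matching mentioned earlier in this thread and the three candidate machine-authentication rules from the post above, worked through in a small rule evaluator. This is an added example, not ISE code or anything from the original posts: attribute names mimic the ISE dictionaries, the AD join point name "AD1" and the group paths are assumed, the sessions are constructed, and comparisons are made case-insensitive here. The sample identities use the host/ form that Windows supplicants send for machine authentication.

```python
"""Toy evaluator for ISE-style authorization rules (constructed example)."""
from dataclasses import dataclass
from typing import Dict, List, Sequence, Union

Attrs = Dict[str, Union[str, List[str]]]   # one session's attributes


@dataclass(frozen=True)
class Condition:
    attribute: str      # e.g. "Network Access:UserName"
    operator: str       # "EQUALS" or "STARTS_WITH"
    value: str

    def matches(self, attrs: Attrs) -> bool:
        raw = attrs.get(self.attribute)
        if raw is None:                      # attribute absent: no match
            return False
        values = raw if isinstance(raw, list) else [raw]   # groups are multi-valued
        # Assumption of this toy: comparisons are case-insensitive.
        if self.operator == "EQUALS":
            return any(v.lower() == self.value.lower() for v in values)
        if self.operator == "STARTS_WITH":
            return any(v.lower().startswith(self.value.lower()) for v in values)
        raise ValueError(f"unsupported operator {self.operator}")


@dataclass(frozen=True)
class Rule:
    name: str
    conditions: Sequence[Condition]
    mode: str = "ALL"          # "ALL" = and, "ANY" = or, as in the ISE UI
    result: str = "PermitAccess"

    def matches(self, attrs: Attrs) -> bool:
        combine = all if self.mode == "ALL" else any
        return combine(c.matches(attrs) for c in self.conditions)


def authorize(rules: Sequence[Rule], attrs: Attrs, default: str = "DenyAccess") -> str:
    """First-match evaluation, top to bottom, like an authorization policy."""
    for rule in rules:
        if rule.matches(attrs):
            return rule.result
    return default


# The three candidate rules from the post (join point name "AD1" is assumed).
RULE_GROUP = Rule("1-group", [Condition("AD1:ExternalGroups", "EQUALS",
                                        "corp.example/Users/Domain Computers")])
RULE_USERNAME = Rule("2-username", [Condition("Network Access:UserName", "STARTS_WITH", "host/")])
RULE_SPN = Rule("3-spn", [Condition("AD1:servicePrincipalName", "STARTS_WITH", "host/")])

# Variant of rule 1 that accepts computers from either domain, using ANY (or).
RULE_GROUP_ANY = Rule("1b-group-any", [
    Condition("AD1:ExternalGroups", "EQUALS", "corp.example/Users/Domain Computers"),
    Condition("AD1:ExternalGroups", "EQUALS", "sub.corp.example/Users/Domain Computers"),
], mode="ANY")

# Constructed sessions: the supplicant presents host/<computer FQDN>; the
# ExternalGroups and servicePrincipalName values are what ISE fetched from AD.
MACHINE_ROOT: Attrs = {
    "Network Access:UserName": "host/PC01.corp.example",
    "AD1:ExternalGroups": ["corp.example/Users/Domain Computers"],
    "AD1:servicePrincipalName": ["HOST/PC01", "HOST/PC01.corp.example"],
}
MACHINE_SUBDOMAIN: Attrs = {
    "Network Access:UserName": "host/PC02.sub.corp.example",
    "AD1:ExternalGroups": ["sub.corp.example/Users/Domain Computers"],
    "AD1:servicePrincipalName": ["HOST/PC02", "HOST/PC02.sub.corp.example"],
}
USER_SESSION: Attrs = {
    "Network Access:UserName": "jdoe",
    "AD1:ExternalGroups": ["corp.example/Users/Domain Users"],
}


def compare_rules(attrs: Attrs) -> Dict[str, str]:
    """Result each candidate rule gives for one session when used on its own."""
    return {r.name: authorize([r], attrs)
            for r in (RULE_GROUP, RULE_GROUP_ANY, RULE_USERNAME, RULE_SPN)}


if __name__ == "__main__":
    for label, s in (("root-domain PC", MACHINE_ROOT),
                     ("sub-domain PC", MACHINE_SUBDOMAIN), ("user", USER_SESSION)):
        print(label, compare_rules(s))
```

Running it shows the drawback the post describes: the single-group rule denies the sub-domain computer while the ANY variant, the username prefix and the SPN check all permit it. One difference worth keeping in mind when choosing: rule 2 tests the identity string the supplicant itself presented, whereas rules 1 and 3 test attributes ISE retrieved from AD for that account, so the latter two only hold once the account was actually found in the directory.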

    Hi Neno,
    thank you for your answer.
    There are multiple domains in the forest and the computer / machine accounts are in multiple groups.
    So a trust relationship is not enough to reach the goal. In the ISE you have to add all these groups to the ISE search index in the External Identity Sources - AD settings. Plus you'll have to check for all these groups in the authorization policy (either manually or with a compound condition).
    Is that right?

  • Cisco ISE and SecurID Integration Questions

    I'm looking for some clarity trying to understand something conceptually. I want to integrate Cisco ISE with RSA SecurID, the idea being that if the user authenticates with RSA SecurID they end up on one VLAN, however, if they don't authenticate with (or don't use, or don't have) SecurID they'll end up on another VLAN. Note that I'm not using SecurID for wireless access...all PCs are wired to Ethernet.
    We have been using RSA SecurID for a while and are currently on version 8.0. Our users are authenticating via the RSA Agent typically on Windows 8.1. Instead of the usual Windows login prompt, the RSA Agent first prompts for the username and passcode (they use an app on their smartphones to get the passcode), then after a moment or two, it prompts for their Windows domain password.
    We have recently installed Cisco ISE version 1.3. With the help of a local Cisco engineer and going through the "Cisco Identity Services Engine User Guide", I have it set up and running along with a few 'test' ports on our Cisco 6809 switch, it basically works...as a test it's simply set up that if they authenticate they're on one VLAN, if not, they end up on another (this is currently without using RSA...just out-of-the-box Windows authentication).
    The Cisco engineer was unable to help me with RSA SecurID, so pressing on without him, out of the same user guide I have followed the directions for "RSA Identity Sources" under the "Managing Users and External Identity Sources", and that went well as far as ISE is concerned; I am now ready to get serious about getting ISE and SecurID working together.
    My mistake in this design so far was assuming that the RSA agent on the Windows client PCs would communicate with Cisco ISE...there doesn't seem to be a way to have them point to a non-RSA SecurID server for authentication. The concept I'm missing is what, or how, the end-user machine is supposed to authenticate taking advantage of both ISE and SecurID.
    I have dug deeper into the Cisco ISE documentation but it seems heavily biased towards Wi-Fi and BYOD implementations and it's not clear to me what applies to wired vs wireless. Perhaps it's a case that I'm not seeing the forest for the trees, but I'm not understanding what the end-user authentication looks like. It appears that as I learn more about ISE, it should become the primary SSO source, that SecurID becomes just an identity source and the PC clients would no longer directly communicate with the SecurID servers. That being the case, do I need to replace the SecurID client on the PCs and something else Cisco-ish fills this role? An agent for ISE? How do they continue to use their passcode without the RSA agent?
    Thanks!

    The external db not operation indicates that there is no communication between ACS and RSA. Did you fetch the package.cab file to analyse the auth.log file?
    Have you already gone through the below listed link?
    http://www.security-solutions.co.za/cisco-CSACS-1113-SE-4.2-RSA-Authentication-Manager-Integration-Configuration-Example.html
    Regards,
    Jatin Katyal
    - Do rate helpful posts -

  • ISE and authenticating against Windows AD with RADIUS realm that is different from the Windows domain

    Hello
    We are in the process of evaluating the Cisco ISE VMware appliance with a view to replacing our existing FreeRADIUS installation as authentication provider for our wireless network and VPN service. As a part of this we are hoping to migrate our user authentication to Microsoft Active Directory - we have previously authenticated against a different identity store (not MS AD). Because of this legacy our Windows domain is not the same as our RADIUS realm name - the Windows domain is "win.mydomain" whereas we wish to allow users to authenticate using "username@mydomain" or even "[email protected]" as they are doing today. We are experiencing an issue where authentication requests with the format "[email protected]" will be forwarded to the Windows AD whereas authentication requests with the format "username@mydomain" will fail with the log message "User not found in Active Directory". We do not know if the ISE itself is validating the username and triggering this error, or if the error originates from AD. We suspect that the ISE is not even asking AD because "win.mydomain" is the domain configured in "Active Directory" in "External Identity Sources".
    Authentication requests against the AD without a realm are successful (that is, using only "username"). With this in mind we located a post on the Cisco support forums that described a process of proxying the request back to the ISE and stripping the realm information, but this was specific to the ACS platform. We have attempted to implement this solution but it is still not working as we would have hoped, and we are not entirely certain where the fault might lie. We are currently using PEAP with MSCHAPv2 for authentication in our WLAN where the main problem is. We suspect that the "proxy-to-self" with realm stripping is an issue with PEAP.
    Is there a supported method of achieving our goal, or should we abandon the ISE platform as our scenario is simply not supported?

    Seems like your issue may be related to DNS: when ISE receives the format [email protected], the DNS request is failing. However, there is a setting for alternate UPN suffixes that can be configured to include domain.com and student.domain.com.
    Here is a windows article that should fix this for you. Once you get this updated please reboot ISE so it rejoins AD. Try your tests again.
    http://technet.microsoft.com/en-us/library/cc772007.aspx
    Thanks,
    Tarik Admani
    *Please rate helpful posts*
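To make the failure mode in this thread concrete, here is an added example (not ISE code and not from either poster) of how a login name is split into account and domain before the directory lookup, and why "username@mydomain" misses when the joined domain is "win.mydomain" until that suffix is on the accepted list. The domain names come from the thread; the suffix-to-domain map, the dataclass and the handling of the DOMAIN\user form are assumptions of this example.

```python
"""Realm / UPN-suffix resolution for a RADIUS login name (constructed example)."""
from dataclasses import dataclass
from typing import Mapping, Optional

AD_DOMAIN = "win.mydomain"                      # the joined AD domain from the post

# Suffixes the directory will answer for.  Before the fix only the real domain
# name is known; after alternate UPN suffixes are added, the short realm and a
# student realm resolve to the same AD domain.  (Mapping is assumed.)
SUFFIXES_BEFORE: Mapping[str, str] = {"win.mydomain": AD_DOMAIN}
SUFFIXES_AFTER: Mapping[str, str] = {
    "win.mydomain": AD_DOMAIN,
    "mydomain": AD_DOMAIN,
    "student.mydomain": AD_DOMAIN,
}


@dataclass(frozen=True)
class Identity:
    sam_account_name: str   # the bare user part handed to AD
    domain: str             # AD domain the lookup is sent to
    form: str               # "bare", "upn" or "downlevel"


def resolve_identity(login: str, suffixes: Mapping[str, str]) -> Optional[Identity]:
    """Split a User-Name into account and domain; None when the realm is unknown.

    Accepts "user", "user@realm" and "DOMAIN\\user".  A None result is the
    situation the log line "User not found in Active Directory" describes.
    """
    login = login.strip()
    if not login:
        return None
    if "@" in login:
        user, _, realm = login.rpartition("@")
        if not user or not realm or "@" in user:
            return None                              # malformed, e.g. "a@b@c"
        domain = suffixes.get(realm.lower())
        return Identity(user, domain, "upn") if domain else None
    if "\\" in login:
        realm, _, user = login.partition("\\")
        if not user or not realm:
            return None
        domain = suffixes.get(realm.lower())
        return Identity(user, domain, "downlevel") if domain else None
    return Identity(login, AD_DOMAIN, "bare")          # no realm: default domain


def outcome(login: str, suffixes: Mapping[str, str]) -> str:
    """Human-readable result, mirroring the log message from the post."""
    ident = resolve_identity(login, suffixes)
    if ident is None:
        return "User not found in Active Directory"
    return f"{ident.sam_account_name} -> {ident.domain}"


if __name__ == "__main__":
    for name in ("alice", "alice@win.mydomain", "alice@mydomain", "alice@student.mydomain"):
        print(f"{name:24} before: {outcome(name, SUFFIXES_BEFORE):36} after: {outcome(name, SUFFIXES_AFTER)}")
```

The bare "username" and "username@win.mydomain" forms succeed with either map, which matches the behaviour reported in the question; "username@mydomain" only resolves once the alternate suffix is present, which is the change the reply recommends making on the AD side before rejoining ISE.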

  • Web Analyzer - ability to access external data sources?

    Documentation on help.sap.com for the 2004s Web Analyzer notes it can render queries, query views, infoproviders, and external data sources for ad-hoc analysis in the standardized reporting template.
    Can anyone clarify exactly what constitutes external data?  To my knowledge, I didn't think it was possible to report on something outside of the BI instance (let's say an Oracle table on another server, for example).
    Thanks in advance for your help.

    Hi Scott,
    in the Web Analyzer you can use external OLAP data sources (ODBO or XMLA). Relational data sources are not supported in NW2004s.
    You can set this up in the portal system landscape.
    Please have a look on
    http://help.sap.com/saphelp_nw2004s/helpdata/de/8e/020597f9b4486492e69283fab424fa/frameset.htm
    Depending on the data source different capabilities are supported, so that some options are only available when you are using the BI OLAP Processor and won't be supported when using external data sources.
    Heike

  • BAM external data source

    We have around 400k records on which we want to build reports and in our initial approach we are planning to store the data in external tables and use external data source. For POC we created external tables and data source with around 55k records and some basic reports which used sum to group the data. For some reason this report won't load and we don't see any exceptions in the logs. In database session we can see the query it's executing and when we run the same query from sql plus, it returns data within less than 1sec. So we are unsure what the issue could be.
    We are looking for some pointers on what should we look for and how we can resolve this issue. Also if there is any way to specify jdbc connection pool properties.
    Thank you

    BAM is not for reporting purposes. It is ONLY for dashboard purposes. BAM itself has a few overheads. So the response is not only dependent on query execution.
    Try creating only updating list with no conditions. Check if it is working. then go for complex reports with conditions.
    Regards,
    Vikrant Korde.

  • I have new hard drive in macbook pro(08) and have SATA cable with external power source to old hard drive (10.5.8)via. USB port and newer drive(10.6.8) will not recognize older drive..Do I need to partition newer drive with older disk to recover data?

    I have new HD 750GB Hybrid in 2008 Macbook Pro 17" w/ Snow Leopard 10.6.8  connected to old Hard drive(250GB that had 10.5.8 on it at time of failure) via SATA cable to USB port with external power source.. Computer not acknowledging old HD at all in Disk Utility or otherwise (that I'm aware of)..Do I need to partition New HD and load old(10.5.8) onto partition to recognize older drive for data recovery? Thanks Wayno08

    You do not need to load 10.5.8 onto your new drive in order for a 10.6.8 system to see the contents of a 10.5.8 system.
    You might want to check out the hard drive troubleshooting book in the downloads section of this web site:
    http://scsc-online.com
    They also sell a product named Phoenix that can do OS extraction  and volume copying/cloning, but to be honest I don't know if it's appropriate in this case.
    I would suggest the following:
    Open up Terminal.app (under Utilities) and type "diskutil list" without the quotes. This is the command line version of Disk Utility. If the external drive doesn't show up at all, then it's likely not connected properly, not getting power, or just plain dead. If it shows up with only a device name like disk0s16 but no volume it means the drive is seen, the OS just can't make sense of it.
    Assuming the drive shows up, I would try to boot off the original install disks for the system and run Disk Utility from that. I'm assuming the drive will show up. You'll want to select the option to repair the drive and then perform the option to repair the permissions.
    If the unit isn't showing up, as per step 1, try a different USB port. More importantly with your unit, try it on another side of the unit if possible. If you read the book I referenced above, some of those units have I/O boards that are separated from the logic board. If the cable from the logic board to the I/O card goes bad or has problems, which isn't all that uncommon, some or all of the ports on the I/O card may appear to be bad as well. If you use a USB port on another side, it would be routing out of a completely different I/O path, so that's a potential problem.
    If the drive is only seen with a device name such as disk0s16, it's likely the index files are corrupt beyond Disk Utility's ability to see them. The only thing that I think would help would be a product named Disk Warrior, but I can't guarantee that.
    Disk Warrior can be found at:
    http://www.alsoft.com/diskwarrior/
    The company that I linked in the first link above also makes a product named Scannerz that does HD and system testing. The Scannerz/Disk Warrior combination make a good pair because they complement each other: Scannerz does what Disk Warrior can't and Disk Warrior does what Scannerz can't. However, at this point I'm not too sure getting a tool like Scannerz would be of much use because it sounds like the damage has already been done.
    Let us know what happens.

  • Is LDAP or AD as a external identity store recommended in ISE implementation for machine authentication

    Hi Experts,
    I have question about External identity store integration in ISE . I had chance to go through the cisco doc for ISE configuration especially for external identity store .
    there are two ways to configure external identity store.
    1) AD
    2) LDAP
    Which one is actually recommended? Technically, which one would be convenient to configure to set up machine authentication? Do we have any limitation in terms of functionality in either one?

    Hi Leo,
    it's not a duplicate post. I have created one more post, which you have linked, that is for client policy enforcement. I want to understand how certificates will be pushed to the client.
    This post is to understand the LDAP & AD integration with ISE.
    I have a requirement where the client is asking to integrate the machine database using LDAP.
    I am quite new to LDAP integration, which is the reason I have created this discussion.

  • External data sources and ODBC

    Does Numbers 2009 support connecting to external data sources such as MySQL via ODBC?

    NO.
    Yvan KOENIG (VALLAURIS, France) Thursday 10 February 2011 17:31:31

  • Ask the Expert: Cisco BYOD Wireless Solution: ISE and WLC Integration

    With Jacob Ideji, Richard Hamby and Raphael Ohaemenyi
    Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about the new Identity Solutions Engine (ISE) and Wireless LAN Controller (WLC) hardware/software, integration, features, specifications, client details, or just questions about Cisco's Bring-your-own device (BYOD) solution with Cisco experts Richard Hamby, Jacob Ideji, and Raphael Ohaemenyi. The interest in BYOD (Bring Your Own Device) solutions in the enterprise has grown exponentially as guests and company users increasingly desire to use personal devices to access. Cisco BYOD enhances user experience and productivity while providing security, ease-of-administration, and performance. The heart of the Cisco wireless BYOD solution is Identity Solutions Engine (ISE) utilizing the Cisco Unified Wireless portfolio. Starting with ISE v1.1.1MR and WLC (Wireless LAN Controller) code v7.2.110.0 and higher, end-to-end wireless BYOD integration is reality.
    Jacob Ideji is the technical team lead in the Cisco authentication, authorization and accounting (AAA) security team in Richardson, Texas. During his four years of experience at Cisco he has worked with Cisco VPN products, Cisco Network Admission Control (NAC) Appliance, Cisco Secure Access Control Server, and Dot1x technology as well as the current Cisco Identity Services Engine. He has a total of more than 12 years experience in the networking industry. Ideji holds CCNA, CCNP, CCSP, CCDA, CCDP, and CISM certifications from Cisco plus other industry certifications.
    Richard Hamby  works on the Cisco BYOD Plan, Design, Implement (PDI) Help Desk for Borderless Networks, where he is the subject matter expert on wireless, supporting partners in the deployment of Cisco Unified Wireless and Identity Services Engine solutions. Prior to his current position, Hamby was a customer support engineer with the Cisco Technical Assistance Center for 3 years on the authentication, authorization, accounting (AAA) and wireless technology teams. 
    Raphael Ohaemenyi is a customer support engineer with the authentication, authorization and accounting (AAA) team in the Technical Assistance Center in Richardson, Texas, where he supports Cisco customers in identity management technologies. His areas of expertise include Cisco Access Control Server, Cisco Network Admission Control (NAC) Appliance, Cisco Identity Services Engine, and IEEE 802.1X technologies. He has been at Cisco for more than 2 years and has worked in the networking industry for 8 years. He holds CCNP, CCDP, and CCSP certification.
    Remember to use the rating system to let Jacob, Richard and Raphael know if you have received an adequate response.  
    Jacob, Richard and Raphael might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the wireless mobility sub community forum shortly after the event. This event lasts through Oct 5th, 2012. Visit this forum often to view responses to your questions and the questions of other community members.

    OOPS !!
    I will repost the whole message with the correct external URLs:
    In general, the TrustSec design and deployment guides address the specific support for the various features of the 'whole' Cisco TS (and other security) solution frameworks. And then a drill-down (usually the proper links are embedded) to the specific feature, and then that feature on a given device. TS 2.1 defines the use of ISE or ACS5 as the policy server, and configuration examples for the platforms will include and refer to them.
    TrustSec Home Page
    http://www.cisco.com/en/US/netsol/ns1051/index.html
    http://www.cisco.com/en/US/solutions/collateral/ns170/ns896/ns1051/product_bulletin_c25-712066.html
    http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5712/ps11637/ps11195/at_a_glance_c45-654884.pdf
    I find this page very helpful as a top-level start to what features and capabilities exist per device:
    http://www.cisco.com/en/US/solutions/ns170/ns896/ns1051/trustsec_matrix.html
    The TS 2.1 Design Guides
    http://www.cisco.com/en/US/solutions/ns340/ns414/ns742/ns744/landing_DesignZone_TrustSec.html
    DesignZone has some updated docs as well
    http://www.cisco.com/en/US/netsol/ns982/networking_solutions_program_home.html#~bng
    As the SGT functionality (at this point) is really more of a router/LAN/client solution, the most detailed information will be in the IOS TS guides like:
    http://www.cisco.com/en/US/docs/switches/datacenter/sw/6_x/nx-os/security/configuration/guide/b_Cisco_Nexus_7000_NX-OS_Security_Configuration_Guide__Release_6.x.html
    http://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_cts/configuration/xe-3s/asr1000/sec-usr-cts-xe-3s-asr1000-book.html
    http://www.cisco.com/en/US/docs/switches/lan/trustsec/configuration/guide/trustsec.html

  • ISE and Citrix Netscaler for LB

    I'm working on a solution where we have NetScaler load balancers distributing RADIUS requests from the NADs to respective PSNs. Authentication works and redirect URLs work etc. The challenge we're having is with EAP-TLS sessions. The user gets a provisioned certificate and chain that checks out on the endpoint fine. When the user tries to connect with the device we see EAP timeouts from the ISE session to the supplicant. Each PSN has the internal identity cert configured for EAP authentication that has been configured from the same internal CA within the customer's PKI.
    Has anyone configured a NetScaler for use with ISE and, besides the general guidelines below, are there more specific things that need to be done to make this work with Citrix NetScalers?
    Load Balancing guidelines.
    No NAT.
    Each PSN must be reachable by the PAN / MNT directly, without having to go through NAT (Routed mode LB, not NAT).
    Each PSN must also be reachable directly from the client network for redirections (CWA, Posture, etc…)
    Perform sticky (aka: persistence) based on Calling-Station-ID and Framed-IP-address
    Session-ID is recommended if load balancer is capable (ACE is not).
    VIP for PSNs gets listed as the RADIUS server on each NAD for all RADIUS AAA.
    Each PSN gets listed individually in the NAD CoA list by real IP address (not VIP).
    If you "Server NAT" the PSN-initiated CoA traffic, then you can list a single VIP in the NAD CoA list.
    Load Balancers get listed as NADs in ISE so their test authentications may be answered.
    ISE uses the Layer 3 address to identify the NAD, not the NAS-IP-Address in the RADIUS packet. This is a primary reason to avoid Source NAT (SNAT) for traffic sent to VIP.
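Two of the guidelines above (persistence on Calling-Station-ID plus Framed-IP-Address, and NAD identification by Layer 3 source address rather than NAS-IP-Address) are shown here in a small, added example that is not part of the post or of any Cisco or Citrix software: a minimal RADIUS Access-Request builder and parser that derives the sticky key, and a NAD lookup keyed on the packet's source address so the effect of source NAT is visible. All addresses, MACs, names and the NAD table are constructed; the authenticator is a fixed dummy.

```python
"""RADIUS persistence key and NAD identification behind a load balancer (constructed)."""
import ipaddress
import struct
from typing import Dict, List, Mapping, Tuple

# Standard RADIUS attribute types (RFC 2865)
USER_NAME, NAS_IP_ADDRESS, FRAMED_IP_ADDRESS, CALLING_STATION_ID = 1, 4, 8, 31
ACCESS_REQUEST = 1
HEADER_LEN = 20


def build_access_request(ident: int, attrs: List[Tuple[int, bytes]]) -> bytes:
    """Serialise an Access-Request; the authenticator is a fixed dummy here."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    authenticator = bytes(range(16))          # constructed, not random
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, HEADER_LEN + len(body))
    return header + authenticator + body


def parse_radius(packet: bytes) -> Tuple[int, int, Dict[int, List[bytes]]]:
    """Parse the header and attribute TLVs with strict length checks."""
    if len(packet) < HEADER_LEN:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < HEADER_LEN or length > len(packet):
        raise ValueError("declared length inconsistent with packet")
    attrs: Dict[int, List[bytes]] = {}
    pos = HEADER_LEN
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"bad length {alen} for attribute {atype}")
        attrs.setdefault(atype, []).append(packet[pos + 2:pos + alen])
        pos += alen
    return code, ident, attrs


def persistence_key(attrs: Mapping[int, List[bytes]]) -> str:
    """Sticky key: Calling-Station-Id plus Framed-IP-Address, as recommended above."""
    mac = attrs.get(CALLING_STATION_ID, [b""])[0].decode("ascii", "replace") or "-"
    framed = attrs.get(FRAMED_IP_ADDRESS, [b""])[0]
    ip = str(ipaddress.IPv4Address(framed)) if len(framed) == 4 else "-"
    return f"{mac}|{ip}"


def identify_nad(source_ip: str, nads: Mapping[str, str]) -> str:
    """Match the NAD on the packet's Layer 3 source, not on NAS-IP-Address."""
    return nads.get(source_ip, "unknown-NAD")


# Constructed deployment: one access switch and the load balancer, both defined as NADs.
NADS = {"10.1.1.10": "access-switch-1", "10.9.9.9": "netscaler-vip"}

# Constructed request as the switch would send it.
SAMPLE = build_access_request(7, [
    (USER_NAME, b"jdoe"),
    (NAS_IP_ADDRESS, ipaddress.IPv4Address("10.1.1.10").packed),
    (FRAMED_IP_ADDRESS, ipaddress.IPv4Address("10.20.30.40").packed),
    (CALLING_STATION_ID, b"00-11-22-33-44-55"),
])


def classify(packet: bytes, source_ip: str) -> Dict[str, str]:
    """What a PSN sees for one forwarded request arriving from source_ip."""
    _, _, attrs = parse_radius(packet)
    nas_ip = str(ipaddress.IPv4Address(attrs[NAS_IP_ADDRESS][0]))
    return {"sticky": persistence_key(attrs),
            "nas_ip_attr": nas_ip,
            "nad": identify_nad(source_ip, NADS)}


if __name__ == "__main__":
    print("routed mode:", classify(SAMPLE, "10.1.1.10"))   # NAD = the switch
    print("source NAT :", classify(SAMPLE, "10.9.9.9"))    # NAD = the load balancer
```

With the same packet, the routed-mode call resolves the NAD to the switch, while the source-NAT call resolves it to the load balancer even though NAS-IP-Address still names the switch; that mismatch is why the guidelines avoid SNAT towards the VIP and why CoA entries on the NAD must point at the real PSN addresses.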

    Does anyone have a working configuration for this?  I'm getting successful authentications from the supplicant, but CoA fails. When I perform a CoA I get two of each of the following messages:
    1) Event & Failure reason "5436 RADIUS packet already in the process"
    then
    2) Event "5417 Dynamic Authorization failed" / Failure reason "11215 No response has been received from Dynamic Authorization Client in ISE"
    The policy nodes are not physically located behind the NetScaler, so I have them pointing to the NetScaler as the default GW.  I'm not sure if we have the policy on the NS configured correctly though, because I had to add the NetScaler as a Network Device and I was under the impression that the switch and PSN should continue to talk directly to each other.
    Any help would be greatly appreciated!
    Cheers!
    Ken
