ISE and RSA token groups

We have a wireless network using ISE and RSA to do the authentication. There are two groups of RSA token users, one with usernames Axxxx, the other Bxxxx.
Now we are trying to differentiate the authentication for the two groups: one permit, the other deny.
I am wondering whether ISE can do this or not.
Thanks,
Han

ISE 1.2 should work with RSA 8.1. Please do try it in a lab setup; would probably qualify it as part of ISE 1.3.

Similar Messages

  • Is ASA integration with ISE and RSA for 2 factor authentication a valid/tested design

    Hi,
    Customer currently uses ASA to directly integrate with an RSA kind of solution to provide a 2 factor authentication mechanism for VPN user access. We're considering introducing ISE to this picture, and offloading posture analysis from ASA to ISE. The flow we're thinking of is to have ASA interface to ISE and ISE interface to the RSA and AD backend infrastructure. We still need the 2 factor authentication to work, i.e., the customer gets an SMS code in addition to the login username and password. I'm wondering if an ASA/ISE/RSA/AD integrated solution (with 2 factor authentication working) is a tested solution or Cisco validated design? Any potential issues that may break the flow?
    Thanks in advance for any input!
    Tina

    Hi,
    I have an update for this quite broad question.
    I have now come a bit further on the path.
    Now the needed RADIUS access attributes are available in ISE after adding them in
    "Policy Elements" -> "Dictionaries" -> "System" -> "Radius" -> "Cisco-VPN3000".
    I added both the attribute 146 Tunnel-Group-Name, which I really need to achieve what I want (select different OTP backends depending on Tunnel Group in ASA), and the other new attribute 150 Client-Type, which could be interesting to look at as well.
    Here the "Diagnostics Tools" -> "General Tools" -> "TCP Dump" and Wireshark helped me understand how this worked.
    With that I could really see the attributes in the RADIUS access requests going in to the ASA.
    Now looking at a request in "Radius Authentication details" I have
    Other Attributes:
    ConfigVersionId=29,Device Port=1025,DestinationPort=1812,RadiusPacketType=AccessRequest,Protocol=Radius,CVPN3000/ASA/PIX7.x-Tunnel-Group-Name=SMHI-TG-RA-ISESMS,CVPN3000/ASA/PIX7.x-Client-Type=,CPMSessionID=ac100865000006294FD60A7F,.....
    OK, the tunnel group name attribute seems to be understood correctly, but Client-Type just says =, no value for that.
    That is strange, I must have defined that wrong(?), but let's leave that for now, I do not really need it for the moment being.
    So now when I have this Tunnel-Group-Name attribute available I want to use it in my Rule-Based Authentication Policy.
    Problem now is that as soon as I in an expression add a criterion containing Cisco-VPN3000:CVPN3000/ASA/PIX7.x-Tunnel-Group-Name matches .* (just anything), then that row does not match any more. It still works matching against NAS-IP and other attributes.
    What could it be I have missed?
    Best regards
    /Mattias

  • ACS 4.0 and RSA Token Server problem

    Hi,
    We are having a problem trying to get ACS 4.0 for Windows to authenticate wireless users on an RSA Token server.
    Our Cisco 1200 series AP is configured for WPA2 and LEAP authentication. It points at the ACS server for RADIUS authentication. Now this works fine for users with a static password defined on the ACS internal database. However, for obvious security reasons, we'd like the authentication passed to our internal RSA server.
    I have installed the RSA Agent on the same server as the ACS along (after adding the generated sdconf.rec file to the System32 folder). The RSA server has been added to the ACS external databases and a user configured to use the RSA Token server for password.
    When we try to authenticate, the ACS fails the attempt with reason "External DB password invalid". The same user can successfully authenticate when using the RSA test authentication tool which is installed on the ACS server as part of the RSA Agent software.
    After running some debugs on a PIX in front of the servers, I can see traffic to/from the servers when using the test tool (which works), however it looks like ACS doesn't even send traffic to the RSA server when authenticating.
    Any help or advice appreciated.
    Thanks

    Hi,
    The token servers only support PAP. Please make sure that the requests are going to the RSA in PAP.
    The following link talks about the same.
    http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs40/user/o.htm#wp824733
    Regards,
    ~JG

  • LEAP, ACS and RSA token Card

    Hello,
    Is it possible to use LEAP with RSA Token Card to authenticate WLAN users in addition with ACS?
    Best Regards,

    You can use RSA SecurID with PEAP only. You will need ACS 3.2 at least with ACU 6.3/ ADU 1.0.
    I have it working with limited functionality

  • ISE and RSA

    I am trying to get ISE to work with RSA. I have followed this link and got the gist of how to get it working.
    http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_man_id_stores.html
    I did however get lost trying to tell the folks who run the RSA what the Agent Host Settings need to be to work with ISE. They need info for the screen below. Anyone done this before? We are doing a distributed deployment with 2 PSN nodes and 2 Admin nodes.

    ISE 1.2 should work with RSA 8.1. Please do try it in a lab setup; would probably qualify it as part of ISE 1.3.

  • Is it possible to map a Sponsor Group in Cisco ISE to a user group in Active Directory, through a RADIUS server?

    Hi!!
    We are working on a mapping between a Sponsor Group in Cisco ISE and a user group in Active Directory....but the client wants the mapping to be through a RADIUS SERVER, for avoiding ISE querying directly the Active Directory.
    I know it is possible to use a RADIUS SERVER as an external identity source for ISE.....but, is it possible to use this RADIUS SERVER for this sponsor group handling?
    Thanks and regards!!

    Yes, it is possible to map a Sponsor group to a user group in AD, and if you want to know how to do it, please open the link below and go to the Mapping Active Directory Groups to Sponsor Groups heading.
    http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_guest_pol.html#wp1096365

  • ISE and Node Groups

    Hi,
    Does anyone know if node groups are purely for policy server nodes behind a load balancer such as ACE? If you have a pair of policy server nodes at a site with no load balancer, and both nodes configured in all NASes, can these be in a node group?
    Does anyone know if you can use a load balanced set of policy nodes with LWA and WLC? There has to be affinity between the portal ISE and the AAA ISE configured in the WLC; these would be two different sessions, one RADIUS and one HTTP, so the ACE would not be able to distinguish.
    Thanks.
    Gary

    Hi Pon -
    Do you mean groups of users or group of pages?
    If you mean groups of users, you can create your sub-groups as a regular groups, and then when assigning users to your Main Finance group ... add the 2 groups which are your subGroups.
    If you are talking about the Portal Page Group structure, you cannot nest page groups, but you can create pages and subpages.
    Hope this helps,
    Candace

  • Cisco ISE and AD group

    Hi, I have a problem
    I set up ISE, joined it to AD, got the group name from AD, and added it to ISE as an external identity group. Then I made a simple authentication policy rule which says, if protocol is RADIUS then use the AD1 store.
    After this I created an authorization policy rule, and it says that if external group from AD then permit access.
    And now when I try to connect via ASA, using the AnyConnect client, my authentication log says that I choose the default authorization rule. Seems like ISE does not check my username for external group membership.
    Why does this happen?
    Thanks

    Hi,
    The issue is with your Authorization Policy, you have configured an internal identity group.
    You need to change this and point to your AD group. If you have retrieved the group from AD in the Groups settings under the AD settings, then you should be able to look for the condition by dropping down the "Attributes", selecting AD ExternalGroups followed by your group.
    Thanks,
    Tarik Admani
    *Please rate helpful posts*

  • Integration of Cisco ACS SE 4.2 and RSA SecurID Token Server

    Hi,
    I would very much appreciate it if anyone can share their experience. Thanks in advance.
    Issue:
    I am trying to configure the ACS SE 4.2 to authenticate using RSA SecurID Token Server.
    Problems encountered:
    Authentication failed. In the failed logged attempt the error "External Database not operational" was next to the login name.
    In the auth.log, there was "External DB [SecurID.dll]: aceclnt.dll callback returned error [23]".
    Questions:
    1. Please kindly advise how I should resolve this problem.
    2. Also, is there any success message once ACS gets the sdconf.rec? Will the "Purge Node Secret" button be enabled?
    Troubleshooting steps I have done:
    Below are the steps I took to set up the external DB.
    1. Verified sdconf.rec is not a garbage file using the Test authentication function in RSA client.
    2. FTP sdconf.rec in the external database configuration. (Had used Wireshark and confirmed the file transferred successfully.)
    3. Defined unknown user policy to check RSA SecurID Token Server to authenticate.
    Thank you.

    I have NO experience with ACS SE 4.2 and
    RSA SecurID Token Server BUT I have
    experiences with Cisco ACS 4.1 running on
    Windows 2003 SP2 Enterprise Edition and
    RSA SecurID Token Server.
    All the troubleshooting you've done is correct.
    In Windows 2003 running Cisco ACS, you can
    install the test authentication RSA client
    and that you can verify that the setup
    is correct (by verifying that the sdconf.rec
    is not corrupted).
    One thing I can think of is that when you
    setup the ACS SE box, under external
    database, configure unknown user policy,
    did you check it to tell how to define users
    when they are not found in the ACS internal
    database. Did you select RSA SecurID token
    server?
    Other than that, from what I understand,
    you've done everything correctly.

  • ACS for 802.1x Authentication using RSA Tokens and Microsoft PEAP

    Has anyone been able to configure 802.1x authentication on Windows XP machines using RSA tokens using Cisco ACS as the RADIUS server?
    I have come up with a bunch of incompatibilities between the offered support, e.g.
    1. Microsoft PEAP does not support anything but smartcard/certificate or MSCHAP2.
    2. Cisco supports PEAP and inside it MSCHAP2 or EAP-GTC.
    We tried using the RSA provided EAP client, both the EAP security and EAP-OTP options within Microsoft PEAP, but ACS rejects that as "EAP type not configured".
    I know it works with third party EAP software like Juniper Odyssey client and the Cisco Aegis Client but we need to make it work with the native Windows XP EAP client.

    Hi,
    We have tried to do the exact same setup as you and we also failed.
    When we tried to authenticate the user with PEAP-MSCHAPv2 (WinXP native) ACS gives "external DB password invalid", and does not even try (!) to send the login to the RSA server. No traffic is seen between RSA and ACS.
    MS-PEAP relies on hashing the password with MS-CHAPv2 encoding. This is not reversible. RSA, on the other hand, does not require hashing of the password due to the one time nature of it. So they (RSA) don't.
    When we authenticate using e.g. a 3rd party Dell-client, we can successfully authenticate using either PEAP-GTC (Cisco peap), EAP-FAST and EAP-FAST-GTC.
    A list with EAP protocols supported by the RSA is attached.
    Also below is the link which says that MS-PEAP is NOT supported with the RSA, please check the table "EAP Authentication Protocol and User Database Compatibility".
    http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs33/user/o.htm#wp792699
    What we are trying to do now in the project is leaving the AP authentication open and try to authenticate it using RADIUS through a firewall or Cisco router authentication proxy.

  • Router login with RSA token

    Is there any way to secure the login process of a router using an RSA token?
    And how do I do that?
    Thank you!
    Regards.

    You can set the router to authenticate with TACACS or with Radius and then set up the authentication server to use RSA server as the authentication processor (an external authentication to the TACACS or Radius server).
    So the configuration of the router is pretty straightforward:
    aaa authentication login default group tacacs+ line
    aaa authentication enable default group tacacs+ enable
    The more unusual part is the configuration of the TACACS server to send authentication requests to RSA.
    HTH
    Rick

  • CoA issues between ISE and 3750x

    We are having an issue using the Cisco ISE 1.1.2 and a 3750x (Version 12.2(58)SE2).
    When the RADIUS server sends a reauthentication CoA message to the switch, the switch responds with a 'session context not found' reply. I have upgraded the code to the latest levels on both the ISE and switch and still have the same results.
    This reauthenticate is needed after the NAC profiler determines the PC is compliant. I am receiving the compliant message from the PC and switch, but because the switch never reauthenticates the client after the CoA request, the client is never granted full access.
    I am not sure if the RADIUS server is sending the wrong session ID, or if the switch is looking at it wrong.
    Please help!
    -Debug --
    Log Buffer (10000 bytes):
    Feb 28 19:34:21.940 UTC: RADIUS: COA  received from id 38 10.122.1.82:40171, CoA Request, len 140
    Feb 28 19:34:21.940 UTC: COA: 10.122.1.82 request queued
    Feb 28 19:34:21.940 UTC: RADIUS:  authenticator 62 6B 15 C9 C7 A5 CA 88 - 4F B2 EE 4C A0 3D 9F 50
    Feb 28 19:34:21.948 UTC: RADIUS:  NAS-IP-Address      [4]   6   10.122.1.66
    Feb 28 19:34:21.948 UTC: RADIUS:  Event-Timestamp     [55]  6   1362080061
    Feb 28 19:34:21.948 UTC: RADIUS:  Message-Authenticato[80]  18
    Feb 28 19:34:21.948 UTC: RADIUS:   BC B3 BA 2A 11 BD 63 0B 22 7E 82 AA C2 A5 F7 C4              [ *c"~]
    Feb 28 19:34:21.948 UTC: RADIUS:  Vendor, Cisco       [26]  41
    Feb 28 19:34:21.948 UTC: RADIUS:   Cisco AVpair       [1]   35  "subscriber:command=reauthenticate"
    Feb 28 19:34:21.948 UTC: RADIUS:  Vendor, Cisco       [26]  49
    Feb 28 19:34:21.948 UTC: RADIUS:   Cisco AVpair       [1]   43  "audit-session-id=0A7A014200000272048AF0F1"
    Feb 28 19:34:21.948 UTC: COA: Message Authenticator decode passed
    Feb 28 19:34:21.948 UTC:  ++++++ CoA Attribute List ++++++
    Feb 28 19:34:21.948 UTC: 07353140 0 00000001 nas-ip-address(585) 4 10.122.1.66
    Feb 28 19:34:21.948 UTC: 0735375C 0 00000001 Event-Timestamp(430) 4 1362080061(512FB13D)
    Feb 28 19:34:21.948 UTC: 0735376C 0 00000009 audit-session-id(794) 24 0A7A014200000272048AF0F1
    Feb 28 19:34:21.948 UTC: 0735377C 0 00000009 ssg-command-code(475) 1 32
    Feb 28 19:34:21.948 UTC:
    Feb 28 19:34:21.957 UTC: AUTH-EVENT: auth_mgr_ch_search_record - Search record in IDC db failed
    Feb 28 19:34:21.957 UTC: RADIUS/ENCODE(00000000):Orig. component type = Invalid
    Feb 28 19:34:21.957 UTC: RADIUS(00000000): sending
    Feb 28 19:34:21.957 UTC: RADIUS(00000000): Send CoA Nack Response to 10.122.1.82:40171 id 38, len 62
    Feb 28 19:34:21.957 UTC: RADIUS:  authenticator DF 18 2F 59 21 4F 84 E1 - 61 B8 43 B8 01 C5 58 B4
    Feb 28 19:34:21.957 UTC: RADIUS:  Reply-Message       [18]  18
    Feb 28 19:34:21.957 UTC: RADIUS:   4E 6F 20 76 61 6C 69 64 20 53 65 73 73 69 6F 6E  [ No valid Session]
    Feb 28 19:34:21.957 UTC: RADIUS:  Dynamic-Author-Error[101] 6   Session Context Not Found [503]
    Feb 28 19:34:21.957 UTC: RADIUS:  Message-Authenticato[80]  18
    Feb 28 19:34:21.957 UTC: RADIUS:   30 C9 AE 52 80 2E A2 54 FF F3 4B C7 28 31 A9 61          [ 0R.TK(1a]
    ESWHQFL02-S#
    ESWHQFL02-S#
    -- Switch Config -
    aaa authentication login default group tacacs+ local-case
    aaa authentication login local_login local
    aaa authentication enable default group tacacs+ enable
    aaa authentication dot1x default group radius
    aaa authorization exec default group tacacs+ local
    aaa authorization commands 5 default group tacacs+ local
    aaa authorization commands 15 default group tacacs+ local
    aaa authorization network default group radius
    aaa authorization network auth-list group DOT1X
    aaa accounting dot1x default start-stop group radius
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 5 default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    aaa accounting network default start-stop group tacacs+
    aaa server radius dynamic-author
    client 10.122.1.82 server-key 7 14141B180F0B
    client 10.122.1.80 server-key 7 045802150C2E
    aaa session-id common
    radius-server attribute 6 on-for-login-auth
    radius-server attribute 6 support-multiple
    radius-server attribute 8 include-in-access-req
    radius-server host 10.122.1.82 auth-port 1812 acct-port 1813 key 7 13061E010803
    radius-server host 10.122.1.80 auth-port 1812 acct-port 1813 key 7 104D000A0618
    radius-server deadtime 5
    radius-server key 7 030752180500
    radius-server vsa send accounting
    radius-server vsa send authentication

    As per the Cisco recommendation, IOSv12.2(52)SE is suitable for the Catalyst 3750-X and will support all the features without any issues, like MAB, 802.1X, CWA, LWA, CoA, VLAN, DACL, SAG, as mentioned in the link below:
    http://www.cisco.com/en/US/docs/security/ise/1.1.1/compatibility/ise_sdt.html
    I see you are using IOSv12.2(58)SE2, which is not recommended. So you can downgrade to IOSv12.2(52)SE, which will solve your issues.

  • Cisco ISE and SecurID Integration Questions

    I'm looking for some clarity trying to understand something conceptually. I want to integrate Cisco ISE with RSA SecurID, the idea being that if the user authenticates with RSA SecurID they end up on one VLAN, however, if they don't authenticate with (or don't use, or don't have) SecurID they'll end up on another VLAN. Note that I'm not using SecurID for wireless access...all PCs are wired to Ethernet.
    We have been using RSA SecurID for a while and are currently on version 8.0. Our users are authenticating via the RSA Agent typically on Windows 8.1. Instead of the usual Windows login prompt, the RSA Agent first prompts for the username and passcode (they use an app on their smartphones to get the passcode), then after a moment or two, it prompts for their Windows domain password.
    We have recently installed Cisco ISE version 1.3. With the help of a local Cisco engineer and going through the "Cisco Identity Services Engine User Guide", I have it set up and running along with a few 'test' ports on our Cisco 6809 switch, it basically works...as a test it's simply set up that if they authenticate they're on one VLAN, if not, they end up on another (this is currently without using RSA...just out-of-the-box Windows authentication).
    The Cisco engineer was unable to help me with RSA SecurID, so pressing on without him, out of the same user guide I have followed the directions for "RSA Identity Sources" under the "Managing Users and External Identity Sources", and that went well as far as ISE is concerned; I am now ready to get serious about getting ISE and SecurID working together.
    My mistake in this design so far was assuming that the RSA agent on the Windows client PCs would communicate with Cisco ISE...there doesn't seem to be a way to have them point to a non-RSA SecurID server for authentication. The concept I'm missing is what, or how, the end-user machine is supposed to authenticate taking advantage of both ISE and SecurID.
    I have dug deeper into the Cisco ISE documentation but it seems heavily biased towards Wi-Fi and BYOD implementations and it's not clear to me what applies to wired vs wireless. Perhaps it's a case that I'm not seeing the forest for the trees, but I'm not understanding what the end-user authentication looks like. It appears that as I learn more about ISE, it should become the primary SSO source, that SecurID becomes just an identity source and the PC clients would no longer directly communicate with the SecurID servers. That being the case, do I need to replace the SecurID client on the PCs and something else Cisco-ish fills this role? An agent for ISE? How do they continue to use their passcode without the RSA agent?
    Thanks!

    The "external DB not operational" error indicates that there is no communication between ACS and RSA. Did you fetch the package.cab file to analyse the auth.log file?
    Have you already gone through the link listed below?
    http://www.security-solutions.co.za/cisco-CSACS-1113-SE-4.2-RSA-Authentication-Manager-Integration-Configuration-Example.html
    Regards,
    Jatin Katyal
    - Do rate helpful posts -

  • CWA with ISE and 5760

    Hi,
    We have an ISE 1.2 (Patch 5) and two 5760 Controllers (3.3), one acting as Primary Controller (named WC7) for the APs and the other as Guest Anchor (named WC5).
    I have trouble with the CWA. The guest is redirected and enters the correct credentials. After that, the CoA fails with error-cause(272) 4 Session Context Not Found. I have no idea why....
    aaa authentication login Webauth_ISE group ISE
    aaa authorization network cwa_macfilter group ISE
    aaa authorization network Webauth_ISE group ISE
    aaa accounting network ISE start-stop group ISE
    aaa server radius dynamic-author
    client 10.232.127.13 server-key 0 blabla
    auth-type any
    radius-server attribute 6 on-for-login-auth
    radius-server attribute 31 send nas-port-detail mac-only
    wlan test4guests 18 test4guests
    aaa-override
    accounting-list ISE
    client vlan 1605
    no exclusionlist
    mac-filtering cwa_macfilter
    mobility anchor
    nac
    no security wpa
    no security wpa akm dot1x
    no security wpa wpa2
    no security wpa wpa2 ciphers aes
    security dot1x authentication-list Webauth_ISE
    no shutdown
    wc5# debug aaa coa
    Feb 27 12:19:08.444: COA: 10.232.127.13 request queued
    Feb 27 12:19:08.444: RADIUS:  authenticator CC 33 26 77 56 96 30 58 - BC 99 F3 1A 3C 61 DC F4
    Feb 27 12:19:08.444: RADIUS:  NAS-IP-Address      [4]   6   10.232.127.11
    Feb 27 12:19:08.444: RADIUS:  Calling-Station-Id  [31]  14  "40f308c3c53d"
    Feb 27 12:19:08.444: RADIUS:  Event-Timestamp     [55]  6   1393503547
    Feb 27 12:19:08.444: RADIUS:  Message-Authenticato[80]  18
    Feb 27 12:19:08.444: RADIUS:   22 F8 CF 1C 61 F3 F9 42 01 E4 36 77 9C 9B CC 56            [ "aB6wV]
    Feb 27 12:19:08.444: RADIUS:  Vendor, Cisco       [26]  41
    Feb 27 12:19:08.444: RADIUS:   Cisco AVpair       [1]   35  "subscriber:command=reauthenticate"
    Feb 27 12:19:08.444: RADIUS:  Vendor, Cisco       [26]  43
    Feb 27 12:19:08.444: RADIUS:   Cisco AVpair       [1]   37  "subscriber:reauthenticate-type=last"
    Feb 27 12:19:08.444: RADIUS:  Vendor, Cisco       [26]  49
    Feb 27 12:19:08.444: RADIUS:   Cisco AVpair       [1]   43  "audit-session-id=0aea2001530f2e1e000003c6"
    Feb 27 12:19:08.444: COA: Message Authenticator decode passed
    Feb 27 12:19:08.444:  ++++++ CoA Attribute List ++++++
    Feb 27 12:19:08.444: 92FB84A0 0 00000001 nas-ip-address(600) 4 10.232.127.11
    Feb 27 12:19:08.444: 92FB87EC 0 00000081 formatted-clid(37) 12 40f308c3c53d
    Feb 27 12:19:08.444: 92FB8820 0 00000001 Event-Timestamp(445) 4 1393503547(530F2D3B)
    Feb 27 12:19:08.444: 92FB8854 0 00000001 reauthenticate-type(756) 4 last
    Feb 27 12:19:08.444: 92FB8888 0 00000081 audit-session-id(819) 24 0aea2001530f2e1e000003c6
    Feb 27 12:19:08.444: 92FB88BC 0 00000081 ssg-command-code(490) 1 32
    Feb 27 12:19:08.444:
    Feb 27 12:19:08.444:  ++++++ Received CoA response Attribute List ++++++
    Feb 27 12:19:08.444: 92FB84A0 0 00000001 nas-ip-address(600) 4 10.232.127.11
    Feb 27 12:19:08.444: 92FB87EC 0 00000081 formatted-clid(37) 12 40f308c3c53d
    Feb 27 12:19:08.444: 92FB8820 0 00000001 Event-Timestamp(445) 4 1393503547(530F2D3B)
    Feb 27 12:19:08.444: 92FB8854 0 00000001 reauthenticate-type(756) 4 last
    Feb 27 12:19:08.444: 92FB8888 0 00000081 audit-session-id(819) 24 0aea2001530f2e1e000003c6
    Feb 27 12:19:08.444: 92FB88BC 0 00000081 ssg-command-code(490) 1 32
    Feb 27 12:19:08.444: 92FB88F0 0 00000002 error-cause(272) 4 Session Context Not Found
    Feb 27 12:19:08.444:
    wc5#

    The reason for this is two bugs which prevent this from working:
    https://tools.cisco.com/bugsearch/bug/CSCul83594
    https://tools.cisco.com/bugsearch/bug/CSCun38344
    This is embarrassing because this is a really common scenario. QA anyone?
    So, with ISE and 5760 CWA is not working at this time. 
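
Both CoA threads above (3750-X and 5760) end in the same NAK, Session Context Not Found. The following Python script is an added example, not code from either post or from Cisco: it pulls the session ID, NAS-IP-Address and error out of either debug style and reports where they disagree. It assumes the first eight hex digits of audit-session-id encode the IPv4 address of the device that created the session, and `known_sessions` is a hypothetical input (session IDs copied from the NAS's own session table).

```python
import ipaddress
import re

# Lines excerpted from the 3750-X and 5760 debug outputs quoted on this page.
SAMPLE_3750X = """\
Feb 28 19:34:21.940 UTC: RADIUS: COA  received from id 38 10.122.1.82:40171, CoA Request, len 140
Feb 28 19:34:21.948 UTC: RADIUS:  NAS-IP-Address      [4]   6   10.122.1.66
Feb 28 19:34:21.948 UTC: RADIUS:   Cisco AVpair       [1]   35  "subscriber:command=reauthenticate"
Feb 28 19:34:21.948 UTC: RADIUS:   Cisco AVpair       [1]   43  "audit-session-id=0A7A014200000272048AF0F1"
Feb 28 19:34:21.957 UTC: RADIUS:  Dynamic-Author-Error[101] 6   Session Context Not Found [503]
"""

SAMPLE_5760 = """\
Feb 27 12:19:08.444: COA: 10.232.127.13 request queued
Feb 27 12:19:08.444: RADIUS:  NAS-IP-Address      [4]   6   10.232.127.11
Feb 27 12:19:08.444: RADIUS:   Cisco AVpair       [1]   35  "subscriber:command=reauthenticate"
Feb 27 12:19:08.444: RADIUS:   Cisco AVpair       [1]   43  "audit-session-id=0aea2001530f2e1e000003c6"
Feb 27 12:19:08.444: 92FB88F0 0 00000002 error-cause(272) 4 Session Context Not Found
"""

# The error appears either in the RADIUS packet dump (Dynamic-Author-Error)
# or in the CoA attribute list (error-cause); accept both styles.
PATTERNS = {
    "nas_ip": re.compile(r"RADIUS:\s+NAS-IP-Address\s+\[4\]\s+\d+\s+(\S+)"),
    "command": re.compile(r'"subscriber:command=([^"]+)"'),
    "session_id": re.compile(r'"audit-session-id=([0-9A-Fa-f]+)"'),
    "error": re.compile(
        r"(?:Dynamic-Author-Error\[101\]\s+\d+|error-cause\(\d+\)\s+\d+)"
        r"\s+(.+?)(?:\s+\[\d+\])?\s*$"
    ),
}


def summarize_coa(debug_text):
    """Return the first value seen for each field in one CoA debug capture."""
    summary = {name: None for name in PATTERNS}
    for line in debug_text.splitlines():
        for name, pattern in PATTERNS.items():
            match = pattern.search(line)
            if match and summary[name] is None:
                summary[name] = match.group(1)
    return summary


def session_id_origin(session_id):
    """Decode the leading 8 hex digits as an IPv4 address (assumption)."""
    return str(ipaddress.IPv4Address(int(session_id[:8], 16)))


def triage(debug_text, known_sessions=None):
    """List what an operator should check for one CoA exchange.

    known_sessions is hypothetical operator input: the session IDs
    currently present in the NAS's own session table.
    """
    s = summarize_coa(debug_text)
    findings = []
    if s["error"]:
        findings.append(f"NAS answered {s['command']} with: {s['error']}")
    sid = s["session_id"]
    if sid and known_sessions is not None:
        if sid.lower() not in {k.lower() for k in known_sessions}:
            findings.append(f"session {sid} is not in the NAS session table")
    if sid and s["nas_ip"] and session_id_origin(sid) != s["nas_ip"]:
        findings.append(
            f"session ID prefix decodes to {session_id_origin(sid)}, "
            f"but the CoA carries NAS-IP-Address {s['nas_ip']}"
        )
    return findings


if __name__ == "__main__":
    for name, text in (("3750-X", SAMPLE_3750X), ("5760", SAMPLE_5760)):
        print(name, triage(text))
```
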

  • ISE and LDAP Integration

    Hello,
    I have a question about the LDAP integration with the ISE:
    Since the ISE has a limitation of reading only 100 groups, I cannot find the groups that I need to use in the authorization, and also the ISE cannot find a group if I search for it directly.
    What I mean here is that I can fetch the first 100 groups from the top of the directory, but when I search, as an example, for any group (appearing on the list or not) the ISE does not find it.
    I even tried to change the base DN and the search DN but without luck.
    The ISE version is 1.1.4 installed on VM and the LDAP schema is AD.
    Is there any missing information/tips required in such integration?

    Hello,
    I found a Cisco doc that provides resolution of Key Features of Integration of Cisco ISE and LDAP. I hope this helps!
    This section contains the following:
    • Directory Service
    • Multiple LDAP Instances
    • Failover
    • LDAP Connection Management
    • User Authentication
    • Authentication Using LDAP
    • Binding Errors
    • User Lookup
    • MAC Address Lookup
    • Group Membership Information Retrieval
    • Attributes Retrieval
    • Certificate Retrieval
    http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_man_id_stores.html#wp1059913
