ISE and SMS integration, how to configure

Hello folks,
I wonder what I have to do in ISE to enable it to send an SMS when activating a new guest account. I believe there must be a corresponding setting to configure an SMS gateway somewhere under Web Portal Management or under Global system settings.

This issue has not been resolved (the %mobilenumber% variable is not inserted into the address %mobilenumber%@domain.net).
We opened a case on this issue, but it is not yet resolved.
But support is working in this direction: problems with subdomains (@sms.domain.net) and the restriction on the number of characters after the @ symbol have already been fixed.
We have resolved this issue as follows: all notifications are sent to the corporate e-mail server (Microsoft Exchange Server), where a rule is configured to process messages sent over the e-mail/SMS gateway (based on the *Destination field in the template "Configure SMS Text Notification"). According to this rule, Microsoft Exchange sends these messages to another server that is running a regular "Microsoft SMTP Service" (for receiving and storing messages in a local folder). The same connector is configured to send messages for @sms.domain.net back to the Microsoft Exchange mail server. A scheduled task launches a PowerShell script that "cuts" the %mobilenumber% variable (previously defined in the template "Configure SMS Text Notification") from the body of the message and inserts it into the address %mobilenumber%@sms.domain.net.
When the problem is resolved, this server will no longer be needed, and SMS messages will be forwarded directly to the e-mail/SMS gateway or to the SMSC.
Sincerely,
Andrey
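
The rewrite step described in the post above, sketched as an added example (it is not the poster's script). The folder paths, the "MSISDN:" marker placed before %mobilenumber% in the template body, the sender address and the subject line are assumptions, and messages are assumed to arrive as plain 7-bit text files.

```powershell
# Added illustration. All paths, the MSISDN: marker, sender and subject are assumed values.
$DropDir   = 'C:\inetpub\mailroot\Drop'      # where the SMTP service stores received mail
$PickupDir = 'C:\inetpub\mailroot\Pickup'    # files moved here are sent by the SMTP service
$StageDir  = 'C:\inetpub\mailroot\Stage'     # hypothetical staging folder on the same volume
$RejectDir = 'C:\inetpub\mailroot\Rejected'  # hypothetical; holds guest credentials, restrict its ACL
$SmsDomain = 'sms.domain.net'
$Sender    = 'ise-guest@domain.net'          # assumed sender address

function Get-MobileNumber {
    param([string]$Body)
    # Accept digits with an optional leading "+", nothing else. A strict pattern keeps
    # CR/LF, commas or a second "@" from the body out of the recipient header.
    $m = [regex]::Match($Body, 'MSISDN:\s*(\+?[0-9]{8,15})(?![0-9])')
    if ($m.Success) { return $m.Groups[1].Value }
    return $null
}

function Convert-ToSmsMessage {
    param([string]$Raw)
    # Headers and body are separated by the first empty line.
    $parts = $Raw -split '\r?\n\r?\n', 2
    if ($parts.Count -lt 2) { return $null }

    $number = Get-MobileNumber -Body $parts[1]
    if (-not $number) { return $null }

    # Remove the marker so the SMS text carries only the notification itself.
    $body = ($parts[1] -replace 'MSISDN:\s*\+?[0-9]+\s*', '').Trim()

    # Build a fresh header block instead of editing the received one, so envelope
    # headers written by the receiving service cannot override the new recipient.
    $headers = @(
        "From: $Sender",
        ('To: {0}@{1}' -f $number, $SmsDomain),
        'Subject: Guest account'
    )
    return ($headers + '' + $body) -join "`r`n"
}

foreach ($dir in $StageDir, $RejectDir) {
    New-Item -ItemType Directory -Force -Path $dir | Out-Null
}

Get-ChildItem -Path $DropDir -Filter *.eml -File | ForEach-Object {
    $raw = Get-Content -LiteralPath $_.FullName -Raw
    $msg = Convert-ToSmsMessage -Raw $raw

    if ($null -eq $msg) {
        # No valid number found: keep the file for review instead of sending it anywhere.
        Move-Item -LiteralPath $_.FullName -Destination $RejectDir -Force
        return
    }

    # Write to the staging folder first and then move, so the SMTP service
    # never picks up a half-written file.
    $staged = Join-Path $StageDir ($_.BaseName + '.eml')
    Set-Content -LiteralPath $staged -Value $msg -Encoding Ascii
    Move-Item -LiteralPath $staged -Destination (Join-Path $PickupDir ($_.BaseName + '.eml'))
    Remove-Item -LiteralPath $_.FullName
}
```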

Similar Messages

  • In dreamweaver mx 2004 and dreamweaver cs4, how I configure, when download/upload do not ask me to include DEPENDED FILES but act without including ?

    in dreamweaver mx 2004 and dreamweaver cs4, how I configure, when download/upload do not ask me to include DEPENDED FILES but act without including ?

    Open the Preferences panel (Edit menu on Windows, Dreamweaver menu on a Mac), and select the Site category. There are two checkboxes there for dependent files. Make sure both are selected. The Dreamweaver default is NOT to upload/download dependent files. You need to click Yes, if you want the dependent files to be included.

  • Cisco ISE and SecurID Integration Questions

    I'm looking for some clarity trying to understand something conceptually. I want to integrate Cisco ISE with RSA SecurID, the idea being that if the user authenticates with RSA SecurID they end up on one VLAN, however, if they don't authenticate with (or don't use, or don't have) SecurID they'll end up on another VLAN. Note that I'm not using SecurID for wireless access...all PCs are wired to Ethernet.
    We have been using RSA SecurID for a while and are currently on version 8.0. Our users are authenticating via the RSA Agent typically on Windows 8.1. Instead of the usual Windows login prompt, the RSA Agent first prompts for the username and passcode (they use an app on their smartphones to get the passcode), then after a moment or two, it prompts for their Windows domain password.
    We have recently installed Cisco ISE version 1.3. With the help of a local Cisco engineer and going through the "Cisco Identity Services Engine User Guide", I have it set up and running along with a few 'test' ports on our Cisco 6809 switch, it basically works...as a test it's simply set up that if they authenticate they're on one VLAN, if not, they end up on another (this is currently without using RSA...just out-of-the-box Windows authentication).
    The Cisco engineer was unable to help me with RSA SecurID, so pressing on without him, out of the same user guide I have followed the directions for "RSA Identity Sources" under the "Managing Users and External Identity Sources", and that went well as far as ISE is concerned; I am now ready to get serious about getting ISE and SecurID working together.
    My mistake in this design so far was assuming that the RSA agent on the Windows client PCs would communicate with Cisco ISE...there doesn't seem to be a way to have them point to a non-RSA SecurID server for authentication. The concept I'm missing is what, or how, the end-user machine is supposed to authenticate taking advantage of both ISE and SecurID.
    I have dug deeper into the Cisco ISE documentation but it seems heavily biased towards Wi-Fi and BYOD implementations and it's not clear to me what applies to wired vs wireless. Perhaps it's a case that I'm not seeing the forest for the trees, but I'm not understanding what the end-user authentication looks like. It appears that as I learn more about ISE, it should become the primary SSO source, that SecurID becomes just an identity source and the PC clients would no longer directly communicate with the SecurID servers. That being the case, do I need to replace the SecurID client on the PCs and something else Cisco-ish fills this role? An agent for ISE? How do they continue to use their passcode without the RSA agent?
    Thanks!

    The external db not operation indicates that there is no communication between ACS and RSA. Did you fetch the package.cab file to analyse the auth.log file?
    Have you already gone through the below listed link?
    http://www.security-solutions.co.za/cisco-CSACS-1113-SE-4.2-RSA-Authentication-Manager-Integration-Configuration-Example.html
    Regards,
    Jatin Katyal
    - Do rate helpful posts -

  • ISE and SIEM integration

    Hi,
    One of the major concerns regarding security solutions is the way they interact. ISE specifically, is compatible with most of the SIEMs available today, as stated by Cisco (http://www.cisco.com/en/US/prod/vpndevc/ecosystem.html).
    In my particular case, I want to integrate ISE with ArcSight.
    For ArcSight to correctly parse the syslog messages that ISE sends, you have to install/configure an ISE smartconnector.
    What I'm missing though is how ArcSight instructs ISE to take specific actions on users/devices that are involved in a network attack.
    Please check: http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5712/ps11640/at_a_glance_c45-728401.pdf
    SIEM/TD partners may utilize ISE as a conduit for taking mitigation actions within the Cisco network infrastructure. SIEM/TD platforms can instruct ISE to undertake quarantine or access-block actions on users and/or device based on ISE policies that have been defined for such actions.
    Thanks!
    Octavian

    There are no such docs available till now for ArcSight integration with ISE. I also found only these two links:
    http://www.cisco.com/c/dam/en/us/products/collateral/security/identity-services-engine/at_a_glance_c45-728401.pdf
    http://www.cisco.com/c/dam/en/us/solutions/enterprise-networks/context-aware-mobility-solution/profile_arcsight_c07-538803.pdf

  • ISE and AD integration

    Hello All,
    Can anyone tell me what are all the prerequisites when integrating ISE with AD..?
    Thanks in advance.

    Hi Prasan,
    Before you connect your ISE server with the Active Directory domain, you must check the following:
    •Ensure that Cisco ISE hostnames are only 15 characters or less in length. Active Directory does not validate hostnames larger than 15 characters, which can cause a problem if you have multiple ISE hosts in your deployment whose hostnames are identical through the first 15 characters and only distinguished from one another by trailing digits or other identifiers.
    •Ensure that your ISE server and Active Directory are time synchronized. Time in the ISE is set according to the Network Time Protocol (NTP) server. It is recommended that you use the NTP to synchronize time between the ISE and Active Directory. For more information on NTP server settings, see the "System Time and NTP Server Settings" section.
    Refer to the Cisco Identity Services Engine CLI Reference Guide, Release 1.1 for information on how to configure the NTP server settings from the CLI.
    •If there is a firewall between ISE and Active Directory, certain ports need to be opened to allow ISE to communicate with Active Directory. Ensure that the following default ports are open:
    Protocol            Port Number
    LDAP                389 (UDP)
    SMB (1)             445 (TCP)
    KDC (2)             88 (TCP)
    Global Catalog      3268 (TCP), 3269
    KPASS               464 (TCP)
    NTP                 123 (UDP)
    LDAP                389 (TCP)
    LDAPS (3)           636 (TCP)
    (1) SMB = Server Message Block
    (2) KDC = Kerberos Key Distribution Center
    (3) LDAPS = Lightweight Directory Access Protocol over TLS/SSL
    •The Active Directory username that you provide while joining to an Active Directory domain should be predefined in Active Directory and should have the permission to create and update for computer account objects and change password in the domain you are joining.
    •Ensure that your Microsoft Active Directory Server does not reside behind a network address translator and does not have a Network Address Translation (NAT) address.
    Supported document:
    http://www.cisco.com/en/US/docs/security/ise/1.1/user_guide/ise_man_id_stores.html#wp1059011
    Jatin Katyal
    - Do rate helpful posts -

  • Ask the Expert: Cisco BYOD Wireless Solution: ISE and WLC Integration

    With Jacob Ideji, Richard Hamby and Raphael Ohaemenyi
    Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about the new Identity Solutions Engine (ISE) and Wireless LAN Controller (WLC) hardware/software, integration, features, specifications, client details, or just questions about Cisco's Bring-your-own device (BYOD) solution with Cisco experts Richard Hamby, Jacob Ideji, and Raphael Ohaemenyi. The interest in BYOD (Bring Your Own Device) solutions in the enterprise has grown exponentially as guests and company users increasingly desire to use personal devices to access . Cisco BYOD enhances user experience and productivity while providing security, ease-of-administration, and performance. The heart of the Cisco wireless BYOD solution is Identity Solutions Engine (ISE) utilizing the Cisco Unified Wireless portfolio. Starting with ISE v1.1.1MR and WLC (Wireless LAN Controller) code v7.2.110.0 and higher, end-to-end wireless BYOD integration is reality.
    Jacob Ideji is the technical team lead in the Cisco authentication, authorization and accounting (AAA) security team in Richardson, Texas. During his four years of experience at Cisco he has worked with Cisco VPN products, Cisco Network Admission Control (NAC) Appliance, Cisco Secure Access Control Server, and Dot1x technology as well as the current Cisco Identity Services Engine. He has a total of more than 12 years experience in the networking industry. Ideji holds CCNA, CCNP, CCSP, CCDA, CCDP, and CISM certifications from Cisco plus other industry certifications.
    Richard Hamby works on the Cisco BYOD Plan, Design, Implement (PDI) Help Desk for Borderless Networks, where he is the subject matter expert on wireless, supporting partners in the deployment of Cisco Unified Wireless and Identity Services Engine solutions. Prior to his current position, Hamby was a customer support engineer with the Cisco Technical Assistance Center for 3 years on the authentication, authorization, accounting (AAA) and wireless technology teams.
    Raphael Ohaemenyi is a customer support engineer with the authentication, authorization and accounting (AAA) team in the Technical Assistance Center in Richardson, Texas, where he supports Cisco customers in identity management technologies. His areas of expertise include Cisco Access Control Server, Cisco Network Admission Control (NAC) Appliance, Cisco Identity Services Engine, and IEEE 802.1X technologies. He has been at Cisco for more than 2 years and has worked in the networking industry for 8 years. He holds CCNP, CCDP, and CCSP certification.
    Remember to use the rating system to let Jacob, Richard and Raphael know if you have received an adequate response.
    Jacob, Richard and Raphael might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the wireless mobility sub community forum shortly after the event. This event lasts through Oct 5th, 2012. Visit this forum often to view responses to your questions and the questions of other community members.

    OOPS !!
    I will repost the whole message with the correct external URLs:
    In general, the Trustsec design and deployment guides address the specific support for the various features of the 'whole' Cisco TS (and other security) solution frameworks. And then a drill-down (usually the proper links are embedded) to the specific feature, and then that feature on a given device. TS 2.1 defines the use of ISE or ACS5 as the policy server, and configuration examples for the platforms will include and refer to them.
    TrustSec Home Page
    http://www.cisco.com/en/US/netsol/ns1051/index.html
    http://www.cisco.com/en/US/solutions/collateral/ns170/ns896/ns1051/product_bulletin_c25-712066.html
    http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5712/ps11637/ps11195/at_a_glance_c45-654884.pdf
    I find this page very helpful as a top-level start to what features and capabilities exist per device:
    http://www.cisco.com/en/US/solutions/ns170/ns896/ns1051/trustsec_matrix.html
    The TS 2.1 Design Guides
    http://www.cisco.com/en/US/solutions/ns340/ns414/ns742/ns744/landing_DesignZone_TrustSec.html
    DesignZone has some updated docs as well
    http://www.cisco.com/en/US/netsol/ns982/networking_solutions_program_home.html#~bng
    As the SGT functionality (at this point) is really more of a router/LAN/client solution, the most detailed information will be in the IOS TS guides like:
    http://www.cisco.com/en/US/docs/switches/datacenter/sw/6_x/nx-os/security/configuration/guide/b_Cisco_Nexus_7000_NX-OS_Security_Configuration_Guide__Release_6.x.html
    http://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_cts/configuration/xe-3s/asr1000/sec-usr-cts-xe-3s-asr1000-book.html
    http://www.cisco.com/en/US/docs/switches/lan/trustsec/configuration/guide/trustsec.html

  • ISE and LDAP Integration

    Hello,
    I have a question about the LDAP integration with the ISE:
    Since the ISE has a limitation of reading only 100 groups, I cannot find the groups that I need to use on the authorization, and also the ISE cannot find group if I search for it directly.
    What I mean here, that I can fetch the first 100 groups from the top of the directory, but when I search as example for any group (appear on the list or not) the ISE did not find it.
    Even I tried to change the base DN and the search DN but without luck.
    The ISE version is 1.1.4 installed on VM and the LDAP schema is AD.
    Is there any missing information/tips required in such integration?

    Hello,
    I found a Cisco doc that provides resolution of Key Features of Integration of Cisco ISE and LDAP. I hope this helps!
    This section contains the following:
    •Directory Service
    •Multiple LDAP Instances
    •Failover
    •LDAP Connection Management
    •User Authentication
    •Authentication Using LDAP
    •Binding Errors
    •User Lookup
    •MAC Address Lookup
    •Group Membership Information Retrieval
    •Attributes Retrieval
    •Certificate Retrieval
    http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_man_id_stores.html#wp1059913

  • ISE and PI Integration

    Dear All,
    What configuration is required on ISE to integrate with Prime 1.3.0.20?
    On PI side, I have added ISE in the below path
    Design-> External Management Servers -> ISE Servers.
    Apart from this anything else to be done on PI..?
    Thanks in advance.

    The stuff to do on the ISE is set up as a Radius Server for your client authentication. When ISE acts as a radius server, Prime Infrastructure collects additional information about these clients from Cisco ISE and provides all client relevant information to be visible in a single console on PI.
    The point to remember is that PI is a management solution for wired and wireless clients, while ISE acts as ACS and NAC combined. Recall that ACS on its own could not do posture validation without NAC.
    Cheers

  • ISE and SMS notification

    Environment
    ISE 1.1.2
    As already stated in other posts in this forum, it appears there is a kind of limitation when configuring SMS Notification options via the ISE GUI interface under the "Administration ==> Web Portal Management ==> Settings ==> Sponsor ==> Language template ==> English ==> Configuring SMS Text message Notification" panel:
    the Destination field, in this panel, can only contain explicitly the email address of the SMS Gateway;
    it cannot contain an email address with the %mobilenumber% variable, such as %mobilenumber%@domain.com;
    this variable is never replaced by ISE;
    I read the ISE User's Guide about that part, which explains the Gateway can be an Email/SMS third party service Provider such as clickatell.com;
    but it would have been more than nice if Cisco could take into account other kinds of SMS gateways, especially those based on "off the rack" hard/soft appliances owned by the customer and whose most common way of working is by sending them an email with destination field based on the previously referred format: %mobilenumber%@domain.com;
    Is this a feature that could appear soon in future ISE releases?
    thanks in advance

    Hello, I'm trying with version 1.3.
    In the "SMTP API destination address:" field I have configured: [email protected]
    In the body field, I put for example "movil:$mobilenumber$"
    Then, when testing, ISE doesn't put the phone number in the "To:" field, but it's OK in the "body" field.
    Am I doing something wrong, or is that functionality not supported?

  • ISE and SMS in plain text for Guest Credential notification

    I have configured a SMS notification for the Guest Credential.
    When the SMS gateway receives the message, it's discarded because it's not in plain text; it contains some HTML tags.
    We don't have the possibility on the SMS gateway to modify the received message.
    On the ISE I have seen that we can choose the email format only for the system alarm settings and not for SMS messages.
    Correct ?
    It's possible to send the message in plain text !!!!
    thank you

    I think it only uses HTML.
    Step 6 Type the email body in the Layout text box. This contains the account login information for the guest user.
    You can use HTML tags and special variables for formatting the language template for e-mail notification. The following is an example of the login information for the body of an email in an English language template:
    Welcome to the Guest Portal, your username is %username% and password is %password%
    Jatin Katyal
    - Do rate helpful posts -

  • IMessage and SMS fallback - how does it work?

    Hi community,
    I am really struggling to understand how iMessage works when the receiver uses iMessage normally but does not have a data connection for whatever reason (but does have normal GSM cellphone signal). People are saying that iMessage is intelligent and will fall back on SMS if the recipient is not contactable on iMessage - but this seemingly DOES NOT HAPPEN. It only automatically falls back on SMS if the sender (i.e. me) does not have data coverage - which is useless, I know when I don't have data - I can work that one out for myself thank-you-very-much Apple.
    My friends on limited data plans will often turn their mobile-data off (from the settings menu) to save on $ charges and on battery life.  I of course, never know exactly when they have done this.  So at various times when they have data enabled iMessage will discover the link between their apple ID and phone number and automatically start using iMessage - which is great.  However if on a subsequent day they turn their data off, I will try to message them and they will never receive it but I will get no clear indication on my end that this has failed.  It might be 2 or 3 days until they turn their data back on, or stumble into a free hotspot until they get my message.
    The same happened when I went abroad but in reverse - I turned my data off, yet my family's phones were still trying to send me iMessage messages, I didn't get them for several days until I connected my iPad to a hotel's WiFi.
    So the only way I can be sure messages get through to my friends and family and that my friends and family can get through to me in a timely manner is for us ALL to disable iMessage completely.  Making iMessage pointless.
    Please prove me wrong, but I cannot get it to function in any other way.

    I remember having sent an iMessage to one of my friends and I was wondering why it firstly was sent as an iMessage and then obviously got sent another time, this time the bubble turned green so I knew it was an SMS. Later I asked him why this might probably have happened and he told me he was doing a phone call and fell back to GSM, and he wasn't connected to WiFi.
    So my impression is that iMessage indeed also screens whether the recipient has internet connection or not. If he doesn't, the iPhone will send an SMS.
    Regards

  • Log4j and Web context - how to configure?

    Does anyone know of a way to manage log4j.properties in the Web context? Specifically, to configure it so that:
    a) logs go to an appropriate directory (probably $CATALINA_BASE/logs)
    b) the logfile is named for the context (e.g. /MyContext would go to mycontext.log)
    log4j.properties allows for variables. However, these variables are either defined inside the log4j.properties, which is a catch-22 for this, or checked against java System properties, which are JVM-wide. I could put a context listener that sets a predetermined property, but then it affects everything in the JVM, i.e. all other contexts, making it useless. Here is what I see as my options:
    1- hardcode a full path in the log4j.properties, making distribution of the WAR difficult
    2- hardcode it per context, but use $CATALINA_BASE as a system var. This is not terrible, but then depends on Tomcat, as opposed to being able to switch to other containers. It also makes the log4j.properties less transportable across contexts (more effort)
    3- Configure everything in a Listener. This would work, but then I lose my ability to configure declaratively (log4j.properties or log4j.xml), and my ability to do configureAndWatch().
    Ideally, I would like to have one of the following:
    a- a variable that log4j picks up that is unique to each context and declares its path, but portable across containers (unlikely)
    b- second best, have my listener determine the real path to logs, set some variable that is only held in this context, then have log4j read the properties or xml file correctly resolving the variable
    c- less so, I guess the listener can load up the properties or XML file, manipulate any instance of the variable manually, then load the properties into PropertyConfigurator for log4j. Not quite sure how to do this, though.
    Anyone tackled this?

    Does it matter if I have to access the OWA url using a trailing folder name? I access OWA like so, https://owa.example.com/owa, I know it's a bit redundant, but I don't know how to make mail aware of that, or even if it's a problem? If I leave off the URL I can connect but not authenticate, with the URL it's obviously an invalid hostname. Anyone familiar with this issue?

  • ADFS and SharePoint Integration: How to use ADFS Roles?

    Hello,
    I've successfully integrated SharePoint with ADFS2 and users can login by ADFS. One of the claims mapping in ADFS and SharePoint is SAM-Account-Name->Windows account name.
    Is there any guideline on how to grant a permission to a specific role? For example I want to grant read access to a specific list to a specific AD group called "ListReaders"
    A link to an online article that explains how to use ADFS Roles in SharePoint would be a great help.
    Thank you,

    Hi Allan,
    According to your description, my understanding is that you want to grant permission to ADFS roles.
    Please refer to “A Fellows” last suggestion to grant permission to ADFS roles in the link below:
    http://social.technet.microsoft.com/Forums/en-US/4d5ee453-1447-4d14-b297-33c27ef2c24d/permissions-using-adfs-roles?forum=sharepointadmin
    More reference:
    http://www.css-security.com/blog/claims-based-authentication-and-authorization-with-adfs-2-0-and-sharepoint-2010/
    Thanks,
    Victoria
    Forum Support
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact
    [email protected]
    Victoria Xia
    TechNet Community Support

  • ISE and Prime Integration

    Dear All,
    I have ISE nodes in distributed environment.
    1) Added PRI & SEC Monitoring node in Prime under Administration --> Servers --> ISE Servers.
    By doing this I am getting ISE reports under Reports Launch Pad.
    2) On ISE Administration --> System --> Logging --> Remote Logging Targets (Prime <IP address>, Port: 514, Facility: Local 6, Target Type: UDP syslog)
    But I am unable to get any ISE syslog on the Prime.
    Can anyone tell me how to see the syslogs of ISE in Prime?

    Thanks for your reply.
    I have added a third party syslog IP address on ISE as Remote logging. But I am not receiving AAA Passed/Failed logs whereas other system logs are being received.
    Having Local 6 as facility code. Any help?

  • ISE and WLC

    Dear friends,
    We are using ISE and WLC integrity in our network, we have Corporate and Guest SSID, we configured it but the client can't connect to this SSID and can't be authenticated, please see attached files and tell me if I have done something wrong in the configuration of the WLC
    10.10.17.201 is ISE
    Thank you for attention

    Hi,
    After viewing the Trap logs it seems you have checked on validate machine.
    On the client side, make sure you don't check validate machine and then try.
