ISE Authorization Policy Issues
Hello Team,
I'm having trouble with my implementation: the user PC never gets an IP address from the access VLAN after the AuthZ policy succeeds.
I have two vlans in my implementation:
Vlan ID 802 for Authentication (Subnet 10.2.39.0)
Vlan ID 50 for Access Users (Subnet Y.Y.Y.Y)
When I start my user PC, I get an IP in VLAN 802 (10.2.39.3), and after the posture process ISE tells the switch to put the user PC port in VLAN 50.
Here is my switch port configuration:
interface GigabitEthernet0/38
switchport access vlan 802
switchport mode access
switchport nonegotiate
switchport voice vlan 120
ip access-group ACL-DEFAULT in
authentication event fail action next-method
authentication event server dead action reinitialize vlan 50
authentication event server dead action authorize voice
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
end
And here are the outputs with the AuthZ policy in action:
Oct 7 09:22:01.574 ANG: %DOT1X-5-SUCCESS: Authentication successful for client (0022.1910.4130) on Interface Gi0/38 AuditSessionID 0A022047000000F6126E9B17
Oct 7 09:22:01.582 ANG: %AUTHMGR-5-VLANASSIGN: VLAN 50 assigned to Interface Gi0/38 AuditSessionID 0A022047000000F6126E9B17
Oct 7 09:22:01.591 ANG: %EPM-6-POLICY_REQ: IP 0.0.0.0| MAC 0022.1910.4130| AuditSessionID 0A022047000000F6126E9B17| AUTHTYPE DOT1X| EVENT APPLY
Oct 7 09:22:01.591 ANG: %EPM-6-AAA: POLICY xACSACLx-IP-PERMIT_ALL_TRAFFIC-537cb1d6| EVENT DOWNLOAD-REQUEST
Oct 7 09:22:01.633 ANG: %EPM-6-AAA: POLICY xACSACLx-IP-PERMIT_ALL_TRAFFIC-537cb1d6| EVENT DOWNLOAD-SUCCESS
Oct 7 09:22:01.633 ANG: %EPM-6-IPEVENT: IP 0.0.0.0| MAC 0022.1910.4130| AuditSessionID 0A022047000000F6126E9B17| AUTHTYPE DOT1X| EVENT IP-WAIT
SWISNGAC8FL02#
Oct 7 09:22:02.069 ANG: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0022.1910.4130) on Interface Gi0/38 AuditSessionID 0A022047000000F6126E9B17
SWISNGAC8FL02#
Oct 7 09:22:02.731 ANG: %EPM-6-IPEVENT: IP 10.2.39.3| MAC 0022.1910.4130| AuditSessionID 0A022047000000F6126E9B17| AUTHTYPE DOT1X| EVENT IP-ASSIGNMENT
Oct 7 09:22:02.731 ANG: %EPM-6-POLICY_APP_SUCCESS: IP 10.2.39.3| MAC 0022.1910.4130| AuditSessionID 0A022047000000F6126E9B17| AUTHTYPE DOT1X| POLICY_TYPE Named ACL| POLICY_NAME xACSACLx-IP-PERMIT_ALL_TRAFFIC-537cb1d6| RESULT SUCCESS
After that, I have:
SWISNGAC8FL02#sh auth sess int g0/38
Interface: GigabitEthernet0/38
MAC Address: 0022.1910.4130
IP Address: 10.2.39.3
User-Name: SNL\enzo.belo
Status: Authz Success
Domain: VOICE
Security Policy: Should Secure
Security Status: Unsecure
Oper host mode: multi-auth
Oper control dir: both
Authorized By: Authentication Server
Vlan Policy: 50
ACS ACL: xACSACLx-IP-PERMIT_ALL_TRAFFIC-537cb1d6
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0A022047000000F6126E9B17
Acct Session ID: 0x000001A7
Handle: 0x710000F7
Runnable methods list:
Method State
dot1x Authc Success
mab Not run
Apparently everything is OK, but it is NOT. The user PC never gets an IP address from access VLAN 50.
If I run SWISNGAC8FL02#sh mac address-table | inc 0022.1910.4130, I get:
50 0022.1910.4130 STATIC Gi0/38
802 0022.1910.4130 STATIC Gi0/38
And
SWISNGAC8FL02#sh epm session summary
EPM Session Information
Total sessions seen so far : 17
Total active sessions : 1
Interface IP Address MAC Address VLAN Audit Session Id:
GigabitEthernet0/38 10.2.39.3 0022.1910.4130 802 0A022047000000F6126E9B17
My switch runs Cisco IOS Software, C3560E Software (C3560E-IPBASEK9-M), Version 15.0(2)SE6, RELEASE SOFTWARE (fc2)
I am using ISE Version 1.2.1.198 Patch Info 2
Could you help me with this case?
Best Regards,
Daniel Stefani
It seems like the PC is operating in the VOICE domain according to the "sh auth sess int" output you showed. Do you think that has something to do with your problem? I've seen some PCs having problems with that.
If you can, try getting the PC to operate in the DATA domain by not sending the voice attribute from ISE after the authorization.
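A small triage script, added here and not part of the original thread, that parses the three switch outputs quoted in the post and flags the two inconsistencies the reply points at: the session sitting in the VOICE domain while its Vlan Policy is the data VLAN 50, and EPM still tracking the endpoint in VLAN 802 with its authentication-VLAN address. The embedded session, EPM and port-config text are trimmed copies of what the post shows.

```python
import re

# Trimmed copy of the "sh auth sess int g0/38" output quoted in the post.
AUTH_SESSION = r"""
Interface: GigabitEthernet0/38
MAC Address: 0022.1910.4130
IP Address: 10.2.39.3
User-Name: SNL\enzo.belo
Status: Authz Success
Domain: VOICE
Oper host mode: multi-auth
Authorized By: Authentication Server
Vlan Policy: 50
ACS ACL: xACSACLx-IP-PERMIT_ALL_TRAFFIC-537cb1d6
Common Session ID: 0A022047000000F6126E9B17
"""

# Copy of the "sh epm session summary" output quoted in the post.
EPM_SUMMARY = """
EPM Session Information
Total sessions seen so far : 17
Total active sessions : 1
Interface IP Address MAC Address VLAN Audit Session Id:
GigabitEthernet0/38 10.2.39.3 0022.1910.4130 802 0A022047000000F6126E9B17
"""

# Trimmed copy of the port configuration quoted in the post.
PORT_CONFIG = """
interface GigabitEthernet0/38
 switchport access vlan 802
 switchport mode access
 switchport voice vlan 120
 authentication host-mode multi-auth
"""


def parse_auth_session(text):
    """Turn the 'Key: value' lines of the session display into a dict."""
    session = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z][A-Za-z0-9 \-]*?):\s*(.*)$", line)
        if m:
            session[m.group(1).strip()] = m.group(2).strip()
    return session


def parse_port_vlans(config):
    """Extract the configured access and voice VLAN ids from the interface config."""
    vlans = {}
    for kind in ("access", "voice"):
        m = re.search(rf"switchport {kind} vlan (\d+)", config)
        if m:
            vlans[kind] = int(m.group(1))
    return vlans


def parse_epm_summary(text):
    """Index the EPM session rows by MAC address: interface, IP, VLAN, session id."""
    row_re = re.compile(
        r"^(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"
        r"\s+(\d+)\s+(\S+)$")
    rows = {}
    for line in text.splitlines():
        m = row_re.match(line.strip())
        if m:
            rows[m.group(3)] = {"interface": m.group(1), "ip": m.group(2),
                                "vlan": int(m.group(4)), "session_id": m.group(5)}
    return rows


def triage(session, epm_rows, port_vlans):
    """Return human-readable findings for the VLAN-assignment symptom."""
    findings = []
    mac = session.get("MAC Address")
    vlan_policy = session.get("Vlan Policy", "")
    policy_vlan = int(vlan_policy) if vlan_policy.isdigit() else None
    voice_vlan = port_vlans.get("voice")
    # A PC in the VOICE domain while the assigned VLAN is a data VLAN points at a
    # voice-domain attribute in the authorization profile that the PC should not get.
    if session.get("Domain") == "VOICE" and policy_vlan != voice_vlan:
        findings.append(f"{mac}: session is in the VOICE domain but Vlan Policy "
                        f"{policy_vlan} is not the port's voice VLAN {voice_vlan}; "
                        "review the authorization profile for a voice-domain attribute")
    # EPM still seeing the endpoint in the original VLAN means the host never
    # re-addressed into the VLAN the policy assigned.
    row = epm_rows.get(mac)
    if row and policy_vlan is not None and row["vlan"] != policy_vlan:
        findings.append(f"{mac}: EPM tracks the endpoint in VLAN {row['vlan']} with IP "
                        f"{row['ip']} while Vlan Policy is {policy_vlan}")
    return findings


def run():
    return triage(parse_auth_session(AUTH_SESSION), parse_epm_summary(EPM_SUMMARY),
                  parse_port_vlans(PORT_CONFIG))


if __name__ == "__main__":
    for finding in run():
        print("-", finding)
```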
Similar Messages
-
Hey guys,
I have a question regarding ISE Authorization Policy. In my test lab, I don't have any wired station; what I have is a wireless laptop. I have configured it to allow only EAP-TLS authentication. Now, my problem is I keep getting "15039 Rejected per authorization profile."
Under the Policy > Authorization, I created a rule where I just want to allow on EAP-TLS either via machine or user identity, and the bottom is the default DenyAccess. When I tried to join the wireless network, I kept getting denied. I checked the ACL counters on the WLC side and it was not increasing.
I changed the default DenyAccess to PermitAccess, and I was able to join the wireless network no problem, and the ACL counters on the WLC side increased.
It seems like I am hitting the default Authorization Policy first which is on the bottom of the authorization policy.
I attached the failed and authenticated logs that I got from ISE.
Has anyone encountered this issue?
The version that I have is 1.1.1
Thanks
P.S.
I went back to check my authorization condition, and it is blank (see the 1st screenshot).
Hi,
It is obvious that you are not matching any condition.
Rather than keeping the condition blank, fill it with a condition that always matches and see if that helps.
Regards,
Amjad
Rating useful replies is more useful than saying "Thank you" -
ISE - Authorization Profile issue
I'm running a trial of ISE and I'm attempting to create the authorization profile with the following settings:
Name: Posture_Remediation
Access Type: Access_Accept
Common Tools:
Posture Discovery, Enabled
Posture Discovery, ACL ACL-POSTURE-REDIRECT
The documentation says Common Tools, but in the screen shot it shows Common Tasks which is accurate to my install. Doc: http://www.cisco.com/en/US/products/ps10315/products_tech_note09186a0080bba10d.shtml#topic19
The issue is that I do not see a Posture Discovery option in the Common Tasks area. Can I add these the attributes using the Advanced Attributes settings or is there something I need to enable to display the Posture Discovery option within Common Tasks?
Any help would be appreciated.
Andrew
Hello Andrew,
As per your query, I can suggest the following:
Creating a New Authorization Policy
Use this procedure to create a new authorization policy.
To create a new authorization policy, complete the following steps:
Step 1 Choose Policy > Authorization > Standard.
Step 2 Click to select either Insert New Rule Above or Insert New Rule Below.
A new policy entry appears in the position you designated in the Standard panel of the Authorization Policy window.
Step 3 Enter values for the following authorization policy fields:
•Rule Name—You need to define a rule name for the new policy.
•Identity Groups—Choose a name for the identity group that you want associated with the policy.
–Click + ("plus" sign) next to the word "Any" to display a drop-down list of group choices, or choose Any for the policy for this identity group to include all users.
•Condition(s)—Choose the types of conditions or attributes for the identity group associated with the policy. Click + next to Condition(s) to display the following list of condition and attribute choices that you can configure:
–Select a Condition Name option from the drop-down list (Simple Conditions, Compound Conditions, or Time and Date Conditions) as needed.
–Select one of the Attribute options as needed. This displays a list of dictionaries that contain specific attributes related to the dictionary type.
When you select an attribute, you can define it as Equals, Not Equals, or Matches using a pull-down list of operator options, and select an AND or OR directive using a pull-down directive option.
For more information please refer to the link -
http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_authz_polprfls.html -
ISE authorization Policy not working
Hi ,
I have configured ISE as per the below link
https://supportforums.cisco.com/document/110031/central-web-authentication-cwa-guests-ise
but my authorization policy is not working: when a user connects to the guest WLAN it gets authenticated, but when it looks for authorization
it goes to the default policy. It should hit the policy created above; screenshot as below.
What version of ISE + patch are you running? Could you please send a screenshot of the AUTH policies including the default ---> USE part? Are you using a customized portal for the first authentication process?
CWA is pretty straightforward. The only issue I faced was that multiple VMs (ISE personas) running on one single server were not replicating the AUTHZ policies properly, so I added the PSN persona to the PAN node and everything worked fine immediately. In addition to that, I realized that I needed at least ONE ENTRY in the ISE PAN Internal Endpoints DB so I could hit the AUTH policy for the MAB & user-not-found condition, which sent me to the AUTHZ = User Unknown + Redirect. Once I authenticated the user using the Default Portal, that meant I hit the GUEST FLOW policy. If you are using customized portals for the first authentication process, check: Web Portal Mgmt. ---> Guest ---> MultiPortal Configurations ---> Customized Portal ---> Authentication part. -
OIM 11g - User Management Authorization policy issues
Hello,
1) Created an organization -> Human Resource
2) Created an Role -> HR_Admins
3) Assigned HR_Admins roles as administrative role of Human Resource organization
4) Created user1 with organization as Human Resource & Assigned HR_Admins role to this user.
5) Created authorization policy for user management with following selections
Permission -> Create User.
Data Constraints -> Selected "Users that are members of selected Organizations" & selected above Human Resource organization.
Assignment -> HR_Admins role .
Now when I log in as user1 I am not able to see the Administration tab where I can select Create User.
I have been working on this issue for a couple of days but am not able to find the solution. Have I missed some configuration?
Thank-You
Rahul Shah
Hi Rahul,
I have tested your scenario with the clauses below:
1) Created an organization -> Human Resource
2) Created an Role -> HR_Admins
3) Assigned HR_Admins roles as administrative role of Human Resource organization
4) Created user1 with organization as Human Resource & Assigned HR_Admins role to this user. : default role All Users
5) Created authorization policy for user management with following selections
Permission -> Create User. :- *"Select ALL"*
Data Constraints -> Selected "Users that are members of selected Organizations" & selected above Human Resource organization.
Assignment -> HR_Admins role .
In data constraints
Organization Security Setting Hierarchy Aware (include all Child Organizations)
Now I am able to see the create user tab and, I can create user in Human Resource org only.
If it doesn't work for you. Just assign "REQUEST ADMINISTRATOR" IN AUTH POLICY. Test the result.
Also what is your OIM version?
Test it with fresh data like a new role name, org and user.
-kuldeep
Edited by: Kuldeep on May 22, 2012 4:19 AM -
ISE authorization policy question
I'm in the process of finishing up my authorization policy and was hoping to get some input on how to deal with freshly imaged machines. The current authorization policy relies on Active Directory (peap-tls) and CCM (eap-tls). Since the newly imaged machines will not be part of the domain yet they'll fail and will either be completely denied access or they'll be dropped into a null vlan.
Would it be viable to create a policy that says if your name starts with the first 5 characters of our naming convention then you can be dumped onto the internal data VLAN and couple that with a DACL permitting access to ports necessary to join the domain?
I'm not sure what type of security implications this would have?
If this is not a suitable route, what would be a best-practice approach?
You can do the latter: if they fail authentication, they will be granted a separate VLAN with some defined access.
-
OIM 11g authorization policy issue
Hi ALL,
We have created one authorization policy.
which will give the following permissions for the users.
1.search users
2.view user details
3.Modify a single attribute in user profile
it has been assigned to a role.
Now we assigned this role to a user and he is able to search the users and view the details, but he is able to edit all the attributes besides the specified one. Please let me know where I am going wrong.
In the Modify User permission, check which attributes are selected... if all are selected, then select only the one which you require.
J -
ISE Authorization Policy Register Device Problem
Dear all.
I have some problem about register device in ISE. I have to check registered device before access the network. But in register device process. I don't like to install Native Supplicant or any program in the device . I need to register device only and check it again to access the network.
Can I reject the process of ISE about Native Supplicant after register device in the ISE System.
Thank You.
Toon
This is not supported. The supplicant (native/NAC agent) can check the host registry, processes, applications, and services; it can be used to perform Windows updates or antivirus and antispyware definition updates, launch qualified remediation programs, distribute files uploaded to the Cisco ISE server, distribute links to web sites so that users can download files to fix their system, or simply distribute information and instructions.
-
Hi All
Has anyone successfully used a Guest Role in an ISE authorization policy?
I'm using 2 different Guest Roles that get assigned by the Sponsor on the account creation page.
I want to differentiate between the 2 roles in my authorization policies to ensure separation between the 2 types of user.
I've had a suggestion to use an Option field on the sponsor's account creation page - this will work but it would be more secure if the Guest Role could be used.
ISE version is 1.2.198.0
Regards
Roger
Exactly.
If I create a sponsored account I can use the credentials to authenticate to either SSID.
Similarly if I create a self-registered account I can use the credentials to authenticate to either SSID.
The correct policy set is selected each time based on the SSID.
It seems to me as if the guest roles effectively do nothing and that all users get assigned to a single group. Of course, as an administrator you simply can't ever see the accounts and where the user has been assigned to. Any attempts to differentiate based on the group simply fail.
It looks like the assignment of a guest role for self-registration is actually a global setting that is applied to all portals and therefore overrides the guest role assigned within the sponsor group settings. See the attached image. -
Hi,
My end customer reported an issue with ISE 1.1.4-218.
The GUEST user is expired but still can authenticate in the WLAN.
That's an known issue/bug?
Thanks!
Regards,
Rafael Eloi
Check if the option in the configuration part of the authentication process = CONTINUE.
For example, when you use CWA, the IF AUTHENTICATION FAILED Option = CONTINUE so the MAB Auth always fails but based on that Option your connection continues so you are actually redirected using the AUTHORIZATION Policy. -
ISE 1.2 - Authorization Policy for Digital Certificates
Hi Everyone.
I have Cisco ISE 1.2. When I created an authorization policy rule for PEAP (MSCHAPv2), ISE matches the rule and permits based on the AuthProfile.
BUT for authentications using digital certificates (EAP-TLS) I can't get any authorization policy to match.
I'm trying something like:
if
any
AND
authEAPprot: EAP-TLS
AND
Certificate:issuer : equals : CA-root
THEN
ACCESS_FULL
In Operations > Authentications I can see the authentication, and when I open the details I can see the method is EAP-TLS, BUT my rule is not matched because the authorization policy used is Default.
Can someone give me a tip about how I can make this rule match authentications that use EAP-TLS (digital certificates)?
tks
Hi,
You will have to upload all certificates (intermediate and root) that are used to sign the client cert into the ISE CA database. You will also have to make sure that checkbox for trust for client authentication is checked.
Thanks,
Tarik Admani
*Please rate helpful posts* -
ISE / Active Directory: issue to get users group
Hello,
We have a strange issue:
- ISE 1.2 patch 8
- no WLC, autonomous AP
In authentication, we check Wireless IEEE 802.11 (radius) and cisco-av-pair (ssid), then we use AD.
We have 3 SSIDs, so 3 rules, one DATA, one GUEST, one for TOIP.
One more rule grants authentication for APs registering in WDS: users in the local database.
In authorization, we check cisco-av-pair (ssid) and AD user group, then we permit access.
(so 3 rules), and one more to authorise the internal base for WDS.
We have something strange:
- sometimes users can connect but later they can't: in the logs, the authorization rejects the user because the AD Group is not seen.
Example:
1- OK:
Authentication Details
Source Timestamp: 2014-05-15 11:43:19.064
Received Timestamp: 2014-05-15 11:43:19.065
Policy Server: radius
Event: 5200 Authentication succeeded
All the GROUPS of the user are seen:
false
AD ExternalGroups: xx/users/admexch
AD ExternalGroups: xx/users/glkdp
AD ExternalGroups: x/users/gl revue écriture
AD ExternalGroups: xx/users/pcanywhere
AD ExternalGroups: xx/users/wifidata
AD ExternalGroups: xx/informatique/campus/destinataires/aa informatique
AD ExternalGroups: xx/informatique/campus/destinataires/aa entreprises et cités
AD ExternalGroups: xx/informatique/campus/destinataires/aa campus
AD ExternalGroups: xx/users/aiga_creches
AD ExternalGroups: xx/users/admins du domaine
AD ExternalGroups: xx/users/utilisa. du domaine
AD ExternalGroups: xx/users/groupe de réplication dont le mot de passe rodc est refusé
AD ExternalGroups: xx/microsoft exchange security groups/exchange view-only administrators
AD ExternalGroups: xx/microsoft exchange security groups/exchange public folder administrators
AD ExternalGroups: xx/users/certsvc_dcom_access
AD ExternalGroups: xx/builtin/administrateurs
AD ExternalGroups: xx/builtin/utilisateurs
AD ExternalGroups: xx/builtin/opérateurs de compte
AD ExternalGroups: xx/builtin/opérateurs de serveur
AD ExternalGroups: xx/builtin/utilisateurs du bureau à distance
AD ExternalGroups: xx/builtin/accès dcom service de certificats
RADIUS Username: xx\cennelin
Device IP Address: 172.25.2.87
Called-Station-ID: 00:3A:98:A5:3E:20
CiscoAVPair: ssid=CAMPUS
ssid: campus
2- NOT OK later:
Authentication Details
Source Timestamp: 2014-05-15 16:17:35.69
Received Timestamp: 2014-05-15 16:17:35.69
Policy Server: radius
Event: 5434 Endpoint conducted several failed authentications of the same scenario
Failure Reason: 15039 Rejected per authorization profile
Resolution: Authorization Profile with ACCESS_REJECT attribute was selected as a result of the matching authorization rule. Check the appropriate Authorization policy rule-results.
Root cause: Selected Authorization Profile contains ACCESS_REJECT attribute
Only 3 groups of the user are seen:
Other Attributes
ConfigVersionId: 5
Device Port: 1645
DestinationPort: 1812
RadiusPacketType: AccessRequest
UserName: host/xxxxxxxxxxxx
Protocol: Radius
NAS-IP-Address: 172.25.2.80
NAS-Port: 51517
Framed-MTU: 1400
State: 37CPMSessionID=b0140a6f0000C2E15374CC7F;32SessionID=radius/189518899/49890;
cisco-nas-port: 51517
IsEndpointInRejectMode: false
AcsSessionID: radius/189518899/49890
DetailedInfo: Authentication succeed
SelectedAuthenticationIdentityStores: AD1
ADDomain: xxxxxxxxxxx
AuthorizationPolicyMatchedRule: Default
CPMSessionID: b0140a6f0000C2E15374CC7F
EndPointMACAddress: 00-xxxxxxxxxxxx
ISEPolicySetName: Default
AllowedProtocolMatchedRule: MDP-PC-PEAP
IdentitySelectionMatchedRule: Default
HostIdentityGroup: Endpoint Identity Groups:Profiled:Workstation
Model Name: Cisco
Location: Location#All Locations#Site-MDP
Device Type: Device Type#All Device Types#Cisco-Bornes
IdentityAccessRestricted: false
AD ExternalGroups: xx/users/ordinateurs du domaine
AD ExternalGroups: xx/users/certsvc_dcom_access
AD ExternalGroups: xx/builtin/accès dcom service de certificats
Called-Station-ID: 54:75:D0:DC:5B:7C
CiscoAVPair: ssid=CAMPUS
If you have an idea, thanks so much,
Regards,
To configure debug logs via the Cisco ISE user interface, complete the following steps:
Step 1 Choose Administration > System > Logging > Debug Log Configuration. The Node List page appears, which contains a list of nodes and their personas.
You can use the Filter button to search for a specific node, particularly if the node list is large.
www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_logging.html#wp1059750 -
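A triage script for the ISE / Active Directory thread above, added here and not part of that thread: it parses ISE "Authentication Details" exports in the form ISE shows them (attribute name on one line, value on the next, repeated keys for every AD ExternalGroups entry), diffs the groups between a good and a failing record, and flags a failing record whose identity is a host/ computer account, because the groups ISE retrieves in that case belong to the computer object rather than to the user. The two embedded records are abbreviated copies of the ones quoted in that thread.

```python
from collections import defaultdict

# Abbreviated copy of the "1- OK" record from the thread (group list shortened).
RECORD_OK = """
Source Timestamp
2014-05-15 11:43:19.064
Event
5200 Authentication succeeded
AD ExternalGroups
xx/users/admexch
AD ExternalGroups
xx/users/wifidata
AD ExternalGroups
xx/users/certsvc_dcom_access
AD ExternalGroups
xx/builtin/accès dcom service de certificats
RADIUS Username
xx\\cennelin
CiscoAVPair
ssid=CAMPUS
"""

# Abbreviated copy of the "2- NOT OK later" record from the thread.
RECORD_FAIL = """
Source Timestamp
2014-05-15 16:17:35.69
Event
5434 Endpoint conducted several failed authentications of the same scenario
Failure Reason
15039 Rejected per authorization profile
UserName
host/xxxxxxxxxxxx
AuthorizationPolicyMatchedRule
Default
AD ExternalGroups
xx/users/ordinateurs du domaine
AD ExternalGroups
xx/users/certsvc_dcom_access
AD ExternalGroups
xx/builtin/accès dcom service de certificats
CiscoAVPair
ssid=CAMPUS
"""


def parse_details(text):
    """Pair alternating key/value lines; repeated keys accumulate into a list."""
    lines = [line.strip() for line in text.splitlines() if line.strip()]
    if len(lines) % 2:
        raise ValueError("unpaired key/value line in record")
    record = defaultdict(list)
    for key, value in zip(lines[0::2], lines[1::2]):
        record[key].append(value)
    return record


def identity(record):
    """ISE names the authenticated identity differently depending on the view."""
    for key in ("RADIUS Username", "UserName", "User-Name"):
        if record.get(key):
            return record[key][0]
    return None


def is_machine_account(name):
    """host/<computer> is the computer account the supplicant uses when no user is logged on."""
    return bool(name) and name.lower().startswith("host/")


def compare_groups(good, bad):
    """Summarise why the failing record did not carry the groups the good one had."""
    missing = sorted(set(good["AD ExternalGroups"]) - set(bad["AD ExternalGroups"]))
    return {
        "good_identity": identity(good),
        "bad_identity": identity(bad),
        "bad_rule": bad.get("AuthorizationPolicyMatchedRule", ["?"])[0],
        "missing_groups": missing,
        "bad_is_machine_auth": is_machine_account(identity(bad)),
    }


def triage_report(good_text, bad_text):
    """Render the comparison as lines an operator can read."""
    result = compare_groups(parse_details(good_text), parse_details(bad_text))
    out = [f"{result['good_identity']} -> {result['bad_identity']}: "
           f"matched rule {result['bad_rule']}"]
    out += [f"  group not retrieved: {g}" for g in result["missing_groups"]]
    if result["bad_is_machine_auth"]:
        out.append("  note: host/ identity is a computer account, so the AD groups "
                   "retrieved are the computer object's, not the user's")
    return out


if __name__ == "__main__":
    print("\n".join(triage_report(RECORD_OK, RECORD_FAIL)))
```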
ISE Authentication Policy for RSA Securid and LDAP for VPN
We are working on replacing our existing ACS server with ISE. We have 2 groups of users, customers and employees. The employee's utilize RSA securid for authentication while the customers use Window authentication. We have integrated the AD into ISE using LDAP and this has been tested. We are now working on trying to get the rsa portion to work. We are wanting to utilize the authorization policy to assign the group-policy/IP for both clients via the LDAP user attributes.
Here is my question:
Under the authentication policy should we look @ an identity store that has RSA securid users, LDAP users and then internal users. I assume if the user isn't present in the RSA store it will then look @ the LDAP, will this present an issue with overhead in our RSA environment. With the legacy ACS the descsion on where to authenticate the user was done on the ACS, either Windows or RSA. The employee users will still also be present in the LDAP so we can utilize the attributes for IP address/group policy. The number of customer vpn's is several times larger than employees and I am afraid that if we have to query the securid servers for every authentication vpn authentication attempt this could cause issues. Our utilimate goal is to move to any connect and utilize a single url for all authentication but allow ise to instruct the asa what attributes to hand to the client such as dns/Dacl.
Thanks,
Joe
That is not what I want. I want user "test1" to be able to do this:
C
Username: test1
Enter PASSCODE:
C2960>en
Enter PASSCODE:
C2960#
In other words, test1 user has to type in his/her RSA token password to get
into exec mode. After that, he/she has to use the RSA token password to
get into enable mode. Each user can get into "enable" mode with his/her
RSA token mode.
The way you described it, it seemed like anyone in this group can go directly
into enable mode without password. This is not what I have in mind.
Any other ideas? Thanks. -
Hi
I want to find out if its possible on ISE dot1x implementation to authenticate domain machines using EAP-TLS (certificate) and after successful authentication, authorize the user using AD domain users. I cant seem to get this to work, the ISE just skips the authorization policy which I created to reference AD.
It seems you can only authenticate and authorize with the same parameter which i was able to achieve using MSCHAP-V2.
My aim is to authenticate the connecting PC using internal CA and further authorize the users using AD membership.
Thanks
Although EAP-FAST and EAP chaining are not proprietary to Cisco, AnyConnect is the only supplicant that I am aware of that currently supports the feature.
The only other option that I can tell you is using Machine Access Restrictions (MAR), but I would highly recommend against this unless the customer is aware of the caveats associated with MAR. With MAR the supplicant is configured to use "user or computer". When the user is logged off, the device authenticates using the computer's account. When the user logs in, the supplicant starts the authentication process over using the user credentials. With MAR, ISE first verifies that the machine authenticated before the user. If not, then the user is not authorized to connect. The issue is that if the device goes into hibernation instead of logging off, the user may fail to authenticate because ISE doesn't see the computer auth.
EAP chaining is the answer to MAR's shortfalls. This is because the computer and the user authenticate together every time.
If their goal is to ensure that the device is a corporate-owned device then you can always consider posture as a means to ensure that. You can have a registry entry, or a file on the computer, that signifies that the device is corporate-owned. You would still need to install the posture agent and this would change the licensing requirements, whereas EAP chaining is included in the base licensing and doesn't require Plus or Apex.
The other outside-of-the-box idea that I have seen is to use GPO to change the LAN NIC's name to something like "Corporate LAN" and then, using profiling, you can create a custom profile that matches. See pages 91-114; there are several options listed including the ones I've already mentioned.
http://d2zmdbbm9feqrf.cloudfront.net/2015/anz/pdf/BRKSEC-3697.pdf -
Custom OWSM Authorization Policy Not Visible in OSB 11g
I am trying to configure custom OWSM authorization policies to grant web service access in OSB to userids associated with custom WebLogic groups. Both OSB and SOA are version 11.1.1.5 with an Oracle Enterprise 11g database backend. To help rule out some possible operational errors, here are things that ARE working with the combination of SOA and OSB services:
* the underlying SOA service functions in the /em console test page
* the OSB proxy service works from the /sbconsole test page with OWSM oracle/wss_username_token_policy enabled
* the oracle/log_policy can be added to the OSB business service and generates log entries
* the outer proxy service can be successfully invoked from a remote client with no security policies, with HTTP transport security and authorization policies, and with OWSM authentication policies attached (given the correct request payloads)
These findings would appear to rule out connection errors from the OSB engine to the jdbc/mds/owsm DataSource or proper startup of the "OWSM Policy Support in OSB Initializer Application" service within WebLogic. (By the way, that deploys with a typo in its registered name -- "Aplication" with a single p.)
Here are the steps that were performed:
1) created group myfirmIdentityData in WebLogic console (/console)
2) created userid myappuser in WebLogic console
3) added myappuser to the myfirmIdentityData group in WebLogic console
4) cloned the oracle/component_authorization_permitall Security policy to myfirm/authorize_IdentityData using the Fusion console (/em on the SOA domain)
5) edited myfirm/authorize_IdentityData to add the "role" myfirmIdentityGroup to the list of permitted roles (***)
*** note -- "roles" referenced within the OWSM policy configuration dialogs actually correspond to "groups" at the WebLogic Server level. A bit confusing at first but harmless.
6) accessed the SOA service in the Fusion console (/em), clicked on the Policies tab and verified the myfirm/authorize_IdentityData policy is available for application to the SOA service (BUT DID NOT ATTACH IT HERE -- I'm trying to attach it at the "outer" layer in OSB, not SOA Suite)
7) accessed the Service Bus console (/sbconsole), started a change session, selected the proxy service, then clicked on the Policies tab, then clicked the Add button in the Service Level Policies section
At that point, the only services listed are the factory supplied oracle/********* policies. There are two pages listed and flipping between the two doesn't show any other policies other than the oracle/***** policies.
I even tried stopping and starting the domain thinking maybe OSB caches all of the OWSM policies at startup rather than querying the mds_owsm schema dynamically to no avail. No myfirm/****** policies are displayed after a domain restart.
Any insight?
Thanks.
Once again, I wound up opening a Support Request with the TAC for direction on this issue. The policies were not appearing for assignment to OSB proxy / business services because they were being created against the wrong type of object within OWSM.
In a nutshell, policies in OWSM can be created to be applied against:
* Components --- only usable against SOA services
* Service Endpoints --- against URLs used as access points into services
* Service Clients -- against consumers of services as identified by credentials
* All -- all of the above
However, policies built against Components can only be applied to SOA composite services. When I cloned the existing oracle/component_authorization_permitall Security policy to the myfirm/authorize_IdentityData policy and then limited it to the myfirmIdentityGroup group, that policy would only be assignable to SOA composites since it applied to only Components.
To allow the group based authorization policy to be enforced in the outer OSB tier, the oracle/binding_authorization_permitall_policy was cloned to myfirm/authorize_IdentityGroup. That policy was defined to apply to endpoints and once saved, appeared in the GUI of the Service Bus console to assign to the proxy service for the service being implemented. A second component policy named myfirm/componentauthorize_IdentityGroup was cloned from oracle/component_authorize_permitall_policy to perform the group authorization at the SOA layer.
A different issue is being encountered configuring the OSB business service to forward the OWSM headers from the outer proxy service to the SOA service so the authorization succeeds at the inner layer but that's a different problem. With the SOA layer authorization policy disabled, client tests to the proxy service function correctly with a userid in the myfirmIdentityGroup group and generate an authorization failure when another client credential is used that does not belong to myfirmIdentityGroup.