ISE - External Identity Source (AD Groups)

Assume there are no groups populated in this bucket (Identity Management -> Active Directory -> Groups). Does ISE just check if the user is in AD and allow them on? I have clients authenticating that aren't part of the single group I added to this bucket.
This is why I ask...
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

Yes, you understood it right. Let me add a little more explanation.
Group retrieval for authorization
You can use the AD group data in the authorization and group mapping tables and introduce special conditions to match them against the retrieved groups.
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.4/user/guide/users_id_stores.html#wp1170416
Once you've selected the groups under
Users and Identity Stores >
External Identity Stores >
Active Directory > directory groups
The same groups will start appearing under the below listed screen shot. From there you will see 2 options, any / all, like an or / and condition. Based on user membership the authorization role can be assigned.
~BR
Jatin Katyal
**Do rate helpful posts**
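As an added illustration (not Cisco code and not from anyone in this thread), the Python below models the split Jatin describes: AD authentication alone admits any valid account, and only an authorization rule conditioned on groups added to ISE, matched with any (OR) or all (AND), narrows access; the any rule also shows the old-name-or-new-name OR condition used later in the thread for renamed groups. All users, passwords, groups and profile names are constructed.

```python
"""Toy model of the ISE behaviour discussed in this thread (added example).

AD authentication only proves that the account and password are valid; group
membership matters only once an authorization rule is conditioned on groups
that were added to the ISE group list, matched "any" (OR) or "all" (AND).
All users, passwords, groups and profile names are constructed sample data.
"""
from dataclasses import dataclass

# Constructed sample directory: user -> (password, AD groups of that user)
AD_USERS = {
    "alice": ("Secret1!", {"Domain Users", "Helpdesk"}),
    "bob":   ("Secret2!", {"Domain Users", "Helpdesk users"}),
    "carol": ("Secret3!", {"Domain Users"}),
    "dave":  ("Secret4!", {"Domain Users", "Contractors", "Helpdesk"}),
}


@dataclass(frozen=True)
class Rule:
    name: str
    groups: frozenset   # groups selected in the rule condition
    match: str          # "any" (OR) or "all" (AND)
    profile: str        # authorization profile returned on match


def authenticate(user: str, password: str) -> bool:
    """Step 1: AD authentication. Success says nothing about groups."""
    entry = AD_USERS.get(user)
    return entry is not None and entry[0] == password


def retrieved_groups(user: str, configured: frozenset) -> frozenset:
    """ISE only exposes to policy the groups that were added under
    External Identity Stores > Active Directory > Groups."""
    return frozenset(AD_USERS[user][1]) & configured


def authorize(user: str, configured: frozenset, rules, default: str) -> str:
    """Step 2: first matching rule wins; otherwise the default rule applies."""
    groups = retrieved_groups(user, configured)
    for rule in rules:
        if rule.match == "any" and rule.groups & groups:
            return rule.profile
        if rule.match == "all" and rule.groups <= groups:
            return rule.profile
    return default


def decide(user, password, configured=frozenset(), rules=(), default="DenyAccess"):
    if not authenticate(user, password):
        return "AuthFailed"
    return authorize(user, configured, rules, default)


def open_policy(user, password):
    """The situation in the question: no groups added, default rule permits,
    so every valid AD account gets on regardless of membership."""
    return decide(user, password, default="PermitAccess")


# Restricted policy: groups added to ISE, an "all" rule, then an "any" rule
# whose OR condition also covers a renamed group (old and new name), default deny.
CONFIGURED = frozenset({"Helpdesk", "Helpdesk users", "Contractors"})
CONTRACT_RULE = Rule("ContractorHelpdesk",
                     frozenset({"Helpdesk", "Contractors"}), "all", "Restricted")
HELPDESK_RULE = Rule("Helpdesk", frozenset({"Helpdesk", "Helpdesk users"}),
                     "any", "Helpdesk-Profile")


def group_policy(user, password):
    return decide(user, password, CONFIGURED, (CONTRACT_RULE, HELPDESK_RULE))


if __name__ == "__main__":
    for u, pw in [("alice", "Secret1!"), ("carol", "Secret3!"), ("dave", "Secret4!")]:
        print(u, open_policy(u, pw), group_policy(u, pw))
```

With the open policy carol (no matching group) is permitted; with the group-conditioned rules and a default deny she is rejected while alice and bob match the OR rule.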

Similar Messages

  • Multiple AD External Identity Sources in ISE 1.2

    First I guess is it possible to have multiple AD entries for External Identity Sources in ISE 1.2? When I display Active Directory (AD1) it displays my four ISE servers with a status of connected but I see nowhere to add anything additional. I did not originally set this up so I figure I am missing something somewhere if this is possible. I thought maybe add under LDAP and then it would roll into AD or something but I have nothing listed under LDAP either.
    What I am trying to do is figure out how to have ISE cover our two different domains. We have one big forest but currently that is split into two AD domains based upon our two divisions. I am trying to see if possibly I can simply get through the existing configuration to pull security groups from the other domain into the dictionary but so far that has proven not doable.
    Brent

    Saurav,
    I was beginning to think that might be the solution. Now I just need to go through the release notes and make sure there are no issues with it running on ACS-2111 appliance. We are currently using this as the secondary Admin but knew we would have to move off something. I think management is hoping later than sooner especially since we are still in that initial roll out phase.
    How does the system handle the fact that this is all centralized but I have users authenticating from the different time zones? I have been reading about everything pointing to the same NTP server but took that to simply be the servers in the ISE Cluster. Will this also impact all the switches and network devices involved in the authentication process?
    Brent

  • External Identity Sources, binding RSA securID to ISE

    Hi all,
    Say my topology was using ISE doing VPN inline posture, and binding RSA SecurID (version 7.1) as an external Identity Source.
    During the deployment, in order to let my iPEP node join the Policy Service Node, for the certificate I am using a third party CA server (Windows Server 2008 R2) as the root CA; both of these 2 ISE nodes were mutually authenticated and done.
    My question: as I am using RSA SecurID as an external identity source, by native behaviour, will the ISE trust RSA with no identity certificate signed by the identical root CA?
    Should I enroll this RSA appliance by issuing a CSR to the CA server to sign, in the PKI environment? Is there a need for this?
    Thanks
    Noel

    Noel,
    From my experience when integrating with the RSA token server you need the sdconf.rec file exported from the RSA and you import that into the ISE configuration. You then select this identity store with your authentication policies for VPN users. There isn't a need for any certificates when integrating with a token server (that was the last time I checked) and even if there were, they would just need to trust each other's certificates.
    I hope that helps!
    Sent from Cisco Technical Support iPad App

  • ISE and no External Identity Source

    I have this particular case in which I need to make authentications for users in ISE without Active Directory/LDAP etc.
    I would like to have some kind of MAC to USER binding where the user would not be able to add more devices to the network. I know EAP chaining using AnyConnect is a way of achieving this but then again I can only see it using AD or some kind of external database. Also printers, wireless and phones are in the map. I tried using MAB and CWA for this but do not want to have the users be able to self register their devices as if they were guests.
    EAP chaining without AD??? Possible?
    Any hope?
    Thank you

    Someone else can chime in here but I don't think it is possible to perform EAP-Chaining with the internal database of ISE. With that being said, feel free to read the EAP-TEAP IETF doc :)
    http://tools.ietf.org/html/draft-ietf-emu-eap-tunnel-method-01

  • ISE is unable to retrieve groups and attributes

    Hello guys,
    I have Cisco ISE installed on ESXi in a lab. I was able to join the ISE server to my test Active Directory server, and under the OU=Computers, I can see my ISE hostname.
    However, when I go to Administrator > External Identity Sources > Active Directory > Groups > Add > Select Group from Directory:
    I have my domain entered in the Domain box and an * for the filter. When I click the "Retrieve Groups" button, I always receive "Number of Groups Retrieved: 0 (Limit is 100)"
    It seems like ISE is unable to retrieve the groups that I have on my AD. I checked the status of my ISE server and it says that it is still connected to the domain. When I search for attributes, it keeps saying that the user is not found.
    I disabled my AD's firewall and am still getting the same results. I ran the detailed test connection, and it was a success and the port connections are all good. At this point, I am pretty much stuck.
    Any help would be greatly appreciated.
    Thanks

    I am sorry Jatin. I have another question. I am working on a Motorola RFS7000 WLC and Cisco ISE v1.1.1.
    I am not sure if I should create a new thread about the new issue I am having now. I have successfully added my RFS controller and one AP7131 to ISE Network Devices. And I am able to log in to these devices using my AD account. However, it is not allowing me to manage these devices. I believe I am at exec mode. I SSH to my RFS and I can't even get to enable mode.

  • ISE Admin Access Authentication against multiple AD/LDAP Identity Sources

    Hi all!
    We would like to grant admin access to our ISE deployment to users stored in multiple Active Directories. Since there is no trust relationship between these ADs, we created an LDAP Identity Source for each AD and also an Identity Source Sequence, but in the UI we can only select one Identity Source.
    Any ideas how to solve this problem?
    Thanks in advance!
    Kind regards,
    Michael Langerreiter

    I did check in my lab and yes, for admin access we can't select an identity store sequence in authentication. We can only pick one external database. However, on the login page you may select the appropriate database before you enter the username and password.
    Jatin Katyal
    - Do rate helpful posts -

  • Renaming AD group used in external identity store

    Hello,
    There is a need to rename some of the Active Directory groups mapped to an external identity store on our ACS 5.4 server. Has anybody ever done this? Does the ACS server just magically pick up on the renamed group or do we need to manually remove the old group name and re-add the new group name to the identity store? If so, does that mean we need to modify all the rules associated with that group?
    Thanks, just trying to figure out how much work this is going to be.

    Hi,
    AFAIK you would have to remove the policies associated with those groups, remove the old groups, add the new groups and create the policies.
    You can however just create the new groups in the Active Directory, add the groups in the ACS and, using the AD group 'OR' condition, just add the new groups in the Policy.
    E.g. if your old group name is "Helpdesk" and you would like to change it to "Helpdesk users", you can create the new group in the AD, add the group in the ACS and in the policy just select if the user is part of either "Helpdesk" or "Helpdesk users" --> apply the policy.
    This way you would be able to save some of your time.
    Regards,
    Kush

  • Is LDAP or AD as a external identity store recommended in ISE implementation for machine authentication

    Hi Experts,
    I have a question about External identity store integration in ISE. I had a chance to go through the Cisco doc for ISE configuration, especially for the external identity store.
    There are two ways to configure an external identity store.
    1) AD
    2) LDAP
    Which one is actually recommended? Technically, which one would be convenient to configure to set up machine authentication? Do we have any limitation in terms of functionality in either one?

    Hi Leo,
    It's not a duplicate post. I have created one more post, which you have linked; that is for client policy enforcement. I want to understand how certificates will be pushed to the client.
    This post is to understand the LDAP & AD integration with ISE.
    I have a requirement where the client is asking to integrate the machine database using LDAP.
    I am quite new to LDAP integration; that is the reason I have created this discussion.

  • Open Source News group in java

    Hi all
    Not sure where to post this. I am looking for an open source news group, one similar to the Java forums, where users can post comments on my application and stuff. Is there anything of such kind which is open source so that I can save time rewriting a similar one? I googled and tried some other sites but attempts were in vain.
    thanks,
    Sree

    DrClap,
    I see what you are saying but I don't think my company allows me to do that since it's an in-house tool and I don't have much idea about how confidential they might consider posting things on an external server. So I'm planning, if I could get an open source project or library which does that, I could provide the space and stuff needed for it to work.
    thanks
    Sree

  • AD -vs- LDAP for external Identity store in ACS

    Is there a difference in using AD versus LDAP in a Windows environment for an Identity Store? We are in the process of setting up the ACS 90 eval and I noticed you can set up either AD or LDAP or both as an external identity store. Are there advantages or disadvantages for one over the other?

    Suggest going to "Monitoring & Reports > Reports > Catalog > AAA Protocol".
    Select TACACS Authorization and see the authorizations that occurred today.
    If you click on the details icon you should be able to see the actual LDAP groups that were retrieved in processing the request and so can see that the format/contents matches that which you entered.

  • BAM external data source

    We have around 400k records on which we want to build reports, and in our initial approach we are planning to store the data in external tables and use an external data source. For the POC we created external tables and a data source with around 55k records and some basic reports which used sum to group the data. For some reason this report won't load and we don't see any exceptions in the logs. In the database session we can see the query it's executing, and when we run the same query from SQL*Plus, it returns data in less than 1 sec. So we are unsure what the issue could be.
    We are looking for some pointers on what we should look for and how we can resolve this issue. Also if there is any way to specify JDBC connection pool properties.
    Thank you

    BAM is not for reporting purposes. It is ONLY for dashboard purposes. BAM itself has a few overheads, so the response is not only dependent on query execution.
    Try creating only an updating list with no conditions. Check if it is working, then go for complex reports with conditions.
    Regards,
    Vikrant Korde.

  • Unable to add external data source in BAM : Error ORA-12505

    Hi,
    In BAM,
    I'm trying to add an external data source for creating a data object.
    But when I try to test the connection I get the following error:
    Listener refused the connection with the following error: ORA-12505, TNS:listener does not currently know of SID given in connect descriptor
    Source: "java.sql.SQLException: Listener refused the connection with the following error: ORA-12505, TNS:listener does not currently know of SID given in connect descriptor "
    Listener refused the connection with the following error: ORA-12505, TNS:listener does not currently know of SID given in connect descriptor
    Source: "oracle.net.ns.NetException: Listener refused the connection with the following error: ORA-12505, TNS:listener does not currently know of SID given in connect descriptor "
    As mentioned in another post (Listener does not currently know of SID given in connection descriptor)
    I tried
    lsnrctl stop
    delete listener.ora
    lsnrctl start
    lsnrctl reload
    But still get the same error.
    I'm able to access the database with the specified username and password using sqlplus.
    Your help will be appreciated.
    Regards
    Vignesh Ramanathan

    For #5, not Windows, ConfigMgr 2012 R2. Anything before ConfigMgr 2012 R2 is not supported for the 8.1 ADK.
    For the permissions, what accounts are you setting this for. In general, if the share is on the same server, Everyone Full or Read on the Share and System Full or Read on the NTFS should work.
    For the error message, it looks like you are trying to import an OS Image and not an OS Install Package. OS images use a WIM file and OS Install Packages use the entire set of source files from the media. For OS images, you must thus explicitly point it
    to a specific WIM file.
    Jason | http://blog.configmgrftw.com

  • Excel SSAS Tabular error: An error occurred during an attempt to establish a connection to the external data source

    Hello there,
    I have an Excel report I created which works perfectly fine on my dev environment, but fails on my test environment when I try to do a data refresh.
    The key difference between both dev and test environments is that in dev, everything is installed in one server:
    SharePoint 2013
    SQL 2012: Database Instance, SSAS Instance, SSRS for SharePoint, SSAS POWERPIVOT instance (Powerpivot for SharePoint).
    In my test and production environments, the architecture is different:
    SQL DB Servers in High Availability (irrelevant for this report since it is connecting to the tabular model, just FYI)
    SQL SSAS Tabular server (contains a tabular model that processes data from the SQL DBs).
    2x SharePoint Application Servers (we installed both SSRS and PowerPivot for SharePoint on these servers)
    2x SharePoint FrontEnd Servers (contain the SSRS and PowerPivot add-ins).
    Now in dev, test and production, I can run PowerPivot reports that have been created in SharePoint without any issues. Those reports can access the SSAS Tabular model without any issues, and perform data refresh and OLAP functions (slicing, dicing, etc).
    The problem is with Excel reports (i.e. .xlsx files) uploaded to SharePoint. While I can open them, I am having a hard time performing a data refresh. The error I get is:
    "An error occurred during an attempt to establish a connection to the external data source [...]"
    I ran SQL Profiler on my SSAS Server where the Tabular instance is and I noticed that every time I try to perform a data refresh, I get the following entries:
    Every time I try to perform a data refresh, two entries under the user name ANONYMOUS LOGON.
    Since things work without any issues on my single-server dev environment, I tried running SQL Server Profiler there as well to see what I get.
    As you can see from the above, in the dev environment the query runs without any issues and the user name logged is in fact my username from the dev environment domain. I also have a separated user for the test domain, and another for the production domain.
    Now upon some preliminary investigation I believe this has something to do with the data connection settings in Excel and the usage (or no usage) of secure store. This is what I can vouch for so far:
    Library containing reports is configured as trusted in SharePoint Central Admin.
    Library containing data connections is configured as trusted in SharePoint Central Admin.
    The Data Provider referenced in the Excel report (MSOLAP.5) is configured as trusted in SharePoint Central Admin.
    In the Excel report, the Excel Services authentication setting is set as "use authenticated user's account". This works fine in the DEV environment.
    Concerning SecureStore, PowerPivot Configurator has configured the PowerPivotUnattendedAccount application ID in all the environments. There is NO configuration of an Application ID for Excel Services in any of the environments (Dev, test or production). Although I reckon this is where the solution lies, I am not 100% sure as to why it fails in test and prod. But as I read what I am writing, I reckon this is because of the authentication "hops" through servers. Am I right in my assumption?
    Could someone please advise what I am doing wrong in this case? If it is the fact that I am missing a Secure Store entry for Excel Services, I am wondering if someone could advise me on how to set it up? My confusion is around the "Target Application Type" setting.
    Thank you for your time.
    Regards,
    P.

    Hi Rameshwar,
    PowerPivot workbooks contain embedded data connections. To support workbook interaction through slicers and filters, Excel Services must be configured to allow external data access through embedded connection information. External data access is required for retrieving PowerPivot data that is loaded on PowerPivot servers in the farm. Please refer to the steps below to solve this issue:
    In Central Administration, in Application Management, click Manage service applications.
    Click Excel Services Application.
    Click Trusted File Location.
    Click http:// or the location you want to configure.
    In External Data, in Allow External Data, click Trusted data connection libraries and embedded.
    Click OK.
    For more information, please see:
    Create a trusted location for PowerPivot sites in Central Administration:
    http://msdn.microsoft.com/en-us/library/ee637428.aspx
    Another reason is Excel Services returns this error when you query PowerPivot data in an Excel workbook that is published to SharePoint, and the SharePoint environment does not have a PowerPivot for SharePoint server, or the SQL Server Analysis Services (PowerPivot) service is stopped. Please check this document:
    http://technet.microsoft.com/en-us/library/ff487858(v=sql.110).aspx
    Finally, here is a good article regarding how to troubleshoot PowerPivot data refresh for your reference. Please see:
    Troubleshooting PowerPivot Data Refresh:
    http://social.technet.microsoft.com/wiki/contents/articles/3870.troubleshooting-powerpivot-data-refresh.aspx
    Hope this helps.
    Elvis Long
    TechNet Community Support

  • Sharepoint 2013 Excel External Data Source Refresh Issue

    I have been facing this issue for quite some time now. I have created an Excel sheet in Excel-13 and have imported data from an external data source [SQL Server 2012].
    Everything is working fine with the Excel sheet on the desktop. Data refreshes every time I open the Excel file and also at regular intervals that I have configured in the data source properties.
    The problem begins when I save that Excel sheet on my SharePoint server. The issues that I am facing are:
    1. Changes made into the original data source are not reflected immediately inside the Excel sheet inside the browser. After 5-10 minutes, it reflects the changes.
    2. The data doesn't refresh automatically. After I update my data inside the SQL Server table, I have to manually trigger the refresh of the data connection when viewing the Excel sheet inside the browser, even though I have marked "Refresh when opening the file", and refresh every 1 minute inside the Excel sheet. Any solutions??
    I have been troubled a lot by this issue, and seek some quick solution. Any help here??

    I found the solution finally, myself.
    Issue 1: It's going to take at least 5 minutes to refresh the data connection; that is generally not a big time span.
    Issue 2:
    --> Set your connection to refresh every time the file is opened. Go to Internet Explorer -> File -> Internet Options -> General -> Browsing History -> Settings -> Check for newer versions of stored pages... Check 'Every time I visit the webpage'.
    Now every time I update my original data source, I wait for 5-10 minutes and refresh my web page containing the Excel sheet. The contents of the Excel sheet are updated as desired.

  • Is there a MagSafe 2 compatible portable external power source for the retina display MacBook Pro?

    I’m using a retina display MacBook Pro with the MagSafe 2 connection. I would like to have a portable external power source to extend the use of my laptop on long field trips where I am away from power sources. Swapping batteries is not an option for this generation of MacBook Pros. There seem to be many options for PCs and even iPhones/iPads/iPods but the MagSafe 2 connection seems to be the issue. I saw one link that suggested buying an Apple MagSafe 2 power adapter and performing surgery on the power cord (using components provided by the vendor) so that the adapter would run on their back up battery. I was hoping for a more esthetically pleasing solution. Any suggestions? Does this product exist and I just missed it? Clearly, if a MagSafe(1) compatible external battery existed I could adapt that using the MagSafe to MagSafe 2 converter.

    Sparon,
    I wouldn’t recommend using an underpowered AC adapter with your MacBook Pro. It sounds as though the best solution would be to get a different laptop bag with a sufficiently large side pocket.
