ISE Identity Group Assignment
I need to avoid a large set of devices to get access to Internet through the Wireless Guest Service. I had made some test and know I can block a MAC address through the Policy Authorization (If Blacklist then DenyAccess).
In order to blacklist a large set I would like to import the MAC list and include in the CSV the Identity Group Assignment. It appears it is not possible ... I can have an easy way to change the Identity Group Assignment instead of one by one?
Regards.
Daniel Escalante.
Additional Information and Question:
Currently my Authorization Policy has this:
The result is that any user trying to acesss the Guest Service can see the Guest Portal, introduce Credentials and if they are valid, the AUP is displayed, after that if the device is in the Blacklist, service is denied and the Guest Portal is displayed again, but any message about the situation is indicated to the user. I wonder if I can generate a message and even avoid the AUP if the device is in the blacklist.
Any comment will be greatly appreciated.
Regards.
Daniel Escalante
Similar Messages
-
ISE Endpoint Identity Group assignment for 802.1x clients
Hello
I'm using ISE 1.3 to 802.1x authenticate AD PC's (machine and user with Anyconnect NAM) and to profile/mab IP Phones, printers, APs etc.
Phones are profiled (EndPointSource of SNMPQuery Probe) and are placed automatically in the correct Identity Group.
AD PC's aren't profiled and are listed under Endpoints withthe Enpoint Profile of "unknown"
To place AD PC's into a particular Identity Group, I created a Radius Profiling Policy to match on the Framed-IP-Address. This works well with the AD PC appearing in the correct Identity Group (with EndPointSource of RADIUS Probe).
My questions are:
A phone (profiled with EndPointSource of SNMPQuery Probe) consumes a Plus licence but an AD PC ("profiled" with EndPointSource of RADIUS Probe) does not - is this correct?
Authenticated 802.1x AD PC's have other attributes (like AD-Host-Resolved-DNs) that I'd like to use to assign PC's to an Identity Group. I can't use these attributes with any of the ISE profilers - is there a way to assign an 802.1x authenticated client to an Identity Group at the authorisation stage rather than use the profiler?
Thanks
AndyErr, no. There is no provision in EAP-TLS, PEAP (CHAP), or even basic EAP to provide network information (eg IP address/mask/gateway/DNS/etc).
There is also no provision in Windows 2k or XP interface management software to accept IP details for interface configuration via any wireless authentication protocol.
peter -
Static Identity Group Assignment
Does anyone know a way to bring in an endpoint with the following attributes?
Endpoint Policy Name Static = True
Static Group Assignment Static = True
The 1.2 manual says;
If the file used for import contains endpoints that have their MAC addresses, and their assigned endpoint profiling policy is the static assignment, then they are not re-profiled during import.
To change a dynamic assignment of an endpoint identity group to static, check the Static Group Assignment check box. If the check box is not checked, then the endpoint identity group is dynamic as assigned by the profiler based on policy configuration.
Statically Profiled Endpoints
An endpoint can be profiled statically when you create an endpoint with its MAC address and associate a profile to it along with an endpoint identity group in Cisco ISE. Cisco ISE does not reassign the profiling policy and the identity group for statically assigned endpoints.
A) Does anyone know a way to import from an LDAP database and maintain the Static Group Assignment = True.
I successfully do an LDAP import of the MAC and Endpoint Group (which comes in as True) but the Static Group Assignment has the Endpoint Group Assignment correct but static is false unchecked. I don't want these profiling any more. These are thousands of endpoints and I do not see any way to do a bulk change. I have tried exporting and re-importing but that doesn't really scale.
B) Would creation of an endpoint group that is not part of the Profiled endpoint group change the behavior I see above when I do my LDAP import?
If there were a way to do the bulk selection and change the static property or the Static Group Assignment that would be of huge benefits. The changes apply to the fields selected within the endpoints while maintaining the MAC property of the endpoint.
Thanks in advance for any suggestions.James,
That is possible but do you have the dhcp probe enabled and have you thought about setting up an ip helper statement or assigning the ISE node as one of the dhcp servers on the WLC?
There is a built in check such that if the dhcp class identifier contains MSFT will profile the endpoint as a windows workstation.
However if this is not the case then you can create the following condition under the Policy Elements > Conditions > Profiling > New Profiler Condition, you will use the create (advanced...) then select NMAP > 135-tcp > then set the operator EQUAL to msrpc.
Then go under the Microsoft-Workstation and select the option to create a matching identity group (its much easier rather than using the heirarchy option) and set the certainity factor 30. Then add this new condition and set the certainity to 30 also.
Hope that helps,
Thanks,
Tarik Admani
*Please rate helpful posts* -
ISE Identity Groups in AuthZ Policy
So we all know we can leverage identity groups in authorization policy, can we leverage two of them ? I tried building a compound condition that uses an identity group (MAB) along with another identity group (User) and can not get the policy to hit..Thoughts?
I doubt that, as far as i can tell with ISE, when you are being authenticated either by mab or by a user/pass with ex PEAP, your identity is established as either, not both, and the identity is what gets compared to identity groups.
-
ISE 1.2 Multi-Portal Identity Group Mapping
Hi,
Quick question regarding the use of Multi-Portal on ISE 1.2: Is it possible to map a single portal to a certain identity group? e.g. I have a portal for guest users, to which only users in the "ACME_guests" identity group can authenticate. I have a separate Portal for employees, where only users of the "ACME_employees" group can authenticate.
I know that I can specify a separate authentication sequence for each portal (e.g. internal, guests, AD), but I cant find a possibility to map a group to a certain portal. This has the consequence that e.g. guest users can log into the employee portal, and getting a successful authentication message. Of course I can further restrict the access in another policy rule, but this isnt a very neat solution.
Anybody have any ideas? It seems so basic that it has to be possible somehow?!
RegardsYou can redirect users so they can "stick" to one portal once they have successfully authenticated. There is a document regarding device registration web authentication. Basically after a user connects successfully you can redirect them to an AUP specially designed to statically assign users to a specific endpoint identity group.
In the end if a user logs into portal A they hit the DRW and accept, ISE dumps them into a endpoint group called PortalA, you can then tie this into a policy where the PortalA endpoint is denied association to any other open ssid you have in your design.
Here is the document -
https://supportforums.cisco.com/docs/DOC-26667
Tarik Admani
*Please rate helpful posts* -
Hello,
in the old ISE 1.2 my guest users (created by the sponors portal) where put into a own created identity group called RU2_id_grp.
How can I realize this on ISE 1.3. In ISE 1.3 the users fall always into the GuestType_Group which was created by the ISE.
I need the sepearete groups for my authorization policy.
Regards
filipOK, then DESELECT the option above and do this:
Navigate to Guest Access > Settings > Guest Locations and SSIDs. Enter the locations to which your sponsors will assign guests:
Remember to Save.
Now to Guest Access > Configure > Sponsor Groups. Click Create:
Once you place your cursor in the text box for Select the locations that guests will be visiting, you will see the locations you created in the last step.
Now assign the User Group to be associated with this Sponsor Group by clicking the Members... button:
Click OK, then Save.
This should do it for you.
Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question. Otherwise, feel free to post follow-up questions.
Charles Moreton -
ISE 1.2: Remove unused Sponsor Group and Identity Group
Hi
I started with ISE 1.1.2 and now upgrade to 1.2.
There are 1. Sponsor Groups and 2. Identity Groups which are no more in use, but I am not able to remove them anymore.
1. One is a special Sponsor group which sponsor group policy I already removed. The I go to Aministration>Web Portal Management>Sponsor Groups and select the appropriate Group ans click delete and ok to confirm, the following error is displayed:
com.cisco.cpm.nsf.api.exceptions.NSFEntityDeleteFailed: java.rmi.RemoteException: Failed to execute the Query : DELETE_USERONAPP ORA-02292: integrity constraint (CEPM.EDF_GST_SPGRPID_SUB) violated - child record found ; nested exception is: java.sql.SQLIntegrityConstraintViolationException: ORA-02292: integrity constraint (CEPM.EDF_GST_SPGRPID_SUB) violated - child record found
2. The same happens with one Identity Group. I do not have it active anymore. Not in authentication, and not in authorization policy. I go to Administration>Identity Management>Groups> and select te group to remove, and click "Delete selected" and confirm with ok, the following error occured:
Cannot delete selected Identity Group(s) because there are resources which are mapped to these or its child identity group(s)
Is there any reason for any of these issue?
Many thanksHi ,
Please open service request with cisco. These kind of issues may happen when the dependencies are deleted from UI but there is a chance that some of the dependencies may not be deleted completely and are not visible from UI as well. These kind of issues can be resolved under cisco guidance.
Thanks,
Naresh -
Cisco ISE: How to match an endpoint belong to an identity group ?
Hello,
I am running Cisco ISE 1.1.4.218 in a standalone environment.
I am trying to setup Compound Condition for Authorization.
I would like the condition to match the MAC address of the calling machine to the internal endpoint MAC address list.
I created 1 endpoint identity group and 2 children groups
- GroupParent
- ChildA
- ChildB
I put the MAC address of my machine in the group ChildA.
In my condition, I tried the following:
IdentityGroup:Name, Equals, ChildA
IdentityGroup:Name, Equals, GroupParent:ChildA
IdentityGroup:Name, Match, .*(ChildA).*
I even tried to put the MAC address in the GroupParent level and tried to update the condition to be:
IdentityGroupName, Equals, GroupParent
IdentityGroupName, Match, .*(GroupParent).*
But no one of these options worked.
I am almost sure that in Cisco ISE 1.1.1, it was working fine. But I updated today to 1.1.4 and I cannot make it work.
Can anyone help me ?
Best regards,
DavidYou could try the following to match only the parent group
IdentityGroup:Name EQUALS GroupParent
You could try the following to match only child group A
IdentityGroup:Name EQUALS GroupParent#ChildA
You could try the following to match all child groups of GroupParent
IdentityGroup:Name STARTS_WITH GroupParent
Please rate if this helps -
ISE 1.1.1 - RegisteredDevices Identity Group
Working on building a ISE 1.1.1 system to match our internal security policies, and have hit a dilemma. Here goes:
The requirement states that there need to be differing network authorization profiles for different device types: Domain PCs, Non-Domain Workstations, iPads, and iPhone/Android Phones. Also, all (other than IP Phones and printers) endpoints must be self-registered by the user (My Devices workflow in CWA) who operates them so they appear in the My Device Portal.
In the authorization rules, there appear to be no way to create a authorization rule to match a "profiled workstation" AND a "registered device".
This is because within ISE, any endpoint that is "registered" joins the RegisteredDevices Identity Group, and is no longer a part of the configured indentity group created by the profiling system. For instance, a profiled Win7-Workstation is a member of the profiler-created Workstation IG until it is registered, then it becomes a member of the RegisteredDevices Identity Group.
So basically, it appears ISE does not support per-devicetype(from profiler) authorization rules *while also* supporting device registration ("My Devices").
Or am I missing something?Here is a screenshot of the rule in question:
and here is the breakout of the Compound condition called WorkstationOSs, based on your recommendation:
Without this compound condition, the authorization is matched. With it there, it is not matched, even though the endpoints are profiled as such. -
ISE 1.2 - Match Policy Set based on endpoint identity group?
Hello, I would like to create a condition that would force MAB'd clients to hit a certain policy set if their MAC address matches one in an endpoint identity group? Is this possible? I feel like a condition can be created using a combination of attributes, but I cannot seem to hit on it properly. Thanks.
The cleanest way to to this would be to dedicate:
1. (Wired) A test switch where all of your test devices are connecting. You can then build a policy set that matches against that NAS.
2. (Wireless) A test SSID and/or a controller (virtual or 2504). You can then build a policy set that is dedicated to that SSID
Thank you for rating helpful posts! -
ACS 5.3 Authorization problem with using Identity Groups in Access Policy Rule
Hello guys, I am found a problem which I can't solve regarding authorization with using Identity Groups in Access Policy rule.
ACS version: 5.3.0.40.6 (internal build B.839)
I have very simple RADIUS Authorization rule which authorize user on behalf of right Identity Group.
Requested Identity Group exist
Testing user is created in Internal Users and has assigned requested Identity Group
Radius Access Policy:
Authentication against Identity Store Sequence, where authorization server is external RSA SecurID device and additional attributes retrieval is configured from Internal Users.
Authorization is very simple – One Rule with only one Condition which is: Identity Group - in - Requested_Testing_Rule. Then Default rule is set to Deny.
When I will try login with my testing user then authentication against RSA SecurID is OK, but authorization will be denied by Default rule – It looks like my Rule with Identity Group is totally omitted.
I am managing several other ACS servers (version 5.3 but with older patches) where similar rules are working without problem.
What I am tested:
Remove testing user and create his account again.
Rename Identity Group
Use another Identity Group
Remove Access Policy rule and create it again
Use Compound Condition: System:Identity Group
Use Compound Condition: System:UserID instead of Identity Group in Rule (it is working without problem)
Do you have any idea where problem can be?OK guys, it started working yesterday without any configuration change. Maybe it was some database inconsistence wich was solved by ACS itself.
-
AuthZ Policy using specific Endpoint Identity Groups
I am trying to create an AuthZ policy that will identify if a device is in specific Endpoint Identity Group. See policy below.
I used the IdentityGroup:Name attribute Equals the Identity Group MAB_Devices. Please note that there are NO Identity groups listed in the dropdown options, so I typed in the name. Alas, the rule is not working. Anyone have advise on what I am doing wrong? ThxBransomar, your screenshot is an Authentication policy rule but you should do it in Authorization policy. Authentication policy sorts out requests by request method and origin and assigns an identity store to each.
-
Effective start and end dates for roles/group assignment
Hi,
Does Access Manager (in legacy or realm) mode support effective start date/end date on a role/group assignment on a user?
Thanks,
SrinivasHi Ankush,
I am also of the same opinion. Start and end dates can probably be enforced by a policy condition in AM but would lead to proliferation of policies as we would end up creating policies per role entitlement duration for a user.
Any thoughts on whether the sunrise/sunset concept of Identity Manager can be used for this requirement.
Thanks,
Srinivas -
Hi,
is there any way to generate a report in ISE, to see what devices the users using ?
I understand we can do it from search function, but this is a manual effort and can't be scheduled..
from search function we can search the username and it will show the endpoints that the user is using
From the report function,
I can only get this data for registered device but not for those devices that's just using 802.1x without supplicant provisioning flow
same thing for guests, since they're using web authentication..
does this mean that we can only generate report for personal devices that the staff are using but not the corporate devices itself?I doubt that, as far as i can tell with ISE, when you are being authenticated either by mab or by a user/pass with ex PEAP, your identity is established as either, not both, and the identity is what gets compared to identity groups.
-
Deprovisioning AD Group Assignment fails when setting MX_INACTIVE
Hi,
IdM 7.1 SP5 Patch Level 2
We have an Identity which has some AD Group privileges assigned to it via a role. So these privileges exist as MX_AUTOPRIVILEGE attributes on the identity.
If we remove the role, the privileges are removed and the SAP provisioning framework task DeprovisionADSGroupAssignment works ok.
If we set MX_INACTIVE, de-provisioning is triggered for each repository but the task DeprovisionADSGroupAssignment fails because it cannot determine the DN for the AD groups from the privilege master records.
My analysis so far has deduced the following:
The SAP provisioning framework task DeprovisionADSGroupAssignment uses a javascript sap_getGroupDN to determine the DN value for the ad group. It uses the audit record's UserId field to determine which old_id to read from the MXIV_OENTRIES table. The audit record UserId has the format: e.g. #15:DELETE;0;205081 i.e. attribute 15 on our system is (MX_AUTOPRIVILEGE), the operation is DELETE, the checksum is 0 and the OldValuesId is 205081.
From there the script uses the mskey of the privilege to look up the DN<repository name> attribute on the privilege master. This DN is then used in the To LDAP pass to remove the identity from the AD group.
So unless you actually remove the privileges from the identity, the values don't exist in the MXIV_OENTRIES table and therefore, the script cannot find the mskey for the privilege and therefore cannot get the DN.
Does anyone know if setting MX_INACTIVE is supposed to remove roles and privileges before triggering de-provisioning or how this is designed to work?
Has anyone else de-provisioned AD accounts and groups by just setting MX_INACTIVE?
Edited by: Paul Abrahamson on Dec 3, 2010 5:54 PMWe've now set up a scheduled job to pick up all users which should be made inactive on a given day and this job first removes roles and privileges (triggering de-provisioning of AD groups because the privileges are removed) and then after a while sets the MX_INACTIVE attribute.
Incidentally I also found this [SAP Note 1540835 - LDAP group assignment fails due to ambiguous bchecksum |https://service.sap.com/sap/support/notes/1540835] which 'corrects' some logic in the sap_getGroupDN global script - it now uses context variables instead of reading the MXIV_OENTRIES table etc...
Maybe you are looking for
-
Visited a secure site to renew my membership, but there was no indication on FIREFOX WINDOW that the site was secure. Whereas, when using Internet Explorer the usual padlock symbol was displayed.
-
Email Notification: Unable to connect to smtp server
Hi, I am working on SOA 11g. Jdeveloper version 11.1.1.5.0. I am trying to send an email. I have done all required configurations such as: 1) Mail Access Protocol = IMAP 2) Outgoing Mail Server = smtp.companyname.com 3) Outgoing Mail Server Port = 25
-
I just updated pages, I can't count the amount of words with space anymore. Can anybody help me?
I just updated pages, I can't count the amount of words with space anymore. Can anybody help me?
-
Launching full screen movie (not projector) from a standalone
Hi. I'm developing a standalone projector (for use on a DVD) that will automatically start playing a progressive movie within a smaller window in the projector. I want to give the viewer the option of viewing the movie (not the projector) fullscreen.
-
in FBZP, we assign payment advice form, but we need to send payment advice by email, we have maintained email in vendor master, what else do we need to configure?