ISE Selecting wrong authorization profile

Hi,
We are testing ISE in a wired environment.
We have set up two authorization profiles called AD_Machine and AD_User as recommended in the Trustsec 2.0 doc.  The AD_Machine policy has a condition set on it to look at the AD External Group AD Machines; likewise the AD_User has a condition to look at AD External Group AD Users.  At the end of the authorization policy list we have the default policy, which is set to the WEBAUTH authorization profile.
What we see is that machine auth is granted by the WEBAUTH policy, as this is the catch-all.  If I disable WEBAUTH it picks AD_Machine; also, if I enable WEBAUTH and remove the AD External Group AD Machines condition, it also selects the correct policy.
There seems to be some kind of timing issue when authorizing against an external DB.
Any ideas?
Thanks.
Gary

Similar Messages

  • Info Cube doesn't show up for selection on authorization profile?

    Hi,
    I would like to allow limited number of queries for a report user based on info cube using auth role. Steps I am using:
    PFCG
    Tab: Authorization
    Maintain Authorization data and Generate Profile
    Click "Change Authorization Data" to go to Change Role: Authorizations
    Expand Business Information Warehouse
    Expand Business Explorer - components
    Click Pencil for Info Cube to select the info cube for full authorization for info cube queries
    - It displayed the selection "from" "to" list for info cube.
    I wasn't able to find my info cube "zsdc_c01", but I was able to see all SAP-delivered info cubes.
    Any idea what setting I should set to see my info cube here, so that I can select this info cube to give access to users for all queries built on this info cube using the role I created?
    I would appreciate any input.
    Steve

    Hi,
    I have the same or similar problem.
    I would like to limit/to restrict/to constrain the number of queries a user is allowed to create.
    Could you give me information on how to handle that in the user authentications?
    Could you please describe to me the whole process of how to do that?
    The system I'm using is SAP BW 7.0.
    thanks
    Yusuf

  • ISE Authorization Profile Question

    Hi,
    We are implementing ISE at a university and using dynamic VLAN allocation to segment the traffic into vlans of a manageable size - we do not want to use geographically based vlans for a number of reasons. However there is one scenario which I am struggling with.
    A number of students will be living in university owned houses which are not directly connected to the university network. In these houses an ISP will provide an ADSL circuit. These ADSL circuits will be aggregated back at the university data centre and will connect down one piece of wire to the university network. I haven't completed my testing yet but the general theory is that we can use multi-auth to allow them on to the network and apply appropriate access restrictions (these restrictions will differ from those applied when they connect "on campus"). However, in order to do this, I will need to create an authorization policy based on where they are coming from (i.e. what switch and what port). I can see how I can use Identity Groups to identify which switch the traffic is coming from but for the life of me I have no idea how I would identify the port.
    Anyone have any ideas how I might achieve my goal?
    Thanks
    Alan

    Hi
    Cisco ISE allows for a wide range of variables within authorization policies to ensure that only authorized users can access the appropriate resources when they access the network. The initial release of Cisco ISE supports only RADIUS-governed access to the internal network and its resources. The authorization policy result is Cisco ISE assigning an authorization profile that might also involve a downloadable ACL specifying traffic management on the network policy enforcement device. The downloadable ACL specifies the RADIUS attributes that are returned during authentication and that define the user access privileges granted once authenticated by Cisco ISE.
    An authorization profile acts as a container where a number of specific permissions allow access to a set of network services. The authorization profile is where you define a set of permissions to be granted for a network access request and can include:
    • A profile name
    • A profile description
    • An associated DACL
    • An associated VLAN
    • An associated SGACL
    • Any number of other dictionary-based attributes

  • ISE - Authorization Profile issue

    I'm running a trial of ISE and I'm attempting to create the authorization profile with the following settings:
    Name: Posture_Remediation
    Access Type: Access_Accept
    Common Tools:
    Posture Discovery, Enabled
    Posture Discovery, ACL ACL-POSTURE-REDIRECT
    The documentation says Common Tools, but in the screen shot it shows Common Tasks which is accurate to my install. Doc: http://www.cisco.com/en/US/products/ps10315/products_tech_note09186a0080bba10d.shtml#topic19
    The issue is that I do not see a Posture Discovery option in the Common Tasks area. Can I add these the attributes using the Advanced Attributes settings or is there something I need to enable to display the Posture Discovery option within Common Tasks?
    Any help would be appreciated.
    Andrew

    Hello Andrew,
    As per your query, I can suggest the following:
    Creating a New Authorization Policy
    Use this procedure to create a new authorization policy.
    To create a new authorization policy, complete the following steps:
    Step 1 Choose Policy > Authorization > Standard.
    Step 2 Click to select either Insert New Rule Above or Insert New Rule Below.
    A new policy entry appears in the position you designated in the Standard panel of the Authorization Policy window.
    Step 3 Enter values for the following authorization policy fields:
    •Rule Name—You need to define a rule name for the new policy.
    •Identity Groups—Choose a name for the identity group that you want associated with the policy.
    –Click + ("plus" sign) next to the word "Any" to display a drop-down list of group choices, or choose Any for the policy for this identity group to include all users.
    •Condition(s)—Choose the types of conditions or attributes for the identity group associated with the policy. Click + next to Condition(s) to display the following list of condition and attribute choices that you can configure:
    –Select a Condition Name option from the drop-down list (Simple Conditions, Compound Conditions, or Time and Date Conditions) as needed.
    –Select one of the Attribute options as needed. This displays a list of dictionaries that contain specific attributes related to the dictionary type.
    When you select an attribute, you can define it as Equals, Not Equals, or Matches using a pull-down list of operator options, and select an AND or OR directive using a pull-down directive option.
    For more information please refer to the link -
    http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_authz_polprfls.html

  • ISE Authorization profile

    I am trying to create an authorization profile in ISE. My vlan for that profile is 50. When I try to add the Tag ID as 50 it is not allowing me to do so.
    The message I am getting is: “Tag ID should contain only numerical value and in the range 0-31. How can the vlan be 0”. How do I deal with this issue when my vlan ids are higher than 31?
    I was wondering if anyone else had similar issue? Or am I missing anything.
    Ds

  • MSE-provided location used with ISE Authorization Profile

    Hello Everyone,
    Can MSE-provided location be used in an ISE Authorization Profile?
    Thanks much,
    David D.

    Yes, ISE 1.2 can use this feature if it is used with Merridian or Ironmobile integration, and this is still on the road map.

  • Wrong Selection of Project Profile, how to rectify - Project System

    Dear Gurus,
    I have a problem in Project System, wherein by mistake I have selected the Customer Project profile instead of the Capital Investment Project profile.
    I have already incurred some costs in the Network in this project & posted them.
    I am not able to change the project profile in CJ07 from Customer Project to Capital Investment, due to which the costs already booked in the Network are sitting in the Network and I am not able to CJ88 from Network to WBS and from WBS to AUC.
    I have changed the WBS element in CJ12 from Customer to Capital Investment, but I am not able to change the project profile at the Project Definition level.
    Kindly help if you have any solution.
    Thanks in advance
    Srihari Ediga

    No one responded, hence closed to post a new thread.

  • Difference between Reauthentication action of Common Task for Authorization Profile

    Hi guys,
    Would you mind helping me to choose reauthentication action for Authorization Profile?
    At Cisco ISE User Guide got "Reauthentication—To choose, select the check box and enter a value in seconds for maintaining connectivity during reauthentication. You can also choose attribute values from the Timer drop-down list. You choose to maintain connectivity during reauthentication by selecting to use either the default (a value of 0) or RADIUS-Request (a value of 1) from the drop-down list. Setting this to the RADIUS-Request value maintains connectivity during the reauthentication process."
    Then, what is the "default" behaviour? What is the difference between the default action and the RADIUS-Request action?
    On the other hand, could someone explain in detail the sequence and priority of IEEE 802.1X, MAC authentication bypass (MAB), and Central Web Authentication (CWA)? I have read a lot of papers, but still don't get it. Is it possible to configure MAB to fail in the Authentication Policy with Wire_MAB?
    Appreciate all your help!!!

    Hasan Saeed Khan wrote:
    Actually I started off my question with the "implementation of treble control" that SAP course AD940 suggests.
    I had never heard of this treble control and the added value of splitting rolebuilding and profile generation doesn't make much sense to me but that's my personal opinion.
    On the technical side of things: in your first post you state "No authorization data is displayed in the authorization tab unless I enter authorization tab with change button and provide inputs for org level field & generate profile."
    It is also possible to change the data and save this but not generate the profile yet. I just tried this by doing the following:
    Create role
    Add transactions to menu
    Edit profile, org levels & authorization data.
    Hit 'save'.
    Accept proposed profile name.
    Go back to PFCG main screen and ignore message of profile not being generated. (Click 'continue')
    And this leaves me with a role with a yellow traffic light on the authorization tab, and the profile status is: "Current version not generated"
    So it should be possible to maintain roles and profiles separately.

  • ISE Wired DOT1X authorization fails

    I'm configuring wired dot1x, and it won't work. My end goal is to use machine/user authentication for this wired profile, but for now, because of issues I'm just attempting wired user authentication. Below is what I have
    -authorization profile to allow a user based on the default (wired dot1x) and AD memberOF to get the person into the network
    -the network card on the computer is set up to use "user authentication" inside of the NIC authentication tab....this is PEAP by the way.
    Here is what I am seeing. I do a reboot of the machine, and the login for Windows comes up and I login. Once in Windows I look at the NIC and it says Authentication failed. ISE says that it PASSED and used my authorization profile to pass it and says that it sent my dacl. Doing a show authentication session int gi8/36 says "status authz FAILED".
    I get the same thing if I use both machine and user. Machine boot->login->ISE says there was a successful authentication for the machine and sends a dacl->sh auth sess int gi8/36 says status authz failed on the switch, and the NIC shuts due to failed authentication, after which it's obviously not going to pass the user side of my policy. This is driving me nuts. If anyone could help it would be greatly appreciated. Below is config info. Thanks
    Windows machines are Win7/64
    switch is 6509e with 12.2(33)SXI 11 running on it.
    Interface:  GigabitEthernet8/36
              MAC Address:  10ee.f10c.4820
               IP Address:  Unknown
                User-Name:  jcarrabine
                   Status:  Authz Failed
                   Domain:  DATA
           Oper host mode:  multi-auth
         Oper control dir:  both
          Session timeout:  N/A
             Idle timeout:  N/A
        Common Session ID:  0A800C010000018CF35CA5D8
          Acct Session ID:  0x0000077B
                   Handle:  0x0000018C
    Runnable methods list:
           Method   State
           dot1x    Authc Success
           mab      Not run
    Dot1x Info for GigabitEthernet8/36
    PAE                       = AUTHENTICATOR
    PortControl               = AUTO
    ControlDirection          = Both
    HostMode                  = MULTI_AUTH
    QuietPeriod               = 60
    ServerTimeout             = 0
    SuppTimeout               = 30
    ReAuthMax                 = 2
    MaxReq                    = 2
    TxPeriod                  = 10
    interface GigabitEthernet8/36
    description TEST PORT
    switchport
    switchport access vlan 52
    switchport mode access
    switchport voice vlan 143
    authentication event fail action next-method
    authentication host-mode multi-auth
    authentication open
    authentication order dot1x mab
    authentication priority dot1x mab
    authentication port-control auto
    authentication timer inactivity 10
    authentication violation restrict
    mab
    dot1x pae authenticator
    dot1x timeout tx-period 10
    spanning-tree portfast edge
    spanning-tree bpduguard enable
    end
    aaa authentication dot1x default group radius
    aaa authorization network default group radius
    aaa accounting dot1x default start-stop group radius
    ip radius source-interface Loopback0
    radius-server attribute 6 on-for-login-auth
    radius-server attribute 6 support-multiple
    radius-server attribute 8 include-in-access-req
    radius-server host 10.128.12.41 auth-port 1812 acct-port 1813 key 7 061106324961273C464640
    radius-server host 10.126.12.41 auth-port 1812 acct-port 1813 key 7 120E0C0417242221697A76
    radius-server vsa send accounting
    radius-server vsa send authentication

    I fixed this issue. So to the trained eye this should be obvious. The authz ultimately failed not because of my authorization policies, but because I have no default permit ip any any ACL on the port. This is a requirement for the IOS I'm running. The dACLs cannot be applied to the switchport without it, and thus it will throw the port into an authz fail without it.
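    The fix described in the reply above, written out as an added example (not the poster's own config, and not from Cisco documentation): a static port ACL is applied inbound on the interface so that the ISE dACL has something to replace. The ACL name PRE-AUTH is a placeholder; the interface, VLANs and authentication commands are taken from the config the poster shared.

```ios
! Added example: static pre-authentication ACL for a wired ISE port.
! On this IOS release a dACL pushed by ISE can only be applied when a
! port ACL already exists on the interface; without one the session
! ends in "Authz Failed" even though authentication succeeded.
! The ACL name PRE-AUTH is an assumed placeholder.
ip access-list extended PRE-AUTH
 remark Monitor mode: permit everything until the ISE dACL replaces this ACL
 permit ip any any
!
interface GigabitEthernet8/36
 description TEST PORT
 switchport
 switchport access vlan 52
 switchport mode access
 switchport voice vlan 143
 ! The missing piece from the original config: the static port ACL
 ip access-group PRE-AUTH in
 authentication event fail action next-method
 authentication host-mode multi-auth
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication timer inactivity 10
 authentication violation restrict
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast edge
 spanning-tree bpduguard enable
```

    The requirement is that a port ACL is present, not that it be permit-any: in a low-impact deployment the same PRE-AUTH ACL would instead permit only bootstrap traffic (DHCP, DNS and the like) and deny the rest, and the dACL from ISE still overrides it once authorization succeeds. After applying the ACL, re-check with the same `show authentication sessions interface gi8/36` command used in the thread; the Status line should change from "Authz Failed" to "Authz Success".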

  • BW Issues while generating authorization profiles RSSB_GENERATE_AUTH progm.

    Hello,
    We loaded ZTCADS02 hierarchy datastore authorization template with the following data fields mapping and along with the other authorization templates (ZTCADS01, DS03)
    when I try to generate the authorization profiles using RSSB_GENERATE_AUTHORIZATIONS program, I am getting the following error
    “Hierarchy YES_BRANDS (version, key date 12/31/9999) does not exist  Message no. RSSBR050”
    Here are the fields and field contents on the ZTCADS02 datastore. Am I loading wrong data to any of the fields? I tried a couple of combinations for the Hierarchy name (0TCTHIENM) but none of them helps me in successful generation of the profiles.
    0TCTHIENM = YES_BRANDS/99991231//0BP_GRP
    0TCTHIENM = YES_BRANDS
    0TCTUSERNM    User                  CARLMGRN1
    0TCTSYSID     BW System             SBC100
    0TCTAUTH      Authorization (Tech)  ZBP_GRP
    0TCTADTO      Validity, to          99991231
    0TCTIOBJNM    InfoObject            0TCTAUTHH
    0TCTHIENM     Hierarchy Name        YES_BRANDS
    0TCTHIEVERS   Hierarchy Version     A
    0TCTHIEDATE   Hierarch, Valid to    99991231
    0TCTNIOBJNM   Node (InfoObject)     0BP_GRP
    0TCTATYPE     Type of Authorizatn   2
    0TCTOBJVERS   Object Version        A
    0TCTADFROM    Validity, from        20061113
    0TCTNODE      Nodes                 454BA58E856300F6000000000A173125
    0TCTACOMPM    Validity Period       1
    0TCTTLEVEL    Hierarchy Level       9
    0TCTNDEF      Default Value         Y
    The InfoObject to be checked is 0BP_GRP, which is a hierarchy check.
    ZBP_GRP is a custom authorization object created by me with the fields actvt, 0BP_GRP and 0TCTAUTHH via RSSM.
    All suggestions are really appreciated and promise to reward very good points,
    for all good answers.
    Regards
    Sreeni

    Issue is resolved. There was a problem with the data load.
    Thanks
    Sreeni

  • Invoices paid using wrong payment profile

    Hello,
    This is on r12.1.3
    A user has made a mistake.  They selected a few invoices for payment and inadvertently selected the wrong payment profile (with Payment Type - Electronic).
    Whereas it should have been a different payment profile (with Payment Type - Printed).
    Now those checks won't print and the payment is applied to the invoices.   Is there any data fix where I can point such invoices/payments to the correct payment profile?
    Please advise
    Darsh

    Hi Darsh
    As a payment has been generated these invoices will not be selected for payment again under the other payment profile.
    The supported method of generating a payment under the other payment profile would be to cancel the payment but not the invoice and then amend the payment type for the new payment profile to select.
    AB

  • DNG files rendered with wrong color profile?

    Does someone else also have a problem with DNG (digital negative) files showing incorrect colors when opened in Apple software (Preview, iPhoto, Aperture..)?
    I have a Nikon D750 and am currently considering using DNG as the archive format for my RAW files.
    But the converted DNG files are shown with a wrong color profile when opened via Apple's own camera raw framework...
    It works in Adobe software - such as Lightroom - but any software using the OS X internal camera raw framework seems to use the wrong color profile when opening the DNG. Note that the original D750 NEF files are opened and rendered correctly.
    I am using OS X Yosemite 10.10.2 with the latest Camera Raw Compatibility Update 6.02 installed.
    On the Adobe side, it is Lightroom 5.7 and DNG Converter 8.7.1.
    I tried all kinds of different conversion settings. It does not seem to make a difference whether I embed preview images in the DNG or not, whether I shoot in 12 or 14bit RAW, and whether I include the original RAW file into the DNG or not. I also tried to explicitly select the 'Camera Standard' color profile in Lightroom first and then export the DNG, but still on the OS X side the resulting image looks wrong as compared to the original NEF.
    Any other Nikon user here who could verify my problems?

    A few simple tests on your end may help you better understand:
    1. Capture the same image (same camera settings in RAW and JPEG)
    2. Open these images in Canon DPP - they will be a close match, this is because Canon DPP and the Canon camera itself use similar RAW processing algorithms
    3. Convert the CR2 to DNG, and open the CR2, DNG, and JPEG in Adobe Camera RAW - the CR2 and DNG should be a very close (if not identical) match if you use the same processing settings for each, since they are both being processed by ACR's algorithms; the JPEG will probably not match as it was processed with Canon's algorithms
    What you are seeing is at the HEART of raw processing, and has nothing to do with color spaces or with DNG being at fault. The very nature of RAW processing means every processor (DPP, ACR, CaptureOne, etc) will produce different results by default - that's not to say that with some adjustments you can't match one processor's results to another, but it won't be the case by default.
    The choice of RAW processor has FAR more an impact on your results than color space - in fact color space should have virtually no visual impact, though depending on the scene photographed you might have better gradations in some color spaces, better handling of highly saturated colors in some, but the overall look should remain close regardless of color space choice.
    Further, as has been pointed out by others, raw files (which includes CR2 and DNG) do not have a color space - raw files are by definition raw image data which has yet to be processed into a color space. When you see color space assignments in RAW processors, that is relevant to the files you create FROM the raw files, not relevant to the raws themselves.
    Before bringing inflammatory language and false assumptions to a forum with a high level of expert membership you might want to research the issue, and devise some simple tests (like above) to help you understand the issue first.

  • To read an authorization profile.

    Hi,
    I am trying to provide authorization in an HR report. An administrative person can execute the report. At this moment, a user can see the information of all employees. Instead, the users should be restricted to a group of employees whose organizational key has been assigned in the user's authorization profile.  I am trying this with the P_ORGIN authorization object.  I can use P_ORGIN with a single static organizational key. But in this report I have different sets of organizational keys for different administrative users. For this reason, I will need to read the user's authorization profile to get the set of organizational keys. Can anyone tell me how I can read the authorization profile for a particular user who is using the system, so that the program can check the set of organizational keys?   I am using R/3 version 4.6C.

    Or more generally (for multiple users):
    REPORT ztest NO STANDARD PAGE HEADING LINE-SIZE 255.
    TABLES: usref,
            usr11.
    DATA: BEGIN OF itab OCCURS 0.
            INCLUDE STRUCTURE usref.
    DATA: END OF   itab.
    DATA: BEGIN OF itab1 OCCURS 0.
            INCLUDE STRUCTURE usref.
    DATA: END OF   itab1.
    DATA: BEGIN OF itab2 OCCURS 0,
            user    LIKE usref-user,
            profile LIKE usref-profile,
            ptext   LIKE usr11-ptext,
          END   OF itab2.
    DATA: old_prof  LIKE usref-profile,
          prof_desc LIKE usr11-ptext.
    itab-user = sy-uname.
    APPEND itab.
    itab-user = 'USERNAME'.
    APPEND itab.
    CALL FUNCTION 'SUSR_GET_PROFILES_OF_USER'
         TABLES
              users    = itab
              profiles = itab1.
    SORT itab1 BY profile.
    LOOP AT itab1.
      IF itab1-profile <> old_prof.
        SELECT SINGLE ptext INTO prof_desc
          FROM usr11
          WHERE langu = sy-langu
          AND   profn = itab1-profile
          AND   aktps = 'A'.
        old_prof = itab1-profile.
      ENDIF.
      itab2-user    = itab1-user.
      itab2-profile = itab1-profile.
      itab2-ptext   = prof_desc.
      APPEND itab2.
    ENDLOOP.
    SORT itab2 BY user profile.
    LOOP AT itab2.
      WRITE: /001 itab2-user, itab2-profile, itab2-ptext.
    ENDLOOP.
    Rob

  • How to create and allocate authorization profiles?

    How do you create and allocate authorization profiles? Please describe step by step the usage of TC PFCG.

    Hi Srinivas,
    I would like to try to explain how to create an authorization profile.
    1. First, you have to create a user with the Tcode SU01.
    2. Run Tcode /nPFCG.
    3. Enter a name for the role (the naming convention is very important here) which you want to create and then click on "Create Role".
    4. Enter a short description for the role and then click on the Authorization tab.
    5. Now you are required to save the role. Click on it and continue.
    6. Click on the tab "Change Authorization Data" and select the authorization template that you need.
    7. Change the authorization field value.
    8. Click on the button "Generate".
    9. Click on the button "Back".
    10. Click on the User tab to assign the role to the user which you created in step one.
    11. Click on the button "User comparison" and then "Complete comparison".
    Hope this helps

  • IMac/Snow Leopard choosing wrong color profile?

    Hey guys,
    I am a wedding photographer and I calibrate my iMac twice a month with a Spyder 3 calibrator. I have noticed a few times that, even though I have chosen the color profile I created with the Spyder 3, sometimes my iMac does NOT have that color profile selected. It seems like it reverts back to the standard iMac color profile at times - with no explanation. Is this a bug, or am I the user doing something to cause this to happen: log out, shutdowns, etc.?
    I am really unsure, so if anyone has a solution or explanation for this that would be great! Once I retouched a whole session using the wrong color profile (I didn't know it had changed) and it was a disaster.

    The file that holds which monitor profile is being used may be corrupt. You can remove this file from the Preferences folder of your user account:
    com.apple.systempreferences.plist
    Place it in the trash, or just to the desktop and restart. Or log out and log back in. The OS will create a new preference file.
    This file holds various settings, so you may notice other items in the System Preferences back at their defaults.
    As to your calibration habits, every other week is overkill for LCD monitors. This was the case with CRTs where every other week, or at minimum once a month was normal. CRTs drift from their settings much faster than LCDs. Every other month with an LCD is more than sufficient.
