ISE: time profile for authenticated usergroup access

Hi forumers,
I would like to set up a session condition like what ACS can do. This is used for users after authentication: they are then authorized with a time allotment profile for accessing resources on the network.
Can I do this over ISE, besides guest management > sponsor group's time profile?
If the current ISE is not ready for this, what would the high-level design for a time profile for usergroup access look like?
Example:
a. trusted full-time employee, accessible 24x7x365
b. not confirmed, internship employee, with accessible rights of only 8x5 per day
Thanks
Noel

Thanks for the reply, but I'm really seeking the feature of preventing multiple self-registrations for the same user, and I don't think that it is available right now.
The only working idea here is blocking the MAC address of the machine doing the registration, because every time the user will be able to register with a new email address or mobile phone.
Also, one feature that could be interesting here is that the user can do self-registration with phone mandatory, so the ISE will send an SMS to the user with the credentials to use.
Thanks.
Ahmad.

Similar Messages

  • ISE v1.2 RADIUS - Authentication of access to a Riverbed Steelhead

    VENDOR RBT 17163
    ATTRIBUTE Local-User 1 string RBT
    TACACS+ docs
    TACACS+ (Shell Profile)
    Attribute(s): service ; local-user-name
    Value(s): rbt-exec ; <username>
    Usage: In order to grant the user read-only access, the <username> value must be set to monitor. In order to grant the user read-write access, the <username> value must be set to admin. If you have another account defined in addition to admin and monitor, configure that name to be returned.
    Example – Add Attributes to a Shell Profile (for read-only access)
    Attribute Requirement Attribute Value
    service Mandatory rbt-exec
    local-user-name Mandatory monitor
    Example – Add Attributes to a Shell Profile (for read-write access)
    Attribute Requirement Attribute Value
    service Mandatory rbt-exec
    local-user-name Mandatory
    I have successfully achieved getting the profile to identify the unit and to apply the correct Result.
    But my 'Result' is clearly incorrectly defined.
    The dictionary attribute value for Riverbed 17163
    local-user-name 1 STRING BOTH  NO
    I'm sure this is wrong!
    Access Type = ACCESS_ACCEPT
    local-user-name = shell:local-username=admin
    Service-Type = 1
    From the authentication log it would appear it doesn't send this at all to the device
    Regards
    Ian Cowley

    OK it works..though perhaps not as granularly as I'd like.
    2 Authorization Rules; both identify the Riverbed device; VTY, PAP, Riverbed Device Group.
    and either AD Group for Admins, or Service Desk (in my case).
    The Permissions responses [Policy - Results - Authorization - Authorization Profiles] are:
    Riverbed Admins:
    Radius:Service-Type = Administrative
    Riverbed:Local-User = admin       [Policy - Policy Elements - Dictionary - System - Radius - RADIUS Vendors - Riverbed (17163) - Dictionary Attributes - Local-User 1 STRING BOTH ]
    [result of this is Service Type =6, Local-User=admin]
    Riverbed Monitor
    Radius:Service-Type = Administrative
    Riverbed:Local-User = monitor     
    [result of this is Service Type =6, Local-User=monitor]
    It greys out the Configuration - Network and Optimization pages
    Hope this helps
    IanC
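An added example, not part of the original posts and not Cisco or Riverbed code: how the working result above (Service-Type = 6 plus Local-User from vendor 17163, attribute 1, string) is laid out as RADIUS attributes under RFC 2865, showing that whatever string the profile holds is carried verbatim as the account name. It assumes the vendor uses the RFC-recommended vendor-type/vendor-length sub-attribute layout; the function names are illustrative.

```python
import struct

# Values taken from the posts above.
RIVERBED_VENDOR_ID = 17163        # "VENDOR RBT 17163"
RBT_LOCAL_USER = 1                # "ATTRIBUTE Local-User 1 string"
# Standard RADIUS numbers (RFC 2865).
ATTR_SERVICE_TYPE = 6
ATTR_VENDOR_SPECIFIC = 26
SERVICE_TYPE_ADMINISTRATIVE = 6


def encode_service_type(value):
    """Service-Type: type, length (always 6), 32-bit integer value."""
    return struct.pack("!BBI", ATTR_SERVICE_TYPE, 6, value)


def encode_vsa_string(vendor_id, vendor_type, text):
    """Vendor-Specific (26) holding one string sub-attribute."""
    data = text.encode("utf-8")
    sub_len = 2 + len(data)        # vendor type + vendor length + data
    total = 2 + 4 + sub_len        # type + length + vendor id + sub-attribute
    if total > 255:
        raise ValueError("value too long for a single RADIUS attribute")
    header = struct.pack("!BBIBB", ATTR_VENDOR_SPECIFIC, total,
                         vendor_id, vendor_type, sub_len)
    return header + data


def decode_attributes(blob):
    """Walk the attribute list; return (name, value) pairs."""
    found, i = [], 0
    while i < len(blob):
        if len(blob) - i < 2:
            raise ValueError("truncated attribute header")
        a_type, a_len = blob[i], blob[i + 1]
        if a_len < 2 or i + a_len > len(blob):
            raise ValueError("bad attribute length")
        body = blob[i + 2:i + a_len]
        if a_type == ATTR_SERVICE_TYPE and len(body) == 4:
            found.append(("Service-Type", struct.unpack("!I", body)[0]))
        elif a_type == ATTR_VENDOR_SPECIFIC and len(body) >= 6:
            vendor_id, v_type, v_len = struct.unpack("!IBB", body[:6])
            if v_len < 2 or 4 + v_len > len(body):
                raise ValueError("bad vendor sub-attribute length")
            value = body[6:4 + v_len].decode("utf-8", "replace")
            found.append((f"Vendor-{vendor_id}/Attr-{v_type}", value))
        else:
            found.append((f"Attr-{a_type}", body))
        i += a_len
    return found


def build_result(local_user):
    """Attributes of the working profile: Service-Type=6 plus Local-User."""
    return (encode_service_type(SERVICE_TYPE_ADMINISTRATIVE)
            + encode_vsa_string(RIVERBED_VENDOR_ID, RBT_LOCAL_USER, local_user))


if __name__ == "__main__":
    # Constructed inputs: the two working values and the earlier attempt.
    for user in ("admin", "monitor", "shell:local-username=admin"):
        print(user, "->", decode_attributes(build_result(user)))
```

Comparing the decoded pairs with a packet capture of the Access-Accept is a quick way to confirm the profile sends the attribute the device expects.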

  • Looking for the block CD Generate Time Profiles for MPC simulation.vi

    Hello everyone!!! I am trying to implement MPC in LabVIEW. I have downloaded certain codes which show the implementation. My question is: in those codes I see a block named CD Generate Time Profiles for MPC simulation.vi. I tried a lot to find that block but I could not... Can anyone help me out with the problem (exactly under which section will I get that block), or can anyone tell me how I give the set point profile for the MPC simulation problem???

    The VIs related to generate profile can be found in:
    C:\Program Files (x86)\National Instruments\LabVIEW 2011\vi.lib\addons\Control Design\_MPC\Reference Profile
    or
    C:\Program Files\National Instruments\LabVIEW 2011\vi.lib\addons\Control Design\_MPC\Reference Profile
    You can look at examples in:
    C:\Program Files (x86)\National Instruments\LabVIEW 2011\examples\Control and Simulation\Control Design\MPC
    C:\Program Files\National Instruments\LabVIEW 2011\examples\Control and Simulation\Control Design\MPC
    to verify how to use those VIs.
    Barp - Control and Simulation Group - LabVIEW R&D - National Instruments

  • ISE Time Management for Sponsor Portal User

    Hi all,
    I'm currently using ISE version 1.2 and when I create a custom time management for each user, the rule applied to each user is only applied for a maximum of 10 days even though I configured it for, e.g., 30 days.
    I want to check with all of you if anyone has the same issue.
    At first I thought it was because the purge time is set by default to 15 days, but even after I changed it, the expiration time still does not go beyond 10 days.
    Cheers
    Ryan

    Default Guest Time Profiles
    Time profiles provide a way to give different levels of time access to different guest accounts. Sponsors must assign a time profile to a guest when creating an account, but they cannot make changes to the time profiles. However, you can customize them and specify which time profiles can be used by particular sponsor groups. Beginning with Cisco ISE 1.2 time profiles are referred to as the account duration in the Sponsor portal.
    Cisco ISE 1.2 includes these default time profiles, which replace the profiles available previously:
    •DefaultFirstLoginEight—the account is available for 8 hours starting when the guest user first successfully connects to the Guest portal. This replaces the DefaultFirstLogin time profile.
    •DefaultEightHours—the account is available for 8 hours starting when sponsors first create the account. This replaces the DefaultOneHour time profile.
    •DefaultStartEnd—sponsors can specify dates and times on which to start and stop network access.
    If you upgrade to Cisco ISE 1.2, the older time profiles are still available, but you can delete them if you are not using them. If the older time profiles are assigned to a sponsor group, a message alerts you before deleting. If you perform a new installation of Cisco ISE 1.2, only the new time profiles display.

  • ISE Time Profiles

    I have successfully set up my guest authentication through ISE, but when I change the time profile from Default Eight Hours to Default Start End the user cannot log in.  If I change the profile to Eight Hours, the access is granted.  Has anyone run into this?  I have tried to make a new profile, new sponsor group etc. but no luck.  Any help would be highly appreciated.
    Additional information.  I am able to create the account using the DefaultEightHours setting, log in and then change the account to DefaultStartEnd.  However, I cannot enter DefaultStartEnd from the start.  I have attached the troubleshooting error I see in ISE.
    Thanks,
    James

    Please review the below links which might be helpful:
    http://www.cisco.com/en/US/docs/solutions/Enterprise/Borderless_Networks/Smart_Business_Architecture/February2012/SBA_Ent_BN_BYOD-GuestWirelessAccessDeploymentGuide-February2012.pdf
    http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_guest_pol.html
    http://www.cisco.com/en/US/docs/security/ise/1.0.4/user_guide/ise10_guest_pol.pdf

  • Long time wait for authentication with Windows 2003 AD

    Hello,
    We have a problem with authentication with 2003 AD. If there were no requests from VDI to Windows 2003 AD for some time (10-15 minutes), the first request takes a lot of time - 3-5 minutes - and the user needs to wait after entering his username/password. Searching users in the VDI GUI also takes a lot of time in this situation.
    How to resolve this? Size of directory is very small.
    And with 2008 AD and Open LDAP there is no such problem.

    Same thing for 2003, it is called IAS (Internet Authentication Service).
    http://www.microsoft.com/technet/network/ias/default.mspx
    Basically you will set up IAS with a RADIUS Client which would be your wireless access point(s). Then you will set up a remote access policy which will define how connections are authorized or rejected (windows groups, protocols etc.). Don't forget to register IAS with active directory.

  • ISE Guest Portal Time Profiles

    G'day All,
    Could someone advise if it is possible to extend or change the time profile of a guest account that has already been created? I am trying to understand using time profiles from within the Sponsor Portal. Imagine a guest user has an account created that gives them 2 weeks access; towards the end of the 2 weeks the user requires another week of access.
    From what I can see in both the ISE time profiles config page and from within the sponsor portal, either the user would have to wait until the existing account expired and have a new account created, or a new account would have to be created to grant the additional access and the existing account could be deleted. I am just seeking clarification of whether time extensions for Guest Accounts are possible prior to the account expiring.
    Currently using ISE 1.1.3
    Thanks in advance, guys.
    James.

    Please follow the below steps to edit the time profile:
    Adding, Editing, or Duplicating Time Profiles
    To add or edit a time profile, complete the following steps:
    Step 1 From the Cisco ISE Administration interface, select Administration > Guest Management > Settings > Guest > Time Profiles.
    Step 2 Click one of the following:
    • Add—to create a new time profile
    • Edit—to edit an existing time profile
    • Duplicate—to duplicate an existing time profile
    Step 3 Enter the name and description of the new time profile.
    Step 4 Select a Time Zone for Restrictions. Time Restrictions are a set of time periods during which a guest account associated with that time profile would not be granted access to the network or guest portal.
    Step 5 From the Account Type drop-down menu, choose one of the predefined options:
    • StartEnd—allows sponsors to define start and end times for account durations
    • FromFirstLogin—allows sponsors to define the duration of time that guests can have access after login
    • FromCreation—allows sponsors to define the duration of time that guest can have access after account creation
    Step 6 Set the Duration for which the account will be active. The account expires after the duration set here has expired. This option is available only if you select the Account Type as FromFirstLogin or FromCreation.
    Step 7 Set the Restrictions for the guest access.
    These restrictions are composed of a day of the week and a start and end clock time. The Time Zone value specified in the time profile affects the clock times set in any of the Time Restrictions within the time profile. For example, a Time Restriction that specifies Monday 12:00 am to 8:00 am and Monday 6:00 pm to 11:59 pm would only grant system access between 8:00 am and 6:00 pm on Mondays within the time zone of the time profile. Any other day of the week would have no time restriction in this example and system access would be granted at any time.
    Step 8 Click Submit.
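An added example, not from the original post or from Cisco: a small evaluator for the Time Restrictions described in Step 7, using the Monday periods from that example, to show how the profile's Time Zone decides whether a given instant falls inside a restricted period. Assumptions: restrictions are half-open at minute granularity, an end of 11:59 pm means "to the end of the day", and a fixed UTC+10 offset stands in for the profile's Time Zone; all names are illustrative.

```python
from datetime import datetime, time, timedelta, timezone

MON = 0  # datetime.weekday() value for Monday

# Step 7 example: periods during which access is NOT granted.
MONDAY_RESTRICTIONS = [
    (MON, time(0, 0), time(8, 0)),      # Monday 12:00 am to 8:00 am
    (MON, time(18, 0), time(23, 59)),   # Monday 6:00 pm to 11:59 pm
]

# Constructed sample zone: fixed UTC+10, no daylight saving handling.
PROFILE_TZ = timezone(timedelta(hours=10))


def is_restricted(local_dt, restrictions):
    """True if local_dt (already in the profile's zone) is in a restriction."""
    now = local_dt.time().replace(second=0, microsecond=0)
    for weekday, start, end in restrictions:
        if local_dt.weekday() != weekday:
            continue                      # other days have no restriction
        to_end_of_day = end == time(23, 59)
        if start <= now and (now < end or to_end_of_day):
            return True
    return False


def access_granted(instant, profile_tz, restrictions):
    """Convert an aware instant to the profile's zone, then check it."""
    if instant.tzinfo is None:
        raise ValueError("instant must be timezone-aware")
    return not is_restricted(instant.astimezone(profile_tz), restrictions)


if __name__ == "__main__":
    # Constructed instants around Monday 2024-01-01.
    samples = [
        datetime(2023, 12, 31, 20, 0, tzinfo=timezone.utc),  # Mon 06:00 local
        datetime(2023, 12, 31, 23, 0, tzinfo=timezone.utc),  # Mon 09:00 local
        datetime(2024, 1, 1, 8, 0, tzinfo=timezone.utc),     # Mon 18:00 local
        datetime(2024, 1, 1, 17, 0, tzinfo=timezone.utc),    # Tue 03:00 local
    ]
    for s in samples:
        local = s.astimezone(PROFILE_TZ)
        print(local.strftime("%a %H:%M"),
              access_granted(s, PROFILE_TZ, MONDAY_RESTRICTIONS))
```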

  • Time profile - CM31

    How I can change the default time profile for CM31 ?

    Hi
    This is picking up from the overall profile
    Transaction code OPD0.
    For help on how to set the overall profile:
    Define overall profile
    In this menu option, you define the overall profiles for capacity leveling and the extended evaluation.
    The system always uses an overall profile when starting capacity leveling. It specifies various parameters for carrying out capacity leveling using the sub-profiles it contains.
    An overall profile contains the following sub-profiles:
    Selection profile
    Control profile
    Time profile
    Evaluation profile
    Period profile
    Planning table profile
    Planning table (tabular form) profile
    List profile
    Strategy profile
    Note
    The overall profiles are used as follows to control capacity planning:
    If you select the menu options: Capacity planning -> Leveling -> Work center view -> Planning table, then the profile SAPSFCG001 is processed in the standard version.
    You can change the profile, but the SAP sub-profiles should remain unchanged as far as possible.
    You can define your own profiles and allocate them to particular users by means of user parameters. (See user parameters CYA -> CYX)
    For example, when you access the planning table enter using the application menu "Capacity planning" -> Leveling -> Work center view -> Planning table the user parameter "CYA" is operative.
    You can select any overall profile you like by entering via the application menu "Capacity planning" -> Leveling -> Variable.
    Requirements
    To use the name of a subprofile in an overall profile, you must first have defined this subprofile.
    Standard settings
    Overall profiles are predefined in the SAP standard package.
    Actions
    Define overall profiles according to your requirements.
    Additional information
    In the documentation on capacity leveling you can find information on the standard profiles and parameters that are allocated to the individual menu options.
    Regards
    Ranga

  • Time-Profile-Level Error on Activation

    Hello,
    I am in the process of creating an S&OP Model and so far created the following.
    1. Master Data & Attributes
    2. TimeProfile with 2 Levels (Daily and Weekly)
    3. Planning Area with Storage Time Profile Level as 'Daily'
    4. Two Planning levels at Daily and Weekly levels
    5. Two Stored Key Figures. One at Daily Planning Level and the other at Weekly Planning Level.
    Now, on activating the Planning Area I keep getting the following error.
    'Time-Profile-Level and Time-Profile-Level root attribute for plan-level "WEEKLYCUSTLOCPROD" are not consistent'
    When I delete the Key Figure that I created at the Weekly Planning Level, it seems to be activating fine.
    Can someone tell me what it is that I am doing wrong here? I need to create at least 2 key figures at the weekly planning level.
    Thanks,
    Geetha

    Hi Geetha,
    Try going back into your planning area and checking if your time profile for the planning level has a 'root' defined.
    In my experience, upon creating planning levels you must explicitly check a root on the time profile.
    This is different behavior than when selecting regular Master Data Types to include in your planning level. Those default to having the key of the MDT being set as the 'root' for that planning level.

  • One username for two tunnel in IPSec remote access vpn + ACS for authentication

    Hi all,
    I want to set up a username which can be used for two different IPSec tunnels (i.e. username USER1 can be used in tunnel TUN1 and TUN2). Can anyone help me with how to do this? My current configuration is that I tied the username to the tunnel group using group-lock (RADIUS property), so a username can only be used for a particular remote access VPN tunnel (USER1 can only be used for TUN1). I have already tried to enable multiple entries for group lock in ACS (by manipulating the dictionary setting in ACS), but it seems that authentication still takes the first group and cannot take the second group.

    You'd have to create a new AAA server group pointing to servers in the new domain for authentication.
    Then make a new connection profile that uses that AAA server group.
    Your users would have to choose the connection profile (absent some more advanced tricks like issuing them user certificates that can be checked for attributes which map to one profile or another).
    This could also be done with ISE 1.3 which can act as the RADIUS server and join to multiple AD domains on the backend as identity stores. (or even with ISE 1.2 if you use one of the AD directories as an LDAP store vs. native AD).

  • ISE Profiling for Wireless Devices (WLC 5508) like Laptops and Mobile Devices

    Hi,
    We have integrated a WLC 5508 with Cisco ISE 3315 with ios 1.1.1 and are using the Guest Sponsor portal for wireless guest users.
    We have created an open SSID in the WLC and redirect to the web login portal in the WLC for guest users. We have enabled all respective nodes in policy service for profiling and also configured SNMP in the WLC as well as in ISE.
    When a guest user is connected to the open SSID, they get redirected to the web login page of the ISE portal, and when they log in we are only able to see the username the guest user logged in with, but not the end device, in the monitoring log.
    Wireless end devices are not getting profiled. Can anyone tell me what configuration I need to do on the ISE or WLC side to profile end guest wireless devices like Android, iPhone and laptops?
    Thanks
    Pranav

    Hi Tarikh,
    I only want to identify the end devices for wireless guest users. I have configured MAB authentication and configured an authorization policy in which I mention identity group any, the condition as WLC web authentication, and an authorization profile only for guest, mentioning plain access for the same.
    Can you help me with how I can achieve profiling for wireless guest devices? I have configured all profiling probes and enabled SNMP on the WLC as well as on the network devices.
    What else do I need to configure to achieve just identifying the device, nothing but profiling, which should be reflected in the authentication logs?
    Thanks
    Pranav

  • Is ASA integration with ISE and RSA for 2 factor authentication a valid/tested design

    Hi,
    Customer currently uses ASA to directly integrate with an RSA kind of solution to provide a 2 factor authentication mechanism for VPN user access.  We're considering introducing ISE to this picture, and offloading posture analysis from ASA to ISE.  The flow we're thinking of is to have ASA interface to ISE, and ISE interface to RSA and the AD backend infrastructure.  And we still need the 2 factor authentication to work, i.e., the customer gets an SMS code in addition to its login username and password.  I'm wondering if the ASA/ISE/RSA/AD integrated solution (with 2 factor authentication working) is a tested solution or Cisco validated design?  Is there any potential issue that may break the flow?
    Thanks in advance for any input!
    Tina

    Hi,
    I have an update for this quite broad question.
    I have now come a bit further on the path.
    Now the needed Radius Access Attributes are available in ISE after adding them in
    "Policy Elements" -> "Dictionaries" -> "System" -> "Radius" -> "Cisco-VPN3000".
    I added both the attribute 146 Tunnel-Group-Name, which I really need to achieve what I want (select different OTP backends depending on Tunnel Group in ASA), and the other new attribute 150 Client-Type, which could be interesting to look at as well.
    Here the "Diagnostics Tools" -> "General tools" -> "TCP Dump" and Wireshark helped me understand how this worked.
    With that I could really see the attributes in the radius access requests going in to the ASA.
    Now looking at a request in "Radius Authentication details" I have
    Other Attributes:
    ConfigVersionId=29,Device Port=1025,DestinationPort=1812,RadiusPacketType=AccessRequest,Protocol=Radius,CVPN3000/ASA/PIX7.x-Tunnel-Group-Name=SMHI-TG-RA-ISESMS,CVPN3000/ASA/PIX7.x-Client-Type=,CPMSessionID=ac100865000006294FD60A7F,.....
    Ok, the tunnel group name attribute seems to be understood correctly, but Client-Type just says =, no value for that.
    That is strange, I must have defined that wrong(?), but let's leave that for now; I do not really need it for the moment being.
    So now when I have this Tunnel-Group-Name attribute available I want to use it in my Rule-Based Authentication Policy.
    Problem now is that as soon as I add, in an expression, a criterion containing Cisco-VPN3000:CVPN3000/ASA/PIX7.x-Tunnel-Group-Name matches .* (just anything), then that row does not match any more. It still works matching against NAS-IP and other attributes.
    What could it be I have missed?
    Best regards
    /Mattias

  • Problem with Windows 7 802.1x prompted for authentication multiple times

    I have set up a WLAN for users to bring in their own devices (devices are not on the domain).  It is set up for WPA2-Enterprise/AES and it doesn't require certificates.  We authenticate with a Cisco Secure Access Server 5.1.44 (set up with Active Directory).
    I have configured the Windows 7 wireless client:
    WPA-Enterprise/AES
    PEAP - removed "Validate server certificate"
    EAPMSCHAPv2 properties disabled "Automatically use my Windows login name and password"
    Advanced settings 802.1x - ticked for "user authentication"
    My problem is when I connect to the WLAN, I'm prompted for authentication multiple times (x2).  On the second login prompt everything logs in OK.  No errors are received after the first login attempt.
    Thanks

    This doesn't have anything to do with eap settings?
    Are the current defaults the recommended settings:
    EAP-Identity-Request Timeout (seconds)........... 30
    EAP-Identity-Request Max Retries................. 2
    EAP Key-Index for Dynamic WEP.................... 0
    EAP Max-Login Ignore Identity Response........... enable
    EAP-Request Timeout (seconds).................... 30
    EAP-Request Max Retries.......................... 2
    EAPOL-Key Timeout (milliseconds)................. 1000
    EAPOL-Key Max Retries............................ 2
    EAP-Broadcast Key Interval....................... 3600
    I have seen this multiple times on varying drivers and systems. The first time you login until it is cached.
    Thanks,
    Andrew

  • Hi. I am using a Time Capsule for a few PCs. I have made 5 different accounts to access the Time Capsule, but in Windows when I enter the account name and password for one account, I cannot access other accounts, because Windows saves username

    Hi. I am using a Time Capsule for a few PCs. I have made 5 different accounts to access the Time Capsule, but in Windows when I enter the account name and password for one account, I cannot access other accounts, because Windows saves the username. How can I prevent this from happening? I really need to access all my accounts and don't want it to save automatically.

    Why have 5 accounts if you need to access all of them.. just have one account?
    Sorry I cannot follow why you would even use the PC to control the Time Capsule. Apple have not kept the Windows version of the utility up to date.. so they keep making it harder and harder to run windows with apple routers.

  • Can I hook up a windows computer to my airport time capsule for internet access?

    We have hooked up our Time Capsule for the first time today.  It works wonderfully on our Apple products BUT can I connect a Windows-based computer to it for internet access?

    Yes. Both Ethernet and 802.11 are cross-platform.