ISE wired TLS with group mapping

Similar Messages

• Issue with group mapping in ACS.

  When we map AD group in ACS with ACS group it coming as AD group and * (As below “ ,* ” ) , Because of this * everybody is able to login irrespective of his AD group.
  Please suggest way to only add the NT Group alone without the *.

  Actually '*' means something else.
  If you have a group on AD say 'Alfa'
  when you do a mapping on ACS, you'll see it like this,
  'Alfa', * ------- Group x
  Above means, if a user a member of Group 'Alfa' on AD, AND can also have any other group membership on AD (meaning of *), then map it to Group x on ACS.
  It does not mean map everyone to Group x, even if they are not a member of Group 'Alfa' on AD.
  As mentioned by JG above, all the users are able to authentication because of your 'All other combination' or \DEFAULT mapping on ACS.
  Map them to .
  Then only those will be able to log in, for whom you have the mapping defined on ACS.
  http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/user/GrpMap.html#wp940538
  Check Step 8,
  "The asterisk (*) at the end of each set of groups indicates that users who are authenticated with the external user database can belong to other groups besides those in the set."
  Regards,
  Prem

• AD authentication problems. Problems with groups mapping

  Hi Everyone,
    I have my Edge Xi R2 server up and running with AD authentication fine for the past few months. Today I added another group and got a weird error message. Now no AD works and everytime I try to re-enable it I get this message below. I have deleted all my mapped groups and I still get the message. Has anyone come across this problem before?
  If the problem persists, please delete and re-map into BusinessObjects Enterprise all currently mapped groups
  Thank you,
  Adam

  This error indicates that one or more of your mapped groups, is invalid. (check for SID's in the error or windows event viewer logs)
  You can open a message with support to get help tracing your CMS, or you can try to figure out which (groups may cause hti error.
  To note it's also possible that something else is preventing the CMS from communicating with AD again a good reason to open a ticket.
  Regards,
  Tim

• ISE Security Group Mapping download to ASA

  We are implementing Security Tags with an ASA and ISE.  We have generated the PAC and imported it into the ASA and they in sync.  The Security Groups are present in the ASA, but the IP to Security Group Mapping that was manually placed in ISE aren't downloaded.  We have configured the WLC as a speaker and these mappings are dynamically updated on the ASA.  Does the ASA need to additional configuration, ie does ISE need to be configured as a peer for the static mappings to be downloaded?
  Please advise,
  Joe

  Update:
  I am testing with a username and enable password to see if this makes a difference.  It appears it now tries to deploy and says it is Updated but I don't see anything in the ASA.  All the ISE Diagnostic tests result in an invalid enable password.  I am logging into the ASA with the same creds without issue.  I have attempted several times with a copy and paste but it won't validate.
  Any suggestions?
  Thanks,
  Joe

• RSA authentication with LDAP group mapping

  Greetings,
  I'm trying to set up RSA authentication with LDAP group mapping with ACS Release 4.2(1) Build 15 Patch 3.
  The problem I'm having is that my users are in multiple OU's on our AD tree.  When I only put our base DN in for User Directory Subtree on ACS, it fails with a "External DB reports about an error condition" error.  If I add an OU in front of it, then it will work fine.
  As far as I know, you can only use one LDAP configuration with RSA.
  Any thoughts on this?

  @Tarik
  I believe your suggestion is the only way i'm going to get this to work. I ran across a similar method just this week that I have been working on.
  I was hoping for dynamic mapping with the original method, but I haven't found any way to make it happen.  I have resorted to creating a Radius profile on the RSA appliance for each access group I need.  Using the Class attribute, I then pass the desired Group name to the ACS, i.e. OU=Admins, and that seems to work.
  Thankfully, I have a small group of users that I am attempting to map.  I will only map those who need elevated priviliges to narrow down how many profiles I will have to manually create.  Likewise, our Account Admin will have to determine who gets assigned a particular access group.
  I would still prefer to do this dynamically.
  Scott

• EAP-TLS and ISE 1.1 with AD certificates

  Hello,
  I am trying to configure EAP-TLS authentication with AD certificates.
  All ISE servers are joined to AD
  I have the root certificate from the CA to Activie Directory installed on the ISE servers
  I created the certificate authentication profile using the root certificate
  I have PEAP\EAP-TLS enabled as my allowed protocol
  I am getting the following error for authentication:
  "11507  Extracted EAP-Response/Identity
  12500  Prepared EAP-Request proposing EAP-TLS with challenge
  11006  Returned RADIUS Access-Challenge
  11001  Received RADIUS Access-Request
  11018  RADIUS is re-using an existing session
  12301  Extracted EAP-Response/NAK requesting to use PEAP instead
  12300  Prepared EAP-Request proposing PEAP with challenge
  11006  Returned RADIUS Access-Challenge
  11001  Received RADIUS Access-Request
  11018  RADIUS is re-using an existing session
  12302  Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated
  12318  Successfully negotiated PEAP version 0
  12800  Extracted first TLS record; TLS handshake started
  12805  Extracted TLS ClientHello message
  12814  Prepared TLS Alert message
  12817  TLS handshake failed
  12309  PEAP handshake failed"
  I have self-signed certificates on the ISE servers – do they need to be signed by the same CA as the client?
  Any other issues I am missing?
  Thanks,
  Michael Wynston
  Senior Solutions Architect
  CCIE# 5449
  Email: [email protected]
  Phone: (212)401-5059
  Cell: (908)413-5813
  AOL IM: cw2kman
  E-Plus
  http://www.eplus.com

  Please review the below link which might be helpful :
  http://www.cisco.com/en/US/solutions/collateral/ns340/ns414/ns742/ns744/docs/howto_60_byod_certificates.pdf
  http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_man_id_stores.pdf

• Is it possible to map a Sponsor Group in Cisco ISE to a user group in Active Directory, through a RADIUS server?

  Hi!!
  We are working on a mapping between a Sponsor Group in Cisco ISE and a user group in Active Directory....but the client wants the mapping to be through a RADIUS SERVER, for avoiding ISE querying directly the Active Directory.
  I know it is possible to use a RADIUS SERVER as an external identity source for ISE.....but, is it possible to use this RADIUS SERVER for this sponsor group handling?
  Thanks and regards!!

  Yes It is possible to map Sponser group to user group in AD and if you want to know how to do please open the below link and go to Mapping Active Directory Groups to Sponsor Groups heading.
  http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_guest_pol.html#wp1096365

• ACS 5.3 Group Mapping based on AD group membership

  Hi,
  I am configuring a new ACS 5.3 system. Part of the rules is that I want to match the users specific AD group membership, and match appropriatly to an identity group.
  What i'm trying to do is say that if the user is a member of the AD Group (G-CRP-SEC-ENG) then associate them with the Identity Group SEC-ENG. The under the access service, authorization portion, i assign shell profiles and command sets based on Identity Group.
  It seems that the ACS server will not match the AD Group for the user, and it will match the Default of teh Group Mapping portion of the policy every time.
  I tried several configuration choices from : AD1:ExternalGroups contains any <string showing in AD>, AD1:memberOf <group>.
  Is there something special i need to do in the Group Mapping Policy to get it to match and active directory group and result in assigning the host to an Identity Group?
  Thank you,
  Sami

  Ok, my case is like this.
  I use ACS 5.3 for VPN authentication, using AD and an external RSA for token authentication (2 factor authentication)
  I didn't add all the VPN users in the ACS, because it will be troublesome, the users authentication will be managed by AD and RSA server.
  In some cases where we need to restrict a group of user to only access certain resources, downloadable ACL is used.
  Following the Cisco docs, i manage to get downloadable ACL works when the authorization profile matching criteria is username, but when i change the matching criteria to Identity group, the downloadable ACL won't work.
  I have a case with Cisco engineer now and still in the middle to sort things out.
  The advice from the Cisco engineer is to have the Access Service set to Internal User instead of RSA server, but that will require us(the admin) to import all the VPN users into the ACS database.
  Wondering whether there is a fix for this.
  Thanks.

• Question about Logon ticket with user mapping at BI-JAVA environment

  We're implementing BI 7.0 including BI Java and SAP EP for end user
  access.
  I have two question about SSO method when we're using BI Java.
  I know we can simply configure SSO logon ticket with BI-Java(EP
  included) and BI-ABAP through BI template installer and we already
  succeeded in that case.
  But the problem is we want to change it to user mapping SSO method for
  some our internal reason.
  After we configure user mapping SSO, we've got SSO failed error when we
  call BI-Java stuff like BEx Web Application iView.
  After many testing implemented, we found SSO Logon ticket with user
  mapping (using SAP reference system). It seems working now.
  But our question is "Is it no problem when we use SSO logon ticket with
  user mapping?" Is there any restriction or issue?
  One more question is we can ONLY use user base mapping when reference
  system used. How can we assign BI-ABAP users to EP Group?

  Using an SAP Reference system is allright. But if the reason u r going for this is because of different usernames in EP and BI, why dont you go for user mapping.
  Anyways, on restriction of reference syetms is that you can have ONLY ONE reference system defined in portal. In you case you can only have the BI system defined.
  Hope this helps!!

• ACS 3.3 Windows group mapping problem

  Hi,
  I?m running Cisco Secure ACS v.3.3 at Win 2000 server(sp4). ACS server is member of AD domain X. Additional there are two AD forests, so: domains X and Y are in the same forest, but domain Z is member of the second one. Trust relationships between all domains are established (AD Domain Controllers are w2k3 srv). I need to add Windows AD group mapping and that's no problem in domains X & Y. But when I'm trying to map some groups from Z domain, the "Failed to enumerate Windows groups. If you are using Active Directory consult the installation guide for information." error appears. In ACS documentation I have found information "ACS can only perform group mapping by using the local and global groups to which a user belongs in the domain that authenticated the user. You cannot use group membership in domains that the authenticated domain trusts that is for ACS group mapping. This restriction is not removed by adding a remote group to a group that is local to the domain providing the authentication." As I understand it's impossible to add mapping from the second forest? Am I right? If problem is solved in newer versions of ACS (4.0, 4.1)? Are there any fixes that can help?
  Thanks,
  Peter

  You need to set up proxy.
  http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/ed80211.mspx
  Look for "Cross-Forest Authentication" in above link. And you get the Idea of what I mean. Though in above link its depicted with IAS server, but same is possible with ACS, as both can act as Radius server.
  There is a known bug, CSCsi04187
  PEAP MS-CHAP machine authentication will fail with machine not found if host/ format is sent from client. This only happens if the machine is autenticating to a domain forest that the ACS is not a member of.
  Conditions:
  The Machine authenticating to ACS is in a different domain forest then the ACS and the supplicant is using host/ as the machine name format. You also have to be using PEAP MS-CHAPv2.
  Workaround:
  If the supplicant has the option you can send the macine name in hos/ format.
  Many supplicants do not have this option.
  It is to be fixed for ACS 4.2 release.
  Regards,
  ~JG

• User in a windows group - mapping to acs group appears not be working

  I have a user in a windows group, this windows group is mapped to an ACS group but when the user logs in it appears as default group in ACS.
  Any suggestion?

  Hello, I recently implemented this very thing, actually integrated it with Authentication Proxy. Here are some settings to check:
  1. External User Databases - Database Configuration - Windows Database - Configure
  Make sure your domain is listed on moved to the Domain List section
  2. External User Databases - Database Group Mappings - Windows Database - - Add Manual Mapping
  Make sure you have the right AD group mapped to the internal ACS group, you can even set users* if you want to include all users.
  3. External User Databses - Unknown User Policy
  Check the "Check the following external user databases" radio dial and move Windows Database to Selected Databases
  Check “The database in which the user profile is held” radio dial in the Configure Enable Password Behaviour section
  Hope that helps!

• EAP-TLS with WLC 5508, Microsoft NPS and custom EKU OID´s

  We are trying to implement EAP-TLS with client certificates that have a custom EKU OID to distinguish the WLAN clients. The Microsoft Press Book
  Windows Server 2008 PKI and Certificate Security gives an example on how to configure a policy in NPS that matches specific EKU OID´s. At the moment we have two policies that have an allowed-certificate-oid configured that matches the OID´s in our certificates, but our setup is not working as expected. Authentications will only be successful, if the client authenticates with the certificate that is matched by the first policy rule.
  For example:
  Policy 1: allowed-certificate-OID --> corporate
  Policy 2: allowed-certificate-OID --> private
  Client authenticates with EKU corporate --> success
  Client authenticates with EKU private --> reject
  My expectation was, that if Policy 1 will not match the NPS goes over to Policy 2 and tries to authenticate the client.
  Has anyone a simmilar setup or can help to figure out what is going wrong?
  We have a WLC 5508 with Software Version                 7.4.100.0 and a NPS on a Windows Server 2008 R2
  regards
  Fabian

  The policy rejects and the NPS goes to the next policy, only if the user does not belong to the configured group.
  This means I need to have one AD group per application policy, but that will not solve my problem. A user could belong to more than one group, depending on how many devices he/she has. It will work with one group only for each user, because the first policy that matches a AD group, the user belongs to, could have a OID that is not in the certificate. This would cause a recejct with reason code 73:
  The purposes that are configured in the Application Policies extensions, also called Enhanced Key Usage (EKU) extensions, section of the user or computer certificate are not valid or are missing. The user or computer certificate must be configured with the Client Authentication purpose in Application Policies extensions. The object identifier for Client Authentication is 1.3.6.1.5.5.7.3.2.
  The certificate does include this OID but not the custom EKU.

• ISE wireless CPP with redirect exclusions, possible?

  Hi all, a little bit of a tricky situation here. I've got a wireless network and ISE 1.1.1. The wireless is mixed 7.0 and 7.3 code.
  On an ISE wired installation it's easy to have an authorization rule that URL redirects users to the client provisioning portal *BUT* to have a redirect ACL on the switch with deny statements that excludes specific websites from the redirection. This is done so users can click on remediation links from the NAC Agent and get to websites to download anti-virus, sig updates, windows updates, etc... but all other web attempts get redirected to the CPP.
  All fine and it works perfectly on the wired network. HOWEVER, I can't seem to find a similar way to do this on the wireless network. While you can create a posture redirection policy to send them to the CPP with an ACL, that ACL seems to only permit or deny traffic per a standard ACL. Meaning a user gets on but any attempt to go anywhere in a browser redirects to the CPP. This makes it impossible to get to the remediation pages.
  Is there any way to accomplish what I'm trying to do here? It seems like it should be a basic function.

  Sorry I had some personal issues to deal with and just got a chance to follow up on this. Firs of all, good job on figuring it out and posting the findings back here! (+5) from me for that!
  To answer your questions:
  #1. You are 100% about the logic on the WLC ACLs vs Switch ACLs. On switches "deny" means "don't redirect" the traffic, thus permit it on the network. On the WLCs "deny" means "redirect" the traffic, hence don't allow it on the network. I am not sure why Cisco did this but different BUs, different teams, etc
  #2. You are also correct on this one. Your vWLC and ISE are working as expected. While switches support dACLs, WLCs only support "named ACL." As a result, when referencing ACLs on ISE for wireless, that ACL has to exist on the WLC and it MUST BE NAMED THE SAME or it won't work.
  Hope this helps. If you issues are resolved please mark the thread as "answered"
  Thank you for rating!

• Does Cisco ISE-3315-K9 with ise version: Service Engine: 1.0.4.573 support command accouting like ACS

  Hi
  Can Anybody can update whether   ISE-3315-K9 with ise version: Service Engine: 1.0.4.573 , supports the command level accounting
  Bascially , we have integrated Cisco Switches with Cisco ISE for Device Authentication using Radius , we are able get the authentication logs on to the devices , but for any command changes or update done on Cisco devices we are not able to get the command accounting ..
  has succeed in  command level accounting on  Cisco ISE ..
  Please update
  Cisco ISE doesn't have TACACS feature ...

  Command Accounting is a TACACS+ feature so not for ISE....yet.
  However, you can do the following to send commands to syslog and not including passwords (hidekeys). I just picked 200 commands/lines to store in the local command buffer/log. increase or decrease as you have memory.  The notify syslog is what sends it via syslog.
  conf t
  archive
  log config
  logging enable
  logging size 200
  hidekeys
  notify syslog
  end
  wr mem
  Remember, syslog is clear text  :-)  log away from user traffic when possible.  Or use TLS based syslog when possible.
  I hope you find this answer useful, if it was satisfactory  for you, please mark the question as Answered.
  Please rate post you consider useful.
  -James

• [WLC - CWA] [ISE] Wlan Portal with Local Switiching

  Description: Guest Portal ISE (WLAN) in a Flexconnect local switching enviorment.
  Problem: The communication stops everytime we turn on the feature Radius NAC on the WLC.
  We are trying to use Central WebAuth in a Flexconnect environment and with so the procedure that we are using it´s the one that´s available in the cisco DOCS ( http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/116087-configure-cwa-wlc-ise-00.html ) but there´s something occuring in my setup. I´ve configured step by step the WLC and ISE in accordance with previous DOC but I can´t establish communication everytime I turn on the feature RADIUS NAC in the WLC.
  All the ACL´s were configured, I can see the ISE policy beeing sent to the client but when the PC tries to establish the connection to him nothing leaves the PC ( a simple ping was done ). I´ve tried a bunch of setups to see if it was a misconfiguration or something else but at the end , everytime I trun on the NAC feature the final client looses all the comms to anywere.
  You can see in the following attachment the setup of WLC, and AP with flexconnect groups (I´ve also tried without a group but the final result was the same)
  We are using a WLC 5500 with 7.6.120.0 ( http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-6/configuration-guide/b_cg76.html ) and the only thing I can foun is a simple note stating,
  "Flex local switching with Radius NAC support is added in Release 7.2.110.0. It is not supported in 7.0 Releases and 7.2 Releases. Downgrading 7.2.110.0 and later releases to either 7.2 or 7.0 releases will require you to reconfigure the WLAN for Radius NAC feature to work."
  In the Flexconnect Feature Matrix the RADIUS NAC is supported in a local switching enviorment ( http://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/112042-technote-product-00.html?referring_site=RE&pos=3&page=http://www.cisco.com/c/en/us/support/docs/wireless/flex-7500-series-wireless-controllers/113605-ewa-flex-guide-00.html) but what  we´ve found out so far it´s  the other way around.
  Another thing that we´ve found is that in the version 7.4 configuration guide ( http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-4/configuration/guides/consolidated/b_cg74_CONSOLIDATED/b_cg74_CONSOLIDATED_chapter_0110100.html#ID2372 ) cisco says that the "FlexConnect local switching is not supported."
  So, after seeing several docs my question is: Does Cisco support Radius NAC in a local switching environment ?

  Viten,
  tnx for the quick reply but,
  a) what do you mean by webauth ( http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/116087-configure-cwa-wlc-ise-00.html) ?
  b) When I say comms stop is that I´m simple using ping as a test to see what happens in the client.Whenever I activate the radius feature the final client (laptop) ceases all comms in a local switching environment.
  BR,
  DS