LDAP Identity Service

Hi
Another question. Is an LDAP version of the Identity service on the way? Is it possible to integrate a custom Identity service into the BPEL Designer/PM?
Best wishes
John Prince

Hi John,
Yes, the BPEL PM 10.1.2 does support LDAP for Human Workflow as well as the Engine. The documentation for this is under construction. Please send me a mail at collaxa_support_us.oracle.com, and I will reply as soon as the documentation is available.
Dhaval

Similar Messages

  • Identity Service LDAP with dynamic grouping

    Hi all,
    We are developing an enterprise application with oc4j and bpel.
    First we managed to handle user management with the XML-based JAZN tool.
    After that, we managed to connect the identity service with an iPlanet LDAP server and get users and roles (with static groups defined).
    But our client wanted static and dynamic groups together in their LDAP server, because of the complexity of their current user base.
    When we try this, we cannot get the roles that are assigned with dynamic groups, but we can get the roles that are statically defined.
    We check the roles from the worklist application (integration/worklistapp...) and we see the static groups but cannot see the dynamic ones.
    There is a section in is_config.xml like:
    <roleControls>
    <property name="nameattribute" value="cn"/>
    <property name="objectclass" value="groupOfUniqueNames"/>
    <property name="membershipsearchscope" value="onelevel"/>
    <property name="memberattribute" value="uniquemember"/>
    <search searchbase="ou=Groups,dc=dummy,dc=com,dc=tr" scope="onelevel" maxSizeLimit="1000" maxTimeLimit="120"/>
    </roleControls>
    I think the property uniquemember has an effect in this situation, but I cannot find any sample configurations using dynamic groups in LDAP.
    Hope somebody has already done that..

    I found a solution here:
    http://download.oracle.com/docs/cd/E15523_01/integration.1111/e10226/hwf_config.htm
    I am currently using weblogic's defaultAuthentication to test BPM 11g.
    I do not know if this approach works in a production environment.
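As an added example (not code from this thread or from Oracle's identity service), the following Python resolves group membership for a user against a small constructed in-memory directory, so the difference between following uniquemember on groupOfUniqueNames entries (what the roleControls above do) and evaluating the memberURL of a groupOfURLs entry is visible. All DNs, attributes and the memberURL are made up; the filter evaluator covers only the &, |, ! and attr=value forms.

```python
"""Resolve static and dynamic LDAP group membership for one user DN.

Added example, not code from the thread or from Oracle's identity service.
Runs against a constructed in-memory directory instead of a live server.
Static groups: groupOfUniqueNames entries listing members in uniqueMember.
Dynamic groups: groupOfURLs entries whose memberURL (an RFC 4516 LDAP URL)
must be evaluated against the user's own entry."""
import re
from typing import Dict, List, Tuple
from urllib.parse import unquote

Entry = Dict[str, List[str]]  # lowercased attribute name -> values

PEOPLE = "ou=People,dc=dummy,dc=com,dc=tr"
DIRECTORY: Dict[str, Entry] = {  # constructed sample entries
    f"uid=alice,{PEOPLE}": {"objectclass": ["inetOrgPerson"], "uid": ["alice"],
                            "departmentnumber": ["42"]},
    f"uid=bob,{PEOPLE}": {"objectclass": ["inetOrgPerson"], "uid": ["bob"],
                          "departmentnumber": ["17"]},
    "cn=Approvers,ou=Groups,dc=dummy,dc=com,dc=tr": {
        "objectclass": ["groupOfUniqueNames"], "cn": ["Approvers"],
        "uniquemember": [f"uid=bob,{PEOPLE}"]},
    "cn=Engineering,ou=Groups,dc=dummy,dc=com,dc=tr": {
        "objectclass": ["groupOfURLs"], "cn": ["Engineering"],
        "memberurl": [f"ldap:///{PEOPLE}??sub?(&(objectClass=inetOrgPerson)(departmentNumber=42))"]},
}

# ldap://[host]/base?attrs?scope?filter (RFC 4516); only the parts needed here
URL_RE = re.compile(r"^ldap://[^/]*/([^?]*)(?:\?([^?]*)(?:\?([^?]*)(?:\?(.*))?)?)?$", re.I)


def parse_member_url(url: str) -> Tuple[str, str, str]:
    """Return (search base, scope, filter) from a memberURL value."""
    m = URL_RE.match(url)
    if not m:
        raise ValueError(f"not an LDAP URL: {url}")
    base, _attrs, scope, flt = (unquote(p) if p else p for p in m.groups())
    return base, (scope or "base").lower(), flt or "(objectClass=*)"


def _parse_filter(s: str, i: int = 0):
    """Recursive-descent parser for the filter subset (&, |, !, attr=value, attr=*)."""
    if s[i] != "(":
        raise ValueError(f"bad filter near: {s[i:]}")
    i += 1
    if s[i] in "&|!":
        op, i, kids = s[i], i + 1, []
        while s[i] == "(":
            node, i = _parse_filter(s, i)
            kids.append(node)
        return (op, kids), i + 1  # skip the closing ')'
    end = s.index(")", i)
    attr, _, value = s[i:end].partition("=")
    return ("=", attr.strip().lower(), value.strip()), end + 1


def _match(node, entry: Entry) -> bool:
    kind = node[0]
    if kind == "=":
        _, attr, value = node
        vals = [v.lower() for v in entry.get(attr, [])]
        return bool(vals) if value == "*" else value.lower() in vals
    kids = node[1]
    if kind == "&":
        return all(_match(k, entry) for k in kids)
    if kind == "|":
        return any(_match(k, entry) for k in kids)
    return not _match(kids[0], entry)  # "!"


def _in_scope(dn: str, base: str, scope: str) -> bool:
    """Naive DN containment check (assumes no escaped commas in RDNs)."""
    dn, base = dn.lower(), base.lower()
    if scope == "base":
        return dn == base
    if not dn.endswith("," + base):
        return False
    relative = dn[: -len(base) - 1]
    return scope == "sub" or "," not in relative  # "one" = direct child only


def groups_for(user_dn: str, include_dynamic: bool = True,
               directory: Dict[str, Entry] = DIRECTORY) -> List[str]:
    """Group cn values the user belongs to. include_dynamic=False mimics a
    resolver that only follows uniqueMember, as the roleControls above do."""
    user = directory[user_dn]
    found = []
    for entry in directory.values():
        classes = {c.lower() for c in entry.get("objectclass", [])}
        members = {m.lower() for m in entry.get("uniquemember", [])}
        if "groupofuniquenames" in classes and user_dn.lower() in members:
            found.append(entry["cn"][0])
        elif include_dynamic and "groupofurls" in classes:
            for url in entry.get("memberurl", []):
                base, scope, flt = parse_member_url(url)
                if _in_scope(user_dn, base, scope) and _match(_parse_filter(flt)[0], user):
                    found.append(entry["cn"][0])
                    break
    return sorted(found)


if __name__ == "__main__":
    for dn in DIRECTORY:
        if "ou=People" in dn:
            print(dn, "static only:", groups_for(dn, include_dynamic=False),
                  "with dynamic:", groups_for(dn))
```

With only uniqueMember followed, alice has no roles at all, which is exactly the symptom described in the post; the worklist application only ever shows what the identity service's static resolver returns.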

  • How to configure SOA Suite 11g Worklist with LDAP Identity Store

    Hi
    I'm trying to configure the worklistapp to use an LDAP identity store (SOA Suite 11g).
    The LDAP is an open source LDAP (OpenDS in this case); it is NOT OID, OVD, Active Directory, WLS OVD, or iPlanet.
    To do so, I made the following configurations:
    workflow-identity-config.xml
    <configuration realmName="realm1">
    <provider providerType="JPS" name="JpsProvider" service="Identity">
    <property name="jpsContextName" value="worklist" />
    </provider>
    </configuration>
    jps-config.xml
    <?xml version="1.0" encoding="UTF-8" standalone='yes'?>
    <jpsConfig xmlns="http://xmlns.oracle.com/oracleas/schema/11/jps-config-11_1.xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xmlns.oracle.com/oracleas/schema/11/jps-config-11_1.xsd" schema-major-version="11" schema-minor-version="1">
         <!-- This property is for jaas mode. Possible values are "off", "doas" and "doasprivileged" -->
         <property name="oracle.security.jps.jaas.mode" value="off"/>
         <property name="custom.provider" value="true"/>
    <serviceProviders>
    <serviceProvider type="IDENTITY_STORE" name="idstore.ldap.provider" class="oracle.security.jps.internal.idstore.ldap.LdapIdentityStoreProvider">
    <description>LDAP-based IdentityStore Provider</description>
    </serviceProvider>
    </serviceProviders>
    <serviceInstances>
              <serviceInstance name="idstore.ldap.opends" provider="idstore.ldap.provider">
                   <property name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
                   <property name="idstore.type" value="CUSTOM"/>
                   <property name="ldap.url" value="ldap://host:port"/>
                   <property name="subscriber.name" value="dc=company,dc=com"/>
                   <property name="search.type" value="SIMPLE"/>
                   <property name="security.principal" value="cn=adminuser,dc=company,dc=com"/>
                   <property name="security.credential" value="!adminuser_password"/>
                   <property name="user.login.attr" value="cn"/>
                   <property name="username.attr" value="cn"/>               
                   <property name="groupname.attr" value="cn"/>
                   <extendedProperty>
                        <name>group.mandatory.attrs</name>
                        <values>
                             <value>cn</value>
                             <value>objectClass</value>
                        </values>
                   </extendedProperty>
                   <extendedProperty>
                        <name>group.object.classes</name>
                        <values>
                             <value>top</value>
                             <value>groupOfUniqueNames</value>
                        </values>
                   </extendedProperty>
                   <extendedProperty>
                        <name>group.filter.object.classes</name>
                        <values>
                             <value>groupOfUniqueNames</value>
                        </values>
                   </extendedProperty>
                   <extendedProperty>
                        <name>group.member.attrs</name>
                        <values>
                             <value>uniqueMember</value>
                        </values>
                   </extendedProperty>
                   <extendedProperty>
                        <name>group.search.bases</name>
                        <values>
                             <value>o=groups,dc=company,dc=com</value>
                        </values>
                   </extendedProperty>
                   <extendedProperty>
                        <name>user.mandatory.attrs</name>
                        <values>
                             <value>cn</value>
                             <value>objectClass</value>
                             <value>sn</value>
                        </values>
                   </extendedProperty>
                   <extendedProperty>
                        <name>user.object.classes</name>
                        <values>
                             <value>organizationalPerson</value>
                             <value>person</value>
                             <value>inetOrgPerson</value>
                             <value>top</value>
                        </values>
                   </extendedProperty>
                   <extendedProperty>
                        <name>user.filter.object.classes</name>
                        <values>
                             <value>inetOrgPerson</value>
                        </values>
                   </extendedProperty>
                   <extendedProperty>
                        <name>user.search.bases</name>
                        <values>
                             <value>o=users,dc=company,dc=com</value>
                        </values>
                   </extendedProperty>
              </serviceInstance>
         </serviceInstances>
    <jpsContexts default="default">
    <jpsContext name="worklist">
    <serviceInstanceRef ref="credstore"/>
    <serviceInstanceRef ref="keystore"/>
    <serviceInstanceRef ref="policystore.xml"/>
    <serviceInstanceRef ref="audit"/>
    <serviceInstanceRef ref="idstore.ldap.opends"/>
    </jpsContext>
    </jpsContexts>
    </jpsConfig>
    but I get the error:
    Jul 2, 2009 12:52:40 PM oracle.security.jps.internal.idstore.util.IdentityStoreUtil getIdentityStoreFactory
    WARNING: The identity store factory name is not configured.
    Jul 2, 2009 12:52:40 PM oracle.bpel.services.common.ServicesLogger __logException
    SEVERE: <.> Error in authenticating user.
    Error in authenticating and creating a workflow context for user realm1/user1.
    Verify that the user credentials and identity service configurations are correct.
    ORABPEL-30501
    Error in authenticating user.
    Error in authenticating and creating a workflow context for user sigfe.com/user1.
    Verify that the user credentials and identity service configurations are correct.
    at oracle.bpel.services.workflow.verification.impl.VerificationService.authenticateUser(VerificationService.java:603)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    So, does anyone know how I can specify the identity store factory,
    or the correct parameters for an LDAP identity store repository?
    I used the 11g documentation for the security file:
    http://download.oracle.com/docs/cd/E12839_01/core.1111/e10043/jpsprops.htm
    thanks

    I am having exactly the same issue. Once I configure the jps-config.xml file to use my custom authenticator and log into the worklist app, the following gets thrown. I was wondering if you need to map some roles to the existing users in the Custom Authenticator.
    Exception
    exception.70692.type: error
    exception.70692.severity: 2
    exception.70692.name: Error while granting BPMOrganizationAdmin role to SOAOperator.
    exception.70692.description: Error occured while granting the application role BPMOrganizationAdmin to application role SOAOperator.
    exception.70692.fix: In the policy store, please add SOAOperator role as a member of BPMOrganizationAdmin role, if it is not already present.
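The posted jps-config.xml declares a jpsContext that refers to instances the shown file never defines, and leaves the ldap.url placeholder in place. As an added example (not code from this thread or from Oracle), the following Python cross-checks those references the way a reviewer would before restarting the server; JPS_CONFIG is a constructed, cut-down copy of the posted file with placeholder credentials.

```python
"""Cross-check serviceInstanceRef entries of a jpsContext in jps-config.xml.

Added example, not from the thread or from Oracle. JPS_CONFIG is a
constructed cut-down version of the posted file: the "worklist" context
references credstore and keystore instances that are never defined, the
default context named in jpsContexts does not exist, and ldap.url still
carries the host:port placeholder."""
import xml.etree.ElementTree as ET
from typing import List
from urllib.parse import urlsplit

JPS_NS = {"jps": "http://xmlns.oracle.com/oracleas/schema/11/jps-config-11_1.xsd"}

JPS_CONFIG = """<jpsConfig xmlns="http://xmlns.oracle.com/oracleas/schema/11/jps-config-11_1.xsd">
  <serviceProviders>
    <serviceProvider type="IDENTITY_STORE" name="idstore.ldap.provider"
        class="oracle.security.jps.internal.idstore.ldap.LdapIdentityStoreProvider"/>
  </serviceProviders>
  <serviceInstances>
    <serviceInstance name="idstore.ldap.opends" provider="idstore.ldap.provider">
      <property name="idstore.type" value="CUSTOM"/>
      <property name="ldap.url" value="ldap://host:port"/>
      <property name="security.principal" value="cn=adminuser,dc=company,dc=com"/>
      <property name="security.credential" value="PLACEHOLDER_PASSWORD"/>
    </serviceInstance>
  </serviceInstances>
  <jpsContexts default="default">
    <jpsContext name="worklist">
      <serviceInstanceRef ref="credstore"/>
      <serviceInstanceRef ref="keystore"/>
      <serviceInstanceRef ref="idstore.ldap.opends"/>
    </jpsContext>
  </jpsContexts>
</jpsConfig>"""


def check_jps_config(xml_text: str, context_name: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    root = ET.fromstring(xml_text)
    providers = {p.get("name") for p in root.iterfind(".//jps:serviceProvider", JPS_NS)}
    instances = {i.get("name"): i for i in root.iterfind(".//jps:serviceInstance", JPS_NS)}
    contexts = {c.get("name"): c for c in root.iterfind(".//jps:jpsContext", JPS_NS)}
    findings: List[str] = []

    # The default context must exist even if the application names another one.
    jps_contexts = root.find("jps:jpsContexts", JPS_NS)
    default = jps_contexts.get("default") if jps_contexts is not None else None
    if default and default not in contexts:
        findings.append(f"jpsContexts default=\"{default}\" names a context that is not defined")

    ctx = contexts.get(context_name)
    if ctx is None:
        findings.append(f"jpsContext '{context_name}' is not defined")
        return findings
    for ref in ctx.iterfind("jps:serviceInstanceRef", JPS_NS):
        name = ref.get("ref")
        inst = instances.get(name)
        if inst is None:
            findings.append(f"'{context_name}' references undefined serviceInstance '{name}'")
            continue
        if inst.get("provider") not in providers:
            findings.append(f"serviceInstance '{name}' uses undefined provider '{inst.get('provider')}'")
        props = {p.get("name"): p.get("value", "") for p in inst.iterfind("jps:property", JPS_NS)}
        url = props.get("ldap.url")
        if url:
            try:
                port = urlsplit(url).port  # ValueError when the port is not numeric
            except ValueError:
                port = None
            if port is None:
                findings.append(f"serviceInstance '{name}': ldap.url '{url}' has no valid numeric port")
        if "security.credential" in props:
            findings.append(f"serviceInstance '{name}': bind credential for "
                            f"{props.get('security.principal', '?')} is stored in clear text")
    return findings


if __name__ == "__main__":
    for finding in check_jps_config(JPS_CONFIG, "worklist"):
        print("-", finding)
```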

  • Identity service cannot find user

    Installed BPEL 10.1.2
    added user using jazn.jar
    Now trying to log into worklist sample application
    and I get "identity service cannot find user". Do I need to assign any role(s) to the new user?
    Let me know.
    I am seeing simple questions not getting answers. Is this an Active Forum?
    Thanks
    Raghu

    closed
    for OAS 10.1.2.0.2 & BPEL PM 10.1.2.0.2
    I. Install BPEL in the Middle Tier
    1. ./runInstaller
    2. home = OAS home
    3. tea
    4. emctl stop em
    emctl start em
    5. Oracle_Home\opmn\bin\opmnctl stopproc ias-component=OraBPEL
    Oracle_Home\opmn\bin\opmnctl startproc ias-component=OraBPEL
    6. if OID is working through SSL, then 7, 8, else 9
    7. edit file Oracle_Home\j2ee\OC4J_BPEL\config\jazn.xml
         <jazn provider="LDAP" location="ldap://host:636" default-realm="us">
              <property name="ldap.user" value="cn=orcladmin"/>
              <property name="ldap.password" value="!welcome1"/>
              <property name="ldap.protocol" value="ssl"/>
         </jazn>
    8. edit file Oracle_Home\integration\orabpel\system\services\config\is_config.xml
         <BPMIdentityServiceConfig
         xmlns="http://www.oracle.com/pcbpel/identityservice/isconfig">
              <provider providerType="JAZN" name="oid" >
                   <connection url="ldap://host:636" binddn="cn=orcladmin"
                        password="welcome1" encrypted="false">
                        <property name="securityProtocol" value="ssl" />
                   </connection>
              </provider>
         </BPMIdentityServiceConfig>
    then 11
    9. edit file Oracle_Home\j2ee\OC4J_BPEL\config\jazn.xml
         <jazn provider="LDAP" location="ldap://host:389" default-realm="us">
              <property name="ldap.user" value="cn=orcladmin"/>
              <property name="ldap.password" value="!welcome1"/>
         </jazn>
    10. edit file Oracle_Home\integration\orabpel\system\services\config\is_config.xml
         <provider providerType="JAZN" name="oid" >
              <connection url="ldap://host:389" binddn="cn=orcladmin"
                   password="welcome1" encrypted="false"/>
         </provider>
    11. edit file Oracle_Home\j2ee\OC4J_BPEL\application-deployments\hw_services\orion-application.xml
         <jazn provider="LDAP" location="ldap://host:389" default-realm="us" >
              <jazn-web-app auth-method="SSO"/>
         </jazn>
    12. Oracle_Home\opmn\bin\opmnctl stopproc ias-component=OraBPEL
    Oracle_Home\opmn\bin\opmnctl startproc ias-component=OraBPEL
    II. Deploy BPEL portlets
    1. Through EM add the EAR to OC4J_BPEL:
         file: $ORACLE_HOME/integration/orabpel/system/services/lib/bpelportlet.ear
         a. Parent app = orabpel
         b. User Manager = Use JAZN LDAP User Manager
    2. edit file Oracle_Home\j2ee\OC4J_BPEL\application-deployments\bpelPortlet\orion-application.xml
         <jazn provider="LDAP" location="ldap://host:port" default-realm="us" >
              <jazn-web-app auth-method="SSO"/>
         </jazn>
    3.Oracle_Home\opmn\bin\opmnctl stopproc ias-component=OraBPEL
    Oracle_Home\opmn\bin\opmnctl startproc ias-component=OraBPEL
    4. Register BPEL provider
         http://bpel_host:bpel_port/BPELPortlet/providers
         a. Login Frequency = Once Per User Session
    636 - OID SSL port
    389 - OID non SSL port

  • User Task: Custom Identity Service

    Hi my friends
    Has anyone tried to use a custom Identity Service with BPEL User Tasks (I mean other than LDAP or JAZN)? Problems? Issues? Limitations?
    I know I have to implement a set of interfaces (BPMIdentityService interface and others)...
    Thanks.
    Message was edited by:
    mmenezes

    Pablo;
    I just read your post and hearing that you have the basic methods working has me very interested - I implemented all the Interfaces (BPMIdentityService, BPMProvider, BPMUser, BPMRole, BPMGroup) and changed the is_config.xml file. My realm showed up, and the connection pool I'm using seemed to work just fine, but when I tried to set up a Human Workflow using the new realm, I get an error on my searchUsers method (just hardcoded).
    I read that you need to add your classes to the application.xml file and that makes sense - but when I add them, no realms show up at all - one step backward - AND the method still doesn't work.
    Could you spare a desperate developer some advice on how you got yours working - a brief description of how to register your classes, if there's more than adding them to application.xml would be wonderful!
    Cheers -

  • Simple Custom Identity Service running on Windows OK, but not on Linux, why?

    In <Oracle® BPEL Process Manager Developer's Guide 10g Release 2 (10.1.2)
    B14448-03>,
    Part III, 16 <Oracle BPEL Process Manager Workflow
    Services, Identity Service, Creating a Custom Identity Service Plug-in>
    My PC, OS: Windows 2003 + BPEL PM Server 10.1.2
    Server, OS: Linux + iAS + OC4J_BPEL, I can't make sure of the version, maybe 10.1.2
    The Developer's Guide says:
    Identity Service has 3 providers:
    1. JAZN Provider
    2. Third-party LDAP Directories
    3. CUSTOM Repository LDAP-Based Plug-ins
    So I like the third one.
    1. I compile the project in Oracle_Home\integration\orabpel\samples\hw\isplugin\db.
    Then it creates a jar file (IS-DBPlugin.jar) in Oracle_Home\integration\orabpel\system\services\lib
    2. Modify the provider config file: is_config.xml
    Modify the config file: application.xml
    Restart the Oracle BPEL server
    3. Run the SQL files it provides in polsql.cmd
    OK, now the Identity Service works on the Oracle Lite database; it's what I need.
    Add a user into the tables
    Use the URL: http://localhost:9700/integration/worklistapp/Login
    I can log in to the worklist service using my custom user and password.
    When the Identity Service uses the JAZN Provider (XML), the default choice, and I add a user into the XML files, I must restart my server if I want to log in with that user.
    Using the database plugin, when I insert a user name into the tables, I can log in to the service with that username immediately.
    So I think it's easy to move it to my server (Linux OS). But when I copy the jar file to the folder, modify the config files, and run the SQL files in the Oracle database,
    and then open the URL: http://server_ip:port/integration/worklistapp/Login
    it does not work, with a simple error message: Worklist service Identity Service error.
    In the log files I find a message like this:
    SOAP-ENV:Server.Exception
    BPEL-10551 can not load the Custom Identity Service Class:
    "IdentityServiceCustomPlugin.CustomIdentityService"
    It has wasted me one week's time, and I can't find the reason now.
    Who can help me?
    thanks
    cnboy

    clemens, thanks.
    I'm sorry that my English is poor, so I can't understand what you mean completely.
    You say it might be a Linux JVM reason; can the matter be resolved?
    And you say to extract the jar file. Which files should I extract? Can you be more specific?
    thx!

  • Identity service unable to find the realm

    hi
    I am facing an issue after configuring "Configuring Identity Service with Oracle Internet Directory".
    I followed this administrator guide: "http://download.oracle.com/docs/cd/B31017_01/integrate.1013/b28982/service_config.htm#sthref280"
    This is the result after running the script:
    C:\product\10.1.3.1\OracleAS_1\bpel\system\services\install\ant-tasks>configure_oid orcladmin welcome1 389 false sonata seedAllUsers oc4jadmin welcome1 oc4j_soa
    Buildfile: oid-config.xml
    config-oid:
    [echo] Configuring OID...
    [mkdir] Created dir: C:\product\10.1.3.1\OracleAS_1\ldap\install
    [java] Install Configuration
    [java] Install Type: ConfigureOID
    [java] Oracle Home: C:\product\10.1.3.1\OracleAS_1
    [java] JDK Home: C:\product\10.1.3.1\OracleAS_1\jdk
    [java] Proxy Required: false
    [java] Database Vendor: oracle
    [java] OID Host: ${oid.host}
    [java] OID Port: 389
    [java] OID Realm: sonata
    [java] OID Seed: seedAllUsers
    [java] Admin User: orcladmin
    [java] ***************************************************************
    [java] Trying to obtain OID specific details from configuration files.
    [java] Warning: You would encounter problems if you have not associated your instance with an OID.
    [java] ***************************************************************
    [java] OID Host is: son1592
    [java] OID Port is: 389
    [java] Seeding users/roles in OID realm : sonata...
    [java] Buildfile: bpminstall.xml
    [java] seed-oid:
    [java] init:
    [java] seed-oid:
    [java] Seeding system users/roles into OID ...
    [java] Migration of LDIF data completed. All the entries are successfully migrated
    [java] Seeding demo users/roles into OID ...
    [java] Migration of LDIF data completed. All the entries are successfully migrated
    [java] BUILD SUCCESSFUL
    [java] Total time: 9 seconds
    [java] Exit: 0
    [java] Configuring BPEL identity service configuration file ...
    [java] Adding jaas-mode attribute to hw_services orion-application.xml
    [java] Adding jaas-mode attribute to orabpel orion-application.xml
    bpel-grant-privileges:
    [echo] Granting Server privileges to BPMSystemAdmin role...
    [java] The specified permission has already been granted to the grantee.
    [echo] Granting Domain privileges to BPMDefaultDomainAdmin role...
    [java] The specified permission has already been granted to the grantee.
    all:
    BUILD SUCCESSFUL
    Total time: 13 seconds
    Now, when I use the IdentityService servlet to look up users and roles by going to http://localhost:9700/integration/services/IdentityService/identity?operation=lookupUser and checking the realm,
    this is the error that comes back:
    <env:Envelope
    xmlns:env="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:ns0="http://xmlns.oracle.com/bpel/services/IdentityService">
    <env:Body>
    <env:Fault
    xsi:type="env:Fault">
    <faultcode>env:Server</faultcode>
    <faultstring
    xsi:nil="1"/>
    <detail>
    <ns0:identityServiceError>
    <ns0:faultInfo>Realm is not found. Identity service unable to find the realm by name sonata. Check the error stack and fix the cause of the error. Contact oracle support if error is not fixable. </ns0:faultInfo>
    </ns0:identityServiceError>
    </detail>
    </env:Fault>
    </env:Body>
    </env:Envelope>
    thanks
    Yatan

    hi Anirudh,
    do you think this is the wrong approach, to copy the file from home to other instances? Actually I followed the following link to configure OID with BPEL
    url--> "http://download-uk.oracle.com/docs/cd/B31017_01/integrate.1013/b28982/service_config.htm#BABIBGFF"
    As per the document, after executing the configure_oid.bat file only the jazn.xml inside home was getting updated, but there was no change in the jazn.xml inside the oc4j_soa folder. This was in fact told in the document: that we need to manually copy the properties from the home--> jazn.xml file. But when I was trying to copy, it was giving an error, so instead of copying anything from the home--> jazn.xml file, I copied the file and replaced it inside oc4j_soa.
    Do you think this is not the right approach?
    Waiting for inputs.
    thanks
    Yatan

  • Custom Identity Service - E-Business Suite

    Hi
    Just wondering if anyone has looked into creating a custom BPEL Identity Service Plug-in for E-Business Suite?
    I'm not sure if we need to do this yet for a client, but if anyone has tried it, it would be great to hear about any issues you came across or whether you got it to work....
    Any help greatly appreciated.
    Chris

    The easiest integration with a DB repository is to use the Oracle Virtual Directory (OVD) database adapter.
    You can write custom plug-in code using the IdentityService APIs for the 10.1.2 and 10.1.3 releases.
    But we deprecated that approach and recommend using OVD for customization in the 11 release.
    I have tested OVD with the BPEL IdentityService LDAP provider. It works well even for the 10.1 release.
    That approach simplifies the mapping between the LDAP inetOrgPerson and groupOfUniqueNames objectClasses and the DB schema.
    I can help you with OVD configuration.

  • BPEL-10555 Identity Service Configuration error is thrown in Solaris O/S

    I am getting the below error from the WorkList Application when I run my code on Solaris OS.
    But when this same code is run on Windows, it works fine.
    "500 Internal Server Error
    BPEL-10555 Identity Service Configuration error. Identity Service Configuration file has error. "
    It is because I have imported 4 classes in my payload-body.jsp file of the Human Task:
    oracle.bpel.services.workflow.task.model.ShortHistoryTaskType,
    oracle.bpel.services.workflow.task.model.ShortHistoryType,
    oracle.tip.pc.services.identity.BPMAuthorizationService,
    oracle.tip.pc.services.identity.BPMUser,
    I have also added the below code, to show the list of "Approvers" in the jsp file:
    BPMUser bpmUser = null;
    // Identity service handle for the realm named here; the realm must exist in is_config.xml
    BPMAuthorizationService bpmAuthServ = wfSvcClient.getAuthorizationService("jazn.com");
    if (task != null && task.getSystemAttributes() != null
            && task.getSystemAttributes().getShortHistory() != null) {
        ShortHistoryType shortHistoryType = task.getSystemAttributes().getShortHistory();
        List taskList = shortHistoryType.getTask();
        String taskApprovers = "";
        for (int j = 0; j < taskList.size(); j++) {
            ShortHistoryTaskType individualShortHistoryTask = (ShortHistoryTaskType) taskList.get(j);
            // Only history entries that were actually acted on count as approvals
            if (individualShortHistoryTask.getState().equals("COMPLETED")
                    || individualShortHistoryTask.getState().equals("OUTCOME_UPDATED")) {
                // Resolve the updater's id to a user through the identity service
                bpmUser = bpmAuthServ.lookupUser(individualShortHistoryTask.getUpdatedBy().getId());
                taskApprovers += bpmUser.getFirstName() + " " + bpmUser.getLastName() + ", ";
            }
        }
        if (!taskApprovers.trim().equals("")) {
            // Replace the trailing ", " with a full stop
            taskApprovers = taskApprovers.substring(0, taskApprovers.lastIndexOf(",")) + ".";
        }
    }
    Please do suggest a proper solution to run the above code on Solaris O/S.

    We have set the OID and our security realm is "alshaya.com"; would that be a problem?
    Also, below is my is_config.xml file:
    <?xml version = '1.0' encoding = 'UTF-8'?>
    <ISConfiguration xmlns="http://www.oracle.com/pcbpel/identityservice/isconfig">
    <configurations>
    <configuration realmName="alshaya" displayName="alshaya Realm">
    <provider providerType="JAZN" name="OID" service="Identity">
    <connection url="ldap://boomidevp.alshaya.com:389" binddn="cn=orcladmin" password="ifbEl1hXVLg=" encrypted="true"/>
    </provider>
    </configuration>
    </configurations>
    </ISConfiguration>
    So shall I change the below code as follows:
    BPMAuthorizationService bpmAuthServ = wfSvcClient.getAuthorizationService("jazn.com");
    to
    BPMAuthorizationService bpmAuthServ = wfSvcClient.getAuthorizationService("alshaya");
    Will the above change work for me on Solaris OS?
    Please do reply.
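The realm string handed to getAuthorizationService() has to match a realmName in is_config.xml, and the same file also decides whether the bind password is stored encrypted and whether the LDAP connection carries the securityProtocol=ssl property shown in the 10.1.2 steps earlier on this page. As an added example (not code from this thread or from Oracle), the following Python loads both layouts of is_config.xml, answers the "alshaya" vs "jazn.com" question, and flags the two weak settings; the two embedded documents are constructed samples with placeholder hosts and passwords.

```python
"""Audit an Oracle BPEL is_config.xml and check the realm name that a JSP
passes to getAuthorizationService() against the realms the file defines.

Added example, not code from the thread or from Oracle. The two documents
below are constructed samples in the page's two layouts (10.1.3
ISConfiguration with realmName, 10.1.2 BPMIdentityServiceConfig without);
hosts and passwords are placeholders."""
import xml.etree.ElementTree as ET
from typing import Dict, List

NS = {"is": "http://www.oracle.com/pcbpel/identityservice/isconfig"}

IS_CONFIG_10_1_3 = """<ISConfiguration xmlns="http://www.oracle.com/pcbpel/identityservice/isconfig">
  <configurations>
    <configuration realmName="alshaya" displayName="alshaya Realm">
      <provider providerType="JAZN" name="OID" service="Identity">
        <connection url="ldap://oid.example.com:389" binddn="cn=orcladmin"
                    password="ENCRYPTED_PLACEHOLDER" encrypted="true"/>
      </provider>
    </configuration>
  </configurations>
</ISConfiguration>"""

IS_CONFIG_10_1_2 = """<BPMIdentityServiceConfig
    xmlns="http://www.oracle.com/pcbpel/identityservice/isconfig">
  <provider providerType="JAZN" name="oid">
    <connection url="ldap://oid.example.com:636" binddn="cn=orcladmin"
                password="CLEARTEXT_PLACEHOLDER" encrypted="false">
      <property name="securityProtocol" value="ssl"/>
    </connection>
  </provider>
</BPMIdentityServiceConfig>"""


def _provider_info(parent: ET.Element) -> Dict[str, str]:
    """Flatten <provider>/<connection> attributes under one configuration (or the root)."""
    prov = parent.find("is:provider", NS)
    info = {"providerType": prov.get("providerType", ""), "provider": prov.get("name", "")}
    conn = prov.find("is:connection", NS)
    if conn is not None:
        info.update(url=conn.get("url", ""), binddn=conn.get("binddn", ""),
                    encrypted=conn.get("encrypted", "false").lower())
        props = {p.get("name"): p.get("value", "") for p in conn.iterfind("is:property", NS)}
        info["securityProtocol"] = props.get("securityProtocol", "").lower()
    return info


def load_realms(xml_text: str) -> Dict[str, Dict[str, str]]:
    """Map realm name -> provider info. The 10.1.2 layout has no realmName,
    so its single provider is recorded under "(default realm)"."""
    root = ET.fromstring(xml_text)
    realms = {c.get("realmName", ""): _provider_info(c)
              for c in root.iterfind(".//is:configuration", NS)}
    if not realms and root.find("is:provider", NS) is not None:
        realms["(default realm)"] = _provider_info(root)
    return realms


def realm_defined(realms: Dict[str, Dict[str, str]], realm_in_code: str) -> bool:
    """True when the name passed to getAuthorizationService() exists in is_config.xml."""
    return realm_in_code in realms


def audit(realms: Dict[str, Dict[str, str]]) -> List[str]:
    """Flag clear-text bind passwords and LDAP connections without the ssl property."""
    findings = []
    for name, info in realms.items():
        if info.get("encrypted") != "true":
            findings.append(f"{name}: bind password for {info.get('binddn')} is stored "
                            f"in clear text (encrypted=\"false\")")
        if info.get("url", "").startswith("ldap://") and info.get("securityProtocol") != "ssl":
            findings.append(f"{name}: {info['url']} has no securityProtocol=ssl; the bind "
                            f"credential crosses the network unprotected")
    return findings


if __name__ == "__main__":
    realms = load_realms(IS_CONFIG_10_1_3)
    for realm in ("jazn.com", "alshaya"):
        print(realm, "defined:", realm_defined(realms, realm))
    for finding in audit(realms) + audit(load_realms(IS_CONFIG_10_1_2)):
        print("-", finding)
```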

  • Issue in setting custom identity service for soa 11.1.1.4

    Hello,
    I am facing an issue in setting a custom identity service for SOA 11.1.1.4.
    It is not picking up the implemented UserManager (in the custom IDM) implemented via ServiceProvider and IdentityStoreService.
    This is configured in jps-config.xml.
    The same setup was working in SOA 11.1.1.2.
    I believe there is a change done in JpsProvider in bpm-service.jar to authenticate via the default login context from oracle.security.jps.internal.jaas.module.authentication.JpsUserAuthenticationLoginModule.
    If my understanding is correct,
    please guide me in implementing a custom identity store and services for BPM services for SOA 11.1.1.4.
    Tried various workarounds but no luck.
    Thanks
    Bala

    Hi...
    Can you tell me how you set up a custom identity service for 11.1.1.2?
    Thanks

  • Custom Identity Service configuration in SOA Suite 11g

    Has anyone been successful in using the custom identity service (available in 10.1.3.X) as an identity store in the SOA Suite 11g human workflow component? If yes, please guide me.

    Can you make sure your helloworld is using adf bindings as mentioned in thread Re: Urgent :: 11g Invoking Composite from Java/From Webservice Proxy

  • Ask the Expert: Integrating Cisco Identity Service Engine (ISE) 1.2 for BYOD

    With Eric Yu and Todd Pula 
    Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions  about integrating Cisco ISE 1.2 for BYOD with experts Eric Yu and Todd Pula.
    Cisco Bring Your Own Device (BYOD) is an end-to-end architecture that orchestrates the integration of Cisco's mobile and security architectures to various third-party components. The session takes a deep dive into the available tools and methodologies for troubleshooting the Cisco BYOD solution to identify root causes for problems that stem from mobile device manager integration, Microsoft Active Directory and certificate authority services, and Cisco Enterprise Mobility integration to the Cisco Identity Services Engine (ISE). 
    Todd and Eric recently delivered a technical workshop that helps network designers and network engineers understand integration of the various Cisco BYOD components by taking a deep dive to analyze best practice configurations and time-saving troubleshooting methodologies. The content consisted of common troubleshooting scenarios in which TAC engineers help customers address operational challenges as seen in real Cisco BYOD deployments.
    Eric Yu is a technical leader at Cisco responsible for supporting our leading-edge borderless network solutions. He has 10 years of experience in the telecommunications industry designing data and voice networks. Previous to his current role, he worked as a network consulting engineer for Cisco Advance Services, responsible for designing and implementing Cisco Unified Communications for Fortune 500 enterprises. Before joining Cisco, he worked at Verizon Business as an integration engineer responsible for developing a managed services solution for Cisco Unified Communications. Eric holds CCIE certification in routing and switching no. 14590 and has two patents pending related to Cisco's medianet.   
    Todd Pula is a member of the TAC Security and NMS Technical Leadership team supporting the ISE and intrusion prevention system (IPS) product lines. Todd has 15 years of experience in the networking and information security industries, with 6 years of experience working in Cisco's TAC organization. Previous to his current role, Todd was a TAC team lead providing focused technical support on Cisco's wide array of VPN products. Before joining Cisco, he worked at Stanley Black & Decker as a network engineer responsible for the design, configuration, and support of an expansive global network infrastructure. Todd holds his CCIE in routing and switching no. 19383 and an MS degree in IT from Capella University.
    Remember to use the rating system to let Eric and Todd know if you have received an adequate response.
    Because of the volume expected during this event, Eric and Todd might not be able to answer every question. Remember that you can continue the conversation in the Security community, subcommunity AAA, Identity and NAC, shortly after the event. This event lasts through November 15, 2013. Visit this forum often to view responses to your questions and the questions of other Cisco Support Community members.

    Hi Antonio,
    Many great questions to start this series.  For the situation that you are observing with your FlexConnect configuration, is the problem 100% reproducible or is it intermittent?  Does the problem happen for one WLAN but not another?  As it stands today, the CoA-Ack needs to be initiated by the management interface.  This limitation is documented in bug CSCuj42870.  I have provided a link for your reference below.  If the problem happens 100% of the time, the two configuration areas that I would check first include:
    On the WLC, navigate to Security > RADIUS > Authentication.  Click on the server index number for the associated ISE node.  On the edit screen, verify that the Support for RFC 3576 option is enabled.
    On the WLC, navigate to the WLANs tab and click on the WLAN ID for the WLAN in question.  On the edit screen, navigate to Security > AAA and make sure the Radius Server Overwrite interface is unchecked.  When this option is checked, the WLC will attempt to send client authentication requests and the CoA-Ack/Nak via the dynamic interface assigned to the WLAN vs. the management interface.  Because of the below referenced bug, all RADIUS packets except the CoA-Ack/Nak will actually be transmitted via the dynamic interface.  As a general rule of thumb, if using the Radius NAC option on a WLAN, you should not configure the Radius Server Overwrite interface feature.
    Bug Info:  https://tools.cisco.com/bugsearch/bug/CSCuj42870
    For your second question, you raise a very valid point which I am going to turn into a documentation enhancement request.  We don't currently have a document that lists the possible supplicant provisioning wizard errors that may be encountered.  Please feel free to post specific errors that you have questions about in this chat and we will try to get you answers.  For most Android devices, the wizard log file can be found at /sdcards/downloads/spw.log.
    As for product roadmap questions, we won't be able to discuss this here due to NDA.  Both are popular asks from the field so it will be interesting to see what the product marketing team comes up with for the next iteration of ISE.
    Related Info:
    Wireless BYOD for FlexConnect Deployment Guide

  • ISE Admin Access Authentication against multiple AD/LDAP Identity Sources

    Hi all!
    We would like to grant admin access to our ISE deployment to users stored in multiple Active Directories. Since there is no trust relationship between these ADs, we created an LDAP Identity Source for each AD and also an Identity Source Sequence, but in the UI we can only select one Identity Source.
    Any ideas how to solve this problem?
    Thanks in advance!
    Kind regards,
    Michael Langerreiter

    I did check in my lab and yes for admin access we can't select identity store sequence in authentication. We can only pick one external database. However, on the login page you may select the appropriate database before you enter the username and password.
    Jatin Katyal
    - Do rate helpful posts -

  • Not Working-central web-authentication with a switch and Identity Service Engine

    As a follow-up to the document "Configuration example : central web-authentication with a switch and Identity Service Engine" by Nicolas Darchis: since the redirection on the switch is not working, I'm asking for your help...
    I'm using ISE Version : 1.0.4.573 and WS-C2960-24PC-L w/software 12.2(55)SE1 and image C2960-LANBASEK9-M for the access.
    The interface configuration looks like this:
    interface FastEthernet0/24
    switchport access vlan 6
    switchport mode access
    switchport voice vlan 20
    ip access-group webauth in
    authentication event fail action next-method
    authentication event server dead action authorize
    authentication event server alive action reinitialize
    authentication order mab
    authentication priority mab
    authentication port-control auto
    authentication periodic
    authentication timer reauthenticate server
    authentication violation restrict
    mab
    spanning-tree portfast
    end
    The ACL's
    Extended IP access list webauth
        10 permit ip any any
    Extended IP access list redirect
        10 deny ip any host 172.22.2.38
        20 permit tcp any any eq www
        30 permit tcp any any eq 443
    The ISE side configuration I follow it step by step...
    When I connect the XP client, I see the following Authentication session...
    swlx0x0x#show authentication sessions interface fastEthernet 0/24
               Interface:  FastEthernet0/24
              MAC Address:  0015.c549.5c99
               IP Address:  172.22.3.184
                User-Name:  00-15-C5-49-5C-99
                   Status:  Authz Success
                   Domain:  DATA
           Oper host mode:  single-host
         Oper control dir:  both
            Authorized By:  Authentication Server
               Vlan Group:  N/A
         URL Redirect ACL:  redirect
             URL Redirect: https://ISE-ip:8443/guestportal/gateway?sessionId=AC16011F000000510B44FBD2&action=cwa
          Session timeout:  N/A
             Idle timeout:  N/A
        Common Session ID:  AC16011F000000490AC1A9E2
          Acct Session ID:  0x00000077
                   Handle:  0xB7000049
    Runnable methods list:
           Method   State
           mab      Authc Success
    But there is no redirection, and I get the following message on the switch console:
    756005: Mar 28 11:40:30: epm-redirect:IP=172.22.3.184: No redirection policy for this host
    756006: Mar 28 11:40:30: epm-redirect:IDB=FastEthernet0/24: In epm_host_ingress_traffic_qualify ...
    I have to mention I'm using an http proxy on port 8080...
    Any Ideas on what is going wrong?
    Regards
    Nuno

    OK, so I upgraded the IOS to version
    SW Version: 12.2(55)SE5, SW Image: C2960-LANBASEK9-M
    I tweaked the ACL's to the following:
    Extended IP access list redirect
        10 permit ip any any (13 matches)
    and created a DACL that is downloaded along with the authentication
    Extended IP access list xACSACLx-IP-redirect-4f743d58 (per-user)
        10 permit ip any any
    I can see the epm session
    swlx0x0x#show epm session ip 172.22.3.74
         Admission feature:  DOT1X
         ACS ACL:  xACSACLx-IP-redirect-4f743d58
         URL Redirect ACL:  redirect
         URL Redirect:  https://ISE-ip:8443/guestportal/gateway?sessionId=AC16011F000000510B44FBD2&action=cwa
    And authentication
    swlx0x0x#show authentication sessions interface fastEthernet 0/24
         Interface:  FastEthernet0/24
         MAC Address:  0015.c549.5c99
         IP Address:  172.22.3.74
         User-Name:  00-15-C5-49-5C-99
         Status:  Authz Success
         Domain:  DATA
         Oper host mode:  multi-auth
         Oper control dir:  both
         Authorized By:  Authentication Server
         Vlan Group:  N/A
         ACS ACL:  xACSACLx-IP-redirect-4f743d58
         URL Redirect ACL:  redirect
         URL Redirect:  https://ISE-ip:8443/guestportal/gateway?sessionId=AC16011F000000510B44FBD2&action=cwa
         Session timeout:  N/A
         Idle timeout:  N/A
         Common Session ID:  AC16011F000000160042BD98
         Acct Session ID:  0x0000001B
         Handle:  0x90000016
         Runnable methods list:
         Method   State
         mab      Authc Success
    on the logging, I get the following messages...
    017857: Mar 29 11:27:04: epm-redirect:IDB=FastEthernet0/24: In epm_host_ingress_traffic_qualify ...
    017858: Mar 29 11:27:04: epm-redirect:epm_redirect_cache_gen_hash: IP=172.22.3.74 Hash=271
    017859: Mar 29 11:27:04: epm-redirect:IP=172.22.3.74: CacheEntryGet Success
    017860: Mar 29 11:27:04: epm-redirect:IP=172.22.3.74: Ingress packet on [idb= FastEthernet0/24] matched with [acl=redirect]
    017861: Mar 29 11:27:04: epm-redirect:IDB=FastEthernet0/24: Enqueue the packet with if_input=FastEthernet0/24
    017862: Mar 29 11:27:04: epm-redirect:IDB=FastEthernet0/24: In epm_host_ingress_traffic_process ...
    017863: Mar 29 11:27:04: epm-redirect:IDB=FastEthernet0/24: Not an HTTP(s) packet
    What am I missing?
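    As an added illustration (not code from Nuno's posts or from the Cisco document he refers to), the following Python model walks a packet through the two decision stages that the quoted epm-redirect debug lines expose: first the match against the URL-redirect ACL, then the "HTTP(s) packet" check. Two things are assumptions written into the code rather than facts taken from the thread: that a permit entry in the redirect ACL selects traffic for redirection while a deny entry or no match exempts it, and that only TCP to ports 80 and 443 is intercepted. The two ACLs are the ones posted above; the 192.0.2.x destination addresses (web server, proxy, DNS) are constructed.

```python
"""Model of a Cisco-style URL-redirect ACL decision (added example).

Assumptions, not statements from the original posts:
  * first-match semantics; a 'permit' entry selects a packet for
    redirection, a 'deny' entry (or no match at all) exempts it;
  * only TCP to ports 80/443 is intercepted, which is how the
    'Not an HTTP(s) packet' debug line is interpreted here.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PORT_NAMES = {"www": 80, "http": 80, "https": 443}
HTTP_PORTS = {80, 443}  # ports assumed to be intercepted for redirection


@dataclass
class Ace:
    action: str                   # "permit" or "deny"
    proto: str                    # "ip", "tcp" or "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]          # None means any destination port


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


def _parse_addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    wildcard = int(ipaddress.ip_address(tokens[i + 1]))
    netmask = ipaddress.ip_address(0xFFFFFFFF ^ wildcard)  # wildcard -> netmask
    return ipaddress.ip_network(f"{tokens[i]}/{netmask}", strict=False), i + 2


def parse_acl(text: str) -> List[Ace]:
    """Parse 'show ip access-lists' style output into ACEs.

    Sequence numbers and trailing '(N matches)' counters are ignored.
    """
    aces: List[Ace] = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] in ("Extended", "Standard"):
            continue  # blank line or the access-list header line
        if tokens[0].isdigit():
            tokens = tokens[1:]
        action, proto = tokens[0], tokens[1]
        src, i = _parse_addr(tokens, 2)
        dst, i = _parse_addr(tokens, i)
        dport = None
        if i < len(tokens) and tokens[i] == "eq":
            name = tokens[i + 1]
            dport = PORT_NAMES.get(name) or int(name)
        aces.append(Ace(action, proto, src, dst, dport))
    return aces


def matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in ace.src:
        return False
    if ipaddress.ip_address(pkt.dst) not in ace.dst:
        return False
    return ace.dport is None or ace.dport == pkt.dport


def redirect_decision(acl: List[Ace], pkt: Packet) -> str:
    """Explain, stage by stage, whether a packet would be redirected."""
    for ace in acl:
        if matches(ace, pkt):
            if ace.action == "deny":
                return "exempt: matched deny entry"
            break  # permit: selected for redirection, now apply the HTTP check
    else:
        return "exempt: no matching entry (implicit deny)"
    if pkt.proto == "tcp" and pkt.dport in HTTP_PORTS:
        return "redirect"
    return "matched ACL but not an HTTP(s) packet"


# The two redirect ACLs exactly as posted in the thread above
ORIGINAL_REDIRECT_ACL = parse_acl("""
Extended IP access list redirect
    10 deny ip any host 172.22.2.38
    20 permit tcp any any eq www
    30 permit tcp any any eq 443
""")
LOOSE_REDIRECT_ACL = parse_acl("""
Extended IP access list redirect
    10 permit ip any any (13 matches)
""")

if __name__ == "__main__":
    client = "172.22.3.184"  # client IP from the first session output above
    # 192.0.2.x destinations are constructed: web server, HTTP proxy, DNS
    for label, acl in (("original", ORIGINAL_REDIRECT_ACL),
                       ("permit-any", LOOSE_REDIRECT_ACL)):
        for pkt in (Packet("tcp", client, "192.0.2.10", 80),
                    Packet("tcp", client, "172.22.2.38", 443),
                    Packet("tcp", client, "192.0.2.80", 8080),
                    Packet("udp", client, "192.0.2.53", 53)):
            print(f"{label:10} {pkt.proto} -> {pkt.dst}:{pkt.dport}: "
                  f"{redirect_decision(acl, pkt)}")
```

Under the model, a browser pointed at a proxy on port 8080 never produces a packet that passes both stages: with the original ACL there is no entry for port 8080, and with "permit ip any any" the packet matches the ACL but is not HTTP(S) on 80/443, which is the sequence of debug messages the second post shows. The model is a reading of the posted output, not a statement about IOS internals.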

  • Integration of custom identity services with JDeveloper BPEL designer

    Hi,
    I'd like to know if a custom user repository plugin will cause the 'Identity Lookup Dialog' (Step 6 of Human Workflow Wizard to generate a user task) to utilize the list of users and groups from a third party provider, when used as the Custom Identity Service provider.
    I'd like to have the custom list of users and groups at 'design time' of the BPEL process itself, as well as process runtime. Is this possible?
    This is with respect to both BPEL PM v10.2.0.2 and v 10.1.3.1.0.
    Regards,
    Vineet

    ok, thank you for the reply.
    But the installation of the Oracle BPEL Process Manager for Developers, which includes JDeveloper and the BPEL Designer, doesn't come with 10.1.3.1.0?
    I have to install JDeveloper and the BPEL Process Manager separately?
    Thx
