LDAP integration with ISE

We are doing an LDAP integration with ISE but we are getting the following error. We were not able to identify the problem when we tested the following scenarios.
1. When we check with Anonymous access we are successful and we get the message “Bind Successful to gluetest.systems.XXXX:3269”
2. When we use the user name and password CN=GRHIIISEPOC,OU=,XXXX, DC=YYYY, DC=ADROOTTEST,DC=YYYY, we are not successful and we get the message “Test Failed: Invalid Admin Credentials or Security Settings: Check Admin Username and Password and make the security settings are compatible with the server:”
Please confirm whether the user ID I am using does not have admin privileges, or whether I have entered the parameters correctly.
Thanks

Did you use Softerra or an LDAP browser to pull the DN of this user account?
Thanks
Sent from Cisco Technical Support Android App
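An added example for the thread above (not ISE code and not from either poster): a lenient RFC 4514 checker that reports structural problems in a bind DN before it is typed into the admin-DN field. An anonymous bind succeeding on port 3269 (the Global Catalog over TLS) only shows that the server is reachable and accepts anonymous binds; it says nothing about the admin DN or its password. The DN as quoted contains `OU=,XXXX`, an `OU` with an empty value followed by a component with no `=` (possibly an artefact of redaction), and that is exactly the kind of defect this checker flags. All DN strings in the block are constructed.

```python
"""Lenient RFC 4514 DN structure checker.

Added example for the thread above; not ISE code. It reports the kinds of
DN problems that make a simple bind fail before any credential is checked:
empty RDNs, RDN components without '=', empty attribute values and bad
attribute types. Backslash-escaped characters are respected.
"""
import re
from typing import List

# Attribute type: a descriptor (CN, OU, DC, ...) or a dotted OID.
ATTR_TYPE = re.compile(r"^(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)+)$")


def split_unescaped(s: str, sep: str) -> List[str]:
    """Split s on sep, keeping backslash-escaped separators inside a part."""
    parts, buf, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            buf.append(s[i:i + 2])      # keep the escape pair intact
            i += 2
            continue
        if s[i] == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(s[i])
        i += 1
    parts.append("".join(buf))
    return parts


def check_dn(dn: str) -> List[str]:
    """Return a list of problems; an empty list means the DN looks well-formed.

    Whitespace after a comma (as in 'DC=a, DC=b') is tolerated, as most
    directories accept it.
    """
    problems: List[str] = []
    if not dn.strip():
        return ["DN is empty"]
    for idx, rdn in enumerate(split_unescaped(dn, ",")):
        rdn = rdn.strip()
        if not rdn:
            problems.append(f"RDN {idx}: empty RDN (doubled or trailing comma)")
            continue
        for ava in split_unescaped(rdn, "+"):   # multi-valued RDN: a=1+b=2
            if "=" not in ava:
                problems.append(f"RDN {idx}: component '{ava}' has no '='")
                continue
            attr, value = ava.split("=", 1)
            attr = attr.strip()
            if not ATTR_TYPE.match(attr):
                problems.append(f"RDN {idx}: bad attribute type '{attr}'")
            if not value.strip():
                problems.append(f"RDN {idx}: attribute '{attr}' has an empty value")
    return problems


if __name__ == "__main__":
    # Constructed DNs; the first mirrors the shape quoted in the thread.
    for dn in ("CN=GRHIIISEPOC,OU=,XXXX, DC=YYYY, DC=ADROOTTEST,DC=YYYY",
               "CN=svc-ise,OU=Service Accounts,DC=example,DC=com",
               r"CN=Doe\, Jane,OU=Users,DC=example,DC=com"):
        print(dn, "->", check_dn(dn) or "ok")
```

Run it against the DN copied from your LDAP browser before pasting it into ISE; a clean result narrows the failure down to the password, the account's bind rights, or the TLS settings that the ISE error message lumps together.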

Similar Messages

  • SNMP integration with ISE 1.2

    Hi Guys,
    Did anyone have a hard time integrating ISE 1.2 with an SNMP server for polling system parameters? I'm trying to add ISE 1.2.1 to the SolarWinds SNMP server, but when adding the required parameters like IP address and community string and doing an SNMP test connection it returns a failure message. SNMP configuration on ISE is quite simple. Only two commands are needed, which are the SNMP server IP and community string values. Searching on the web, I saw a bug CSCun42967 that documents SNMP problems with ISE 1.2. Could that be the problem? Or are there any limitations for this integration?
    Thanks,
    Mohammad

    Here is the helpful link :
    https://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_sw_cnfg.pdf

  • LDAP Integration with CUCM 9.0

    We would like to use LDAP to sync all of our users from Active Directory. All of our current CM users are local; the problem is that they have the same user names as our Active Directory users. From what I understand this is going to be a problem because:
    "If accounts from LDAP match an existing Unified CM account that is not marked as an LDAP synchronized account, then these accounts are ignored."
    Does that mean we will have to delete all our existing CM users in order to sync the LDAP users correctly? Is there a best practice for this? Once we synchronize the LDAP users, how do I ensure that the user gets associated with the proper phone? Or do I have to visit each user individually?

    I just did a quick test for this, my lab CUCM 9 is already LDAP integrated, but I created a local user, then I created that same local user in my LDAP OU, and performed a full sync.
    The user is no longer showing as a local active user, but as an active LDAP synchronized user.
    Which was my thought, there's only one conversion, from LDAP to local.
    The behavior is just as with any previous release, local users who match an LDAP user after you enable it, are just updated, and kept with all their configurations.
    I checked the option to turn it back again into a local user, did a full sync, and it's again an active LDAP user.
    HTH
    java
    if this helps, please rate
    www.cisco.com/go/pdihelpdesk

  • Strip @domain on LDAP Integration with Cisco ISE?

    Hi there ,
    I got a WLC connected with a Cisco ISE. There are two SSIDs authenticated against the ISE.
    One SSID has AD integration as External Identity Source, the other SSID is authenticated through LDAP.
    Authentication is working fine.
    When a user authenticates through LDAP, he/she has to enter "username@domain". The protocol is EAP-GTC.
    How can I change the ISE so that the user only has to enter "username" and the "@domain" part is already set on the ISE?
    Thanks a lot,
    Norbert

    From the user guide it seems that LDAP only allows you to strip the prefix/suffix and can't add the suffix.
    http://www.cisco.com/en/US/docs/security/ise/1.1/user_guide/ise_man_id_stores.html#wp1054421
    Strip start of subject name up to the last occurrence of the separator
    Strip end of subject name from the first occurrence of the separator
    Regards,
    Jatin
    Do rate helpful posts-
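An added example (not from the reply, not ISE code) that models the two subject-name options quoted from the user guide: the prefix strip removes everything up to the last occurrence of its separator, the suffix strip removes everything from the first occurrence of its separator. It makes the reply's point concrete: both operations only remove text, so a bare `username` comes out unchanged and no domain is ever appended. Function and parameter names are this example's own.

```python
"""ISE-style subject-name stripping, as an added example.

Models the two options quoted from the ISE user guide:
  - strip the start of the subject up to the LAST occurrence of a separator
  - strip the end of the subject from the FIRST occurrence of a separator
Stripping only ever removes text; nothing appends a domain. Names here are
this example's own, not ISE configuration keys.
"""
from typing import Optional


def strip_prefix(subject: str, separator: str) -> str:
    """Remove everything up to and including the LAST separator, if present."""
    pos = subject.rfind(separator)
    return subject if pos < 0 else subject[pos + len(separator):]


def strip_suffix(subject: str, separator: str) -> str:
    """Remove everything from the FIRST separator onwards, if present."""
    pos = subject.find(separator)
    return subject if pos < 0 else subject[:pos]


def normalise_subject(subject: str,
                      prefix_sep: Optional[str] = None,
                      suffix_sep: Optional[str] = None) -> str:
    """Apply prefix stripping, then suffix stripping, like the two settings."""
    if prefix_sep:
        subject = strip_prefix(subject, prefix_sep)
    if suffix_sep:
        subject = strip_suffix(subject, suffix_sep)
    return subject


if __name__ == "__main__":
    # Constructed subjects showing the last-vs-first asymmetry.
    for s in ("CORP\\norbert@corp.example", "a\\b\\c", "user@sub@example", "norbert"):
        print(repr(s), "->", repr(normalise_subject(s, "\\", "@")))
```

The asymmetry matters for subjects with repeated separators: `a\b\c` keeps only `c`, while `user@sub@example` keeps `user`.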

  • Jabber for Windows - without LDAP integrated with CUCM Jabber UDS - NO PEOPLE CAN SEARCH

    Hi all Jabber Experts,
    I have the CUCM, which is version 8.6, and the Presence Server, which is version 8.6, which is not integrated with LDAP, but I want to deploy Jabber for Windows.
    So I would use UDS to deploy Jabber for Windows (modified the XML and uploaded it to the CUCM TFTP server).
    Finally, the users that were manually added in CUCM can log in.
    But I cannot search other users from the Buddy List. Any idea for that?

    First of all, either you use CUCM 8.6 with CUPS 8.6, or you use CUCM 9.1 with IM&P 9.1, what you're mentioning is just impossible as they're not compatible and that's not supported.
    HTH
    java
    if this helps, please rate
    www.cisco.com/go/pdihelpdesk

  • Is ASA integration with ISE and RSA for 2 factor authentication a valid/tested design

    Hi,
    Customer currently uses an ASA to directly integrate with an RSA kind of solution to provide a 2-factor authentication mechanism for VPN user access. We're considering introducing ISE to this picture, and offloading posture analysis from the ASA to ISE. The flow we're thinking of is to have the ASA interface to ISE and ISE interface to the RSA and AD backend infrastructure. And we still need the 2-factor authentication to work, i.e., the customer gets an SMS code in addition to their login username and password. I'm wondering if an ASA/ISE/RSA/AD integrated solution (with 2-factor authentication working) is a tested solution or a Cisco Validated Design? Are there any potential issues that may break the flow?
    Thanks in advance for any input!
    Tina

    Hi,
    I have an update for this quite broad question.
    I have now come a bit further on the path.
    Now the needed RADIUS Access attributes are available in ISE after adding them in
    "Policy Elements" -> "Dictionaries" -> "System" -> "Radius" -> "Cisco-VPN3000".
    I added both the attribute 146 Tunnel-Group-Name, which I really need to achieve what I want (select different OTP backends depending on Tunnel Group in the ASA), and the other new attribute 150 Client-Type, which could be interesting to look at as well.
    Here the "Diagnostics Tools" -> "General tools" -> "TCP Dump" and Wireshark helped me understand how this worked.
    With that I could really see the attributes in the RADIUS access requests going in to the ASA.
    Now looking at a request in "Radius Authentication details" I have
    Other Attributes:
    ConfigVersionId=29,Device Port=1025,DestinationPort=1812,RadiusPacketType=AccessRequest,Protocol=Radius,CVPN3000/ASA/PIX7.x-Tunnel-Group-Name=SMHI-TG-RA-ISESMS,CVPN3000/ASA/PIX7.x-Client-Type=,CPMSessionID=ac100865000006294FD60A7F,.....
    OK, the tunnel group name attribute seems to be understood correctly, but Client-Type just says =, no value for that.
    That is strange, I must have defined that wrong (?), but let's leave that for now, I do not really need it for the moment.
    So now that I have this Tunnel-Group-Name attribute available I want to use it in my Rule-Based Authentication Policy.
    The problem now is that as soon as I add a criterion to an expression containing Cisco-VPN3000:CVPN3000/ASA/PIX7.x-Tunnel-Group-Name matches .* (just anything), that row does not match any more. It still works matching against NAS-IP and other attributes.
    What could it be I have missed?
    Best regards
    /Mattias
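An added example (not from the post, not ISE code): a parser for the "Other Attributes" line of an ISE RADIUS authentication detail report, as pasted above. It turns the comma-separated `key=value` text into a dict and lists the attributes that arrived with an empty value, so you can confirm that an attribute actually carries a value before you build a policy condition on it. The sample line is constructed from the one quoted in the post; the trailing `,.....` is how the report was pasted and is skipped.

```python
"""Parser for the 'Other Attributes' line of an ISE RADIUS authentication
detail report, as an added example (not ISE code).
"""
from typing import Dict, List

# Constructed from the line quoted in the post; the trailing ',.....' is
# pasted filler and is ignored by the parser.
SAMPLE = ("ConfigVersionId=29,Device Port=1025,DestinationPort=1812,"
          "RadiusPacketType=AccessRequest,Protocol=Radius,"
          "CVPN3000/ASA/PIX7.x-Tunnel-Group-Name=SMHI-TG-RA-ISESMS,"
          "CVPN3000/ASA/PIX7.x-Client-Type=,"
          "CPMSessionID=ac100865000006294FD60A7F,.....")


def parse_other_attributes(text: str) -> Dict[str, str]:
    """Split 'k=v,k=v' text into a dict; tokens without '=' are skipped.

    Values are assumed not to contain commas, which holds for the
    attributes in the quoted report.
    """
    attrs: Dict[str, str] = {}
    for token in text.split(","):
        token = token.strip()
        if "=" not in token:
            continue                      # e.g. the pasted '.....' filler
        key, value = token.split("=", 1)
        attrs[key.strip()] = value.strip()
    return attrs


def empty_attributes(attrs: Dict[str, str]) -> List[str]:
    """Names of attributes that were sent with no value."""
    return [k for k, v in attrs.items() if v == ""]


def vendor_attribute(attrs: Dict[str, str], name: str) -> str:
    """Value of a CVPN3000/ASA/PIX7.x-prefixed attribute, '' if absent."""
    return attrs.get(f"CVPN3000/ASA/PIX7.x-{name}", "")


if __name__ == "__main__":
    parsed = parse_other_attributes(SAMPLE)
    print("Tunnel-Group-Name:", vendor_attribute(parsed, "Tunnel-Group-Name"))
    print("attributes with empty values:", empty_attributes(parsed))
```

Paste the "Other Attributes" line from several requests through `parse_other_attributes` and compare the `empty_attributes` output; an attribute that is consistently empty is not one to condition a rule on until its definition in the dictionary has been checked.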

  • EP60 and LDAP integration with Microsoft AD - Issues

    Hello,
    We have configured EP6 SP11 and Microsoft AD for the user authentication as below.
    MsAD:
    AD_Compass_Domain
    OU= Accounts
        OU=CORPORATE
              OU=IT
                    User1 (User master record)
                     User2 (User master record)
                OU=FI
                     User3 (User master record)
    OU=SAP_Portal
           OU=Corp_LDAP
                 OU= Groups
                          SAP_Portal (Group Object and users are member of this group object as a link from all different OUs -user1,user2,user3)
                  OU= Users
    EP6 LDAP config:
    Data Sources: Microsoft ADS (Flat Hierarchy) + Database
    (We also tried Deep hierarchy didn't work)
    LDAP Server:
    User Path : OU=SAP_Portal,DC=NA,DC=CompassDev,DC=Corp
    Group Path :
    OU=Groups,OU=Corp_LDAP,OU=SAP_Portal,DC=NA,DC=CompassDev,DC=Corp
    The issues:
    1- SAP Portal could not see the group object when I browse the LDAP from portal.
    2- SAP Portal is not allowing users (User1, User2, User3 etc., which are members of the group object) to log in to the portal unless I put users directly under the OU level like OU=Groups, or if I point the path to the
    OU=Accounts level, which we do not want to do because we have 50,000 users defined under OU=Accounts and we want just some of them, like 3000 users. Portal gives the message
    “user authentication failed”
    Note: I checked the UME and I don’t see the users listed in the group objects. Group object "SAP_Portal" is Universal Group object. (We also tried the global type)
    3- When we put users directly under the OU level, then users can log in but they are not able to change their password. We also cannot change the user passwords through the Portal admin tools (UME or Visual Admin). I
    have heard that without SSL, MsAD would not allow portal users to change their password.
    a. (Portal internal user, [email protected], has
    only read access on MsAD)
    Note: We use 3268 as an AD port and 389 is also active I tried both of them but no chance.
    Thanks for your help in advance.

    Sasikanth,
    Usually before you switch UME to AD, you would read it with an LDAP web compliant browser, to check if you could access your OU, Group, and Users. Are you sure you can read the complete LDAP structure on AD?
    Kindly re-check the process, to see if you missed out on any steps.
    http://help.sap.com/saphelp_erp2004/helpdata/en/cc/cdd93f130f9115e10000000a155106/frameset.htm
    Check note 772620 - UME 4.0: Create Groups on Microsoft Active Directory Server
    Regards,
    James
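An added example for the EP6/AD thread above (not SAP or UME code, and not from either poster). A user store searched from a base DN can only return entries beneath that base, so group members that live elsewhere in the tree cannot be resolved from it; the poster's observation that users log in only when placed directly under the configured path or when the path is moved up to OU=Accounts is consistent with that. The block checks which members of a group fall under a candidate user path, at one level or in the whole subtree. The DNs are constructed from the tree sketched in the post (OU=FI is placed under OU=CORPORATE, which the indentation leaves ambiguous); whether the "flat" and "deep" data-source templates map to a one-level versus subtree search is an assumption to verify against the SAP documentation linked in the reply.

```python
"""Which group members fall under a configured LDAP user path?

Added example for the EP6/AD thread; not SAP or UME code. Comparison is
done on normalised RDN lists (case-insensitive, whitespace-tolerant)
rather than on raw string suffixes, so 'OU=Groups' never matches
'OU=XGroups'. Escaped commas in DNs are assumed absent.
"""
from typing import List

BASE = "DC=NA,DC=CompassDev,DC=Corp"
USER_PATH_PORTAL = "OU=SAP_Portal," + BASE
USER_PATH_ACCOUNTS = "OU=Accounts," + BASE

# Constructed member DNs, as the group's member attribute would list them.
MEMBERS = [
    "CN=User1,OU=IT,OU=CORPORATE,OU=Accounts," + BASE,
    "CN=User2,OU=IT,OU=CORPORATE,OU=Accounts," + BASE,
    "CN=User3,OU=FI,OU=CORPORATE,OU=Accounts," + BASE,
]


def rdns(dn: str) -> List[str]:
    """Normalised RDN list, leaf first."""
    return [part.strip().lower() for part in dn.split(",")]


def depth_below(dn: str, base: str) -> int:
    """Number of RDN levels dn sits below base, or -1 if dn is not under base."""
    d, b = rdns(dn), rdns(base)
    if len(d) <= len(b) or d[-len(b):] != b:
        return -1
    return len(d) - len(b)


def resolvable(members: List[str], user_path: str, scope: str = "subtree") -> List[str]:
    """Members a search rooted at user_path would find.

    scope="onelevel" keeps only direct children of user_path;
    scope="subtree" keeps anything beneath it.
    """
    found = []
    for member in members:
        depth = depth_below(member, user_path)
        if depth == 1 or (scope == "subtree" and depth > 1):
            found.append(member)
    return found


if __name__ == "__main__":
    for path in (USER_PATH_PORTAL, USER_PATH_ACCOUNTS):
        for scope in ("onelevel", "subtree"):
            hits = resolvable(MEMBERS, path, scope)
            print(f"{path} [{scope}]: {len(hits)} of {len(MEMBERS)} members resolvable")
```

With the portal path no member is resolvable at either scope, which matches the "user authentication failed" symptom; with OU=Accounts as the path all three are resolvable only with a subtree search, and a one-level search still finds none, because the users sit three levels down.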

  • ISE and LDAP Integration

    Hello,
    I have a question about the LDAP integration with the ISE:
    Since the ISE has a limitation of reading only 100 groups, I cannot find the groups that I need to use in the authorization, and also the ISE cannot find a group if I search for it directly.
    What I mean here is that I can fetch the first 100 groups from the top of the directory, but when I search, for example, for any group (whether it appears on the list or not), the ISE does not find it.
    I even tried to change the base DN and the search DN, but without luck.
    The ISE version is 1.1.4 installed on a VM and the LDAP schema is AD.
    Is there any missing information/tips required in such an integration?

    Hello,
    I found a Cisco doc that covers the key features of the integration of Cisco ISE and LDAP. I hope this helps!
    This section contains the following:
    • Directory Service
    • Multiple LDAP Instances
    • Failover
    • LDAP Connection Management
    • User Authentication
    • Authentication Using LDAP
    • Binding Errors
    • User Lookup
    • MAC Address Lookup
    • Group Membership Information Retrieval
    • Attributes Retrieval
    • Certificate Retrieval
    http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_man_id_stores.html#wp1059913

  • Flexconnect with ISE Issue

    Hi Everyone,
    I have an issue trying to deploy FlexConnect in a WLC integrated with ISE.
    In the scenario, the users are working properly through the wireless network and they are able to authenticate, the NAC agent is invoked and everyone can get authorization access to the network using Radius NAC as NAC State. But when we tick the feature "FlexConnect Local Switching" and apply the change, the users cannot get an IP address from DHCP and the client status in the WLC shows POSTURE_REQD.
    We can see in ISE that the user is able to authenticate but never gets authorization, and the NAC state is not showing on the PC.
    Any idea about this issue? Is this maybe a limitation or a configuration error?
    Regards

    There are some documents for this type of deployment:
    http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080c090eb.shtml
    http://www.cisco.com/en/US/products/ps10315/products_tech_note09186a0080bcb905.shtml#anc13
    Don't stop after you've improved your network! Improve the world by lending money to the working poor:
    http://www.kiva.org/invitedby/karsteni

  • Cannot start BI services after configuring LDAP integration

    Hi all,
    After configuring LDAP integration with OBIEE, I stopped all BI services and started them again. It throws the following error:
    <Nov 24, 2012 2:05:16 PM AST> <Error> <Security> <BEA-090892> <The loading of OPSS java security policy provider failed due to exception, see th
    ption stack trace or the server log file for root cause. If still see no obvious cause, enable the debug flag -Djava.security.debug=jpspolicy to
    ore information. Error message: oracle.security.jps.JpsException: [PolicyUtil] Exception while getting default policy Provider>
    <Nov 24, 2012 2:05:16 PM AST> <Critical> <WebLogicServer> <BEA-000386> <Server subsystem failed. Reason: weblogic.security.SecurityInitializatio
    tion: The loading of OPSS java security policy provider failed due to exception, see the exception stack trace or the server log file for root c
    If still see no obvious cause, enable the debug flag -Djava.security.debug=jpspolicy to get more information. Error message: oracle.security.jps
    ception: [PolicyUtil] Exception while getting default policy Provider
    weblogic.security.SecurityInitializationException: The loading of OPSS java security policy provider failed due to exception, see the exception
    trace or the server log file for root cause. If still see no obvious cause, enable the debug flag -Djava.security.debug=jpspolicy to get more in
    ion. Error message: oracle.security.jps.JpsException: [PolicyUtil] Exception while getting default policy Provider
            at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.loadOPSSPolicy(CommonSecurityServiceManagerDelegateImpl.java:1398)
            at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initialize(CommonSecurityServiceManagerDelegateImpl.java:1018)
            at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:873)
            at weblogic.security.SecurityService.start(SecurityService.java:141)
            at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
            Truncated. see log file for complete stacktrace
    Caused By: oracle.security.jps.JpsRuntimeException: oracle.security.jps.JpsException: [PolicyUtil] Exception while getting default policy Provid
            at oracle.security.jps.internal.policystore.PolicyDelegationController.<init>(PolicyDelegationController.java:293)
            at oracle.security.jps.internal.policystore.PolicyDelegationController.<init>(PolicyDelegationController.java:284)
            at oracle.security.jps.internal.policystore.JavaPolicyProvider.<init>(JavaPolicyProvider.java:270)
            at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
            at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
            Truncated. see log file for complete stacktrace
    Caused By: oracle.security.jps.JpsException: [PolicyUtil] Exception while getting default policy Provider
            at oracle.security.jps.internal.policystore.PolicyUtil.getDefaultPolicyStore(PolicyUtil.java:899)
            at oracle.security.jps.internal.policystore.PolicyDelegationController.<init>(PolicyDelegationController.java:291)
            at oracle.security.jps.internal.policystore.PolicyDelegationController.<init>(PolicyDelegationController.java:284)
            at oracle.security.jps.internal.policystore.JavaPolicyProvider.<init>(JavaPolicyProvider.java:270)
            at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
            Truncated. see log file for complete stacktrace
    Caused By: java.security.PrivilegedActionException: oracle.security.jps.JpsException: [PolicyUtil] Unable to obtain default JPS Context!
            at java.security.AccessController.doPrivileged(Native Method)
            at oracle.security.jps.internal.policystore.PolicyUtil.getDefaultPolicyStore(PolicyUtil.java:844)
            at oracle.security.jps.internal.policystore.PolicyDelegationController.<init>(PolicyDelegationController.java:291)
            at oracle.security.jps.internal.policystore.PolicyDelegationController.<init>(PolicyDelegationController.java:284)
            at oracle.security.jps.internal.policystore.JavaPolicyProvider.<init>(JavaPolicyProvider.java:270)
            Truncated. see log file for complete stacktrace
    Caused By: oracle.security.jps.JpsException: [PolicyUtil] Unable to obtain default JPS Context!
            at oracle.security.jps.internal.policystore.PolicyUtil$1.run(PolicyUtil.java:860)
            at oracle.security.jps.internal.policystore.PolicyUtil$1.run(PolicyUtil.java:844)
            at java.security.AccessController.doPrivileged(Native Method)
            at oracle.security.jps.internal.policystore.PolicyUtil.getDefaultPolicyStore(PolicyUtil.java:844)
            at oracle.security.jps.internal.policystore.PolicyDelegationController.<init>(PolicyDelegationController.java:291)
            Truncated. see log file for complete stacktrace
    Caused By: oracle.security.jps.service.idstore.IdentityStoreException: JPS-00056: Failed to create identity store service instance idstore.ldap.
    er:idstore.ldap. Reason: oracle.security.jps.JpsRuntimeException: JPS-00027: internal error You configured a generic WLS LDAPAuthenticator.
    The identity store type cannot be determined. Please choose an LDAP Authentication provider that matches your LDAP server.
            at oracle.security.jps.internal.idstore.ldap.LdapIdentityStoreProvider.getIdStoreConfig(LdapIdentityStoreProvider.java:195)
            at oracle.security.jps.internal.idstore.ldap.LdapIdentityStoreProvider.access$300(LdapIdentityStoreProvider.java:70)
            at oracle.security.jps.internal.idstore.ldap.LdapIdentityStoreProvider$NoLibOvd.getInstance(LdapIdentityStoreProvider.java:242)
            at oracle.security.jps.internal.idstore.ldap.LdapIdentityStoreProvider.getInstance(LdapIdentityStoreProvider.java:114)
            at oracle.security.jps.internal.idstore.ldap.LdapIdentityStoreProvider.getInstance(LdapIdentityStoreProvider.java:70)
            Truncated. see log file for complete stacktrace
    >
    <Nov 24, 2012 2:05:16 PM AST> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to FAILED>
    <Nov 24, 2012 2:05:16 PM AST> <Error> <WebLogicServer> <BEA-000383> <A critical service failed. The server will shut itself down>
    <Nov 24, 2012 2:05:16 PM AST> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to FORCE_SHUTTING_DOWN>
    D:\OraHome\Middlleware>
    I was not able to log in to the console since the admin server is not getting started.
    Kindly help me to overcome this issue.
    Thanks,
    Haree

    Thanks for the reply Veeravalli.
    I stopped the services and deleted the config.lok file, then edited the config.xml file under *%MW_HOME%\user_projects\domains\bifoundation_domain\config*. Then I started the BI services. Now it's working fine.
    Thanks,
    Haree
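An added example for the OBIEE thread above (not Oracle code, and not the poster's edit). The OPSS message in the log says the identity store type cannot be determined because the realm uses the generic WLS LDAPAuthenticator, and asks for a provider that matches the directory; the poster resolved it by editing config.xml. This script parses a config.xml and reports every authentication provider whose `xsi:type` is the generic `ldap-authenticatorType`, so the file can be checked after editing and before the services are started again. The config.xml excerpt is constructed; the element names, namespaces and `wls:...-authenticatorType` values follow WebLogic's config.xml schema as I know it and should be verified against your own file.

```python
"""Flag a generic LDAPAuthenticator in a WebLogic config.xml.

Added example for the OBIEE thread; not Oracle code. Elements are matched
by local name so the check does not depend on namespace prefixes. The
provider type names used in SAMPLE_CONFIG are assumed from WebLogic's
config.xml schema; verify them against your own file.
"""
import xml.etree.ElementTree as ET
from typing import List, Tuple

XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"
GENERIC_TYPES = {"ldap-authenticatorType"}   # the generic WLS LDAPAuthenticator

# Constructed excerpt: one generic provider, one directory-specific one,
# plus the default embedded-LDAP authenticator.
SAMPLE_CONFIG = """<domain xmlns="http://xmlns.oracle.com/weblogic/domain"
        xmlns:sec="http://xmlns.oracle.com/weblogic/security"
        xmlns:wls="http://xmlns.oracle.com/weblogic/security/wls"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <security-configuration>
    <realm>
      <sec:authentication-provider xsi:type="wls:ldap-authenticatorType">
        <sec:name>MyLDAPAuthenticator</sec:name>
        <sec:control-flag>SUFFICIENT</sec:control-flag>
      </sec:authentication-provider>
      <sec:authentication-provider xsi:type="wls:active-directory-authenticatorType">
        <sec:name>MyADAuthenticator</sec:name>
        <sec:control-flag>SUFFICIENT</sec:control-flag>
      </sec:authentication-provider>
      <sec:authentication-provider xsi:type="wls:default-authenticatorType">
        <sec:name>DefaultAuthenticator</sec:name>
        <sec:control-flag>SUFFICIENT</sec:control-flag>
      </sec:authentication-provider>
    </realm>
  </security-configuration>
</domain>
"""


def local(tag: str) -> str:
    """Strip the '{namespace}' part from an ElementTree tag."""
    return tag.rsplit("}", 1)[-1]


def authentication_providers(xml_text: str) -> List[Tuple[str, str, str]]:
    """(name, xsi:type, control-flag) for every authentication-provider element."""
    root = ET.fromstring(xml_text)
    out = []
    for el in root.iter():
        if local(el.tag) != "authentication-provider":
            continue
        ptype = el.get(XSI_TYPE, "")
        name = flag = ""
        for child in el:
            if local(child.tag) == "name":
                name = (child.text or "").strip()
            elif local(child.tag) == "control-flag":
                flag = (child.text or "").strip()
        out.append((name, ptype, flag))
    return out


def generic_ldap_providers(xml_text: str) -> List[str]:
    """Names of providers typed as the generic LDAPAuthenticator."""
    return [name for name, ptype, _ in authentication_providers(xml_text)
            if ptype.split(":")[-1] in GENERIC_TYPES]


if __name__ == "__main__":
    for name, ptype, flag in authentication_providers(SAMPLE_CONFIG):
        print(f"{name:25} {ptype:45} {flag}")
    print("generic LDAP providers:", generic_ldap_providers(SAMPLE_CONFIG))
```

To check a real domain, replace `SAMPLE_CONFIG` with the contents of `config.xml` read from disk; a non-empty result from `generic_ldap_providers` is the condition the quoted JPS-00027 error describes.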

  • ISE with Domino LDAP Integration

    Hi everyone,
    Does anyone know about Domino LDAP? I would like to integrate this LDAP with Cisco ISE.
    I tried to bind to this LDAP but it does not show me anything in "Naming Context", so I cannot choose a group to map into ISE.
    I tested this on a WLC. It succeeds there, but I cannot do the same thing with Cisco ISE.
    Is this LDAP supported with Cisco ISE 1.1.1?
    Regards,
    Pongsatorn Maneesud

    Hi,
    There are two templates (schemas) that are supported: one is for AD and the other is for OpenLDAP. Do you have a screenshot of how the WLC is configured?
    However you can create your own see if this guide gets you started:
    http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_man_id_stores.html#wp1068762
    Here is some information on the domino schema -
    http://www-12.lotus.com/ldd/doc/domino_notes/rnext/help6_admin.nsf/b3266a3c17f9bb7085256b870069c0a9/715915cede8d461685256c1d00393b5d?OpenDocument
    Thanks,
    Tarik admani

  • Cisco ISE integration with third-party firewalls

    Can Cisco ISE be integrated with a third-party firewall (such as Checkpoint), to provide authentication/authorization services to remote VPN user devices (based on device MAC address)?
    The remote user would establish a VPN connection to a third-party firewall, based on a username/password authentication, but the user would only be allowed to send/receive traffic to the internal network if the MAC address of the device being used was authorized by Cisco ISE.
    Thank you in advance.

    Rui,
    I do not think the VPN client sends the IP address in a called-station-id; that might be the public IP address that the client is initiating the request from. If you have an existing RADIUS server or can run a packet capture you should be able to verify that.
    If the client does send the MAC address in the RADIUS packet then you can create a custom condition that can be used to check the MAC address along with the username to allow it access to the session. However, in VPN deployments there is no concept of profiling, since 802.1x deployments usually include the client's MAC address.
    Thanks,
    Tarik Admani
    *Please rate helpful posts*

  • Forte integration with LDAP

    Hi.
    Has anyone successfully integrated with LDAP using the C library from the
    LDAP SDK?
    Currently I'm facing a problem when I try to generate the C++ wrapper
    for the C library. The compiler is unable to resolve the data types of
    some data structs. This is because the definitions of these structs are
    not present in any of the include files provided. According to the LDAP
    SDK doc, this is because the fields of those data structs are not
    intended to be accessible to the clients.
    That is why in my wrapper project I defined these structs, each with the
    property Opaque = TRUE.
    The following is the error message:
    BEGIN FILE
    Working directory is d:\forte\tmp\cg13\pc_nt\ldapsrch
    Processing BOM file: LDAPSrch.bom
    Microsoft (R) 32-bit C/C++ Optimizing Compiler Version 11.00.7022 for
    80x86
    Copyright (C) Microsoft Corp 1984-1997. All rights reserved.
    LDAPSrch.cc
    LDAPSrch.cc(70) : error C2027: use of undefined type 'BerElement'
    LDAPSrch.cc(127) : error C2027: use of undefined type 'LDAP'
    LDAPSrch.cc(184) : error C2027: use of undefined type 'LDAPMessage'
    LDAPSrch.cc(203) : error C2733: second C linkage of overloaded function
    'ldap_init' not allowed
    LDAPSrch.cc(204) : error C2733: second C linkage of overloaded function
    'ldap_simple_bind_s' not allowed
    LDAPSrch.cc(205) : error C2733: second C linkage of overloaded function
    'ldap_perror' not allowed
    LDAPSrch.cc(206) : error C2733: second C linkage of overloaded function
    'ldap_search_s' not allowed
    LDAPSrch.cc(207) : error C2733: second C linkage of overloaded function
    'ldap_first_entry' not allowed
    LDAPSrch.cc(208) : error C2733: second C linkage of overloaded function
    'ldap_next_entry' not allowed
    LDAPSrch.cc(209) : error C2733: second C linkage of overloaded function
    'ldap_get_dn' not allowed
    LDAPSrch.cc(210) : error C2733: second C linkage of overloaded function
    'ldap_first_attribute' not allowed
    LDAPSrch.cc(211) : error C2733: second C linkage of overloaded function
    'ldap_next_attribute' not allowed
    LDAPSrch.cc(212) : error C2733: second C linkage of overloaded function
    'ldap_get_values' not allowed
    LDAPSrch.cc(213) : error C2373: 'ldap_value_free' : redefinition;
    different
    type modifiers
    LDAPSrch.cc(214) : error C2733: second C linkage of overloaded function
    'ldap_ber_free' not allowed
    LDAPSrch.cc(215) : error C2733: second C linkage of overloaded function
    'ldap_msgfree' not allowed
    LDAPSrch.cc(216) : error C2373: 'ldap_memfree' : redefinition; different
    type modifiers
    LDAPSrch.cc(217) : error C2733: second C linkage of overloaded function
    'ldap_unbind' not allowed
    cl /W3 /Gf /GX /MD /c /Ob1 /vmg /DSTRICT /DWIN32 /D__WIN32__
    /DLIBOO_DLL
    WIN32_LEAN_AND_MEAN /Id
    :\forte\install\inc\cmn /Id:\forte\install\inc\os
    /Id:\forte\install\inc\ds
    /Id:\forte\install\inc\handles /Id:\forte :\forte\LdapAPIs\include
    /FoLDAPSrch.obj /Tp LDAPSrch.cc
    So, please advise on how I should proceed.
    Thanks in advance.
    from: suen
    To unsubscribe, email '[email protected]' with
    'unsubscribe forte-users' as the body of the message.
    Searchable thread archive <URL:http://pinehurst.sageit.com/listarchive/>

    Hi Anoop,
    To adapt an SAP Workflow, you can create a configuration. In this configuration you can redefine values for steps of the workflow definition. These values are evaluated at runtime instead of the values originally defined.
    You can configure the following step types:
    Activity
    User decision
    Document from template
    Wait
    Features:
    You can set the following data individually in the step definition of the configurable step types:
    1) Responsible agents
    2) Excluded agents
    3) Message recipient for completion
    4) Priority
    5) Requested start
    6) Indicator denoting whether the step is included in the workflow log
    7) Activation of a latest end, a latest start, or a requested end with the reaction Send mail
    8) Reference date/time for latest end, latest start, and requested end
    9) Message recipient for missed deadline
    10) Information about the work item display
    This URL provides info about various workflow codes: http://help.sap.com/erp2005_ehp_02/helpdata/en/9b/572614f6ca11d1952e0000e82dec10/content.htm
    Regds,
    Krutarth

  • ISE integration with Mobile Device Management ( MDM ) help required

    Dear Techies,
    I am bringing to your notice a different issue, with not many resources to support it even in PEC or Cisco documentation.
    We are conducting a Proof of Concept (PoC) on Secure Bring Your Own Device (BYOD) using Cisco ISE and are going to test all the scenarios like wired, wireless and VPN user access.
    Setup Brief:
    =========
    Our setup has an ISE VM acting as Admin, Monitor and Profiling device, we have a NAC 3315 physical appliance as Inline Posture device, a Wireless LAN Controller, an access point and the identity source is Microsoft Active Directory.
    Having plans to integrate Mobile Device Management (MDM) and a Citrix VDI setup also.
    Activity Brief:
    =========
    As of now we have tested the wired scenario authentication and authorization for guest users and are going to carry out the profiling and posture.
    Clarifications Required
    ================
    Wired Scenario - Require some configuration / steps on how to carry out posture for the guest wired users, i.e. laptops.
    Wireless Scenario
    Can MDM be integrated with ISE?
    How can MDM be integrated with Cisco ISE? Is there a configuration or guide to show the same?
    What is the demarcation between MDM and ISE (i.e. what is the role of ISE and MDM on mobile devices)?
    If MDM is available, then when the control of ISE ends, does MDM do the management or will ISE do the management of the devices?
    Will MDM do client provisioning or should ISE do it?
    Does MDM send or update patches on mobile devices?
    As of now these are the scenarios; kindly revert if there are any good documents to show this, or share your expertise on the integration part.
    Thanks for Reading...
    Arun

    I would like to avail your valuable inputs to understand the client provisioning part for the mobile devices / laptops. I understand from your reply that MDM integration is not available in the current release ISE 1.1 - That is correct.
    Kindly let me know your views or any documents on the following scenarios with the current release in mind
    1. User with mobile devices connecting to wireless (both Employee and Guest). How does the flow differ for the Employee and Guest? How is the client provisioning done (i.e. posturing or compliance check)?
    The posturing and compliance check is done based on the user authentication information (i.e. AD memberOf vs Guest user) combined with the user's endpoint (Windows, Mac OS X, or a mobile device); ISE then has a few decisions to make based on the authorization policies. For example, if a Domain User coming from a Windows 7 machine joins the network, then they can either use the NAC agent or the web agent. Then you can scan for registry settings, file settings, program requirements, hotfix compliance... and the list goes on. If the user fails a check then you can either assign an ACL for the user so they only have guest access, or you can place them into a remediation VLAN; the options are entirely up to the requirements and however the solution is implemented.
    2. User with laptop connecting to wireless (both Employee and Guest). How is the client provisioning done (i.e. posturing or compliance check)?
    Guests are usually redirected to the guest portal where they authenticate, and their user group falls within the Guest container that is on the ISE internal database; that is usually coupled with an authorization profile that grants them internet access. For the client provisioning, that is usually done based on the operating system, via profiling (DHCP, user agent string, netmap... etc.) and can be fine-tuned for all laptops or for a specific set of users based on their group membership.
    3. What are the advantages of having ISE also in place for mobile devices, since most of the mobile-related tasks (like authentication, authorization, profiling and posture) are carried out by MDM? I am checking for the significant advantage of having ISE for a client network having only mobile devices. Kindly clarify.
    Currently the advantage of Cisco ISE is that it supports profiling within wireless and really fits well within a network that has mostly Cisco products, since they are all part of the Borderless security initiative being driven on the backend. The product teams for wireless, wired, security (VPN... etc.) and ISE are pretty close in building their solutions so that you can get connected with any device anywhere (sorry for the sales pitch). The latest wireless code is improving and is going to have support similar to the IOS sensor for wired devices, where DHCP, CDP, and other attributes can be sent in the RADIUS packet for better profiling decisions. With integration for an MDM platform coming soon, and also support for TACACS rumored (have to verify with your account rep), you have options that really stand out from a unit that only supports MDM. Cisco ISE also comes with a wireless product ID, so that makes the budget work when it comes to deploying ISE if you aren't looking for enforcement on your wired devices.
    4. Do you recommend 802.1X authentication for the Employee and Contractor? The Guest user authentication as Open?
    For internal users and vendors the best option by far is dot1x; almost all operating systems are capable of performing dot1x, and the 1.1.1 MR has a piece now that can provision the supplicant for the users, by using SCEP to enroll certificates or configure PEAP settings.
    There is a feature within the guest portal that allows you to statically assign guests into an endpoint group; that feature is called device registration web authentication. It seems like an open network but uses MAC filtering to assign these devices to an endpoint group without requiring users to enter any credentials. They are presented with an AUP page; once they accept, their MAC address is mapped to the endpoint group.
    5. How can we ensure the Encryption of traffic from the Guest user to the NAD ( Network Access devices ) ?
    This may be a wireless question but I am sure the encryption is done using AES and using dot1x as the key management here is a brief background for this - http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00807f42e9.shtml#L2
    You can also use the anyconnect client which can provide macsec which is layer 2 encryption for wired - http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/qa_c67-622477_ns1049_Networking_Solutions_Q_and_A.html
    6. We are also looking for VDI  ( Citrix, VMware ) solution for the  client  ( both Employee and Guest ) , how ISE can play a role in  securing the VDI environment.
    For most thin clients you can perform dot1x authentication on the device itself, however that is something the manufacturer will have to support. This is a little gray for me.
    7. Is that any integration required  with Citrix or VMware. How the  VDI can be offered based on the User  role ( i.e. Employee, Contractor or Guest ), since Guest database is  available only with ISE, how the checks are made from the VDI  environment.
    IN ISE there is an identity sequence which can authenticate users in AD first, if the user is not found then it can look in the internal database.
    Our solution demands  MDM in the integrated  solution, As on today ISE cant be integrated with MDM. so what kind of  solution we can propose to have MDM and Cisco ISE .Do the clients now  enter the network should have already installed the MDM agent (or) any  other way of pushing the same to the Client.
    Today there is no integration between the devices, the last release time I heard was December for this feature. However it would be best to confirm with your Cisco Account rep on this issue.
    Thanks,
    Tarik Admani
    *Please rate helpful posts*
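    The identity source sequence mentioned in the answer above (AD first, fall back to the internal database only when the user is not found) is worth seeing as logic, because the fallback rule is what keeps a wrong AD password from being retried against a stale duplicate account in the internal store. The following is an added example, not Cisco ISE code: it models the sequence behaviour as described in the post, with a toy salted-hash store standing in for AD/LDAP and the internal user database. The `unreachable_as_not_found` switch is an analogue (an assumption, not taken from the post) of the ISE advanced search-list option for a store that cannot be accessed. All user names and passwords are constructed sample data.

```python
from dataclasses import dataclass
from enum import Enum, auto
import hashlib
import hmac


class Outcome(Enum):
    OK = auto()            # user found and password verified
    BAD_PASSWORD = auto()  # user found but password wrong
    NOT_FOUND = auto()     # user not present in this store
    UNREACHABLE = auto()   # store could not be queried (e.g. LDAP bind failed)


def make_entry(password: str, salt: bytes) -> tuple:
    """Salted PBKDF2 digest for the constructed sample users below."""
    return (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000))


@dataclass
class IdentityStore:
    """Toy identity store standing in for AD/LDAP or the ISE internal user DB."""
    name: str
    users: dict          # lowercase username -> (salt, digest)
    reachable: bool = True

    def authenticate(self, user: str, password: str) -> Outcome:
        if not self.reachable:
            return Outcome.UNREACHABLE
        entry = self.users.get(user.lower())
        if entry is None:
            return Outcome.NOT_FOUND
        salt, digest = entry
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)
        # constant-time compare so a wrong password cannot be distinguished by timing
        if hmac.compare_digest(candidate, digest):
            return Outcome.OK
        return Outcome.BAD_PASSWORD


@dataclass
class IdentitySequence:
    """Ordered list of stores: 'not found' falls through, 'bad password' stops."""
    stores: list
    # Analogue (assumed) of the ISE advanced setting for a store that cannot be
    # accessed: False -> stop with a process error, True -> treat as 'not found'.
    unreachable_as_not_found: bool = False

    def authenticate(self, user: str, password: str) -> tuple:
        """Return (Outcome, name of the store that decided, or None)."""
        for store in self.stores:
            result = store.authenticate(user, password)
            if result is Outcome.NOT_FOUND:
                continue
            if result is Outcome.UNREACHABLE and self.unreachable_as_not_found:
                continue
            # OK, BAD_PASSWORD, or UNREACHABLE-as-error all end the sequence here
            return result, store.name
        return Outcome.NOT_FOUND, None


def build_demo_sequence(ad_reachable: bool = True,
                        unreachable_as_not_found: bool = False) -> IdentitySequence:
    """Constructed sample data: 'alice' exists in both stores with different passwords."""
    ad = IdentityStore("AD", {
        "alice": make_entry("Winter2024", b"ad-salt-1"),
    }, reachable=ad_reachable)
    internal = IdentityStore("Internal", {
        "alice": make_entry("OldInternalPw", b"int-salt-1"),   # stale local duplicate
        "guest01": make_entry("Visitor!1", b"int-salt-2"),
    })
    return IdentitySequence([ad, internal], unreachable_as_not_found)


if __name__ == "__main__":
    seq = build_demo_sequence()
    print(seq.authenticate("alice", "Winter2024"))      # decided by AD
    print(seq.authenticate("alice", "OldInternalPw"))   # stops at AD, never reaches Internal
    print(seq.authenticate("guest01", "Visitor!1"))     # not in AD, falls through to Internal
```

    The second call in the `__main__` block is the point of the example: because `alice` is found in AD, a wrong password ends the sequence there, and the old internal-database password is never consulted. Only a user absent from AD (like `guest01`) reaches the internal store. If a store is unreachable, the default behaviour stops the sequence with an error rather than silently authenticating everyone against the internal database.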

  • Siebel new LDAP adapter integration with BI Publisher

    Hi All!!
    We have configured our Siebel (8.1.1.3) security adapter with LDAP. BI Publisher is using the Siebel security model.
    We had to clone our AOM (fins_esn, which is using the LDAP security adapter) to finsxx_esn because we are migrating from AD 2000 to 2008 (we are also changing the domain). The roll-out will last 2 months; users will be migrated by branch, it won't be a big bang.
    We have to generate a new LDAP security adapter to authenticate users who are logging in to finsxx_esn against the AD 2008 (AD 2008 is on a different domain than AD 2000; this is working for application authentication, no problems found here).
    On a standalone environment report generation is working, but on a distributed environment (1 AOM, 1 NAOM, 1 Web Server) it is not working.
    Does anyone know how to integrate with BI Publisher when you have two LDAP security adapters on the Siebel application? Or is there any authentication method to use instead of "Siebel Security" so as to achieve this?
    Regards

    We actually ran into a similar problem where I work. I created a support web ticket for our issue and the response is that BIP 11G is not supported for integration with Siebel 8.1, or any other version for that matter. Oracle is currently working on a fix to integrate the latest version of Siebel with BIP.
    Their advice to me was to downgrade to BIP 10G for the time being.
