Multiple AD External Identity Sources in ISE 1.2

First I guess is it possible to have multiple AD entries for External Identity Sources in ISE 1.2? When I display Active Directory (AD1) it displays my four ISE servers with a status of connected but I see nowhere to add anything additional. I did not originally set this up so figure I am missing something somewhere if this is possible. I thought maybe add under LDAP and then it would roll into AD or something but I have nothing listed under LDAP either.
What I am trying to do is figure out how to have ISE cover our two different domains. We have one big forest but currently that is split into two AD domains based upon our two divisions. I am trying to see if possibly I can simply get through the existing configuration to pull security groups from the other domain into the dictionary but so far that has proven not doable.
Brent

Saurav,
I was beginning to think that might be the solution. Now I just need to go through the release notes and make sure there are no issues with it running on ACS-2111 appliance. We are currently using this as the secondary Admin but knew we would have to move off something. I think management is hoping later than sooner especially since we are still in that initial roll out phase.
How does the system handle the fact that this is all centralized but I have users authenticating from the different time zones? I have been reading about everything pointing to the same NTP server but took that to simply be the servers in the ISE Cluster. Will this also impact all the switches and network devices involved in the authentication process?
Brent

Similar Messages

  • External Identity Sources, binding RSA securID to ISE

    Hi all,
    Say, my topology was using ISE doing VPN inline posture, and bind RSA securID (version 7.1) as external Identity Sources.
    During the deployment, in order to let my iPEP node join the Policy Service Node, for the certificate I using the third party CA server (Window server 2008 R2) as the root CA, both of these 2 ISE were mutual authenticated and done.
    My question. As I using RSA secureID as external identity sources, native behaviour, will the ISE trust RSA with no identity certificate signed by the identical root CA?
    Should I enroll this RSA appliance issue the CSR to CA server to sign and in the PKI environment? Is there a need for this?
    Thanks
    Noel

    Noel,
    From my experience when integrating with the RSA token server you need the sdconf.rec file exported from the RSA and you import that into the ISE configuration. You then select this identity store with your authentication policies for vpn users. There isn't a need for any certificates when integrating with a token server (that was the last time I checked) and even if there would just need to trust each other's certificates.
    I hope that helps!

  • ISE Admin Access Authentication against multiple AD/LDAP Identity Sources

    Hi all!
    We would like to grant admin access to our ISE deployment to users stored in multiple Active Directories. Since there is no trust relationship between these ADs, we created an LDAP Identity Source for each AD and also an Identity Source Sequence but in the UI we can only select one Identity Source.
    Any ideas how to solve this problem?
    Thanks in advance!
    Kind regards,
    Michael Langerreiter

    I did check in my lab and yes for admin access we can't select identity store sequence in authentication. We can only pick one external database. However, on the login page you may select the appropriate database before you enter the username and password.
    Jatin Katyal
    - Do rate helpful posts -

  • ISE - External Identity Source (AD Groups)

    Assume there are no groups populated in this bucket (Identity Management -> Active Directory -> Groups). Does ISE just check if the user is in AD and allows them on? I have clients authenticating that aren't part of the single group I added to this bucket.
    This is why I ask ..

    Yes, you understood it right. Let me add little more explanation.
    Group retrieval for authorization
    You can use the AD group data in the  authorization and group mapping tables and introduce special conditions  to match them against the retrieved groups.
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.4/user/guide/users_id_stores.html#wp1170416
    Once you've selected the groups under
    Users and Identity Stores >
    External Identity Stores >
    Active Directory > directory groups
    The same groups will start appearing under below listed screen shot. From there you will see 2 options any / all like or / and condition. Based on user membership the authorization role can be assigned.
    ~BR
    Jatin Katyal
    **Do rate helpful posts**

  • ISE and no External Identity Source

    I have this particular case in which I need to make authentications for users in ISE without Active Directory/LDAP etc.
    I would like to have some kind of MAC to USER binding where the user would not be able to add more devices to the network. I know the eap chaining using anyconnect is a way of achieving this but then again I can only see it using AD or some kind of external database. Also printers, wireless and phones are in the map. I tried using MAB and CWA for this but do not want to have the users be able to self register their devices as if they were guests.
    EAP chaining without AD??? Possible?
    Any hope?
    Thank you 

    Someone else can chime in here but I don't think it is possible to perform EAP-Chaining with the internal database of ISE. With that being said, feel free to read the EAP-TEAP IETF doc :)
    http://tools.ietf.org/html/draft-ietf-emu-eap-tunnel-method-01

  • Identity Service Engine (ISE) Admin Access

    Is it possible to authenticate the ISE administrator via an external Radius Server? The option I find is that it will not work, 
    The manual reads: 
    In Cisco ISE, you can authenticate administrators via an external identity store such as Active Directory, LDAP, or RSA SecureID. There are two models you can use to provide authentication via an external identity store:
    Is this the case ?

    Sure you can!
    Make sure you have the RADIUS server added to the ISE (Administration > Identity Management > External Identity Sources  Select RADIUS Token from the left menu).
    Then head over to Administration > System > Admin Access.  Change the * Identity Source to your RADIUS Server and click Save
    Log out and you will see an new entry on the log in screen.  Click the dropdown for Identity Source and choose your RADIUS Server.  If this connection gets dropped for any reason, you can always log in using the internal identity source as a fallback.
    Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.  Otherwise, feel free to post follow-up questions.
    Charles Moreton

  • Is LDAP or AD as a external identity store recommended in ISE implementation for machine authentication

    Hi Experts,
    I have question about External identity store integration in ISE . I had chance to go through the cisco doc for ISE configuration especially for external identity store .
    there are two ways to configure external identity store.
    1) AD
    2) LDAP
    Which one is actually recommended? Technically which one would be convenient to configure to set-up machine authentication? Do we have any limitation in terms of functionality in either of one?

    Hi Leo,
    It's not a duplicate post, I have created one more post where you have linked that is for client policy enforcement. I want to understand how certificates will be pushed to client.
    This post is to understand the LDAP & AD integration with ISE.
    I have requirement where client is asking to integrate machine database using LDAP.
    I am quite new for LDAP integration that is the reason I have created this discussion.

  • Create a cache for external map source - Error in parsing xml request.

    When doing the following:
    Create a cache for external map source
    I get "error in parsing xml request" when setting the following
    Map service Url:
    http://neowms.sci.gsfc.nasa.gov/wms/wms?version=1.3.0&service=WMS&request=GetCapabilities
    It looks like it is breaking on "&". Any suggestions?
    Rob

    Hi Chris,
    thanks for your reply!
    I've tried to add the following into persistence.xml (although I've read that eclipseLink uses L2 cache by default..):
    <shared-cache-mode>ALL</shared-cache-mode>
    Then I replaced the Cache bean with a stateless bean which has methods like
    Genre findGenreCreateIfAbsent(String genreName){
        Genre genre = genreDAO.findByName(genreName);
        if (genre!=null){
            return genre;
        }
        genre = //Build new genre object
        genreDAO.persist(genre);
        return genre;
    }
    As far as I understood, the shared cache should automatically store the genre and avoid querying the DB multiple times for the same genre, but unfortunately this is not the case: if I use a FINE logging level, I see really a lot of SELECT queries, which I didn't see with my "home made" Cache...
    I am really confused.. :(
    Thanks again for helping + bye

  • Can you include an external data source in query condition?

    Hi all,
    I have a user that wants to run a report off a subset keys in an external data source. Is this possible in Disco Plus?
    For example, he has an Excel file that is just a list of employee numbers. He then wants his Disco query to only bring back the employee records for the people listed in the Excel file. Right now, he uses Cognos and can do this. A visual representation of this would be a condition that would accomplish something like this:
    WHERE EMPLOYEE_NUMBER IN (Excel row 1, Excel row 2, Excel row 3, ...)
    We do not want to have to load the data into a table each time to accomplish this, but no other way readily jumps out at me. Anyone have any ideas?
    Thanks in advance,
    Jewell

    Jewell.
    Given the situation you describe, I don't know of any 'reasonable' way to do this either the GUI in Desktop or the interface in Plus.
    However - and just for the grins - there may be a possibility if done through the command line interface of Desktop. I truly doubt you'll want to do it - given the limitations - but ...
    ... in the command line interface you can put in the switch for /parameter such as: /parameter today trunc(SYSDATE), which means that your report is looking for a parameter called 'today' and you're putting in the data to put in the parameter 'trunc(SYSDATE)'.
    So, you could either build the command line with a batchy-kinda-process in that via batch it reads a file as input and puts parameters, or hard code it manually (which no one would want to do). Problem is, if you have multiple values, I don't think it'd work as you're saying something like:
    /parameter today (SYSDATE,SYSDATE-1,SYSDATE+1) - which I doubt would work as it probably only wants one value
    or if you had:
    /parameter today SYSDATE /parameter today SYSDATE-1 /parameter today SYSDATE+1
    it also might choke.
    Alternatively, you could investigate using Plus with the Java command line utility and see if it's possible to do a similar thing via Java.
    ... so long answer to a short question ... (my specialty) 8-)
    Russ

  • Configure external synchronization source on ASR 903

    Hi,
    we want to use external synchronization source ( 2MHZ) connected to BITS port on ASR 903.
    this is our configuration, is it complete?
    network-clock revertive 
    network-clock synchronization automatic
    network-clock synchronization mode QL-enabled
    network-clock hold-off 500 global
    network-clock input-source 4 External R1 2m
    network-clock input-source 3 External R0 2m
    network-clock wait-to-restore 120 global
    esmc process
    regards,
    Fouad Jabri

    Hi CPMTECH,
    To configure the Windows Time Service on first forest root domain controller
    Log on to the domain controller.
    Type the following command to display the time difference between the local computer and a target computer, and then press ENTER:
    w32tm /stripchart /computer:target /samples:1 /dataonly
    Where target specifies the DNS name or IP address of the NTP server that you are comparing the local computer's time against, such as time.windows.com and 1 specifies the number of time samples that will be returned from the target computer. In this example, only one sample will be returned to test basic NTP communication.
    Open UDP port 123 for outgoing traffic if needed.
    Open UDP port 123 (or a different port you have selected) for incoming NTP traffic.
    Type the following command to configure the PDC emulator and then press ENTER:
    w32tm /config /manualpeerlist:peers /syncfromflags:manual /reliable:yes /update
    Peers specifies the list of DNS names and/or IP addresses of the NTP time source that the PDC emulator synchronizes from. For example, you can specify time.windows.com. When specifying multiple peers, use a space as the delimiter and enclose them in quotation marks.
    http://technet.microsoft.com/en-us/library/cc784929(WS.10).aspx
    Skip step 2 complete step 5 first then step 2.
    Checkout if this work.
    Hope you find the info useful

  • Unable to add external data source in BAM : Error ORA-12505

    Hi,
    In BAM,
    I'm trying to add an external data source for creating a data object.
    But when I try to test the connection I get the following error:
    Listener refused the connection with the following error: ORA-12505, TNS:listener does not currently know of SID given in connect descriptor
    Source: "java.sql.SQLException: Listener refused the connection with the following error: ORA-12505, TNS:listener does not currently know of SID given in connect descriptor "
    Listener refused the connection with the following error: ORA-12505, TNS:listener does not currently know of SID given in connect descriptor
    Source: "oracle.net.ns.NetException: Listener refused the connection with the following error: ORA-12505, TNS:listener does not currently know of SID given in connect descriptor "
    As mentioned in another post (Listener does not currently know of SID given in connection descriptor)
    I tried
    lsnrctl stop.
    delete listener.ora
    lsnrctl start
    lsnrctl reload
    But still get the same error;
    I'm able to access the database with the specified username and password using sqlplus.
    Your help will be appreciated.
    Regards
    Vignesh Ramanathan

    For #5, not Windows, ConfigMgr 2012 R2. Anything before ConfigMgr 2012 R2 is not supported for the 8.1 ADK.
    For the permissions, what accounts are you setting this for. In general, if the share is on the same server, Everyone Full or Read on the Share and System Full or Read on the NTFS should work.
    For the error message, it looks like you are trying to import an OS Image and not an OS Install Package. OS images use a WIM file and OS Install Packages use the entire set of source files from the media. For OS images, you must thus explicitly point it to a specific WIM file.
    Jason | http://blog.configmgrftw.com

  • Batch code for running a find/replace all on multiple files within a source floder/directory

    What I need is a Batch source code that will open all files in a folder/directory and run a find and replace_all query within them and then save all the files.  The files were created in Illustrator and saved using the Scene7 FXG format extension.    These files will be uploaded into Scene7 as a group after the find and replace macro/query is run on the code.  The same find and replace query will be the same for all the files.  Basically this function or batch process  will save time in setting the same parameters all at one time instead of having to set the parameters individually in scene7.
    a source code sample of the find/replace module macro might be
        searchString: s7:colorvalue="#FFFFFFFF"
        replaceString: s7:colorValue="#&txtclr;"
        searchWhat "FXG document"
        searchSource: true,
        useRegularExpressions: true
    I have no problems creating batch files within Ai and PhotoShop but I have limited programming skills in how to create source code for manipulating documents outside of those apps or in an OS environment.
    I could probably come up with a simple program to do what I want for one document but I get lost when dealing with multiple documents in a source folder (problem is, I will be dealing with thousands of documents not 100 or less)
    If anything which Adobe cloud app would work best: Dreamweaver or Edge code (or just use my notepad)

  • Excel SSAS Tabular error: An error occurred during an attempt to establish a connection to the external data source

    Hello there,
    I have an Excel report I created which works perfectly fine on my dev environment, but fails on my test environment when I try to do a data refresh.
    The key difference between both dev and test environments is that in dev, everything is installed in one server:
    SharePoint 2013
    SQL 2012: Database Instance, SSAS Instance, SSRS for SharePoint, SSAS POWERPIVOT instance (Powerpivot for SharePoint).
    In my test and production environments, the architecture is different:
    SQL DB Servers in High Availability (irrelevant for this report since it is connecting to the tabular model, just FYI)
    SQL SSAS Tabular server (contains a tabular model that processes data from the SQL DBs).
    2x SharePoint Application Servers (we installed both SSRS and PowerPivot for SharePoint on these servers)
    2x SharePoint FrontEnd Servers (contain the SSRS and PowerPivot add-ins).
    Now in dev, test and production, I can run PowerPivot reports that have been created in SharePoint without any issues. Those reports can access the SSAS Tabular model without any issues, and perform data refresh and OLAP functions (slicing, dicing, etc).
    The problem is with Excel reports (i.e. .xlsx files) uploaded to SharePoint. While I can open them, I am having a hard time performing a data refresh. The error I get is:
    "An error occurred during an attempt to establish a connection to the external data source [...]"
    I ran SQL Profiler on my SSAS Server where the Tabular instance is and I noticed that every time I try to perform a data refresh, I get the following entries:
    Every time I try to perform a data refresh, two entries under the user name ANONYMOUS LOGON.
    Since things work without any issues on my single-server dev environment, I tried running SQL Server Profiler there as well to see what I get.
    As you can see from the above, in the dev environment the query runs without any issues and the user name logged is in fact my username from the dev environment domain. I also have a separated user for the test domain, and another for the production domain.
    Now upon some preliminary investigation I believe this has something to do with the data connection settings in Excel and the usage (or no usage) of secure store. This is what I can vouch for so far:
    Library containing reports is configured as trusted in SharePoint Central Admin.
    Library containing data connections is configured as trusted in SharePoint Central Admin.
    The Data Provider referenced in the Excel report (MSOLAP.5) is configured as trusted in SharePoint Central Admin.
    In the Excel report, the Excel Services authentication settings is set as "use authenticated user's account". This works fine in the DEV environment.
    Concerning SecureStore, PowerPivot Configurator has configured it the PowerPivotUnnattendedAccount application ID in all the environments. There is NO configuration of an Application ID for Excel Services in any of the environments (Dev, test or production). Although I reckon this is where the solution lies, I am not 100% sure as to why it fails in test and prod. But as I read what I am writing, I reckon this is because of the authentication "hops" through servers. Am I right in my assumption?
    Could someone please advise what am I doing wrong in this case? If it is the fact that I am missing an Secure Store entry for Excel Services, I am wondering if someone could advise me on how to set it up? My confusion is around the "Target Application Type" setting.
    Thank you for your time.
    Regards,
    P.

    Hi Rameshwar,
    PowerPivot workbooks contain embedded data connections. To support workbook interaction through slicers and filters, Excel Services must be configured to allow external data access through embedded connection information. External data access is required for retrieving PowerPivot data that is loaded on PowerPivot servers in the farm. Please refer to the steps below to solve this issue:
    In Central Administration, in Application Management, click Manage service applications.
    Click Excel Services Application.
    Click Trusted File Location.
    Click http:// or the location you want to configure.
    In External Data, in Allow External Data, click Trusted data connection libraries and embedded.
    Click OK.
    For more information, please see:
    Create a trusted location for PowerPivot sites in Central Administration:
    http://msdn.microsoft.com/en-us/library/ee637428.aspx
    Another reason is Excel Services returns this error when you query PowerPivot data in an Excel workbook that is published to SharePoint, and the SharePoint environment does not have a PowerPivot for SharePoint server, or the SQL Server Analysis Services (PowerPivot) service is stopped. Please check this document:
    http://technet.microsoft.com/en-us/library/ff487858(v=sql.110).aspx
    Finally, here is a good article regarding how to troubleshoot PowerPivot data refresh for your reference. Please see:
    Troubleshooting PowerPivot Data Refresh:
    http://social.technet.microsoft.com/wiki/contents/articles/3870.troubleshooting-powerpivot-data-refresh.aspx
    Hope this helps.
    Elvis Long
    TechNet Community Support

  • Sharepoint 2013 Excel External Data Source Refresh Issue

    I have been facing this issue for quite some time now.. i have created an Excel sheet in Excel-13 and have imported data from an external data source [SQL server 2012]. 
    Everything is working fine, with the excel sheet on the desktop. Data refreshes, every-time i open the excel file and also at regular intervals that i have configured in the data source properties.
    The problem begins when i save that excel sheet on my sharepoint server. the issues that i am facing are :
    1. Changes made into the original data source, are not reflected immediately inside the excel sheet inside the browser. after 5-10 minutes, it reflects the changes..
    2. The data doesn't refresh automatically. After I update my data inside the sql server table, I have to manually trigger the refresh of the data connection when viewing the excel sheet inside the browser, even though I have marked "Refresh when opening the file", and refresh every 1 minute inside the excel sheet. Any solutions ??
    I have been troubled a lot by this issue, and seek for some quick solution.. Any help here ??

    I found the solution finally, myself ..
    Issue - 1 : It's going to take at least 5 minutes to refresh the data connection, that is generally not a big time span.
    Issue - 2 :
    --> Set your connection to refresh every time the file is opened. Go to internet explorer -> file -> internet options -> general -> Browsing History -> Settings -> Check for newer versions of stored pages... Check 'Every time I visit the webpage'.
    Now every time I update your original data source, wait for 5-10 minutes and refresh my web page containing the excel sheet.. The contents of the excel sheet are updated as desired..

  • Is there a MagSafe 2 compatible portable external power source for the retina display MacBook Pro?

    I’m using a retina display MacBook Pro with the MagSafe 2 connection.   I would like to have a portable external power source to extend the use of my laptop on long field trips where I am away from power sources. Swapping batteries is not an option for this generation of MacBook Pros.  There seem to be many options for PC’s and even iPhones/iPads/iPods but the MagSafe 2 connection seems to be the issue.  I saw one link that suggested buying an Apple MagSafe 2 power adapter and performing surgery on the power cord (using components provided by the vendor) so that the adapter would run on their back up battery.  I was hoping for a more esthetically pleasing solution. Any suggestions?  Does this product exist and I just missed it? Clearly, if a MagSafe(1) compatible external battery existed I could adapt that using the MagSafe to MagSafe 2 converter.

    Sparon,
    I wouldn’t recommend using an underpowered AC adapter with your MacBook Pro. It sounds as though the best solution would be to get a different laptop bag with a sufficiently large side pocket.
