Static Identity Group Assignment

Does anyone know a way to bring in an endpoint with the following attributes?
Endpoint Policy Name: Static = True
Static Group Assignment: Static = True
The 1.2 manual says:
If the file used for import contains endpoints that have their MAC addresses, and their assigned endpoint profiling policy is the static assignment, then they are not re-profiled during import. 
To change a dynamic assignment of an endpoint identity group to static, check the Static Group Assignment check box. If the check box is not checked, then the endpoint identity group is dynamic as assigned by the profiler based on policy configuration.
Statically Profiled Endpoints
An endpoint can be profiled statically when you create an endpoint with its MAC address and associate a profile to it along with an endpoint identity group in Cisco ISE. Cisco ISE does not reassign the profiling policy and the identity group for statically assigned endpoints.
A) Does anyone know a way to import from an LDAP database and maintain Static Group Assignment = True?
I successfully do an LDAP import of the MAC and Endpoint Group (which comes in as True), but for the Static Group Assignment the Endpoint Group Assignment is correct while static is false (unchecked). I don't want these profiling any more. These are thousands of endpoints and I do not see any way to do a bulk change. I have tried exporting and re-importing, but that doesn't really scale.
B) Would creating an endpoint group that is not part of the Profiled endpoint group change the behavior I see above when I do my LDAP import?
If there were a way to do a bulk selection and change the static property or the Static Group Assignment, that would be of huge benefit. The changes apply to the fields selected within the endpoints while maintaining the MAC property of the endpoint.
Thanks in advance for any suggestions.
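An added example (not from the original post) of turning an LDAP export into an ISE endpoint import file that sets both static flags on every row, so the bulk change happens in the file rather than endpoint by endpoint. The column headings MACAddress, EndPointPolicy, IdentityGroup, StaticAssignment and StaticGroupAssignment are assumed; check them against a template generated by your own ISE version, and the LDAP entries, group names and policy names below are constructed.

```python
import csv
import io
import re

# Constructed sample of an LDAP export (LDIF-style): one entry per device.
LDAP_EXPORT = """\
dn: cn=ws-01,ou=devices,dc=example,dc=com
macAddress: 00:11:22:33:44:55
deviceGroup: Workstations

dn: cn=phone-07,ou=devices,dc=example,dc=com
macAddress: 0011.2233.4466
deviceGroup: IP-Phones

dn: cn=bad-entry,ou=devices,dc=example,dc=com
macAddress: not-a-mac
deviceGroup: Workstations
"""

# Assumed import template headings; verify against a template exported from ISE.
FIELDS = ["MACAddress", "EndPointPolicy", "IdentityGroup",
          "StaticAssignment", "StaticGroupAssignment"]


def normalize_mac(raw):
    """Return AA:BB:CC:DD:EE:FF for colon, dash, dot or bare hex forms, else None."""
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", raw)
    if len(hexdigits) != 12:
        return None
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2)).upper()


def parse_ldif(text):
    """Yield one dict of attribute -> value per blank-line-separated entry."""
    entry = {}
    for line in text.splitlines():
        if not line.strip():
            if entry:
                yield entry
            entry = {}
            continue
        key, _, value = line.partition(":")
        entry[key.strip()] = value.strip()
    if entry:
        yield entry


def build_import_rows(ldif_text, group_to_policy):
    """Map LDAP entries to import rows with both static flags forced to TRUE.
    group_to_policy maps an LDAP deviceGroup to (EndPointPolicy, IdentityGroup).
    Entries with an unparsable MAC or an unmapped group are reported instead of
    being written, so nothing slips into ISE as a dynamically profiled endpoint."""
    rows, rejected = [], []
    for entry in parse_ldif(ldif_text):
        mac = normalize_mac(entry.get("macAddress", ""))
        mapping = group_to_policy.get(entry.get("deviceGroup"))
        if mac is None or mapping is None:
            rejected.append(entry.get("dn", "?"))
            continue
        policy, group = mapping
        rows.append({"MACAddress": mac, "EndPointPolicy": policy,
                     "IdentityGroup": group, "StaticAssignment": "TRUE",
                     "StaticGroupAssignment": "TRUE"})
    return rows, rejected


def to_csv(rows):
    """Serialise rows in the assumed import-template column order."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()
```

Run `build_import_rows(LDAP_EXPORT, {...})` with your own group-to-policy mapping and review the rejected list before importing the CSV.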

James,
That is possible, but do you have the DHCP probe enabled, and have you thought about setting up an ip helper statement or assigning the ISE node as one of the DHCP servers on the WLC?
There is a built-in check such that if the DHCP class identifier contains MSFT, it will profile the endpoint as a Windows workstation.
However, if this is not the case, then you can create the following condition under Policy Elements > Conditions > Profiling > New Profiler Condition: use Create (Advanced...), then select NMAP > 135-tcp, then set the operator EQUAL to msrpc.
Then go under Microsoft-Workstation and select the option to create a matching identity group (it's much easier than using the hierarchy option) and set the certainty factor to 30. Then add this new condition and set its certainty to 30 also.
Hope that helps,
Thanks,
Tarik Admani
*Please rate helpful posts*

Similar Messages

  • ISE Identity Group Assignment

    I need to prevent a large set of devices from getting access to the Internet through the Wireless Guest Service. I have made some tests and know I can block a MAC address through the Policy Authorization (If Blacklist then DenyAccess).
    In order to blacklist a large set I would like to import the MAC list and include the Identity Group Assignment in the CSV. It appears this is not possible ... Is there an easy way to change the Identity Group Assignment instead of one by one?
    Regards.
    Daniel Escalante.

    Additional Information and Question:
    Currently my Authorization Policy has this:
    The result is that any user trying to access the Guest Service can see the Guest Portal and enter credentials; if they are valid, the AUP is displayed, and after that, if the device is in the Blacklist, service is denied and the Guest Portal is displayed again, but no message about the situation is shown to the user. I wonder if I can generate a message and even avoid the AUP if the device is in the blacklist.
    Any comment will be greatly appreciated.
    Regards.
    Daniel Escalante

  • ISE Endpoint Identity Group assignment for 802.1x clients

    Hello
    I'm using ISE 1.3 to 802.1x-authenticate AD PCs (machine and user with AnyConnect NAM) and to profile/MAB IP Phones, printers, APs etc.
    Phones are profiled (EndPointSource of SNMPQuery Probe) and are placed automatically in the correct Identity Group.
    AD PCs aren't profiled and are listed under Endpoints with the Endpoint Profile of "unknown".
    To place AD PCs into a particular Identity Group, I created a RADIUS Profiling Policy to match on the Framed-IP-Address. This works well, with the AD PC appearing in the correct Identity Group (with EndPointSource of RADIUS Probe).
    My questions are:
    A phone (profiled with EndPointSource of SNMPQuery Probe) consumes a Plus licence but an AD PC ("profiled" with EndPointSource of RADIUS Probe) does not - is this correct?
    Authenticated 802.1x AD PCs have other attributes (like AD-Host-Resolved-DNs) that I'd like to use to assign PCs to an Identity Group. I can't use these attributes with any of the ISE profilers - is there a way to assign an 802.1x-authenticated client to an Identity Group at the authorisation stage rather than use the profiler?
    Thanks
    Andy

    Err, no. There is no provision in EAP-TLS, PEAP (CHAP), or even basic EAP to provide network information (e.g. IP address/mask/gateway/DNS/etc.).
    There is also no provision in the Windows 2k or XP interface management software to accept IP details for interface configuration via any wireless authentication protocol.
    peter

  • ISE 1.2 Multi-Portal Identity Group Mapping

    Hi,
    Quick question regarding the use of Multi-Portal on ISE 1.2: Is it possible to map a single portal to a certain identity group? e.g. I have a portal for guest users, to which only users in the "ACME_guests" identity group can authenticate. I have a separate Portal for employees, where only users of the "ACME_employees" group can authenticate.
    I know that I can specify a separate authentication sequence for each portal (e.g. internal, guests, AD), but I can't find a possibility to map a group to a certain portal. This has the consequence that e.g. guest users can log into the employee portal and get a successful authentication message. Of course I can further restrict the access in another policy rule, but this isn't a very neat solution.
    Anybody have any ideas? It seems so basic that it has to be possible somehow?!
    Regards

    You can redirect users so they "stick" to one portal once they have successfully authenticated. There is a document regarding device registration web authentication. Basically, after a user connects successfully you can redirect them to an AUP specially designed to statically assign users to a specific endpoint identity group.
    In the end, if a user logs into portal A they hit the DRW and accept; ISE puts them into an endpoint group called PortalA, and you can then tie this into a policy where the PortalA endpoint is denied association to any other open SSID in your design.
    Here is the document -
    https://supportforums.cisco.com/docs/DOC-26667
    Tarik Admani
    *Please rate helpful posts*

  • ACS 5.3 Authorization problem with using Identity Groups in Access Policy Rule

    Hello guys, I have found a problem which I can't solve regarding authorization using Identity Groups in an Access Policy rule.
    ACS version: 5.3.0.40.6 (internal build B.839)
    I have a very simple RADIUS Authorization rule which authorizes a user on the basis of the right Identity Group.
    The requested Identity Group exists.
    The testing user is created in Internal Users and has the requested Identity Group assigned.
    Radius Access Policy: 
    Authentication against Identity Store Sequence, where authorization server is external RSA SecurID device and additional attributes retrieval is configured from Internal Users.
    Authorization is very simple – One Rule with only one Condition which is: Identity Group - in - Requested_Testing_Rule. Then Default rule is set to Deny.
    When I try to log in with my testing user, authentication against RSA SecurID is OK, but authorization is denied by the Default rule – it looks like my rule with Identity Group is totally omitted.
    I am managing several other ACS servers (version 5.3 but with older patches) where similar rules are working without problem.
    What I have tested:
    Remove testing user and create his account again.
    Rename Identity Group
    Use another Identity Group
    Remove Access Policy rule and create it again
    Use Compound Condition: System:Identity Group
    Use Compound Condition: System:UserID instead of Identity Group in Rule (it is working without problem)
    Do you have any idea where the problem can be?

    OK guys, it started working yesterday without any configuration change. Maybe it was some database inconsistency which was solved by ACS itself.

  • ISE 1.3 Identity Group

    Hello,
    in the old ISE 1.2 my guest users (created by the sponsor portal) were put into an identity group I created called RU2_id_grp.
    How can I achieve this on ISE 1.3? In ISE 1.3 the users always fall into the GuestType_Group which was created by ISE.
    I need the separate groups for my authorization policy.
    Regards
    filip

    OK, then DESELECT the option above and do this:
    Navigate to Guest Access > Settings > Guest Locations and SSIDs. Enter the locations to which your sponsors will assign guests:
    Remember to Save.
    Now to Guest Access > Configure > Sponsor Groups.  Click Create:
    Once you place your cursor in the text box for Select the locations that guests will be visiting, you will see the locations you created in the last step.
    Now assign the User Group to be associated with this Sponsor Group by clicking the Members... button:
    Click OK, then Save.
    This should do it for you.
    Please rate helpful posts and mark this question as answered if, in fact, this does answer your question. Otherwise, feel free to post follow-up questions.
    Charles Moreton

  • AuthZ Policy using specific Endpoint Identity Groups

    I am trying to create an AuthZ policy that will identify whether a device is in a specific Endpoint Identity Group. See policy below.
    I used the IdentityGroup:Name attribute Equals the Identity Group MAB_Devices. Please note that there are NO Identity groups listed in the dropdown options, so I typed in the name. Alas, the rule is not working. Anyone have advice on what I am doing wrong? Thx

    Bransomar, your screenshot is an Authentication policy rule, but you should do it in the Authorization policy. The Authentication policy sorts out requests by request method and origin and assigns an identity store to each.

  • Effective start and end dates for roles/group assignment

    Hi,
    Does Access Manager (in legacy or realm) mode support effective start date/end date on a role/group assignment on a user?
    Thanks,
    Srinivas

    Hi Ankush,
    I am also of the same opinion. Start and end dates can probably be enforced by a policy condition in AM but would lead to proliferation of policies as we would end up creating policies per role entitlement duration for a user.
    Any thoughts on whether the sunrise/sunset concept of Identity Manager can be used for this requirement.
    Thanks,
    Srinivas

  • Static record group and lov problem

    hi all,
    1) I created a form module.
    2) Created a basic datablock based on empno and ename from the emp table.
    3) Created a static record group, where I specified the column name as col1 and provided the values 1, 2, 3, 4, 5 etc.
    4) Created an LOV and assigned the above record group to the LOV.
    5) Then assigned the LOV to the emp.empno item in the datablock emp.
    When I run the form I get the "list of values" message on the console (bottom end of the window),
    but I am not able to see the LOV when I press Ctrl+L or open it from the Edit menu command.
    What could the problem be?
    ta
    s

    Dear,
    Maybe you haven't set the LOV's "Column Mapping Properties". After setting the properties correctly you will be able to display the LOV.
    Thanks.

  • Deprovisioning AD Group Assignment fails when setting MX_INACTIVE

    Hi,
    IdM 7.1 SP5 Patch Level 2
    We have an Identity which has some AD Group privileges assigned to it via a role. So these privileges exist as MX_AUTOPRIVILEGE attributes on the identity.
    If we remove the role, the privileges are removed and the SAP provisioning framework task DeprovisionADSGroupAssignment works ok.
    If we set MX_INACTIVE, de-provisioning is triggered for each repository but the task DeprovisionADSGroupAssignment fails because it cannot determine the DN for the AD groups from the privilege master records.
    My analysis so far has deduced the following:
    The SAP provisioning framework task DeprovisionADSGroupAssignment uses a javascript sap_getGroupDN to determine the DN value for the ad group. It uses the audit record's UserId field to determine which old_id to read from the MXIV_OENTRIES table. The audit record UserId has the format: e.g. #15:DELETE;0;205081 i.e. attribute 15 on our system is (MX_AUTOPRIVILEGE), the operation is DELETE, the checksum is 0 and the OldValuesId is 205081.
    From there the script uses the mskey of the privilege to look up the DN<repository name> attribute on the privilege master. This DN is then used in the To LDAP pass to remove the identity from the AD group.
    So unless you actually remove the privileges from the identity, the values don't exist in the MXIV_OENTRIES table and therefore, the script cannot find the mskey for the privilege and therefore cannot get the DN.
    Does anyone know if setting MX_INACTIVE is supposed to remove roles and privileges before triggering de-provisioning or how this is designed to work?
    Has anyone else de-provisioned AD accounts and groups by just setting MX_INACTIVE?
    Edited by: Paul Abrahamson on Dec 3, 2010 5:54 PM

    We've now set up a scheduled job to pick up all users which should be made inactive on a given day and this job first removes roles and privileges (triggering de-provisioning of AD groups because the privileges are removed) and then after a while sets the MX_INACTIVE attribute.
    Incidentally I also found this [SAP Note 1540835 - LDAP group assignment fails due to ambiguous bchecksum |https://service.sap.com/sap/support/notes/1540835] which 'corrects' some logic in the sap_getGroupDN global script - it now uses context variables instead of reading the MXIV_OENTRIES table etc...

  • ISE 1.2: Remove unused Sponsor Group and Identity Group

    Hi
    I started with ISE 1.1.2 and have now upgraded to 1.2.
    There are 1. Sponsor Groups and 2. Identity Groups which are no longer in use, but I am not able to remove them anymore.
    1. One is a special Sponsor group whose sponsor group policy I already removed. When I go to Administration > Web Portal Management > Sponsor Groups, select the appropriate group and click Delete and OK to confirm, the following error is displayed:
    com.cisco.cpm.nsf.api.exceptions.NSFEntityDeleteFailed: java.rmi.RemoteException: Failed to execute the Query : DELETE_USERONAPP ORA-02292: integrity constraint (CEPM.EDF_GST_SPGRPID_SUB) violated - child record found ; nested exception is: java.sql.SQLIntegrityConstraintViolationException: ORA-02292: integrity constraint (CEPM.EDF_GST_SPGRPID_SUB) violated - child record found
    2. The same happens with one Identity Group. I do not have it active anymore, not in the authentication and not in the authorization policy. I go to Administration > Identity Management > Groups, select the group to remove, click "Delete selected" and confirm with OK, and the following error occurs:
    Cannot delete selected Identity Group(s) because there are resources which are mapped to these or its child identity group(s)
    Is there any reason for either of these issues?
    Many thanks

    Hi,
    Please open a service request with Cisco. These kinds of issues may happen when the dependencies are deleted from the UI, but there is a chance that some of the dependencies were not deleted completely and are not visible from the UI either. These kinds of issues can be resolved under Cisco guidance.
    Thanks,
    Naresh

  • ISE 1.2 - Match Policy Set based on endpoint identity group?

    Hello, I would like to create a condition that would force MAB'd clients to hit a certain policy set if their MAC address matches one in an endpoint identity group. Is this possible? I feel like a condition can be created using a combination of attributes, but I cannot seem to hit on it properly. Thanks.

    The cleanest way to do this would be to dedicate:
    1. (Wired) A test switch where all of your test devices are connecting. You can then build a policy set that matches against that NAS.
    2. (Wireless) A test SSID and/or a controller (virtual or 2504). You can then build a policy set that is dedicated to that SSID.
    Thank you for rating helpful posts!

  • The business system HRK_005 is not a business system in the group assigned

    Hi there,
    I have a problem. I want to transport a scenario from our Consolidation to our Prod system.
    In this scenario, XI and HR systems are included.
    On Consolidation Side:
    XIK_001
    HRK_005
    in Prod
    XIP_001
    HRP_001
    When I now export the whole scenario from our K system and want to import it into our P systems, the following error occurs:
    The business system HRK_005 is not a business system in the group assigned to production.
    I have no system HRK_005 in production. HRK_005 is in group Consolidation?!?
    Can someone help here?
    Thanks
    Bjoern

    Oops, I spoke with your key code, it bounced back.
    Well, I explained the standard way to export and import Integration Directory objects.
    K - Development System ( SLD_Dev)
    P - Production System (SLD _Prod)
    In K - SLD_Dev needs Group -- This is based on the Integration Server (IS) of the K / P XI server.
    IS (K) -- Group1 / IS (P) -- Group2 (All this in the SLD_Dev)
    Assign all BS of K to Group1
    Assign all BS of P to Group2
    For the BS of K specify the target transport as the Production BS (P).
    Now go to P (SLD_Prod) and create the BS the same as in K, as you have created in Group2
    Now export from K (Dev) to P (Prod)
    I am not able to view the link provided.
    Anyway, I have listed the standard way for transport; hope this helps
    Srini

  • How to create Static Record group in Oracle Forms??

    Dear All,
    I have the following values V1, V2 to be placed in my list item field during DML operations.
    I have an example to create the record group based on a table, whereas I have never tried static value creation.
    Could you please guide me how I can achieve this?
    Thanks ....
    Regards,
    Sunil.G

    Thanks Dhivya for your reply.
    Actually what happens is, when I use the same methodology as you mentioned, it asks me to set the Initial Value.
    Whereas in my application the user has to manually select one of the values, i.e. either V1 or V2, the first time.
    Moreover I have found the query:
    I have created a static record group RG_VERSIONS, i.e. a new record group with static values, with the column name "Version_label" given the column values "V1" and "V2", and then another column named "Version_value" with the column values "V1" and "V2".
    Then I used the below code in the WHEN-NEW-FORM-INSTANCE trigger:
    PROCEDURE p_when_new_form_instance
    IS
       l_rg_id    recordgroup;
       l_item_id  item;
    BEGIN
       -- Populate the list item from the static record group
       -- (the name passed to FIND_GROUP must match the record group defined in the form)
       l_rg_id := FIND_GROUP ('RG_VERSION');
       IF NOT ID_NULL (l_rg_id)
       THEN
          l_item_id := FIND_ITEM ('BLOCKNAME.COLUMN_NAME');
          POPULATE_LIST (l_item_id, l_rg_id);
       END IF;
    END p_when_new_form_instance;
    Then it was working fine.
    Thanks for your time.
    Regards,
    Sunil.G
    Edited by: Sunil G on Jun 27, 2010 6:00 AM

  • Report User (groups) assigned to Bundles

    Hi,
    I need a report of users or user groups assigned to Bundles. I can create a report of workstations assigned to Bundles, but the users are LDAP users, so they're not available in the user database of ZCM. Is there an option to report Bundles and their assigned LDAP users or user groups?
    Regards,
    Patrick

    petjez,
    It appears that in the past few days you have not received a response to your
    posting. That concerns us, and has triggered this automated reply.
    Has your problem been resolved? If not, you might try one of the following options:
    - Visit http://www.novell.com/support and search the knowledgebase and/or check all
    the other self support options and support programs available.
    - You could also try posting your message again. Make sure it is posted in the
    correct newsgroup. (http://forums.novell.com)
    Be sure to read the forum FAQ about what to expect in the way of responses:
    http://forums.novell.com/faq.php
    If this is a reply to a duplicate posting, please ignore and accept our apologies
    and rest assured we will issue a stern reprimand to our posting bot.
    Good luck!
    Your Novell Forums Team
    http://forums.novell.com
