Is it possible to map a promoter group in Cisco ISE to a group of users in Active Directory, using a RADIUS server?

Hello!!

We are working on a mapping between a Cisco ISE promoter group and a user group in Active Directory, but the customer wants the mapping done through a RADIUS server, to avoid ISE querying Active Directory directly.

I know it is possible to use a RADIUS server as an external identity source for ISE... but is it possible to use this RADIUS server to manage this sponsor group?

Thank you and best regards!

Hi Rodrigo,

The answer is no. There is no way to integrate the Sponsor portal config with a RADIUS server. Your DB options for Sponsor portal authentication:

AD
LDAP
ISE internal user DB


Tags: Cisco Security

Similar Questions

  • Why used to address changes Proxy stick of group policy for all users in Active Directory?

    We re-installed the Customer Site Proxy on a BDC service, we published all the strategies of Active Directory for the new DC IP address group however for many users in Internet Explorer LAN settings always keep coming back to the old address when adding in group policy, any ideas of what we missed?

    Hi MikeButterworth,

    Your question of Windows is more complex than what is generally answered in the Microsoft Answers forums. It is better suited for the IT Pro TechNet public. Please post your question in the TechNet forum.

    http://social.technet.Microsoft.com/forums/en/itproxpsp/threads

  • Multiple users Active Directory membership mapping group

    Hi all

    We got 4.2 ACS and two types of user access to our network:

    1_ We have some users in the 'CiscoAdmins' Active Directory group; the corresponding mapped Cisco ACS group is "switch Admins".

    2_ We also have some users in the 'VPN_Users' Active Directory group; the corresponding mapped Cisco ACS group is "VPN_Users".

    In the "Command mapping" page on Cisco ACS 4.2, we put the 'CiscoAdmins' Active Directory group mapping above the 'VPN_Users' Active Directory group mapping. So what happens is, if a user belongs to both the "CiscoAdmins" and "VPN_Users" groups in Active Directory, the user always goes into the "Switch_Admins" group in Cisco ACS.

    However for some users (who belong to two groups in Active Directory), we need to apply some IP allocation and specific authorization.

    Suggestions are welcome.

    Thanks in advance.

    Dumlu

    Yes, ACS can check the user's group membership, determine whether the user is a member of several groups, and then map the corresponding ACS group. A little additional material on ACS group mapping:

    http://www.Cisco.com/en/us/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/GrpMap.html#wp940538#wp940538

    -

    Note: Please rate the answer if it helped

  • Assign the radius server to specific groups of VPN 3000

    Last week, I assigned a test Cisco ACS server to be used for authentication and device of accounting for a specific group on a Cisco VPN concentrator 3060. When I looked at ACS, it appears that not only the Group was to go there but others through this way and using the default values on the Cisco Secure ACS. Is it possible that I can make sure only the traffic assigned to this specific group of VPN using the ACS server defined?

    Thank you

    Hello

    Not sure about your implementation. But you must configure the group for this specific ad group map can only authentication.

    In the external group map db, map

    Group ACS VPN ---> with <---- AD VPN

    Any other combination should point to any access group.

    Kind regards

    ~ JG

    Note the useful messages

  • Cisco ISE 1.2 and the ad group

    Hello

    I have Cisco ISE installed on my ESXi server for my test pilot. I added several AD groups to ISE as well.

    I created a condition of authorization policy, that is WIRELESS_DOT1X_USERS (see screenshot)
    Basically, I just replicate the default Wireless_802.1X and added Network Access: EapAuthentication, Equals, EAP - TLS.

    My problem is, I have been unable to join the wireless network if I add my AD group to the authorization policy (see screenshot). The user is a member of WLAN USERS. If I remove the group from the authorization policy, the user is able to join the wireless network.

    I have attached a screenshot of the ISE logs as well. I checked the ISE, AD/NPS, WLC and laptop time and date, and they are all in sync.

    I also have the WLC added as an NPS client on my network.

    I checked the AD log and found that it was the WLC's local management user trying to authenticate. It is supposed to be my wireless user's credentials, not the WLC's.

    This is the log I received from the AD/NPS:

    Access denied to user network policy server.

    Contact the server administrator to strategy network for more information.

    User:

    Security ID: NULL SID

    Account name: admin

    Domain account: AAENG

    Account name: AAENG\admin

    Client computer:

    Security ID: NULL SID

    Account name: -.

    Full account name: -.

    OS version: -.

    Called Station identifier: -.

    Calling the Station identifier: -.

    NAS:

    NAS IPv4 address: 172.28.255.42

    NAS IPv6 address: -.

    NAS identifier: RK3W5508-01

    NAS Port Type: -.

    NAS Port:                              -

    RADIUS client:

    Friendly name of client: RK3W5508-01

    The client IP address: 172.28.255.42

    Information about authentication:

    Connection request policy name: Windows authentication for all users use

    The network policy name: -.

    Authentication provider: Windows

    Authentication server: WIN - RSTMIMB7F45.aaeng.local

    Authentication type: PAP

    EAP Type:                              -

    Identifier for account: -.

    Results of logging: Accounting Information was written in the local log file.

    Reason code: 16

    Reason: Authentication failed due to incompatibility of user credentials. The provided username is not mapped to an existing user account or the password is incorrect.

    Hello

    The problem is with the name ISE is choosing to search AD with. If you look in the ISE logs, you'll see the username that ISE uses (firstname, lastname) to search AD.

    In your certificate template, see what attribute contains the AD name (possibly the DNS name or email or the name of principle of RFC 822 NT), go to your certificate authentication profile and use this attribute for the user name.

    Thank you

    Tarik Admani
    * Please note the useful messages *.
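The NPS event quoted in the question above can be triaged mechanically. The following Python is an added example, not part of the original thread: it parses a constructed subset of that event text (same field labels as the post) and lists why the denial is not a failed EAP-TLS client logon. The `expected_auth` and `device_admins` parameters are assumptions made for the example.

```python
"""Triage of an NPS 'access denied' event like the one quoted above."""

# Constructed sample: a subset of the event text from the post, same labels.
SAMPLE_EVENT = """\
User:
Account name: admin
Domain account: AAENG
NAS:
NAS IPv4 address: 172.28.255.42
NAS identifier: RK3W5508-01
Information about authentication:
Authentication type: PAP
EAP Type:                              -
Reason code: 16
"""

EMPTY = {"-", "-."}  # placeholders the event uses for "no value"


def parse_event(text):
    """Return {section: {field: value or None}}; keys are lower-cased."""
    event, section = {}, "header"
    for raw in text.splitlines():
        field, sep, value = raw.strip().partition(":")
        if not sep:
            continue  # blank line or free text without a field label
        field, value = field.strip().lower(), value.strip()
        if not value:
            section = field  # a bare "User:" line opens a new section
            event.setdefault(section, {})
        else:
            event.setdefault(section, {})[field] = None if value in EMPTY else value
    return event


def triage(event, expected_auth="EAP", device_admins=("admin",)):
    """List reasons this denial is not a failed 802.1X client logon.

    expected_auth and device_admins are assumptions for this example:
    the method the wireless policy requires and the management accounts
    defined on the NAS.
    """
    auth = event.get("information about authentication", {})
    user = event.get("user", {})
    nas = event.get("nas", {}).get("nas identifier", "unknown NAS")
    findings = []
    auth_type = auth.get("authentication type")
    if auth_type and auth_type.upper() != expected_auth.upper():
        findings.append(f"{nas}: request used {auth_type}, policy expects {expected_auth}")
    if expected_auth.upper() == "EAP" and auth.get("eap type") is None:
        findings.append(f"{nas}: no EAP type recorded for this request")
    account = user.get("account name")
    if account and account.lower() in device_admins:
        findings.append(f"{nas}: account '{account}' is a device management login")
    return findings
```

Calling `triage(parse_event(SAMPLE_EVENT))` returns three findings for the sample, which matches the poster's observation that the rejected request came from the WLC's management user rather than from the wireless client.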

  • Portal administrators from Active Directory groups

    I want to add additional users with the status of "admin", so that more people can use the "Admin Console". I want to do this using Active Directory groups.

    Can anyone say if this is possible and how?


    Maybe it's in the documentation, but I couldn't find it.

    For now, it is not possible to assign the Admin role to a group of users. However, you can promote individual users to the Administrator role. You can search for a user name and click on the user name to view the details of a user. On the left side, you will see a role (s) and the 'User' text is clickable. When you click on that text you will be able to change the role.

  • Strategy of Kerberos WinServer2008r2 Active Directory group

    Hi all

    Need help bad in this. I'm trying to implement kerberos on my active directory. What I understand is kerberos is the default and the primary authentication protocol used when connected to a domain, but where and how do I configure kerberos settings in group policy? I managed to find configurations of kerberos in the "Local Group Policy Editor", but this would not push configurations to my clients right?

    I want to disable NTLM authentication as well, and once again I can find the settings under local policies > security options, but they are all local policies, right? Is it possible to disable NTLM on my Active Directory and ensure that these settings are applied to both of my client computers?

    Thank you so much in advance!
    PS: Sorry if I got some of my facts wrong, I'm a student doing an internship and my understanding of Active Directory is not as strong.

    Server forums are more on the side the web site of Microsoft TechNet,
    This is where you find people who know.

    http://social.technet.Microsoft.com/forums/en-us/categories

  • user belongs to a domain and user does not belong to the local administrator or power users groups, or any custom group and the user is not part of the domain administrators group, but user show that it is admin

    WinXP
    user belongs to a domain and user does not belong to the local administrator or power users groups, or any custom group and the user is not part of the domain administrators group, but user show that it is admin

    I did a gpupdate/force and restart twice PC
    Yet, user indicate it is always admin when we right click on Start menu and see the possibility to open all users

    Hi elena_ad,

    Your question of Windows is more complex than what is generally answered in the Microsoft Answers forums. It is better suited for the public on the TechNet site. Please post your question in the below link:

    http://social.technet.Microsoft.com/forums/en/winserverManagement/threads

  • Create a group of users to ACS 3.3 - simple question

    Hello

    I have a simple question:

    How can I create a group of additional users at the ACS 3.3?

    I don't see the option to delete or create groups of users. Perhaps is it not possible?

    Thanks in advance

    All groups that you have already exist in the list of groups (0 to 499). To "create" a new group, just rename one of the unused existing groups and use.

    If you don't see the groups in your list, you must verify that you have access to see all these groups.

    Verifier check in the control of the Administration, select your admin user ID. In the second table below marked 'administrator', you will see the "available groups" and the editable section 'groups '. move the groups that you want to use available for editable.

    Present and then you should be able to see these groups in your drop-down list in the groups section.

  • Administrator rights to the ACS using Active Directory groups

    Good afternoon

    We must be able to use administrative accounts for our device ACS who reside in an Active Directory group, if possible.  If this is not possible, what other safer options would we be able to use (RADIUS authentication or authentication RSA 2)?

    Thanks in advance

    You can only use the locally stored accounts within the ACS.

  • Cisco Secure ACS groups 5.1 Active Directory and RSA Authentication Manager 7.1 for profiles


    Hello

    I'm deploying an ACS connected to an RSA AuthManager (that is connected to an Active Directory domain)

    I create several groups within the Active Directory server, I try to give to users for their groups different access rights.

    I tried to define an access policy "NetOp/NetAdm" and two authorization rules:

    Rule-1 AD - AD1:ExternalGroups contains all dir. INTRA/groups/NETOP 'Auth for net operators' 0

    Rule 2 AD - AD1:ExternalGroups contains all dir. INTRA/groups/NETADM 'Auth net admin' 0

    Default: refuse

    In the identity, I have configured the RSA identity source, so that users get authenticated by the RSA Authentication Manager.

    But I am still refused access. RSA authentication is successful, but the Active Directory group membership does not work, even with the unix attributes or group principal defined for the user.

    My question: is this a valid configuration scenario? Is there another way to define several profiles according to the user's group from an external source?

    The stages of monitoring:

    Measures

    Request for access received RADIUS 11001

    11017 RADIUS creates a new session

    Assess Service selection strategy

    15004 Matched rule

    Access to Selected 15012 - NetOp/NetAdm service policy

    Evaluate the politics of identity

    15004 Matched rule

    15013 selected identity Store - server RSA

    24500 Authenticating user on the server's RSA SecurID.

    24501 a session is established with the server's RSA SecurID.

    24506 check successful operation code

    24505 user authentication succeeded.

    24553 user record has been cached

    24502 with RSA SecurID Server session is closed

    Authentication 22037 spent

    22023 proceed to the recovery of the attribute

    24628 user cache not enabled in the configuration of the RADIUS identity token store.

    Identity sequence 22016 completed an iteration of the IDStores

    Evaluate the strategy of group mapping

    15006 set default mapping rule

    Authorization of emergency policy assessment

    15042 no rule has been balanced

    Evaluation of authorization policy

    15006 set default mapping rule

    15016 selected the authorization - DenyAccess profile

    15039 selected authorization profile is DenyAccess

    11003 returned RADIUS Access-Reject

    Thank you

    Christophe

    I think what you need to do is create an identity sequence with RSA selected in the Authentication and Attribute Retrieval Search List and AD in the Additional Attribute Retrieval Search List. Then select this sequence as the result of the identity policy for the service.

  • Active Directory groups can be put into service in the FDMEE places?

    Hi FDMEE experts:

    We are upgrading to HFM/FDMEE 11.1.2.4.    We would like to use only the Active Directory groups for our security in Shared Services.

    I did a lot of audit looking at whether we can use security location FDMEE ad groups.  So far, the only way I found to make the security location uses the native approach (settings / security settings / security location...) Security by location, click on keep usergroup to set up groups).    But it doesn't seem to be an option if you create groups such as native or ad groups (FDMEE them creates only natively).

    Does anyone know if it is possible in FDMEE to use security of the location ad groups?

    Thank you
    Mark Smith

    I discovered that it is more possible for FDMEE to create native groups for the security of the location.

    However, Active Directory groups can be added as members of native groups.   In this way, users should only be added to Active Directory groups.    The only maintenance is to add or remove Active Directory groups to or from the native groups of FDMEE.

  • We cannot draw power ratio cli for single user of VDI which is a member of VDI several groups in Active Directory?

    Hi all

    Is it possible to identify single user VDI which is a member of VDI several groups in Active Directory from power Cli script

    Thank you

    VM2014

    Oops, my mistake. Try this

    # Requires the ActiveDirectory module; lists users who are in more than one group matching 'app-view'
    Get-ADUser -Filter * -Properties MemberOf |
    where {$m = $_.MemberOf | where {$_ -match 'app-view'}; $m -ne $null -and @($m).Count -gt 1} |
    Select Name,@{N='#VDI groups';E={$m.Count}},
    @{N='Groups of VDI';E={($m | Get-ADGroup | Select -ExpandProperty Name) -join ' | '}}

  • View of VM, linked Clones and Thinapp to a group of users?

    In our configuration of the display, I have a pool of 80 people, some users have asked MS Visio.

    I created a package of visio and wanted to deploy to a group of users, but I can only assign to a pool.

    Is it possible so I can assign MS Visio only to a certain (AD) Group of people without having to create an additional pool?

    For another application, I use the security feature in the thinapped application, which does not allow users to start the program and reports an error message. It does not work properly with Visio: a user with Visio can open Visio files very well with the editor, a user without Visio should get the (Internet Explorer) Visio Viewer, but the application is launched instead (which shows the security message and the user cannot view the Visio file).

    In theory if you added it to a pool only people within the security group would be able to access.   You can also use a login script register which means that it could only be saved for those who can visit his profile.    See the link below for an example login script.

    http://blogs.VMware.com/ThinApp/2008/10/ThinApp-thinreg.html

  • Manage multiple groups of users

    How, as an administrator, manage the content of several groups of users so that I see all the documents, but they see only those that apply to them?

    Hi Jena,

    First of all, if you want to see the records of users to your account, you can start sharing of account. Here is the link for reference:

    http://helpx.Adobe.com/EchoSign/KB/account-sharing.html

    In addition, it is not possible to restrict this functionality for specific users. Account sharing can be enabled or disabled for all users only. In addition, it is initialized when the requestee accepts the sharing.

    Let me know if you need help!

    Kind regards

    -Usman
