ISE AD integration issues

G'day all,

I'm trying to add my node primary admin to RFA, but I am receiving the following error message in the ISE graphical user interface.

using the writable domain controller: addc01.abc.com

Computer update DnsName failed.

The user doesn't have privileges to update the DNSHostName attribute.

Error: Either user [email protected] / * / do not have enough permissions to be

Domain Abc.com, Zone Null

Or this computer already has an account in the domain.

To join, you must have domain administrator privileges.

Join to the domain Abc.com, Null area has no

The detailed test passes fine. I do not see NTP errors, and DNS resolves completely at both ends.

Any help is greatly appreciated guys.

James

I had a similar problem.

I received the following error message:

The domain controller using: paprowdc.domain.corp writable = true
Computer update dnsName failed.
The user doesn't have privileges to update the dNSHostName attribute.

Error: Either user [email protected] / * / doesn't have sufficient permissions to join
field domain.corp, null zone
or this computer already has an account in the domain.
To join, you must have domain administrator privileges.

Domain join 'domain.corp', 'null' area failed.

The problem was resolved by adding the privilege to add machine objects on the AD to the user_ad user.

Kind regards
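
The fix reported above, scoped as a least-privilege delegation instead of Domain Admin rights. This is an added example, not part of the original posts; the OU, the `DOMAIN` NetBIOS prefix and the ISE node name are placeholders, and it assumes the RSAT ActiveDirectory module and `dsacls` on a management host.

```powershell
# Added example. The OU, NetBIOS domain name and ISE node name are placeholders.
Import-Module ActiveDirectory

$TargetOU    = 'OU=ISE,DC=domain,DC=corp'  # assumed OU that will hold the ISE machine account
$JoinAccount = 'DOMAIN\user_ad'            # join account named in the post; NetBIOS prefix assumed
$IseNodeName = 'ISE-PLACEHOLDER'           # hypothetical computer name of the ISE node

# Cause 1 named by the error: "this computer already has an account in the domain".
# An object left over from an earlier join attempt blocks the join, so look for it first.
$existing = Get-ADComputer -Filter "Name -eq '$IseNodeName'" -Properties dNSHostName, whenCreated
if ($existing) {
    Write-Warning "Existing computer object: $($existing.DistinguishedName)"
    $existing | Format-List Name, dNSHostName, whenCreated
    # Show who owns the object; a different owner explains the permission failure.
    (Get-Acl "AD:\$($existing.DistinguishedName)").Owner
}

# Cause 2: the join account cannot create the object or write dNSHostName.
# Grant only those rights, on this OU only.
dsacls $TargetOU /I:T /G "${JoinAccount}:CC;computer"               # create computer objects
dsacls $TargetOU /I:S /G "${JoinAccount}:WP;dNSHostName;computer"   # write dNSHostName on them

# Review the resulting ACEs for the join account.
dsacls $TargetOU | Select-String -SimpleMatch 'user_ad'
```

Pre-staging the computer object in that OU and delegating rights on the single object narrows the grant further.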

Tags: Cisco Security

Similar Questions

  • OAM and Oracle Portal integration issue

    I have Oracle Portal (OAS 10.2.0.3) installed and it worked fine with OAS SSO. I was able to log in users from Oracle Internet Directory. I also installed Oracle Access Manager (10.1.4.0) with Oracle Internet Directory. Then I followed the Oracle By Example "Integrating Oracle Access Manager with Oracle Single Sign-On and Oracle Portal" (http://www.oracle.com/technology/obe/fusion_middleware/im1014/oam-osso-portal/oam-osso-portal.htm) to integrate OAM and Oracle Portal.

    In the last step, after I typed http://<server.domain>:7778/pls/portal and clicked on the login link, I saw the LDAP-based challenge box (which was good). But after I provided an OID user name and password and clicked OK, the portal page did not change at all. It seemed that I was logged in, but I couldn't see the Builder or portal admin tab, or the logout link. So I couldn't even log out of the portal because the logout link was not displayed.

    Could someone help me with this issue?

    Thank you
    Georges Nicks

    Hi Georges Nicks.

    I think that the OSSO plugin does not receive user name information correctly. You can add debugging statements in the SSOOblixAuth.java and recompile / redeploy to see if the value is received.

    In addition, the OBE article directs you to add the attribute back to ossouser (with the uid of the user as a value) on the success of the authentication. Can you try to add the same action Expression of authorization on the success of default permission?

    -Vinod

  • VSS of LabVIEW integration issue

    Hello

    I'm trying to co-simulate VSS and LabVIEW by running a simple example from the AWRDE example files. I get the error message that I need an integration license (see the attached screenshot) in order to use the LabVIEW block in VSS. I'm running LabVIEW 2013 Professional Edition and have the following version of AWR:

    10.02R build 5983 Rev (78833). I have Windows 7 on my computer.

    Can someone please tell me what the integration license is and how to get it? We have the license for LabVIEW, as well as the AWRDE software. Thank you.

    Kind regards

    Kathar

    Hi, Kathar, the best way to fix this is to upgrade to AWRDE v11.01 (available from the download link at www.awrcorp.com).

  • Mathematical integration issue

    Hi all

    Here's a VI I'm working... it's a Powermeter instrument that measures power through photodiode sensors. The unit is used to measure the power to 1 wavelength. I did the VI for example a range of whole wavelengths, with some time and that integrate all the values of the measured power. This way I can include the component wavelengts visible in the final value of the power measured.

    However, when measuring, after integration, I get different values depending on the sampling step. This cannot be right, since I'm covering the same wavelength range and changing the step (measuring every 10 or 50 nanometers) should not affect the final result. I think the problem is in the method of integration. Is there anyone with knowledge of mathematical integration, or of the integration VIs in the full version of LabVIEW? Can anyone suggest another integration VI, or maybe another method? I'll be very grateful!

    Best regards

    G.

    The simplest method of numerical integration is the rectangle rule. The following figure should explain it.

    In your case, 'h' is the sampling step (in nanometers), and so is the dt input.

    Say you have a point every 10 nm and f(x) = 2, a constant function. The area of a rectangle is then 10 * 2 = 20. Your dt should also be 10. However, if you set dt to 0.1, the formula calculates 0.1 * 2 = 0.2, which is a false result. To get the correct value, you would need to have a sample every 0.1 nanometers, so over a 10 nm range the area would be 0.1 * 2 * 100 = 20. Another way is to keep the sampling at 10 nm and multiply the value of f(x) by 10/0.1 = 100, so that there is 0.1 * 200 = 20.

    If you are unsure, simply generate a constant waveform and play with the settings. It is easy to determine the integral of a constant function, and of other elementary functions such as the sine or cosine. If you manage to get the correct value on these functions, you should be able to use the same settings on your custom signals, provided they have the same sampling step.

    I hope it's clearer now

    Kind regards

    Adam

  • The ISE Solution design issues?

    Is it possible to configure ISE in the following way:

    3 locations: main campus, 1 Site (Recovery Site) & Site2

    4 ISE devices.

    Main campus: 2 devices:

    Unit 1: PAN (P) + dem (P) + PSN (just for backup, will be configured as the second RADIUS server on all NADs)

    Unit 2: PSN (will be configured as the first RADIUS server on the main campus NADs)

    Site 1 (DR Site): 1 unit

    Unit 1: PAN (S) + PSN (the first RADIUS server for local NADs, third RADIUS server on all other NADs), MnT (S)

    Site 2: 1 unit

    Unit 1: PSN (the first RADIUS server for local NADs)

    Due to some constraints, I'm not able to test this configuration in the lab, and from looking at the documentation, although it is not mentioned specifically, it seems theoretically possible to implement ISE this way. Any comments or support are much appreciated.

    Thanks for the info Maury. Overall, your design is OK for the number of endpoints that you have decided to run. Ideally, in a distributed deployment, you would have 2 x ISE servers for the Admin/M&T personas and then 2 x ISE for the Policy Services persona. You can also make one of the nodes primary for Admin but backup for M&T, and vice versa, for a better distribution of the load. So in your situation, you might do:

    Site A:

    ISE Server #1 - primary Admin and secondary M&T

    ISE Server #1 - primary PSN for Site A and secondary PSN for Site B

    Site B:

    ISE Server #1 - secondary Admin and primary M&T

    ISE Server #1 - primary PSN for Site B and secondary PSN for Site A

    Again, you won't have that many concurrent endpoints, so you'll be OK going with the design that you have described. However, if you want to follow the Cisco design guide and future-proof your architecture, then I would follow my suggestion :)

    I hope this helps!

    Thank you for evaluating useful messages!

  • ISE authorization policy issues

    Hello team,

    I'm having trouble in my implementation: the user's PC never gets an IP address from the access VLAN after a successful AuthZ policy.

    I have two VLANs in my implementation:

    VLAN ID 802 for authentication (subnet 10.2.39.0)

    VLAN ID 50 for user access (subnet Y.Y.Y.Y)

    When I start my user PC, I get an IP for VLAN 802 (10.2.39.3), and after the Posture process, ISE informs the switch to put the user PC's port in VLAN 50.

    Here is my port configuration on the switch:

    interface GigabitEthernet0/38
     switchport access vlan 802
     switchport mode access
     switchport nonegotiate
     switchport voice vlan 120
     ip access-group ACL-DEFAULT in
     authentication event fail action next-method
     authentication event server dead action reinitialize vlan 50
     authentication event server dead action authorize voice
     authentication host-mode multi-auth
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     authentication violation restrict
     mab
     dot1x pae authenticator
     dot1x timeout tx-period 10
     spanning-tree portfast
    end

    And here is the output of the AuthZ policy in action:

    7 Oct 09:22:01.574 ANG: %DOT1X-5-SUCCESS: Authentication successful for client (0022.1910.4130) on Interface Gi0/38 AuditSessionID 0A022047000000F6126E9B17
    7 Oct 09:22:01.582 ANG: %AUTHMGR-5-VLANASSIGN: VLAN 50 assigned to Interface Gi0/38 AuditSessionID 0A022047000000F6126E9B17
    7 Oct 09:22:01.591 ANG: %EPM-6-POLICY_REQ: IP 0.0.0.0| MAC 0022.1910.4130| AuditSessionID 0A022047000000F6126E9B17| AUTHTYPE DOT1X| EVENT APPLY
    7 Oct 09:22:01.591 ANG: %EPM-6-AAA: POLICY xACSACLx-IP-PERMIT_ALL_TRAFFIC-537cb1d6| EVENT DOWNLOAD-REQUEST
    7 Oct 09:22:01.633 ANG: %EPM-6-AAA: POLICY xACSACLx-IP-PERMIT_ALL_TRAFFIC-537cb1d6| EVENT DOWNLOAD-SUCCESS
    7 Oct 09:22:01.633 ANG: %EPM-6-IPEVENT: IP 0.0.0.0| MAC 0022.1910.4130| AuditSessionID 0A022047000000F6126E9B17| AUTHTYPE DOT1X| EVENT IP-WAIT
    SWISNGAC8FL02#
    7 Oct 09:22:02.069 ANG: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0022.1910.4130) on Interface Gi0/38 AuditSessionID 0A022047000000F6126E9B17
    SWISNGAC8FL02#
    7 Oct 09:22:02.731 ANG: %EPM-6-IPEVENT: IP 10.2.39.3| MAC 0022.1910.4130| AuditSessionID 0A022047000000F6126E9B17| AUTHTYPE DOT1X| EVENT IP-ASSIGNMENT
    7 Oct 09:22:02.731 ANG: %EPM-6-POLICY_APP_SUCCESS: IP 10.2.39.3| MAC 0022.1910.4130| AuditSessionID 0A022047000000F6126E9B17| AUTHTYPE DOT1X| POLICY_TYPE Named ACL| POLICY_NAME xACSACLx-IP-PERMIT_ALL_TRAFFIC-537cb1d6| RESULT SUCCESS

    After that, I have:

    SWISNGAC8FL02#sh auth sess int g0/38
    Interface: GigabitEthernet0/38
    MAC Address: 0022.1910.4130
    IP Address: 10.2.39.3
    User-Name: SNL\enzo.belo
    Status: Authz Success
    Domain: VOICE
    Security Policy: Should Secure
    Security Status: Unsecure
    Oper host mode: multi-auth
    Oper control dir: both
    Authorized By: Authentication Server
    Vlan Policy: 50
    ACS ACL: xACSACLx-IP-PERMIT_ALL_TRAFFIC-537cb1d6
    Session timeout: N/A
    Idle timeout: N/A
    Common Session ID: 0A022047000000F6126E9B17
    Acct Session ID: 0x000001A7
    Handle: 0x710000F7

    Runnable methods list:
    Method   State
    dot1x    Authc Success
    mab      Not run
    !

    Apparently everything is OK, but it isn't. The user's PC never gets an IP address from the access VLAN 50.

    If I run:

    SWISNGAC8FL02#sh mac address-table | inc 0022.1910.4130
    50    0022.1910.4130    STATIC    Gi0/38
    802   0022.1910.4130    STATIC    Gi0/38

    And

    SWISNGAC8FL02#sh epm session summary
    EPM Session Information
    -----------------------
    Total sessions seen so far: 17
    Total active sessions: 1

    Interface            IP Address   MAC Address     VLAN  Audit Session Id:
    ----------------------------------------------------------------------------------
    GigabitEthernet0/38  10.2.39.3    0022.1910.4130  802   0A022047000000F6126E9B17

    My switch runs Cisco IOS Software, C3560E Software (C3560E-IPBASEK9-M), Version 15.0(2)SE6, RELEASE SOFTWARE (fc2)

    I use ISE Version 1.2.1.198, Patch Info 2

    Could you help me in this case?

    Best regards

    Daniel Stefani

    It seems that the PC is being placed in the VOICE domain according to the sh auth sess int command output that you have shown. Do you think this has something to do with your problem? I have known a few PCs to have problems with that.

    If you could, try to get the PC to operate in the DATA domain by not sending the voice permission attribute from ISE.

  • ACS 5.3 AD integration issues

    Hi all

    We have two ACS 5.3 devices in sync mode with some local users, groups, devices, etc. I need to join the ACS service to Active Directory. I have a few questions; can you help me please?

    (1) We have a parent domain and three child domains. I need clients of all three child domains to be able to authenticate on ACS. Should I make the ACS a member of the parent domain, or is it possible to connect a GBA to three child domains?

    (2) Will joining ACS to AD affect the current (local) configuration? Will local users somehow lose access to certain devices, or will devices disappear? What is a safe procedure?

    (3) Another small question: I can access the web user interface, but can't SSH (PuTTY) using the same credentials. Am I doing something wrong?

    Thank you!

    (1) Join the parent domain and you can authenticate users from parent and child.

    - The parent and the child have a default two-way trust, which is what is needed.

    (2) No, and that's for sure.

    (3) SSH creds differ from those of the web GUI.

    This is usually set when you install the ACS software.

    If you have forgotten it, perform a password recovery by using the DVD.

    Rate if useful :)

    Knowledge sharing makes you immortal.

    Kind regards

    Ed

  • 2960 - S FlexStack - stack integration issue?

    I have a client with two WS-C2960S-24PD-L units; both devices have FlexStack modules and run C2960S Software (C2960S-UNIVERSALK9-M), Version 12.2(55)SE2, RELEASE SOFTWARE (fc1).

    The first switch is in use with a running-config on it, and because of a migration the customer asks me to add the new switch to the existing switch to make a single stack (CoXYZStack).

    I dug around on Cisco's Web site and am not able to find the following Guide Flexstack;

    http://www.Cisco.com/en/us/prod/collateral/switches/ps5718/ps6406/white_paper_c11-578928.html

    Unfortunately, this document does not really detail the configuration that I need on a switch. Has anyone got Cisco FlexStack configuration experience? If so, can you give me some advice on the requirements on the two switches?

    Basically what is happening is that both switches act as independent 'stacks' in their own right and I am unable to get them to recognize each other or operate together as one unit.

    switch 1 provision ws-c2960s-24pd-l
    switch 2 provision ws-c2960s-24pd-l

    I tried the 'switch x provision xyz' configuration line on CoXYZSw1, and as you can see when you do a 'sho switch detail' it shows as provisioned, but on CoXYZSw2 nothing: neither the stack ports nor the stack ring come up?

    CoXYZSw1#sho switch detail
    Switch/Stack Mac Address : c8ba.bf77.1234
                                               H/W   Current
    Switch#  Role   Mac Address     Priority Version  State
    ----------------------------------------------------------
    *1       Master c8ba.bf77.1234     14     1       Ready        < you will see I also tried altering CoXYZSw1 priority to 14 to ensure it came up as >
     2       Member 0000.0000.0000     0      1       Provisioned

    CoXYZSw1#sho switch stack-ring speed

    Stack Ring Speed: 10G
    Stack Ring Configuration: down
    Stack Ring Protocol: FlexStack

    CoXYZSw1#sho switch stack-ports
    Switch #   Port 1   Port 2
    --------   ------   ------
    1          Down     Down

    And as you can see, the switch does not see or recognize its neighbor? I tried the two possible FlexStack wiring configurations, i.e. battery 1 battery 1 / Stack 2 to 2 and 1 battery battery battery 2 / 1 battery battery 2

    CoXYZSw1#sho switch neighbors
    Switch #   Port 1   Port 2
    --------   ------   ------
    1          None     None

    If anyone has any ideas or a configuration example, it would be greatly appreciated.

    PS: Also had a try with this config "stackmaker", but that doesn't seem to help much either? "stackmaker name CoXYZStack".

    You need a minimum of one stack cable connected.

    Make sure that the 2nd switch DOES NOT HAVE any configuration in there.

    And yes, power off stack member switch 2, connect a console cable and power it up.  Post the generated output.

  • Void / navigation Menu / integration issue of the e-commerce of the BC, please help!

    Hello

    sarahcosmetics.com is an e-commerce site that I've developed with Muse and Business Catalyst.

    I sectioned off sub categories form of pages which make correctly however my client recently asked me to add a submenu for navigating these pages at the top of the site.

    I currently have a link to the following pages: "Lips" 'eyes' and 'face' through hypertext links which I have incorporated into my muse projects 'page' products I was able to locate the appropriate links to my store via BC categories after setting up the shopping cart.

    It was found to work, but my client asked me to incorporate a dropdown under Products linking to 'Lips', 'Eyes' and 'Face' via the navigation menu.

    I thought it would be child's play I use a widget of grid of muse for the navigation menu that works very well on the other sites, however in this case, when I publish it links to these pages, it connects to my muse model pages for "Lips" 'eyes' and 'face' (who seem to have a different hyperlink) so no products are returned.

    I'm really need help to know what the difference is and how to get around this problem to properly set up the sub menu of navigation.

    Currently, the hypertext links this page works fine, http://www.sarahcosmetics.com/products.html

    So I guess you deleted the navigation sub under products menu.

    If the pages 'Lips', 'Eyes' and 'Face' include {tag_pagecontent}, then they will appear under templates when the site is published to Business Catalyst. In case you use the content tag, try to remove it and insert the content directly on the pages, then include them in the main navigation menu links; it should work.

    If you still need help, then I suggest you to publish the site as a place to test new with all the links of the menu SUP to the title of the item in main menu of products, so that we can check on our end.

    Thank you

    Sanjit

  • Navigation glossary integration issues

    Here's my situation. I'm building a course in version 5.5. I have an opening slide and then a glossary slide placed as slide 2. This slide should be accessible when the user clicks a glossary button on each slide. A back button on the glossary will return users to the previously visited slide. I am also using the standard playback bar. I need to keep the glossary slide hidden until users click the glossary button. As it is now, the slide is visible when moving forwards and backwards using the playback bar. What is the best way to keep the slide hidden during navigation? I'm not very familiar with advanced actions and am very new to using the program. Thank you.

    Here is a brief overview of what you need to do:

    1. Create a variable named, say, varAllowGlossary and set its initial value to 0. (Use the Project > Variables menu to create the variable.)
    2. Create a conditional advanced action named, say, SkipOrShowGlossary to run this logic:
      • If varAllowGlossary is 0, go to the next slide, ELSE continue
    3. Set the 'On Enter' action of your glossary slide to Execute Advanced Actions > SkipOrShowGlossary
    4. Define the 'On Exit' action of your glossary slide to assign varAllowGlossary with 0 (although this action will not be executed if the user clicks the back button on the slide instead).
    5. Create a standard advanced action named, say, ReturnFromGlossary, with two actions as follows:
      • Assign varAllowGlossary with 0
      • Go to last visited slide
    6. Set ReturnFromGlossary as the 'On Success' action of the Back button on the glossary slide.
    7. Create a standard advanced action named, say, GoToGlossary with two actions as follows:
      • Assign varAllowGlossary with 1
      • Go to slide {your glossary slide}
    8. Set GoToGlossary as the 'On Success' action of any button that is intended to take the user to the glossary.

    Hope that helps!

    Trevor

  • ISE and AirWatch MDM integration

    I have been using ISE with the AirWatch integration for over a year.  Recently, it seems that AirWatch has updated their certificates and now I can't get ISE and AirWatch to communicate.  I can access the AirWatch API URL through a browser, and I see that the browser uses TLS 1.2.  According to Cisco TAC, ISE does not support TLS 1.2.  I have cases open with two TACs, but have yet to find a resolution.

    Does anyone have ISE / AirWatch integration currently working?

    Wes,

    I have a client who had what sounds like the same issue.  It came down to AirWatch changing the host it was using. It was a long journey to get to the right answer, but when AirWatch changed the host, things started working again.  It took several calls with AirWatch until someone had the idea to make this change.

    Hope that helps.

    Tim

  • Integration of Cisco ISE with another vendor's wireless LAN controller

    Hi all!

    I am currently working on an assignment and am eager to integrate the identity service provider in the network. The only problem is that the wireless network deployed earlier is from another vendor. I just need to know whether ISE can integrate with the other vendor's wireless controller and provide guest access control. LDAP integration is also required.

    Waiting for help!

    Hello

    To my knowledge, yes, Cisco ISE can be integrated with another vendor's wireless LAN controller, but in a limited way (Aruba, Ruckus), and if you want to add an external identity group to your network, then LDAP integration is required.

  • ISE 1.3 and NAC

    I have a client that runs 5508 WLCs through the area, and I'm catching IEEE 802.1X authentication for the enterprise WLAN and WebAuth for the guest WLAN... they are on PSK now :(

    They have AD and great interest in ISE and NAC, so my immediate thoughts are to integrate ISE with AD and use ISE as the RADIUS server for .1x on the WLC. Then use the WLC and ISE to do WebAuth for guests... It's all standard stuff, but it gives the background.

    Now we come to the interesting bit... they want to run BYOD. They are involved in the financial markets, so the BYOD must be tightly controlled. They are asking about ISE coupled with NAC, but I am not convinced that I need NAC since the arrival of ISE 1.3. Of course, I will be looking at three (min) SSIDs, corporate, guest and BYOD, just logically distinct. I have nothing that ISE 1.2 cannot handle for corporate and guest, but BYOD must have full profiling and remediation or device prohibition before access to the net.

    Does anyone have comments or suggestions? Is ISE 1.3 NAC-like enough that I don't need more, or if this is not the case, what additional benefits does that ISE can support

    Thanks for your advice/comments/experiences

    Jim

    Hi Jim,

    Version 1.3 offers an integrated PKI and a significantly improved guest services experience. The internal PKI is nice if the customer does not have a PKI solution in place. Don't forget, however, that the ISE internal PKI can only issue certificates to BYOD devices which have been onboarded through the ISE BYOD "flow"; you cannot use the ISE PKI to issue certificates to computers in the domain.

    With regard to NAC: you need to specify exactly what is needed here. If you want to do "posture assessment", then ISE can do that for Windows- and OS X-based machines. You can check for things like: A/V, A/S, status of the firewall, Windows hotfixes. If you want to do posture on mobile devices, then you will need to integrate ISE with an MDM (mobile device management) solution such as: AirWatch, MobileIron, Extend360, etc. ISE can query the MDM for things like: is the device protected with a PIN, is the device rooted, is the device encrypted, etc.

    I hope this helps!

    Thank you for evaluating useful messages!

  • Cisco ISE - authentication policy

    Hello guys,

    I'd like opinions on a scalable strategy for authentication of users and/or workstations in Cisco ISE for the following scenario:

    Customer with some 130 branch offices. Each branch has a separate AD domain without trust with the HQ or with the other branches.

    Knowing that ISE supports integration with up to 50 domains, what would you suggest for this case?

    Kind regards
    Daniel Stefani

    Stefani,

    Of course it will work. You can even use a centralized CA architecture; just make sure that you can distribute these certificates to the endpoints...

    Another option is to check whether the AD user account is restricted (disabled, locked, expired, password expired and so on) via LDAP, but you need the username to be equal to some field in the certificate (CN or SAN).

    Kind regards

    Fabio

  • ISE 1.2 sponsor portal corrupt

    Hello

    Since I started using the ISE sponsor portal it displays incorrectly; see the attached screenshot.

    I tried different browsers, but the problem is the same. Other pages are okay, just the basics with guest users have problem.

    Looks like it happened after upgrading from a previous version of ISE.

    Does anyone know how to fix this?

    Thank you and regards

    Karel

    Hey Karel,

    Bug details are as follows:

    CSCuj93990   page accounts managed comments is not centered

    It is still in progress and, according to the report, it is addressed in version 1.3 of ISE, where we are redesigning the guest feature to be free of the ISE 1.2 issues.

    If you need an immediate fix for this, I'd say open a TAC case and apply the fix for this problem in one of the patches on ISE 1.2.

    Thank you.
