ISE CWA with foreign/anchor WLC deployment - missing user names

I'm not sure if this belongs in the mobility or the security section - I'll just give it a try here.
I've set up wireless guest access with Cisco ISE 1.3 (patch 2) and a foreign/anchor WLC deployment (7.6.130.0).
So far almost everything works fine - but I probably have a problem with Cisco ISE logging.

In the 'Live Authentications' view, I see the successful authentication, but the Identity column shows just the MAC address of the endpoint.
If I navigate to the endpoint identity store, the guest endpoint is in the right group (guestendpoints), and when I look at the details of the endpoint, I can see the "portalusername" who created the user.

If I click on the active endpoints view (see attachment), I can see all active clients (Authz profile "PermitAccess"). I guess the user name of the client must be filled in there as well, no?

Does anyone have an idea what the cause of this is? Or is this the normal behavior?

My authentication rules are:
If "Wireless_MAB" and "RADIUS: Called-Station-ID ENDS_WITH Guest-SSID" then use "Internal Endpoints" and continue if "user not found".

My authorization rules are:
1.) if GuestEndpoints AND (Wireless_MAB AND RADIUS: Called-Station-ID ENDS_WITH Guest SSID) then PermitAccess
2.) if (Wireless_MAB AND RADIUS: Called-Station-ID ENDS_WITH Guest SSID) then GUEST_WEBAUTH
The GUEST_WEBAUTH authz profile defines the CWA and the preauthentication ACL for the WLC.

On the WLC side, I just configured the foreign WLC with the RADIUS (ISE) server and enabled MAC authentication on the SSID.
All parameters such as AAA override and RADIUS NAC are set. The defined RADIUS is set on "settler" to comply with the ISE.

In my experience, this is the expected behavior. The new workflow for the guest use case starting with ISE 1.3 typically includes endpoint registration, as you're doing. Your authz policy for post-portal authentication (after the CoA) needs to use the MAC address as the identity for guest authorization, not the guest credentials used on the portal.

That being said, I would like to be able to see the portal user's username whenever a registered endpoint authenticates (until it is purged by the endpoint purge policies, of course).

Tim

Tags: Cisco Security
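
Added illustration, not part of the original thread and not Cisco code: a small Python model of the flow discussed above. It shows why the re-authentication after the CoA is logged with the MAC address as identity, and how log rows can be joined with the endpoint's "portalusername" attribute to recover the portal user. The SSID name, the DenyAccess default, the MAC addresses and the user names are assumptions constructed for the example.

```python
import re

GUEST_SSID = "Guest-SSID"  # assumed SSID name for this sketch

def norm_mac(value):
    """Normalise aa-bb-.., aabb.ccdd.., AA:BB:.. to AA:BB:CC:DD:EE:FF."""
    digits = re.sub(r"[-:.]", "", value).upper()
    if not re.fullmatch(r"[0-9A-F]{12}", digits):
        raise ValueError(f"not a MAC address: {value!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def authorize(req, endpoints):
    """First-match evaluation of the two authorization rules in the post."""
    if not (req["wireless_mab"] and req["called_station_id"].endswith(GUEST_SSID)):
        return "DenyAccess"  # assumed default rule; the post does not show one
    ep = endpoints.get(norm_mac(req["calling_station_id"]), {})
    if ep.get("group") == "GuestEndpoints":
        return "PermitAccess"   # rule 1: endpoint already registered
    return "GUEST_WEBAUTH"      # rule 2: redirect to the CWA portal

def portal_login(mac, username, endpoints):
    """Model of device registration: the portal files the MAC under GuestEndpoints."""
    endpoints[norm_mac(mac)] = {"group": "GuestEndpoints", "portalusername": username}

def enrich(rows, endpoints):
    """Add the portal user to log rows whose identity is only a MAC address."""
    out = []
    for row in rows:
        try:
            ep = endpoints.get(norm_mac(row["identity"]), {})
        except ValueError:       # identity is already a user name
            ep = {}
        out.append({**row, "portal_user": ep.get("portalusername")})
    return out

def demo():
    endpoints = {}  # constructed, empty endpoint store
    req = {"wireless_mab": True,  # constructed MAB request from the WLC
           "calling_station_id": "aa-bb-cc-00-11-22",
           "called_station_id": "00-1a-2b-3c-4d-5e:" + GUEST_SSID}
    first = authorize(req, endpoints)             # before portal login
    portal_login(req["calling_station_id"], "jdoe", endpoints)
    second = authorize(req, endpoints)            # re-authentication after CoA
    rows = enrich([{"identity": "AA:BB:CC:00:11:22", "profile": second},
                   {"identity": "employee1", "profile": "PermitAccess"}], endpoints)
    return first, second, [r["portal_user"] for r in rows]

if __name__ == "__main__":
    print(demo())
```

The MAC normalisation matters in practice because the controller and the endpoint store may write the same address with different delimiters and case, and a join on the raw strings would then miss.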

Similar Questions

  • Start Menu icon missing user!

    When I have connected to my Windows XP Pro computer and went to my Start menu, my user icon is missing. Only my name is there. How to bring back my user icon? : O

    You are right that there is no option that says "show the icon of the user".  If the "Start Menu" is already selected, then you have a different problem.

    When you start Windows, you get the homescreen or you go straight to your desktop?  If you get the Welcome screen, does show an icon for your username like this: http://www.softdistrict.com/wp-content/uploads/windowsxpwelcomescreen.jpg

    I suspect that you do not see the Welcome screen or if you do, there is no icon.  When one of these assumptions is correct, then

    Start > Control Panel > user accounts
    Click your user account
    Click on change my picture
    Click on an image
    Click the button change image
    exit from the control panel

  • For the WLC domain user authentication

    Hi guru

    I'm having a problem with the configuration of my WLC for domain users. I have ACS v3.3 and WLC 4112.

    I followed these instructions, but I still keep having to authenticate whenever I try to connect my laptop to an SSID. In addition, the Windows login prompts me only once. Please help me.

    http://www.Cisco.com/en/us/products/sw/secursw/ps2086/products_configuration_example09186a00801df0e4.shtml#manual

    Thank you.

    What says "Machine Authentication is not allowed"?

    Make sure that ACS helped him:

    http://www.Cisco.com/en/us/products/sw/secursw/ps2086/products_configuration_example09186a00801df0e4.shtml

  • new redirect URL of ISE 1.3 for WLC (Webauth external URL)

    Hello

    Could someone tell me the URL of ISE 1.3 for WLC?

    ISE1.2 was:

    https://ISE-1.Cisco.local:8443/guestportal/login.action

    Yes, the structure has changed since version 1.2, and I didn't bother to understand it since there is now a 'Portal test URL' button. Have you tried it? Or do you still need to be able to browse to it manually?

    If you still need to look it up manually, then you can use the test button to get the URL and then save it :)

    Thank you for evaluating useful messages!

  • Remove temporary files from the local disk c/documents and settings/user/localsettings/temp name

    Remove temporary files from the local disk c/documents and settings/user/localsettings/temp name

    By definition, this folder should contain only the elements you don't need.  If I understand correctly, this temporary folder is a place where temporary files are stored during program facilities and the facilities.  However, I have seen references other sites to help saying some programs can store folders and files.

    I do my own temporary file elsewhere, name it accordingly and move all the files in the temp folder to the new folder. Use your computer normally for a while, and if nothing complains about missing files, you have a good indication that none of the moved files are important and should be safe to delete.

  • How to get the full username by the user windows login name?

    Hello.

    I need to determine the full username from the user's Windows logon name. There are many ways to determine the logon user name, for example the application property node App.UserName or the %username% variable in cmd. But I found only one way to determine the full username of the logged-in user: the 'net user' command in cmd. This way is very slow and requires a huge amount of code (I have to get the logged-in user name, check whether the user is a local or a domain user, build the 'net user' command, and find the full username in the output).

    Is there a simpler way without using cmd?

    PS, Full user name is displayed in the Windows logon screen and on the start menu and can be different from the name of the user.

    Here which may help: https://decibel.ni.com/content/docs/DOC-24358

  • Why is User.Identity.Name filled when using Chrome but not IE? I have a small group of users where this happens.

    Hello

    I run a web site, ASP.NET 1.1 (not app) on Win 2003 server and IIS 6.  Users around the world have used it for years.  Around June, a small group of users in the same office began to not be able to connect.  I have traced the issue to the fact that User.Identity.Name is not filled.  IIS has IWA turned on and I think anonymous access disabled.  But I also played with these settings and saw no difference other than blocking everyone.

    During troubleshooting, I found:

    1. User.Identity.Name is filled if they use Chrome (same computer, the same user account... just Chrome instead of IE 8).

    2. We configured a new laptop, with Windows and IE freshly installed.  They remote desktop to the new laptop and get the same error.  I remote desktop in and am able to connect just fine using IE 8.

    3. I thought something with their proxy might be the issue.  I grabbed their proxy file.  Nothing has changed.  I still log in fine.

    I'm not able to troubleshoot this further and think there must be a setting in their Windows account or something that causes it not to be set.  The thing I don't understand is why Chrome works?

    Thanks for any help.

    Kind regards

    Brian

    Hello

    It is better suited for the IT Pro TechNet public. Please ask your question in the Forum on TechNet Support. You can follow the link to ask your question: http://social.msdn.microsoft.com/Forums/en-US/category/iedevelopment 

    Hope this information helps.

  • VirtualMachine.Admin.Name and asking the user for the name of the server

    I need to allow end users to designate the name of their server requested when you submit a request through VCAC. I do this using VirtualMachine.Admin.Name in the custom of my blueprint properties and it prompts the user to set.  I have also some scripts that run with the heel of building put into operation once the server is built which require me to enter the VC:VirtualMachine object for the server with the name of the server.  It does this in a loop in a table of all the VC:VirtualMachines met my VCenter server and find a match on the name with an xpath expression.  The name of the server is collected inside the cutting-edge designer using the getVirtualMachineName activity.  This activity is integrated into the designer and aims to do exactly what he says.  He then handed the name in the VCO workflow.  Not much, really.  I have used this method a lot in the past with VCAC.

    Problem:


    Recently, I started running this script on a new installation of VCO (5.5.1) and the new instance VCAC (version 6.0 - 1720522) and I see a very strange behavior.  When I get the name in the tip with the activity of getVirtualMachineName Designer, the name is that name WOULD have been affected had I pressed VCAC to automatically generate name for me using a prefix of machine profile.  Remember that you must associate a prefix of the default machine on your group of companies.  This is the prefix that is used to generate the name and associate it to the server in VCAC despite the fact that I am more precisely the substitution of this name automatically generated with the VirtualMachine.Admin.Name custom property in the custom of my blueprint properties.

    The strange thing is that the server is correctly named in the vSphere console and inside the guest OS.  In other words, the name that the user places in the VirtualMachine.Admin.Name field is what you get in the vSphere console and the OS.  So that part works.  Then why is it not being correctly named in the VCAC VirtualMachine object?

    This misnaming is what originally caused my workflow to fail.  I can work around this problem in the workflow, but I fear that there will still be problems down the road if the alias is associated with the server inside VCAC itself.

    Once again, I did this with earlier versions of VCAC and VCO and not had this problem.  Anyone else seeing this?  I'm doing something wrong here?

    The custom property to use to allow a user to enter name themselves is the host name (just hostname, nothing else)... That's what I put to prompt the user to our forms.

  • ORA-01506: missing or illegal database name

    I can't start the database instead, I get the above error. Help, please

    [oracle@localhost /]$ pwd
    /
    [oracle@localhost /]$ cd /u01/app/oracle
    [oracle@localhost oracle]$ export ORACLE_BASE=/u01/app/oracle
    [oracle@localhost oracle]$ export ORACLE_HOME=/u01/app/oracle/product/11.2.0/dbhome_1
    [oracle@localhost oracle]$ export ORACLE_SID=orcl
    [oracle@localhost oracle]$ export PATH=$ORACLE_HOME/bin:$PATH
    [oracle@localhost oracle]$ export TNS_ADMIN=/u01/app/oracle/product/11.2.0/dbhome_1/network/admin
    [oracle@localhost oracle]$ sqlplus / as sysdba

    SQL*Plus: Release 11.2.0.1.0 Production on Thu Feb 14 17:33:11 2013

    Copyright (c) 1982, 2009, Oracle. All rights reserved.

    Connected to an idle instance.

    SQL> startup
    ORA-01506: missing or illegal database name
    SQL>

    >
    ...
    [oracle@localhost oracle]$ export ORACLE_SID=orcl
    ...
    -rw-r--r-- 1 root root 69 Feb 14 12:02 initorcl.ora
    ...
    >

    Why is the initorcl.ora file owned by root? As mentioned, do not perform any Oracle-related actions or commands as root.

    HTH
    Srini

  • Find IP address of users or the name of the workstation?

    Hi people:
    I have finished my security subsystem, where I record things about users like the username, the connection time, pages visited and so on.
    I would like to record the IP address of users and/or the name of the workstation as well. Is this possible?

    Thanks in advance
    Oscar

    Oscar:

    You can use the owa_util.get_cgi_env API to get the IP address of the requester.

    select owa_util.get_cgi_env('REMOTE_ADDR') from dual
    

    CITY

  • CWA with WLC Firmware 7.0.228 and ISE 1.1.1

    Hello

    Does Cisco ISE Central Web Authentication support WLC version 7.0.228?

    My client has many access points that are supported only by the 7.0.228 firmware code.

    Cisco ISE version 1.1.1

    WLC 5500 Series, but the existing access cannot support 7.3

    Thank you

    Mathias Maneesud

    After checking both the ISE and the WLC release notes, it seems that support for CWA with RADIUS NAC was introduced in 7.2.110

    WLC-

    http://www.Cisco.com/en/us/docs/wireless/controller/release/notes/crn7_2_110_0.html#wp784178

    ISE-

    http://www.Cisco.com/en/us/docs/security/ISE/1.1.1/compatibility/ise_sdt.html#wp55038

    Hope that helps.

    Tarik Admani
    * Please note the useful messages *.

  • [RESOLVED] Our Apple iOS 8.0 users and Cisco ISE custom portal

    Hi guys,
    I was wondering why, after updating to iOS 8.0, our Apple users cannot
    reach the ISE online portal. We have them connect via a WLC which
    redirects web-auth to ISE (RADIUS server).

    So if we use the internal portal (Note2) of the WLC 5508, the process works all right.
    After the update to iOS 8.0, Apple devices cannot reach our custom portal.
    None...

    everyone has experienced the same?

    BR

    Eugenio

    Glad that you got this work and good work on the search for a solution to your problem (+ 5 from me). Also, thank you for taking the time to come back and share it.

    If your problem is resolved, you must mark the thread as "Answered" :)

    One thing to consider too is CWA (Central Web Auth) instead of what you are doing is LWA (Local Web Auth). It's always better to CWA, there are many benefits to it.

    Thank you for evaluating useful messages!

  • Caching ISE authentication in CWA for guests

    Ciao,

    do you know how I can set up a guest authentication cache?

    For example, a guest connects to the guest SSID (open) and authenticates using CWA (ISE and WLC). After that, each time the guest logs off and logs in, no authentication is needed for the same day.

    Thank you

    With ISE 1.3, you can set the guest portal to auto-register the MAC address of devices when they connect for the first time as a guest. The next time that they connect, you can authenticate the MAC address instead. Endpoint purge rules can be configured so that, if you want them to reconnect again, ISE will remove the MAC address from the specific group for this guest portal and the user has to reconnect, e.g. once per day, or as often as you want...

    If you're on ISE 1.2, the only way is to change the idle timers on the WLC to a value greater than the default value of 300 seconds, which is really not a good way to do it if you plan to have a lot of users use this; it will consume memory and processing power on the WLC.

  • ISE, guest portal on the WLC

    Hello

    Currently we have wireless guest access through a guest portal on the WLC. Is it possible to deploy ISE and keep the guest portal on the WLC?

    Example:

    The user connects to an SSID with a laptop. This laptop is detected as not belonging to the corporate network and is then redirected to the WLC guest portal.

    All the guides I have found are about having the guest portal on ISE.

    Regards

    Philippe

    Hi Philippe,

    You can use the ActivatedGuest role (or any other external identity store) and implement RADIUS authentication instead of LWA or CWA; this way you can keep the portal on the controller.

    Greetings

  • Firefox 4 deployment with custom user settings?

    Hi people,

    I want to deploy FF 4.0 with custom user settings, but where is the "localized" my prefs.js file folder? In FF 3.6.x we extract the setup.exe file and with sources, we have deployed our customized firefox. In FF 4.0 now, there is some file missing from news sources. Are there any documents that explain the deployment of FF 4.0? Thank you very much

    You can always create a folder/defaults/profile and places the files in this folder to have in a new default profile. Folders that have no content are no longer present in the version of Firefox 4 RC, but some are still read and processed.
