static group assignment

• Skip to content
• Skip to search
• Skip to footer

Cisco Identity Services Engine Administrator Guide, Release 2.4

Bias-free language.

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

• Introduction to Cisco ISE
• Cisco ISE Licenses
• Cisco ISE Deployment Terminology
• Administration Portal
• Administrator Access Console
• Certificate Management in Cisco ISE
• Configure Admin Access Policies
• Adaptive Network Control
• Cisco ISE Software Patches
• Backup Data Type
• Cisco ISE Logging Mechanism
• Cisco ISE Reports
• TACACS+ Device Administration
• Cisco ISE Guest Services
• End-User Portals
• Administrative Access to Cisco ISE Using an External Identity Store
• Cisco ISE Users
• Profiled Endpoints on the Network

Agent Download Issues on Client Machine

• Personal Devices on a Corporate Network (BYOD)
• Define Network Devices in Cisco ISE
• Mobile Device Manager Interoperability with Cisco ISE
• Policy Sets
• TrustSec Architecture
• Posture Types
• Configure Client Provisioning in Cisco ISE
• Portal Settings for Client Provisioning Portals
• Threat Centric NAC Service
• Deployment and Node Settings
• Cisco pxGrid Node
• What Is Wireless Setup
• Enable Your Switch to Support Standard Web Authentication
• Monitoring and Troubleshooting Service in Cisco ISE

Chapter: Agent Download Issues on Client Machine

Endpoint settings, endpoint import from ldap settings, endpoint profiling policies settings, endpoint context visibility using udid attribute, session removal from the directory, global search for endpoints.

The client machine browser displays a “no policy matched” error message after user authentication and authorization. This issue applies to user sessions during the client provisioning phase of authentication.

Possible Causes

The client provisioning policy is missing required settings.

Posture Agent Download Issues

Remember that downloading the posture agent installer requires the following:

The user must allow the ActiveX installer in the browser session the first time an agent is installed on the client machine. The client provisioning download page prompts for this.

The client machine must have Internet access.

Ensure that a client provisioning policy exists in Cisco ISE. If yes, verify the policy identity group, conditions, and type of agent defined in the policy. Also ensure whether or not there is any agent profile configured under Policy > Policy Elements > Results > Client Provisioning > Resources > Add > NAC or AnyConnect Posture Profile , even a profile with all default values.

Try re-authenticating the client machine by bouncing the port on the access switch.

These windows enable you to configure and manage endpoints that connect to your network.

Enable Secure Connection

Check the Enable Secure Connection check box to import from an LDAP server over SSL.

Root CA Certificate Name

Click the drop-down arrow to view the trusted CA certificates.

The Root CA Certificate Name refers to the trusted CA certificate that is required to connect to an LDAP server. You can add (import), edit, delete, and export trusted CA certificates in Cisco ISE.

Anonymous Bind

You must enable either the Anonymous Bind check box, or enter the LDAP administrator credentials from the slapd.conf configuration file.

Enter the distinguished name (DN) configured for the LDAP administrator in the slapd.conf configuration file.

Admin DN format example: cn=Admin, dc=cisco.com, dc=com

Enter the password configured for the LDAP administrator in the slapd.conf configuration file.

Enter the distinguished name of the parent entry.

Base DN format example: dc=cisco.com, dc=com.

Query Settings

MAC Address objectClass

Enter the query filter, which is used for importing the MAC address, for example, ieee802Device.

MAC Address Attribute Name

Enter the returned attribute name for import, for example, macAddress.

Profile Attribute Name

Enter the name of the LDAP attribute. This attribute holds the policy name for each endpoint entry that is defined in the LDAP server.

When you configure the Profile Attribute Name field, consider the following:

If you do not specify this LDAP attribute in the Profile Attribute Name field or configure this attribute incorrectly, then endpoints are marked “Unknown” during an import operation, and these endpoints are profiled separately to the matching endpoint profiling policies.

If you configure this LDAP attribute in the Profile Attribute Name field, the attribute values are validated to ensure that the endpoint policy matches with an existing policy in Cisco ISE, and endpoints are imported. If the endpoint policy does not match with an existing policy, then those endpoints will not be imported.

Enter the time in seconds. The valid range is from 1 to 60 seconds.

The Unique Identifier (UDID) is an endpoint attribute that identifies MAC addresses of a particular endpoint. An endpoint can have multiple MAC addresses. For example, one MAC address for the wired interface and another for the wireless interface. The AnyConnect agent generates a UDID for that endpoint, and saves it as an endpoint attribute. The UDID remains constant for an endpoint; the UDID does not change with the AnyConnect installation or uninstallation. When using UDID, Context Visibility window ( Context Visibility > Endpoints > Compliance ) displays one entry instead of multiple entries for endpoints with multiple NICs. You can ensure posture control on a specific endpoint rather than on a Mac address.

Session Trace for an Endpoint

You can use the global search box available at the top of the Cisco ISE home page to get session information for a particular endpoint. When you search with a criteria, you get a list of endpoints. Click on any of these endpoints to see the session trace information for that endpoint. The following figure shows an example of the session trace information displayed for an endpoint.

You can use the clickable timeline at the top to see major authorization transitions. You can also export the results in .csv format by using the Export Results option. The report gets downloaded to your browser.

You can click the Endpoint Details link to see more authentication, accounting, and profiler information for a particular endpoint. The following figure shows an example of endpoint details information displayed for an endpoint.

Sessions are cleaned from the session directory on the Monitoring and Troubleshooting node as follows:

Terminated sessions are cleaned 15 minutes after termination.

If there is authentication but no accounting, then such sessions are cleared after one hour.

All inactive sessions are cleared after five days.

You can use the global search box available at the top of the Cisco ISE home page to search for endpoints. You can use any of the following criteria to search for an endpoint:

MAC Address

Authorization Profile

Endpoint Profile

Failure Reason

Identity Group

Identity Store

Network Device name

Network Device Type

Operating System

Posture Status

Security Group

You should enter at least three characters for any of the search criteria in the Search field to display data.

The search result provides a detailed and at-a-glance information about the current status of the endpoint, which you can use for troubleshooting. Search results display only the top 25 entries. You can use filters to narrow down the results.

The following figure shows an example of the search result.

You can use any of the properties in the left panel to filter the results. You can also click on any endpoint to see more detailed information about the endpoint, such as:

Session trace

Authentication details

Accounting details

Posture details

Profiler details

Client Provisioning details

Guest accounting and activity

Was this Document Helpful?

Contact Cisco

• (Requires a Cisco Service Contract )

• school Campus Bookshelves
• menu_book Bookshelves
• perm_media Learning Objects
• login Login
• how_to_reg Request Instructor Account
• hub Instructor Commons
• Download Page (PDF)
• Download Full Book (PDF)
• Periodic Table
• Physics Constants
• Scientific Calculator
• Reference & Cite
• Tools expand_more
• Readability

selected template will load here

This action is not available.

7.4: Pre-Experimental Designs

• Last updated
• Save as PDF
• Page ID 124576

Learning Objectives

• Discuss when is the appropriate time to use a pre-experimental Design.
• Identify and describe the various types of pre-experimental designs.

What is it and When to Use it?

Time, other resources such as funding, and even one’s topic may limit a researcher’s ability to use a solid experimental design such a a between subject (which includes the classical experiment) or a within subject design. For researchers in the medical and health sciences, conducting one of these more solid designs could require denying needed treatment to patients, which is a clear ethical violation. Even those whose research may not involve the administration of needed medications or treatments may be limited in their ability to conduct a classic experiment. In social scientific experiments, for example, it might not be equitable or ethical to provide a large financial or other reward only to members of the experimental group. When random assignment of participants into experimental and control groups (using either randomization or matching) is not feasible, researchers may turn to a pre-experimental design (Campbell & Stanley, 1963).Campbell, D., & Stanley, J. (1963). Experimental and quasi-experimental designs for research . Chicago, IL: Rand McNally. However, this type of design comes with some unique disadvantages, which we’ll describe as we review the pre-experimental designs available.

If we wished to measure the impact of some natural disaster, for example, Hurricane Katrina, we might conduct a pre-experiment by identifying an experimental group from a community that experienced the hurricane and a control group from a similar community that had not been hit by the hurricane. This study design, called a static group comparison , has the advantage of including a comparison control group that did not experience the stimulus (in this case, the hurricane) but the disadvantage of containing experimental and control groups that were determined by a factor or factors other than random assignment. As you might have guessed from our example, static group comparisons are useful in cases where a researcher cannot control or predict whether, when, or how the stimulus is administered, as in the case of natural disasters.

In cases where the administration of the stimulus is quite costly or otherwise not possible, a one-shot case study design might be used. In this instance, no pretest is administered, nor is a control group present. In our example of the study of the impact of Hurricane Katrina, a researcher using this design would test the impact of Katrina only among a community that was hit by the hurricane and not seek out a comparison group from a community that did not experience the hurricane. Researchers using this design must be extremely cautious about making claims regarding the effect of the stimulus, though the design could be useful for exploratory studies aimed at testing one’s measures or the feasibility of further study.

Finally, if a researcher is unlikely to be able to identify a sample large enough to split into multiple groups, or if he or she simply doesn’t have access to a control group, the researcher might use a one-group pre-/posttest design. In this instance, pre- and posttests are both taken but, as stated, there is no control group to which to compare the experimental group. We might be able to study of the impact of Hurricane Katrina using this design if we’d been collecting data on the impacted communities prior to the hurricane. We could then collect similar data after the hurricane. Applying this design involves a bit of serendipity and chance. Without having collected data from impacted communities prior to the hurricane, we would be unable to employ a one-group pre-/posttest design to study Hurricane Katrina’s impact.

Table 7.2 summarizes each of the preceding examples of pre-experimental designs.

As implied by the preceding examples where we considered studying the impact of Hurricane Katrina, experiments do not necessarily need to take place in the controlled setting of a lab. In fact, many applied researchers rely on experiments to assess the impact and effectiveness of various programs and policies.

KEY TAKEAWAYS

• Pre-experimental designs are not ideal, but have to be done under certain circumstances.
• There are three major types of this design.

This browser is no longer supported.

Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.

Change static group membership to dynamic in Microsoft Entra ID

• 9 contributors

You can change a group's membership from static to dynamic (or vice-versa) In Microsoft Entra ID, part of Microsoft Entra. Microsoft Entra ID keeps the same group name and ID in the system, so all existing references to the group are still valid. If you create a new group instead, you would need to update those references. Dynamic group membership eliminates management overhead adding and removing users. This article tells you how to convert existing groups from static to dynamic membership using either the portal or PowerShell cmdlets.

When changing an existing static group to a dynamic group, all existing members are removed from the group, and then the membership rule is processed to add new members. If the group is used to control access to apps or resources, be aware that the original members might lose access until the membership rule is fully processed.

We recommend that you test the new membership rule beforehand to make sure that the new membership in the group is as expected.

Change the membership type for a group

The following steps can be performed using an account that has either the Global administrator, user administrator or groups administrator roles assigned.

• Sign in to the Microsoft Entra admin center as at least a Groups Administrator .
• Select Microsoft Entra ID.
• From the All groups list, open the group that you want to change.
• Select Properties .
• On the Properties page for the group, select a Membership type of either Assigned (static), Dynamic User, or Dynamic Device, depending on your desired membership type. For dynamic membership, you can use the rule builder to select options for a simple rule or write a membership rule yourself.

The following steps are an example of changing a group from static to dynamic membership for a group of users.

On the Properties page for your selected group, select a Membership type of Dynamic User , then select Yes on the dialog explaining the changes to the group membership to continue.

Select Add dynamic query , and then provide the rule.

After creating the rule, select Add query at the bottom of the page.

Select Save on the Properties page for the group to save your changes. The Membership type of the group is immediately updated in the group list.

Group conversion might fail if the membership rule you entered was incorrect. A notification is displayed in the upper-right hand corner of the portal that it contains an explanation of why the rule can't be accepted by the system. Read it carefully to understand how you can adjust the rule to make it valid. For examples of rule syntax and a complete list of the supported properties, operators, and values for a membership rule, see Dynamic membership rules for groups in Microsoft Entra ID .

Change membership type for a group (PowerShell)

To change dynamic group properties you will need to use cmdlets from the Microsoft Graph PowerShell module. for more information, see Install the Microsoft Graph PowerShell SDK .

Here is an example of functions that switch membership management on an existing group. In this example, care is taken to correctly manipulate the GroupTypes property and preserve any values that are unrelated to dynamic membership.

To make a group static:

To make a group dynamic:

These articles provide additional information on groups in Microsoft Entra ID.

• See existing groups
• Create a new group and adding members
• Manage settings of a group
• Manage memberships of a group
• Manage dynamic rules for users in a group

Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback .

Submit and view feedback for

Additional resources

• Jamf Nation Community

Script to add to static group

• Subscribe to RSS Feed
• Mark Topic as New
• Mark Topic as Read
• Float this Topic for Current User
• Printer Friendly Page

• Mark as New
• Report Inappropriate Content

Posted on ‎07-23-2020 04:11 PM

• All forum topics
• Previous Topic

‎07-23-2020 08:05 PM - edited ‎03-22-2022 01:17 PM

Posted on ‎03-22-2022 01:07 PM

‎03-22-2022 01:16 PM - edited ‎03-22-2022 01:19 PM

Posted on ‎03-22-2022 01:20 PM

Posted on ‎03-22-2022 01:24 PM

Posted on ‎03-22-2022 01:29 PM

‎03-22-2022 07:37 PM - edited ‎03-22-2022 07:37 PM

Posted on ‎03-22-2022 01:56 PM

Posted on ‎07-24-2020 07:18 AM

never-displayed

Advertisement

Here’s What We Know About the Moscow Concert Hall Attack

The assault on a popular concert hall was the deadliest act of terrorism in the Russian capital in more than a decade.

• Share full article

By Ivan Nechepurenko

• Published March 23, 2024 Updated March 25, 2024

An attack Friday at a popular concert venue near Moscow killed 137 people, the deadliest act of terrorism the Russian capital region has seen in more than a decade.

The Islamic State claimed responsibility for the attack; American officials have attributed it to ISIS-K, a branch of the group.

Russian officials and state media have largely ignored ISIS’s claim of responsibility and instead suggested that Ukraine was behind the violence. Ukraine has denied any involvement, and American officials say there is no evidence connecting Kyiv to the attack.

Russian authorities have detained at least 11 people, including four migrant laborers described as Tajik citizens who have been charged with committing a terrorist act, but they have not identified most of the accused assailants or their motives.

Here’s a closer look at the attack.

What happened?

The gunmen entered the Crocus City Hall building, one of the biggest entertainment complexes in the Moscow area, with capacity of more than 6,000, shortly before a sold-out rock concert was scheduled to start. Armed with automatic rifles, they began shooting.

Using explosives and flammable liquids, Russian investigators said, they set the building ablaze, causing chaos as people began to run. The fire quickly engulfed more than a third of the building, spreading smoke and causing parts of the roof to collapse. Russia’s emergency service posted a video and pictures from after the fire showing charred seating and firefighters working to remove debris.

Russian law enforcement said that people had died from gunshot wounds and poisoning from the smoke.

At least three helicopters were dispatched to extinguish the fire or to try to rescue people from the roof. The firefighters were only able to contain the fire early on Saturday; the emergency service said it was mostly extinguished by 5 a.m.

The search for survivors ended on Saturday, as details about the victims began to emerge. Many of the more than 100 people injured in the attack were in critical condition.

Russia’s Investigative Committee, a top law-enforcement body, said on Sunday that 137 bodies had been recovered from the charred premises, including those of three children. It said that 62 victims had been identified so far and that genetic testing was underway to identify the rest.

Where are the assailants?

Attackers were able to flee the scene. Early on Saturday, the head of Russia’s top security agency, the F.S.B., said that 11 people had been detained in the connection to the attack, including “all four terrorists directly involved.” The four men were arraigned late Sunday and charged with committing a terrorist act, according to state and independent media outlets, and they face a maximum sentence of life in prison.

The press service of the Basmanny District Court said that the first two defendants, Dalerjon B. Mirzoyev and Saidakrami M. Rachalbalizoda, had pleaded guilty to the charges.

It did not specify any plea from the other two — Muhammadsobir Z. Fayzov, a 19-year-old barber and the youngest of the men charged, and Shamsidin Fariduni, 25, a married factory worker with an 8-month-old baby — according to Mediazona, an independent news outlet.

The men looked severely battered and injured as they appeared in court, and videos of them being tortured and beaten while under interrogation circulated widely on Russian social media.

There were signs that Russia would try to pin blame on Ukraine, despite the claim of responsibility by the Islamic State. The F.S.B. said in a statement that the attack had been carefully planned and that the terrorists had tried to flee toward Ukraine.

How are Russians responding?

President Vladimir V. Putin, who claimed victory in a presidential election last weekend, did not publicly address the tragedy until Saturday afternoon. In a five-minute address to the nation, he appeared to be laying the groundwork to blame Ukraine for the attack, claiming that “the Ukrainian side” had “prepared a window” for the attackers to cross the border from Russia into Ukraine.

But he did not definitively assign blame, saying that those responsible would be punished, “whoever they may be, whoever may have sent them.”

The attack has punctured the sense of relative safety for Muscovites over the past decade, bringing back memories of attacks that shadowed life in the Russian capital in the 2000s.

Russia observed a national day of mourning on Sunday as questions lingered about the identities and motives of the perpetrators. Flags were lowered to half-staff at buildings across the country.

Neil MacFarquhar contributed reporting.

Ivan Nechepurenko covers Russia, Ukraine, Belarus, the countries of the Caucasus, and Central Asia. He is based in Moscow. More about Ivan Nechepurenko

Remove Endpoint from Identity Group

Workflow #0030

Response Workflow

This workflow removes a static identity group assignment from a MAC address in Cisco Identity Services Engine (ISE). Note that this workflow does not move the endpoint back to an “Unknown” status. This means the endpoint may stay in the identity group until it’s reprofiled and moved elsewhere. Supported observable: mac_address

See the Important Notes page for more information about updating workflows

Requirements

• ISE - ERS - Endpoint - Search
• ISE - ERS - Endpoint - Update Identity Group
• The targets and account keys listed at the bottom of the page
• Cisco Identity Services Engine (ISE)

Workflow Steps

• Make sure the observable type provided is supported
• Make sure the endpoint exists and get its ID
• Reset the endpoint’s static group assignment

Configuration

• If you want to change the name of this workflow in the pivot menu, change its display name

Note: If your Cisco ISE deployment is on-premises and not accessible from the internet, you will need a SecureX orchestration remote to use ISE with orchestration.

Target Group: Default TargetGroup

Account Keys