
ISE - Oracle Access Manager (OAM)

VVVENKAT
Cisco Employee

Hi All,

I am working on an SDA engagement and have a query regarding Oracle Access Manager (OAM).

The customer has vendors who bring their own laptops and access the customer's network. The vendors' laptops are not part of the customer's AD. However, they have vendor credentials in Oracle Access Manager (OAM). I understand Oracle Access Manager (OAM) cannot be used for 802.1X authentication.

So I thought of creating a separate SSID (open, CWA) for the vendors, redirecting them to a portal and integrating it with Oracle Access Manager (OAM) for authentication. They would also like to provide differentiated access to various vendors. Any thoughts on what attributes can be used to provide segmentation here?

Many Thanks

V.Venkata Manikandan

4 Replies

hslai
Cisco Employee

OAM appears to support both groups and attributes, so we should be able to use either.

From what our teams tested, here are the procedures in OAM:

  • Login to the OAM console
  • Click on Security Realms > Realm > Users and Groups. Click on a user and configure its attributes and group memberships
  • Click on "Identity Provider Administration" and then "Service Provider Attribute Profilers"
  • Create or update a profile and add the groups and other attributes.
  • Map the profile to "Service Provider Partner".

Thanks Hsing.

Currently, I understand we cannot use OAM in an identity store sequence. Any thoughts on why this is?

Many Thanks

V.Venkata Manikandan

AFAIK SAML is for web authentications, so the limitation applies to all SAML IdPs. AnyConnect VPN using a SAML IdP is possible today with ASA remote access VPN, but it also needs to launch a web browser to the IdP portal as part of the authentication. Please discuss your specific requirements with the ISE PM team.

Francesco Molino
VIP Alumni
Hi

I'm not very familiar with OAM, but if it supports LDAP, ODBC or SAML 2.0 you'll be able to add this identity database on ISE, and when an authentication occurs OAM should answer back to ISE with a memberOf attribute.
This will be the condition to use in your authorization profile to determine which consultant is connecting and give them specific rights (VLAN, ACL or SGT) on the network.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
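The two answers above both come down to the same mechanism: the IdP returns group membership as an attribute in its assertion, and the authorization policy keys off that attribute to hand out a VLAN, dACL or SGT. The script below is an added illustration of that attribute-to-result mapping and is not code from the thread, from Cisco ISE or from Oracle. The SAML assertion is a constructed sample, and the group names (Vendor-HVAC, Vendor-AV, Vendor-All) and the VLAN/SGT/dACL values are hypothetical placeholders. It deliberately stops at the policy step: in a real deployment the assertion's signature and audience are validated by ISE before any attribute in it is trusted, and a subject whose groups match no rule falls through to deny rather than to a default-permit.

```python
"""Map SAML attribute values from an IdP assertion to a network authorization result.

Added illustration only: the XML below is a constructed sample, and the group
names and VLAN/SGT/dACL values are hypothetical placeholders, not values from
OAM or from the ISE deployment discussed in the thread. Signature validation
of the assertion is assumed to have happened before this step.
"""
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample of the AttributeStatement portion of a SAML 2.0 assertion.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>vendor.user@example.test</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="memberOf">
      <saml:AttributeValue>Vendor-HVAC</saml:AttributeValue>
      <saml:AttributeValue>Vendor-All</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="company">
      <saml:AttributeValue>Example HVAC Ltd</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Hypothetical authorization policy, most specific rule first. Each rule pairs a
# required group value with the network result the policy would return.
POLICY = [
    ("Vendor-HVAC", {"vlan": 310, "sgt": 31, "dacl": "VENDOR_HVAC_ACL"}),
    ("Vendor-AV", {"vlan": 320, "sgt": 32, "dacl": "VENDOR_AV_ACL"}),
    ("Vendor-All", {"vlan": 300, "sgt": 30, "dacl": "VENDOR_BASE_ACL"}),
]
DENY = {"result": "deny"}


def extract_attributes(assertion_xml: str) -> dict:
    """Return {attribute_name: [values...]} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        name = attr.get("Name")
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", SAML_NS) if v.text]
        attrs.setdefault(name, []).extend(values)
    return attrs


def authorize(attrs: dict) -> dict:
    """First matching rule wins; an assertion with no recognised group is denied."""
    groups = set(attrs.get("memberOf", []))
    for required_group, result in POLICY:
        if required_group in groups:
            return dict(result, matched_group=required_group)
    return dict(DENY)


if __name__ == "__main__":
    parsed = extract_attributes(SAMPLE_ASSERTION)
    print(parsed)
    print(authorize(parsed))
```

Rule order matters: the broad Vendor-All group is listed last so that a user who is in both a specific vendor group and the catch-all group gets the narrower result, which is the same first-match behaviour an ISE authorization policy applies from the top down.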