Home > Cisco > Interface > Cisco Ise 13 User Guide

Cisco Ise 13 User Guide

Add to Favourites
    Download as PDF

    Here you can view all the pages of manual Cisco Ise 13 User Guide. The Cisco manuals for Interface are available online for free. You can easily download all the documents as PDF.

    Overview View all the pages Comments

    Page 91

    Page 91 NavigatetoAdministration>pxGridServices>LiveLogtoviewthelistofevents.Youcanalsoclearthe logsandresynchronizeorrefreshthelist. ISE pxGrid Identity Mapping IdentityMappingenablesyoutomonitorusersthatareauthenticatedbyaDomainController(DC)andnot byCiscoISE.InnetworkswhereCiscoISEdoesnotactivelyauthenticateusersfornetworkaccess,itis possibletouseIdentityMappingtocollectuserauthenticationinformationfromtheactivedirectory(AD)... 
    NavigatetoAdministration>pxGridServices>LiveLogtoviewthelistofevents.Youcanalsoclearthe
logsandresynchronizeorrefreshthelist.
ISE  pxGrid  Identity Mapping
IdentityMappingenablesyoutomonitorusersthatareauthenticatedbyaDomainController(DC)andnot
byCiscoISE.InnetworkswhereCiscoISEdoesnotactivelyauthenticateusersfornetworkaccess,itis
possibletouseIdentityMappingtocollectuserauthenticationinformationfromtheactivedirectory(AD)...

    Page 92

    Page 92 Configuring Identity Mapping IDMappingrequiresconfigurationinISE,andtheActiveDirectoryDomainServermusthavetheright patchesandconfiguration. Configure Identity Mapping ISEmustbeabletoestablishaconnectionwithanADDomainController(DC). Before You Begin EnablepxGridservicestoconfigureIdentityMapping.ChooseAdministration>System>Deploymentto enablepxGridservices. ToaddanewDomainController(DC)forIdentityMapping,youneedthelogincredentialsofthatDC.... 
    Configuring Identity Mapping
IDMappingrequiresconfigurationinISE,andtheActiveDirectoryDomainServermusthavetheright
patchesandconfiguration.
Configure Identity Mapping
ISEmustbeabletoestablishaconnectionwithanADDomainController(DC).
Before You Begin
EnablepxGridservicestoconfigureIdentityMapping.ChooseAdministration>System>Deploymentto
enablepxGridservices.
ToaddanewDomainController(DC)forIdentityMapping,youneedthelogincredentialsofthatDC....

    Page 93

    Page 93 Filter Identity Mapping Youcanfiltercertainusers,basedontheirnameorIPaddress.Youcanaddasmanyfiltersasneeded.The “OR”logicoperatorappliesbetweenfilters.Ifboththefieldsarespecifiedinasinglefilter,the“AND”logic operatorappliesbetweenthesefields.TheMonitoringlivesessionshowsIdentityMappingcomponentsthat arenotfilteredoutbytheMappingFilters. Procedure Step 1ChooseAdministration>pxGridIdentityMapping>MappingFilters. Step 2ClickAdd,entertheUsernameandorIPaddressoftheuseryouwanttofilterandclickSubmit. Step... 
    Filter Identity Mapping
Youcanfiltercertainusers,basedontheirnameorIPaddress.Youcanaddasmanyfiltersasneeded.The
“OR”logicoperatorappliesbetweenfilters.Ifboththefieldsarespecifiedinasinglefilter,the“AND”logic
operatorappliesbetweenthesefields.TheMonitoringlivesessionshowsIdentityMappingcomponentsthat
arenotfilteredoutbytheMappingFilters.
Procedure
Step 1ChooseAdministration>pxGridIdentityMapping>MappingFilters.
Step 2ClickAdd,entertheUsernameandorIPaddressoftheuseryouwanttofilterandclickSubmit.
Step...

    Page 94

    Page 94 AfteryouinstallandsetuptheInlinePostureapplication,youmustconfigurecertificatesbeforeyoucan registertheInlinePosturenodes.SeetheCiscoIdentityServicesEngineHardwareInstallationGuideformore information. Register an Inline Posture Node Werecommendthatyoudecideonthetypeofnode(CiscoISEorInlinePosture)atthetimeofregistration. Ifyouwanttochangethenodetypelater,youhavetoderegisterthenodefromthedeployment,restartCisco ISEonthestandalonenode,andthenreregisterit. Before You Begin... 
    AfteryouinstallandsetuptheInlinePostureapplication,youmustconfigurecertificatesbeforeyoucan
registertheInlinePosturenodes.SeetheCiscoIdentityServicesEngineHardwareInstallationGuideformore
information.
Register an Inline Posture Node
Werecommendthatyoudecideonthetypeofnode(CiscoISEorInlinePosture)atthetimeofregistration.
Ifyouwanttochangethenodetypelater,youhavetoderegisterthenodefromthedeployment,restartCisco
ISEonthestandalonenode,andthenreregisterit.
Before You Begin...

    Page 95

    Page 95 Synchronize Primary and Secondary Cisco ISE Nodes YoucanmakeconfigurationchangestoCiscoISEonlythroughthePrimaryPAN.Theconfigurationchanges getreplicatedtoallthesecondarynodes.If,forsomereason,thisreplicationdoesnotoccurproperly,you canmanuallysynchronizetheSecondaryPANwiththePrimaryPAN. Before You Begin YoumustclicktheSyncupbuttontoforceafullreplicationiftheSyncStatusissettoOutofSyncorifthe ReplicationStatusisFailedorDisabled. Procedure Step 1LogintothePrimaryPAN. Step... 
    Synchronize Primary and Secondary Cisco ISE Nodes
YoucanmakeconfigurationchangestoCiscoISEonlythroughthePrimaryPAN.Theconfigurationchanges
getreplicatedtoallthesecondarynodes.If,forsomereason,thisreplicationdoesnotoccurproperly,you
canmanuallysynchronizetheSecondaryPANwiththePrimaryPAN.
Before You Begin
YoumustclicktheSyncupbuttontoforceafullreplicationiftheSyncStatusissettoOutofSyncorifthe
ReplicationStatusisFailedorDisabled.
Procedure
Step 1LogintothePrimaryPAN.
Step...

    Page 96

    Page 96 Effects of Modifying Nodes in Cisco ISE WhenyoumakeanyofthefollowingchangestoanodeinaCiscoISEISE,thatnoderestarts,whichcauses adelay: •Registeranode(StandalonetoSecondary) •Deregisteranode(SecondarytoStandalone) •ChangeaprimarynodetoStandalone(ifnoothernodesareregisteredwithit;PrimarytoStandalone) •PromoteanAdministrationnode(SecondarytoPrimary) •Changethepersonas(whenyouassignorremovethePolicyServiceorMonitoringpersonafromanode)... 
    Effects of Modifying Nodes in Cisco ISE
WhenyoumakeanyofthefollowingchangestoanodeinaCiscoISEISE,thatnoderestarts,whichcauses
adelay:
•Registeranode(StandalonetoSecondary)
•Deregisteranode(SecondarytoStandalone)
•ChangeaprimarynodetoStandalone(ifnoothernodesareregisteredwithit;PrimarytoStandalone)
•PromoteanAdministrationnode(SecondarytoPrimary)
•Changethepersonas(whenyouassignorremovethePolicyServiceorMonitoringpersonafromanode)...

    Page 97

    Page 97 Afteryousavethenodegroup,itshouldappearinthenavigationpaneontheleft.Ifyoudonotseethenode groupintheleftpane,itmaybehidden.ClicktheExpandbuttononthenavigationpanetoviewthehidden objects. What to Do Next Addanodetoanodegroup.EditthenodebychoosingthenodegroupfromtheMemberofNodeGroup drop-downlist. Deploy pxGrid Node YoucanenableCiscopxGridpersonabothonastandalonenodeanddistributeddeploymentnode. Before You Begin •YouneedaPluslicensetoenabletheCiscopxGridpersona.... 
    Afteryousavethenodegroup,itshouldappearinthenavigationpaneontheleft.Ifyoudonotseethenode
groupintheleftpane,itmaybehidden.ClicktheExpandbuttononthenavigationpanetoviewthehidden
objects.
What to Do Next
Addanodetoanodegroup.EditthenodebychoosingthenodegroupfromtheMemberofNodeGroup
drop-downlist.
Deploy pxGrid Node
YoucanenableCiscopxGridpersonabothonastandalonenodeanddistributeddeploymentnode.
Before You Begin
•YouneedaPluslicensetoenabletheCiscopxGridpersona....

    Page 98

    Page 98 •Configuremonitoringrolesandservicesonbothnodesandnamethemfortheirprimaryandsecondary roles,asappropriate. •ConfigurerepositoriesforbackupanddatapurgingonboththeprimaryandsecondaryMonitoringnodes. Forthebackupandpurgingfeaturestoworkproperly,usethesamerepositoriesforboththenodes. Purgingtakesplaceonboththeprimaryandsecondarynodesofaredundantpair.Forexample,ifthe primaryMonitoringnodeusestworepositoriesforbackupandpurging,youmustspecifythesame repositoriesforthesecondarynode.... 
    •Configuremonitoringrolesandservicesonbothnodesandnamethemfortheirprimaryandsecondary
roles,asappropriate.
•ConfigurerepositoriesforbackupanddatapurgingonboththeprimaryandsecondaryMonitoringnodes.
Forthebackupandpurgingfeaturestoworkproperly,usethesamerepositoriesforboththenodes.
Purgingtakesplaceonboththeprimaryandsecondarynodesofaredundantpair.Forexample,ifthe
primaryMonitoringnodeusestworepositoriesforbackupandpurging,youmustspecifythesame
repositoriesforthesecondarynode....

    Page 99

    Page 99 Procedure Step 1ChooseAdministration>System>Deployment. Step 2Checkthecheckboxnexttothesecondarynodethatyouwanttoremove,andthenclickDeregister. Step 3ClickOK. Step 4VerifyreceiptofanalarmonyourPrimaryPANtoconfirmthatthesecondarynodeisderegisteredsuccessfully. IfthesecondarynodefailstoderegisterfromthePrimaryPAN,thealarmisnotgenerated. Change the Hostname or IP Address of a Standalone Cisco ISE Node Youcanchangethehostname,IPaddress,ordomainnameofstandaloneCiscoISEnodes.Youcannotuse... 
    Procedure
Step 1ChooseAdministration>System>Deployment.
Step 2Checkthecheckboxnexttothesecondarynodethatyouwanttoremove,andthenclickDeregister.
Step 3ClickOK.
Step 4VerifyreceiptofanalarmonyourPrimaryPANtoconfirmthatthesecondarynodeisderegisteredsuccessfully.
IfthesecondarynodefailstoderegisterfromthePrimaryPAN,thealarmisnotgenerated.
Change the Hostname or IP Address of a Standalone Cisco ISE Node
Youcanchangethehostname,IPaddress,ordomainnameofstandaloneCiscoISEnodes.Youcannotuse...

    Page 100

    Page 100 Procedure Step 1Re-imageorre-installtheCiscoISEsoftwareonthenewnodes. Step 2ObtainalicensewiththeUDIforthePrimaryandSecondaryPANsandinstallitonthePrimaryPAN. Step 3RestorethebackuponthereplacedPrimaryPAN. TherestorescriptwilltrytosyncthedataontheSecondaryPAN,buttheSecondaryPANisnowastandalone nodeandthesyncwillfail.DataissettothetimethebackupwastakenonthePrimaryPAN. Step 4RegisterthenewnodeasasecondaryserverwiththePrimaryPAN. Cisco Identity Services Engine Administrator Guide, Release 1.3 54 Replace... 
    Procedure
Step 1Re-imageorre-installtheCiscoISEsoftwareonthenewnodes.
Step 2ObtainalicensewiththeUDIforthePrimaryandSecondaryPANsandinstallitonthePrimaryPAN.
Step 3RestorethebackuponthereplacedPrimaryPAN.
TherestorescriptwilltrytosyncthedataontheSecondaryPAN,buttheSecondaryPANisnowastandalone
nodeandthesyncwillfail.DataissettothetimethebackupwastakenonthePrimaryPAN.
Step 4RegisterthenewnodeasasecondaryserverwiththePrimaryPAN.
   Cisco Identity Services Engine Administrator Guide, Release 1.3
54
Replace...
    Start reading Cisco Ise 13 User Guide

    Related Manuals for Cisco Ise 13 User Guide

    All Cisco manuals