
Cisco Ise 13 User Guide


Page 111

Caution
The Inline Posture node's untrusted interface should be disconnected when the Inline Posture node is being
configured. If the Inline Posture node's trusted and untrusted interfaces are connected to the same VLAN
during initial configuration and the Inline Posture node initially starts after changing its persona, multicast
packet traffic gets flooded out of the untrusted interface. This multicast storm can potentially bring down
devices that are connected to the same subnet or VLAN. The Inline Posture node at this time is in
Maintenance mode.
Cisco Identity Services Engine...

Page 112

Inline Posture Node Authorization
The following images illustrate the client authorization flow and session recovery using Lazy Fetch mechanism
for Inline Posture node.
Figure 8: Inline Posture Node Client Authorization Flow
   Cisco Identity Services Engine Administrator Guide, Release 1.3

Page 113

Figure 9: Inline Posture Node Session Recovery Using Lazy Fetch Mechanism

Page 114

Inline Posture Node Session Removal due to Client Disconnect
When a wireless client is wandering off from the WLC control, the WLC is required to send a RADIUS
Accounting Stop similar to the VPN gateway to ensure that the Inline Posture node cleans up the session
corresponding to the client.
Deploy an Inline Posture Node
The initial process for deploying an Inline Posture node is the same, whether it is intended to be a standalone
node or part of an active-standby pair.
Note
Inline Posture is supported on the Cisco ISE 3415, ISE 3315, ISE 3355, and ISE 3395 platforms.
Procedure
Step...

Page 115

configuration is stored locally in the administration database. After an Inline Posture node is registered, it is
rebooted.
To introduce an Inline Posture node in your Cisco ISE network, you must first register the Inline Posture node
with the PAN, configure the Inline Posture settings, and then create authorization profiles and policies that
establish the Inline Posture gatekeeping policies.
The Inline Posture node is a RADIUS proxy that interfaces with NADs as their RADIUS server, making the...

Page 116

Note
A newly registered Inline Posture node comes up with a default IP address of 192.168.1.100, a subnet
mask of 255.255.255.0, and a default gateway of 192.168.1.1. Change these values to fit your
deployment in Step 3.
Step 4 Click the following tabs and enter the appropriate information for the fields in the tabs.
• Basic Information
• Deployment Modes—A newly registered Inline Posture node comes up in maintenance mode. For
production purposes, you must choose the Routed or Bridged mode.
• Filters—Enter the subnet address and subnet mask for the client device, or the MAC address and IP...

Page 117

What to Do Next
To complete the deployment of the Inline Posture node, you must create DACLs, authorization profiles, and
authorization policy rules: unknown, compliant, and noncompliant.
Note
It is important to associate the appropriate downloadable access control list (DACL) with the corresponding
profile. For example, the unknown DACL should be associated with the unknown authorization profile.
Create Inline Posture Downloadable Access Control Lists
Downloadable access control lists (DACLs) are building blocks for authorization profiles, and they provide...

Page 118

What to Do Next
Create Inline Posture node profiles.
Create Inline Posture Node Profiles
You must create three Inline Posture authorization profiles, as well as an authorization profile for a NAD.
All Inline Posture inbound profiles are automatically set to cisco-av-pair=ipep-authz=true so that the Inline
Posture node applies these rules instead of proxying them on to the NADs. The URL redirect is essential for
client provisioning, as well as agent discovery redirection.
Before You Begin
To perform the following task, you must be a Super Admin, System Admin, or Policy Admin....

Page 119

The elements that define the authorization policy are referenced when you create policy rules. Your choice
of conditions and attributes defines the authorization profile.
Before You Begin
To perform the following task, you must be a Super Admin or System Admin.
Procedure
Step 1 Choose Policy > Authorization.
Step 2 Leave the default rules as is.
Step 3 Create the following Unknown Posture Status Rule:
• Identity Group: Any
• Condition: Session:PostureStatus EQUALS=Unknown
• Permissions: IPN-Unknown-Compliant + nad-authorization-profile
Step...

Page 120

In the example that is presented, the service IP address used for the bridged mode high availability pair is
different from the physical IP addresses of the Inline Posture nodes, effectively creating a cluster. The WLC
interacts with the cluster as a single unit, using the service IP address. For this reason, the service IP is defined
for the trusted and untrusted networks.
Note
Both nodes in a high availability pair must use the same mode, either bridged or router. Mixed modes are
not supported on Inline Posture high availability pairs.
Before You Begin...