
Cisco Ise 13 User Guide

Here you can view all the pages of manual Cisco Ise 13 User Guide. The Cisco manuals for Interface are available online for free. You can easily download all the documents as PDF.

Page 131

• Endpoint Posture Agent Resources Download
• CRL (Certificate Revocation List) Download
The Cisco ISE proxy configuration supports basic authentication for proxy servers. NT LAN Manager (NTLM) authentication is not supported.
Procedure
Step 1 Choose Administration > System > Settings > Proxy.
Step 2 Enter the proxy IP address or DNS-resolvable hostname and specify the port through which proxy traffic travels to and from Cisco ISE in Proxy host server : port.
Step 3 Check Password required check box, if required.
Step...

Page 132

REST API in order for applications developed for a Cisco ISE REST API to be able to access Cisco ISE. The Cisco REST APIs use HTTPS port 9060, which is closed by default. If the Cisco ISE REST APIs are not enabled on the Cisco ISE admin server, the client application will receive a time-out error from the server for any Guest REST API request.
Procedure
Step 1 Choose Administration > Settings > ERS Settings.
Step 2 Choose Enable ERS for Read/Write for the Primary Administration Node.
Step 3 Choose Enable ERS for Read for All Other Nodes if there are any secondary nodes....

Page 133

Cisco recommends that you set all Cisco ISE nodes to the Coordinated Universal Time (UTC) timezone, especially if your Cisco ISE nodes are installed in a distributed deployment. This procedure ensures that the reports and logs from the various nodes in your deployment are always in sync with regard to the timestamps.
Before You Begin
You must have either the Super Admin or System Admin administrator role assigned.
If you have both a primary and a secondary Cisco ISE node, you must log in to the user interface of the...

Page 134

Changing the time zone on a Cisco appliance after installation requires services to be restarted on that particular node. Hence we recommend that you perform such changes within a maintenance window. Also, it is important to have all the nodes in a single deployment configured to the same time zone. If you have nodes located in different geographical locations or time zones, you should use a global time zone such as UTC on all the nodes.
Caution
For more information on the clock timezone command, refer to the Cisco Identity Services Engine CLI Reference Guide.
Configure SMTP Server to...

Page 135

Before You Begin
• You must have the Super Admin or System Admin administrator role assigned.
Procedure
Step 1 Choose Administration > System > Maintenance > Patch Management > Install.
Step 2 Click Browse and choose the patch that you downloaded from Cisco.com.
Step 3 Click Install to install the patch.
After the patch is installed on the PAN, Cisco logs you out and you have to wait for a few minutes before you can log in again.
When patch installation is in progress, Show Node Status is the only function that is accessible on the Patch Management page.
Note
Step...

Page 136

When you install a patch from the Primary PAN that is part of a distributed deployment, Cisco ISE installs the patch on the primary node and then all the secondary nodes in the deployment. If the patch installation is successful on the Primary PAN, Cisco ISE then continues patch installation on the secondary nodes. If it fails on the Primary PAN, the installation does not proceed to the secondary nodes. However, if the installation fails on any of the secondary nodes for any reason, it still continues with the next secondary node in your...

Page 137

the PAN, the patches are not rolled back from the secondary nodes. However, if the patch rollback fails on any secondary node, it still continues to roll back the patch from the next secondary node in your deployment.
While Cisco ISE rolls back the patch from the secondary nodes, you can continue to perform other tasks from the PAN GUI. The secondary nodes will be restarted after the rollback.
View Patch Install and Rollback Changes
The monitoring and troubleshooting component of Cisco ISE provides information on the patch installation...

Page 138

• The Certificate Authority (trust) certificates that sign the client certificates
• A method to determine if a client certificate has been revoked by the CA
You can use a Common Access Card (CAC) to authenticate credentials when logging in to Cisco ISE.
Procedure
Step 1 Configure an Active Directory identity source in Cisco ISE and join all Cisco ISE nodes to Active Directory.
Step 2 Configure a certificate authentication profile according to the guidelines.
Be sure to select the attribute in the certificate that contains the administrator user name in the Principal Name...

Page 139

d) For each CA certificate that can sign a client certificate, specify how to do the revocation status check for that CA. Choose a CA certificate from the list and click Edit. On the edit page, choose OCSP and/or CRL validation. If you choose OCSP, choose an OCSP service to use for that CA. If you choose CRL, specify the CRL Distribution URL and other configuration parameters.
Step 8 Enable client certificate-based authentication. Choose Administration > System > Admin Access > Authentication.
a) Choose Client Certificate Based authentication type on the Authentication Method tab....

Page 140

Securing SSH Key Exchange Using Diffie-Hellman Algorithm
You can configure Cisco ISE to only allow Diffie-Hellman-Group14-SHA1 SSH key exchanges. To do this, you must enter the following commands from the Cisco ISE Command-Line Interface (CLI) Configuration Mode:
service sshd key-exchange-algorithm diffie-hellman-group14-sha1
Here's an example:
ise/admin# conf t
ise/admin(config)# service sshd key-exchange-algorithm diffie-hellman-group14-sha1
Configure Cisco ISE to Send Secure Syslog...