
Cisco Ise 13 User Guide

Here you can view all the pages of manual Cisco Ise 13 User Guide. The Cisco manuals for Interface are available online for free. You can easily download all the documents as PDF.

Page 151

Admin Group Role | Access Level | Permissions | Restrictions
External RESTful Services (ERS) Operator | Read-only access to ERS API, only GET | Can only Read ERS API requests | The role is meant only for ERS authorization supporting Internal Users, Identity Groups, Endpoints, Endpoint Groups, and SGT
Related Topics
Cisco ISE Administrators, on page 97
Create Admin Groups
The Admin Groups page allows you to view, create, modify, delete, duplicate, or filter Cisco ISE network admin groups.
Before You Begin...

Page 152

Note: If an internal user is configured with an external identity store for authentication, while logging in to the ISE Admin portal, the internal user must select the external identity store as the Identity Source. Authentication will fail if Internal Identity Source is selected.
Administrative Access to Cisco ISE
Cisco ISE administrators can perform various administrative tasks based on the administrative group to which they belong. These administrative tasks are critical and you must ensure that administrative access is restricted...

Page 153

Default Menu Access Permissions
Cisco ISE provides an out-of-the-box set of permissions that are associated with a set of predefined admin groups. Having predefined admin group permissions allows you to set permissions so that a member of any admin group can have full or limited access to the menu items within the administrative interface (known as menu access) and to delegate an admin group to use the data access elements of other admin groups (known as data access). These permissions are reusable entities that can be further used to formulate RBAC policies...

Page 154

Note: For Super Admin User, all the menu items are available. For other Admin Users, all the Menu Items in this column are available for Standalone deployment and Primary Node in Distributed Deployment. For Secondary Node in Distributed Deployment, the Menu Items under the Administration tab are not available.
Configure Menu Access Permissions
Cisco ISE allows you to create custom menu access permissions that you can map to an RBAC policy. Depending on the role of the administrators, you can allow them to access only specific menu options.
Procedure
Step...

Page 155

Data Access Name | RBAC Group | Permissible Admin Groups | Permissible Network Device Groups
Identity Admin Data Access | Identity Admin | User Identity Groups, Endpoint Identity Groups | None
Network Admin Data Access | Network Device Admin | None | All Locations, All Device Types
System Admin Data Access | System Admin | Admin Groups | None
RBAC Admin Data Access | RBAC Admin | Admin Groups | None
Configure Data Access Permissions
Cisco ISE allows you to create custom data access permissions that you can map to an RBAC policy. Based...

Page 156

Before You Begin
• Ensure that you have created all admin groups for which you want to define the RBAC policies.
• Ensure that these admin groups are mapped to the individual admin users.
• Ensure that you have configured the RBAC permissions, such as menu access and data access permissions.
Procedure
Step 1 Choose Administration > System > Admin Access > Authorization > Policy.
The RBAC Policies page contains a set of ready-to-use predefined policies for default admin groups. You cannot edit or delete these default policies.
Step...

Page 157

Procedure
Step 1 Choose Administration > System > Admin Access > Settings > Access > Session.
Step 2 Enter the maximum number of concurrent administrative sessions that you want to allow through the GUI and CLI interfaces. The valid range for concurrent administrative GUI sessions is from 1 to 20. The valid range for concurrent administrative CLI sessions is 1 to 10.
Step 3 If you want Cisco ISE to display a message before an administrator logs in, check the Pre-login banner check box and enter your message in the text box.
Step...

Page 158

Note: Cisco ISE does not support administrator passwords with UTF-8 characters.
Before You Begin
• To perform the following task, you must be a Super Admin or System Admin.
Procedure
Step 1 Choose Administration > System > Admin Access > Authentication.
Step 2 Select either of these authentication methods:
• Password Based: If you want to use the standard user ID and password credentials for an administrator login, choose the Password Based option and specify either the “Internal” or “External” authentication type....

Page 159

Procedure
Step 1 Choose Administration > System > Admin Access > Settings > Session > Session Timeout.
Step 2 Enter the time in minutes that you want Cisco ISE to wait before it logs out the administrator if there is no activity. The default value is 60 minutes. The valid range is from 6 to 100 minutes.
Step 3 Click Save.
Terminate an Active Administrative Session
Cisco displays all active administrative sessions from which you can select any session and terminate at any point of time, if a need to do so arises. The maximum number of concurrent administrative GUI sessions is...

Page 160

Administrative Access to Cisco ISE Using an External Identity Store
In Cisco ISE, you can authenticate administrators via an external identity store such as Active Directory, LDAP, or RSA SecureID. There are two models you can use to provide authentication via an external identity store:
• External Authentication and Authorization: There are no credentials that are specified in the local Cisco ISE database for the administrator, and authorization is based on external identity store group membership only. This model is used for Active Directory and LDAP authentication....