
Cisco Ise 13 User Guide


Page 171

Mobility/Mobility Upgrade license is always displayed as Base/Plus/Apex in the user interface with its corresponding number of endpoints.

Note
If your Cisco ISE node needs to support:
• A larger number of concurrent users than the number for which you have licenses
• Wired (LAN) access, and your system has only the Mobility license
You will need to upgrade your license(s) for that node. This process is carried out by your Cisco partner or account team only.

Remove Licenses
Before You Begin
Keep the following in mind before attempting to remove a license:...

Page 172

   Cisco Identity Services Engine Administrator Guide, Release 1.3
Manage License Files 

Page 173

CHAPTER 8
Manage Certificates
• Certificate Management in Cisco ISE, page 127
• Cisco ISE CA Service, page 152
• OCSP Services, page 169

Certificate Management in Cisco ISE
A certificate is an electronic document that identifies an individual, a server, a company, or other entity and associates that entity with a public key. A self-signed certificate is signed by its own creator. Certificates can be self-signed or digitally signed by an external Certificate Authority (CA). A CA-signed digital certificate is considered industry standard and more secure....

Page 174

Primary Administration Node (PAN), and are automatically replicated to all other nodes in a Cisco ISE deployment.
In a distributed deployment, you must import the certificate only into the certificate trust list (CTL) of the PAN. The certificate gets replicated to the secondary nodes.
In general, to ensure certificate authentication in Cisco ISE is not impacted by minor differences in certificate-driven verification functions, use lowercase hostnames for all Cisco ISE nodes deployed in a network.

Certificate Usage...

Page 175

Note
The EAP-TLS client certificate should have Key Usage = Key Agreement and Extended Key Usage = Client Authentication for the following ciphers:
• ECDHE-ECDSA-AES128-GCM-SHA256
• ECDHE-ECDSA-AES256-GCM-SHA384
• ECDHE-ECDSA-AES128-SHA256
• ECDHE-ECDSA-AES256-SHA384
The EAP-TLS client certificate should have Key Usage = Key Encipherment and Extended Key Usage = Client Authentication for the following ciphers:
• AES256-SHA256
• AES128-SHA256
• AES256-SHA
• AES128-SHA
• DHE-RSA-AES128-SHA
• DHE-RSA-AES256-SHA
• DHE-RSA-AES128-SHA256
• DHE-RSA-AES256-SHA256...

Page 176

For , matching is performed between the nodes (if there are two) and between the and pxGrid.
Cisco ISE checks for a matching subject name as follows:
1. Cisco ISE looks at the subject alternative name (SAN) extension of the certificate. If the SAN contains one or more DNS names, then one of the DNS names must match the FQDN of the Cisco ISE node. If a wildcard certificate is used, then the wildcard domain name must match the domain in the Cisco ISE node's FQDN.
2. If there are no DNS names in the SAN, or if the SAN is missing entirely, then the Common Name (CN)...

Page 177

If a certificate chain consists of a root CA certificate plus one or more intermediate CA certificates, to validate the authenticity of a user or device certificate, you must import the entire chain into the Trusted Certificates Store.
For inter-node communication, you must populate the Trusted Certificates Store with the trust certificate(s) needed to validate the Admin system certificate belonging to each node in the Cisco ISE deployment. If you want to use the default self-signed certificate for inter-node communication, then you must export this certificate...

Page 178

The following figure shows an example of a wildcard certificate that is used to secure a website.
Figure 13: Wildcard Certificate Example

Wildcard Certificate Support in Cisco ISE
Cisco ISE supports wildcard certificates. In earlier releases, Cisco ISE verified any certificate enabled for HTTPS to ensure the CN field matches the Fully Qualified Domain Name (FQDN) of the host exactly. If the fields did not match, the certificate could not be used for HTTPS communication.
In earlier releases, Cisco ISE used that CN value to replace the variable in the url-redirect A-V pair string....

Page 179

If you use wildcard certificates, we strongly recommend that you partition your domain space for greater security. For example, instead of *.example.com, you can partition it as *.amer.example.com. If you do not partition your domain, it can lead to serious security issues: every host covered by the wildcard shares one private key, so compromise of any one node lets the holder impersonate every other name under that domain, including hosts that have nothing to do with Cisco ISE.

Note
A wildcard certificate uses an asterisk (*) and a period before the domain name. For example, the CN value for a certificate's Subject Name would be a generic hostname such as aaa.ise.local and the SAN field would have...
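The following is an added example, not code from the Cisco ISE guide or product. It models, in plain Python, the subject-name matching order quoted on page 176 (SAN DNS names first, with a wildcard covering exactly one label of the node FQDN, and the CN consulted only when the SAN carries no DNS names) and then uses the same matcher to show what the partitioning advice above buys you: which hostnames *.example.com covers compared with *.amer.example.com. The certificate is a constructed dict standing in for a parsed X.509 certificate, the hostnames are constructed sample data, and because rule 2 is truncated on this page, the CN fallback is assumed here to be "the CN must match the node FQDN under the same rules as a SAN DNS name".

```python
"""Model of the Cisco ISE subject-name matching order (added example, not Cisco code)."""
import re
from typing import Dict, List, Optional, Tuple

# One DNS label: letters, digits, hyphen; no leading/trailing hyphen.
_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$")


def _norm(name: str) -> str:
    # Lowercase and drop a trailing dot, so case differences never cause a
    # spurious mismatch (the guide recommends lowercase node hostnames).
    return name.strip().rstrip(".").lower()


def name_matches(pattern: str, fqdn: str) -> bool:
    """True if a certificate DNS name (possibly a wildcard) covers `fqdn`.

    Wildcard handling is deliberately strict: only a leading '*.' is accepted,
    it covers exactly one label, and the remaining labels must equal the
    domain part of the FQDN exactly.
    """
    pattern, fqdn = _norm(pattern), _norm(fqdn)
    if not pattern or not fqdn:
        return False
    if "*" not in pattern:
        return pattern == fqdn
    if not pattern.startswith("*."):
        return False  # 'ise*.example.com' or a bare '*' are rejected
    wildcard_domain = pattern[2:]
    if "*" in wildcard_domain:
        return False  # no nested wildcards such as '*.*.example.com'
    host, _, domain = fqdn.partition(".")
    return bool(domain) and domain == wildcard_domain and _LABEL.match(host) is not None


def cert_matches_node(cert: Dict[str, object], node_fqdn: str) -> Tuple[bool, str]:
    """Apply the guide's order: SAN DNS names first; CN only if the SAN has none.

    `cert` is a constructed stand-in for a parsed certificate:
    {"cn": Optional[str], "san_dns": List[str]}.
    """
    san_dns: List[str] = list(cert.get("san_dns") or [])
    if san_dns:
        for name in san_dns:
            if name_matches(name, node_fqdn):
                return True, f"SAN dNSName {name!r} matches {node_fqdn!r}"
        # SAN DNS names exist but none match: the CN is NOT consulted.
        return False, f"no SAN dNSName matches {node_fqdn!r}; CN ignored because SAN DNS names exist"
    # Assumption (rule 2 is truncated on the page): CN must match the node FQDN.
    cn: Optional[str] = cert.get("cn")  # type: ignore[assignment]
    if cn and name_matches(cn, node_fqdn):
        return True, f"no SAN DNS names; CN {cn!r} matches {node_fqdn!r} (assumed fallback)"
    return False, f"no SAN DNS names and CN {cn!r} does not match {node_fqdn!r}"


def wildcard_scope(pattern: str, candidates: List[str]) -> List[str]:
    """Sorted list of the candidate hostnames that a wildcard name would cover."""
    return sorted(c for c in candidates if name_matches(pattern, c))


# Constructed sample hostnames (not from the guide): two PSNs in one region,
# a PAN in another, and two non-ISE services under the parent domain.
HOSTS = [
    "ise-psn1.amer.example.com",
    "ise-psn2.amer.example.com",
    "ise-pan.emea.example.com",
    "www.example.com",
    "vpn.example.com",
]

# Constructed certificates: the CN is a generic name, as in the guide's note;
# the SAN decides the match.
SCOPED_CERT = {"cn": "aaa.ise.local", "san_dns": ["*.amer.example.com"]}
BROAD_CERT = {"cn": "aaa.ise.local", "san_dns": ["*.example.com"]}

if __name__ == "__main__":
    for label, cert in (("scoped", SCOPED_CERT), ("broad", BROAD_CERT)):
        print(label, "covers:", wildcard_scope(cert["san_dns"][0], HOSTS))
    print(cert_matches_node(SCOPED_CERT, "ise-psn1.amer.example.com"))
    print(cert_matches_node(SCOPED_CERT, "ise-pan.emea.example.com"))
```

Running it shows that *.amer.example.com covers only the two PSNs, while *.example.com covers www and vpn (and, under the one-label rule, none of the ISE nodes). It also shows the order of evaluation: a certificate whose SAN carries non-matching DNS names is rejected even when its CN equals the node FQDN, which is the case that most often surprises people importing a certificate that "has the right CN".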

Page 180

Advantages of Using Wildcard Certificates
• Cost savings. Certificates signed by a third-party Certificate Authority are expensive, especially as the number of servers increases. Wildcard certificates may be used on multiple nodes in the Cisco ISE deployment.
• Operational efficiency. Wildcard certificates allow all Policy Service Node (PSN) EAP and web services to share the same certificate. In addition to significant cost savings, certificate administration is also simplified by creating the certificate once and applying it on all the PSNs....