Home > Cisco > Interface > Cisco Ise 13 User Guide

Cisco Ise 13 User Guide

Add to Favourites
    Download as PDF

    Here you can view all the pages of manual Cisco Ise 13 User Guide. The Cisco manuals for Interface are available online for free. You can easily download all the documents as PDF.

    Overview View all the pages Comments

    Page 191

    Page 191 Procedure Step 1ChooseAdministration>System>Certificates>CertificateSigningRequests Step 2EnterthevaluesforgeneratingaCSR.SeeCertificateSigningRequestSettings,onpage692forinformation oneachofthefields. Step 3ClickGeneratetogeneratetheCSR. TheCSRisgenerated. Step 4ClickExporttoopentheCSRinaNotepad. Step 5Copyallthetextfrom“-----BEGINCERTIFICATEREQUEST-----”through“-----ENDCERTIFICATE REQUEST-----.” Step 6PastethecontentsoftheCSRintothecertificaterequestofachosenCA. Step 7Downloadthesignedcertificate.... 
    Procedure
Step 1ChooseAdministration>System>Certificates>CertificateSigningRequests
Step 2EnterthevaluesforgeneratingaCSR.SeeCertificateSigningRequestSettings,onpage692forinformation
oneachofthefields.
Step 3ClickGeneratetogeneratetheCSR.
TheCSRisgenerated.
Step 4ClickExporttoopentheCSRinaNotepad.
Step 5Copyallthetextfrom“-----BEGINCERTIFICATEREQUEST-----”through“-----ENDCERTIFICATE
REQUEST-----.”
Step 6PastethecontentsoftheCSRintothecertificaterequestofachosenCA.
Step 7Downloadthesignedcertificate....

    Page 192

    Page 192 IfyouenabletheEnableValidationofCertificateExtensionsoption,andthecertificatethatyouareimporting containsabasicconstraintsextensionwiththeCAflagsettotrue,ensurethatthekeyusageextensionis present,andthatthekeyEnciphermentbitorthekeyAgreementbit,orboth,arealsoset. Step 7ChecktheserviceforwhichthiscertificatewillbeusedintheUsagearea. Thisinformationisautopopulated,ifyouhaveenabledtheUsageoptionwhilegeneratingtheCSR. Step 8ClickSubmittobindtheCA-signedcertificate.... 
    IfyouenabletheEnableValidationofCertificateExtensionsoption,andthecertificatethatyouareimporting
containsabasicconstraintsextensionwiththeCAflagsettotrue,ensurethatthekeyusageextensionis
present,andthatthekeyEnciphermentbitorthekeyAgreementbit,orboth,arealsoset.
Step 7ChecktheserviceforwhichthiscertificatewillbeusedintheUsagearea.
Thisinformationisautopopulated,ifyouhaveenabledtheUsageoptionwhilegeneratingtheCSR.
Step 8ClickSubmittobindtheCA-signedcertificate....

    Page 193

    Page 193 Note•IfyouchangetheAdmincertificateonaregisteredsecondarynode,youmust obtainappropriateCAcertificatesthatcanbeusedtovalidatethesecondarynode’s AdmincertificateandimportitintotheCTLofthePAN. •Ifyouuseself-signedcertificatestosecurecommunicationbetweenaclientand PSNinadeployment,whenBYODusersmovefromonelocationtoanother, EAP-TLSuserauthenticationfails.Forsuchauthenticationrequeststhathaveto beservicedbetweenafewPSNs,youmustsecurecommunicationbetweenthe... 
    Note•IfyouchangetheAdmincertificateonaregisteredsecondarynode,youmust
obtainappropriateCAcertificatesthatcanbeusedtovalidatethesecondarynode’s
AdmincertificateandimportitintotheCTLofthePAN.
•Ifyouuseself-signedcertificatestosecurecommunicationbetweenaclientand
PSNinadeployment,whenBYODusersmovefromonelocationtoanother,
EAP-TLSuserauthenticationfails.Forsuchauthenticationrequeststhathaveto
beservicedbetweenafewPSNs,youmustsecurecommunicationbetweenthe...

    Page 194

    Page 194 Step 2ImporttheRootCertificatestotheTrustedCertificateStore,onpage143. Step 3BindtheCA-SignedCertificatetotheCSR,onpage145. Associate the Portal Certificate Tag Before You Register a Node Ifyouusethe"DefaultPortalCertificateGroup"tagforalltheportalsinyourdeployment,beforeyouregister anewISEnode,ensurethatyouimporttherelevantCA-signedcertificate,choose"Portal"asaservice,and associatethe"DefaultPortalCertificateGroup"tagwiththiscertificate.... 
    Step 2ImporttheRootCertificatestotheTrustedCertificateStore,onpage143.
Step 3BindtheCA-SignedCertificatetotheCSR,onpage145.
Associate the Portal Certificate Tag Before You Register a Node
Ifyouusethe"DefaultPortalCertificateGroup"tagforalltheportalsinyourdeployment,beforeyouregister
anewISEnode,ensurethatyouimporttherelevantCA-signedcertificate,choose"Portal"asaservice,and
associatethe"DefaultPortalCertificateGroup"tagwiththiscertificate....

    Page 195

    Page 195 DescriptionOption WhenyouedittheexistingCA-signedcertificate: Choose"Portal"asaserviceforwhichyouwillusethiscertificateandassociate the"DefaultPortalCertificateGroup"tag. EditanexistingCA-signed certificate. Step 5RegistertheISEnodetothedeployment. Theportalconfigurationinthedeploymentisconfiguredtothe"DefaultPortalCertificateGroup"tagand theportalsareconfiguredtousetheCA-signedcertificateassociatedwiththe"DefaultPortalCertificate Group"tagonthenewnode. User and Endpoint... 
    DescriptionOption
WhenyouedittheexistingCA-signedcertificate:
Choose"Portal"asaserviceforwhichyouwillusethiscertificateandassociate
the"DefaultPortalCertificateGroup"tag.
EditanexistingCA-signed
certificate.
Step 5RegistertheISEnodetothedeployment.
Theportalconfigurationinthedeploymentisconfiguredtothe"DefaultPortalCertificateGroup"tagand
theportalsareconfiguredtousetheCA-signedcertificateassociatedwiththe"DefaultPortalCertificate
Group"tagonthenewnode.
User and Endpoint...

    Page 196

    Page 196 CWA Redirect to Renew Certificates Ifausercertificateisrevokedbeforeitsexpiry,CiscoISEcheckstheCRLpublishedbytheCAandrejects theauthenticationrequest.Incase,ifarevokedcertificatehasexpired,theCAmaynotpublishthiscertificate initsCRL.Inthisscenario,itispossibleforCiscoISEtorenewacertificatethathasbeenrevoked.Toavoid this,beforeyourenewacertificate,ensurethattherequestgetsredirectedtoCentralWebAuthentication (CWA)forafullauthentication.YoumustcreateanauthorizationprofiletoredirecttheuserforCWA. Configure... 
    CWA Redirect to Renew Certificates
Ifausercertificateisrevokedbeforeitsexpiry,CiscoISEcheckstheCRLpublishedbytheCAandrejects
theauthenticationrequest.Incase,ifarevokedcertificatehasexpired,theCAmaynotpublishthiscertificate
initsCRL.Inthisscenario,itispossibleforCiscoISEtorenewacertificatethathasbeenrevoked.Toavoid
this,beforeyourenewacertificate,ensurethattherequestgetsredirectedtoCentralWebAuthentication
(CWA)forafullauthentication.YoumustcreateanauthorizationprofiletoredirecttheuserforCWA.
Configure...

    Page 197

    Page 197 Create an Authorization Policy Profile for CWA Redirection Before You Begin EnsurethatyouhaveconfiguredalimitedaccessACLontheWLC. Procedure Step 1ChoosePolicy>PolicyElements>Results>Authorization>AuthorizationProfiles. Step 2ClickAdd. Step 3Enteranamefortheauthorizationprofile.Forexample,CertRenewal_CWA. Step 4ChecktheWebRedirection(CWA,DRW,MDM,NSP,CPP)checkboxintheCommonTasksarea. Step 5ChooseCentralizedWebAuthfromthedrop-downlistandthelimitedaccessACL. Step... 
    Create an Authorization Policy Profile for CWA Redirection
Before You Begin
EnsurethatyouhaveconfiguredalimitedaccessACLontheWLC.
Procedure
Step 1ChoosePolicy>PolicyElements>Results>Authorization>AuthorizationProfiles.
Step 2ClickAdd.
Step 3Enteranamefortheauthorizationprofile.Forexample,CertRenewal_CWA.
Step 4ChecktheWebRedirection(CWA,DRW,MDM,NSP,CPP)checkboxintheCommonTasksarea.
Step 5ChooseCentralizedWebAuthfromthedrop-downlistandthelimitedaccessACL.
Step...

    Page 198

    Page 198 Procedure Step 1ChoosePolicy>PolicySets. Step 2ClickCreateAbove. Step 3Enteranameforthenewrule. Step 4Choosethefollowingsimpleconditionandresult: IfCertRenewalRequiredEQUALSTrue,thenchoosetheauthorizationprofilethatyoucreatedearlier (CertRenewal_CWA)forthepermission. Step 5ClickSave. What to Do Next Whenyouaccessthecorporatenetworkwithadevicewhosecertificatehasexpired,clickRenewtoreconfigure yourdevice. Enable BYOD Settings in the Guest Portal... 
    Procedure
Step 1ChoosePolicy>PolicySets.
Step 2ClickCreateAbove.
Step 3Enteranameforthenewrule.
Step 4Choosethefollowingsimpleconditionandresult:
IfCertRenewalRequiredEQUALSTrue,thenchoosetheauthorizationprofilethatyoucreatedearlier
(CertRenewal_CWA)forthepermission.
Step 5ClickSave.
What to Do Next
Whenyouaccessthecorporatenetworkwithadevicewhosecertificatehasexpired,clickRenewtoreconfigure
yourdevice.
Enable BYOD Settings in the Guest Portal...

    Page 199

    Page 199 consoletoallowemployeestousetheirpersonaldevicesonthecompany'snetwork.ACA-signeddigital certificateisconsideredindustrystandardandmoresecure.TheISECAoffersthefollowingfunctionalities: •CertificateIssuance:ValidatesandsignsCertificateSigningRequests(CSRs)forendpointsthatconnect toyournetwork. •KeyManagement:GeneratesandsecurelystoreskeysandcertificatesonbothPANandPSNnodes. •CertificateStorage:Storescertificatesissuedtousersanddevices.... 
    consoletoallowemployeestousetheirpersonaldevicesonthecompany'snetwork.ACA-signeddigital
certificateisconsideredindustrystandardandmoresecure.TheISECAoffersthefollowingfunctionalities:
•CertificateIssuance:ValidatesandsignsCertificateSigningRequests(CSRs)forendpointsthatconnect
toyournetwork.
•KeyManagement:GeneratesandsecurelystoreskeysandcertificatesonbothPANandPSNnodes.
•CertificateStorage:Storescertificatesissuedtousersanddevices....

    Page 200

    Page 200 Simple Certificate Enrollment Protocol Profiles Tohelpenablecertificateprovisioningfunctionsforthevarietyofmobiledevicesthatuserscanregisteron thenetwork,CiscoISEenablesyoutoconfigureoneormoreSimpleCertificateEnrollmentProtocol(SCEP) CertificateAuthority(CA)profiles(calledasCiscoISEExternalCASettings)topointCiscoISEtomultiple CAlocations.Thebenefitofallowingformultipleprofilesistohelpensurehighavailabilityandperform... 
    Simple Certificate Enrollment Protocol Profiles
Tohelpenablecertificateprovisioningfunctionsforthevarietyofmobiledevicesthatuserscanregisteron
thenetwork,CiscoISEenablesyoutoconfigureoneormoreSimpleCertificateEnrollmentProtocol(SCEP)
CertificateAuthority(CA)profiles(calledasCiscoISEExternalCASettings)topointCiscoISEtomultiple
CAlocations.Thebenefitofallowingformultipleprofilesistohelpensurehighavailabilityandperform...
    Start reading Cisco Ise 13 User Guide

    Related Manuals for Cisco Ise 13 User Guide

    All Cisco manuals