
Cisco Ise 13 User Guide

Page 201

• Cisco ISE Sub CA certificate
• Cisco ISE Endpoint RA certificate
• Cisco ISE OCSP Responder certificate
You must back up and restore Cisco ISE CA certificates and keys when you:
• Have a Secondary Administration Node in the deployment
• Replace the entire Cisco ISE CA root chain
• Configure Cisco ISE root CA to act as a subordinate CA of an external PKI
• Upgrade from Release 1.2 to a later release
• Restore data from a configuration backup. In this case, you must first regenerate the Cisco ISE CA root chain and then back up and restore the ISE CA certificates and keys.
Export Cisco ISE CA...

Page 202

Serial#:0x6f6d4097-21f74c4d-8832ba95-4c320fb1
ISE CA keys export completed successfully
Import Cisco ISE CA Certificates and Keys
After you register the Secondary Administration Node, you must export the CA certificates and keys from the PAN and import them into the Secondary Administration Node.
Procedure
Step 1 Enter application configure ise command from the Cisco ISE CLI.
Step 2 Enter 8 to import the CA certificates and keys.
Step 3 Enter the repository name.
Step 4 Enter the name of the file that you want to import.
Step 5 Enter the encryption key to decrypt the file....

Page 203

Procedure
Step 1 Administration > System > Certificates > Certificate Signing Requests
Step 2 Click Generate Certificate Signing Requests (CSR).
Step 3 Choose ISE Root CA from the Certificate(s) will be used for drop-down list.
Step 4 Click Replace ISE Root CA Certificate chain.
The root CA and subordinate CA certificates get generated for all the nodes in your deployment.
What to Do Next
If you have a Secondary PAN in the deployment, obtain a backup of the Cisco ISE CA certificates and keys...

Page 204

Configure Cisco ISE to Use Certificates for Authenticating Personal Devices
You can configure Cisco ISE to issue and manage certificates for endpoints (personal devices) that connect to your network. You can use the internal Cisco ISE Certificate Authority (CA) service to sign the certificate signing request (CSR) from endpoints or forward the CSR to an external CA.
Before You Begin
• Obtain a backup of the Cisco ISE CA certificates and keys from the Primary PAN and store them in a secure location for disaster recovery purposes....

Page 205

Procedure
Step 1 Choose Administration > Identity Management > Identities > Users.
Step 2 Click Add.
Step 3 Enter the user details.
Step 4 Select Employee from the User Group drop-down list.
All users who belong to the Employee user group share the same set of privileges.
Step 5 Click Submit.
What to Do Next
Create a Certificate Authentication Profile for TLS-Based Authentication, on page 159
Create a Certificate Authentication Profile for TLS-Based Authentication...

Page 206

Procedure
Step 1 Choose Administration > Identity Management > Identity Source Sequences.
Step 2 Click Add.
Step 3 Enter a name for the identity source sequence. For example, Dot1X.
Step 4 Check the Select Certificate Authentication Profile check box and select the certificate authentication profile that you created earlier, namely CAP.
Step 5 Move the identity source that contains your user information to the Selected list box in the Authentication Search List area.
You can add additional identity sources and Cisco ISE searches these data stores sequentially until a match...

Page 207

Before You Begin
If you are going to use an external Certificate Authority (CA) for signing the certificate signing request (CSR), then you must have the URL of the external CA.
Procedure
Step 1 Choose Administration > System > Certificates > External CA Settings.
Step 2 Click Add.
Step 3 Enter a name for the external CA setting. For example, EXTERNAL_SCEP.
Step 4 Enter the external CA server URL in the URL text box.
Click Test Connection to check if the external CA is reachable. Click the + button to enter additional CA server URLs.
Step 5 Click Submit.
What to Do Next...

Page 208

Step 4 Specify the Subject Alternative Name (SAN) and the validity period of the certificate.
Step 5 Specify a key size. You must choose 1024 or a higher key size.
Step 6 Specify the Extended Key Usage. Check the Client Authentication check box if you want the certificate to be used for client authentication. Check the Server Authentication check box if you want the certificate to be used for server authentication.
Step 7 Click Submit.
The internal CA certificate template is created and will be used by the client provisioning policy.
What to Do Next...

Page 209

Download Agent Resources from Cisco Site for Windows and MAC OS X Operating Systems
For Windows and MAC OS X operating systems, you must download the remote resources from the Cisco site.
Before You Begin
Ensure that you are able to access the appropriate remote location to download client provisioning resources to Cisco ISE, by verifying that the proxy settings for your network are correctly configured.
Procedure
Step 1 Choose Policy > Policy Elements > Resources > Client Provisioning > Resources.
Step 2 Choose Add > Agent resources from Cisco site.
Step...

Page 210

Configure the Dot1X Authentication Policy Rule for TLS-Based Authentication
You must update the Dot1X authentication policy rule for TLS-based authentications.
Before You Begin
Ensure that you have the certificate authentication profile created for TLS-based authentication.
Procedure
Step 1 Choose Policy > Authentication.
Step 2 Click the Rule-Based radio button.
The default rule-based authentication policy includes a rule for Dot1X authentication.
Step 3 Edit the Dot1X authentication policy rule.
Step...