Cisco Ise 13 User Guide

Here you can view all the pages of manual Cisco Ise 13 User Guide. The Cisco manuals for Interface are available online for free. You can easily download all the documents as PDF.

Page 211

Procedure
Step 1 Choose Policy > Policy Elements > Results > Authorization > Authorization Profiles.
Step 2 Click Add to create a new authorization profile.
Step 3 Enter a name for the authorization profile.
Step 4 From the Access Type drop-down list, choose ACCESS_ACCEPT.
Step 5 Click Add to add the authorization profiles for central web authentication, central web authentication for Google Play, native supplicant provisioning, and native supplicant provisioning for Google.
Step 6 Click Save.
What to Do Next
Create Authorization Policy Rules, on page 165
Create...

Page 212

| Rule Name | Identity Groups | Operating Systems | Other Conditions | Results |
|---|---|---|---|---|
| iOS | Any | Apple iOS All | Condition(s) | EAP_TLS_INTERNAL (the native supplicant profile that you created earlier). If you are using an external CA, select the native supplicant profile that you have created for the external CA. |
| Android | Any | Android | Condition(s) | EAP_TLS_INTERNAL (the native supplicant profile that you created earlier). If you are using an external CA, select the native supplicant profile that you have created for the external CA. |
   Cisco Identity Services Engine...

Page 213

| Rule Name | Identity Groups | Operating Systems | Other Conditions | Results |
|---|---|---|---|---|
| MAC OSX | Any | MAC OSX | Condition(s) | Under the Native Supplicant Configuration, specify the following: 1. Config Wizard: Select the MAC OSX supplicant wizard that you downloaded from the Cisco site. 2. Wizard Profile: Choose the EAP_TLS_INTERNAL native supplicant profile that you created earlier. If you are using an external CA, select the native supplicant profile that you have created for the external CA. |
Authorization Profiles for Certificate Services...

Page 214

• NSP-Google - This profile is for Android devices that go through the supplicant provisioning flow. Check the Web Authentication check box, choose Supplicant Provisioning from the drop-down list, and enter NSP-ACL-Google in the ACL text box.
Review the default Blackhole_Wireless_Access authorization profile. The Advanced Attributes Settings should be:
• Cisco:cisco-av-pair=url-redirect=https://ip:port/blacklistportal/gateway?portal=PortalID
• Cisco:cisco-av-pair=url-redirect-acl=BLACKHOLE
Authorization Policy Rules for Certificate Services...

Page 215

| Rule Name | Conditions | Permissions (authorization profiles to be applied) |
|---|---|---|
| NSP | (Wireless 802.1X AND Network Access:AuthenticationMethod EQUALS MSCHAPV2) | NSP |
| EAP-TLS | (Wireless 802.1X AND Network Access:AuthenticationMethod EQUALS x509_PKI) | PermitAccess |

Revoke an Endpoint Certificate
If you need to revoke a certificate issued to an employee's personal device, you can revoke it from the Endpoint Certificates page. For example, if an employee's device has been stolen or lost, you can log in to the Cisco...

Page 216

Appliance (ASA). The OCSP clients should communicate with the OCSP responder using the OCSP request/response structure defined in RFC 2560, 5019.
The Cisco ISE CA issues a certificate to the OCSP responder. The OCSP responder listens on port 2560 for any incoming requests. This port is configured to allow only OCSP traffic.
The OCSP responder accepts a request that follows the structure defined in RFC 2560, 5019. Nonce extension is supported in the OCSP request. The OCSP responder obtains the status of the certificate and creates an...

Page 217

• Failed OCSP responder scenarios, for example:
  The first primary OCSP responder not responding, and the secondary OCSP responder responding to the Cisco ISE OCSP request.
  Errors or responses not received from Cisco ISE OCSP requests.
  An OCSP responder may not provide a response to the Cisco ISE OCSP request or it may return an OCSP Response Status as not successful. OCSP Response Status values can be as follows:
  ◦ tryLater
  ◦ signRequired
  ◦ unauthorized
  ◦ internalError
  ◦ malformedRequest
  There are many date-time checks, signature validity checks and so on, in the OCSP request. For...

Page 218

Table 9: OCSP Syslog Messages

| Message | Description |
|---|---|
| OCSPPrimaryNotResponsiveCount | The number of nonresponsive primary requests |
| OCSPSecondaryNotResponsiveCount | The number of nonresponsive secondary requests |
| OCSPPrimaryCertsGoodCount | The number of ‘good’ certificates that are returned for a given CA using the primary OCSP server |
| OCSPSecondaryCertsGoodCount | The number of ‘good’ statuses that are returned for a given CA using the primary OCSP server |

The number of ‘revoked’ statuses that are returned for a given CA using the primary OCSP server...

Page 219

CHAPTER 9
Manage Network Devices
• Network Devices Definitions in Cisco ISE, page 173
• Default Network Device Definition in Cisco ISE, page 174
• Create a Network Device Definition in Cisco ISE, page 174
• Import Network Devices into Cisco ISE, page 175
• Export Network Devices from Cisco ISE, page 176
• Network Device Groups, page 176
• Import Network Device Groups into Cisco ISE, page 177
• Export Network Device Groups from Cisco ISE, page 177
• Import Templates in Cisco ISE, page 178
• Mobile Device Manager Interoperability with Cisco ISE, page 182...

Page 220

•
• You can configure the Simple Network Management Protocol (SNMP) in the network device definition for the Profiling service to communicate with the network devices and profile endpoints that are connected to the network devices.
• You must define Trustsec-enabled devices in Cisco ISE to process requests from Trustsec-enabled devices that can be part of the Cisco Trustsec solution. Any switch that supports the Trustsec solution is a Trustsec-enabled device.
Trustsec devices do not use the IP address. Instead, you must define other settings so that Trustsec...