Cisco Ise 13 User Guide

Page 271

Step 4 Deregister the node to be backed up.
Step 5 Restore the Monitoring backup to the newly deregistered node.
Step 6 Register the newly restored node with the current Administration node.
Step 7 Promote the newly restored and registered node as the PAN.
Restore a Monitoring Backup with a Monitoring Persona
You can restore a Monitoring backup in a distributed environment with only Monitoring persona.
Before You Begin
• Purge the old monitoring data.
• Schedule a backup or perform an on-demand backup.
Procedure
Step...

Page 272

Export Authentication and Authorization Policy Configuration
You can export authentication and authorization policy configuration in the form of an XML file that you can read offline to identify any configuration errors and use for troubleshooting purposes. This XML file includes authentication and authorization policy rules, simple and compound policy conditions, dACLs, and authorization profiles. You can choose to email the XML file or save it to your local system.
Procedure
Step 1 Choose Administration > System > Backup & Restore.
Step 2 Click Policy Export.
Step...

Page 273

Recovery of Lost Nodes Using Existing IP Addresses and Hostnames in a Distributed Deployment
Scenario
In a distributed deployment, a natural disaster leads to a loss of all the nodes. After recovery, you want to use the existing IP addresses and hostnames.
For example, you have two nodes: N1 (Primary Policy Administration Node or Primary PAN) and N2 (Secondary Policy Administration Node or Secondary PAN.) A backup of the N1 node, which was taken at time T1, is available. Later, both N1 and N2 nodes fail because of a natural disaster.
Assumption...

Page 274

2 You must generate a new self-signed certificate.
3 You must log in to the Cisco Admin portal on N1A, choose Administration > System > Deployment, and do the following:
Delete the old N2 node.
Register the new N2A node as a secondary node. Data from the N1A node will be replicated to the N2A node.
Recovery of a Node Using Existing IP Address and Hostname in a Standalone Deployment
Scenario
A standalone administration node is down.
For example, you have a standalone administration node, N1. A backup of the N1 database was taken at time...

Page 275

Configuration Rollback
Problem
There may be instances where you inadvertently make configuration changes that you later determine were incorrect. For example, you may delete several NADs or modify some RADIUS attributes incorrectly and realize this issue several hours later. In this case, you can revert back to the original configuration by restoring a backup that was taken before you made the changes.
Possible Causes
There are two nodes: N1 (Primary Policy Administration Node or Primary PAN) and N2 (Secondary Policy...

Page 276

For example, you have multiple nodes: N1 (Primary PAN), N2 (Secondary PAN), N3 (Secondary Policy Service Node), N4 (Secondary Policy Service Node). One of the secondary nodes, N3, fails.
Resolution Steps
1 Reimage the new N3A node to the default standalone state.
2 Log in to the N1 Admin portal and delete the N3 node.
3 Reregister the N3A node.
Data is replicated from N1 to N3A. No restore is required.
   Cisco Identity Services Engine Administrator Guide, Release 1.3

Page 277

CHAPTER 13
Setup Endpoint Protection Service
• Enable Endpoint Protection Service in Cisco ISE
• Configure Network Access Settings
• Endpoint Protection Service
• EPS Quarantine and Unquarantine Flow
• EPS NAS Port Shutdown Flow
• Endpoints Purge Settings
Enable Endpoint Protection Service in Cisco ISE
Endpoint Protection Service (EPS) is disabled by default. You must enable EPS manually, and it remains enabled until you manually disable the service in the Admin portal....

Page 278

simultaneously. If you discover a hostile endpoint on your network, you can shut down the endpoint’s access, using EPS to close the NAS port.
Before You Begin
• You must enable EPS.
• You must create authorization profiles and Exception type authorization policies for EPS.
Procedure
Step 1 Choose Operations > Endpoint Protection Service.
Step 2 Under Endpoint Operation, enter the IP Address or MAC Address of an endpoint.
Step 3 Click the Operations drop-down list to choose one of the following actions:
• Quarantine—Isolates the endpoint, restricting access on the network...

Page 279

Note: Because CoA requires a MAC address or session ID, we recommend that you do not bounce the port that is shown in the Network Device SNMP report.
Endpoint Protection Service
Endpoint Protection Service (EPS) is a service that runs on the Administration node that can be used for monitoring and controlling network access of endpoints. EPS is also known as Adaptive Network Control (ANC). EPS can be invoked by the ISE administrator on the admin GUI and also through pxGrid from third party systems. EPS supports wired and wireless deployments and requires a Plus License....

Page 280

Procedure
Step 1 Choose Policy > Policy Elements > Authorization > Authorization Profiles.
Step 2 Click Add.
Step 3 Enter a unique name and description for the authorization profile, and leave the Access Type as ACCESS_ACCEPT.
Step 4 Check the DACL Name check box, and choose DENY_ALL_TRAFFIC from the drop-down list.
Step 5 Click Submit.
Create Exception Policies for Network Access through EPS
For EPS authorization, you must create a quarantine exception policy that is processed before all standard...