Cisco ISE 1.3 User Guide
Page 291
Import Cisco ISE Internal Users
You can import new user data into ISE with a csv file to create new internal accounts. A template csv file is available for download on the pages where you can import user accounts. You can import users on Administration > Identity Management > Identities > Users.
Procedure
Step 1 Choose Administration > Identity Management > Identities > Users.
Step 2 Click Import to import users from a comma-delimited text file. If you do not have a comma-delimited text file, click Generate a Template to create a csv file with the heading rows filled in.
Step...
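The following is an added example (not code from the Cisco ISE guide) of preparing such a comma-delimited file before uploading it. The heading row it uses is an assumption about the template; in practice you download the template from the Import page with Generate a Template and reuse its heading row verbatim. The example shows the two things that go wrong most often with hand-built import files: fields containing commas or quotes shifting columns, and a single fixed password pasted into every row. Sample accounts are constructed, not real users.

```python
"""Build a CSV for the Cisco ISE 'Import' dialog under
Administration > Identity Management > Identities > Users.

Added example, not Cisco's code. HEADERS is an ASSUMPTION about the
template; take the real heading row from 'Generate a Template'.
"""
import csv
import io
import secrets
import string

# Assumed heading row (replace with the one from the downloaded template).
HEADERS = ["User Name", "Password", "First Name", "Last Name",
           "Email Address", "Enabled", "User Identity Groups"]

# No comma, quote or newline in the alphabet, so passwords never need CSV quoting.
_ALPHABET = string.ascii_letters + string.digits + "!#%+-.:=@_"


def generate_password(length=16):
    """Random initial password from the OS CSPRNG, one per row.
    Never ship the same default password for every imported account."""
    if length < 12:
        raise ValueError("initial password too short")
    return "".join(secrets.choice(_ALPHABET) for _ in range(length))


def validate_rows(rows):
    """Reject rows ISE would refuse or that are a security smell:
    empty or duplicate usernames (case-insensitive), empty passwords,
    an Enabled value that is not true/false."""
    seen, errors = set(), []
    for i, r in enumerate(rows, 1):
        name = r.get("User Name", "").strip()
        if not name:
            errors.append(f"row {i}: empty User Name")
        elif name.lower() in seen:
            errors.append(f"row {i}: duplicate User Name {name!r}")
        seen.add(name.lower())
        if not r.get("Password"):
            errors.append(f"row {i}: empty Password")
        if r.get("Enabled", "").lower() not in ("true", "false"):
            errors.append(f"row {i}: Enabled must be true or false")
    return errors


def build_csv(rows):
    """Return the CSV text. csv.DictWriter quotes any field containing a
    comma or quote, so a last name like 'Doe, PhD' cannot shift columns."""
    errors = validate_rows(rows)
    if errors:
        raise ValueError("; ".join(errors))
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=HEADERS, lineterminator="\n")
    w.writeheader()
    for r in rows:
        w.writerow({h: r.get(h, "") for h in HEADERS})
    return buf.getvalue()


# Constructed sample accounts (not real users).
SAMPLE = [
    {"User Name": "jdoe", "Password": generate_password(),
     "First Name": "Jane", "Last Name": "Doe, PhD",
     "Email Address": "jdoe@example.com", "Enabled": "true",
     "User Identity Groups": "Employee"},
    {"User Name": "svc-scan", "Password": generate_password(),
     "Enabled": "false", "User Identity Groups": "NetworkScanners"},
]

if __name__ == "__main__":
    print(build_csv(SAMPLE), end="")
```

Run it and redirect the output to a file, then upload that file with Import. The generated passwords are written to the CSV in clear text, so treat the file as a secret and delete it after the import completes.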
Page 292
Export User Identity Groups
Cisco ISE allows you to export locally configured user identity groups in the form of a csv file.
Procedure
Step 1 Choose Administration > Identity Management > Groups > Identity Groups > User Identity Groups.
Step 2 Check the check box that corresponds to the user identity group that you want to export, and click Export.
Step 3 Click OK.
Import User Identity Groups
Cisco ISE allows you to import user identity groups in the form of a csv file.
Procedure
Step 1 Choose Administration > Identity Management > Groups > Identity Groups > User Identity Groups....
Page 293
External Identity Sources
Cisco ISE allows you to configure the external identity source that contains user information. Cisco ISE connects to an external identity source to obtain user information for authentication. External identity sources also include certificate information for the Cisco ISE server and certificate authentication profiles. Cisco ISE uses authentication protocols to communicate with external identity sources. The following table lists authentication protocols and the external identity sources that they support.
Table 15: Authentication Protocols...
Page 294
• LDAP to add an LDAP identity source (see LDAP, on page 271 for more details).
• RADIUS Token to add a RADIUS Token server (see RADIUS Token Identity Sources, on page 279 for more details).
• RSA SecurID to add an RSA SecurID server (see RSA Identity Sources, on page 283 for more details).
Certificate Authentication Profiles
For each profile, you must specify the certificate field that should be used as the principal username and whether you want a binary comparison of the certificates.
Add a Certificate Authentication Profile...
Page 295
• Always perform binary comparison—This option always performs the binary comparison of the client certificate to the certificate on the account in the identity store (Active Directory or LDAP).
Step 6 Click Submit to add the certificate authentication profile or save the changes.
Active Directory as an External Identity Source
Cisco ISE uses Microsoft Active Directory as an external identity source to access resources such as users, machines, groups, and attributes. User and machine authentication in Active Directory allows network access...
Page 296
Authentication Protocols | Features
Protected Extensible Authentication Protocol-Transport Layer Security (PEAP-TLS) | • User and machine authentication • Groups and attributes retrieval • Binary certificate comparison
Lightweight Extensible Authentication Protocol (LEAP) | • User authentication
Active Directory Attribute and Group Retrieval for Use in Authorization Policies
Cisco ISE retrieves user or machine attributes and groups from Active Directory for use in authorization...
Page 297
The certificate authentication profile determines the field where the username is taken from in order to look up the user in Active Directory to be used for retrieving certificates, for example, Subject Alternative Name (SAN) or Common Name. After Cisco ISE retrieves the certificate, it performs a binary comparison of this certificate with the client certificate. When multiple certificates are received, Cisco ISE compares the certificates to check for one that matches. When a match is found, the user or machine authentication is passed.
Active Directory User Authentication Process...
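The decision path just described (pick the username field named by the profile, look the account up, fetch its stored certificates, pass only on a byte-for-byte match with the client certificate) is modelled below as an added example; it is not Cisco ISE code. The directory is a constructed in-memory dict standing in for the account's userCertificate values, and the certificates are stand-in DER byte strings rather than real X.509 objects, so only the matching logic is shown. It also covers the "Always perform binary comparison" option from the profile: with it off, the lookup alone decides, so any certificate from the trusted CA that carries the right identity field is accepted even if it is not the one stored on the account.

```python
"""Certificate authentication profile matching, modelled.

Added example, not Cisco ISE code. Certificates are stand-in DER byte
strings and the directory is a constructed dict of
username -> list of userCertificate DER blobs (AD can hold several).
"""
import hashlib
from dataclasses import dataclass, field


@dataclass
class ClientCert:
    der: bytes                               # bytes the supplicant presented
    common_name: str
    san: list = field(default_factory=list)  # e.g. UPN / rfc822Name entries


@dataclass
class Profile:
    username_field: str = "SAN"   # field used as principal username: "SAN" or "CN"
    binary_compare: bool = True   # 'Always perform binary comparison'


def principal_username(cert, profile):
    """Take the principal username from the field the profile names."""
    if profile.username_field == "CN":
        return cert.common_name
    if profile.username_field == "SAN":
        if not cert.san:
            raise ValueError("profile wants SAN but certificate has none")
        return cert.san[0]
    raise ValueError(f"unknown username field {profile.username_field!r}")


def fingerprint(der):
    return hashlib.sha256(der).hexdigest()


def authenticate(cert, profile, directory):
    """Return (passed, reason).

    With binary comparison on, the presented certificate must be identical
    to one of the certificates stored on the account; a certificate that
    merely carries the same identity (re-issued, cloned CA, wrong copy) fails.
    """
    try:
        user = principal_username(cert, profile)
    except ValueError as e:
        return False, str(e)
    stored = directory.get(user)
    if stored is None:
        return False, f"no account {user!r} in identity store"
    if not profile.binary_compare:
        return True, f"{user}: identity lookup only, no binary comparison"
    if not stored:
        return False, f"{user}: account has no userCertificate to compare"
    for der in stored:                      # several stored certs: any match passes
        if der == cert.der:                 # exact bytes, not just same subject
            return True, f"{user}: matched certificate {fingerprint(der)[:16]}"
    return False, f"{user}: presented certificate not among {len(stored)} stored"


# Constructed directory contents (not real accounts or certificates).
DIRECTORY = {
    "jdoe@example.com": [b"DER-OLD-CERT-jdoe", b"DER-CURRENT-CERT-jdoe"],
    "host/ws01.example.com": [b"DER-MACHINE-CERT-ws01"],
    "mrobert": [],                          # account exists, no certificate stored
}

if __name__ == "__main__":
    strict = Profile()
    good = ClientCert(b"DER-CURRENT-CERT-jdoe", "Jane Doe", ["jdoe@example.com"])
    rogue = ClientCert(b"DER-ROGUE-CERT-jdoe", "Jane Doe", ["jdoe@example.com"])
    print(authenticate(good, strict, DIRECTORY))
    print(authenticate(rogue, strict, DIRECTORY))
    print(authenticate(rogue, Profile(binary_compare=False), DIRECTORY))
    print(authenticate(ClientCert(b"x", "mrobert"), Profile(username_field="CN"), DIRECTORY))
```

The second and third calls in the usage block are the point: the same "rogue" certificate is rejected with binary comparison on and accepted with it off, which is why the option matters when the CA that issued user certificates is shared or its issuance is not tightly controlled.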
Page 298
Active Directory Account Permissions Required for Performing Various Operations
Join Operations | Leave Operations | Cisco Machine Accounts
Cisco Machine Accounts: For the newly created Cisco machine account that is used to communicate to the Active Directory connection, the following permissions are required:
• Ability to change own password
• Read the user/machine objects corresponding to users/machines
• Query some parts of the Active Directory to learn about required information (for example, trusted domains, alternative UPN suffixes and so on.)
• Ability to read tokenGroups...
Page 299
Network Ports That Must Be Open for Communication
Protocol | Port (remote-local) | Target | Authenticated | Notes
DNS (TCP/UDP) | Random number greater than or equal to 49152 | DNS Servers/AD Domain Controllers | No | —
MSRPC | 445 | Domain Controllers | Yes | —
Kerberos (TCP/UDP) | 88 | Domain Controllers | Yes (Kerberos) | MS AD/KDC
LDAP (TCP/UDP) | 389 | Domain Controllers | Yes | —
LDAP (GC) | 3268 | Global Catalog Servers | Yes | —
NTP | 123 | NTP Servers/Domain Controllers | No | —
IPC | 80 | Other ISE Nodes in the Deployment | Yes (Using RBAC credentials) | —
DNS Server...
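A pre-join check that walks the table above and tries a TCP connect to each target on each fixed port is shown below as an added example; it is not Cisco tooling. The port list is transcribed from the table; the target hosts are constructed and the connector is injectable, so the run shown here uses a fake that simulates a firewall dropping 3268 rather than touching a real domain controller. Rows the check cannot prove with a TCP handshake (the dynamic DNS range and UDP-only NTP) are reported as "not checked" instead of being marked open, which is the honest answer a firewall review needs.

```python
"""Reachability check for the ports Cisco ISE needs toward AD.

Added example, not Cisco code. REQUIRED is transcribed from the table
above; TARGETS and fake_connect are constructed for offline use.
"""
import socket

# (protocol, port, target role). None = dynamic port (>= 49152), not probeable.
REQUIRED = [
    ("DNS (TCP/UDP)", None, "DNS Servers/AD Domain Controllers"),
    ("MSRPC", 445, "Domain Controllers"),
    ("Kerberos (TCP/UDP)", 88, "Domain Controllers"),
    ("LDAP (TCP/UDP)", 389, "Domain Controllers"),
    ("LDAP (GC)", 3268, "Global Catalog Servers"),
    ("NTP", 123, "NTP Servers/Domain Controllers"),
    ("IPC", 80, "Other ISE Nodes in the Deployment"),
]
# NTP runs over UDP, so a TCP connect proves nothing about it.
UDP_ONLY = {"NTP"}


def tcp_connect(host, port, timeout=3.0):
    """Real connector: True if a TCP handshake to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_ports(targets, connect=tcp_connect):
    """targets maps a target role (as named in REQUIRED) to a list of hosts.
    Returns (protocol, host, port, status) tuples with status one of
    'open', 'closed', 'not checked', 'no target configured'."""
    results = []
    for proto, port, role in REQUIRED:
        hosts = targets.get(role, [])
        if not hosts:
            results.append((proto, None, port, "no target configured"))
            continue
        for host in hosts:
            if port is None or proto in UDP_ONLY:
                results.append((proto, host, port, "not checked"))
            elif connect(host, port):
                results.append((proto, host, port, "open"))
            else:
                results.append((proto, host, port, "closed"))
    return results


def blocking_failures(results):
    """Closed TCP ports: these will break the join or later lookups."""
    return [r for r in results if r[3] == "closed"]


# Constructed deployment; hostnames are placeholders, not real systems.
TARGETS = {
    "DNS Servers/AD Domain Controllers": ["dc1.example.com"],
    "Domain Controllers": ["dc1.example.com"],
    "Global Catalog Servers": ["dc1.example.com"],
    "NTP Servers/Domain Controllers": ["dc1.example.com"],
    "Other ISE Nodes in the Deployment": ["ise-psn2.example.com"],
}


def fake_connect(host, port):
    """Offline stand-in for tcp_connect: everything open except 3268."""
    return port != 3268


if __name__ == "__main__":
    rows = check_ports(TARGETS, connect=fake_connect)   # swap in tcp_connect on a real node
    for row in rows:
        print(row)
    print("blocking:", blocking_failures(rows))
```

On a real ISE node you would call check_ports(TARGETS) so the default tcp_connect is used; a closed 3268 in that output explains a join that authenticates but cannot resolve groups from the global catalog, and a closed 88 or 389 explains a join that fails outright.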
Page 300
• The Microsoft Active Directory server does not reside behind a network address translator and does not have a Network Address Translation (NAT) address.
• The Microsoft Active Directory account intended for the join operation is valid and is not configured with the Change Password on Next Login.
• You have the privileges of a Super Admin or System Admin in ISE.
If you see operational issues when Cisco ISE is connected to Active Directory, see the AD Connector Operations Report under Operations > Reports.
Note...