Cisco Ise 13 User Guide

Here you can view all the pages of manual Cisco Ise 13 User Guide. The Cisco manuals for Interface are available online for free. You can easily download all the documents as PDF.

Page 311

Diagnose Active Directory Problems
The Diagnostic Tool is a service that runs on every Cisco ISE node. It allows you to automatically test and diagnose the Active Directory deployment and execute a set of tests to detect issues that may cause functionality or performance failures when Cisco ISE uses Active Directory.
There are multiple reasons for which Cisco ISE might be unable to join or authenticate against Active Directory. This tool helps ensure that the prerequisites for connecting Cisco ISE to Active Directory are configured...

Page 312

Obtain the Active Directory Log File for Troubleshooting
Download and view the Active Directory debug logs to troubleshoot issues you may have.
Before You Begin
Active Directory debug logging must be enabled.
Procedure
Step 1 Choose Operations > Troubleshoot > Download Logs.
Step 2 Click the node from which you want to obtain the Active Directory debug log file.
Step 3 Click the Debug Logs tab.
Step 4 Scroll down this page to locate the ad_agent.log file. Click this file to download it.
Active Directory Alarms and Reports...

Page 313

Active Directory Advanced Tuning
The advanced tuning feature provides node-specific settings used for support action under the supervision of Cisco support personnel, to adjust the parameters deeper in the system. These settings are not intended for normal administration flow, and should be used only under guidance.
Supplemental Information for Setting Up Cisco ISE with Active Directory
For configuring Cisco ISE with Active Directory, you must configure group policies, and configure a supplicant for machine authentication.
Configure Group Policies in Active...

Page 314

Policy Properties
Step 4 Apply the policy at the desired organizational unit or domain Active Directory level.
The computers will receive the policy when they reboot and this service will be turned on.
Configure Odyssey 5.X Supplicant for EAP-TLS Machine Authentications Against Active Directory
If you are using the Odyssey 5.x supplicant for EAP-TLS machine authentications against Active Directory, you must configure the following in the supplicant.
Procedure
Step 1 Start Odyssey Access Client.
Step 2 Choose Odyssey Access Client Administrator from the Tools menu....

Page 315

If this option is enabled, the Odyssey supplicant sends the machine name in the format host\ and Active Directory identifies the request as coming from a machine and will look up computer objects to perform authentication. If this option is disabled, the Odyssey supplicant sends the machine name without the host\ prefix and Active Directory will look up user objects and the authentication fails.
AnyConnect Agent for Machine Authentication
When you configure AnyConnect Agent for machine authentication, you can do one of the following:...

Page 316

• Identity Mapping report. This report provides information about the Identity Mapping component for troubleshooting
• Identity Mapping debug logs
• Cisco ISE session directory maintains the collected user information, so that customers can view it from the Live Sessions and query it from the pxGrid interface
• Using the CLI command show application status provides the health status of nodes that use Identity Mapping
• Supports High Availability
Configuring Identity Mapping
ID Mapping requires configuration in ISE, and the Active Directory Domain Server must have the right...

Page 317

This test ensures that the connection to the DC is healthy. However, it does not check whether Cisco ISE can fetch the user information upon login.
Step 8 Click Submit. An updated table is displayed with the newly-defined DC included in the list of DCs. The status column indicates the different states of DC.
You can also Import or Export the DC list.
Note
While importing, you need to provide the password in the template. As the file contains the password, the import template should be treated as sensitive. The Export option does not export the password.
Filter Identity Mapping...

Page 318

An entry in the tree contains a set of attributes, where each attribute has a name (an attribute type or attribute description) and one or more values. The attributes are defined in a schema.
Each entry has a unique identifier: its distinguished name (DN). This name contains the relative distinguished name (RDN), which is constructed from attributes in the entry, followed by the DN of the parent entry. You can think of the DN as a full filename, and the RDN as a relative filename in a folder.
Multiple LDAP Instances...

Page 319

If the LDAP server closed the connection, the connection manager reports an error during the first call to search the directory, and tries to renew the connection. After the authentication process is complete, the connection manager releases the connection.
LDAP User Authentication
LDAP can be used as an external database for Cisco ISE user authentication. Cisco ISE supports plain password authentication. User authentication includes:
• Searching the LDAP server for an entry that matches the username in the request...

Page 320

◦ Plain usernames
• Subjects Refer to Groups—The subject objects contain an attribute that specifies the group to which they belong.
LDAP identity sources contain the following parameters for group membership information retrieval:
• Reference direction—This parameter specifies the method to use when determining group membership (either groups to subjects or subjects to groups).
• Group map attribute—This parameter indicates the attribute that contains group membership information.
• Group object class—This parameter determines that certain objects are recognized as groups....