Cisco Ise 13 User Guide
Page 321
◦User account is restricted (disabled, locked out, expired, password expired, and so on)
◦Initialization Errors—Use the LDAP server timeout settings to configure the number of seconds that Cisco ISE should wait for a response from an LDAP server before determining that the connection or authentication on that server has failed. Possible reasons for an LDAP server to return an initialization error are:
◦LDAP is not supported.
◦The server is down.
◦The server is out of memory.
◦The user has no privileges.
◦Administrator credentials are configured incorrectly....
Page 322
•Searching the LDAP server for an entry that matches the MAC address of the device
•Retrieving MAC address group information for the device for use in policies
•Retrieving values for specified attributes for use in policies
Add LDAP Identity Sources
Before You Begin
•To perform the following task, you must be a Super Admin or System Admin.
•Cisco ISE always uses the primary LDAP server to obtain groups and attributes for use in authorization policies. Therefore, your primary LDAP server must be reachable when you configure these items.
Procedure
Step...
Page 323
Procedure
Step 1 Choose Administration > Identity Management > External Identity Sources > LDAP.
Step 2 Check the check box next to the LDAP instance that you want to edit and click Edit.
Step 3 Click the Directory Organization tab.
Step 4 Enter the values as described in LDAP Identity Source Settings.
Step 5 Click Submit to save the configuration.
Retrieve Group Membership Details from the LDAP Server
You can add new groups or select groups from the LDAP directory.
Procedure
Step 1 Choose Administration > Identity Management > External Identity Sources > LDAP.
Step...
Page 324
Procedure
Step 1 Choose Administration > Identity Management > External Identity Sources > LDAP.
Step 2 Check the check box next to the LDAP instance that you want to edit and click Edit.
Step 3 Click the Attributes tab.
Step 4 Choose Add > Add Attribute to add a new attribute, or choose Add > Select Attributes From Directory to select attributes from the LDAP server.
a) If you choose to add an attribute, enter a name for the new attribute.
b) If you are selecting from the directory, enter an example user and click Retrieve Attributes to retrieve...
Page 325
Step 2 Configure Cisco ISE to use secure authentication when communicating with the LDAP identity source (Administration > Identity Management > External Identity Sources > LDAP; be sure to check the Secure Authentication check box in the Connection Settings tab).
Step 3 Select the root CA certificate in the LDAP identity store.
RADIUS Token Identity Sources
A server that supports the RADIUS protocol and provides authentication, authorization, and accounting (AAA) services to users and devices is called a RADIUS server. A RADIUS identity source is simply an external...
Page 326
Failover in RADIUS Token Servers
Cisco ISE allows you to configure multiple RADIUS identity sources. Each RADIUS identity source can have primary and secondary RADIUS servers. When Cisco ISE is unable to connect to the primary server, it uses the secondary server.
Configurable Password Prompt in RADIUS Token Servers
RADIUS identity sources allow you to configure the password prompt. You can configure the password prompt through the Admin portal.
RADIUS Token Server User Authentication...
Page 327
or a User Not Found message. However, this option returns a User Not Found message not only for cases where the user is not known, but for all failure cases.
The following table lists the different failure cases that are possible with RADIUS identity servers.

Table 17: Error Handling

Failure Cases            Reasons for Failure
Authentication Failed    •User is unknown.
                         •User attempts to log in with an incorrect passcode.
                         •User login hours expired.
                         •RADIUS server is configured incorrectly in Cisco ISE.
                         •RADIUS server is unavailable.
                         •RADIUS packet is detected as malformed....
Page 328
•User-Name (RADIUS attribute 1)
•User-Password (RADIUS attribute 2)
•NAS-IP-Address (RADIUS attribute 4)
Cisco ISE expects to receive any one of the following responses:
•Access-Accept—No attributes are required; however, the response can contain a variety of attributes based on the RADIUS token server configuration.
•Access-Reject—No attributes are required.
•Access-Challenge—The attributes that are required per the RADIUS RFC are the following:
◦State (RADIUS attribute 24)
◦Reply-Message (RADIUS attribute 18)...
Page 329
Delete a RADIUS Token Server
Before You Begin
•To perform the following task, you must be a Super Admin or System Admin.
•Ensure that you do not select the RADIUS token servers that are part of an identity source sequence. If you select a RADIUS token server that is part of an identity source sequence for deletion, the delete operation fails.
Procedure
Step 1 Choose Administration > Identity Management > External Identity Sources > RADIUS Token.
Step 2 Check the check box next to the RADIUS token server or servers that you want to delete, then click Delete.
Step...
Page 330
Cisco ISE supports only one RSA realm.
Cisco ISE and RSA SecurID Server Integration
These are the two administrative roles involved in connecting Cisco ISE with an RSA SecurID server:
•RSA Server Administrator—Configures and maintains RSA systems and integration
•Cisco ISE Administrator—Configures Cisco ISE to connect to the RSA SecurID server and maintains the configuration
This section describes the processes that are involved in connecting Cisco ISE with the RSA SecurID server...