Cisco Ise 13 User Guide
Here you can view all the pages of manual Cisco Ise 13 User Guide. The Cisco manuals for Interface are available online for free. You can easily download all the documents as PDF.
Page 331
on Cisco ISE maintains a cost-based routing table to make the best use of the RSA servers in the realm. You can, however, choose to override this routing with a manual configuration for each Cisco ISE server for the realm using a text file called sdopts.rec through the Admin portal. Refer to the RSA documentation for information on how to create this file.
RSA Node Secret Reset
The securid file is a secret node key file. When RSA is initially set up, it uses a secret to validate the agents. When the RSA agent that resides in Cisco ISE successfully authenticates against the RSA server for the first...
Page 332
When you create the RSA identity source for the first time, the Import new sdconf.rec file field will be a mandatory field. From then on, you can replace the existing sdconf.rec file with an updated one, but replacing the existing file is optional.
Step 3 Enter the server timeout value in seconds. Cisco ISE will wait for a response from the RSA server for the amount of time specified before it times out. This value can be any integer from 1 to 199. The default value is 30 seconds.
Step 4 Check the Reauthenticate on Change PIN check box to force a reauthentication when the PIN is changed.
Step...
Page 333
b) Click Save in this row to save the changes.
Step 8 Click Save.
Configure Authentication Control Options for RSA Identity Source
You can specify how Cisco ISE defines authentication failures and enable identity caching. The RSA identity source does not differentiate between “Authentication failed” and “User not found” errors and sends an Access-Reject response. You can define how Cisco ISE should handle such failures while processing requests and reporting failures....
Page 334
Configure RSA Messages
Cisco ISE allows you to configure messages that are presented to the user while processing requests sent to the RSA SecurID server.
Before You Begin
To perform the following task, you must be a Super Admin or System Admin.
Procedure
Step 1 Choose Administration > Identity Management > External Identity Sources > RSA SecurID.
Step 2 Click Prompts.
Step 3 Click the Messages tab.
Step 4 Enter the values as described in RSA SecurID Identity Source Settings.
Step 5 Click Submit.
Identity Source Sequences...
Page 335
For allowing guest users to authenticate through Local WebAuth, you must configure both the Guest Portal authentication source and the identity source sequence to contain the same identity stores.
Procedure
Step 1 Choose Administration > Identity Management > Identity Source Sequences > Add.
Step 2 Enter a name for the identity source sequence. You can also enter an optional description.
Step 3 Check the Select Certificate Authentication Profile check box and choose a certificate authentication profile for certificate-based authentication.
Step...
Page 336
Identity Source Details in Reports
Cisco ISE provides information about the identity sources through the Authentications dashlet and Identity Source reports.
Authentications Dashlet
From the Authentications dashlet, you can drill down to find more information including failure reasons. Choose Operations > Authentications to view real-time authentication summary. For more information, see Recent RADIUS Authentications, on page 857.
Identity Source Reports...
Page 337
CHAPTER 15
Configure Guest Access
• Cisco ISE Guest Services, page 291
• Guest and Sponsor Accounts, page 292
• Guest Portals, page 303
• Sponsor Portals, page 316
• Monitor Guest and Sponsor Activity, page 325
• Guest Access Web Authentication Options, page 327
Cisco ISE Guest Services
Cisco Identity Services Engine (ISE) guest services enable you to provide secure network access to guests such as visitors, contractors, consultants, and customers. You can support guests with base Cisco ISE licenses,...
Page 338
• Administration Node—Configuration changes that you make to users, devices, and end-user portals are written to the Administration node.
• Policy Services Node—The end-user portals run on a Policy Services Node, which handles all session traffic, including: network access, client provisioning, guest services, posture, and profiling. If a Policy Service Node is part of a node group, and one node fails, the other nodes detect the failure and reset any pending sessions.
• Monitoring Node—The Monitoring node collects, aggregates, and reports data about the end-user and...
Page 339
When creating guest accounts, certain sponsor groups can be restricted to using specific guest types. Members of such a group can create guests with only the features specified for their guest type. For instance, the sponsor group, ALL_ACCOUNTS, can be set up to use only the Contractor guest type, and the sponsor groups, OWN_ACCOUNTS and GROUP_ACCOUNTS, can be set up to use Daily and Weekly guest types. Also, since self-registering guests using the Self-Registered Guest portal typically need access for just a day, you can assign them the Daily guest type....
Page 340
Note: The account purge policy checks for expired guest accounts, and sends expiration notification. This policy runs every 20 minutes, so if you set the account duration to less than 20 mins, it is possible that expiration notices may not be sent out before the account is purged.
You can specify the duration time and the days of the week when access is provided to the guests of this Guest Type by using the Allow access only on these days and times option.
◦ The days of the week that you select limits access to the dates that are selectable in the Sponsor's calendar....