Cisco Ise 13 User Guide

Here you can view all the pages of manual Cisco Ise 13 User Guide. The Cisco manuals for Interface are available online for free. You can easily download all the documents as PDF.

Page 391

Create External Identity Sources
Cisco ISE can connect with external identity sources such as Active Directory, LDAP, RADIUS Token, and RSA SecurID servers to obtain user information for authentication and authorization. External identity sources also include certificate authentication profiles that you need for certificate-based authentications.
Procedure
Step 1 Choose Administration > Identity Management > External Identity Sources.
Step 2 Choose one of these options:
• Certificate Authentication Profile for certificate-based authentications....

Page 392

• Do not access other stores in the sequence and set the AuthenticationStatus attribute to ProcessError—If you want Cisco ISE to discontinue the search, if the user is not found in the first selected identity source.
• Treat as if the user was not found and proceed to the next store in the sequence—If you want Cisco ISE to continue searching the other selected identity sources in sequence, if the user is not found in the first selected identity source.
While processing a request, Cisco ISE searches these identity sources in sequence. Ensure that you have...

Page 393

Procedure
Step 1 Choose Administration > Device Portal Management > Blacklist Portal > Edit.
Step 2 Provide a unique Portal Name and a Description for the portal.
Ensure that the portal name that you use here is not used for any other end-user portals.
Step 3 Use the Languages menu to export and import language files to use with the portal.
Step 4 Update the default values for certificate group tags, languages and so on in Portal Settings, and define behavior that applies to the overall portal.
• HTTPS port—Enter a port value between 8000 to 8999; the default value is 8443 for all the default...

Page 394

◦ The interfaces you enable here must be available on all your PSNs, including VM-based ones when Policy Services is turned on. This is required because any of these PSNs can be used for a redirect at the start of the guest session.
◦ The portal certificate Subject Name / Alternate Subject Name must resolve to the interface IP.
◦ Configure ip host x.x.x.x yyy.domain.com in ISE CLI to map secondary interface IP to FQDN, which is used to match Certificate Subject Name / Alternate Subject Name.
• Certificate group tag—Pick a certificate group tag that specifies the certificate to use for the portal’s...

Page 395

Procedure
Step 1 Choose Administration > Device Portal Management > BYOD Portals > Create, Edit or Duplicate.
Step 2 Provide a unique Portal Name and a Description for the portal.
Ensure that the portal name that you use here is not used for any other end-user portals.
Step 3 Use the Language File drop-down menu to export and import language files to use with the portal.
Step 4 Update the default values for ports, certificate group tags, endpoint identity groups and so on in Portal Settings, and define behavior that applies to the overall portal.
Step...

Page 396

Create a Client Provisioning Portal
You can provide a Client Provisioning portal to enable employees to download either the Cisco AnyConnect posture component or the Cisco NAC agent, which verifies the posture compliance of the device before allowing access to the network.
You can create a new Client Provisioning portal, or you can edit or duplicate an existing one. You can delete any Client Provisioning portal, including the default portal provided by Cisco ISE.
Any changes that you make to the Page Settings on the Portal Behavior and Flow Settings tab are reflected...

Page 397

Step 7 Click Save and then Close.
What to Do Next
You must authorize the portal in order to use it. You can also customize your portal either before or after you authorize it for use.
Related Topics
Authorize Portals, on page 314
Customize Device Portals, on page 355
Create an MDM Portal
You can provide a Mobile Device Management (MDM) portal to enable employees to manage their mobile devices that are registered for use on your corporate network.
You can create a new MDM portal, or you can edit or duplicate an existing one. You can delete any MDM...

Page 398

• Non-compliant—When the device being enrolled is not compliant with the requirements of the MDM system.
• Continue—When the device should try connecting to the network in case of connectivity issues.
• Enroll—When the device requires the MDM agent and needs to be enrolled in the MDM system.
Step 7 Click Save and then Close.
What to Do Next
You must authorize the portal in order to use it. You can also customize your portal either before or after you authorize it for use. Also see the following topics:
• Add Certificates, on page 344
• Create Endpoint Identity Groups, on page 346...

Page 399

• Acceptable Use Policy (AUP) Page Settings—Add a separate AUP page and define the acceptable use policy behavior for employees.
• Post-Login Banner Page Settings—Notify employees of additional information after they log in to the portal.
• Employee Change Password Settings—Allow employees to change their own passwords. This option is enabled only if the employee is part of the Internal Users database.
Step 6 In the Portal Page Customization tab, customize the following information that appears in the My Devices portal during registration and management:...

Page 400

Before You Begin
If you do not plan to use a default portal, you must first create the portal so you can associate the portal name with the authorization profile.
Procedure
Step 1 Choose Policy > Policy Elements > Results > Authorization > Authorization Profiles.
Step 2 Create an authorization profile using the name of the portal that you want to authorize for use.
What to Do Next
You should create a portal authorization policy rule that uses the newly created authorization profile.
Create Authorization Policy Rules...