
Cisco Ise 13 User Guide

Here you can view all the pages of manual Cisco Ise 13 User Guide. The Cisco manuals for Interface are available online for free. You can easily download all the documents as PDF.

Page 481

• Authentication Summary
Cisco Identity Services Engine Administrator Guide, Release 1.3    
435
View Authentication Results 

Page 482


Page 483

CHAPTER 20
Manage Authorization Policies and Profiles
• Cisco ISE Authorization Policies, page 437
• Cisco ISE Authorization Profiles, page 437
• Default Authorization Policy, Rule, and Profile Configuration, page 441
• Configure Authorization Policies, page 443
• Permissions for Authorization Profiles, page 445
• Downloadable ACLs, page 446
• Machine Access Restriction for Active Directory User Authorization, page 448
Cisco ISE Authorization Policies
Authorization policies are a component of the Cisco ISE network authorization service. This service allows...

Page 484

• Standard profiles
• Exception profiles
• Device-based profiles
Profiles consist of attributes chosen from a set of resources, which are stored in any of the available vendor dictionaries, and these are returned when the compound condition for the specific authorization policy matches. Because authorization policies can include compound condition mapping to a single network service rule, these can also include a list of authorization checks.
For simple scenarios, all authorization checks are made using the AND Boolean operator within the rule. For...

Page 485

• An associated DACL
• An associated VLAN
• An associated SGACL
• Any number of other dictionary-based attributes
Authorization Policy
An authorization policy can consist of a single rule or a set of rules that are user-defined. These rules act to create a specific policy. For example, a standard policy can include the rule name using an If-Then convention that links a value entered for identity groups with specific conditions or attributes to produce a specific set of permissions that create a unique authorization profile. There are two authorization policy options you can set:...

Page 486

Verifications typically include one or more conditions that include a user-defined name that can then be added to a library and reused by other policies. You define conditions using the attributes from the Cisco ISE dictionary, which supports the following dictionaries:
• System-defined dictionary:
  ◦ RADIUS
• RADIUS-vendor dictionaries
  ◦ Airespace
  ◦ Cisco
  ◦ Cisco-BBSM
  ◦ Cisco-VPN3000
  ◦ Microsoft
Guidelines for Configuring Authorization Policies and Profiles
Observe the following guidelines when managing or administering authorization policies and profiles:...

Page 487

Default Authorization Policy, Rule, and Profile Configuration
The Cisco ISE software comes installed with a number of preinstalled default conditions, rules, and profiles that provide common settings that make it easier for you to create the rules and policies required in Cisco ISE authorization policies and profiles.
The table describes built-in configuration defaults that contain specified values in Cisco ISE.
Table 23: Authorization Policy, Profile, and Rule Configuration Defaults
Columns: Name; Path in the User Interface; Description; Additional Information...

Page 488

Name: Blacklist_Access
Path in the User Interface: Policy > Policy Elements > Results > Authorization Profiles > Blacklist_Access
Description: This authorization profile rejects access to devices that are blacklisted. All blacklisted devices are redirected to the following URL: https://ip:port/blacklistportal/gateway?portal=PortalID
Additional Information: This default authorization profile is applied for all endpoints that are declared as “lost” in the My Devices Portal.

Additional Information: This default authorization profile uses the DACL and...

Page 489

Name: BlackList Default Authorization Rule
Path in the User Interface: Policy > Authorization Policy
Description: This authorization policy uses a configuration default rule with the following values:
• Rule Name: BlackList Default
• Endpoint Identity Group: Blacklist
• Conditions: Any
• Permissions/Authorization Profile: Blacklist_Access
Additional Information: This default rule is designed to appropriately provision “lost” user devices until they are either removed from the system or “reinstated.”

Additional Information: This default rule uses Cisco IP...

Page 490

Before You Begin
Before you begin this procedure, you should have a basic understanding of simple and rule-based conditions, the basic building blocks of identity groups, conditions, and permissions, and how they are used in the Admin portal.
Procedure
Step 1 Choose Policy > Authorization > Standard.
Step 2 Click the down arrow on the far-right and select either Insert New Rule Above or Insert New Rule Below.
Step 3 Enter the rule name and select identity group, condition, attribute and permission for the authorization policy....