
Cisco Ise 13 User Guide


Page 491

To define authorization conditions that are based on an endpoint identity group that has been previously authenticated, Cisco ISE supports authorization that was defined during endpoint identity group 802.1X authentication status. When Cisco ISE performs 802.1X authentication, it extracts the MAC address from the “Calling-Station-ID” field in the RADIUS request and uses this value to look up and populate the session cache for the device's endpoint identity group (defined as an endpoint ID group attribute)....

Page 492

Configure Permissions for New Standard Authorization Profiles
Procedure
Step 1 Choose Policy > Policy Elements > Results > Authorization > Authorization Profiles.
Step 2 Click Add.
Step 3 Enter values as required to configure a new authorization profile. Supported characters for the name field are: space, ! # $ % & ‘ ( ) * + , - . / ; = ? @ _ {.
Step 4 Click Submit to save your changes to the Cisco ISE system database to create an authorization profile.
Downloadable ACLs
You can define DACLs for the Access-Accept message to return. Use ACLs to prevent unwanted traffic from...

Page 493

Supported Downloadable ACL Format for Inline Posture Node
The following format is supported for DACLs:
ACTION PROTOCOL SOURCE_SUBNET WILDCARD_MASK [OPERATOR [PORT]] DEST_SUBNET WILDCARD_MASK [OPERATOR [PORT]] [ICMP_TYPE_CODE]
Table 24: DACL Format - Options
Option | Description
ACTION | Specifies whether the policy element permissions should permit or deny access.
PROTOCOL | Specifies any one of the following protocols: ICMP, UDP, TCP, IP
SOURCE_SUBNET | Specifies the source subnet format as ‘any’.
Specifies any one of the following destination subnet...

Page 494

Option | Description
ICMP_TYPE_CODE | Specifies any one of the following ICMP type codes:
• 0 — Echo reply
• 8 — Echo request
• 3:[0-15] — Destination unreachable
• 5:[0-3] — ICMP redirects
Examples of acceptable ACL Format:
permit tcp any host 192.168.1.100 eq 80 — permits www traffic from anywhere to host 192.168.1.100
permit udp any eq 68 any eq 67 — permits dhcp traffic
permit icmp any any 8, permit icmp any any 0 — allows icmp echo-request and echo-reply
deny icmp any any 5:0 — denies icmp network redirects...
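A checker for the DACL line format above, added here as an example (it is not Cisco's code, and the function names are hypothetical). It accepts only what this excerpt shows: source `any`, destination `any` or `host <IPv4>`, the `eq` operator, and the listed ICMP type codes. The destination and operator options are cut off in the excerpt, so other forms are reported as not covered rather than as invalid.

```python
import ipaddress
import re

ACTIONS = {"permit", "deny"}
PROTOCOLS = {"icmp", "udp", "tcp", "ip"}
# ICMP type codes listed in the excerpt: 0, 8, 3:[0-15], 5:[0-3]
ICMP_CODE = re.compile(r"0|8|3:(1[0-5]|\d)|5:[0-3]")

def _take_port(tokens, proto):
    """Consume an optional 'eq PORT' pair in place; return an error or None."""
    if not tokens or tokens[0] != "eq":
        return None
    if proto not in ("tcp", "udp"):  # assumption of this checker, not from the page
        return "port operator used with a protocol that has no ports"
    if len(tokens) < 2 or not tokens[1].isdecimal() or int(tokens[1]) > 65535:
        return "eq needs a port in 0-65535"
    del tokens[:2]
    return None

def check_dacl_line(line):
    """Return None if the line fits the documented subset, else a reason."""
    t = line.lower().split()
    if len(t) < 4:
        return "too few fields"
    action, proto, src, rest = t[0], t[1], t[2], t[3:]
    if action not in ACTIONS:
        return f"unknown action {action!r}"
    if proto not in PROTOCOLS:
        return f"unsupported protocol {proto!r}"
    if src != "any":
        return "source subnet must be 'any'"
    err = _take_port(rest, proto)      # optional source port
    if err:
        return err
    if rest[:1] == ["any"]:
        del rest[:1]
    elif rest[:1] == ["host"]:
        try:
            ipaddress.IPv4Address(rest[1])
        except (IndexError, ValueError):
            return "host needs an IPv4 address"
        del rest[:2]
    else:
        return "destination form not covered by this checker"
    err = _take_port(rest, proto)      # optional destination port
    if err:
        return err
    if proto == "icmp" and rest and ICMP_CODE.fullmatch(rest[0]):
        del rest[:1]
    return f"unexpected tokens: {' '.join(rest)}" if rest else None
```

Running each DACL line through `check_dacl_line` before pasting it into an authorization profile catches entries such as an out-of-range ICMP redirect code or a non-`any` source that the documented format does not allow.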

Page 495

cache, this affects how Cisco ISE assigns permissions for the user that requests authentication in the following ways:
• If the Calling-Station-ID value matches one found in the Cisco ISE cache, then the authorization profile for a successful authorization is assigned.
• If the Calling-Station-ID value is not found to match one in the Cisco ISE cache, then the authorization profile for a successful user authentication without machine authentication is assigned.
Cisco Identity Services Engine Administrator Guide, Release 1.3    
449
Machine Access Restriction for...

Page 496

Machine Access Restriction for Active Directory User Authorization 

Page 497

CHAPTER 21
Cisco ISE Endpoint Profiling Policies
• Cisco ISE Profiling Service
• Configure Profiling Service in Cisco ISE Nodes
• Network Probes Used by Profiling Service
• Configure Probes per Cisco ISE Node
• Setup CoA, SNMP RO Community, and Endpoint Attribute Filter
• Attribute Filters for ISE Database Persistence and Performance
• Attributes Collection from IOS Sensor Embedded Switches
• Profiler Conditions
• Profiling Network Scan Actions
• Create a Profiler Condition...

Page 498

• Profiler Reports
Cisco ISE Profiling Service
The profiling service in Cisco Identity Services Engine (ISE) identifies the devices that connect to your network and their location. The endpoints are profiled based on the endpoint profiling policies configured in Cisco ISE. Cisco ISE then grants permission to the endpoints to access the resources in your network based on the result of the policy evaluation.
The profiling service:
• Facilitates an efficient and effective deployment and ongoing management of authentication by using...

Page 499

• EventHandler — An internal queue that disconnects a fast component, which feeds data to a slower processing component (typically related to a database query).
Endpoint Cache
• maxEndPointsInLocalDb = 100000 (endpoint objects in cache)
• endPointsPurgeIntervalSec = 300 (endpoint cache purge thread interval in seconds)
• numberOfProfilingThreads = 8 (number of threads)
The limit is applicable to all profiler internal event handlers. A monitoring alarm is triggered when queue size limit is reached.
Cisco ISE Profiler Queue Size Limits...

Page 500

b) Check the Enable Profiling Services check box to run the profiling service.
Step 6 Click Save to save the node configuration.
Network Probes Used by Profiling Service
Network probe is a method used to collect an attribute or a set of attributes from an endpoint on your network. The probe allows you to create or update endpoints with their matched profile in the Cisco ISE database.
Cisco ISE can profile devices using a number of network probes that analyze the behavior of devices on the network and determine the type of the device. Network probes help you to gain more network visibility.
IP...