
Cisco Ise 13 User Guide


Page 501

Cisco IOS NetFlow Version 5 packets do not contain MAC addresses of endpoints. The attributes that are collected from NetFlow Version 5 cannot be directly added to the Cisco ISE database. You can discover endpoints by using their IP addresses, and append the NetFlow Version 5 attributes to endpoints, which can be done by combining IP addresses of the network access devices and IP addresses obtained from the NetFlow Version 5 attributes. However, these endpoints must have been previously discovered with the RADIUS or SNMP probe....

Page 502

Wireless LAN Controller Configuration in DHCP Bridging Mode
We recommend that you configure wireless LAN controllers (WLCs) in Dynamic Host Configuration Protocol (DHCP) bridging mode, where you can forward all the DHCP packets from the wireless clients to Cisco ISE. You must uncheck the Enable DHCP Proxy check box available in the WLC web interface: Controller > Advanced > DHCP Master Controller Mode > DHCP Parameters. You must also ensure that the DHCP IP helper command points to the Cisco ISE Policy Service node.
DHCP SPAN Probe...

Page 503

the Switched Port Analyzer (SPAN) probe for DHCP and HTTP is enabled, Cisco ISE profiler collects both the DHCP and HTTP traffic.
RADIUS Probe
You can configure Cisco ISE for authentication with RADIUS, where you can define a shared secret that you can use in client-server transactions. With the RADIUS request and response messages that are received from the RADIUS servers, the profiler can collect RADIUS attributes, which can be used for profiling endpoints. Cisco ISE can function as a RADIUS server, and a RADIUS proxy client to other RADIUS servers. When it...

Page 504

SNMP Read Only Community Strings for NMAP Manual Subnet Scan
The NMAP manual subnet scan is augmented with an SNMP Query whenever the scan discovers that UDP port 161 is open on an endpoint that results in more attributes being collected. During the NMAP manual subnet scan, the Network Scan probe detects whether SNMP port 161 is open on the device. If the port is open, an SNMP Query is triggered with a default community string (public) with SNMP version 2c. If the device supports SNMP and the default Read Only community string is set to public, you can obtain the MAC...

Page 505

• The dhcp-requested-address attribute—An attribute collected by the DHCP and DHCP SPAN probes.
• The Source IP attribute—An attribute collected by the HTTP probe
• The Framed-IP-Address attribute—An attribute collected by the RADIUS probe
• The cdpCacheAddress attribute—An attribute collected by the SNMP probe
DNS Lookup with an Inline Posture Node Deployment in Bridged Mode
For the Domain Name Service probe to work with Inline Posture deployment in the Bridged mode, you must...

Page 506

SNMP Query Probe
In addition to configuring the SNMP Query probe in the Edit Node page, you must configure other Simple Management Protocol settings in the following location: Administration > Network Resources > Network Devices.
You can configure SNMP settings in the new network access devices (NADs) in the Network Devices list page. The polling interval that you specify in the SNMP query probe or in the SNMP settings in the network access devices query NADs at regular intervals.
You can turn on and turn off SNMP querying for specific NADs based on the following configurations:...

Page 507

Feature | Feature
Enabled | LLDP interface state
Enabled | LLDP receive
Enabled | LLDP transmit
Enabled to send all LLDP-MED TLVs | LLDP med-tlv-select
CDP and LLDP Capability Codes Displayed in a Single Character
The Attribute List of an endpoint displays a single character value for the lldpCacheCapabilities and lldpCapabilitiesMapSupported attributes. The values are the Capability Codes that are displayed for the network access device that runs CDP and LLDP.
Example 1
lldpCacheCapabilities S
lldpCapabilitiesMapSupported S
Example 2...

Page 508

Note: Cisco ISE does not support SNMP Traps that are received from the Wireless LAN Controllers (WLCs) and Access Points (APs).
Configure Probes per Cisco ISE Node
You can configure one or more probes on the Profiling Configuration tab per Cisco ISE node in your deployment that assumes the Policy Service persona, which could be:
• A standalone node—If you have deployed Cisco ISE on a single node that assumes all Administration, Monitoring, and Policy Service personas by default.
• Multiple nodes—If you have registered more than one node in your deployment that assume Policy...

Page 509

Procedure
Step 1 Choose Administration > System > Settings > Profiling.
Step 2 Choose one of the following settings to configure the CoA type:
• No CoA (default)—You can use this option to disable the global configuration of CoA. This setting overrides any configured CoA per endpoint profiling policy.
• Port Bounce—You can use this option, if the switch port exists with only one session. If the port exists with multiple sessions, then use the Reauth option.
• Reauth—You can use this option to enforce reauthentication of an already authenticated endpoint when it is profiled....

Page 510

• Endpoint deleted—When an endpoint is deleted from the Endpoints page and the endpoint is disconnected or removed from the network.
• An exception action is configured—If you have an exception action configured per profile that leads to an unusual or an unacceptable event from that endpoint. The profiling service moves the endpoint to the corresponding static profile by issuing a CoA.
• An endpoint is profiled for the first time—When an endpoint is not statically assigned and profiled for the first time; for example, the profile changes from an unknown to a known profile....