Cisco Ise 13 User Guide
Here you can view all the pages of manual Cisco Ise 13 User Guide. The Cisco manuals for Interface are available online for free. You can easily download all the documents as PDF.
Page 541
UDP Ports                     TCP Ports
Service        Ports          Service        Ports
ntp            123/udp        smtp           25/tcp
msrpc          135/udp        domain         53/tcp
netbios-ns     137/udp        http           80/tcp
netbios-dgm    138/udp        pop3           110/tcp
netbios-ssn    139/udp        msrpc          135/tcp
snmp           161/udp        netbios-ssn    139/tcp
microsoft-ds   445/udp        imap           143/tcp
isakmp         500/udp        https          443/tcp
route          520/udp        microsoft-ds   445/tcp
ms-sql-m       1434/udp       ms-term-serv   3389/tcp
upnp           1900/udp       http-proxy     8080/tcp

Create Endpoints with Static Assignments of Policies and Identity Groups...
Page 542
Procedure
Step 1 Choose Administration > Identity Management > Identities > Endpoints.
Step 2 Click Add.
Step 3 Enter the MAC address of an endpoint in hexadecimal format and separated by a colon.
Step 4 Choose a matching endpoint policy from the Policy Assignment drop-down list to change the static assignment status from dynamic to static.
Step 5 Check the Static Assignment check box to change the status of static assignment that is assigned to the endpoint from dynamic to static.
Step...
Page 543
Default Import Template Available for Endpoints
You can generate a template in which you can update endpoints that can be used to import endpoints. By default, you can use the Generate a Template link to create a CSV file in the Microsoft Office Excel application and save the file locally on your system. The file can be found in Administration > Identity Management > Identities > Endpoints > Import > Import From File. You can use the Generate a Template link to create a template, and the Cisco ISE server will display the Opening template.csv dialog. This dialog allows you to...
Page 544
Static Assignments of Policies and Identity Groups for Endpoints Retained During Import
If the file used for import contains endpoints that have their MAC addresses, and their assigned endpoint profiling policy is the static assignment, then they are not reprofiled during import. See below how Cisco ISE retains the Cisco-Device profile, the static assignment of an endpoint during import.
Table 41: Static Assignment: Import From a File
Endpoint Profiling Policy Assigned After Import in Cisco ISE
Endpoint Profiling Policy Assigned Before Import in...
Page 545
Procedure
Step 1 Choose Administration > Identity Management > Identities > Endpoints > Import > Import From LDAP.
Step 2 Enter the values for the connection settings.
Step 3 Enter the values for the query settings.
Step 4 Click Submit.

Export Endpoints with Comma-Separated Values File
You can export selected or all endpoints from a Cisco ISE server to different Cisco ISE servers in a comma-separated values (CSV) file in which endpoints are listed with their MAC addresses, endpoint profiling policies, and endpoint identity groups to which they are assigned....
Page 546
Dynamically Profiled Endpoints
When endpoints are discovered on your network, they can be profiled dynamically based on the configured endpoint profiling policies, and assigned to the matching endpoint identity groups depending on their profiles.

Statically Profiled Endpoints
An endpoint can be profiled statically when you create an endpoint with its MAC address and associate a profile to it along with an endpoint identity group in Cisco ISE. Cisco ISE does not reassign the profiling policy and the identity group for statically assigned endpoints.

Unknown...
Page 547
When a significant attribute changes in the endpoint, attributes of the endpoint are automatically saved in the Administration node database so that you have the latest significant change in the endpoint. If the Policy Service node that owns an endpoint is not available for some reason, then the Administrator ISE node will reprofile an endpoint that lost the owner and you have to configure a new Policy Service node for such endpoints.

Policy Service Nodes in Cluster
Cisco ISE uses Policy Service node group as a cluster that allows the exchange of endpoint attributes when two...
Page 548
Procedure
Step 1 Choose Administration > Identity Management > Groups > Endpoint Identity Groups.
Step 2 Click Add.
Step 3 Enter the name for the endpoint identity group that you want to create (do not include spaces in the name of the endpoint identity group).
Step 4 Enter the description for the endpoint identity group that you want to create.
Step 5 Click the Parent Group drop-down list to choose an endpoint identity group to which you want to associate the newly created endpoint identity group.
Step 6 Click Submit.

Identified Endpoints Grouped in Endpoint Identity Groups...
Page 549
these devices that you added through the device registration portal from the endpoints list in the Endpoints page in Cisco ISE. Devices that you have blacklisted in the device registration portal are assigned to the Blacklist endpoint identity group, and an authorization profile that exists in Cisco ISE redirects blacklisted devices to a URL, which displays “Unauthorised Network Access”, a default portal page to the blacklisted devices.
• Unknown—This endpoint identity group includes endpoints that do not match any profile in Cisco ISE....
Page 550
group, Cisco ISE displays a message that you have successfully removed endpoints from the identity group but reprofiles them back in the endpoint identity group.

Endpoint Identity Groups Used in Authorization Rules
You can effectively use endpoint identity groups in the authorization policies to provide appropriate network access privileges to the discovered endpoints. For example, an authorization rule for all types of Cisco IP Phones is available by default in Cisco ISE in the following location: Policy > Authorization > Standard....