Cisco Ise 13 User Guide
Page 551
The updated OUI database is available for any ISE deployment as a feed that Cisco ISE downloads to its own database. Cisco ISE updates endpoints and then starts reprofiling endpoints.
The designated Cisco feed server is located at https://ise.cisco.com:8443/feedserver/. If you have any issues accessing the service, ensure that your network security components (like a firewall or proxy server, for example) allow direct access to this URL.
Configure Profiler Feed Service
The Profiler Feed Service retrieves new and updated endpoint profiling policies and MAC OUI database...
Page 552
Procedure
Step 1 Choose Administration > Certificates > Trusted Certificates, and check if Verisign Class 3 Public Primary Certification Authority and Verisign Class 3 Server CA-G3 are enabled.
Step 2 Choose Administration > Feed Service > Profiler.
Step 3 Check the Enable Profiler Feed Service check box.
Step 4 Enter time in HH:MM format (local time zone of the Cisco ISE server) in the Feed Service Scheduler section. By default, Cisco ISE feed service is scheduled at 1.00 AM every day.
Step...
Page 553
Procedure
Step 1 Choose Administration > Feed Service > Profiler.
Step 2 Check the Enable Profiler Feed Service check box.
Step 3 Click Go to Update Report Page if you want to view the configuration changes made in the Change Configuration Audit report.
Step 4 Click Undo Latest.
Profiler Reports
Cisco ISE provides you with various reports on endpoint profiling, and troubleshooting tools that you can use to manage your network. You can generate reports for historical as well as current data. You may be able to...
Page 554
and CAMs periodically pull the list of MAC addresses of endpoints and their corresponding profiles and the list of all the profile names, from Cisco ISE.
You must export the contents of the X509 Certificate from the Clean Access Manager in Administration > Clean Access Manager > SSL, and import it into the Primary PAN under Administration > System > Certificates > Trusted Certificates Store in Cisco ISE for a proper secure communication between Cisco ISE and CAM.
For more information on how to set up a pair of CAMs for high availability, see the link below.
Cisco ISE Profiler and Cisco Clean...
Page 555
Procedure
Step 1 Choose Administration > Network Resources > NAC Managers.
Step 2 Click Add.
Step 3 Enter the name for the Cisco Access Manager.
Step 4 Click the Status check box to enable REST API communication from the Cisco ISE profiler that authenticates connectivity to the CAM.
Step 5 Enter the IP address for the CAM except the following IP addresses: 0.0.0.0 and 255.255.255.255.
Step 6 Enter the username and password of the CAM administrator that you use to log in to the user interface of the CAM.
Step 7 Click Submit.
Create Endpoints with Static Assignments of Policies...
Page 556
Import Endpoints from CSV Files
You can import endpoints from a CSV file for which you have already exported endpoints from a Cisco ISE server, or a CSV file that you have created from Cisco ISE and updated with endpoint details.
The file format has to be in the format as specified in the default import template so that the list of endpoints appears as follows: MAC, Endpoint Policy, Endpoint Identity Group.
Both endpoint policy and endpoint identity group are optional for importing endpoints in a CSV file. If you...
Page 557
Unknown Endpoints Reprofiled During Import
If the file used for import contains endpoints that have their MAC addresses, and their assigned endpoint profiling policies is the Unknown profile, then those endpoints are immediately reprofiled in Cisco ISE to the matching endpoint profiling policies during import. However, they are not statically assigned to the Unknown profile. If endpoints do not have endpoint profiling policies assigned to them in the CSV file, then they are assigned to the Unknown profile, and then reprofiled to the matching endpoint profiling policies. See below...
Page 558
Table 46: Invalid Profiles: Import from a File
MAC Address | Endpoint Profiling Policy Assigned Before Import in Cisco ISE | Endpoint Profiling Policy Assigned After Import in Cisco ISE
00:00:00:00:01:02 | Unknown. | Xerox-Device
00:00:00:00:01:05 | If an endpoint such as 00:00:00:00:01:05 is assigned to an invalid profile other than the profiles that are available in Cisco ISE, then Cisco ISE displays a warning message that the policy name is invalid and the endpoint will not be imported. | The endpoint is not imported because there is no matching profile in Cisco ISE.
...
Page 559
Procedure
Step 1 Choose Administration > Identity Management > Identities > Endpoints.
Step 2 Click Export, and choose one of the following:
• Export Selected—You can export only the selected endpoints in the Endpoints page.
• Export All—By default, you can export all the endpoints in the Endpoints page.
Step 3 Click OK to save the profiler_endpoints.csv file.
Identified Endpoints
Cisco ISE displays identified endpoints that connect to your network and use resources on your network in...
Page 560
database only when significant attributes change in the endpoints, and replicated to the other Policy Service nodes database.
The following are the significant attributes:
• ip
• EndPointPolicy
• MatchedValue
• StaticAssignment
• StaticGroupAssignment
• MatchedPolicyID
• NmapSubnetScanID
• PortalUser
• DeviceRegistrationStatus
• BYODRegistration
When you change endpoint profile definitions in Cisco ISE, all endpoints have to be reprofiled. A Policy Service node that collects the attributes of endpoints is responsible for reprofiling of those endpoints....