Cisco Ise 13 User Guide

Here you can view all the pages of manual Cisco Ise 13 User Guide. The Cisco manuals for Interface are available online for free. You can easily download all the documents as PDF.

Page 631

• Turn off Automatic Updates—Windows allows clients to turn off the Windows Automatic Updates feature. Here, clients are vulnerable unless clients install updates regularly, which can be done from the Windows Update Web site link.
You can check whether or not the Windows updates service (wuaserv) is started or stopped in any Windows client by using the pr_AutoUpdateCheck_Rule. This is a predefined Cisco rule, which can be used to create a posture requirement. If the posture requirement fails, the Windows update remediation that you associate...

Page 632

Posture Assessment Requirements
A posture requirement is a set of compound conditions with an associated remediation action that can be linked with a role and an operating system. All the clients connecting to your network must meet mandatory requirements during posture evaluation to become compliant on the network.
Posture-policy requirements can be set to mandatory, optional, or audit types in posture policies. If requirements are optional and clients fail these requirements, then the clients have an option to continue during posture evaluation of endpoints.
Figure 34:...

Page 633

Client System Stuck in Noncompliant State
If a client machine is unable to remediate a mandatory requirement, the posture status changes to “noncompliant” and the agent session is quarantined. To get the client machine past this “noncompliant” state, you need to restart the posture session so that the agent starts posture assessment on the client machine again. You can restart the posture session as follows:
• In wired and wireless Change of Authorization (CoA) in an 802.1X environment:...

Page 634

can be associated with three different authorization policies. To differentiate these authorization policies, you can use the Session:PostureStatus attribute along with other conditions.
Unknown Profile
If no matching posture policy is defined for an endpoint, then the posture compliance status of the endpoint may be set to unknown. A posture compliance status of unknown can also apply to an endpoint where a matching posture policy is enabled but posture assessment has not yet occurred for that endpoint and, therefore no compliance report has been provided by the client agent....

Page 635

• Multiple Matched Rule Applies—This option sets access privileges with multiple authorization policies that are matched during evaluation from the list of all the standard authorization policies
Step 3 Click the down arrow next to Edit in the default standard authorization policy row.
Step 4 Click Insert New Rule Above.
Step 5 Enter a rule name, choose identity groups and other conditions, and associate an authorization profile in the new authorization policy row that appears above the default standard authorization policy row.
Step...

Page 636

   Cisco Identity Services Engine Administrator Guide, Release 1.3
590
Configure Standard Authorization Policies 

Page 637

CHAPTER 24
Cisco TrustSec Policies Configuration
• TrustSec Architecture, page 591
• Configure TrustSec Global Settings, page 594
• Configure TrustSec Devices, page 595
• Configure TrustSec AAA Servers, page 597
• Security Groups Configuration, page 598
• Egress Policy, page 601
• SGT Assignment, page 607
• TrustSec Configuration and Policy Push, page 612
• Run Top N RBACL Drops by User Report, page 621
TrustSec Architecture
The Cisco TrustSec solution establishes clouds of trusted network devices to build secure networks. Each...

Page 638

The following figure shows an example of a TrustSec network cloud.
Figure 35: TrustSec Architecture
TrustSec Components
The key TrustSec components include:
• Network Device Admission Control (NDAC)—In a trusted network, during authentication, each network device (for example Ethernet switch) in a TrustSec cloud is verified for its credential and trustworthiness by its peer device. NDAC uses the IEEE 802.1X port-based authentication and uses Extensible Authentication Protocol-Flexible Authentication via Secure Tunneling (EAP-FAST) as its Extensible...

Page 639

of security policy. As you add devices, you simply assign one or more security groups, and they immediately receive the appropriate permissions. You can modify the security groups to introduce new privileges or restrict current permissions.
• Security Exchange Protocol (SXP)—SGT Exchange Protocol (SXP) is a protocol developed for TrustSec service to propagate the IP-SGT bindings across network devices that do not have SGT-capable hardware support to hardware that supports SGT/SGACL.
• Environment Data Download—The TrustSec device obtains its environment data from Cisco ISE when...

Page 640

Term: Meaning
TrustSec device: Any of the Cisco Catalyst 6000 Series or Cisco Nexus 7000 Series switches that support the TrustSec solution.
TrustSec-capable device: A TrustSec-capable device will have TrustSec-capable hardware and software. For example, the Nexus 7000 Series Switches with the Nexus operating system.
TrustSec seed device: The TrustSec device that authenticates directly against the Cisco ISE server. It acts as both the authenticator and supplicant.
When packets first encounter a TrustSec-capable device that is part of a...