
Cisco Ise 13 User Guide


Page 641

Procedure
Step 1 Choose Administration > System > Settings > TrustSec Settings.
Step 2 Enter the values in the fields.
Step 3 Click Save.
What to Do Next
• Configure TrustSec Devices, on page 595
Configure TrustSec Devices
For Cisco ISE to process requests from TrustSec-enabled devices, you must define these TrustSec-enabled devices in Cisco ISE.
Procedure
Step 1 Choose Administration > Network Resources > Network Devices.
Step 2 Click Add.
Step 3 Enter the required information in the Network Devices section.
Step...

Page 642

Generate a TrustSec PAC from the Settings Screen
You can generate a TrustSec PAC from the Settings screen.
Procedure
Step 1 Choose Administration > System > Settings.
Step 2 From the Settings navigation pane on the left, click Protocols.
Step 3 Choose EAP-FAST > Generate PAC.
Step 4 Generate TrustSec PAC.
Generate a TrustSec PAC from the Network Devices Screen
You can generate a TrustSec PAC from the Network Devices screen.
Procedure
Step 1 Choose Administration > Network Resources > Network Devices.
Step...

Page 643

Generate a TrustSec PAC from the Network Devices List Screen
You can generate a TrustSec PAC from the Network Devices list screen.
Procedure
Step 1 Choose Administration > Network Resources > Network Devices.
Step 2 Click Network Devices.
Step 3 Check the check box next to a device for which you want to generate the TrustSec PAC and click Generate PAC.
Step 4 Provide the details in the fields.
Step 5 Click Generate PAC.
Push Button
The Push option in the egress policy initiates a CoA notification that calls the Trustsec devices to immediately...

Page 644

• Name—Name that you want to assign to the Cisco ISE server in this AAA Server list. This name can be different from the hostname of the Cisco ISE server.
• Description—An optional description.
• IP—IP address of the Cisco ISE server that you are adding to the AAA Server list.
• Port—Port over which communication between the TrustSec device and server should take place. The default is 1812.
Step 4 Click Submit.
What to Do Next
Configure Security Groups.
Security Groups Configuration...

Page 645

Procedure
Step 1 Choose Policy > Policy Elements > Results > TrustSec > Security Groups.
Step 2 Click Add to add a new security group.
Step 3 Enter a name and description (optional) for the new security group.
Step 4 Enter a Tag Value. The tag value can be set to be entered manually or autogenerated. You can also reserve a range for the SGT. You can configure it from the Trustsec global settings page under Administration > System > Settings > TrustSec Settings.
Step 5 Click Save.
What to Do Next
Configure Security Group Access Control Lists
Import Security Groups into Cisco ISE...

Page 646

Procedure
Step 1 Choose Policy > Policy Elements > Results > TrustSec > Security Groups.
Step 2 Click Export.
Step 3 To export security groups, you can do one of the following:
• Check the check boxes next to the group that you want to export, and choose Export > Export Selected.
• Choose Export > Export All to export all the security groups that are defined.
Step 4 Save the export.csv file to your local hard disk.
Add Security Group Access Control Lists
Before You Begin
To perform the following task, you must be a Super Admin or System Admin.
Procedure
Step...

Page 647

Permit_Web_SGACL
permit tcp dst eq 80
permit tcp dst eq 443
deny ip
Deny_JumpHost_Protocols
deny tcp dst eq 23
deny tcp dst eq 23
deny tcp dst eq 3389
permit ip
The following table lists syntax for SGACL for IOS, IOS XE and NX-OS operating systems.
SGACL CLI and ACEs | Syntax common across IOS, IOS XE, and NX-OS
config acl | deny, exit, no, permit
deny, permit | ahp, eigrp, gre, icmp, igmp, ip, nos, ospf, pcp, pim, tcp, udp
deny tcp, deny tcp src, deny tcp dst | dst, log, src
deny tcp dst eq, deny tcp src eq | port number
deny udp, deny udp src, deny udp dest... | Dst, log, src

Page 648

Each combination of a source SGT to a destination SGT is a cell in the Egress Policy.
You can view the Egress Policy in the Policy > TrustSec > Egress Policy page.
You can view the Egress policy in three different ways:
• Source Tree View
• Destination Tree View
• Matrix View
Source Tree View
The Source Tree view lists a compact and organized view of source SGTs in a collapsed state. You can expand any source SGT to see the internal table that lists all information related to that selected source SGT. This...

Page 649

• Unmapped cells—When a source and destination pair of SGTs is not related to any SGACLs and has no specified status.
The Egress Policy cell displays the source SGT, the destination SGT, and the Final Catch All Rule as a single list under SGACLs, separated by commas. The Final Catch All Rule is not displayed if it is set to None. An empty cell in a matrix represents an unmapped cell.
In the Egress Policy matrix view, you can scroll across the matrix to view the required set of cells. The browser does not load the entire matrix data at once. The browser requests the server for the data that falls in the area...

Page 650

Procedure
Step 1 Choose Policy > TrustSec > Egress Policy.
Step 2 From the Source or Destination Tree View page, choose Configure > Create New Security Group ACL.
Step 3 Enter the required details and click Submit.
Egress Policy Table Cells Configuration
Cisco ISE allows you to configure cells using various options that are available in the toolbar. Cisco ISE does not allow a cell configuration if the selected source and destination SGTs are identical to a mapped cell.
Add the Mapping of Egress Policy Cells
You can add the mapping cell for Egress Policy from the Policy page....