Cisco Ise 13 User Guide

Here you can view all the pages of manual Cisco Ise 13 User Guide. The Cisco manuals for Interface are available online for free. You can easily download all the documents as PDF.

Page 651

Export Egress Policy
Procedure
Step 1 Choose Policy > TrustSec > Egress Policy > Matrix.
Step 2 Click Export.
Step 3 Save the CSV file to your local system.
Import Egress Policy
You can create the egress policy offline and then import it into Cisco ISE. If you have a large number of
security group tags, then creating the security group ACL mapping one by one might take some time. Instead,
creating the egress policy offline and importing it into Cisco ISE saves time for you. During import, Cisco...

Page 652

Procedure
Step 1 Choose Policy > TrustSec > Egress Policy.
Step 2 From the Source or Destination Tree View page, choose Configure > Create New Security Group.
Step 3 Enter the required details and click Submit.
Monitor Mode
The Monitor All option in the egress policy allows you to change the entire egress policy configuration status
to monitor mode with a single click. Check the Monitor All check box in the egress policy page to change
the egress policy configuration status of all the cells to monitor mode. When you check the Monitor All check...

Page 653

Default Policy
Default Policy refers to the cell. Any source SGT is mapped to any destination SGT. Here, the
ANY SGT cannot be modified and it is not listed in any source or destination SGTs. The ANY SGT can only
be paired with ANY SGT. It cannot be paired with any other SGTs. A TrustSec network device attaches the
default policy to the end of the specific cell policy.
• If a cell is empty, that means it contains the default policy alone.
• If a cell contains some policy, the resulting policy is a combination of the cell specific policy followed
by the default policy....

Page 654

Configure NDAC Authorization
Before You Begin
• Ensure that you create the security groups for use in the policy.
• To perform the following task, you must be a Super Admin or System Admin.
Procedure
Step 1 Choose Policy > TrustSec > Network Device Authorization.
Step 2 Click the Action icon on the right-hand side of the Default Rule row, and click Insert New Row Above.
Step 3 Enter the name for this rule.
Step 4 Click the plus sign (+) next to Conditions to add a policy condition.
Step 5 You can click Create New Condition (Advance Option) and create a new condition.
Step...

Page 655

Procedure
Step 1 Choose Policy > Authorization.
Step 2 Create a new authorization policy.
Step 3 Select a security group, for Permissions.
If the conditions specified in this authorization policy are true for a user or endpoint, then this security group
will be assigned to that user or endpoint and all data packets that are sent by this user or endpoint will be
tagged with this particular SGT.
Add Single IP-to-SGT Mappings
Before You Begin
To perform the following task, you must be a Super Admin or System Admin.
Procedure
Step...

Page 656

Procedure
Step 1 Choose Policy > Policy Elements > Results > TrustSec > Security Group Mappings > Groups.
Step 2 Click Add to add a new group IP-SGT mapping.
Step 3 Enter a Name and a Description for the new group.
Step 4 Enter the Security Group Tag to which this group will be mapped.
Step 5 Choose the destination network device on which you want to deploy this mapping. You can deploy the
mappings on all TrustSec devices, on selected network device groups, or on selected network devices.
Step 6 Click Submit.
Import Security Group Mappings Hosts...

Page 657

Procedure
Step 1 Choose Policy > Policy Elements > Results > TrustSec > Security Group Mappings > Hosts.
Step 2 Click Export.
Step 3 To export security group mappings hosts, you can do one of the following:
• Check the check boxes next to the hosts that you want to export, and choose Export > Export Selected.
• Choose Export > Export All to export all the security group mappings hosts that are defined.
Step 4 Save the export.csv file to your local hard disk.
Deploy IP-to-SGT Mappings
After you add IP-to-SGT mappings to Cisco ISE you must deploy these to the target network device. You...

Page 658

TrustSec Configuration and Policy Push
Cisco ISE supports Change of Authorization (CoA) which allows Cisco ISE to notify TrustSec devices about
TrustSec configuration and policy changes, so that the devices can reply with requests to get the relevant data.
A CoA notification can trigger a TrustSec network device to send either an Environment CoA or a Policy
CoA.
You can also push a configuration change to devices that do not intrinsically support the TrustSec CoA feature.
CoA Supported Network Devices
Cisco ISE sends CoA notifications to the following network devices:...

Page 659

Step 3 Scroll down to Advanced TrustSec Settings, and in the TrustSec Notifications and Updates section, check
the Send configuration changes to device check box, and click the CLI (SSH) radio button.
Step 4 (Optional) Provide an SSH key.
Step 5 Check the Include this device when deploying Security Group Tag Mapping Updates check box, for this
SGA device to obtain the IP-SGT mappings using device interface credentials.
Step 6 Enter the user name and password of the user having privileges to edit the device configuration in the Exec
mode.
Step...

Page 660

b) Scroll down to Advanced TrustSec Settings, and in the TrustSec Notifications and Updates section,
check the Send configuration changes to device check box, and click the CLI (SSH) radio button.
c) In the SSH Key field, paste the SSH key retrieved previously from the network device.
d) Click Submit at the bottom of the page.
The network device is now communicating with the Cisco ISE using SSH key validation.
Environment CoA Notification Flow
The following figure depicts the Environment CoA notification flow.
Figure 36: Environment CoA Notification Flow...