Cisco Ise 13 User Guide
Page 661
4. If the device does not hold a TrustSec AAA server list, or the generation ID is different from the generation ID that is received, the device sends another request to get the AAA server list content.
5. If the device does not hold an SGT table listed in the response, or the generation ID is different from the generation ID that is received, the device sends another request to get the content of that SGT table.
Environment CoA Triggers
An Environment CoA can be triggered for:
• Network devices
• Security groups
• AAA servers
Trigger Environment CoA for Network Devices...
Page 662
Procedure
Step 1 Choose Administration > Network Resources > TrustSec AAA Servers.
Step 2 In the TrustSec AAA Servers page create, delete or update the configuration of a TrustSec AAA server. This triggers an environment change.
Step 3 Click the Push button to initiate an environment CoA notification after you configure multiple TrustSec AAA servers. This environment CoA notification goes to all TrustSec network devices and provides an update of all TrustSec AAA servers that were changed.
Trigger Environment CoA for NDAC Policy...
Page 663
• If the SGACL is part of an egress cell that the device holds. The device holds a subset of the egress policy data, which are the cells related to the SGTs of its neighboring devices and endpoints (egress policy columns of selected destination SGTs).
• The generation ID in the CoA notification is different from the generation ID that the device holds for this SGACL.
3. In response to the SGACL data request, Cisco ISE returns the content of the SGACL (the ACE).
Initiate an Update SGACL Named List CoA
To trigger an Update SGACL Named List CoA, complete the following steps:
Procedure
Step...
Page 664
Policies Update CoA Notification Flow
The following figure depicts the Policies CoA Notification flow.
Figure 38: Policies CoA Notification flow
1. Cisco ISE sends an update policies CoA notification to a TrustSec network device. The notification may contain multiple SGACL names and their generation IDs, and multiple SGT values and their generation IDs.
2. The device may reply with multiple SGACL data requests and/or multiple SGT data.
3. In response to each SGACL data request or SGT data request, Cisco ISE returns the relevant data.
Cisco Identity Services Engine...
Page 665
Update SGT Matrix CoA Flow
The following figure depicts the Update SGT Matrix CoA flow.
Figure 39: Update SGT Matrix CoA flow
1. Cisco ISE sends an updated SGT matrix CoA notification to a TrustSec network device. The notification contains the SGT value and the generation ID.
2. The device may reply with an SGT data request if both of the following terms are fulfilled:
• If the SGT is the SGT of a neighboring device or endpoint, the device downloads and holds the cells related to SGTs of neighboring devices and endpoints (a destination SGT)....
Page 666
TrustSec CoA Summary
The following table summarizes the various scenarios that may require initiating a TrustSec CoA, the type of CoA used in each scenario, and the related UI pages.
Table 51: TrustSec CoA Summary
Send to | CoA type | How it is triggered | Operation that triggers CoA | UI Page
The specific network device | Environment | Upon successful Submit of TrustSec network device | Changing the environment TTL in the TrustSec section of the page | Network Device
All TrustSec network devices | Environment | Accumulative changes can be pushed by clicking the Push button...
Page 667
Run Top N RBACL Drops by User Report
You can run the Top N RBACL Drops by User report to see the policy violations (based on packet drops) by specific users.
Procedure
Step 1 From the Cisco ISE Admin dashboard, select Operations > Reports > ISE Reports > TrustSec.
Step 2 Click Top N RBACL Drops by User.
Step 3 From the Filters drop-down menu, add the required monitor modes.
Step 4 Enter the values for the selected parameters accordingly. You can specify the mode from the Enforcement mode drop-down list as Enforce, Monitor, or Both.
Step...
Page 668
Cisco Identity Services Engine Administrator Guide, Release 1.3 622 Run Top N RBACL Drops by User Report
Page 669
PART VI
Monitoring and Troubleshooting Cisco ISE
• Monitoring and Troubleshooting, page 625
• Reports, page 661