
Cisco ISE 1.3 User Guide

Page 731

Fields | Usage Guidelines
Check this check box to enable any one or all of the following services:
• Enable Session Services—Check this check box to enable network access, posture, guest, and client provisioning services. Choose the group to which this Policy Service node belongs from the Include Node in Node Group drop-down list. Choose if you do not want this Policy Service node to be part of any group. All the nodes within the same node group should be configured on the network access device (NAD) as RADIUS clients and authorized for CoA, because any one...

Page 732

Deploy pxGrid Node, on page 51
Change Node Personas and Services, on page 49
Configure Monitoring Nodes for Automatic Failover, on page 51

Profiling Node Settings

The following table describes the fields on the Profiling Configuration page, which you can use to configure the probes for the profiler service. The navigation path for this page is: Administration > System > Deployment > ISE Node > Edit > Profiling Configuration.

Table 57: Profiling Node Settings
Fields | Usage Guidelines
Check this check box if you want to enable NetFlow per Cisco ISE node that has assumed...

Page 733

Fields | Usage Guidelines
DNS | Check this check box if you want to enable DNS per ISE node that has assumed the Policy Service persona to perform a DNS lookup for the FQDN. Enter the timeout period in seconds.
Note: For the DNS probe to work on a particular Cisco ISE node in a distributed deployment, you must enable any one of the following probes: DHCP, DHCP SPAN, HTTP, RADIUS, or SNMP. For DNS lookup, one of the probes mentioned above must be started along with the DNS probe.
Check this check box if you want to enable SNMP Query per ISE node that has assumed...

Page 734

Table 58: Inline Posture Node Settings
Fields | Usage Guidelines
Basic Information
Time Sync Server | Enter the IP address of the primary, secondary, and tertiary time sync server.
DNS Server | Enter the IP address of the primary, secondary, and tertiary DNS server.
Trusted Interface (to protected network) | Enter the Management VLAN ID (all the other information is automatically populated for these options)
Untrusted Interface (to management network) | Enter the IP Address, Subnet Mask, Default Gateway, and Management VLAN ID for the untrusted interface.
Deployment Modes...

Page 735

Fields | Usage Guidelines
Subnet Mask | Enter the subnet Mask of the device on which to avoid policies
Description | Enter a description of the Subnet Filter.
RADIUS Config
Enter the IP address, shared secret, timeout in seconds, and number of retries for the primary RADIUS server, usually the Policy Service node.
The timeout and retry values should be based on the timeout and retries that you define on the client such as WLC or ASA. We recommend the following: (IPN RADIUS Config Timeout * No. of Retries)

Page 736

Fields | Usage Guidelines
Choose the HA Peer Node from the drop-down list. A list of eligible standalone Inline Posture nodes appears from which to choose. The secondary node syncs to the primary node.
• Replication Status—(Only appears for secondary nodes) Indicates whether incremental replication from the primary node to the secondary node is complete or not. You will see one of the following states:
  ◦ Failed—Incremental database replication has failed.
  ◦ In-Progress—Incremental database replication is currently in progress....

Page 737

Fields | Usage Guidelines
Link Detect Timeout | Enter a Link-Detect Timeout value. The default value of 30 seconds is recommended. However, there is no maximum value. Link-detect ensures that the Inline Posture node maintains communication with the Policy Service node. If the active node does not receive notification (ping) from the Policy Service node at the specified intervals, the active node fails over to the standby node.
Enter a Heart Beat Timeout value. The default value of 30 seconds is recommended. However, there is no maximum value. The heartbeat is a message that is sent between...

Page 738

Fields | Usage Guidelines
Subject Alternative Name (SAN) | An IP address or DNS name that is associated with the certificate.
Key Length | Choose 2048 if you plan to get a public CA-signed certificate.
Digest to Sign With | Choose one of the following hashing algorithms: SHA-1 or SHA-256.
Expiration TTL | Specify the number of days after which the certificate will expire.
Friendly Name | Enter a friendly name for the certificate. If you do not specify a name, Cisco ISE automatically creates a name in the format ## where is a unique five-digit number.
...

Page 739

nodes in a deployment and helps prevent certificate name mismatch warnings. However, use of wildcard certificates is considered less secure than assigning a unique server certificate for each Cisco ISE node.

The following table describes the fields in the Certificate Signing Request (CSR) page, which you can use to generate a CSR that can be signed by a Certificate Authority (CA). The navigation path for this page is: Administration > System > Certificates > Certificate Management > Certificate Signing Request.
Cisco Identity Services Engine Administrator Guide, Release 1.3...

Page 740

Field | Usage Guidelines
Certificate(s) will be used for