Cisco Ise 13 User Guide

Page 741

Usage Guidelines | Field
Choose the service for which you are going to use the certificate:
Cisco ISE Identity Certificates
• Admin—Used for server authentication (to secure communication with the Admin portal and between ISE nodes in a deployment). The certificate template on the signing CA is often called a Web Server certificate template. This template has the following properties:
◦ Key Usage: Digital Signature (Signing)
◦ Extended Key Usage: TLS Web Server Authentication (1.3.6.1.5.5.7.3.1)
• EAP Authentication—Used for server authentication. The certificate template...

Page 742

Usage Guidelines | Field
acts as an intermediate CA of an external PKI) Used to generate an intermediate CA certificate on the Primary PAN and subordinate CA certificates on the PSNs. The certificate template on the signing CA is often called a Subordinate Certificate Authority. This template has the following properties:
◦ Basic Constraints: Critical, Is a Certificate Authority
◦ Key Usage: Certificate Signing, Digital Signature
◦ Extended Key Usage: OCSP Signing (1.3.6.1.5.5.7.3.9)
• Renew ISE OCSP Responder Certificates—(Applicable only for the internal...

Page 743

Usage Guidelines | Field
Available options for SAN include:
• DNS Name—If you choose the DNS name, enter the fully qualified domain name of the ISE node. If you have enabled the Allow Wildcard Certificates option, specify the wildcard notation (an asterisk and a period before the domain name). For example, *.amer.example.com.
• IP Address—IP address of the ISE node to be associated with the certificate.
An IP address or DNS name that is associated with the certificate. | Subject Alternative Name (SAN)
Choose 2048 or greater if you plan to get a public CA-signed certificate. | Key Length...

Page 744

User and Endpoint Certificate Renewal, on page 149
Configure Cisco ISE to Use Certificates for Authenticating Personal Devices, on page 158
Configure Cisco ISE to Allow Users to Renew Certificates, on page 150
Revoke an Endpoint Certificate, on page 169
System Certificate Import Settings
The following table describes the fields in the Import System Certificate page that you can use to import a server certificate. The navigation path for this page is: Administration > System > Certificates > System Certificates > Import.
Description | Fields...

Page 745

Related Topics
System Certificates, on page 135
View System Certificates, on page 136
Import a System Certificate, on page 136
Trusted Certificate Store Page
The following table describes the fields on the Trusted Certificates Store page, which you can use to view the certificates that are added to the Administration node. The navigation path for this page is: Administration > System > Certificates > Trusted Certificates.
Table 59: Certificate Store Page
Usage Guidelines | Fields
Displays the name of the certificate. | Friendly Name...

Page 746

Edit Certificate Settings
The following table describes the fields on the Certificate Store Edit Certificate page, which you can use to edit the Certificate Authority (CA) certificate attributes. The navigation path for this page is: Administration > System > Certificates > Certificate Store > Certificate > Edit.
Table 60: Certificate Store Edit Settings
Usage Guidelines | Fields
Certificate Issuer
Enter a friendly name for the certificate. | Friendly Name
Choose Enabled or Disabled. If Disabled, ISE will not use the certificate for establishing trust. | Status...

Page 747

Usage Guidelines | Fields
Check the check box for the Cisco ISE to download a CRL. | Download CRL
Enter the URL to download the CRL from a CA. This field will be automatically populated if it is specified in the certificate authority certificate. The URL must begin with “http”, “https”, or “ldap.” | CRL Distribution URL
The CRL can be downloaded automatically or periodically. Configure the time interval between downloads. | Retrieve CRL
Configure the time interval to wait before Cisco ISE tries to download the CRL again. | If download failed, wait...

Page 748

Description | Fields
Enter a friendly name for the certificate. If you do not specify a name, Cisco ISE automatically creates a name in the format ##, where is a unique five-digit number. | Friendly Name
Check the check box if you want this certificate to be used to verify server certificates (from other ISE nodes or LDAP servers). | Trust for authentication within ISE
(Applicable only if you check the Trust for authentication within ISE check box) Check the check box if you want this certificate to be used to:
• Authenticate endpoints that connect to ISE using the EAP protocol...

Page 749

Usage Guidelines | Field
Use this option to check the primary server before trying to move to the secondary server. Even if the primary was checked earlier and found to be unresponsive, Cisco ISE will try to send a request to the primary server before moving to the secondary server. | Always Access Primary Server First
Use this option when you want Cisco ISE to move to the secondary server and then fall back to the primary server again. In this case, all other requests are skipped, and the secondary server is used for the amount of time that is configured in the text box. The allowed time range...

Page 750

Usage Guidelines | Field
Enter the time in minutes after which the cache entry expires.
Each response from the OCSP server holds a nextUpdate value. This value shows when the status of the certificate will be updated next on the server. When the OCSP response is cached, the two values (one from the configuration and another from response) are compared, and the response is cached for the period of time that is the lowest value of these two. If the nextUpdate value is 0, the response is not cached at all.
Cisco ISE will cache OCSP responses for the configured time. The cache...