
Cisco Ise 13 User Guide


Page 881

Fields / Usage Guidelines
AND or OR operator: Choose an AND, or an OR operator to logically combine dictionary simple conditions, which can be added from the library.
Click the Action icon to do the following:
• Add Attribute/Value
• Add Condition from Library
• Delete
Create New Condition (Advance Option): Select attributes from various system or user-defined dictionaries.
You can also add predefined conditions from the policy elements library in the subsequent steps.
Condition Name: Choose a dictionary simple condition that you have already created.
...

Page 882

Fields / Usage Guidelines
Specific Hours: Configure hours, minutes, and AM/PM to set a to-and-from time range.
Every Day: (Default) Set for every day.
Specific Days: Configure one or more specific days of the week.
No Start and End Dates: (Default) Set with no start or end date.
Specific Date Range: Configure the month, day, and year to set a to-and-from date range.
Specific Date: Configure a specific month, day, and year.
Exceptions
Time Range: Configure the hours, minutes, and AM/PM to set a to-and-from time range.
Week Days: Configure one or more specific days of the week.
...

Page 883

Table 121: Allowed Protocols
Fields / Usage Guidelines
Allowed Protocols > Authentication Bypass
Check this check box if you want Cisco ISE to process the Host Lookup request. The Host Lookup request is processed for PAP/CHAP protocol when the RADIUS Service-Type equals 10 (Call-Check) and the username is equal to Calling-Station-ID. The Host Lookup request is processed for EAP-MD5 protocol when the Service-Type equals 1 (Framed) and the username is equal to Calling-Station-ID. Uncheck this check box if you want Cisco ISE to...

Page 884

Fields / Usage Guidelines
Check this check box to enable PEAP authentication protocol and PEAP settings. The default inner method is MS-CHAPv2.
When you check the Allow PEAP check box, you can configure the following PEAP inner methods:
• Allow EAP-MS-CHAPv2—Check this check box to use EAP-MS-CHAPv2 as the inner method.
◦ Allow Password Change—Check this check box for Cisco ISE to support password changes.
◦ Retry Attempts—Specifies how many times Cisco ISE requests user credentials before returning login failure. Valid values are 0 to 3....

Page 885

Fields / Usage Guidelines
Allow EAP-FAST
Cisco Identity Services Engine Administrator Guide, Release 1.3    
839
Results 

Page 886

Fields / Usage Guidelines
Check this check box to enable EAP-FAST authentication protocol and EAP-FAST settings. The EAP-FAST protocol can support multiple internal protocols on the same server. The default inner method is MS-CHAPv2.
When you check the Allow EAP-FAST check box, you can configure EAP-FAST as the inner method:
• Allow EAP-MS-CHAPv2
◦ Allow Password Change—Check this check box for Cisco ISE to support password changes.
◦ Retry Attempts—Specifies how many times Cisco ISE requests user credentials before returning login failure. Valid values are 0-3.
• Allow EAP-GTC...

Page 887

Fields / Usage Guidelines
if the endpoint (AnyConnect) is configured to send the user certificate inside the tunnel, then during tunnel establishment, ISE authenticates the user using the certificate (the inner method is skipped), and machine authentication is done through the inner method. If these options are not configured, EAP-TLS is used as the inner method for user authentication.
After you enable EAP chaining, update your authorization policy and add a condition using the Network Access:EapChainingResult attribute and assign appropriate permissions. For example:...

Page 888

Table 122: PAC Options
Fields / Usage Guidelines
Use PAC

Page 889

Fields / Usage Guidelines
• Tunnel PAC Time To Live—The Time to Live (TTL) value restricts the lifetime of the PAC. Specify the lifetime value and units. The default is 90 days. The range is between 1 and 1825 days.
• Proactive PAC Update When: of PAC TTL is Left—The Update value ensures that the client has a valid PAC. Cisco ISE initiates an update after the first successful authentication but before the expiration time that is set by the TTL. The update value is a percentage of the remaining time in the TTL. The default is 90%....

Page 890

Fields / Usage Guidelines
EAP-FAST clients
◦ To always perform phase two of EAP-FAST
When you check this option, you can enter the authorization period of the user authorization PAC. After this period, the PAC expires. When Cisco ISE receives an expired authorization PAC, it performs phase two EAP-FAST authentication.
Related Topics
OOB TrustSec PAC, on page 595
Generate the PAC for EAP-FAST, on page 420
Authorization Profile Settings
The following table describes the fields in the Standard Authorization Profiles page. The navigation path for...