Cisco ISE 1.3 User Guide
Page 931
permit tcp any host eq www
permit tcp any host eq 443
permit tcp any host eq 8443
permit tcp any host eq 8905
permit udp any host eq 8905
permit udp any host eq 8906
permit tcp any host eq 8080
permit udp any host eq 9996
remark Drop all the rest
deny ip any any log
!
! The ACL to allow URL-redirection for WebAuth
ip access-list extended ACL-WEBAUTH-REDIRECT
permit tcp any any eq www
permit tcp any any eq 443

Note: This configuration on the WLC may increase CPU utilization and raises the risk of system instability. This is an IOS issue and does not adversely affect Cisco ISE.

Enable Switch Ports...
Page 932
Procedure

Step 1 Enter configuration mode for all of the access switch ports:
  interface range FastEthernet0/1-8
Step 2 Enable the switch ports for access mode (instead of trunk mode):
  switchport mode access
Step 3 Statically configure the access VLAN. This provides local provisioning of the access VLANs and is required for open-mode authentication:
  switchport access
Step 4 Statically configure the voice VLAN:
  switchport voice
Step 5 Enable open-mode authentication. Open-mode allows traffic to be bridged onto the data and voice VLANs...
Page 933
! Enables 802.1X authentication on the interface
dot1x pae authenticator

Step 12 Set the retransmit period to 10 seconds:
  dot1x timeout tx-period 10
Note: The dot1x tx-period timeout should be set to 10 seconds. Do not change this unless you understand the implications.
Step 13 Enable the portfast feature:
  spanning-tree portfast

Command to Enable EPM Logging

Set up standard logging functions on the switch to support possible troubleshooting/recording for Cisco ISE functions:
  epm logging

Command to Enable SNMP Traps...
Page 934
Command to Enable MAC Notification Traps for Profiler to Collect

Configure your switch to transmit the appropriate MAC notification traps so that the Cisco ISE Profiler function is able to collect information on network endpoints:
  mac address-table notification change
  mac address-table notification mac-move
  snmp trap mac-notification change added
  snmp trap mac-notification change removed

RADIUS Idle-Timeout Configuration on the Switch

To configure the RADIUS Idle-timeout on a switch, use the following command:...
Page 935
Wireless LAN Controller Support for Apple Devices

Apple devices include the Apple Captive Network Assistant (CNA) feature, which detects captive networks (like the Cisco ISE WebAuth page), but it interferes with the portal redirection required to support guests and personal devices.

You can bypass this feature by enabling the web-auth captive-bypass command on the Wireless LAN Controller (WLC):
  WLC> config network web-auth captive-bypass enable
  Web-auth support for Captive-Bypass will be enabled.
  You must reset system for this setting to take effect.
  WLC> save config...
Page 936
The following example shows the ACLs for redirecting a nonregistered device to the BYOD flow. In this example, the Cisco ISE IP address is 10.35.50.165, the internal corporate network IP address is 192.168.0.0 and 172.16.0.0 (to redirect), and the MDM server subnet is 204.8.168.0.

Figure 46: ACLs for Redirecting Nonregistered Device

Cisco Identity Services Engine Administrator Guide, Release 1.3, page 890
Configuring ACLs on the Wireless LAN Controller for MDM Interoperability
Page 937
CHAPTER 34
Supported Management Information Bases in Cisco ISE

• IF-MIB, page 891
• SNMPv2-MIB, page 892
• IP-MIB, page 892
• CISCO-CDP-MIB, page 893
• CISCO-VTP-MIB, page 894
• CISCO-STACK-MIB, page 894
• BRIDGE-MIB, page 895
• OLD-CISCO-INTERFACE-MIB, page 895
• CISCO-LWAPP-AP-MIB, page 895
• CISCO-LWAPP-DOT11-CLIENT-MIB, page 897
• CISCO-AUTH-FRAMEWORK-MIB, page 898
• IEEE8021-PAE-MIB: RFC IEEE 802.1X, page 898
• HOST-RESOURCES-MIB, page 898
• LLDP-MIB, page 899

IF-MIB

Table 145:
OID                      Object
1.3.6.1.2.1.2.2.1.1      ifIndex
1.3.6.1.2.1.2.2.1.2      ifDescr...
Page 938
OID                      Object
1.3.6.1.2.1.2.2.1.3      ifType
1.3.6.1.2.1.2.2.1.5      ifSpeed
1.3.6.1.2.1.2.2.1.6      ifPhysAddress
1.3.6.1.2.1.2.2.1.7      ifAdminStatus
1.3.6.1.2.1.2.2.1.8      ifOperStatus

SNMPv2-MIB

Table 146:
OID                      Object
1.3.6.1.2.1.1            system
1.3.6.1.2.1.1.1.0        sysDescr
1.3.6.1.2.1.1.2.0        sysObjectID
1.3.6.1.2.1.1.3.0        sysUpTime
1.3.6.1.2.1.1.4.0        sysContact
1.3.6.1.2.1.1.5.0        sysName
1.3.6.1.2.1.1.6.0        sysLocation
1.3.6.1.2.1.1.7.0        sysServices
1.3.6.1.2.1.1.8.0        sysORLastChange
1.3.6.1.2.1.1.9.0        sysORTable

IP-MIB

Table 147:
OID                      Object...
Page 939
OID                              Object
1.3.6.1.2.1.4.20.1.3             ipAdEntNetMask
1.3.6.1.2.1.4.22.1.2             ipNetToMediaPhysAddress

CISCO-CDP-MIB

Table 148:
OID                              Object
1.3.6.1.4.1.9.9.23.1.2.1.1       cdpCacheEntry
1.3.6.1.4.1.9.9.23.1.2.1.1.1     cdpCacheIfIndex
1.3.6.1.4.1.9.9.23.1.2.1.1.2     cdpCacheDeviceIndex
1.3.6.1.4.1.9.9.23.1.2.1.1.3     cdpCacheAddressType
1.3.6.1.4.1.9.9.23.1.2.1.1.4     cdpCacheAddress
1.3.6.1.4.1.9.9.23.1.2.1.1.5     cdpCacheVersion
1.3.6.1.4.1.9.9.23.1.2.1.1.6     cdpCacheDeviceId
1.3.6.1.4.1.9.9.23.1.2.1.1.7     cdpCacheDevicePort...
Page 940
OID                                  Object
1.3.6.1.4.1.9.9.23.1.2.1.1.18        cdpCacheSysObjectID
1.3.6.1.4.1.9.9.23.1.2.1.1.19        cdpCachePrimaryMgmtAddrType
1.3.6.1.4.1.9.9.23.1.2.1.1.20        cdpCachePrimaryMgmtAddr
1.3.6.1.4.1.9.9.23.1.2.1.1.21        cdpCacheSecondaryMgmtAddrType
1.3.6.1.4.1.9.9.23.1.2.1.1.22        cdpCacheSecondaryMgmtAddr
1.3.6.1.4.1.9.9.23.1.2.1.1.23        cdpCachePhysLocation
1.3.6.1.4.1.9.9.23.1.2.1.1.24        cdpCacheLastChange

CISCO-VTP-MIB

Table 149:
OID                                  Object
1.3.6.1.4.1.9.9.46.1.3.1.1.18.1      vtpVlanIfIndex
1.3.6.1.4.1.9.9.46.1.3.1.1.4.1       vtpVlanName...