Cisco ISE 1.3 User Guide
Navigate to Administration > pxGrid Services > Live Log to view the list of events. You can also clear the logs and resynchronize or refresh the list.

ISE pxGrid Identity Mapping

Identity Mapping enables you to monitor users that are authenticated by a Domain Controller (DC) and not by Cisco ISE. In networks where Cisco ISE does not actively authenticate users for network access, it is possible to use Identity Mapping to collect user authentication information from the Active Directory (AD) Domain Controller. Identity Mapping connects to the Windows system using the MS WMI interface and queries logs from the Windows event messaging. Once a user logs into the network and is authenticated with an Active Directory, the Domain Controller generates an event log that includes the user name and the IP address allocated for the user.

Identity Mapping can also be activated even if Cisco ISE plays an active role for authentication. In such cases, the same session may be identified twice. The operational data has a session attribute that indicates the source. You can go to Operations > Authentications and click Show Live Sessions to check the Session Source.

The Identity Mapping component retrieves the user logins from the Domain Controller and imports them into the Cisco ISE session directory. So users authenticated with Active Directory (AD) are shown in the Cisco ISE live sessions view, and can be queried from the session directory through the Cisco pxGrid interface by third-party applications. The known information is the user name, the IP address, the AD DC host name, and the AD DC NetBIOS name.

Cisco ISE plays only a passive role and does not perform the authentication. When Identity Mapping is active, Cisco ISE collects the login information from the AD and includes the data in the session directory.

Key Features

• Identity Mapping is configured from the Cisco ISE administration console. The configuration includes the following settings:
  ◦ Definition of all the DCs from which Identity Mapping is to collect user authentication information. This also includes import and export of the DC list using *.csv files
  ◦ DC connection characteristics such as the authentication security protocol (NTLMv1 or NTLMv2) and the user session aging time
  ◦ Connection testing, to verify that the DC is set up correctly to initialize a valid connection with Identity Mapping
• Identity Mapping report. This report provides information about the Identity Mapping component for troubleshooting
• Identity Mapping debug logs
• The Cisco ISE session directory maintains the collected user information, so that customers can view it from the Live Sessions and query it from the pxGrid interface
• Using the CLI command show application status provides the health status of nodes that use Identity Mapping
• Supports High Availability

Cisco Identity Services Engine Administrator Guide, Release 1.3 45 ISE pxGrid Identity Mapping
Configuring Identity Mapping

ID Mapping requires configuration in ISE, and the Active Directory Domain Server must have the right patches and configuration.

Configure Identity Mapping

ISE must be able to establish a connection with an AD Domain Controller (DC).

Before You Begin

Enable pxGrid services to configure Identity Mapping. Choose Administration > System > Deployment to enable pxGrid services.

To add a new Domain Controller (DC) for Identity Mapping, you need the login credentials of that DC.

Make sure the Domain Controller is properly configured for ISE Identity Mapping.

Procedure

Step 1 Choose Administration > pxGrid Identity Mapping > AD Domain Controller.
Step 2 Click General Settings.
Step 3 The Active Directory General Settings pop-up is displayed. Set the required values and click Save.
• History interval is the time during which Identity Mapping reads user login information that already occurred. This is required upon startup or restart of Identity Mapping to catch up with events generated while it was unavailable.
• User session aging time is the amount of time the user can be logged in. Identity Mapping identifies new user login events from the DC; however, the DC does not report when the user logs off. The aging time enables Cisco ISE to determine the time interval for which the user is logged in.
• You can select either NTLMv1 or NTLMv2 as the communications protocol between the ISE and the DC.
Step 4 Click Add.
Step 5 In the General Settings section, enter the Display Name, Domain FQDN, and Host FQDN of the DC.
Step 6 In the Credentials section, enter the Username and Password of the DC.
Step 7 (Optional) Test the connection to the specified domain by clicking Verify DC Connection Settings. This test ensures that the connection to the DC is healthy. However, it does not check whether Cisco ISE can fetch the user information upon login.
Step 8 Click Submit. An updated table is displayed with the newly-defined DC included in the list of DCs. The status column indicates the different states of the DC.
You can also Import or Export the DC list.

Note: While importing, you need to provide the password in the template. As the file contains the password, the import template should be treated as sensitive. The Export option does not export the password.
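The following added example (not Cisco code, and not part of the original guide) models the passive session directory that the Identity Mapping settings above produce: DC logon events are replayed only within the history interval, sessions expire after the user session aging time because the DC never reports a logoff, and Mapping Filters (described in the Filter Identity Mapping section that follows) hide sessions with OR between filters and AND between the two fields of one filter. The event field names, the session-source string, the one-session-per-IP rule and all sample logons are constructed assumptions; the guide does not specify the DC event format.

```python
"""Passive identity session directory modelled on Identity Mapping behaviour.
Added example, not Cisco code: event fields, filter details beyond the guide's
description and all sample data are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class LogonEvent:
    """One DC logon event: user name and allocated IP (what the guide says the DC
    logs) plus the DC host and NetBIOS names that ISE records for the session."""
    when: datetime
    user: str
    ip: str
    dc_host: str
    dc_netbios: str


@dataclass(frozen=True)
class MappingFilter:
    """A Mapping Filter row: Username and/or IP address; unset fields are ignored."""
    username: Optional[str] = None
    ip: Optional[str] = None

    def matches(self, user: str, ip: str) -> bool:
        # An empty filter hides nothing; every field that is set must match (AND).
        if self.username is None and self.ip is None:
            return False
        if self.username is not None and self.username != user:
            return False
        if self.ip is not None and self.ip != ip:
            return False
        return True


@dataclass
class Session:
    user: str
    ip: str
    dc_host: str
    dc_netbios: str
    last_logon: datetime
    source: str = "Identity Mapping"  # Session Source attribute shown in Live Sessions (assumed label)


class SessionDirectory:
    def __init__(self, aging_time: timedelta, history_interval: timedelta,
                 filters: Iterable[MappingFilter] = ()) -> None:
        self.aging_time = aging_time
        self.history_interval = history_interval
        self.filters = list(filters)
        self._by_ip: Dict[str, Session] = {}  # assumption: one live session per IP

    def ingest(self, events: Iterable[LogonEvent], now: datetime) -> int:
        """Replay DC events in time order; only events inside the history interval
        are accepted, and a newer logon for the same IP replaces the older session.
        Returns the number of accepted events."""
        accepted = 0
        for ev in sorted(events, key=lambda e: e.when):
            if ev.when < now - self.history_interval or ev.when > now:
                continue
            self._by_ip[ev.ip] = Session(ev.user, ev.ip, ev.dc_host, ev.dc_netbios, ev.when)
            accepted += 1
        return accepted

    def live_sessions(self, now: datetime) -> List[Session]:
        """Sessions that have not aged out and are hidden by no filter (OR between filters)."""
        live = []
        for s in self._by_ip.values():
            if now - s.last_logon > self.aging_time:
                continue  # DC never reports logoff: aging time ends the session
            if any(f.matches(s.user, s.ip) for f in self.filters):
                continue
            live.append(s)
        return sorted(live, key=lambda s: s.user)


# Constructed sample data: one DC (DC01) and six logons on the same morning.
START = datetime(2024, 1, 1, 12, 0)
EVENTS = [
    LogonEvent(datetime(2024, 1, 1, 10, 30), "alice", "10.0.0.5", "dc01.example.com", "DC01"),
    LogonEvent(datetime(2024, 1, 1, 11, 15), "bob", "10.0.0.7", "dc01.example.com", "DC01"),
    LogonEvent(datetime(2024, 1, 1, 11, 40), "carol", "10.0.0.9", "dc01.example.com", "DC01"),
    LogonEvent(datetime(2024, 1, 1, 11, 50), "svc-backup", "10.0.0.20", "dc01.example.com", "DC01"),
    LogonEvent(datetime(2024, 1, 1, 11, 55), "dave", "10.0.0.30", "dc01.example.com", "DC01"),
    LogonEvent(datetime(2024, 1, 1, 11, 58), "erin", "10.0.0.31", "dc01.example.com", "DC01"),
]
FILTERS = [
    MappingFilter(username="svc-backup"),            # hide a service account by name only
    MappingFilter(username="dave", ip="10.0.0.31"),  # both fields set: AND, so dave@10.0.0.30 stays
]


def build_directory() -> SessionDirectory:
    """Identity Mapping started at 12:00 with a 1 h history interval and 2 h aging time."""
    d = SessionDirectory(aging_time=timedelta(hours=2),
                         history_interval=timedelta(hours=1), filters=FILTERS)
    d.ingest(EVENTS, now=START)  # alice (10:30) falls outside the history interval
    return d


def live_users(minutes_after_start: int) -> List[str]:
    """User names visible in Live Sessions a given number of minutes after startup."""
    at = START + timedelta(minutes=minutes_after_start)
    return [s.user for s in build_directory().live_sessions(at)]


if __name__ == "__main__":
    print(live_users(0))   # ['bob', 'carol', 'dave', 'erin']
    print(live_users(90))  # ['carol', 'dave', 'erin']: bob's 11:15 logon has aged out
```

Running the block shows the two effects an operator has to reason about when tuning the general settings: a history interval that is too short silently drops logons that happened while Identity Mapping was down (alice), and an aging time that is too long keeps a user mapped to an IP that the DC may already have handed to someone else (bob until 13:15).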
Filter Identity Mapping

You can filter certain users, based on their name or IP address. You can add as many filters as needed. The "OR" logic operator applies between filters. If both the fields are specified in a single filter, the "AND" logic operator applies between these fields. The Monitoring live session shows Identity Mapping components that are not filtered out by the Mapping Filters.

Procedure

Step 1 Choose Administration > pxGrid Identity Mapping > Mapping Filters.
Step 2 Click Add, enter the Username and/or IP address of the user you want to filter, and click Submit.
Step 3 To view the non-filtered users that are currently logged into the Monitoring session directory, choose Operations > Authentications.

Inline Posture Node

An Inline Posture node is a gatekeeping node that is positioned behind network access devices such as Wireless LAN Controllers (WLC) and VPN concentrators on the network. The Inline Posture node enforces access policies after a user has been authenticated and granted access, and handles change of authorization (CoA) requests that a WLC or VPN are unable to accommodate. Cisco ISE allows you to have two Inline Posture nodes that can take on primary or secondary roles for high availability.

The Inline Posture node must be a dedicated node. It must be dedicated solely to the inline posture service, and cannot operate concurrently with other Cisco ISE services. Likewise, due to the specialized nature of its service, an Inline Posture node cannot assume any persona. For example, it cannot act as an Administration node that offers the administration service, or a Policy Service node that offers network access, posture, profile, and guest services, or a Monitoring node that offers monitoring and troubleshooting services for a Cisco ISE network.

The Inline Posture persona is not supported on the Cisco ISE 3495 platform. Ensure that you install the Inline Posture persona on any one of the following supported platforms: Cisco ISE 3315, Cisco ISE 3355, Cisco ISE 3395, or Cisco ISE 3415.

You cannot access the web-based user interface of the Inline Posture nodes. You can configure them only from the PAN.
Inline Posture Node Installation

You must download the Inline Posture ISO (IPN ISO) image from Cisco.com and install it on any of the supported platforms. You must then configure certificates through the Command Line Interface (CLI). You can then register this node from the Admin portal.

Note: There is no separate Inline Posture ISO image for Release 1.3. Use the 1.2 IPN ISO image to install and set up an inline posture node.
After you install and set up the Inline Posture application, you must configure certificates before you can register the Inline Posture nodes. See the Cisco Identity Services Engine Hardware Installation Guide for more information.

Register an Inline Posture Node

We recommend that you decide on the type of node (Cisco ISE or Inline Posture) at the time of registration. If you want to change the node type later, you have to deregister the node from the deployment, restart Cisco ISE on the standalone node, and then reregister it.

Before You Begin

• Ensure that the primary node's Certificate Trust List (CTL) has the appropriate certificate authority (CA) certificates to validate the HTTPS certificate of the secondary node that you are going to register.
• After you register the secondary node to the primary node, if you change the HTTPS certificate on the secondary node, you must import the appropriate CA certificates into the CTL of the primary node.

Procedure

Step 1 Log in to the PAN.
Step 2 Choose Administration > System > Deployment.
Step 3 Click Deployment from the navigation pane on the left.
Step 4 Choose Register > Register an Inline Posture Node to register a secondary Inline Posture node.

View Nodes in a Deployment

In the Deployment Nodes page, you can view all the Cisco ISE nodes, primary and secondary, that are part of your deployment.

Procedure

Step 1 Log in to the primary Cisco ISE Admin portal.
Step 2 Choose Administration > System > Deployment.
Step 3 Click Deployment from the navigation pane on the left.
All the Cisco ISE nodes that are part of your deployment are listed.
Synchronize Primary and Secondary Cisco ISE Nodes

You can make configuration changes to Cisco ISE only through the Primary PAN. The configuration changes get replicated to all the secondary nodes. If, for some reason, this replication does not occur properly, you can manually synchronize the Secondary PAN with the Primary PAN.

Before You Begin

You must click the Syncup button to force a full replication if the Sync Status is set to Out of Sync or if the Replication Status is Failed or Disabled.

Procedure

Step 1 Log in to the Primary PAN.
Step 2 Choose Administration > System > Deployment.
Step 3 Check the check box next to the node that you want to synchronize with the Primary PAN, and click Syncup to force a full database replication.

Change Node Personas and Services

You can edit the Cisco ISE node configuration to change the personas and services that run on the node.

Before You Begin

• When you enable or disable any of the services that run on a Policy Service node or make any changes to a Policy Service node, you will be restarting the application server processes on which these services run. Expect a delay while these services restart.

Procedure

Step 1 Log in to the Primary PAN.
Step 2 Choose Administration > System > Deployment.
Step 3 Check the check box next to the node whose personas or services you want to change, and then click Edit.
Step 4 Choose the personas and services that you want.
Step 5 Click Save.
Step 6 Verify receipt of an alarm on your Primary PAN to confirm the persona or service change. If the persona or service change is not saved successfully, an alarm is not generated.
Effects of Modifying Nodes in Cisco ISE

When you make any of the following changes to a node in Cisco ISE, that node restarts, which causes a delay:

• Register a node (Standalone to Secondary)
• Deregister a node (Secondary to Standalone)
• Change a primary node to Standalone (if no other nodes are registered with it; Primary to Standalone)
• Promote an Administration node (Secondary to Primary)
• Change the personas (when you assign or remove the Policy Service or Monitoring persona from a node)
• Modify the services in the Policy Service node (enable or disable the session and profiler services)
• Restore a backup on the primary; a sync up operation is then triggered to replicate data from the primary to the secondary nodes

Create a Policy Service Node Group

When two or more Policy Service nodes (PSNs) are connected to the same high-speed Local Area Network (LAN), we recommend that you place them in the same node group. This design optimizes the replication of endpoint profiling data by retaining less significant attributes local to the group and reducing the information that is replicated to the remote nodes in the network. Node group members also check on the availability of peer group members. If the group detects that a member has failed, it attempts to reset and recover all URL-redirected sessions on the failed node.

Note: We recommend that you make all PSNs in the same local network part of the same node group. PSNs need not be part of a load-balanced cluster to join the same node group. However, each local PSN in a load-balanced cluster should typically be part of the same node group.

Before you can add PSNs as members to a node group, you must create the node group first. You can create, edit, and delete Policy Service node groups from the Deployment pages of the Admin portal.

Before You Begin

Node group members can communicate over TCP/7800 and TCP/7802.

Procedure

Step 1 Choose Administration > System > Deployment.
Step 2 Click the action icon, and then click Create Node Group.
Step 3 Enter a unique name for your node group.
Step 4 (Optional) Enter a description for your node group.
Step 5 Click Submit to save the node group.
After you save the node group, it should appear in the navigation pane on the left. If you do not see the node group in the left pane, it may be hidden. Click the Expand button on the navigation pane to view the hidden objects.

What to Do Next

Add a node to a node group. Edit the node by choosing the node group from the Member of Node Group drop-down list.

Deploy pxGrid Node

You can enable the Cisco pxGrid persona both on a standalone node and on a distributed deployment node.

Before You Begin

• You need a Plus license to enable the Cisco pxGrid persona.
• Cisco pxGrid services run on a Cisco ISE SNS 3415/3495 Appliance or in VMware.
• All nodes are configured to use the CA certificate for pxGrid usage. If the default certificate is used for pxGrid before upgrade, it will be replaced by the internal CA certificate after upgrade.
• If you are using a distributed deployment or upgrading from Cisco ISE 1.2, then you need to enable the pxGrid Usage option for the certificates. To enable the pxGrid Usage option, go to Administration > Certificates > System Certificates. Choose the certificate being used in the deployment and click Edit. Check the pxGrid: use certificate for the pxGrid Controller check box.

Procedure

Step 1 Choose Administration > System > Deployment.
Step 2 In the Deployment Nodes page, check the check box next to the node on which you want to enable the pxGrid services, and click Edit.
Step 3 Click the General Settings tab and check the pxGrid check box.
Step 4 Click Save.
When you upgrade from the previous version, the Save option might be disabled. This happens when the browser cache refers to the old files from the previous version of Cisco ISE. Clear the browser cache to enable the Save option.

Configure Monitoring Nodes for Automatic Failover

If you have two Monitoring nodes in a deployment, you can configure a primary-secondary pair for automatic failover to avoid downtime in the Cisco ISE Monitoring service. A primary-secondary pair ensures that a secondary Monitoring node automatically provides monitoring should the primary node fail.

Before You Begin

• Before you can configure Monitoring nodes for automatic failover, they must be registered as Cisco ISE nodes.
• Configure monitoring roles and services on both nodes and name them for their primary and secondary roles, as appropriate.
• Configure repositories for backup and data purging on both the primary and secondary Monitoring nodes. For the backup and purging features to work properly, use the same repositories for both the nodes. Purging takes place on both the primary and secondary nodes of a redundant pair. For example, if the primary Monitoring node uses two repositories for backup and purging, you must specify the same repositories for the secondary node.
Configure a data repository for a Monitoring node using the repository command in the system CLI.

Caution: For scheduled backup and purge to work properly on the nodes of a Monitoring redundant pair, configure the same repository, or repositories, on both the primary and secondary nodes using the CLI. The repositories are not automatically synced between the two nodes.

From the Cisco ISE dashboard, verify that the Monitoring nodes are ready. The System Summary dashlet shows the Monitoring nodes with a green check mark to the left when their services are ready.

Procedure

Step 1 Choose Administration > System > Deployment.
Step 2 In the Deployment Nodes page, check the check box next to the Monitoring node that you want to specify as active, and click Edit.
Step 3 Click the General Settings tab and choose Primary from the Role drop-down list.
When you choose a Monitoring node as primary, the other Monitoring node automatically becomes secondary. In the case of a standalone deployment, primary and secondary role configuration is disabled.
Step 4 Click Save. The active and standby nodes restart.

Remove a Node from Deployment

To remove a node from a deployment, you must deregister it. The deregistered node becomes a standalone Cisco ISE node.

It retains the last configuration that it received from the Primary PAN and assumes the default personas of a standalone node, which are Administration, Policy Service, and Monitoring. If you deregister a Monitoring node, this node will no longer be a syslog target.

You can view these changes from the Deployment page of the Primary PAN. However, expect a delay of 5 minutes for the changes to take effect and appear on the Deployment page.
Before You Begin

Before you remove any secondary node from a deployment, perform a backup of the Cisco ISE configuration, which you can then restore later on, if needed.
Procedure

Step 1 Choose Administration > System > Deployment.
Step 2 Check the check box next to the secondary node that you want to remove, and then click Deregister.
Step 3 Click OK.
Step 4 Verify receipt of an alarm on your Primary PAN to confirm that the secondary node is deregistered successfully. If the secondary node fails to deregister from the Primary PAN, the alarm is not generated.

Change the Hostname or IP Address of a Standalone Cisco ISE Node

You can change the hostname, IP address, or domain name of standalone Cisco ISE nodes. You cannot use "localhost" as the hostname for a node.

Before You Begin

If the Cisco ISE node is part of a distributed deployment, you must first remove it from the deployment and ensure that it is a standalone node.

Procedure

Step 1 Change the hostname or IP address of the Cisco ISE node using the hostname, ip address, or ip domain-name command from the Cisco ISE CLI.
Step 2 Reset the Cisco ISE application configuration using the application stop ise command from the Cisco ISE CLI to restart all the services.
Step 3 Register the Cisco ISE node to the Primary PAN if it is part of a distributed deployment.

Note: If you are using the hostname while registering the Cisco ISE node, the fully qualified domain name (FQDN) of the standalone node that you are going to register, for example abc.xyz.com, must be DNS-resolvable from the Primary PAN. Otherwise, node registration fails. You must enter the IP addresses and FQDNs of the Cisco ISE nodes that are part of your distributed deployment in the DNS server.

After you register the Cisco ISE node as a secondary node, the Primary PAN replicates the change in the IP address, hostname, or domain name to the other Cisco ISE nodes in your deployment.

Replace the Cisco ISE Appliance Hardware

You should replace the Cisco ISE appliance hardware only if there is an issue with the hardware. For any software issues, you can reimage the appliance and reinstall the Cisco ISE software.
Procedure

Step 1 Re-image or re-install the Cisco ISE software on the new nodes.
Step 2 Obtain a license with the UDI for the Primary and Secondary PANs and install it on the Primary PAN.
Step 3 Restore the backup on the replaced Primary PAN.
The restore script will try to sync the data on the Secondary PAN, but the Secondary PAN is now a standalone node and the sync will fail. Data is set to the time the backup was taken on the Primary PAN.
Step 4 Register the new node as a secondary server with the Primary PAN.
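Returning to the hostname-change procedure above: registration fails when the node's FQDN is not DNS-resolvable from the Primary PAN, and "localhost" is rejected as a hostname. The following added example (not Cisco code, and not part of the guide) is a pre-flight check an administrator could run before Step 3 of that procedure. Everything beyond those two stated rules is an assumption: the DNS label syntax check, treating a first label of "localhost" in an FQDN as the same violation, the example.com names, the 192.0.2.x addresses, and the injected resolver that lets the check run offline against a constructed lookup table instead of the PAN's real DNS.

```python
"""Pre-flight checks before registering a standalone node with the Primary PAN.
Added example, not Cisco code. Rules taken from the guide: no "localhost"
hostname; the FQDN must resolve from the Primary PAN. The rest is assumed."""
import re
import socket
from typing import Callable, Dict, Iterable, Tuple

# One DNS label: 1-63 letters, digits or hyphens, with no leading or trailing hyphen.
LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def valid_fqdn(fqdn: str) -> bool:
    """Syntax check: at least two well-formed labels, and the host label
    (the first one) is not 'localhost'. Assumed extension of the guide's rule."""
    labels = fqdn.split(".")
    if len(labels) < 2 or not all(LABEL.match(lab) for lab in labels):
        return False
    return labels[0].lower() != "localhost"


def check_registration(fqdn: str,
                       resolver: Callable[[str], str] = socket.gethostbyname) -> Tuple[bool, str]:
    """Return (ok, reason). ok is True only when the FQDN is well-formed and the
    resolver (by default the local stub resolver, so run this on the PAN) returns
    an address for it, which is what node registration by hostname requires."""
    if not valid_fqdn(fqdn):
        return False, f"{fqdn!r} is not an acceptable hostname/FQDN"
    try:
        addr = resolver(fqdn)
    except OSError:  # socket.gaierror is an OSError subclass
        return False, f"{fqdn} is not DNS-resolvable from the Primary PAN"
    return True, f"{fqdn} resolves to {addr}"


# Constructed DNS view as the Primary PAN would see it (documentation names/addresses).
DNS_TABLE: Dict[str, str] = {
    "ise-pan.example.com": "192.0.2.1",
    "ise-psn1.example.com": "192.0.2.10",
}


def table_resolver(name: str) -> str:
    """Offline stand-in for socket.gethostbyname, backed by DNS_TABLE."""
    try:
        return DNS_TABLE[name]
    except KeyError:
        raise socket.gaierror(f"no A record for {name}")


def preflight(fqdns: Iterable[str],
              resolver: Callable[[str], str] = table_resolver) -> Dict[str, Tuple[bool, str]]:
    """Run the check over several candidate nodes; returns {fqdn: (ok, reason)}."""
    return {f: check_registration(f, resolver) for f in fqdns}


if __name__ == "__main__":
    candidates = ["ise-psn1.example.com", "localhost", "ise-psn2.example.com", "-bad.example.com"]
    for ok, why in preflight(candidates).values():
        print("OK  " if ok else "FAIL", why)
```

Only the first candidate passes: "localhost" violates the guide's naming rule, ise-psn2.example.com has no DNS record in the constructed table (the situation the Note above describes, where registration fails until the record is added to the DNS server), and the hyphen-leading name fails the syntax check.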