Cisco ISE 1.3 User Guide
Caution: The Inline Posture node's untrusted interface should be disconnected while the Inline Posture node is being configured. If the Inline Posture node's trusted and untrusted interfaces are connected to the same VLAN during initial configuration and the Inline Posture node initially starts after changing its persona, multicast packet traffic gets flooded out of the untrusted interface. This multicast storm can potentially bring down devices that are connected to the same subnet or VLAN. The Inline Posture node at this time is in Maintenance mode.

Cisco Identity Services Engine Administrator Guide, Release 1.3 (page 65, Inline Posture Node Guidelines)
Inline Posture Node Authorization

The following figures illustrate the client authorization flow and session recovery using the Lazy Fetch mechanism for the Inline Posture node.

Figure 8: Inline Posture Node Client Authorization Flow
Figure 9: Inline Posture Node Session Recovery Using Lazy Fetch Mechanism
Inline Posture Node Session Removal due to Client Disconnect

When a wireless client wanders off from WLC control, the WLC is required to send a RADIUS Accounting Stop, as the VPN gateway does, to ensure that the Inline Posture node cleans up the session corresponding to the client. Without that Accounting Stop the session stays authorized on the Inline Posture node after the client is gone.

Deploy an Inline Posture Node

The initial process for deploying an Inline Posture node is the same whether it is intended to be a standalone node or part of an active-standby pair.

Note: Inline Posture is supported on the Cisco ISE 3415, ISE 3315, ISE 3355, and ISE 3395 platforms.

Procedure
Step 1 Configure an Inline Posture node.
Step 2 Create Inline Posture Downloadable Access Control Lists.
Step 3 Create Inline Posture node profiles.
Step 4 Create an Inline Posture authorization policy.

Configure an Inline Posture Node

Inline Posture is a dedicated node registered to the Administration node. You configure Inline Posture from the administration console, and that configuration is then replicated to the Inline Posture node. A copy of the configuration is stored locally in the administration database. After an Inline Posture node is registered, it is rebooted.

To introduce an Inline Posture node in your Cisco ISE network, you must first register the Inline Posture node with the PAN, configure the Inline Posture settings, and then create authorization profiles and policies that establish the Inline Posture gatekeeping policies.

The Inline Posture node is a RADIUS proxy that interfaces with NADs as their RADIUS server, making the NADs (VPN gateway, WLC) RADIUS clients. As a proxy, Inline Posture interfaces with the Policy Service node as a client, making the Policy Service node its RADIUS server. Each of these two hops is a separate RADIUS association with its own shared secret.

Note: After completing the following procedure, a NAD entry is automatically created for the Inline Posture node. For a standalone node, the IP address for that node is used. For a high-availability pair, the service IP address for the active node is used.

Before You Begin
• To perform the following task, you must be a Super Admin or System Admin.
• Inline Posture is not supported on the Cisco ISE 3495 platform. Ensure that you install Inline Posture on one of the following supported platforms: ISE 3315, ISE 3355, ISE 3395, or ISE 3415.
• Follow and apply the guidelines for configuring certificates for Inline Posture. Refer to the Cisco Identity Services Engine Hardware Installation Guide, Release 1.2 for details.
• Register the Inline Posture node with the PAN. All nodes must be registered with the PAN to function as a member of the Cisco ISE distributed system.
• RADIUS configuration is mandatory. At least one client and one server configuration is necessary. You need the corresponding shared secret information for both sides (the NAD-facing secret and the Policy Service node-facing secret) to complete this procedure.
• Have all necessary configuration information for your installation on hand. For example, you might need the trusted and untrusted IP addresses, service IP address, IP addresses for other Cisco ISE nodes, shared secret information for the RADIUS configuration, management VLAN ID, WLC or VPN IP address, and so on. Check with your system architect for a complete list of the information you will need.
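The two-hop proxy relationship above, one shared secret per hop, is easiest to see in code. The following is an added illustration, not Cisco code and not the Inline Posture implementation: it models a NAD-to-proxy-to-Policy-Service-node exchange using the RFC 2865 wire format (User-Password hiding and the Response Authenticator) with made-up secrets (SECRET_NAD_TO_IPN, SECRET_IPN_TO_PSN), a made-up user and password, and no Message-Authenticator attribute. It shows why the proxy must hold both secrets: the hidden User-Password has to be re-keyed for the next hop, and the server's reply must be verified with the server-side secret and re-signed with the NAD-side secret before it is forwarded.

```python
"""RADIUS proxy hop re-keying, as any RADIUS proxy between a NAD and its
server must do. Added illustration, not Cisco code: secrets, names and the
password are constructed; only the RFC 2865 wire format is real."""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2

# Constructed secrets (assumptions): one per RADIUS hop.
SECRET_NAD_TO_IPN = b"vpn-gw-secret"  # VPN gateway / WLC <-> Inline Posture node
SECRET_IPN_TO_PSN = b"psn-secret"     # Inline Posture node <-> Policy Service node


def _attrs(attr_list):
    """Encode (type, value) pairs as RADIUS TLVs (RFC 2865 section 5)."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attr_list)


def _parse_attrs(blob):
    attrs, i = [], 0
    while i < len(blob):
        t, l = blob[i], blob[i + 1]
        attrs.append((t, blob[i + 2:i + l]))
        i += l
    return attrs


def hide_password(password, secret, request_auth):
    """RFC 2865 section 5.2: null-pad to 16-byte blocks, XOR each block with
    MD5(secret + previous ciphertext block), seeded by the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out


def reveal_password(hidden, secret, request_auth):
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def _packet(code, ident, authenticator, attrs_b):
    return struct.pack("!BBH", code, ident, 20 + len(attrs_b)) + authenticator + attrs_b


def build_request(ident, username, password, secret):
    request_auth = os.urandom(16)
    attrs_b = _attrs([(ATTR_USER_NAME, username),
                      (ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))])
    return _packet(ACCESS_REQUEST, ident, request_auth, attrs_b)


def response_authenticator(code, ident, attrs_b, request_auth, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    hdr = struct.pack("!BBH", code, ident, 20 + len(attrs_b))
    return hashlib.md5(hdr + request_auth + attrs_b + secret).digest()


def build_response(code, ident, attrs, request_auth, secret):
    attrs_b = _attrs(attrs)
    return _packet(code, ident, response_authenticator(code, ident, attrs_b, request_auth, secret), attrs_b)


def verify_response(packet, request_auth, secret):
    code, ident = packet[0], packet[1]
    return packet[4:20] == response_authenticator(code, ident, packet[20:], request_auth, secret)


def proxy_request(packet, secret_in, secret_out):
    """Proxy step: the NAD hid User-Password under secret_in; the server only
    knows secret_out, so the proxy reveals and re-hides it under a fresh
    Request Authenticator. Returns (new packet, inbound auth, outbound auth)."""
    code, ident = packet[0], packet[1]
    auth_in, auth_out = packet[4:20], os.urandom(16)
    attrs = []
    for t, v in _parse_attrs(packet[20:]):
        if t == ATTR_USER_PASSWORD:
            v = hide_password(reveal_password(v, secret_in, auth_in), secret_out, auth_out)
        attrs.append((t, v))
    return _packet(code, ident, auth_out, _attrs(attrs)), auth_in, auth_out


def run_exchange(username=b"alice", password=b"correct horse battery"):
    """NAD -> proxy -> PSN -> proxy -> NAD round trip; returns the checks."""
    nad_req = build_request(7, username, password, SECRET_NAD_TO_IPN)  # 1. NAD sends
    psn_req, auth_nad, auth_psn = proxy_request(nad_req, SECRET_NAD_TO_IPN, SECRET_IPN_TO_PSN)  # 2. proxy re-keys
    hidden = dict(_parse_attrs(psn_req[20:]))[ATTR_USER_PASSWORD]
    psn_sees = reveal_password(hidden, SECRET_IPN_TO_PSN, auth_psn)  # 3. PSN decrypts
    psn_resp = build_response(ACCESS_ACCEPT, 7, [(ATTR_USER_NAME, username)], auth_psn, SECRET_IPN_TO_PSN)
    ipn_trusts_psn = verify_response(psn_resp, auth_psn, SECRET_IPN_TO_PSN)  # 4. proxy verifies
    nad_resp = build_response(ACCESS_ACCEPT, 7, _parse_attrs(psn_resp[20:]), auth_nad, SECRET_NAD_TO_IPN)
    return {
        "psn_got_password": psn_sees == password,
        "ipn_trusts_psn": ipn_trusts_psn,
        "nad_trusts_ipn": verify_response(nad_resp, auth_nad, SECRET_NAD_TO_IPN),
        # Wrong secret on a hop: the password turns to garbage and the signature check fails.
        "wrong_secret_garbles": reveal_password(hidden, SECRET_NAD_TO_IPN, auth_psn) != password,
        "raw_forward_rejected": not verify_response(psn_resp, auth_nad, SECRET_NAD_TO_IPN),
    }
```

The `raw_forward_rejected` check is the practical point: a reply from the Policy Service node cannot simply be relayed to the NAD, because its Response Authenticator was computed over the proxy's Request Authenticator and the proxy-to-server secret. A mismatched secret on either hop therefore fails closed (the NAD discards the reply) rather than silently letting traffic through, which is why the guide lists both secrets as prerequisites.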
Caution: Do not configure the MAC address in a MAC Filter for a directly connected ASA VPN device without also entering the IP address. Without the optional IP address, VPN clients are allowed to bypass policy enforcement. This happens because the VPN is a Layer 3 hop for clients: the ASA uses its own MAC address as the source address for every packet it forwards toward the Inline Posture node, so a MAC-only filter matches all VPN client traffic, not just the ASA's own management traffic.

Procedure
Step 1 Choose Administration > System > Deployment.
Step 2 Check the Inline Posture node check box in the Deployment Nodes page and click Edit.
Step 3 Check the Inline PEP check box on the General Settings tab. The Administration, Monitoring, and Policy Service check boxes are automatically unchecked.
The tabs change to General Settings, Basic Information, Deployment Modes, Filters, Radius Config, Managed Subnets, Static Routes, Logging, and Failover.
Note: A newly registered Inline Posture node comes up with a default IP address of 192.168.1.100, a subnet mask of 255.255.255.0, and a default gateway of 192.168.1.1. Change these values to fit your deployment on the Basic Information tab (Step 4).

Step 4 Click the following tabs and enter the appropriate information for the fields in the tabs.
• Basic Information
• Deployment Modes: A newly registered Inline Posture node comes up in maintenance mode. For production purposes, you must choose the Routed or Bridged mode.
• Filters: Enter the subnet address and subnet mask for the client device, or the MAC address and IP address of the device on which to filter. You can use MAC and subnet filters to bypass Inline Posture enforcement for certain endpoints or devices on the untrusted side of the network. For example, if VPN or WLC management traffic is required to pass through Inline Posture, you would not want to subject those particular NADs to Cisco ISE policy enforcement. By providing the MAC address and IP address for these NADs on a filter, you can then access the user interface or configuration terminal by way of Inline Posture without restrictions. Enter both the MAC and the IP address for a directly connected ASA VPN device (see the caution above); a MAC-only entry exempts all of its VPN clients.
• Radius Config: RADIUS configuration is mandatory. At least one client and one server configuration is necessary for Inline Posture.
• Managed Subnets: For subnets of endpoints that are in Layer 2 proximity to the Inline Posture node (such as a WLC), you must configure managed subnets. This configuration requires an unused IP address in the same subnet as the managed subnet, along with the VLAN (if any) of the subnet. You can have multiple managed subnet entries. You must enter the following values: IP Address, Subnet Mask, VLAN ID, and Description.
• Static Routes: Enter the subnet address and subnet mask, and choose Trusted or Untrusted from the Interface Type drop-down list. Repeat this step as needed for your configuration.
When the subnets of the endpoints under Cisco ISE control are Layer 3 away from the Inline Posture node, a static route entry is needed. For example, if a VPN gateway device (that sends managed subnet traffic to the Inline Posture untrusted interface) is two hops away, its client subnet needs to have a static route defined for Inline Posture. The network on the trusted side should know to send traffic to the Inline Posture trusted interface.
• Logging: Click the Logging tab and enter the IP address and port number for the logging server, which is typically the Monitoring node.
An IP address and port (default 20514) for logging Inline Posture events are mandatory. This requirement ensures that the viable status of the Inline Posture node is displayed in the Cisco ISE dashboard in the System Summary dashlet, and that other log information regarding the nodes is available.
• Failover: This tab is for Inline Posture High Availability configuration.
Step 5 Click Save. The Inline Posture node restarts automatically.
Step 6 To verify the automatically generated Inline Posture NAD listing, go to Administration > Network Resources > Default Device. For a standalone node, the IP address for that node is used. For a high-availability pair, the service IP address for the active node is used.
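The MAC filter caution above is worth making concrete. The following is an added illustration, not Cisco code: it models the filter semantics the caution describes (a bypass filter exempts a frame when every configured field matches the frame's source fields) and the Layer 3 rewrite an ASA performs, using constructed MAC and IP addresses. It compares a MAC-only filter with a MAC-plus-IP filter against frames from VPN clients behind the ASA.

```python
"""Why a MAC-only bypass filter for a directly connected ASA exempts every
VPN client behind it. Added illustration, not Cisco code: the filter
semantics modelled (a filter exempts a frame when all of its configured
fields match the frame's source fields) and all addresses are assumptions."""
from dataclasses import dataclass
from typing import Optional

ASA_MAC, ASA_IP = "00:1b:2c:3d:4e:5f", "10.0.0.2"  # constructed


@dataclass(frozen=True)
class Frame:
    src_mac: str
    src_ip: str


@dataclass(frozen=True)
class BypassFilter:
    mac: str
    ip: Optional[str] = None  # optional in the UI; that is the trap

    def exempts(self, frame: Frame) -> bool:
        """Exempt only when every configured field matches the frame."""
        if frame.src_mac.lower() != self.mac.lower():
            return False
        return self.ip is None or frame.src_ip == self.ip


def asa_forwards(client_ip: str) -> Frame:
    """The ASA is a Layer 3 hop: it rewrites the Ethernet header, so every
    client packet leaves it with the ASA's own MAC as source address."""
    return Frame(src_mac=ASA_MAC, src_ip=client_ip)


def enforced_clients(bypass: BypassFilter, client_ips):
    """Return the client IPs that still pass through posture enforcement."""
    return [ip for ip in client_ips if not bypass.exempts(asa_forwards(ip))]


def compare_filters(client_ips=("172.16.5.10", "172.16.5.11")):
    mac_only = BypassFilter(mac=ASA_MAC)
    mac_and_ip = BypassFilter(mac=ASA_MAC, ip=ASA_IP)
    asa_mgmt = Frame(src_mac=ASA_MAC, src_ip=ASA_IP)  # the ASA's own management traffic
    return {
        "mac_only_enforces": enforced_clients(mac_only, client_ips),      # []: every client bypasses
        "mac_and_ip_enforces": enforced_clients(mac_and_ip, client_ips),  # every client enforced
        "mac_and_ip_still_exempts_asa": mac_and_ip.exempts(asa_mgmt),     # management still bypasses
    }
```

The MAC-plus-IP filter still exempts the ASA's own management traffic (source IP equal to the ASA's), so adding the IP address costs nothing operationally and closes the bypass for everything the ASA forwards on behalf of clients.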
What to Do Next

To complete the deployment of the Inline Posture node, you must create DACLs, authorization profiles, and authorization policy rules: unknown, compliant, and noncompliant.

Note: It is important to associate the appropriate downloadable access control list (DACL) with the corresponding profile. For example, the unknown DACL should be associated with the unknown authorization profile.

Create Inline Posture Downloadable Access Control Lists

Downloadable access control lists (DACLs) are building blocks for authorization profiles, and they provide the rules for the profiles to follow. Access control lists (ACLs) prevent unwanted traffic from entering the network by filtering on source and destination IP addresses, transport protocols, and other variables; a DACL is an ACL that Cisco ISE delivers to the enforcement point over RADIUS as part of the authorization result.

After you create DACLs as named permission objects, add them to authorization profiles, which you then specify as the result of an authorization policy.

Before You Begin
To perform the following task, you must be a Super Admin or System Admin.

Procedure
Step 1 Choose Policy > Policy Elements > Results > Authorization > Downloadable ACLs.
Step 2 Click Add.
Step 3 Enter the name of the DACL and its description.
Step 4 Create the following DACLs:
• ipn-compliant (Permit All): Use the following syntax:
  permit ip any any
• ipn-noncompliant (Deny All): Use the following syntax:
  deny ip any any
• ipn-unknown (Pre-Posture): Use at least one ACL entry to allow supplicants and the Policy Service node to have access to each other for posture evaluation. This DACL can be used to block or quarantine users until posture assessment completes. Entries are evaluated in order and the first match wins. Here is an example syntax:
  deny tcp any any eq 80
  deny tcp any any eq 443
  permit ip any 10.1.2.4 0.0.0.0
  permit udp any any eq 53
  deny ip any any
Step 5 Save the DACLs.
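Because the pre-posture DACL is evaluated top-down with first match, its entry order decides what an unknown-posture client can reach. The following is an added example, not Cisco code: a small evaluator for the ACE subset used on this page (permit/deny, ip/tcp/udp, any, host, address plus wildcard mask, eq port) run against the ipn-unknown body above. The Policy Service node address 10.1.2.4 is the one on the page; the client and destination addresses are constructed, and the port 8443 used for the agent-to-PSN flow is an assumption.

```python
"""Evaluate Cisco-style DACL entries (first match wins) against sample flows.
Added example, not Cisco code. Handles the ACE subset on this page:
  permit|deny ip|tcp|udp <src> <dst> [eq <port>]
where an address is 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' (wildcard mask).
10.1.2.4 is the PSN address from the page; other addresses are constructed."""
import ipaddress


def _parse_addr(tokens):
    """Consume one address spec; return (match function, remaining tokens)."""
    if tokens[0] == "any":
        return (lambda ip: True), tokens[1:]
    if tokens[0] == "host":
        target = int(ipaddress.IPv4Address(tokens[1]))
        return (lambda ip, t=target: int(ip) == t), tokens[2:]
    base = int(ipaddress.IPv4Address(tokens[0]))
    wild = int(ipaddress.IPv4Address(tokens[1]))  # wildcard mask: 1 bits are "don't care"
    return (lambda ip, b=base, w=wild: (int(ip) | w) == (b | w)), tokens[2:]


def parse_dacl(text):
    """Turn a DACL body into an ordered list of ACE dicts."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        action, proto = tokens[0], tokens[1]
        if action not in ("permit", "deny") or proto not in ("ip", "tcp", "udp"):
            raise ValueError(f"unsupported ACE: {line!r}")
        src, rest = _parse_addr(tokens[2:])
        dst, rest = _parse_addr(rest)
        port = None
        if rest:
            if rest[0] != "eq" or proto == "ip":
                raise ValueError(f"unsupported port qualifier in: {line!r}")
            port = int(rest[1])
        aces.append({"line": line, "action": action, "proto": proto,
                     "src": src, "dst": dst, "dport": port})
    return aces


def evaluate(aces, proto, src, dst, dport=None):
    """Return (action, matching line); implicit deny when nothing matches."""
    src, dst = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for ace in aces:
        if ace["proto"] not in ("ip", proto):
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        if ace["src"](src) and ace["dst"](dst):
            return ace["action"], ace["line"]
    return "deny", "<implicit deny>"


# The ipn-unknown body from the page.
PRE_POSTURE_DACL = """
deny tcp any any eq 80
deny tcp any any eq 443
permit ip any 10.1.2.4 0.0.0.0
permit udp any any eq 53
deny ip any any
"""


def check_pre_posture(dacl_text=PRE_POSTURE_DACL, psn="10.1.2.4", client="192.0.2.10"):
    """Checks a practitioner would run on ipn-unknown before deploying it."""
    aces = parse_dacl(dacl_text)
    return {
        # Agent traffic to the PSN on a non-web port (8443 assumed) reaches the host permit.
        "psn_8443": evaluate(aces, "tcp", client, psn, 8443)[0],
        # DNS is needed to resolve the redirect target.
        "dns": evaluate(aces, "udp", client, "198.51.100.53", 53)[0],
        # Ordinary web traffic is denied, which is what the URL redirect relies on.
        "web_80": evaluate(aces, "tcp", client, "203.0.113.7", 80)[0],
        # Ordering caveat: the deny on 443 precedes the PSN permit and shadows it.
        "psn_443": evaluate(aces, "tcp", client, psn, 443)[0],
        # Everything else falls through to the final deny.
        "ssh_elsewhere": evaluate(aces, "tcp", client, "203.0.113.7", 22)[0],
    }
```

The `psn_443` result is the one to look at: as written, TCP 443 to the Policy Service node is denied by the second entry before the host permit is reached. If the service the client must reach on the PSN during posture listens on 443, move the host permit above the two deny entries; if it listens elsewhere, the order above is fine.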
What to Do Next
Create Inline Posture node profiles.

Create Inline Posture Node Profiles

You must create three Inline Posture authorization profiles, as well as an authorization profile for a NAD. All Inline Posture inbound profiles are automatically set to cisco-av-pair=ipep-authz=true so that the Inline Posture node applies these rules instead of proxying them on to the NADs. The URL redirect is essential for client provisioning, as well as agent discovery redirection.

Before You Begin
To perform the following task, you must be a Super Admin, System Admin, or Policy Admin.

Procedure
Step 1 Choose Policy > Policy Elements > Results > Authorization > Inline Posture Node Profiles.
Step 2 Click Add.
Step 3 Enter a name and description for the authorization profile. Supported characters for the name field are: space, ! # $ % & ' ( ) * + , - . / ; = ? @ _ {
Note: You can configure a RADIUS Reply Message = NAD Profile to see NAD Profile in the RADIUS log messages for Inline Posture. This configuration can be helpful for troubleshooting at a later time.
Step 4 Create the following authorization profiles for Inline Posture that correspond to the DACLs you created. Specify the appropriate DACL for each of the following authorization profiles:
• IPN-Unknown-Compliant (Pre-Posture): This profile requires that you enter a URL redirect. To do this, check the URL Redirect check box. The URL redirect appears in the Attributes Details field. The user is redirected to a web page where they download and install an agent. The agent then scans the system. If the system passes, the user is automatically granted full access. If the system does not pass, access is denied.
• IPN-Compliant (Permit All)
• IPN-Noncompliant (Deny All)
Step 5 Click Submit.

What to Do Next
Create an Inline Posture authorization policy.

Create an Inline Posture Authorization Policy

Authorization policies provide the means for controlling access to the network and its resources. Cisco ISE lets you define a number of rules when creating authorization policies.
The elements that define the authorization policy are referenced when you create policy rules. Your choice of conditions and attributes determines which authorization profile is applied.

Before You Begin
To perform the following task, you must be a Super Admin or System Admin.

Procedure
Step 1 Choose Policy > Authorization.
Step 2 Leave the default rules as is.
Step 3 Create the following Unknown Posture Status Rule:
• Identity Group: Any
• Condition: Session:PostureStatus EQUALS Unknown
• Permissions: IPN-Unknown-Compliant + nad-authorization-profile
Step 4 Create the following Compliant Posture Rule:
• Identity Group: Any
• Condition: Session:PostureStatus EQUALS Compliant
• Permissions: IPN-Compliant + nad-authorization-profile
Step 5 Create the following Noncompliant Posture Rule:
• Identity Group: Any
• Condition: Session:PostureStatus EQUALS Noncompliant
• Permissions: IPN-Noncompliant + nad-authorization-profile
Step 6 Save the policy. The Inline Posture node deployment is now complete.

What to Do Next
Configure the Inline Posture node as a RADIUS client in the Administration node.

Configure a High-Availability Pair

When you configure two Inline Posture nodes for high availability, you specify one node as the primary unit in the pair and it becomes the active node by default. The other becomes the secondary node, which is a standby unit in case of failure.

A high-availability node failover prompts the standby node to take over the service IP address. After this process occurs, an administrator must correct the failed Inline Posture node and revert it to the earlier configuration as needed. Because high-availability failover is stateless, all active sessions are automatically reauthorized after a failover occurs.
In the example that is presented, the service IP address used for the bridged mode high availability pair is different from the physical IP addresses of the Inline Posture nodes, effectively creating a cluster. The WLC interacts with the cluster as a single unit, using the service IP address. For this reason, the service IP is defined for the trusted and untrusted networks.

Note: Both nodes in a high availability pair must use the same mode, either bridged or routed. Mixed modes are not supported on Inline Posture high availability pairs.

Before You Begin
• To perform the following task, you must be a Super Admin or System Admin.
• You should have successfully configured two (2) Inline Posture nodes, and registered them on the Cisco ISE network.
• The eth2 and eth3 interfaces of both nodes in an Inline Posture high availability pair (primary and secondary) communicate with heartbeat protocol exchanges to determine the health of the nodes. For the heartbeat to work, you must connect the eth2 interface of the primary Inline Posture node to the eth2 interface of the secondary node using an Ethernet cable. Likewise, the eth3 interface of the primary Inline Posture node must be connected to the eth3 interface of the secondary node with an Ethernet cable.
• For RADIUS purposes, you need a service IP address that you will assign to both the trusted and untrusted interfaces of the Inline Posture active-standby cluster during the course of this procedure.
• Have all necessary network configuration information for your installation on hand. Check with your system architect for a complete list of information you will need.

Procedure
Step 1 Choose Administration > System > Deployment.
Step 2 Check the check box next to the Inline Posture node that you want to designate as the primary node, and click Edit.
Step 3 On the General Settings tab, verify the node name and that the Inline PEP check box is selected, then choose Active as the HA Role from the drop-down list.
Step 4 Click the Failover tab, and check the HA Enabled check box.
Step 5 Enter the appropriate information in the fields.
Step 6 Click Save. Both Inline Posture nodes restart. When the nodes come back up, they are configured as primary and secondary, according to the settings you specified.
Step 7 Verify the node status by checking the check box next to it, and then clicking the Failover tab. Ensure that your primary and secondary Inline Posture nodes are configured correctly.

What to Do Next
Configure the Inline Posture node as a RADIUS client in the Administration node.