Synchronize an Inline Posture Node

When a node in a high-availability pair is down and configuration changes are made to the single active node, there is no mechanism that automatically populates the failed node with the new configuration when it comes back up. The Sync-up Peer Node button that appears in the Inline Posture high-availability user interface on the active node allows you to manually synchronize the standby node with the latest Inline Posture database from the active node.

Before You Begin

• You must be a Super Admin or System Admin.
• You must configure two Inline Posture nodes.
• You must establish a relationship between the two nodes.

Procedure

Step 1 Choose Administration > System > Deployment.
Step 2 Check the check box next to the Inline Posture node that you want to sync with the other node (usually the active node), and click the Edit icon.
Step 3 Click the Failover tab.
Step 4 Click Sync Peer Node. Data from the selected node is automatically transferred to its peer node.

Configure Inline Posture Node as RADIUS Client in Administration Node

For an Inline Posture node to act as a RADIUS proxy, you must add it as a RADIUS client in the Administration node.

Before You Begin

• You must be a Super Admin or System Admin.
• You must deploy Inline Posture in your Cisco ISE deployment.

Procedure

Step 1 Choose Administration > Network Resources > Network Devices.
Step 2 In the Network Devices navigation panel, click Network Devices.
Step 3 Enter a Name and an optional Description for the device.
Step 4 Enter the IP address of the Inline Posture node.
• For a standalone Inline Posture node, enter the IP address for the trusted interface.
• For a high availability pair, enter the service IP address for the trusted interface.

Cisco Identity Services Engine Administrator Guide, Release 1.3 75
Step 5 Enter a Model Name and Software Version, as necessary.
Step 6 For the Network Device Group, specify a Location and Device Type, as necessary.
Step 7 Check the Authentication Settings check box, and enter the RADIUS shared secret information.
Step 8 Click Save.

Remove an Inline Posture Node from Deployment

To remove an Inline Posture node from a deployment, you must first change its deployment to maintenance mode and then deregister it. Maintenance mode is a neutral state that allows the node to smoothly transition to the network or from a deployment.

Before You Begin

To perform the following task, you must be a Super Admin or System Admin.

Procedure

Step 1 Choose Administration > System > Deployment.
Step 2 Check the check box next to the Inline Posture node that you want to remove from the deployment, and click Edit.
Step 3 Click the Deployment Modes tab.
Step 4 Click the Maintenance Mode radio button, and then click Save.
Step 5 Click Deployment on the left pane, and then check the check box next to the Inline Posture node that you want to remove from the deployment.
Step 6 Click Deregister.
Step 7 Click OK.

Health of an Inline Posture Node

You can monitor the health of a deployed Inline Posture node from the Cisco ISE dashboard that is running on the Administration node. The Inline Posture node appears on the System Summary dashlet. A green icon with a check mark means that the system is healthy. A yellow icon indicates a warning, and a red icon indicates a critical system failure. Sparklines indicate the utilization of CPU, memory, and latency over time. You can choose to display data for the past 24 hours or the last 60 minutes.
When you hover your mouse cursor over the health icon, a quick view dialog appears showing detailed information on system health.

Figure 10: System Summary Quick View Status

Remote Access VPN Use Case

This section describes how to use an Inline Posture node with a VPN device such as ASA in a Cisco ISE network. The following figure shows a Cisco ISE deployment that uses an Inline Posture node for remote VPN access. The term iPEP in this illustration refers to the Inline Posture node and PDP refers to the Policy Service node. All the traffic from the VPN gateway must go through the Inline Posture node to ensure that Cisco ISE can apply policies and secure a network.

Figure 11: Cisco ISE Deployment with Inline Posture Node

Process Flow

1 Remote user authenticates to VPN gateway (ASA) using the RADIUS protocol.
2 As a RADIUS client, the ASA sends an authentication request to the AAA server (Inline Posture node).
3 As a RADIUS proxy, the Inline Posture node relays the RADIUS authentication request to the Cisco ISE node that acts as the RADIUS server (Policy Service node).
4 The Cisco ISE Policy Service node authenticates the remote user using the configured identity store and returns the RADIUS response to the Inline Posture node, which in turn relays it to the ASA (the network access device (NAD)).
5 Based on the authorization policy that is applicable for the user, the Policy Service node returns the appropriate attributes to the Inline Posture node and, optionally, to the ASA.
6 Each authorization policy rule entry can reference separate authorization profiles for both the Inline Posture node profile and the NAD (standard authorization profile).
  Inline Posture node profile: Specifies RADIUS attributes to be applied to the Inline Posture node, such as a URL for redirection to the Client Provisioning service and downloadable access control lists (DACLs) for policy enforcement by the Inline Posture node.
  Standard authorization profile: Specifies any RADIUS attributes intended for the NAD, which is ASA in this example.
7 If the authorization policy determines that the endpoint is NonCompliant with the posture policy, or if the posture status is Unknown, then the Policy Service node returns a URL redirect attribute value to the Inline Posture node along with a DACL to specify the traffic to be allowed. All HTTP/HTTPS traffic denied by the DACL is redirected to the specified URL.
8 When the posture becomes Compliant, a reauthorization occurs and the Policy Service node sends a new DACL to the Inline Posture node, which provides the user privileged access to the internal network.

Configure an Inline Posture Node with a VPN Device

Before You Begin

Ensure that your network infrastructure is configured correctly to route or switch traffic to and from the Inline Posture node and its downstream networks.

Procedure

Step 1 Configure a standalone Cisco ISE node.
Step 2 Register the standalone Cisco ISE node as an Inline Posture node to an existing PAN, and configure the Inline Posture node from the PAN.
Step 3 Optionally, you can configure a second Inline Posture node and configure an Active/Standby pair.
Step 4 Set up a Policy Service node to be the RADIUS server for the Inline Posture node. Configure the Policy Service node with the same RADIUS shared secret that is configured on the Inline Posture node.
Step 5 Configure authorization profiles (Inline Posture node profiles) for use by the Inline Posture node.
Step 6 (Optional) You can configure standard authorization profiles for the NAD’s use.
Step 7 Configure an authorization policy to apply the Inline Posture node profiles to remote VPN users based on identity and posture status.
Step 8 Add the VPN gateway’s inside IP address as a RADIUS client in the Inline Posture node’s RADIUS configuration along with the NAD’s (ASA in this example) RADIUS shared secret.
Step 9 Configure the VPN gateway (ASA) for RADIUS authentication and accounting with the Inline Posture node configured as the RADIUS server. To do this:
a) Choose Policy > Authentication.
b) Ensure that the Default Rule is configured to authenticate users against the identity source that contains the user records.
c) Click Save.

Collection of Inline Posture Node Logs

From the Inline Posture node CLI, all the logs can be archived and collected using the backup-logs command.
PEP/admin# config terminal
PEP/admin# repository remoteloc
PEP/admin# url ftp://myremoteserver/store
PEP/admin# user password plain
PEP/admin# end
PEP/admin# backup-logs myipeplogs repository remoteloc
% Creating log backup with timestamped filename: myipeplogs-110317-1836.tar.gz

Note: Collecting Inline Posture node logs remotely from the Primary Administration UI is not supported.

Kclick process in Inline Posture Node

The Click kernel module process, called kclick, owns CPU scheduling in the Inline Posture node. Kclick provides the CPU cycles for other processes that request it. Because of this, the 'top' output on an Inline Posture node displays kclick using all the CPU cycles in the system, including idle cycles.
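The RADIUS proxy relay in steps 2 through 4 of the Remote Access VPN process flow above depends on the two shared secrets configured in Step 4 (Policy Service node) and Step 8 (NAD) of the VPN device procedure: the Inline Posture node must check each message with one secret and re-authenticate it with the other. The following Python model is an added illustration and is not Cisco ISE code; it assumes the proxy keeps the NAD's Identifier and Request Authenticator when relaying (a real proxy may allocate its own), and all secrets and attribute values are constructed.

```python
import hashlib, hmac, os, struct
ACCESS_REQUEST, ACCESS_ACCEPT, MESSAGE_AUTHENTICATOR = 1, 2, 80

def build_packet(code, ident, authenticator, attrs):
    # RADIUS header (Code, Identifier, Length, Authenticator) followed by TLV attributes
    body = b"".join(struct.pack("BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def parse_attrs(packet):
    attrs, i = [], 20
    while i < len(packet):
        t, length = packet[i], packet[i + 1]
        attrs.append((t, packet[i + 2:i + length]))
        i += length
    return attrs

def message_authenticator(code, ident, authenticator, attrs, secret):
    # RFC 2869: HMAC-MD5 over the packet with the Message-Authenticator value zeroed
    zeroed = [(t, bytes(16) if t == MESSAGE_AUTHENTICATOR else v) for t, v in attrs]
    return hmac.new(secret, build_packet(code, ident, authenticator, zeroed), "md5").digest()

def sign_request(ident, attrs, secret, authenticator=None):
    # Access-Request as the NAD (ASA) sends it; fresh Request Authenticator unless one is given
    authenticator = authenticator or os.urandom(16)
    attrs = attrs + [(MESSAGE_AUTHENTICATOR, bytes(16))]
    attrs[-1] = (MESSAGE_AUTHENTICATOR, message_authenticator(ACCESS_REQUEST, ident, authenticator, attrs, secret))
    return build_packet(ACCESS_REQUEST, ident, authenticator, attrs)

def request_is_valid(packet, secret):
    attrs = parse_attrs(packet)
    received = dict(attrs).get(MESSAGE_AUTHENTICATOR, b"")  # absent attribute can never match
    return hmac.compare_digest(message_authenticator(packet[0], packet[1], packet[4:20], attrs, secret), received)

def proxy_request(packet, nad_secret, psn_secret):
    # iPEP role (flow steps 2-3): verify with the NAD's secret, then re-sign the same request for the PSN
    if not request_is_valid(packet, nad_secret):
        raise ValueError("Access-Request failed Message-Authenticator check")
    attrs = [(t, v) for t, v in parse_attrs(packet) if t != MESSAGE_AUTHENTICATOR]
    return sign_request(packet[1], attrs, psn_secret, packet[4:20])

def response_authenticator(code, ident, request_auth, attrs, secret):
    # RFC 2865: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return hashlib.md5(build_packet(code, ident, request_auth, attrs) + secret).digest()

def proxy_response(packet, request_auth, psn_secret, nad_secret):
    # iPEP role (flow step 4): check the PSN's Access-Accept, then recompute the authenticator for the NAD
    attrs = parse_attrs(packet)
    if not hmac.compare_digest(response_authenticator(packet[0], packet[1], request_auth, attrs, psn_secret), packet[4:20]):
        raise ValueError("Access-Accept failed Response Authenticator check")
    return build_packet(packet[0], packet[1], response_authenticator(packet[0], packet[1], request_auth, attrs, nad_secret), attrs)
```

A mismatched secret on either hop shows up as a failed authenticator check at the proxy rather than as a silently rejected login, which is the first thing to confirm when the ASA reports RADIUS timeouts.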
PART III Setup Cisco ISE Management Access

• Administer Cisco ISE, page 83
• Manage Administrators and Admin Access Policies, page 97
• Cisco ISE Licenses, page 119
• Manage Certificates, page 127
• Manage Network Devices, page 173
• Manage Resources, page 197
• Logging Mechanism, page 201
• Backup and Restore Operations, page 213
• Setup Endpoint Protection Service, page 231
CHAPTER 5 Administer Cisco ISE

• Log in to Cisco ISE, page 83
• Specify Proxy Settings in Cisco ISE, page 84
• Ports Used by the Admin Portal, page 85
• Enable External RESTful Services APIs, page 85
• External RESTful Services SDK, page 86
• Specify System Time and NTP Server Settings, page 86
• Change the System Time Zone, page 87
• Configure SMTP Server to Support Notifications, page 88
• Install a Software Patch, page 88
• Roll Back Software Patches, page 90
• View Patch Install and Rollback Changes, page 91
• FIPS Mode Support, page 91
• Configure Cisco ISE for Administrator CAC Authentication, page 91
• Securing SSH Key Exchange Using Diffie-Hellman Algorithm, page 94
• Configure Cisco ISE to Send Secure Syslog, page 94
• Offline Maintenance, page 96

Log in to Cisco ISE

Log in to Cisco ISE using your administrator username and password.

During the initial setup, if you do not enable SSH, you will not be able to access the ISE admin console via SSH. To enable SSH, enter the service sshd enable command in global configuration mode by accessing the Cisco ISE CLI. You can disable SSH by using the no service sshd command in global configuration mode.
Procedure

Step 1 Enter the Cisco ISE URL in the address bar of your browser (for example, https:///admin/).
Step 2 Enter the username and case-sensitive password that were specified and configured during the initial Cisco ISE setup.
Step 3 Click Login or press Enter.
If your login is unsuccessful, click the Problem logging in? link in the Login page and follow the instructions.

Administrator Login Browser Support

The Cisco ISE Admin portal supports the following HTTPS-enabled browsers:
• Mozilla Firefox versions 31.x ESR, 32.x, and 33.x
• Microsoft Internet Explorer 10.x and 11.x

Adobe Flash Player 11.2.0.0 or above must be installed on the system running your client browser.
The minimum required screen resolution to view the Admin portal and for a better user experience is 1280*800 pixels.

Administrator Lockout Following Failed Login Attempts

If you enter an incorrect password for your specified administrator user ID enough times, the Admin portal “locks you out” of the system, adds a log entry in the Server Administrator Logins report, and suspends the credentials for that administrator ID until you have an opportunity to reset the password that is associated with that administrator ID, as described in the “Performing Post-Installation Tasks” chapter of the Cisco Identity Services Engine Hardware Installation Guide. The number of failed attempts that is required to disable the administrator account is configurable according to the guidelines that are described in the 'User Account Custom Attributes and Password Policies' section. After an administrator user account gets locked out, an e-mail is sent to the associated administrator user.

Disabled System administrators' status can be enabled by any Super Admin, including Active Directory users.

Specify Proxy Settings in Cisco ISE

If your existing network topology requires you to use a proxy for Cisco ISE to access external resources (such as the remote download site where you can find client provisioning and posture-related resources), you can use the Admin portal to specify proxy properties.
The proxy settings impact the following Cisco ISE functions:
• Partner Mobile Management
• Endpoint Profiler Feed Service Update
• Endpoint Posture Update