Cisco ISE 1.3 User Guide
• Endpoint Posture Agent Resources Download
• CRL (Certificate Revocation List) Download

The Cisco ISE proxy configuration supports basic authentication for proxy servers. NT LAN Manager (NTLM) authentication is not supported.

Procedure
Step 1 Choose Administration > System > Settings > Proxy.
Step 2 Enter the proxy IP address or DNS-resolvable hostname and specify the port through which proxy traffic travels to and from Cisco ISE in Proxy host server : port.
Step 3 Check Password required check box, if required.
Step 4 Enter the username and password used to authenticate to the proxy servers in the User Name and Password fields.
Step 5 Enter the IP address or address range of hosts or domains to be bypassed in Bypass proxy for these hosts and domain.
Step 6 Click Save.

Ports Used by the Admin Portal

The Admin portal is set to use HTTP port 80 and HTTPS port 443, and you cannot change these settings. Cisco ISE also prevents you from assigning any of the end-user portals to use the same ports, which reduces the risk to the Admin portal.

Enable External RESTful Services APIs

The External RESTful Services APIs are based on HTTPS protocol and REST methodology and use port 9060.

The External RESTful Services APIs support basic authentication. The authentication credentials are encrypted and are part of the request header.

You can use any REST client like JAVA, curl linux command, python or any other client to invoke External RESTful Services API calls.

The ISE administrator must assign special privileges to a user to perform operations using the External RESTful Services APIs. To perform operations using the External RESTful Services APIs (except for the Guest API), the users must be assigned to one of the following Admin Groups and must be authenticated against the credentials stored in the Cisco ISE internal database (internal admin users):
• External RESTful Services Admin—Full access to all ERS APIs (GET, POST, DELETE, PUT). This user can Create, Read, Update, and Delete ERS API requests.
• External RESTful Services Operator - Read Only access (GET request only).
The External RESTful Services APIs are not enabled by default. If you try to invoke the External RESTful Services API calls before enabling them, you will receive an error response. You must enable the Cisco ISE REST API in order for applications developed for a Cisco ISE REST API to be able to access Cisco ISE. The Cisco REST APIs use HTTPS port 9060, which is closed by default. If the Cisco ISE REST APIs are not enabled on the Cisco ISE admin server, the client application will receive a time-out error from the server for any Guest REST API request.

Cisco Identity Services Engine Administrator Guide, Release 1.3

Procedure
Step 1 Choose Administration > Settings > ERS Settings.
Step 2 Choose Enable ERS for Read/Write for the Primary Administration Node.
Step 3 Choose Enable ERS for Read for All Other Nodes if there are any secondary nodes.
External RESTful Service requests of all types are valid only for the primary ISE node. Secondary nodes have read-access (GET requests).
Step 4 Click Submit.

All REST operations are audited and the logs are logged in the system logs. External RESTful Services APIs have a debug logging category, which you can enable from the debug logging page of the Cisco ISE GUI.

Related Topics
External RESTful Services SDK

External RESTful Services SDK

You can use the External RESTful Services SDK to start building your own tools. You can access the External RESTful Services SDK from the following URL: https://:9060/ers/sdk. External RESTful Services SDK can be accessed by the External RESTful Services Admin users only.

The SDK consists of the following components:
• Quick reference API documentation
• Complete list of all available API operations
• Schema files available for download
• Sample application in Java available for download
• Use cases in curl script format
• Use cases in python script format
• Instructions on using Chrome Postman

Specify System Time and NTP Server Settings

Cisco ISE allows you to configure up to three Network Time Protocol (NTP) servers. You can use the NTP servers to maintain accurate time and synchronize time across different time zones. You can also specify whether or not Cisco ISE should use only authenticated NTP servers, and you can enter one or more authentication keys for that purpose.
Cisco recommends that you set all Cisco ISE nodes to the Coordinated Universal Time (UTC) time zone—especially if your Cisco ISE nodes are installed in a distributed deployment. This procedure ensures that the reports and logs from the various nodes in your deployment are always in sync with regard to the timestamps.

Before You Begin
You must have either the Super Admin or System Admin administrator role assigned.
If you have both a primary and a secondary Cisco ISE node, you must log in to the user interface of the secondary node and configure the system time and NTP server settings on each Cisco ISE node in your deployment individually.

Procedure
Step 1 Choose Administration > System > Settings > System Time.
Step 2 Enter unique IP addresses for your NTP servers.
Step 3 Check the Only allow authenticated NTP servers check box if you want to restrict Cisco ISE to use only authenticated NTP servers to keep system and network time.
Step 4 (Optional) If you want to authenticate the NTP server using private keys, click the NTP Authentication Keys tab and specify one or more authentication keys if any of the servers that you specify requires authentication via an authentication key, as follows:
a) Click Add.
b) Enter the necessary Key ID and Key Value, specify whether the key in question is trusted by activating or deactivating the Trusted Key option, and click OK. The Key ID field supports numeric values from 1 to 65535 and the Key Value field supports up to 15 alphanumeric characters.
c) Return to the NTP Server Configuration tab when you are finished entering the NTP Server Authentication Keys.
Step 5 Click Save.

Change the System Time Zone

Once set, you cannot edit the time zone from the Admin portal. To change the time zone setting, you must enter the following command in the Cisco ISE CLI:

    clock timezone timezone

Note: Cisco uses POSIX-style signs in the time zone names and the output abbreviations. Therefore, zones west of Greenwich have a positive sign and zones east of Greenwich have a negative sign. For example, TZ='Etc/GMT+4' corresponds to 4 hours behind Universal Time (UT).
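
The POSIX sign convention in the time zone names is easy to get backwards when logs from nodes in different zones are merged into one timeline. The following added example (not from the Cisco guide) converts node-local timestamps to UTC before sorting; the node names, timestamps and messages are constructed, and only UTC and Etc/GMT±N names are handled.

```python
import re
from datetime import datetime, timedelta, timezone

_ETC_GMT = re.compile(r"^Etc/GMT([+-])(\d{1,2})$")


def posix_zone_to_tz(name):
    """Map 'UTC' or a POSIX-style 'Etc/GMT+N' name to a fixed-offset tzinfo.

    The POSIX sign is inverted relative to ISO 8601: 'Etc/GMT+4' is UTC-04:00.
    """
    if name in ("UTC", "Etc/UTC", "Etc/GMT"):
        return timezone.utc
    match = _ETC_GMT.match(name)
    if not match:
        raise ValueError(f"unsupported zone name: {name!r}")
    sign, hours = match.group(1), int(match.group(2))
    # The tz database defines Etc/GMT-14 (furthest east) to Etc/GMT+12 (furthest west).
    if hours > (12 if sign == "+" else 14):
        raise ValueError(f"offset out of range: {name!r}")
    # '+' in the name means west of Greenwich, i.e. behind UTC.
    return timezone(timedelta(hours=-hours if sign == "+" else hours), name)


def to_utc(local_stamp, zone_name):
    """Interpret a node-local 'YYYY-MM-DD HH:MM:SS' stamp and convert it to UTC."""
    naive = datetime.strptime(local_stamp, "%Y-%m-%d %H:%M:%S")
    return naive.replace(tzinfo=posix_zone_to_tz(zone_name)).astimezone(timezone.utc)


# Constructed sample: (node, configured zone, node-local timestamp, message).
# Node names and events are hypothetical, not taken from an ISE deployment.
SAMPLE_EVENTS = [
    ("ise-psn-1", "Etc/GMT+4", "2015-03-01 08:00:05", "Admin login failed"),
    ("ise-pan-1", "UTC",       "2015-03-01 12:00:00", "Patch install started"),
    ("ise-mnt-1", "Etc/GMT-1", "2015-03-01 13:00:02", "Admin login succeeded"),
]


def merged_timeline(events):
    """Return (utc_time, node, message) tuples in true chronological order."""
    rows = [(to_utc(stamp, zone), node, msg) for node, zone, stamp, msg in events]
    return sorted(rows, key=lambda row: row[0])


if __name__ == "__main__":
    for when, node, msg in merged_timeline(SAMPLE_EVENTS):
        print(when.isoformat(), node, msg)
```

Sorted by local wall-clock time the three events appear in the order psn, pan, mnt; after conversion the real order is pan, mnt, psn, all within five seconds of each other.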
Caution: Changing the time zone on a Cisco appliance after installation requires services to be restarted on that particular node. Hence we recommend that you perform such changes within a maintenance window. Also, it is important to have all the nodes in a single deployment configured to the same time zone. If you have nodes located in different geographical locations or time zones, you should use a global time zone such as UTC on all the nodes.

For more information on the clock timezone command, refer to the Cisco Identity Services Engine CLI Reference Guide.

Configure SMTP Server to Support Notifications

You must set up a Simple Mail Transfer Protocol (SMTP) server to send e-mail notifications for alarms, to enable sponsors to send email notification to guests with their login credentials and password reset instructions, and to enable guests to automatically receive their login credentials after they successfully register themselves and with actions to take before their guest accounts expire.

Procedure
Step 1 Choose Administration > System > Settings > SMTP Server.
Step 2 Choose Settings > SMTP Server.
Step 3 Enter the host name of the outbound SMTP server in the SMTP server field. This SMTP host server must be accessible from the Cisco server. The maximum length for this field is 60 characters.
Step 4 Choose one of these options:
• Use email address from Sponsor to send guest notification e-mail from the e-mail address of the sponsor and choose Enable Notifications.
• Use Default email address to specify a specific e-mail address from which to send all guest notifications and enter it in the Default email address field.
Step 5 Click Save.

The recipient of alarm notifications can be any internal admin users with “Include system alarms in emails” option enabled. The sender’s email address for sending alarm notifications is hardcoded as ise@.

Install a Software Patch

You can install patches on Cisco servers in your deployment from the Primary PAN. To install a patch from the Primary PAN, you must download the patch from Cisco.com to the system that runs your client browser.

Note: Cisco ISE allows you to install a patch on an Inline Posture node only through the CLI.

To install patches from the CLI, refer to Cisco Identity Services Engine CLI Reference Guide.
Before You Begin
• You must have the Super Admin or System Admin administrator role assigned.

Procedure
Step 1 Choose Administration > System > Maintenance > Patch Management > Install.
Step 2 Click Browse and choose the patch that you downloaded from Cisco.com.
Step 3 Click Install to install the patch.
After the patch is installed on the PAN, Cisco logs you out and you have to wait for a few minutes before you can log in again.
Note: When patch installation is in progress, Show Node Status is the only function that is accessible on the Patch Management page.
Step 4 Choose Administration > System > Maintenance > Patch Management to return to the Patch Installation page.
Step 5 Click the radio button next to the patch that you have installed on any secondary node and click Show Node Status to verify whether installation is complete.

What to Do Next
If you need to install the patch on one or more secondary nodes, ensure that the nodes are up and repeat the process to install the patch on the remaining nodes.

Cisco Software Patches

Cisco software patches are usually cumulative. Cisco allows you to perform patch installation and rollback from CLI or GUI.

Related Topics
Software Patch Installation Guidelines
Software Patch Rollback Guidelines
Install a Software Patch
Roll Back Software Patches

Software Patch Installation Guidelines

When you install or roll back a patch from a standalone or Primary PAN, Cisco restarts the application. You might have to wait for a few minutes before you can log in again.

Ensure that you install patches that are applicable for the Cisco version that is deployed in your network. Cisco reports any mismatch in versions as well as any errors in the patch file.

You cannot install a patch with a version that is lower than the patch that is currently installed on Cisco. Similarly, you cannot roll back changes of a lower-version patch if a higher version is currently installed on Cisco. For example, if patch 3 is installed on your Cisco servers, you cannot install or roll back patch 1 or 2.
When you install a patch from the Primary PAN that is part of a distributed deployment, Cisco ISE installs the patch on the primary node and then all the secondary nodes in the deployment. If the patch installation is successful on the Primary PAN, Cisco ISE then continues patch installation on the secondary nodes. If it fails on the Primary PAN, the installation does not proceed to the secondary nodes. However, if the installation fails on any of the secondary nodes for any reason, it still continues with the next secondary node in your deployment. Secondary Cisco ISE nodes are restarted consecutively after the patch is installed on those nodes. While installing a patch on secondary nodes, you can continue to perform tasks on the Primary PAN.

When you install a patch from the Primary PAN that is part of a two-node deployment, Cisco installs the patch on the primary node and then on the secondary node. If the patch installation is successful on the Primary PAN, Cisco then continues patch installation on the secondary node. If it fails on the Primary PAN, the installation does not proceed to the secondary node. While installing a patch on a secondary node, you can continue to perform tasks on the Primary PAN.

Roll Back Software Patches

When you roll back a patch from the PAN that is part of a distributed deployment, Cisco rolls back the patch on the primary node and then all the secondary nodes in the deployment.

Before You Begin
• You must have either the Super Admin or System Admin administrator role assigned.

Procedure
Step 1 Choose Administration > System > Maintenance > Patch Management.
Step 2 Click the radio button for the patch version whose changes you want to roll back and click Rollback.
Note: When a patch rollback is in progress, Show Node Status is the only function that is accessible on the Patch Management page. After the patch is rolled back from the PAN, Cisco ISE logs you out and you have to wait a few minutes before you can log in again.
Step 3 After you log in, click the Alarms link at the bottom of the page to view the status of the rollback operation.
Step 4 Choose Administration > System > Maintenance > Patch Management.
Step 5 To view the progress of the patch rollback, choose the patch in the Patch Management page and click Show Node Status.
Step 6 Click the radio button for the patch and click Show Node Status on a secondary node to ensure that the patch is rolled back from all the nodes in your deployment.
If the patch is not rolled back from any of the secondary nodes, ensure that the node is up and repeat the process to roll back the changes from the remaining nodes. Cisco only rolls back the patch from the nodes that still have this version of the patch installed.

Software Patch Rollback Guidelines

To roll back a patch from Cisco ISE nodes in a deployment, you must first roll back the change from the PAN. If this is successful, the patch is then rolled back from the secondary nodes. If the rollback process fails on the PAN, the patches are not rolled back from the secondary nodes. However, if the patch rollback fails on any secondary node, it still continues to roll back the patch from the next secondary node in your deployment.

While Cisco ISE rolls back the patch from the secondary nodes, you can continue to perform other tasks from the PAN GUI. The secondary nodes will be restarted after the rollback.

View Patch Install and Rollback Changes

The monitoring and troubleshooting component of Cisco ISE provides information on the patch installation and rollback operations that are performed on your Cisco ISE nodes according to a time period that you specify.

Before You Begin
You must have either the Super Admin or System Admin administrator role assigned.

Procedure
Step 1 Choose Operations > Reports > Catalog > Server Instance.
Step 2 Click the Server Operations Audit radio button, click Run, and choose the time period for which you want to generate the report.
Step 3 Click the Launch Interactive Viewer link in the upper right corner of the page to view, sort, and filter the data in this report.

FIPS Mode Support

Cisco ISE Release 1.3 does not support FIPS mode.

Configure Cisco ISE for Administrator CAC Authentication

Before You Begin
Before beginning configuration, do the following:
• Ensure that the domain name server (DNS) in Cisco ISE is set for Active Directory.
• Ensure that Active Directory user and user group membership has been defined for each administrator certificate.

To ensure that Cisco ISE can authenticate and authorize an administrator based on the CAC-based client certificate that is submitted from the browser, be sure that you have configured the following:
• The external identity source (Active Directory in the following example)
• The user groups in Active Directory to which the administrator belongs
• How to find the user's identity in the certificate
• Active Directory user groups to Cisco ISE RBAC permissions mapping
• The Certificate Authority (trust) certificates that sign the client certificates
• A method to determine if a client certificate has been revoked by the CA

You can use a Common Access Card (CAC) to authenticate credentials when logging into Cisco ISE.

Procedure
Step 1 Configure an Active Directory identity source in Cisco ISE and join all Cisco ISE nodes to Active Directory.
Step 2 Configure a certificate authentication profile according to the guidelines.
Be sure to select the attribute in the certificate that contains the administrator user name in the Principal Name X.509 Attribute field. (For CAC cards, the Signature Certificate on the card is normally used to look up the user in Active Directory. The Principal Name is found in this certificate in the "Subject Alternative Name" extension, specifically in a field in that extension that is called "Other Name." So the attribute selection here should be "Subject Alternative Name - Other Name.")
If the AD record for the user contains the user's certificate, and you want to compare the certificate that is received from the browser against the certificate in AD, check the Binary Certificate Comparison check box, and select the Active Directory instance name that was specified earlier.
Step 3 Enable Active Directory for Password-Based Admin Authentication. Choose the Active Directory instance name that you connected and joined to Cisco ISE earlier.
Note: You must use password-based authentication until you complete other configurations. Then, you can change the authentication type to client certificate based at the end of this procedure.
Step 4 Create an External Administrator Group and map it to an Active Directory Group. Choose Administration > System > Admin Access > Administrators > Admin Groups. Create an external system administrator group.
Step 5 Configure an admin authorization policy to assign RBAC permissions to the external admin groups.
Caution: We strongly recommend that you create an external Super Admin group, map it to an Active Directory group, and configure an admin authorization policy with Super Admin permissions (menu access and data access), and create at least one user in that Active Directory Group. This mapping ensures that at least one external administrator has Super Admin permissions once Client Certificate-Based Authentication is enabled. Failure to do this may lead to situations where the Cisco ISE administrator is locked out of critical functionality in the Admin Portal.
Step 6 Choose Administration > System > Certificates > Certificate Store to import certificate authority certificates into the Cisco ISE certificate trust store.
Cisco ISE does not accept a client certificate unless the CA certificates in the client certificate’s trust chain are placed in the Cisco ISE Certificate Store. You must import the appropriate CA certificates into the Cisco ISE Certificate Store.
a) Click Browse to choose the certificate.
b) Check the Trust for client authentication check box.
c) Click Submit.
Cisco ISE prompts you to restart all the nodes in the deployment after you import a certificate. You can defer the restart until you import all the certificates. However, after importing all the certificates, you must restart Cisco ISE before you proceed.
Step 7 Configure the certificate authority certificates for revocation status verification.
a) Choose Administration > System > Certificates > OCSP Services.
b) Enter the name of an OCSP server, an optional description, and the URL of the server.
c) Choose Administration > System > Certificates > Certificate Store.
d) For each CA certificate that can sign a client certificate, specify how to do the revocation status check for that CA. Choose a CA certificate from the list and click Edit. On the edit page, choose OCSP and/or CRL validation. If you choose OCSP, choose an OCSP service to use for that CA. If you choose CRL, specify the CRL Distribution URL and other configuration parameters.
Step 8 Enable client certificate-based authentication. Choose Administration > System > Admin Access > Authentication.
a) Choose Client Certificate Based authentication type on the Authentication Method tab.
b) Choose the certificate authentication profile that you configured earlier.
c) Select the Active Directory instance name.
d) Click Save.
Here, you switch from password-based authentication to client certificate-based authentication. The certificate authentication profile that you configured earlier determines how the administrator’s certificate is authenticated. The administrator is authorized using the external identity source, which in this example is Active Directory.
The Principal Name attribute from the certificate authentication profile is used to look up the administrator in Active Directory.

You have now configured Cisco ISE for administrator CAC authentication.

Supported Common Access Card Standards

Cisco ISE supports U.S. government users who authenticate themselves using Common Access Card (CAC) authentication devices. A CAC is an identification badge with an electronic chip containing a set of X.509 client certificates that identify a particular employee. Access via the CAC requires a card reader into which you insert the card and enter a PIN. The certificates from the card are then transferred into the Windows certificate store, where they are available to applications such as the local browser running Cisco ISE.

Windows Internet Explorer Version 8 and 9 users running the Windows 7 operating system must install the ActiveIdentity ActivClient Version 6.2.0.133 third-party middleware software product for Cisco ISE to interoperate with CAC. For more information on ActiveIdentity security client products, refer to ActivID ActivClient Security Software Datasheet.

Common Access Card Operation in Cisco ISE

The Admin portal can be configured so that your authentication with Cisco ISE is permitted only by using a client certificate. Credentials-based authentication—such as providing a user ID and password—is not permitted. In client certificate authentication, you insert a Common Access Card (CAC) card, enter a PIN and then enter the Cisco ISE Admin portal URL into the browser address field. The browser forwards the certificate to Cisco ISE, and Cisco ISE authenticates and authorizes your login session, based on the contents of the certificate. If this process is successful, you are presented with the Cisco ISE Monitoring and Troubleshooting home page and given the appropriate RBAC permissions.
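
Step 2 of the CAC procedure above selects "Subject Alternative Name - Other Name" as the attribute that carries the Principal Name. This added Python example, which is not Cisco's code, decodes a SubjectAltName extension value and returns the User Principal Name stored as an otherName (OID 1.3.6.1.4.1.311.20.2.3, the Microsoft UPN type, which the guide does not spell out). The sample bytes and names are constructed, the input is assumed to be the extension value rather than a whole certificate, and requiring exactly one UPN is a choice made in this example.

```python
UPN_OID = bytes.fromhex("2b060104018237140203")  # DER body of 1.3.6.1.4.1.311.20.2.3


def read_tlv(buf, pos):
    """Decode one DER element at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        count = length & 0x7F
        if not 1 <= count <= 4 or pos + count > len(buf):
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length


def upns_in_san(san_der):
    """List every UPN carried as an otherName in a SubjectAltName value."""
    tag, names, _ = read_tlv(san_der, 0)
    if tag != 0x30:
        raise ValueError("SubjectAltName must be a SEQUENCE")
    found, pos = [], 0
    while pos < len(names):
        tag, body, pos = read_tlv(names, pos)
        if tag != 0xA0:  # [0] otherName; rfc822Name is 0x81, dNSName is 0x82
            continue
        oid_tag, oid, after_oid = read_tlv(body, 0)
        if oid_tag != 0x06 or oid != UPN_OID:
            continue  # some other otherName type, not a UPN
        wrap_tag, wrapped, _ = read_tlv(body, after_oid)
        str_tag, text, _ = read_tlv(wrapped, 0)
        if wrap_tag != 0xA0 or str_tag != 0x0C:
            raise ValueError("UPN otherName is not [0] EXPLICIT UTF8String")
        found.append(text.decode("utf-8"))
    return found


def principal_for_lookup(san_der):
    """Return the single UPN to search the directory for, or refuse."""
    upns = upns_in_san(san_der)
    if len(upns) != 1:
        raise ValueError(f"expected exactly one UPN, found {len(upns)}")
    return upns[0]


def der(tag, content):
    """Encode a short-form DER element (content under 128 bytes)."""
    if len(content) > 127:
        raise ValueError("sample helper only handles short-form lengths")
    return bytes([tag, len(content)]) + content


# Constructed samples (made-up names): an rfc822Name plus a UPN otherName,
# and a SAN that has only the rfc822Name.
SAMPLE_SAN = der(0x30, der(0x81, b"jdoe@example.test") + der(
    0xA0, der(0x06, UPN_OID) + der(0xA0, der(0x0C, b"1234567890@example.test"))))
SAN_WITHOUT_UPN = der(0x30, der(0x81, b"jdoe@example.test"))
```

A certificate whose SAN holds only an e-mail address yields no Principal Name at all, which is the case to check for when an administrator's certificate fails the directory lookup.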

Securing SSH Key Exchange Using Diffie-Hellman Algorithm

You can configure Cisco ISE to only allow Diffie-Hellman-Group14-SHA1 SSH key exchanges. To do this, you must enter the following commands from the Cisco ISE Command-Line Interface (CLI) Configuration Mode:

    service sshd key-exchange-algorithm diffie-hellman-group14-sha1

Here’s an example:

    ise/admin# conf t
    ise/admin(config)# service sshd key-exchange-algorithm diffie-hellman-group14-sha1

Configure Cisco ISE to Send Secure Syslog

To configure Cisco ISE to send only TLS-protected secure syslog between the Cisco ISE nodes and to the Monitoring nodes, you must perform the following tasks:

Before You Begin
• Ensure that all the Cisco ISE nodes in your deployment are configured with appropriate server certificates.
• Ensure that the default network access authentication policy does not allow any version of the SSL protocol.
• Ensure that all the nodes in your deployment are registered with the Primary PAN. Also, ensure that at least one node in your deployment has the Monitoring persona enabled to function as the secure syslog receiver (TLS server).

Procedure
Step 1 Configure secure syslog remote logging target.
Step 2 Enable Logging Categories to send auditable events to the secure syslog remote logging target.
Step 3 Disable TCP Syslog and UDP syslog collectors. Only TLS-protected syslog collectors should be enabled.

Configure Secure Syslog Remote Logging Target

Cisco ISE system logs are collected and stored by log collectors for various purposes. You must choose the Cisco ISE Monitoring node as your log collector for configuring a secure syslog target.
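
For the SSH key-exchange restriction in "Securing SSH Key Exchange Using Diffie-Hellman Algorithm" earlier on this page, the setting can be confirmed from the network side by reading the kex_algorithms list in the server's SSH_MSG_KEXINIT message (RFC 4253, section 7.1). This added example is not from the Cisco guide; it parses the KEXINIT payload (packet length and padding already stripped), and both payloads are constructed for illustration rather than captured from an ISE node.

```python
import struct

SSH_MSG_KEXINIT = 20
ALLOWED_KEX = {"diffie-hellman-group14-sha1"}  # the only value the guide permits


def name_list(names):
    """Encode an RFC 4251 name-list: uint32 length + comma-separated names."""
    data = ",".join(names).encode("ascii")
    return struct.pack(">I", len(data)) + data


def build_kexinit(kex_algorithms):
    """Build a constructed KEXINIT payload; only the kex list varies."""
    others = [["ssh-rsa"], ["aes256-ctr"], ["aes256-ctr"], ["hmac-sha1"],
              ["hmac-sha1"], ["none"], ["none"], [], []]
    body = b"".join(name_list(n) for n in [kex_algorithms] + others)
    # type byte, 16-byte cookie (zeroed here), ten name-lists,
    # first_kex_packet_follows = FALSE, reserved uint32 = 0
    return bytes([SSH_MSG_KEXINIT]) + bytes(16) + body + b"\x00" + struct.pack(">I", 0)


def parse_kex_algorithms(payload):
    """Return the kex_algorithms name-list from a KEXINIT payload."""
    if len(payload) < 21 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    (length,) = struct.unpack_from(">I", payload, 17)  # skip type + cookie
    if 21 + length > len(payload):
        raise ValueError("truncated kex_algorithms name-list")
    raw = payload[21:21 + length].decode("ascii")
    return raw.split(",") if raw else []


def audit_kex(payload, allowed=ALLOWED_KEX):
    """Compare what the server offers with the permitted key-exchange set."""
    offered = parse_kex_algorithms(payload)
    unexpected = sorted(set(offered) - set(allowed))
    missing = sorted(set(allowed) - set(offered))
    return {"offered": offered, "unexpected": unexpected, "missing": missing,
            "compliant": not unexpected and not missing}


# Constructed payloads: one as expected after the restriction is applied,
# one offering additional key-exchange methods.
HARDENED_PAYLOAD = build_kexinit(["diffie-hellman-group14-sha1"])
UNRESTRICTED_PAYLOAD = build_kexinit([
    "diffie-hellman-group-exchange-sha256",
    "diffie-hellman-group14-sha1",
    "diffie-hellman-group1-sha1",
])

if __name__ == "__main__":
    for label, payload in (("hardened", HARDENED_PAYLOAD),
                           ("unrestricted", UNRESTRICTED_PAYLOAD)):
        print(label, audit_kex(payload))
```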