Cisco Ise 13 User Guide
Admin Group Role | Access Level | Permissions | Restrictions
--- | --- | --- | ---
External RESTful Services (ERS) Operator | Read-only access to ERS API, only GET | Can only read ERS API requests | The role is meant only for ERS authorization supporting Internal Users, Identity Groups, Endpoints, Endpoint Groups, and SGT

Related Topics
Cisco ISE Administrators, on page 97

Create Admin Groups

The Admin Groups page allows you to view, create, modify, delete, duplicate, or filter Cisco ISE network admin groups.

Before You Begin

To configure an external administrator group type, you must have already specified one or more external identity stores.

Procedure

Step 1 Choose Administration > System > Admin Access > Administrators > Admin Groups.
Step 2 Click Add, and enter a Name and Description. Supported special characters for the name field are: space, # $ & ' ( ) * + - . / @ _.
Step 3 Specify the Type of administrator group you are configuring:
  • Internal: Administrators assigned to this group type will authenticate against the credentials that are stored in the Cisco ISE internal database.
  • External: Administrators that you assign to this group will authenticate against the credentials that are contained in the external identity store that you specify in the attribute selector. After choosing External, specify the identity store from which Cisco ISE should import the external group information.
Step 4 Click Add to add users to the Admin Group Users table. From the Users list, select the users to be added to the admin group.
Step 5 To delete users from the Admin Group Users table, check the check box corresponding to the user that you want to delete, and click Remove.
Step 6 Click Submit to save any changes made to the admin group that you created in the Cisco ISE database.

Cisco Identity Services Engine Administrator Guide, Release 1.3 105 Cisco ISE Administrator Groups
Note: If an internal user is configured with an external identity store for authentication, the internal user must select the external identity store as the Identity Source while logging in to the ISE Admin portal. Authentication will fail if Internal Identity Source is selected.

Administrative Access to Cisco ISE

Cisco ISE administrators can perform various administrative tasks based on the administrative group to which they belong. These administrative tasks are critical and you must ensure that administrative access is restricted to users who are authorized to administer Cisco ISE in your network.

Cisco ISE allows you to control administrative access to its web interface through the following options:

Role-Based Access Control in Cisco ISE

Role-based access control policies (known as admin access) are access control policies that you define to provide limited access to the Cisco ISE administrative interface. These admin access policies allow you to customize the amount and type of access on a per-administrator or per-admin-group basis using specified role-based access permission settings that apply to an individual admin user or an admin group.

Role-based access determines what each entity can access, which is controlled with an access control policy. Role-based access also determines the administrative role that is in use, the admin group to which the entity belongs, and the corresponding permissions and settings that are applied based upon the role of the entity.

Role-Based Permissions

Cisco ISE allows you to configure permissions at the menu and data levels, called the menu access and data access permissions.

The menu access permissions allow you to show or hide the menu items of the Cisco ISE administrative interface. This feature lets you create permissions so that you can restrict or enable access at the menu level.

The data access permissions allow you to grant read/write or no access to the following data in the Cisco ISE interface: Admin Groups, User Identity Groups, Endpoint Identity Groups, Locations, and Device Types.
RBAC Policies

RBAC policies determine if an administrator can be granted a specific type of access to a menu item or other identity group data elements. You can grant or deny access to a menu item or identity group data element to an administrator based on the admin group by using RBAC policies. When administrators log in to the Admin portal, they can access menus and data that are based on the policies and permissions defined for the admin groups with which they are associated.

RBAC policies map admin groups to menu access and data access permissions. For example, you can prevent a network administrator from viewing the Admin Access operations menu and the policy data elements. This can be achieved by creating a custom RBAC policy for the admin group with which the network administrator is associated.
Default Menu Access Permissions

Cisco ISE provides an out-of-the-box set of permissions that are associated with a set of predefined admin groups. Having predefined admin group permissions allows you to set permissions so that a member of any admin group can have full or limited access to the menu items within the administrative interface (known as menu access) and to delegate an admin group to use the data access elements of other admin groups (known as data access). These permissions are reusable entities that can be further used to formulate RBAC policies for various admin groups. Cisco ISE provides a set of system-defined menu access permissions that are already used in the default RBAC policies. The following table lists the default menu access permissions. Apart from the predefined menu access permissions, Cisco ISE also allows you to create custom menu access permissions that you can use in RBAC policies.

Table 5: Default Menu Access Permissions

Menu Access Name | RBAC Group | Permissible Set of Menu Items
--- | --- | ---
Super Admin Menu Access | Super Admin | Operations > All menu items; Policy > All menu items; Administration > All menu items
Policy Admin Menu Access | Policy Admin | Operations > All menu items; Policy > All menu items; Administration > Identity Management > All menu items; System > Settings
Helpdesk Admin Menu Access | Helpdesk Admin | Operations > All menu items
Identity Admin Menu Access | Identity Admin | Operations > All menu items; Administration > Identity Management > All menu items
Network Device Menu Access | Network Device Admin | Operations > All menu items; Administration > Network Resources > All menu items
System Admin Menu Access | System Admin | Operations > Authentications, Alarms, Reports, and Troubleshoot; Administration > System > All menu items
RBAC Admin Menu Access | RBAC Admin | Operations > All menu items except Endpoint Protection Services; Administration > Admin Access > All menu items
MnT Admin Menu Access | MnT Admin | Operations > All menu items
Note: For the Super Admin user, all the menu items are available. For other admin users, all the menu items in this column are available for a standalone deployment and for the primary node in a distributed deployment. For a secondary node in a distributed deployment, the menu items under the Administration tab are not available.

Configure Menu Access Permissions

Cisco ISE allows you to create custom menu access permissions that you can map to an RBAC policy. Depending on the role of the administrators, you can allow them to access only specific menu options.

Procedure

Step 1 Choose Administration > System > Admin Access > Authorization > Permissions > Menu Access.
Step 2 Click Add, and enter values for the Name and Description fields.
  a) Click to expand the menu item up to the desired level, and click the menu item(s) on which you want to create permissions.
  b) In the Permissions for Menu Access area, click Show.
Step 3 Click Submit.

Default Data Access Permissions

Cisco ISE comes with a set of predefined data access permissions. The data access permissions enable multiple administrators to have the data access permissions within the same user population. You can enable or restrict the use of data access permissions to one or more admin groups. This process allows autonomous delegated control to administrators of one admin group to reuse data access permissions of the chosen admin groups through selective association. Data access permissions range from full access to no access for viewing selected admin groups or the network device groups. The following table lists the default data access permissions.

RBAC policies are defined based on the administrator (RBAC) group, menu access, and data access permissions. You first create menu access and data access permissions and then create an RBAC policy that associates an admin group with the corresponding menu access and data access permissions. The RBAC policy takes the form: If admin_group=SuperAdmin then assign SuperAdmin Menu Access permission + SuperAdmin Data Access permission. Apart from the predefined data access permissions, Cisco ISE also allows you to create custom data access permissions that you can associate with an RBAC policy.
Table 6: Default Data Access Permissions

Data Access Name | RBAC Group | Permissible Admin Groups | Permissible Network Device Groups
--- | --- | --- | ---
Super Admin Data Access | Super Admin | Admin Groups, User Identity Groups, Endpoint Identity Groups | All Locations, All Device Types
Policy Admin Data Access | Policy Admin | User Identity Groups, Endpoint Identity Groups | None
Identity Admin Data Access | Identity Admin | User Identity Groups, Endpoint Identity Groups | None
Network Admin Data Access | Network Device Admin | None | All Locations, All Device Types
System Admin Data Access | System Admin | Admin Groups | None
RBAC Admin Data Access | RBAC Admin | Admin Groups | None

Configure Data Access Permissions

Cisco ISE allows you to create custom data access permissions that you can map to an RBAC policy. Based on the role of the administrator, you can choose to provide them access only to select data.

Procedure

Step 1 Choose Administration > System > Admin Access > Authorization > Permissions.
Step 2 Choose Permissions > Data Access.
Step 3 Click Add, and enter values for the Name and Description fields.
  a) Click to expand the admin group and select the desired admin group.
  b) Click Full Access.
Step 4 Click Save.

Configure Admin Access Policies

An Admin Access (RBAC) policy is represented in an if-then format, where "if" is the RBAC Admin Group value and "then" is the RBAC Permissions value.

The RBAC policies page (Administration > System > Admin Access > Authorization > Policy) contains a list of default policies. You cannot edit or delete these default policies. The RBAC policies page also allows you to create custom RBAC policies for an admin group specifically for your workplace, and apply them to personalized admin groups.

When you assign limited menu access, make sure that the data access permissions allow the administrator to access the data that is required to use the specified menus. For example, if you give menu access to the My Devices portal, but do not allow data access to Endpoint Identity Groups, then that administrator cannot modify the portal.
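The if-then form of an RBAC policy and the menu/data mismatch described above, modelled in Python as an added example (not Cisco code and not part of this guide): a rule maps one RBAC group to exactly one menu access and one data access permission, and policy_gaps flags menu items a rule exposes without the data element they need. The permission contents are a subset of Tables 5 and 6; the menu-to-data dependency table, the union of permissions across several groups, and the Portal Admin rule are assumptions.

```python
"""Toy model of the Cisco ISE admin-access (RBAC) rules in this chapter.
Added example, not Cisco code. Permission contents are a subset of Tables 5
and 6; the menu-to-data dependency table is an assumption (see below)."""
from dataclasses import dataclass

@dataclass(frozen=True)
class MenuAccess:
    name: str
    menus: frozenset      # menu items this permission shows

@dataclass(frozen=True)
class DataAccess:
    name: str
    elements: frozenset   # admin/identity groups and NDGs with full access

@dataclass(frozen=True)
class RbacPolicy:
    rule_name: str
    rbac_group: str       # the "if" part
    menu: MenuAccess      # the "then" part: exactly one menu access ...
    data: DataAccess      # ... plus exactly one data access permission
# Default permissions (subset). A "None" data access is an empty set.
SUPER_MENU = MenuAccess("Super Admin Menu Access",
                        frozenset({"Operations", "Policy", "Administration"}))
SUPER_DATA = DataAccess("Super Admin Data Access",
                        frozenset({"Admin Groups", "User Identity Groups",
                                   "Endpoint Identity Groups",
                                   "All Locations", "All Device Types"}))
HELPDESK_MENU = MenuAccess("Helpdesk Admin Menu Access", frozenset({"Operations"}))
NO_DATA = DataAccess("None", frozenset())
DEFAULT_POLICIES = (
    RbacPolicy("Super Admin Policy", "Super Admin", SUPER_MENU, SUPER_DATA),
    RbacPolicy("Helpdesk Admin Policy", "Helpdesk Admin", HELPDESK_MENU, NO_DATA),
)

def effective_access(admin_groups, policies=DEFAULT_POLICIES):
    """Union of menu and data access over every rule whose RBAC group the
    administrator belongs to (the union across groups is an assumption)."""
    menus, data = set(), set()
    for rule in policies:
        if rule.rbac_group in admin_groups:
            menus |= rule.menu.menus
            data |= rule.data.elements
    return frozenset(menus), frozenset(data)

# Menu items unusable without a data element; the entry is the chapter's own
# example, the table itself is an assumption.
MENU_DATA_DEPENDENCIES = {"My Devices Portal": "Endpoint Identity Groups"}

def policy_gaps(rule):
    """Menu items the rule exposes whose required data element its data
    access permission does not grant (the mismatch the chapter warns about)."""
    return sorted(m for m, needed in MENU_DATA_DEPENDENCIES.items()
                  if m in rule.menu.menus and needed not in rule.data.elements)

# Constructed custom rule: menu access to the portal, but no data access.
PORTAL_MENU = MenuAccess("Portal Menu Access",
                         frozenset({"Operations", "My Devices Portal"}))
PORTAL_POLICY = RbacPolicy("Portal Admin Policy", "Portal Admin", PORTAL_MENU, NO_DATA)
```

Running policy_gaps over every custom rule before you click Save is the programmatic form of the check in the paragraph above.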
Before You Begin

  • Ensure that you have created all admin groups for which you want to define the RBAC policies.
  • Ensure that these admin groups are mapped to the individual admin users.
  • Ensure that you have configured the RBAC permissions, such as menu access and data access permissions.

Procedure

Step 1 Choose Administration > System > Admin Access > Authorization > Policy.
The RBAC Policies page contains a set of ready-to-use predefined policies for default admin groups. You cannot edit or delete these default policies.
Step 2 Click Actions next to any of the default RBAC policy rules.
Here, you can insert new RBAC policies, duplicate an existing RBAC policy, and delete an existing RBAC policy.
Step 3 Click Insert new policy.
Step 4 Enter values for the Rule Name, RBAC Group(s), and Permissions fields.
You cannot select multiple menu access and data access permissions when creating an RBAC policy.
Step 5 Click Save.

Administrator Access Settings

Cisco ISE allows you to define some rules for administrator accounts to enhance security. You can restrict access to the management interfaces, force administrators to use strong passwords, regularly change their passwords, and so on. The password policy that you define under the Administrator Account Settings in Cisco ISE applies to all administrator accounts.

Cisco ISE does not support administrator passwords with UTF-8 characters.

Configure the Maximum Number of Concurrent Administrative Sessions and Login Banners

You can configure the maximum number of concurrent administrative GUI or CLI (SSH) sessions and login banners that help and guide administrators who access your administrative web or CLI interface. You can configure login banners that appear before and after an administrator logs in. By default, these login banners are disabled.

Before You Begin

To perform the following task, you must be a Super Admin or System Admin.
Procedure

Step 1 Choose Administration > System > Admin Access > Settings > Access > Session.
Step 2 Enter the maximum number of concurrent administrative sessions that you want to allow through the GUI and CLI interfaces. The valid range for concurrent administrative GUI sessions is from 1 to 20. The valid range for concurrent administrative CLI sessions is 1 to 10.
Step 3 If you want Cisco ISE to display a message before an administrator logs in, check the Pre-login banner check box and enter your message in the text box.
Step 4 If you want Cisco ISE to display a message after an administrator logs in, check the Post-login banner check box and enter your message in the text box.
Step 5 Click Save.

Related Topics
Allow Administrative Access to Cisco ISE from Select IP Addresses, on page 111

Allow Administrative Access to Cisco ISE from Select IP Addresses

Cisco ISE allows you to configure a list of IP addresses from which administrators can access the Cisco ISE management interfaces.

The administrator access control settings are only applicable for Cisco ISE nodes that assume the Administration, Policy Service, or Monitoring personas. These restrictions are replicated from the primary to the secondary nodes. These restrictions are not applicable for the Inline Posture nodes.

Before You Begin

To perform the following task, you must be a Super Admin or System Admin.

Procedure

Step 1 Choose Administration > System > Admin Access > Settings > Access > IP Access.
Step 2 Select Allow only listed IP addresses to connect.
Step 3 From the Configure IP List for Access Restriction area, click Add.
Step 4 Enter IP addresses in the classless interdomain routing (CIDR) format in the IP address field.
Step 5 Enter the subnet mask in the Netmask in CIDR format field.
Step 6 Click OK. Repeat the process to add more IP address ranges to this list.
Step 7 Click Save to save the changes.

Configure a Password Policy for Administrator Accounts

Cisco ISE also allows you to create a password policy for administrator accounts to enhance security. You can define whether you want a password-based or client-certificate-based administrator authentication. The password policy that you define here is applied to all administrator accounts in Cisco ISE.
Note: Cisco ISE does not support administrator passwords with UTF-8 characters.

Before You Begin

  • To perform the following task, you must be a Super Admin or System Admin.

Procedure

Step 1 Choose Administration > System > Admin Access > Authentication.
Step 2 Select either of these authentication methods:
  • Password Based: If you want to use the standard user ID and password credentials for an administrator login, choose the Password Based option and specify either the "Internal" or "External" authentication type.
    Note: If you have configured an external identity source such as LDAP and want to use that as your authentication source to grant access to the admin user, you must select that particular identity source from the Identity Source list box.
  • Client Certificate Based: If you want to specify a certificate-based policy, choose the Client Certificate Based option, and select an existing Certificate Authentication Profile.
Step 3 Click the Password Policy tab and enter the values.
Step 4 Click Save to save the administrator password policy.

Note: If you are using an external identity store to authenticate administrators at login, remember that even if this setting is configured for the password policy applied to the administrator profile, the external identity store will still validate the administrator's username and password.

Related Topics
Administrator Password Policy Settings, on page 711
Configure Account Disable Policy for Administrator Accounts

Configure Session Timeout for Administrators

Cisco ISE allows you to determine the length of time an administration GUI session can be inactive and still remain connected. You can specify a time in minutes after which Cisco ISE logs out the administrator. After a session timeout, the administrator must log in again to access the Cisco ISE Admin portal.

Before You Begin

To perform the following task, you must be a Super Admin or System Admin.
Procedure

Step 1 Choose Administration > System > Admin Access > Settings > Session > Session Timeout.
Step 2 Enter the time in minutes that you want Cisco ISE to wait before it logs out the administrator if there is no activity. The default value is 60 minutes. The valid range is from 6 to 100 minutes.
Step 3 Click Save.

Terminate an Active Administrative Session

Cisco ISE displays all active administrative sessions, from which you can select any session and terminate it at any point of time, if a need to do so arises. The maximum number of concurrent administrative GUI sessions is 20. If the maximum number of GUI sessions is reached, an administrator who belongs to the Super Admin group can log in and terminate some of the sessions.

Before You Begin

To perform the following task, you must be a Super Admin.

Procedure

Step 1 Choose Administration > System > Admin Access > Settings > Session > Session Info.
Step 2 Check the check box next to the session ID that you want to terminate and click Invalidate.

Change Administrator Name

Cisco ISE allows you to change your username from the GUI.

Before You Begin

To perform the following task, you must be a Super Admin or System Admin.

Procedure

Step 1 Log in to the Admin portal.
Step 2 Click your username that appears as a link at the upper right corner of the Cisco ISE UI.
Step 3 Enter the new username in the Admin User page that appears.
Step 4 Edit any other details about your account that you want to change.
Step 5 Click Save.
Administrative Access to Cisco ISE Using an External Identity Store

In Cisco ISE, you can authenticate administrators via an external identity store such as Active Directory, LDAP, or RSA SecurID. There are two models you can use to provide authentication via an external identity store:

  • External Authentication and Authorization: There are no credentials that are specified in the local Cisco ISE database for the administrator, and authorization is based on external identity store group membership only. This model is used for Active Directory and LDAP authentication.
  • External Authentication and Internal Authorization: The administrator's authentication credentials come from the external identity source, and authorization and administrator role assignment take place using the local Cisco ISE database. This model is used for RSA SecurID authentication. This method requires you to configure the same username in both the external identity store and the local Cisco ISE database.

During the authentication process, Cisco ISE is designed to "fall back" and attempt to perform authentication from the internal identity database if communication with the external identity store has not been established or if it fails. In addition, whenever an administrator for whom you have set up external authentication launches a browser and initiates a login session, the administrator still has the option to request authentication via the Cisco ISE local database by choosing "Internal" from the Identity Store drop-down selector in the login dialog.

Note: You can configure this method of providing external administrator authentication only via the Admin portal. The Cisco ISE Command Line Interface (CLI) does not feature these functions.

If your network does not already have one or more existing external identity stores, ensure that you have installed the necessary external identity stores and configured Cisco ISE to access those identity stores.
External Authentication and Authorization

By default, Cisco ISE provides internal administrator authentication. To set up external authentication, you must create a password policy for the external administrator accounts that you define in the external identity stores. You can then apply this policy to the external administrator groups that eventually become a part of the external administrator RBAC policy.

In addition to providing authentication via an external identity store, your network may also require you to use a Common Access Card (CAC) authentication device.

To configure external authentication, you must:

  • Configure password-based authentication using an external identity store.
  • Create an external administrator group.
  • Configure menu access and data access permissions for the external administrator group.
  • Create an RBAC policy for external administrator authentication.

External Authentication Process Flow

When the administrator logs in, the login session passes through the following steps in the process: