Cisco ISE 1.3 User Guide
1 The administrator sends an RSA SecurID challenge.
2 RSA SecurID returns a challenge response.
3 The administrator enters a username and the RSA SecurID challenge response in the Cisco ISE login dialog, as if entering the user ID and password.
4 The administrator ensures that the specified Identity Store is the external RSA SecurID resource.
5 The administrator clicks Login.

Upon logging in, the administrator sees only the menu and data access items that are specified in the RBAC policy.

Configure a Password-Based Authentication Using an External Identity Store

You must first configure password-based authentication for administrators who authenticate using an external identity store such as Active Directory or LDAP.

Procedure

Step 1 Choose Administration > System > Admin Access > Authentication.
Step 2 On the Authentication Method tab, select Password Based and choose one of the external identity sources you should have already configured. For example, the Active Directory instance that you have created.
Step 3 Configure any other specific password policy settings that you want for administrators who authenticate using an external identity store.
Step 4 Click Save.

Create an External Administrator Group

You will need to create an external Active Directory or LDAP administrator group. This ensures that Cisco ISE uses the username that is defined in the external Active Directory or LDAP identity store to validate the administrator username and password that you entered upon login.

Cisco ISE imports the Active Directory or LDAP group information from the external resource and stores it as a dictionary attribute. You can then specify that attribute as one of the policy elements when it is time to configure the RBAC policy for this external administrator authentication method.

Procedure

Step 1 Choose Administration > System > Admin Access > Administrators > Admin Groups.
Step 2 Click Add.
Step 3 Enter a name and optional description.
Step 4 Choose the External radio button.
If you have connected and joined to an Active Directory domain, your Active Directory instance name appears in the Name field.

Cisco Identity Services Engine Administrator Guide, Release 1.3 (page 115, Administrative Access to Cisco ISE)
Step 5 From the External Groups drop-down list box, choose the Active Directory group that you want to map for this external administrator group.
Click the "+" sign to map additional Active Directory groups to this external administrator group.
Step 6 Click Save.

Configure Menu Access and Data Access Permissions for the External Administrator Group

You must configure menu access and data access permissions that can be assigned to the external administrator group.

Procedure

Step 1 Choose Administration > System > Admin Access > Permissions.
Step 2 Click one of the following:
• Menu Access: All administrators who belong to the external administrator group can be granted permission at the menu or submenu level. The menu access permission determines the menus or submenus that they can access.
• Data Access: All administrators who belong to the external administrator group can be granted permission at the data level. The data access permission determines the data that they can access.
Step 3 Specify menu access or data access permissions for the external administrator group.
Step 4 Click Save.

Create an RBAC Policy for External Administrator Authentication

In order to configure Cisco ISE to authenticate the administrator using an external identity store and to specify custom menu and data access permissions at the same time, you must configure a new RBAC policy. This policy must have the external administrator group for authentication and the Cisco ISE menu and data access permissions to manage the external authentication and authorization.

Note
You cannot modify an existing (system-preset) RBAC policy to specify these new external attributes. If you have an existing policy that you would like to use as a "template," be sure to duplicate that policy, rename it, and then assign the new attributes.

Procedure

Step 1 Choose Administration > System > Admin Access > Authorization > Policy.
Step 2 Specify the rule name, external administrator group, and permissions.
Remember that the appropriate external administrator group must be assigned to the correct administrator user IDs. Ensure that the administrator in question is associated with the correct external administrator group.
Step 3 Click Save.
If you log in as an administrator, and the Cisco ISE RBAC policy is not able to authenticate your administrator identity, Cisco ISE displays an "unauthenticated" message, and you cannot access the Admin portal.

Configure Admin Access Using an External Identity Store for Authentication with Internal Authorization

This method requires you to configure the same username in both the external identity store and the local Cisco ISE database. When you configure Cisco ISE to provide administrator authentication using an external RSA SecurID identity store, administrator credential authentication is performed by the RSA identity store. However, authorization (policy application) is still done according to the Cisco ISE internal database. In addition, there are two important factors to remember that are different from external authentication and authorization:
• You do not need to specify any particular external administrator groups for the administrator.
• You must configure the same username in both the external identity store and the local Cisco ISE database.

Procedure

Step 1 Choose Administration > System > Admin Access > Administrators > Admin Users.
Step 2 Ensure that the administrator username in the external RSA identity store is also present in Cisco ISE. Ensure that you click the External option under Password.
Note
You do not need to specify a password for this external administrator user ID, nor are you required to apply any specially configured external administrator group to the associated RBAC policy.
Step 3 Click Save.
CHAPTER 7
Cisco ISE Licenses

This chapter describes the licensing mechanism and schemes that are available for Cisco ISE and how to add and upgrade licenses.
• Cisco ISE Licenses, page 119
• License Consumption, page 121
• Manage License Files, page 123

Cisco ISE Licenses

Cisco ISE licensing provides the ability to manage the application features and access, such as the number of concurrent endpoints that can use Cisco ISE network resources.

To maximize economy for customers, licensing in Cisco ISE is supplied in different packages as Base, Plus, Apex, and Mobility Upgrade.

All Cisco ISE appliances are supplied with a 90-day Evaluation license. To continue to use Cisco ISE services after the 90-day Evaluation license expires, and to support more than 100 concurrent endpoints on the network, you must obtain and register Base licenses for the number of concurrent users on your system. If you require additional functionality, you will need Plus and/or Apex licenses to enable that functionality.

Licenses are uploaded to the Primary PAN and propagated to the other Cisco ISE nodes in the cluster. Licenses are centrally managed by the PAN. If you have two PANs deployed in a high-availability pair, obtain a license based on the hardware IDs (UIDs) of both the Primary and Secondary PANs. After you obtain the license, add it only to the Primary PAN. The license gets replicated to the Secondary PAN.

After you install the Cisco ISE software and initially configure the appliance as the Primary PAN, you must obtain a license for Cisco ISE and then register that license. You register all licenses to the Cisco ISE Primary PAN via the Primary and Secondary PAN hardware UID. The Primary PAN then centrally manages all the licenses that are registered for your deployment.

Cisco recommends installing both Base and Plus or Apex licenses at the same time.
• Using a Plus or Apex license requires also using a Base license. However, you do not need a Plus license in order to have an Apex license or vice versa, since there is no overlap in their functionality.
• When you install a Base or Mobility Upgrade license, Cisco ISE continues to use the default Evaluation license as a separate license for the remainder of its duration.
• You cannot upgrade the Evaluation license to a Plus and/or Apex license without first installing the Base license.
• Cisco ISE allows you to use more Plus and/or Apex licenses on the system than Base licenses. For example, you can have 100 Base licenses and Plus licenses.
• When you install a Mobility Upgrade license, Cisco ISE enables all Wired, Wireless, and VPN services.

Table 7: Cisco ISE License Packages

ISE License Package: Base
Perpetual/Subscription (Terms Available): Perpetual
ISE Functionality Covered: Basic network access (AAA, IEEE 802.1X); Guest management; Link encryption (MACSec); TrustSec; ISE Application Programming Interfaces

ISE License Package: Plus
Perpetual/Subscription (Terms Available): Subscription (1, 3, or 5 years)
ISE Functionality Covered: Bring Your Own Device (BYOD); Profiling and Feed Services; Endpoint Protection Service (EPS); Cisco pxGrid; MSE integration for location services
Notes: Does not include Base services; a Base license is required to install the Plus license.

ISE License Package: Apex
Perpetual/Subscription (Terms Available): Subscription (1, 3, or 5 years)
ISE Functionality Covered: Third Party Mobile Device Management (MDM); Posture Compliance
Notes: Does not include Base services; a Base license is required to install the Apex license.

ISE License Package: Mobility
Perpetual/Subscription (Terms Available): Subscription (1, 3, or 5 years)
ISE Functionality Covered: Combination of Base, Plus, and Apex for wireless and VPN endpoints
Notes: Cannot coexist on a Cisco PAN with Base, Plus, or Apex licenses.
ISE License Package: Mobility Upgrade
Perpetual/Subscription (Terms Available): Subscription (1, 3, or 5 years)
ISE Functionality Covered: Provides wired support to the Mobility license
Notes: You can only install a Mobility Upgrade license on top of an existing Mobility license.

ISE License Package: Evaluation
Perpetual/Subscription (Terms Available): Temporary (90 days)
ISE Functionality Covered: Full Cisco ISE functionality is provided for 100 endpoints.
Notes: All Cisco ISE appliances are supplied with an Evaluation license.

License Consumption

You purchase licenses for the number of concurrent users on the system. A Cisco ISE user consumes a license during an active session (always a Base; and a Plus and an Apex license, if you use the functionality covered by these licenses). Once the session ends, the license is released for reuse by other users.

Cisco ISE license architecture consumption logic relies on authorization policy constructs. Cisco ISE uses the dictionaries and attributes within authorization rules to determine the license to use.

Restriction
The Cisco ISE license is counted as follows:
• A Base license is consumed for every active session. The same endpoint also consumes Plus and Apex licenses depending on the features that it is using.
• The endpoint consumes the Base license before it consumes a Plus and Apex license.
• The endpoint consumes the Plus license before it consumes an Apex license.
• One Plus license is consumed per endpoint for any assortment of the license's features. Likewise, one Apex license is consumed per endpoint for any assortment of its features.
• Licenses are counted against concurrent, active sessions.
• Licenses are released for all features when the endpoint's session ends.
• pxGrid is used to share context collected by ISE with other products. A Plus license is required to enable pxGrid functionality. There is no session count decrement when context for a session is shared. However, to use pxGrid, the number of Plus sessions licensed must be equal to the number of Base sessions licensed. For more information, see the Cisco ISE Licenses and Services section in the Cisco Identity Services Engine Ordering Guide.
• One AnyConnect Apex user license is consumed by each user who uses AnyConnect regardless of the number of devices that the user owns and whether or not the user has an active connection to the network.

To avoid service disruption, Cisco ISE continues to provide services to endpoints that exceed license entitlement. Cisco ISE instead relies on RADIUS accounting functions to track concurrent endpoints on the network and generates an alarm when the endpoint count of the previous day exceeded the amount of licenses.
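The counting rules above, and what they produce when an authorization rule uses a feature whose license is not registered, as an added Python model; this is not Cisco code or part of the guide. The feature names follow Table 7; the sessions, users and registered counts are constructed sample values.

```python
# Added model of the Cisco ISE 1.3 license-counting rules; not Cisco code.
# Feature names follow Table 7; every session and count below is constructed.
from dataclasses import dataclass, field

PLUS_FEATURES = {"BYOD", "Profiling", "EPS", "pxGrid", "MSE location"}
APEX_FEATURES = {"MDM", "Posture Compliance"}

@dataclass
class Session:
    endpoint: str                                # endpoint identifier (constructed)
    user: str
    features: set = field(default_factory=set)   # features used by the matched authorization rule

def count_consumption(active_sessions, anyconnect_users=()):
    """Count licenses consumed by the active sessions.

    One Base per active session; one Plus (Apex) per endpoint for any
    assortment of Plus (Apex) features; one AnyConnect Apex per user who
    uses AnyConnect, whatever the device count or session state. Ended
    sessions are simply absent, which releases all of their licenses.
    """
    counts = {"Base": 0, "Plus": 0, "Apex": 0, "AnyConnect Apex": 0}
    for s in active_sessions:
        counts["Base"] += 1
        if s.features & PLUS_FEATURES:
            counts["Plus"] += 1
        if s.features & APEX_FEATURES:
            counts["Apex"] += 1
    counts["AnyConnect Apex"] = len(set(anyconnect_users))
    return counts

def over_entitlement(consumed, registered):
    """Return how far each license type is consumed beyond what is registered.

    Unregistered types count as 0, so a rule using e.g. Session:PostureStatus
    with no Apex license registered shows up here: ISE keeps serving the
    endpoint but raises the 'Exceeded license usage' alarm.
    """
    return {k: v - registered.get(k, 0)
            for k, v in consumed.items() if v > registered.get(k, 0)}

SAMPLE_SESSIONS = [                              # constructed active sessions
    Session("ep-01", "alice", {"Profiling"}),
    Session("ep-02", "bob", {"BYOD", "pxGrid", "Posture Compliance"}),
    Session("ep-03", "alice"),
    Session("ep-04", "carol", {"Posture Compliance"}),
]
SAMPLE_ANYCONNECT_USERS = ["alice", "alice", "dave"]   # two devices for alice; dave is offline
REGISTERED = {"Base": 100}                       # only Base registered, as in the guide's scenario
```

On the sample data, count_consumption reports Base 4, Plus 2, Apex 2 and AnyConnect Apex 2 (alice's two devices count once), and over_entitlement against REGISTERED flags Plus, Apex and AnyConnect Apex as consumed without being registered.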
View License Consumption

You can view your system's current license consumption from the Licensing dashboard at Administration > System > Licensing. Consumption is portrayed as in the following image:

Figure 12: Traditional License Consumption

The License Consumption graph, in the License Usage area, is updated every 30 minutes. This window also displays the type of licenses purchased, the total number of concurrent users permitted on the system, and the expiry date of subscription services.

If you want to see your system's license consumption over multiple weeks, click Usage Over Time. Each bar in the graph shows the maximum number of licenses used during a period of one week.

Unregistered License Consumption

Problem

License consumption relies on the attributes used in the authorization policy with which the endpoint is matched.

Consider you only have a Base license registered on your system (you deleted the 90-day Evaluation license). You will be able to see and configure the corresponding Base menu items and features.

If you configure (mis-configure) an authorization policy to use a feature (for example: Session:PostureStatus) that requires an Apex license, and if an endpoint matches this authorization policy, then:
• The endpoint will consume an Apex license, despite the fact that an Apex license has not been registered on the system.
• Notifications to this effect will appear whenever you log in.
• Cisco ISE will give notifications and alarms "Exceeded license usage than allowed" (technically, this is to be expected as there are no registered Apex licenses on the system, but an endpoint is nevertheless consuming one).
Possible Causes

Due to authorization policy mis-configuration, the Licensing dashboard can show that Cisco ISE is consuming a license you have not purchased and registered. Before you purchase Plus and Apex licenses, the ISE user interface does not display the functionality covered by those licenses. However, once you have purchased these licenses, the user interface continues to display their functionality even after the license has expired or exceeded its endpoint consumption. Thus, you are able to configure them even if you do not have a valid license for them.

Solution

Choose Policy > Authorization, identify the authorization rule that is using the feature(s) for which you do not have a registered license, and reconfigure that rule.

Manage License Files

This section explains how to register, re-host, renew, migrate, upgrade, and remove ISE licenses:
• Register Licenses, on page 123
• Re-Host Licenses, on page 124
• Renew Licenses, on page 124
• Migrate and Upgrade Licenses, on page 124
• Remove Licenses, on page 125

Register Licenses

Before You Begin

Consult your Cisco partner/account team about the types of licenses and number of concurrent users you require for your installation, together with the various packages you can purchase to maximize economy.

Procedure

Step 1 From the ordering system (Cisco Commerce Workspace - CCW) on Cisco's website www.cisco.com, order the required licenses.
After about an hour, an email confirmation containing the Product Authorization Key (PAK) is sent.
Step 2 From the Cisco ISE Administration portal, choose Administration > System > Licensing. Make a note of the node information in the Licensing Details section: Product Identifier (PID), Version Identifier (VID), and Serial Number (SN).
Step 3 Go to www.cisco.com/go/licensing, and where prompted, enter the PAK of the license you received, the node information, and some details about your company.
After one day, Cisco sends you the license file.
Step 4 Save this license file to a known location on your system.
Step 5 From the Cisco ISE Administration portal, choose Administration > System > Licensing. In the License Files section, click the Import License button.
Step 6 Click Choose File and select the license file you previously stored on your system.
Step 7 Click Import.
The new license is now installed on your system.

What to Do Next

Choose the licensing dashboard, Administration > System > Licensing, and verify that the newly-entered license appears with the correct details.

Re-Host Licenses

Re-hosting means moving a license from one Cisco ISE node to another. From the licensing portal, you select the PAK of the license you want to move and follow the instructions for re-hosting. After one day, you are sent an email with a new PAK. You then register this new PAK for the new node, and remove the old license from the original Cisco ISE node.

Renew Licenses

Subscription licenses, such as Plus and Apex licenses, are issued for 1, 3 or 5 years. Cisco ISE sends an alarm when licenses are near their expiration date and again when the licenses expire.

Licenses must be renewed after they expire. This process is carried out by your Cisco partner or account team only.

Migrate and Upgrade Licenses

Cisco licensing policy supports migration from previous Cisco ISE versions, upgrading from wireless and VPN only to include wired deployments, and adding concurrent users and functionality. Existing Wireless/Wireless Upgrade deployments will be migrated to the Mobility/Mobility Upgrade package during upgrade from Cisco ISE version 1.2 to 1.3. You can also purchase bundles of licenses to minimize your ongoing expenses. These scenarios are all covered on the licensing site; for more information, contact your Cisco partner/account team.

Note
If you have migrated from Cisco ISE version 1.2, your Advanced license covers all the features in both Plus and Apex licenses.

Note
After upgrading from Cisco ISE version 1.2, the system will show the default Evaluation license only if it existed on the system prior to upgrade.