Cisco ISE 1.3 User Guide
Procedure
Step 1 Choose Administration > System > Certificates > Certificate Signing Requests.
Step 2 Enter the values for generating a CSR. See Certificate Signing Request Settings, on page 692 for information on each of the fields.
Step 3 Click Generate to generate the CSR.
The CSR is generated.
Step 4 Click Export to open the CSR in a Notepad.
Step 5 Copy all the text from “-----BEGIN CERTIFICATE REQUEST-----” through “-----END CERTIFICATE REQUEST-----.”
Step 6 Paste the contents of the CSR into the certificate request of a chosen CA.
Step 7 Download the signed certificate.
Some CAs might email the signed certificate to you. The signed certificate is in the form of a zip file that contains the newly issued certificate and the public signing certificates of the CA that you must add to the Cisco ISE trusted certificates store. The digitally-signed CA certificate, root CA certificate, and other intermediate CA certificate (if applicable) are downloaded to the local system running your client browser.

Bind the CA-Signed Certificate to the CSR
After you have the digitally signed certificate returned by the CA, you must bind it to the certificate signing request (CSR). You can perform the bind operation for all the nodes in your deployment from the Admin portal.
Before You Begin
• You must have the digitally signed certificate, and the relevant root and intermediate CA certificates returned by the CA.
• Import the relevant root and intermediate CA certificates into the Trusted Certificates Store (Administration > System > Certificates > Trusted Certificates).
Procedure
Step 1 Choose Administration > System > Certificates > Certificate Signing Requests.
Check the check box next to the node for which you are binding the CSR with the CA-signed certificate.
Step 2 Click Bind.
Step 3 Click Browse to choose the CA-signed certificate.
Step 4 Specify a Friendly Name for the certificate.
Step 5 Check the Allow Wildcard Certificates check box to bind a certificate that contains the wildcard character, asterisk (*), in any CN in the Subject or DNS in the Subject Alternative Name.
Step 6 Check the Enable Validation of Certificate Extensions check box if you want Cisco ISE to validate certificate extensions.
Cisco Identity Services Engine Administrator Guide, Release 1.3 145 Certificate Management in Cisco ISE
If you enable the Enable Validation of Certificate Extensions option, and the certificate that you are importing contains a basic constraints extension with the CA flag set to true, ensure that the key usage extension is present, and that the keyEncipherment bit or the keyAgreement bit, or both, are also set.
Step 7 Check the service for which this certificate will be used in the Usage area.
This information is autopopulated if you have enabled the Usage option while generating the CSR.
Step 8 Click Submit to bind the CA-signed certificate.
If you have chosen to use this certificate for Cisco ISE internode communication, the application server on the Cisco ISE node is restarted.
Repeat this process to bind the CSR with the CA-signed certificate on the other nodes.
What to Do Next
Import the Root Certificates to the Trusted Certificate Store, on page 143

Export a Certificate Signing Request
You can use this page to export certificate signing requests.
Before You Begin
To perform the following task, you must be a Super Admin or System Admin.
Procedure
Step 1 Choose Administration > System > Certificates > Certificate Signing Requests.
Step 2 Check the check box next to the certificates that you want to export, and click Export.
Step 3 Click OK to save the file to the file system that is running the client browser.

Install Trusted Certificates for Cisco ISE Inter-node Communication
When you set up the deployment, before you register a secondary node, you must populate the PAN's Certificate Trust List (CTL) with appropriate CA certificates that are used to validate the Admin certificate of the secondary node. The procedure to populate the CTL of the PAN is different for different scenarios:
• If the secondary node is using a CA-signed certificate to communicate with the Admin portal, you must import the CA-signed certificate of the secondary node, the relevant intermediate certificates (if any), and the root CA certificate (of the CA that signed the secondary node's certificate) into the CTL of the PAN.
• If the secondary node is using a self-signed certificate to communicate with the Admin portal, you can import the self-signed certificate of the secondary node into the CTL of the PAN.
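The Step 6 rule for Enable Validation of Certificate Extensions (a certificate with the CA flag set to true must carry a key usage extension with keyEncipherment and/or keyAgreement) and the requirement that an externally signed inter-node certificate have basic constraints with the CA flag set to true can both be checked before you bind or import. The following added example is not part of the Cisco guide or of ISE; it applies both checks to the text that `openssl x509 -noout -text` prints for a certificate, using constructed sample extension sections rather than running openssl.

```python
import re

# Constructed sample: the "X509v3 extensions" section as printed by
# `openssl x509 -noout -text -in cert.pem` for a CA certificate that
# satisfies the Step 6 rule (CA:TRUE plus Key Usage with Key Encipherment).
SAMPLE_CA_OK = """\
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Certificate Sign, CRL Sign
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
"""

# Constructed sample: CA:TRUE without any Key Usage extension, which ISE
# rejects when Enable Validation of Certificate Extensions is checked.
SAMPLE_CA_NO_KU = """\
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
"""

# Constructed sample: an end-entity (CA:FALSE) certificate. The Step 6 rule
# does not apply to it, and it fails the inter-node CA:TRUE requirement.
SAMPLE_END_ENTITY = """\
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Key Agreement
"""

def extension_value(text, name):
    """First value line under an 'X509v3 <name>:' header, or None if absent."""
    m = re.search(r"X509v3 " + re.escape(name) + r":[^\n]*\n\s*([^\n]+)", text)
    return m.group(1).strip() if m else None

def is_ca(text):
    """True when Basic Constraints is present and its CA flag is TRUE."""
    value = extension_value(text, "Basic Constraints")
    return value is not None and "CA:TRUE" in value

def key_usage_bits(text):
    """Key Usage bit names as openssl prints them (empty set if absent)."""
    value = extension_value(text, "Key Usage")
    return {bit.strip() for bit in value.split(",")} if value else set()

def check_step6_rule(text):
    """Step 6 rule: a CA:TRUE certificate needs Key Usage with
    keyEncipherment and/or keyAgreement. Returns (ok, reason)."""
    if not is_ca(text):
        return True, "CA flag not set: extension rule does not apply"
    bits = key_usage_bits(text)
    if not bits:
        return False, "CA:TRUE but the Key Usage extension is missing"
    wanted = bits & {"Key Encipherment", "Key Agreement"}
    if wanted:
        return True, "CA:TRUE with Key Usage " + ", ".join(sorted(wanted))
    return False, "CA:TRUE but Key Usage lacks Key Encipherment/Key Agreement"
```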
Note
• If you change the Admin certificate on a registered secondary node, you must obtain appropriate CA certificates that can be used to validate the secondary node’s Admin certificate and import them into the CTL of the PAN.
• If you use self-signed certificates to secure communication between a client and PSN in a deployment, when BYOD users move from one location to another, EAP-TLS user authentication fails. For such authentication requests that have to be serviced between a few PSNs, you must secure communication between the client and PSN with an externally-signed CA certificate or use wildcard certificates signed by an external CA.
Ensure that the certificate issued by the external CA has basic constraints defined and the CA flag set to true.
To install CA-signed certificates for inter-node communication:
Procedure
Step 1 Create a Certificate Signing Request and Submit the CSR to a Certificate Authority, on page 144
Step 2 Import the Root Certificates to the Trusted Certificate Store, on page 143
Step 3 Bind the CA-Signed Certificate to the CSR, on page 145

Set Up Certificates for Portal Use
With multiple Policy Service nodes (PSNs) in a deployment that can service a web portal request, Cisco ISE needs a unique identifier to identify the certificate that has to be used for portal communication. When you add or import certificates that are designated for portal use, you must define a certificate group tag and associate it with the corresponding certificate on each node in your deployment. You must associate this certificate group tag to the corresponding end-user portals (guest, sponsor, and personal devices portals). This certificate group tag is the unique identifier that helps Cisco ISE identify the certificate that has to be used when communicating with each of these portals. You can designate one certificate from each node for each of the portals.
Note
Cisco ISE presents the Portal certificate on TCP port 8443 (or the port that you have configured for portal use).
Procedure
Step 1 Create a Certificate Signing Request and Submit the CSR to a Certificate Authority, on page 144.
You must choose a Certificate Group Tag that you have already defined or create a new one for the portal. For example, mydevicesportal.
Step 2 Import the Root Certificates to the Trusted Certificate Store, on page 143.
Step 3 Bind the CA-Signed Certificate to the CSR, on page 145.

Associate the Portal Certificate Tag Before You Register a Node
If you use the "Default Portal Certificate Group" tag for all the portals in your deployment, before you register a new ISE node, ensure that you import the relevant CA-signed certificate, choose "Portal" as a service, and associate the "Default Portal Certificate Group" tag with this certificate.
When you add a new node to a deployment, the default self-signed certificate is associated with the "Default Portal Certificate Group" tag and the portals are configured to use this tag.
After you register a new node, you cannot change the Certificate Group tag association. Therefore, before you register the node to the deployment, you must do the following:
Procedure
Step 1 Create a self-signed certificate, choose "Portal" as a service, and assign a different certificate group tag (for example, tempportaltag).
Step 2 Change the portal configuration to use the newly created certificate group tag (tempportaltag).
Step 3 Edit the default self-signed certificate and remove the Portal role.
This option removes the Default Portal Certificate Group tag association with the default self-signed certificate.
Step 4 Do one of the following:

Option: Generate a CSR
Description: When you generate the CSR:
1 Choose "Portal" as a service for which you will use this certificate and associate the "Default Portal Certificate Group" tag.
2 Send the CSR to a CA and obtain the signed certificate.
3 Import the root and any other intermediate certificates of the CA that signed your certificate into the Trusted Certificates store.
4 Bind the CA-signed certificate with the CSR.

Option: Import the private key and the CA-signed certificate
Description: When you import the CA-signed certificate:
1 Choose "Portal" as a service for which you will use this certificate and associate the "Default Portal Certificate Group" tag.
2 Import the root and any other intermediate certificates of the CA that signed your certificate into the Trusted Certificates store.

Option: Edit an existing CA-signed certificate
Description: When you edit the existing CA-signed certificate, choose "Portal" as a service for which you will use this certificate and associate the "Default Portal Certificate Group" tag.

Step 5 Register the ISE node to the deployment.
The portal configuration in the deployment is configured to the "Default Portal Certificate Group" tag and the portals are configured to use the CA-signed certificate associated with the "Default Portal Certificate Group" tag on the new node.

User and Endpoint Certificate Renewal
By default, Cisco ISE rejects a request that comes from a device whose certificate has expired. However, you can change this default behavior and configure ISE to process such requests and prompt the user to renew the certificate.
If you choose to allow the user to renew the certificate, Cisco recommends that you configure an authorization policy rule which checks if the certificate has been renewed before processing the request any further. Processing a request from a device whose certificate has expired may pose a potential security threat. Hence, you must configure appropriate authorization profiles and rules to ensure that your organization’s security is not compromised.
Some devices allow you to renew the certificates before and after their expiry. But on Windows devices, you can renew the certificates only before they expire. Apple iOS, Mac OS X, and Android devices allow you to renew the certificates before or after their expiry.

Dictionary Attributes Used in Policy Conditions for Certificate Renewal
The Cisco ISE certificate dictionary contains the following attributes that are used in policy conditions to allow a user to renew the certificate:
• Days to Expiry: This attribute provides the number of days for which the certificate is valid. You can use this attribute to create a condition that can be used in authorization policy. This attribute can take a value from 0 to 15. A value of 0 indicates that the certificate has already expired. A value of 1 indicates that the certificate has less than 1 day before it expires.
• Is Expired: This Boolean attribute indicates whether a certificate has expired or not. If you want to allow certificate renewal only when the certificate is near expiry and not after it has expired, use this attribute in the authorization policy condition.

Authorization Policy Condition for Certificate Renewal
You can use the CertRenewalRequired simple condition (available by default) in authorization policy to ensure that a certificate (expired or about to expire) is renewed before Cisco ISE processes the request further.
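The two dictionary attributes above and the CertRenewalRequired condition can be modelled to see how a renewal rule behaves around expiry. The following added example is not part of the Cisco guide or of ISE: it derives Days to Expiry and Is Expired from a certificate's notAfter time and evaluates a rule of the shape used later in this chapter (CertRenewalRequired EQUALS True, then the CertRenewal_CWA profile). Rounding the remaining time up to whole days, capping the attribute at 15, and treating CertRenewalRequired as "expired or expiring within 15 days" are assumptions; the guide does not define the built-in condition's formula.

```python
import math
from datetime import datetime, timedelta, timezone

DAYS_TO_EXPIRY_MAX = 15  # the guide gives Days to Expiry the range 0..15

def days_remaining(not_after, now):
    """Whole days until notAfter, rounded up; 0 once expired (assumed rounding)."""
    remaining = not_after - now
    if remaining <= timedelta(0):
        return 0
    return math.ceil(remaining / timedelta(days=1))

def days_to_expiry(not_after, now):
    """Days to Expiry attribute: 0 = expired, 1 = under a day left, capped at 15."""
    return min(days_remaining(not_after, now), DAYS_TO_EXPIRY_MAX)

def is_expired(not_after, now):
    """Is Expired attribute: True once notAfter has passed."""
    return not_after <= now

def cert_renewal_required(not_after, now, window_days=DAYS_TO_EXPIRY_MAX):
    """Assumed meaning of CertRenewalRequired: expired, or expiring within
    window_days. The guide does not state the built-in condition's formula."""
    return days_remaining(not_after, now) <= window_days

def authorize(not_after, now, allow_renewal_after_expiry=True):
    """Rule from this chapter: CertRenewalRequired EQUALS True -> CertRenewal_CWA.
    With allow_renewal_after_expiry=False the rule additionally requires
    Is Expired to be False (renew only near expiry, as for Windows endpoints),
    so an already expired certificate falls through to the default rejection.
    Returns the authorization profile name, or None if the rule did not match."""
    if not cert_renewal_required(not_after, now):
        return None
    if not allow_renewal_after_expiry and is_expired(not_after, now):
        return None
    return "CertRenewal_CWA"

# Constructed reference time and notAfter values for four sample endpoints.
NOW = datetime(2015, 1, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_NOT_AFTER = {
    "expired-yesterday": NOW - timedelta(days=1),
    "five-hours-left": NOW + timedelta(hours=5),
    "just-over-three-days-left": NOW + timedelta(days=3, hours=1),
    "forty-days-left": NOW + timedelta(days=40),
}

def evaluate_samples(allow_renewal_after_expiry=True):
    """Return {name: (Days to Expiry, Is Expired, matched profile)}."""
    return {name: (days_to_expiry(t, NOW), is_expired(t, NOW),
                   authorize(t, NOW, allow_renewal_after_expiry))
            for name, t in SAMPLE_NOT_AFTER.items()}

if __name__ == "__main__":
    for name, result in evaluate_samples().items():
        print(name, result)
```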
CWA Redirect to Renew Certificates
If a user certificate is revoked before its expiry, Cisco ISE checks the CRL published by the CA and rejects the authentication request. If a revoked certificate has expired, the CA may not publish this certificate in its CRL. In this scenario, it is possible for Cisco ISE to renew a certificate that has been revoked. To avoid this, before you renew a certificate, ensure that the request gets redirected to Central Web Authentication (CWA) for a full authentication. You must create an authorization profile to redirect the user for CWA.

Configure Cisco ISE to Allow Users to Renew Certificates
You must complete the tasks listed in this procedure to configure Cisco ISE to allow users to renew certificates.
Before You Begin
Configure a limited access ACL on the WLC to redirect a CWA request.
Procedure
Step 1 Update the Allowed Protocol Configuration, on page 150
Step 2 Create an Authorization Policy Profile for CWA Redirection, on page 151
Step 3 Create an Authorization Policy Rule to Renew Certificates, on page 151
Step 4 Enable BYOD Settings in the Guest Portal, on page 152

Update the Allowed Protocol Configuration
Procedure
Step 1 Choose Policy > Policy Elements > Results > Authentication > Allowed Protocols > Default Network Access.
Step 2 Check the Allow Authentication of expired certificates to allow certificate renewal in Authorization Policy check box under the EAP-TLS protocol and the EAP-TLS inner methods for the PEAP and EAP-FAST protocols.
Requests that use the EAP-TLS protocol will go through the NSP flow.
For the PEAP and EAP-FAST protocols, you must manually configure Cisco AnyConnect for Cisco ISE to process the request.
Step 3 Click Submit.
What to Do Next
Create an Authorization Policy Profile for CWA Redirection, on page 151
Create an Authorization Policy Profile for CWA Redirection
Before You Begin
Ensure that you have configured a limited access ACL on the WLC.
Procedure
Step 1 Choose Policy > Policy Elements > Results > Authorization > Authorization Profiles.
Step 2 Click Add.
Step 3 Enter a name for the authorization profile. For example, CertRenewal_CWA.
Step 4 Check the Web Redirection (CWA, DRW, MDM, NSP, CPP) check box in the Common Tasks area.
Step 5 Choose Centralized Web Auth from the drop-down list and the limited access ACL.
Step 6 Check the Display Certificates Renewal Message check box.
The URL-redirect attribute value changes and includes the number of days for which the certificate is valid.
Step 7 Click Submit.
Note
If you have configured the following Device Registration WebAuth (DRW) policies for wireless devices in Cisco ISE 1.2:
• DRW-Redirect policy with Condition = (Wireless_MAB AND Network Access:UseCase EQUALS HostLookup) and Profile = Wireless-drw-redirect
• DRW-Allow policy with Condition = (Wireless_MAB AND Network Access:UseCase EQUALS HostLookup) and Profile = Wireless-Permit
After upgrading to ISE 1.3 or a later version, you must update the DRW-Allow policy condition as follows:
• Condition = (Wireless_MAB AND Network Access:UseCase EQUALS GuestFlow) and Profile = Wireless-Permit
What to Do Next
Create an Authorization Policy Rule to Renew Certificates, on page 151

Create an Authorization Policy Rule to Renew Certificates
Before You Begin
Ensure that you have created an authorization profile for central web authentication redirection.
Enable Policy Sets on Administration > System > Settings > Policy Settings.
Procedure
Step 1 Choose Policy > Policy Sets.
Step 2 Click Create Above.
Step 3 Enter a name for the new rule.
Step 4 Choose the following simple condition and result:
If CertRenewalRequired EQUALS True, then choose the authorization profile that you created earlier (CertRenewal_CWA) for the permission.
Step 5 Click Save.
What to Do Next
When you access the corporate network with a device whose certificate has expired, click Renew to reconfigure your device.

Enable BYOD Settings in the Guest Portal
For a user to be able to renew a personal device certificate, you must enable the BYOD settings in the chosen guest portal.
Procedure
Step 1 Choose Work Centers > Guest Access > Configure > Guest Portals.
a) Select the chosen CWA portal and click Edit.
Step 2 From BYOD Settings, check the Allow employees to use personal devices on the network check box.
Step 3 Click Save.

Certificate Renewal Fails for Apple iOS Devices
When you use ISE to renew the endpoint certificates on Apple iOS devices, you might see a “Profile Failed to Install” error message. This error message appears if the expiring or expired network profiles were signed by a different Admin HTTPS certificate than the one that is used in processing the renewal, either on the same Policy Service Node (PSN) or on another PSN.
As a workaround, use a multi-domain SSL certificate, which is commonly referred to as a Unified Communications Certificate (UCC), or a wildcard certificate for Admin HTTPS on all PSNs in the deployment.

Cisco ISE CA Service
Certificates can be self-signed or digitally signed by an external Certificate Authority (CA). The Cisco ISE Internal Certificate Authority (ISE CA) issues and manages digital certificates for endpoints from a centralized console to allow employees to use their personal devices on the company's network. A CA-signed digital certificate is considered industry standard and more secure. The ISE CA offers the following functionalities:
• Certificate Issuance: Validates and signs Certificate Signing Requests (CSRs) for endpoints that connect to your network.
• Key Management: Generates and securely stores keys and certificates on both PAN and PSN nodes.
• Certificate Storage: Stores certificates issued to users and devices.
• Online Certificate Status Protocol (OCSP) Support: Provides an OCSP responder to check for the validity of certificates.

Certificates Provisioned on Primary Policy Administration Node and Policy Service Nodes
After installation, a Cisco ISE node is provisioned with self-signed CA and subordinate CA (sub CA) certificates for the Cisco ISE node to issue and manage certificates for endpoints. Any PSN that you register with your Primary PAN is provisioned with a sub CA certificate that is signed by the Primary PAN. When you use the Cisco ISE internal CA service and endpoints access your network, the sub CA on the PSN node issues certificates to endpoints.
Figure 14: Certificates Provisioned At Node Registration - PSNs get an Endpoint CA and an OCSP certificate from the Primary PAN
Simple Certificate Enrollment Protocol Profiles
To help enable certificate provisioning functions for the variety of mobile devices that users can register on the network, Cisco ISE enables you to configure one or more Simple Certificate Enrollment Protocol (SCEP) Certificate Authority (CA) profiles (called Cisco ISE External CA Settings) to point Cisco ISE to multiple CA locations. The benefit of allowing for multiple profiles is to help ensure high availability and perform load balancing across the CA locations that you specify. If a request to a particular SCEP CA goes unanswered three consecutive times, Cisco ISE declares that particular server unavailable and automatically moves to the CA with the next lowest known load and response times, then it begins periodic polling until the server comes back online.
For details on how to set up your Microsoft SCEP server to interoperate with Cisco ISE, see http://www.cisco.com/en/US/solutions/collateral/ns340/ns414/ns742/ns744/docs/howto_60_byod_certificates.pdf.

Endpoint Certificates
The Admin portal lists all the certificates issued by the internal ISE CA to endpoints (Administration > System > Certificates > Endpoint Certificates). The Endpoint Certificates page provides you an at-a-glance view of the certificate status. You can mouse over the Status column to find out the reason for revocation if a certificate has been revoked. You can mouse over the Certificate Template column to view additional details such as the Subject, Subject Alternative Name (SAN), and Validity of the certificate. You can click on the endpoint certificate to view the certificate.
For example, if you want to view the certificates issued to user7, enter user7 in the text box that appears below the Friendly Name field. All the certificates issued by Cisco ISE to this user appear. Remove the search term from the text box to cancel the filter. You can also use the Advanced Filter option to view records based on various search criteria.
This Endpoint Certificates page also provides you the option to revoke an endpoint certificate, if necessary.
The Certificate Management Overview page displays the total number of endpoint certificates issued by each PSN node in your deployment. You can also view the total number of revoked certificates per node and the total number of certificates that have failed. You can filter the data on this page based on any of the attributes.
Note
pxGrid certificates are not listed in the Endpoint Certificates page.

Backup and Restore of Cisco ISE CA Certificates and Keys
You must back up the Cisco ISE CA certificates and keys securely to be able to restore them on a Secondary Administration Node in case of a PAN failure, when you want to promote the Secondary Administration Node to function as the root CA or intermediate CA of an external PKI. The Cisco ISE configuration backup does not include the CA certificates and keys. Instead, you should use the Command Line Interface (CLI) to export the CA certificates and keys to a repository and to import them. The application configure ise command now includes export and import options to back up and restore CA certificates and keys.
The following certificates from the Trusted Certificates Store are restored on the Secondary Administration Node:
• Cisco ISE Root CA certificate