Cisco Ise 13 User Guide
• Cisco ISE Sub CA certificate
• Cisco ISE Endpoint RA certificate
• Cisco ISE OCSP Responder certificate

You must back up and restore Cisco ISE CA certificates and keys when you:

• Have a Secondary Administration Node in the deployment
• Replace the entire Cisco ISE CA root chain
• Configure Cisco ISE root CA to act as a subordinate CA of an external PKI
• Upgrade from Release 1.2 to a later release
• Restore data from a configuration backup. In this case, you must first regenerate the Cisco ISE CA root chain and then back up and restore the ISE CA certificates and keys.

Export Cisco ISE CA Certificates and Keys

You must export the CA certificates and keys from the PAN to import them on the Secondary Administration Node. This option enables the Secondary Administration Node to issue and manage certificates for endpoints when the PAN is down and you promote the Secondary Administration Node to be the PAN.

Before You Begin

Ensure that you have created a repository to store the CA certificates and keys.

Procedure

Step 1 Enter the application configure ise command from the Cisco ISE CLI.
Step 2 Enter 7 to export the certificates and keys.
Step 3 Enter the repository name.
Step 4 Enter an encryption key.

A success message appears with the list of certificates that were exported, along with the subject, issuer, and serial number.

Example:
The following 4 CA key pairs were exported to repository 'sftp' at 'ise_ca_key_pairs_of_ise-vm1':
Subject: CN=Cisco ISE Self-Signed CA of ise-vm1
Issuer: CN=Cisco ISE Self-Signed CA of ise-vm1
Serial#: 0x621867df-568341cd-944cc77f-c9820765

Subject: CN=Cisco ISE Endpoint CA of ise-vm1
Issuer: CN=Cisco ISE Self-Signed CA of ise-vm1
Serial#: 0x7027269d-d80a406d-831d5c26-f5e105fa

Subject: CN=Cisco ISE Endpoint RA of ise-vm1
Issuer: CN=Cisco ISE Endpoint CA of ise-vm1
Serial#: 0x1a65ec14-4f284da7-9532f0a0-8ae0e5c2

Subject: CN=Cisco ISE OCSP Responder Certificate of ise-vm1
Issuer: CN=Cisco ISE Self-Signed CA of ise-vm1
Serial#: 0x6f6d4097-21f74c4d-8832ba95-4c320fb1
ISE CA keys export completed successfully

Cisco Identity Services Engine Administrator Guide, Release 1.3 155 Cisco ISE CA Service

Import Cisco ISE CA Certificates and Keys

After you register the Secondary Administration Node, you must export the CA certificates and keys from the PAN and import them into the Secondary Administration Node.

Procedure

Step 1 Enter the application configure ise command from the Cisco ISE CLI.
Step 2 Enter 8 to import the CA certificates and keys.
Step 3 Enter the repository name.
Step 4 Enter the name of the file that you want to import.
Step 5 Enter the encryption key to decrypt the file.

A success message appears.

Example:
The following 4 CA key pairs were imported:
Subject: CN=Cisco ISE Self-Signed CA of ise-vm1
Issuer: CN=Cisco ISE Self-Signed CA of ise-vm1
Serial#: 0x21ce1000-8008472c-a6bc4fd9-272c8da4

Subject: CN=Cisco ISE Endpoint CA of ise-vm1
Issuer: CN=Cisco ISE Self-Signed CA of ise-vm1
Serial#: 0x05fa86d0-092542b4-8ff68ed4-f1964a56

Subject: CN=Cisco ISE Endpoint RA of ise-vm1
Issuer: CN=Cisco ISE Endpoint CA of ise-vm1
Serial#: 0x77932e02-e8c84b3d-b27e2f1c-e9f246ca

Subject: CN=Cisco ISE OCSP Responder Certificate of ise-vm1
Issuer: CN=Cisco ISE Self-Signed CA of ise-vm1
Serial#: 0x5082017f-330e412f-8d63305d-e13fd2a5
Stopping ISE Certificate Authority Service...
Starting ISE Certificate Authority Service...
ISE CA keys import completed successfully

Generate Root CA and Subordinate CAs on the Primary PAN and PSN

When you set up the deployment, Cisco ISE generates a root CA on the Primary PAN and subordinate CA certificates on the Policy Service Nodes (PSNs) for the Cisco ISE CA service. However, when you change the domain name or the hostname of the Primary PAN or a PSN, you must regenerate the root CA on the Primary PAN and the sub CAs on the PSNs, respectively.

If you want to change the hostname on a PSN, instead of regenerating the root CA and subordinate CAs on the Primary PAN and PSNs respectively, you can deregister the PSN before changing the hostname, and register it back. A new subordinate certificate gets provisioned automatically on the PSN.
Procedure

Step 1 Choose Administration > System > Certificates > Certificate Signing Requests.
Step 2 Click Generate Certificate Signing Requests (CSR).
Step 3 Choose ISE Root CA from the Certificate(s) will be used for drop-down list.
Step 4 Click Replace ISE Root CA Certificate chain.

The root CA and subordinate CA certificates get generated for all the nodes in your deployment.

What to Do Next

If you have a Secondary PAN in the deployment, obtain a backup of the Cisco ISE CA certificates and keys from the Primary PAN and restore it on the Secondary PAN. This ensures that the Secondary PAN can function as the root CA in case of a Primary PAN failure and you promote the Secondary PAN to be the Primary PAN.

Configure Cisco ISE Root CA as Subordinate CA of an External PKI

If you want the root CA on the Primary PAN to act as a subordinate CA of an external PKI, generate an ISE intermediate CA certificate signing request, send it to the external CA, obtain the root and CA-signed certificates, import the root CA certificate into the Trusted Certificates Store, and bind the CA-signed certificate to the CSR. In this case, the external CA is the root CA, the Primary PAN is a subordinate CA of the external CA, and the PSNs are subordinate CAs of the Primary PAN.

Procedure

Step 1 Choose Administration > System > Certificates > Certificate Signing Requests.
Step 2 Click Generate Certificate Signing Requests (CSR).
Step 3 Choose ISE Intermediate CA from the Certificate(s) will be used for drop-down list.
Step 4 Click Generate.
Step 5 Export the CSR, send it to the external CA, and obtain the CA-signed certificate.
Step 6 Import the root CA certificate from the external CA into the Trusted Certificates store.
Step 7 Bind the CA-signed certificate with the CSR.

What to Do Next

If you have a Secondary PAN in the deployment, obtain a backup of the Cisco ISE CA certificates and keys from the Primary PAN and restore it on the Secondary PAN. This ensures that the Secondary PAN can function as subordinate CA of the external PKI in case of a Primary PAN failure and you promote the Secondary PAN to be the Primary PAN.
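Before relying on a restored set of CA key pairs on the Secondary PAN, it is worth checking the listings printed by the export and import procedures above rather than trusting the "completed successfully" line alone. The following Python is an added example, not part of the guide or of Cisco ISE: it parses that listing, verifies that the four key pairs are present with the expected issuer relationships, and compares an export listing with an import listing; the sample listing and its serial numbers are constructed.

```python
import re

# Constructed sample in the shape of the CLI success message from the export
# procedure above; the serial numbers are made up for this example.
SAMPLE_EXPORT = """\
The following 4 CA key pairs were exported to repository 'sftp' at 'ise_ca_key_pairs_of_ise-vm1':
Subject: CN=Cisco ISE Self-Signed CA of ise-vm1
Issuer: CN=Cisco ISE Self-Signed CA of ise-vm1
Serial#: 0x11111111-22222222-33333333-44444444
Subject: CN=Cisco ISE Endpoint CA of ise-vm1
Issuer: CN=Cisco ISE Self-Signed CA of ise-vm1
Serial#: 0x55555555-66666666-77777777-88888888
Subject: CN=Cisco ISE Endpoint RA of ise-vm1
Issuer: CN=Cisco ISE Endpoint CA of ise-vm1
Serial#: 0x99999999-aaaaaaaa-bbbbbbbb-cccccccc
Subject: CN=Cisco ISE OCSP Responder Certificate of ise-vm1
Issuer: CN=Cisco ISE Self-Signed CA of ise-vm1
Serial#: 0xdddddddd-eeeeeeee-ffffffff-00000000
ISE CA keys export completed successfully
"""

# One key pair as printed by the CLI: Subject, Issuer and Serial# on consecutive lines.
ENTRY_RE = re.compile(
    r"Subject:\s*(?P<subject>CN=[^\n]+)\n"
    r"Issuer:\s*(?P<issuer>CN=[^\n]+)\n"
    r"Serial#:\s*(?P<serial>0x[0-9A-Fa-f-]+)")

def parse_listing(text):
    """Map each listed key pair's subject to (issuer, serial)."""
    return {m["subject"].strip(): (m["issuer"].strip(), m["serial"].lower())
            for m in ENTRY_RE.finditer(text)}

def check_ca_chain(pairs, hostname):
    """Return problems with the listing; an empty list means all four key pairs for
    hostname are present and signed as expected (root signs the Endpoint CA and the
    OCSP Responder; the Endpoint CA signs the Endpoint RA)."""
    root = f"CN=Cisco ISE Self-Signed CA of {hostname}"
    endpoint_ca = f"CN=Cisco ISE Endpoint CA of {hostname}"
    expected = {
        root: root,
        endpoint_ca: root,
        f"CN=Cisco ISE Endpoint RA of {hostname}": endpoint_ca,
        f"CN=Cisco ISE OCSP Responder Certificate of {hostname}": root,
    }
    problems = []
    for subject, issuer in expected.items():
        if subject not in pairs:
            problems.append(f"missing key pair: {subject}")
        elif pairs[subject][0] != issuer:
            problems.append(f"{subject} issued by {pairs[subject][0]}, expected {issuer}")
    problems += [f"unexpected key pair: {s}" for s in pairs if s not in expected]
    return problems

def same_key_pairs(export_text, import_text):
    """True when the Secondary PAN's import listing shows exactly the subjects,
    issuers and serials that were exported from the PAN."""
    return parse_listing(export_text) == parse_listing(import_text)
```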
Configure Cisco ISE to Use Certificates for Authenticating Personal Devices

You can configure Cisco ISE to issue and manage certificates for endpoints (personal devices) that connect to your network. You can use the internal Cisco ISE Certificate Authority (CA) service to sign the certificate signing request (CSR) from endpoints or forward the CSR to an external CA.

Before You Begin

• Obtain a backup of the Cisco ISE CA certificates and keys from the Primary PAN and store them in a secure location for disaster recovery purposes.
• If you have a Secondary PAN in the deployment, back up the Cisco ISE CA certificates and keys from the Primary PAN and restore them on the Secondary PAN.

Procedure

Step 1 Add Users to the Employee User Group, on page 158
You can add users to the internal identity store or to an external identity store such as Active Directory.
Step 2 Create a Certificate Authentication Profile for TLS-Based Authentication, on page 159
Step 3 Create an Identity Source Sequence for TLS-Based Authentication, on page 159
Step 4 Create a client provisioning policy.
a) Configure Certificate Authority Settings, on page 160
b) Create a CA Template, on page 161
c) Create a Native Supplicant Profile to be Used in Client Provisioning Policy, on page 162
d) Download Agent Resources from Cisco Site for Windows and MAC OS X Operating Systems, on page 163
e) Create Client Provisioning Policy Rules for Apple iOS, Android, and MAC OS X Devices, on page 163
Step 5 Configure the Dot1X Authentication Policy Rule for TLS-Based Authentication, on page 164
Step 6 Configure authorization policy rules for TLS-based authentications.
a) Create Authorization Profiles for Central Web Authentication and Supplicant Provisioning Flows, on page 164
b) Create Authorization Policy Rules, on page 165

Add Users to the Employee User Group

The following procedure describes how to add users to the Employee user group in the Cisco ISE identity store. If you are using an external identity store, make sure that you have an Employee user group to which you can add users.
Procedure

Step 1 Choose Administration > Identity Management > Identities > Users.
Step 2 Click Add.
Step 3 Enter the user details.
Step 4 Select Employee from the User Group drop-down list.
All users who belong to the Employee user group share the same set of privileges.
Step 5 Click Submit.

What to Do Next

Create a Certificate Authentication Profile for TLS-Based Authentication, on page 159

Create a Certificate Authentication Profile for TLS-Based Authentication

To use certificates for authenticating endpoints that connect to your network, you must define a certificate authentication profile in Cisco ISE or edit the default Preloaded_Certificate_Profile. The certificate authentication profile includes the certificate field that should be used as the principal username. For example, if the username is in the Common Name field, then you can define a certificate authentication profile with the Principal Username being the Subject - Common Name, which can be verified against the identity store.

Procedure

Step 1 Choose Administration > Identity Management > External Identity Sources > Certificate Authentication Profile.
Step 2 Enter a name for your certificate authentication profile. For example, CAP.
Step 3 Choose Subject - Common Name as the Principal Username X509 Attribute.
Step 4 Click Save.

What to Do Next

Create an Identity Source Sequence for TLS-Based Authentication, on page 159

Create an Identity Source Sequence for TLS-Based Authentication

After you create a certificate authentication profile, you must add it to the identity source sequence so that Cisco ISE can obtain the attribute from the certificate and match it against the identity sources that you have defined in the identity source sequence.

Before You Begin

Ensure that you have completed the following tasks:

• Add users to the Employee user group.
• Create a certificate authentication profile for certificate-based authentication.
Procedure

Step 1 Choose Administration > Identity Management > Identity Source Sequences.
Step 2 Click Add.
Step 3 Enter a name for the identity source sequence. For example, Dot1X.
Step 4 Check the Select Certificate Authentication Profile check box and select the certificate authentication profile that you created earlier, namely CAP.
Step 5 Move the identity source that contains your user information to the Selected list box in the Authentication Search List area.
You can add additional identity sources, and Cisco ISE searches these data stores sequentially until a match is found.
Step 6 Click the Treat as if the user was not found and proceed to the next store in the sequence radio button.
Step 7 Click Submit.

What to Do Next

Configure Certificate Authority Settings, on page 160

Configure Certificate Authority Settings

You must configure the external CA settings if you are going to use an external CA for signing the CSRs. The external CA settings were known as the SCEP RA profile in previous releases of Cisco ISE. If you are using the Cisco ISE CA, then you do not have to explicitly configure the CA settings. You can review the Internal CA settings at Administration > System > Certificates > Internal CA Settings.

Once users' devices receive their validated certificate, the certificates reside on the device as described in the following table.

Table 8: Device Certificate Location

Device      | Certificate Storage Location | Access Method
iPhone/iPad | Standard certificate store   | Settings > General > Profile
Android     | Encrypted certificate store  | Invisible to end users. Note: Certificates can be removed using Settings > Location & Security > Clear Storage.
Windows     | Standard certificate store   | Launch mmc.exe from the /cmd prompt or view in the certificate snap-in.
Mac         | Standard certificate store   | Application > Utilities > Keychain Access
Before You Begin

If you are going to use an external Certificate Authority (CA) for signing the certificate signing request (CSR), then you must have the URL of the external CA.

Procedure

Step 1 Choose Administration > System > Certificates > External CA Settings.
Step 2 Click Add.
Step 3 Enter a name for the external CA setting. For example, EXTERNAL_SCEP.
Step 4 Enter the external CA server URL in the URL text box.
Click Test Connection to check if the external CA is reachable. Click the + button to enter additional CA server URLs.
Step 5 Click Submit.

What to Do Next

Create a CA Template, on page 161

Create a CA Template

The certificate template defines the SCEP RA profile that must be used (for the internal or external CA), Subject, Subject Alternative Name (SAN), validity period of the certificate, and the Extended Key Usage. This example assumes that you are going to use the internal Cisco ISE CA. For an external CA template, the validity period is determined by the external CA and you cannot specify it.

You can create a new CA template or edit the default certificate template, EAP_Authentication_Certificate_Template.

Before You Begin

Ensure that you have configured the CA settings.

Procedure

Step 1 Choose Administration > System > CA Service > Internal CA Certificate Template.
Step 2 Enter a name for the internal CA template. For example, Internal_CA_Template.
Step 3 (Optional) Enter values for the Organizational Unit, Organization, City, State, and Country fields.
We do not support UTF-8 characters in the certificate template fields (Organizational Unit, Organization, City, State, and Country). Certificate provisioning fails if UTF-8 characters are used in the certificate template.
The username of the internal user generating the certificate is used as the Common Name of the certificate. Cisco ISE Internal CA does not support "+" or "*" characters in the Common Name field. Ensure that your username does not include the "+" or "*" special characters.
Step 4 Specify the Subject Alternative Name (SAN) and the validity period of the certificate.
Step 5 Specify a key size. You must choose 1024 or a higher key size.
Step 6 Specify the Extended Key Usage. Check the Client Authentication check box if you want the certificate to be used for client authentication. Check the Server Authentication check box if you want the certificate to be used for server authentication.
Step 7 Click Submit.

The internal CA certificate template is created and will be used by the client provisioning policy.

What to Do Next

Create a Native Supplicant Profile to be Used in Client Provisioning Policy, on page 162

Create a Native Supplicant Profile to be Used in Client Provisioning Policy

You can create native supplicant profiles to enable users to bring personal devices to your corporate network. Cisco ISE uses different policy rules for different operating systems. Each client provisioning policy rule contains a native supplicant profile, which specifies which provisioning wizard is to be used for which operating system.

Before You Begin

• Configure the CA certificate template in Cisco ISE.
• Open up TCP port 8905 and UDP port 8905 to enable Cisco NAC Agent, Cisco NAC Web Agent, and supplicant provisioning wizard installation. For more information on port usage, see the "Cisco ISE Appliance Ports Reference" appendix in the Cisco Identity Services Engine Hardware Installation Guide.

Procedure

Step 1 Choose Policy > Policy Elements > Results > Client Provisioning > Resources.
Step 2 Choose Add > Native Supplicant Profile.
Step 3 Enter a name for the native supplicant profile. For example, EAP_TLS_INTERNAL.
Step 4 Choose ALL from the Operating System drop-down list.
Step 5 Check the Wired or Wireless check box.
Step 6 Choose TLS from the Allowed Protocol drop-down list.
Step 7 Choose the CA certificate template that you created earlier.
Step 8 Click Submit.

What to Do Next

Download Agent Resources from Cisco Site for Windows and MAC OS X Operating Systems, on page 163
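The constraints scattered through the Create a CA Template steps above (ASCII-only template fields, no "+" or "*" in the username that becomes the Common Name, a key size of at least 1024, a validity period only for the internal CA, and the Client Authentication Extended Key Usage for an EAP-TLS supplicant certificate) are cheaper to check before provisioning than to diagnose on the endpoint. The following Python validator is an added example, not Cisco code; the dictionary layout for a template and its key names are assumptions made for this example.

```python
TEMPLATE_FIELDS = ("Organizational Unit", "Organization", "City", "State", "Country")
MIN_KEY_SIZE = 1024  # the guide's stated minimum; 2048 is the usual choice today

def validate_ca_template(template, username, for_eap_tls=True):
    """Return the problems that would make provisioning with this template fail for
    the given internal user, whose username becomes the certificate's Common Name.
    An empty list means the template satisfies the constraints stated in the steps."""
    problems = []
    for field in TEMPLATE_FIELDS:
        # Provisioning fails if UTF-8 (non-ASCII) characters are used in these fields.
        if not template.get(field, "").isascii():
            problems.append(f"{field}: UTF-8 (non-ASCII) characters are not supported")
    if any(ch in username for ch in "+*"):
        problems.append("Common Name: the username must not contain '+' or '*'")
    if template.get("Key Size", 0) < MIN_KEY_SIZE:
        problems.append(f"Key Size: must be {MIN_KEY_SIZE} or higher")
    if not template.get("SAN"):
        problems.append("SAN: specify the Subject Alternative Name")
    validity = template.get("Validity Days", 0)
    if template.get("CA") == "internal" and validity <= 0:
        problems.append("Validity: the internal CA needs a validity period")
    if template.get("CA") == "external" and validity:
        problems.append("Validity: an external CA decides the validity period; do not set it here")
    eku = set(template.get("Extended Key Usage", ()))
    if for_eap_tls and "Client Authentication" not in eku:
        problems.append("Extended Key Usage: Client Authentication is needed for an EAP-TLS "
                        "supplicant certificate")
    return problems

# Constructed sample following the Internal_CA_Template walk-through above.
INTERNAL_CA_TEMPLATE = {
    "CA": "internal",
    "Organizational Unit": "IT", "Organization": "Example Corp",
    "City": "Austin", "State": "TX", "Country": "US",
    "SAN": "MAC Address",  # constructed value
    "Validity Days": 365,
    "Key Size": 2048,
    "Extended Key Usage": ["Client Authentication"],
}
```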
Download Agent Resources from Cisco Site for Windows and MAC OS X Operating Systems

For Windows and MAC OS X operating systems, you must download the remote resources from the Cisco site.

Before You Begin

Ensure that you are able to access the appropriate remote location to download client provisioning resources to Cisco ISE, by verifying that the proxy settings for your network are correctly configured.

Procedure

Step 1 Choose Policy > Policy Elements > Resources > Client Provisioning > Resources.
Step 2 Choose Add > Agent resources from Cisco site.
Step 3 Check the check boxes next to the Windows and MAC OS X packages. Be sure to include the latest versions.
Step 4 Click Save.

What to Do Next

Create Client Provisioning Policy Rules for Apple iOS, Android, and MAC OS X Devices, on page 163

Create Client Provisioning Policy Rules for Apple iOS, Android, and MAC OS X Devices

Client provisioning resource policies determine which users receive which version (or versions) of resources (agents, agent compliance modules, and agent customization packages/profiles) from Cisco ISE upon login and user session initiation.

When you download the agent compliance module, it always overwrites the existing one, if any, available in the system.

To enable employees to bring iOS, Android, and MAC OS X devices, you must create policy rules for each of these devices on the Client Provisioning Policy page.

Before You Begin

You must have configured the required native supplicant profiles and downloaded the required agents from the Client Provisioning Policy pages.

Procedure

Step 1 Choose Policy > Client Provisioning.
Step 2 Create client provisioning policy rules for Apple iOS, Android, and MAC OS X devices.
Step 3 Click Save.

What to Do Next

Configure the Dot1X Authentication Policy Rule for TLS-Based Authentication, on page 164
Configure the Dot1X Authentication Policy Rule for TLS-Based Authentication

You must update the Dot1X authentication policy rule for TLS-based authentications.

Before You Begin

Ensure that you have the certificate authentication profile created for TLS-based authentication.

Procedure

Step 1 Choose Policy > Authentication.
Step 2 Click the Rule-Based radio button.
The default rule-based authentication policy includes a rule for Dot1X authentication.
Step 3 Edit the Dot1X authentication policy rule.
Step 4 Choose Actions > Insert new row above from the Dot1X policy rule.
Step 5 Enter a name for the rule. For example, eap-tls.
Step 6 Use the Expression Builder to create the following policy condition: If Network Access:EapAuthentication Equals EAP-TLS, then use the certificate authentication profile that you created earlier.
Step 7 Leave the default rule as is.
Step 8 Click Save.

What to Do Next

Create Authorization Profiles for Central Web Authentication and Supplicant Provisioning Flows, on page 164

Create Authorization Profiles for Central Web Authentication and Supplicant Provisioning Flows

You must define authorization profiles to determine the access that must be granted to the user after the certificate-based authentication is successful.

Before You Begin

Ensure that you have configured the required access control lists (ACLs) on the wireless LAN controller (WLC). Refer to the TrustSec How-To Guide: Using Certificates for Differentiated Access for information on how to create the ACLs on the WLC.

This example assumes that you have created the following ACLs on the WLC.

• NSP-ACL - For native supplicant provisioning
• BLACKHOLE - For restricting access to blacklisted devices
• NSP-ACL-Google - For provisioning Android devices
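The certificate authentication profile, the identity source sequence and the Dot1X authentication rule configured in the procedures above act together on every EAP-TLS authentication. The Python model below is an added example, not Cisco ISE code: the eap-tls rule, matched first, selects the CAP; the CAP takes Subject - Common Name as the principal username; the Dot1X sequence then searches its stores in order, and the "Treat as if the user was not found and proceed to the next store in the sequence" option turns an unreachable store into a skip instead of a failed authentication. The store callables, the session attribute names, the sample user and the simulated outage are assumptions made for this example.

```python
import re

class StoreUnreachable(Exception):
    pass  # raised by a store callable when the identity source cannot be contacted

def subject_common_name(subject_dn):
    """Principal username per the CAP (Subject - Common Name): the CN of a DN such as
    'CN=alice,OU=Employees,O=Example'; a backslash-escaped comma inside a value is kept."""
    for part in re.split(r"(?<!\\),", subject_dn):
        key, _, value = part.strip().partition("=")
        if key.strip().upper() == "CN":
            return value.replace("\\,", ",")
    return None

def search_sequence(username, stores, skip_unreachable=True):
    """Search the identity sources in order until one returns the user's groups.
    skip_unreachable models 'Treat as if the user was not found and proceed to the
    next store in the sequence': an unreachable store is skipped instead of failing."""
    for name, lookup in stores:
        try:
            groups = lookup(username)
        except StoreUnreachable:
            if skip_unreachable:
                continue
            raise
        if groups is not None:
            return name, groups
    return None, None

def select_authentication_rule(session, rules):
    """First match wins; a rule is (name, {attribute: required value}, identity source)."""
    for name, condition, source in rules:
        if all(session.get(attr) == value for attr, value in condition.items()):
            return name, source
    return None, None

# Constructed sample stores and policy; the names and the outage are assumptions.
def internal_users(username):
    return {"alice": ["Employee"]}.get(username)
def active_directory(username):
    raise StoreUnreachable("join point not reachable")  # simulated outage

DOT1X_SEQUENCE = [("AD1", active_directory), ("Internal Users", internal_users)]
RULES = [
    ("eap-tls", {"Network Access:EapAuthentication": "EAP-TLS"}, "CAP -> Dot1X sequence"),
    ("Dot1X", {}, "Internal Users"),  # the default rule, left as is (matches anything here)
]

def authenticate(session, subject_dn):
    """Return (matched rule, store that found the user, the user's groups)."""
    rule, _source = select_authentication_rule(session, RULES)
    if rule != "eap-tls":
        return rule, None, None  # default rule; not certificate-based in this model
    store, groups = search_sequence(subject_common_name(subject_dn), DOT1X_SEQUENCE)
    return rule, store, groups
```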