Cisco ISE 1.3 User Guide
Procedure

Step 1  Choose Policy > Policy Elements > Results > Authorization > Authorization Profiles.
Step 2  Click Add to create a new authorization profile.
Step 3  Enter a name for the authorization profile.
Step 4  From the Access Type drop-down list, choose ACCESS_ACCEPT.
Step 5  Click Add to add the authorization profiles for central web authentication, central web authentication for Google Play, native supplicant provisioning, and native supplicant provisioning for Google.
Step 6  Click Save.

What to Do Next
Create Authorization Policy Rules, on page 165

Create Authorization Policy Rules

Cisco ISE evaluates the authorization policy rules and grants the user access to the network resources based on the authorization profile specified in the policy rule. With the default "first matched rule applies" setting, the rules are evaluated from the top and the first rule whose conditions match is the one that is applied, so the order in which you insert the rules matters.

Before You Begin
Ensure that you have created the required authorization profiles.

Procedure

Step 1  Choose Policy > Authorization.
Step 2  Insert additional policy rules above the default rule.
Step 3  Click Save.

CA Service Policy Reference

This section provides reference information for the authorization and client provisioning policy rules that you must create before you can enable the Cisco ISE CA service.

Client Provisioning Policy Rules for Certificate Services

This section lists the client provisioning policy rules that you must create while using the Cisco ISE certificate services. The following table provides the details.

Cisco Identity Services Engine Administrator Guide, Release 1.3 165 Cisco ISE CA Service
Table: Client provisioning policy rules for certificate services (columns: Rule Name, Identity Groups, Operating Systems, Other Conditions, Results)

Rule Name: iOS
  Identity Groups: Any
  Operating Systems: Apple iOS All
  Other Conditions: Condition(s)
  Results: EAP_TLS_INTERNAL (the native supplicant profile that you created earlier). If you are using an external CA, select the native supplicant profile that you have created for the external CA.

Rule Name: Android
  Identity Groups: Any
  Operating Systems: Android
  Other Conditions: Condition(s)
  Results: EAP_TLS_INTERNAL (the native supplicant profile that you created earlier). If you are using an external CA, select the native supplicant profile that you have created for the external CA.

Rule Name: MACOSX
  Identity Groups: Any
  Operating Systems: MAC OS X
  Other Conditions: Condition(s)
  Results: Under the Native Supplicant Configuration, specify the following:
    1 Config Wizard: Select the MAC OS X supplicant wizard that you downloaded from the Cisco site.
    2 Wizard Profile: Choose the EAP_TLS_INTERNAL native supplicant profile that you created earlier. If you are using an external CA, select the native supplicant profile that you have created for the external CA.

Authorization Profiles for Certificate Services

This section lists the authorization profiles that you must create for enabling certificate-based authentication in Cisco ISE. You must have already created the ACLs (NSP-ACL and NSP-ACL-Google) on the wireless LAN controller (WLC).

• CWA - This profile is for devices that go through the central web authentication flow. Check the Web Authentication check box, choose Centralized from the drop-down list, and enter NSP-ACL in the ACL text box.
• CWA_GooglePlay - This profile is for Android devices that go through the central web authentication flow. This profile enables Android devices to access the Google Play Store and download the Cisco Network Setup Assistant. Check the Web Authentication check box, choose Centralized from the drop-down list, and enter NSP-ACL-Google in the ACL text box.
• NSP - This profile is for non-Android devices that go through the supplicant provisioning flow. Check the Web Authentication check box, choose Supplicant Provisioning from the drop-down list, and enter NSP-ACL in the ACL text box.
• NSP-Google - This profile is for Android devices that go through the supplicant provisioning flow. Check the Web Authentication check box, choose Supplicant Provisioning from the drop-down list, and enter NSP-ACL-Google in the ACL text box.

Review the default Blackhole_Wireless_Access authorization profile. The Advanced Attributes Settings should be:
• Cisco:cisco-av-pair = url-redirect=https://ip:port/blacklistportal/gateway?portal=PortalID
• Cisco:cisco-av-pair = url-redirect-acl=BLACKHOLE

Authorization Policy Rules for Certificate Services

This section lists the authorization policy rules that you must create while enabling the Cisco ISE CA service.

• CorporateAssets - This rule is for corporate devices that connect to the corporate wireless SSID using 802.1X and the MSCHAPv2 protocol.
• Android_SingleSSID - This rule is for Android devices that access the Google Play Store to download the Cisco Network Setup Assistant for provisioning. This rule is specific to the single SSID setup.
• Android_DualSSID - This rule is for Android devices that access the Google Play Store to download the Cisco Network Setup Assistant for provisioning. This rule is specific to the dual SSID setup.
• CWA - This rule is for devices that go through the central web authentication flow.
• NSP - This rule is for devices that go through the native supplicant provisioning flow using a certificate for EAP-TLS authentication.
• EAP-TLS - This rule is for devices that have completed the supplicant provisioning flow and are provisioned with a certificate. They will be given access to the network.

The following table lists the attributes and values that you must choose while configuring authorization policy rules for the Cisco ISE CA service. This example assumes that you have the corresponding authorization profiles configured in Cisco ISE as well.
Table: Authorization policy rules for certificate services (columns: Rule Name, Conditions, Permissions)

Rule Name: CorporateAssets
  Conditions: Corp_Assets AND (Wireless 802.1X AND Network Access:AuthenticationMethod EQUALS MSCHAPV2)
  Permissions (authorization profiles to be applied): PermitAccess

Rule Name: Android_SingleSSID
  Conditions: (Wireless 802.1X AND Network Access:AuthenticationMethod EQUALS MSCHAPV2 AND Session:Device-OS EQUALS Android)
  Permissions (authorization profiles to be applied): NSP_Google

Rule Name: Android_DualSSID
  Conditions: (Wireless_MAB AND Session:Device-OS EQUALS Android)
  Permissions (authorization profiles to be applied): CWA_GooglePlay

Rule Name: CWA
  Conditions: Wireless_MAB
  Permissions (authorization profiles to be applied): CWA

Rule Name: NSP
  Conditions: (Wireless 802.1X AND Network Access:AuthenticationMethod EQUALS MSCHAPV2)
  Permissions (authorization profiles to be applied): NSP

Rule Name: EAP-TLS
  Conditions: (Wireless 802.1X AND Network Access:AuthenticationMethod EQUALS x509_PKI)
  Permissions (authorization profiles to be applied): PermitAccess

Note that several of these rules share conditions (for example, CorporateAssets and NSP both match Wireless 802.1X with MSCHAPV2, and Android_SingleSSID is a narrower form of the same match). Because the first matching rule is applied, the more specific rules must sit above the general ones.

Revoke an Endpoint Certificate

If you need to revoke a certificate issued to an employee's personal device, you can revoke it from the Endpoint Certificates page. For example, if an employee's device has been stolen or lost, you can log in to the Cisco ISE Admin portal and revoke the certificate issued to that device from the Endpoint Certificates page. You can filter the data on this page based on the Friendly Name, Device Unique Id, or Serial Number. If a PSN (sub CA) is compromised, you can revoke all certificates issued by that PSN by filtering on the Issued By field from the Endpoint Certificates page.

Procedure

Step 1  Choose Administration > System > CA Service > Endpoint Certificates.
Step 2  Check the check box next to the endpoint certificate that you want to revoke and click Revoke. You can search for the certificate based on the Friendly Name and Device Type.
Step 3  Enter the reason for revoking the certificate.
Step 4  Click Yes.

OCSP Services

The Online Certificate Status Protocol (OCSP) is a protocol that is used for checking the status of X.509 digital certificates. This protocol is an alternative to the Certificate Revocation List (CRL) and addresses some of the problems of handling CRLs, such as their size and the delay before a revocation appears in a published list.

Cisco ISE has the capability to communicate with OCSP servers over HTTP to validate the status of certificates in authentications. The OCSP configuration is configured in a reusable configuration object that can be referenced from any certificate authority (CA) certificate that is configured in Cisco ISE.

You can configure CRL and/or OCSP verification per CA. If both are selected, then Cisco ISE first performs verification over OCSP. If a communication problem is detected with both the primary and secondary OCSP servers, or if an unknown status is returned for a given certificate, Cisco ISE switches to checking the CRL.
Cisco ISE CA Service Online Certificate Status Protocol Responder

The Cisco ISE CA OCSP responder is a server that communicates with OCSP clients. The OCSP clients for the Cisco ISE CA include the internal Cisco ISE OCSP client and OCSP clients on the Adaptive Security Appliance (ASA). The OCSP clients should communicate with the OCSP responder using the OCSP request/response structure defined in RFC 2560 and RFC 5019.

The Cisco ISE CA issues a certificate to the OCSP responder. The OCSP responder listens on port 2560 for any incoming requests. This port is configured to allow only OCSP traffic.

The OCSP responder accepts a request that follows the structure defined in RFC 2560 and RFC 5019. The nonce extension is supported in the OCSP request. The OCSP responder obtains the status of the certificate, creates an OCSP response, and signs it. The OCSP response is not cached on the OCSP responder, although you can cache the OCSP response on the client for a maximum period of 24 hours. The OCSP client should validate the signature in the OCSP response.

The self-signed CA certificate (or the intermediate CA certificate, if ISE acts as an intermediate CA of an external CA) on the PAN issues the OCSP responder certificate. This CA certificate on the PAN issues the OCSP certificates on the PAN and PSNs. This self-signed CA certificate is also the root certificate for the entire deployment. All the OCSP certificates across the deployment are placed in the Trusted Certificates Store for ISE to validate any response signed using these certificates.

OCSP Certificate Status Values

OCSP services return the following values for a given certificate request:
• Good—Indicates a positive response to the status inquiry. It means that the certificate is not revoked, and the state is good only until the next time interval (time to live) value.
• Revoked—The certificate was revoked.
• Unknown—The certificate status is unknown. The OCSP service returns this value if the certificate was not issued by the CA of this OCSP responder.
• Error—No response was received for the OCSP request.

OCSP High Availability

Cisco ISE has the capability to configure up to two OCSP servers per CA, and they are called the primary and secondary OCSP servers. Each OCSP server configuration contains the following parameters:
• URL—The OCSP server URL.
• Nonce—A random number that is sent in the request. This option ensures that old communications cannot be reused in replay attacks.
• Validate response—Cisco ISE validates the response signature that is received from the OCSP server.
In case of a timeout (which is 5 seconds) when Cisco ISE communicates with the primary OCSP server, it switches to the secondary OCSP server.

Cisco ISE uses the secondary OCSP server for a configurable amount of time before attempting to use the primary server again.

OCSP Failures

The three general OCSP failure scenarios are as follows:
• Failed OCSP cache or OCSP client side (Cisco ISE) failures.
• Failed OCSP responder scenarios, for example:
  The first (primary) OCSP responder not responding, and the secondary OCSP responder responding to the Cisco ISE OCSP request.
  Errors or responses not received for Cisco ISE OCSP requests.
  An OCSP responder may not provide a response to the Cisco ISE OCSP request, or it may return an OCSPResponseStatus other than successful. OCSPResponseStatus values can be as follows:
  ◦ tryLater
  ◦ signRequired
  ◦ unauthorized
  ◦ internalError
  ◦ malformedRequest
  There are many date-time checks, signature validity checks, and so on, in the OCSP request. For more details, refer to RFC 2560, X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP, which describes all the possible states, including the error states.
• Failed OCSP reports

Add OCSP Client Profiles

You can use the OCSP Client Profile page to add new OCSP client profiles to Cisco ISE.

Before You Begin
If the Certificate Authority (CA) is running the OCSP service on a nonstandard port (other than 80 or 443), you must configure ACLs on the switch to allow for communication between Cisco ISE and the CA on that port. For example:
permit tcp eq

Procedure

Step 1  Choose Administration > System > Certificates > Certificate Management > OCSP Client Profile.
Step 2  Enter the values to add an OCSP Client Profile.
Step 3  Click Submit.

OCSP Statistics Counters

Cisco ISE uses OCSP counters to log and monitor the data and health of the OCSP servers. Logging occurs every five minutes. Cisco ISE sends a syslog message to the Monitoring node and it is preserved in the local store. The local store contains data from the previous five minutes. After Cisco ISE sends the syslog message, the counters are recalculated for the next interval. This means that after five minutes, a new five-minute window interval starts again.

The following table lists the OCSP syslog messages and their descriptions.
Table 9: OCSP Syslog Messages (Message: Description)

OCSPPrimaryNotResponsiveCount: The number of nonresponsive primary requests
OCSPSecondaryNotResponsiveCount: The number of nonresponsive secondary requests
OCSPPrimaryCertsGoodCount: The number of 'good' statuses that are returned for a given CA using the primary OCSP server
OCSPSecondaryCertsGoodCount: The number of 'good' statuses that are returned for a given CA using the secondary OCSP server
OCSPPrimaryCertsRevokedCount: The number of 'revoked' statuses that are returned for a given CA using the primary OCSP server
OCSPSecondaryCertsRevokedCount: The number of 'revoked' statuses that are returned for a given CA using the secondary OCSP server
OCSPPrimaryCertsUnknownCount: The number of 'Unknown' statuses that are returned for a given CA using the primary OCSP server
OCSPSecondaryCertsUnknownCount: The number of 'Unknown' statuses that are returned for a given CA using the secondary OCSP server
OCSPPrimaryCertsFoundCount: The number of certificates that were found in cache from a primary origin
OCSPSecondaryCertsFoundCount: The number of certificates that were found in cache from a secondary origin
ClearCacheInvokedCount: How many times clear cache was triggered since the interval
OCSPCertsCleanedUpCount: How many cached entries were cleaned since the interval
NumOfCertsFoundInCache: Number of the fulfilled requests from the cache
OCSPCacheCertsCount: Number of certificates that were found in the OCSP cache
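The OCSP behaviour described in the sections above (primary/secondary failover on the 5-second timeout, the hold-down on the secondary, the fall-back to the CRL on a communication failure with both responders or on an Unknown status, the nonce and response-validation options, and the per-interval counters) is worth seeing as one decision procedure. The following Python is an added example written for this page; it is not Cisco ISE code and does not talk to a real responder. The responders, the CRL, the clock, the 300-second hold-down value and the choice to treat a replayed or badly signed response exactly like no response are all constructed or assumed, as marked in the comments.

```python
"""OCSP failover, CRL fallback and per-interval counters, modelled on the guide.

Added example, not Cisco ISE code. Responders, CRL, clock and the hold-down
period are constructed or assumed so that the whole thing runs offline.
"""
import os
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, Optional, Tuple

OCSP_TIMEOUT_S = 5.0      # primary-responder timeout stated in the guide
SECONDARY_HOLD_S = 300.0  # assumed value for the "configurable amount of time"


class Status(Enum):
    GOOD = "Good"
    REVOKED = "Revoked"
    UNKNOWN = "Unknown"   # certificate was not issued by this responder's CA
    ERROR = "Error"       # no usable response


# Stand-in for the HTTP exchange: (serial, nonce) -> (status, seconds taken, echoed nonce, signature ok)
QueryFn = Callable[[str, bytes], Tuple[Status, float, bytes, bool]]


@dataclass
class OcspServer:
    url: str
    query: QueryFn
    nonce: bool = True              # "Nonce" option: send one and require it echoed back
    validate_response: bool = True  # "Validate response" option


@dataclass
class CaRevocationConfig:
    primary: OcspServer
    secondary: Optional[OcspServer]
    crl_revoked: frozenset          # serial numbers listed in the CA's CRL
    use_ocsp: bool = True
    use_crl: bool = True


@dataclass
class RevocationChecker:
    cfg: CaRevocationConfig
    now: Callable[[], float]
    counters: Dict[str, int] = field(default_factory=dict)  # current five-minute interval
    secondary_until: float = 0.0

    def _bump(self, key: str) -> None:
        self.counters[key] = self.counters.get(key, 0) + 1

    def _ask(self, role: str, server: OcspServer, serial: str) -> Status:
        nonce = os.urandom(16) if server.nonce else b""
        status, took, echoed, sig_ok = server.query(serial, nonce)
        # Assumption: a replayed (wrong-nonce) or badly signed response counts as
        # no response at all, so it can never produce a "good" verdict.
        bad = (status is Status.ERROR or took > OCSP_TIMEOUT_S
               or (server.nonce and echoed != nonce)
               or (server.validate_response and not sig_ok))
        if bad:
            self._bump(f"OCSP{role}NotResponsiveCount")
            return Status.ERROR
        self._bump(f"OCSP{role}Certs{status.value}Count")  # ...CertsGood/Revoked/UnknownCount
        return status

    def check(self, serial: str) -> Tuple[Status, str]:
        """Return (status, source); source is 'primary', 'secondary', 'crl' or 'none'."""
        cfg = self.cfg
        if cfg.use_ocsp:
            order = [("Primary", cfg.primary)]
            if cfg.secondary is not None:
                order.append(("Secondary", cfg.secondary))
                if self.now() < self.secondary_until:  # inside the hold-down after a primary timeout
                    order.reverse()                     # assumption: secondary first, primary as backup
            for role, server in order:
                status = self._ask(role, server, serial)
                if status is Status.ERROR:
                    if role == "Primary" and cfg.secondary is not None:
                        self.secondary_until = self.now() + SECONDARY_HOLD_S
                    continue                            # try the other responder
                if status is Status.UNKNOWN:
                    break                               # guide: unknown -> consult the CRL
                return status, role.lower()
        if cfg.use_crl:                                 # both responders failed, or unknown
            return (Status.REVOKED if serial in cfg.crl_revoked else Status.GOOD), "crl"
        return Status.ERROR, "none"

    def flush_interval(self) -> Dict[str, int]:
        """Hand back and reset the counters, as ISE logs them every five minutes."""
        out, self.counters = self.counters, {}
        return out


def make_responder(issued: Dict[str, Status], seconds: float = 0.2, replay: bool = False) -> QueryFn:
    """Constructed stand-in responder; replay=True echoes a stale nonce."""
    def query(serial: str, nonce: bytes):
        return issued.get(serial, Status.UNKNOWN), seconds, (b"stale" if replay else nonce), True
    return query


def demo() -> dict:
    issued = {"01": Status.GOOD, "02": Status.REVOKED}   # constructed CA database
    clock = [0.0]
    cfg = CaRevocationConfig(
        primary=OcspServer("http://ocsp1.example.test/ocsp", make_responder(issued, seconds=6.0)),
        secondary=OcspServer("http://ocsp2.example.test/ocsp", make_responder(issued)),
        crl_revoked=frozenset({"02", "99"}))
    chk = RevocationChecker(cfg, now=lambda: clock[0])
    out = {"good": chk.check("01")}             # primary times out -> secondary answers
    out["revoked_sticky"] = chk.check("02")     # hold-down: secondary asked first, primary left alone
    clock[0] += SECONDARY_HOLD_S + 1
    out["after_hold"] = chk.check("01")         # primary retried (times out again), secondary answers
    out["unknown_to_crl"] = chk.check("99")     # not issued by this CA -> the CRL decides
    out["counters"] = chk.flush_interval()
    return out


def replay_demo() -> Tuple[Status, str]:
    """A lone responder replaying a stale nonce is not trusted; the CRL decides instead."""
    cfg = CaRevocationConfig(
        primary=OcspServer("http://ocsp1.example.test/ocsp", make_responder({"01": Status.GOOD}, replay=True)),
        secondary=None, crl_revoked=frozenset())
    return RevocationChecker(cfg, now=lambda: 0.0).check("01")
```

Two points the walk-through makes that the prose does not spell out: an Unknown answer from a responder does not trigger the secondary, it goes straight to the CRL; and with the nonce option enabled a replayed response is refused even though it carries a valid signature, so a CA with OCSP only and no CRL ends in an Error verdict rather than a silent Good.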
CHAPTER 9

Manage Network Devices

• Network Devices Definitions in Cisco ISE, page 173
• Default Network Device Definition in Cisco ISE, page 174
• Create a Network Device Definition in Cisco ISE, page 174
• Import Network Devices into Cisco ISE, page 175
• Export Network Devices from Cisco ISE, page 176
• Network Device Groups, page 176
• Import Network Device Groups into Cisco ISE, page 177
• Export Network Device Groups from Cisco ISE, page 177
• Import Templates in Cisco ISE, page 178
• Mobile Device Manager Interoperability with Cisco ISE, page 182
• Set Up MDM Servers With Cisco ISE, page 187

Network Devices Definitions in Cisco ISE

A network device such as a switch or a router is an authentication, authorization, and accounting (AAA) client through which AAA service requests are sent to Cisco ISE. You must define network devices for Cisco ISE to interact with the network devices. You can configure network devices for RADIUS AAA, for Simple Network Management Protocol (SNMP) so that the Profiling service can collect Cisco Discovery Protocol and Link Layer Discovery Protocol attributes for profiling endpoints, and for TrustSec attributes on TrustSec devices. A network device that is not defined in Cisco ISE cannot receive AAA services from Cisco ISE.

In the network device definition:

• You can configure the RADIUS protocol for RADIUS authentications. When Cisco ISE receives a RADIUS request from a network device, it looks for the corresponding device definition to retrieve the shared secret that is configured. If it finds the device definition, it obtains the shared secret configured for that device and uses it to validate the request. (The secret itself is never carried in the RADIUS packet; it keys the request's authenticator and password hiding, so a request built with a different secret fails validation.) If the request validates, the RADIUS server processes it further based upon the policy and configuration. If it does not, a reject response is sent to the network device, and a failed authentication report is generated, which provides the failure reason.
• You can configure the Simple Network Management Protocol (SNMP) in the network device definition for the Profiling service to communicate with the network devices and profile endpoints that are connected to the network devices.
• You must define TrustSec-enabled devices in Cisco ISE to process requests from TrustSec-enabled devices that can be part of the Cisco TrustSec solution. Any switch that supports the TrustSec solution is a TrustSec-enabled device.
  TrustSec devices do not use the IP address. Instead, you must define other settings so that TrustSec devices can communicate with Cisco ISE.
  TrustSec-enabled devices use the TrustSec attributes to communicate with Cisco ISE. TrustSec-enabled devices, such as the Nexus 7000 series switches, Catalyst 6000 series switches, Catalyst 4000 series switches, and Catalyst 3000 series switches, are authenticated using the TrustSec attributes that you define while adding TrustSec devices.

Default Network Device Definition in Cisco ISE

Cisco ISE supports the default device definition for RADIUS authentications. You can define a default network device that Cisco ISE can use if it does not find a device definition for a particular IP address. This feature enables you to define a default RADIUS shared secret and the level of access for newly provisioned devices.

We recommend that you add the default device definition only for basic RADIUS authentications. For advanced flows, you must add a separate device definition for each network device. Keep in mind that the default definition accepts RADIUS from any source address, so anyone who can reach the PSN's RADIUS ports and knows the default shared secret can send requests as though from a trusted device; use a strong secret and restrict RADIUS reachability to the network devices.

Note: Cisco ISE looks for the corresponding device definition to retrieve the shared secret that is configured in the network device definition when it receives a RADIUS request from a network device.

Cisco ISE performs the following procedure when a RADIUS request is received:
1 Looks for a specific IP address that matches the one in the request.
2 Looks up the ranges to see if the IP address in the request falls within the range that is specified.
3 If both step 1 and step 2 fail, it uses the default device definition (if defined) to process the request.
Cisco ISE obtains the shared secret that is configured in the device definition for that device and uses it to validate the RADIUS request. If no device definition is found, Cisco ISE obtains the shared secret from the default network device definition and processes the RADIUS request.

Create a Network Device Definition in Cisco ISE

You can create a network device definition in Cisco ISE, and use the default network device definition when there is no network device definition in Cisco ISE.
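The lookup order under Default Network Device Definition above (exact IP, then IP range, then the default device if one is defined) and the shared-secret validation that follows it, as an added Python example written for this page. It is not Cisco ISE code: the devices, secrets and RADIUS packets are constructed, ranges are written as CIDR blocks and the most specific range is assumed to win, and the example validates the secret through the Message-Authenticator attribute (RFC 2869 HMAC-MD5 over the packet with that attribute zeroed), which EAP requests such as 802.1X must carry; a request without it is rejected here by choice.

```python
"""Network device lookup and RADIUS request validation, modelled on the guide.

Added example, not Cisco ISE code. Three-step lookup (exact IP, IP range,
default device), then Message-Authenticator validation with the secret found.
Devices, secrets and packets are constructed; ranges are CIDR for this example.
"""
import hashlib
import hmac
import ipaddress
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_NAS_IP_ADDRESS, ATTR_MESSAGE_AUTHENTICATOR = 1, 4, 80


@dataclass(frozen=True)
class NetworkDevice:
    name: str
    secret: bytes
    ip: Optional[str] = None   # exact IP ("10.1.1.10") or range ("10.2.0.0/16"); None for the default device


class NetworkDeviceStore:
    def __init__(self, devices: List[NetworkDevice], default: Optional[NetworkDevice] = None):
        self.exact: Dict[ipaddress.IPv4Address, NetworkDevice] = {}
        self.ranges: List[Tuple[ipaddress.IPv4Network, NetworkDevice]] = []
        for dev in devices:
            net = ipaddress.ip_network(dev.ip, strict=False)
            if net.num_addresses == 1:
                self.exact[net.network_address] = dev
            else:
                self.ranges.append((net, dev))
        self.ranges.sort(key=lambda item: -item[0].prefixlen)  # assumption: most specific range wins
        self.default = default

    def lookup(self, src_ip: str) -> Optional[NetworkDevice]:
        addr = ipaddress.ip_address(src_ip)
        if addr in self.exact:                  # step 1: exact IP match
            return self.exact[addr]
        for net, dev in self.ranges:            # step 2: range match
            if addr in net:
                return dev
        return self.default                     # step 3: default device, if one is defined


def build_access_request(ident: int, authenticator: bytes, attrs: List[Tuple[int, bytes]],
                         secret: bytes) -> bytes:
    """Constructed Access-Request carrying a correct Message-Authenticator for `secret`."""
    body = b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)
    body += struct.pack("!BB", ATTR_MESSAGE_AUTHENTICATOR, 18) + bytes(16)  # zeroed placeholder
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator + body
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()


def _message_authenticator_offset(pkt: bytes) -> Optional[int]:
    """Walk the attribute list; return the offset of the Message-Authenticator value."""
    pos = 20
    while pos + 2 <= len(pkt):
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > len(pkt):
            return None                          # malformed attribute, stop parsing
        if atype == ATTR_MESSAGE_AUTHENTICATOR and alen == 18:
            return pos + 2
        pos += alen
    return None


def authenticate_request(store: NetworkDeviceStore, src_ip: str, pkt: bytes) -> Tuple[bool, str, Optional[str]]:
    """Return (accepted, reason, device name) for a RADIUS packet received from src_ip."""
    dev = store.lookup(src_ip)
    if dev is None:
        return False, "no network device definition for source IP", None
    if len(pkt) < 20 or pkt[0] != ACCESS_REQUEST or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        return False, "malformed RADIUS packet", dev.name
    off = _message_authenticator_offset(pkt)
    if off is None:   # this example insists on the attribute, as EAP requests must carry it (RFC 3579)
        return False, "Message-Authenticator missing", dev.name
    zeroed = pkt[:off] + bytes(16) + pkt[off + 16:]
    expected = hmac.new(dev.secret, zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(expected, pkt[off:off + 16]):
        return False, "shared secret mismatch (invalid Message-Authenticator)", dev.name
    return True, "ok", dev.name


def demo() -> Dict[str, Tuple[bool, str, Optional[str]]]:
    store = NetworkDeviceStore(
        devices=[NetworkDevice("wlc-1", b"wlc-secret", "10.1.1.10"),
                 NetworkDevice("access-switches", b"switch-secret", "10.2.0.0/16")],
        default=NetworkDevice("default-device", b"default-secret"))
    auth = bytes(range(16))                                   # constructed Request Authenticator
    attrs = [(ATTR_USER_NAME, b"alice"), (ATTR_NAS_IP_ADDRESS, bytes([10, 2, 5, 7]))]

    def req(ident: int, secret: bytes) -> bytes:
        return build_access_request(ident, auth, attrs, secret)

    return {
        "exact": authenticate_request(store, "10.1.1.10", req(1, b"wlc-secret")),
        "range": authenticate_request(store, "10.2.5.7", req(2, b"switch-secret")),
        "range_wrong_secret": authenticate_request(store, "10.2.5.7", req(3, b"wrong-secret")),
        "default": authenticate_request(store, "192.0.2.9", req(4, b"default-secret")),
        "no_default": authenticate_request(NetworkDeviceStore([]), "192.0.2.9", req(5, b"default-secret")),
    }
```

The "no_default" case is the one the guide's step 3 hinges on: without a default device definition, a request from an unknown source address is refused before any secret is consulted, whereas with one defined the same request is accepted as long as it was built with the default secret. That is why the guide limits the default definition to basic RADIUS authentications.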