Cisco Ise 13 User Guide
Procedure

Step 1 Choose Administration > Network Resources > Network Devices.
Step 2 Click Add.
Step 3 Complete all mandatory fields.
Step 4 Check the Authentication Settings check box to configure the RADIUS protocol for authentication.
Step 5 (Optional) Check the SNMP Settings check box to configure the Simple Network Management Protocol for the Profiling service to collect device information.
Step 6 (Optional) Check the Advanced Trustsec Settings check box to configure a Trustsec-enabled device.
Step 7 Click Submit.

Import Network Devices into Cisco ISE

You can import a list of device definitions into a Cisco ISE node using a comma-separated value (CSV) file. You must first update the imported template before you can import network devices into Cisco ISE. You cannot run an import of the same resource type at the same time. For example, you cannot concurrently import network devices from two different import files.

You can download the CSV template from the Admin portal, enter your device definition details in the template, and save it as a CSV file, which you can then import back into Cisco ISE.

While importing devices, you can create new records or update existing records. Cisco ISE displays the summary of the number of devices that are imported and also reports any errors that were found during the import process. When you import devices, you can also define whether you want Cisco ISE to overwrite the existing device definitions with the new definitions or stop the import process when Cisco ISE encounters the first error.

You cannot import network devices that are exported in previous releases of Cisco ISE, as the import templates for these releases are different.

Procedure

Step 1 Choose Administration > Network Resources > Network Devices.
Step 2 Click Import.
Step 3 Click Browse to choose the CSV file from the system that is running the client browser.
Step 4 Check the Overwrite Existing Data with New Data check box.
Step 5 Check the Stop Import on First Error check box.
Step 6 Click Import.

Cisco Identity Services Engine Administrator Guide, Release 1.3 175 Import Network Devices into Cisco ISE
Export Network Devices from Cisco ISE

You can export network devices configured in Cisco ISE in the form of a CSV file that you can use to import these network devices into another Cisco ISE node.

Procedure

Step 1 Choose Administration > Network Resources > Network Devices.
Step 2 Click Export.
Step 3 To export network devices, you can do one of the following:
• Check the check boxes next to the devices that you want to export, and choose Export > Export Selected.
• Choose Export > Export All to export all the network devices that are defined.
Step 4 Save the export.csv file to your local hard disk.

Network Device Groups

Cisco ISE allows you to create hierarchical Network Device Groups (NDGs). NDGs can be used to logically group network devices based on various criteria, such as geographic location, device type, or the relative place in the network (Access Layer, Data Center, and so on). For example, to organize your network devices based on geographic location, you can group them by continent, region, or country:
• Africa -> Southern -> Namibia
• Africa -> Southern -> South Africa
• Africa -> Southern -> Botswana

You can also group the network devices based on the device type:
• Africa -> Southern -> Botswana -> Firewalls
• Africa -> Southern -> Botswana -> Routers
• Africa -> Southern -> Botswana -> Switches

Network devices can be assigned to one or more hierarchical NDGs. Thus, when Cisco ISE processes the ordered list of configured NDGs to determine the appropriate group to assign to a particular device, it may find that the same device profile applies to multiple Device Groups, and will apply the first Device Group matched.

There is no limit on the maximum number of NDGs that can be created. There is also no restriction on the maximum number of hierarchy levels.

Root Network Device Groups

Cisco ISE includes two predefined root NDGs: All Device Types and All Locations. You cannot edit, duplicate, or delete these predefined NDGs, but you can add new device groups under them.
You can create a root Network Device Group (NDG), and then create child NDGs under the root group in the Network Device Groups page. When you create a new root NDG, you must provide the name and type of the NDG. This information is not required when you create a child under the root NDG.

Network Device Attributes Used By Cisco ISE in Policy Evaluation

When you create a new network device group, a new network device attribute is added to the Device dictionary defined in the system, which you can use in policy definitions. Cisco ISE allows you to configure authentication and authorization policies based on Device dictionary attributes, such as device type, location, model name, and software version that is running on the network device.

Import Network Device Groups into Cisco ISE

You can import network device groups into a Cisco ISE node using a comma-separated value (CSV) file. You cannot run an import of the same resource type at the same time. For example, you cannot concurrently import network device groups from two different import files.

You can download the CSV template from the Admin portal, enter your device group details in the template, and save the template as a CSV file, which you can then import back into Cisco ISE.

While importing device groups, you can create new records or update existing records. When you import device groups, you can also define whether you want Cisco ISE to overwrite the existing device groups with the new groups or stop the import process when Cisco ISE encounters the first error.

Procedure

Step 1 Choose Administration > Network Resources > Network Device Groups > Groups.
Step 2 Click Import.
Step 3 Click Browse to choose the CSV file from the system that is running the client browser.
Step 4 Check the Overwrite Existing Data with New Data check box.
Step 5 Check the Stop Import on First Error check box.
Step 6 Click Import or click the Network Device Groups List link to return to the Network Device Groups list page.

Export Network Device Groups from Cisco ISE

You can export network device groups configured in Cisco ISE in the form of a CSV file that you can use to import these network device groups into another Cisco ISE node.

Procedure

Step 1 Choose Administration > Network Resources > Network Device Groups > Groups.
Step 2 To export the network device groups, you can do one of the following:
• Check the check boxes next to the device groups that you want to export, and choose Export > Export Selected.
• Choose Export > Export All to export all the network device groups that are defined.
Step 3 Save the export.csv file to your local hard disk.

Import Templates in Cisco ISE

Cisco ISE allows you to import a large number of network devices and network device groups using comma-separated value (CSV) files. The template contains a header row that defines the format of the fields. The header row should not be edited, and should be used as is.

By default, you can use the Generate a Template link to download a CSV file in the Microsoft Office Excel application and save the file format locally on your system. When you click the Generate a Template link, the Cisco ISE server displays the Opening template.csv dialog. This dialog allows you to open the template.csv file and save the template.csv file locally on your system with an appropriate name for network devices and network device groups. If you choose to open the template.csv file from the dialog, the file opens in the Microsoft Office Excel application by default.

Network Devices Import Template Format

The following table lists the fields in the template header and provides a description of the fields in the Network Device CSV file.

Table 10: CSV Template Fields and Description for Network Devices

Field: Name:String(32):
Description: (Required) This field is the network device name. It is an alphanumeric string, with a maximum of 32 characters in length.

Field: Description:String(256)
Description: This field is an optional description for the network device. A string, with a maximum of 256 characters in length.

Field: IPAddress:Subnets(a.b.c.d/m|...)
Description: (Required) This field is the IP address and subnet mask of the network device. (It can take on more than one value separated by a pipe "|" symbol.)

Field: ModelName:String(32):
Description: (Required) This field is the network device model name. It is a string, with a maximum of 32 characters in length.

Field: SoftwareVersion:String(32):
Description: (Required) This field is the network device software version. It is a string, with a maximum of 32 characters in length.
Field: NetworkDeviceGroups:String(100):
Description: (Required) This field should be an existing network device group. It can be a subgroup, but must include both the parent and subgroup separated by a space. It is a string, with a maximum of 100 characters, for example, Location#All Location#US

Field: Authentication:Protocol:String(6)
Description: This is an optional field. It is the protocol that you want to use for authentication. The only valid value is RADIUS (not case sensitive).

Field: Authentication:SharedSecret:String(128)
Description: (Required, if you enter a value for the Authentication Protocol field) This field is a string, with a maximum of 128 characters in length.

Field: EnableKeyWrap:Boolean(true|false)
Description: This is an optional field. It is enabled only when it is supported on the network device. Valid value is true or false.

Field: EncryptionKey:String(ascii:16|hexa:32)
Description: (Required, if you enable KeyWrap) Indicates the encryption key that is used for session encryption.
ASCII: 16 characters (bytes) long
Hexadecimal: 32 characters (bytes) long

Field: AuthenticationKey:String(ascii:20|hexa:40)
Description: (Required, if you enable KeyWrap) Indicates the keyed Hashed Message Authentication Code (HMAC) calculation over RADIUS messages.
ASCII: 20 characters (bytes) long
Hexadecimal: 40 characters (bytes) long

Field: InputFormat:String(32)
Description: Indicates the encryption and authentication keys input format. Valid value is ASCII or Hexadecimal.

Field: SNMP:Version:Enumeration(|2c|3)
Description: This is an optional field, used by the Profiler service. It is the version of the SNMP protocol. Valid value is 1, 2c, or 3.

Field: SNMP:ROCommunity:String(32)
Description: (Required, if you enter a value for the SNMP Version field) SNMP Read Only community. It is a string, with a maximum of 32 characters in length.

Field: SNMP:RWCommunity:String(32)
Description: (Required, if you enter a value for the SNMP Version field) SNMP Read Write community. It is a string, with a maximum of 32 characters in length.

Field: SNMP:Username:String(32)
Description: This is an optional field. It is a string, with a maximum of 32 characters in length.
Field: SNMP:SecurityLevel:Enumeration(Auth|No Auth|Priv)
Description: (Required if you choose SNMP version 3) Valid value is Auth, No Auth, or Priv.

Field: SNMP:Authentication Protocol:Enumeration(MD5|SHA)
Description: (Required if you have entered Auth or Priv for the SNMP security level) Valid value is MD5 or SHA.

Field: SNMP:AuthenticationPassword:String(32)
Description: (Required if you have entered Auth for the SNMP security level) It is a string, with a maximum of 32 characters in length.

Field: SNMP:Privacy Protocol:Enumeration(DES|AES128|AES192|AES256|3DES)
Description: (Required if you have entered Priv for the SNMP security level) Valid value is DES, AES128, AES192, AES256, or 3DES.

Field: SNMP:PrivacyPassword:String(32)
Description: (Required if you have entered Priv for the SNMP security level) It is a string, with a maximum of 32 characters in length.

Field: SNMP:PollingInterval:Integer:600-86400 seconds
Description: This is an optional field to set the SNMP polling interval. Valid value is an integer between 600 and 86400.

Field: SNMP:IsLinkTrapQuery:Boolean(true|false)
Description: This is an optional field to enable or disable the SNMP link trap. Valid value is true or false.

Field: SNMP:IsMACTrapQuery:Boolean(true|false)
Description: This is an optional field to enable or disable the SNMP MAC trap. Valid value is true or false.

Field: SNMP:OriginatingPolicyServices Node:String(32)
Description: This is an optional field. Indicates which ISE server is to be used to poll for SNMP data. By default, it is automatic, but you can overwrite the setting by assigning different values.

Field: Trustsec:DeviceId:String(32)
Description: This is an optional field. It is the Trustsec device ID, and is a string, with a maximum of 32 characters in length.

Field: Trustsec:DevicePassword:String(256)
Description: (Required if you have entered a Trustsec device ID) This is the Trustsec device password and is a string, with a maximum of 256 characters in length.

Field: Trustsec:EnvironmentDataDownload Interval:Integer:1-2147040000 seconds
Description: This is an optional field. It is the Trustsec environment data download interval. Valid value is an integer between 1 and 24850.

Field: Trustsec:PeerAuthorizationPolicyDownload Interval:Integer:1-2147040000 seconds
Description: This is an optional field. It is the Trustsec peer authorization policy download interval. Valid value is an integer between 1 and 24850.

Field: Trustsec:Reauthentication Interval:Integer:1-2147040000 seconds
Description: This is an optional field. It is the Trustsec reauthentication interval. Valid value is an integer between 1 and 24850.
Field: Trustsec:SGACLListDownload Interval:Integer:1-2147040000 seconds
Description: This is an optional field. It is the Trustsec SGACL list download interval. Valid value is an integer between 1 and 24850.

Field: Trustsec:IsOtherTrustsecDevices Trusted:Boolean(true|false)
Description: This is an optional field. Indicates whether Trustsec is trusted. Valid value is true or false.

Field: Trustsec:Notify this device about Trustsec configuration changes:String(ENABLE_ALL|DISABLE_ALL)
Description: This is an optional field. Notifies Trustsec configuration changes to the Trustsec device. Valid value is ENABLE_ALL or DISABLE_ALL.

Field: Trustsec:Include this device when deploying Security Group Tag Mapping Updates:Boolean(true|false)
Description: This is an optional field. It is the Trustsec device included on SGT. Valid value is true or false.

Field: Deployment:ExecutionMode Username:String(32)
Description: This is an optional field. It is the user name that has privileges to edit the device configuration. It is a string, with a maximum of 32 characters in length.

Field: Deployment:ExecutionMode Password:String(32)
Description: This is an optional field. It is the device password and is a string, with a maximum of 32 characters in length.

Field: Deployment:EnableModePassword:String(32)
Description: This is an optional field. It is the enable password of the device that would allow you to edit its configuration and is a string, with a maximum of 32 characters in length.

Field: Trustsec:PAC issue date:Date
Description: This is the field that displays the issuing date of the last Trustsec PAC that has been generated by Cisco ISE for the Trustsec device.

Field: Trustsec:PAC expiration date:Date
Description: This is the field that displays the expiration date of the last Trustsec PAC that has been generated by Cisco ISE for the Trustsec device.

Field: Trustsec:PAC issued by:String
Description: This is a field that displays the name of the issuer (a Trustsec administrator) of the last Trustsec PAC that has been generated by Cisco ISE for the Trustsec device. It is a string.

Network Device Groups Import Template Format

The following table lists the fields in the template header and provides a description of the fields in the Network Device Group CSV file.
Table 11: CSV Template Fields and Description for Network Device Groups

Field: Name:String(100):
Description: (Required) This field is the network device group name. It is a string with a maximum of 100 characters in length. The full name of an NDG can have a maximum of 100 characters in length. For example, if you are creating a subgroup India under the parent groups Global > Asia, then the full name of the NDG that you are creating would be Global#Asia#India and this full name cannot exceed 100 characters in length. If the full name of the NDG exceeds 100 characters in length, the NDG creation fails.

Field: Description:String(1024)
Description: This is an optional network device group description. It is a string, with a maximum of 1024 characters in length.

Field: Type:String(64):
Description: (Required) This field is the network device group type. It is a string, with a maximum of 64 characters in length.

Field: IsRoot:Boolean(true|false):
Description: (Required) This is a field that determines if the specific network device group is a root group. Valid value is true or false.

Mobile Device Manager Interoperability with Cisco ISE

Mobile Device Management (MDM) servers secure, monitor, manage, and support mobile devices deployed across mobile operators, service providers, and enterprises. MDM servers act as a policy server that controls the use of some applications on a mobile device (for example, an e-mail application) in the deployed environment. However, the network is the only entity that can provide granular access to endpoints based on ACLs. Cisco ISE queries the MDM servers for the necessary device attributes to create ACLs that provide network access control for those devices.
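The two import templates described above (Table 10 for network devices and Table 11 for network device groups) carry their constraints in two places: the header cell itself encodes the type and limit (String(32), Boolean(true|false), Enumeration(|2c|3), Subnets(a.b.c.d/m|...)), and the field descriptions add cross-field requirements (a shared secret once a protocol is set, KeyWrap keys whose length depends on InputFormat, RO/RW communities once an SNMP version is set, and protocol/password fields that depend on the SNMPv3 security level). The following Python script is an added example, not part of the Cisco guide or of the ISE product: it parses the template header to derive the per-cell checks and applies the cross-field rules from the descriptions, so that a malformed subnet or a missing shared secret is caught locally before the file is uploaded and "Stop Import on First Error" aborts the import. It assumes CamelCase header labels without the line-wrap spaces shown in the table (for example SNMP:AuthenticationProtocol), compares enumeration values case-insensitively, and uses constructed sample rows whose device names, subnets, community strings and secrets are invented.

```python
import csv
import io
import ipaddress
import re

# "Authentication:SharedSecret:String(128)" -> ("Authentication:SharedSecret", "String", "128")
HEADER_RE = re.compile(r"^(?P<label>.+?):(?P<type>String|Subnets|Boolean|Enumeration|Integer|Date)"
                       r"(?:\((?P<detail>[^)]*)\))?")
REQUIRED = {"Name", "IPAddress", "ModelName", "SoftwareVersion", "NetworkDeviceGroups", "Type", "IsRoot"}  # "(Required)" in Tables 10 and 11
KEY_LENGTHS = {"ascii": (16, 20), "hexadecimal": (32, 40)}  # InputFormat -> (EncryptionKey, AuthenticationKey) length
# SNMP v3 dependencies; CamelCase labels are assumed (the guide shows some of them line-wrapped).
SNMPV3_NEEDS = {"auth": ["SNMP:AuthenticationProtocol", "SNMP:AuthenticationPassword"], "no auth": [],
                "priv": ["SNMP:AuthenticationProtocol", "SNMP:PrivacyProtocol", "SNMP:PrivacyPassword"]}

def parse_header(cell):
    if not (m := HEADER_RE.match(cell.strip())):
        raise ValueError(f"unrecognised template header: {cell!r}")
    return m.group("label"), m.group("type"), m.group("detail")

def check_cell(label, ftype, detail, value):
    """Checks derived from the header's own type annotation; empty cells pass here."""
    if value == "":
        return []
    if ftype == "String" and detail and detail.isdigit() and len(value) > int(detail):
        return [f"{label}: longer than {detail} characters"]
    if ftype in ("Boolean", "Enumeration") and value.lower() not in detail.lower().split("|"):
        return [f"{label}: not one of {detail}"]
    errs = []
    if ftype == "Subnets":  # one or more a.b.c.d/m values separated by "|"
        for part in value.split("|"):
            try:
                ipaddress.ip_network(part, strict=False)
            except ValueError:
                errs.append(f"{label}: bad subnet {part!r}")
    return errs

def check_row(row):
    """Cross-field rules taken from the Table 10 field descriptions."""
    g = lambda key: row.get(key, "")
    errs = []
    if g("Authentication:Protocol"):
        if g("Authentication:Protocol").lower() != "radius":
            errs.append("Authentication:Protocol: only RADIUS is valid")
        if not g("Authentication:SharedSecret"):
            errs.append("Authentication:SharedSecret: required when a protocol is set")
    if g("EnableKeyWrap").lower() == "true":
        fmt = g("InputFormat").lower()
        if fmt not in KEY_LENGTHS:
            errs.append("InputFormat: ASCII or Hexadecimal required when KeyWrap is enabled")
        for key, n in zip(("EncryptionKey", "AuthenticationKey"), KEY_LENGTHS.get(fmt, ())):
            if len(g(key)) != n or (fmt == "hexadecimal" and not re.fullmatch(r"[0-9a-fA-F]+", g(key))):
                errs.append(f"{key}: must be {n} {fmt} characters")
    ver = g("SNMP:Version").lower()
    errs += [f"{k}: required when SNMP version is set" for k in ("SNMP:ROCommunity", "SNMP:RWCommunity") if ver and not g(k)]
    if ver == "3":
        level = g("SNMP:SecurityLevel").lower()
        if level not in SNMPV3_NEEDS:
            errs.append("SNMP:SecurityLevel: required for SNMP version 3")
        errs += [f"{k}: required for security level {level}" for k in SNMPV3_NEEDS.get(level, []) if not g(k)]
    return errs

def validate_template(text):
    """Return {row_number: [problems]} for every offending data row (row 1 is the header)."""
    reader = csv.reader(io.StringIO(text))
    header = [parse_header(c) for c in next(reader)]
    problems = {}
    for n, cells in enumerate(reader, start=2):
        cells = [c.strip() for c in cells]
        errs = []
        for (label, ftype, detail), value in zip(header, cells):
            if label in REQUIRED and value == "":
                errs.append(f"{label}: required")
            errs += check_cell(label, ftype, detail, value)
        errs += check_row(dict(zip([h[0] for h in header], cells)))
        if errs:
            problems[n] = errs
    return problems

# Constructed sample CSVs: header cells are the guide's template names, row values are invented.
DEVICE_CSV = ",".join([
    "Name:String(32):", "Description:String(256)", "IPAddress:Subnets(a.b.c.d/m|...)", "ModelName:String(32):",
    "SoftwareVersion:String(32):", "NetworkDeviceGroups:String(100):", "Authentication:Protocol:String(6)",
    "Authentication:SharedSecret:String(128)", "EnableKeyWrap:Boolean(true|false)", "EncryptionKey:String(ascii:16|hexa:32)",
    "AuthenticationKey:String(ascii:20|hexa:40)", "InputFormat:String(32)", "SNMP:Version:Enumeration(|2c|3)",
    "SNMP:ROCommunity:String(32)", "SNMP:RWCommunity:String(32)", "SNMP:SecurityLevel:Enumeration(Auth|No Auth|Priv)",
    "SNMP:AuthenticationProtocol:Enumeration(MD5|SHA)", "SNMP:AuthenticationPassword:String(32)",
]) + "\n" + "\n".join([
    # valid: RADIUS with a shared secret, SNMP v2c with both communities
    "sw-access-01,,10.1.1.0/24|10.1.2.5/32,WS-C3750,15.0,Location#All Locations#US,RADIUS,"
    "example-shared-secret,false,,,,2c,public-ro,private-rw,,,",
    # invalid: name over 32 chars, bad octet, no shared secret, short KeyWrap keys, v3 without communities/credentials
    "this-network-device-name-is-far-too-long,,10.1.300.1/24,WS-C2960,15.2,Location#All Locations#US,"
    "radius,,true,tooshort,tooshort,ASCII,3,,,Auth,,",
]) + "\n"
NDG_CSV = """Name:String(100):,Description:String(1024),Type:String(64):,IsRoot:Boolean(true|false):
Global#Asia#India,Indian sites,Location,false
,,Location,maybe
"""
```

Running validate_template(DEVICE_CSV) reports nothing for row 2 and nine problems for row 3; validate_template(NDG_CSV) flags only the third row (missing Name, non-boolean IsRoot). Because the per-cell checks are read from the header, the same function handles both templates, and any template header that the regex does not recognise raises immediately rather than being silently skipped.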
In this illustration, Cisco ISE is the enforcement point and the MDM policy server is the policy information point. Cisco ISE obtains data from the MDM server to provide a complete solution.

Figure 15: MDM Interoperability with Cisco ISE

The following table lists the components that are used in the MDM setup.

Table 12: Components Used in the MDM Setup

Component: Cisco Identity Services Engine, Release 1.3
Specification: Any of the following: ISE 3315, 3355, 3395, 3415, 3495, or VMware

Component: MDM Server
Specification: -

Component: (Optional) Certificate Authority Server
Specification: As per Microsoft specification (Windows 2008 R2 Enterprise SP2, Windows 2012 R2)

Component: Wireless LAN Controller (WLC)
Specification:
• Hardware: 5500 Series, 2500 Series, WLSM-2
• Software: Unified Wireless Network Software, Release 7.2, WLC 8.1

Component: Mobile Devices
Specification: Devices supported by the MDM vendor. For example, Apple iOS 5.0 and higher, Google Android 3.x and higher.
You can configure Cisco ISE to interoperate with an external Mobile Device Manager (MDM) server. By setting up this type of third-party connection, you can leverage the detailed information available in the MDM database. Cisco ISE uses REST API calls over HTTPS to pull the various pieces of information from the external MDM server. Cisco ISE applies appropriate access control policies to switches, access routers, wireless access points, and other network access points to achieve greater control of remote device access to your Cisco ISE network.

The supported MDM vendors are listed here: Supported MDM Servers, on page 185.

Supported MDM Use Cases

The functions Cisco ISE performs in conjunction with the external MDM server are as follows:
• Facilitating device registration: Unregistered endpoints accessing the network are redirected to a registration page hosted on the MDM server for registration based on user role, device type, and so on.
• Handling device remediation: Endpoints are granted only restricted access.
• Augmenting endpoint data: Update the endpoint database with information from the MDM server that you cannot gather using the Cisco ISE Profiler. Cisco ISE uses six device attributes that you can view using the Administration > Identity Management > Identities > Endpoints page if an endpoint is an MDM monitored device. For example:
  ◦ MDMImei: 990001001608033
  ◦ MDMManufacturer: Apple
  ◦ MDMModel: iPhone
  ◦ MDMOSVersion: iOS 6.0.0
  ◦ MDMPhoneNumber: 9783148806
  ◦ MDMSerialNumber: DNPGQZGUDTF9
• Cisco ISE polls the MDM server once every four hours for device compliance data. This is configurable by the administrator.
• Issuing device instructions through the MDM server: Issues remote actions for users' devices through the MDM server. Administrators initiate remote actions from the ISE console.

Cisco ISE allows you to configure MDM policy based on the following attributes:
• DeviceRegisterStatus
• DeviceCompliantStatus
• DiskEncryptionStatus
• PinLockStatus
• JailBrokenStatus
• Manufacturer
• IMEI
• SerialNumber
• OsVersion