Cisco ISE 1.3 User Guide
• Ensure that you have created the MDM server definition in Cisco ISE. Only after you successfully integrate ISE with the MDM server, the MDM dictionary gets populated and you can create authorization policy using the MDM dictionary attributes.
• Configure ACLs on the Wireless LAN Controller for redirecting unregistered or noncompliant devices.

Procedure

Step 1 Choose Policy > Authorization > Insert New Rule Below.
Step 2 Choose Policy > Policy Sets, and expand the policy set to view the authorization policy rules.
Step 3 Add the following rules:
• MDM_Un_Registered_Non_Compliant — For devices that are not yet registered with an MDM server or compliant with MDM policies. Once a request matches this rule, the ISE MDM page appears with information on registering the device with MDM.
• PERMIT — If the device is registered with Cisco ISE, registered with MDM, and is compliant with Cisco ISE and MDM policies, it will be granted access to the network based on the access control policies configured in Cisco ISE.
The following illustration shows an example of this configuration.
Figure 19: Authorization Policy Rules for the MDM Use Cases
Step 4 Click Save.

Wipe or Lock a Device

Cisco ISE allows you to wipe or turn on PIN lock for a device that is lost. You can do this from the Endpoints page.

Procedure

Step 1 Choose Administration > Identity Management > Identities > Endpoints.
Step 2 Check the check box next to the device that you want to wipe or lock.
Step 3 From the MDM Access drop-down list, choose any one of the following options:
• Full Wipe — Depending on the MDM vendor, this option either removes the corporate apps or resets the device to the factory settings.
• Corporate Wipe — Removes applications that you have configured in the MDM server policies.

Cisco Identity Services Engine Administrator Guide, Release 1.3 195 Set Up MDM Servers With Cisco ISE
• PIN Lock — Locks the device.
Step 4 Click Yes to wipe or lock the device.

View Mobile Device Manager Reports

Cisco ISE records all additions, updates, and deletions of MDM server definitions. You can view these events in the "Change Configuration Audit" report, which provides all the configuration changes from any system administrator for a selected time period.
Choose Operations > Reports > Change Configuration Audit > MDM, and specify the period of time to display in the resulting report.

View Mobile Device Manager Logs

You can use the Message Catalog page to view Mobile Device Manager log messages. Choose Administration > System > Logging > Message Catalog. The default reporting level for MDM log entries is "INFO." You can change the reporting level to "DEBUG" or "TRACE."
CHAPTER 10
Manage Resources

• Dictionaries and Dictionary Attributes, page 197
• RADIUS-Vendor Dictionaries, page 199

Dictionaries and Dictionary Attributes

Dictionaries are domain-specific catalogs of attributes and allowed values that can be used to define access policies for a domain. An individual dictionary is a homogeneous collection of a single attribute type. Attributes that are defined in a dictionary have the same attribute type, and the type indicates the source or context of a given attribute.
Attribute types can be one of the following:
• MSG_ATTR
• ENTITY_ATTR
• PIP_ATTR
In addition to attributes and allowed values, a dictionary contains information about the attributes such as the name and description, data type, and the default values. An attribute can have one of the following data types: BOOLEAN, FLOAT, INTEGER, IPv4, OCTET_STRING, STRING, UINT32, and UINT64.
Cisco ISE creates system dictionaries during installation and allows you to create user dictionaries.

System Defined Dictionaries and Dictionary Attributes

Cisco ISE creates system dictionaries during installation that you can find in the System Dictionaries page. System-defined dictionary attributes are read-only attributes. Because of their nature, you can only view existing system-defined dictionaries. You cannot create, edit, or delete system-defined values or any attributes in a system dictionary.
A system-defined dictionary attribute is displayed with the descriptive name of the attribute, an internal name as understood by the domain, and allowed values.
Cisco ISE also creates dictionary defaults for the IETF RADIUS set of attributes, which are defined by the Internet Engineering Task Force (IETF) and are also a part of the system-defined dictionaries. You can edit all free IETF RADIUS attribute fields except the ID.
Display System Dictionaries and Dictionary Attributes

You cannot create, edit, or delete any system-defined attribute in a system dictionary. You can only view system-defined attributes. You can perform a quick search that is based on a dictionary name and description, or an advanced search that is based on a search rule that you define.

Procedure

Step 1 Choose Policy > Policy Elements > Dictionaries > System.
Step 2 Choose a system dictionary in the System Dictionaries page, and click View.
Step 3 Click Dictionary Attributes.
Step 4 Choose a system dictionary attribute from the list, and click View.
Step 5 Click the Dictionaries link to return to the System Dictionaries page.

User-Defined Dictionaries and Dictionary Attributes

Cisco ISE displays the user-defined dictionaries that you create in the User Dictionaries page. You cannot modify the values for Dictionary Name or Dictionary Type for an existing user dictionary once it is created and saved in the system.
You can do the following in the User Dictionaries page:
• Edit and delete user dictionaries.
• Search user dictionaries based on name and description.
• Add, edit, and delete user-defined dictionary attributes in the user dictionaries.
• Add or remove allowed values for dictionary attributes.

Create User-Defined Dictionaries

You can create, edit, or delete user-defined dictionaries.

Procedure

Step 1 Choose Policy > Policy Elements > Dictionaries > User.
Step 2 Click Add.
Step 3 Enter the name for the user dictionary, an optional description, and a version for the user dictionary.
Step 4 Choose the attribute type from the Dictionary Attribute Type drop-down list.
Step 5 Click Submit.
Create User-Defined Dictionary Attributes

You can add, edit, and delete user-defined dictionary attributes in user dictionaries, as well as add or remove allowed values for the dictionary attributes.

Procedure

Step 1 Choose Policy > Policy Elements > Dictionaries > User.
Step 2 Choose a user dictionary from the User Dictionaries page, and click Edit.
Step 3 Click Dictionary Attributes.
Step 4 Click Add.
Step 5 Enter the attribute name, an optional description, and an internal name for the dictionary attribute.
Step 6 Choose a data type from the Data Type drop-down list.
Step 7 Click Add to configure the name and allowed value, and set the default status in the Allowed Values table.
Step 8 Click Submit.

RADIUS-Vendor Dictionaries

Cisco ISE allows you to define a set of RADIUS-vendor dictionaries, and define a set of attributes for each one. Each vendor definition in the list contains the vendor name, the vendor ID, and a brief description.
Cisco ISE provides you the following RADIUS-vendor dictionaries by default:
• Airespace
• Cisco
• Cisco-BBSM
• Cisco-VPN3000
• Microsoft
The RADIUS protocol supports these vendor dictionaries, and the vendor-specific attributes that can be used in authorization profiles and in policy conditions.

Create RADIUS-Vendor Dictionaries

You can also create, edit, delete, export, and import RADIUS-vendor dictionaries.
Procedure

Step 1 Choose Policy > Policy Elements > Dictionaries > System > Radius > Radius Vendors.
Step 2 Click Add.
Step 3 Enter a name for the RADIUS-vendor dictionary, an optional description, and the vendor ID as approved by the Internet Assigned Numbers Authority (IANA) for the RADIUS vendor.
Step 4 Choose the number of bytes taken from the attribute value to specify the attribute type from the Vendor Attribute Type Field Length drop-down list. Valid values are 1, 2, and 4. The default value is 1.
Step 5 Choose the number of bytes taken from the attribute value to specify the attribute length from the Vendor Attribute Size Field Length drop-down list. Valid values are 0 and 1. The default value is 1.
Step 6 Click Submit.

Create RADIUS-Vendor Dictionary Attributes

You can create, edit, and delete RADIUS vendor attributes that Cisco ISE supports. Each RADIUS-vendor attribute has a name, data type, description, and direction, which specifies whether it is relevant to requests only, responses only, or both.

Procedure

Step 1 Choose Policy > Policy Elements > Dictionaries > System > Radius > Radius Vendors.
Step 2 Choose a RADIUS-vendor dictionary from the RADIUS vendor dictionaries list, and click Edit.
Step 3 Click Dictionary Attributes, and then click Add.
Step 4 Enter the attribute name for the RADIUS vendor attribute and an optional description.
Step 5 Choose the data type from the Data Type drop-down list.
Step 6 Check the Enable MAC option check box.
Step 7 Choose the direction that applies to RADIUS requests only, RADIUS responses only, or both from the Direction drop-down list.
Step 8 Enter the vendor attribute ID in the ID field.
Step 9 Check the Allow Tagging check box.
Step 10 Check the Allow multiple instances of this attribute in a profile check box.
Step 11 Click Add to add the allowed value for the vendor attribute in the Allowed Values table.
Step 12 Click Submit.
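The Vendor Attribute Type Field Length (1, 2 or 4) and Vendor Attribute Size Field Length (0 or 1) chosen in Steps 4 and 5 above are exactly the widths a decoder needs to take a vendor's attributes apart inside a RADIUS Vendor-Specific attribute (RFC 2865 attribute 26). The Python below is an added example, not Cisco's code: it encodes and decodes such an attribute for given widths, and rejects a vendor-length field that runs past the data. Vendor ID 9 (Cisco) and vendor type 1 (cisco-av-pair) are IANA/Cisco values; the sample value is constructed.

```python
import struct
from typing import List, Tuple

VENDOR_SPECIFIC = 26  # RFC 2865 attribute type that carries vendor attributes

def encode_vsa(vendor_id: int, vendor_type: int, value: bytes,
               type_len: int = 1, size_len: int = 1) -> bytes:
    """Build one Vendor-Specific attribute whose inner vendor-type and
    vendor-length fields use the widths chosen in the ISE vendor dictionary."""
    if type_len not in (1, 2, 4) or size_len not in (0, 1):
        raise ValueError("type_len must be 1, 2 or 4 and size_len 0 or 1")
    inner = vendor_type.to_bytes(type_len, "big")
    if size_len:  # vendor-length covers type + length + value, as in RFC 2865
        inner += (type_len + 1 + len(value)).to_bytes(1, "big")
    inner += value
    body = struct.pack("!I", vendor_id) + inner
    if len(body) + 2 > 255:
        raise ValueError("attribute too long for a single RADIUS attribute")
    return bytes([VENDOR_SPECIFIC, 2 + len(body)]) + body

def decode_vsa(attr: bytes, type_len: int = 1, size_len: int = 1) -> List[Tuple[int, int, bytes]]:
    """Return (vendor_id, vendor_type, value) triples. With a length field,
    several vendor attributes may be packed into one type-26 attribute."""
    if len(attr) < 7 or attr[0] != VENDOR_SPECIFIC or attr[1] != len(attr):
        raise ValueError("not a well-formed Vendor-Specific attribute")
    vendor_id = struct.unpack("!I", attr[2:6])[0]
    inner, out = attr[6:], []
    while inner:
        if len(inner) < type_len + size_len:
            raise ValueError("truncated vendor attribute header")
        vtype = int.from_bytes(inner[:type_len], "big")
        if size_len:
            vlen = inner[type_len]
            # Reject lengths that run past the data or back into the header.
            if vlen < type_len + 1 or vlen > len(inner):
                raise ValueError("vendor length field out of range")
            value, inner = inner[type_len + 1:vlen], inner[vlen:]
        else:  # no length field: the remainder is a single value
            value, inner = inner[type_len:], b""
        out.append((vendor_id, vtype, value))
    return out

# Constructed sample: Cisco (IANA vendor 9) cisco-av-pair (vendor type 1) carrying
# the security-group-tag value quoted in the guide's Response example.
SAMPLE_VSA = encode_vsa(9, 1, b"sga:security-group-tag=0000-00")
```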
CHAPTER 11
Logging Mechanism

• Cisco Logging Mechanism, page 201
• Cisco ISE System Logs, page 202
• Configure Remote Syslog Collection Locations, page 207
• Cisco ISE Message Codes, page 208
• Cisco ISE Message Catalogs, page 209
• Debug Logs, page 209
• Endpoint Debug Log Collector, page 210
• Collection Filters, page 211

Cisco Logging Mechanism

Cisco provides a logging mechanism that is used for auditing, fault management, and troubleshooting. The logging mechanism helps you to identify fault conditions in deployed services and troubleshoot issues efficiently. It also produces logging output from the monitoring and troubleshooting primary node in a consistent fashion.
You can configure a Cisco ISE node to collect the logs in the local systems using a virtual loopback address. To collect logs externally, you configure external syslog servers, which are called targets. Logs are classified into various predefined categories. You can customize logging output by editing the categories with respect to their targets, severity level, and so on.

Note: If the Monitoring node is configured as the syslog server for a network device, ensure that the logging source sends the correct network access server (NAS) IP address in the following format:
sequence_number:NAS_IP_address:timestamp:syslog_type:
Otherwise, this might impact functionalities that depend on the NAS IP address.
Configure Local Log Purge Settings

Use this process to set local log-storage periods and to delete local logs after a certain period of time.

Procedure

Step 1 Choose Administration > System > Logging > Local Log Settings.
Step 2 In the Local Log Storage Period field, enter the maximum number of days to keep the log entries in the configuration source.
Step 3 Click Delete Logs Now to delete the existing log files at any time before the expiration of the storage period.
Step 4 Click Save.

Cisco ISE System Logs

In Cisco ISE, system logs are collected at locations called logging targets. Targets refer to the IP addresses of the servers that collect and store logs. You can generate and store logs locally, or you can use the FTP facility to transfer them to an external server. Cisco ISE has the following default targets, which are dynamically configured in the loopback addresses of the local system:
• LogCollector — Default syslog target for the Log Collector.
• ProfilerRadiusProbe — Default syslog target for the Profiler Radius Probe.
By default, the logging targets for the AAA Diagnostics subcategories and System Diagnostics subcategories are disabled during a fresh Cisco ISE installation or an upgrade to reduce disk space usage. You can configure logging targets manually for these subcategories, but local logging for these subcategories is always enabled.
You can use the default logging targets that are configured locally at the end of the Cisco ISE installation, or you can create external targets to store the logs.

Related Topics
Cisco ISE Message Codes, on page 208

Local Store Syslog Message Format

Log messages are sent to the local store with this syslog message format:
timestamp sequence_num msg_code msg_sev msg_class msg_text attr=value
Field: timestamp
Description: Date of the message generation, according to the local clock of the originating Cisco ISE node, in the following format:
YYYY-MM-DD hh:mm:ss:xxx +/-zh:zm
Possible values are:
• YYYY = Numeric representation of the year.
• MM = Numeric representation of the month. For single-digit months (1 to 9), a zero precedes the number.
• DD = Numeric representation of the day of the month. For single-digit days (1 to 9), a zero precedes the number.
• hh = The hour of the day — 00 to 23.
• mm = The minute of the hour — 00 to 59.
• ss = The second of the minute — 00 to 59.
• xxx = The millisecond of the second — 000 to 999.
• +/-zh:zm = The time zone offset from the Cisco ISE server's time zone, where zh is the number of offset hours and zm is the number of minutes of the offset hour, all of which is preceded by a minus or plus sign to indicate the direction of the offset. For example, +02:00 indicates that the message occurred at the time indicated by the timestamp, and on a Cisco ISE node that is two hours ahead of the Cisco ISE server's time zone.

Field: sequence_num
Description: Global counter of each message. If one message is sent to the local store and the next to the syslog server target, the counter increments by 2. Possible values are 0000000001 to 999999999.

Field: msg_code
Description: Message code as defined in the logging categories.

Field: msg_sev
Description: Message severity level of a log message. See Administration > System > Logging > Logging Categories.
Field: msg_class
Description: Message class, which identifies groups of messages with the same context.

Field: msg_text
Description: English language descriptive text message.

Field: attr=value
Description: Set of attribute-value pairs that provides details about the logged event. A comma (,) separates each pair.
Attribute names are as defined in the Cisco ISE dictionaries.
Values of the Response direction Attributes Set are bundled into one attribute called Response and are enclosed in curly brackets {}. In addition, the attribute-value pairs within the Response are separated by semicolons.
For example,
Response={RadiusPacketType=AccessAccept; AuthenticationResult=UnknownUser; cisco-av-pair=sga:security-group-tag=0000-00;}

Remote Syslog Message Format

You can use the web interface to configure logging category messages so that they are sent to remote syslog server targets. Log messages are sent to the remote syslog server targets in accordance with the syslog protocol standard (see RFC-3164). The syslog protocol runs over UDP, which is not secure.
A message is generated when an event occurs. An event may be one that displays a status, such as a message displayed when exiting a program, or an alarm. There are different types of event messages generated from different facilities such as the kernel, mail, user level, and so on. An event message is associated with a severity level, which allows an administrator to filter the messages and prioritize them. Numerical codes are assigned to the facility and the severity level. A syslog server is an event message collector and collects event messages from these facilities. The administrator can select the event message collector to which messages will be forwarded based upon their severity level. Refer to the Logging Category Settings section for the severity levels in Cisco ISE.
Log messages are sent to the remote syslog server with this syslog message header format, which precedes the local store syslog message format:
pri_num YYYY Mmm DD hh:mm:ss xx:xx:xx:xx/host_name cat_name msg_id total_seg seg_num
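The local-store format described above is what a SIEM or log pipeline has to parse before it can alert on ISE events. The Python below is an added example, not part of the guide: it splits the header fields, the comma-separated attr=value pairs, and the semicolon-separated Response={...} bundle, and splits each pair on the first "=" only, because a value such as cisco-av-pair=sga:security-group-tag=0000-00 contains "=" itself. The sample record is constructed, and its msg_class and msg_text wording are assumptions.

```python
import re
# Header fields of the local-store format; assumes the documented timestamp layout.
HEADER_RE = re.compile(
    r"^(?P<timestamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}:\d{3} [+-]\d{2}:\d{2}) "
    r"(?P<sequence_num>\d{10}) (?P<msg_code>\d+) (?P<msg_sev>[A-Z]+) "
    r"(?P<msg_class>\S+) (?P<rest>.*)$"
)

# Constructed sample record (values are illustrative, not captured from ISE).
SAMPLE = (
    "2015-01-22 10:46:02:123 +02:00 0000000014 5200 NOTICE Passed-Authentication "
    "Authentication succeeded, UserName=alice, NAS-IP-Address=192.0.2.10, "
    "Response={RadiusPacketType=AccessAccept; AuthenticationResult=UnknownUser; "
    "cisco-av-pair=sga:security-group-tag=0000-00;}"
)

def split_top_level(text, sep):
    """Split on sep only outside {...}, so a Response bundle stays in one piece."""
    parts, cur, depth = [], [], 0
    for ch in text:
        depth += (ch == "{") - (ch == "}")
        if ch == sep and depth == 0:
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    tail = "".join(cur).strip()
    return parts + ([tail] if tail else [])

def parse_pair(pair):
    """Split on the FIRST '=' only: a cisco-av-pair value contains '=' itself."""
    key, _, value = pair.partition("=")
    return key.strip(), value.strip()

def parse_local_store(line):
    """Return the header fields, msg_text and a dict of attr=value pairs."""
    m = HEADER_RE.match(line.strip())
    if m is None:
        raise ValueError("line does not match the ISE local-store format")
    rec = m.groupdict()
    pieces = split_top_level(rec.pop("rest"), ",")  # a comma separates pairs
    rec["msg_text"] = pieces[0]
    attrs = {}
    for piece in pieces[1:]:
        key, value = parse_pair(piece)
        if value.startswith("{") and value.endswith("}"):  # bundled Response set
            value = dict(parse_pair(p) for p in split_top_level(value[1:-1], ";"))
        attrs[key] = value
    return {**rec, "attrs": attrs}
```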