Cisco ISE 1.3 User Guide
Step 4 Deregister the node to be backed up.
Step 5 Restore the Monitoring backup to the newly deregistered node.
Step 6 Register the newly restored node with the current Administration node.
Step 7 Promote the newly restored and registered node as the PAN.

Restore a Monitoring Backup with a Monitoring Persona

You can restore a Monitoring backup in a distributed environment with only the Monitoring persona.

Before You Begin
• Purge the old monitoring data.
• Schedule a backup or perform an on-demand backup.

Procedure
Step 1 Prepare to deregister the node to be restored by assigning the Monitoring persona to another node in the deployment. A deployment must have at least one functioning Monitoring node.
Step 2 Deregister the node to be restored.
Note: Wait until the deregistration is complete before proceeding with the restore. The node must be in a standalone state before you can continue with the restore.
Step 3 Restore the Monitoring backup to the newly deregistered node.
Step 4 Register the newly restored node with the current Administration node.
Step 5 Promote the newly restored and registered node as the PAN.

Restore History

You can obtain information about all restore operations, log events, and statuses from the Operations Audit report. However, the Operations Audit report does not provide information about the start times corresponding to the previous restore operations.
Note: For troubleshooting information, you have to run the backup-logs command from the Cisco ISE CLI and look at the ADE.log file.
While the restore operation is in progress, all Cisco services are stopped. You can use the show restore status CLI command to check the progress of the restore operation.

Cisco Identity Services Engine Administrator Guide, Release 1.3 (page 225, Cisco ISE Restore Operation)
Export Authentication and Authorization Policy Configuration

You can export the authentication and authorization policy configuration in the form of an XML file that you can read offline to identify any configuration errors and use for troubleshooting purposes. This XML file includes authentication and authorization policy rules, simple and compound policy conditions, dACLs, and authorization profiles. You can choose to email the XML file or save it to your local system.

Procedure
Step 1 Choose Administration > System > Backup & Restore.
Step 2 Click Policy Export.
Step 3 Enter the values as needed.
Step 4 Click Export.
Use a text editor such as WordPad to view the contents of the XML file.

Synchronize Primary and Secondary Nodes in a Distributed Environment

In a distributed environment, the Cisco database in the primary and secondary nodes is sometimes not synchronized automatically after restoring a backup file on the PAN. If this happens, you can manually force a full replication from the PAN to the secondary nodes. You can force a synchronization only from the PAN to the secondary nodes. During the sync-up operation, you cannot make any configuration changes. Cisco allows you to navigate to other Cisco Admin portal pages and make any configuration changes only after the synchronization is complete.

Before You Begin
To perform the following task, you must be a Super Admin or System Admin.

Procedure
Step 1 Choose Administration > System > Deployment.
Step 2 Check the check boxes next to the secondary ISE nodes with an Out of Sync replication status.
Step 3 Click Syncup and wait until the nodes are synchronized with the PAN. You will have to wait until this process is complete before you can access the Cisco Admin portal again.

Recovery of Lost Nodes in Standalone and Distributed Deployments

This section provides troubleshooting information that you can use to recover lost nodes in standalone and distributed deployments. Some of the following use cases use the backup and restore functionality and others use the replication feature to recover lost data.
Recovery of Lost Nodes Using Existing IP Addresses and Hostnames in a Distributed Deployment

Scenario
In a distributed deployment, a natural disaster leads to a loss of all the nodes. After recovery, you want to use the existing IP addresses and hostnames.
For example, you have two nodes: N1 (Primary Policy Administration Node or Primary PAN) and N2 (Secondary Policy Administration Node or Secondary PAN). A backup of the N1 node, which was taken at time T1, is available. Later, both N1 and N2 nodes fail because of a natural disaster.

Assumption
All Cisco nodes in the deployment were destroyed. The new hardware was imaged using the same hostnames and IP addresses.

Resolution Steps
1 You have to replace both the N1 and N2 nodes. N1 and N2 nodes will now have a standalone configuration.
2 Obtain a license with the UDI of the N1 and N2 nodes and install it on the N1 node.
3 You must then restore the backup on the replaced N1 node. The restore script will try to sync the data on N2, but N2 is now a standalone node and the synchronization fails. Data on N1 will be reset to time T1.
4 You must log in to the N1 Admin portal to delete and reregister the N2 node. Both the N1 and N2 nodes will have data reset to time T1.

Recovery of Lost Nodes Using New IP Addresses and Hostnames in a Distributed Deployment

Scenario
In a distributed deployment, a natural disaster leads to loss of all the nodes. The new hardware is reimaged at a new location and requires new IP addresses and hostnames.
For example, you have two nodes: N1 (Primary Policy Administration Node or Primary PAN) and N2 (Secondary Policy Service Node). A backup of the N1 node, which was taken at time T1, is available. Later, both N1 and N2 nodes fail because of a natural disaster. The Cisco nodes are replaced at a new location and the new hostnames are N1A (Primary PAN) and N2A (Secondary Policy Service Node). N1A and N2A are standalone nodes at this point in time.

Assumptions
All Cisco nodes in the deployment were destroyed. The new hardware was imaged at a different location using different hostnames and IP addresses.

Resolution Steps
1 Obtain the N1 backup and restore it on N1A. The restore script will identify the hostname change and domain name change, and will update the hostname and domain name in the deployment configuration based on the current hostname.
2 You must generate a new self-signed certificate.
3 You must log in to the Cisco Admin portal on N1A, choose Administration > System > Deployment, and do the following:
• Delete the old N2 node.
• Register the new N2A node as a secondary node. Data from the N1A node will be replicated to the N2A node.

Recovery of a Node Using Existing IP Address and Hostname in a Standalone Deployment

Scenario
A standalone administration node is down.
For example, you have a standalone administration node, N1. A backup of the N1 database was taken at time T1. The N1 node goes down because of a physical failure and must be reimaged, or new hardware is required. The N1 node must be brought back up with the same IP address and hostname.

Assumptions
This deployment is a standalone deployment and the new or reimaged hardware has the same IP address and hostname.

Resolution Steps
Once the N1 node is up after a reimage, or you have introduced a new Cisco node with the same IP address and hostname, you must restore the backup taken from the old N1 node. You do not have to make any role changes.

Recovery of a Node Using New IP Address and Hostname in a Standalone Deployment

Scenario
A standalone administration node is down.
For example, you have a standalone administration node, N1. A backup of the N1 database taken at time T1 is available. The N1 node is down because of a physical failure and will be replaced by new hardware at a different location with a different IP address and hostname.

Assumptions
This is a standalone deployment and the replaced hardware has a different IP address and hostname.

Resolution Steps
1 Replace the N1 node with new hardware. This node will be in a standalone state and the hostname is N1B.
2 You can restore the backup on the N1B node. No role changes are required.
Configuration Rollback

Problem
There may be instances where you inadvertently make configuration changes that you later determine were incorrect. For example, you may delete several NADs or modify some RADIUS attributes incorrectly and realize this issue several hours later. In this case, you can revert to the original configuration by restoring a backup that was taken before you made the changes.

Possible Causes
There are two nodes: N1 (Primary Policy Administration Node or Primary PAN) and N2 (Secondary Policy Administration Node or Secondary PAN), and a backup of the N1 node is available. You made some incorrect configuration changes on N1 and want to remove the changes.

Solution
Obtain a backup of the N1 node that was taken before the incorrect configuration changes were made. Restore this backup on the N1 node. The restore script will synchronize the data from N1 to N2.

Recovery of Primary Node in Case of Failure in a Distributed Deployment

Scenario
In a multinode deployment, the PAN fails.
For example, you have two Cisco nodes, N1 (PAN) and N2 (Secondary Administration Node). N1 fails because of hardware issues.

Assumptions
Only the primary node in a distributed deployment has failed.

Resolution Steps
1 Log in to the N2 Admin portal. Choose Administration > System > Deployment and configure N2 as your primary node.
The N1 node is replaced with new hardware, reimaged, and is in the standalone state.
2 From the N2 Admin portal, register the new N1 node as a secondary node.
Now, the N2 node becomes your primary node and the N1 node becomes your secondary node.
If you wish to make the N1 node the primary node again, log in to the N1 Admin portal and make it the primary node. N2 automatically becomes a secondary server. There is no data loss.

Recovery of Secondary Node in Case of Failure in a Distributed Deployment

Scenario
In a multinode deployment, a single secondary node has failed. No restore is required.
For example, you have multiple nodes: N1 (Primary PAN), N2 (Secondary PAN), N3 (Secondary Policy Service Node), N4 (Secondary Policy Service Node). One of the secondary nodes, N3, fails.

Resolution Steps
1 Reimage the new N3A node to the default standalone state.
2 Log in to the N1 Admin portal and delete the N3 node.
3 Reregister the N3A node.
Data is replicated from N1 to N3A. No restore is required.
CHAPTER 13
Setup Endpoint Protection Service

• Enable Endpoint Protection Service in Cisco ISE, page 231
• Configure Network Access Settings, page 231
• Endpoint Protection Service, page 233
• EPS Quarantine and Unquarantine Flow, page 235
• EPS NAS Port Shutdown Flow, page 236
• Endpoints Purge Settings, page 236

Enable Endpoint Protection Service in Cisco ISE

Endpoint Protection Service (EPS) is disabled by default. You must enable EPS manually, and it remains enabled until you manually disable the service in the Admin portal.
You must have Super Admin and Policy Admin role privileges to enable EPS in Cisco ISE.

Procedure
Step 1 Choose Administration > System > Settings > Endpoint Protection Service.
Step 2 Click the Service Status drop-down list, and choose Enabled.
Step 3 Click Save.

Configure Network Access Settings

Endpoint Protection Service (EPS) allows you to reset the network access status of an endpoint to quarantine, unquarantine, or shut down a port, which defines authorization to the network depending on the network access status.
You can quarantine or unquarantine endpoints, or shut down the network access server (NAS) ports to which endpoints are connected, by using their endpoint IP addresses or MAC addresses. You can perform quarantine and unquarantine operations on the same endpoint multiple times, provided they are not performed simultaneously. If you discover a hostile endpoint on your network, you can shut down the endpoint's access, using EPS to close the NAS port.

Before You Begin
• You must enable EPS.
• You must create authorization profiles and Exception type authorization policies for EPS.

Procedure
Step 1 Choose Operations > Endpoint Protection Service.
Step 2 Under Endpoint Operation, enter the IP Address or MAC Address of an endpoint.
Step 3 Click the Operations drop-down list to choose one of the following actions:
• Quarantine—Isolates the endpoint, restricting access on the network
• Unquarantine—Reverses the quarantine process, allowing full access to the network
• Shutdown—Closes the NAS port to which the endpoint is connected
Step 4 Click Submit.

Quarantined Endpoints Do Not Renew Authentication Following Policy Change

Problem
Authentication has failed following a change in policy or additional identity, and no reauthentication is taking place. Authentication fails or the endpoint in question remains unable to connect to the network. This issue often occurs on client machines that are failing posture assessment per the posture policy that is assigned to the user role.

Possible Causes
The authentication timer setting is not correctly set on the client machine, or the authentication interval is not correctly set on the switch.

Solution
There are several possible resolutions for this issue:
1 Check the Session Status Summary report in Cisco ISE for the specified NAD or switch, and ensure that the interface has the appropriate authentication interval configured.
2 Enter "show running configuration" on the NAD/switch and ensure that the interface is configured with an appropriate "authentication timer restart" setting. (For example, "authentication timer restart 15," and "authentication timer reauthenticate 15.")
3 Try entering "interface shutdown" and "no shutdown" to bounce the port on the NAD/switch and force reauthentication following a potential configuration change in Cisco ISE.
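The switch-side checks in steps 2 and 3, shown in their IOS configuration context as an added example (constructed here, not taken from the guide); the interface name GigabitEthernet1/0/1 and the access-port settings around the two timers are assumptions.

```text
! Constructed example (not from the guide). Step 2: confirm the timers on
! the endpoint's access port. Interface name is an assumption.
Switch# show running-config interface GigabitEthernet1/0/1
interface GigabitEthernet1/0/1
 switchport mode access
 authentication port-control auto
 authentication timer restart 15
 authentication timer reauthenticate 15
 dot1x pae authenticator
!
! Step 3: bounce the port to force reauthentication after the ISE policy
! change. Skip ports listed in the Network Device SNMP report, since CoA
! for those sessions needs the MAC address or session ID instead.
Switch# configure terminal
Switch(config)# interface GigabitEthernet1/0/1
Switch(config-if)# shutdown
Switch(config-if)# no shutdown
Switch(config-if)# end
!
! Verify that a fresh session was built after the bounce.
Switch# show authentication sessions interface GigabitEthernet1/0/1
```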
Note: Because CoA requires a MAC address or session ID, we recommend that you do not bounce the port that is shown in the Network Device SNMP report.

Endpoint Protection Service

Endpoint Protection Service (EPS) is a service that runs on the Administration node and can be used for monitoring and controlling network access of endpoints. EPS is also known as Adaptive Network Control (ANC). EPS can be invoked by the ISE administrator in the admin GUI and also through pxGrid from third-party systems. EPS supports wired and wireless deployments and requires a Plus License.
You can use EPS to change the authorization state without having to modify the overall authorization policy of the system. EPS allows you to set the authorization state when you quarantine an endpoint, as a result of established authorization policies that are defined to check for EPSStatus to limit or deny network access. You can unquarantine an endpoint for full network access. You can also shut down the port on the network attached system (NAS), which disconnects the endpoint from the network.
There are no limits to the number of users that can be quarantined at one time, and there are no time constraints on the length of the quarantine period.
You can perform the following operations to monitor and control network access through EPS:
• Quarantine—Allows you to use Exception policies (authorization policies) to limit or deny an endpoint access to the network. You must create Exception policies to assign different authorization profiles (permissions) depending on the EPSStatus. Setting the Quarantine state essentially moves an endpoint from its default VLAN to a specified Quarantine VLAN. You must have previously defined the Quarantine VLAN, and it must be supported on the same NAS as the endpoint.
• Unquarantine—Allows you to reverse the quarantine status, which permits full access to the network for an endpoint by returning the endpoint to its original VLAN.
• Shutdown—Allows you to deactivate a port on the NAS and disconnect the endpoint from the network. Once the port is shut down on the NAS to which an endpoint is connected, you must manually reset the port on the NAS again to allow an endpoint to connect to the network. This operation is not available for wireless deployments.
Note: Quarantine and unquarantine operations can be triggered from the session directory reports for active endpoints. If a quarantined session is unquarantined, the initiation method for a newly unquarantined session depends on the authentication method that is specified by the switch configuration.

Create Authorization Profiles for Network Access through EPS

You must create an authorization profile for use with EPS, and the authorization profile appears in the list of Standard Authorization Profiles. An endpoint can be authenticated and authorized in the network, but with restricted access to the network.
Procedure
Step 1 Choose Policy > Policy Elements > Authorization > Authorization Profiles.
Step 2 Click Add.
Step 3 Enter a unique name and description for the authorization profile, and leave the Access Type as ACCESS_ACCEPT.
Step 4 Check the DACL Name check box, and choose DENY_ALL_TRAFFIC from the drop-down list.
Step 5 Click Submit.

Create Exception Policies for Network Access through EPS

For EPS authorization, you must create a quarantine exception policy that is processed before all standard authorization policies. Exception authorization policies are intended for authorizing limited access to meet special conditions or permissions or an immediate requirement. Standard authorization policies are intended to be stable and apply to large groups of users, devices, and groups that share a common set of privileges.

Before You Begin
You should have successfully created standard authorization profiles for use with EPS.

Procedure
Step 1 Choose Policy > Authorization, and expand Exceptions.
Step 2 Choose the Enabled, Disabled, or Monitor Only option.
Step 3 Click Create a New Rule.
Step 4 Enter the exception rule name.
Step 5 Click the plus [+] sign to choose an identity group.
Step 6 Click the plus [+] sign to choose Create New Condition (Advanced Option).
Step 7 Click the down arrow icon in the first field to display the dictionaries list and choose Session > EPSStatus.
Step 8 Choose Equals from the drop-down list in the second field.
Step 9 Choose Quarantine from the drop-down list in the third field.
Step 10 Click Save.

EPS Operations Fail when IP Address or MAC Address is not Found

An EPS operation that you perform on an endpoint fails when an active session for that endpoint does not contain information about the IP address. This also applies to the MAC address and session ID for that endpoint.