When you want to change the authorization state of an endpoint through EPS, you must provide the IP address or the MAC address for the endpoint. If the IP address or the MAC address is not found in the active session for the endpoint, then you will see the following error message: No active session found for this MAC address, IP Address or Session ID.

Note: Externally Authenticated Administrators Cannot Perform EPS Operations

If an externally authenticated administrator tries to issue CoA-Quarantine from a live session, Cisco ISE returns the following error message:

CoA Action of Quarantine for xx:xx:xx:xx:xx:xx cannot be initiated. (Cause: User not found internally. Possible use of unsupported externally authenticated user

If an externally authenticated administrator performs an EPS operation from Operations > Endpoint Protection Service in the Cisco ISE Admin portal using the IP address or MAC address of the endpoint, Cisco ISE returns the following error message:

Server failure: User not found internally. Possible use of unsupported externally authenticated user

EPS Quarantine and Unquarantine Flow

You can quarantine selected endpoints with EPS, to limit their access to the network. You can quarantine endpoints and establish exception authorization policies that assign different authorization profiles, depending on the status. An authorization profile acts as a container for permissions that you define in the authorization policies that allow access to specified network services. When the authorization is complete, the permissions are granted for a network access request. If the endpoint is then validated, you can unquarantine the endpoint to allow it full access to the network.

This figure illustrates the quarantine flow, which assumes that authorization rules have been configured and the EPS session has been established.

Figure 20: EPS Quarantine Flow

Cisco Identity Services Engine Administrator Guide, Release 1.3, page 235
1. A client device logs on to the network through a wireless device (WLC), and a quarantine REST API call is issued from the Administration node (PAP) to the Monitoring node (MnT).
2. The Monitoring node then calls PrRT through the Policy Services ISE node (PDP) to invoke a CoA.
3. The client device is disconnected.
4. The client device then reauthenticates and reconnects.
5. A RADIUS request for the client device is sent back to the Monitoring node.
6. The client device is quarantined while the check is made.
7. The Q-Profile authorization policy is applied, and the client device is validated.
8. The client device is unquarantined, and allowed full access to the network.

EPS NAS Port Shutdown Flow

You can shut down the NAS port to which an endpoint is connected by using the endpoint IP address or MAC address.

Shutdown allows you to close a NAS port based on a specified IP address or MAC address, and you have to manually reinstate the port to bring the endpoint back into the network. This is effective only for endpoints that are connected through wired media.

Shutdown may not be supported on all devices. Most switches should support the shutdown command, however. You can use the getResult() command to verify that the shutdown executed successfully.

This figure illustrates the EPS shutdown flow. For the client device in the illustration, the shutdown operation is performed on the NAS that the client device uses to access the network.

Figure 21: EPS Shutdown Flow

Endpoints Purge Settings

You can define the Endpoint Purge Policy by configuring rules based on identity groups and other conditions using Administration > Identity Management > Settings > Endpoint Purge. You can choose not to purge specified endpoints and to purge endpoints based on selected profiling conditions.

You can schedule an endpoint purge job. This endpoint purge schedule is enabled by default. Cisco ISE, by default, deletes endpoints and registered devices that are older than 30 days. The purge job runs at 1 AM every day based on the time zone configured in the Primary PAN.
The following are some of the conditions, with examples, that you can use for purging the endpoints:

• Inactivity Days—Number of days since the last profiling activity or update on the endpoint.
  ◦ This condition purges stale devices that have accumulated over time, commonly transient guest or personal devices, or retired devices. These endpoints tend to represent noise in most deployments as they are no longer active on the network or likely to be seen in the near future. If they do happen to connect again, then they will be rediscovered, profiled, registered, etc. as needed.
  ◦ When there are updates from the endpoint, Inactivity Days will be reset to 0 only if profiling is enabled.
• Elapsed Days—Number of days since the object was created.
  ◦ This condition can be used for endpoints that have been granted unauthenticated or conditional access for a set time period, such as a guest or contractor endpoint, or employees leveraging webauth for network access. After the allowed connect grace period, they must be fully reauthenticated and registered.
• Purge Date—Date to purge the endpoint.
  ◦ This option can be used for special events or groups where access is granted for a specific time, regardless of creation or start time. This allows all endpoints to be purged at the same time. For example, a trade show, a conference, or a weekly training class with new members each week, where access is granted for a specific week or month rather than absolute days/weeks/months.
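The purge conditions above, worked through as an added example that is not Cisco's code: a small evaluator that applies group-based rules of the three kinds (Inactivity Days, Elapsed Days, Purge Date) plus an exempt group to constructed endpoint records, and models the rule that an endpoint update resets Inactivity Days only when profiling is enabled. The rule order, group names, dates and the first-match semantics are assumptions for illustration.

```python
from datetime import date

# Constructed sample endpoint records (not from the guide), one per purge
# condition the guide lists plus an exempt group; dates are arbitrary.
def ep(mac, group, created, last_activity, purge_date=None):
    return {"mac": mac, "group": group, "created": created,
            "last_activity": last_activity, "purge_date": purge_date}

TODAY = date(2015, 3, 1)  # evaluation date assumed for the example
ENDPOINTS = [
    ep("00:11:22:33:44:01", "GuestEndpoints", date(2015, 1, 10), date(2015, 1, 12)),
    ep("00:11:22:33:44:02", "Workstation", date(2014, 6, 1), date(2015, 2, 28)),
    ep("00:11:22:33:44:03", "Contractor", date(2015, 1, 1), date(2015, 2, 27)),
    ep("00:11:22:33:44:04", "TradeShow", date(2015, 2, 20), date(2015, 2, 28), date(2015, 2, 28)),
    ep("00:11:22:33:44:05", "Printer", date(2013, 1, 1), date(2013, 1, 2)),
]

# Rules are evaluated top-down by identity group; the first match decides
# (assumed). "exempt" models "choose not to purge specified endpoints"; the
# other kinds are the guide's Inactivity Days, Elapsed Days and Purge Date.
RULES = [
    {"group": "Printer", "kind": "exempt"},
    {"group": "TradeShow", "kind": "purge_date"},
    {"group": "Contractor", "kind": "elapsed_days", "days": 45},
    {"group": "*", "kind": "inactivity_days", "days": 30},  # the 30-day default
]

def record_update(endpoint, when, profiling_enabled):
    """An update from the endpoint resets Inactivity Days only if profiling is enabled."""
    if profiling_enabled:
        endpoint["last_activity"] = when
    return endpoint

def should_purge(endpoint, rules, today):
    for rule in rules:
        if rule["group"] not in ("*", endpoint["group"]):
            continue
        kind = rule["kind"]
        if kind == "exempt":
            return False
        if kind == "inactivity_days":
            return (today - endpoint["last_activity"]).days > rule["days"]
        if kind == "elapsed_days":
            return (today - endpoint["created"]).days > rule["days"]
        if kind == "purge_date":
            return endpoint["purge_date"] is not None and today >= endpoint["purge_date"]
    return False  # no rule matched: keep the endpoint

def purge_candidates(endpoints, rules, today):
    """MAC addresses the nightly purge job would delete on the given day."""
    return [e["mac"] for e in endpoints if should_purge(e, rules, today)]
```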
PART IV Manage Users and End-User Portals

• Manage Users and External Identity Sources, page 241
• Configure Guest Access, page 291
• Support Device Access, page 335
• Customize End-User Web Portals, page 359
CHAPTER 14 Manage Users and External Identity Sources

• Cisco ISE Users, page 241
• Internal and External Identity Sources, page 246
• Certificate Authentication Profiles, page 248
• Active Directory as an External Identity Source, page 249
• ISE pxGrid Identity Mapping, page 269
• LDAP, page 271
• RADIUS Token Identity Sources, page 279
• RSA Identity Sources, page 283
• Identity Source Sequences, page 288
• Identity Source Details in Reports, page 290

Cisco ISE Users

In this chapter, the term user refers to employees and contractors who access the network regularly as well as sponsor and guest users. A sponsor user is an employee or contractor of the organization who creates and manages guest-user accounts through the sponsor portal. A guest user is an external visitor who needs access to the organization’s network resources for a limited period of time.

You must create an account for any user to gain access to resources and services on the Cisco ISE network. Employees, contractors, and sponsor users are created from the Admin portal.

User Identity

User identity is like a container that holds information about a user and forms their network access credentials. Each user’s identity is defined by data and includes: a username, e-mail address, password, account description, associated administrative group, user group, and role.
User Groups

User groups are a collection of individual users who share a common set of privileges that allow them to access a specific set of Cisco ISE services and functions.

User Identity Groups

A user’s group identity is composed of elements that identify and describe a specific group of users that belong to the same group. A group name is a description of the functional role that the members of this group have. A group is a listing of the users that belong to this group.

Default User Identity Groups

Cisco ISE comes with the following predefined user identity groups:

• Employee—Employees of your organization belong to this group.
• SponsorAllAccount—Sponsor users who can suspend or reinstate all guest accounts in the Cisco ISE network.
• SponsorGroupAccounts—Sponsor users who can suspend guest accounts created by sponsor users from the same sponsor user group.
• SponsorOwnAccounts—Sponsor users who can only suspend the guest accounts that they have created.
• Guest—A visitor who needs temporary access to resources in the network.
• ActivatedGuest—A guest user whose account is enabled and active.

User Role

A user role is a set of permissions that determine what tasks a user can perform and what services they can access on the Cisco ISE network. A user role is associated with a user group. For example, a network access user.

User Account Custom Attributes and Password Policies

Cisco ISE allows you to restrict a user’s network access based on user attributes. Cisco ISE comes with a set of predefined user attributes and also allows you to create custom attributes. Both types of attributes can be used in conditions that define the authentication policy. You can also define a password policy for user accounts so that passwords meet specified criteria.

Custom User Attributes

On the User Custom Attributes Setting page, you can use the Custom Attributes pane to define additional user-account attributes. Cisco ISE provides a list of predefined attributes that are not configurable. However, you can define custom attributes by configuring the following:

• Attribute name
• Data type
User Password Policy Settings

You can define the criteria that user-account passwords must meet in the User Password Policy page. Choose Administration > Identity Management > Settings > User Password Policy.

The following table describes the fields in the User Password Policy page.

Table 14: User Password Policy Settings

| Fields | Description |
| --- | --- |
| Minimum length | Sets the minimum length of the password (in characters). |
| Password must not contain | Restricts the use of the username or its characters in reverse order. |
| Password should not contain "cisco" or its characters in reversed order | Restricts the use of "cisco" or its characters in reverse order. |
| Password should not contain _______ or its characters in reverse order | Restricts the use of any word that you define or its characters in reverse order. |
| Password should not contain repeated characters four or more times consecutively | Restricts the use of characters repeated four or more times consecutively. |
| Required characters | Specifies that the user password must include at least one character of each of the following types: lowercase alphabetic characters, uppercase alphabetic characters, numeric characters, non-alphanumeric characters. If a user-password policy requires upper or lower case characters and the user’s language does not support these characters, the user cannot set a password. For the user password field to support UTF-8 characters, you must uncheck the following check box options: Lowercase alphabetic characters, Uppercase alphabetic characters. |
| Password History | Specifies the number of previous versions from which the password must be different, to prevent repeated use of the same password. |
| Password Lifetime | Sets the following options to force users to change passwords after a specified time period: Time (in days) before the user account is disabled if the password is not changed; Reminder (in days) before the user account is disabled. |

Add Users

Cisco ISE allows you to view, create, modify, duplicate, delete, change the status, import, export, or search for attributes of Cisco ISE users.

If you are using a Cisco ISE internal database, you must create an account for any new user who needs access to resources or services on a Cisco ISE network.

Procedure

Step 1 Choose Administration > Identity Management > Identities > Users.
Step 2 Click Add (+) to create a new user.
Step 3 Enter values for the fields.
Do not include space, +, and * characters in the username. If you use the Cisco ISE Internal Certificate Authority (CA) for BYOD, the username that you provide here is used as the Common Name for the endpoint certificate. Cisco ISE Internal CA does not support "+" or "*" characters in the Common Name field.
Step 4 Click Submit to create a new user in the Cisco ISE internal database.

Export Cisco ISE User Data

You might have to export user data from the Cisco ISE internal database. Cisco ISE allows you to export user data in the form of a password-protected csv file.

Procedure

Step 1 Choose Administration > Identity Management > Identities > Users.
Step 2 Check the check box that corresponds to the user(s) whose data you want to export.
Step 3 Click Export Selected.
Step 4 Enter a key for encrypting the password in the Key field.
Step 5 Click Start Export to create a users.csv file.
Step 6 Click OK to export the users.csv file.
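The checks in Table 14 and the username rule from Add Users, Step 3, written out as an added example that is not Cisco's code: a validator that applies each password policy field, including the UTF-8 caveat (the lower/upper requirements are ASCII checks, so a non-Latin password passes only once those two options are unchecked). The policy values, the plain-text comparison for Password History and the violation labels are assumptions for illustration.

```python
import re

# Policy settings modelled on the fields of Table 14; the values are
# constructed for this example and are not ISE defaults.
POLICY = {
    "min_length": 8,
    "forbid_username": True,          # "Password must not contain" the username
    "forbid_cisco": True,
    "forbid_words": ["acme"],          # the "should not contain _______" field
    "forbid_repeats": True,            # same character four or more times in a row
    "required": {"lower": True, "upper": True, "digit": True, "special": True},
    "history": 3,                      # must differ from the last three passwords
}

# ASCII classes on purpose: this is what makes a non-Latin password fail the
# lower/upper requirement, the UTF-8 caveat the table describes.
CLASS_PATTERNS = {"lower": r"[a-z]", "upper": r"[A-Z]",
                  "digit": r"[0-9]", "special": r"[^A-Za-z0-9]"}

def contains_either_way(password, word):
    """True if word, or word reversed, occurs in password (case-insensitive)."""
    p, w = password.lower(), word.lower()
    return w in p or w[::-1] in p

def check_password(password, username, previous, policy):
    """Return the list of policy violations; an empty list means accepted."""
    problems = []
    if len(password) < policy["min_length"]:
        problems.append("minimum length")
    if policy["forbid_username"] and contains_either_way(password, username):
        problems.append("contains username")
    if policy["forbid_cisco"] and contains_either_way(password, "cisco"):
        problems.append("contains cisco")
    for word in policy["forbid_words"]:
        if contains_either_way(password, word):
            problems.append("contains " + word)
    if policy["forbid_repeats"] and re.search(r"(.)\1{3,}", password):
        problems.append("repeated character")
    for name, needed in policy["required"].items():
        if needed and not re.search(CLASS_PATTERNS[name], password):
            problems.append("missing " + name)
    # Plain comparison against the remembered passwords (a simplification
    # assumed here; a real store would compare hashes).
    n = policy["history"]
    if n and password in previous[-n:]:
        problems.append("reused password")
    return problems

def valid_username(username):
    """Add Users, Step 3: no space, + or * (the Internal CA uses it as the CN)."""
    return bool(username) and not re.search(r"[ +*]", username)
```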