Cisco Ise 13 User Guide
Import Cisco ISE Internal Users

You can import new user data into ISE with a csv file to create new internal accounts. A template csv file is available for download on the pages where you can import user accounts. You can import users on Administration > Identity Management > Identities > Users.

Procedure

Step 1 Choose Administration > Identity Management > Identities > Users.
Step 2 Click Import to import users from a comma-delimited text file. If you do not have a comma-delimited text file, click Generate a Template to create a csv file with the heading rows filled in.
Step 3 In the File text box, enter the filename containing the users to import, or click Browse and navigate to the location where the file resides.
Step 4 Check the Create new user(s) and update existing user(s) with new data check boxes if you want to both create new users and update existing users.
Step 5 Click Save to save your changes to the Cisco ISE internal database.

Note: We recommend that you do not delete all the network access users at one time, because this may cause a CPU spike and the services to crash, especially if you are using a very large database.

Create a User Identity Group

You must create a user identity group before you can assign a user to it.

Procedure

Step 1 Choose Administration > Identity Management > Groups > Identity Groups > User Identity Groups > Add.
Step 2 Enter values in the Name and Description fields. Supported characters for the Name field are space # $ & ' ( ) * + - . / @ _.
Step 3 Click Submit.

Related Topics
User Identity Groups, on page 242

Cisco Identity Services Engine Administrator Guide, Release 1.3 (page 245, Cisco ISE Users)
Export User Identity Groups

Cisco ISE allows you to export locally configured user identity groups in the form of a csv file.

Procedure

Step 1 Choose Administration > Identity Management > Groups > Identity Groups > User Identity Groups.
Step 2 Check the check box that corresponds to the user identity group that you want to export, and click Export.
Step 3 Click OK.

Import User Identity Groups

Cisco ISE allows you to import user identity groups in the form of a csv file.

Procedure

Step 1 Choose Administration > Identity Management > Groups > Identity Groups > User Identity Groups.
Step 2 Click Generate a Template to get a template to use for the import file.
Step 3 Click Import to import network access users from a comma-delimited text file.
Step 4 Check the Overwrite existing data with new data check box if you want to both add a new user identity group and update existing user identity groups.
Step 5 Click Import.
Step 6 Click Save to save your changes to the Cisco ISE database.

Internal and External Identity Sources

Identity sources contain user information that Cisco ISE uses to validate credentials during user authentication, and to retrieve group information and other attributes that are associated with the user for use in authorization policies. They are databases that store user information in the form of records. You can add, edit, and delete user information from identity sources.

Cisco ISE supports internal and external identity sources. Both sources can be used as an authentication source for sponsor-user and guest-user authentication.

Internal Identity Sources

Cisco ISE has an internal user database that you can use to store user information. Users in the internal user database are called internal users. Cisco ISE also has an internal endpoint database that stores information about all the devices and endpoints that connect to it.
External Identity Sources

Cisco ISE allows you to configure the external identity source that contains user information. Cisco ISE connects to an external identity source to obtain user information for authentication. External identity sources also include certificate information for the Cisco ISE server and certificate authentication profiles. Cisco ISE uses authentication protocols to communicate with external identity sources. The following table lists authentication protocols and the external identity sources that they support.

Table 15: Authentication Protocols and Supported External Identity Sources

Protocol (Authentication Type) | Internal Database | Active Directory | LDAP | RADIUS Token Server or RSA
EAP-GTC, PAP (plain text password) | Yes | Yes | Yes | Yes
MS-CHAP password hash: MS-CHAPv1/v2, EAP-MSCHAPv2 (as inner method of PEAP or EAP-FAST), LEAP | Yes | Yes | No | No
EAP-MD5, CHAP | Yes | No | No | No
EAP-TLS, PEAP-TLS (certificate retrieval) | No | Yes | Yes | No

Note: For TLS authentications (EAP-TLS and PEAP-TLS), identity sources are not required but can optionally be added for authorization policy conditions.

Create an External Identity Source

Cisco ISE can connect with external identity sources such as Active Directory, LDAP, RADIUS Token, and RSA SecurID servers to obtain user information for authentication and authorization. External identity sources also include certificate authentication profiles that you need for certificate-based authentications.

Procedure

Step 1 Choose Administration > Identity Management > External Identity Sources.
Step 2 Choose one of these options:
• Certificate Authentication Profile for certificate-based authentications.
• Active Directory to connect to an Active Directory as an external identity source (see Active Directory as an External Identity Source, on page 249 for more details).
• LDAP to add an LDAP identity source (see LDAP, on page 271 for more details).
• RADIUS Token to add a RADIUS Token server (see RADIUS Token Identity Sources, on page 279 for more details).
• RSA SecurID to add an RSA SecurID server (see RSA Identity Sources, on page 283 for more details).

Certificate Authentication Profiles

For each profile, you must specify the certificate field that should be used as the principal username and whether you want a binary comparison of the certificates.

Add a Certificate Authentication Profile

You must create a certificate authentication profile if you want to use the Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) certificate-based authentication method. Instead of authenticating via the traditional username and password method, Cisco ISE compares a certificate received from a client with one in the server to verify the authenticity of a user.

Before You Begin

You must be a Super Admin or System Admin.

Procedure

Step 1 Choose Administration > Identity Management > External Identity Sources > Certificate Authentication Profile > Add.
Step 2 Enter the name and an optional description for the certificate authentication profile.
Step 3 Select an identity store from the drop-down list. Basic certificate checking does not require an identity source. If you want binary comparison checking for the certificates, you must select an identity source. If you select Active Directory as an identity source, subject and common name and subject alternative name (all values) can be used to look up a user.
Step 4 Select the use of identity from Certificate Attribute or Any Subject or Alternative Name Attributes in the Certificate. This will be used in logs and for lookups. If you choose Any Subject or Alternative Name Attributes in the Certificate, Active Directory UPN will be used as the username for logs and all subject names and alternative names in a certificate will be tried to look up a user. This option is available only if you choose Active Directory as the identity source.
Step 5 Choose when you want to Match Client Certificate Against Certificate In Identity Store. For this you must select an identity source (LDAP or Active Directory). If you select Active Directory, you can choose to match certificates only to resolve identity ambiguity.
• Never: This option never performs a binary comparison.
• Only to resolve identity ambiguity: This option performs the binary comparison of client certificate to certificate on account in Active Directory only if ambiguity is encountered. For example, several Active Directory accounts matching the identity names from the certificate are found.
• Always perform binary comparison: This option always performs the binary comparison of client certificate to certificate on account in identity store (Active Directory or LDAP).
Step 6 Click Submit to add the certificate authentication profile or save the changes.

Active Directory as an External Identity Source

Cisco ISE uses Microsoft Active Directory as an external identity source to access resources such as users, machines, groups, and attributes. User and machine authentication in Active Directory allows network access only to users and devices that are listed in Active Directory.

Active Directory Supported Authentication Protocols and Features

Active Directory supports features such as user and machine authentication and, with some protocols, changing Active Directory user passwords. The following table lists the authentication protocols and the respective features that are supported by Active Directory.

Table 16: Authentication Protocols Supported by Active Directory

Authentication Protocols | Features
EAP-FAST and password based Protected Extensible Authentication Protocol (PEAP) | User and machine authentication with the ability to change passwords using EAP-FAST and PEAP with an inner method of MS-CHAPv2 and EAP-GTC
Password Authentication Protocol (PAP) | User and machine authentication
Microsoft Challenge Handshake Authentication Protocol Version 1 (MS-CHAPv1) | User and machine authentication
Microsoft Challenge Handshake Authentication Protocol Version 2 (MS-CHAPv2) | User and machine authentication
Extensible Authentication Protocol-Generic Token Card (EAP-GTC) | User and machine authentication
Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) | User and machine authentication; groups and attributes retrieval; binary certificate comparison
Extensible Authentication Protocol-Flexible Authentication via Secure Tunneling-Transport Layer Security (EAP-FAST-TLS) | User and machine authentication; groups and attributes retrieval; binary certificate comparison
Protected Extensible Authentication Protocol-Transport Layer Security (PEAP-TLS) | User and machine authentication; groups and attributes retrieval; binary certificate comparison
Lightweight Extensible Authentication Protocol (LEAP) | User authentication

Active Directory Attribute and Group Retrieval for Use in Authorization Policies

Cisco ISE retrieves user or machine attributes and groups from Active Directory for use in authorization policy rules. These attributes can be used in Cisco ISE policies and determine the authorization level for a user or machine. Cisco ISE retrieves user and machine Active Directory attributes after successful authentication and can also retrieve attributes for an authorization that is independent of authentication.

Cisco ISE may use groups in external identity stores to assign permissions to users or computers; for example, to map users to sponsor groups. You should note the following restrictions on group memberships in Active Directory:
• Policy rule conditions may reference any of the following: a user's or computer's primary group, the groups of which a user or computer is a direct member, or indirect (nested) groups.
• Domain local groups outside a user's or computer's account domain are not supported.

Attributes and groups are retrieved and managed per join point. They are used in authorization policy (by selecting first the join point and then the attribute). You cannot define attributes or groups per scope for authorization, but you can use scopes for authentication policy. When you use a scope in authentication policy, it is possible that a user is authenticated via one join point, but attributes and/or groups are retrieved via another join point that has a trust path to the user's account domain. You can use authentication domains to ensure that no two join points in one scope have any overlap in authentication domains.

Note: See Microsoft-imposed limits on the maximum number of usable Active Directory groups: http://technet.microsoft.com/en-us/library/active-directory-maximum-limits-scalability(v=WS.10).aspx

An authorization policy fails if the rule contains an Active Directory group name with special characters such as /, !, @, \, #, $, %, ^, &, *, (, ), _, +, or ~.
Active Directory Certificate Retrieval for Certificate-Based Authentication

Cisco ISE supports certificate retrieval for user and machine authentication that uses the EAP-TLS protocol. The user or machine record on Active Directory includes a certificate attribute of the binary data type. This certificate attribute can contain one or more certificates. Cisco ISE identifies this attribute as userCertificate and does not allow you to configure any other name for this attribute. Cisco ISE retrieves this certificate and uses it to perform binary comparison.

The certificate authentication profile determines the field from which the username is taken in order to look up the user in Active Directory for retrieving certificates, for example, Subject Alternative Name (SAN) or Common Name. After Cisco ISE retrieves the certificate, it performs a binary comparison of this certificate with the client certificate. When multiple certificates are received, Cisco ISE compares the certificates to check for one that matches. When a match is found, the user or machine authentication is passed.

Active Directory User Authentication Process Flow

When authenticating or querying a user, Cisco ISE checks the following:
• MS-CHAP and PAP authentications check if the user is disabled, locked out, expired or out of logon hours, and the authentication fails if any of these conditions is true.
• EAP-TLS authentications check if the user is disabled or locked out, and the authentication fails if either of these conditions is met.

Support for Active Directory Multidomain Forests

Cisco ISE supports Active Directory with multidomain forests. Within each forest, Cisco ISE connects to a single domain, but can access resources from the other domains in the Active Directory forest if trust relationships are established between the domain to which Cisco ISE is connected and the other domains.

Refer to Release Notes for Cisco Identity Services Engine for a list of Windows Server Operating Systems that support Active Directory services.

Note: Cisco ISE does not support Microsoft Active Directory servers that reside behind a network address translator and have a Network Address Translation (NAT) address.

Prerequisites for Integrating Active Directory and Cisco

This section describes the manual steps necessary in order to configure Active Directory for integration with Cisco. However, in most cases, you can enable Cisco to automatically configure Active Directory. The following are the prerequisites to integrate Active Directory with Cisco.
• Ensure you have the privileges of a Super Admin or System Admin in ISE.
• Use the Network Time Protocol (NTP) server settings to synchronize the time between the Cisco server and Active Directory. You can configure NTP settings from the Cisco CLI.
• Cisco ISE can connect with multiple Active Directory domains that do not have a two-way trust or have zero trust between them. If you want to query other domains from a specific join point, ensure that trust relationships exist between the join point and the other domains that have user and machine information to which you need access. If trust relationships do not exist, you must create another join point to the untrusted domain. For more information on establishing trust relationships, refer to Microsoft Active Directory documentation.
• You must have at least one global catalog server operational and accessible by Cisco, in the domain to which you are joining Cisco.
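As an added example (not Cisco's code), the following Go program models the lookup-then-binary-comparison flow described in the Certificate Authentication Profile and Active Directory Certificate Retrieval sections above: candidate usernames are taken from the client certificate's subject CN and subject alternative names, matching accounts are resolved, and the presented DER is compared byte-for-byte against each value of the multi-valued userCertificate attribute. The `account` type, the map keyed by identity name standing in for the directory, the self-signed test certificates, and the mode strings "never", "ambiguity" and "always" (standing for the three profile options) are all constructed assumptions.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// account is a constructed stand-in for an Active Directory object; UserCertificate mirrors the
// multi-valued binary attribute of that name and may hold several DER certificates.
type account struct {
	Name            string
	UserCertificate [][]byte
}
// principalNames returns the subject CN plus the DNS and e-mail SANs of a client certificate,
// i.e. the "any subject or alternative name attributes" lookup described above.
func principalNames(c *x509.Certificate) []string {
	n := append([]string{c.Subject.CommonName}, c.DNSNames...)
	return append(n, c.EmailAddresses...)
}
// authenticate resolves accounts by each candidate name (store is keyed by identity name), then
// applies the profile option: "never", "ambiguity" (only to resolve identity ambiguity) or "always".
func authenticate(clientDER []byte, store map[string][]account, mode string) string {
	cert, err := x509.ParseCertificate(clientDER)
	if err != nil {
		return ""
	}
	seen, hits := map[string]bool{}, []account{}
	for _, n := range principalNames(cert) {
		for _, a := range store[n] {
			if !seen[a.Name] {
				seen[a.Name], hits = true, append(hits, a)
			}
		}
	}
	if mode == "never" || (mode == "ambiguity" && len(hits) == 1) {
		if len(hits) == 1 {
			return hits[0].Name // name lookup alone decides; several hits without comparison fail
		}
		return ""
	}
	for _, a := range hits { // binary comparison: byte-for-byte DER equality, not a field match
		for _, stored := range a.UserCertificate {
			if bytes.Equal(clientDER, stored) {
				return a.Name
			}
		}
	}
	return ""
}
// selfSigned builds a constructed test certificate with the given CN and e-mail SAN.
func selfSigned(cn, email string) []byte {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		EmailAddresses: []string{email}, NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	return der
}
```

With comparison set to Never or Only to resolve identity ambiguity, a unique name hit is accepted without examining the certificate bytes, so a different certificate carrying the same CN and SANs authenticates as that account; Always perform binary comparison closes that gap.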
Active Directory Account Permissions Required for Performing Various Operations

Join Operations

For the account that is used to perform the join operation, the following permissions are required:
• Search Active Directory (to see if a Cisco machine account already exists)
• Create Cisco machine account to domain (if the machine account does not already exist)
• Set attributes on the new machine account (for example, Cisco machine account password, SPN, dnsHostname)

Leave Operations

For the account that is used to perform the leave operation, the following permissions are required:
• Search Active Directory (to see if a Cisco machine account already exists)
• Remove Cisco machine account from domain

If you perform a force leave (leave without the password), it will not remove the machine account from the domain.

Cisco Machine Accounts

For the newly created Cisco machine account that is used to communicate to the Active Directory connection, the following permissions are required:
• Ability to change own password
• Read the user/machine objects corresponding to users/machines
• Query some parts of the Active Directory to learn about required information (for example, trusted domains, alternative UPN suffixes and so on)
• Ability to read tokenGroups attribute

You can precreate the machine account in Active Directory, and if the SAM name matches the Cisco appliance hostname, it should be located during the join operation and re-used.

If multiple join operations are performed, multiple machine accounts are maintained inside Cisco, one for each join.

Note: The credentials used for the join or leave operation are not stored in Cisco. Only the newly created Cisco machine account credentials are stored, and this is in order to enable the Endpoint probe to run as well.
Network Ports That Must Be Open for Communication

Protocol | Port (remote-local) | Target | Authenticated | Notes
DNS (TCP/UDP) | Random number greater than or equal to 49152 | DNS Servers/AD Domain Controllers | No | —
MSRPC | 445 | Domain Controllers | Yes | —
Kerberos (TCP/UDP) | 88 | Domain Controllers | Yes (Kerberos) | MS AD/KDC
LDAP (TCP/UDP) | 389 | Domain Controllers | Yes | —
LDAP (GC) | 3268 | Global Catalog Servers | Yes | —
NTP | 123 | NTP Servers/Domain Controllers | No | —
IPC | 80 | Other ISE Nodes in the Deployment | Yes (Using RBAC credentials) | —

DNS Server

While configuring your DNS server, make sure that you take care of the following:
• The DNS servers that you configure in Cisco ISE must be able to resolve all forward and reverse DNS queries for the domains that you want to use.
• Using the authoritative DNS server to resolve Active Directory records is recommended, as DNS recursion can cause delays and have a significant negative impact on performance.
• All DNS servers must be able to answer SRV queries for DCs, GCs, and KDCs with or without additional Site information.
• Cisco recommends that you add the server IP addresses to SRV responses to improve performance.
• Avoid using DNS servers that query the public Internet. They can leak information about your network when an unknown name has to be resolved.

Configure Active Directory as an External Identity Source

Before you configure Active Directory as an External Identity Source, make sure that:
• Cisco ISE hostnames are 15 characters or less in length. Active Directory does not allow hostnames longer than 15 characters.
• The Microsoft Active Directory server does not reside behind a network address translator and does not have a Network Address Translation (NAT) address.
• The Microsoft Active Directory account intended for the join operation is valid and is not configured with Change Password on Next Login.
• You have the privileges of a Super Admin or System Admin in ISE.

Note: If you see operational issues when Cisco ISE is connected to Active Directory, see the AD Connector Operations Report under Operations > Reports.

You must perform the following tasks to configure Active Directory as an external identity source.
1 Add an Active Directory Join Point and Join Cisco ISE Node to the Join Point, on page 254
2 Configure Authentication Domains, on page 256
3 Configure Active Directory User Groups, on page 257
4 Configure Active Directory User and Machine Attributes, on page 258
5 (Optional) Modify Password Changes, Machine Authentications, and Machine Access Restriction Settings, on page 258

Add an Active Directory Join Point and Join Cisco ISE Node to the Join Point

Before You Begin

Make sure that the Cisco ISE node can communicate with the networks where the NTP servers, DNS servers, domain controllers, and global catalog servers are located. You can check these parameters by running the Domain Diagnostic tool.

Join points must be created in order to work with Active Directory as well as with the Agent, Syslog, SPAN and Endpoint probes of the PassiveID Work Center.

Procedure

Step 1 Choose Administration > Identity Management > External Identity Sources > Active Directory.
Step 2 Click Add and enter the domain name and identity store name from the Active Directory Join Point Name settings.
Step 3 Click Submit. A pop-up appears asking if you want to join the newly created join point to the domain. Click Yes if you want to join immediately. If you clicked No, then saving the configuration saves the Active Directory domain configuration globally (in the primary and secondary policy service nodes), but none of the Cisco ISE nodes are joined to the domain yet.