Cisco ISE maintains a cost-based routing table to make the best use of the RSA servers in the realm. You can, however, choose to override this routing with a manual configuration for each Cisco ISE server for the realm using a text file called sdopts.rec through the Admin portal. Refer to the RSA documentation for information on how to create this file.

RSA Node Secret Reset

The securid file is a secret node key file. When RSA is initially set up, it uses a secret to validate the agents. When the RSA agent that resides in Cisco ISE successfully authenticates against the RSA server for the first time, it creates a file on the client machine called securid and uses it to ensure that the data exchanged between the machines is valid. At times, you may have to delete the securid file from a specific Cisco ISE server or a group of servers in your deployment (for example, after a key reset on the RSA server). You can use the Cisco ISE Admin portal to delete this file from a Cisco ISE server for the realm. When the RSA agent in Cisco ISE authenticates successfully the next time, it creates a new securid file.

Note: If authentications fail after upgrading to a later release of Cisco ISE, reset the RSA secret.

RSA Automatic Availability Reset

The sdstatus.12 file provides information about the availability of RSA servers in the realm. For example, it provides information on which servers are active and which are down. The agent module works with the RSA servers in the realm to maintain this availability status. This information is serially listed in the sdstatus.12 file, which is sourced in a well-known location in the Cisco ISE file system. Sometimes this file becomes stale and the current status is not reflected in it. You must remove this file so that the current status can be recreated. You can use the Admin portal to delete the file from a specific Cisco ISE server for a specific realm. Cisco ISE coordinates with the RSA agent and ensures correct restart phasing.

The availability file sdstatus.12 is deleted whenever the securid file is reset, or the sdconf.rec or sdopts.rec files are updated.
Add RSA Identity Sources

To create an RSA identity source, you must import the RSA configuration file (sdconf.rec). You must obtain the sdconf.rec file from your RSA administrator. To perform this task, you must be a Super Admin or System Admin.

Adding an RSA identity source involves the following tasks:

Import the RSA Configuration File

You must import the RSA configuration file to add an RSA identity source in Cisco ISE.

Procedure

Step 1 Choose Administration > Identity Management > External Identity Sources > RSA SecurID > Add.
Step 2 Click Browse to choose the new or updated sdconf.rec file from the system that is running your client browser.

Cisco Identity Services Engine Administrator Guide, Release 1.3 285 RSA Identity Sources
When you create the RSA identity source for the first time, the Import new sdconf.rec file field is mandatory. From then on, you can replace the existing sdconf.rec file with an updated one, but replacing the existing file is optional.
Step 3 Enter the server timeout value in seconds. Cisco ISE waits for a response from the RSA server for the amount of time specified before it times out. This value can be any integer from 1 to 199. The default value is 30 seconds.
Step 4 Check the Reauthenticate on Change PIN check box to force a reauthentication when the PIN is changed.
Step 5 Click Save.

Cisco ISE also supports the following scenarios:
• Configuring the Options File for a Cisco ISE Server and Resetting SecurID and sdstatus.12 Files.
• Configuring Authentication Control Options for RSA Identity Source.

Configure the Options File for a Cisco ISE Server and Reset the SecurID and sdstatus.12 Files

Procedure

Step 1 Log in to the Cisco ISE server.
Step 2 Choose Administration > Identity Management > External Identity Sources > RSA SecurID > Add.
Step 3 Click the RSA Instance Files tab.
This page lists the sdopts.rec files for all the Cisco ISE servers in your deployment.
Step 4 Click the radio button next to the sdopts.rec file for a particular Cisco ISE server, and click Update Options File.
The existing file is displayed in the Current File region.
Step 5 Choose one of the following:
• Use the Automatic Load Balancing status maintained by the RSA agent—Choose this option if you want the RSA agent to automatically manage load balancing.
• Override the Automatic Load Balancing status with the sdopts.rec file selected below—Choose this option if you want to manually configure load balancing based on your specific needs. If you choose this option, you must click Browse and choose the new sdopts.rec file from the system that is running your client browser.
Step 6 Click OK.
Step 7 Click the row that corresponds to the Cisco ISE server to reset the securid and sdstatus.12 files for that server:
a) Click the drop-down arrow and choose Remove on Submit in the Reset securid File and Reset sdstatus.12 File columns.
Note: The Reset sdstatus.12 File field is hidden from your view. Using the vertical and horizontal scroll bars in the innermost frame, scroll down and then to your right to view this field.
b) Click Save in this row to save the changes.
Step 8 Click Save.

Configure Authentication Control Options for RSA Identity Source

You can specify how Cisco ISE defines authentication failures and enable identity caching. The RSA identity source does not differentiate between "Authentication failed" and "User not found" errors and sends an Access-Reject response for both.

You can define how Cisco ISE should handle such failures while processing requests and reporting failures. This choice also matters when the RSA identity source is used in an identity source sequence: a reject that Cisco ISE reports as "user not found" is handled like any other user-not-found result, so the sequence may proceed to the next store, whereas "authentication failed" ends the search. Identity caching enables Cisco ISE to process requests that fail to authenticate against the Cisco ISE server the second time. The results and the attributes retrieved from the previous authentication are available in the cache.

Procedure

Step 1 Choose Administration > Identity Management > External Identity Sources > RSA SecurID > Add.
Step 2 Click the Authentication Control tab.
Step 3 Choose one of the following:
• Treat Rejects as "authentication failed"—Choose this option if you want the rejected requests to be treated as failed authentications.
• Treat Rejects as "user not found"—Choose this option if you want the rejected requests to be treated as user not found errors.
Step 4 Click Save to save the configuration.

Configure RSA Prompts

Cisco ISE allows you to configure RSA prompts that are presented to the user while processing requests sent to the RSA SecurID server.

Before You Begin
To perform the following task, you must be a Super Admin or System Admin.

Procedure

Step 1 Choose Administration > Identity Management > External Identity Sources > RSA SecurID.
Step 2 Click Prompts.
Step 3 Enter the values as described in RSA SecurID Identity Source Settings.
Step 4 Click Submit.
Configure RSA Messages

Cisco ISE allows you to configure messages that are presented to the user while processing requests sent to the RSA SecurID server.

Before You Begin
To perform the following task, you must be a Super Admin or System Admin.

Procedure

Step 1 Choose Administration > Identity Management > External Identity Sources > RSA SecurID.
Step 2 Click Prompts.
Step 3 Click the Messages tab.
Step 4 Enter the values as described in RSA SecurID Identity Source Settings.
Step 5 Click Submit.

Identity Source Sequences

Identity source sequences define the order in which Cisco ISE looks for user credentials in the different databases. Cisco ISE supports the following identity sources:
• Internal Users
• Guest Users
• Active Directory
• LDAP
• RSA
• RADIUS Token Servers
• Certificate Authentication Profiles

If you have user information in more than one of the databases that are connected to Cisco ISE, you can define the order in which you want Cisco ISE to look for information in these identity sources. Once a match is found, Cisco ISE does not look any further, but evaluates the credentials, and returns the result to the user. This policy is the first match policy.

Create Identity Source Sequences

Before You Begin
Ensure that you have configured your external identity sources in Cisco ISE.
To perform the following task, you must be a Super Admin or System Admin.
For allowing guest users to authenticate through Local WebAuth, you must configure both the Guest Portal authentication source and the identity source sequence to contain the same identity stores.

Procedure

Step 1 Choose Administration > Identity Management > Identity Source Sequences > Add.
Step 2 Enter a name for the identity source sequence. You can also enter an optional description.
Step 3 Check the Select Certificate Authentication Profile check box and choose a certificate authentication profile for certificate-based authentication.
Step 4 Choose the database or databases that you want to include in the identity source sequence in the Selected List box.
Step 5 Rearrange the databases in the Selected list in the order in which you want Cisco ISE to search the databases.
Step 6 Choose one of the following options in the Advanced Search List area:
• Do not access other stores in the sequence and set the AuthenticationStatus attribute to ProcessError—If you want Cisco ISE to discontinue the search if the user is not found in the first selected identity source.
• Treat as if the user was not found and proceed to the next store in the sequence—If you want Cisco ISE to continue searching the other selected identity sources in sequence if the user is not found in the first selected identity source.
While processing a request, Cisco ISE searches these identity sources in sequence. Ensure that you have the identity sources in the Selected list box listed in the order in which you want Cisco ISE to search them.
Step 7 Click Submit to create the identity source sequence that you can then use in policies.

Delete Identity Source Sequences

You can delete identity source sequences that you no longer use in policies.

Before You Begin
• Ensure that the identity source sequence that you are about to delete is not used in any authentication policy.
• To perform the following task, you must be a Super Admin or System Admin.

Procedure

Step 1 Choose Administration > Identity Management > Identity Source Sequences.
Step 2 Check the check box next to the identity source sequence or sequences that you want to delete, then click Delete.
Step 3 Click OK to delete the identity source sequence or sequences.
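The RSA Authentication Control choice (Treat Rejects as "authentication failed" or "user not found") and the Advanced Search List option of an identity source sequence interact, because the sequence only falls through to the next store on a user-not-found result. The following Python model is an added example and not Cisco ISE code; the store names, sample users, token passcodes and passwords are constructed for illustration. It walks a sequence of an RSA SecurID store followed by an Internal Users store and shows which combination of settings lets a request reach the second store.

```python
"""Model of first-match evaluation of a Cisco ISE identity source sequence
(illustrative only; not Cisco ISE code)."""
from enum import Enum
from typing import Callable, Dict, List, Optional, Tuple


class Result(Enum):
    PASS = "Pass"
    FAIL = "Authentication failed"
    NOT_FOUND = "User not found"
    PROCESS_ERROR = "ProcessError"


class RejectMode(Enum):
    """Authentication Control tab of the RSA identity source."""
    AUTH_FAILED = "Treat Rejects as authentication failed"
    USER_NOT_FOUND = "Treat Rejects as user not found"


class NotFoundMode(Enum):
    """Advanced Search List option of the identity source sequence."""
    PROCESS_ERROR = "Do not access other stores; set AuthenticationStatus to ProcessError"
    PROCEED = "Treat as if the user was not found and proceed to the next store"


Store = Callable[[str, str], Result]   # (username, credential) -> Result


def internal_users(db: Dict[str, str]) -> Store:
    """Password store that can tell a bad password from an unknown user."""
    def lookup(user: str, credential: str) -> Result:
        if user not in db:
            return Result.NOT_FOUND
        return Result.PASS if db[user] == credential else Result.FAIL
    return lookup


def rsa_securid(tokens: Dict[str, str], mode: RejectMode) -> Store:
    """RSA store: the agent only reports Accept or Reject, so an unknown user
    and a wrong passcode look identical. The Authentication Control setting
    decides how Cisco ISE classifies a Reject."""
    def lookup(user: str, passcode: str) -> Result:
        if tokens.get(user) == passcode:
            return Result.PASS
        return Result.FAIL if mode is RejectMode.AUTH_FAILED else Result.NOT_FOUND
    return lookup


def evaluate_sequence(stores: List[Tuple[str, Store]], not_found_mode: NotFoundMode,
                      user: str, credential: str) -> Tuple[Result, Optional[str]]:
    """First-match evaluation over the Selected list.

    PASS or FAIL from a store ends the search (Cisco ISE does not look any
    further). NOT_FOUND either aborts with ProcessError or falls through to
    the next store, depending on the Advanced Search List option."""
    for name, store in stores:
        outcome = store(user, credential)
        if outcome in (Result.PASS, Result.FAIL):
            return outcome, name
        if not_found_mode is NotFoundMode.PROCESS_ERROR:
            return Result.PROCESS_ERROR, name
    return Result.NOT_FOUND, None


# Constructed sample data for the demo; not taken from any deployment.
RSA_TOKENS = {"alice": "1234567890"}                 # alice holds a SecurID token
INTERNAL_USERS = {"alice": "pw-alice", "bob": "s3cret"}


def demo(reject_mode: RejectMode, not_found_mode: NotFoundMode,
         user: str, credential: str) -> Tuple[Result, Optional[str]]:
    """Sequence under test: RSA SecurID first, Internal Users second."""
    stores = [("RSA SecurID", rsa_securid(RSA_TOKENS, reject_mode)),
              ("Internal Users", internal_users(INTERNAL_USERS))]
    return evaluate_sequence(stores, not_found_mode, user, credential)


if __name__ == "__main__":
    for rm in RejectMode:
        for nm in NotFoundMode:
            print(rm.name, nm.name, demo(rm, nm, "bob", "s3cret"),
                  demo(rm, nm, "alice", "pw-alice"))
```

Running the model shows the consequence to weigh before choosing Treat Rejects as "user not found" together with the proceed option: a user who fails the SecurID passcode check but has a password in a later store (alice in the model) is passed by that later store, so the token check is effectively optional for that user. With Treat Rejects as "authentication failed", the RSA result is final for everyone, including users RSA has never heard of (bob), which is why the page recommends the Selected list order be chosen deliberately.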
Identity Source Details in Reports

Cisco ISE provides information about the identity sources through the Authentications dashlet and Identity Source reports.

Authentications Dashlet

From the Authentications dashlet, you can drill down to find more information including failure reasons. Choose Operations > Authentications to view the real-time authentication summary. For more information, see Recent RADIUS Authentications, on page 857.

Identity Source Reports

Cisco ISE provides various reports that include information about identity sources. See Available Reports, on page 666, for a description of these reports.
CHAPTER 15

Configure Guest Access

• Cisco ISE Guest Services, page 291
• Guest and Sponsor Accounts, page 292
• Guest Portals, page 303
• Sponsor Portals, page 316
• Monitor Guest and Sponsor Activity, page 325
• Guest Access Web Authentication Options, page 327

Cisco ISE Guest Services

Cisco Identity Services Engine (ISE) guest services enable you to provide secure network access to guests such as visitors, contractors, consultants, and customers. You can support guests with base Cisco ISE licenses, and you can choose from several deployment options depending on your company's infrastructure and feature requirements.

Cisco ISE provides web-based and mobile portals to provide on-boarding for guests and employees to your company's network and internal resources and services.

From the Admin portal, you can create and edit guest and sponsor portals, configure guest access privileges by defining their guest type, and assign sponsor privileges for creating and managing guest accounts.
• Guest Portals, on page 303
• Guest Types and User Identity Groups, on page 292
• Sponsor Portals, on page 316
• Sponsor Groups, on page 317

End-User Guest and Sponsor Portals in Distributed Environment

Cisco ISE end-user web portals depend on the Administration, Policy Services, and Monitoring personas to provide configuration, session support, and reporting.
• Administration Node—Configuration changes that you make to users, devices, and end-user portals are written to the Administration node.
• Policy Services Node—The end-user portals run on a Policy Services Node, which handles all session traffic, including network access, client provisioning, guest services, posture, and profiling. If a Policy Service Node is part of a node group, and one node fails, the other nodes detect the failure and reset any pending sessions.
• Monitoring Node—The Monitoring node collects, aggregates, and reports data about the end-user and device activity on the My Devices, Sponsor, and Guest portals. If the primary Monitoring node fails, the secondary Monitoring node automatically becomes the primary Monitoring node.

Guest and Sponsor Accounts

• Guest Accounts—Guests typically represent authorized visitors, contractors, customers, or other users who require temporary access to your network. You can also use guest accounts for employees if you prefer to use one of the guest deployment scenarios to allow employees to access the network. You can access the Sponsor portal to view guest accounts created by a sponsor and by self-registering guests.
• Sponsor Accounts—Use the Sponsor portal to create temporary accounts for authorized visitors to securely access your corporate network or the Internet. After creating the guest accounts, you also can use the Sponsor portal to manage these accounts and provide account details to the guests.

Guest accounts can be created by:
• Sponsors—On the Admin portal, you can define the access privileges and feature support for sponsors, who can access the Sponsor portal to create and manage guest accounts.
• Guests—Guests can also create their own accounts by registering themselves on the Self-Registered Guest portal. Based on the portal configuration, these self-registering guests may need sponsor approval before they receive their login credentials.
Guests can also choose to access the network using the Hotspot Guest portal, which does not require the creation of guest accounts and login credentials, such as username and password.
• Employees—Employees who are included in identity stores (such as Active Directory, LDAP, Internal Users) can also gain access through the credentialed Guest portals (Sponsored-Guest and Self-Registered Guest portals), if configured.

After their guest accounts are created, guests can use the Sponsored-Guest portal to log in and gain access to the network.

Guest Types and User Identity Groups

Each guest account must be associated with a guest type. Guest types allow a sponsor to assign different levels of access and different network connection times to a guest account. These guest types are associated with particular network access policies. Cisco ISE includes these default guest types:
• Contractor—Users who need access to the network for an extended amount of time, up to a year.
• Daily—Guests who need access to the resources on the network for just 1 to 5 days.
• Weekly—Users who need access to the network for a couple of weeks.
When creating guest accounts, certain sponsor groups can be restricted to using specific guest types. Members of such a group can create guests with only the features specified for their guest type. For instance, the sponsor group ALL_ACCOUNTS can be set up to use only the Contractor guest type, and the sponsor groups OWN_ACCOUNTS and GROUP_ACCOUNTS can be set up to use the Daily and Weekly guest types. Also, since self-registering guests using the Self-Registered Guest portal typically need access for just a day, you can assign them the Daily guest type.

The guest type defines the user identity group for a guest.

For more information, see:
• User Identity Groups, on page 242
• Create a User Identity Group, on page 245

Create or Edit a Guest Type

Besides creating new guest types, you can edit the default Guest Types' default access privileges and settings. The changes that you make are applied to the existing Guest accounts that were created using this Guest Type. Guest users who are logged in do not see these changes until they log out and log in again. You can also duplicate a Guest Type to create additional Guest Types with the same access privileges.

Each Guest Type has a name, description, and a list of sponsor groups that can create guest accounts with this guest type. You can designate some guest types as follows: use just for self-registering guests, or do not use to create Guest accounts (by any sponsor group).

Procedure

Fill in the following fields.
• Guest type name—Provide a name (from 1 to 256 characters) that distinguishes this Guest Type from the other Guest Types.
• Description—Provide additional information (maximum of 2000 characters) about the recommended use of this Guest Type, for example, "Use for self-registering Guests" or "Do not use for Guest account creation".
• Language File—This field allows you to export and import the language file, which contains content for the email subject, email message, and SMS messages in all supported languages. These languages and content are used in notifications about an expired account, and are sent to guests who are assigned to this guest type. If you are creating a new guest type, this feature is disabled until after you save the guest type. For more information about editing the language file, see Portal Language Customization, on page 390.
• Collect Additional Data—Click the Custom Fields... button to select which custom fields to use to collect additional data from guests using this Guest Type.
To manage custom fields, choose Work Centers > Guest Access > Settings > Custom Fields.
• Maximum Access Time
◦ Maximum account duration—Enter the number of days, hours, or minutes that guests assigned to this guest type can log on.
Note: The account purge policy checks for expired guest accounts and sends expiration notifications. This policy runs every 20 minutes, so if you set the account duration to less than 20 minutes, it is possible that expiration notices are not sent out before the account is purged.
You can specify the duration and the days of the week when access is provided to the guests of this Guest Type by using the Allow access only on these days and times option.
◦ The days of the week that you select limit access to the dates that are selectable in the Sponsor's calendar.
◦ Maximum account duration is enforced in the sponsor portal, when the Sponsor picks duration and dates.
The settings you make here for access time affect the time settings that are available on the sponsor portal when creating a guest account.
• Logon Options
◦ Maximum simultaneous logins—Enter the maximum number of user sessions that users assigned to this Guest Type can have running concurrently.
◦ When guest exceeds limit—When you select Maximum simultaneous logins, you must also select the action to take when a user connects after the maximum number of logins is reached:
◦ Disconnect the oldest connection
◦ Disconnect the newest connection—Optionally select Redirect user to a portal page showing an error message: an error message is displayed for a configurable amount of time, then the session is disconnected, and the user is redirected to the Guest portal. The error page's content is configured in the Portal Page Customization dialog, on the Messages > Error Messages page.
◦ Maximum devices guests can register—Enter the maximum number of devices that can be registered to each Guest. You can set the limit to a number lower than what is already registered for the Guests of this Guest Type; this only affects newly created Guest accounts.
◦ Endpoint identity group for guest device registration—Choose an endpoint identity group to assign to guest devices. Cisco ISE provides the GuestEndpoints endpoint identity group to use as a default. You can also create more endpoint identity groups if you choose not to use the default.
◦ Allow guest to bypass the Guest portal—Allows users to bypass the credentialed guest-type captive portal (web authentication page), and access the network by providing credentials to wired and wireless (dot1x) supplicants or VPN clients. Guest accounts change to the Active state, bypassing the Awaiting Initial Login state and the AUP page, even if the AUP is required.
If you do not enable this setting, users must first log in through the credentialed Guest captive portal before they are able to access other parts of the network.
• Account Expiration Notification
◦ Send account expiration notification __ days before account expires—Send a notification to Guests before their account expires and specify how many days, hours, or minutes before the expiration.