Cisco Ise 13 User Guide
1. In ISE, choose Work Centers > Guest Access > Portals & Components > Sponsor Portals, and edit your sponsor portal.
2. Select the Portal Page Customization tab.
3. Scroll down and select Create Account for Known Guests.
• On the Preview display on the right, select Settings.
These settings determine which fields display and are required for guest accounts when they are created on the sponsor portal.
This configuration applies to Known, Random, and Imported guest types. The template that the sponsor downloads to import new users is created dynamically, so that only the fields set in Known Guests are included.

Sponsors Cannot Log In to the Sponsor Portal

Problem
The following error message appears when a sponsor tries to log in to the Sponsor portal:
“Invalid username or password. Please try again.”

Causes
• The sponsor has entered invalid credentials.
• The sponsor is not valid because the user record is not present in the database (Internal Users or Active Directory).
• The sponsor group to which the sponsor belongs is disabled.
• The Sponsor's user account is not a member of an active/enabled Sponsor Group, which means the Sponsor user's Identity Group is not a member of any Sponsor Group.
• The sponsor’s internal user account is disabled (suspended).

Solution
• Verify the user’s credentials.
• Enable the sponsor group.
• Reinstate the user account if disabled.
• Add the sponsor user's Identity Group as a member of a Sponsor Group.

Monitor Guest and Sponsor Activity

Cisco ISE provides various reports and logs that allow you to view endpoint and user management information and guest and sponsor activity. Some of the Cisco ISE 1.2 reports have been deprecated, but the information can be viewed in other reports.
You can run these reports either on demand or on a scheduled basis.

Cisco Identity Services Engine Administrator Guide, Release 1.3, page 325, Monitor Guest and Sponsor Activity
Procedure
Step 1 Choose Operations > Reports.
Step 2 Under the Report Selector, expand the Guest Access Reports and Endpoints and Users selections to view the various guest, sponsor, and endpoint related reports.
Step 3 Select the report and choose the data with which you want to search using the Filters drop-down list. You can use filters on username, portal name, device name, endpoint identity group and other such data.
Step 4 Select the Time Range during which you want to view the data.
Step 5 Click Run.

Metrics Dashboard
Cisco ISE provides an at-a-glance view of Authenticated Guests and Active Endpoints in the network in a metrics dashboard that appears on the Cisco ISE Home page.

AUP Acceptance Status Report
The AUP Acceptance Status report displays the acceptance status of the Acceptable Use Policy (AUP) by guests from all the Guest portals. This report is available at: Operations > Reports > Guest Access Reports > AUP Acceptance Status.
You can use the report to track all the accepted and denied AUP connections for a given period of time.

Guest Accounting Report
The Guest Accounting report displays the guest login history for an indicated time period. This report is available at: Operations > Reports > Guest Access Reports > Guest Accounting.

Master Guest Report
The Master Guest report combines data from various reports into a single view, enabling you to export data from different reporting sources. You can add more data columns and remove the ones you do not want to view or export. This report is available at Operations > Reports > Guest Access Reports > Master Guest.
It now includes information that used to be in the deprecated Guest Activity Report.
This report collects all guest activity and provides details about the websites that guest users visit. You can use this report for security auditing purposes to see when guest users accessed the network and what they did on it. To view the guests’ Internet activity, such as the URLs of the websites that they visited, you must first:
• Enable the passed authentications logging category. Choose Administration > System > Logging > Logging Categories and select Passed authentications.
• Enable these options on the firewall used for guest traffic:
◦ Inspect HTTP traffic and send data to the Cisco ISE Monitoring node. Cisco ISE requires only the IP address and accessed URL for the Guest Activity report; so, limit the data to include just this information, if possible.
◦ Send syslogs to the Cisco ISE Monitoring node.

Sponsor Login and Audit Report
The Sponsor Login and Audit report is a combined report that tracks:
• Login activity by the sponsors at the Sponsor portal.
• Guest-related operations performed by the sponsors in the Sponsor portal.
This report is available at Operations > Reports > Guest Access Reports > Sponsor Login and Audit.

Audit Logging for Guest and Sponsor Portals
During specific actions within the Guest and Sponsor portals, audit log messages are sent to the underlying audit system. By default, these messages appear in the /opt/CSCOcpm/logs/localStore/iseLocalStore.log file. You can configure these messages to be sent by syslog to the monitoring and troubleshooting system and log collector. The monitoring subsystem presents this information in the appropriate sponsor and device audit logs and guest activity logs.
Guest login flow is logged in the audit logs regardless of whether the guest login has passed or failed.

Guest Access Web Authentication Options
Cisco ISE supports several deployment options to enable secure guest access through Cisco ISE Guest and Web Authentication Services. You can provide wired or wireless guest connectivity using Local or Central Web Authentication and Device Registration Web Authentication.
• Central Web Authentication (Central WebAuth)—Applies to all Guest portals. Web authentication is done by a central Cisco ISE RADIUS server for both wired and wireless connection requests. Authentication of the guest device is done after an optional access code is entered by the guest at the Hotspot Guest portals and a username and password are entered by the guest at the Credentialed Guest portals.
• Local Web Authentication (Local WebAuth)—Applies to the Credentialed Guest portals. Serving of the web pages to the guest is done locally either on a network access device (NAD) such as a switch for a wired connection or by the wireless LAN controller (WLC) for a wireless connection. Authentication of the guest device is done after a username and password are entered by the guest at the Credentialed Guest portals.
• Device Registration Web Authentication (Device Registration WebAuth)—Applies only to the Hotspot Guest portal. Web authentication is done after the guest device is registered and authorized for use by Cisco ISE. Guests are directed to the Hotspot Guest portal where they can gain access to the network through either a wired or wireless connection (without entering a username or password).
NAD with Central WebAuth Process
In this scenario, the network access device (NAD) makes a new authorization request to the Cisco ISE RADIUS server from an unknown endpoint connection. The endpoint then receives a url-redirect to Cisco ISE.

Note: The webauth-vrf-aware command is supported only in IOS XE 3.7E, IOS 15.2(4)E or later versions. Other switches do not support WebAuth URL redirect in a virtual routing and forwarding (VRF) environment. In such cases, as a workaround, you can add a route in the global routing table to leak the traffic back into the VRF.

If the guest device is connected to a NAD, the guest service interaction takes the form of a MAC Authentication Bypass (MAB) request that leads to a Guest portal Central WebAuth login. The following is an outline of the subsequent Central Web Authentication (Central WebAuth) process, which applies to both wireless and wired network access devices.
1. The guest device connects to the NAD through a hard-wired connection. There is no 802.1X supplicant on the guest device.
2. An authentication policy with a service type for MAB allows a MAB failure to continue and return a restricted network profile containing a url-redirect for the Central WebAuth user interface.
3. The NAD is configured to authenticate MAB requests to the Cisco ISE RADIUS server.
4. The Cisco ISE RADIUS server processes the MAB request and does not find an endpoint for the guest device.
This MAB failure resolves to the restricted network profile and returns the url-redirect value in the profile to the NAD in an access-accept. To support this function, ensure that an authorization policy exists and features the appropriate wired or wireless MAB (under compound conditions) and, optionally, “Session:PostureStatus=Unknown” conditions. The NAD uses this value to redirect all guest HTTPS traffic on the default port 8443 to the url-redirect value.
The standard URL value in this case is: https://ip:port/guestportal/gateway?sessionId=NetworkSessionId&portal=&action=cwa.
5. The guest device initiates an HTTP request to the redirect URL via a web browser.
6. The NAD redirects the request to the url-redirect value returned from the initial access-accept.
7. The gateway URL value with action CWA redirects to the Guest portal login page.
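The url-redirect value described in step 4 is what the NAD sends every guest browser to, so it is worth checking that the value configured in an authorization profile (or seen in NAD session output) has the expected shape before relying on it. The following is an added example, not code from the Cisco guide; the Policy Service node host names and the session ID it is tested with are constructed samples.

```python
# Added example, not code from the Cisco guide: validate a url-redirect value of the
# form https://ip:port/guestportal/gateway?sessionId=...&portal=&action=cwa before
# trusting it (for instance when reviewing authorization profiles or NAD session
# output). Host names and session IDs used with it are constructed samples.
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit


@dataclass
class CwaRedirect:
    host: str
    port: int
    session_id: str
    portal: str
    action: str


def parse_cwa_redirect(url, allowed_psn_hosts, expected_port=8443):
    """Return the parsed redirect, or raise ValueError describing the first problem."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError(f"url-redirect must use https, got {parts.scheme!r}")
    if parts.hostname not in allowed_psn_hosts:
        raise ValueError(f"redirect host {parts.hostname!r} is not a known Policy Service node")
    port = parts.port if parts.port is not None else 443
    if port != expected_port:
        raise ValueError(f"redirect port {port} does not match the ISE portal port {expected_port}")
    if parts.path != "/guestportal/gateway":
        raise ValueError(f"unexpected gateway path {parts.path!r}")
    # keep_blank_values keeps the empty portal= parameter seen in the standard URL
    query = parse_qs(parts.query, keep_blank_values=True)
    session_id = query.get("sessionId", [""])[0]
    if not session_id:
        raise ValueError("sessionId is empty; ISE cannot tie the login to the NAD session")
    action = query.get("action", [""])[0]
    if action != "cwa":
        raise ValueError(f"action must be 'cwa' for Central WebAuth, got {action!r}")
    return CwaRedirect(parts.hostname, port, session_id, query.get("portal", [""])[0], action)


def redirect_is_valid(url, allowed_psn_hosts, expected_port=8443):
    """Boolean wrapper for bulk checks over many redirect values."""
    try:
        parse_cwa_redirect(url, allowed_psn_hosts, expected_port)
        return True
    except ValueError:
        return False
```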
8. The guest enters their login credentials and submits the login form.
9. The guest server authenticates the login credentials.
10. Depending on the type of flow, the following occurs:
• If it is a non-posture flow (authentication without further validation), where the Guest portal is not configured to perform client provisioning, the guest server sends a CoA to the NAD. This CoA causes the NAD to reauthenticate the guest device using the Cisco ISE RADIUS server. A new access-accept is returned to the NAD with the configured network access. If client provisioning is not configured and the VLAN needs to be changed, the Guest portal performs VLAN IP renew. The guest does not have to re-enter login credentials. The username and password entered for the initial login are used automatically.
• If it is a posture flow, where the Guest portal is configured to perform client provisioning, the guest device web browser displays the Client Provisioning page for posture agent installation and compliance. (You can also optionally configure the client provisioning resource policy to feature a “Network Access:UseCase=GuestFlow” condition.)
Because there is no client provisioning or posture agent for Linux, the Guest portal redirects to the Client Provisioning portal, which in turn redirects back to a guest authentication servlet to perform optional IP release/renew and then CoA.
With redirection to the Client Provisioning portal, the Client Provisioning service downloads a non-persistent web agent to the guest device and performs a posture check of the device. (You can optionally configure the posture policy with a “Network Access:UseCase=GuestFlow” condition.)
If the guest device is non-compliant, ensure that you have configured an authorization policy that features “Network Access:UseCase=GuestFlow” and “Session:PostureStatus=NonCompliant” conditions.
When the guest device is compliant, ensure that you have an authorization policy configured with the conditions “Network Access:UseCase=GuestFlow” and “Session:PostureStatus=Compliant.” From here, the Client Provisioning service issues a CoA to the NAD. This CoA causes the NAD to reauthenticate the guest using the Cisco ISE RADIUS server. A new access-accept is returned to the NAD with the configured network access.

Note: “Network Access:UseCase=GuestFlow” can also apply for Active Directory (AD) and LDAP users who log in as guests.

Wireless LAN Controller with Local WebAuth Process
In this scenario, the guest logs in and is directed to the wireless LAN controller (WLC). The WLC then redirects the guest to a Guest portal, where they are prompted to enter their login credentials, accept an optional Acceptable Use Policy (AUP), and perform an optional password change. When this is complete, the guest device’s browser is redirected back to the WLC to provide login credentials via a POST.
The WLC can now log the guest in via the Cisco ISE RADIUS server. When this is complete, the WLC redirects the guest device's browser to the original URL destination. The Wireless LAN Controller (WLC) and network access device (NAD) requirements to support the original URL redirect for guest portals are WLC 5760 and Cisco Catalyst 3850, 3650, 2000, 3000, and 4000 Series Access Switches running releases IOS-XE 3.6.0.E and 15.2(2)E.

Figure 22: WLC with Local WebAuth Non-Posture Flow

Wired NAD with Local WebAuth Process
In this scenario, the Guest portal redirects the guest login request to the switch (wired NAD). The login request is in the form of an HTTPS URL posted to the switch and contains the login credentials. The switch receives the guest login request and authenticates the guest using the configured Cisco ISE RADIUS server.
1. Cisco ISE requires a login.html file with the HTML redirect to be uploaded to the NAD. This login.html file is returned to the browser of the guest device for any HTTPS request made.
2. The browser of the guest device is redirected to the Guest portal where the guest’s login credentials are entered.
3. After the Acceptable Use Policy (AUP) and change password are processed, both of which are optional, the Guest portal redirects the browser of the guest device to post the login credentials on the NAD.
4. The NAD makes a RADIUS request to the Cisco ISE RADIUS server to authenticate and authorize the guest.
IP Address and Port Values Required for the Login.html Page
The IP address and port values must be changed in the following HTML code for the login.html page to those values being used by the Cisco ISE Policy Services nodes. The default port is 8443, but you can change this value, so ensure that the value you assign to the switch matches the setting in Cisco ISE.
[The login.html code itself did not survive extraction; only its visible text remains: "ISE Guest Portal", "Redirecting...", "Login", "ISE Guest Portal".]
Because the custom login page is a public web form, consider these guidelines:
• The login form must accept user entries for the username and password and must show them as uname and pwd.
• The custom login page should follow best practices for a web form, such as page timeout, hidden password, and prevention of redundant submissions.

HTTPS Server Enabled on the NAD
To use web-based authentication, you must enable the HTTPS server within the switch using the ip http secure-server command.

Support for Customized Authentication Proxy Web Pages on the NAD
You can upload custom pages for success, expiry, and failure to the NAD. Cisco ISE does not require any specific customization, so you can create these pages using the standard configuration instructions included with the NAD.

Configure Web Authentication on the NAD
You need to complete the web authentication on the NAD by replacing the default HTML pages with your custom files.

Before You Begin
During web-based authentication, create four substitute HTML pages to use instead of the switch default HTML pages.
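Before uploading the custom login.html, you can check it against the guidelines given earlier in this section (credentials posted with POST over HTTPS to the NAD, inputs named uname and pwd, password entry hidden). The following is an added example, not code from the Cisco guide or from Cisco's own login page; the sample page and the NAD host name in it are constructed.

```python
# Added example, not code from the Cisco guide: lint a custom login.html against the
# guidelines above (credentials posted over HTTPS to the NAD, fields named uname and
# pwd, password entry hidden). The sample page and the NAD host name are constructed.
from html.parser import HTMLParser
from urllib.parse import urlsplit


class LoginFormParser(HTMLParser):
    def __init__(self):
        super().__init__()
        self.forms = []    # (method, action) for each <form>
        self.inputs = {}   # input name -> attribute dict

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self.forms.append((a.get("method", "get").lower(), a.get("action", "")))
        elif tag == "input" and a.get("name"):
            self.inputs[a["name"]] = a


def check_login_page(html, nad_host):
    """Return the list of guideline violations; an empty list means the page passes."""
    p = LoginFormParser()
    p.feed(html)
    problems = []
    if len(p.forms) != 1:
        problems.append(f"expected exactly one form, found {len(p.forms)}")
    else:
        method, action = p.forms[0]
        target = urlsplit(action)
        if method != "post":
            problems.append("credentials must be sent with POST, not in the query string")
        # A relative action posts back to the NAD that served the page; an absolute one
        # must use HTTPS and name the NAD, so the credentials never leave the browser in clear.
        if target.netloc and (target.scheme != "https" or target.hostname != nad_host):
            problems.append(f"form must post over HTTPS to the NAD, got {action!r}")
    for name in ("uname", "pwd"):
        if name not in p.inputs:
            problems.append(f"missing input named {name!r}")
    pwd = p.inputs.get("pwd")
    if pwd is not None and pwd.get("type", "text").lower() != "password":
        problems.append("pwd input must be type=password so the entry is hidden")
    return problems


# Constructed sample page (the NAD host name is an assumption, not a value from the guide)
SAMPLE_LOGIN_HTML = """<html><head><title>ISE Guest Portal</title></head><body>
<form method="POST" action="https://nad.example.com/">
  Username: <input type="text" name="uname"><br>
  Password: <input type="password" name="pwd"><br>
  <input type="submit" value="Login">
</form></body></html>"""
```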
Procedure
Step 1 To specify the use of your custom authentication proxy web pages, first store your custom HTML files on the switch flash memory. To copy your HTML files to the switch flash memory, run the following command on the switch:
copy tftp/ftp flash
Step 2 After copying your HTML files to the switch, perform the following commands in global configuration mode:
a. ip admission proxy http login page file device:login-filename
   Specifies the location in the switch memory file system of the custom HTML file to use in place of the default login page. The device: is flash memory.
b. ip admission proxy http success page file device:success-filename
   Specifies the location of the custom HTML file to use in place of the default login success page.
c. ip admission proxy http failure page file device:fail-filename
   Specifies the location of the custom HTML file to use in place of the default login failure page.
d. ip admission proxy http login expired page file device:expired-filename
   Specifies the location of the custom HTML file to use in place of the default login expired page.
Step 3 Configure the customized authentication proxy web pages following the guidelines provided by the switch.
Step 4 Verify the configuration of a custom authentication proxy web page, as shown in the following example:
Switch# show ip admission configuration
Authentication proxy webpage
  Login page           : flash:login.htm
  Success page         : flash:success.htm
  Fail Page            : flash:fail.htm
  Login expired Page   : flash:expired.htm
Authentication global cache time is 60 minutes
Authentication global absolute time is 0 minutes
Authentication global init state time is 2 minutes
Authentication Proxy Session ratelimit is 100
Authentication Proxy Watch-list is disabled
Authentication Proxy Auditing is disabled
Max Login attempts per user is 5
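When verifying several switches, the Step 4 output can be checked mechanically for the four custom pages called for in Before You Begin and for the per-user login limit. The following is an added example, not code from the Cisco guide; it embeds the Step 4 output as its test input, and the auditing check is an optional extra, not a requirement the guide states.

```python
# Added example, not code from the Cisco guide: parse the 'show ip admission
# configuration' output from Step 4 and confirm all four custom pages are served
# from flash and the per-user login limit is within the value you expect.
# SAMPLE_OUTPUT is the Step 4 output, embedded here as constructed test input.
import re

SAMPLE_OUTPUT = """\
Authentication proxy webpage
  Login page           : flash:login.htm
  Success page         : flash:success.htm
  Fail Page            : flash:fail.htm
  Login expired Page   : flash:expired.htm
Authentication global cache time is 60 minutes
Authentication global absolute time is 0 minutes
Authentication global init state time is 2 minutes
Authentication Proxy Session ratelimit is 100
Authentication Proxy Watch-list is disabled
Authentication Proxy Auditing is disabled
Max Login attempts per user is 5
"""

PAGE_RE = re.compile(r"^\s*(Login expired Page|Login page|Success page|Fail Page)\s*:\s*(\S+)", re.M)
SETTING_RE = re.compile(r"^(.*?)\s+is\s+(\d+|enabled|disabled)\b", re.M)


def parse_admission_config(text):
    """Split the show output into page paths and named settings (lower-cased keys)."""
    cfg = {"pages": {}, "settings": {}}
    for name, path in PAGE_RE.findall(text):
        cfg["pages"][name.lower()] = path
    for name, value in SETTING_RE.findall(text):
        cfg["settings"][name.strip().lower()] = int(value) if value.isdigit() else value
    return cfg


def check_admission_config(text, max_login_attempts=5, require_auditing=False):
    """Return findings as strings; an empty list means the NAD matches the procedure."""
    cfg = parse_admission_config(text)
    findings = []
    for page in ("login page", "success page", "fail page", "login expired page"):
        path = cfg["pages"].get(page)
        if path is None:
            findings.append(f"{page} is not set; the switch default page will be served")
        elif not path.startswith("flash:"):
            findings.append(f"{page} is {path}, not a file on flash memory")
    s = cfg["settings"]
    if s.get("max login attempts per user", 0) > max_login_attempts:
        findings.append("max login attempts per user is above the expected limit")
    # Auditing is off in the guide's own output; flag it only when the caller asks for it.
    if require_auditing and s.get("authentication proxy auditing") != "enabled":
        findings.append("authentication proxy auditing is disabled")
    return findings
```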
Device Registration WebAuth Process
Using Device Registration Web Authentication (Device Registration WebAuth) and the Hotspot Guest portal, you can allow guest devices to connect to a private network without requiring usernames and passwords.
In this scenario, the guest connects to the network with a wireless connection. See Figure 23: Wireless Device Registration Web Authentication Flow for an example of the Device Registration WebAuth process flow. The following is an outline of the subsequent Device Registration WebAuth process, which is similar for both wireless and wired connections:
1. The network access device (NAD) sends a redirect to the Hotspot Guest portal.
2. If the MAC address of the guest device is not in any endpoint identity group or is not marked with an Acceptable Use Policy (AUP) accepted attribute set to true, Cisco ISE responds with a URL redirection specified in an authorization profile.
3. The URL redirection presents the guest with an AUP page (if enabled) when the guest attempts to access any URL.
• If the guest accepts the AUP, the endpoint associated with their device MAC address is assigned to the configured endpoint identity group. This endpoint is now marked with an AUP accepted attribute set to true, to track the guest acceptance of the AUP.
• If the guest does not accept the AUP or if an error occurs, for instance, while creating or updating the endpoint, an error message displays.
4. Based on the Hotspot Guest portal configuration, a post-access banner page (if enabled) with additional information may appear.
5. After the endpoint is created or updated, a Change of Authorization (CoA) termination is sent to the NAD.
6. After the CoA, the NAD re-authenticates the guest connection with a new MAC Auth Bypass (MAB) request. The new authentication finds the endpoint with its associated endpoint identity group, and returns the configured access to the NAD.
7. Based on the Hotspot Guest portal configuration, the guest is directed to the URL to which they requested access, or to a custom URL specified by the administrator, or to an Authentication Success Page.
The CoA type for both wired and wireless is Termination CoA. You can configure the Hotspot Guest portal to perform VLAN DHCP Release (and renew), thereby re-authorizing the CoA type for both wired and wireless to Change of Auth.
VLAN DHCP Release support is available for Mac OS and Windows on desktop devices only. It is not available for mobile devices. If the device being registered is mobile and the VLAN DHCP Release option is enabled, the guest is requested to manually renew their IP address. For mobile device users, we recommend using Access Control Lists (ACLs) on the WLC, rather than using VLANs.

Figure 23: Wireless Device Registration Web Authentication Flow