Cisco Ise 13 User Guide
CHAPTER 16

Support Device Access

Cisco Identity Services Engine Administrator Guide, Release 1.3 335

• Personal Devices on a Corporate Network (BYOD), page 335
• Personal Device Portals, page 336
• Support Device Registration Using Native Supplicants, page 341
• Device Portals Configuration Tasks, page 342
• Manage Personal Devices Added by Employees, page 355
• Monitor My Devices Portals and Endpoints Activity, page 356

Personal Devices on a Corporate Network (BYOD)

When supporting personal devices on a corporate network, you must protect network services and enterprise data by authenticating and authorizing users (employees, contractors, and guests) and their devices. Cisco ISE provides the tools you need to allow employees to securely use personal devices on a corporate network.

Guests can automatically register their devices when logging in to Guest portals. Guests can register additional devices up to the maximum limit that you define in their guest type. These devices are registered into endpoint identity groups based on the portal configuration.

Guests can add their personal devices to the network by running the native supplicant provisioning (Network Setup Assistant), or by adding their devices to the My Devices portal. You can create native supplicant profiles, which determine the proper native supplicant provisioning wizard to use, based on the operating system. Because native supplicant profiles are not available for all devices, users can use the My Devices portal to add these devices manually; or you can configure BYOD rules to register these devices.

End-User Device Portals in a Distributed Environment

Cisco ISE end-user web portals depend on the Administration, Policy Services, and Monitoring personas to provide configuration, session support, and reporting.

• Administration Node—Configuration changes that you make to users, devices, and end-user portals are written to the Administration node.
• Policy Services Node—The end-user portals run on a Policy Services Node, which handles all session traffic, including: network access, client provisioning, guest services, posture, and profiling. If a Policy Service Node is part of a node group, and one node fails, the other nodes detect the failure and reset any pending sessions.
• Monitoring Node—The Monitoring node collects, aggregates, and reports data about the end-user and device activity on the My Devices, Sponsor, and Guest portals. If the primary Monitoring node fails, the secondary Monitoring node automatically becomes the primary Monitoring node.

Global Settings for Device Portals

Choose Work Centers > BYOD > Settings > Employee Registered Devices or Administration > Device Portal Management > Settings.

You can configure the following general settings for the BYOD and My Devices portals:

• Employee Registered Devices—Enter the maximum number of devices that an employee can register in Restrict employees to. By default, this value is set to 5 devices.
• Retry URL—Enter a URL that can be used to redirect the device back to Cisco ISE in Retry URL for onboarding.

Once you configure these general settings, they apply to all BYOD and My Devices portals that you set up for your company.

Related Topics
Limit the Number of Personal Devices Registered by Employees
Provide a URL to Reconnect with BYOD Registration, on page 342
End-User Device Portals in a Distributed Environment, on page 335

Personal Device Portals

Cisco ISE provides several web-based portals to support employee-owned personal devices. These Device portals do not participate in the guest or sponsor portal flows.

Use these portals to:

• Blacklist Portal—Provide information about personal devices that are “blacklisted” and cannot be used to gain access to the network.
• BYOD Portals—Enable employees to register their personal devices using native supplicant provisioning functionality.
• Client Provisioning Portals—Force employees to download a posture agent on their devices that checks for compliance.
• MDM Portals—Enable employees to enroll their mobile devices with an external Mobile Device Management (MDM) system.
• My Devices Portals—Enable employees to add and register personal devices, including those that do not support native supplicant provisioning, and then manage them.

Cisco ISE provides you with the ability to host multiple device portals on the Cisco ISE server, including a predefined set of default portals. The default portal themes have standard Cisco branding that you can customize through the Admin portal. You can also choose to further customize a portal by uploading images, logos, and cascading style sheets (CSS) files that are specific to your organization.

Access Device Portals

Procedure

Step 1 To access any of the Device portals, you can either:
• Click Administration > Device Portal Management. The Configure and Customize Device Portals page displays the list of supported Device portals.
• Choose Administration > Device Portal Management. The supported Device portals display in the drop-down menu.
Step 2 Select the specific device portal that you want to configure.

Blacklist Portal

Employees do not access this portal directly, but are redirected to it.

If employees lose their personal device or it is stolen, they can update its status in the My Devices portal, which adds it to the Blacklist endpoint identity group. This prevents others from using the device to obtain unauthorized network access. If anyone attempts to connect to the network using one of these devices, they are redirected to the Blacklist portal, which informs them that the device is denied access to the network. If the device is found, employees can reinstate it (in the My Devices portal) and regain network access without having to register the device again. Depending on whether the device was lost or stolen, additional provisioning may be required before the device can be connected to the network.

You can configure the port settings (default is port 8444) for the Blacklist portal. If you change the port number, make sure it is not being used by another end-user portal.

For information about configuring a Blacklist portal, see Edit the Blacklist Portal, on page 346.

Bring Your Own Device Portal

Employees do not access this portal directly.

Employees are redirected to the Bring Your Own Device (BYOD) portal when registering personal devices using native supplicants. The first time employees attempt to access the network using a personal device, they may be prompted to manually download and launch the Network Setup Assistant (NSA) wizard and be guided through registering and installing the native supplicant. After they have registered a device, they can use the My Devices portal to manage it.

Note: BYOD flow is not supported when a device is connected to a network using AnyConnect Network Access Manager (NAM).

Related Topics
Create a BYOD Portal, on page 348
Personal Devices on a Corporate Network (BYOD), on page 335

Client Provisioning Portal

Employees do not access this portal directly, but are redirected to it.

The Client Provisioning system provides posture assessments and remediations for devices that are attempting to gain access to your corporate network. When employees request network access using their devices, you can route them to a Client Provisioning portal and require them to first download the posture agent. The posture agent scans the device for compliance, such as verifying that virus protection software is installed on it and that its operating system is supported.

Related Topics
Create a Client Provisioning Portal, on page 350

Mobile Device Management Portal

Employees do not access this portal directly, but are redirected to it.

Many companies use a Mobile Device Management (MDM) system to manage employees’ mobile devices. Cisco ISE allows integration with external MDM systems that employees can use to enroll their mobile device and gain access to your corporate network. Cisco provides an external MDM interface that employees can enroll in to register their devices and then connect to the network.

The MDM portal enables employees to enroll in an external MDM system.

Employees can then use the My Devices portal to manage their mobile devices, such as lock their devices with a PIN code, reset their device to its default factory settings, or remove applications and settings that were installed when registering the device.

For information about configuring MDM servers to work with ISE, see Create an MDM Portal, on page 351.

My Devices Portal

Employees can access the My Devices portal directly.

Some network devices that need network access are not supported by native supplicant provisioning and cannot be registered using the BYOD portal. However, employees can add and register personal devices whose operating systems are not supported or that do not have web browsers (such as printers, Internet radios, and other devices) using the My Devices portal.

Employees can add and manage new devices by entering the MAC address for the device. When employees add devices using the My Devices portal, Cisco ISE adds the devices to the Endpoints page as members of the RegisteredDevices endpoint identity group (unless already statically assigned to a different endpoint identity group). The devices are profiled like any other endpoint in Cisco ISE and go through a registration process for network access.

When two MAC addresses from one device are entered into the My Devices Portal by a user, profiling determines that they have the same hostname, and they are merged together as a single entry in ISE. For example, a user registers a laptop with wired and wireless addresses. Any operation on that device, such as delete, acts on both addresses.

When a registered device is deleted from the portal, the Device Registration Status and BYOD Registration Status attributes change to Not Registered and No, respectively. However, these attributes remain unchanged when a guest (who is not an employee) registers a device using the Guest Device Registration page in the credentialed Guest portals, because these are BYOD attributes used only during employee device registration.

Regardless of whether employees register their devices using the BYOD or the My Devices portals, they can use the My Devices portal to manage them.

Related Topics
Create a My Devices Portal, on page 352

BYOD Deployment Options and Status Flow

The BYOD deployment flows that support personal devices vary slightly based on these factors:

• Single or dual SSID—With single SSID, the same WLAN is used for certificate enrollment, provisioning, and network access. In a dual SSID deployment, there are two SSIDs: one provides enrollment and provisioning, and the other provides secure network access.
• Windows, MacOS, iOS, or Android device—The native supplicant flow starts similarly, regardless of the device type, by redirecting employees using a supported personal device to the BYOD portal to confirm their device information. The process diverges based on device type.

Employee Connects to Network

1 Employee Credentials Are Authenticated—Cisco ISE authenticates the employee against the corporate Active Directory or other corporate identity stores and provides an authorization policy.
2 Device Is Redirected to the BYOD Portal—The device is redirected to the BYOD portal. The device’s MAC address field is automatically preconfigured, and the user can add a device name and description.
3 Native Supplicant Is Configured (MacOS, Windows, iOS, Android)—The native supplicant is configured, but the process varies by device:
  • MacOS and Windows devices—Employee clicks Register in the BYOD portal to download and install the supplicant provisioning wizard (Network Setup Assistant), which configures the supplicant and provides the certificate (if necessary) used for EAP-TLS certificate-based authentication. The issued certificate is embedded with the device's MAC address and employee's username.
    Note: Network Setup Assistant cannot be downloaded to a Windows device unless the user of that device has administrative privileges. If you cannot grant end users administrative privileges, then use your GPO to push the certificate to the user's device instead of using the BYOD flow.
  • iOS devices—The Cisco ISE policy server sends a new profile using Apple’s iOS over the air to the iOS device, which includes:
    ◦ The issued certificate (if configured), embedded with the iOS device's MAC address and employee's username.
    ◦ A Wi-Fi supplicant profile that enforces the use of EAP-TLS for 802.1X authentication.
  • Android devices—Cisco ISE prompts and routes the employee to download the Cisco Network Setup Assistant (NSA) from the Google Play store. After installing the app, the employee can open NSA and start the setup wizard, which generates the supplicant configuration and issued certificate used to configure the device.
4 Change of Authorization Issued—After the user goes through the onboarding flow, Cisco ISE initiates a Change of Authorization (CoA). This causes the Mac OS X, Windows, and Android devices to reconnect to the secure 802.1X network. For single SSID, iOS devices also connect automatically, but for dual SSID, the wizard prompts iOS users to manually connect to the new network.

Note: You can configure a BYOD flow that does not use supplicants. See the Cisco ISE Community document https://supportforums.cisco.com/blog/12705471/ise-byod-registration-only-without-native-supplicant-or-certificate-provisioning.

Note: Check the Enable if Target Network is Hidden check box only when the actual Wi-Fi network is hidden. Otherwise, Wi-Fi network configuration may not be provisioned properly for certain iOS devices, especially in the single SSID flow (where the same Wi-Fi network/SSID is used for both onboarding and connectivity).

BYOD Session Endpoint Attribute

The state of the endpoint attribute BYOD Registration changes during the BYOD flow to the following states.

• Unknown—The device has not been through a BYOD flow.
• Yes—The device has been through the BYOD flow, and is registered.
• No—The device has been through the BYOD flow, but is not registered. This means that the device was deleted.

Device Registration Status Endpoint Attribute

The state of the endpoint attribute Device Registration Status changes during device registration to the following states.

• Registered—The device has been through the BYOD flow, and it is registered. There is a 20-minute delay before the attribute changes from Pending to Registered.
• Pending—The device has been through the BYOD flow, and it is registered, but ISE has not yet seen it on the network.
• Not Registered—The device has not been through the BYOD flow. This is the default state of this attribute.
• Stolen—The user logs on to the My Devices portal, and marks a currently onboarded device as Stolen. When this happens:
  ◦ If the device was onboarded by provisioning a certificate and a profile, ISE revokes the certificate that was provisioned to the device, and assigns the device’s MAC address to the Blacklist identity group. That device no longer has network access.
  ◦ If the device was onboarded by provisioning a profile (no certificate), ISE assigns the device to the Blacklist endpoint identity group. The device will still have network access, unless you create an authorization policy for this situation. For example, IF Endpoint Identity Group is Blacklist AND BYOD_is_Registered THEN DenyAccess.
  An Administrator performs an action that disables network access for several devices, such as deleting or revoking a certificate.
  If a user reinstates a stolen device, the status reverts to Not Registered. The user must delete that device and add it back. That starts the onboarding process.
• Lost—The user logs on to the My Devices portal, and marks a currently onboarded device as Lost. That causes the following actions:
  ◦ That device is assigned to the Blacklist identity group.
  ◦ Certificates provisioned to the device are not revoked.
  ◦ The device status is updated to Lost.
  ◦ “BYOD Registration” is updated to No.
  A lost device still has network access unless you create an authorization policy to block lost devices. You can use the Blacklist identity group or the endpoint:BYOD Registration attribute in your rule. For example, IF Endpoint Identity Group is Blacklist AND EndPoints:BYODRegistration Equals No THEN BYOD. For more granular access, you can also add Network Access:EapAuthenticationMethod Equals PEAP or EAP-TLS or EAP-FAST, and an InternalUser:IdentityGroup Equals condition, to the IF part of the rule.

Support Device Registration Using Native Supplicants

You can create native supplicant profiles to support personal devices on the Cisco ISE network. Based on the profile that you associate with a user’s authorization requirements, Cisco ISE provides the necessary supplicant provisioning wizard to set up the user’s personal device to access the network.

The first time employees attempt to access the network using a personal device, they are guided automatically through registration and supplicant configuration. After they have registered the device, they can use the My Devices portal to manage their devices.

Operating Systems Supported by Native Supplicants

Native supplicants are supported for these operating systems:

• Android (excluding Amazon Kindle, B&N Nook)
• MacOS X (for Apple Mac computers)
• Apple iOS devices (Apple iPod, iPhone, and iPad)
• Microsoft Windows 7, 8 (excluding RT), Vista, and 10
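The Stolen and Lost status flow and the two sample authorization rules described under Device Registration Status Endpoint Attribute, as an added example that is not Cisco's code and uses no ISE API: a Python model of the BYOD Registration and Device Registration Status attributes together with a first-match rule evaluator, showing why a lost or profile-only stolen device keeps network access until a Blacklist rule exists. All names, MAC addresses and rule names are constructed for illustration.

```python
# Added example (not Cisco's code): a small model of the BYOD Registration and Device
# Registration Status endpoint attributes described above, plus a first-match authorization
# policy that applies the page's two sample rules. All names are constructed for illustration.
from dataclasses import dataclass

BLACKLIST = "Blacklist"
REGISTERED_DEVICES = "RegisteredDevices"

@dataclass
class Endpoint:
    mac: str
    identity_group: str = REGISTERED_DEVICES
    byod_registration: str = "Unknown"           # Unknown / Yes / No
    registration_status: str = "Not Registered"  # Not Registered / Pending / Registered / Stolen / Lost
    has_certificate: bool = False
    certificate_revoked: bool = False

def onboard(ep: Endpoint, with_certificate: bool) -> None:
    """Device completed the BYOD flow; it stays Pending until ISE sees it on the network."""
    ep.has_certificate = with_certificate
    ep.byod_registration = "Yes"
    ep.registration_status = "Pending"
    ep.identity_group = REGISTERED_DEVICES

def mark_stolen(ep: Endpoint) -> None:
    """My Devices 'Stolen': a provisioned certificate is revoked and the MAC moves to Blacklist."""
    ep.registration_status = "Stolen"
    ep.identity_group = BLACKLIST
    if ep.has_certificate:
        ep.certificate_revoked = True

def mark_lost(ep: Endpoint) -> None:
    """My Devices 'Lost': moves to Blacklist, certificate is NOT revoked, BYOD Registration -> No."""
    ep.registration_status = "Lost"
    ep.identity_group = BLACKLIST
    ep.byod_registration = "No"

def reinstate_stolen(ep: Endpoint) -> None:
    """Reinstating a stolen device reverts it to Not Registered; the user must delete and re-add it."""
    ep.registration_status = "Not Registered"

# Rules in the shape the page gives them: (name, condition on the endpoint, authorization result).
STOLEN_RULE = (
    "Blacklist_Registered",  # IF Endpoint Identity Group is Blacklist AND BYOD registered THEN DenyAccess
    lambda ep: ep.identity_group == BLACKLIST and ep.byod_registration == "Yes",
    "DenyAccess",
)
LOST_RULE = (
    "Blacklist_Lost",  # IF Endpoint Identity Group is Blacklist AND BYOD Registration Equals No THEN BYOD
    lambda ep: ep.identity_group == BLACKLIST and ep.byod_registration == "No",
    "BYOD",
)

def authorize(ep: Endpoint, eap_method: str, rules=()) -> str:
    """Result of one connection attempt: EAP-TLS fails outright on a revoked certificate;
    otherwise rules are evaluated first-match, and Blacklist membership by itself denies nothing."""
    if eap_method == "EAP-TLS" and ep.certificate_revoked:
        return "AuthenticationFailed"
    for _name, condition, result in rules:
        if condition(ep):
            return result
    return "PermitAccess"  # no BYOD rule matched: the device keeps network access
```

Run `authorize()` on a lost device with an empty rule list and again with `[STOLEN_RULE, LOST_RULE]` to see the difference the authorization policy makes.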
Allow Employees to Register Personal Devices Using Credentialed Guest Portals

Employees using credentialed Guest portals can register their personal devices. The self-provisioning flow supplied by the BYOD portal enables employees to connect devices to the network directly using native supplicants, which are available for Windows, MacOS, iOS, and Android devices.

Before You Begin

You must create the native supplicant profiles.

Procedure

Step 1 Choose Guest Access > Configure > Guest Portals.
Step 2 Choose the credentialed Guest portal that you want to allow employees to use to register their devices using native supplicants and click Edit.
Step 3 On the Portal Behavior and Flow Settings tab, in BYOD Settings, check Allow employees to use personal devices on the network.
Step 4 Click Save and then Close.

Provide a URL to Reconnect with BYOD Registration

You can provide information that enables employees who encounter a problem while registering their personal devices using the BYOD portal to reconnect with the registration process.

Procedure

Step 1 Choose Administration > Device Portal Management > Settings > Retry URL.
Step 2 Change the IP address or enter a URL that can be used to redirect the device back to Cisco ISE in Retry URL for onboarding.
When the employee’s device encounters a problem during the registration process, it tries to reconnect to the Internet automatically. At this point, the IP address or domain name that you enter here redirects the device to Cisco ISE, which reinitiates the onboarding process. The default value is 1.1.1.1.
Step 3 Click Save. If you do not want to save any updates you made to the settings, click Reset to revert to the last saved values.

Device Portals Configuration Tasks

You can use a default portal and its default settings such as certificates, endpoint identity group, identity source sequence, portal themes, images, and other details provided by Cisco ISE. If you do not want to use the default settings, you should create a new portal or edit an existing one to meet your needs. You can duplicate a portal if you want to create multiple portals with the same settings.

After creating a new portal or editing a default one, you must authorize the portal for use. Once you authorize a portal for use, any subsequent configuration changes you make are effective immediately.

You do not need to authorize the My Devices portal for use.

If you choose to delete a portal, you must first delete any authorization policy rules and authorization profiles associated with it or modify them to use another portal.

Use this table for the tasks related to configuring the different Device portals.

Task | Blacklist Portal | BYOD Portal | Client Provisioning Portal | MDM Portal | My Devices Portal
Enable Policy Services, on page 344 | Required | Required | Required | Required | Required
Add Certificates, on page 344 | Required | Required | Required | Required | Required
Create External Identity Sources, on page 345 | Not required | Not required | Not required | Not required | Required
Create Identity Source Sequences, on page 345 | Not required | Not required | Not required | Not required | Required
Create Endpoint Identity Groups, on page 346 | Not required | Required | Not required | Required | Required
Edit the Blacklist Portal, on page 346 | Required | Not applicable | Not applicable | Not applicable | Not applicable
Create a BYOD Portal, on page 348 | Not applicable | Required | Not applicable | Not applicable | Not applicable
Create a Client Provisioning Portal, on page 350 | Not applicable | Not applicable | Required | Not applicable | Not applicable
Create an MDM Portal, on page 351 | Not applicable | Not applicable | Not applicable | Required | Not applicable
Create a My Devices Portal, on page 352 | Not applicable | Not applicable | Not applicable | Not applicable | Required
Create Authorization Profiles, on page 353 | Not applicable | Required | Required | Required | Not required
Customize Device Portals, on page 355 | Optional | Optional | Optional | Optional | Optional

Enable Policy Services

To support the Cisco ISE end-user web portals, you must enable portal-policy services on the node on which you want to host them.

Procedure

Step 1 Choose Administration > System > Deployment.
Step 2 Click the node and click Edit.
Step 3 On the General Settings tab, check Policy Service.
Step 4 Check the Enable Session Services option.
Step 5 Click Save.

Add Certificates

If you do not want to use the default certificates, you can add a valid certificate and assign it to a certificate group tag. The default certificate group tag used for all end-user web portals is Default Portal Certificate Group.

Procedure

Step 1 Choose Administration > System > Certificates > System Certificates.
Step 2 Add a system certificate and assign it to a certificate group tag that you want to use for the portal.
This certificate group tag will be available to select during portal creation or editing.
Step 3 Choose Administration > Device Portal Management > (any portal) > Create or Edit > Portal Settings.
Step 4 Select the specific certificate group tag from the Certificate Group Tag drop-down list that is associated with the newly added certificate.