Cisco Ise 13 User Guide
Procedure
Step 1 For Self-Registered Guest or Sponsor portals, choose Guest Access > Configure > Guest or Sponsor Portals > Edit > Portal Page Customization > SMS Receipt or SMS Notification.
Step 2 Use the mini-editor and HTML tags to customize the Message Text. Use predefined variables to specify the guest account information to be included in the SMS text message.
Step 3 Under Settings, you can:
• Send username and password separately in different text messages. If you select this option, two separate tabs appear in Page Customizations for customizing the Username Message and Password Message notifications.
• Send Test Message to a cell phone to preview your customization to ensure that the information appears as it should. The supported phone number formats include: +1##########, ###-###-####, (###)### ####, ##########, 1########## and so on.
Step 4 Click Save and then Close.

Customize Print Notifications
You can customize the information that is printed for guests.
Note: Within each portal, the print notification logo is inherited from the email notification logo setting.

Before You Begin
Ensure that Enable portal customization with HTML is enabled by default in Administration > System > Admin Access > Settings > Portal Customization.

Procedure
Step 1 For Self-Registered Guest and Sponsor portals, choose Guest Access > Configure > Guest or Sponsor Portals > Edit > Portal Page Customization > Print Receipt or Print Notification.
Step 2 Specify the Print Introduction Text. Use predefined variables to specify the guest account information to be included in the email message. Use the mini-editor and HTML tags to customize the text.
Step 3 Preview your customization in the thumbnail or click Print Preview. You cannot view any HTML customization in the thumbnail.
If you select the Print Preview option, a window appears from which you can print the account details to ensure that the information appears as it should.
Step 4 Click Save and then Close.

Cisco Identity Services Engine Administrator Guide, Release 1.3 395 Customization of Guest Notifications, Approvals, and Error Messages
Customize Approval Request Email Notifications
You can require sponsors to approve self-registering guests before their accounts are created and before they can obtain their login credentials. You can customize the information that is sent via email to sponsors requesting their approval. This notification only displays if you have specified that self-registering guests using the Self-Registered Guest portals require approval before they are granted network access.

Before You Begin
• Configure the SMTP server to enable email notifications. Choose Administration > Systems > Settings > SMTP Server.
• Configure support for email notifications to guests. Choose Guest Access > Settings > Guest Email Settings. Check Enable email notifications to guests.
• If you want a Sponsor to approve self-registered account requests, check Require self-registered guests to be approved under Self-Registration Page Settings on the Portal Behavior and Flow Settings tab. That enables the Approval Request Email tab under Notifications in Portal Page Customization, where you can customize the email that goes to the Sponsor.

Procedure
Step 1 Choose Guest Access > Self-Registered Guest Portals > Edit > Portal Page Customization > Approval Request Email. Here you can:
a) Change the default Logo that is specified under Global Page Customizations.
b) Specify the Subject and Email body. Use predefined variables to specify the guest account information to be included in the email message. Use the mini-editor and HTML tags to customize the text. For example, to include a link to the Sponsor portal in the request approval email, click the Create a Link button, add the FQDN to the Sponsor portal.
c) Preview your customization on all devices using Send Test Email to ensure that it appears as it should.
d) Don't forget to click Save and then Close.
Step 2 Customize the content of the approval email sent by the Sponsor. Choose Guest Access > Configure > Sponsor Portals, choose Portal Page Customization, and then the Email Notification tab.

Edit Error Messages
You can fully customize the error messages that appear on the Failure pages displayed for guests, sponsors and employees. Failure pages are available with all end-user web portals, except the Blacklist portal.
Procedure
Step 1 Do one of the following:
• For Guest portals, choose Guest Access > Configure > Guest Portals > Edit > Portal Page Customizations > Messages > Error Messages.
• For Sponsor Portals, choose Guest Access > Configure > Sponsor Portals > Edit > Portal Page Customizations > Messages > Error Messages.
• For Device portals, choose Administration > Device Portals Management > (any portals) > Edit > Portal Page Customizations > Messages > Error Messages.
Step 2 From the View In drop-down list, choose the language in which you want to view the text while customizing the messages.
The drop-down list includes all the languages in the language file associated with a specific portal. Make sure that you update any changes made while customizing the portal page into the supported languages properties files.
Step 3 Update the error message text. You can search for specific error messages by typing in keywords such as aup to find AUP related error messages.
Step 4 Click Save and Close.
PART V
Enable and Configure Cisco ISE Services
• Set Up Policy Conditions
• Manage Authentication Policies
• Manage Authorization Policies and Profiles
• Cisco ISE Endpoint Profiling Policies
• Configure Client Provisioning
• Configure Client Posture Policies
• Cisco TrustSec Policies Configuration
CHAPTER 18
Set Up Policy Conditions
• Policy Conditions
• Simple and Compound Conditions
• Policy Evaluation
• Create Simple Conditions
• Create Compound Conditions
• Profiler Conditions
• Posture Conditions
• Create Time and Date Conditions

Policy Conditions
Cisco ISE is a policy-based, network-access-control solution, which offers the following services: network-access, guest, posture, client provisioning, and profiler services. While configuring Cisco ISE, you create authentication, authorization, guest, posture, and profiler policies. Policy conditions are basic building blocks of policies. There are two types of policy conditions, simple and compound.
This chapter describes the policy conditions and how you can create them for the various services that Cisco ISE offers.

Simple and Compound Conditions
Cisco ISE uses rule-based policies to provide network access, profiler, posture, and guest services. These rule-based policies consist of rules that are made up of conditions. Cisco ISE allows you to create conditions as individual, reusable policy elements that can be referred from other rule-based policies. There are two types of conditions:
• Simple condition—A simple condition consists of an operand (attribute), an operator (equal to, not equal to, greater than, and so on), and a value. You can save simple conditions and use them in other rule-based policies.
Simple condition takes the form: A operand B, where A can be any attribute from the Cisco ISE dictionary and B can be one of the values that the attribute A can take. The Device Type is used as an attribute for all network devices that can include all device types as its value, which means that A Equals B in the following form:
DEVICE:Device Type Equals All Device Types
• Compound condition—A compound condition is made up of one or more simple conditions that are connected by the AND or OR operator. Compound conditions are built on top of simple conditions. You can save and reuse compound conditions in other rule-based policies.
Compound condition can take any one of the following forms:
◦ (X operand Y) AND (A operand B) AND (X operand Z) AND so on
◦ (X operand Y) OR (A operand B) OR (X operand Z) OR so on
where X and A are attributes from the Cisco ISE dictionary such as the username and device type.
This is an example of a compound condition:
DEVICE:Model Name Matches Catalyst6K AND Network Access:UseCase Equals Host Lookup.
You cannot delete conditions that are used in a policy or are part of a compound condition.

Policy Evaluation
Policies consist of rules, where each rule consists of conditions to be satisfied that allow actions to be performed such as access to network resources. Rule-based conditions form the basis of policies, the sets of rules used when evaluating requests.
At run-time, Cisco ISE evaluates the policy conditions and then applies the result that you define based on whether the policy evaluation returns a true or a false value.
During policy-condition evaluation, Cisco ISE compares an attribute with a value. It is possible that the attribute specified in the policy condition does not have a value assigned in the request. In such cases, if the operator that is used for comparison is “not equal to,” then the condition will evaluate to true. In all other cases, the condition will evaluate to false.
For example, in the condition Radius.Calling_Station_ID Not Equal to 1.1.1.1, if the Calling Station ID is not present in the RADIUS request, then this condition will evaluate to true. This evaluation is not unique to the RADIUS dictionary and occurs because of the usage of the “Not Equal to” operator.
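The missing-attribute rule described above, modelled as an added example (it is not Cisco ISE code and does not come from the guide). The function names and sample requests are constructed for illustration, and only the Equals and Not Equal to operators are modelled; flips_when_absent reports which attributes a condition silently depends on being present.

```python
# Added illustration: a model of the evaluation rules quoted above, not Cisco ISE code.
import operator

# Only the operators this example needs; the names follow the guide's wording.
OPERATORS = {"Equals": operator.eq, "Not Equal to": operator.ne}


def eval_simple(request, attribute, op, value):
    """Simple condition: attribute, operator, value."""
    if attribute not in request:
        # Attribute absent from the request: true only for "Not Equal to".
        return op == "Not Equal to"
    return OPERATORS[op](request[attribute], value)


def eval_compound(request, joiner, conditions):
    """Compound condition: simple conditions joined by a single AND or OR."""
    results = [eval_simple(request, *cond) for cond in conditions]
    return all(results) if joiner == "AND" else any(results)


def flips_when_absent(request, joiner, conditions):
    """Attributes whose removal turns a false result into a true one."""
    if eval_compound(request, joiner, conditions):
        return []
    flipped = []
    for attribute in request:
        stripped = {k: v for k, v in request.items() if k != attribute}
        if eval_compound(stripped, joiner, conditions):
            flipped.append(attribute)
    return flipped


# Constructed sample requests (attribute names taken from the guide's examples).
LISTED = {"Radius.Calling_Station_ID": "1.1.1.1", "Network Access:UseCase": "Host Lookup"}
OTHER = {"Radius.Calling_Station_ID": "2.2.2.2", "Network Access:UseCase": "Host Lookup"}
NO_ID = {"Network Access:UseCase": "Host Lookup"}

NOT_LISTED = ("Radius.Calling_Station_ID", "Not Equal to", "1.1.1.1")
HOST_LOOKUP = ("Network Access:UseCase", "Equals", "Host Lookup")

if __name__ == "__main__":
    for name, req in (("listed", LISTED), ("other", OTHER), ("no id", NO_ID), ("empty", {})):
        print(name, eval_simple(req, *NOT_LISTED),
              eval_compound(req, "AND", [NOT_LISTED, HOST_LOOKUP]))
    print(flips_when_absent(LISTED, "AND", [NOT_LISTED, HOST_LOOKUP]))
```

In this model, joining the Not Equal to condition with an Equals condition by AND keeps an empty request from matching, while a rule built only on Not Equal to matches any request that omits the attribute.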
In ISE, the Policy Sets table provides a list of all policy sets currently configured in the system. The order of the enabled policy sets determines the order by which the system searches for the relevant policy set every time an endpoint requests access. The last row in the Policy page is the default policy that will be applied if none of the rules match the request in any of the other configured policy sets. You can edit the allowed protocols and identity source selection in default policy set, but you cannot delete it.

Create Simple Conditions
You can create simple conditions and reuse them when you define authentication, authorization, or guest policies.
Before You Begin
To perform the following task, you must be a Super Admin or Policy Admin.

Procedure
Step 1 Choose Policy > Policy Elements > Conditions.
Step 2 Click the arrow next to Authentication or Authorization or Guest, and then click Simple Conditions.
Step 3 Click Add.
Step 4 Enter appropriate values for the Name, Description, Attribute, Operator, and Value fields.
If you specify any Identity Group in simple conditions, ensure that you represent them in FQDN form, like the following: (InternalUser:IdentityGroup):Equal:(UserIdentityGroups:IdentityGroupName)
Cisco ISE will not accurately resolve Identity Group entries in the following form: (InternalUser:IdentityGroup):Equal:(IdentityGroupName).
Step 5 Click Submit to save the condition.

Create Compound Conditions
You can create compound conditions and reuse them when you define authentication policies.

Before You Begin
• Cisco ISE includes predefined compound conditions for some of the most common use cases. You can edit these predefined conditions to suit your requirements.
• To perform the following task, you must be a Super Admin or Policy Admin.

Procedure
Step 1 Choose Policy > Policy Elements > Conditions.
Step 2 Click the arrow next to Authentication or Authorization or Guest and then click Compound Conditions.
Step 3 Click Add.
Step 4 Enter a name for the compound condition. You can enter an optional description.
Step 5 Click Select Existing Condition from Library to choose an existing simple condition or click Create New Condition to choose an attribute, operator, and value from the expression builder.
Step 6 Click the action icon at the end of this row to add more conditions.
Step 7 Click Add Attribute/Value to create a new condition or click Add Condition from Library to add an existing simple condition.
Step 8 Select operand from the drop-down list. You can choose AND or OR and the same operand will be used between all the conditions in this compound condition.
Step 9 Click Submit to create the compound condition.
Profiler Conditions
Profiling conditions are policy elements and are similar to other conditions. However, unlike authentication, authorization, and guest conditions, the profiling conditions can be based on a limited number of attributes. The Profiler Conditions page lists the attributes that are available in Cisco ISE and their description.
Profiler conditions can be one of the following:
• Cisco Provided—Cisco ISE includes predefined profiling conditions when deployed and they are identified as Cisco Provided in the Profiler Conditions page. You cannot delete Cisco Provided profiling conditions.
You can also find Cisco Provided conditions in the System profiler dictionaries in the following location: Policy > Policy Elements > Dictionaries > System.
For example, MAC dictionary. For some products, the OUI (Organizationally Unique Identifier) is a unique attribute that you can use first for identifying the manufacturing organization of devices. It is a component of the device MAC address. The MAC dictionary contains the MACAddress and OUI attributes.
• Administrator Created—Profiler conditions that you create as an administrator of Cisco ISE or predefined profiling conditions that are duplicated are identified as Administrator Created. You can create a profiler condition of DHCP, MAC, SNMP, IP, RADIUS, NetFlow, CDP, LLDP, and NMAP types using the profiler dictionaries in the Profiler Conditions page.
Although the recommended upper limit for the number of profiling policies is 1000, you can stretch up to 2000 profiling policies.

Create a Profiler Condition
Endpoint profiling policies in Cisco ISE allow you to categorize discovered endpoints on your network, and assign them to specific endpoint identity groups. These endpoint profiling policies are made up of profiling conditions that Cisco ISE evaluates to categorize and group endpoints.

Before You Begin
To perform the following task, you must be a Super Admin or Policy Admin.

Procedure
Step 1 Choose Policy > Policy Elements > Conditions > Profiling > Add.
Step 2 Enter values for the fields as described in the Endpoint Profiling Policies Settings, on page 819.
Step 3 Click Submit to save the profiler condition.
Step 4 Repeat this procedure to create more conditions.