Cisco ISE 1.3 User Guide
Posture Conditions

A posture condition can be any one of the following simple conditions: a file, a registry, an application, a service, or a dictionary condition. One or more of these simple conditions form a compound condition, which can be associated with a posture requirement.

When you deploy Cisco ISE on your network for the first time, you can download posture updates from the web. This process is called the initial posture update.

After an initial posture update, Cisco ISE also creates Cisco-defined simple and compound conditions. Cisco-defined simple conditions have pc_ as their prefix and Cisco-defined compound conditions have pr_ as their prefix.

You can also configure Cisco ISE to download the Cisco-defined conditions periodically as a result of dynamic posture updates through the web. You cannot delete or edit Cisco-defined posture conditions.

Both user-defined and Cisco-defined conditions come in simple and compound forms.

Simple Posture Conditions

You can use the Posture navigation pane to manage the following simple conditions:

• File Conditions—A condition that checks the existence of a file, the date of a file, and the version of a file on the client.
• Registry Conditions—A condition that checks for the existence of a registry key or the value of the registry key on the client.
• Application Conditions—A condition that checks whether an application (process) is running or not running on the client.
• Service Conditions—A condition that checks whether a service is running or not running on the client.
• Dictionary Conditions—A condition that checks a dictionary attribute against a value.

Related Topics
File Condition Settings, on page 826
Registry Condition Settings, on page 827
Application Condition Settings, on page 828
Service Conditions Settings, on page 829
Dictionary Simple Conditions Settings, on page 833

Create Simple Posture Conditions

You can create file, registry, application, service, and dictionary simple conditions that can be used in posture policies or in other compound conditions.

Before You Begin

To perform the following task, you must be a Super Admin or Policy Admin.

Cisco Identity Services Engine Administrator Guide, Release 1.3 405 Posture Conditions

Procedure

Step 1 Choose Policy > Policy Elements > Conditions > Posture.
Step 2 Choose any one of the following: File, Registry, Application, Service, or Dictionary Simple Condition.
Step 3 Click Add.
Step 4 Enter the appropriate values in the fields.
Step 5 Click Submit.

Compound Posture Conditions

Compound conditions are made up of one or more simple conditions, or of other compound conditions. You can make use of the following compound conditions while defining a posture policy:

• Compound Conditions—Contains one or more simple conditions, or compound conditions, of the type File, Registry, Application, or Service condition
• Antivirus Compound Conditions—Contains one or more AV conditions, or AV compound conditions
• Antispyware Compound Conditions—Contains one or more AS conditions, or AS compound conditions
• Dictionary Compound Conditions—Contains one or more dictionary simple conditions or dictionary compound conditions

Cisco-Predefined Condition for Enabling Automatic Updates in Windows Clients

The pr_AutoUpdateCheck_Rule is a Cisco-predefined condition, which is downloaded to the Compound Conditions page. This condition allows you to check whether the automatic updates feature is enabled on Windows clients. If a Windows client fails to meet this requirement, the Network Access Control (NAC) Agent forces the Windows client to enable (remediate) the automatic updates feature. After this remediation is done, the Windows client becomes posture compliant. Note that the Windows update remediation you associate in the posture policy overrides the local Windows administrator setting if the automatic updates feature is not enabled on the Windows client.

Cisco-Preconfigured Antivirus and Antispyware Conditions

Cisco ISE loads preconfigured antivirus and antispyware compound conditions in the AV and AS Compound Condition pages, which are defined in the antivirus and antispyware support charts for Windows and Macintosh operating systems. These compound conditions can check whether the specified antivirus and antispyware products exist on all the clients. You can also create new antivirus and antispyware compound conditions in Cisco ISE.
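The following is an added example, not code from the Cisco ISE guide or from the NAC Agent. It models the simple posture condition types listed above (file, registry, application, service) and the AND/OR compound conditions built from them, evaluated against a constructed snapshot of an endpoint. The registry key, value name, service name and file path used below are assumptions chosen for illustration; the guide does not state what pr_AutoUpdateCheck_Rule actually inspects, and the condition called AUTO_UPDATE_RULE here is only shaped like it.

```python
# Added example: not code from the Cisco ISE guide or the NAC Agent.
# Models posture simple conditions and AND/OR compound conditions over a
# constructed endpoint snapshot. Registry key, value name, service and file
# names below are assumptions for illustration, not Cisco's rule definitions.
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple, Union


@dataclass(frozen=True)
class Endpoint:
    """Constructed snapshot of what an agent would observe on a client."""
    files: Dict[str, str]                   # path -> file version
    registry: Dict[str, Dict[str, object]]  # key -> {value name: data}
    processes: Set[str]                     # running process names
    services: Set[str]                      # running service names


@dataclass(frozen=True)
class FileCondition:
    path: str
    min_version: Optional[str] = None       # None: existence check only


@dataclass(frozen=True)
class RegistryCondition:
    key: str
    value_name: Optional[str] = None        # None: key existence check only
    expected: object = None


@dataclass(frozen=True)
class ApplicationCondition:
    process: str
    running: bool = True                    # False: process must NOT be running


@dataclass(frozen=True)
class ServiceCondition:
    service: str
    running: bool = True


@dataclass(frozen=True)
class CompoundCondition:
    operator: str                           # "AND" or "OR"
    parts: Tuple["Condition", ...]


Condition = Union[FileCondition, RegistryCondition, ApplicationCondition,
                  ServiceCondition, CompoundCondition]


def _version(v: str) -> Tuple[int, ...]:
    return tuple(int(p) for p in v.split("."))


def check(cond: Condition, ep: Endpoint) -> bool:
    """Evaluate one simple or compound condition against the endpoint."""
    if isinstance(cond, CompoundCondition):
        results = [check(p, ep) for p in cond.parts]
        return all(results) if cond.operator == "AND" else any(results)
    if isinstance(cond, FileCondition):
        ver = ep.files.get(cond.path)
        if ver is None:
            return False
        return cond.min_version is None or _version(ver) >= _version(cond.min_version)
    if isinstance(cond, RegistryCondition):
        values = ep.registry.get(cond.key)
        if values is None:
            return False
        if cond.value_name is None:
            return True
        return values.get(cond.value_name) == cond.expected
    if isinstance(cond, ApplicationCondition):
        return (cond.process in ep.processes) == cond.running
    if isinstance(cond, ServiceCondition):
        return (cond.service in ep.services) == cond.running
    raise TypeError(f"unknown condition type: {type(cond).__name__}")


def posture_status(requirements: Dict[str, Condition], ep: Endpoint) -> Dict[str, bool]:
    """Pass/fail per requirement; the client is compliant only if every one passes."""
    return {name: check(cond, ep) for name, cond in requirements.items()}


# Assumed (illustrative) "automatic updates enabled" check: the Windows Update
# service is running AND the Auto Update key holds the assumed 'enabled' value.
AU_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update"
AUTO_UPDATE_RULE = CompoundCondition("AND", (
    RegistryCondition(AU_KEY, "AUOptions", 4),
    ServiceCondition("wuauserv", running=True),
))

# A user-defined compound: an agent binary of a minimum version is present
# AND a remote-control tool is not running (names are constructed examples).
ENDPOINT_RULE = CompoundCondition("AND", (
    FileCondition(r"C:\Program Files\ExampleAgent\agent.exe", min_version="2.1.0"),
    ApplicationCondition("rogueremote.exe", running=False),
))

REQUIREMENTS = {"AutoUpdate": AUTO_UPDATE_RULE, "EndpointAgent": ENDPOINT_RULE}

# Constructed sample endpoint: updates enabled, but the agent version is too old.
SAMPLE_ENDPOINT = Endpoint(
    files={r"C:\Program Files\ExampleAgent\agent.exe": "2.0.3"},
    registry={AU_KEY: {"AUOptions": 4}},
    processes={"explorer.exe"},
    services={"wuauserv", "WinDefend"},
)

if __name__ == "__main__":
    print(posture_status(REQUIREMENTS, SAMPLE_ENDPOINT))
```

The sample endpoint passes the AutoUpdate requirement and fails EndpointAgent on the file version check, which is the kind of per-requirement result a posture policy turns into a compliant or non-compliant verdict and a remediation action.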
Antivirus and Antispyware Support Chart

Cisco ISE uses an antivirus and antispyware support chart, which provides the latest version and date of the definition files for each vendor product. Antivirus and antispyware vendors update their definition files frequently, so the support chart must be polled frequently for updates in order to have the latest version and date of the definition files for each vendor product.

Each time the antivirus and antispyware support chart is updated to reflect support for new antivirus and antispyware vendors, products, and their releases, the NAC Agents receive a new antivirus and antispyware library. This helps the NAC Agents support the newer additions. Once the NAC Agents retrieve this support information, they check the latest definition information from the periodically updated se-checks.xml file (which is published along with the se-rules.xml file in the se-templates.tar.gz archive), and determine whether clients are compliant with the posture policies. Depending upon what is supported by the antivirus and antispyware library for a particular antivirus or antispyware product, the appropriate requirements are sent to the NAC Agents for validating the existence and the status of particular antivirus and antispyware products on the clients during posture validation.

The antivirus and antispyware support chart is available on Cisco.com.

Create Compound Posture Conditions

You can create compound conditions that can be used in posture policies for posture assessment and validation.

Before You Begin

To perform the following task, you must be a Super Admin or Policy Admin.

Procedure

Step 1 Choose Policy > Policy Elements > Conditions > Posture > Compound Conditions > Add.
Step 2 Enter appropriate values for the fields.
Step 3 Click Validate Expression to validate the condition.
Step 4 Click Submit.

Create Time and Date Conditions

Use the Policy Elements Conditions page to display, create, modify, delete, duplicate, and search time and date policy element conditions. Policy elements are shared objects that define a condition that is based on specific time and date attribute settings that you configure.

Time and date conditions let you set or limit permission to access Cisco ISE system resources to specific times and days as directed by the attribute settings you make.

Before You Begin

To perform the following task, you must be a Super Admin or Policy Admin.

Procedure

Step 1 Choose Policy > Policy Elements > Conditions > Time and Date > Add.
Step 2 Enter appropriate values in the fields.
• In the Standard Settings area, specify the time and date to provide access.
• In the Exceptions area, specify the time and date range to limit access.
Step 3 Click Submit.
CHAPTER 19

Manage Authentication Policies

• Cisco ISE Authentication Policies, page 409
• Simple Authentication Policies, page 412
• Rule-Based Authentication Policies, page 414
• Protocol Settings for Authentication, page 419
• Network Access Service, page 422
• Cisco ISE Acting as a RADIUS Proxy Server, page 424
• Policy Modes, page 426
• Configure a Simple Authentication Policy, page 427
• Configure a Rule-Based Authentication Policy, page 428
• Policy Sets, page 429
• Authentication Policy Built-In Configurations, page 431
• View Authentication Results, page 433

Cisco ISE Authentication Policies

Authentication policies define the protocols that Cisco ISE uses to communicate with the network devices, and the identity sources that it uses for authentication. A policy is a set of conditions and a result. A policy condition consists of an operand (attribute), an operator (equal to, not equal to, greater than, and so on), and a value. Compound conditions are made up of one or more simple conditions that are connected by the AND or OR operator. At runtime, Cisco ISE evaluates a policy condition and then applies the result that you have defined based on whether the policy evaluation returns a true or a false value.

An authentication policy consists of the following:

• Network Access Service—This service can be one of the following:
  ◦ An allowed protocols service to choose the protocols to handle the initial request and protocol negotiation.
  ◦ A proxy service that will proxy requests to an external RADIUS server for processing.
• Identity Source—An identity source or an identity source sequence to be used for authentication.

After installation, a default identity authentication policy is available in Cisco ISE that is used for authentications. Any updates to the authentication policy will override the default settings.

Policy Condition Evaluation

During policy condition evaluation, Cisco ISE compares an attribute with a value. It is possible to run into a situation where the attribute specified in the policy condition does not have a value assigned in the request. In such cases, if the operator that is used for comparison is "not equal to," then the condition evaluates to true. In all other cases, the condition evaluates to false.

For example, for a condition Radius.Calling_Station_ID Not Equal to 1.1.1.1, if the Calling Station ID is not present in the RADIUS request, then this condition evaluates to true. This evaluation is not unique to the RADIUS dictionary and occurs because of the usage of the "Not Equal to" operator. The practical consequence is that a "Not Equal to" condition also matches requests that omit the attribute entirely; on its own it does not require the attribute to be present.

Supported Authentication Protocols

The following is a list of protocols that you can choose while defining your authentication policy:

• Password Authentication Protocol (PAP)
• Protected Extensible Authentication Protocol (PEAP)
• Microsoft Challenge Handshake Authentication Protocol Version 2 (MS-CHAPv2)
• Extensible Authentication Protocol-Message Digest 5 (EAP-MD5)
• Extensible Authentication Protocol-Transport Layer Security (EAP-TLS)
• Extensible Authentication Protocol-Flexible Authentication via Secure Tunneling (EAP-FAST)
• Protected Extensible Authentication Protocol-Transport Layer Security (PEAP-TLS)

Supported Authentication Types and Database

The authentication type is based on the protocols that are chosen. With a password-based authentication type, the authentication is performed against a database with the username and password that are presented in the request.

The identity method, which is the result of the authentication policy, can be any one of the following:

• Deny access—Access to the user is denied and no authentication is performed.
• Identity database—A single identity database that can be any one of the following:
  ◦ Internal users
  ◦ Guest users
  ◦ Internal endpoints
  ◦ Active Directory
  ◦ Lightweight Directory Access Protocol (LDAP) database
  ◦ RADIUS token server (RSA or SafeWord server)
  ◦ Certificate authentication profile
• Identity source sequences—A sequence of identity databases that is used for authentication.

By default, the identity source that Cisco ISE will look up for user information is the internal users database.

Types of Authentication Failures—Failovers

If you choose the identity method as deny access, a reject message is sent as a response to the request. If you choose an identity database or an identity source sequence and the authentication succeeds, the processing continues to the authorization policy. Some authentications fail, and these are classified as follows:

• Authentication failed—Received an explicit response that authentication has failed, such as bad credentials, disabled user, and so on. The default course of action is reject.
• User not found—No such user was found in any of the identity databases. The default course of action is reject.
• Process failed—Unable to access the identity database or databases. The default course of action is drop.

Cisco ISE allows you to configure any one of the following courses of action for authentication failures:

• Reject—A reject response is sent.
• Drop—No response is sent.
• Continue—Cisco ISE continues with the authorization policy.

Even when you choose the Continue option, there might be instances where Cisco ISE cannot continue processing the request due to restrictions on the protocol that is being used. For authentications using PEAP, LEAP, EAP-FAST, EAP-TLS, or RADIUS MSCHAP, it is not possible to continue processing the request when authentication fails or the user is not found.

When authentication fails, it is possible to continue to process the authorization policy for PAP/ASCII and MAC authentication bypass (MAB or host lookup). For all other authentication protocols, when authentication fails, the following happens:

• Authentication failed—A reject response is sent.
• User or host not found—A reject response is sent.
• Process failure—No response is sent and the request is dropped.

Authentication Policy Terminology

The following are some of the commonly used terms in the authentication policy pages:

• Allowed Protocols—Allowed protocols define the set of protocols that Cisco ISE can use to communicate with the device that requests access to the network resources.
• Identity Source—Identity source defines which database Cisco ISE should use for user information. The database could be an internal database or an external identity source, such as Active Directory or LDAP. You can add a sequence of databases to an identity source sequence and list this sequence as the identity source in your policy. Cisco ISE will search for the credentials in the order in which the databases are listed in this sequence.
• Failover Options—You can define what course of action Cisco ISE should take if the authentication fails, the user is not found, or if the process fails.

Simple Authentication Policies

A simple authentication policy allows you to statically define the allowed protocols and the identity source or identity source sequence that Cisco ISE should use for communication. You cannot define any condition for simple policies. Cisco ISE assumes that all conditions are met and uses the following definitions to determine the result:

• You can create simple policies in situations where you can statically define the allowed protocols and the identity source that must always be used, and no condition needs to be checked.
• You can also create proxy service-based simple policies. Cisco ISE proxies the request to a policy server to determine which identity source should be used for user authentication. If the request is proxied to a different policy server, the protocol negotiation does not happen. The policy server evaluates which identity source should be used for authentication and returns the response to Cisco ISE.
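The following is an added example, not code from the Cisco ISE guide. It models two rules the guide states in the Policy Condition Evaluation and Types of Authentication Failures sections: a condition whose attribute is absent from the request is true only under "not equal to", and a configured Continue action is honoured only for PAP/ASCII and MAB, with the default action for the failure type applying to the other protocols. The attribute names (for example Radius.Calling-Station-ID), the operator names and the sample requests are constructed for the example and are not Cisco ISE dictionary entries.

```python
# Added example: not code from the Cisco ISE guide. Models (1) condition
# evaluation when the request lacks the attribute and (2) failover action
# resolution per failure type and protocol, as the guide describes them.
# Attribute names, operator names and sample requests are constructed.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple, Union


@dataclass(frozen=True)
class Simple:
    attribute: str
    operator: str          # "equals", "not_equals", "greater_than", "less_than"
    value: object


@dataclass(frozen=True)
class Compound:
    operator: str          # "AND" or "OR"
    conditions: Tuple["Condition", ...]


Condition = Union[Simple, Compound]


def evaluate(cond: Condition, request: Dict[str, object]) -> bool:
    """Evaluate a condition against the attributes present in the request."""
    if isinstance(cond, Compound):
        results = [evaluate(c, request) for c in cond.conditions]
        return all(results) if cond.operator == "AND" else any(results)
    if cond.attribute not in request:
        # Guide rule: a missing attribute satisfies only "not equal to".
        return cond.operator == "not_equals"
    actual = request[cond.attribute]
    if cond.operator == "equals":
        return actual == cond.value
    if cond.operator == "not_equals":
        return actual != cond.value
    if cond.operator == "greater_than":
        return actual > cond.value
    if cond.operator == "less_than":
        return actual < cond.value
    raise ValueError(f"unknown operator: {cond.operator}")


# Failure types and the default course of action the guide gives for each.
DEFAULT_ACTION = {
    "auth_failed": "reject",      # bad credentials, disabled user, ...
    "user_not_found": "reject",
    "process_failed": "drop",     # identity store could not be reached
}

# Only these protocols may continue to the authorization policy on failure.
CAN_CONTINUE = {"PAP/ASCII", "MAB"}


def resolve_failover(failure: str, protocol: str,
                     configured: Optional[Dict[str, str]] = None) -> str:
    """Return 'reject', 'drop' or 'continue' for this failure under this protocol."""
    action = (configured or {}).get(failure, DEFAULT_ACTION[failure])
    if action == "continue" and protocol not in CAN_CONTINUE:
        # PEAP, LEAP, EAP-FAST, EAP-TLS and MS-CHAP cannot continue; the
        # default action for the failure type applies instead.
        return DEFAULT_ACTION[failure]
    return action


# Constructed sample request that carries no Calling-Station-ID at all.
REQUEST_NO_CSID = {"Radius.User-Name": "alice", "Radius.NAS-Port-Type": "Ethernet"}

NOT_FROM_BLOCKED_NAS = Simple("Radius.Calling-Station-ID", "not_equals", "1.1.1.1")
FROM_BLOCKED_NAS = Simple("Radius.Calling-Station-ID", "equals", "1.1.1.1")
WIRED_USER = Compound("AND", (NOT_FROM_BLOCKED_NAS,
                              Simple("Radius.NAS-Port-Type", "equals", "Ethernet")))

if __name__ == "__main__":
    print(evaluate(NOT_FROM_BLOCKED_NAS, REQUEST_NO_CSID))  # True: attribute absent
    print(evaluate(FROM_BLOCKED_NAS, REQUEST_NO_CSID))      # False
    print(resolve_failover("user_not_found", "PEAP", {"user_not_found": "continue"}))  # reject
```

The first two calls show the asymmetry the guide warns about: the same absent attribute makes a "not equal to" rule match and an "equals" rule fail, so an exclusion written with "not equal to" does not by itself prove the attribute was sent.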
Simple Authentication Policy Flow

Figure 28: Simple Authentication Policy Flow

The result of a simple policy can be any one of the following:

• Authentication passed
• Authentication failed

An authentication can fail for any of the following reasons:

• Bad credentials or disabled user.
• User not found.
• Authentication process fails.

Guidelines for Configuring Simple Authentication Policies

Follow these guidelines when configuring simple authentication policies:

• If you wish to use the RADIUS server sequence, then you must define this access service before you define the policy.
• If your users are defined in external identity sources, ensure that you have configured these identity sources in Cisco ISE before you define the policy.
• If you want to use an identity source sequence for authenticating users, ensure that you have created the identity source sequence before you define the policy.
• When you switch between simple and rule-based authentication policies, you will lose the policy that you configured earlier. For example, if you configured a simple authentication policy and you want to move to a rule-based authentication policy, you will lose the simple authentication policy. Also, when you move from a rule-based authentication policy to a simple authentication policy, you will lose the rule-based authentication policy.
• Host authentication is performed with the MAC address only (MAB).

Rule-Based Authentication Policies

Rule-based authentication policies consist of attribute-based conditions that determine the allowed protocols and the identity source or identity source sequence to be used for processing the requests. In a simple authentication policy, you can define the allowed protocols and identity source statically. In a rule-based policy, you can define conditions that allow Cisco ISE to dynamically choose the allowed protocols and identity sources. You can define one or more conditions using any of the attributes from the Cisco ISE dictionary.

Cisco ISE allows you to create conditions as individual, reusable policy elements that can be referred to from other rule-based policies. You can also create conditions from within the policy creation page. The two types of conditions are:

• Simple condition
• Compound condition

Rule-Based Authentication Policy Flow

In rule-based policies, you can define multiple rules. The identity database is selected based on the first rule that matches the criteria.
You can also define an identity source sequence consisting of different databases. You can define the order in which you want Cisco ISE to look up these databases. Cisco ISE will access these databases in sequence until the authentication succeeds. If there are multiple instances of the same user in an external database, the authentication fails. There can only be one user record for a user in an identity source.
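The following is an added example, not code from the Cisco ISE guide. It models the two behaviours described under Rule-Based Authentication Policy Flow: the first matching rule selects the allowed protocols and the identity source, and an identity source sequence is walked in order until authentication succeeds, with duplicate records for one user in a single store counted as a failure. Rule names, attribute names, store names, users and passwords are constructed sample data. Two details are assumptions of this model rather than statements from the guide: an unreachable store stops the walk as a process failure, and an explicit credential failure stops it rather than moving to the next store.

```python
# Added example: not code from the Cisco ISE guide. Models first-match rule
# selection and identity source sequence lookup as the guide describes them.
# All names and records are constructed. Assumptions of this model (not from
# the guide): an unreachable store stops the walk as "process_failed", and an
# explicit credential failure stops the walk instead of trying the next store.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    match: Dict[str, object]    # every listed attribute must equal its value
    allowed_protocols: str
    identity_source: str        # a single store name or a sequence name


def select_rule(rules: List[Rule], request: Dict[str, object], default: Rule) -> Rule:
    """First match wins: return the first rule whose attributes all match, else default."""
    for rule in rules:
        if all(request.get(attr) == want for attr, want in rule.match.items()):
            return rule
    return default


# A store maps a name to its (user, password) records, or to None when the
# store cannot be reached (the guide's "process failed" case).
Stores = Dict[str, Optional[List[Tuple[str, str]]]]


def lookup(stores: Stores, store: str, user: str, password: str) -> str:
    records = stores[store]
    if records is None:
        return "process_failed"
    matches = [pw for name, pw in records if name == user]
    if not matches:
        return "user_not_found"
    if len(matches) > 1:
        return "auth_failed"       # guide: only one record per user is allowed
    return "passed" if matches[0] == password else "auth_failed"


def authenticate(sequence: List[str], stores: Stores,
                 user: str, password: str) -> Tuple[str, Optional[str]]:
    """Walk the stores in order; return (result, store that produced it)."""
    for store in sequence:
        result = lookup(stores, store, user, password)
        if result != "user_not_found":
            return result, store   # success, credential failure or outage ends the walk
    return "user_not_found", None


# Constructed sample data. Passwords are plain strings only because this is a
# model; a real store holds verifiers, not passwords.
STORES: Stores = {
    "Internal Users": [("alice", "pw-alice")],
    "AD1": [("bob", "pw-bob"), ("carol", "pw-c1"), ("carol", "pw-c2")],
    "LDAP1": [("dave", "pw-dave")],
    "RSA-Token": None,             # unreachable in this sample
}
SEQUENCES = {"AD_then_Internal": ["AD1", "Internal Users"],
             "All_Stores": ["Internal Users", "AD1", "LDAP1"]}

RULES = [
    Rule("Wired 802.1X", {"NetworkAccess.Protocol": "dot1x", "Device.Type": "switch"},
         "Default Network Access", "AD_then_Internal"),
    Rule("Wireless 802.1X", {"NetworkAccess.Protocol": "dot1x", "Device.Type": "wlc"},
         "Default Network Access", "LDAP1"),
]
DEFAULT_RULE = Rule("Default", {}, "Default Network Access", "All_Stores")


def authenticate_request(request: Dict[str, object], user: str,
                         password: str) -> Tuple[str, str, Optional[str]]:
    """Pick the rule, then resolve its identity source (sequence or single store)."""
    rule = select_rule(RULES, request, DEFAULT_RULE)
    sequence = SEQUENCES.get(rule.identity_source, [rule.identity_source])
    result, store = authenticate(sequence, STORES, user, password)
    return rule.name, result, store


if __name__ == "__main__":
    wired = {"NetworkAccess.Protocol": "dot1x", "Device.Type": "switch"}
    print(authenticate_request(wired, "alice", "pw-alice"))  # ('Wired 802.1X', 'passed', 'Internal Users')
    print(authenticate_request(wired, "carol", "pw-c1"))     # ('Wired 802.1X', 'auth_failed', 'AD1')
```

The carol case is the one to notice: her password is valid, but because AD1 holds two records for her the guide's rule makes the authentication fail, and the duplicate has to be cleaned up in the directory rather than worked around in the sequence.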