Cisco ISE 1.3 User Guide
Cisco Identity Services Engine Administrator Guide, Release 1.3

We recommend that you use only three, or at most four, databases in an identity source sequence.

Figure 29: Rule-Based Authentication Policy Flow

Supported Dictionaries for Rule-Based Authentication Policies

Cisco ISE supports the following dictionaries:

• System-defined dictionaries
  ◦ CERTIFICATE
  ◦ DEVICE
  ◦ RADIUS
• RADIUS vendor dictionaries
  ◦ Airespace
  ◦ Cisco
  ◦ Cisco-BBSM
  ◦ Cisco-VPN3000
  ◦ Microsoft
  ◦ Network access

Attributes Supported by Dictionaries

The table lists the fixed attributes that are supported by dictionaries, which can be used in policy conditions. Not all of these attributes are available for creating all types of conditions. For example, while creating a condition to choose the access service in authentication policies, you will only see the following network access attributes: Device IP Address, ISE Host Name, Network Device Name, Protocol, and Use Case.

You can use the attributes listed in the following table in policy conditions.

Dictionary     | Attributes                                                                  | Allowed Protocol Rules and Proxy | Identity Rules
---------------|-----------------------------------------------------------------------------|----------------------------------|---------------
Device         | Device Type (predefined network device group)                               | Yes                              | Yes
               | Device Location (predefined network device group)                           |                                  |
               | Other Custom Network Device Group                                           |                                  |
               | Software Version                                                            |                                  |
               | Model Name                                                                  |                                  |
RADIUS         | All attributes                                                              | Yes                              | Yes
Network Access | ISE Host Name                                                               | Yes                              | Yes
               | Authentication Method                                                       | No                               | Yes
               | AuthenticationStatus                                                        | No                               | No
               | CTS Device ID                                                               | No                               | No
               | Device IP Address                                                           | Yes                              | Yes
               | EapAuthentication (the EAP method that is used during authentication of a user or a machine) | No              | Yes
               | EapTunnel (the EAP method that is used for tunnel establishment)            | No                               | Yes
               | Protocol                                                                    | Yes                              | Yes
               | UseCase                                                                     | Yes                              | Yes
               | UserName                                                                    | No                               | Yes
               | WasMachineAuthenticated                                                     | No                               | No
Certificate    | Common Name                                                                 | No                               | Yes
               | Country                                                                     |                                  |
               | E-mail                                                                      |                                  |
               | Location                                                                    |                                  |
               | Organization                                                                |                                  |
               | Organization Unit                                                           |                                  |
               | Serial Number                                                               |                                  |
               | State or Province                                                           |                                  |
               | Subject                                                                     |                                  |
               | Subject Alternative Name                                                    |                                  |
               | Subject Alternative Name - DNS                                              |                                  |
               | Subject Alternative Name - E-mail                                           |                                  |
               | Subject Alternative Name - Other Name                                       |                                  |
               | Subject Serial Number                                                       |                                  |
               | Issuer                                                                      |                                  |
               | Issuer - Common Name                                                        |                                  |
               | Issuer - Organization                                                       |                                  |
               | Issuer - Organization Unit                                                  |                                  |
               | Issuer - Location                                                           |                                  |
               | Issuer - Country                                                            |                                  |
               | Issuer - Email                                                              |                                  |
               | Issuer - Serial Number                                                      |                                  |
               | Issuer - State or Province                                                  |                                  |
               | Issuer - Street Address                                                     |                                  |
               | Issuer - Domain Component                                                   |                                  |
               | Issuer - User ID                                                            |                                  |

Protocol Settings for Authentication

You must define global protocol settings in Cisco ISE before you can use these protocols to create, save, and implement a policy set to process an authentication request. You can use the Protocol Settings page to define global options for the Extensible Authentication Protocol-Flexible Authentication via Secure Tunneling (EAP-FAST), Extensible Authentication Protocol-Transport Layer Security (EAP-TLS), and Protected Extensible Authentication Protocol (PEAP) protocols, which communicate with the other devices in your network.

Guidelines for Using EAP-FAST as Authentication Protocol

Follow these guidelines when using EAP-FAST as an authentication protocol:

• It is highly recommended to enable the EAP-TLS inner method when EAP-FAST accept client certificate is enabled on authenticated provisioning. EAP-FAST accept client certificate on authenticated provisioning is not a separate authentication method but a shorter form of client certificate authentication that uses the same certificate credential type to authenticate a user but does not require an inner method to run.
• Accept client certificate on authenticated provisioning works with PAC-less full handshake and authenticated PAC provisioning. It does not work for PAC-less session resume, anonymous PAC provisioning, or PAC-based authentication.
• EAP attributes are displayed per identity (so in EAP chaining they are displayed twice) in the authentication details of the monitoring tool, in the order user then machine, even if the authentication happened in a different order.
• When an EAP-FAST authorization PAC is used, the EAP authentication method shown in the live logs is equal to the authentication method used for full authentication (as in PEAP) and not Lookup.
• In EAP chaining mode, when the tunnel PAC has expired, ISE falls back to provisioning and AC requests User and Machine authorization PACs; the Machine Authorization PAC cannot be provisioned at that point. It will be provisioned in the subsequent PAC-based authentication conversation when AC requests it.
• When Cisco ISE is configured for chaining and AC for single mode, AC responds with an Identity Type TLV to ISE. However, the second identity authentication fails. You can see from this conversation that the client is capable of chaining but is currently configured for single mode.
• Cisco ISE supports retrieval of attributes and groups for both machine and user in EAP-FAST chaining only for AD. For LDAP and the Internal DB, ISE uses only the last identity's attributes.
Note: The message "EAP-FAST crypto binding verification failed" might be seen if the EAP-FAST authentication protocol is used for High Sierra Mac OS X devices. We recommend that you configure the Preferred EAP Protocol field in the Allowed Protocols page to use PEAP or EAP-TLS instead of EAP-FAST for High Sierra Mac OS X devices.

Configure EAP-FAST Settings

Before You Begin

To perform the following task, you must be a Super Admin or System Admin.

Procedure

Step 1 Choose Administration > System > Settings > Protocols > EAP-FAST > EAP Fast Settings.
Step 2 Enter the details as required to define the EAP-FAST protocol.
Step 3 Click Revoke if you want to revoke all the previously generated master keys and PACs.
Step 4 Click Save to save the EAP-FAST settings.

Generate the PAC for EAP-FAST

You can use the Generate PAC option in Cisco ISE to generate a tunnel or machine PAC for the EAP-FAST protocol.

Before You Begin

To perform the following task, you must be a Super Admin or System Admin.

Procedure

Step 1 Choose Administration > System > Settings.
Step 2 From the Settings navigation pane on the left, click Protocols.
Step 3 Choose EAP-FAST > Generate PAC.
Step 4 Enter the details as required to generate a machine PAC for the EAP-FAST protocol.
Step 5 Click Generate PAC.

Configure EAP-TLS Settings

Before You Begin

To perform the following task, you must be a Super Admin or System Admin.

Procedure

Step 1 Choose Administration > System > Settings > Protocols > EAP-TLS.
Step 2 Enter the details as required to define the EAP-TLS protocol.
Step 3 Click Save to save the EAP-TLS settings.

Configure PEAP Settings

Before You Begin

To perform the following task, you must be a Super Admin or System Admin.

Procedure

Step 1 Choose Administration > System > Settings.
Step 2 From the Settings navigation pane on the left, click Protocols.
Step 3 Choose PEAP.
Step 4 Enter the details as required to define the PEAP protocol.
Step 5 Click Save to save the PEAP settings.

Configure RADIUS Settings

You can configure the RADIUS settings to detect the clients that fail to authenticate and to suppress the repeated reporting of successful authentications.

Procedure

Step 1 Choose Administration > System > Settings.
Step 2 From the Settings navigation pane, click Protocols.
Step 3 Choose RADIUS.
Step 4 Enter the details as required to define the RADIUS settings.
Step 5 Click Save to save the settings.
Network Access Service

A network access service contains the authentication policy conditions for requests. You can create separate network access services for different use cases, for example, Wired 802.1X, Wired MAB, and so on. To create a network access service, configure allowed protocols or server sequences.

Define Allowed Protocols for Network Access

Allowed protocols define the set of protocols that Cisco ISE can use to communicate with the device that requests access to the network resources. An allowed protocols access service is an independent entity that you should create before you configure authentication policies. An allowed protocols access service is an object that contains your chosen protocols for a particular use case.

The Allowed Protocols Services page lists all the allowed protocols services that you create. There is a default network access service that is predefined in Cisco ISE.

Before You Begin

Before you begin this procedure, you should have a basic understanding of the protocol services that are used for authentication.

• Review the Cisco ISE Authentication Policies section in this chapter to understand the authentication types and the protocols that are supported by the various databases.
• Review the PAC Options to understand the functions and options for each protocol service, so you can make the selections that are appropriate for your network.
• Ensure that you have defined the global protocol settings.

To perform the following task, you must be a Super Admin or System Admin.

Procedure

Step 1 Choose Policy > Policy Elements > Results > Authentication > Allowed Protocols.
Step 2 Click Add.
Step 3 Enter the required information.
Step 4 Select the appropriate authentication protocols and options for your network.
Step 5 If you choose to use PACs, make the appropriate selections.
To enable Anonymous PAC Provisioning, you must choose both of the inner methods, EAP-MSCHAPv2 and Extensible Authentication Protocol-Generic Token Card (EAP-GTC). Also, be aware that Cisco ISE only supports Active Directory as an external identity source for machine authentication.
Step 6 Click Submit to save the allowed protocols service.

The allowed protocols service appears as an independent object in the simple and rule-based authentication policy pages. You can use this object in different rules.

You can now create a simple or rule-based authentication policy.

If you disable EAP-MSCHAP as an inner method and enable the EAP-GTC and EAP-TLS inner methods for PEAP or EAP-FAST, ISE starts the EAP-GTC inner method during inner method negotiation. Before the first EAP-GTC message is sent to the client, ISE executes the identity selection policy to obtain the GTC password from the identity store. During the execution of this policy, the EAP authentication attribute is equal to EAP-GTC. If the EAP-GTC inner method is rejected by the client and EAP-TLS is negotiated, the identity store policy is not executed again. If the identity store policy is based on the EAP authentication attribute, it might produce unexpected results, since the real EAP authentication is EAP-TLS but that value was set only after the identity policy was evaluated.

Enable MAB from Non-Cisco Devices

Configure the following settings sequentially to configure MAB from non-Cisco devices.

Procedure

Step 1 Ensure that the MAC addresses of the endpoints that are to be authenticated are available in the Endpoints database. You can add these endpoints or have them profiled automatically by the Profiler service.
Step 2 Create an Allowed Protocol service based on the type of MAC authentication used by the non-Cisco device (PAP, CHAP, or EAP-MD5).
  a) Choose Policy > Policy Elements > Results > Authentication > Allowed Protocols.
  b) Enter a name for the Allowed Protocol service. For example, MAB for NonCisco Devices.
  c) Select the protocol based on the MAC authentication type used by the non-Cisco device:
    • PAP: Check the Allow PAP/ASCII check box and check the Detect PAP as Host Lookup check box.
    • CHAP: Check the Allow CHAP check box and check the Detect CHAP as Host Lookup check box.
    • EAP-MD5: Check the Allow EAP-MD5 check box and check the Detect EAP-MD5 as Host Lookup check box.
  For each of the protocols listed above, it is recommended to check the following check boxes:
    • Check Password: Enable this to check the trivial MAB password, so that the sending network device is authenticated.
    • Check Calling-Station-Id equals MAC address: Enable this as an extra security check, when Calling-Station-Id is being sent.
Step 3 Configure an authentication policy rule for enabling MAB from non-Cisco devices.
  a) Choose Policy > Authentication.
  b) Select the Rule-Based authentication policy.
  c) Insert a new rule for MAB.
  d) Select the Allowed Protocol service (MAB for NonCisco Devices) that you created in Step 2 in this rule.
  e) Select the Internal Endpoints database as the Identity Source in this rule.
  f) Save the authentication policy.

Enable MAB from Cisco Devices

Configure the following settings sequentially to configure MAB from Cisco devices.
Procedure

Step 1 Ensure that the MAC addresses of the endpoints that are to be authenticated are available in the Endpoints database. You can add these endpoints or have them profiled automatically by the Profiler service.
Step 2 Create an Allowed Protocol service based on the type of MAC authentication used by the Cisco device (PAP, CHAP, or EAP-MD5).
  a) Choose Policy > Policy Elements > Results > Authentication > Allowed Protocols.
  b) Enter a name for the Allowed Protocol service. For example, MAB for Cisco Devices.
  c) Check the Process Host Lookup check box.
  d) Select the protocol based on the MAC authentication type used by the Cisco device:
    • PAP: Check the Allow PAP/ASCII check box and check the Detect PAP as Host Lookup check box.
    • CHAP: Check the Allow CHAP check box and check the Detect CHAP as Host Lookup check box.
    • EAP-MD5: Check the Allow EAP-MD5 check box and check the Detect EAP-MD5 as Host Lookup check box.
  For each of the protocols listed above, it is recommended to check the following check boxes:
    • Check Password: Enable this to check the trivial MAB password, so that the sending network device is authenticated.
    • Check Calling-Station-Id equals MAC address: Enable this as an extra security check, when Calling-Station-Id is being sent.
  e) Save the Allowed Protocol service.
Step 3 Configure an authentication policy rule for enabling MAB from Cisco devices.
  a) Choose Policy > Authentication.
  b) Select the Rule-Based authentication policy.
  c) Insert a new rule for MAB.
  d) Select the Allowed Protocol service (MAB for Cisco Devices) that you created in Step 2 in this rule.
  e) Select the Internal Endpoints database as the Identity Source in this rule.
  f) Save the authentication policy.

Cisco ISE Acting as a RADIUS Proxy Server

Cisco ISE can function both as a RADIUS server and as a RADIUS proxy server. When it acts as a proxy server, Cisco ISE receives authentication and accounting requests from the network access server (NAS) and forwards them to the external RADIUS server. Cisco ISE accepts the results of the requests and returns them to the NAS.
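The two MAB procedures above, together with the attribute table and the identity-source-sequence recommendation earlier in this chapter, describe a policy flow that is easier to reason about when written out. The following is an added example written for this page, not code from Cisco or from ISE: a small rule-based authentication policy evaluator that (1) refuses a rule condition on an attribute the table marks "No" for its stage, (2) applies the Detect PAP as Host Lookup, Check Password and Check Calling-Station-Id options of an Allowed Protocols service to a MAB request, and (3) walks an identity source sequence of at most four databases. Attribute names as "Dictionary:Attribute" strings, the rule and store objects, and the RADIUS requests are all constructed here; the reading of "trivial MAB password" as the endpoint MAC address itself is an assumption based on the common NAS convention, not something the page states; and rejecting a request that fails host-lookup detection is a simplification of what ISE actually does.

```python
import re

# Stage restrictions from the "Attributes Supported by Dictionaries" table
# (representative subset): what an allowed-protocol (outer) rule may test
# versus what an identity (inner) rule may test.
ALLOWED_PROTOCOL_RULE_ATTRS = {
    "Device:Device Type", "Device:Location", "RADIUS:*",
    "Network Access:ISE Host Name", "Network Access:Device IP Address",
    "Network Access:Protocol", "Network Access:UseCase",
}
IDENTITY_RULE_ATTRS = ALLOWED_PROTOCOL_RULE_ATTRS | {
    "Network Access:AuthenticationMethod", "Network Access:EapAuthentication",
    "Network Access:EapTunnel", "Network Access:UserName",
    "Certificate:Common Name", "Certificate:Subject Alternative Name",
}
MAC_RE = re.compile(r"^[0-9a-f]{2}([:-]?[0-9a-f]{2}){5}$", re.I)


def norm_mac(value):
    """Canonical lowercase hex so 00-11-22-33-44-55 equals 00:11:22:33:44:55."""
    return re.sub(r"[^0-9a-f]", "", value.lower())


def check_condition(attr, stage):
    """True if the table allows this attribute at stage 'allowed_protocol' or 'identity'."""
    allowed = ALLOWED_PROTOCOL_RULE_ATTRS if stage == "allowed_protocol" else IDENTITY_RULE_ATTRS
    return attr in allowed or attr.split(":")[0] + ":*" in allowed


def matches(conditions, attrs, stage):
    """Evaluate a rule's conditions; a condition on a disallowed attribute is a policy error."""
    for attr, value in conditions.items():
        if not check_condition(attr, stage):
            raise ValueError(f"{attr} cannot be used in {stage} rules")
        if attrs.get(attr) != value:
            return False
    return True


def detect_host_lookup(req, service):
    """Apply the MAB options of an Allowed Protocols service to a PAP request.
    Assumption (not stated on the page): the 'trivial MAB password' is the
    endpoint MAC address itself, the usual NAS convention."""
    user = req.get("User-Name", "")
    if not (service["detect_pap_as_host_lookup"] and "User-Password" in req):
        return False, "not processed as a host lookup"
    if not MAC_RE.match(user):
        return False, "User-Name is not a MAC address"
    if service["check_password"] and norm_mac(req["User-Password"]) != norm_mac(user):
        return False, "trivial MAB password check failed"
    csid = req.get("Calling-Station-Id")
    if service["check_calling_station_id"] and csid and norm_mac(csid) != norm_mac(user):
        return False, "Calling-Station-Id does not equal MAC address"
    return True, "host lookup"


def lookup_identity(sequence, stores, key):
    """Walk an identity source sequence in order (the page recommends at most four)."""
    if len(sequence) > 4:
        raise ValueError("identity source sequence has more than four databases")
    for name in sequence:
        if key in stores[name]:
            return name
    return None


# Constructed sample policy: two allowed-protocol services, two rules, three stores.
SERVICES = {
    "MAB for NonCisco Devices": dict(detect_pap_as_host_lookup=True,
                                     check_password=True, check_calling_station_id=True),
    "Default Network Access": dict(detect_pap_as_host_lookup=False,
                                   check_password=False, check_calling_station_id=False),
}
RULES = [
    {"name": "MAB", "service": "MAB for NonCisco Devices",
     "conditions": {"Network Access:Protocol": "RADIUS", "Device:Device Type": "Non-Cisco Switch"},
     "identity_rules": [({"Network Access:UseCase": "Host Lookup"}, ["Internal Endpoints"])]},
    {"name": "Default", "service": "Default Network Access", "conditions": {},
     "identity_rules": [({}, ["Internal Users", "AD1"])]},
]
STORES = {"Internal Endpoints": {"001122334455"}, "Internal Users": {"alice"}, "AD1": {"bob"}}


def authenticate(req, attrs):
    """Return (rule name, identity store or None, reason) for one RADIUS request."""
    for rule in RULES:
        if not matches(rule["conditions"], attrs, "allowed_protocol"):
            continue
        service = SERVICES[rule["service"]]
        is_mab, reason = detect_host_lookup(req, service)
        if service["detect_pap_as_host_lookup"] and not is_mab:
            return rule["name"], None, reason  # rejected before any identity lookup
        attrs = dict(attrs, **{"Network Access:UseCase": "Host Lookup" if is_mab else "Default"})
        key = norm_mac(req["User-Name"]) if is_mab else req.get("User-Name", "")
        for conditions, sequence in rule["identity_rules"]:
            if matches(conditions, attrs, "identity"):
                store = lookup_identity(sequence, STORES, key)
                return rule["name"], store, "ok" if store else "identity not found in sequence"
        return rule["name"], None, "no identity rule matched"
    return None, None, "no rule matched"


if __name__ == "__main__":
    mab = {"User-Name": "00:11:22:33:44:55", "User-Password": "001122334455",
           "Calling-Station-Id": "00-11-22-33-44-55"}
    print(authenticate(mab, {"Network Access:Protocol": "RADIUS", "Device:Device Type": "Non-Cisco Switch"}))
```

The Check Calling-Station-Id option is the interesting one for a defender: without it, any host that can send a PAP request whose User-Name and User-Password are a known endpoint's MAC is looked up as that endpoint, and the mismatch between the NAS-reported Calling-Station-Id and the claimed MAC is the only signal left. The stage check in `matches` reproduces why the table matters: a rule that selects the Allowed Protocols service cannot test Authentication Method, because that attribute only exists once the protocol has been negotiated.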
Cisco ISE can simultaneously act as a proxy server to multiple external RADIUS servers. You can use the external RADIUS servers that you configure here in RADIUS server sequences. The External RADIUS Server page lists all the external RADIUS servers that you have defined in Cisco ISE. You can use the filter option