Cisco Identity Services Engine Administrator Guide, Release 1.3
CHAPTER 20 Manage Authorization Policies and Profiles

• Cisco ISE Authorization Policies
• Cisco ISE Authorization Profiles
• Default Authorization Policy, Rule, and Profile Configuration
• Configure Authorization Policies
• Permissions for Authorization Profiles
• Downloadable ACLs
• Machine Access Restriction for Active Directory User Authorization

Cisco ISE Authorization Policies

Authorization policies are a component of the Cisco ISE network authorization service. This service allows you to define authorization policies and configure authorization profiles for specific users and groups that access your network resources.

Authorization policies can contain conditional requirements that combine one or more identity groups using a compound condition that includes authorization checks that can return one or more authorization profiles. In addition, conditional requirements can exist apart from the use of a specific identity group (such as in using the default "Any").

Authorization policies are used when creating authorization profiles in Cisco Identity Services Engine (Cisco ISE). An authorization policy is composed of authorization rules. Authorization rules have three elements: name, attributes, and permissions. The permission element is the one that maps to an authorization profile.

Cisco ISE Authorization Profiles

Authorization policies associate rules with specific user and group identities to create the corresponding profiles. Whenever these rules match the configured attributes, the corresponding authorization profile that grants permission is returned by the policy and network access is authorized accordingly.

For example, authorization profiles can include a range of permissions that are contained in the following types:
• Standard profiles
• Exception profiles
• Device-based profiles

Profiles consist of attributes chosen from a set of resources, which are stored in any of the available vendor dictionaries, and these are returned when the compound condition for the specific authorization policy matches. Because authorization policies can include a compound condition mapping to a single network service rule, these can also include a list of authorization checks.

For simple scenarios, all authorization checks are made using the AND Boolean operator within the rule. For advanced scenarios, any type of authorization verification expression can be used, but all these authorization verifications must comply with the authorization profiles to be returned. Authorization verifications typically comprise one or more conditions, including a user-defined name that can be added to a library, which can then be reused by other authorization policies.

Authorization Policy Terminology

You can define authorization profiles and policies for network authorization of users to access the Cisco ISE network and its resources. Cisco ISE also uses downloadable ACLs (DACLs).

Network Authorization

Network authorization controls user access to the network and its resources and what each user can do on the system with those resources. Activate network authorization from Cisco ISE by defining sets of permissions that authorize read, write, and execute privileges. Cisco ISE lets you create a number of different authorization policies to suit your network needs. This release supports only RADIUS access to the Cisco ISE network and its resources.

Policy Elements

Policy elements are components that define an authorization policy and are as follows:
• Rule name
• Identity groups
• Conditions
• Permissions

These policy elements are referenced when you create policy rules, and your choice of conditions and attributes can create specific types of authorization profiles.
Authorization Profile

An authorization profile acts as a container where a number of specific permissions allow access to a set of network services. The authorization profile is where you define a set of permissions to be granted for a network access request and can include:
• A profile name
• A profile description
• An associated DACL
• An associated VLAN
• An associated SGACL
• Any number of other dictionary-based attributes

Authorization Policy

An authorization policy can consist of a single rule or a set of rules that are user-defined. These rules act to create a specific policy. For example, a standard policy can include the rule name using an If-Then convention that links a value entered for identity groups with specific conditions or attributes to produce a specific set of permissions that create a unique authorization profile. There are two authorization policy options you can set:
• First Matched Rules Apply
• Multiple Matched Rule Applies

These two options direct Cisco ISE to use either the first matched or the multiple matched rule type listed in the standard policy table when it matches the user's set of permissions. These are the two types of authorization policies that you can configure:
• Standard—Standard policies are policies created to remain in effect for long periods of time, to apply to a larger group of users, devices, or groups, and to allow access to specific or all network endpoints. Standard policies are intended to be stable and apply to a large group of users, devices, and groups that share a common set of privileges.
Standard policies can be used as templates that you modify to serve the needs of a specific identity group, using specific conditions or permissions, to create another type of standard policy to meet the needs of new divisions, user groups, devices, or network groups.
• Exception—By contrast, exception policies are appropriately named because this type of policy acts as an exception to the standard policies. Exception policies are intended for authorizing limited access that is based on a variety of factors, such as short-term policy duration, specific types of network devices, network endpoints or groups, or the need to meet special conditions or permissions or an immediate requirement.
Exception policies are created to meet an immediate or short-term need, such as authorizing a limited number of users, devices, or groups to access network resources. An exception policy lets you create a specific set of customized values for an identity group, condition, or permission that are tailored for one user or a subset of users. This allows you to create different or customized policies to meet your corporate, group, or network needs.

Access Control Lists

An access control list (ACL) in the Cisco ISE system is a list of permissions attached to a specific object or network resource. An ACL specifies which users or groups are granted access to an object, as well as what operations are allowed on a given object or network resource. Each entry in a typical ACL specifies a subject and an operation or provides the state (such as Permit or Deny).

Authorization Policies and Supported Dictionaries

For authorization policy types, the verification must comply with the authorization profiles to be returned.
Verifications typically include one or more conditions that include a user-defined name that can then be added to a library and reused by other policies. You define conditions using the attributes from the Cisco ISE dictionary, which supports the following dictionaries:
• System-defined dictionary:
  ◦ RADIUS
• RADIUS-vendor dictionaries:
  ◦ Airespace
  ◦ Cisco
  ◦ Cisco-BBSM
  ◦ Cisco-VPN3000
  ◦ Microsoft

Guidelines for Configuring Authorization Policies and Profiles

Observe the following guidelines when managing or administering authorization policies and profiles:
• Rule names you create must use only the following supported characters:
  ◦ Symbols: plus (+), hyphen (-), underscore (_), period (.), and a space ( ).
  ◦ Alphabetic characters: A-Z and a-z.
  ◦ Numeric characters: 0-9.
• Identity groups default to "Any" (you can use this global default to apply to all users).
• Conditions allow you to set one or more policy values. However, conditions are optional and are not required to create an authorization policy. These are the two methods for creating conditions:
  ◦ Choose an existing condition or attribute from a corresponding dictionary of choices.
  ◦ Create a custom condition that allows you to select a suggested value or use a text box to enter a custom value.
• Condition names you create must use only the following supported characters:
  ◦ Symbols: hyphen (-), underscore (_), and period (.).
  ◦ Alphabetic characters: A-Z and a-z.
  ◦ Numeric characters: 0-9.
• Permissions are important when choosing an authorization profile to use for a policy. A permission can grant access to specific resources or allow you to perform specific tasks. For example, if a user belongs to a specific identity group (such as Device Admins), and the user meets the defined conditions (such as a site in Boston), then this user is granted the permissions associated with that group (such as access to a specific set of network resources or permission to perform a specific operation on a device).
• Make sure that you click Save to save the new or modified policy or profile in the Cisco ISE database.
Default Authorization Policy, Rule, and Profile Configuration

The Cisco ISE software comes installed with a number of preinstalled default conditions, rules, and profiles that provide common settings that make it easier for you to create the rules and policies required in Cisco ISE authorization policies and profiles.

The table describes built-in configuration defaults that contain specified values in Cisco ISE.

Table 23: Authorization Policy, Profile, and Rule Configuration Defaults

(Columns: Name; Path in the User Interface; Description; Additional Information)

Authorization Policy Configuration Defaults

Name: Default Compound Conditions for Authorization Policies
Path in the User Interface: Policy > Policy Elements > Conditions > Authorization
Description: These are preinstalled configuration defaults for conditions, rules, and profiles to be used in authorization policies.
Additional Information: You can use the related attributes for creating authorization policies:
• Wired 802.1x
• Wired MAB
• Wireless 802.1x
• Catalyst Switch Local Web authentication
• WLC Web authentication

Name: Wired MAB Compound Condition
Path in the User Interface: Policy > Policy Elements > Conditions > Authorization > Compound Conditions
Description: This compound condition checks for the following attributes and values:
• RADIUS:Service-Type = Call-Check
• RADIUS:NAS-Port-Type = Ethernet
Additional Information: This compound condition is used in the Wired MAB authorization policy. Any request that matches the criteria specified in this policy would be evaluated based on the Wired MAB authorization policy.

Name: Wireless 802.1X Compound Condition
Path in the User Interface: Policy > Policy Elements > Conditions > Authorization > Compound Conditions
Description: This compound condition checks for the following attributes and values:
• RADIUS:Service-Type = Framed
• RADIUS:NAS-Port-Type = Wireless-IEEE802.11
Additional Information: This compound condition is used in the Wireless 802.1X authorization policy. Any request that matches the criteria specified in this policy would be evaluated based on the Wireless 802.1X authorization policy.

Name: Wired 802.1X Compound Condition
Path in the User Interface: Policy > Policy Elements > Conditions > Authorization > Compound Conditions
Description: This compound condition checks for the following attributes and values:
• RADIUS:Service-Type = Framed
• RADIUS:NAS-Port-Type = Ethernet
Additional Information: This compound condition is used in the Wired 802.1X authorization policy. Any request that matches the criteria specified in this policy would be evaluated based on the Wired 802.1X authorization policy.

Name: Catalyst Switch Local Web Authentication Compound Condition
Path in the User Interface: Policy > Policy Elements > Conditions > Authorization > Compound Conditions
Description: This compound condition checks for the following attributes and values:
• RADIUS:Service-Type = Outbound
• RADIUS:NAS-Port-Type = Ethernet
Additional Information: To use this compound condition, you must create an authorization policy that would check for this condition.

Name: Wireless LAN Controller (WLC) Local Web Authentication Compound Condition
Path in the User Interface: Policy > Policy Elements > Conditions > Authorization > Compound Conditions
Description: This compound condition checks for the following attributes and values:
• RADIUS:Service-Type = Outbound
• RADIUS:NAS-Port-Type = Wireless-IEEE802.11
Additional Information: To use this compound condition, you must create an authorization policy that would check for this condition.

Authorization Profile Configuration Defaults

Name: Blacklist_Access
Path in the User Interface: Policy > Policy Elements > Results > Authorization Profiles > Blacklist_Access
Description: This authorization profile rejects access to devices that are blacklisted. All blacklisted devices are redirected to the following URL: https://ip:port/blacklistportal/gateway?portal=PortalID
Additional Information: This default authorization profile is applied for all endpoints that are declared as "lost" in the My Devices Portal.

Name: Cisco_IP_Phones
Path in the User Interface: Policy > Policy Elements > Results > Authorization Profiles > Cisco_IP_Phones
Description: This authorization profile uses a configuration default profile with the following values:
• Name: Cisco IP Phones
• DACL: PERMIT_ALL_TRAFFIC
• VSA: cisco:av-pair:device-traffic-class=voice
This profile will evaluate requests that match the criteria specified in this profile.
Additional Information: This default authorization profile uses the DACL and vendor-specific attribute (VSA) to authorize all "voice" traffic (PERMIT_ALL_TRAFFIC).

Authorization Rule Configuration Defaults

Name: Black List Default Authorization Rule
Path in the User Interface: Policy > Authorization Policy
Description: This authorization policy uses a configuration default rule with the following values:
• Rule Name: Black List Default
• Endpoint Identity Group: Blacklist
• Conditions: Any
• Permissions/Authorization Profile: Blacklist_Access
Additional Information: This default rule is designed to appropriately provision "lost" user devices until they are either removed from the system or "reinstated."

Name: Profiled Cisco IP Phones Authorization Rule
Path in the User Interface: Policy > Authorization Policy
Description: This authorization policy uses a configuration default rule with the following values:
• Rule Name: Profiled Cisco IP Phones
• Endpoint Identity Group: Cisco-IP-Phones
• Conditions: Any
• Permissions/Authorization Profile: Cisco_IP_Phones
Additional Information: This default rule uses Cisco IP Phones as its default endpoint identity group and the values listed in this table.

Name: Default Authorization Rule
Path in the User Interface: Policy > Authorization Policy
Description: This authorization policy uses a configuration default rule with the following values:
• Rule Name: Default
• Endpoint Identity Group: Any
• Conditions: Any
• Authorization Profile: PermitAccess
Additional Information: This default rule uses "any" as its default endpoint identity group and the values listed in this table.

Configure Authorization Policies

The Authorization Policy page lets you display, create, duplicate, modify, or delete authorization policies. The following authorization policy profile sections reference example actions directed at a standard authorization policy. You can follow the same process for managing an exception authorization policy.
Before You Begin

Before you begin this procedure, you should have a basic understanding of simple and rule-based conditions, the basic building blocks of identity groups, conditions, and permissions, and how they are used in the Admin portal.

Procedure

Step 1 Choose Policy > Authorization > Standard.
Step 2 Click the down arrow on the far right and select either Insert New Rule Above or Insert New Rule Below.
Step 3 Enter the rule name and select the identity group, condition, attribute, and permission for the authorization policy.
Note: Not all attributes you select will include the "Equals," "Not Equals," "Matches," "Starts With," or "Not Starts With" operator options. The "Matches" operator supports and uses regular expressions (REGEX), not wildcards. You must use the "Equals" operator for straightforward comparison. The "Contains" operator can be used for multi-value attributes. The "Matches" operator should be used for regular expression comparison. When the "Matches" operator is used, the regular expression will be interpreted for both static and dynamic values.
Step 4 Click Done.
Step 5 Click Save to save your changes to the Cisco ISE system database and create this new authorization policy.

Authorization Policy Attributes and Conditions

To reuse a valid attribute when creating authorization policy conditions, select it from a dictionary that contains the supported attributes. For example, Cisco ISE provides an attribute named AuthenticationIdentityStore, which is located in the NetworkAccess dictionary. This attribute identifies the last identity source that was accessed during the authentication of a user:
• When a single identity source is used during authentication, this attribute includes the name of the identity store in which the authentication succeeded.
• When an identity source sequence is used during authentication, this attribute includes the name of the last identity source accessed.

You can use the AuthenticationStatus attribute in combination with the AuthenticationIdentityStore attribute to define a condition that identifies the identity source to which a user has successfully been authenticated.
For example, to check for a condition where a user authenticated using an LDAP directory (LDAP13) in the authorization policy, you can define the following reusable condition:

If NetworkAccess.AuthenticationStatus EQUALS AuthenticationPassed AND NetworkAccess.AuthenticationIdentityStore EQUALS LDAP13

Note: The AuthenticationIdentityStore represents a text field that allows you to enter data for the condition. Ensure that you enter or copy the name correctly into this field. If the name of the identity source changes, you must modify this condition to match the change to the identity source.
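The following is an added example, not Cisco ISE code: a small Python model of how the rule table described in this chapter is evaluated, combining the built-in compound conditions from Table 23, the LDAP13 reusable condition above, the condition operators from Step 3, and the two policy options (First Matched Rules Apply versus Multiple Matched Rule Applies). The "Dictionary:Attribute" request keys, the full-string regex reading of "Matches", the two middle rules and their placeholder profile names, and the identity group names passed to authorize() are all assumptions made for the example.

```python
import re
# Added example, not Cisco ISE code: a toy model of the rule evaluation described in this chapter.
# Operators are the ones the guide names; "Matches" is assumed to mean a full-string regex match.
OPS = {
    "Equals": lambda actual, expected: actual == expected,
    "Not Equals": lambda actual, expected: actual != expected,
    "Starts With": lambda actual, expected: str(actual).startswith(expected),
    "Not Starts With": lambda actual, expected: not str(actual).startswith(expected),
    "Contains": lambda actual, expected: expected in (actual if isinstance(actual, list) else [actual]),
    "Matches": lambda actual, expected: re.fullmatch(expected, str(actual)) is not None,
}

def check(request, attr, op, value):
    """One simple condition; attr uses the 'Dictionary:Attribute' spelling of Table 23.
    An attribute absent from the request never matches (a deliberate fail-closed choice)."""
    return attr in request and OPS[op](request[attr], value)

def compound(request, conditions):
    """Simple-scenario compound condition: every check is ANDed; an empty list means 'Any'."""
    return all(check(request, *c) for c in conditions)

# Built-in compound conditions with the attribute values listed in Table 23.
WIRED_MAB = [("RADIUS:Service-Type", "Equals", "Call-Check"), ("RADIUS:NAS-Port-Type", "Equals", "Ethernet")]
WIRED_DOT1X = [("RADIUS:Service-Type", "Equals", "Framed"), ("RADIUS:NAS-Port-Type", "Equals", "Ethernet")]
# The reusable condition from the text: authentication passed against identity store LDAP13.
LDAP13_PASSED = [("NetworkAccess:AuthenticationStatus", "Equals", "AuthenticationPassed"),
                 ("NetworkAccess:AuthenticationIdentityStore", "Equals", "LDAP13")]
# Rule table in evaluation order: (rule name, endpoint identity group, conditions, profile).
# Rows 1, 2 and 5 are the default rules; rows 3 and 4 are hypothetical, with placeholder profiles.
RULES = [
    ("Black List Default", "Blacklist", [], "Blacklist_Access"),
    ("Profiled Cisco IP Phones", "Cisco-IP-Phones", [], "Cisco_IP_Phones"),
    ("Wired MAB Devices", "Any", WIRED_MAB, "HYPOTHETICAL_MAB_PROFILE"),
    ("Wired Employees", "Any", WIRED_DOT1X + LDAP13_PASSED, "HYPOTHETICAL_EMPLOYEE_PROFILE"),
    ("Default", "Any", [], "PermitAccess"),
]

def authorize(request, identity_group, first_match=True):
    """Profiles returned under First Matched Rules Apply (default) or Multiple Matched Rule Applies."""
    matched = []
    for _name, group, conds, profile in RULES:
        if group in ("Any", identity_group) and compound(request, conds):
            matched.append(profile)
            if first_match:
                break
    return matched

# Constructed RADIUS request: a wired 802.1X session whose user authenticated in LDAP13.
WIRED_USER = {"RADIUS:Service-Type": "Framed", "RADIUS:NAS-Port-Type": "Ethernet",
              "NetworkAccess:AuthenticationStatus": "AuthenticationPassed",
              "NetworkAccess:AuthenticationIdentityStore": "LDAP13"}
```

Note that under Multiple Matched Rule Applies the catch-all Default rule (PermitAccess) is returned alongside the specific match, which is why rule order and the choice of policy option matter when reviewing what a request is actually granted.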