Cisco ISE 1.3 User Guide
To define authorization conditions that are based on an endpoint identity group that has been previously authenticated, Cisco ISE supports authorization that was defined during endpoint identity group 802.1X authentication status. When Cisco ISE performs 802.1X authentication, it extracts the MAC address from the "Calling-Station-ID" field in the RADIUS request and uses this value to look up and populate the session cache for the device's endpoint identity group (defined as an endpoint ID group attribute).

This process makes the endpoint ID group attribute available for use in creating authorization policy conditions, and allows you to define an authorization policy based on endpoint identity group information using this attribute, in addition to user information.

The condition for the endpoint identity group can be defined in the ID Groups column of the authorization policy configuration page. Conditions that are based on user-related information need to be defined in the "Other Conditions" section of the authorization policy. If user information is based on internal user attributes, then use the ID Group attribute in the internal user dictionary. For example, you can enter the full value path in the identity group using a value like "User Identity Group:Employee:US".

Time and Date Conditions

Use the Policy Elements Conditions page to display, create, modify, delete, duplicate, and search time and date policy element conditions. Policy elements are shared objects that define a condition that is based on specific time and date attribute settings that you configure.

Time and date conditions let you set or limit permission to access Cisco ISE system resources to specific times and days as directed by the attribute settings you make.

Permissions for Authorization Profiles

Before you start configuring permissions for authorization profiles, make sure you:

• Understand the relationship between authorization policies and profiles
• Are familiar with the Authorization Profile page
• Know the basic guidelines to follow when configuring policies and profiles
• Understand what comprises permissions in an authorization profile

To work with Authorization Profiles, choose Policy > Policy Elements > Results. From the menu on the left, choose Authorization > Authorization Profiles.
Use the Results navigation pane as your starting point in the process for displaying, creating, modifying, deleting, duplicating, or searching policy element permissions for the different types of authorization profiles on your network. The Results pane initially displays Authentication, Authorization, Profiling, Posture, Client Provisioning, and TrustSec options.

Authorization profiles let you choose the attributes to be returned when a RADIUS request is accepted. Cisco ISE provides a mechanism where you can configure Common Tasks settings to support commonly-used attributes. You must enter the value for the Common Tasks attributes, which Cisco ISE translates to the underlying RADIUS values.

Cisco Identity Services Engine Administrator Guide, Release 1.3 445 Permissions for Authorization Profiles
Configure Permissions for New Standard Authorization Profiles

Procedure

Step 1 Choose Policy > Policy Elements > Results > Authorization > Authorization Profiles.
Step 2 Click Add.
Step 3 Enter values as required to configure a new authorization profile. Supported characters for the name field are: space, !#$%&‘()*+,-./;=?@_{.
Step 4 Click Submit to save your changes to the Cisco ISE system database to create an authorization profile.

Downloadable ACLs

You can define DACLs for the Access-Accept message to return. Use ACLs to prevent unwanted traffic from entering the network. ACLs can filter source and destination IP addresses, transport protocols, and more by using the RADIUS protocol.

After you create DACLs as named permission objects, you can add them to authorization profiles, which you can then specify as the result of an authorization policy.

You can duplicate a DACL if you want to create a new DACL that is the same as, or similar to, an existing downloadable ACL.

After duplication is complete, you access each DACL (original and duplicated) separately to edit or delete them.

Note: While creating a DACL, the keyword Any must be the source in all ACEs in the DACL. Once the DACL is pushed, the Any in the source is replaced with the IP address of the client that is connecting to the switch.

Configure Permissions for Downloadable ACLs

Procedure

Step 1 Choose Policy > Policy Elements > Results > Authorization > Downloadable ACLs.
Step 2 Click the action icon and select Create DACL, or click Add in the DACL Management page.
Step 3 Enter the desired values for the DACL. Supported characters for the name field are: space, !#$%&‘()*+,-./;=?@_{.
Step 4 Click Submit.
Supported Downloadable ACL Format for Inline Posture Node

The following format is supported for DACLs:

ACTION PROTOCOL SOURCE_SUBNET WILDCARD_MASK [OPERATOR [PORT]] DEST_SUBNET WILDCARD_MASK [OPERATOR [PORT]] [ICMP_TYPE_CODE]

Table 24: DACL Format - Options

ACTION: Specifies whether the policy element permissions should permit or deny access.

PROTOCOL: Specifies any one of the following protocols:
  • ICMP
  • UDP
  • TCP
  • IP

SOURCE_SUBNET: Specifies the source subnet format as 'any'.

DEST_SUBNET: Specifies any one of the following destination subnet formats:
  • any
  • host x.x.x.x

WILDCARD_MASK: Specifies the inverse of the subnet mask. For example, 0.0.0.255.

OPERATOR: Specifies any one of the following operators:
  • eq
  • lt
  • gt
  • neq
  • range

PORT: Specifies the port. The valid range is from 1 to 65535.
ICMP_TYPE_CODE: Specifies any one of the following ICMP type codes:
  • 0 — Echo reply
  • 8 — Echo request
  • 3:[0-15] — Destination unreachable
  • 5:[0-3] — ICMP redirects

Examples of acceptable ACL format:

permit tcp any host 192.168.1.100 eq 80 — permits www traffic from anywhere to host 192.168.1.100
permit udp any eq 68 any eq 67 — permits DHCP traffic
permit icmp any any 8, permit icmp any any 0 — allows ICMP echo-request and echo-reply
deny icmp any any 5:0 — denies ICMP network redirects
permit ip any 67.2.2.0 0.0.0.255 — permits all traffic from the host to the 67.2.2.0 subnet
permit udp any any range 16384 32767 — permits voice traffic using a range of UDP ports

Examples of incorrect syntax:

permit ip 192.168.2.100 192.168.1.100 — host/wildcard keyword missing
permit tcp host 192.168.2.100 host 192.168.1.100 eq 88 389 636 454 3268 3269 1025 1026 (You cannot club multiple ports using the eq operator, and this ACL needs to be split into multiple lines, one for each destination port)

Note: The source address for all ACEs must be defined as ANY.

Machine Access Restriction for Active Directory User Authorization

Cisco ISE contains a Machine Access Restriction (MAR) component that provides an additional means of controlling authorization for Microsoft Active Directory-authenticated users. This form of authorization is based on the machine authentication of the computer used to access the Cisco ISE network. For every successful machine authentication, Cisco ISE caches the value that was received in the RADIUS Calling-Station-ID attribute (attribute 31) as evidence of a successful machine authentication.

Cisco ISE retains each Calling-Station-ID attribute value in cache until the number of hours that was configured in the "Time to Live" parameter in the Active Directory Settings page expires. Once the parameter has expired, Cisco ISE deletes it from its cache.
When a user authenticates from an end-user client, Cisco ISE searches the cache for a Calling-Station-ID value from successful machine authentications for the Calling-Station-ID value that was received in the user authentication request. If Cisco ISE finds a matching user-authentication Calling-Station-ID value in the cache, this affects how Cisco ISE assigns permissions for the user that requests authentication in the following ways:

• If the Calling-Station-ID value matches one found in the Cisco ISE cache, then the authorization profile for a successful authorization is assigned.
• If the Calling-Station-ID value is not found to match one in the Cisco ISE cache, then the authorization profile for a successful user authentication without machine authentication is assigned.
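The MAR cache behaviour described above, as an added example that is not part of the Cisco guide: a small Python model of the Calling-Station-ID cache with its Time to Live expiry, showing which of the two authorization outcomes a user request gets. The profile names, the 24-hour TTL, the MAC-style Calling-Station-ID and the timeline are constructed for illustration; the real lookup happens inside ISE, not in this code.

```python
from datetime import datetime, timedelta

# Constructed profile names for the two outcomes the guide describes (not real ISE object names).
PROFILE_MACHINE_AND_USER = "AD_User_With_MachineAuth"   # Calling-Station-ID found in the MAR cache
PROFILE_USER_ONLY = "AD_User_Without_MachineAuth"       # not found, or its TTL has elapsed

class MarCache:
    """Models how MAR keys successful machine authentications by RADIUS Calling-Station-ID (attribute 31)."""

    def __init__(self, ttl_hours):
        self.ttl = timedelta(hours=ttl_hours)   # the "Time to Live" value from the AD settings page
        self._expires_at = {}                   # Calling-Station-ID -> time the cache entry lapses

    def machine_authenticated(self, calling_station_id, now):
        """A successful machine authentication caches the Calling-Station-ID for TTL hours."""
        self._expires_at[calling_station_id] = now + self.ttl

    def user_authorization(self, calling_station_id, now):
        """Choose the authorization profile for a user request carrying this Calling-Station-ID."""
        expiry = self._expires_at.get(calling_station_id)
        if expiry is not None and now < expiry:
            return PROFILE_MACHINE_AND_USER
        if expiry is not None:                  # TTL elapsed: ISE deletes the value from its cache
            del self._expires_at[calling_station_id]
        return PROFILE_USER_ONLY

def walkthrough():
    """Constructed timeline: a laptop does machine auth at boot; users log on 2 h and 30 h later."""
    mar = MarCache(ttl_hours=24)
    boot = datetime(2024, 1, 15, 8, 0)
    mac = "00-11-22-33-44-55"                   # Calling-Station-ID as the switch sends it (constructed)
    mar.machine_authenticated(mac, boot)
    return (mar.user_authorization(mac, boot + timedelta(hours=2)),                 # within TTL
            mar.user_authorization(mac, boot + timedelta(hours=30)),                # TTL elapsed
            mar.user_authorization("AA-BB-CC-DD-EE-FF", boot + timedelta(hours=2)))  # never machine-authed
```

The third request shows that a computer that never machine-authenticated gets the user-only profile regardless of how recently the user authenticated.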
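An added example, not code from the Cisco guide, that checks access control entries against the Inline Posture Node DACL format given in the Downloadable ACLs section above: source keyword 'any', a host or subnet-plus-wildcard destination, one port per eq/lt/gt/neq and two per range, ports 1 to 65535, and only the listed ICMP type codes. It assumes the ICMP code part is optional for types 3 and 5; the guide's own acceptable and incorrect ACEs can be fed to check_ace as-is.

```python
import ipaddress
import re

ACTIONS, PROTOCOLS = {"permit", "deny"}, {"icmp", "udp", "tcp", "ip"}
OPERATORS = {"eq": 1, "lt": 1, "gt": 1, "neq": 1, "range": 2}  # ports each operator takes
ICMP_MAX_CODE = {0: 0, 8: 0, 3: 15, 5: 3}                      # ICMP type -> highest allowed code

def _address(t, i):
    """Consume 'any', 'host x.x.x.x' or 'x.x.x.x wildcard' at t[i]; return the next index."""
    if t[i] == "any":
        return i + 1
    if t[i] == "host":
        ipaddress.IPv4Address(t[i + 1])       # raises ValueError on a malformed address
        return i + 2
    ipaddress.IPv4Address(t[i])               # subnet ...
    ipaddress.IPv4Address(t[i + 1])           # ... followed by its wildcard mask, e.g. 0.0.0.255
    return i + 2

def _ports(t, i):
    """Consume an optional OPERATOR [PORT] clause ('range' takes two ports); return the next index."""
    if i >= len(t) or t[i] not in OPERATORS:
        return i
    n = OPERATORS[t[i]]
    ports = [int(p) for p in t[i + 1:i + 1 + n]]
    if len(ports) != n or any(not 1 <= p <= 65535 for p in ports):
        raise ValueError(f"'{t[i]}' needs {n} port(s) in the range 1-65535")
    return i + 1 + n

def check_ace(line):
    """Return (True, '') if the ACE fits the Inline Posture Node DACL format, else (False, reason)."""
    t = line.split()
    try:
        # The guide requires the source of every ACE to be the keyword 'any'.
        if t[0] not in ACTIONS or t[1] not in PROTOCOLS or t[2] != "any":
            raise ValueError("expected ACTION (permit|deny) PROTOCOL any ...")
        i = _ports(t, 3)                      # optional source-port clause
        i = _address(t, i)                    # destination: any | host x.x.x.x | subnet wildcard
        i = _ports(t, i)                      # optional destination-port clause
        if t[1] == "icmp" and i < len(t) and re.fullmatch(r"\d+(:\d+)?", t[i]):
            typ, _, code = t[i].partition(":")  # assumption: the code is optional for types 3 and 5
            if int(typ) not in ICMP_MAX_CODE or (code and int(code) > ICMP_MAX_CODE[int(typ)]):
                raise ValueError(f"unsupported ICMP type/code {t[i]}")
            i += 1
        if i != len(t):                       # e.g. 'eq 88 389': one ACE per destination port instead
            raise ValueError(f"unexpected trailing tokens: {' '.join(t[i:])}")
        return True, ""
    except IndexError:
        return False, "incomplete ACE"
    except ValueError as exc:
        return False, str(exc)
```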
CHAPTER 21
Cisco ISE Endpoint Profiling Policies

• Cisco ISE Profiling Service, page 452
• Configure Profiling Service in Cisco ISE Nodes, page 453
• Network Probes Used by Profiling Service, page 454
• Configure Probes per Cisco ISE Node, page 462
• Setup CoA, SNMP RO Community, and Endpoint Attribute Filter, page 462
• Attribute Filters for ISE Database Persistence and Performance, page 465
• Attributes Collection from IOS Sensor Embedded Switches, page 468
• Profiler Conditions, page 470
• Profiling Network Scan Actions, page 470
• Create a Profiler Condition, page 477
• Endpoint Profiling Policy Rules, page 478
• Create Endpoint Profiling Policies, page 479
• Predefined Endpoint Profiling Policies, page 482
• Endpoint Profiling Policies Grouped into Logical Profiles, page 485
• Profiling Exception Actions, page 485
• Cisco ISE Integration with Cisco NAC Appliance, page 486
• Create Endpoints with Static Assignments of Policies and Identity Groups, page 495
• Identified Endpoints, page 499
• Create Endpoint Identity Groups, page 501
• Profiler Feed Service, page 504
• Profiler Reports, page 507
• Cisco ISE Integration with Cisco NAC Appliance, page 507
• Create Endpoints with Static Assignments of Policies and Identity Groups, page 509
• Identified Endpoints, page 513
• Profiler Reports, page 520

Cisco ISE Profiling Service

The profiling service in Cisco Identity Services Engine (ISE) identifies the devices that connect to your network and their location. The endpoints are profiled based on the endpoint profiling policies configured in Cisco ISE. Cisco ISE then grants permission to the endpoints to access the resources in your network based on the result of the policy evaluation.

The profiling service:

• Facilitates an efficient and effective deployment and ongoing management of authentication by using IEEE standard 802.1X port-based authentication access control, MAC Authentication Bypass (MAB) authentication, and Network Admission Control (NAC) for any enterprise network of varying scale and complexity.
• Identifies, locates, and determines the capabilities of all of the attached network endpoints regardless of endpoint types.
• Protects against inadvertently denying access to some endpoints.

Endpoint Inventory Using Profiling Service

You can use the profiling service to discover, locate, and determine the capabilities of all the endpoints connected to your network. You can ensure and maintain appropriate access of endpoints to the enterprise network, regardless of their device types.

The profiling service collects attributes of endpoints from the network devices and the network, classifies endpoints into a specific group according to their profiles, and stores endpoints with their matched profiles in the Cisco ISE database. All the attributes that are handled by the profiling service need to be defined in the profiler dictionaries.

The profiling service identifies each endpoint on your network, and groups those endpoints according to their profiles to an existing endpoint identity group in the system, or to a new group that you can create in the system. By grouping endpoints, and applying endpoint profiling policies to the endpoint identity group, you can determine the mapping of endpoints to the corresponding endpoint profiling policies.

Cisco ISE Profiler Queue Limit Configuration

Cisco ISE profiler collects a significant amount of endpoint data from the network in a short period of time.
It causes Java Virtual Machine (JVM) memory utilization to go up due to the accumulated backlog when some of the slower Cisco ISE components process the data generated by the profiler, which results in performance degradation and stability issues.

To ensure that the profiler does not increase the JVM memory utilization and to prevent the JVM from running out of memory and restarting, limits are applied to the following internal components of the profiler:

• Endpoint Cache — Internal cache that is limited in size and has to be purged periodically (based on a least recently used strategy) when the size exceeds the limit.
• Forwarder — The main ingress queue of endpoint information collected by the profiler.
• Event Handler — An internal queue that disconnects a fast component, which feeds data to a slower processing component (typically related to a database query).

Endpoint Cache

• maxEndPointsInLocalDb = 100000 (endpoint objects in cache)
• endPointsPurgeIntervalSec = 300 (endpoint cache purge thread interval in seconds)
• numberOfProfilingThreads = 8 (number of threads)

Cisco ISE Profiler Queue Size Limits

• forwarderQueueSize = 5000 (endpoint collection events)
• eventHandlerQueueSize = 10000 (events)

The limit is applicable to all profiler internal event handlers. A monitoring alarm is triggered when the queue size limit is reached.

Event Handlers

• NetworkDeviceEventHandler — For network device events, in addition to filtering duplicate Network Access Device (NAD) IP addresses, which are already cached.
• ARPCacheEventHandler — For ARP Cache events.

Configure Profiling Service in Cisco ISE Nodes

You can configure the profiling service that provides you a contextual inventory of all the endpoints that are using your network resources in any Cisco ISE-enabled network.

You can configure the profiling service to run on a single Cisco ISE node that assumes all Administration, Monitoring, and Policy Service personas by default.

In a distributed deployment, the profiling service runs only on Cisco ISE nodes that assume the Policy Service persona and does not run on other Cisco ISE nodes that assume the Administration and Monitoring personas.

Procedure

Step 1 Choose Administration > System > Deployment.
Step 2 Choose a Cisco ISE node that assumes the Policy Service persona.
Step 3 Click Edit in the Deployment Nodes page.
Step 4 On the General Settings tab, check the Policy Service check box. If the Policy Service check box is unchecked, both the session services and the profiling service check boxes are disabled.
Step 5 Perform the following tasks:
a) Check the Enable Session Services check box to run the Network Access, Posture, Guest, and Client Provisioning session services.
b) Check the Enable Profiling Services check box to run the profiling service.
Step 6 Click Save to save the node configuration.

Network Probes Used by Profiling Service

A network probe is a method used to collect an attribute or a set of attributes from an endpoint on your network. The probe allows you to create or update endpoints with their matched profile in the Cisco ISE database.

Cisco ISE can profile devices using a number of network probes that analyze the behavior of devices on the network and determine the type of the device. Network probes help you to gain more network visibility.

IP Address and MAC Address Binding

You can create or update endpoints only by using their MAC addresses in an enterprise network. If you do not find an entry in the ARP cache, then you can create or update endpoints by using the L2 MAC address of an HTTP packet and the IN_SRC_MAC of a NetFlow packet in Cisco ISE. The profiling service is dependent on L2 adjacency when endpoints are only a hop away. When endpoints are L2 adjacent, the IP addresses and MAC addresses of endpoints are already mapped, and there is no need for IP-MAC cache mapping. If endpoints are not L2 adjacent and are multiple hops away, mapping may not be reliable. Some of the known attributes of NetFlow packets that you collect include PROTOCOL, L4_SRC_PORT, IPV4_SRC_ADDR, L4_DST_PORT, IPV4_DST_ADDR, IN_SRC_MAC, OUT_DST_MAC, IN_SRC_MAC, and OUT_SRC_MAC. When endpoints are not L2 adjacent and are multiple L3 hops away, the IN_SRC_MAC attributes carry only the MAC addresses of L3 network devices. When the HTTP probe is enabled in Cisco ISE, you can create endpoints only by using the MAC addresses of HTTP packets, because the HTTP request messages do not carry IP addresses and MAC addresses of endpoints in the payload data. Cisco ISE implements an ARP cache in the profiling service, so that you can reliably map the IP addresses and the MAC addresses of endpoints. For the ARP cache to function, you must enable either the DHCP probe or the RADIUS probe.
The DHCP and RADIUS probes carry the IP addresses and the MAC addresses of endpoints in the payload data. The dhcp-requested-address attribute in the DHCP probe and the Framed-IP-Address attribute in the RADIUS probe carry the IP addresses of endpoints, along with their MAC addresses, which can be mapped and stored in the ARP cache.

NetFlow Probe

Cisco ISE profiler implements Cisco IOS NetFlow Version 9. We recommend using NetFlow Version 9, which has additional functionality needed to enhance the profiler to support the Cisco ISE profiling service.

You can collect NetFlow Version 9 attributes from the NetFlow-enabled network access devices to create an endpoint, or update an existing endpoint in the Cisco ISE database. You can configure NetFlow Version 9 to attach the source and destination MAC addresses of endpoints and update them. You can also create a dictionary of NetFlow attributes to support NetFlow-based profiling.

For more information on the NetFlow Version 9 Record Format, see Table 6, "NetFlow Version 9 Field Type Definitions" of the NetFlow Version 9 Flow-Record Format document.

In addition, Cisco ISE supports NetFlow versions earlier than Version 5. If you use NetFlow Version 5 in your network, then you can use Version 5 only on the primary network access device (NAD) at the access layer because it will not work anywhere else.