Cisco ISE 1.3 User Guide
Endpoint Profiling Policies Grouped into Logical Profiles

A logical profile is a container for a category of profiles or associated profiles, irrespective of Cisco-provided or administrator-created endpoint profiling policies. An endpoint profiling policy can be associated to multiple logical profiles.

You can use the logical profile in an authorization policy condition to help create an overall network access policy for a category of profiles. You can create a simple condition for authorization, which can be included in the authorization rule. The attribute-value pair that you can use in the authorization condition is the logical profile (attribute) and the name of the logical profile (value), which can be found in the EndPoints system dictionary.

For example, you can create a logical profile for all mobile devices like Android, Apple iPhone, or Blackberry by assigning matching endpoint profiling policies for that category to the logical profile. Cisco ISE contains IP-Phone, a default logical profile for all the IP phones, which includes IP-Phone, Cisco-IP-Phone, Nortel-IP-Phone-2000-Series, and Avaya-IP-Phone profiles.

Create Logical Profiles

You can create a logical profile that you can use to group a category of endpoint profiling policies, which allows you to create an overall category of profiles or associated profiles. You can also remove the endpoint profiling policies from the assigned set, moving them back to the available set. For more information about Logical Profiles, see Endpoint Profiling Policies Grouped into Logical Profiles, on page 485.

Procedure

Step 1 Choose Policy > Profiling > Profiling > Logical Profiles.
Step 2 Click Add.
Step 3 Enter a name and description for the new logical profile in the text boxes for Name and Description.
Step 4 Choose endpoint profiling policies from the Available Policies to assign them in a logical profile.
Step 5 Click the right arrow to move the selected endpoint profiling policies to the Assigned Policies.
Step 6 Click Submit.

Profiling Exception Actions

An exception action is a single configurable action that can be referred to in an endpoint profiling policy, and that is triggered when the exception conditions that are associated with the action are met.
Exception Actions can be any one of the following types:

• Cisco-provided—You cannot delete Cisco-provided exception actions. Cisco ISE triggers the following noneditable profiling exception actions from the system when you want to profile endpoints in Cisco ISE:

◦ Authorization Change—The profiling service issues a change of authorization when an endpoint is added or removed from an endpoint identity group that is used by an authorization policy.

Cisco Identity Services Engine Administrator Guide, Release 1.3, page 485
◦ Endpoint Delete—An exception action is triggered in Cisco ISE and a CoA is issued when an endpoint is deleted from the system in the Endpoints page, or reassigned to the unknown profile from the edit page on a Cisco ISE network.

◦ First Time Profiled—An exception action is triggered in Cisco ISE and a CoA is issued when an endpoint is profiled in Cisco ISE for the first time, where the profile of that endpoint changes from an unknown profile to an existing profile but that endpoint is not successfully authenticated on a Cisco ISE network.

• Administrator-created—Cisco ISE triggers profiling exception actions that you create.

Create Exception Actions

You can define and associate one or more exception rules to a single profiling policy. This association triggers an exception action (a single configurable action) when the profiling policy matches and at least one of the exception rules matches in the profiling endpoints in Cisco ISE.

Procedure

Step 1 Choose Policy > Policy Elements > Results > Profiling > Exception Actions.
Step 2 Click Add.
Step 3 Enter a name and description for the exception action in the text boxes for Name and Description.
Step 4 Check the CoA Action check box.
Step 5 Click the Policy Assignment drop-down list to choose an endpoint policy.
Step 6 Click Submit.

Cisco ISE Integration with Cisco NAC Appliance

Cisco ISE supports integration only with the Cisco Network Admission Control (NAC) Appliance Release 4.9 and is available when you have installed an Advanced or Wireless license in Cisco ISE.

The Cisco ISE profiler is similar to the Cisco Network Admission Control (NAC) Profiler that manages endpoints in a Cisco NAC deployment. This integration allows you to replace the existing Cisco NAC Profiler that is installed in a Cisco NAC deployment. It allows you to synchronize profile names from the Cisco ISE profiler and the result of endpoint classification into the Cisco Clean Access Manager (CAM).
Cisco Clean Access Manager Configuration in Administration Nodes

Cisco ISE allows you to register multiple Clean Access Managers (CAMs) on the Primary PAN in a distributed deployment for REST API communication settings. The list of CAMs that is registered in Cisco ISE is the list to which all the profiler configuration changes are notified. The Primary PAN is responsible for all the communication between Cisco ISE and the Cisco NAC Appliance. You can configure CAMs only in the Primary PAN in Cisco ISE. The credentials that are used at the time of registering one or more CAMs in the Primary PAN are used to authenticate connectivity with CAMs.
The communication between Cisco ISE and the Cisco NAC Appliance is secured over Secure Sockets Layer (SSL). It is also bidirectional in nature, because Cisco ISE pushes the profiler configuration changes to CAMs, and CAMs periodically pull the list of MAC addresses of endpoints and their corresponding profiles and the list of all the profile names, from Cisco ISE.

You must export the contents of the X509 Certificate from the Clean Access Manager in Administration > Clean Access Manager > SSL, and import it into the Primary PAN under Administration > System > Certificates > Trusted Certificates Store in Cisco ISE for a proper secure communication between Cisco ISE and CAM.

For more information on how to set up a pair of CAMs for high availability, see the link below.

Cisco ISE Profiler and Cisco Clean Access Manager Communication

The Cisco ISE profiler notifies the profiler configuration changes to all the registered Clean Access Managers (CAMs) from the Primary PAN. It avoids duplicating notifications in a Cisco ISE distributed deployment. It uses the REST APIs to notify the profiler configuration changes when endpoints are added or removed, and endpoint profiling policies are changed, in the Cisco ISE database. During an import of endpoints, the Cisco ISE profiler notifies CAMs only after the import is complete.

The following REST API flow is implemented to push the profiler configuration changes to CAMs:

Cisco ISE profiler endpoint change push—When endpoints are profiled and there are changes in the profiles of endpoints in Cisco ISE, then the Cisco ISE profiler notifies all the registered CAMs about the changes in the endpoint profiles.

You can configure Cisco ISE in CAMs, which allows you to synchronize CAMs with Cisco ISE, depending on your Sync Settings in CAMs. You must create rules, where you can select one or more matching profiles from the list of Cisco ISE profiles and map endpoints to any one of the Access Types in CAMs. CAMs periodically retrieve endpoints and their corresponding profiles and the list of all the profile names, from the Cisco ISE profiler.

The following REST API flows are implemented to pull the profiler configuration changes from the Cisco ISE profiler:

• NAC Manager endpoint pull—Pulls the list of MAC addresses of endpoints and their corresponding profiles of known endpoints.
• NAC Manager profile pull—Pulls the profile names from the Cisco ISE profiler.

The Cisco ISE profiler notifies the Cisco ISE Monitoring persona of all the events that can be used to monitor and troubleshoot the Cisco ISE and Cisco NAC Appliance Release 4.9 integration.

The Cisco ISE profiler log captures the following events for monitoring and troubleshooting the integration:

• Configuration changes for NAC Settings (Information)
• NAC notification event failure (Error)

Add Cisco Clean Access Managers

Integrating Cisco ISE with the Cisco NAC Appliance, Release 4.9 allows you to utilize the Cisco ISE profiling service in a Cisco NAC deployment.

The NAC Managers page allows you to configure multiple Cisco Access Managers (CAMs), which provides an option to filter the CAMs that you have registered. This page lists the CAMs along with their names, descriptions, IP addresses, and the status that displays whether endpoint notification is enabled or not for those CAMs.

Procedure

Step 1 Choose Administration > Network Resources > NAC Managers.
Step 2 Click Add.
Step 3 Enter the name for the Cisco Access Manager.
Step 4 Click the Status check box to enable REST API communication from the Cisco ISE profiler that authenticates connectivity to the CAM.
Step 5 Enter the IP address for the CAM, except the following IP addresses: 0.0.0.0 and 255.255.255.255.
Step 6 Enter the username and password of the CAM administrator that you use to log in to the user interface of the CAM.
Step 7 Click Submit.

Profiling Network Scan Actions

An endpoint scan action is a configurable action that can be referred to in an endpoint profiling policy, and that is triggered when the conditions that are associated with the network scan action are met.

An endpoint scan is used to scan endpoints in order to limit resource usage in the Cisco ISE system. A network scan action scans a single endpoint, unlike resource-intensive network scans. It improves the overall classification of endpoints, and redefines an endpoint profile for an endpoint. Endpoint scans can be processed only one at a time.

You can associate a single network scan action to an endpoint profiling policy. Cisco ISE predefines three scanning types for a network scan action, which can include one or all three scanning types: for instance, an OS-scan, an SNMPPortsAndOS-scan, and a CommonPortsAndOS-scan. You cannot edit or delete OS-scan, SNMPPortsAndOS-scan, and CommonPortsAndOS-scan, which are predefined network scan actions in Cisco ISE. You can also create a new network scan action of your own.

Once an endpoint is appropriately profiled, the configured network scan action cannot be used against that endpoint. For example, scanning an Apple-Device allows you to classify the scanned endpoint to an Apple device. Once an OS-scan determines the operating system that an endpoint is running, it is no longer matched to an Apple-Device profile, but it is matched to an appropriate profile for an Apple device.
Create a New Network Scan Action

A network scan action that is associated with an endpoint profiling policy scans an endpoint for an operating system, Simple Network Management Protocol (SNMP) ports, and common ports. Cisco provides network scan actions for the most common NMAP scans, but you can also create one of your own.

When you create a new network scan, you define the type of information that the NMAP probe will scan for.

Before You Begin

The Network Scan (NMAP) probe must be enabled before you can define a rule to trigger a network scan action. The procedure for that is described in Configure Probes per Cisco ISE Node.
Procedure

Step 1 Choose Policy > Policy Elements > Results > Profiling > Network Scan (NMAP) Actions.
Step 2 Click Add.
Step 3 Enter a name and description for the network scan action that you want to create.
Step 4 Check one or more check boxes when you want to scan an endpoint for the following:
• Scan OS—To scan for an operating system
• Scan SNMP Port—To scan SNMP ports (161, 162)
• Scan Common Port—To scan common ports.
Step 5 Click Submit.

NMAP Operating System Scan

The operating system scan (OS-scan) type scans for an operating system (and OS version) that an endpoint is running. This is a resource-intensive scan.

The NMAP tool has limitations on OS-scan which may cause unreliable results. For example, when scanning an operating system of network devices such as switches and routers, the NMAP OS-scan may provide an incorrect operating-system attribute for those devices. Cisco ISE displays the operating-system attribute, even if the accuracy is not 100%.

You should configure endpoint profiling policies that use the NMAP operating-system attribute in their rules to have low certainty value conditions (Certainty Factor values). We recommend that whenever you create an endpoint profiling policy based on the NMAP:operating-system attribute, you include an AND condition to help filter out false results from NMAP.

The following NMAP command scans the operating system when you associate Scan OS with an endpoint profiling policy:

nmap -sS -O -F -oN /opt/CSCOcpm/logs/nmap.log --append-output -oX -

The following NMAP command scans a subnet and sends the output to nmapSubnet.log:

nmap -O -sU -pU:161,162 -oN /opt/CSCOcpm/logs/nmapSubnet.log --append-output -oX -

Table 35: NMAP Commands for a Manual Subnet Scan

-O    Enables OS detection
-sU   UDP scan
-p    Scans only specified ports. For example, U:161,162
-oN   Normal output
-oX   XML output

Operating System Ports
The following table lists the TCP ports that NMAP uses for OS scanning. In addition, NMAP uses ICMP and UDP port 51824.

NMAP SNMP Port Scan
The SNMPPortsAndOS-scan type scans an operating system (and OS version) that an endpoint is running and triggers an SNMP Query when SNMP ports (161 and 162) are open. It can be used for endpoints that are identified and matched initially with an Unknown profile for better classification.

The following NMAP command scans SNMP ports (UDP 161 and 162) when you associate the Scan SNMP Port with an endpoint profiling policy:

nmap -sU -pU:161,162 -oN /opt/CSCOcpm/logs/nmap.log --append-output -oX -

Table 36: NMAP Commands for an Endpoint SNMP Port Scan

-sU         UDP scan.
-p          Scans only specified ports. For example, scans UDP ports 161 and 162.
-oN         Normal output.
-oX         XML output.
IP-address  IP address of an endpoint that is scanned.

NMAP Common Ports Scan

The CommonPortsAndOS-scan type scans an operating system (and OS version) that an endpoint is running and common ports (TCP and UDP), but not SNMP ports. The following NMAP command scans common ports when you associate Scan Common Port with an endpoint profiling policy:

nmap -sTU -p T:21,22,23,25,53,80,110,135,139,143,443,445,3306,3389,8080,U:53,67,68,123,135,137,138,139,161,445,500,520,631,1434,1900 -oN /opt/CSCOcpm/logs/nmap.log --append-output -oX -

Table 37: NMAP Commands for an Endpoint Common Ports Scan

-sTU        Both TCP connect scan and UDP scan.
-p          Scans TCP ports: 21,22,23,25,53,80,110,135,139,143,443,445,3306,3389,8080 and UDP ports: 53,67,68,123,135,137,138,139,161,445,500,520,631,1434,1900
-oN         Normal output.
-oX         XML output.
IP address  IP address of an endpoint that is scanned.

Common Ports

The following table lists the common ports that NMAP uses for scanning.

Table 38: Common Ports

UDP Ports              TCP Ports
Service   Ports        Service   Ports
domain    53/udp       ftp       21/tcp
dhcps     67/udp       ssh       22/tcp
dhcpc     68/udp       telnet    23/tcp
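Every scan command above ends in -oX -, so what the profiler consumes is nmap's XML on stdout. The following Python is an added example (not Cisco's code) that parses a constructed sample of that XML, keeps the highest-accuracy OS match, reports which ports are strictly open so the "UDP 161 or 162 open" trigger of the SNMPPortsAndOS-scan can be checked, and applies an assumed minimum-accuracy filter that mirrors the OS-scan section's advice to give NMAP:operating-system rules a low certainty factor and an AND condition. The element and attribute names are nmap's XML schema; the sample values, the 90% threshold and the function names are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample of the XML nmap writes to stdout with "-oX -"; not output of a real scan.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -O -sU -pU:161,162 -oX -">
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <address addr="00:11:22:33:44:55" addrtype="mac"/>
    <ports>
      <port protocol="udp" portid="161"><state state="open"/><service name="snmp"/></port>
      <port protocol="udp" portid="162"><state state="open|filtered"/><service name="snmptrap"/></port>
    </ports>
    <os>
      <osmatch name="Cisco IOS 12.X" accuracy="85"/>
      <osmatch name="Linux 2.6.X" accuracy="80"/>
    </os>
  </host>
</nmaprun>
"""

SNMP_PORTS = (161, 162)  # the ports the SNMPPortsAndOS-scan probes


def parse_nmap_hosts(xml_text):
    """Return one dict per host: IP, MAC, best OS match with its accuracy, and open (proto, port) pairs."""
    hosts = []
    for host in ET.fromstring(xml_text).findall("host"):
        addrs = {a.get("addrtype"): a.get("addr") for a in host.findall("address")}
        # Only ports nmap reports as strictly "open" count; "open|filtered" means no UDP response.
        open_ports = {(p.get("protocol"), int(p.get("portid")))
                      for p in host.findall("ports/port")
                      if p.find("state").get("state") == "open"}
        # nmap lists several osmatch candidates; keep the one with the highest accuracy.
        best = max(host.findall("os/osmatch"), key=lambda m: int(m.get("accuracy")), default=None)
        hosts.append({"ip": addrs.get("ipv4"), "mac": addrs.get("mac"),
                      "os": best.get("name") if best is not None else None,
                      "accuracy": int(best.get("accuracy")) if best is not None else 0,
                      "open_ports": open_ports})
    return hosts


def snmp_query_triggered(host):
    """SNMPPortsAndOS-scan semantics from the guide: an SNMP query follows only if UDP 161 or 162 is open."""
    return any(("udp", port) in host["open_ports"] for port in SNMP_PORTS)


def os_attribute_usable(host, min_accuracy=90):
    """Assumed defensive filter, not ISE behaviour (ISE displays the attribute at any accuracy): treat a
    low-accuracy OS match as too weak to classify on its own, which is the guide's reason for pairing the
    NMAP:operating-system attribute with a low certainty factor and an AND condition."""
    return host["os"] is not None and host["accuracy"] >= min_accuracy
```

With the sample, UDP 161 is open (so the SNMP query would be triggered) while the 85% OS match stays below the assumed threshold.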