Cisco Ise 13 User Guide
Have a look at the manual Cisco Ise 13 User Guide online for free. It’s possible to download the document as PDF or print. UserManuals.tech offer 53 Cisco manuals and user’s guides for free. Share the user manual or guide on Facebook, Twitter or Google+.
•MatchedValue •StaticAssignment •StaticGroupAssignment •MatchedPolicyID •NmapSubnetScanID •PortalUser •DeviceRegistrationStatus •BYODRegistration WhenanendpointiseditedandsavedintheAdministrationnode,theattributesareretrievedfromthecurrent owneroftheendpoint. Create Endpoint Identity Groups CiscoISEgroupsendpointsthatitdiscoversintothecorrespondingendpointidentitygroups.CiscoISE comeswithseveralsystem-definedendpointidentitygroups.Youcanalsocreateadditionalendpointidentity groupsfromtheEndpointIdentityGroupspage.Youcaneditordeletetheendpointidentitygroupsthatyou havecreated.Youcanonlyeditthedescriptionofthesystem-definedendpointidentitygroups;youcannot editthenameofthesegroupsordeletethem. Procedure Step 1ChooseAdministration>IdentityManagement>Groups>EndpointIdentityGroups. Step 2ClickAdd. Step 3Enterthenamefortheendpointidentitygroupthatyouwanttocreate(donotincludespacesinthenameof theendpointidentitygroup). Step 4Enterthedescriptionfortheendpointidentitygroupthatyouwanttocreate. Step 5ClicktheParentGroupdrop-downlisttochooseanendpointidentitygrouptowhichyouwanttoassociate thenewlycreatedendpointidentitygroup. Step 6ClickSubmit. Identified Endpoints Grouped in Endpoint Identity Groups CiscoISEgroupsdiscoveredendpointsintotheircorrespondingendpointidentitygroupsbasedontheendpoint profilingpolicies.Profilingpoliciesarehierarchical,andtheyareappliedattheendpointidentifygroupslevel inCiscoISE.Bygroupingendpointstoendpointidentitygroups,andapplyingprofilingpoliciestoendpoint identitygroups,CiscoISEenablesyoutodeterminethemappingofendpointstotheendpointprofilesby checkingcorrespondingendpointprofilingpolicies. CiscoISEcreatesasetofendpointidentitygroupsbydefault,andallowsyoutocreateyourownidentity groupstowhichendpointscanbeassigneddynamicallyorstatically.Youcancreateanendpointidentity groupandassociatetheidentitygrouptooneofthesystem-createdidentitygroups.Youcanalsoassignan endpointthatyoucreatestaticallytoanyoneoftheidentitygroupsthatexistsinthesystem,andtheprofiling servicecannotreassigntheidentitygroup. Cisco Identity Services Engine Administrator Guide, Release 1.3 515 Identified Endpoints
Default Endpoint Identity Groups Created for Endpoints CiscoISEcreatesthefollowingfiveendpointidentitygroupsbydefault:Blacklist,GuestEndpoints,Profiled, RegisteredDevices,andUnknown.Inaddition,itcreatestwomoreidentitygroups,suchasCisco-IP-Phone andWorkstation,whichareassociatedtotheProfiled(parent)identitygroup.Aparentgroupisthedefault identitygroupthatexistsinthesystem. CiscoISEcreatesthefollowingendpointidentitygroups: •Blacklist—Thisendpointidentitygroupincludesendpointsthatarestaticallyassignedtothisgroupin CiscoISEandendpointsthatareblacklistedinthedeviceregistrationportal.Anauthorizationprofile canbedefinedinCiscoISEtopermit,ordenynetworkaccesstoendpointsinthisgroup. •GuestEndpoints—Thisendpointidentitygroupincludesendpointsthatareusedbyguestusers. •Profiled—Thisendpointidentitygroupincludesendpointsthatmatchendpointprofilingpoliciesexcept CiscoIPphonesandworkstationsinCiscoISE. •RegisteredDevices—Thisendpointidentitygroupincludesendpoints,whichareregistereddevicesthat areaddedbyanemployeethroughthedevicesregistrationportal.Theprofilingservicecontinuesto profilethesedevicesnormallywhentheyareassignedtothisgroup.Endpointsarestaticallyassigned tothisgroupinCiscoISE,andtheprofilingservicecannotreassignthemtoanyotheridentitygroup. Thesedeviceswillappearlikeanyotherendpointintheendpointslist.Youcanedit,delete,andblacklist thesedevicesthatyouaddedthroughthedeviceregistrationportalfromtheendpointslistintheEndpoints pageinCiscoISE.Devicesthatyouhaveblacklistedinthedeviceregistrationportalareassignedtothe Blacklistendpointidentitygroup,andanauthorizationprofilethatexistsinCiscoISEredirectsblacklisted devicestoanURL,whichdisplays“UnauthorisedNetworkAccess”,adefaultportalpagetotheblacklisted devices. •Unknown—ThisendpointidentitygroupincludesendpointsthatdonotmatchanyprofileinCiscoISE. Inadditiontotheabovesystemcreatedendpointidentitygroups,CiscoISEcreatesthefollowingendpoint identitygroups,whichareassociatedtotheProfiledidentitygroup: •Cisco-IP-Phone—AnidentitygroupthatcontainsalltheprofiledCiscoIPphonesonyournetwork. •Workstation—Anidentitygroupthatcontainsalltheprofiledworkstationsonyournetwork. Endpoint Identity Groups Created for Matched Endpoint Profiling Policies Ifyouhaveanendpointpolicythatmatchesanexistingpolicy,thentheprofilingservicecancreateamatching endpointidentitygroup.ThisidentitygroupbecomesthechildoftheProfiledendpointidentitygroup.When youcreateanendpointpolicy,youcanchecktheCreateMatchingIdentityGroupcheckboxintheProfiling Policiespagetocreateamatchingendpointidentitygroup.Youcannotdeletethematchingidentitygroup unlessthemappingoftheprofileisremoved. Add Static Endpoints in Endpoint Identity Groups Youcanaddorremovestaticallyaddedendpointsinanyendpointidentitygroup. YoucanaddendpointsfromtheEndpointswidgetonlytoaspecificidentitygroup.Ifyouaddanendpoint tothespecificendpointidentitygroup,thentheendpointismovedfromtheendpointidentitygroupwhereit wasdynamicallygroupedearlier. Uponremovalfromtheendpointidentitygroupwhereyourecentlyaddedanendpoint,theendpointisreprofiled backtotheappropriateidentitygroup.Youdonotdeleteendpointsfromthesystembutonlyremovethem fromtheendpointidentitygroup. Cisco Identity Services Engine Administrator Guide, Release 1.3 516 Identified Endpoints
Procedure Step 1ChooseAdministration>IdentityManagement>Groups>EndpointIdentityGroups. Step 2Chooseanendpointidentitygroup,andclickEdit. Step 3ClickAdd. Step 4ChooseanendpointintheEndpointswidgettoaddtheselectedendpointintheendpointidentitygroup. Step 5ClicktheEndpointGroupListlinktoreturntotheEndpointIdentityGroupspage. Dynamic Endpoints Reprofiled After Adding or Removing in Identity Groups Ifanendpointidentitygroupassignmentisnotstatic,thenendpointsarereprofiledafteryouaddorremove themfromanendpointidentitygroup.EndpointsthatareidentifieddynamicallybytheISEprofilerappear inappropriateendpointidentitygroups.Ifyouremovedynamicallyaddedendpointsfromanendpointidentity group,CiscoISEdisplaysamessagethatyouhavesuccessfullyremovedendpointsfromtheidentitygroup butreprofilesthembackintheendpointidentitygroup. Endpoint Identity Groups Used in Authorization Rules Youcaneffectivelyuseendpointidentitygroupsintheauthorizationpoliciestoprovideappropriatenetwork accessprivilegestothediscoveredendpoints.Forexample,anauthorizationruleforalltypesofCiscoIP PhonesisavailablebydefaultinCiscoISEinthefollowinglocation:Policy>Authorization>Standard. Youmustensurethattheendpointprofilingpoliciesareeitherstandalonepolicies(notaparenttoother endpointprofilingpolicies),ortheirparentpoliciesoftheendpointprofilingpoliciesarenotdisabled. Profiler Feed Service Profilerconditions,exceptionactions,andNMAPscanactionsareclassifiedasCisco-providedor administrator-created(seetheSystemTypeattribute).Also,theendpointprofilingpoliciesareclassifiedas Ciscoprovided,administratorcreated,oradministratormodified(seetheSystemTypeattribute). Youcanperformdifferentoperationsontheprofilerconditions,exceptionactions,NMAPscanactions,and endpointprofilingpoliciesdependingontheSystemTypeattribute.YoucannoteditordeleteCisco-provided conditions,exceptionactions,andnmapscanactions.EndpointpoliciesthatareprovidedbyCiscocannotbe deleted.Whenpoliciesareedited,theyareconsideredasadministrator-modified.whenadministrator-modified policiesaredeleted,theyarereplacedbytheup-to-dateversionoftheCisco-providedpolicythatitwasbased on. YoucanretrievenewandupdatedendpointprofilingpoliciesandtheupdatedOUIdatabaseasafeedfrom adesignatedCiscofeedserverthroughasubscriptionintoCiscoISE.Youcanalsoreceivee-mailnotifications tothee-mailaddressasanadministratorofCiscoISEthatyouhaveconfiguredforapplied,success,and failuremessages.Youcanalsoprovideadditionalsubscriberinformationtoreceivenotifications.Youcan sendthesubscriberinformationbacktoCiscoformaintainingtherecordsandtheyaretreatedasprivileged andconfidential. Bydefault,theprofilerfeedserviceisdisabled,anditrequiresaPluslicensetoenabletheservice.Whenyou enabletheprofilerfeedservice,CiscoISEdownloadsthefeedservicepoliciesandOUIdatabaseupdates everydayat1:00A.MofthelocalCiscoISEservertimezone.CiscoISEautomaticallyappliesthese downloadedfeedserverpolicies,whichalsostoresthesetofchangessothatyoucanrevertthesechanges backtothepreviousstate.Whenyourevertfromthesetofchangesthatyoulastapplied,endpointprofiling Cisco Identity Services Engine Administrator Guide, Release 1.3 517 Identified Endpoints
policiesthatarenewlyaddedareremovedandendpointprofilingpoliciesthatareupdatedarerevertedtothe previousstate.Inaddition,theprofilerfeedserviceisautomaticallydisabled. Whentheupdatesoccur,onlytheCiscoprovidedprofilingpoliciesandtheendpointprofilingpolicieswhich weremodifiedbythepreviousupdate,areupdated.Ciscoprovideddisabledprofilingpoliciesarealsoupdated buttheyremaindisabled.AdministratorCreatedorAdministratorModifiedprofilingpoliciesarenot overwritten.IfyouwanttorevertanyAdministratorModifiedendpointprofilingpolicytoanyCiscoProvided endpointprofilingpolicy,thenyoumustdeleteorreverttheAdministratorModifiedendpointprofilingpolicy tothepreviousCiscoProvidedendpointprofilingpolicy. OUI Feed Service ThedesignatedCiscofeedserverdownloadstheupdatedOUIdatabasefrom http://standards.ieee.org/develop/regauth/oui/oui.txt,whichisthelistofvendorsassociatedtotheMACOUI. TheupdatedOUIdatabaseisavailableforanyISEdeploymentasafeedthatCiscoISEdownloadstoitsown database.CiscoISEupdatesendpointsandthenstartsreprofilingendpoints. ThedesignatedCiscofeedserverislocatedathttps://ise.cisco.com:8443/feedserver/.Ifyouhaveanyissues accessingtheservice,ensurethatyournetworksecuritycomponents(likeafirewallorproxyserver,for example)allowdirectaccesstothisURL. Configure Profiler Feed Service TheProfilerFeedServiceretrievesnewandupdatedendpointprofilingpoliciesandMACOUIdatabase updatesfromtheCiscoFeedserver.IftheFeedServiceisunavailableorothererrorshaveoccurred,itis reportedintheOperationsAuditreport. YoucanconfigureCiscoISEtosendthefeedserviceusagereportbacktoCisco,whichsendsthefollowing informationtoCisco: •Hostname-CiscoISEhostname •MaxCount-Totalnumberofendpoints •ProfiledCount-Profiledendpointscount •UnknownCount-Unknownendpointscount •MatchSystemProfilesCount-CiscoProvidedprofilescount •UserCreatedProfiles-Usercreatedprofilescount YoucanchangetheCoAtypeinaCisco-providedprofilingpolicy.Whenthefeedserviceupdatesthatpolicy, theCoAtypewillnotbechanged,buttherestofthatpolicy'sattributeswillbestillbeupdated. Before You Begin TheProfilerfeedservicecanonlybeconfiguredfromtheCiscoISEAdminportalinadistributeddeployment orinastandaloneISEnode. SetupaSimpleMailTransferProtocol(SMTP)serverifyouplantosende-mailnotificationsfromtheAdmin portalaboutfeedupdates(Administration>System>Settings). Cisco Identity Services Engine Administrator Guide, Release 1.3 518 Identified Endpoints
Procedure Step 1ChooseAdministration>Certificates>TrustedCertificates,andcheckifVerisignClass3PublicPrimary CertificationAuthorityandVerisignClass3ServerCA-G3areenabled. Step 2ChooseAdministration>FeedService>Profiler. Step 3ChecktheEnableProfilerFeedServicecheckbox. Step 4EntertimeinHH:MMformat(localtimezoneoftheCiscoISEserver)intheFeedServiceSchedulersection. Bydefault,CiscoISEfeedserviceisscheduledat1.00AMeveryday. Step 5ChecktheNotifyadministratorwhendownloadoccurscheckboxintheAdministratorNotificationOptions sectionandenteryoure-mailaddressasanadministratorofCiscoISEintheAdministratoremailaddress textbox. Step 6ChecktheProvidesubscriberinformationtoCiscocheckboxintheFeedServiceSubscriberInformation sectionandenteryourdetailsasanadministratorofCiscoISEandanalternateCiscoISEadministratordetails. Step 7ClickAccept. Step 8ClickSave. Step 9ClickUpdateNow. InstructsCiscoISEtocontactCiscofeedserverfornewandupdatedprofilescreatedsincethelastfeedservice update.Thisre-profilesallendpointsinthesystem,whichmaycauseanincreasetheloadonthesystem.Due toupdatedendpointprofilingpolicies,theremaybechangesintheauthorizationpolicyforsomeendpoints thatarecurrentlyconnectedtoCiscoISE. TheUpdateNowbuttonisdisabledwhenyouupdatenewandupdatedprofilescreatedsincethelastfeed serviceandenabledonlyafterthedownloadiscompleted.Youmustnavigateawayfromtheprofilerfeed serviceConfigurationpageandreturntothispage. Step 10ClickYes. Related Topics ConfigureProfilerFeedServicesOffline Remove Updates to Endpoint Profiling Policies Youcanrevertendpointprofilingpoliciesthatwereupdatedinthepreviousupdateandremoveendpoint profilingpoliciesthatarenewlyaddedthroughthepreviousupdateoftheprofilerfeedservicebutOUIupdates arenotchanged. Anendpointprofilingpolicy,ifmodifiedafteranupdatefromthefeedserverisnotchangedinthesystem. Cisco Identity Services Engine Administrator Guide, Release 1.3 519 Identified Endpoints
Procedure Step 1ChooseAdministration>FeedService>Profiler. Step 2ChecktheEnableProfilerFeedServicecheckbox. Step 3ClickGotoUpdateReportPageifyouwanttoviewtheconfigurationchangesmadeintheChange ConfigurationAuditreport. Step 4ClickUndoLatest. Profiler Reports CiscoISEprovidesyouwithvariousreportsonendpointprofiling,andtroubleshootingtoolsthatyoucanuse tomanageyournetwork.Youcangeneratereportsforhistoricalaswellascurrentdata.Youmaybeableto drilldownonapartofthereporttoviewmoredetails.Forlargereports,youcanalsoschedulereportsand downloadtheminvariousformats. YoucanrunthefollowingreportsforendpointsfromOperations>Reports>EndpointsandUsers: •EndpointSessionHistory •ProfiledEndpointSummary •EndpointProfileChanges •TopAuthorizationsbyEndpoint •RegisteredEndpoints Cisco Identity Services Engine Administrator Guide, Release 1.3 520 Profiler Reports
CHAPTER 22 Configure Client Provisioning •ConfigureClientProvisioninginCiscoISE,page522 •ClientProvisioningResources,page523 •AddClientProvisioningResourcesfromCisco,page523 •AddCiscoProvidedClientProvisioningResourcesfromaLocalMachine,page524 •AddCustomerCreatedResourcesforAnyConnectfromaLocalMachine,page525 •CreateNativeSupplicantProfiles,page525 •CreateAnyConnectConfiguration,page527 •CreateAnyConnectandCiscoNACAgentProfiles,page528 •AgentProfileConfigurationGuidelines,page529 •ClientIPAddressRefreshConfiguration,page535 •PostureProtocolSettings,page538 •ClientLoginSessionCriteria,page542 •ProvisionClientMachineswiththeCiscoNACAgentMSIInstaller,page543 •CiscoISEPostureAgents,page544 •AnyConnect,page546 •CiscoNACAgentXMLFileInstallationDirectories,page546 •CiscoNACAgentforWindowsClients,page546 •CiscoNACAgentforMacintoshClients,page548 •CiscoWebAgent,page548 •CiscoNACAgentLogs,page549 •CreateanAgentCustomizationFilefortheCiscoNACAgent,page549 •ConfigureClientProvisioningResourcePolicies,page561 •ClientProvisioningReports,page563 •ClientProvisioningEventLogs,page564 Cisco Identity Services Engine Administrator Guide, Release 1.3 521
Configure Client Provisioning in Cisco ISE Enableclientprovisioningtoallowuserstodownloadclientprovisioningresourcesandconfigureagent profiles.YoucanconfigureagentprofilesforWindowsclients,MacOSXclients,andnativesupplicant profilesforpersonaldevices.Ifyoudisableclientprovisioning,usersattemptingtoaccessthenetworkwill receiveawarningmessageindicatingthattheyarenotabletodownloadclientprovisioningresources. Before You Begin Ifyouareusingaproxy,andhostingclientprovisioningresourcesonaremotesystem,verifythattheproxy allowsclientstoaccessthatremotelocation. Procedure Step 1ChooseAdministration>System>Settings>ClientProvisioning. Step 2FromtheEnableProvisioningdrop-downlist,chooseEnableorDisable. Step 3FromtheEnableAutomaticDownloaddrop-downlist,chooseEnable. Feeddownloadsincludealltheavailableclientprovisioningresources.Someofoftheseresourcesmaynot bepertinenttoyourdeployment.Ciscorecommendsmanuallydownloadingresourceswheneverpossible insteadofsettingthisoption. Step 4UpdateFeedURL—SpecifytheURLwhereCiscoISEsearchesforsystemupdatesintheUpdateFeedURL textbox.Forexample,thedefaultURLfordownloadingclient-provisioningresourcesis https://www.cisco.com/web/secure/pmbu/provisioning-update.xml. IfyournetworkrestrictsURL-redirectionfunctions(viaaproxyserver,forexample)andyouareexperiencing difficultyaccessingthedefaultURL,tryalsopointingyourCiscoISEtothefollowingURL: https://www.perfigo.com/ise/provisioning-update.xml. Step 5NativeSupplicantProvisioningPolicyUnavailable—Whenthereisnoclientprovisioningresourcefora device,decideherehowtoproceedintheflow: •AllowNetworkAccess—Usersareallowedtoregistertheirdeviceonthenetworkwithouthavingto installandlaunchthenativesupplicantwizard. •ApplyDefinedAuthorizationPolicy—UsersmusttrytoaccesstheCiscoISEnetworkviastandard authenticationandauthorizationpolicyapplication(outsideofthenativesupplicantprovisioningprocess). Ifyouenablethisoption,theuserdevicegoesthroughstandardregistrationaccordingtoany client-provisioningpolicyappliedtotheuser’sID.Iftheuser’sdevicerequiresacertificatetoaccessthe CiscoISEnetwork,youmustalsoprovidedetailedinstructionstotheuserdescribinghowtoobtainand applyavalidcertificateusingthecustomizableuser-facingtextfields,asdescribedinthe“Addinga CustomLanguageTemplate”sectionintheChapter15,SettingupandCustomizingEnd_UserWeb Portals. Step 6ClickSave. What to Do Next Configureclientprovisioningresourcepolicies. Cisco Identity Services Engine Administrator Guide, Release 1.3 522 Configure Client Provisioning in Cisco ISE
Client Provisioning Resources Clientprovisioningresourcesaredownloadedtoendpointsaftertheendpointconnectstothenetwork.Client provisioningresourcesconsistofcomplianceandpostureagentsfordesktops,andnativesupplicantprofiles forphonesandtablets.Clientprovisioningpoliciesassigntheseprovisioningresourcestoendpointstostart anetworksession. ClientprovisioningresourcesarelistedonPolicyElements>Results>ClientProvisioning>Resources. ThefollowingresourcetypescanbeaddedtothelistbyclickingtheAddbutton: •AgentresourcesfromCiscoSite—SelecttheNAC,AnyConnect,andSupplicantProvisioningwizards youwanttomakeavailableforclientprovisioningpolicies.Ciscoperiodicallyupdatesthislistof resources,addingnewonesandupdatingexistingones.YoucanalsosetupISEtodownloadallthe Ciscoresourcesandresourceupdatesautomatically,seeConfigureClientProvisioninginCiscoISE, onpage522formoreinformation. •Agentresourcesfromlocaldisk—SelectresourcesonyourPCthatyouwanttouploadtoISE,see AddCiscoProvidedClientProvisioningResourcesfromaLocalMachine,onpage524. •AnyConnectConfiguration—SelecttheAnyConnectPCclientsthatyouwanttomakeavailablefor clientprovisioning.SeeCreateAnyConnectConfigurationformoreinformation. •NativeSupplicantProfile—Configureasupplicantprofileforphonesandtabletsthatcontainssettings foryournetwork.Formoreinformation,seeCreateNativeSupplicantProfiles. •NACAgentorAnyConnectISEPostureProfile—ConfiguretheNACagentandAnyConnectISE Postureherewhenyoudon'twanttocreateanddistributeagentXMLprofiles.Formoreinformation abouttheAnyConnectISEPostureagent,seeAnyConnectAdminstratorsGuide,ISEPostureProfile Editor.FormoreinformationabouttheNACagentprofile,seeCreateanAgentCustomizationFilefor theCiscoNACAgent,onpage549. Aftercreatingclientprovisioningresources,createclientprovisioningpoliciesthatapplytheclientprovisioning resourcestotheendpoints.SeeConfigureClientProvisioningResourcePolicies,onpage561. Add Client Provisioning Resources from Cisco YoucanaddclientprovisioningresourcesfromCisco.comforAnyConnectandCiscoNACAgentforWindows andMACOSxclients,andCiscoWebagent.Dependingontheresourcesthatyouselectandavailable networkbandwidth,CiscoISEcantakeafewsecondsorevenafewminutestodownloadclientprovisioning resourcestoCiscoISE. Before You Begin •EnsurethatyouhavethecorrectproxysettingsconfiguredinCiscoISE. •EnableclientprovisioninginCiscoISE. Cisco Identity Services Engine Administrator Guide, Release 1.3 523 Client Provisioning Resources
Procedure Step 1ChoosePolicy>PolicyElements>Results>ClientProvisioning>Resources. Step 2ChooseAdd>AgentresourcesfromCiscosite. Step 3SelectoneormorerequiredclientprovisioningresourcesfromthelistavailableintheDownloadRemote Resourcesdialogbox. Step 4ClickSave. What to Do Next AfteryouhavesuccessfullyaddedclientprovisioningresourcestoCiscoISE,youcanbegintoconfigure clientprovisioningresourcepolicies. Add Cisco Provided Client Provisioning Resources from a Local Machine Youcanaddclientprovisioningresourcesfromthelocaldisk,whichyoumighthavepreviouslydownloaded fromCisco. Before You Begin Besuretouploadonlycurrent,supportedresourcestoCiscoISE.Older,unsupportedresources(olderversions oftheCiscoNACAgent,forexample)willlikelycauseseriousissuesforclientaccess. IfyouaredownloadingtheresourcefilesmanuallyfromtheCisco.com,referto“CiscoISEOfflineUpdates” sectionintheReleaseNotes. Procedure Step 1ChoosePolicy>PolicyElements>Results>ClientProvisioning>Resources. Step 2ChooseAdd>Agentresourcesfromlocaldisk. Step 3ChooseCiscoProvidedPackagesfromtheCategorydrop-down. Step 4ClickBrowsetothedirectoryonyourlocalmachinewheretheresourcefilethatyouwanttodownloadto CiscoISEresides. YoucanaddAnyConnect,CiscoNACAgent,andCiscoWebAgentresourcesthatyouhavepreviously downloadedfromCiscositeinyourlocalmachine. Step 5ClickSubmit. What to Do Next AfteryouhavesuccessfullyaddedclientprovisioningresourcestoCiscoISE,youcanbegintoconfigure clientprovisioningresourcepolicies. Cisco Identity Services Engine Administrator Guide, Release 1.3 524 Add Cisco Provided Client Provisioning Resources from a Local Machine