Cisco ISE 1.3 User Guide
Full Name | Abbreviated Name | ID | Language
Finnish | fi | 1035 | Finnish
French | fr | 1036 | French
French-Canadian | fr-ca | 3084 | French Canadian
German | de | 1031 | German
Hungarian | hu | 1038 | Hungarian
Italian | it | 1040 | Italian
Japanese | ja | 1041 | Japanese
Korean (Extended Wansung) | ko | 1042 | Korean
Norwegian | no | 1044 | Norwegian
Polish | pl | 1045 | Polish
Portuguese | pt | 2070 | Portuguese
Russian | ru | 1049 | Russian
Serbian (Latin) | sr | 2074 | Serbian Latin
Serbian (Cyrillic) | src | 3098 | Serbian Cyrillic
Spanish (Traditional) | es | 1034 | Spanish
Swedish | sv | 1053 | Swedish
Turkish | tr | 1055 | Turkish

Client IP Address Refresh Configuration

The following table describes the fields in the NAC or AnyConnect Posture Profile page, which allows you to configure parameters for the client to renew or refresh its IP address after a VLAN change. The navigation path for this page is Policy > Policy Elements > Results > Client Provisioning > Resources > Add > NAC or AnyConnect Posture Profile.

Cisco Identity Services Engine Administrator Guide, Release 1.3 (page 535)
Table columns: Field, Default Value, Mode (Mode applies only to the Cisco NAC Agent), Usage Guidelines.

Field: VLAN detection interval
Default Value: 0 (Windows), 5 (Mac OS X)
Mode: Merge
Usage Guidelines: This setting is the interval at which the agent checks for the VLAN change.
For the Windows NAC agent, the default value is 0. By default, the access to authentication VLAN change feature is disabled for Windows. The valid range is 0 to 5 seconds.
For the Mac OS X agent, the default value is 5. By default, the access to authentication VLAN change feature is enabled with VlanDetectInterval as 5 seconds for Mac OS X. The valid range is 5 to 900 seconds.
0—Access to Authentication VLAN change feature is disabled.
1 to 5—Agent sends an Internet Control Message Protocol (ICMP) or Address Resolution Protocol (ARP) query every 5 seconds.
6 to 900—An ICMP or ARP query is sent every x seconds.
Field: Enable VLAN detection without UI (Not applicable for a Mac OS X client)
Default Value: No
Mode: Merge
Usage Guidelines: This setting enables or disables VLAN detection even when the user is not logged in.
No—VLAN detect feature is disabled.
Yes—VLAN detect feature is enabled.

Field: Retry detection count
Default Value: 3
Mode: Merge
Usage Guidelines: If the Internet Control Message Protocol (ICMP) or Address Resolution Protocol (ARP) polling fails, this setting configures the agent to retry x times before refreshing the client IP address.

Field: Ping or ARP
Default Value: 0. The valid range is 0 to 2.
Mode: Merge
Usage Guidelines: This setting specifies the method used for detecting the client IP address change.
0—Poll using ICMP
1—Poll using ARP
2—Poll using ICMP first, then (if ICMP fails) ARP

Field: Maximum timeout for ping
Default Value: 1. The valid range is 1 to 10 seconds.
Mode: Merge
Usage Guidelines: Poll using ICMP, and if there is no response within the specified time, then declare an ICMP polling failure.
Field: Enable agent IP refresh
Default Value: Yes (Default)
Mode: Overwrite
Usage Guidelines: This setting specifies whether or not the client machine renews or refreshes its IP address after the switch (or WLC) changes the VLAN for the login session of the client on the respective switch port.

Field: DHCP renew delay
Default Value: 0. The valid range is 0 to 60 seconds.
Mode: Overwrite
Usage Guidelines: This setting specifies how long the client machine waits before attempting to request a new IP address from the network DHCP server.

Field: DHCP release delay
Default Value: 0. The valid range is 0 to 60 seconds.
Mode: Overwrite
Usage Guidelines: This setting specifies how long the client machine waits before releasing its current IP address.

Note
Merge parameter values with existing agent profile settings or overwrite them to appropriately configure Windows and Mac OS X clients for refreshing IP addresses.

Posture Protocol Settings

The following table describes the fields in the NAC or AnyConnect Profile page, which allows you to configure the posture protocol settings. The navigation path for this page is Policy > Policy Elements > Results > Client Provisioning > Resources > Add > NAC Agent or AnyConnect Posture Profile.
Table columns: Field, Value, Mode, Usage Guidelines.

Field: Allow CRL Checks (Not applicable for a Mac OS X client)
Value: Yes
Mode: Overwrite
Usage Guidelines: If the value is set to No, this setting turns off checking the certificate revocation list (CRL) during discovery and negotiation.

Field: MAC Address Exemption List (Not applicable for a Mac OS X client)
Value: Enter MAC addresses separated by a comma. For example, AA:BB:CC:DD:EE:FF, 11:22:33:44:55:66
Mode: Merge
Usage Guidelines: If you specify one or more MAC addresses in this setting, the agent does not advertise those MAC addresses to Cisco ISE during login and authentication, to help prevent sending unnecessary MAC addresses over the network.

Field: Discovery Host (Not applicable for a Mac OS X client)
Value: Enter the IP address or the fully qualified domain name (FQDN)
Mode: Overwrite
Usage Guidelines: This setting specifies the Discovery Host address or resolvable domain name that the agent uses to connect to Cisco ISE in a Layer 3 deployment.

Field: Enable Discovery Host (Not applicable for a Mac OS X client)
Value: Yes
Mode: Overwrite
Usage Guidelines:
Yes—User can specify a custom value in the Discovery Host field in the agent Properties dialog box.
No—Ensure that the user cannot update the value in the Discovery Host field on the client machine.
Field: Server Name Rules
Value: Enter the fully qualified domain names (FQDNs) of the Cisco ISE servers, separated by a comma.
Mode: Merge
Usage Guidelines: This field consists of comma-separated names of associated Cisco ISE servers. The agent uses the names in this list to authorize Cisco ISE access points. If this list is empty, then authorization is not performed. If any of the names is not found, then an error is reported.

Field: Auto-generated MAC Address (Not applicable for a Mac OS X client)
Value: —
Mode: Merge
Usage Guidelines: This setting supports Evolution-Data Optimized connections on the client machine. If the client machine does not have an active network interface card, the agent creates a dummy MAC address for the system.

Field: SWISS Timeout (Not applicable for a Mac OS X client)
Value: 1—Agent performs SWISS discovery as designed and no additional UDP response packet delay timeout value is introduced.
Mode: Merge
Usage Guidelines: If the value is set to greater than one, the agent waits the additional number of seconds for a SWISS UDP discovery response packet from Cisco ISE before sending another discovery packet. The agent takes this action to ensure that network latency is not delaying the response packet en route. (SWISS Timeout applies only to UDP SWISS timeouts.)
Field: Disable L3 SWISS delay (Not applicable for a Mac OS X client)
Value: No
Mode: Merge
Usage Guidelines: If this setting is set to Yes, the agent disables the ability to increase the transmission interval for Layer 3 discovery packets. Therefore, the Layer 3 discovery packets repeatedly go out every 5 seconds, just like Layer 2 packets.

Field: HTTP Discovery Timeout (Not applicable for a Mac OS X client)
Value: 30 (Default for Windows clients). The valid range is 3 seconds and above.
Mode: Merge
Usage Guidelines: This setting specifies the HTTP discovery timeout for which the HTTPS discovery from the agent waits for the discovery response from Cisco ISE. If there is no response for the specified time, then the discovery process times out.
If the value is set to 0, then the default client machine operating system timeout settings are used.
If the value is set to 1 or 2, the value is automatically set to 3.
Field: HTTP Timeout (Not applicable for a Mac OS X client)
Value: 120 (Default for Windows clients). The valid range is 3 seconds and above.
Mode: Merge
Usage Guidelines: This setting specifies the HTTP timeout for which the HTTP request from the agent waits for the response. If there is no response for the specified time, then the request times out, and the discovery process times out.
If the value is set to 0, then the default client machine operating system timeout settings are used.
If the value is set to 1 or 2, the value is automatically set to 3.

Client Login Session Criteria

Cisco ISE looks at various elements when classifying the type of login session through which users access the internal network, including:
• Client machine operating system and version
• Client machine browser type and version
• Group to which the user belongs
• Condition evaluation results (based on applied dictionary attributes)

After Cisco ISE classifies a client machine, it uses client provisioning resource policies to ensure that the client machine is set up with an appropriate agent version, up-to-date compliance modules for antivirus and antispyware vendor support, and correct agent customization packages and profiles, if necessary.

Agent Download Issues on Client Machine

Problem
The client machine browser displays a "no policy matched" error message after user authentication and authorization. This issue applies to user sessions during the client provisioning phase of authentication.

Possible Causes
The client provisioning policy is missing required settings.
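As an added example (Python written for this page, not code from the Cisco guide or the NAC Agent), the following checker applies the ranges and rules from the Client IP Address Refresh and Posture Protocol Settings tables above to a profile expressed as a dictionary, so a profile can be reviewed for weak or out-of-range values before it is pushed to clients. The dictionary keys (PingArp, MacExemptList and so on) and the sample values are assumptions for this example, not Cisco's configuration element names.

```python
import re

# Added example, not from the Cisco ISE guide: check NAC Agent profile values against
# the ranges and rules in the Client IP Address Refresh and Posture Protocol tables.
# The dict keys below are hypothetical names for this example, not Cisco's XML elements.
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")

def vlan_poll_seconds(interval, platform):
    """Effective ICMP/ARP poll period for the VLAN detection interval; None = disabled."""
    lo, hi = (0, 5) if platform == "windows" else (5, 900)  # Windows 0-5, Mac OS X 5-900
    if not lo <= interval <= hi:
        raise ValueError(f"VLAN detection interval {interval} outside {lo}-{hi} on {platform}")
    if interval == 0:
        return None        # 0: access to authentication VLAN change feature disabled
    if interval <= 5:
        return 5           # 1 to 5: query every 5 seconds
    return interval        # 6 to 900: query every x seconds

def http_timeout_seconds(value):
    """HTTP Discovery Timeout / HTTP Timeout: 0 = OS default (None); 1 or 2 become 3."""
    if value < 0:
        raise ValueError("timeout must not be negative")
    return None if value == 0 else max(value, 3)

def check_profile(p):
    """Return a list of problems found in profile dict p (empty list means it passes)."""
    problems = []
    if p.get("PingArp", 0) not in (0, 1, 2):
        problems.append("Ping or ARP must be 0 (ICMP), 1 (ARP) or 2 (ICMP, then ARP)")
    if not 1 <= p.get("PingMaxTimeout", 1) <= 10:
        problems.append("Maximum timeout for ping must be 1 to 10 seconds")
    for key in ("DhcpRenewDelay", "DhcpReleaseDelay"):
        if not 0 <= p.get(key, 0) <= 60:
            problems.append(f"{key} must be 0 to 60 seconds")
    for mac in filter(None, (m.strip() for m in p.get("MacExemptList", "").split(","))):
        if not MAC_RE.match(mac):
            problems.append(f"malformed MAC in exemption list: {mac}")
    if not p.get("ServerNameRules", "").strip():
        problems.append("Server Name Rules is empty: the agent will not authorize ISE servers")
    if p.get("AllowCRLChecks", "Yes") != "Yes":
        problems.append("Allow CRL Checks is No: CRL checking is off during discovery")
    return problems

# Constructed sample profile (values invented for this example)
SAMPLE = {"VlanDetectInterval": 5, "PingArp": 2, "PingMaxTimeout": 3, "DhcpRenewDelay": 2,
          "DhcpReleaseDelay": 0, "MacExemptList": "AA:BB:CC:DD:EE:FF, 11:22:33:44:55:66",
          "ServerNameRules": "ise-psn1.example.com,ise-psn2.example.com", "AllowCRLChecks": "Yes"}
```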
Posture Agent Download Issues

Remember that downloading the posture agent installer requires the following:
• The user must allow the ActiveX installer in the browser session the first time an agent is installed on the client machine. (The client provisioning download page prompts for this.)
• The client machine must have Internet access.

Resolution
• Ensure that a client provisioning policy exists in Cisco ISE. If yes, verify the policy identity group, conditions, and type of agent(s) defined in the policy. (Also check whether or not there is any agent profile configured under Policy > Policy Elements > Results > Client Provisioning > Resources > Add > NAC or AnyConnect Posture Profile, even a profile with all default values.)
• Try re-authenticating the client machine by bouncing the port on the access switch.

Provision Client Machines with the Cisco NAC Agent MSI Installer

You can place the MSI installer, or a zip version of the same installer, in a directory on the client machine along with an Agent configuration XML file (named NACAgentCFG.xml) containing the appropriate Agent profile information required to match your network.

Procedure

Step 1 Download the nacagentsetup-win.msi or nacagentsetup-win.zip installer file from the Cisco Software Download site at http://software.cisco.com/download/navigator.html and navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software > Release 1.x.

Step 2 Place the nacagentsetup-win.msi file in a specific directory on the client machine (for example, C:\temp\nacagentsetup-win.msi):
• If you are copying the MSI installer directly over to the client, place the nacagentsetup-win.msi file into a directory on the client machine from which you plan to install the Cisco NAC Agent.
• If you are using the nacagentsetup-win.zip installer, extract the contents of the zip file into the directory on the client machine from which you plan to install the Cisco NAC Agent.

Step 3 Place an Agent configuration XML file in the same directory as the Cisco NAC Agent MSI package.
If you are not connected to Cisco ISE, you can copy the NACAgentCFG.xml file from a client that has already been successfully provisioned. The file is located at C:\Program Files\Cisco\Cisco NAC Agent\NACAgentCFG.xml.
As long as the Agent configuration XML file exists in the same directory as the MSI installer package, the installation process automatically places the Agent configuration XML file in the appropriate Cisco NAC Agent application directory so that the agent can point to the correct Layer 3 network location when it is first launched.

Step 4 Open a Command prompt on the client machine and enter the following to execute the installation:
msiexec.exe /i NACAgentSetup-win.msi /qn /l*v c:\temp\agent-install.log
(The /qn qualifier installs the Cisco NAC Agent completely silently. The /l*v qualifier logs the installation session in verbose mode.)
To uninstall the NAC Agent, you can execute the following command:
msiexec /x NACAgentSetup-win-.msi /qn
Installing a new version of the Agent using MSI will uninstall the old version and install the new version using the above commands.

Step 5 If you are using Altiris/SMS to distribute the MSI installer, place the Agent customization files in a sub-directory named "brand" in the directory "%TEMP%/CCAA". When the Cisco NAC Agent is installed on the client, the customization is applied to the Agent. To remove the customization, send a plain MSI without the customization files.

Cisco ISE Posture Agents

Agents are applications that reside on client machines logging into the Cisco ISE network. Agents can be persistent (like AnyConnect and the Cisco NAC Agent for Windows and Mac OS X) and remain on the client machine after installation, even when the client is not logged into the network. Agents can also be temporal (like the Cisco NAC Web Agent), removing themselves from the client machine after the login session has terminated. In either case, the Agent helps the user to log into the network, receive the appropriate access profile, and even perform posture assessment on the client machine to ensure it complies with network security guidelines before accessing the core of the network.

Note
Currently the Cisco NAC Agent and Cisco NAC Web Agent support the Client Provisioning Portal and Native Supplicant Provisioning. The Cisco NAC Web Agent supports the Central Web Authentication (CWA) flow, but the Cisco NAC Agent does not support CWA.

Posture Agent Discovery Request and Cisco ISE Response

Cisco ISE supports coexistence of AnyConnect and legacy Cisco ISE NAC agents on Windows and Mac OS X clients. Agents start the posture discovery probe only when there is a change in the network on the clients. Cisco ISE responds to the client's posture discovery probe based on the client provisioning policy, and only the corresponding agent gets the discovery response, which results in only one agent being active.
Based on the client provisioning policy, Cisco ISE responds to the agents' posture discovery probe differently, as described below:
• If the endpoint is configured to use the legacy agent (Cisco ISE NAC agent for Windows and Mac OS X), the agent receives the discovery response with the string "X-perfigo-CAS=FQDN" in the existing format. AnyConnect stops discovery if the discovery response is received for the legacy agent.
• If the endpoint is configured to use AnyConnect, Cisco ISE responds in a different format. This response contains the Cisco ISE Policy Service node FQDN and the AnyConnect Configuration URL, AnyConnect package location and version based on the client provisioning policy. The legacy agent stops discovery if the response is received for AnyConnect.