Cisco Ise 13 User Guide
create and apply Cisco ISE services where they are needed in the network. The result is a comprehensive Cisco ISE deployment that operates as a fully functional and integrated system.

Cisco ISE nodes can be deployed with one or more of the Administration, Monitoring, and Policy Service personas, each one performing a different vital part in your overall network policy management topology. Installing Cisco ISE with an Administration persona allows you to configure and manage your network from a centralized portal to promote efficiency and ease of use.

The Cisco ISE platform can also be deployed as an Inline Posture node to perform policy enforcement and execute Change of Authorization (CoA) requests where users are accessing the network via WLCs and/or VPN concentrators that do not support the necessary functionality to facilitate Cisco ISE policy management.

Support for UCS Hardware

In addition to the Cisco ISE 3300 Series appliance, Cisco ISE 1.3 supports the UCS C220 M3 hardware and is available on the following platforms:
• SNS-3415 (small)
• SNS-3495 (large)

Refer to Table 3 in the Cisco Identity Services Engine Data Sheet for the hardware specifications.

Basic User Authentication and Authorization

User authentication policies in Cisco ISE enable you to provide authentication for a number of user login session types using a variety of standard authentication protocols including, but not limited to, Password Authentication Protocol (PAP), Challenge-Handshake Authentication Protocol (CHAP), Protected Extensible Authentication Protocol (PEAP), and Extensible Authentication Protocol (EAP). Cisco ISE specifies the allowable protocol(s) that are available to the network devices on which the user tries to authenticate and specifies the identity sources from which user authentication is validated.

Cisco ISE allows for a wide range of variables within authorization policies to ensure that only authorized users can access the appropriate resources when they access the network. The initial release of Cisco ISE supports only RADIUS-governed access to the internal network and its resources.
At the most fundamental level, Cisco ISE supports 802.1X, MAC authentication bypass (MAB), and browser-based Web authentication login for basic user authentication and access via both wired and wireless networks. Upon receiving an authentication request, the "outer part" of the authentication policy is used to select the set of protocols that are allowed when processing the request. Then, the "inner part" of the authentication policy is used to select the identity source that is used to authenticate the request. The identity source may consist of a specific identity store or an identity store sequence that lists a set of accessible identity stores to be consulted in turn until the user receives a definitive authentication response.

Once authentication succeeds, the session flow proceeds to the authorization policy. (There are also options available that allow Cisco ISE to process the authorization policy even when the authentication did not succeed.) Cisco ISE enables you to configure behavior for "authentication failed," "user not found," and "process failed" cases, and also to decide whether to reject the request, drop the request (no response is issued), or continue to the authorization policy. In cases where Cisco ISE continues to perform authorization, you can use the "Authentication Status" attribute in the "Network Access" dictionary to incorporate the authentication result as part of the authorization policy.

Cisco Identity Services Engine Administrator Guide, Release 1.3 5 Support for UCS Hardware
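The following Python model is an added example, not code from the Cisco guide or from ISE itself. It walks through the two-stage flow described above: the outer rule filters by allowed protocol, the inner rule consults an identity store sequence until a store gives a definitive answer, each non-success outcome maps to reject, drop or continue, and when the request continues, the Authentication Status value is handed to a toy authorization policy. The store contents, user names, profile names and the default failure actions are constructed for illustration; treating a store error as "move on to the next store" and rejecting a disallowed protocol outright are assumptions of the model, not documented ISE behaviour.

```python
from dataclasses import dataclass, field
from enum import Enum


class Outcome(Enum):
    PASSED = "AuthenticationPassed"
    FAILED = "AuthenticationFailed"
    USER_NOT_FOUND = "UserNotFound"
    PROCESS_FAILED = "ProcessFailed"


class Action(Enum):
    REJECT = "reject"        # answer with Access-Reject
    DROP = "drop"            # issue no response at all
    CONTINUE = "continue"    # proceed to the authorization policy anyway


@dataclass
class IdentityStore:
    """Constructed stand-in for an identity store (AD, internal users, ...)."""
    name: str
    users: dict                 # username -> password, sample data only
    available: bool = True      # False simulates an unreachable store

    def check(self, user, password):
        if not self.available:
            raise ConnectionError(f"{self.name} unreachable")
        if user not in self.users:
            return Outcome.USER_NOT_FOUND
        return Outcome.PASSED if self.users[user] == password else Outcome.FAILED


@dataclass
class AuthPolicy:
    allowed_protocols: set      # "outer part": protocols this rule permits
    store_sequence: list        # "inner part": identity source sequence
    # Action per non-success outcome (assumed defaults; configurable in ISE).
    on_failure: dict = field(default_factory=lambda: {
        Outcome.FAILED: Action.REJECT,
        Outcome.USER_NOT_FOUND: Action.REJECT,
        Outcome.PROCESS_FAILED: Action.DROP,
    })


def run_sequence(stores, user, password):
    """Walk the identity source sequence until a store gives a definitive answer.

    Assumption of this model: "user not found" and a store error both move on to
    the next store; a password match or mismatch is definitive.
    """
    saw_process_failure = False
    for store in stores:
        try:
            result = store.check(user, password)
        except ConnectionError:
            saw_process_failure = True
            continue
        if result in (Outcome.PASSED, Outcome.FAILED):
            return result
    return Outcome.PROCESS_FAILED if saw_process_failure else Outcome.USER_NOT_FOUND


def authenticate(policy, request):
    """Return (outcome, action, attributes handed to the authorization policy)."""
    if request["protocol"] not in policy.allowed_protocols:
        # Outer part: disallowed protocol, rejected before any store is consulted (assumption).
        return Outcome.FAILED, Action.REJECT, {}
    outcome = run_sequence(policy.store_sequence, request["user"], request["password"])
    action = Action.CONTINUE if outcome is Outcome.PASSED else policy.on_failure[outcome]
    attrs = {}
    if action is Action.CONTINUE:
        # The authorization policy can match on this attribute
        # (dictionary "Network Access", attribute "AuthenticationStatus").
        attrs["NetworkAccess:AuthenticationStatus"] = outcome.value
    return outcome, action, attrs


def authorize(attrs):
    """Toy authorization policy; the profile names are constructed for the example."""
    status = attrs.get("NetworkAccess:AuthenticationStatus")
    if status == Outcome.PASSED.value:
        return "Employee_Full_Access"
    if status == Outcome.USER_NOT_FOUND.value:
        return "Guest_Portal_Redirect"     # unknown user that continued to authorization
    return "DenyAccess"


# Constructed sample deployment: two stores in sequence, unknown users go to the guest flow.
AD = IdentityStore("AD1", {"alice": "s3cret"})
INTERNAL = IdentityStore("Internal Users", {"bob": "pa55"})
POLICY = AuthPolicy({"PEAP", "EAP-TLS"}, [AD, INTERNAL])
POLICY.on_failure[Outcome.USER_NOT_FOUND] = Action.CONTINUE

if __name__ == "__main__":
    for req in ({"protocol": "PEAP", "user": "alice", "password": "s3cret"},
                {"protocol": "PEAP", "user": "alice", "password": "wrong"},
                {"protocol": "PEAP", "user": "carol", "password": "x"},
                {"protocol": "PAP", "user": "bob", "password": "pa55"}):
        outcome, action, attrs = authenticate(POLICY, req)
        print(req["user"], outcome.name, action.name, authorize(attrs) if attrs else "-")
```

The point to notice is the "continue" path: an unknown user is still handed to the authorization policy, and it is the Authentication Status attribute, not the absence of a user record, that the authorization rule has to match on to keep such a session out of the employee profile.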
The authorization policy result is Cisco ISE assigning an authorization profile that might also involve a downloadable ACL specifying traffic management on the network policy enforcement device. The downloadable ACL specifies the RADIUS attributes that are returned during authentication and that define the user access privileges granted once authenticated by Cisco ISE.

Note: Cisco ISE processes the attributes in the following order while identifying the authentication session for the incoming accounting packet:
• For Cisco devices:
  1. Class/State
  2. audit-session-id
• For third party devices:
  1. Class/State
  2. Calling-Station-ID
  3. If the authentication session cannot be identified, Cisco ISE creates a new session ID based on the Calling-Station-ID, NAS-Port, and NAS-IP-Address.

Policy Sets

Cisco ISE supports policy sets, which let you group sets of authentication and authorization policies. As opposed to the basic authentication and authorization policy model, which is a flat list of authentication and authorization rules, policy sets let you logically define the organization's IT business use cases into policy groups or services, such as VPN and 802.1x, so that configuration, deployment, and troubleshooting are easier.

You must enable Policy Sets on Administration > System > Settings > Policy Settings to make them available on the Policy menu.

Support for Common Access Card Functions

Cisco ISE supports U.S. government users who authenticate themselves using Common Access Card (CAC) authentication devices. A CAC is an identification badge with an electronic chip containing a set of X.509 client certificates that identify a particular employee of, for example, the U.S. Department of Defense (DoD). Access via the CAC requires a card reader into which the user inserts the card and enters a PIN. The certificates from the card are then transferred into the Windows certificate store, where they are available to applications such as the local browser running Cisco ISE.

Benefits of using a CAC card to authenticate include these:
• Common Access Card X.509 certificates are the identity source for 802.1X EAP-TLS authentication.
• Common Access Card X.509 certificates are also the identity source for authentication and authorization to Cisco ISE administration.
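The attribute order in the note above is what ties an Accounting-Request back to the session that was authenticated, so it is worth seeing as code. The Python below is an added example, not Cisco code: it tries Class/State first for every device, then audit-session-id for Cisco devices or Calling-Station-ID for third-party devices, and otherwise derives a new session from Calling-Station-ID, NAS-Port and NAS-IP-Address. The session table, the NAS vendor table keyed by NAS-IP-Address, the hash-based new-session-id format and the choice to apply the new-session fallback to unmatched Cisco packets as well are all assumptions of the model.

```python
import hashlib
from dataclasses import dataclass, field


@dataclass
class SessionTable:
    """In-memory stand-in for the live session directory (constructed)."""
    by_class: dict = field(default_factory=dict)     # Class/State value -> session id
    by_audit_id: dict = field(default_factory=dict)  # audit-session-id -> session id (Cisco)
    by_csid: dict = field(default_factory=dict)      # Calling-Station-ID -> session id (3rd party)


def new_session_id(packet):
    """Derive a session id from Calling-Station-ID, NAS-Port and NAS-IP-Address.

    The guide names these three attributes; the hash-based id format is an
    assumption of this example, not the format ISE uses.
    """
    key = "|".join(str(packet.get(a, "")) for a in
                   ("Calling-Station-ID", "NAS-Port", "NAS-IP-Address"))
    return "sess-" + hashlib.sha256(key.encode()).hexdigest()[:12]


def identify_session(packet, sessions, cisco_device):
    """Return (session_id, matched_by) for one accounting packet."""
    # 1. Class / State are tried first regardless of device vendor.
    for attr in ("Class", "State"):
        val = packet.get(attr)
        if val is not None and val in sessions.by_class:
            return sessions.by_class[val], attr
    # 2. Cisco devices continue with audit-session-id, third-party devices with
    #    Calling-Station-ID. Note that a Cisco device is never matched on Calling-Station-ID.
    if cisco_device:
        val = packet.get("audit-session-id")
        if val is not None and val in sessions.by_audit_id:
            return sessions.by_audit_id[val], "audit-session-id"
    else:
        val = packet.get("Calling-Station-ID")
        if val is not None and val in sessions.by_csid:
            return sessions.by_csid[val], "Calling-Station-ID"
    # 3. No match: create a new session. The guide lists this step under third-party
    #    devices; applying it to unmatched Cisco packets too is an assumption here.
    sid = new_session_id(packet)
    csid = packet.get("Calling-Station-ID")
    if csid is not None:
        sessions.by_csid.setdefault(csid, sid)   # later packets for this endpoint will match
    return sid, "new"


def correlate(packet, sessions, network_devices):
    """Look up the NAS vendor by NAS-IP-Address (constructed table) and identify the session."""
    vendor = network_devices.get(packet.get("NAS-IP-Address"), "third-party")
    return identify_session(packet, sessions, cisco_device=(vendor == "cisco"))


# Constructed sample data: a NAS table and a session directory with three known sessions.
NETWORK_DEVICES = {"10.0.0.1": "cisco", "10.0.0.2": "third-party"}


def sample_sessions():
    return SessionTable(
        by_class={"cls-0001": "s-100"},
        by_audit_id={"0A0000010000001A": "s-101"},
        by_csid={"00-11-22-33-44-55": "s-102"},
    )


if __name__ == "__main__":
    sessions = sample_sessions()
    packets = [
        {"NAS-IP-Address": "10.0.0.1", "Class": "cls-0001", "audit-session-id": "zzz"},
        {"NAS-IP-Address": "10.0.0.1", "audit-session-id": "0A0000010000001A"},
        {"NAS-IP-Address": "10.0.0.2", "Calling-Station-ID": "00-11-22-33-44-55"},
        {"NAS-IP-Address": "10.0.0.2", "Calling-Station-ID": "66-77-88-99-AA-BB", "NAS-Port": 7},
    ]
    for p in packets:
        print(correlate(p, sessions, NETWORK_DEVICES))
```

When accounting records show up as orphaned sessions in the live log, this order is the first thing to check: a Cisco NAS that strips audit-session-id, or a third-party NAS that reports a different Calling-Station-ID in accounting than in authentication, will fall through to the new-session branch every time.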
Cisco ISE supports CAC login only to the Admin portal. It does not support CAC authentication for the following access methods:
• You cannot use CAC authentication login to manage the Cisco ISE Command Line Interface.
• External REST API (Monitoring and Troubleshooting) and Endpoint Protection Services APIs are outside the scope of the CAC authentication.
• Guest Services and Guest Sponsor Administration access does not support the CAC authentication method in Cisco ISE.

Client Posture Assessment

To ensure that the imposed network security measures remain relevant and effective, Cisco ISE enables you to validate and maintain security capabilities on any client machine that accesses the protected network. By employing posture policies that are designed to ensure that the most up-to-date security settings or applications are available on client machines, the Cisco ISE administrator can ensure that any client machine that accesses the network meets, and continues to meet, the defined security standards for enterprise network access. Posture compliance reports provide Cisco ISE with a snapshot of the compliance level of the client machine at the time of user login, as well as any time a periodic reassessment occurs.

Posture assessment and compliance occurs using one of the following agent types available in Cisco ISE:
• Cisco NAC Web Agent: A temporal agent that the users install on their system at the time of login and that is no longer visible on the client machine once the login session terminates.
• Cisco NAC Agent: A persistent agent that, once installed, remains on a Windows or Mac OS X client machine to perform all security compliance functions.
• AnyConnect ISE Agent: A persistent agent that can be installed on a Windows or Mac OS X client to perform posture compliance functions.
Network Access for Guests

Cisco ISE administrators and employees who are granted appropriate access to the Cisco ISE guest registration portal as guest sponsors can create temporary guest login accounts and specify available network resources to allow guests, visitors, contractors, consultants, and customers to get restricted access to the specified network resources and Internet. Guest access sessions have expiration timers associated with them, so they are effective in controlling guest access to a specific day, time period, and so forth.

All aspects of a guest user session (including account creation and termination) are tracked and recorded in Cisco ISE so that you can provide audit information and troubleshoot session access, as necessary.

Support for Personal Devices

Cisco ISE allows employees to connect their personal devices, such as laptop computers, mobile phones, tablets, printers, and other network devices, to the enterprise network.

Supporting these devices presents difficulties in protecting network services and enterprise data, so you must ensure that both the employees and their devices are authenticated and authorized for network access. With a Plus license, Cisco ISE provides you with the tools you need to allow employees to securely use their personal devices on your corporate network.

Mobile Device Manager Interoperability with Cisco ISE

Mobile Device Management (MDM) servers secure, monitor, manage, and support mobile devices deployed across mobile operators, service providers, and enterprises. MDM enforces policy on endpoints, but it cannot force users to register their device or force remediation. ISE retrieves policies from the MDM server, and enforces those policies when users register their devices. If the ISE device policy requires MDM, and the device is not compliant with MDM, then ISE redirects the user to the MDM on-boarding portal, and prompts the user to update the device for network access. ISE can also allow internet-only access to users who decline MDM compliance.

Wireless and VPN Traffic with Inline Posture Nodes

Inline Posture nodes are gatekeeping nodes that enforce Cisco ISE access policies and handle Change of Authorization (CoA) requests. After initial authentication (using EAP/802.1X and RADIUS), client machines must still go through posture assessment. The posture assessment process determines whether the client should be restricted, denied, or allowed full access to the network. When a client accesses the network through a WLC or VPN device, the Inline Posture node has the responsibility for the policy enforcement and CoA that the other network devices are unable to accommodate. Consequently, a Cisco ISE can be deployed as an Inline Posture node behind other network access devices on your network, such as WLCs and VPN concentrators.

Profiled Endpoints on the Network

The Profiler service assists in identifying, locating, and determining the capabilities of all endpoints on your network (known as identities in Cisco ISE), regardless of their device types, to ensure and maintain appropriate access to your enterprise network. The Cisco ISE Profiler function uses a number of probes to collect attributes for all endpoints on your network, and passes them to the Profiler analyzer, where the known endpoints are classified according to their associated policies and identity groups.
The Profiler Feed service allows administrators to retrieve new and updated endpoint profiling policies and the updated OUI database as a feed from a designated Cisco feed server through a subscription into Cisco ISE.

pxGrid Persona

Cisco pxGrid is used to enable the sharing of contextual-based information from the Cisco ISE session directory to other policy network systems such as Cisco Adaptive Security Appliance (ASA). The pxGrid framework can also be used to exchange policy and configuration data between nodes, such as sharing tags and policy objects between ISE and third party vendors, and for non-ISE related information exchanges such as threat information.
Cisco ISE Certificate Authority

Cisco ISE provides a native Certificate Authority (CA) that issues and manages digital certificates for endpoints from a centralized console to allow employees to connect to the company's network using their personal devices. Cisco ISE CA supports standalone and subordinate deployments.

Support for Active Directory Multidomain Forests

Cisco ISE supports Active Directory with multidomain forests. Cisco ISE connects to a single domain, but can access resources from the other domains in the Active Directory forest if trust relationships are established between the domain to which Cisco ISE is connected and the other domains.

Support for SAnet Devices

Cisco ISE provides limited support for Session Aware Networking (SAnet), a session management framework on the switches that provides more consistent and flexible management of access-sessions, including visibility, authentication, and authorization. SAnet defines the notion of a service template, which is an authorization object accepted both by ISE as well as by the device. This is in contradistinction to Cisco ISE authorization profiles, which are containers of RADIUS authorization attributes that are merged and flattened into a list of attributes before they are sent to the device. Similarly, SAnet service templates are also containers of RADIUS authorization attributes, but they are not flattened into a list before sending to the device. Instead, Cisco ISE sends the name of the service template and the device downloads the content (RADIUS attributes) if it does not already have a cached or statically defined version of it. In addition, Cisco ISE sends CoA notifications to the device if the definition of a service template has changed, that is, if a RADIUS attribute was added, removed or changed.

Cisco ISE implements service templates as authorization profiles that contain a special flag that marks them as "Service Template" compatible. This way the service template, which is also an authorization profile, can be used in a single policy statement that will support sessions connecting from SAnet capable devices as well as legacy devices.
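To make the two delivery models concrete, the Python below is an added example (not Cisco code, and not how ISE or IOS implement SAnet internally). One authorization profile carries the "Service Template" flag; for a SAnet-capable switch only the template name is sent and the switch downloads the attributes if its cache is stale, while a legacy device gets the same profiles merged and flattened into one attribute list. Changing the template definition then triggers a CoA notification to every device that cached it. The profile names and RADIUS attribute values are constructed, the template version counter is an assumption used to model "cached version differs from the current definition", and later-profile-wins merging is an assumption about how flattening resolves duplicate attributes.

```python
from dataclasses import dataclass, field


@dataclass
class AuthzProfile:
    """Authorization profile: a container of RADIUS attributes (constructed values)."""
    name: str
    attributes: dict
    service_template: bool = False    # the "Service Template" compatibility flag


def flatten(profiles):
    """Merge several profiles into the single attribute list a legacy device receives.

    Assumption of this model: a later profile overrides an earlier one for the same
    attribute; the guide only says the attributes are merged and flattened.
    """
    merged = {}
    for p in profiles:
        merged.update(p.attributes)
    return sorted(merged.items())


@dataclass
class SAnetDevice:
    """Switch that accepts a template name and caches the downloaded content."""
    name: str
    cache: dict = field(default_factory=dict)      # template name -> (version, attributes)
    sessions: dict = field(default_factory=dict)   # session id -> template name
    coa_log: list = field(default_factory=list)    # CoA notifications received

    def apply(self, session_id, template, version, fetch):
        cached = self.cache.get(template)
        if cached is None or cached[0] != version:
            self.cache[template] = (version, fetch(template))  # download only on a miss
        self.sessions[session_id] = template
        return self.cache[template][1]


class ISEModel:
    """Minimal stand-in for the ISE side of the exchange (assumed behaviour)."""

    def __init__(self, profiles):
        self.profiles = {p.name: p for p in profiles}
        self.versions = {p.name: 1 for p in profiles}   # version counter is an assumption
        self.devices = []                                # SAnet devices that pulled a template

    def fetch(self, name):
        return dict(self.profiles[name].attributes)

    def authorize(self, session_id, profile_names, sanet_capable, device=None):
        profiles = [self.profiles[n] for n in profile_names]
        if (sanet_capable and device is not None and len(profiles) == 1
                and profiles[0].service_template):
            # SAnet path: send only the template name; the device pulls the content.
            p = profiles[0]
            if all(d is not device for d in self.devices):
                self.devices.append(device)
            applied = device.apply(session_id, p.name, self.versions[p.name], self.fetch)
            return {"kind": "service-template", "name": p.name, "applied": applied}
        # Legacy path: the same profiles, flattened into one attribute list.
        return {"kind": "flattened", "attributes": flatten(profiles)}

    def update_template(self, name, attributes):
        """Change a template definition and notify (CoA) every device that cached it."""
        self.profiles[name].attributes = dict(attributes)
        self.versions[name] += 1
        notified = []
        for d in self.devices:
            if name in d.cache:
                d.coa_log.append(name)
                notified.append(d.name)
        return notified


if __name__ == "__main__":
    emp = AuthzProfile("Employee", {"Tunnel-Private-Group-ID": "10", "Session-Timeout": 3600})
    svc = AuthzProfile("SVC_EMPLOYEE", {"Tunnel-Private-Group-ID": "10"}, service_template=True)
    ise = ISEModel([emp, svc])
    sw = SAnetDevice("sw1")
    print(ise.authorize("s1", ["SVC_EMPLOYEE"], True, device=sw))
    print(ise.authorize("s2", ["Employee"], False))
    print(ise.update_template("SVC_EMPLOYEE", {"Tunnel-Private-Group-ID": "20"}), sw.coa_log)
```

The operational consequence is the one the guide hints at: with flattened profiles a policy change only takes effect on the next authentication, whereas with a service template the CoA tells the switch that its cached copy is stale, so a template edit propagates to live sessions.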
Support for Installation on Multiple Hardware and VMware Platforms

Cisco ISE comes preinstalled on a range of physical appliances with various performance characteristics. The Cisco Application Deployment Engine (ADE) and Cisco ISE software run either on a dedicated SNS-3400 Series appliance or on a virtual machine (Cisco ISE VM). The Cisco ISE software image does not support the installation of any other packages or applications on this dedicated platform. The inherent scalability of Cisco ISE allows you to add appliances to a deployment and increase performance and resiliency, as needed.
CHAPTER 2

Navigate the Admin portal

• Admin Portal, page 12
• Setup Assistant, page 14
• Filter Data on Listing Pages, page 18
• Cisco ISE Internationalization and Localization, page 20
• MAC Address Normalization, page 26
• Admin Features Limited by Role-Based Access Control Policies, page 27
Admin Portal

The Admin portal is an administration console from which you can manage various identity services. The following figure shows the main elements of this portal.

Figure 1: Admin portal

1 Menu Bar: Access tools for viewing, monitoring, and managing different Cisco ISE options:
• Home: Access the dashboard, which is a real-time view of all the services running in the Cisco ISE network.
• Operations: Access tools for monitoring real-time alarms and live authentications, querying historical data through reports, and troubleshooting network services.
• Policy: Access tools for managing network security in the areas of authentication, authorization, profiling, posture, and client provisioning.
• Administration: Access tools for managing Cisco ISE nodes, licenses, certificates, network devices, users, endpoints, and guest services.
2 Top Right Panel: View the connected Cisco ISE node. Click the appropriate options to edit account information, log out, and provide feedback to Cisco.
3 Search: Search for endpoints and display their distribution by profiles, failures, identity stores, location, device type, and so on.
4 Setup Assistant: Access the wizard to create a basic configuration to demonstrate Cisco ISE feature functionality in your network.
5 Context-Sensitive Help: Access help for the currently displayed page.
6 Help: Access the complete Cisco ISE online Help system.
7 Notifications: Hover the mouse cursor over this option to view a summary of notifications.

Cisco ISE Dashboard

The Cisco ISE Dashboard displays live consolidated and correlated statistical data that is essential for effective monitoring and troubleshooting. Dashboard elements show activity over 24 hours, unless otherwise noted. The following figure shows some of the information available on the Cisco ISE Dashboard.

Figure 2: Cisco ISE User Dashboard

1 Dashlets: Dashboard elements that display statistical summaries about the devices and users accessing the network. In some dashlets, colored icons are displayed prior to the device names to convey the system health:
• Green = Healthy
• Yellow = Warning
• Red = Critical
• Gray = No information
2 Sparklines: Depict trends over time.
3 Stacked bar charts: Display the distribution of parameters using color as the dividing element, so you can see where one parameter ends and another begins. Display is limited to the top 10 distributions. In general, stacked bar charts use color to mark the boundary points between one data measurement and another.
4 Metric meters: Summarize the most important statistics regarding the devices that are accessing the network. Metric meters provide an at-a-glance view of network health and performance. You can click the number displayed above the metric meter to view more information about the devices.

Setup Assistant

The Setup Assistant guides you through a series of questions in a wizard-like interface, retaining your responses and using them to configure Cisco ISE directly. It enables you to set up a basic working Cisco ISE configuration as a proof-of-concept for your network. Your answers to the questions impact these Cisco ISE features: authentication, authorization, profiling, posture, client provisioning, guest services, and support for personal devices.

Cisco ISE Licensing Impact on Setup Assistant

Setup Assistant functionality depends on the Cisco ISE license that you have applied to your configuration.

Cisco ISE License: Basic
  Select Network Device Types: —
  Configure Network Access Services: —
  Identify Policy Requirements: The posture, endpoint profiling, and personal devices options are not available.

Cisco ISE License: Advanced
  Select Network Device Types: If you choose wired + monitor, the guest and posture choices are disabled on the next page. If you choose wireless and wired + monitor, the guest and posture choices on the next page impact wireless only.
  Configure Network Access Services: If you choose wired only on the first page, the wireless LAN controller (WLC) information does not appear. If you choose wireless only on the first page, switch information does not appear.
  Identify Policy Requirements: The guest and posture choices are not available if you select wired + monitor on the previous page.

Cisco ISE License: Wireless
  Select Network Device Types: The wired option is not available.
  Configure Network Access Services: Switch information does not appear.
  Identify Policy Requirements: —

Run the Setup Assistant

When you start Cisco ISE for the first time, you are prompted to run the Setup Assistant. If you choose not to run it then, you can run it again later.

Before You Begin

To perform this task, you must be a Super Admin. You can only run the Setup Assistant on the standalone or Primary Administration Node (PAN).