Cisco Ise 13 User Guide
Have a look at the manual Cisco Ise 13 User Guide online for free. It’s possible to download the document as PDF or print. UserManuals.tech offer 53 Cisco manuals and user’s guides for free. Share the user manual or guide on Facebook, Twitter or Google+.
Pleaselaunchtherequiredremediationprogram(s)beforeaccessingthenetworkPleaseupdatethevirusdefinitionfileofthespecifiedantivirussoftwarebeforeaccessingthenetwork(optional)Pleaseupdatethevirusdefinitionfileofthespecifiedantivirussoftwarebeforeaccessingthenetwork(required)Pleaseupdatethespywaredefinitionfileofthespecifiedanti-spywaresoftwarebeforeaccessingthenetwork(optional)Pleaseupdatethespywaredefinitionfileofthespecifiedanti-spywaresoftwarebeforeaccessingthenetwork(required)PleasedownloadandinstalltheoptionalwindowsupdatesbeforeaccessingthenetworkPleasedownloadandinstalltherequiredwindowsupdatesbeforeaccessingthenetworkLaunchingRemediationProgram(s)...LaunchingRemediationURL...UpdatingVirusDefinition...UpdatingSpywareDefinition...LaunchingWindowsautoUpdate(s)...Downloadedat%1.%br%Pleaseopenthisfolder&double-clickexecutablefiletoinstalltherequiredsoftware.DiscoveryHostListofAntivirus&Anti-SpywareProductsDetectedbytheAgentNo.DescriptionValueProductTypeProductNameProductVersionDefinitionVersionDefinitionDate Cisco Identity Services Engine Administrator Guide, Release 1.3 555 Create an Agent Customization File for the Cisco NAC Agent
MandatorySystemRebootRequiredYouneedtorebootyoursysteminorderforthechangestotakeeffect.UnabletoremediateparticularrequirementTheremediationyouareattemptingisreportinganaccessdeniederror.Thisisusuallyduetoaprivilegeissue.Pleasecontactyoursystemadministrator.Theremediationyouareattemptinghasfailedwithaninternalerror.Pleasecontactyoursystemadministrator.Theremediationyouareattemptingrequireselevation.Pleasecontactyoursystemadministrator.Theremediationyouareattemptinghadafailure.Iftheproblempersistscontactyoursystemadministrator.Theremediationyouareattemptinghasreportedaninternalerror.Ifthisproblempersistspleasecontactyoursystemadministrator.Theremediationyouareattemptingisnotimplementedforthisproduct.Pleasecontactyoursystemadministrator.Theremediationyouareattemptingisnotsupportedforthisproduct.Pleasecontactyoursystemadministrator.TheAV/ASupdatehasfailed.Pleasetryagainandifthismessagecontinuestodisplaycontactyoursystemadministrator.TheAV/ASupdatefailedduetoanetworkingissue.Pleasetryagainandifthismessagecontinuestodisplaycontactyoursystemadministrator.Theremediationyouareattemptinghastimedoutwaitingfortheoperationtofinish.Ifthiscontinuespleasecontactyoursystemadministrator.Thesizeofthedownloadedfiledoesnotmatchthepackage!Pleasediscarddownloadedfileandcheckwithyouradministrator.Thefilethathasbeenrequestedwasnotdigitallysigned.Pleasetryagainandifthismessagecontinuestodisplaycontactyoursystemadministrator.Thelocationforthefiletobesavedtocannotbewritten.Pleasechooseadifferentlocation.Therequestedfileisnotfound.Pleasetryagainandifthisproblempersists,contactyoursystemadministrator.Thefilethathasbeenrequestedcouldnotbelaunchedeitherbecauseitcouldnotbefoundortherewasaproblemlaunchingit.Pleasecontactyoursystemadministrator.ThefilethatistryingtobedownloadedhasanincorrectURL.Pleasecontactyoursystemadministrator. Cisco Identity Services Engine Administrator Guide, Release 1.3 556 Create an Agent Customization File for the Cisco NAC Agent
Therehasbeenanetworkerror,pleasetrytheremediationagain.Ifthismessagecontinuestobeseencontactyoursystemadministrator.Theremediationyouaretryingtodocannotbeaccomplishedatyouruserlevel.Pleasecontactyoursystemadministrator.TheWSUSsearchfailed.Thisisprobablyduetoanetworkissue.Pleasetryagainandifthismessagecontinuestodisplaycontactyoursystemadministrator.AgentencounteredproblemslogginguserNetworkError:NACServercouldnotestablishasecureconnectiontoNACManager.Thiscouldbeduetooneormoreofthefollowingreasons:1)NACManagercertificatehasexpiredor2)NACManagercertificatecannotbetrustedor3)NACManagercannotbereachedor4)NACManagerisnotrespondingPleasereportthistoyournetworkadministrator.InvalidprovidernameFailedtoaddusertoonlinelistServercommunicationerrorInvalidusernameorpasswordUnknownuserAccountexpiredAccountcurrentlydisabledExceedquotalimitInsufficientCleanAccesspackagesinstalledAccesstonetworkisblockedbytheadministratorVulnerabilitiesnotfixedThisclientversionisoldandnotcompatible.Pleaseloginfromwebbrowsertoseethedownloadlinkforthenewversion.NetworkpolicyisnotacceptedInvalidswitchconfigurationToomanyusersusingthisaccountInvalidsession Cisco Identity Services Engine Administrator Guide, Release 1.3 557 Create an Agent Customization File for the Cisco NAC Agent
NullsessionInvaliduserroleInvalidloginpageEncodingfailureAsecurityenhancementisrequiredforyourAgent.PleaseupgradeyourAgentorcontactyournetworkadministrator.CannotfindserverreferenceUserrolecurrentlydisabledAuthenticationserverisnotreachableAgentuseroperatingsystemisnotsupportedTheAgenthasencounteredanunexpectederrorandisrestarting.CleanAccessServerisnotavailableonthenetwork.Authenticationinterruptedduetonetworkstatuschange.PressOKtoretry.CleanAccessServerisnotproperlyconfigured.Pleasecontactyouradministratoriftheproblempersists.SavingReportUnabletosavereportClickingCancelmaychangeyournetworkconnectivityandinterruptdownloadorrequiredupdates.Doyouwanttocontinue?DismisstocontinueSuccessfullyloggedoutfromthenetwork! Thereisnolimittothenumberofcharactersyoucanuseforthecustomizedtext.However,Cisco recommendsrestrictingthelengthsothatthesefieldsdonottakeuptoomuchspaceintheresulting customizedloginscreenasitappearsontheclient. Note Cisco Identity Services Engine Administrator Guide, Release 1.3 558 Create an Agent Customization File for the Cisco NAC Agent
Sample Extended nacStrings_xx.xml File FullNetworkAccessYourdeviceconformswithallthesecuritypoliciesforthisprotectednetworkOnlyoptionalrequirementsarefailing.Itisrecommendedthatyouupdateyoursystematyourearliestconvenience.RefreshingIPaddress.PleaseWait...RefreshingIPaddresssucceeded.ConnectingtoprotectedNetwork.PleaseWait...GuestNetworkAccessNetworkAccessDeniedThereisatleastonemandatoryrequirementfailing.Youarerequiredtoupdateyoursystembeforeyoucanaccessthenetwork.NetworkUsageTermsandConditionsarerejected.Youwillnotbeallowedtoaccessthenetwork.RestrictedNetworkAccessgranted.Youhavebeengrantedrestrictednetworkaccessbecauseyourdevicedidnotconformwithallthesecuritypoliciesforthisprotectednetworkandyouhaveoptedtodeferupdatingyoursystem.Itisrecommendedthatyouupdateyoursystematyourearliestconvenience.TemporaryNetworkAccess Pleasebepatientwhileyoursystemischeckedagainstthenetworksecuritypolicy.PerformingRe-assessmentThereisatleastonemandatoryrequirementfailing.Youarerequiredtoupdateyoursystemotherwiseyournetworkaccesswillberestricted.PerformingRe-assessmentOnlyoptionalrequirementsarefailing.Itisrecommendedthatyouupdateyoursystematyourearliestconvenience.LoggedoutTemporaryAccesstothenetworkhasexpired.Loggedout UpdateFeed.xml Descriptor File Template ThisisoneofthefilesthatisrequiredinyourAgentscreencustomizationpackage,allowsyoutocustomize thelogo,fields,andmessagetextcontainedinaCiscoNACAgentdialog,likethePropertiesscreen,tosuit yourspecificWindowsclientnetworkaccessrequirements. BeforeyoucancompleteyourAgentscreencustomizationpackage,youmustconstructasuitable updateFeed.xmlXMLdescriptorfile.UsethefollowingexampleasatemplatetosetuptheupdateFeed.xml descriptorfilerequiredforyourcustomizationpackage. ProvisioningUpdate2011-12-21T12:00:00Zhttps://www.cisco.com/web/secure/pmbu/[email protected] Cisco Identity Services Engine Administrator Guide, Release 1.3 559 Create an Agent Customization File for the Cisco NAC Agent
http://foo.foo.com/foo/AgentCustomizationPackage/1/1/1/7AgentCustomizationPackage2010-06-07T12:00:00ZThisisEFAgentCustomizationPackage1.1.1.7AgentCustomizationPackage1.1.1.7WINDOWS_ALL NotethefollowingpointswhilecreatingtheupdateFeed.xmldescriptorfile: •—Youmustalwayssetthisattributeto“WINDOWS_ALL”toincludealltheWindowsOS versionsthataresupportedbyCiscoNACAgent.SeeSupportInformationforCiscoNACAppliance AgentsforthelistofWindowsOSversionsthataresupportedbyCiscoNACAgent. •—ThisreferstotheAgentCustomizationPackageversionthatyouwanttoupgrade to.Thisvalueshouldbefourdigitandshouldbegreaterthanthepackageversionthatis currentlyinstalled. •—Thisidcanbeanything,butshouldbeuniqueforeachAgentCustomizationPackage. Example XML File Generated Using the Create Profile Function 0301000displayFailed151default013012010 Thisfilealsocontainstwostatic(thatis,uneditablebytheuserorCiscoISEadministrator) “AgentCfgVersion”and“AgentBrandVersion”parametersusedtoidentifythecurrentversionoftheagent profileandagentcustomizationfile,respectively,ontheclient. Note Cisco Identity Services Engine Administrator Guide, Release 1.3 560 Create an Agent Customization File for the Cisco NAC Agent
Configure Client Provisioning Resource Policies Forclients,theclientprovisioningresourcepoliciesdeterminewhichusersreceivewhichversion(orversions) ofresources(agents,agentcompliancemodules,and/oragentcustomizationpackages/profiles)fromCisco ISEuponloginandusersessioninitiation. ForAnyConnect,resourcescanbeselectedeitherfromtheclientprovisioningresourcespagetocreatean AnyConnectconfigurationthatyoucanuseintheclientprovisioningpolicypage.AnyConnectconfiguration istheAnyConnectsoftwareanditsassociationwithdifferentconfigurationfilesthatincludesAnyConnect binarypackageforWindowsandMacOSXclients,compliancemodule.moduleprofiles,customizationand languagepackagesforAnyConnect. ForCiscoISENACagents,resourcescanbeselectedfromtheclientprovisioningpolicypage. Before You Begin •Beforeyoucancreateeffectiveclient-provisioningresourcepolicies,ensurethatyouhaveaddedresources toCiscoISE.Whenyoudownloadtheagentcompliancemodule,italwaysoverwritestheexistingone, ifany,availableinthesystem. •Checkthenativesupplicantprofilethatisusedintheclientprovisioningpolicyandensurethatthe wirelessSSIDiscorrect.ForiOSdevices,ifthenetworkthatyouaretryingtoconnecttoishidden, checktheEnableiftargetnetworkishiddencheckboxfromtheiOSSettingsarea. Procedure Step 1ChoosePolicy>ClientProvisioning. Step 2ChooseEnable,Disable,orMonitorfromthebehaviordrop-downlist: •Enable—EnsuresCiscoISEusesthispolicytohelpfulfillclient-provisioningfunctionswhenuserslog intothenetworkandconformtotheclient-provisioningpolicyguidelines. •Disable—CiscoISEdoesnotusethespecifiedresourcepolicytofulfillclient-provisioningfunctions. •Monitor—Disablesthepolicyand“watches”theclient-provisioningsessionrequeststoseehowmany timesCiscoISEtriestoinvokebasedonthe“Monitored”policy. Step 3EnteranameforthenewresourcepolicyintheRuleNametextbox. Step 4SpecifyoneormoreIdentityGroupstowhichauserwhologsintoCiscoISEmightbelong. YoucanchoosetospecifytheAnyidentitygrouptype,orchooseoneormoregroupsfromalistofexisting IdentityGroupsthatyouhaveconfigured. Step 5UsetheOperatingSystemsfieldtospecifyoneormoreoperatingsystemsthatmightberunningontheclient machineordevicethroughwhichtheuserisloggingintoCiscoISE. Youcanchoosetospecifyasingleoperatingsystemlike"Android","MaciOS',and"MacOSX"oran umbrellaoperatingsystemdesignationthataddressesanumberofclientmachineoperatingsystemslike "WindowsXP(All)"or"Windows7(All)." Step 6IntheOtherConditionsfield,specifyanewexpressionthatyouwanttocreateforthisparticularresource policy. Step 7Forclientmachines,useAgentConfigurationtospecifywhichagenttype,compliancemodule,agent customizationpackage,and/orprofiletomakeavailableandprovisionontheclientmachine. Cisco Identity Services Engine Administrator Guide, Release 1.3 561 Configure Client Provisioning Resource Policies
ItismandatorytoincludetheclientprovisioningURLinauthorizationpolicy,toenabletheNACAgentto popupintheclientmachines.Thispreventsrequestfromanyrandomclientsandensuresthatonlyclients withproperredirectURLcanrequestforpostureassessment. Step 8ClickSave. What to Do Next Onceyouhavesuccessfullyconfiguredoneormoreclientprovisioningresourcepolicies,youcanstartto configureCiscoISEtoperformpostureassessmentonclientmachinesduringlogin. Configure Cisco ISE Posture Agent in the Client Provisioning Policy Forclientmachines,configurewhichagenttype,compliancemodule,agentcustomizationpackage,and/or profiletomakeavailableandprovisionforuserstodownloadandinstallontheclientmachine. Before You Begin YoumusthaveaddedclientprovisioningresourcesforAnyConnectandCiscoISENACinCiscoISE. Procedure Step 1ChooseanavailableagentfromtheAgentdrop-downlistandspecifywhethertheagentupgrade(download) definedhereismandatoryfortheclientmachinebyenablingordisablingtheIsUpgradeMandatoryoption, asappropriate. TheIsUpgradeMandatorysettingonlyappliestoagentdownloads.Agentprofile,compliancemodule,and Agentcustomizationpackageupdatesarealwaysmandatory. Step 2ChooseanexistingagentprofilefromtheProfiledrop-downlist. Step 3ChooseanavailablecompliancemoduletodownloadtotheclientmachineusingtheComplianceModule drop-downlist. Step 4ChooseanavailableagentcustomizationpackagefortheclientmachinefromtheAgentCustomization Packagedrop-downlist. Configure Native Supplicants for Personal Devices Employeescanconnecttheirpersonaldevicestothenetworkdirectlyusingnativesupplicants,whichare availableforWindows,MacOS,iOS,andAndroiddevices.Forpersonaldevices,specifywhichNative Supplicantconfigurationtomakeavailableandprovisionontheregisteredpersonaldevice. Before You Begin Createnativesupplicantprofilessothatwhenuserlogin,basedontheprofilethatyouassociatewiththat usersauthorizationrequirements,CiscoISEprovidesthenecessarysupplicantprovisioningwizardtosetup theuserspersonaldevicestoaccessthenetwork. Cisco Identity Services Engine Administrator Guide, Release 1.3 562 Configure Client Provisioning Resource Policies
Procedure Step 1ChoosePolicy>ClientProvisioning. Step 2ChooseEnable,Disable,orMonitorfromthebehaviordrop-downlist: Step 3EnteranameforthenewresourcepolicyintheRuleNametextbox. Step 4Specifythefollowing: •UsetheIdentityGroupsfieldtospecifyoneormoreIdentityGroupstowhichauserwhologsintoCisco ISEmightbelong. •UsetheOperatingSystemfieldtospecifyoneormoreoperatingsystemsthatmightberunningonthe personaldevicethroughwhichtheuserisloggingintoCiscoISE. •UsetheOtherConditionsfieldtospecifyanewexpressionthatyouwanttocreateforthisparticular resourcepolicy. Step 5Forpersonaldevices,useNativeSupplicantConfigurationtochoosethespecificConfigurationWizard todistributetothesepersonaldevices. Step 6SpecifytheapplicableWizardProfileforthegivenpersonaldevicetype. Step 7ClickSave. Client Provisioning Reports YoucanaccesstheCiscoISEmonitoringandtroubleshootingfunctionstocheckonoveralltrendsforsuccessful orunsuccessfuluserloginsessions,gatherstatisticsaboutthenumberandtypesofclientmachineslogging intothenetworkduringaspecifiedtimeperiod,orcheckonanyrecentconfigurationchangesinclient provisioningresources. Client Provisioning Requests TheOperations>ReportsISEReportsEndpointsandUsersClientProvisioningreportdisplaysstatistics aboutsuccessfulandunsuccessfulclientprovisioningrequests.WhenyouchooseRunandspecifyoneofthe presettimeperiods,CiscoISEcombsthedatabaseanddisplaystheresultingclientprovisioningdata. Supplicant Provisioning Requests TheOperations>Reports>ISEReports>EndpointsandUsers>SupplicantProvisioningwindow displaysinformationaboutrecentsuccessfulandunsuccessfuluserdeviceregistrationandsupplicant provisioningrequests.WhenyouchooseRunandspecifyoneofthepresettimeperiods,CiscoISEcombs thedatabaseanddisplaystheresultingsupplicantprovisioningdata. TheSupplicantProvisioningreportprovidesinformationaboutalistofendpointsthatareregisteredthrough thedeviceregistrationportalforaspecificperiodoftime,includingdataliketheLoggedatDateandTime, Identity(userID),IPAddress,MACAddress(endpointID),Server,profile,EndpointOperatingSystem, SPWVersion,FailureReason(ifany),andtheStatusoftheregistration. Cisco Identity Services Engine Administrator Guide, Release 1.3 563 Client Provisioning Reports
Client Provisioning Event Logs Youcansearcheventlogentriestohelpdiagnoseapossibleproblemwithclientloginbehavior.Forexample, youmayneedtodeterminethesourceofanissuewhereclientmachinesonyournetworkarenotabletoget clientprovisioningresourceupdatesuponlogin.YoucanuseloggingentriesforPostureandClientProvisioning AuditandPostureandClientProvisioningDiagnostics. Cisco Identity Services Engine Administrator Guide, Release 1.3 564 Client Provisioning Event Logs