• Turn off Automatic Updates—Windows allows clients to turn off the Windows Automatic Updates feature. Such clients remain vulnerable unless they install updates regularly, which can be done from the Windows Update Web site link.

You can check whether the Windows Update service (wuauserv) is started or stopped on any Windows client by using the pr_AutoUpdateCheck_Rule. This is a predefined Cisco rule that can be used to create a posture requirement. If the posture requirement fails, the Windows Update remediation that you associate with the requirement forces the Windows client to remediate by using one of the options in Automatic Updates.

Add a Windows Update Remediation

The Windows Update Remediations page displays all the Windows Update remediations along with their name, description, and mode of remediation.

Procedure

Step 1 Choose Policy > Policy Elements > Results > Posture.
Step 2 Click Remediation Actions.
Step 3 Click Windows Update Remediation.
Step 4 Click Add.
Step 5 Modify the values in the New Windows Update Remediation page.
Step 6 Click Submit.

Add a Windows Server Update Services Remediation

You can configure Windows clients to receive the latest WSUS updates from a locally administered or a Microsoft-managed WSUS server for compliance. A Windows Server Update Services (WSUS) remediation installs the latest Windows service packs, hotfixes, and patches from a locally managed WSUS server or a Microsoft-managed WSUS server.

You can create a WSUS remediation where the client agent integrates with the local WSUS Agent to check whether the endpoint is up to date for WSUS updates.

Procedure

Step 1 Choose Policy > Policy Elements > Results > Posture.
Step 2 Click Remediation Actions.
Step 3 Click Windows Server Update Services Remediation.
Step 4 Click Add.
Step 5 Modify the values in the New Windows Server Update Services Remediation page.
Step 6 Click Submit.

Cisco Identity Services Engine Administrator Guide, Release 1.3, page 585, Custom Posture Remediation Actions
Posture Assessment Requirements

A posture requirement is a set of compound conditions with an associated remediation action that can be linked with a role and an operating system. All the clients connecting to your network must meet the mandatory requirements during posture evaluation to become compliant on the network.

Posture-policy requirements can be set to mandatory, optional, or audit types in posture policies. If requirements are optional and clients fail these requirements, then the clients have an option to continue during posture evaluation of endpoints.

Figure 34: Posture Policy Requirement Types

Mandatory Requirements

During policy evaluation, the agent provides remediation options to clients who fail to meet the mandatory requirements defined in the posture policy. End users must remediate to meet the requirements within the time specified in the remediation timer settings.

For example, you have specified a mandatory requirement with a user-defined condition to check the existence of C:\temp\text.file in the absolute path. If the file does not exist, the mandatory requirement fails and the user will be moved to the Non-Compliant state.

Optional Requirements

During policy evaluation, the agent provides an option for clients to continue when they fail to meet the optional requirements specified in the posture policy. End users are allowed to skip the specified optional requirements.

For example, you have specified an optional requirement with a user-defined condition to check for an application running on the client machine, such as Calc.exe. Although the client fails to meet the condition, the agent prompts an option to continue further, so that the optional requirement is skipped and the end user is moved to the Compliant state.

Audit Requirements

Audit requirements are specified for internal purposes, and the agent does not prompt any message or request input from end users, regardless of the pass or fail status during policy evaluation.

For example, you are in the process of creating a mandatory policy condition to check whether end users have the latest version of the antivirus program. If you want to find out the non-compliant end users before actually enforcing it as a policy condition, you can specify it as an audit requirement.
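The following is an added illustration, not Cisco ISE code, of how the three requirement types above decide an endpoint's compliance status: only a failed mandatory requirement yields noncompliant, optional failures are skippable, and audit failures are recorded silently. The Requirement/PostureResult classes, the endpoint "facts" dictionary and the sample policy (built from the file, Calc.exe, antivirus and wuauserv checks mentioned in the text) are constructed here.

```python
# Added illustration, not Cisco ISE code: models how mandatory, optional and
# audit requirements feed into an endpoint's compliance status.
from dataclasses import dataclass, field
from typing import Callable, List

MANDATORY, OPTIONAL, AUDIT = "mandatory", "optional", "audit"


@dataclass
class Requirement:
    name: str
    kind: str                      # MANDATORY, OPTIONAL or AUDIT
    check: Callable[[dict], bool]  # the (compound) condition, run over endpoint facts
    remediation: str = ""          # remediation action offered when a mandatory check fails


@dataclass
class PostureResult:
    status: str = "compliant"                                # "compliant" / "noncompliant"
    remediations: List[str] = field(default_factory=list)    # shown to the user, timer applies
    skipped: List[str] = field(default_factory=list)         # optional failures the user may skip
    audit_failures: List[str] = field(default_factory=list)  # recorded only, no user prompt


def evaluate(requirements: List[Requirement], facts: dict) -> PostureResult:
    """Only a failed mandatory requirement moves the endpoint to noncompliant."""
    result = PostureResult()
    for req in requirements:
        if req.check(facts):
            continue
        if req.kind == MANDATORY:
            result.status = "noncompliant"
            result.remediations.append(f"{req.name}: {req.remediation}")
        elif req.kind == OPTIONAL:
            result.skipped.append(req.name)         # agent offers "continue"
        elif req.kind == AUDIT:
            result.audit_failures.append(req.name)  # silent, for administrator reporting
        else:
            raise ValueError(f"unknown requirement type {req.kind!r}")
    return result


# Constructed policy mirroring the examples in the text; versions compare as tuples.
POLICY = [
    Requirement("Temp file present", MANDATORY,
                lambda f: r"C:\temp\text.file" in f["files"], "create the file"),
    Requirement("Windows Update service running", MANDATORY,
                lambda f: f["services"].get("wuauserv") == "running",
                "Windows Update Remediation"),
    Requirement("Calc.exe running", OPTIONAL, lambda f: "Calc.exe" in f["processes"]),
    Requirement("Antivirus up to date", AUDIT, lambda f: f["av_version"] >= f["av_latest"]),
]
```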
Client System Stuck in Noncompliant State

If a client machine is unable to remediate a mandatory requirement, the posture status changes to “noncompliant” and the agent session is quarantined. To get the client machine past this “noncompliant” state, you need to restart the posture session so that the agent starts posture assessment on the client machine again. You can restart the posture session as follows:

• In wired and wireless Change of Authorization (CoA) in an 802.1X environment:
  ◦ You can configure the Reauthentication timer for a specific authorization policy when you create a new authorization profile in the New Authorization Profiles page. See the “Configuring Permissions for Downloadable ACLs” section on page 20-11 for more information. This method is not supported in Inline Posture deployments.
  ◦ Wired users can get out of the quarantine state once they disconnect and reconnect to the network. In a wireless environment, the user must disconnect from the wireless LAN controller (WLC) and wait until the user idle timeout period has expired before attempting to reconnect to the network.
• In a VPN environment—Disconnect and reconnect the VPN tunnel.

Create Client Posture Requirements

You can create a requirement in the Requirements page, where you can associate user-defined conditions, Cisco-defined conditions, and remediation actions. Once created and saved in the Requirements page, user-defined conditions and remediation actions can be viewed from their respective list pages.

Before You Begin

• You must have an understanding of acceptable use policies (AUPs) for a posture.

Procedure

Step 1 Choose Policy > Policy Elements > Results > Posture > Requirements.
Step 2 Enter the values in the Requirements page.
Step 3 Click Done to save the posture requirement in read-only mode.
Step 4 Click Save.

Custom Permissions for Posture

A custom permission is a standard authorization profile that you define in Cisco ISE. Standard authorization profiles set access privileges based on the matching compliance status of the endpoints. The posture service broadly classifies the posture into unknown, compliant, and noncompliant profiles. The posture policies and the posture requirements determine the compliance status of the endpoint.
You must create three different authorization profiles for the unknown, compliant, and noncompliant posture statuses of endpoints; each can have a different set of VLANs, DACLs, and other attribute-value pairs. These profiles can be associated with three different authorization policies. To differentiate these authorization policies, you can use the Session:PostureStatus attribute along with other conditions.

Unknown Profile

If no matching posture policy is defined for an endpoint, then the posture compliance status of the endpoint may be set to unknown. A posture compliance status of unknown can also apply to an endpoint where a matching posture policy is enabled but posture assessment has not yet occurred for that endpoint and, therefore, no compliance report has been provided by the client agent.

Compliant Profile

If a matching posture policy is defined for an endpoint, then the posture compliance status of the endpoint is set to compliant when, during posture assessment, the endpoint meets all the mandatory requirements that are defined in the matching posture policy. An endpoint that is postured compliant can be granted privileged network access on your network.

Noncompliant Profile

The posture compliance status of an endpoint is set to noncompliant when a matching posture policy is defined for that endpoint but it fails to meet all the mandatory requirements during posture assessment. An endpoint that is postured noncompliant matches a posture requirement with a remediation action, and it should be granted limited network access to remediation resources in order to remediate itself.

Configure Standard Authorization Policies

You can define two types of authorization policies in the Authorization Policy page: standard and exceptions authorization policies. The standard authorization policies that are specific to posture are used to make policy decisions based on the compliance status of endpoints.

Procedure

Step 1 Choose Policy > Authorization.
Step 2 Choose one of the matching rule types to apply from the drop-down list shown at the top of the Authorization Policy page.
• First Matched Rule Applies—This option sets access privileges with a single authorization policy that is first matched during evaluation from the list of standard authorization policies. Once the first matching authorization policy is found, the rest of the standard authorization policies are not evaluated.
• Multiple Matched Rule Applies—This option sets access privileges with multiple authorization policies that are matched during evaluation from the list of all the standard authorization policies.
Step 3 Click the down arrow next to Edit in the default standard authorization policy row.
Step 4 Click Insert New Rule Above.
Step 5 Enter a rule name, choose identity groups and other conditions, and associate an authorization profile in the new authorization policy row that appears above the default standard authorization policy row.
Step 6 Click Done to create a new standard authorization policy in read-only mode.
Step 7 Click Save.
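The following is an added illustration, not Cisco ISE code, of the two matching modes above applied to an ordered rule list that separates endpoints by Session:PostureStatus, as the Custom Permissions for Posture section recommends. The rule names, the IdentityGroup attribute, the profile names and the always-matching Default rule are constructed.

```python
# Added illustration, not Cisco ISE code: evaluates an ordered list of standard
# authorization rules under both matching modes. Rule, profile and identity
# group names are constructed; Session:PostureStatus is the attribute from the text.
from dataclasses import dataclass, field
from typing import Dict, List

FIRST_MATCHED = "First Matched Rule Applies"
MULTIPLE_MATCHED = "Multiple Matched Rule Applies"


@dataclass
class AuthzRule:
    name: str
    profile: str                                              # authorization profile (custom permission)
    conditions: Dict[str, str] = field(default_factory=dict)  # all must hold; empty = default rule

    def matches(self, session: Dict[str, str]) -> bool:
        return all(session.get(attr) == want for attr, want in self.conditions.items())


def authorize(rules: List[AuthzRule], session: Dict[str, str], mode: str) -> List[str]:
    """Walk the rules top to bottom, as on the Authorization Policy page; return profiles."""
    if mode not in (FIRST_MATCHED, MULTIPLE_MATCHED):
        raise ValueError(f"unknown matching mode {mode!r}")
    granted = []
    for rule in rules:
        if rule.matches(session):
            granted.append(rule.profile)
            if mode == FIRST_MATCHED:
                break                 # remaining standard rules are not evaluated
    return granted


# Constructed policy: one rule per posture status, default rule last (always matches).
RULES = [
    AuthzRule("Posture_Unknown", "Posture_Redirect",
              {"Session:PostureStatus": "unknown"}),
    AuthzRule("Employee_Compliant", "Employee_Full_Access",
              {"Session:PostureStatus": "compliant", "IdentityGroup": "Employee"}),
    AuthzRule("Posture_NonCompliant", "Remediation_Only",
              {"Session:PostureStatus": "noncompliant"}),
    AuthzRule("Default", "Default_Access"),
]
```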
CHAPTER 24

Cisco TrustSec Policies Configuration

• TrustSec Architecture, page 591
• Configure TrustSec Global Settings, page 594
• Configure TrustSec Devices, page 595
• Configure TrustSec AAA Servers, page 597
• Security Groups Configuration, page 598
• Egress Policy, page 601
• SGT Assignment, page 607
• TrustSec Configuration and Policy Push, page 612
• Run Top N RBACL Drops by User Report, page 621

TrustSec Architecture

The Cisco TrustSec solution establishes clouds of trusted network devices to build secure networks. Each device in the Cisco TrustSec cloud is authenticated by its neighbors (peers). Communication between the devices in the TrustSec cloud is secured with a combination of encryption, message integrity checks, and data-path replay protection mechanisms. The TrustSec solution uses the device and user identity information that it obtains during authentication to classify, or color, the packets as they enter the network. This packet classification is maintained by tagging packets when they enter the TrustSec network so that they can be properly identified for the purpose of applying security and other policy criteria along the data path. The tag, also called the security group tag (SGT), allows Cisco ISE to enforce access control policies by enabling the endpoint device to act upon the SGT to filter traffic.
The following figure shows an example of a TrustSec network cloud.

Figure 35: TrustSec Architecture

TrustSec Components

The key TrustSec components include:

• Network Device Admission Control (NDAC)—In a trusted network, during authentication, each network device (for example, an Ethernet switch) in a TrustSec cloud is verified for its credential and trustworthiness by its peer device. NDAC uses IEEE 802.1X port-based authentication and uses Extensible Authentication Protocol-Flexible Authentication via Secure Tunneling (EAP-FAST) as its Extensible Authentication Protocol (EAP) method. Successful authentication and authorization in the NDAC process results in Security Association Protocol negotiation for IEEE 802.1AE encryption.
• Endpoint Admission Control (EAC)—An authentication process for an endpoint user or a device connecting to the TrustSec cloud. EAC typically happens at the access-level switch. Successful authentication and authorization in the EAC process results in SGT assignment to the user or device. EAC access methods for authentication and authorization include:
  ◦ 802.1X port-based authentication
  ◦ MAC authentication bypass (MAB)
  ◦ Web authentication (WebAuth)
• Security Group (SG)—A grouping of users, endpoint devices, and resources that share access control policies. SGs are defined by the administrator in Cisco ISE. As new users and devices are added to the TrustSec domain, Cisco ISE assigns these new entities to the appropriate security groups.
• Security Group Tag (SGT)—The TrustSec service assigns to each security group a unique 16-bit security group number whose scope is global within a TrustSec domain. The number of security groups in the switch is limited to the number of authenticated network entities. You do not have to manually configure security group numbers. They are automatically generated, but you have the option to reserve a range of SGTs for IP-to-SGT mapping.
• Security Group Access Control List (SGACL)—SGACLs allow you to control access and permissions based on the SGTs that are assigned. The grouping of permissions into a role simplifies the management of security policy. As you add devices, you simply assign one or more security groups, and they immediately receive the appropriate permissions. You can modify the security groups to introduce new privileges or restrict current permissions.
• Security Exchange Protocol (SXP)—SGT Exchange Protocol (SXP) is a protocol developed for the TrustSec service to propagate the IP-SGT bindings across network devices that do not have SGT-capable hardware support to hardware that supports SGT/SGACL.
• Environment Data Download—The TrustSec device obtains its environment data from Cisco ISE when it first joins a trusted network. You can also manually configure some of the data on the device. The device must refresh the environment data before it expires. The TrustSec device obtains the following environment data from Cisco ISE:
  ◦ Server lists—List of servers that the client can use for future RADIUS requests (for both authentication and authorization)
  ◦ Device SG—Security group to which the device itself belongs
  ◦ Expiry timeout—Interval that controls how often the TrustSec device should download or refresh its environment data
• SGT Reservation—An enhancement in Cisco ISE to reserve a range of SGTs to enable IP-to-SGT mapping.
• IP-to-SGT Mapping—An enhancement in Cisco ISE to bind an endpoint IP to an SGT and provision it to a TrustSec-capable device. Cisco ISE supports entering 1000 IP-to-SGT mappings.
• Identity-to-Port Mapping—A method for a switch to define the identity on a port to which an endpoint is connected, and to use this identity to look up a particular SGT value in the Cisco ISE server.

TrustSec Terminology

The following table lists some of the common terms that are used in the TrustSec solution and their meaning in a TrustSec environment.

Table 50: TrustSec Terminology

Supplicant: A device that tries to join a trusted network.
Authentication: The process of verifying the identity of each device before allowing it to be part of the trusted network.
Authorization: The process of deciding the level of access for a device that requests access to a resource on a trusted network, based on the authenticated identity of the device.
Access control: The process of applying access control on a per-packet basis, based on the SGT that is assigned to each packet.
Secure communication: The process of encryption, integrity, and data-path replay protection for securing the packets that flow over each link in a trusted network.
TrustSec device: Any of the Cisco Catalyst 6000 Series or Cisco Nexus 7000 Series switches that support the TrustSec solution.
TrustSec-capable device: A TrustSec-capable device has TrustSec-capable hardware and software. For example, the Nexus 7000 Series Switches with the Nexus operating system.
TrustSec seed device: The TrustSec device that authenticates directly against the Cisco ISE server. It acts as both the authenticator and supplicant.
Ingress: When packets first encounter a TrustSec-capable device that is part of a network where the Cisco TrustSec solution is enabled, they are tagged with an SGT. This point of entry into the trusted network is called the ingress.
Egress: When packets pass the last TrustSec-capable device that is part of a network where the Cisco TrustSec solution is enabled, they are untagged. This point of exit from the trusted network is called the egress.

Supported Switches and Required Components for TrustSec

To set up a Cisco ISE network that is enabled with the Cisco TrustSec solution, you need switches that support the TrustSec solution and other components. Apart from the switches, you also need other components for identity-based user access control using the IEEE 802.1X protocol. For a complete, up-to-date list of the TrustSec-supported Cisco switch platforms and the required components, see Cisco TrustSec-Enabled Infrastructure.

Configure TrustSec Global Settings

For Cisco ISE to function as a TrustSec server and provide TrustSec services, you must define some global TrustSec settings.

Before You Begin

• Before you configure global TrustSec settings, ensure that you have defined global EAP-FAST settings (choose Administration > System > Settings > Protocols > EAP-FAST > EAP-FAST Settings). You may change the Authority Identity Info Description to your Cisco ISE server name. This description is a user-friendly string that describes the Cisco ISE server that sends credentials to an endpoint client. The client in a Cisco TrustSec architecture can be either the endpoint running EAP-FAST as its EAP method for IEEE 802.1X authentication or the supplicant network device performing Network Device Access Control (NDAC). The client can discover this string in the protected access credentials (PAC) type-length-value (TLV) information. The default value is Identity Services Engine. You should change the value so that the Cisco ISE PAC information can be uniquely identified on network devices upon NDAC authentication.
• To perform the following task, you must be a Super Admin or System Admin.
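The following is an added toy model, not Cisco ISE or switch code, of the TrustSec components described in the TrustSec Components list above: automatically generated 16-bit SGTs that skip a reserved range, static IP-to-SGT bindings capped at the 1000 mappings the text states, ingress classification of a packet by its source address, and egress enforcement through an SGACL matrix keyed on (source SGT, destination SGT). The class name, the 1000-1099 reserved range, the deny default, SGT 0 for unbound addresses and the sample addresses are constructed.

```python
# Added illustration, not Cisco ISE or switch code: a toy TrustSec domain with
# auto-generated SGTs, a reserved SGT range, IP-to-SGT bindings and an SGACL
# egress matrix. Names, the 1000-1099 reserved range, SGT 0 for unbound traffic
# and the deny default are constructed; 16-bit SGTs and the 1000-mapping cap are from the text.
import ipaddress

SGT_MAX = 0xFFFF            # SGT is a 16-bit number, global within the domain
MAX_IP_SGT_MAPPINGS = 1000  # Cisco ISE supports entering 1000 IP-to-SGT mappings
UNKNOWN_SGT = 0             # constructed tag for an address without a binding


class TrustSecDomain:
    def __init__(self, reserved=(1000, 1099), default_action="deny"):
        self.reserved = reserved              # SGTs set aside for IP-to-SGT mapping
        self.default_action = default_action  # applied when no SGACL cell exists
        self.groups = {}                      # security group name -> SGT
        self.ip_sgt = {}                      # IPv4 address -> SGT
        self.sgacl = {}                       # (src SGT, dst SGT) -> "permit" / "deny"
        self._next_sgt = 2                    # constructed start for auto-generated SGTs

    def add_security_group(self, name):
        """Auto-generate the next SGT, skipping the reserved range (no manual numbering)."""
        lo, hi = self.reserved
        if lo <= self._next_sgt <= hi:
            self._next_sgt = hi + 1
        if self._next_sgt > SGT_MAX:
            raise ValueError("SGT space exhausted")
        self.groups[name] = self._next_sgt
        self._next_sgt += 1
        return self.groups[name]

    def map_ip_to_sgt(self, ip, sgt):
        """Bind an endpoint IP to a defined or reserved SGT, honouring the mapping cap."""
        lo, hi = self.reserved
        if sgt not in self.groups.values() and not lo <= sgt <= hi:
            raise ValueError(f"SGT {sgt} is neither a defined group nor reserved")
        addr = ipaddress.IPv4Address(ip)      # rejects malformed addresses
        if addr not in self.ip_sgt and len(self.ip_sgt) >= MAX_IP_SGT_MAPPINGS:
            raise ValueError("IP-to-SGT mapping limit reached")
        self.ip_sgt[addr] = sgt

    def classify(self, ip):
        """Ingress: colour the packet with the SGT bound to the address."""
        return self.ip_sgt.get(ipaddress.IPv4Address(ip), UNKNOWN_SGT)

    def enforce(self, src_ip, dst_ip):
        """Egress: look up the SGACL cell for (source SGT, destination SGT)."""
        key = (self.classify(src_ip), self.classify(dst_ip))
        return self.sgacl.get(key, self.default_action)
```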