Cisco ISE 1.3 User Guide
Procedure

Step 1 Choose Administration > System > Settings > TrustSec Settings.
Step 2 Enter the values in the fields.
Step 3 Click Save.

What to Do Next

• Configure TrustSec Devices, on page 595

Configure TrustSec Devices

For Cisco ISE to process requests from TrustSec-enabled devices, you must define these TrustSec-enabled devices in Cisco ISE.

Procedure

Step 1 Choose Administration > Network Resources > Network Devices.
Step 2 Click Add.
Step 3 Enter the required information in the Network Devices section.
Step 4 Check the Advanced TrustSec Settings check box to configure a TrustSec-enabled device.
Step 5 Click Submit.

OOB TrustSec PAC

All TrustSec network devices possess a TrustSec PAC as part of the EAP-FAST protocol. This is also utilized by the secure RADIUS protocol, where the RADIUS shared secret is derived from parameters carried by the PAC. One of these parameters, Initiator-ID, holds the TrustSec network device identity, namely the Device ID.

If a device is identified using a TrustSec PAC and there is no match between the Device ID, as configured for that device on Cisco ISE, and the Initiator-ID on the PAC, the authentication fails.

Some TrustSec devices (for example, the Cisco ASA firewall) do not support the EAP-FAST protocol. Therefore, Cisco ISE cannot provision these devices with a TrustSec PAC over EAP-FAST. Instead, the TrustSec PAC is generated on Cisco ISE and manually copied to the device; hence this is called Out of Band (OOB) TrustSec PAC generation.

When you generate a PAC from Cisco ISE, a PAC file encrypted with the Encryption Key is generated.

This section describes the following:

Cisco Identity Services Engine Administrator Guide, Release 1.3, page 595
Generate a TrustSec PAC from the Settings Screen

You can generate a TrustSec PAC from the Settings screen.

Procedure

Step 1 Choose Administration > System > Settings.
Step 2 From the Settings navigation pane on the left, click Protocols.
Step 3 Choose EAP-FAST > Generate PAC.
Step 4 Generate the TrustSec PAC.

Generate a TrustSec PAC from the Network Devices Screen

You can generate a TrustSec PAC from the Network Devices screen.

Procedure

Step 1 Choose Administration > Network Resources > Network Devices.
Step 2 Click Add. You can also click Add new device from the action icon on the Network Devices navigation pane.
Step 3 If you are adding a new device, provide a device name.
Step 4 Check the Advanced TrustSec Settings check box to configure a TrustSec device.
Step 5 Under the Out of Band (OOB) TrustSec PAC subsection, click Generate PAC.
Step 6 Provide the following details:

• PAC Time to Live—Enter a value in days, weeks, months, or years. By default, the value is one year. The minimum value is one day and the maximum is ten years.
• Encryption Key—Enter an encryption key. The length of the key must be between 8 and 256 characters. The key can contain uppercase or lowercase letters, or numbers, or a combination of alphanumeric characters.
  The Encryption Key is used to encrypt the PAC in the file that is generated. This key is also used to decrypt the PAC file on the device. Therefore, it is recommended that the administrator saves the Encryption Key for later use.
  The Identity field specifies the Device ID of a TrustSec network device and is given an Initiator-ID by the EAP-FAST protocol. If the Identity string entered here does not match the Device ID defined under the TrustSec section in the Network Device creation page, authentication will fail.
  The expiration date is calculated based on the PAC Time to Live.

Step 7 Click Generate PAC.
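The following Python is added here as an illustration and is not part of the Cisco guide or the ISE product. It checks the Generate PAC inputs described above against the limits the guide gives (PAC Time to Live between one day and ten years, Encryption Key of 8 to 256 alphanumeric characters) and models the Device ID / Initiator-ID comparison on which PAC-based authentication succeeds or fails. The device names, dates and key are constructed sample values; how ISE rounds month and year TTLs, and that an expired PAC is rejected, are assumptions.

```python
"""Added example, not from the Cisco ISE guide: checks the inputs of the
Generate PAC dialog against the limits the guide states, and models the
Initiator-ID / Device ID comparison that decides whether a PAC-identified
device authenticates."""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Tuple

# Encryption Key: 8 to 256 characters, upper/lower-case letters or digits.
KEY_RE = re.compile(r"^[A-Za-z0-9]{8,256}$")
MAX_TTL_MONTHS = 10 * 12          # PAC Time to Live maximum is ten years


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic. Assumption: the day is clamped to the last
    day of a shorter month; the guide does not say how ISE rounds."""
    y, m0 = divmod(d.month - 1 + months, 12)
    year, month = d.year + y, m0 + 1
    next_first = date(year + (month == 12), month % 12 + 1, 1)
    return date(year, month, min(d.day, (next_first - timedelta(days=1)).day))


def pac_expiry(issued: date, ttl: int, unit: str) -> date:
    """Expiration date from PAC Time to Live (1 day minimum, 10 years maximum)."""
    if ttl < 1:
        raise ValueError("PAC Time to Live must be at least one day")
    if unit == "days":
        expiry = issued + timedelta(days=ttl)
    elif unit == "weeks":
        expiry = issued + timedelta(weeks=ttl)
    elif unit == "months":
        expiry = add_months(issued, ttl)
    elif unit == "years":
        expiry = add_months(issued, 12 * ttl)
    else:
        raise ValueError(f"unknown TTL unit {unit!r}")
    if expiry > add_months(issued, MAX_TTL_MONTHS):
        raise ValueError("PAC Time to Live exceeds the ten-year maximum")
    return expiry


def validate_encryption_key(key: str) -> str:
    """The key encrypts the generated PAC file and is needed again on the
    device to decrypt it, so it must be recorded, not discarded."""
    if not KEY_RE.match(key):
        raise ValueError("Encryption Key must be 8-256 alphanumeric characters")
    return key


@dataclass(frozen=True)
class OobPac:
    initiator_id: str   # the Identity field, carried as the EAP-FAST Initiator-ID
    expires: date


def generate_oob_pac(identity: str, ttl: int, unit: str, key: str, issued: date) -> OobPac:
    """What the Generate PAC button produces (the encrypted file itself is not modelled)."""
    validate_encryption_key(key)
    return OobPac(initiator_id=identity, expires=pac_expiry(issued, ttl, unit))


def authenticate(pac: OobPac, configured_device_id: str, today: date) -> Tuple[bool, str]:
    """ISE's decision for a device identified by its TrustSec PAC. The guide states the
    Device ID / Initiator-ID mismatch rule; rejecting an expired PAC is an assumption."""
    if pac.initiator_id != configured_device_id:
        return False, "Initiator-ID does not match the Device ID configured on ISE"
    if today >= pac.expires:
        return False, "PAC has expired"
    return True, "PAC accepted"


if __name__ == "__main__":
    # Constructed sample: the Identity typed in the dialog differs by one
    # character from the Device ID defined under the device's TrustSec section.
    pac = generate_oob_pac("asa-dc-01", 1, "years", "Tr7stS3cKey2014", date(2014, 6, 1))
    print(authenticate(pac, "asa-dc-1", date(2014, 7, 1)))   # mismatch, rejected
    print(authenticate(pac, "asa-dc-01", date(2014, 7, 1)))  # accepted
```

The mismatch case is the one to watch in practice: the Identity typed into the Generate PAC dialog and the Device ID on the network device page are entered separately, and the guide states that a difference between them makes every authentication with that PAC fail.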
Generate a TrustSec PAC from the Network Devices List Screen

You can generate a TrustSec PAC from the Network Devices list screen.

Procedure

Step 1 Choose Administration > Network Resources > Network Devices.
Step 2 Click Network Devices.
Step 3 Check the check box next to a device for which you want to generate the TrustSec PAC and click Generate PAC.
Step 4 Provide the details in the fields.
Step 5 Click Generate PAC.

Push Button

The Push option in the egress policy initiates a CoA notification that calls the TrustSec devices to immediately request updates from Cisco ISE regarding the configuration changes in the egress policy.

Configure TrustSec AAA Servers

You can configure a list of Cisco ISE servers in your deployment in the AAA server list to allow TrustSec devices to be authenticated against any of these servers. When you add Cisco ISE servers to this list, all these server details are downloaded to the TrustSec device. When a TrustSec device tries to authenticate, it chooses any Cisco ISE server from this list and, if the first server is down or busy, the TrustSec device can authenticate itself against any of the other servers from this list. By default, the primary Cisco ISE server is a TrustSec AAA server. We recommend that you configure additional Cisco ISE servers in this AAA server list so that if one server is busy, another server from this list can handle the TrustSec request.

This page lists the Cisco ISE servers in your deployment that you have configured as your TrustSec AAA servers.

You can click the Push button to initiate an environment CoA notification after you configure multiple TrustSec AAA servers. This environment CoA notification goes to all TrustSec network devices and provides an update of all TrustSec AAA servers that were changed.

Before You Begin

To perform the following task, you must be a Super Admin or System Admin.

Procedure

Step 1 Choose Administration > Network Resources > TrustSec AAA Servers.
Step 2 Click Add.
Step 3 Enter the values as described:
• Name—Name that you want to assign to the Cisco ISE server in this AAA Server list. This name can be different from the hostname of the Cisco ISE server.
• Description—An optional description.
• IP—IP address of the Cisco ISE server that you are adding to the AAA Server list.
• Port—Port over which communication between the TrustSec device and server should take place. The default is 1812.

Step 4 Click Submit.

What to Do Next

Configure Security Groups.

Security Groups Configuration

A Security Group (SG) or Security Group Tag (SGT) is an element that is used in TrustSec policy configuration. SGTs are attached to packets when they move within a trusted network. These packets are tagged when they enter a trusted network (ingress) and untagged when they leave the trusted network (egress).

SGTs are generated in a sequential manner, but you have the option to reserve a range of SGTs for IP to SGT mapping. Cisco ISE skips the reserved numbers while generating SGTs.

The TrustSec service uses these SGTs to enforce the TrustSec policy at egress.

You can configure security groups from the following pages in the Admin portal:

• Policy > Policy Elements > Results > TrustSec > Security Groups.
• Directly from the egress policy page at Configure > Create New Security Group.

You can click the Push button to initiate an environment CoA notification after updating multiple SGTs. This environment CoA notification goes to all TrustSec network devices, forcing them to start a policy/data refresh request.

Add Security Groups

Each security group in your TrustSec solution should be assigned a unique SGT. Even though Cisco ISE supports 65,535 SGTs, a smaller number of SGTs enables you to deploy and manage the TrustSec solution more easily. We recommend a maximum of 4,000 SGTs.

Before You Begin

To perform the following task, you must be a Super Admin or System Admin.
Procedure

Step 1 Choose Policy > Policy Elements > Results > TrustSec > Security Groups.
Step 2 Click Add to add a new security group.
Step 3 Enter a name and description (optional) for the new security group.
Step 4 Enter a Tag Value. The tag value can be set to be entered manually or autogenerated. You can also reserve a range for the SGT. You can configure this from the TrustSec global settings page under Administration > System > Settings > TrustSec Settings.
Step 5 Click Save.

What to Do Next

Configure Security Group Access Control Lists.

Import Security Groups into Cisco ISE

You can import security groups into a Cisco ISE node using a comma-separated value (CSV) file. You must first update the template before you can import security groups into Cisco ISE. You cannot run an import of the same resource type at the same time. For example, you cannot concurrently import security groups from two different import files.

You can download the CSV template from the Admin portal, enter your security group details in the template, and save the template as a CSV file, which you can then import back into Cisco ISE.

While importing security groups, you can stop the import process when Cisco ISE encounters the first error.

Procedure

Step 1 Choose Policy > Policy Elements > Results > TrustSec > Security Groups.
Step 2 Click Import.
Step 3 Click Browse to choose the CSV file from the system that is running the client browser.
Step 4 Check the Stop Import on First Error check box.
Step 5 Click Import.

Export Security Groups from Cisco ISE

You can export security groups configured in Cisco ISE in the form of a CSV file that you can use to import these security groups into another Cisco ISE node.
Procedure

Step 1 Choose Policy > Policy Elements > Results > TrustSec > Security Groups.
Step 2 Click Export.
Step 3 To export security groups, you can do one of the following:

• Check the check boxes next to the groups that you want to export, and choose Export > Export Selected.
• Choose Export > Export All to export all the security groups that are defined.

Step 4 Save the export.csv file to your local hard disk.

Add Security Group Access Control Lists

Before You Begin

To perform the following task, you must be a Super Admin or System Admin.

Procedure

Step 1 Choose Policy > Policy Elements > Results > TrustSec > Security Group ACLs.
Step 2 Click Add to create a new Security Group ACL.
Step 3 Enter the following information:

• Name—Name of the SGACL
• Description—An optional description of the SGACL
• IP Version—IP version that this SGACL supports:
  ◦ IPv4—Supports IP version 4 (IPv4)
  ◦ IPv6—Supports IP version 6 (IPv6)
  ◦ Agnostic—Supports both IPv4 and IPv6
• Security Group ACL Content—Access control list (ACL) commands. For example:

  permit icmp
  deny ip

  The syntax of SGACL input is not checked within ISE. Make sure you are using the correct syntax so that switches, routers and access points can apply them without errors. The default policy can be configured as permit ip, permit ip log, deny ip, or deny ip log. A TrustSec network device attaches the default policy to the end of the specific cell policy.

  Here are two examples of SGACLs for guidance. Both include a final catch-all rule. The first one denies as the final catch-all rule, and the second one permits.
  Permit_Web_SGACL
  permit tcp dst eq 80
  permit tcp dst eq 443
  deny ip

  Deny_JumpHost_Protocols
  deny tcp dst eq 23
  deny tcp dst eq 3389
  permit ip

The following table lists the SGACL syntax for the IOS, IOS XE and NX-OS operating systems.

Syntax common across IOS, IOS XE, and NX-OS          SGACL CLI and ACEs
deny, exit, no, permit                                 config acl
ahp, eigrp, gre, icmp, igmp, ip, nos, ospf, pcp,       deny
pim, tcp, udp                                          permit
dst, log, src                                          deny tcp
                                                       deny tcp src
                                                       deny tcp dst
port number                                            deny tcp dst eq
                                                       deny tcp src eq
dst, log, src                                          deny udp
                                                       deny udp src
                                                       deny udp dst
port number                                            deny tcp dst eq www
                                                       deny tcp src eq www

Step 4 Click Submit.

Egress Policy

The egress table lists the source and destination SGTs, both reserved and unreserved. This page also allows you to filter the egress table to view specific policies and to save these preset filters. When the source SGT tries to reach the destination SGT, the TrustSec-capable device enforces the SGACLs based on the TrustSec policy as defined in the Egress Policy. Cisco ISE creates and provisions the policy.

After you create the SGTs and SGACLs, which are the basic building blocks required to create a TrustSec policy, you can establish a relationship between them by assigning SGACLs to source and destination SGTs.
Each combination of a source SGT and a destination SGT is a cell in the Egress Policy.

You can view the Egress Policy in the Policy > TrustSec > Egress Policy page.

You can view the Egress policy in three different ways:

• Source Tree View
• Destination Tree View
• Matrix View

Source Tree View

The Source Tree view lists a compact and organized view of source SGTs in a collapsed state. You can expand any source SGT to see the internal table that lists all information related to that selected source SGT. This view displays only the source SGTs that are mapped to destination SGTs. If you expand a specific source SGT, it lists all destination SGTs that are mapped to this source SGT and the corresponding policy (SGACLs) in a table.

You will see three dots (...) next to some fields. This signifies that there is more information contained in the cell. You can position the cursor over the three dots to view the rest of the information in a quick view popup. When you position the cursor over an SGT name or an SGACL name, a quick view popup opens to display the content of that particular SGT or SGACL.

Destination Tree View

The Destination Tree view lists a compact and organized view of destination SGTs in a collapsed state. You can expand any destination SGT to see the internal table that lists all information related to that selected destination SGT. This view displays only the destination SGTs that are mapped to source SGTs. If you expand a specific destination SGT, it lists all source SGTs that are mapped to this destination SGT and the corresponding policy (SGACLs) in a table.

You will see three dots (...) next to some fields. This signifies that there is more information contained in the cell. You can position the cursor over the three dots to view the rest of the information in a quick view popup. When you position the cursor over an SGT name or an SGACL name, a quick view popup opens to display the content of that particular SGT or SGACL.

Matrix View

The Matrix View of the Egress policy looks like a spreadsheet. It contains two axes:

• Source Axis—The vertical axis lists all the source SGTs.
• Destination Axis—The horizontal axis lists all the destination SGTs.
The mapping of a source SGT to a destination SGT is represented as a cell. If a cell contains data, it represents that there is a mapping between the corresponding source SGT and the destination SGT. There are two types of cells in the matrix view:

• Mapped cells—When a source and destination pair of SGTs is related to a set of ordered SGACLs and has a specified status.
• Unmapped cells—When a source and destination pair of SGTs is not related to any SGACLs and has no specified status.

The Egress Policy cell displays the source SGT, the destination SGT, and the Final Catch All Rule as a single list under SGACLs, separated by commas. The Final Catch All Rule is not displayed if it is set to None. An empty cell in a matrix represents an unmapped cell.

In the Egress Policy matrix view, you can scroll across the matrix to view the required set of cells. The browser does not load the entire matrix data at once. The browser requests from the server the data that falls in the area you are scrolling in. This prevents memory overflow and performance issues.

The Matrix view has the same GUI elements as the Source and Destination views. However, it has these additional elements:

Matrix Dimensions

The Dimension drop-down list in the Matrix view enables you to set the dimensions of the matrix.

Condensed View

The Condensed option in the egress policy matrix view allows you to display the matrix without empty cells. Check the Condensed check box to hide empty cells.

Import/Export Matrix

The Import and Export buttons enable you to import or export the matrix.

Matrix Operations

Navigating through the Matrix

You can navigate through the matrix either by dragging the matrix content area with the cursor or by using the horizontal and vertical scroll bars. You can click and hold on a cell to drag it along with the entire matrix content in any direction. The source and destination bars move along with the cells. The matrix view highlights the cell and the corresponding row (Source SGT) and column (Destination SGT) when a cell is selected. The coordinates (Source SGT and Destination SGT) of the selected cell are displayed below the matrix content area.

Selecting a Cell in the Matrix

To select a cell in the matrix view, click on it. The selected cell is displayed in a different color, and the source and destination SGTs are highlighted. You can deselect a cell either by clicking it again or by selecting another cell. Multiple cell selection is not allowed in the matrix view. Double-click the cell to edit the cell configuration.

Configure SGACL from Egress Policy

You can create Security Group ACLs directly from the Egress Policy page.
Procedure

Step 1 Choose Policy > TrustSec > Egress Policy.
Step 2 From the Source or Destination Tree View page, choose Configure > Create New Security Group ACL.
Step 3 Enter the required details and click Submit.

Egress Policy Table Cells Configuration

Cisco ISE allows you to configure cells using various options that are available in the toolbar. Cisco ISE does not allow a cell configuration if the selected source and destination SGTs are identical to those of a mapped cell.

Add the Mapping of Egress Policy Cells

You can add the mapping cell for the Egress Policy from the Policy page.

Procedure

Step 1 Choose Policy > TrustSec > Egress Policy.
Step 2 To select the matrix cells, do the following:

• In the matrix view, click a cell to select it.
• In the Source and Destination tree view, check the check box of a row in the internal table to select it.

Step 3 Click Add to add a new mapping cell.
Step 4 Select appropriate values for:

• Source Security Group
• Destination Security Group
• Status, Security Group ACLs
• Final Catch All Rule

Step 5 Click Save.
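The Python below is an added illustration, not code from the Cisco ISE guide or product. It covers two passages: the SGACL syntax table in Add Security Group Access Control Lists (ISE does not validate SGACL syntax, so a linter that applies the table's keyword sets catches malformed ACEs before a switch rejects the policy) and the egress policy cell rules above (a source/destination pair may be mapped only once; the Final Catch All Rule is appended after the ordered SGACLs and omitted when set to None). The SGT values 10 and 20, the telnet/RDP deny list, and the named ports other than www are assumptions; Permit_Web_SGACL is the guide's own example.

```python
"""Added example, not from the Cisco ISE guide: an SGACL syntax linter built
from the SGACL syntax table, and a small egress-policy model that applies the
cell rules the guide describes (one mapping per source/destination pair,
ordered SGACLs, Final Catch All Rule appended last)."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Keyword sets from the syntax table (IOS, IOS XE and NX-OS).
ACTIONS = {"permit", "deny"}
PROTOCOLS = {"ahp", "eigrp", "gre", "icmp", "igmp", "ip", "nos", "ospf", "pcp", "pim", "tcp", "udp"}
PORT_PROTOCOLS = {"tcp", "udp"}          # only these take "src eq" / "dst eq" port matches
DIRECTIONS = {"src", "dst"}
# The table shows the named port "www"; the other names here are an assumption.
NAMED_PORTS = {"www", "telnet", "ssh", "domain"}
# Values the guide lists for the default (Final Catch All) policy.
CATCH_ALL_RULES = {"permit ip", "permit ip log", "deny ip", "deny ip log"}


def lint_ace(line: str) -> List[str]:
    """Syntax problems in one ACE; an empty list means it parses.
    Accepted shape: ACTION PROTOCOL [ (src|dst) eq PORT ]... [log]"""
    tokens = line.lower().split()
    if not tokens:
        return ["empty line"]
    if tokens[0] not in ACTIONS:
        return [f"unknown action {tokens[0]!r}, expected permit or deny"]
    if len(tokens) < 2 or tokens[1] not in PROTOCOLS:
        return [f"unknown or missing protocol in {' '.join(tokens)!r}"]
    if tokens[-1] == "log":
        tokens = tokens[:-1]
    proto, errors, seen, i = tokens[1], [], set(), 2
    while i < len(tokens):
        direction = tokens[i]
        if direction not in DIRECTIONS:
            errors.append(f"unexpected token {direction!r}")
            break
        if proto not in PORT_PROTOCOLS:
            errors.append(f"'{direction} eq' is only valid for tcp or udp, not {proto}")
        if i + 2 >= len(tokens) or tokens[i + 1] != "eq":
            errors.append(f"expected 'eq <port>' after {direction}")
            break
        port = tokens[i + 2]
        if port not in NAMED_PORTS and not (port.isdigit() and int(port) <= 65535):
            errors.append(f"invalid port {port!r}")
        if direction in seen:
            errors.append(f"{direction} given twice")
        seen.add(direction)
        i += 3
    return errors


def lint_sgacl(content: str) -> List[str]:
    """Lint a whole SGACL body (ISE does not; the enforcement device will)."""
    issues: List[str] = []
    seen: Set[str] = set()
    for n, line in enumerate((l for l in content.splitlines() if l.strip()), start=1):
        issues += [f"line {n}: {e}" for e in lint_ace(line)]
        ace = " ".join(line.lower().split())
        if ace in seen:
            issues.append(f"line {n}: duplicate ACE {ace!r}")
        seen.add(ace)
    return issues


@dataclass
class Cell:
    source_sgt: int
    destination_sgt: int
    sgacls: List[str]                      # ordered SGACL names
    final_catch_all: Optional[str] = None  # one of CATCH_ALL_RULES, or None
    status: str = "Enabled"


@dataclass
class EgressPolicy:
    sgacl_library: Dict[str, str] = field(default_factory=dict)      # name -> ACE text
    cells: Dict[Tuple[int, int], Cell] = field(default_factory=dict)

    def add_sgacl(self, name: str, content: str) -> None:
        issues = lint_sgacl(content)
        if issues:
            raise ValueError(f"SGACL {name}: " + "; ".join(issues))
        self.sgacl_library[name] = content

    def add_cell(self, cell: Cell) -> None:
        key = (cell.source_sgt, cell.destination_sgt)
        if key in self.cells:   # ISE refuses a second cell for an already mapped pair
            raise ValueError(f"{key} is already mapped; edit that cell instead")
        missing = [n for n in cell.sgacls if n not in self.sgacl_library]
        if missing:
            raise ValueError(f"unknown SGACLs {missing}")
        if cell.final_catch_all is not None and cell.final_catch_all not in CATCH_ALL_RULES:
            raise ValueError(f"invalid Final Catch All Rule {cell.final_catch_all!r}")
        self.cells[key] = cell

    def effective_aces(self, source_sgt: int, destination_sgt: int) -> List[str]:
        """ACEs the device enforces for source -> destination: the ordered SGACLs,
        then the cell's Final Catch All Rule. An unmapped cell provisions nothing."""
        cell = self.cells.get((source_sgt, destination_sgt))
        if cell is None:
            return []
        aces: List[str] = []
        for name in cell.sgacls:
            aces += [" ".join(l.split()) for l in self.sgacl_library[name].splitlines() if l.strip()]
        if cell.final_catch_all:
            aces.append(cell.final_catch_all)
        return aces

    def condensed_matrix(self) -> List[Tuple[int, int, str]]:
        """The Condensed view: mapped cells only, SGACLs and catch-all comma-joined."""
        return [(s, d, ",".join(c.sgacls + ([c.final_catch_all] if c.final_catch_all else [])))
                for (s, d), c in sorted(self.cells.items())]


def build_example() -> EgressPolicy:
    """Constructed sample: the guide's Permit_Web_SGACL plus an assumed telnet/RDP
    deny list; SGT values 10 and 20 are assumed, not from the guide."""
    policy = EgressPolicy()
    policy.add_sgacl("Permit_Web_SGACL", "permit tcp dst eq 80\npermit tcp dst eq 443\ndeny ip")
    policy.add_sgacl("Deny_JumpHost_Protocols", "deny tcp dst eq 23\ndeny tcp dst eq 3389")
    policy.add_cell(Cell(10, 20, ["Permit_Web_SGACL"]))                  # catch-all None
    policy.add_cell(Cell(20, 10, ["Deny_JumpHost_Protocols"], "permit ip"))
    return policy
```

Run lint_sgacl over the Security Group ACL Content before clicking Submit; a non-empty result is something the switch would reject at download time. effective_aces shows why the order of SGACLs in a cell matters: the device evaluates the cell's ACEs top to bottom and only then falls through to the Final Catch All Rule, so a deny-list SGACL with a permit ip catch-all behaves very differently from the same SGACL with deny ip.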