Cisco Identity Services Engine Administrator Guide, Release 1.3
Export Egress Policy

Procedure
Step 1 Choose Policy > TrustSec > Egress Policy > Matrix.
Step 2 Click Export.
Step 3 Save the CSV file to your local system.

Import Egress Policy

You can create the egress policy offline and then import it into Cisco ISE. If you have a large number of security group tags, creating the security group ACL mappings one by one can take some time; creating the egress policy offline and importing it into Cisco ISE saves that time. During import, Cisco ISE appends the entries from the CSV file to the egress policy matrix and does not overwrite existing data.

Egress policy import fails if:
• The source or destination SGTs do not exist
• The SGACL does not exist
• The monitor status is different from what is currently configured in Cisco ISE for that cell (because import appends rather than overwrites, a row for a cell that already exists must carry that cell's current status)

Procedure
Step 1 Choose Policy > TrustSec > Egress Policy > Matrix.
Step 2 Click Generate a Template.
Step 3 Download the template (CSV file) from the Egress Policy page and enter the following information in the CSV file:
• Source SGT
• Destination SGT
• SGACL
• Monitor status (enabled, disabled, or monitored)
Step 4 Check the Stop Import on First Error check box if you want Cisco ISE to abort the import when it encounters any error.
Step 5 Click Import.

Configure SGT from Egress Policy

You can create security groups directly from the Egress Policy page.

Cisco Identity Services Engine Administrator Guide, Release 1.3 605 Egress Policy
Procedure
Step 1 Choose Policy > TrustSec > Egress Policy.
Step 2 From the Source or Destination Tree View page, choose Configure > Create New Security Group.
Step 3 Enter the required details and click Submit.

Monitor Mode

The Monitor All option in the egress policy lets you change the configuration status of the entire egress policy to monitor mode with a single click. Check the Monitor All check box on the egress policy page to change the configuration status of all cells to monitor mode. When you check the Monitor All check box, the following changes take place in the configuration status:
• Cells whose status is Enabled act as Monitored but still appear as Enabled.
• Cells whose status is Disabled are not affected.
• Cells whose status is Monitored remain Monitored.
Uncheck the Monitor All check box to restore the original configuration status. Monitor All does not change the actual status of any cell in the database; when you deselect it, each cell in the egress policy regains its original configuration status.

Features of Monitor Mode

The monitoring functionality of monitor mode helps you to:
• Know how much traffic would have been filtered but is only monitored because of monitor mode
• Know whether an SGT-DGT pair is in monitor mode or enforce mode, and observe whether any unusual packet drops are happening in the network
• Understand whether an SGACL drop is actually enforced (enforce mode) or permitted (monitor mode)
• Create custom reports based on the type of mode (monitor, enforce, or both)
• Identify which SGACL has been applied on the NAD and display any discrepancy

The Unknown Security Group

The Unknown security group is a preconfigured security group that cannot be modified and represents the TrustSec tag value 0.

TrustSec network devices request the cells that refer to the Unknown SGT when they do not have an SGT for either the source or the destination. If only the source is unknown, the request applies to the (Unknown, destination SGT) cell. If only the destination is unknown, the request applies to the (source SGT, Unknown) cell. If both the source and destination are unknown, the request applies to the (Unknown, Unknown) cell.
Default Policy

Default Policy refers to the (ANY, ANY) cell: any source SGT mapped to any destination SGT. The ANY SGT cannot be modified and is not listed among the source or destination SGTs; it can only be paired with ANY, never with any other SGT. A TrustSec network device attaches the default policy to the end of the cell-specific policy:
• If a cell is empty, it contains the default policy alone.
• If a cell contains a policy, the resulting policy is the cell-specific policy followed by the default policy.
In Cisco ISE, the cell policy and the default policy are two separate sets of SGACLs that devices obtain in response to two separate policy queries.

Configuration of the default policy differs from that of other cells:
• Status can take only two values, Enabled or Monitored.
• Security Group ACLs is an optional field for the default policy and can be left empty.
• Final Catch All Rule can be any of Permit IP, Deny IP, Permit IP log, or Deny IP log. The None option is not available here because there is no safety net beyond the default policy.

Push Button

The Push option in the egress policy initiates a CoA notification that tells the TrustSec devices to immediately request updates from Cisco ISE about the configuration changes in the egress policy.

SGT Assignment

Cisco ISE allows you to assign an SGT to a TrustSec device if you know the device hostname or IP address. When a device with that hostname or IP address joins the network, Cisco ISE assigns the SGT before authenticating it.

Sometimes devices need to be manually configured to map security group tags to endpoints. You can create this mapping from the Security Group Mappings page. Before you do so, ensure that you have reserved a range of SGTs.

Cisco ISE allows you to create up to 10,000 IP-to-SGT mappings. You can create IP-to-SGT mapping groups to logically group such large-scale mappings. Each group of IP-to-SGT mappings contains a list of IP addresses, the single security group they map to, and the network device or network device group that is the deployment target for those mappings.
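The import rules and the cell resolution rules above (Import Egress Policy, Monitor Mode, The Unknown Security Group, Default Policy) are easier to reason about with a small model of the matrix. The following is an added example, not Cisco ISE code: it rejects CSV rows that name a missing SGT or SGACL or that conflict with an existing cell's monitor status, honours Stop Import on First Error, appends rather than overwrites, and resolves a (source, destination) pair to the cell SGACLs followed by the default policy, treating a missing SGT as the Unknown tag 0 and applying Monitor All without touching the stored status. The CSV column names, the treatment of Disabled cells, and the sample SGTs, SGACLs and rows are assumptions constructed for the example.

```python
"""Egress policy matrix model: import rules and policy resolution.

Added example, not Cisco ISE code. It models the documented import rules
(rows naming an unknown SGT or SGACL are rejected, a row whose monitor
status conflicts with an existing cell is rejected, Stop Import on First
Error) and the documented resolution rules (Monitor All, the Unknown SGT
with tag 0, the cell policy followed by the (ANY, ANY) default policy).
The CSV column names and the sample data are assumptions.
"""
import csv
import io
from dataclasses import dataclass, field

UNKNOWN_SGT = 0                  # preconfigured Unknown security group, tag value 0
VALID_STATUS = {"enabled", "disabled", "monitored"}


@dataclass
class Cell:
    sgacls: list                 # SGACL names for this (source, destination) pair
    status: str                  # enabled | disabled | monitored


@dataclass
class EgressMatrix:
    sgts: dict                                     # SGT name -> tag value
    sgacls: set                                    # known SGACL names
    cells: dict = field(default_factory=dict)      # (src_tag, dst_tag) -> Cell
    default_sgacls: list = field(default_factory=list)   # optional for the default policy
    default_catch_all: str = "Deny IP"             # None is not allowed for the default policy
    monitor_all: bool = False

    def _row_error(self, row):
        for col in ("Source SGT", "Destination SGT"):
            if row[col] not in self.sgts:
                return f"{col} {row[col]!r} does not exist"
        if row["SGACL"] not in self.sgacls:
            return f"SGACL {row['SGACL']!r} does not exist"
        status = row["Monitor status"].lower()
        if status not in VALID_STATUS:
            return f"invalid monitor status {row['Monitor status']!r}"
        key = (self.sgts[row["Source SGT"]], self.sgts[row["Destination SGT"]])
        if key in self.cells and self.cells[key].status != status:
            return f"monitor status {status!r} differs from configured {self.cells[key].status!r}"
        return None

    def import_csv(self, text, stop_on_first_error=False):
        """Append the CSV rows to the matrix; return (rows imported, error list)."""
        imported, errors = 0, []
        for lineno, row in enumerate(csv.DictReader(io.StringIO(text)), start=2):
            err = self._row_error(row)
            if err:
                errors.append(f"line {lineno}: {err}")
                if stop_on_first_error:
                    break
                continue
            key = (self.sgts[row["Source SGT"]], self.sgts[row["Destination SGT"]])
            cell = self.cells.setdefault(key, Cell([], row["Monitor status"].lower()))
            cell.sgacls.append(row["SGACL"])       # import appends; it never overwrites
            imported += 1
        return imported, errors

    def effective_status(self, key):
        """Monitor All makes Enabled cells act as Monitored without changing the stored status."""
        cell = self.cells.get(key)
        if cell is None:
            return "enabled"                       # empty cell: default policy alone
        if self.monitor_all and cell.status == "enabled":
            return "monitored"
        return cell.status

    def resolve(self, src_tag=None, dst_tag=None):
        """SGACL list a device gets for a pair; None stands for 'no SGT known' (Unknown cell)."""
        key = (UNKNOWN_SGT if src_tag is None else src_tag,
               UNKNOWN_SGT if dst_tag is None else dst_tag)
        status = self.effective_status(key)
        cell = self.cells.get(key)
        # Assumed: a Disabled cell contributes no SGACLs, so only the default policy applies.
        cell_acls = [] if cell is None or status == "disabled" else list(cell.sgacls)
        return {"cell": key, "status": status,
                "sgacls": cell_acls + self.default_sgacls + [self.default_catch_all]}


# Constructed sample data: two real SGTs plus Unknown, three SGACLs.
SAMPLE_CSV = """Source SGT,Destination SGT,SGACL,Monitor status
Employees,Servers,Allow_Web,enabled
Employees,Servers,Allow_SSH,enabled
Unknown,Servers,Deny_All,monitored
Contractors,Servers,Allow_Web,enabled
Employees,Servers,Allow_Web,disabled
"""


def build_sample():
    return EgressMatrix(sgts={"Unknown": 0, "Employees": 10, "Servers": 20},
                        sgacls={"Allow_Web", "Allow_SSH", "Deny_All"})


if __name__ == "__main__":
    m = build_sample()
    print(m.import_csv(SAMPLE_CSV))          # 3 rows imported, 2 errors reported
    m.monitor_all = True
    print(m.resolve(10, 20), m.resolve(None, 20))
```

The last two rows of the sample CSV are the two failure cases the guide lists: an SGT that does not exist, and a status that conflicts with the cell created by the first row. With stop_on_first_error the import halts at the first of them; without it, both are reported and the three valid rows are still appended.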
NDAC Authorization

You can configure the TrustSec policy by assigning SGTs to devices. You can assign security groups to devices based on the TrustSec device ID attribute.
Configure NDAC Authorization

Before You Begin
• Ensure that you have created the security groups for use in the policy.
• To perform the following task, you must be a Super Admin or System Admin.

Procedure
Step 1 Choose Policy > TrustSec > Network Device Authorization.
Step 2 Click the Action icon on the right-hand side of the Default Rule row, and click Insert New Row Above.
Step 3 Enter a name for this rule.
Step 4 Click the plus sign (+) next to Conditions to add a policy condition.
Step 5 You can click Create New Condition (Advance Option) to create a new condition.
Step 6 From the Security Group drop-down list, select the SGT to assign if this condition evaluates to true.
Step 7 Click the Action icon on this row to add additional rules based on device attributes, either above or below the current rule. Repeat this process to create all the rules you need for the TrustSec policy. You can drag and drop the rules to reorder them by clicking the icon. You can also duplicate an existing condition, but ensure that you change the policy name.
The first rule that evaluates to true determines the result of the evaluation. If none of the rules match, the default rule is applied; you can edit the default rule to specify the SGT that must be applied to a device when no rule matches.
Step 8 Click Save to save your TrustSec policy.
If a TrustSec device authenticates after you have configured the network device policy, the device gets its SGT and the SGTs of its peers and is able to download all the relevant details.

Configure End User Authorization

Cisco ISE allows you to assign a security group as the result of an authorization policy evaluation. Using this option, you can assign a security group to users and endpoints.

Before You Begin
• Read the information on authorization policies.
• To perform the following task, you must be a Super Admin or System Admin.
Procedure
Step 1 Choose Policy > Authorization.
Step 2 Create a new authorization policy.
Step 3 Select a security group for Permissions.
If the conditions specified in this authorization policy are true for a user or endpoint, this security group is assigned to that user or endpoint, and all data packets sent by this user or endpoint are tagged with this SGT.

Add Single IP-to-SGT Mappings

Before You Begin
To perform the following task, you must be a Super Admin or System Admin.

Procedure
Step 1 Choose Policy > Policy Elements > Results > TrustSec > Security Group Mappings > Hosts.
Step 2 Click Add to add a new single IP-SGT mapping.
Step 3 Choose whether to enter the Hostname or the IP Address of the device. You can also enter the subnet mask for the IP address.
Step 4 Choose one of the following:
• Group Mapping, to make this IP mapping part of an existing mapping group.
• Security Group Tag, to create a flat mapping between this IP and an SGT.
Step 5 Choose the destination network device on which you want to deploy this mapping. You can deploy the mappings on all TrustSec devices, on selected network device groups, or on selected network devices.
Step 6 Click Submit.

Add Group IP-to-SGT Mappings

Before You Begin
To perform the following task, you must be a Super Admin or System Admin.
Procedure
Step 1 Choose Policy > Policy Elements > Results > TrustSec > Security Group Mappings > Groups.
Step 2 Click Add to add a new group IP-SGT mapping.
Step 3 Enter a Name and a Description for the new group.
Step 4 Enter the Security Group Tag to which this group is mapped.
Step 5 Choose the destination network device on which you want to deploy this mapping. You can deploy the mappings on all TrustSec devices, on selected network device groups, or on selected network devices.
Step 6 Click Submit.

Import Security Group Mappings Hosts

You can import a list of security group mappings hosts into a Cisco ISE node using a comma-separated value (CSV) file. You cannot run two imports of the same resource type at the same time; for example, you cannot concurrently import security group mappings hosts from two different import files.

You can download the CSV template from the Policy > Policy Elements > Results > TrustSec > Security Group Mappings > Hosts > Import page. Enter your security group mappings hosts details in the template, save it as a CSV file, and import it back into Cisco ISE.

While importing hosts, you can create new records or update existing records. Cisco ISE displays a summary of the number of hosts imported and reports any errors found during the import process. When you import hosts, you can also specify whether Cisco ISE should stop the import when it encounters the first error.

Procedure
Step 1 Choose Policy > Policy Elements > Results > TrustSec > Security Group Mappings > Hosts.
Step 2 Click Import.
Step 3 Click Browse to choose the CSV file from the system that is running the client browser.
Step 4 Check the Stop Import on First Error check box, if required.
Step 5 Click Import.

Export Security Group Mappings Hosts

You can export the security group mappings hosts configured in Cisco ISE as a CSV file that you can use to import these hosts into another Cisco ISE node.
Procedure
Step 1 Choose Policy > Policy Elements > Results > TrustSec > Security Group Mappings > Hosts.
Step 2 Click Export.
Step 3 To export security group mappings hosts, do one of the following:
• Check the check boxes next to the hosts that you want to export, and choose Export > Export Selected.
• Choose Export > Export All to export all the security group mappings hosts that are defined.
Step 4 Save the export.csv file to your local hard disk.

Deploy IP-to-SGT Mappings

After you add IP-to-SGT mappings to Cisco ISE, you must deploy them to the target network devices. You must do this explicitly even though you saved the mappings earlier. Cisco ISE lets you deploy all or only a subset of the mappings.

Before You Begin
You must have added IP-to-SGT mappings to Cisco ISE or created IP-to-SGT mapping groups that contain IP-to-SGT mappings.

Procedure
Step 1 To deploy IP-to-SGT mappings to devices, do one of the following:
• Choose Policy > Policy Elements > Results > TrustSec > Security Group Mappings > Groups if you want to deploy IP-to-SGT mapping groups to devices.
• Choose Policy > Policy Elements > Results > TrustSec > Security Group Mappings > Hosts if you want to deploy single IP-to-SGT mappings to devices.
Step 2 Do one of the following:
• Check the check box next to the group or mapping that you want to deploy, and choose Deploy to deploy only the selected mappings.
• Choose Deploy to deploy all the IP-to-SGT mappings configured in Cisco ISE.
Cisco ISE deploys the mappings to the specific network devices defined in the group or mapping. It also displays a report with details such as deployed devices, configuration, deployment status, and failure reason, if any.
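The SGT Assignment description above (flat host mappings versus mapping groups, each with a deployment target of all TrustSec devices, a network device group, or named devices, and the 10,000-mapping limit) and the Deploy IP-to-SGT Mappings procedure describe a resolution step that is worth seeing end to end. The following is an added example, not Cisco ISE code: it validates the mappings, resolves each one to its target devices, renders the per-device configuration, and returns the kind of report the guide describes (device, configuration, status, failure reason). The IOS-style command line cts role-based sgt-map <ip>[/<len>] sgt <n>, the inventory, and the mappings are all assumptions constructed for the example.

```python
"""IP-to-SGT mapping deployment model.

Added example, not Cisco ISE code. A host mapping either carries its own
SGT and deployment target (flat mapping) or belongs to a mapping group and
inherits the group's SGT and target; deploy() resolves the target (all
TrustSec devices, a network device group, or named devices), enforces the
10,000-mapping limit, renders the per-device configuration and returns the
report ISE describes (device, configuration, status, failure reason). The
IOS-style line 'cts role-based sgt-map <ip>[/<len>] sgt <n>' and all
inventory data below are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

MAX_MAPPINGS = 10_000


@dataclass(frozen=True)
class Device:
    name: str
    ndg: str                      # network device group
    trustsec: bool = True


@dataclass(frozen=True)
class Target:
    kind: str                     # "all" | "ndg" | "devices"
    names: Tuple[str, ...] = ()


@dataclass(frozen=True)
class MappingGroup:
    name: str
    sgt: int
    target: Target


@dataclass(frozen=True)
class HostMapping:
    ip: str                       # address or address/prefix
    sgt: Optional[int] = None     # flat mapping
    group: Optional[str] = None   # or member of a mapping group
    target: Optional[Target] = None


def validate(hosts, groups):
    """Errors ISE would have to report before anything is deployed."""
    errors = []
    if len(hosts) > MAX_MAPPINGS:
        errors.append(f"{len(hosts)} mappings exceeds the limit of {MAX_MAPPINGS}")
    for h in hosts:
        try:
            ipaddress.ip_network(h.ip, strict=False)
        except ValueError:
            errors.append(f"{h.ip}: not a valid IP address or subnet")
        if h.group is None and (h.sgt is None or h.target is None):
            errors.append(f"{h.ip}: flat mapping needs both an SGT and a target")
        if h.group is not None and h.group not in groups:
            errors.append(f"{h.ip}: mapping group {h.group!r} does not exist")
    return errors


def cli_line(ip, sgt):
    """Render one mapping; a host address is printed without a prefix length."""
    net = ipaddress.ip_network(ip, strict=False)
    host = net.prefixlen == net.max_prefixlen
    return f"cts role-based sgt-map {net.network_address if host else net} sgt {sgt}"


def deploy(hosts, groups, devices):
    """Return ({device name: [config lines]}, report rows); pass a subset of hosts to deploy only those."""
    errors = validate(hosts, groups)
    if errors:
        raise ValueError("; ".join(errors))
    by_name = {d.name: d for d in devices}
    config, report = {}, []
    for h in hosts:
        sgt, target = (h.sgt, h.target) if h.group is None else (groups[h.group].sgt, groups[h.group].target)
        if target.kind == "all":
            wanted = [d.name for d in devices if d.trustsec]
        elif target.kind == "ndg":
            wanted = [d.name for d in devices if d.trustsec and d.ndg in target.names]
        else:
            wanted = list(target.names)
        for name in wanted:
            dev = by_name.get(name)
            if dev is None or not dev.trustsec:
                report.append({"device": name, "configuration": None, "status": "failed",
                               "reason": "unknown device" if dev is None else "not a TrustSec device"})
                continue
            line = cli_line(h.ip, sgt)
            config.setdefault(name, []).append(line)
            report.append({"device": name, "configuration": line, "status": "deployed", "reason": None})
    return config, report


# Constructed inventory and mappings.
DEVICES = [Device("dc-sw1", "DC-Switches"), Device("dc-sw2", "DC-Switches"),
           Device("edge-fw1", "Edge", trustsec=False)]
GROUPS = {"Servers-Prod": MappingGroup("Servers-Prod", 20, Target("ndg", ("DC-Switches",)))}
HOSTS = [
    HostMapping("10.10.20.0/24", group="Servers-Prod"),
    HostMapping("10.10.20.250", group="Servers-Prod"),
    HostMapping("192.168.5.7", sgt=30, target=Target("devices", ("dc-sw1", "edge-fw1"))),
    HostMapping("10.10.21.0/24", sgt=20, target=Target("all")),
]

if __name__ == "__main__":
    cfg, rep = deploy(HOSTS, GROUPS, DEVICES)
    for dev, lines in cfg.items():
        print(dev, *lines, sep="\n  ")
    print([r for r in rep if r["status"] == "failed"])
```

The third mapping names a device that is not a TrustSec device; it is reported as a failure rather than silently skipped, which is the behaviour you want when a mapping that should enforce a tag cannot be installed anywhere.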
TrustSec Configuration and Policy Push

Cisco ISE supports Change of Authorization (CoA), which allows Cisco ISE to notify TrustSec devices about TrustSec configuration and policy changes so that the devices can reply with requests to get the relevant data. A CoA notification can trigger a TrustSec network device to send either an Environment CoA or a Policy CoA.

You can also push a configuration change to devices that do not intrinsically support the TrustSec CoA feature.

CoA Supported Network Devices

Cisco ISE sends CoA notifications to the following network devices:
• Network devices with a single IP address (subnets are not supported)
• Network devices configured as TrustSec devices
• Network devices set as CoA supported

When Cisco ISE is deployed in a distributed environment where several secondaries interoperate with different sets of devices, CoA requests are sent from the Cisco ISE primary node to all the network devices. Therefore, TrustSec network devices need to be configured with the Cisco ISE primary node as the CoA client.

The devices return a CoA NAK or ACK to the Cisco ISE primary node. However, the TrustSec session that follows from the network device is sent to the Cisco ISE node to which the network device sends all its other AAA requests, not necessarily to the primary node.

Push Configuration Changes to Non-CoA Supporting Devices

Some platforms do not support the Cisco ISE Push feature for Change of Authorization (CoA), for example some versions of Nexus network devices. In this case, Cisco ISE connects to the network device and makes it trigger an updated configuration request toward ISE. To achieve this, ISE opens an SSHv2 session to the network device and sends a command that triggers a refresh of the TrustSec policy matrix. This method can also be used on network platforms that support CoA push.

Procedure
Step 1 Choose Device Administration > Network Resources > Network Devices.
Step 2 Check the check box next to the required network device and click Edit. Verify that the network device's name, IP address, RADIUS and TrustSec settings are properly configured.
Step 3 Scroll down to Advanced TrustSec Settings, and in the TrustSec Notifications and Updates section, check the Send configuration changes to device check box and click the CLI (SSH) radio button.
Step 4 (Optional) Provide an SSH key.
Step 5 Check the Include this device when deploying Security Group Tag Mapping Updates check box for this TrustSec (SGA) device to obtain the IP-SGT mappings using device interface credentials.
Step 6 Enter the username and password of a user with privileges to edit the device configuration in Exec mode.
Step 7 (Optional) Enter the enable password for the device's privileged Exec mode, which lets ISE edit its configuration. You can click Show to display the Exec mode password that is already configured for this device.
Step 8 Click Submit at the bottom of the page.
The network device is now configured to receive pushed TrustSec changes. After you change a Cisco ISE policy, click Push to have the new configuration reflected on the network device.

SSH Key Validation

You may want to harden security by using an SSH key. Cisco ISE supports this with its SSH key validation feature.

To use this feature, you retrieve the network device's SSH host key from the device's own CLI, then copy the key and paste it into Cisco ISE. When Cisco ISE opens its SSHv2 session to the device, it compares the key the device presents with the stored key and terminates the connection if the key is wrong. Without a stored key, ISE cannot distinguish the real device from another host answering at the same IP address, and the Exec mode credentials configured in the previous procedure would be sent to that host.

Limitation: Currently, Cisco ISE can validate only one IP address (not IP ranges or subnets).

Before You Begin
For the network device with which you want Cisco ISE to communicate securely, you will require:
• Login credentials
• The CLI command to retrieve the SSH key

Procedure
Step 1 On the network device:
a) Log on to the network device with which you want Cisco ISE to communicate using SSH key validation.
b) Use the device's CLI to show the SSH key.
Example: For Catalyst devices, the command is: show ip ssh.
c) Copy the SSH key that is displayed.
Step 2 From the Cisco ISE user interface:
a) Choose Device Administration > Network Resources > Network Devices, and verify that the required network device's name, IP address, RADIUS and TrustSec settings are properly configured.
b) Scroll down to Advanced TrustSec Settings, and in the TrustSec Notifications and Updates section, check the Send configuration changes to device check box and click the CLI (SSH) radio button.
c) In the SSH Key field, paste the SSH key retrieved previously from the network device.
d) Click Submit at the bottom of the page.
The network device now communicates with Cisco ISE using SSH key validation.

Environment CoA Notification Flow

The following figure depicts the Environment CoA notification flow.

Figure 36: Environment CoA Notification Flow
1 Cisco ISE sends an environment CoA notification to the TrustSec network device.
2 The device returns an environment data request.
3 In response to the environment data request, Cisco ISE returns:
• The environment data of the device that sent the request. This includes the TrustSec device's SGT (as inferred from the NDAC policy) and the download environment TTL.
• The name and generation ID of the TrustSec AAA server list.
• The names and generation IDs of (potentially multiple) SGT tables. These tables list SGT name versus SGT value, and together they hold the full list of SGTs.
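The SSH Key Validation section above says only that ISE terminates the connection if the key presented by the device differs from the stored one. The following is an added example, not Cisco ISE code, showing the check that sits behind that sentence in the form OpenSSH uses: parse the public key line, decode the key blob, compare it byte for byte against the pinned key, and compute the SHA256 fingerprint you can read back against the device's CLI output. The keys are constructed ed25519-shaped blobs for the example, not real device keys, and the decision strings are assumptions.

```python
"""SSH host key pinning check.

Added example, not Cisco ISE code. ISE stores the key pasted from the
device and terminates the SSH session if the host presents a different one.
This reproduces that check the way OpenSSH does it: parse the public key
line, compare the decoded key blob with the pinned blob, and compute the
'SHA256:' fingerprint. The keys below are constructed 32-byte ed25519-shaped
blobs, not real device keys.
"""
import base64
import hashlib
import hmac
import struct


def _ssh_string(b: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def make_key_line(key_type: str, raw: bytes) -> str:
    """Build an OpenSSH public key line: '<type> <base64 blob>'."""
    blob = _ssh_string(key_type.encode()) + _ssh_string(raw)
    return f"{key_type} {base64.b64encode(blob).decode()}"


def parse_key_line(line: str):
    """Return (declared type, blob); the type embedded in the blob must match the declared type."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line")
    key_type = parts[0]
    blob = base64.b64decode(parts[1], validate=True)   # binascii.Error is a ValueError
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode() != key_type:
        raise ValueError("key type in blob does not match declared type")
    return key_type, blob


def fingerprint(line: str) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' plus unpadded base64 of SHA-256 over the blob."""
    _, blob = parse_key_line(line)
    digest = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return f"SHA256:{digest}"


def host_key_acceptable(pinned_line: str, presented_line: str) -> bool:
    """Accept only when type and blob match the pinned key exactly; malformed input is rejected."""
    try:
        p_type, p_blob = parse_key_line(pinned_line)
        h_type, h_blob = parse_key_line(presented_line)
    except ValueError:
        return False
    return p_type == h_type and hmac.compare_digest(p_blob, h_blob)


def connect_decision(pinned_line: str, presented_line: str) -> str:
    """Mirror the documented behaviour: no credentials are sent unless the key matches."""
    if host_key_acceptable(pinned_line, presented_line):
        return "proceed: send exec credentials"
    return "terminate: host key mismatch, credentials withheld"


# Constructed keys (32 arbitrary bytes each); an attacker's host would present a different blob.
PINNED_KEY = make_key_line("ssh-ed25519", bytes(range(32)))
ROGUE_KEY = make_key_line("ssh-ed25519", bytes(range(1, 33)))

if __name__ == "__main__":
    print(fingerprint(PINNED_KEY))
    print(connect_decision(PINNED_KEY, PINNED_KEY))
    print(connect_decision(PINNED_KEY, ROGUE_KEY))
```

The comparison is on the decoded blob, not on the base64 text, so a key pasted with different line wrapping still matches, while a key of the same type but different material does not. Because ISE validates one IP address per device, the pinned key belongs to that device entry alone; re-keying the device means updating the SSH Key field before the next Push.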
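The Configure NDAC Authorization procedure (first matching rule wins, otherwise the Default Rule) and the Environment CoA Notification Flow above fit together: the device's SGT in the environment data is the output of the NDAC evaluation. The following is an added example, not Cisco ISE code, that plays both sides of the exchange: ISE evaluates the NDAC rule list for the requesting device and answers the environment data request with the device SGT, the environment TTL, the AAA server list with its generation ID, and the SGT tables with their generation IDs; the device records the generation IDs and reports which objects changed since its last refresh. The rule shapes, message field names, the generation-ID bumping on table changes, and the device-side comparison are assumptions.

```python
"""NDAC evaluation and the Environment CoA exchange.

Added example, not Cisco ISE code. Models two things the guide describes:
the NDAC policy is a first-match rule list with a Default Rule, and an
Environment CoA makes the device request environment data, to which ISE
answers with the device's SGT (from NDAC), the environment TTL, the AAA
server list name/generation ID and the SGT tables with generation IDs.
Field names, generation-ID bumping and the device-side diff are assumptions.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class NdacRule:
    name: str
    condition: Callable[[dict], bool]   # evaluated on the device's attributes
    sgt: int


@dataclass
class NdacPolicy:
    rules: List[NdacRule]
    default_sgt: int

    def evaluate(self, device_attrs: dict):
        """The first rule that evaluates to true wins; otherwise the Default Rule applies."""
        for rule in self.rules:
            if rule.condition(device_attrs):
                return rule.sgt, rule.name
        return self.default_sgt, "Default Rule"


@dataclass
class IseServer:
    ndac: NdacPolicy
    sgt_tables: Dict[str, Dict[str, int]]          # table name -> {SGT name: value}
    aaa_servers: List[str]
    env_ttl: int = 86400
    generation: Dict[str, int] = field(default_factory=dict)

    def gen(self, name: str) -> int:
        return self.generation.setdefault(name, 1)

    def update_sgt_table(self, table: str, sgt_name: str, value: int):
        """Any change to a table bumps its generation ID (assumed behaviour)."""
        self.sgt_tables[table][sgt_name] = value
        self.generation[table] = self.gen(table) + 1

    def environment_data(self, request: dict) -> dict:
        """Step 3: the response to the device's environment data request."""
        sgt, rule = self.ndac.evaluate(request["device"])
        return {
            "device_sgt": sgt, "matched_rule": rule, "env_ttl": self.env_ttl,
            "aaa_server_list": {"name": "default-aaa", "gen": self.gen("default-aaa"),
                                "servers": list(self.aaa_servers)},
            "sgt_tables": {t: {"gen": self.gen(t), "entries": dict(v)}
                           for t, v in self.sgt_tables.items()},
        }

    def send_environment_coa(self, device) -> List[str]:
        """Steps 1-3: CoA notification, the device's request, ISE's response; returns what changed."""
        request = device.on_environment_coa()
        if request["type"] != "environment-data-request":
            raise ValueError("unexpected request type")
        return device.apply_environment(self.environment_data(request))


@dataclass
class TrustSecDevice:
    attrs: dict                                     # includes the TrustSec device ID
    generations: Dict[str, int] = field(default_factory=dict)
    sgt: Optional[int] = None

    def on_environment_coa(self) -> dict:
        """Step 2: the device answers the CoA notification with an environment data request."""
        return {"type": "environment-data-request", "device": self.attrs}

    def apply_environment(self, data: dict) -> List[str]:
        """Install the environment data; return the objects whose generation ID changed."""
        self.sgt = data["device_sgt"]
        objs = {data["aaa_server_list"]["name"]: data["aaa_server_list"]["gen"]}
        objs.update({t: v["gen"] for t, v in data["sgt_tables"].items()})
        changed = [n for n, g in objs.items() if self.generations.get(n) != g]
        self.generations.update(objs)
        return sorted(changed)


def build_sample() -> IseServer:
    """Constructed policy: two rules on the device ID / device group, then the Default Rule."""
    policy = NdacPolicy(
        rules=[NdacRule("DC switches", lambda d: d.get("device_id", "").startswith("dc-sw"), 2),
               NdacRule("Access switches", lambda d: d.get("ndg") == "Access", 3)],
        default_sgt=5,
    )
    return IseServer(policy, {"Main": {"Unknown": 0, "Employees": 10, "Servers": 20}},
                     ["ise-pan.example.net"])


if __name__ == "__main__":
    ise = build_sample()
    dev = TrustSecDevice({"device_id": "dc-sw1", "ndg": "DC"})
    print(ise.send_environment_coa(dev), dev.sgt)   # first refresh: everything is new
    ise.update_sgt_table("Main", "Guests", 40)
    print(ise.send_environment_coa(dev))            # only the changed table
```

The generation IDs are what make the CoA cheap: the notification itself carries no data, the device asks, and the answer lets it see at a glance whether the AAA server list or a given SGT table has moved on since its last download.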