Cisco ISE 1.3 User Guide
Procedure
Step 1 Click Setup Assistant in the upper-right corner of the Admin portal.
Step 2 Follow the on-screen instructions to complete the configuration.

Setup Assistant Overwrites Previous Configurations
Each time you run the Setup Assistant, Cisco ISE overwrites previous settings, which can critically impact your configuration in the following ways:
• All authentication, authorization, client provisioning, and posture policies are deleted and replaced, including any that you added without using the Setup Assistant.
• Other settings, such as policy elements and web portal customizations, are overwritten with any newly specified values. If you do not enter anything for the optional settings, the Setup Assistant resets them to their default values.

Identify Policy Requirements Page in Setup Assistant

Wired or Wireless
You must indicate whether you want to support wired or wireless connections, or both. If you are using a Cisco ISE Wireless License, the wired option is unavailable.
These choices impact the policies that Cisco ISE creates, and also dictate other required responses. For example, if you choose wired, you can also indicate whether your network supports IP phones.
You must also indicate whether or not the wired connections are monitored or if network access must be enforced based on compliance:
• Monitor generates non-compliance logs and reports, but does not require that users or devices comply with the defined policies.
  In monitoring mode, posture and guest policies are ignored. If you support wired connections in monitoring mode, the Setup Assistant disables the guest and posture choices on the next page to prevent unauthorized computer and guest access.
  If you support wired and wireless connections, you can enable the guest and posture features, but they will apply only to the wireless connections. The wireless connections always run in enforcement mode.
• Enforce requires compliance with the defined policies.

Protected Subnets
You must indicate which subnets should be inaccessible to guests or noncompliant endpoints. This information is used when creating the downloadable ACLs.

Cisco Identity Services Engine Administrator Guide, Release 1.3
Configure Network Access Service Page in Setup Assistant

User Authentication
Users belonging to these groups will be granted network access as employees and be allowed to create guest accounts using the Sponsor portal.
• Internal users—If you choose to create an internal user, Cisco ISE creates a single user using the name you enter and assigns the user to the default Employee and ALL_ACCOUNTS user identity groups. You can verify this in the Administration > Identity Management > Identities > Users page after setup completes.
  Because the Setup Assistant provides only the basic Cisco ISE configuration to demonstrate its functionality in your network, you cannot use it to import additional users into the internal user database. You can add additional internal users using the Admin portal after you complete the Setup Assistant.
• Active Directory—If you choose to join the Active Directory domain, Cisco ISE adds the indicated AD domain and joins it. After joining the domain, you must choose an Active Directory group. All users belonging to this group will be able to authenticate using Dot1x and create guests using the Sponsor portal. You can verify this from the Administration > Identity Management > External Identity Sources > Active Directory page after setup completes.

Posture Compliance
When you enable posture using the Setup Assistant, Cisco ISE checks for antispyware and antivirus definitions and installations on connected endpoints.
You must indicate whether you want to assess or assess and enforce posture compliance for employees and guests:
• Assess generates reports about noncompliant users, but allows them to be authenticated.
• Enforce prevents authentication.
If you want to force Cisco ISE to redirect noncompliant endpoints to a remediation server before granting network access, enter the proxy server IP address.
If you enable posture compliance, Cisco ISE will:
• Download the Cisco NAC agents and update the Policy > Policy Elements > Results > Client Provisioning > Resources page.
• Create the downloadable ACLs on the Policy > Policy Elements > Results > Authorization > Downloadable ACLs page. All DACLs created by the Setup Assistant include the prefix AutoGen, such as: AutoGen_DACL_PrePostureWired.
• Create authorization profiles on the Policy > Policy Elements > Results > Authorization > Authorization Profiles page. Authorization profiles created by the Setup Assistant include the prefix AutoGen, such as: AutoGen_profile_Byod_CWA.
• Create authorization conditions on the Policy > Policy Elements > Conditions > Authorization > Simple Conditions and Policy > Policy Elements > Conditions > Authorization > Compound Conditions pages. Authorization conditions created by the Setup Assistant include the prefix AutoGen, such as: AutoGen_condition_Android_Devices or AutoGen_condition_GuestWired.
• Create client provisioning policies on the Policy > Client Provisioning page. Client provisioning policies created by the Setup Assistant include the prefix AutoGen, such as: AutoGen_Provisioning.
• Download posture updates from the Administration > System > Settings > Posture > Updates page.
• Create posture policies on the Policy > Posture page. Posture policies created by the Setup Assistant include the prefix AutoGen, such as: AutoGen_Policy_Check_For_AS_Definition_Mac_Employee.
• Create authorization policies on the Policy > Authorization page. Authorization policies created by the Setup Assistant include the prefix AutoGen, such as: AutoGen_policy_Registered_Wireless_Devices.
• Create authentication policies on the Policy > Authentication page. Authentication policies created by the Setup Assistant include the prefix AutoGen, such as: AutoGen_AuthNPolicy_MAB.

Endpoint Profiling
Endpoint profiling discovers, identifies, and determines the capabilities of all attached endpoints on your network. If you enable endpoint profiling, Cisco ISE will:
• Enable these endpoint profiling features on the Administration > System > Deployment > Edit Node > Profiling Configuration page.
  ◦ DHCP
  ◦ RADIUS
  ◦ Network Scan (NMAP)
  ◦ SNMP Query Probes
• Configure SNMP on the Administration > Network Resources > Network Devices page.

Proxy Settings
Cisco ISE uses the proxy server to download Cisco-defined posture checks and client provisioning resources required for assessing posture of endpoints and allowing personal devices on the network. If you configure these proxy settings, Cisco ISE will update the settings on the Administration > System > Settings > Proxy page.

Guest User Support
To support guest users, you must create a sponsor user. Cisco ISE creates a single user using the name you enter and assigns the user to the default ALL_ACCOUNTS user identity group, which defines the user as a sponsor user. You can verify this from the Administration > Identity Management > Identities > Users page after setup completes.
If you add a simplified URL, Cisco ISE updates the Portal Name settings at the top of the Guest Access > Configure > Sponsor Portals > Edit page.
Support for Personal Devices
You can add a simplified URL for employees to use to access the My Devices portal, and Cisco ISE updates the Portal Name settings at the top of the Administration > Device Portal Management > My Devices > Edit page.
Web Portal Customizations
You can upload an image to use as a custom logo for the Sponsor, Guest, and My Devices portals. Cisco ISE will also upload the image to the appropriate page:
• Guest portals: Guest Access > Configure > Guest Portals > Edit > Portal Page Customization
• Sponsor portals: Guest Access > Configure > Sponsor Portals > Edit > Portal Page Customization
• My Devices portal: Administration > Device Portal Management > My Devices > Edit > Portal Page Customization

Select Network Device Types Page in Setup Assistant

Switches and Wireless Controllers
Cisco ISE adds the switches and wireless controllers to the Administration > Network Resources > Network Devices page, updates the SNMP settings, and adds the RADIUS shared secret to the Authentication Settings option.
Depending on the choices you made previously, you must configure the switches and wireless controllers. Click the Wired or Wireless Network Diagram links to display sample network topologies that illustrate the required configuration details.

Review and Confirm Your Choices Page in Setup Assistant

Review Your Selection
You can verify your responses to each of the questions.

Network Device Configuration
Configuration details for each configured switch and WLC display separately. Cisco ISE does not automatically update these configurations on the devices. If you want to completely replace the current device configuration, copy and paste the entire configuration. Alternatively, you can just copy the specific sections with the configuration changes you need. You can access the most current copy of the settings after exiting the Setup Assistant by choosing Setup Assistant > View network device configuration.

ISE Configuration
The ISE Configuration tab displays details about each setting, policy, profile, DACL, and network device added to Cisco ISE.

Filter Data on Listing Pages
Listing pages include tools that enable you to filter and customize the displayed information.
Data Filters in Listing Pages
You can customize and filter the information that displays in the listing pages using the settings and filter icons.
Figure 3: Data Filters Example

Customize the Displayed Field Attributes
You can customize the field attributes displayed in the listing pages. The available and default options vary based on the specific listing page.
Procedure
Step 1 Click the Settings icon and choose Columns.
Step 2 Select the items to add or remove. A checkmark displays next to the selected items.
Step 3 Click Close.

Filter Data by Field Attributes Using the Quick Filter
The Quick Filter allows you to enter a value for any of the field attributes displayed in the listing page, refreshes the page, and lists only those records that match your filter criteria.
Procedure
Step 1 Click the Show drop-down list and choose Quick Filter.
Step 2 Enter search criteria in one or more of the attribute fields, and the entries that match the specified attributes display automatically.

Filter Data by Conditions Using the Advanced Filter
The Advanced Filter allows you to filter information based on specified conditions, such as, First Name = Mike and User Group = Employee. You can specify more than one condition.
Procedure
Step 1 Click the Show drop-down list and choose Advanced Filter.
Step 2 Specify the search attributes, such as fields, operators, and values from the Filter menus.
Step 3 Click + to add additional conditions.
Step 4 Click Go to display the entries that match the specified attributes.

Create Custom Filters
You can create and save custom filters and modify the filter criteria in preset filters. Custom filters are not saved in the Cisco ISE database. You can only access them using the same computer and browser used to create them.
Procedure
Step 1 Click the Show drop-down list and choose Advanced Filter.
Step 2 Specify the search attributes, such as fields, operators, and values from the Filter menus.
Step 3 Click + to add additional conditions.
Step 4 Click Go to display the entries that match the specified attributes.
Step 5 Click the Save icon to save the filter.
Step 6 Enter a name and click Save. The filter now appears in the Show drop-down list.

Cisco ISE Internationalization and Localization
Cisco ISE internationalization adapts the user interface for supported languages. Localization of the user interface incorporates locale-specific components and translated text.
In Cisco ISE, internationalization and localization support focuses on support for non-English text in UTF-8 encoding to the end-user facing portals and on selective fields in the Admin portal.

Supported Languages
Cisco ISE provides localization and internationalization support for the following languages and browser locales:

Browser Locale    Language
zh-tw             Chinese traditional
zh-cn             Chinese simplified
cs-cz             Czech
nl-nl             Dutch
en                English
fr-fr             French
de-de             German
hu-hu             Hungarian
it-it             Italian
ja-jp             Japanese
ko-kr             Korean
pl-pl             Polish
pt-br             Portuguese (Brazil)
ru-ru             Russian
es-es             Spanish

Support for UTF-8 Character Data Entry
Cisco ISE fields that are exposed to the end user (through the Cisco NAC agent, or supplicants, or through the Sponsor, Guest, My Devices, and Client Provisioning portals) support UTF-8 character sets for all languages. UTF-8 is a multibyte-character encoding for the Unicode character set, which includes many different language character sets, such as Hebrew, Sanskrit, and Arabic.
Character values are stored in UTF-8 in the administration configuration database, and the UTF-8 characters display correctly in reports and user interface components.

UTF-8 Credential Authentication
Network access authentication supports UTF-8 username and password credentials. This includes RADIUS, EAP, RADIUS proxy, RADIUS token, and web authentication from the Guest and Administrative portal login authentications. UTF-8 support for username and password applies to authentication against the local identity store as well as external identity stores.
UTF-8 authentication depends on the client supplicant that is used for network login. Some Windows native supplicants do not support UTF-8 credentials.
Note: RSA does not support UTF-8 users, hence UTF-8 authentication with RSA is not supported. Likewise, RSA servers, which are compatible with Cisco ISE, do not support UTF-8.

UTF-8 Policies and Posture Assessment
Policy rules in Cisco ISE that are conditioned on attribute values may include UTF-8 text. Rule evaluation supports UTF-8 attribute values. In addition, you can configure conditions with UTF-8 values through the Administrative portal.
Posture requirements can be modified as File, Application, and Service conditions based on a UTF-8 character set. This includes sending UTF-8 requirement values to the NAC agent. The NAC agent then assesses the endpoint accordingly, and reports UTF-8 values, when applicable.

Cisco NAC and MAC Agent UTF-8 Support
The Cisco NAC agent supports internationalization of text, messages, and any UTF-8 data that is exchanged with Cisco ISE. This includes requirement messages, requirement names, and file and process names that are used in conditions.
The following limitations apply:
• UTF-8 support applies to Windows-based NAC agents only.
• Cisco NAC and MAC agent interfaces currently do not support localization.
• Web Agent does not support UTF-8 based rules and requirements.
• If an acceptable use policy (AUP) is configured, the policy pages are provided on the client side, based on the browser locale and the set of languages that are specified in the configuration. You are responsible for providing a localized AUP bundle or site URL.

UTF-8 Support for Messages Sent to Supplicant
RSA prompts and messages are forwarded to the supplicant using a RADIUS attribute REPLY-MESSAGE, or within EAP data. If the text contains UTF-8 data, it is displayed by the supplicant, based on the client’s local operating system language support. Some Windows-native supplicants do not support UTF-8 credentials.
Cisco ISE prompts and messages may not be in sync with the locale of the client operating system on which the supplicant is running. You must align the end-user supplicant locale with the languages that are supported by Cisco ISE.
Reports and Alerts UTF-8 Support
Monitoring and troubleshooting reports and alerts support UTF-8 values for relevant attributes, for Cisco ISE supported languages, in the following ways:
• Viewing live authentications
• Viewing detailed pages of report records
• Exporting and saving reports
• Viewing the Cisco ISE dashboard
• Viewing alert information
• Viewing tcpdump data

UTF-8 Character Support in the Portals
Many more character sets are supported in Cisco ISE fields (UTF-8) than are currently supported for localizations in portals and end-user messages. For example, Cisco ISE does not support right-to-left languages, such as Hebrew or Arabic, even though the character sets themselves are supported.
The following table lists the fields in the Admin and end-user portals that support UTF-8 characters for data entry and viewing, with the following limitations:
• Cisco ISE does not support guest passwords with UTF-8 characters.
• Cisco ISE does not support UTF-8 characters in certificates.

Table 2: Admin Portal UTF-8 Character Fields

Admin Portal Element: Network access user configuration
UTF-8 Fields:
• Username
• First name
• Last name
• e-mail

Admin Portal Element: User list
UTF-8 Fields:
• All filter fields
• Values shown on the User List page
• Values shown on the left navigation quick view

Admin Portal Element: User password policy
UTF-8 Fields:
The passwords can be composed of any combination of upper and lower case letters, numbers, and special characters (that include: “!”, “@”, “#”, “$”, “%”, “^”, “&”, “*”, “(”, and “)”). The password field accepts any characters including UTF-8 characters, but it doesn't accept control characters.
Some languages do not have uppercase or lowercase alphabets. If your user password policy requires the user to enter a password with uppercase or lowercase characters, and if the user’s language does not support these characters, the user cannot set a password. For the user password field to support UTF-8 characters, in the user password policy page (Administration > Identity Management > Settings > User Password Policy), you must uncheck the following options:
• Lowercase alphabetic characters
• Uppercase alphabetic characters

Admin Portal Element: Administrator list
UTF-8 Fields:
• All filter fields
• Values shown on the Administrator List page
• Values shown on the left navigation quick view

Admin Portal Element: Admin login page
UTF-8 Fields:
• Username

Admin Portal Element: RSA
UTF-8 Fields:
• Messages
• Prompts

Admin Portal Element: RADIUS token
UTF-8 Fields:
• Authentication tab > Prompt

Admin Portal Element: Posture Requirement
UTF-8 Fields:
• Name
• Remediation action > Message shown to Agent User
• Requirement list display

Admin Portal Element: Posture conditions
UTF-8 Fields:
• File condition > File path
• Application condition > Process name
• Service condition > Service name
• Conditions list display

Admin Portal Element: Guest and My Devices settings
UTF-8 Fields:
• Sponsor > Language Template: all supported languages, all fields
• Guest > Language Template: all supported languages, all fields
• My Devices > Language Template: all supported languages, all fields

Admin Portal Element: System settings
UTF-8 Fields:
• SMTP Server > Default e-mail address

Admin Portal Element: Operations > Alarms > Rule
UTF-8 Fields:
• Criteria > User
• Notification > e-mail Notification user list
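
The user password policy behaviour described in Table 2, as an added illustration that is not Cisco code and not part of the original guide: it models the two case options and the control-character rule to show which passwords cannot be set while a case rule is enabled. The function names, parameters, and sample passwords are constructed for this example.

```python
import unicodedata

# Hypothetical model of the two policy checkboxes named in Table 2; the
# function and parameter names are illustrative, not Cisco ISE settings.
def violations(password, require_lower=True, require_upper=True):
    """Return the rules `password` breaks (an empty list means accepted)."""
    broken = []
    # Control characters (Unicode general category Cc) are never accepted.
    if any(unicodedata.category(ch) == "Cc" for ch in password):
        broken.append("control character")
    # islower()/isupper() are False for letters from scripts without case.
    if require_lower and not any(ch.islower() for ch in password):
        broken.append("no lowercase letter")
    if require_upper and not any(ch.isupper() for ch in password):
        broken.append("no uppercase letter")
    return broken


def blocked_by_script(password):
    """True if a case rule fails because the letters used have no case at all."""
    letters = [ch for ch in password if ch.isalpha()]
    caseless = bool(letters) and all(ch.lower() == ch.upper() for ch in letters)
    return caseless and any("case" in rule for rule in violations(password))


# Constructed sample passwords, one per situation.
SAMPLES = {
    "latin": "Passw0rd!",
    "latin-weak": "password1",      # cased script, user omitted uppercase
    "cyrillic": "Пароль123!",       # cased script
    "japanese": "パスワード123!",     # katakana has no case
    "hebrew": "סיסמה123!",          # Hebrew has no case
    "control": "Pass\x07word",      # embedded BEL control character
}


def audit(require_lower=True, require_upper=True):
    """Map each sample name to the rules it breaks under the given policy."""
    return {name: violations(pw, require_lower, require_upper)
            for name, pw in SAMPLES.items()}


if __name__ == "__main__":
    for label, policy in (("case rules checked", (True, True)),
                          ("case rules unchecked", (False, False))):
        print(label)
        for name, broken in audit(*policy).items():
            caseless = broken and blocked_by_script(SAMPLES[name])
            note = " (script has no case)" if caseless else ""
            print(f"  {name:11}{', '.join(broken) or 'accepted'}{note}")
```

With both case options unchecked, only the control-character sample is still rejected, which matches the behaviour the table describes for UTF-8 passwords.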