Cisco Ise 13 User Guide
Report Name: User Change Password Audit
Description: The User Change Password Audit report displays verification about employee's password changes.
Logging Category: Administrative and Operational audit

Report Name: Supplicant Provisioning
Description: The Supplicant Provisioning report provides details about the supplicants provisioned to employee's personal devices.
Logging Category: Posture and Client Provisioning Audit

Report Name: Registered Endpoints
Description: The Registered Endpoints report displays all personal devices registered by employees.
Logging Category: —

Report Name: Endpoints Purge Activities
Description: The Endpoints Purge Activities report enables the user to review the history of endpoints purge activities. This report requires that the Profiler logging category is enabled. It is enabled by default.
Logging Category: Choose Administration > System > Logging > Logging Categories and select Profiler.

Guest Access Reports

Report Name: AUP Acceptance Status
Description: The AUP Acceptance Status report provides details of AUP acceptances from all the Guest portals.
Logging Category: Choose Administration > System > Logging > Logging Categories and select Guest.

Report Name: Sponsor Login and Audit
Description: The Sponsor Login and Audit report provides details of guest users' login, add, delete, enable, suspend and update operations and the login activities of the sponsors at the sponsors portal. If guest users are added in bulk, they are visible under the column 'Guest Users.' This column is hidden by default. On export, these bulk users are also present in the exported file.
Logging Category: Choose Administration > System > Logging > Logging Categories and select Guest.

Report Name: My Devices Login and Audit
Description: The My Devices Login and Audit report provides details about the login activities and the operations performed by the users on the devices in My Devices Portal.
Logging Category: Choose Administration > System > Logging > Logging Categories and select My Devices.

Cisco Identity Services Engine Administrator Guide, Release 1.3 675 Available Reports
Report Name: Master Guest Report
Description: The Master Guest Report combines data from various Guest Access reports and enables you to export data from different reporting sources. The Master Guest report also provides details about the websites that guest users are visiting. You can use this report for security auditing purposes to demonstrate when guest users accessed the network and what they did on it.
You must also enable HTTP inspection on the network access device (NAD) used for guest traffic. This information is sent back to Cisco ISE by the NAD.
To check when the clients reach the maximum simultaneous sessions limit, from the Admin portal, choose Administration > System > Logging > Logging Categories and do the following:
1. Increase the log level of "Authentication Flow Diagnostics" logging category from WARN to INFO.
2. Change LogCollector Target from Available to Selected under the "Logging Category" of AAA Diagnostics.
Logging Category: Choose Administration > System > Logging > Logging Categories and select Passed Authentications.

Report Name: Guest Accounting
Description: The Guest Accounting report is a subset of the RADIUS Accounting report. All users assigned to the Activated Guest or Guest identity groups appear in this report.
Logging Category: —

TrustSec
Report Name: RBACL Drop Summary
Description: The RBACL Drop Summary report is specific to the TrustSec feature, which is available only with an Advanced Cisco ISE license. This report also requires that you configure the network devices to send NetFlow events for dropped events to Cisco ISE. If a user violates a particular policy or access, packets are dropped and indicated in this report.
Logging Category: —

Report Name: Top N RBACL Drops By User
Description: The Top N RBACL Drops By User report is specific to the TrustSec feature, which is available only with an Advanced Cisco ISE license. This report also requires that you configure the network devices to send NetFlow events for dropped events to Cisco ISE. This report displays policy violations (based on packet drops) by specific users.
Logging Category: —
PART VII
Reference
• Administration User Interface Reference
• Guest Access User Interface Reference
• Web Portals Customization Reference
• Policy User Interface Reference
• Operations User Interface Reference
• Network Access Flows
• Switch and Wireless LAN Controller Configuration Required to Support Cisco ISE Functions
• Supported Management Information Bases in Cisco ISE
CHAPTER 27
Administration User Interface Reference
• System Administration
• Identity Management
• Network Resources
• Device Portal Management

System Administration

Deployment Settings
The Deployment Nodes page enables you to configure Cisco ISE (Administration, Policy Service, and Monitoring) nodes and Inline Posture nodes and to set up a deployment.

Deployment Nodes List Page
The following table describes the fields on the Deployment Nodes List page, which you can use to configure Cisco ISE and Inline Posture nodes in a deployment. The navigation path for this page is: Administration > System > Deployment.

Field: Hostname
Usage Guidelines: Displays the hostname of the node.

Field: Node Type
Usage Guidelines: Displays the node type. It can be one of the following:
• Cisco ISE (Administration, Policy Service, and Monitoring) nodes
• Inline Posture node

Field: Personas
Usage Guidelines: (Only appears if the node type is Cisco ISE) Lists the personas that a Cisco ISE node has assumed. For example, Administration, Policy Service.
Field: Role
Usage Guidelines: Indicates the role (primary, secondary, or standalone) that the Administration and Monitoring personas have assumed, if these personas are enabled on this node. The role can be any one or more of the following:
• PRI(A)—Refers to the Primary PAN
• SEC(A)—Refers to the Secondary PAN
• PRI(M)—Refers to the Primary Monitoring Node
• SEC(M)—Refers to the Secondary Monitoring Node

Field: Services
Usage Guidelines: (Only appears if the Policy Service persona is enabled) Lists the services that run on this Cisco ISE node. Services can include any one of the following:
• Session
• Profiling
• All

Field: Node Status
Usage Guidelines: Indicates the status of each ISE node in a deployment for data replication.
• Green (Connected)—Indicates that an ISE node, which is already registered in the deployment, is in sync with the Primary PAN.
• Red (Disconnected)—Indicates that an ISE node is not reachable or is down or data replication is not happening.
• Orange (In Progress)—Indicates that an ISE node is newly registered with the Primary PAN or you have performed a manual sync operation or the ISE node is not in sync (out of sync) with the Primary PAN.
For more details, click the quick view icon for each ISE node in the Node Status column.

Related Topics
Cisco ISE Distributed Deployment, on page 32
Cisco ISE Deployment Terminology, on page 31
Configure a Cisco ISE Node, on page 35
Register a Secondary Cisco ISE Node, on page 36

General Node Settings
The following table describes the fields on the General Node Settings page, which you can use to set up your deployment and configure services to be run on each of the nodes. The navigation path for this tab is: Administration > System > Deployment > ISE Node > Edit > General Settings.
Table 56: General Node Settings

Field: Hostname
Usage Guidelines: Displays the hostname of the Cisco ISE node.

Field: FQDN
Usage Guidelines: Displays the fully qualified domain name of the Cisco ISE node. For example, ise1.cisco.com.

Field: IP Address
Usage Guidelines: Displays the IP address of the Cisco ISE node.

Field: Node Type
Usage Guidelines: Displays the node type. Could be any one of the following: Identity Services Engine (ISE), Inline Posture Node

Personas

Field: Administration
Usage Guidelines: Check this check box if you want a Cisco ISE node to assume the Administration persona. You can enable the Administration persona only on nodes that are licensed to provide the administrative services.
Role—Displays the role that the Administration persona has assumed in the deployment. Could take on any one of the following values: Standalone, Primary, Secondary
Make Primary—Click this button to make this node your primary Cisco ISE node. You can have only one primary Cisco ISE node in a deployment. The other options on this page will become active only after you make this node primary. You can have only two Administration nodes in a deployment. If the node has a Standalone role, a Make Primary button appears next to it. If the node has a Secondary role, a Promote to Primary button appears next to it. If the node has a Primary role and there are no other nodes registered with it, a Make Standalone button appears next to it. You can click this button to make your primary node a standalone node.
Field: Monitoring
Usage Guidelines: Check this check box if you want a Cisco ISE node to assume the Monitoring persona and function as your log collector. There must be at least one Monitoring node in a distributed deployment. At the time of configuring your Primary PAN, you must enable the Monitoring persona. After you register a secondary Monitoring node in your deployment, you can edit the Primary PAN and disable the Monitoring persona, if required.
To configure a Cisco ISE node on a VMware platform as your log collector, use the following guidelines to determine the minimum amount of disk space that you need:
• 180 KB per endpoint in your network, per day
• 2.5 MB per Cisco ISE node in your network, per day
You can calculate the maximum disk space that you need based on how many months of data you want to have in your Monitoring node.
If there is only one Monitoring node in your deployment, it assumes the standalone role. If you have two Monitoring nodes in your deployment, Cisco ISE displays the name of the other monitoring node for you to configure the Primary-Secondary roles. To configure these roles, choose one of the following:
• Primary—For the current node to be the primary Monitoring node.
• Secondary—For the current node to be the secondary Monitoring node.
• None—If you do not want the Monitoring nodes to assume the primary-secondary roles.
If you configure one of your Monitoring nodes as primary or secondary, the other Monitoring node automatically becomes the secondary or primary node, respectively. Both the primary and secondary Monitoring nodes receive Administration and Policy Service logs. If you change the role for one Monitoring node to None, the role of the other Monitoring node also becomes None, thereby cancelling the high availability pair.
After you designate a node as a Monitoring node, you will find this node listed as a syslog target in the following page: Administration > System > Logging > Remote Logging Targets