Cisco ISE 1.3 User Guide
Fields / Usage Guidelines

Policy Service: Check this check box to enable any one or all of the following services:
• Enable Session Services—Check this check box to enable network access, posture, guest, and client provisioning services. Choose the group to which this Policy Service node belongs from the Include Node in Node Group drop-down list. Choose … if you do not want this Policy Service node to be part of any group.
All the nodes within the same node group should be configured on the network access device (NAD) as RADIUS clients and authorized for CoA, because any one of them can issue a CoA request for the sessions that are established through any node in the node group. If you are not using a load balancer, the nodes in a node group should be the same as, or a subset of, the RADIUS servers and clients configured on the NAD. These nodes would also be configured as RADIUS servers. While a single NAD can be configured with many ISE nodes as RADIUS servers and dynamic-authorization clients, it is not necessary for all the nodes to be in the same node group.
The members of a node group should be connected to each other using a high-speed LAN connection such as Gigabit Ethernet. The node group members need not be L2 adjacent, but L2 adjacency is highly recommended to ensure sufficient bandwidth and reachability. See the Create a Policy Service Node Group section, on page 50, for more details.
• Enable Profiling Service—Check this check box to enable the Profiler service. If you enable the Profiling service, you must click the Profiling Configuration tab and enter the details as required. When you enable or disable any of the services that run on the Policy Service node or make any changes to this node, you will be restarting the application server processes on which these services run. You must expect a delay while these services restart. You can determine when the application server has restarted on a node by using the show application status ise command from the CLI.

pxGrid: Check this check box to enable the pxGrid persona. Cisco pxGrid is used to share the context-sensitive information from the Cisco ISE session directory to other policy network systems such as Cisco Adaptive Security Appliance (ASA). The pxGrid framework can also be used to exchange policy and configuration data between nodes, such as sharing tags and policy objects between ISE and third-party vendors, and for non-ISE related information exchanges such as threat information.

Related Topics
Personas in Distributed Cisco ISE Deployments, on page 32
Administration Node, on page 38
Policy Service Node, on page 40
Monitoring Node, on page 41
pxGrid Node, on page 43
Synchronize Primary and Secondary Cisco ISE Nodes, on page 49
Create a Policy Service Node Group, on page 50
Cisco Identity Services Engine Administrator Guide, Release 1.3 685 System Administration
Deploy pxGrid Node, on page 51
Change Node Personas and Services, on page 49
Configure Monitoring Nodes for Automatic Failover, on page 51

Profiling Node Settings

The following table describes the fields on the Profiling Configuration page, which you can use to configure the probes for the profiler service. The navigation path for this page is: Administration > System > Deployment > ISE Node > Edit > Profiling Configuration.

Table 57: Profiling Node Settings

Fields / Usage Guidelines

NetFlow: Check this check box if you want to enable NetFlow per Cisco ISE node that has assumed the Policy Service persona to receive NetFlow packets sent from the routers. Choose these options:
• Interface—Choose the interface on the ISE node.
• Port—Enter the NetFlow listener port number on which NetFlow exports are received from the routers. The default port is 9996.

DHCP: Check this check box if you want to enable DHCP per Cisco ISE node that has assumed the Policy Service persona to listen for DHCP packets from IP helper. Choose these options:
• Interface—Choose the interface on the ISE node.
• Port—Enter the DHCP server UDP port number. The default port is 67.

DHCP SPAN: Check this check box if you want to enable DHCP SPAN per Cisco ISE node that has assumed the Policy Service persona to collect DHCP packets.
• Interface—Choose the interface on the ISE node.

HTTP: Check this check box if you want to enable HTTP per Cisco ISE node that has assumed the Policy Service persona to receive and parse HTTP packets.
• Interface—Choose the interface on the ISE node.

RADIUS: Check this check box if you want to enable RADIUS per ISE node that has assumed the Policy Service persona to collect RADIUS session attributes as well as CDP and LLDP attributes from the IOS Sensor enabled devices.

Network Scan (NMAP): Check this box to enable the NMAP probe.

DNS: Check this check box if you want to enable DNS per ISE node that has assumed the Policy Service persona to perform a DNS lookup for the FQDN. Enter the timeout period in seconds.
Note: For the DNS probe to work on a particular Cisco ISE node in a distributed deployment, you must enable any one of the following probes: DHCP, DHCP SPAN, HTTP, RADIUS, or SNMP. For DNS lookup, one of the probes mentioned above must be started along with the DNS probe.

SNMP Query: Check this check box if you want to enable SNMP Query per ISE node that has assumed the Policy Service persona to poll network devices at specified intervals. Enter values for the following fields: Retries, Timeout, Event Timeout, and an optional Description.
Note: In addition to configuring the SNMP Query probe, you must also configure other SNMP settings in the following location: Administration > Network Resources > Network Devices. When you configure SNMP settings on the network devices, ensure that you enable the Cisco Discovery Protocol (CDP) and Link Layer Discovery Protocol (LLDP) globally on your network devices.

SNMP Trap: Check this check box if you want to enable the SNMP Trap probe per ISE node that has assumed the Policy Service persona to receive linkUp, linkDown, and MAC notification traps from the network devices. Choose any of the following:
• Link Trap Query—Check this check box to receive and interpret linkup and linkdown notifications received through the SNMP Trap.
• MAC Trap Query—Check this check box to receive and interpret MAC notifications received through the SNMP Trap.
• Interface—Choose an interface on the ISE node.
• Port—Enter the UDP port of the host to use. The default port is 162.

Active Directory: Scans the defined Active Directory servers for information about Windows users.

Related Topics
Cisco ISE Profiling Service, on page 452
Network Probes Used by Profiling Service, on page 454
Configure Profiling Service in Cisco ISE Nodes, on page 453

Inline Posture Node Settings

The following table describes the fields on the Deployment Nodes List page for an Inline Posture node, which you can use to configure the Inline Posture nodes in your deployment. The navigation path for this page is: Administration > System > Deployment > Inline Posture Node > Edit.
Table 58: Inline Posture Node Settings

Fields / Usage Guidelines

Basic Information

Time Sync Server: Enter the IP address of the primary, secondary, and tertiary time sync server.

DNS Server: Enter the IP address of the primary, secondary, and tertiary DNS server.

Trusted Interface (to protected network): Enter the Management VLAN ID (all the other information is automatically populated for these options).

Untrusted Interface (to management network): Enter the IP Address, Subnet Mask, Default Gateway, and Management VLAN ID for the untrusted interface.

Deployment Modes

Routed Mode: Choose this option for this node to provide router (hop in the wire) functionality for Inline Posture.

Bridged Mode: Choose this option for this node to provide VLAN mapping functionality for the subnets to be managed by Inline Posture. After checking the Bridged Mode check box, enter the Untrusted Network and Trusted Network VLAN ID information. For VLAN mapping, you should also do the following:
• Add a mapping for management traffic by entering the appropriate VLAN ID for the trusted and untrusted networks.
• Add a mapping for client traffic by entering the appropriate VLAN ID for the trusted and untrusted networks.

Filters

MAC Address: Enter the MAC Address of the device on which to avoid policies. For security reasons, we recommend that you always include the IP address along with the MAC address in a MAC filter entry. Do not configure the MAC address in a MAC filter for a directly connected ASA VPN device without also entering the IP address. Without the addition of the optional IP address, VPN clients are allowed to bypass policy enforcement. This bypass happens because the VPN is a Layer 3 hop for clients, and the device uses its own MAC address as the source address to send packets along the network toward the Inline Posture node.

IP Address: Enter the IP Address of the device on which to avoid policies.

Description: Enter a description of the MAC Filter.

Subnet Address: Enter the subnet Address of the device on which to avoid policies.

Subnet Mask: Enter the subnet Mask of the device on which to avoid policies.

Description: Enter a description of the Subnet Filter.

RADIUS Config

IPN RADIUS Config: Enter the IP address, shared secret, timeout in seconds, and number of retries for the primary RADIUS server, usually the Policy Service node. The timeout and retry values should be based on the timeout and retries that you define on the client such as WLC or ASA. We recommend the following: (Timeout * No. of Retries)
HA Peer Node: Choose the HA Peer Node from the drop-down list. A list of eligible standalone Inline Posture nodes appears from which to choose. The secondary node syncs to the primary node.
• Replication Status—(Only appears for secondary nodes) Indicates whether incremental replication from the primary node to the secondary node is complete or not. You will see one of the following states:
◦ Failed—Incremental database replication has failed.
◦ In-Progress—Incremental database replication is currently in progress.
◦ Complete—Incremental database replication is complete.
◦ Not Applicable—Displayed if the Cisco ISE node is a standalone or primary node.
• Sync Status—(Only appears for secondary Cisco ISE nodes) Indicates whether replication from the primary node to the secondary node is complete or not. A replication happens when a node is registered as secondary or when you click Syncup to force a replication. You will see one of the following states:
◦ Sync Completed—Full database replication is complete.
◦ Sync in Progress—Database replication is currently in progress.
◦ Out of Sync—Database was down when the secondary node was registered with the primary Cisco ISE node.
◦ Not Applicable—Displayed if the Cisco ISE node is a standalone node.

Service IP (Trusted): Enter the Trusted Service IP address (eth0) for the traffic interface of the primary node.

Service IP (Untrusted): Enter the Untrusted Service IP address (eth1) for the traffic interface of the primary node. In the bridged mode, the service IP address is the same for both trusted and untrusted networks.

Link Detect (Trusted): Enter the IP address (optional, but recommended as a best practice) for the Link-Detect system for the trusted and untrusted sides. This address is usually the IP address of the Policy Service node, because both the active and standby nodes should always be able to reach the Policy Service node.

Link Detect (Untrusted): Enter the IP address for the Link-Detect system for the untrusted side.
Link Detect Timeout: Enter a Link-Detect Timeout value. The default value of 30 seconds is recommended. However, there is no maximum value. Link-detect ensures that the Inline Posture node maintains communication with the Policy Service node. If the active node does not receive notification (ping) from the Policy Service node at the specified intervals, the active node fails over to the standby node.

Heart Beat Timeout: Enter a Heart Beat Timeout value. The default value of 30 seconds is recommended. However, there is no maximum value. The heartbeat is a message that is sent between the two Inline Posture nodes at specified intervals. The heartbeat happens on the eth2 and eth3 interfaces. If the heartbeat stops or does not receive a response in the allotted time, failover occurs.

Syncup Peer Node: If the sync status for any secondary node is out of sync, click Syncup Peer Node to force a full database replication.
Note: You must use the Syncup option to force a full replication if the Sync Status is Out of Sync or the Replication Status is Failed.

Certificate Store Settings

The Certificate Store page enables you to configure certificates in Cisco ISE that can be used for authentication.

Self-Signed Certificate Settings

The following table describes the fields in the Generate Self Signed Certificate page. This page allows you to create system certificates for inter-node communication, EAP-TLS authentication, Cisco ISE web portals, and to communicate with the pxGrid controller. The navigation path for this page is: Administration > System > Certificates > System Certificates > Generate Self Signed Certificate.

Fields / Usage Guidelines

Select Node: (Required) The node for which you want to generate the system certificate.

Common Name (CN): (Required if you do not specify a SAN) By default, the common name is the Fully Qualified Domain Name of the ISE node for which you are generating the self-signed certificate.

Organizational Unit (OU): Organizational Unit name. For example, Engineering.

Organization (O): Organization name. For example, Cisco.

City (L): (Do not abbreviate) City name. For example, San Jose.

State (ST): (Do not abbreviate) State name. For example, California.

Country (C): Country name. You must enter the two-letter ISO country code. For example, US.
Subject Alternative Name (SAN): An IP address or DNS name that is associated with the certificate.

Key Length: Choose 2048 if you plan to get a public CA-signed certificate.

Digest to Sign With: Choose one of the following hashing algorithms: SHA-1 or SHA-256.

Expiration TTL: Specify the number of days after which the certificate will expire.

Friendly Name: Enter a friendly name for the certificate. If you do not specify a name, Cisco ISE automatically creates a name in the format ## where … is a unique five-digit number.

Usage: Choose the service for which this system certificate should be used:
• Admin—Server certificate used to secure communication with the Admin portal and between ISE nodes in a deployment
• EAP Authentication—Server certificate used for authentications that use the EAP protocol for SSL/TLS tunneling
• pxGrid—Client and server certificate to secure communication between the pxGrid client and server
• Portal—Server certificate used to secure communication with all Cisco ISE web portals

Related Topics
System Certificates, on page 135
View System Certificates, on page 136
Generate a Self-Signed Certificate, on page 137

Certificate Signing Request Settings

Cisco ISE allows you to generate CSRs for all the nodes in your deployment from the Admin portal in a single request. Also, you can choose to generate the CSR for a single node or for multiple nodes in the deployment. If you choose to generate a CSR for a single node, ISE automatically substitutes the Fully Qualified Domain Name (FQDN) of the particular node in the CN= field of the certificate subject. If you choose to include an entry in the Subject Alternative Name (SAN) field of the certificate, you must enter the FQDN of the ISE node in addition to other SAN attributes. If you choose to generate CSRs for all the nodes in your deployment, check the Allow Wildcard Certificates check box and enter the wildcard FQDN notation in the SAN field (DNS name), for example, *.amer.example.com. If you plan to use the certificate for EAP Authentication, do not enter the wildcard value in the CN= field.

With the use of wildcard certificates, you no longer have to generate a unique certificate for each Cisco ISE node. Also, you no longer have to populate the SAN field with multiple FQDN values to prevent certificate warnings. Using an asterisk (*) in the SAN field allows you to share a single certificate across multiple nodes in a deployment and helps prevent certificate name mismatch warnings. However, use of wildcard certificates is considered less secure than assigning a unique server certificate for each Cisco ISE node.

The following table describes the fields in the Certificate Signing Request (CSR) page, which you can use to generate a CSR that can be signed by a Certificate Authority (CA). The navigation path for this page is: Administration > System > Certificates > Certificate Management > Certificate Signing Request.
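The following Python is an added example, not Cisco ISE code or anything from this guide: it builds the CN and SAN names the CSR rules above call for and checks a planned CSR against them (node FQDN present in the SAN, a wildcard only in the SAN and never in the CN for EAP Authentication, and single-label wildcard matching, which is why *.amer.example.com covers nodes in that subdomain only). All node names and domains are constructed.

```python
# Added example (not Cisco ISE code): plan and check CSR names per the
# wildcard/SAN rules above. Node names and domains are constructed.
from dataclasses import dataclass

EAP_USAGE = "EAP Authentication"


@dataclass
class CsrPlan:
    common_name: str
    san_dns: list          # DNS-name SAN entries, possibly including "*.domain"
    usage: str             # Admin, EAP Authentication, pxGrid or Portal


def plan_csr(node_fqdns, usage, wildcard_domain=None):
    """Single node: CN = that node's FQDN and the SAN repeats it.
    All nodes: add "*.<domain>" to the SAN; the CN stays a real FQDN
    (the first node), never the wildcard, so EAP Authentication stays valid."""
    nodes = list(node_fqdns)
    if not nodes:
        raise ValueError("at least one node FQDN is required")
    san = nodes if wildcard_domain is None else nodes + ["*." + wildcard_domain]
    return CsrPlan(common_name=nodes[0], san_dns=san, usage=usage)


def san_matches(pattern, host):
    """Wildcard match as TLS clients apply it: '*' covers exactly one label."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if p[0] != "*":
        return p == h
    return len(p) == len(h) and p[1:] == h[1:]


def check_plan(plan, node_fqdns):
    """Return problems found; an empty list means the plan follows the guide."""
    problems = []
    if "*" in plan.common_name and plan.usage == EAP_USAGE:
        problems.append("wildcard CN= is not allowed for EAP Authentication")
    has_wildcard = any(n.startswith("*.") for n in plan.san_dns)
    for node in node_fqdns:
        # Without a wildcard, a SAN that is present must list the node's own FQDN.
        if plan.san_dns and not has_wildcard and node not in plan.san_dns:
            problems.append(f"SAN must include node FQDN {node}")
        # Clients check the SAN when present and fall back to the CN otherwise.
        names = plan.san_dns or [plan.common_name]
        if not any(san_matches(n, node) for n in names):
            problems.append(f"{node} would raise a certificate name mismatch warning")
    return problems
```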
Field / Usage Guidelines

Certificate(s) will be used for: