Cisco ISE 1.3 User Guide
Cisco Identity Services Engine Administrator Guide, Release 1.3, System Administration, page 695

Usage: Choose the service for which you are going to use the certificate:

Cisco ISE Identity Certificates
• Admin—Used for server authentication (to secure communication with the Admin portal and between ISE nodes in a deployment). The certificate template on the signing CA is often called a Web Server certificate template. This template has the following properties:
  ◦ Key Usage: Digital Signature (Signing)
  ◦ Extended Key Usage: TLS Web Server Authentication (1.3.6.1.5.5.7.3.1)
• EAP Authentication—Used for server authentication. The certificate template on the signing CA is often called a Computer or Machine certificate template. This template has the following properties:
  ◦ Key Usage: Digital Signature (Signing)
  ◦ Extended Key Usage: TLS Web Server Authentication (1.3.6.1.5.5.7.3.1)
• Portal—Used for server authentication (to secure communication with all ISE web portals). The certificate template on the signing CA is often called a Computer or Machine certificate template. This template has the following properties:
  ◦ Key Usage: Digital Signature (Signing)
  ◦ Extended Key Usage: TLS Web Server Authentication (1.3.6.1.5.5.7.3.1)
• pxGrid—Used for both client and server authentication (to secure communication between the pxGrid client and server). The certificate template on the signing CA is often called a Computer or Machine certificate template. This template has the following properties:
  ◦ Key Usage: Digital Signature (Signing)
  ◦ Extended Key Usage: TLS Web Server Authentication (1.3.6.1.5.5.7.3.1) and TLS Web Client Authentication (1.3.6.1.5.5.7.3.2)

Note: We recommend that you do not use a certificate that contains the value of 2.5.29.37.0 for the Any Purpose object identifier in the Extended Key Usage attribute. If you use a certificate that contains the value of 2.5.29.37.0 for the Any Purpose object identifier in the Extended Key Usage attribute, the certificate is considered invalid and the following error message is displayed:
source=local;type=fatal;message="unsupported certificate"

Cisco ISE Certificate Authority Certificates
• ISE Root CA—(Applicable only for the internal CA service) Used for regenerating the entire internal CA certificate chain including the root CA on the Primary PAN and subordinate CAs on the PSNs.
• ISE Intermediate CA—(Applicable only for the internal CA service when ISE acts as an intermediate CA of an external PKI) Used to generate an intermediate CA certificate on the Primary PAN and subordinate CA certificates on the PSNs. The certificate template on the signing CA is often called a Subordinate Certificate Authority. This template has the following properties:
  ◦ Basic Constraints: Critical, Is a Certificate Authority
  ◦ Key Usage: Certificate Signing, Digital Signature
  ◦ Extended Key Usage: OCSP Signing (1.3.6.1.5.5.7.3.9)
• Renew ISE OCSP Responder Certificates—(Applicable only for the internal CA service) Used to renew the ISE OCSP responder certificate for the entire deployment (and is not a certificate signing request). For security reasons, we recommend that you renew the ISE OCSP responder certificates every six months.

Allow Wildcard Certificates: Check this check box to use a wildcard character (*) in the CN and/or the DNS name in the SAN field of the certificate. If you check this check box, all the nodes in the deployment are selected automatically. You must use the asterisk (*) wildcard character in the left-most label position. If you use wildcard certificates, we recommend that you partition your domain space for greater security. For example, instead of *.example.com, you can partition it as *.amer.example.com. If you do not partition your domain, it can lead to security issues.

Generate CSRs for these Nodes: Check the check boxes next to the nodes for which you want to generate the certificate. To generate a CSR for select nodes in the deployment, you must uncheck the Allow Wildcard Certificates option.

Common Name (CN): By default, the common name is the FQDN of the ISE node for which you are generating the CSR. $FQDN$ denotes the FQDN of the ISE node. When you generate CSRs for multiple nodes in the deployment, the Common Name field in the CSRs is replaced with the FQDN of the respective ISE nodes.

Organizational Unit (OU): Organizational Unit name. For example, Engineering.

Organization (O): Organization name. For example, Cisco.

City (L): (Do not abbreviate) City name. For example, San Jose.

State (ST): (Do not abbreviate) State name. For example, California.

Country (C): Country name. You must enter the two-letter ISO country code. For example, US.
Subject Alternative Name (SAN): An IP address or DNS name that is associated with the certificate. Available options for SAN include:
• DNS Name—If you choose the DNS name, enter the fully qualified domain name of the ISE node. If you have enabled the Allow Wildcard Certificates option, specify the wildcard notation (an asterisk and a period before the domain name). For example, *.amer.example.com.
• IP Address—IP address of the ISE node to be associated with the certificate.

Key Length: Choose 2048 or greater if you plan to get a public CA-signed certificate.

Digest to Sign With: Choose one of the following hashing algorithms: SHA-1 or SHA-256.

Related Topics
Certificate Signing Requests, on page 144
Create a Certificate Signing Request and Submit the CSR to a Certificate Authority, on page 144
Bind the CA-Signed Certificate to the CSR, on page 145

Endpoint Certificate Overview Page

The following table describes the fields on the Certificate Management Overview page. The PSN nodes in your deployment issue certificates to endpoints. This page provides you information about the endpoint certificates issued by each of the PSN nodes in your deployment. The navigation path for this page is: Administration > System > Certificates > Overview.

Node Name: Name of the Policy Service node (PSN) that issued the certificate.

Endpoint Certificates Issued: Number of endpoint certificates issued by the PSN node.

Endpoint Certificates Revoked: Number of revoked endpoint certificates (certificates that were issued by the PSN node).

Endpoint Certificates Requests: Number of certificate-based authentication requests processed by the PSN node.

Endpoint Certificates Failed: Number of failed authentication requests processed by the PSN node.

Related Topics
Endpoint Certificates, on page 154
User and Endpoint Certificate Renewal, on page 149
Configure Cisco ISE to Use Certificates for Authenticating Personal Devices, on page 158
Configure Cisco ISE to Allow Users to Renew Certificates, on page 150
Revoke an Endpoint Certificate, on page 169

System Certificate Import Settings

The following table describes the fields in the Import System Certificate page that you can use to import a server certificate. The navigation path for this page is: Administration > System > Certificates > System Certificates > Import.

Select Node: (Required) Choose the Cisco ISE node on which you want to import the system certificate.

Certificate File: (Required) Click Browse to select the certificate file from your local system.

Private Key File: (Required) Click Browse to select the private key file.

Password: (Required) Enter the password to decrypt the private key file.

Friendly Name: Enter a friendly name for the certificate. If you do not specify a name, Cisco ISE automatically creates a name in the format ##, where the final placeholder is a unique five-digit number.

Allow Wildcard Certificates: Check this check box if you want to import a wildcard certificate (a certificate that contains an asterisk (*) in any Common Name in the Subject and/or the DNS name in the Subject Alternative Name). For example, the DNS name assigned to the SAN can be *.amer.cisco.com. If you check this check box, Cisco ISE imports this certificate to all the other nodes in the deployment.

Enable Validation of Certificate: Check this check box if you want Cisco ISE to validate the certificate extensions. If you check this check box and the certificate that you are importing contains a basic constraints extension with the CA flag set to true, ensure that the key usage extension is present, and that the keyEncipherment bit or the keyAgreement bit, or both, are also set.

Usage: Choose the service for which this system certificate should be used:
• Admin—Server certificate used to secure communication with the Admin portal and between ISE nodes in a deployment
• EAP Authentication—Server certificate used for authentications that use the EAP protocol for SSL/TLS tunneling
• pxGrid—Client and server certificate to secure communication between the pxGrid client and server
• Portal—Server certificate used to secure communication with all Cisco ISE web portals
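The per-usage Extended Key Usage requirements, the Any Purpose rejection, the wildcard-placement rule and the import-time basic-constraints check described above, written out as an added example in Python (not Cisco code); it works on already-parsed certificate attributes, so the function names, the "template property" warning and the problem strings are this example's own assumptions:

```python
# Added example (not Cisco code): the certificate rules documented above for the
# Usage field, the Allow Wildcard Certificates option and Enable Validation of
# Certificate, applied to already-parsed certificate attributes (OID strings and
# key-usage bit names) so that no certificate library is needed.
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"  # TLS Web Server Authentication
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"  # TLS Web Client Authentication
ANY_PURPOSE = "2.5.29.37.0"        # Any Purpose: ISE treats the certificate as invalid
ISE_ERROR = 'source=local;type=fatal;message="unsupported certificate"'

# Extended Key Usage values each ISE usage needs, per the template properties above.
REQUIRED_EKU = {
    "Admin": {SERVER_AUTH},
    "EAP Authentication": {SERVER_AUTH},
    "Portal": {SERVER_AUTH},
    "pxGrid": {SERVER_AUTH, CLIENT_AUTH},
}


def wildcard_ok(name):
    """True if the name has no '*' or the '*' is the whole left-most label."""
    if "*" not in name:
        return True
    labels = name.split(".")
    return len(labels) > 1 and labels[0] == "*" and all("*" not in l for l in labels[1:])


def check_system_cert(usage, eku, key_usage, ca_flag, names, allow_wildcard, validate_ext=True):
    """Return the list of problems found; an empty list means the certificate fits the usage.

    eku/key_usage: iterables of EKU OID strings and key-usage bit names;
    ca_flag: the Basic Constraints CA flag; names: CN plus SAN DNS names.
    """
    problems = []
    if ANY_PURPOSE in eku:
        problems.append(ISE_ERROR)
    missing = REQUIRED_EKU[usage] - set(eku)
    if missing:
        problems.append(f"{usage} requires EKU {sorted(missing)}")
    if "digitalSignature" not in key_usage:
        problems.append("template property missing: Key Usage Digital Signature")
    for name in names:
        if "*" in name and not allow_wildcard:
            problems.append(f"{name} is a wildcard name but Allow Wildcard Certificates is off")
        elif not wildcard_ok(name):
            problems.append(f"{name}: the * must be the left-most label")
    # Import-time rule: CA=true certificates must also carry keyEncipherment or keyAgreement.
    if validate_ext and ca_flag and not {"keyEncipherment", "keyAgreement"} & set(key_usage):
        problems.append("CA flag is true but keyUsage has neither keyEncipherment nor keyAgreement")
    return problems
```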
Related Topics
System Certificates, on page 135
View System Certificates, on page 136
Import a System Certificate, on page 136

Trusted Certificate Store Page

The following table describes the fields on the Trusted Certificates Store page, which you can use to view the certificates that are added to the Administration node. The navigation path for this page is: Administration > System > Certificates > Trusted Certificates.

Table 59: Certificate Store Page

Friendly Name: Displays the name of the certificate.

Status: Enabled or Disabled. If Disabled, ISE will not use the certificate for establishing trust.

Trusted for: Displays the service for which the certificate is used.

Issued To: Common Name (CN) of the certificate subject.

Issued By: Common Name (CN) of the certificate issuer.

Valid From: The "Not Before" certificate attribute.

Expiration Date: The "Not After" certificate attribute.

Expiration Status: Provides information about the status of the certificate expiration. There are five icons and categories of informational message that appear in this column:
• Green—Expiring in more than 90 days
• Blue—Expiring in 90 days or less
• Yellow—Expiring in 60 days or less
• Orange—Expiring in 30 days or less
• Red—Expired

Related Topics
Trusted Certificates Store, on page 139
View Trusted Store Certificates, on page 141
Change the Status of a Certificate in Trusted Certificates Store, on page 141
Add a Certificate to Trusted Certificates Store, on page 142
Edit Certificate Settings

The following table describes the fields on the Certificate Store Edit Certificate page, which you can use to edit the Certificate Authority (CA) certificate attributes. The navigation path for this page is: Administration > System > Certificates > Certificate Store > Certificate > Edit.

Table 60: Certificate Store Edit Settings

Certificate Issuer

Friendly Name: Enter a friendly name for the certificate.

Status: Choose Enabled or Disabled. If Disabled, ISE will not use the certificate for establishing trust.

Description: Enter an optional description.

Usage

Trust for authentication within ISE: Check the check box if you want this certificate to verify server certificates (from other ISE nodes or LDAP servers).

Trust for client authentication and Syslog: (Applicable only if you check the Trust for authentication within ISE check box) Check the check box if you want this certificate to be used to:
• Authenticate endpoints that connect to ISE using the EAP protocol
• Trust a Syslog server

Trust for authentication of Cisco Services: Check this check box if you want this certificate to be used to trust external Cisco services such as the feed service.

Certificate Status Validation: ISE supports two ways of checking the revocation status of a client or server certificate that is issued by a particular CA. The first is to validate the certificate using the Online Certificate Status Protocol (OCSP), which makes a request to an OCSP service maintained by the CA. The second is to validate the certificate against a Certificate Revocation List (CRL) which is downloaded from the CA into ISE. Both of these methods can be enabled, in which case OCSP is used first, and only if a status determination cannot be made is the CRL used.

Validate Against OCSP Service: Check the check box to validate the certificate against OCSP services. You must first create an OCSP Service to be able to check this box.

Reject the request if OCSP returns UNKNOWN status: Check the check box to reject the request if the certificate status is not determined by OCSP. If you check this check box, an unknown status value returned by the OCSP service will cause ISE to reject the client or server certificate currently being evaluated.

Download CRL: Check the check box for Cisco ISE to download a CRL.

CRL Distribution URL: Enter the URL to download the CRL from a CA. This field will be automatically populated if it is specified in the certificate authority certificate. The URL must begin with "http", "https", or "ldap".

Retrieve CRL: The CRL can be downloaded automatically or periodically. Configure the time interval between downloads.

If download failed, wait: Configure the time interval to wait before Cisco ISE tries to download the CRL again.

Bypass CRL Verification if CRL is not Received: Check this check box for the client requests to be accepted before the CRL is received. If you uncheck this check box, all client requests that use certificates signed by the selected CA will be rejected until Cisco ISE receives the CRL file.

Ignore that CRL is not yet valid or expired: Check this check box if you want Cisco ISE to ignore the start date and expiration date and continue to use the not yet active or expired CRL and permit or reject the EAP-TLS authentications based on the contents of the CRL. Uncheck this check box if you want Cisco ISE to check the CRL file for the start date in the Effective Date field and the expiration date in the Next Update field. If the CRL is not yet active or has expired, all authentications that use certificates signed by this CA are rejected.

Related Topics
Trusted Certificates Store, on page 139
Edit a Trusted Certificate, on page 142

Trusted Certificate Import Settings

The following table describes the fields on the Trusted Certificate Import page, which you can use to add Certificate Authority (CA) certificates to Cisco ISE. The navigation path for this page is: Administration > System > Certificates > Trusted Certificates > Import.

Table 61: Trusted Certificate Import Settings

Browse: Click Browse to choose the certificate file from the computer that is running the browser.
Friendly Name: Enter a friendly name for the certificate. If you do not specify a name, Cisco ISE automatically creates a name in the format ##, where the final placeholder is a unique five-digit number.

Trust for authentication within ISE: Check the check box if you want this certificate to be used to verify server certificates (from other ISE nodes or LDAP servers).

Trust for client authentication and Syslog: (Applicable only if you check the Trust for authentication within ISE check box) Check the check box if you want this certificate to be used to:
• Authenticate endpoints that connect to ISE using the EAP protocol
• Trust a Syslog server

Trust for authentication of Cisco Services: Check this check box if you want this certificate to be used to trust external Cisco services such as the feed service.

Enable Validation of Certificate Extensions: (Only if you check both the Trust for client authentication and Enable Validation of Certificate Extensions options) Ensure that the "keyUsage" extension is present and the "keyCertSign" bit is set, and that the basic constraints extension is present with the CA flag set to true.

Description: Enter an optional description.

Related Topics
Trusted Certificates Store, on page 139
Certificate Chain Import, on page 144
Import the Root Certificates to the Trusted Certificate Store, on page 143

OCSP Client Profile Settings

The following table describes the fields on the OCSP Client Profile page, which you can use to configure OCSP client profiles. The navigation path for this page is Administration > Certificates > Certificate Management > OCSP Profile.

Name: Name of the OCSP Client Profile.

Description: Enter an optional description.

Enable Secondary Server: Check this check box to enable a secondary OCSP server for high availability.
Always Access Primary Server First: Use this option to check the primary server before trying to move to the secondary server. Even if the primary was checked earlier and found to be unresponsive, Cisco ISE will try to send a request to the primary server before moving to the secondary server.

Fallback to Primary Server After Interval n Minutes: Use this option when you want Cisco ISE to move to the secondary server and then fall back to the primary server again. In this case, all other requests are skipped, and the secondary server is used for the amount of time that is configured in the text box. The allowed time range is 1 to 999 minutes.

URL: Enter the URL of the primary and/or secondary OCSP server.

Enable Nonce Extension Support: You can configure a nonce to be sent as part of the OCSP request. The Nonce includes a pseudo-random number in the OCSP request. It is verified that the number that is received in the response is the same as the number that is included in the request. This option ensures that old communications cannot be reused in replay attacks.

Validate Response Signature: The OCSP responder signs the response with one of the following certificates:
• The CA certificate
• A certificate different from the CA certificate
In order for Cisco ISE to validate the response signature, the OCSP responder needs to send the response along with the certificate, otherwise the response verification fails, and the status of the certificate cannot be relied on. According to the RFC, OCSP can sign the response using different certificates. This is true as long as OCSP sends the certificate that signed the response for Cisco ISE to validate it. If OCSP signs the response with a different certificate that is not configured in Cisco ISE, the response verification will fail.
Cache Entry Time To Live n Minutes: Enter the time in minutes after which the cache entry expires.
Each response from the OCSP server holds a nextUpdate value. This value shows when the status of the certificate will be updated next on the server. When the OCSP response is cached, the two values (one from the configuration and another from the response) are compared, and the response is cached for the period of time that is the lowest value of these two. If the nextUpdate value is 0, the response is not cached at all.
Cisco ISE will cache OCSP responses for the configured time. The cache is not replicated or persistent, so when Cisco ISE restarts, the cache is cleared.
The OCSP cache is used in order to maintain the OCSP responses and for the following reasons:
• To reduce network traffic and load from the OCSP servers on an already-known certificate
• To increase the performance of Cisco ISE by caching already-known certificate statuses

Clear Cache: Click Clear Cache to clear entries of all the certificate authorities that are connected to the OCSP service. In a deployment, Clear Cache interacts with all the nodes and performs the operation. This mechanism updates every node in the deployment.

Related Topics
OCSP Services, on page 169
Cisco ISE CA Service Online Certificate Status Protocol Responder, on page 169
OCSP Certificate Status Values, on page 170
OCSP High Availability, on page 170
OCSP Failures, on page 170
OCSP Statistics Counters, on page 171
Add OCSP Client Profiles, on page 171

Internal CA Settings

The following table describes the fields in the internal CA settings page. You can view the internal CA settings and disable the internal CA service from this page. The navigation path for this page is: Administration > System > Certificates > Internal CA Settings.

Disable Certificate Authority: Click this button to disable the internal CA service.

Host Name: Hostname of the Cisco ISE node that is running the CA service.
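The revocation-check order from the Certificate Status Validation and CRL fields of the Edit Certificate Settings table (OCSP first, the CRL only when OCSP yields no determination, with the Reject-if-UNKNOWN, Bypass-CRL and Ignore-CRL-validity check boxes deciding the edge cases) and the Cache Entry Time To Live rule, modelled as an added example in Python; this is not Cisco code, and the config class, status names and sample CRL data are this example's assumptions:

```python
from dataclasses import dataclass, field
from datetime import datetime

@dataclass
class CaRevocationConfig:  # the Edit Certificate check boxes (field names assumed)
    validate_ocsp: bool = False          # Validate Against OCSP Service
    reject_ocsp_unknown: bool = False    # Reject the request if OCSP returns UNKNOWN status
    download_crl: bool = False           # Download CRL
    bypass_if_crl_missing: bool = False  # Bypass CRL Verification if CRL is not Received
    ignore_crl_validity: bool = False    # Ignore that CRL is not yet valid or expired

@dataclass
class Crl:  # stand-in for a downloaded CRL: Effective Date, Next Update, revoked serials
    effective: datetime
    next_update: datetime
    revoked_serials: set = field(default_factory=set)

# Constructed sample data for the checks below (not real ISE data).
NOW = datetime(2015, 1, 10)
SAMPLE_CRL = Crl(datetime(2015, 1, 1), datetime(2015, 2, 1), {0x1234})
STALE_CRL = Crl(datetime(2014, 1, 1), datetime(2014, 2, 1), set())

def check_certificate(serial, cfg, ocsp_status, crl, now):
    """Return ('accept' | 'reject', reason) for one client or server certificate.
    ocsp_status: 'good', 'revoked', 'unknown', or None when no verifiable OCSP
    answer was obtained; crl: a Crl, or None when the CRL file has not been received."""
    if cfg.validate_ocsp:  # OCSP is always consulted first
        if ocsp_status == "good":
            return "accept", "ocsp good"
        if ocsp_status == "revoked":
            return "reject", "ocsp revoked"
        if ocsp_status == "unknown" and cfg.reject_ocsp_unknown:
            return "reject", "ocsp unknown"
        # No determination from OCSP: fall through to the CRL, if one is configured.
    if cfg.download_crl:
        if crl is None:
            if cfg.bypass_if_crl_missing:
                return "accept", "crl not received, bypass"
            return "reject", "crl not received"
        if not cfg.ignore_crl_validity and not (crl.effective <= now <= crl.next_update):
            return "reject", "crl not yet valid or expired"
        if serial in crl.revoked_serials:
            return "reject", "crl revoked"
        return "accept", "crl good"
    return "accept", "no determination"  # assumption: nothing left to reject on

def ocsp_cache_ttl(configured_minutes, next_update_minutes):
    """Cache lifetime in minutes: the lower of the configured TTL and the response's
    nextUpdate; a nextUpdate of 0 means the response is not cached at all."""
    if next_update_minutes == 0:
        return 0
    return min(configured_minutes, next_update_minutes)
```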