Cisco Ise 13 User Guide
Posture Reassessment Configuration Settings

The following table describes the fields in the Posture Reassessment Configurations page, which you can use to configure posture reassessment. The navigation path for this page is: Administration > System > Settings > Posture > Reassessments.

Table 71: Posture Reassessment Configuration Settings

Configuration Name: Enter the name of the PRA configuration.

Configuration Description: Enter a description for the PRA configuration.

Use Reassessment Enforcement?: Check the check box to apply the PRA configurations for the user identity groups.

Enforcement Type: Choose the action to be enforced:
  • Continue—The user continues to have the privileged access without any user intervention to remediate the client irrespective of the posture requirement.
  • Logoff—If the client is not compliant, the user is forced to log off from the network. When the client logs in again, the compliance status is unknown.
  • Remediate—If the client is not compliant, the agent waits for a specified time for the remediation to happen. Once the client has remediated, the agent sends the PRA report to the policy service node. If the remediation is ignored on the client, then the agent sends a logoff request to the policy service node to force the client to log off from the network.
  If the posture requirement is set to mandatory, then the RADIUS session will be cleared as a result of the PRA failure action and a new RADIUS session has to start for the client to be postured again.
  If the posture requirement is set to optional, then the NAC Agent allows the user to click the continue option from the agent. The user can continue to stay in the current network without any restriction.

Interval: Enter a time interval in minutes to initiate PRA on the clients after the first successful login. The default value is 240 minutes. The minimum value is 60 minutes and the maximum is 1440 minutes.

Cisco Identity Services Engine Administrator Guide, Release 1.3    715    System Administration

Grace time: Enter a time interval in minutes to allow the client to complete remediation. The grace time cannot be zero, and should be greater than the PRA interval. It can range between the default minimum interval (5 minutes) and the minimum PRA interval. The minimum value is 5 minutes and the maximum value is 60 minutes.
  Note: The grace time is enabled only when the enforcement type is set to the remediate action after the client fails the posture reassessment.

Select User Identity Groups: Choose a unique group or a unique combination of groups for your PRA configuration.

PRA configurations: Displays existing PRA configurations and the user identity groups associated with PRA configurations.

Related Topics
Posture Lease, on page 571
Periodic Reassessments, on page 571
Posture Assessment Options
Posture Remediation Options, on page 580
Custom Conditions for Posture, on page 581
Custom Posture Remediation Actions, on page 581
Configure Periodic Reassessments, on page 571

Posture Acceptable Use Policy Configuration Settings

The following table describes the fields in the Posture Acceptable Use Policy Configurations page, which you can use to configure an acceptable use policy for posture. The navigation path for this page is: Administration > System > Settings > Posture > Acceptable Use Policy.

Table 72: Posture AUP Configurations Settings

Configuration Name: Enter the name of the AUP configuration that you want to create.

Configuration Description: Enter the description of the AUP configuration that you want to create.

Show AUP to Agent users (for NAC Agent and Web Agent on Windows only): If checked, users (of NAC Agents and Web Agents on Windows only) are shown a link to the network usage terms and conditions for your network; they can click it to view the AUP upon successful authentication and posture assessment.

Use URL for AUP message radio button: When selected, you must enter the URL to the AUP message in the AUP URL field, which clients must access upon successful authentication and posture assessment.

Use file for AUP message radio button: When selected, you must browse to the location and upload a file in zipped format in the AUP File field; the zip file must contain the index.html at the top level. The .zip file can include other files and subdirectories in addition to the index.html file. These files can reference each other using HTML tags.

AUP URL: Enter the URL to the AUP, which clients must access upon successful authentication and posture assessment.

AUP File: In the AUP File field, browse to the file and upload it to the Cisco ISE server. It should be a zipped file and the zipped file should contain the index.html file at the top level.

Select User Identity Groups: In the Select User Identity Groups drop-down list, choose a unique user identity group, or a unique combination of user identity groups, for your AUP configuration.
  Note the following while creating an AUP configuration:
  • Posture AUP is not applicable for a guest flow.
  • Each configuration must have a unique user identity group, or a unique combination of user identity groups.
  • No two configurations have any user identity group in common.
  • If you want to create an AUP configuration with the user identity group “Any”, then delete all other AUP configurations first.
  • If you create an AUP configuration with the user identity group “Any”, then you cannot create other AUP configurations with a unique user identity group, or user identity groups. To create an AUP configuration with a user identity group other than Any, either delete the existing AUP configuration with the user identity group “Any” first, or update the existing AUP configuration with the user identity group “Any” to use a unique user identity group, or user identity groups.

Acceptable use policy configurations—Configurations list: Lists existing AUP configurations and the end user identity groups associated with AUP configurations.

Related Topics
Posture Service, on page 566
Configure Acceptable Use Policies for Posture Assessment, on page 573
EAP-FAST Settings

The following table describes the fields on the Protocol Settings page, which you can use to configure the EAP-FAST, EAP-TLS, and PEAP protocols. The navigation path for this page is: Administration > System > Settings > Protocols > EAP-FAST > EAP FAST Settings.

Table 73: Configuring EAP-FAST Settings

Authority Identity Info Description: Enter a user-friendly string that describes the Cisco ISE node that sends credentials to a client. The client can discover this string in the Protected Access Credentials (PAC) information for type, length, and value (TLV). The default value is Identity Services Engine.

Master Key Generation Period: Specifies the master key generation period in seconds, minutes, hours, days, or weeks. The value must be a positive integer in the range 1 to 2147040000 seconds. The default is 604800 seconds, which is equivalent to one week.

Revoke all master keys and PACs: Click Revoke to revoke all master keys and PACs.

Enable PAC-less Session Resume: Check this check box if you want to use EAP-FAST without the PAC files.

PAC-less Session Timeout: Specifies the time in seconds after which the PAC-less session resume times out. The default is 7200 seconds.

Related Topics
Protocol Settings for Authentication, on page 419
Guidelines for Using EAP-FAST as Authentication Protocol, on page 419
Benefits of EAP-FAST, on page 878
Configure EAP-FAST Settings, on page 420

Generate PAC for EAP-FAST Settings

The following table describes the fields on the Generate PAC page, which you can use to configure protected access credentials for EAP-FAST authentication. The navigation path for this page is: Administration > System > Settings > Protocols > EAP-FAST > Generate PAC.

Table 74: Generating PAC for EAP-FAST Settings

Tunnel PAC: Click this radio button to generate a tunnel PAC.

Machine PAC: Click this radio button to generate a machine PAC.

Trustsec PAC: Click this radio button to generate a Trustsec PAC.

Identity: (For the Tunnel and Machine PAC identity field) Specifies the username or machine name that is presented as the “inner username” by the EAP-FAST protocol. If the identity string does not match that username, authentication fails. This is the hostname as defined on the Adaptive Security Appliance (ASA). The identity string must match the ASA hostname; otherwise, the ASA cannot import the PAC file that is generated. If you are generating a Trustsec PAC, the Identity field specifies the Device ID of a Trustsec network device and is provided with an initiator ID by the EAP-FAST protocol. If the Identity string entered here does not match that Device ID, authentication fails.

PAC Time to Live: (For the Tunnel and Machine PAC) Enter a value in seconds that specifies the expiration time for the PAC. The default is 604800 seconds, which is equivalent to one week. This value must be a positive integer between 1 and 157680000 seconds. For the Trustsec PAC, enter a value in days, weeks, months, or years. By default, the value is one year. The minimum value is one day and the maximum is 10 years.

Encryption Key: Enter an encryption key. The length of the key must be between 8 and 256 characters. The key can contain uppercase or lowercase letters, or numbers, or a combination of alphanumeric characters.

Expiration Data: (For Trustsec PAC only) The expiration date is calculated based on the PAC Time to Live.

Related Topics
Protocol Settings for Authentication, on page 419
Guidelines for Using EAP-FAST as Authentication Protocol, on page 419
Generate the PAC for EAP-FAST, on page 420

EAP-TLS Settings

The following table describes the fields on the EAP-TLS Settings page, which you can use to configure the EAP-TLS protocol settings. The navigation path for this page is: Administration > System > Settings > Protocols > EAP-TLS.

Table 75: EAP-TLS Settings

Enable EAP-TLS Session Resume: Check this check box to support an abbreviated reauthentication of a user who has passed full EAP-TLS authentication. This feature provides reauthentication of the user with only a Secure Sockets Layer (SSL) handshake and without applying the certificates. EAP-TLS session resume works only if the EAP-TLS session has not timed out.

EAP-TLS Session Timeout: Specifies the time in seconds after which the EAP-TLS session times out. The default value is 7200 seconds.

Related Topics
Protocol Settings for Authentication, on page 419
Configure EAP-TLS Settings, on page 420

PEAP Settings

The following table describes the fields on the PEAP Settings page, which you can use to configure the PEAP protocol settings. The navigation path for this page is: Administration > System > Settings > Protocols > PEAP.

Table 76: PEAP Settings

Enable PEAP Session Resume: Check this check box for the Cisco ISE to cache the TLS session that is created during phase one of PEAP authentication, provided the user successfully authenticates in phase two of PEAP. If a user needs to reconnect and the original PEAP session has not timed out, the Cisco ISE uses the cached TLS session, resulting in faster PEAP performance and a reduced AAA server load. You must specify a PEAP session timeout value for the PEAP session resume feature to work.

PEAP Session Timeout: Specifies the time in seconds after which the PEAP session times out. The default value is 7200 seconds.

Enable Fast Reconnect: Check this check box to allow a PEAP session to resume in the Cisco ISE without checking user credentials when the session resume feature is enabled.

Related Topics
Protocol Settings for Authentication, on page 419
Configure PEAP Settings, on page 421
Advantages of Using PEAP, on page 876
Supported Supplicants for the PEAP Protocol, on page 876
PEAP Protocol Flow, on page 877

RADIUS Settings

The following table describes the fields on the RADIUS Settings page. The navigation path for this page is: Administration > System > Settings > Protocols > RADIUS.

When you enable anomalous client suppression and an endpoint authentication fails twice within the configured detection interval, Cisco ISE marks the supplicant as misconfigured and suppresses additional failed authentications with the same failure reason. You can find more details about the suppression by clicking the Misconfigured Supplicant Counter link on the Live Authentications page. A successful authentication from a suppressed endpoint clears the suppression, and results in a decrease in the Misconfigured Supplicant Counter value on the Live Authentications page. Also, if there is no authentication activity from the suppressed endpoint for a period of six hours, the suppression is cleared automatically.
Cisco ISE allows you to enable strong suppression by enabling the Reject Requests After Detection option. If you check the Reject Requests After Detection check box, and an endpoint authentication fails five times with the same failure reason, Cisco ISE activates strong suppression. All subsequent authentications, whether successful or not, are suppressed, and authentication does not occur. This “strong” suppression is cleared after the configured Request Rejection Interval elapses or after six hours of authentication inactivity from the endpoint.

Table 77: RADIUS Settings

Suppress Anomalous Clients: Check this check box to detect the clients for which the authentications fail repeatedly. A summary of the failures will be reported every Reporting Interval.

Detection Interval: Enter the time interval in minutes within which the clients are to be detected.

Reporting Interval: Enter the time interval in minutes at which the failed authentications are to be reported.

Reject Requests After Detection: Check this check box to reject the requests from a client that is identified as anomalous or misconfigured. The requests from anomalous clients will be rejected during the Request Rejection Interval.

Request Rejection Interval: Enter the time interval in minutes for which the requests are to be rejected. This option is available only when you have checked the Reject Requests After Detection check box.

Suppress Repeated Successful Authentications: Check this check box to prevent repeated reporting of successful authentication requests in the last 24 hours that have no change in identity context, network device, and authorization.

Accounting Suppression Interval: Enter the time interval in seconds for which the reporting of accounting requests is to be suppressed.

Long Processing Step Threshold Interval: Enter the time interval in milliseconds. The steps are displayed in authentication details reports. If the execution of a single step exceeds the specified threshold, then it will be highlighted in the authentication details report.

Related Topics
Protocol Settings for Authentication, on page 419
RADIUS Protocol Support in Cisco ISE, on page 872
Configure RADIUS Settings, on page 421
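As an added illustration (not from the Cisco guide), the following Python model walks through the suppression rules described above: two failures within the Detection Interval flag the supplicant and suppress further failures with the same reason, five same-reason failures with Reject Requests After Detection enabled activate strong suppression that rejects every request until the Request Rejection Interval elapses, and a successful authentication or six idle hours clears the state. The class and method names, and the way failures are counted (per endpoint, since the last success or reset), are assumptions; the thresholds and timers are the ones the text gives.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

INACTIVITY_CLEAR = timedelta(hours=6)  # text: suppression is cleared after six idle hours
MISCONFIGURED_AFTER = 2                # text: two failures within the detection interval
STRONG_AFTER = 5                       # text: five failures with the same failure reason

@dataclass
class EndpointState:
    failures: list = field(default_factory=list)  # (timestamp, failure reason) since last reset
    misconfigured_reason: "str | None" = None     # set once the supplicant is flagged
    strong_until: "datetime | None" = None        # end of the Request Rejection Interval
    last_seen: "datetime | None" = None

class AnomalousClientSuppressor:
    def __init__(self, detection_interval_min, reject_after_detection=False, rejection_interval_min=60):
        self.detection_interval = timedelta(minutes=detection_interval_min)
        self.reject_after_detection = reject_after_detection
        self.rejection_interval = timedelta(minutes=rejection_interval_min)
        self.endpoints = {}
    def misconfigured_counter(self):
        """Endpoints currently flagged, as the Misconfigured Supplicant Counter would show."""
        return sum(1 for s in self.endpoints.values() if s.misconfigured_reason is not None)
    def evaluate(self, endpoint, ts, success, reason=None):
        """Return 'reported', 'suppressed', 'rejected' or 'accepted' for one authentication."""
        st = self.endpoints.setdefault(endpoint, EndpointState())
        idle = st.last_seen is not None and ts - st.last_seen >= INACTIVITY_CLEAR
        if idle or (st.strong_until is not None and ts >= st.strong_until):
            st = self.endpoints[endpoint] = EndpointState()  # idle or elapsed interval clears all
        st.last_seen = ts
        if st.strong_until is not None:            # strong suppression rejects even successes
            return "rejected"
        if success:                                # a success clears suppression, counter drops
            st.misconfigured_reason, st.failures = None, []
            return "accepted"
        st.failures.append((ts, reason))
        same = [t for t, r in st.failures if r == reason]
        if self.reject_after_detection and len(same) >= STRONG_AFTER:
            st.strong_until = ts + self.rejection_interval
            return "suppressed"
        if st.misconfigured_reason == reason:
            return "suppressed"                    # already flagged: not reported again
        if sum(1 for t in same if ts - t <= self.detection_interval) >= MISCONFIGURED_AFTER:
            st.misconfigured_reason = reason
            return "suppressed"
        return "reported"

def demo():
    """Constructed scenario: detection 5 min, rejection 60 min, five bad-credential failures."""
    sup = AnomalousClientSuppressor(5, reject_after_detection=True, rejection_interval_min=60)
    t0, mac = datetime(2024, 1, 1, 8, 0), "00:11:22:33:44:55"  # constructed endpoint MAC
    out = [sup.evaluate(mac, t0 + timedelta(minutes=i), False, "bad credentials") for i in range(5)]
    peak = sup.misconfigured_counter()                     # 1: the endpoint is flagged
    out.append(sup.evaluate(mac, t0 + timedelta(minutes=5), True))   # inside rejection interval
    out.append(sup.evaluate(mac, t0 + timedelta(minutes=70), True))  # after it elapsed
    return out, peak, sup.misconfigured_counter()
```

Running demo() shows the first failure reported, the next four suppressed, a success during the rejection interval rejected, and the counter returning to zero once a success is accepted.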
TrustSec Settings

You must define the global TrustSec settings for Cisco ISE to function as a TrustSec server and provide TrustSec services. The following table describes the fields in the TrustSec Settings window (Administration > System > Settings > TrustSec Settings).

Table 78: Configuring TrustSec Settings

Tunnel PAC Time to Live: Specify the expiry time for the PAC. The tunnel PAC generates a tunnel for the EAP-FAST protocol. You can specify the time in seconds, minutes, hours, days, or weeks. The default value is 90 days. The following are the valid ranges:
  • 1-157680000 seconds
  • 1-2628000 minutes
  • 1-43800 hours
  • 1-1825 days
  • 1-260 weeks

Proactive PAC Update Will Occur After: Cisco ISE proactively provides a new PAC to a client after successful authentication when a configured percentage of the Tunnel PAC TTL remains. The server initiates the tunnel PAC update if the first successful authentication occurs before the PAC expires. This mechanism allows the client to be updated with a valid PAC. The default value is 10%.

Related Topics
TrustSec Architecture, on page 591
TrustSec Components, on page 592
Configure TrustSec Global Settings, on page 594

SMS Gateway Settings

The navigation path for these settings is Guest Access > Settings > SMS Gateway.

Use these settings to configure sending SMS messages to guests and sponsors via an email server.

Table 79: SMS Gateway Settings for SMS Email Gateway

SMS Gateway Provider Domain: Enter the provider domain, which is used as the host portion, with the guest account's mobile number as the user portion, of the email address to send the message to the provider's SMS/MMS gateway.

Provider account address (Optional): Enter the account address, which is used as the FROM address (typically the account address) for the email and overrides the Default Email Address global setting in Guest Access > Settings.

SMTP API destination address (Optional): Enter the SMTP API Destination Address, if you are using an SMTP SMS API that requires a specific account recipient address, such as the Clickatell SMTP API. This is used as the TO address for the email, and the guest account's mobile number is substituted into the message's body template.

SMTP API body template (Optional): Enter the SMTP API Body Template, if you are using an SMTP SMS API that requires a specific email body template for sending the SMS, such as the Clickatell SMTP API. The supported dynamic substitutions are $mobilenumber$ and $message$.

The navigation path for these settings is Guest Access > Settings > SMS Gateway.

Use these settings to configure sending SMS messages to guests and sponsors via an HTTP API (GET or POST method).

Table 80: SMS Gateway Settings for SMS HTTP API

URL: Enter the URL for the API. This field is not URL encoded. The guest account's mobile number is substituted into the URL. The supported dynamic substitutions are $mobilenumber$ and $message$. If you are using HTTPS with the HTTP API, include HTTPS in the URL string and upload your provider's trusted certificates into Cisco ISE. Choose Administration > System > Certificates > Trusted Certificates.

Data (Url encoded portion): Enter the Data (Url encoded portion) for the GET or POST request. This field is URL encoded. If using the default GET method, the data is appended to the URL specified above.

Use HTTP POST method for data portion: If using the POST method, check this option. The data specified above is used as the content of the POST request.

HTTP POST data content type: If using the POST method, specify the content type, such as "plain/text" or "application/xml".

HTTPS Username, HTTPS Password, HTTPS Hostname, HTTPS Port number: Enter this information.

Related Topics
SMS Providers and Services, on page 302
Configure SMS Gateways to Send SMS Notifications to Guests, on page 302

Identity Management

These pages enable you to configure and manage identities in Cisco ISE.

Endpoints

These pages enable you to configure and manage endpoints that connect to your network.

Endpoint Settings

The following table describes the fields on the Endpoints page, which you can use to create endpoints and assign policies for endpoints. The navigation path for this page is: Administration > Identity Management > Identities > Endpoints.