Cisco ISE 1.3 User Guide
Table 81: Endpoint Settings

MAC Address
  Enter the MAC address in hexadecimal format to create an endpoint statically. The MAC address is the device identifier for the interface that is connected to the Cisco ISE enabled network.

Static Assignment
  Check this check box when you want to create an endpoint statically in the Endpoints page; the status of static assignment is then set to static. You can toggle the status of static assignment of an endpoint from static to dynamic or from dynamic to static.

Policy Assignment
  (Disabled by default unless Static Assignment is checked) Choose a matching endpoint policy from the Policy Assignment drop-down list. You can do one of the following:
  • If you do not choose a matching endpoint policy, but use the default endpoint policy Unknown, then the static assignment status is set to dynamic for the endpoint, which allows dynamic profiling of the endpoint.
  • If you choose a matching endpoint policy other than Unknown, then the static assignment status is set to static for that endpoint and the Static Assignment check box is automatically checked.

Static Group Assignment
  (Disabled by default unless Static Group Assignment is checked) Check this check box when you want to assign an endpoint to an identity group statically. If you check this check box, the profiling service does not change the endpoint identity group the next time it evaluates the endpoint policy for these endpoints, even if they were previously assigned dynamically to other endpoint identity groups. If you uncheck this check box, then the endpoint identity group is dynamic, as assigned by the ISE profiler based on policy configuration. If you do not choose the Static Group Assignment option, then the endpoint is automatically assigned to the matching identity group the next time the endpoint policy is evaluated.

Cisco Identity Services Engine Administrator Guide, Release 1.3 725 Identity Management
Identity Group Assignment
  Choose an endpoint identity group to which you want to assign the endpoint. You can assign an endpoint to an identity group when you create an endpoint statically, or when you do not want to use the Create Matching Identity Group option during evaluation of the endpoint policy for an endpoint. Cisco ISE includes the following system-created endpoint identity groups:
  • Blacklist
  • GuestEndpoints
  • Profiled
    ◦ Cisco IP-Phone
    ◦ Workstation
  • RegisteredDevices
  • Unknown

Related Topics
Identified Endpoints, on page 499
Create Endpoints with Static Assignments of Policies and Identity Groups, on page 495

Endpoint Import from LDAP Settings

The following table describes the fields on the Import from LDAP page, which you can use to import endpoints from an LDAP server. The navigation path for this page is: Administration > Identity Management > Identities > Endpoints.

Table 82: Endpoint Import from LDAP Settings

Connection Settings

Host
  Enter the hostname, or the IP address of the LDAP server.

Port
  Enter the port number of the LDAP server. You can use the default port 389 to import from an LDAP server, and the default port 636 to import from an LDAP server over SSL.
  Note: Cisco ISE supports any configured port number. The configured value should match the LDAP server connection details.

Enable Secure Connection
  Check the Enable Secure Connection check box to import from an LDAP server over SSL.
Root CA Certificate Name
  Click the drop-down arrow to view the trusted CA certificates. The Root CA Certificate Name refers to the trusted CA certificate that is required to connect to an LDAP server. You can add (import), edit, delete, and export trusted CA certificates in Cisco ISE.

Anonymous Bind
  Check the Anonymous Bind check box to enable the anonymous bind. You must either enable the Anonymous Bind check box, or enter the LDAP administrator credentials from the slapd.conf configuration file.

Admin DN
  Enter the distinguished name (DN) configured for the LDAP administrator in the slapd.conf configuration file.
  Admin DN format example: cn=Admin,dc=cisco.com,dc=com

Password
  Enter the password configured for the LDAP administrator in the slapd.conf configuration file.

Base DN
  Enter the distinguished name of the parent entry.
  Base DN format example: dc=cisco.com,dc=com

Query Settings

MAC Address objectClass
  Enter the query filter, which is used for importing the MAC address. For example, ieee802Device.

MAC Address Attribute Name
  Enter the returned attribute name for import. For example, macAddress.

Profile Attribute Name
  Enter the name of the LDAP attribute. This attribute holds the policy name for each endpoint entry that is defined in the LDAP server. When you configure the Profile Attribute Name field, consider the following:
  • If you do not specify this LDAP attribute in the Profile Attribute Name field, or configure this attribute incorrectly, then endpoints are marked "Unknown" during an import operation, and these endpoints are profiled separately to the matching endpoint profiling policies.
  • If you configure this LDAP attribute in the Profile Attribute Name field, the attribute values are validated to ensure that the endpoint policy matches an existing policy in Cisco ISE, and the endpoints are imported. If the endpoint policy does not match an existing policy, then those endpoints are not imported.

Time Out [seconds]
  Enter the time in seconds, between 1 and 60 seconds.
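The Profile Attribute Name rules above decide, per LDAP entry, whether an endpoint is imported with a named policy, imported as Unknown, or not imported at all. The following is an added example, not code from the Cisco guide or from ISE itself: it models those rules over constructed LDAP entries (the policy names, attribute name endpointProfile and DNs are assumptions) so that an administrator can preview which entries an import run would reject.

```python
# Added example (not from the Cisco guide): models the Profile Attribute Name
# rules of an Endpoint Import from LDAP run. Entries, the attribute name
# "endpointProfile" and the policy names are constructed for illustration.
from dataclasses import dataclass, field
from typing import Optional

# Endpoint profiling policies assumed to exist in ISE (constructed sample).
ISE_POLICIES = {"Cisco-IP-Phone", "Workstation", "Unknown"}

# Constructed entries as returned by the query settings of Table 82
# (objectClass ieee802Device, returned attribute macAddress).
LDAP_ENTRIES = [
    {"dn": "cn=phone1,dc=example,dc=com", "macAddress": "00-11-22-33-44-55", "endpointProfile": "Cisco-IP-Phone"},
    {"dn": "cn=ws1,dc=example,dc=com", "macAddress": "00-11-22-33-44-66", "endpointProfile": "Workstation"},
    {"dn": "cn=badprofile,dc=example,dc=com", "macAddress": "00-11-22-33-44-77", "endpointProfile": "Printer"},
    {"dn": "cn=noprofile,dc=example,dc=com", "macAddress": "00-11-22-33-44-88"},
]

@dataclass
class ImportResult:
    imported: list = field(default_factory=list)  # (mac, policy) pairs
    skipped: list = field(default_factory=list)   # MACs whose policy name is not in ISE

def import_endpoints(entries, mac_attr, profile_attr: Optional[str],
                     policies=ISE_POLICIES) -> ImportResult:
    """Apply the guide's rules:
    - Profile Attribute Name empty, or the attribute absent from the entry
      (treated here as "configured incorrectly"): import, marked Unknown
    - attribute present and its value is an existing ISE policy: import with it
    - attribute present but its value is not an ISE policy: do not import
    """
    result = ImportResult()
    for entry in entries:
        mac = entry[mac_attr]
        if not profile_attr or profile_attr not in entry:
            result.imported.append((mac, "Unknown"))
            continue
        policy = entry[profile_attr]
        if policy in policies:
            result.imported.append((mac, policy))
        else:
            result.skipped.append(mac)
    return result

def unknown_policy_values(entries, profile_attr, policies=ISE_POLICIES) -> set:
    """Pre-import check: policy names found in LDAP that do not exist in ISE."""
    return {e[profile_attr] for e in entries if profile_attr in e} - set(policies)
```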
Related Topics
Identified Endpoints, on page 499
Import Endpoints from LDAP Server, on page 498

Groups

These pages enable you to configure and manage endpoint identity groups.

Endpoint Identity Group Settings

The following table describes the fields on the Endpoint Identity Groups page, which you can use to create an endpoint group. The navigation path for this page is: Administration > Identity Management > Groups > Endpoint Identity Groups.

Table 83: Endpoint Identity Group Settings

Name
  Enter the name of the endpoint identity group that you want to create.

Description
  Enter a description for the endpoint identity group that you want to create.

Parent Group
  Choose an endpoint identity group from the Parent Group drop-down list to which you want to associate the newly created endpoint identity group. Cisco ISE includes the following five endpoint identity groups:
  • Blacklist
  • GuestEndpoints
  • Profiled
  • RegisteredDevices
  • Unknown
  In addition, it creates two more identity groups, Cisco-IP-Phone and Workstation, which are associated to the Profiled (parent) identity group.

Related Topics
Identified Endpoints Grouped in Endpoint Identity Groups, on page 502
Create Endpoint Identity Groups, on page 501

External Identity Sources

These pages enable you to configure and manage external identity sources that contain user data that Cisco ISE uses for authentication and authorization.
LDAP Identity Source Settings

The following table describes the fields on the LDAP Identity Sources page, which you can use to create an LDAP instance and connect to it. The navigation path for this page is: Administration > Identity Management > External Identity Sources > LDAP.

LDAP General Settings

The following table describes the fields in the General tab.

Table 84: LDAP General Settings

Name
  Enter a name for the LDAP instance. This value is used in searches to obtain the subject DN and attributes. The value is of type string and the maximum length is 64 characters.

Description
  Enter a description for the LDAP instance. This value is of type string, and has a maximum length of 1024 characters.

Schema
  You can choose any one of the following built-in schema types or create a custom schema:
  • Active Directory
  • Sun Directory Server
  • Novell eDirectory
  You can click the arrow next to Schema to view the schema details. If you edit the attributes of the predefined schema, Cisco ISE automatically creates a Custom schema.

Note: The following fields can be edited only when you choose the Custom schema.

Subject Objectclass
  Enter a value to be used in searches to obtain the subject DN and attributes. The value is of type string and the maximum length is 256 characters.

Subject Name Attribute
  Enter the name of the attribute containing the username in the request. The value is of type string and the maximum length is 256 characters.

Certificate Attribute
  Enter the attribute that contains the certificate definitions. For certificate-based authentication, these definitions are used to validate certificates that are presented by clients.

Group Objectclass
  Enter a value to be used in searches to specify the objects that are recognized as groups. The value is of type string and the maximum length is 256 characters.

Group Map Attribute
  Specifies the attribute that contains the mapping information. This attribute can be a user or group attribute based on the reference direction that is chosen.
Subject Objects Contain Reference To Groups
  Click this radio button if the subject objects contain an attribute that specifies the group to which they belong.

Group Objects Contain Reference To Subjects
  Click this radio button if the group objects contain an attribute that specifies the subject. This value is the default value.

Subjects in Groups Are Stored in Member Attribute As
  (Only available when you select the Group Objects Contain Reference To Subjects radio button) Specifies how members are sourced in the group member attribute and defaults to the DN.

LDAP Connection Settings

The following table describes the fields in the Connection Settings tab.

Table 85: LDAP Connection Settings

Enable Secondary Server
  Check this option to enable the secondary LDAP server to be used as a backup if the primary LDAP server fails. If you check this check box, you must enter configuration parameters for the secondary LDAP server.

Primary and Secondary Servers

Hostname/IP
  Enter the IP address or DNS name of the machine that is running the LDAP software. The hostname can contain from 1 to 256 characters or a valid IP address expressed as a string. The only valid characters for hostnames are alphanumeric characters (a to z, A to Z, 0 to 9), the dot (.), and the hyphen (-).

Port
  Enter the TCP/IP port number on which the LDAP server is listening. Valid values are from 1 to 65,535. The default is 389, as stated in the LDAP specification. If you do not know the port number, you can find this information from the LDAP server administrator.

Access
  Anonymous Access: Click to ensure that searches on the LDAP directory occur anonymously. The server does not distinguish who the client is and will allow the client read access to any data that is configured as accessible to any unauthenticated client. In the absence of a specific policy permitting authentication information to be sent to a server, a client should use an anonymous connection.
  Authenticated Access: Click to ensure that searches on the LDAP directory occur with administrative credentials. If so, enter information for the Admin DN and Password fields.
Admin DN
  Enter the DN of the administrator. The Admin DN is the LDAP account that has permission to search all required users under the User Directory Subtree and to search groups. If the administrator specified does not have permission to see the group name attribute in searches, group mapping fails for users who are authenticated by that LDAP server.

Password
  Enter the LDAP administrator account password.

Secure Authentication
  Click to use SSL to encrypt communication between Cisco ISE and the primary LDAP server. Verify that the Port field contains the port number used for SSL on the LDAP server. If you enable this option, you must choose a root CA.

LDAP Server Root CA
  Choose a trusted root certificate authority from the drop-down list to enable secure authentication with a certificate.

Server Timeout
  Enter the number of seconds that Cisco ISE waits for a response from the primary LDAP server before determining that the connection or authentication with that server has failed. Valid values are 1 to 99. The default is 10.

Max. Admin Connections
  Enter the maximum number of concurrent connections (greater than 0) with LDAP administrator account permissions that can run for a specific LDAP configuration. These connections are used to search the directory for users and groups under the User Directory Subtree and the Group Directory Subtree. Valid values are 1 to 99. The default is 20.

Test Bind to Server
  Click to test and ensure that the LDAP server details and credentials can successfully bind. If the test fails, edit your LDAP server details and retest.

Failover

Always Access Primary Server First
  Click this option if you want Cisco ISE to always access the primary LDAP server first for authentications and authorizations.

Failback to Primary Server After
  If the primary LDAP server that Cisco ISE attempts to contact cannot be reached, Cisco ISE attempts to contact the secondary LDAP server. If you want Cisco ISE to use the primary LDAP server again, click this option and enter a value in the text box.

LDAP Directory Organization Settings

The following table describes the fields in the Directory Organization tab.
Table 86: LDAP Directory Organization Settings

Subject Search Base
  Enter the DN for the subtree that contains all subjects. For example:
  o=corporation.com
  If the tree containing subjects is the base DN, enter:
  o=corporation.com
  or
  dc=corporation,dc=com
  as applicable to your LDAP configuration. For more information, refer to your LDAP database documentation.

Group Search Base
  Enter the DN for the subtree that contains all groups. For example:
  ou=organizational unit,ou=next organizational unit,o=corporation.com
  If the tree containing groups is the base DN, type:
  o=corporation.com
  or
  dc=corporation,dc=com
  as applicable to your LDAP configuration. For more information, refer to your LDAP database documentation.

Search for MAC Address in Format
  Enter a MAC address format for Cisco ISE to use for search in the LDAP database. MAC addresses in internal identity sources are sourced in the format xx-xx-xx-xx-xx-xx. MAC addresses in LDAP databases can be sourced in different formats. However, when Cisco ISE receives a host lookup request, Cisco ISE converts the MAC address from the internal format to the format that is specified in this field.
  Use the drop-down list to enable searching for MAC addresses in a specific format, where the format can be any one of the following:
  • xxxx.xxxx.xxxx
  • xxxxxxxxxxxx
  • xx-xx-xx-xx-xx-xx
  • xx:xx:xx:xx:xx:xx
  The format you choose must match the format of the MAC address sourced in the LDAP server.
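The conversion behind the Search for MAC Address in Format field, as an added example that is not part of the Cisco guide or of ISE: it renders an internal xx-xx-xx-xx-xx-xx address in whichever of the four drop-down formats the LDAP server uses, and builds the search filter a host lookup would send. It goes slightly beyond the text by accepting any of the four formats as input and rejecting everything else before the value reaches a filter; the attribute name macAddress is taken from the Table 82 example and the sample addresses are constructed.

```python
# Added example (not from the Cisco guide): MAC format conversion for the
# "Search for MAC Address in Format" setting plus the resulting LDAP filter.
# Accepting all four formats as input is an extension; "macAddress" as the
# filter attribute is an assumption taken from the Table 82 example.
import re

# The four formats offered by the drop-down list, keyed by the guide's labels;
# each renders 12 bare hex digits in that layout.
FORMATS = {
    "xxxx.xxxx.xxxx": lambda h: ".".join(h[i:i + 4] for i in (0, 4, 8)),
    "xxxxxxxxxxxx": lambda h: h,
    "xx-xx-xx-xx-xx-xx": lambda h: "-".join(h[i:i + 2] for i in range(0, 12, 2)),
    "xx:xx:xx:xx:xx:xx": lambda h: ":".join(h[i:i + 2] for i in range(0, 12, 2)),
}

# One separator style per address: xx-xx-.. / xx:xx:.. (same separator
# throughout), xxxx.xxxx.xxxx, or 12 bare hex digits.
_MAC_RE = re.compile(
    r"^[0-9a-f]{2}([-:])(?:[0-9a-f]{2}\1){4}[0-9a-f]{2}$"
    r"|^[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}$"
    r"|^[0-9a-f]{12}$"
)

def normalize_mac(mac: str) -> str:
    """Return the 12 hex digits of a MAC given in any of the four formats.
    Anything else is rejected so that only validated text reaches the filter."""
    mac = mac.strip().lower()
    if not _MAC_RE.match(mac):
        raise ValueError(f"not a MAC address in a supported format: {mac!r}")
    return re.sub(r"[-:.]", "", mac)

def to_search_format(mac: str, fmt: str) -> str:
    """Render a MAC in the format configured for the LDAP server (fmt is one
    of the FORMATS keys); this is the conversion ISE applies on host lookup."""
    return FORMATS[fmt](normalize_mac(mac))

def host_lookup_filter(mac: str, fmt: str, attr: str = "macAddress") -> str:
    """Equality filter for the MAC in the configured format, e.g.
    (macAddress=0011.2233.4455); the attribute name is an assumption."""
    return f"({attr}={to_search_format(mac, fmt)})"
```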
  Enter the appropriate text to remove domain prefixes from usernames.
  If, in the username, Cisco ISE finds the delimiter character that is specified in this field, it strips all characters from the beginning of the username through the delimiter character. If the username contains more than one of the characters that are specified in the box, Cisco ISE strips characters through the last occurrence of the delimiter character. For example, if the delimiter character is the backslash (\) and the username is DOMAIN\user1, Cisco ISE submits user1 to an LDAP server.
  The value cannot contain the following special characters: the pound sign (#), the question mark (?), the quotation mark ("), the asterisk (*), the right angle bracket (>), and the left angle bracket (<).

LDAP Group Settings

Add
  Choose Add > Add Group to add a new group or choose Add > Select Groups From Directory to select the groups from the LDAP directory. If you choose to add a group, enter a name for the new group. If you are selecting from the directory, enter the filter criteria, and click Retrieve Groups. Check the check boxes next to the groups that you want to select and click OK. The groups that you have selected will appear in the Groups page.
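The domain-prefix stripping rule described above, as an added example that is not from the Cisco guide or from ISE: it strips through the last occurrence of any delimiter character in the field and refuses delimiter values containing the six characters the field rejects. The sample usernames are constructed, and treating an empty delimiter field as "no stripping" is an assumption.

```python
# Added example (not from the Cisco guide): domain-prefix stripping before a
# username is submitted to LDAP, with the delimiter-field validation rule.
# Sample usernames are constructed; an empty field meaning "do not strip"
# is an assumption.

# Characters the guide says the delimiter field cannot contain.
FORBIDDEN = set('#?"*><')

def validate_delimiters(delimiters: str) -> str:
    """Reject a delimiter setting that contains any forbidden character."""
    bad = FORBIDDEN & set(delimiters)
    if bad:
        raise ValueError("delimiter contains forbidden character(s): " + "".join(sorted(bad)))
    return delimiters

def strip_domain_prefix(username: str, delimiters: str) -> str:
    """Remove everything up to and including the LAST occurrence of any
    delimiter character, as ISE does before submitting the name to LDAP."""
    validate_delimiters(delimiters)
    # rfind returns -1 when a character is absent; max() picks the last hit.
    last = max((username.rfind(c) for c in delimiters), default=-1)
    return username[last + 1:] if last >= 0 else username
```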
LDAP Attribute Settings

Table 88: LDAP Attribute Settings

Add
  Choose Add > Add Attribute to add a new attribute or choose Add > Select Attributes From Directory to select attributes from the LDAP server. If you choose to add an attribute, enter a name for the new attribute. If you are selecting from the directory, enter the username and click Retrieve Attributes to retrieve the user's attributes. Check the check boxes next to the attributes that you want to select, and then click OK.

Related Topics
LDAP Directory Service, on page 271
LDAP User Authentication, on page 273
LDAP User Lookup, on page 275
Add LDAP Identity Sources, on page 276

RADIUS Token Identity Sources Settings

The following table describes the fields on the RADIUS Token Identity Sources page, which you can use to configure and connect to an external RADIUS identity source. The navigation path for this page is: Administration > Identity Management > External Identity Sources > RADIUS Token.

Table 89: RADIUS Token Identity Source Settings

Name
  Enter a name for the RADIUS token server. The maximum number of characters allowed is 64.

Description
  Enter a description for the RADIUS token server. The maximum number of characters is 1024.

SafeWord Server
  Check this check box if your RADIUS identity source is a SafeWord server.

Enable Secondary Server
  Check this check box to enable the secondary RADIUS token server for Cisco ISE to use as a backup in case the primary fails. If you check this check box, you must configure a secondary RADIUS token server.

Always Access Primary Server First
  Click this radio button if you want Cisco ISE to always access the primary server first.