Fields and usage guidelines:

Fallback to Primary Server after: Click this radio button to specify the amount of time in minutes that Cisco ISE can authenticate using the secondary RADIUS token server if the primary server cannot be reached. After this time elapses, Cisco ISE reattempts to authenticate against the primary server.

Primary Server

Host IP: Enter the IP address of the primary RADIUS token server. This field takes as input a valid IP address that is expressed as a string. The characters allowed in this field are numbers and dot (.).

Shared Secret: Enter the shared secret that is configured on the primary RADIUS token server for this connection.

Authentication Port: Enter the port number on which the primary RADIUS token server is listening. Valid values are from 1 to 65,535. The default is 1812.

Server Timeout: Specify the time in seconds that Cisco ISE should wait for a response from the primary RADIUS token server before it determines that the primary server is down. Valid values are 1 to 300. The default is 5.

Connection Attempts: Specify the number of attempts that Cisco ISE should make to reconnect to the primary server before moving on to the secondary server (if defined) or dropping the request if a secondary server is not defined. Valid values are 1 to 9. The default is 3.

Secondary Server

Host IP: Enter the IP address of the secondary RADIUS token server. This field takes as input a valid IP address that is expressed as a string. The characters allowed in this field are numbers and dot (.).

Shared Secret: Enter the shared secret configured on the secondary RADIUS token server for this connection.

Authentication Port: Enter the port number on which the secondary RADIUS token server is listening. Valid values are from 1 to 65,535. The default is 1812.

Server Timeout: Specify the time in seconds that Cisco ISE should wait for a response from the secondary RADIUS token server before it determines that the secondary server is down. Valid values are 1 to 300. The default is 5.

Connection Attempts: Specify the number of attempts that Cisco ISE should make to reconnect to the secondary server before dropping the request. Valid values are 1 to 9. The default is 3.

Related Topics

RADIUS Token Identity Sources, on page 279

Cisco Identity Services Engine Administrator Guide, Release 1.3 735 Identity Management
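The following is an added example, not Cisco's code, that models how the Server Timeout, Connection Attempts and Fallback to Primary Server after settings above combine: it validates the documented ranges, computes the worst-case time a request can hang before being dropped, and simulates the primary-then-secondary order and the fallback window. The `reachable(ip, t)` callback and the assumption that the secondary is used directly for the whole fallback window are constructed for the example.

```python
from dataclasses import dataclass

@dataclass
class TokenServer:
    host_ip: str
    auth_port: int = 1812          # defaults from the settings table
    server_timeout: int = 5        # seconds; valid 1..300
    connection_attempts: int = 3   # valid 1..9

    def validate(self) -> "TokenServer":
        for name, value, hi in (("Authentication Port", self.auth_port, 65535),
                                ("Server Timeout", self.server_timeout, 300),
                                ("Connection Attempts", self.connection_attempts, 9)):
            if not 1 <= value <= hi:
                raise ValueError(f"{name} must be 1..{hi}")
        return self

def worst_case_seconds(primary, secondary=None):
    """Seconds a request can hang before being dropped when every server is down."""
    total = primary.server_timeout * primary.connection_attempts
    if secondary is not None:
        total += secondary.server_timeout * secondary.connection_attempts
    return total

class TokenServerPool:
    def __init__(self, primary, secondary=None, fallback_minutes=5):
        self.primary = primary.validate()
        self.secondary = secondary.validate() if secondary else None
        self.fallback_seconds = fallback_minutes * 60
        self.secondary_until = None  # until this time, requests go straight to the secondary

    def _try(self, server, reachable, now):
        # Up to Connection Attempts tries; each failed try costs Server Timeout seconds.
        spent = 0
        for _ in range(server.connection_attempts):
            if reachable(server.host_ip, now + spent):
                return True, spent
            spent += server.server_timeout
        return False, spent

    def authenticate(self, reachable, now):
        """Return (host IP that answered or None, seconds spent); reachable(ip, t) models the network."""
        in_window = self.secondary_until is not None and now < self.secondary_until
        order = [self.secondary] if in_window else [s for s in (self.primary, self.secondary) if s]
        spent = 0
        for server in order:
            ok, used = self._try(server, reachable, now + spent)
            spent += used
            if ok:
                if server is self.secondary and order[0] is self.primary:
                    self.secondary_until = now + spent + self.fallback_seconds
                return server.host_ip, spent
        return None, spent
```

With the defaults, a dead primary costs 15 seconds per request before the secondary is tried, which is the figure to compare against the supplicant's own timeout.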
Related Topics (continued)

Add a RADIUS Token Server, on page 282

RSA SecurID Identity Source Settings

The following table describes the fields on the RSA SecurID Identity Sources page, which you can use to create and connect to an RSA SecurID identity source. The navigation path for this page is: Administration > Identity Management > External Identity Sources > RSA SecurID.

RSA Prompt Settings

The following table describes the fields in the RSA Prompts tab.

Table 90: RSA Prompt Settings

Fields and usage guidelines:

Enter Passcode Prompt: Enter a text string to obtain the passcode.

Enter Next Token Code: Enter a text string to request the next token.

Choose PIN Type: Enter a text string to request the PIN type.

Accept System PIN: Enter a text string to accept the system-generated PIN.

Enter Alphanumeric PIN: Enter a text string to request an alphanumeric PIN.

Enter Numeric PIN: Enter a text string to request a numeric PIN.

Re-enter PIN: Enter a text string to request the user to re-enter the PIN.

RSA Message Settings

The following table describes the fields in the RSA Messages tab.

Table 91: RSA Messages Settings

Fields and usage guidelines:

Display System PIN Message: Enter a text string to label the system PIN message.

Display System PIN Reminder: Enter a text string to inform the user to remember the new PIN.

Must Enter Numeric Error: Enter a message that instructs users to enter only numbers for the PIN.
Must Enter Alpha Error: Enter a message that instructs users to enter only alphanumeric characters for PINs.

PIN Accepted Message: Enter a message that the users see when their PIN is accepted by the system.

PIN Rejected Message: Enter a message that the users see when the system rejects their PIN.

User Pins Differ Error: Enter a message that the users see when they enter an incorrect PIN.

System PIN Accepted Message: Enter a message that the users see when the system accepts their PIN.

Bad Password Length Error: Enter a message that the users see when the PIN that they specify does not fall within the range specified in the PIN length policy.

Related Topics

RSA Identity Sources, on page 283

Cisco ISE and RSA SecurID Server Integration, on page 284

Add RSA Identity Sources, on page 285

Identity Management Settings

User Password Policy Settings

The following table describes the fields on the User Password Policy page, which you can use to define the criteria for user passwords. The navigation path for this page is: Administration > Identity Management > Settings > Password Policy.

Table 92: User Password Policy Settings

Options and descriptions:

Minimum Length: Sets the minimum length of the password (in characters).

Username: Restricts the use of the username or its characters in reversed order.

Cisco: Restricts the use of "cisco" or its characters in reversed order.

Special characters: Restricts the use of special characters that you define, in reverse order.

Repeated characters: Restricts the use of characters repeated four or more times consecutively.
Required characters: Requires that the password include at least one of each of the following types:

• Lowercase alphabetic characters

• Uppercase alphabetic characters

• Numeric characters

• Non-alphanumeric characters

Password History: Enter the number of previous versions from which the password must be different, to prevent the repeated use of the same password. You can also enter the number of characters that must be different from the previous password. Enter the number of days before which you cannot reuse a password.

Password Lifetime: Sets the following options to force users to change passwords after a specified time period:

• Time (in days) before the user account is disabled if the password is not changed

• Reminder (in days) before the user account is disabled

Lock or Suspend Account with Incorrect Login Attempts: Specifies the number of times Cisco ISE records incorrect administrator passwords before locking the administrator out of Cisco ISE, and suspending or disabling account credentials. An e-mail is sent to the administrator whose account gets locked out. You can enter a custom e-mail remediation message.

Network Resources

Network Devices

These pages enable you to add and manage network devices.

Network Device Definition Settings

The following table describes the fields in the Network Devices page, which you can use to configure a network access device in Cisco ISE. The navigation path for this page is: Administration > Network Resources > Network Devices.
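Before moving on to network devices, here is an added example (not Cisco's code) that evaluates a candidate password against the User Password Policy options in Table 92 above: Minimum Length, Username, Cisco, Special characters, Repeated characters, Required characters and the two Password History counts. The function and parameter names are our own; the case-insensitive matching for the Username and Cisco options, the reading of "special characters in reverse order" as the defined sequence forward or reversed, and the position-based count of differing characters are assumptions made for the example.

```python
import re
from typing import Sequence

def _differing_characters(new: str, old: str) -> int:
    # Constructed metric for "characters that must be different from the previous
    # password": positions that differ, plus any difference in length.
    return sum(a != b for a, b in zip(new, old)) + abs(len(new) - len(old))

def check_password(password: str, username: str, *, minimum_length: int,
                   restrict_username: bool = True, restrict_cisco: bool = True,
                   special_characters: str = "", restrict_repeated: bool = True,
                   required: Sequence[str] = ("lower", "upper", "digit", "symbol"),
                   history: Sequence[str] = (), min_different_characters: int = 0):
    """Return the list of policy violations for password; an empty list means it passes."""
    problems = []
    low = password.lower()
    if len(password) < minimum_length:
        problems.append(f"shorter than {minimum_length} characters")
    # Username option: the username, or its characters in reversed order, must not appear.
    if restrict_username and username and (username.lower() in low or username.lower()[::-1] in low):
        problems.append("contains the username or its reverse")
    # Cisco option: the same rule for the string "cisco".
    if restrict_cisco and ("cisco" in low or "ocsic" in low):
        problems.append('contains "cisco" or its reverse')
    # Special characters option (our reading): the admin-defined sequence, forward or reversed.
    if special_characters and (special_characters in password or special_characters[::-1] in password):
        problems.append("contains the restricted special-character sequence")
    # Repeated characters option: the same character four or more times consecutively.
    if restrict_repeated and re.search(r"(.)\1{3,}", password):
        problems.append("repeats a character four or more times in a row")
    # Required characters option: at least one of each selected class.
    classes = {"lower": ("lowercase", str.islower), "upper": ("uppercase", str.isupper),
               "digit": ("numeric", str.isdigit), "symbol": ("non-alphanumeric", lambda c: not c.isalnum())}
    for key in required:
        label, test = classes[key]
        if not any(test(c) for c in password):
            problems.append(f"no {label} character")
    # Password History option: history is oldest first, so history[-1] is the previous password.
    if password in history:
        problems.append("reuses one of the previous passwords")
    elif history and _differing_characters(password, history[-1]) < min_different_characters:
        problems.append(f"differs from the previous password in fewer than {min_different_characters} characters")
    return problems
```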
Network Device Settings

The following table describes the fields in the Network Device section.

Table 93: Network Device Settings

Fields and descriptions:

Name: Enter the name for the network device. You can provide a descriptive name for the network device that is different from the hostname of the device. The device name is a logical identifier.
Note: You cannot edit the name of a device once it is configured.

Description: Enter the description for the device.

IP Address/Mask: Enter a single IP address and a subnet mask. The following guidelines must be followed when defining IP addresses and subnet masks:

• You can define a specific IP address, or a range with a subnet mask. If device A has an IP address range defined, you can configure another device B with an individual address from the range that is defined in device A.

• You cannot define two devices with the same specific IP address.

• You cannot define two devices with the same IP range. The IP ranges must not overlap either partially or completely.

Model Name: Click the drop-down list to choose the device model. You can use the model name as one of the parameters while checking for conditions in rule-based policies. This attribute is present in the device dictionary.

Software Version: Click the drop-down list to choose the version of the software running on the network device. You can use the software version as one of the parameters while checking for conditions in rule-based policies. This attribute is present in the device dictionary.

Network Device Group: Click the Location and Device Type drop-down lists to choose a location and device type that can be associated with the network device. If you do not specifically assign a device to a group when you configure it, it becomes part of the default device groups (root NDGs): All Locations by location and All Device Types by device type.

RADIUS Authentication Settings

The following table describes the fields in the RADIUS Authentication Settings section.
Table 94: RADIUS Authentication Settings

Fields and usage guidelines:

Protocol: Displays RADIUS as the selected protocol.

Shared Secret: Enter a shared secret, which can be up to 127 characters in length. The shared secret is the key that you have configured on the network device using the radius-host command with the pac option.

Enable KeyWrap: Check this check box only when supported on the network device; it increases RADIUS security via an AES KeyWrap algorithm.
Note: When you run Cisco ISE in FIPS mode, you must enable KeyWrap on the network device.

Key Encryption Key: (Only appears when you enable KeyWrap) Enter an encryption key that is used for session encryption (secrecy).

Message Authenticator Code Key: (Only appears when you enable KeyWrap) Enter the key that is used for keyed Hashed Message Authentication Code (HMAC) calculation over RADIUS messages.

Key Input Format: Choose one of the following formats:

• ASCII—The Key Encryption Key must be 16 characters (bytes) long, and the Message Authenticator Code Key must be 20 characters (bytes) long.

• Hexadecimal—The Key Encryption Key must be 32 bytes long, and the Message Authenticator Code Key must be 40 bytes long.

You can specify the key input format that you want to use to enter the Cisco ISE FIPS encryption key, so that it matches the configuration that is available on the WLC. (The value that you specify must be the correct [full] length for the key; shorter values are not permitted.)

SNMP Settings

The following table describes the fields in the SNMP Settings section.
Table 95: SNMP Settings

Fields and usage guidelines:

SNMP Version: Choose the SNMP version to be used for requests from the Version drop-down list. The options are:

• 1—SNMPv1 does not support informs.

• 2c

• 3—SNMPv3 is the most secure model because it allows packet encryption when you choose the Priv security level.

Note: If you have configured your network device with SNMPv3 parameters, you cannot generate the Network Device Session Status Summary report that is provided by the Monitoring service (Operations > Reports > Catalog > Network Device > Session Status Summary). You can generate this report successfully if your network device is configured with SNMPv1 or SNMPv2c parameters.

SNMP RO Community: (Only for SNMP Versions 1 and 2c) Enter the Read Only Community string that provides Cisco ISE with a particular type of access to the device.

SNMP Username: (Only for SNMP Version 3) Enter the SNMP username.

Security Level: (Only for SNMP Version 3) Choose the security level from the following:

• Auth—Enables Message Digest 5 (MD5) or Secure Hash Algorithm (SHA) packet authentication

• No Auth—No authentication and no privacy

• Priv—Enables Data Encryption Standard (DES) packet encryption

Auth Protocol: (Only for SNMP Version 3 when the security level Auth or Priv is selected) Choose the authentication protocol that you want the network device to use. The authentication protocol is one of the following:

• MD5

• SHA

Auth Password: (Only for SNMP Version 3 when the security level Auth or Priv is selected) Enter the authentication key, which must be at least 8 characters in length. Click Show to display the Auth Password that is already configured for the device.
Privacy Protocol: (Only for SNMP Version 3 when the security level Priv is selected) Choose the privacy protocol that you want the network device to use. The privacy protocol is one of the following:

• DES

• AES128

• AES192

• AES256

• 3DES

Privacy Password: (Only for SNMP Version 3 when the security level Priv is selected) Enter the privacy key. Click Show to display the Privacy Password that is already configured for the device.

Polling Interval: Enter the polling interval in seconds. The default is 3600 seconds.

Link Trap Query: Check this check box to receive and interpret linkup and linkdown notifications received through the SNMP Trap.

Mac Trap Query: Check this check box to receive and interpret MAC notifications received through the SNMP Trap.

Originating Policy Service Node: Indicates which ISE server is used to poll for SNMP data. By default, it is automatic, but you can override the setting by assigning a different value.

Advanced TrustSec Settings

The following table describes the fields in the Advanced TrustSec Settings section.

Table 96: Advanced TrustSec Settings

Fields and usage guidelines:

TrustSec Device Notification and Updates Settings

Use Device ID for TrustSec Identification: Check this check box if you want the device name to be listed as the device identifier in the Device ID field.

Device ID: You can enter the device ID in this field only if you have not checked the Use Device ID for TrustSec Identification check box.
Password: Enter the password that you have configured on the TrustSec device CLI to authenticate the TrustSec device. Click Show to display the password that is used to authenticate the TrustSec device.

Download Environment Data Every: Specify the time interval at which the device must download its environment data from Cisco ISE. You can specify the time in seconds, minutes, hours, weeks, or days. The default value is 1 day.

Download Peer Authorization Policy Every: Specify the time interval at which the device must download the peer authorization policy from Cisco ISE. You can specify the time in seconds, minutes, hours, weeks, or days. The default value is 1 day.

Reauthentication Every: Specify the time interval at which the device reauthenticates itself against Cisco ISE after the initial authentication. You can configure the time interval in seconds, minutes, hours, weeks, or days. For example, if you enter 1000 seconds, the device will authenticate itself against Cisco ISE every 1000 seconds. The default value is 1 day.

Download SGACL Lists Every: Specify the time interval at which the device downloads SGACL lists from Cisco ISE. You can configure the time interval in seconds, minutes, hours, weeks, or days. The default value is 1 day.

Other TrustSec Devices to Trust This Device (TrustSec Trusted): Check this check box if you want all the peer devices to trust this TrustSec device. If you uncheck this check box, the peer devices do not trust this device, and all the packets that arrive from this device are colored or tagged accordingly.

Notify this device about TrustSec configuration changes: Check this check box if you want Cisco ISE to send TrustSec CoA notifications to this TrustSec device.

Device Configuration Deployment Settings

Include this device when deploying Security Group Tag Mapping Updates: Check this check box if you want the TrustSec device to obtain the IP-SGT mappings using device interface credentials.

EXEC Mode Username: Enter the username that you use to log in to the TrustSec device.

EXEC Mode Password: Enter the device password.

Enable Mode Password: (Optional) Enter the enable password that is used to edit the configuration of the TrustSec device in privileged mode.

Out Of Band TrustSec PAC Display
Issue Date: Displays the issuing date of the last TrustSec PAC that has been generated by Cisco ISE for the TrustSec device.

Expiration Date: Displays the expiration date of the last TrustSec PAC that has been generated by Cisco ISE for the TrustSec device.

Issued By: Displays the name of the issuer (a TrustSec administrator) of the last TrustSec PAC that has been generated by Cisco ISE for the TrustSec device.

Generate PAC: Click this option to generate the out-of-band TrustSec PAC for the TrustSec device.

Related Topics

Network Devices Definitions in Cisco ISE, on page 173

Third-Party Network Device Support in Cisco ISE

Network Device Groups, on page 176

Create a Network Device Definition in Cisco ISE, on page 174

Configure Third-Party Network Device in Cisco ISE

Default Network Device Definition Settings

The following table describes the fields on the Default Network Device page, which allows you to configure a default network device that Cisco ISE can use for RADIUS authentications. The navigation path for this page is: Administration > Network Resources > Network Devices > Default Device.

Table 97: Default Network Device Definition Settings

Fields and usage guidelines:

Default Network Device Status: Choose Enable from the Default Network Device Status drop-down list to enable the default network device definition.

Protocol: Displays RADIUS as the selected protocol.

Shared Secret: Enter the shared secret, which can be up to 128 characters in length. The shared secret is the key that you have configured on the network device using the radius-host command with the pac option.

Enable KeyWrap: Check this check box only when supported on the network device; it increases RADIUS security via an AES KeyWrap algorithm.

Key Encryption Key: Enter an encryption key that is used for session encryption (secrecy) when you enable KeyWrap.

Message Authenticator Code Key: Enter the key that is used for keyed Hashed Message Authentication Code (HMAC) calculation over RADIUS messages when you enable KeyWrap.