Cisco Ise 13 User Guide
Admin Portal Element: Operations > Reports
UTF-8 Fields:
• Operations > Live Authentications > Filter fields
• Operations > Reports > Catalog > Report filter fields

Admin Portal Element: Operations > Troubleshoot
UTF-8 Fields:
• General Tools > RADIUS Authentication Troubleshooting > Username

Admin Portal Element: Policies
UTF-8 Fields:
• Authentication > value for the av expression within policy conditions
• Authorization/posture/client provisioning > other conditions > value for the av expression within policy conditions

Admin Portal Element: Attribute value in policy library conditions
UTF-8 Fields:
• Authentication > simple condition/compound condition > value for the av expression
• Authentication > simple condition list display
• Authentication > simple condition list > left navigation quick view display
• Authorization > simple condition/compound condition > value for the av expression
• Authorization > simple condition list > left navigation quick view display
• Posture > Dictionary simple condition/Dictionary compound condition > value for the av expression
• Guest > simple condition/compound condition > value for the av expression

UTF-8 Support Outside the User Interface
This section covers the areas outside the Cisco ISE user interface that provide UTF-8 support.

Debug Log and CLI-Related UTF-8 Support
Attribute values and posture condition details appear in some debug logs; therefore, all debug logs accept UTF-8 values. You can download debug logs containing raw UTF-8 data and view them with a UTF-8 capable viewer.

ACS Migration UTF-8 Support
Cisco ISE allows for the migration of ACS UTF-8 configuration objects and values. Migration of some UTF-8 objects may not be supported by the Cisco ISE UTF-8 languages, which might render some of the UTF-8 data that is provided during migration unreadable through the Administrative portal or report methods. You must convert unreadable UTF-8 values (that are migrated from ACS) into ASCII text. For more information about migrating from ACS to ISE, see the ISE Migration Guide: http://www.cisco.com/c/en/us/td/docs/security/ise/2-1/migration_guide/b_ise_MigrationGuide21.html.

Cisco Identity Services Engine Administrator Guide, Release 1.3 25 Cisco ISE Internationalization and Localization

Related Topics
http://www.cisco.com/c/en/us/td/docs/security/ise/2-2/migration_guide/b_acs_ise_MigrationTool_UG_22.html

Support for Importing and Exporting UTF-8 Values
The Admin and Sponsor portals support plain text and .csv files with UTF-8 values for importing user account details. Exported files are provided as .csv files.

UTF-8 Support on REST
UTF-8 values are supported on external REST communication. This applies to configurable items that have UTF-8 support in the Cisco ISE user interface, with the exception of admin authentication. Admin authentication on REST requires ASCII text credentials for login.

Related Topics
http://www.cisco.com/c/en/us/td/docs/security/ise/2-2/api_ref_guide/api_ref_book.html

UTF-8 Support for Identity Stores Authorization Data
Cisco ISE allows Active Directory and LDAP to use UTF-8 data in authorization policies for policy processing.

MAC Address Normalization
ISE supports normalization of a MAC address that you enter in any of the following formats:
• 00-11-22-33-44-55
• 0011.2233.4455
• 00:11:22:33:44:55
• 001122334455
• 001122-334455

For the following ISE windows, you can provide a full or partial MAC address:
• Policy > Authorization
• Policy > Policy Elements > Conditions > Authorization
• Authentications > Filters (Endpoint and Identity columns)
• Global Search
• Operations > Reports > Reports Filters
• Operations > Diagnostic Tools > General Tools > Endpoint Debug
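As an added example (not code from this guide or from Cisco), the following Python function applies the normalization rule this section describes: it accepts the five layouts listed above, lowercases the hex digits, rejects any octet that is not 0-9, a-f or A-F, and can either accept a partial address or insist on all six octets for the windows that require a full address. It assumes that a "partial" address means a prefix made of whole octets in one of the listed layouts.

```python
import re
from typing import Optional

# Separators the guide lists: '-', ':' and '.'
_SEP = re.compile(r"[-:.]")
_HEX = re.compile(r"^[0-9A-Fa-f]+$")
# Group widths produced by the five accepted layouts:
#   00-11-22-33-44-55 and 00:11:22:33:44:55 -> groups of 2
#   0011.2233.4455                          -> groups of 4
#   001122-334455                           -> groups of 6
#   001122334455                            -> a single group of 12
_GROUP_WIDTHS = {2, 4, 6, 12}


def normalize_mac(value: str, require_full: bool = False) -> Optional[str]:
    """Return the address as lowercase aa:bb:cc:dd:ee:ff (or a shorter
    prefix of whole octets when partial input is allowed).  Returns None
    when the input is not a valid MAC in one of the accepted layouts."""
    groups = _SEP.split(value.strip())
    if any(not _HEX.match(g) for g in groups):
        return None  # empty input, or an octet with a non-hex character
    widths = {len(g) for g in groups}
    if len(widths) != 1 or widths.pop() not in _GROUP_WIDTHS:
        return None  # mixed or unsupported grouping, e.g. "0:11:22"
    digits = "".join(groups).lower()
    if len(digits) > 12 or len(digits) % 2:
        return None  # more than six octets, or a half octet
    if require_full and len(digits) != 12:
        return None  # this window needs all six octets
    return ":".join(digits[i:i + 2] for i in range(0, len(digits), 2))


if __name__ == "__main__":
    # Constructed sample inputs covering the five layouts plus bad input.
    for sample in ("00-11-22-33-44-55", "0011.2233.4455", "001122-334455",
                   "AABBCCDDEEFF", "00:11:22", "00:1G:22:33:44:55"):
        print(f"{sample!r:>22} -> partial ok: {normalize_mac(sample)!s:<18}"
              f" full only: {normalize_mac(sample, require_full=True)}")
```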
For the following ISE windows, you must provide a full MAC address (six octets separated by ':' or '-' or '.'):
• Operations > Endpoint Protection Services
• Operations > Troubleshooting > Diagnostic Tools > General Tools > RADIUS Authentication Troubleshooting
• Operations > Troubleshooting > Diagnostic Tools > General Tools > Posture Troubleshooting
• Administration > Identities > Endpoints
• Administration > System > Deployment
• Administration > Logging > Collection Filter

REST APIs also support normalization of a full MAC address.

A valid octet can contain only 0-9, a-f or A-F.

Admin Features Limited by Role-Based Access Control Policies
Cisco ISE provides role-based access control (RBAC) policies that ensure security by restricting administrative privileges. RBAC policies are associated with default admin groups to define roles and permissions. A standard set of permissions (for menu as well as data access) is paired with each of the predefined admin groups, and is thereby aligned with the associated role and job function.

Some features in the user interface require certain permissions for their use. If a feature is unavailable, or you are not allowed to perform a specific task, your admin group may not have the permissions needed to perform the task that uses the feature.

Regardless of the level of access, any administrator account can modify or delete objects for which it has permission, on any page that it can access. Read-only functionality is unavailable for any administrative access.
PART II
Deploy Cisco ISE Nodes
• Set Up Cisco ISE in a Distributed Environment, page 31
• Set Up Inline Posture, page 55
CHAPTER 3
Set Up Cisco ISE in a Distributed Environment
• Cisco ISE Deployment Terminology, page 31
• Personas in Distributed Cisco ISE Deployments, page 32
• Cisco ISE Distributed Deployment, page 32
• Configure a Cisco ISE Node, page 35
• Administration Node, page 38
• Policy Service Node, page 40
• Monitoring Node, page 41
• pxGrid Node, page 43
• ISE pxGrid Identity Mapping, page 45
• Inline Posture Node, page 47
• View Nodes in a Deployment, page 48
• Synchronize Primary and Secondary Cisco ISE Nodes, page 49
• Change Node Personas and Services, page 49
• Effects of Modifying Nodes in Cisco ISE, page 50
• Create a Policy Service Node Group, page 50
• Deploy pxGrid Node, page 51
• Configure Monitoring Nodes for Automatic Failover, page 51
• Remove a Node from Deployment, page 52
• Change the Hostname or IP Address of a Standalone Cisco ISE Node, page 53
• Replace the Cisco ISE Appliance Hardware, page 53

Cisco ISE Deployment Terminology
The following terms are commonly used when discussing Cisco ISE deployment scenarios:
• Service—A service is a specific feature that a persona provides, such as network access, profiler, posture, security group access, monitoring and troubleshooting, and so on.
• Node—A node is an individual instance that runs the Cisco ISE software. Cisco ISE is available as an appliance and also as software that can be run on VMware. Each instance, appliance or VMware, that runs the Cisco ISE software is called a node.
• Persona—The persona or personas of a node determine the services provided by that node. A Cisco ISE node can assume any of the following personas: Administration, Policy Service, Monitoring, pxGrid, and Inline Posture. The Inline Posture persona requires a dedicated Cisco ISE node. The menu options that are available through the Admin portal depend on the role and personas that a Cisco ISE node assumes.
• Deployment Model—Determines whether your deployment is distributed, standalone, or high availability in standalone, which is a basic two-node deployment.

Personas in Distributed Cisco ISE Deployments
A Cisco ISE node can assume the Administration, Policy Service, Monitoring, or Inline Posture personas. A Cisco ISE node can provide various services based on the persona that it assumes. Each node in a deployment, with the exception of the Inline Posture node, can assume the Administration, Policy Service, and Monitoring personas. In a distributed deployment, you can have the following combination of nodes on your network:
• Primary and secondary Administration nodes for high availability
• A single or a pair of non-administration nodes for health check of Administration nodes for automatic failover
• A pair of health check nodes or a single health check node for PAN automatic failover
• One or more Policy Service nodes for session failover
• A pair of Inline Posture nodes for high availability

Cisco ISE Distributed Deployment
A deployment that has more than one Cisco ISE node is called a distributed deployment. To support failover and to improve performance, you can set up your deployment with multiple Cisco ISE nodes in a distributed fashion. In a Cisco ISE distributed deployment, administration and monitoring activities are centralized, and processing is distributed across the Policy Service nodes. Depending on your performance needs, you can scale your deployment. Each Cisco ISE node in a deployment can assume any of the following personas: Administration, Policy Service, and Monitoring. The Inline Posture node cannot assume any other persona, due to its specialized nature. The Inline Posture node must be a dedicated node.

Cisco ISE Deployment Setup
After you install Cisco ISE on all your nodes, as described in the Cisco Identity Services Engine Hardware Installation Guide, the nodes come up in a standalone state. You must then define one node as your Primary PAN. While defining your Primary PAN, you must enable the Administration and Monitoring personas on that node. You can optionally enable the Policy Service persona on the Primary PAN. After you complete the task of defining personas on the Primary PAN, you can then register other secondary nodes to the Primary PAN and define personas for the secondary nodes.

All Cisco ISE system and functionality-related configurations should be done only on the Primary PAN. The configuration changes that you perform on the Primary PAN are replicated to all the secondary nodes in your deployment.

There must be at least one Monitoring node in a distributed deployment. At the time of configuring your Primary PAN, you must enable the Monitoring persona. After you register a Monitoring node in your deployment, you can edit the Primary PAN and disable the Monitoring persona, if required.

Data Replication from Primary to Secondary ISE Nodes
When you register a Cisco ISE node as a secondary node, Cisco ISE immediately creates a data replication channel from the primary to the secondary node and begins the process of replication. Replication is the process of sharing Cisco ISE configuration data from the primary to the secondary nodes. Replication ensures consistency among the configuration data present in all Cisco ISE nodes that are part of your deployment.

A full replication typically occurs when you first register an ISE node as a secondary node. Incremental replication occurs after a full replication and ensures that any new changes, such as additions, modifications, or deletions to the configuration data in the PAN, are reflected in the secondary nodes. The process of replication ensures that all Cisco ISE nodes in a deployment are in sync. You can view the status of replication in the Node Status column on the deployment pages of the Cisco ISE Admin portal. When you register a Cisco ISE node as a secondary node or perform a manual synchronization with the PAN, the node status shows an orange icon indicating that the requested action is in progress. Once it is complete, the node status turns green, indicating that the secondary node is synchronized with the PAN. After the node status turns green, it takes about five minutes for the Cisco ISE application server to restart and run to complete the secondary ISE node configuration.
Cisco ISE Node Deregistration
To remove a node from a deployment, you must deregister it. When you deregister a secondary node from the Primary PAN, the status of the deregistered node changes to standalone and the connection between the primary and the secondary node is lost. Replication updates are no longer sent to the deregistered standalone node.

Note: You cannot deregister a Primary PAN.

Guidelines for Setting Up a Distributed Deployment
Read the following statements carefully before you set up Cisco ISE in a distributed environment.
• Choose a node type, ISE node or Inline Posture node. For Administration, Policy Service, and Monitoring capabilities, you must choose an ISE node. For the Inline Posture service, you must choose the Inline Posture node.
• Choose the same Network Time Protocol (NTP) server for all the nodes. To avoid time zone issues among the nodes, you must provide the same NTP server name during the setup of each node. This setting ensures that the reports and logs from the various nodes in your deployment always carry synchronized timestamps.
• Configure the Cisco ISE Admin password when you install Cisco ISE. The previous Cisco ISE Admin default login credentials (admin/cisco) are no longer valid. Use the username and password that were created during the initial setup, or the current password if it was changed later.
• Configure the Domain Name System (DNS) server. Enter the IP addresses and fully qualified domain names (FQDNs) of all the Cisco ISE nodes that are part of your distributed deployment in the DNS server. Otherwise, node registration will fail.
• Configure the forward and reverse DNS lookup for all Cisco ISE nodes in your distributed deployment in the DNS server. Otherwise, you may run into deployment-related issues when registering and restarting Cisco ISE nodes. Performance might be degraded if reverse DNS lookup is not configured for all the nodes.
• (Optional) Deregister a secondary Cisco ISE node from the Primary PAN to uninstall Cisco ISE from it.
• Back up the primary Monitoring node, and restore the data to the new secondary Monitoring node. This ensures that the history of the primary Monitoring node is in sync with the new secondary node as new changes are replicated.
• Ensure that the Primary PAN and the standalone node that you are about to register as a secondary node are running the same version of Cisco ISE.
• Ensure that the database passwords of the primary and secondary nodes are the same. If these passwords were set differently during node installation, you can modify them using the following commands:
  ◦ application reset-passwd ise internal-database-admin
  ◦ application reset-passwd ise internal-database-user

Menu Options Available on Primary and Secondary Nodes
The menu options available on Cisco ISE nodes that are part of a distributed deployment depend on the personas that are enabled on them. You must perform all administration and monitoring activities through the Primary PAN. For other tasks, you must use the secondary nodes. Therefore, the user interface of the secondary nodes provides limited menu options based on the personas that are enabled on them.

If a node assumes more than one persona, for example, the Policy Service persona and a Monitoring persona with an Active role, then the menu options listed for Policy Service nodes and the Active Monitoring node will be available on that node.

The following table lists the menu options that are available on Cisco ISE nodes that assume different personas.