Cisco ISE 1.3 User Guide
Cisco Identity Services Engine Administrator Guide, Release 1.3 745 Network Resources

Key Input Format: Choose one of the following formats:
• ASCII: The Key Encryption Key must be 16 characters (bytes) long, and the Message Authenticator Code Key must be 20 characters (bytes) long.
• Hexadecimal: The Key Encryption Key must be 32 bytes long, and the Message Authenticator Code Key must be 40 bytes long.

Related Topics
Default Network Device Definition in Cisco ISE, on page 174
Third-Party Network Device Support in Cisco ISE
Network Device Groups, on page 176
Create a Network Device Definition in Cisco ISE, on page 174
Configure Third-Party Network Device in Cisco ISE

Device Security Settings

Specify the minimum length for the RADIUS shared secret. For a new installation and for an upgraded deployment, this value is 4 characters by default. For the RADIUS server, the best practice is to use 22 characters.

Note: The length of the shared secret entered in the Network Devices page must be equal to or greater than the value configured in the Minimum RADIUS Shared Secret Length field in the Device Security Settings page.

Related Topics
Network Device Definition Settings, on page 738

Network Device Import Settings

The following table describes the fields on the Network Device Import page, which you can use to import network device details into Cisco ISE. The navigation path for this page is: Administration > Network Resources > Network Devices.

Table 98: Network Devices Import Settings

Generate a Template: Click this link to create a comma-separated value (.csv) template file. You must update the template with the network device information in the same format, and save it locally to import those network devices into any Cisco ISE deployment.

File: Click Browse to the location of the comma-separated value file that you might have created or previously exported from any Cisco ISE deployment. You can import network devices into another Cisco ISE deployment with new and updated network device information using import.

Overwrite Existing Data with New Data: Check this check box if you want Cisco ISE to replace existing network devices with the devices in your import file. If you do not check this check box, new network device definitions that are available in the import file are added to the network device repository. Duplicate entries are ignored.

Stop Import on First Error: Check this check box if you want Cisco ISE to discontinue the import when it encounters an error; the network devices processed before the error are still imported. If this check box is not checked and an error is encountered, the error is reported, and Cisco ISE continues to import devices.

Related Topics
Network Devices Definitions in Cisco ISE, on page 173
Third-Party Network Device Support in Cisco ISE
Import Network Devices into Cisco ISE, on page 175

Network Device Groups

These pages enable you to configure and manage network device groups.

Network Device Group Settings

The following table describes the fields on the Network Device Groups page, which you can use to create network device groups. The navigation path for this page is: Administration > Network Resources > Network Device Groups > Groups.

Table 99: Network Device Group Settings

Name: Enter the name for the root Network Device Group (NDG). For all subsequent child network device groups under the root NDG, enter the name of the new network device group. The full name of the Network Device Group can have a maximum of 100 characters. For example, if you are creating a subgroup India under the parent groups Global > Asia, then the full name of the NDG that you are creating would be Global#Asia#India, and this full name should not exceed 100 characters. If the full name of the NDG exceeds 100 characters, the NDG creation fails.

Description: Enter the description for the root or the child Network Device Group.

Type: Enter the type for the root Network Device Group. For all subsequent child network device groups under the root NDG, the type is inherited from the parent NDG, and therefore all the child NDGs under a root NDG will be of the same type. If this NDG is a root NDG, then the type will be available as an attribute in the device dictionary. You can define conditions based on this attribute. The name of the NDG is one of the values that this attribute can take.

Related Topics
Network Device Groups, on page 176
Network Device Attributes Used By Cisco ISE in Policy Evaluation, on page 177
Create a Network Device Definition in Cisco ISE, on page 174

Network Device Group Import Settings

The following table describes the fields on the Network Device Group Import page, which you can use to import network device groups into Cisco ISE. The navigation path for this page is: Administration > Network Resources > Network Device Groups > Groups.

Table 100: Network Device Groups Import Settings

Generate a Template: Click this link to create a comma-separated value (.csv) template file. You must update the template with the network device group information in the same format, and save it locally to import those network device groups into any Cisco ISE deployment.

File: Click Browse to the location of the comma-separated value file that you might have created or previously exported from any Cisco ISE deployment. You can import network device groups into another Cisco ISE deployment with new and updated network device group information using import.

Overwrite Existing Data with New Data: Check this check box if you want Cisco ISE to replace existing network device groups with the device groups in your import file. If you do not check this check box, new network device groups that are available in the import file are added to the network device group repository. Duplicate entries are ignored.

Stop Import on First Error: Check this check box if you want Cisco ISE to discontinue the import when it encounters an error; the network device groups processed before the error are still imported. If this check box is not checked and an error is encountered, the error is reported, and Cisco ISE continues to import device groups.

Related Topics
Network Device Groups, on page 176
Network Device Attributes Used By Cisco ISE in Policy Evaluation, on page 177
Import Network Device Groups into Cisco ISE, on page 177

External RADIUS Server Settings

The following table describes the fields on the External RADIUS Server page, which you can use to configure a RADIUS server. For Cisco ISE to act as a RADIUS server, you must configure it in this page. The navigation path for this page is: Administration > Network Resources > External RADIUS Servers.

Table 101: External RADIUS Server Settings

Name: Enter the name of the external RADIUS server.

Description: Enter a description of the external RADIUS server.

Host IP: Enter the IP address of the external RADIUS server.

Shared Secret: Enter the shared secret between Cisco ISE and the external RADIUS server that is used for authenticating the external RADIUS server. A shared secret is an expected string of text that a user must provide to enable the network device to authenticate a username and password. The connection is rejected until the user supplies the shared secret. The shared secret can be up to 128 characters in length.

Enable KeyWrap: Enable this option to increase the RADIUS protocol security via an AES KeyWrap algorithm.

Key Encryption Key: (Only if you check the Enable KeyWrap check box) Enter a key to be used for session encryption (secrecy).

Message Authenticator Code Key: (Only if you check the Enable KeyWrap check box) Enter a key to be used for keyed HMAC calculation over RADIUS messages.

Key Input Format: Specify the format you want to use to enter the Cisco ISE encryption key, so that it matches the configuration that is available on the WLAN controller. (The value you specify must be the correct [full] length for the key as defined below; shorter values are not permitted.)
• ASCII: The Key Encryption Key must be 16 characters (bytes) long, and the Message Authenticator Code Key must be 20 characters (bytes) long.
• Hexadecimal: The Key Encryption Key must be 32 bytes long, and the Message Authenticator Code Key must be 40 bytes long.

Authentication Port: Enter the RADIUS authentication port number. The valid range is from 1 to 65535. The default is 1812.

Accounting Port: Enter the RADIUS accounting port number. The valid range is from 1 to 65535. The default is 1813.

Server Timeout: Enter the number of seconds that Cisco ISE waits for a response from the external RADIUS server. The default is 5 seconds. Valid values are from 5 to 120.

Connection Attempts: Enter the number of times that Cisco ISE attempts to connect to the external RADIUS server. The default is 3 attempts. Valid values are from 1 to 9.

Related Topics
Cisco ISE Acting as a RADIUS Proxy Server, on page 424
Configure External RADIUS Servers, on page 425

RADIUS Server Sequences

The following table describes the fields on the RADIUS Server Sequences page, which you can use to create a RADIUS server sequence. The navigation path for this page is: Administration > Network Resources > RADIUS Server Sequences > Add.

Table 102: RADIUS Server Sequences

Name: Enter the name of the RADIUS server sequence.

Description: Enter an optional description.

Host IP: Enter the IP address of the external RADIUS server.

User Selected Service Type: Choose the external RADIUS servers that you want to use as policy servers from the Available list box and move them to the Selected list box.

Remote Accounting: Check this check box to enable accounting in the remote policy server.

Local Accounting: Check this check box to enable accounting in Cisco ISE.

Advanced Attribute Settings

Strip Start of Subject Name up to the First Occurrence of the Separator: Check this check box to strip the prefix from the username. For example, if the subject name is acme\userA and the separator is \, the username becomes userA.

Strip End of Subject Name from the Last Occurrence of the Separator: Check this check box to strip the suffix from the username. For example, if the subject name is userA@domain and the separator is @, the username becomes userA.
• You must enable the strip options to extract the username from NetBIOS or User Principal Name (UPN) format usernames (user@domain / domain/user), because only usernames are passed to the RADIUS server for authenticating the user.
• If you activate both the \ and @ stripping functions, and you are using Cisco AnyConnect, Cisco ISE does not accurately trim the first \ from the string. However, each stripping function that is used individually works as it is designed with Cisco AnyConnect.

Modify Attributes in the Request to the External RADIUS Server: Check this check box to allow Cisco ISE to manipulate attributes that come from or go to the authenticated RADIUS server. The attribute manipulation operations include these:
• Add: Add additional attributes to the overall RADIUS request/response.
• Update: Change the attribute value (fixed or static) or substitute an attribute by another attribute value (dynamic).
• Remove: Remove an attribute or an attribute-value pair.
• Remove Any: Remove any occurrences of the attribute.

Continue to Authorization Policy: Check this check box to divert the proxy flow to run the authorization policy for further decision making, based on identity store group and attribute retrieval. If you enable this option, attributes from the response of the external RADIUS server will be applicable for the authentication policy selection. Attributes that are already in the context will be updated with the appropriate value from the AAA server accept response attribute.

Modify Attributes before send an Access-Accept: Check this check box to modify the attribute just before sending a response back to the device.
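The External RADIUS Server Settings (Table 101) and the Device Security Settings section above state a number of hard limits (shared secret length, KeyWrap key lengths per input format, port, timeout and attempt ranges) plus one best-practice recommendation. The following Python script is an added example, not Cisco's code, that checks a server definition against exactly those limits before the values are typed into the GUI or pushed by automation; the ExternalRadiusServer dataclass, the validate and advisories functions and the constant names are assumptions made for this example, while the numbers are the ones the guide states.

```python
"""Check an External RADIUS Server definition against the limits the
Cisco ISE 1.3 guide states (Table 101 and Device Security Settings).
Added example; dataclass, function and constant names are this example's own."""
import re
from dataclasses import dataclass

# Limits taken from the guide text.
SHARED_SECRET_MAX = 128           # "up to 128 characters in length"
SHARED_SECRET_MIN_DEFAULT = 4     # default Minimum RADIUS Shared Secret Length
SHARED_SECRET_BEST_PRACTICE = 22  # recommended length for the RADIUS server
KEYWRAP_LENGTHS = {               # key input format -> (KEK length, MACK length)
    "ascii": (16, 20),
    "hexadecimal": (32, 40),      # hex characters, i.e. the same 16/20 bytes of key
}
PORT_RANGE = (1, 65535)
TIMEOUT_RANGE = (5, 120)
ATTEMPTS_RANGE = (1, 9)
HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")


@dataclass
class ExternalRadiusServer:
    """Fields of Table 101, with the guide's defaults where it states one."""
    name: str
    host_ip: str
    shared_secret: str
    enable_key_wrap: bool = False
    key_input_format: str = "ascii"
    key_encryption_key: str = ""
    message_authenticator_code_key: str = ""
    authentication_port: int = 1812
    accounting_port: int = 1813
    server_timeout: int = 5
    connection_attempts: int = 3


def _check_range(problems, label, value, bounds):
    lo, hi = bounds
    if not lo <= value <= hi:
        problems.append(f"{label} {value} is outside {lo}-{hi}")


def validate(server, min_secret_len=SHARED_SECRET_MIN_DEFAULT):
    """Return the list of hard errors; an empty list means the values are within the limits."""
    problems = []
    n = len(server.shared_secret)
    if n < min_secret_len:
        problems.append(f"shared secret is {n} characters; minimum is {min_secret_len}")
    if n > SHARED_SECRET_MAX:
        problems.append(f"shared secret is {n} characters; maximum is {SHARED_SECRET_MAX}")

    if server.enable_key_wrap:
        fmt = server.key_input_format.lower()
        if fmt not in KEYWRAP_LENGTHS:
            problems.append(f"unknown key input format {server.key_input_format!r}")
        else:
            kek_len, mack_len = KEYWRAP_LENGTHS[fmt]
            keys = (("Key Encryption Key", server.key_encryption_key, kek_len),
                    ("Message Authenticator Code Key",
                     server.message_authenticator_code_key, mack_len))
            for label, key, want in keys:
                # The guide requires the full length; shorter values are not permitted.
                if len(key) != want:
                    problems.append(f"{label} is {len(key)} characters; "
                                    f"{fmt} format requires exactly {want}")
                if fmt == "hexadecimal" and key and not HEX_RE.match(key):
                    problems.append(f"{label} contains non-hexadecimal characters")

    _check_range(problems, "authentication port", server.authentication_port, PORT_RANGE)
    _check_range(problems, "accounting port", server.accounting_port, PORT_RANGE)
    _check_range(problems, "server timeout", server.server_timeout, TIMEOUT_RANGE)
    _check_range(problems, "connection attempts", server.connection_attempts, ATTEMPTS_RANGE)
    return problems


def advisories(server):
    """Best-practice warnings the guide recommends but ISE does not enforce."""
    notes = []
    if len(server.shared_secret) < SHARED_SECRET_BEST_PRACTICE:
        notes.append(f"shared secret is shorter than the recommended "
                     f"{SHARED_SECRET_BEST_PRACTICE} characters")
    return notes


if __name__ == "__main__":
    # Constructed sample definitions, not taken from any real deployment.
    good = ExternalRadiusServer("corp-radius-1", "192.0.2.10", "k" * 24,
                                enable_key_wrap=True, key_input_format="hexadecimal",
                                key_encryption_key="00" * 16,
                                message_authenticator_code_key="11" * 20)
    bad = ExternalRadiusServer("lab", "192.0.2.11", "abc", enable_key_wrap=True,
                               key_input_format="ascii", key_encryption_key="short",
                               server_timeout=2)
    print("good:", validate(good) or "ok", advisories(good))
    print("bad:", validate(bad))
```

Pass the deployment's actual Minimum RADIUS Shared Secret Length as min_secret_len when it has been raised above the default of 4; the advisories function is kept separate from validate because a short secret is accepted by ISE but still worth flagging.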
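The two strip options under Advanced Attribute Settings (Table 102) differ in which occurrence of the separator they act on: the start option cuts up to the first separator, the end option cuts from the last one. The function below is an added example, not Cisco's code, that reproduces that behaviour so the forwarded User-Name can be predicted before a server sequence is put into service; the function and parameter names are this example's own, and the sample subject names are constructed.

```python
"""Username stripping as described for RADIUS server sequences (Advanced
Attribute Settings). Added example; function and parameter names are this
example's own."""


def strip_subject_name(subject, strip_start=False, strip_end=False,
                       start_separator="\\", end_separator="@"):
    """Return the username that is forwarded to the external RADIUS server.

    strip_start removes everything up to and including the FIRST start_separator
    (Strip Start of Subject Name up to the First Occurrence of the Separator).
    strip_end removes everything from the LAST end_separator onward
    (Strip End of Subject Name from the Last Occurrence of the Separator).
    Either option leaves the subject untouched when its separator is absent.
    """
    name = subject
    if strip_start and start_separator in name:
        name = name.split(start_separator, 1)[1]   # first occurrence only
    if strip_end and end_separator in name:
        name = name.rsplit(end_separator, 1)[0]    # last occurrence only
    return name


if __name__ == "__main__":
    # Constructed subject names covering NetBIOS, UPN and mixed forms.
    samples = ["acme\\userA", "userA@example.com", "acme\\userA@example.com",
               "a\\b\\userA", "userA@x@y", "userA"]
    for s in samples:
        print(f"{s!r:28} -> {strip_subject_name(s, True, True)!r}")
```

The "a\\b\\userA" and "userA@x@y" cases show the first-versus-last semantics: only one separator is consumed on each side, so a subject with a nested prefix keeps the inner part. Note that the guide's caveat about Cisco AnyConnect and enabling both options at once is a behaviour of ISE itself and is not modelled here.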
Related Topics
Cisco ISE Acting as a RADIUS Proxy Server, on page 424
Define RADIUS Server Sequences, on page 425

NAC Manager Settings

The following table describes the fields on the New NAC Managers page, which you can use to add a NAC Manager. The navigation path for this page is: Administration > Network Resources > NAC Managers.

Table 103: NAC Manager Settings

Name: Enter the name of the Cisco Access Manager (CAM).

Status: Click the Status check box to enable REST API communication from the Cisco ISE profiler that authenticates connectivity to the CAM.

Description: Enter the description of the CAM.

IP Address: Enter the IP address of the CAM. Once you have created and saved a CAM in Cisco ISE, the IP address of the CAM cannot be edited.
Note: You cannot use 0.0.0.0 and 255.255.255.255, as they are excluded when validating the IP addresses of the CAMs in Cisco ISE, and so they are not valid IP addresses that you can use in the IP Address field for the CAM. You can use the virtual service IP address that a pair of CAMs share in a high-availability configuration. This allows failover support for CAMs in a high-availability configuration.

Username: Enter the username of the CAM administrator that allows you to log on to the user interface of the CAM.

Password: Enter the password of the CAM administrator that allows you to log on to the user interface of the CAM.

Related Topics
Cisco ISE Integration with Cisco NAC Appliance, on page 486
Add Cisco Clean Access Managers, on page 487
Device Portal Management

Configure Device Portal Settings

Global Settings for Device Portals

Choose Work Centers > BYOD > Settings > Employee Registered Devices or Administration > Device Portal Management > Settings.

You can configure the following general settings for the BYOD and My Devices portals:
• Employee Registered Devices: Enter the maximum number of devices that an employee can register in Restrict employees to. By default, this value is set to 5 devices.
• Retry URL: Enter a URL that can be used to redirect the device back to Cisco ISE in Retry URL for onboarding.

Once you configure these general settings, they apply to all BYOD and My Devices portals that you set up for your company.

Related Topics
Limit the Number of Personal Devices Registered by Employees
Provide a URL to Reconnect with BYOD Registration, on page 342
End-User Device Portals in a Distributed Environment, on page 335

Portal Identification Settings for Device Portals

The navigation path for these settings is Administration > Device Portal Management > Blacklist Portal, Client Provisioning Portals, BYOD Portals, MDM Portals, or My Device Portals > Create, Edit or Duplicate > Portals Settings and Customization.

• Portal Name: Enter a unique portal name to access this portal. Do not use this portal name for any other Sponsor and Guest portals and non-guest portals, such as Blacklist, Bring Your Own Device (BYOD), Client Provisioning, Mobile Device Management (MDM), or My Devices portals. This name appears in the authorization profile portal selection for redirection choices, and is used in the list of portals for easy identification among other portals.
• Description: Optional.
• Portal test URL: A system-generated URL displays as a link after you click Save. Use it to test the portal. Click the link to open a new browser tab that displays the URL for this portal. In order for this to work, a Policy Services Node (PSN) with Policy Services must be turned on. If Policy Services are not turned on, the PSN only displays the Admin portal.
Note: The test portal does not support RADIUS sessions, so you won't see the entire portal flow for all portals. BYOD and Client Provisioning are examples of portals that depend on RADIUS sessions. For example, a redirect to an external URL will not work.
• Language File: Each portal type supports 15 languages by default, which are available as individual properties files bundled together in a single zipped language file. Export or import the zipped language file to use with the portal. The zipped language file contains all the individual language files that you can use to display text for the portal.
The language file contains the mapping to the particular browser locale setting (for example, for French: fr, fr-fr, fr-ca) along with all of the string settings for the entire portal in that language. A single language file contains all the supported languages, so that it can easily be used for translation and localization purposes.
If you change the browser locale setting for one language, the change is applied to all the other end-user web portals. For example, if you change the French.properties browser locale from fr,fr-fr,fr-ca to fr,fr-fr in the Hotspot Guest portal, the change is applied to the My Devices portal also.
An alert icon displays when you customize any of the portal page text on the Portal Page Customizations tab. The alert message reminds you to carry any changes made to one language while customizing the portal into all the supported languages' properties files. You can manually dismiss the alert icon using the drop-down list option, or it is automatically dismissed after you import the updated zipped language file.

Related Topics
Create Authorization Policy Rules, on page 354
Create Authorization Profiles, on page 353
Personal Device Portals, on page 336

Portal Settings for the Blacklist Portal

The navigation path for these settings is Administration > Device Portal Management > Blacklist Portal > Edit > Portal Behavior and Flow Settings > Portal Settings.

Use these settings to specify values or define behavior that applies to the overall portal, not just to specific portal pages that display to the user (guests, sponsors, or employees as applicable).

• HTTPS port: Enter a port value between 8000 and 8999; the default value is 8443 for all the default portals, except the Blacklist Portal, which is 8444. If you upgraded with port values outside this range, they are honored until you modify this page. If you modify this page, update the port setting to comply with this restriction.
If you assign ports used by a non-guest (such as My Devices) portal to a guest portal, an error message displays.
For posture assessments and remediation only, the Client Provisioning portal also uses ports 8905 and 8909. Otherwise, it uses the same ports assigned to the Guest portal.
Portals assigned to the same HTTPS port can use the same Gigabit Ethernet interface or another interface. If they use the same port and interface combination, they must use the same certificate group tag. For example:
  ◦ Valid combinations include, using the Sponsor portal as an example:
    ◦ Sponsor portal: Port 8443, Interface 0, Certificate group A and My Devices portal: Port 8443, Interface 0, Certificate group A.
    ◦ Sponsor portal: Port 8443, Interface 0, Certificate group A and My Devices portal: Port 8445, Interface 0, Certificate group B.
    ◦ Sponsor portal: Port 8444, Interface 1, Certificate group A and Blacklist portal: Port 8444, Interface 0, Certificate group B.
  ◦ Invalid combinations include:
    ◦ Sponsor portal: Port 8443, Interface 0, Certificate group A and My Devices portal: Port 8443, Interface 0, Certificate group B.
    ◦ Sponsor portal: Port 8444, Interface 0, Certificate group A and Blacklist portal: Port 8444, Interface 0, Certificate group A.
• Allowed interfaces: Select the PSN interfaces which a PAN can use to run a portal. When a request to open a portal is made on the PAN, the PAN looks for an available allowed port on the PSN. You must configure the Ethernet interfaces using IP addresses on different subnets.
  ◦ The Ethernet interfaces must use IP addresses on different subnets.
  ◦ The interfaces you enable here must be available on all your PSNs, including VM-based ones, when Policy Services is turned on. This is required because any of these PSNs can be used for a redirect at the start of the guest session.
  ◦ The portal certificate Subject Name/Alternate Subject Name must resolve to the interface IP.
  ◦ Configure ip host x.x.x.x yyy.domain.com in the ISE CLI to map the secondary interface IP to an FQDN, which is used to match the Certificate Subject Name/Alternate Subject Name.
• Certificate group tag: Pick a certificate group tag that specifies the certificate to use for the portal's HTTPS traffic.
• Display Language
  ◦ Use browser locale: Use the language specified in the client browser's locale setting as the display language of the portal. If the browser locale's language is not supported by ISE, then the Fallback Language is used as the portal language.
  ◦ Fallback language: Choose the language to use when the language cannot be obtained from the browser locale, or if the browser locale language is not supported by ISE.
  ◦ Always use: Choose the display language to use for the portal. This setting overrides the Use browser locale option.
• SSIDs available to sponsors: Enter the names or the SSIDs (Service Set Identifiers) of the networks that a sponsor can notify guests of as the correct networks to connect to for their visit.
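The HTTPS port bullet above states two checkable rules for portal bindings: the port must fall in 8000 to 8999, and portals that share a port and interface must share a certificate group tag. The script below is an added example, not Cisco's code, that applies those two rules to a set of portal bindings and runs them against the guide's own valid and invalid combinations; PortalBinding, check_portal_bindings and evaluate_guide_examples are names chosen for this example. The guide's second invalid combination (Sponsor and Blacklist both on port 8444, interface 0, certificate group A) is not explained by either rule as stated, so it is deliberately left out of the encoded examples rather than guessed at.

```python
"""Check portal HTTPS port / interface / certificate group tag combinations
against the rules stated under Portal Settings. Added example, not Cisco's
code; the dataclass and function names are this example's own."""
from collections import defaultdict
from dataclasses import dataclass

PORT_MIN, PORT_MAX = 8000, 8999   # allowed HTTPS port range from the guide


@dataclass(frozen=True)
class PortalBinding:
    portal: str
    port: int
    interface: int
    cert_group_tag: str


def check_portal_bindings(bindings):
    """Return a list of problems; an empty list means the combination passes
    the port-range and shared-port rules."""
    problems = []
    for b in bindings:
        if not PORT_MIN <= b.port <= PORT_MAX:
            problems.append(f"{b.portal}: port {b.port} is outside {PORT_MIN}-{PORT_MAX}")

    # Group portals by (port, interface); each group must use one certificate group tag.
    by_endpoint = defaultdict(list)
    for b in bindings:
        by_endpoint[(b.port, b.interface)].append(b)
    for (port, iface), group in by_endpoint.items():
        tags = sorted({b.cert_group_tag for b in group})
        if len(tags) > 1:
            who = ", ".join(f"{b.portal} (group {b.cert_group_tag})" for b in group)
            problems.append(f"port {port} on interface {iface} is shared with "
                            f"different certificate group tags {tags}: {who}")
    return problems


# The guide's example combinations, plus one constructed case for the port range.
GUIDE_EXAMPLES = {
    "valid-1": [PortalBinding("Sponsor", 8443, 0, "A"),
                PortalBinding("My Devices", 8443, 0, "A")],
    "valid-2": [PortalBinding("Sponsor", 8443, 0, "A"),
                PortalBinding("My Devices", 8445, 0, "B")],
    "valid-3": [PortalBinding("Sponsor", 8444, 1, "A"),
                PortalBinding("Blacklist", 8444, 0, "B")],
    "invalid-1": [PortalBinding("Sponsor", 8443, 0, "A"),
                  PortalBinding("My Devices", 8443, 0, "B")],
    # Constructed: an upgraded deployment still carrying a port outside 8000-8999.
    "legacy-port": [PortalBinding("Sponsor", 443, 0, "A")],
}


def evaluate_guide_examples():
    """Map each example name to True if it passes both checks, False otherwise."""
    return {name: not check_portal_bindings(b) for name, b in GUIDE_EXAMPLES.items()}


if __name__ == "__main__":
    for name, ok in evaluate_guide_examples().items():
        print(f"{name:12} {'allowed' if ok else 'rejected'}")
```

Grouping by (port, interface) is what makes the third valid combination pass: the Sponsor and Blacklist portals share port 8444 but sit on different interfaces, so their differing group tags never collide.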