Cisco Identity Services Engine Administrator Guide, Release 1.3
Table 104: Manage Device Settings for My Devices Portals

Field: Lost
Usage Guidelines: For all devices. Enable employees to indicate that their device is lost. This action updates the device status in the My Devices portal to Lost and adds the device to the Blacklist endpoint identity group.

Field: Reinstate
Usage Guidelines: For all devices. This action reinstates a blacklisted, lost or stolen device and resets its status to its last known value. A stolen device is reset to Not Registered instead, since it has to undergo additional provisioning before it can connect to the network. If you want to prevent employees from reinstating devices that you have blacklisted, do not enable this option in the My Devices portal.

Field: Delete
Usage Guidelines: For all devices. Enable employees to delete a registered device from the My Devices portal or, once the maximum number of registered devices is reached, to delete unused devices and add new ones. This action removes the device from the list of devices displayed in the My Devices portal, but the device remains in the Cisco ISE database and continues to be listed in the Endpoints list. To define the maximum number of personal devices that employees can register using either the BYOD or My Devices portals, choose Administration > Device Portal Management > Settings > Employee Registered Devices. To permanently delete the device from the Cisco ISE database, choose Administration > Identity Management > Identities > Endpoints.

Field: Stolen
Usage Guidelines: For all devices. Enable employees to indicate that their device is stolen. This action updates the device status in the My Devices portal to Stolen, adds the device to the Blacklist endpoint identity group, and removes its certificate.

Cisco Identity Services Engine Administrator Guide, Release 1.3 (page 765, Device Portal Management)
Field: Device lock
Usage Guidelines: For MDM-enrolled devices only. Enable employees to immediately lock their device remotely from the My Devices portal in the event it is lost or stolen. This action prevents unauthorized use of the device. However, the PIN cannot be set in the My Devices portal and should have already been configured by the employee on their mobile device in advance.

Field: Unenroll
Usage Guidelines: For MDM-enrolled devices only. Enable employees to choose this option if they no longer need to use their device at work. This action removes only those applications and settings installed by your company, while retaining other apps and data on the employee's mobile device.

Field: Full wipe
Usage Guidelines: For MDM-enrolled devices only. Enable employees to choose this option if they have lost their device or are replacing it with a new one. This action resets the employee's mobile device to its default factory settings, removing installed apps and data.

Related Topics
Manage Personal Devices Added by Employees, on page 355
My Devices Portal, on page 338

Add, Edit, and Locate Device Customization for My Devices Portals

The navigation path for these settings is Administration > Device Portal Management > My Devices Portals > Create, Edit or Duplicate > Portal Page Customization > Add Devices, Edit Devices or Locate Devices.

Under Page Customizations, you can customize the messages, titles, content, instructions, and field and button labels that appear on the Add, Edit and Locate tabs of the My Devices portal.

Related Topics
My Devices Portal, on page 338
Create a My Devices Portal, on page 352

Support Information Page Settings for Device Portals

The navigation path for this page is Administration > Device Portal Management > BYOD Portals, Client Provisioning Portals, MDM Portals, or My Devices Portals > Create, Edit or Duplicate > Portal Behavior and Flow Settings > Support Information Page Settings.
Use these settings to display the information that your Help Desk can use to troubleshoot access issues experienced by users (guests, sponsors or employees, as applicable). Everything selected here is shown to whoever reaches the portal, before they authenticate, so enable only the fields the Help Desk actually needs.

Field: Include a Support Information Page
Usage Guidelines: Display a link to an information page, such as Contact Us, on all enabled pages for the portal.

Field: MAC address
Usage Guidelines: Include the MAC address of the device on the Support Information page.

Field: IP address
Usage Guidelines: Include the IP address of the device on the Support Information page.

Field: Browser user agent
Usage Guidelines: Include the browser details, such as the product name and version, and the layout engine and version, of the user agent originating the request on the Support Information page.

Field: Policy server
Usage Guidelines: Include the IP address of the ISE Policy Service Node (PSN) that is serving this portal on the Support Information page. Note that this reveals the address of an internal policy node to unauthenticated portal users.

Field: Failure code
Usage Guidelines: If available, include the corresponding number from the log message catalog. You can access and view the message catalog by navigating to Administration > System > Logging > Message Catalog.

Field: Hide field
Usage Guidelines: Do not display any field labels on the Support Information page if the information that they would contain is non-existent. For example, if the failure code is unknown, and therefore blank, do not display Failure code, even if it is selected.

Field: Display label with no value
Usage Guidelines: Display all selected field labels on the Support Information page, even if the information that they would contain is non-existent. For example, if the failure code is unknown, display Failure code, even if it is blank.

Field: Display label with default value
Usage Guidelines: Display this text in any selected field on the Support Information page if the information that it would contain is non-existent. For example, if you enter Not Available in this field, and the failure code is unknown, the Failure code displays Not Available.

Related Topics
Monitor My Devices Portals and Endpoints Activity, on page 356
Access Device Portals, on page 337
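The device actions in Table 104 above have two consequences that are easy to miss when reviewing a My Devices deployment: Reinstate does not return a stolen device to its old status (it lands on Not Registered because its certificate was removed), and Delete only hides a device from the portal while the endpoint record stays in the Cisco ISE database. The following model is an added example written for this page, not Cisco ISE code; the Endpoint record, the RegisteredDevices group name, the device cap of five, and the assumption that only portal-visible devices count toward that cap are constructed for illustration.

```python
"""Model of the My Devices portal actions Lost, Stolen, Reinstate and Delete.

Added illustration, not Cisco ISE code. The endpoint record, group names and
the rule that only portal-visible devices count toward the registration cap
are assumptions made to exercise the behaviour described in Table 104.
"""
from dataclasses import dataclass, field

BLACKLIST = "Blacklist"                   # endpoint identity group named in Table 104
REGISTERED_DEVICES = "RegisteredDevices"  # assumed default group for employee devices
NOT_REGISTERED = "Not Registered"


@dataclass
class Endpoint:
    """Constructed endpoint record; ISE's real schema is not modelled."""
    mac: str
    status: str = "Registered"
    groups: set = field(default_factory=lambda: {REGISTERED_DEVICES})
    has_certificate: bool = True
    visible_in_portal: bool = True
    last_known_status: str = "Registered"


class MyDevicesPortal:
    """Applies the four 'for all devices' actions to endpoint records."""

    def __init__(self, reinstate_enabled: bool = True, max_devices: int = 5):
        # Leave Reinstate disabled if employees must not be able to undo a
        # blacklisting made by an administrator (Table 104, Reinstate row).
        self.reinstate_enabled = reinstate_enabled
        self.max_devices = max_devices   # Settings > Employee Registered Devices
        self.db: dict[str, Endpoint] = {}

    def register(self, mac: str) -> Endpoint:
        # Assumption: deleting a device frees a slot, because it no longer
        # appears in the portal's list of registered devices.
        if len(self.portal_devices()) >= self.max_devices:
            raise ValueError("maximum number of registered devices reached")
        ep = Endpoint(mac=mac)
        self.db[mac] = ep
        return ep

    @staticmethod
    def _remember(ep: Endpoint) -> None:
        # Keep the last non-blacklisted status so Reinstate can restore it.
        if ep.status not in ("Lost", "Stolen"):
            ep.last_known_status = ep.status

    def lost(self, mac: str) -> Endpoint:
        ep = self.db[mac]
        self._remember(ep)
        ep.status = "Lost"
        ep.groups.add(BLACKLIST)
        return ep

    def stolen(self, mac: str) -> Endpoint:
        ep = self.db[mac]
        self._remember(ep)
        ep.status = "Stolen"
        ep.groups.add(BLACKLIST)
        ep.has_certificate = False       # Stolen also removes the device certificate
        return ep

    def reinstate(self, mac: str) -> Endpoint:
        if not self.reinstate_enabled:
            raise PermissionError("Reinstate is not enabled on this portal")
        ep = self.db[mac]
        ep.groups.discard(BLACKLIST)
        if ep.status == "Stolen":
            # Its certificate is gone, so the device must be provisioned again.
            ep.status = NOT_REGISTERED
        else:
            ep.status = ep.last_known_status
        return ep

    def delete(self, mac: str) -> Endpoint:
        # Hides the device from the portal list only; the record stays in the
        # endpoint database until purged under Identities > Endpoints.
        ep = self.db[mac]
        ep.visible_in_portal = False
        return ep

    def portal_devices(self) -> list[str]:
        return sorted(m for m, ep in self.db.items() if ep.visible_in_portal)

    def endpoint_db_devices(self) -> list[str]:
        return sorted(self.db)
```

Running a lost/reinstate cycle returns the device to Registered with the Blacklist membership removed, while a stolen/reinstate cycle ends on Not Registered with no certificate; a deleted device disappears from portal_devices() but not from endpoint_db_devices().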
CHAPTER 28
Guest Access User Interface Reference

• Guest Portal Settings, page 769
• Sponsor Portal Application Settings, page 786
• Global Settings, page 792

Guest Portal Settings

Portal Identification Settings

The navigation path for these settings is Guest Access > Configure > Guest Portals or Sponsor Portals > Create, Edit or Duplicate > Guest Portals or Sponsor Portals Settings and Customization.

• Portal Name—Enter a unique portal name to access this portal. Do not use this portal name for any other Sponsor and Guest portals, or for non-guest portals such as Blacklist, Bring Your Own Device (BYOD), Client Provisioning, Mobile Device Management (MDM), or My Devices portals.
  This name appears in the authorization profile portal selection for redirection choices, and is used in the list of portals for easy identification among other portals.
• Description—Optional.
• Portal test URL—A system-generated URL displays as a link after you click Save. Use it to test the portal.
  Click the link to open a new browser tab that displays the URL for this portal. In order for this to work, a Policy Services Node (PSN) with Policy Services must be turned on. If Policy Services are not turned on, the PSN only displays the Admin portal.
  Note: The test portal does not support RADIUS sessions, so you won't see the entire portal flow for all portals. BYOD and Client Provisioning are examples of portals that depend on RADIUS sessions. For example, a redirect to an external URL will not work.
• Language File—Each portal type supports 15 languages by default, which are available as individual properties files bundled together in a single zipped language file. Export or import the zipped language file to use with the portal. The zipped language file contains all the individual language files that you can use to display text for the portal.
  The language file contains the mapping to the particular browser locale setting (for example, for French: fr, fr-fr, fr-ca) along with all of the string settings for the entire portal in that language. A single language file contains all the supported languages, so that it can easily be used for translation and localization purposes.
  If you change the browser locale setting for one language, the change is applied to all the other end-user web portals. For example, if you change the French.properties browser locale from fr, fr-fr, fr-ca to fr, fr-fr in the Hotspot Guest portal, the change is applied to the My Devices portal also.
  An alert icon displays when you customize any of the portal page text on the Portal Page Customizations tab. The alert message reminds you to update any changes made to one language while customizing the portal into all the supported languages' properties files. You can manually dismiss the alert icon using the drop-down list option; otherwise it is automatically dismissed after you import the updated zipped language file.

Portal Settings for Hotspot Guest Portals

The navigation path for these settings is Guest Access > Configure > Guest Portals > Create, Edit or Duplicate > Portal Behavior and Flow Settings > Portal Settings.

• HTTPS port—Enter a port value between 8000 and 8999; the default value is 8443 for all the default portals, except the Blacklist Portal, which is 8444. If you upgraded with port values outside this range, they are honored until you modify this page. If you modify this page, update the port setting to comply with this restriction.
  If you assign ports used by a non-guest (such as My Devices) portal to a guest portal, an error message displays.
  For posture assessments and remediation only, the Client Provisioning portal also uses ports 8905 and 8909. Otherwise, it uses the same ports assigned to the Guest portal.
  Portals assigned to the same HTTPS port can use the same Gigabit Ethernet interface or another interface.
  If they use the same port and interface combination, they must use the same certificate group tag, because one TLS listener can present only one certificate. For example:
  ◦ Valid combinations include, using the Sponsor portal as an example:
    ◦ Sponsor portal: Port 8443, Interface 0, Certificate group A and My Devices portal: Port 8443, Interface 0, Certificate group A.
    ◦ Sponsor portal: Port 8443, Interface 0, Certificate group A and My Devices portal: Port 8445, Interface 0, Certificate group B.
    ◦ Sponsor portal: Port 8444, Interface 1, Certificate group A and Blacklist portal: Port 8444, Interface 0, Certificate group B.
  ◦ Invalid combinations include:
    ◦ Sponsor portal: Port 8443, Interface 0, Certificate group A and My Devices portal: Port 8443, Interface 0, Certificate group B.
    ◦ Sponsor portal: Port 8444, Interface 0, Certificate group A and Blacklist portal: Port 8444, Interface 0, Certificate group A.
• Allowed interfaces—Select the PSN interfaces which a PAN can use to run a portal. When a request to open a portal is made on the PAN, the PAN looks for an available allowed port on the PSN.
  ◦ The Ethernet interfaces must use IP addresses on different subnets.
  ◦ The interfaces you enable here must be available on all your PSNs, including VM-based ones, that have Policy Services turned on. This is required because any of these PSNs can be used for the redirect at the start of the guest session.
  ◦ The portal certificate Subject Name/Alternate Subject Name must resolve to the interface IP.
  ◦ Configure ip host x.x.x.x yyy.domain.com in the ISE CLI to map a secondary interface IP to an FQDN, which is used to match the certificate Subject Name/Alternate Subject Name.
• Certificate group tag—Pick a certificate group tag that specifies the certificate to use for the portal's HTTPS traffic.
• Endpoint identity group—Choose an endpoint identity group to track guest devices. Cisco ISE provides the GuestEndpoints endpoint identity group to use as a default. You can also create more endpoint identity groups if you choose not to use the default.
  Choose an endpoint identity group to track employee devices. Cisco ISE provides the RegisteredDevices endpoint identity group to use as a default. You can also create more endpoint identity groups if you choose not to use the default.
• Purge endpoints in this identity group when they reach __ days—Change the number of days since the registration of a user's device before it is purged from the Cisco ISE database. Purging is done on a daily basis and the purge activity is synchronized with the overall purge timing. The change is applied globally for this endpoint identity group.
  If changes are made to the Endpoint Purge Policy based on other policy conditions, this setting is no longer available for use.
• Display Language
  ◦ Use browser locale—Use the language specified in the client browser's locale setting as the display language of the portal. If the browser locale's language is not supported by ISE, then the Fallback Language is used as the portal language.
  ◦ Fallback language—Choose the language to use when the language cannot be obtained from the browser locale, or if the browser locale language is not supported by ISE.
  ◦ Always use—Choose the display language to use for the portal. This setting overrides the Use browser locale option.
• SSIDs available to sponsors—Enter the names or the SSIDs (Service Set Identifiers) of the networks that a sponsor can notify guests of as the correct networks to connect to for their visit.
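The HTTPS port rules above (and the identical rules repeated under Portal Settings for Credentialed Guest Portals) are worth checking mechanically before a change window, since the portal editor only reports a conflict for the portal you are saving. The following checker is an added example, not Cisco ISE code or a Cisco API; the Portal record, the portal names and the encoding of the rules are assumptions distilled from the text: ports must lie in 8000 through 8999, and two portals bound to the same port on the same interface must use the same certificate group tag. The guide's last invalid combination (Sponsor and Blacklist both on port 8444, interface 0, group A) is not explained by that sharing rule, so it is deliberately not encoded here.

```python
"""Validate ISE portal port/interface/certificate-group bindings.

Added example, not Cisco ISE code. Rules encoded (assumptions from the
Portal Settings text): guest portal ports lie in 8000..8999; portals may
share a port across interfaces or an interface across ports; portals that
share both port and interface must use the same certificate group tag.
"""
from dataclasses import dataclass
from itertools import combinations

PORT_MIN, PORT_MAX = 8000, 8999


@dataclass(frozen=True)
class Portal:
    name: str
    port: int
    interface: int      # GigabitEthernet index on the PSN
    cert_group: str     # certificate group tag selected for HTTPS


def port_problems(portals):
    """Return human-readable violations; an empty list means the set is valid."""
    problems = []
    for p in portals:
        if not PORT_MIN <= p.port <= PORT_MAX:
            problems.append(f"{p.name}: port {p.port} outside {PORT_MIN}-{PORT_MAX}")
    for a, b in combinations(portals, 2):
        same_listener = a.port == b.port and a.interface == b.interface
        if same_listener and a.cert_group != b.cert_group:
            # One TLS listener cannot serve two different certificates.
            problems.append(
                f"{a.name} and {b.name} share port {a.port} on interface "
                f"{a.interface} but use certificate groups {a.cert_group!r} "
                f"and {b.cert_group!r}")
    return problems


def is_valid(portals) -> bool:
    return not port_problems(portals)


# The guide's own combinations, encoded as constructed test data.
VALID_SETS = [
    [Portal("Sponsor", 8443, 0, "A"), Portal("MyDevices", 8443, 0, "A")],
    [Portal("Sponsor", 8443, 0, "A"), Portal("MyDevices", 8445, 0, "B")],
    [Portal("Sponsor", 8444, 1, "A"), Portal("Blacklist", 8444, 0, "B")],
]
INVALID_SET = [Portal("Sponsor", 8443, 0, "A"), Portal("MyDevices", 8443, 0, "B")]

if __name__ == "__main__":
    for s in VALID_SETS + [INVALID_SET]:
        print([p.name for p in s], port_problems(s) or "ok")
```

Feed it the portal inventory exported from your deployment and treat any non-empty result as a blocker; the same check also catches a legacy port outside the 8000 to 8999 range that an upgrade carried forward.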
Acceptable Use Policy (AUP) Page Settings for Hotspot Guest Portals

The navigation path for this page is Guest Access > Configure > Guest Portals > Create, Edit or Duplicate > Portal Behavior and Flow Settings > Acceptable Use Policy (AUP) Page Settings.

• Include an AUP page—Display your company's network-usage terms and conditions on a separate page to the user.
• Require an access code—Assign an access code as the login credential that multiple guests should use to gain access to the network. An access code is primarily a locally known code that is given to physically present guests (either visually via a whiteboard or verbally by a lobby ambassador). It is not meant to be known or used by someone outside the premises to access the network.
  Because the code is shared by every guest, it gives no per-guest accountability on its own and keeps working for anyone who learns it until you change it. Rotate it, and use this option in addition to the usernames and passwords that are provided as the login credentials to individual guests.
• Require scrolling to end of AUP—Ensure that the user has read the AUP completely. The Accept button activates only after the user has scrolled to the end of the AUP. Configure when the AUP appears to the user.

Post-Access Banner Page Settings for Hotspot Portals

The navigation path for this page is Guest Access > Configure > Guest Portals > Create, Edit or Duplicate > Portal Behavior and Flow Settings > Post-Access Banner Page Settings.

Use this setting to inform guests of their access status and any other additional actions, if required.

Field: Include a Post-Access Banner page
Usage Guidelines: Display additional information after the guests are successfully authenticated and before they are granted network access.

Portal Settings for Credentialed Guest Portals

The navigation path for these settings is Guest Access > Configure > Guest Portals > Create, Edit or Duplicate > Portal Behavior and Flow Settings > Portal Settings.

• HTTPS port—Enter a port value between 8000 and 8999; the default value is 8443 for all the default portals, except the Blacklist Portal, which is 8444. If you upgraded with port values outside this range, they are honored until you modify this page. If you modify this page, update the port setting to comply with this restriction.
  If you assign ports used by a non-guest (such as My Devices) portal to a guest portal, an error message displays.
  For posture assessments and remediation only, the Client Provisioning portal also uses ports 8905 and 8909. Otherwise, it uses the same ports assigned to the Guest portal.
  Portals assigned to the same HTTPS port can use the same Gigabit Ethernet interface or another interface. If they use the same port and interface combination, they must use the same certificate group tag. For example:
  ◦ Valid combinations include, using the Sponsor portal as an example:
    ◦ Sponsor portal: Port 8443, Interface 0, Certificate group A and My Devices portal: Port 8443, Interface 0, Certificate group A.
    ◦ Sponsor portal: Port 8443, Interface 0, Certificate group A and My Devices portal: Port 8445, Interface 0, Certificate group B.
    ◦ Sponsor portal: Port 8444, Interface 1, Certificate group A and Blacklist portal: Port 8444, Interface 0, Certificate group B.
  ◦ Invalid combinations include:
    ◦ Sponsor portal: Port 8443, Interface 0, Certificate group A and My Devices portal: Port 8443, Interface 0, Certificate group B.
    ◦ Sponsor portal: Port 8444, Interface 0, Certificate group A and Blacklist portal: Port 8444, Interface 0, Certificate group A.
• Allowed interfaces—Select the PSN interfaces which a PAN can use to run a portal. When a request to open a portal is made on the PAN, the PAN looks for an available allowed port on the PSN.
  ◦ The Ethernet interfaces must use IP addresses on different subnets.
  ◦ The interfaces you enable here must be available on all your PSNs, including VM-based ones, that have Policy Services turned on. This is required because any of these PSNs can be used for the redirect at the start of the guest session.
  ◦ The portal certificate Subject Name/Alternate Subject Name must resolve to the interface IP.
  ◦ Configure ip host x.x.x.x yyy.domain.com in the ISE CLI to map a secondary interface IP to an FQDN, which is used to match the certificate Subject Name/Alternate Subject Name.
• Identity source sequence—Choose which identity source sequence (ISS) to use for user authentication. The ISS is a list of identity stores that are searched in sequence to verify user credentials. Some examples include: Internal Guest Users, Internal Users, Active Directory, LDAP Directory.
  Cisco ISE includes a default sponsor Identity Source Sequence for sponsor portals, Sponsor_Portal_Sequence.
  To configure an Identity Source Sequence, choose Administration > Identity Management > Identity Source Sequences.
• Employees using this portal as guests inherit login options from—Choose the Guest Type that employees are assigned when they log on to this portal. The employee's endpoint data is stored in the endpoint identity group configured in that guest type for the attribute Store device information in endpoint identity group. No other attributes from the associated guest type are inherited.
• Display Language
  ◦ Use browser locale—Use the language specified in the client browser's locale setting as the display language of the portal. If the browser locale's language is not supported by ISE, then the Fallback Language is used as the portal language.
  ◦ Fallback language—Choose the language to use when the language cannot be obtained from the browser locale, or if the browser locale language is not supported by ISE.
  ◦ Always use—Choose the display language to use for the portal. This setting overrides the Use browser locale option.
• SSIDs available to sponsors—Enter the names or the SSIDs (Service Set Identifiers) of the networks that a sponsor can notify guests of as the correct networks to connect to for their visit.

Login Page Settings for Credentialed Guest Portals

The navigation path for this page is Guest Access > Configure > Guest Portals > Create, Edit or Duplicate > Portal Behavior and Flow Settings > Login Page Settings.

• Require an access code—Assign an access code as the login credential that multiple guests should use to gain access to the network. An access code is primarily a locally known code that is given to physically present guests (either visually via a whiteboard or verbally by a lobby ambassador). It is not meant to be known or used by someone outside the premises to access the network.
  You can use this option in addition to the usernames and passwords that are provided as the login credentials to individual guests.
• Maximum failed login attempts before rate limiting—Specify the number of failed login attempts from a single browser session before Cisco ISE starts to throttle that account. This does not cause an account lockout. The throttled rate is configured in Time between login attempts when rate limiting.
• Time between login attempts when rate limiting—Set the length of time in minutes that a user must wait before attempting to log in again (throttled rate), after failing to log in the number of times defined in Maximum failed login attempts before rate limiting.
• Include an AUP—Add an acceptable use policy page to the flow. You can add the AUP to the page, or link to another page. Adding this changes the picture of the flow on the right.
  ◦ Require acceptance—Force the user to agree to the AUP before continuing the flow.
• Allow guests to create their own accounts—Provide an option on this portal's Login page for guests to register themselves. If this option is not selected, sponsors create guest accounts. Enabling this also enables tabs on this page for you to configure Self-Registration Page Settings and Self-Registration Success Page Settings.
  If guests choose this option, they are presented with the Self-Registration form where they can enter the requested information to create their own guest accounts.
• Allow guests to change password after login—Allow guests to change their password after successfully authenticating and accepting the AUP, if it is required.
  If guests change their passwords, sponsors cannot provide guests with their login credentials if lost. The sponsor can only reset the guest's password back to a random password.
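The two rate-limiting settings in the Login Page Settings above describe throttling, not lockout: after the configured number of failures from one browser session, further attempts from that session are refused until the wait time has elapsed, and a correct password afterwards succeeds normally. The model below is an added example written for this page, not Cisco ISE code; it assumes a string session identifier standing in for the portal's browser session, a clock passed in as minutes so the behaviour can be exercised without waiting, and that a successful login resets the failure counter.

```python
"""Throttle model for 'Maximum failed login attempts before rate limiting'
and 'Time between login attempts when rate limiting'.

Added example, not Cisco ISE code. Assumptions: attempts are keyed by a
browser-session string, time is supplied by the caller in minutes, a
successful login clears the counter, and throttling never locks the
account (once the wait has elapsed the next attempt is evaluated again).
"""
from dataclasses import dataclass, field


@dataclass
class LoginThrottle:
    max_failures: int = 5     # "Maximum failed login attempts before rate limiting"
    wait_minutes: int = 2     # "Time between login attempts when rate limiting"
    _failures: dict = field(default_factory=dict)      # session -> consecutive failures
    _next_allowed: dict = field(default_factory=dict)  # session -> earliest retry (minutes)

    def attempt(self, session: str, credentials_ok: bool, now_minutes: float) -> dict:
        """Evaluate one login attempt from a browser session.

        Returns {"allowed", "throttled", "retry_in"}; retry_in is minutes.
        """
        earliest = self._next_allowed.get(session, 0.0)
        if now_minutes < earliest:
            # Inside the wait window: refuse without even checking the password,
            # which is what makes this a rate limit rather than a lockout.
            return {"allowed": False, "throttled": True,
                    "retry_in": round(earliest - now_minutes, 2)}
        if credentials_ok:
            self._failures.pop(session, None)
            self._next_allowed.pop(session, None)
            return {"allowed": True, "throttled": False, "retry_in": 0}
        failures = self._failures.get(session, 0) + 1
        self._failures[session] = failures
        if failures >= self.max_failures:
            # Threshold reached: every further attempt must be spaced by the
            # configured wait, but the account itself is never disabled.
            self._next_allowed[session] = now_minutes + self.wait_minutes
            return {"allowed": False, "throttled": True, "retry_in": self.wait_minutes}
        return {"allowed": False, "throttled": False, "retry_in": 0}

    def failures(self, session: str) -> int:
        return self._failures.get(session, 0)
```

Note that the throttle is per browser session, as the setting describes, so it slows a single client guessing a guest password but does not by itself stop a distributed guess across many sessions; pair it with short-lived guest accounts and sponsor-side monitoring.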