Cisco ISE 1.3 User Guide
Self-Registration Page Settings for Credentialed Guest Portals

The navigation path for this page is Guest Access > Configure > Guest Portals > Create, Edit or Duplicate > Portal Behavior and Flow Settings > Self Registration Page Settings. Use these settings to enable guests to register themselves and specify the information they need to provide on the Self-Registration form.

Field: Assign self-registered guests to guest type
Usage guidelines: Choose the guest type to which all the self-registered guests using this portal should be assigned.

Field: Account valid for
Usage guidelines: Specify the duration for the account in days, hours, or minutes after which the account will expire unless you or the sponsor extend the account duration in the Sponsor portal.

Field: Require a registration code for self registration
Usage guidelines: Assign a code that the self-registering guests must enter to successfully submit their Self-Registration form. Similar to the access code, the registration code is provided to the guest offline to prevent someone who is outside the premises from accessing the system.

Field: Fields to include / Required
Usage guidelines: Check the fields that you want to display on the Self-Registration form. Then check which fields are mandatory for the guests to complete in order to submit the form and receive a guest account. You may want to require fields such as SMS Service Provider and Person being Visited to gather important information from self-registering guests.

Field: Guests can choose from these locations to set their time zone
Usage guidelines: Enter locations that the self-registering guests can select at registration time using the list of locations that you have defined. This automatically assigns the related time zones as the valid access times for these guests. The location names should be clear to avoid ambiguity during selection (for example, Boston Office, 500 Park Ave New York, Singapore, etc.). If you only provided one location, it is automatically assigned as the default location and does not display in the portal for guests to view. Additionally, Location is disabled in the list of Fields to include.

Field: SMS Service Provider
Usage guidelines: Display SMS providers on the Self-Registration form to enable self-registering guests to choose their own SMS provider. You can then use the guest’s SMS service to send them SMS notifications to minimize expenses for your company.

Cisco Identity Services Engine Administrator Guide, Release 1.3 775 Guest Portal Settings
Field: Guests can choose from these SMS providers
Usage guidelines: Select the SMS providers that should display on the Self-Registration form. If you only selected one as the default SMS provider for the guest to use, it will not display on the Self-Registration form.

Field: Custom Fields
Usage guidelines: Select additional information that you would like to collect from the self-registering guests. Then check which fields are mandatory for the guests to complete in order to submit the Self-Registration form and receive a guest account. These fields are listed in alphabetical order by name.

Field: Include an AUP (on page/as link)
Usage guidelines: Display your company’s network-usage terms and conditions, either as text on the page currently being displayed for the user or as a link that opens a new tab or window with AUP text.

Field: Require acceptance
Usage guidelines: Require users to accept an AUP before their account is fully enabled. The Login button is not enabled unless the user accepts the AUP. If users do not accept the AUP, they will not obtain network access.

Field: Require scrolling to end of AUP
Usage guidelines: This option displays only if Include an AUP on page is enabled. Ensure that the user has read the AUP completely. The Accept button activates only after the user has scrolled to the end of the AUP.

Field: Only allow guests with an email address from
Usage guidelines: Specify the whitelisted email address domains from which the self-registering guests can enter in Email Address and successfully receive their account credentials; for example, cisco.com, example.com. In this example, if the guests entered [email protected], after successful account creation, they receive their login credentials. However, if they entered [email protected] (or any other address not from cisco.com or example.com), no account is created and they do not get credentials. Leaving this field blank allows registration from any domain, unless there are blacklist domains listed in Do not allow guests with email address from.
Field: Do not allow guests with an email address from
Usage guidelines: Specify the blacklisted email address domains from which the self-registering guests cannot enter in Email Address and successfully receive their account credentials; for example, cisco.com, example.com. In this example, if the guests entered [email protected], no account is created and they do not get credentials.

Field: Require self-registered guests to be approved
Usage guidelines: Specify that the self-registering guests using this portal require approval from a sponsor before receiving their guest credentials.
Then specify one of the options under After registration submission, direct guest to in this page:
• Self-Registration Success page
• Login page with instructions about how to obtain login credentials
• URL
If enabled, you should also enable one or both: Email or SMS under Send credential notification upon approval using in this page.
Enabling Require self-registered guests to be approved enables the following extra configuration fields, which have the following attributes:
Approve/Deny Link Settings—Additional settings allow you to configure:
• Links are valid for, number of days.
• Require approver to enter a username and password for authentication—Authenticate sponsors based on the following ordered list of sponsor portals
• Authenticate sponsors based on the following ordered list of sponsor portals—If there are multiple sponsors that can approve this account, then choose the portal that the sponsor must log onto in order to approve the account.
Field: Email approval request to
Usage guidelines: If you select:
• sponsor email addresses listed below, enter the email addresses of sponsors designated as approvers, or an email address or a mailer to which ALL guest approval requests should be sent.
• person being visited, the Person being visited and Required options in Fields to include will also be enabled (if they were previously disabled). These fields will be displayed on the Self-Registration form requesting this information from the self-registering guests.
These persons will receive an email notification stating that self-registering guests require approval.

Field: Self-Registration Success page
Usage guidelines: Direct successfully self-registered guests to the Self-Registration Success page, which displays the fields and messages you have specified in Self Registration Success Page Settings.
It may not be desirable to display all the information, because the system may be awaiting account approval (if enabled on this page) or delivering the login credentials to an email address or phone number based on the whitelisted and blacklisted domains specified in this page.
If you enabled Allow guests to log in directly from the Self-Registration Success page in Self-Registration Success Page Settings, successfully self-registered guests can log in directly from this page. If it is not enabled, they are directed to the portal's Login page after the Self-Registration Success page is displayed.
Field: Login page with instructions about how to obtain login credentials
Usage guidelines: Direct successfully self-registered guests back to the portal’s Login page and display a message, such as “Please wait for your guest credentials to be delivered either via email, SMS, or print format and proceed with logging in.”
To customize the default message, click on the Portal Page Customization tab and select Self-Registration Page Settings.
The system may be awaiting account approval (if enabled on this page) or delivering the login credentials to an email address or phone number based on the whitelisted and blacklisted domains specified in this page.

Field: URL
Usage guidelines: Direct successfully self-registered guests to the specified URL while waiting for their account credentials to be delivered.
The system may be awaiting account approval (if enabled on this page) or delivering the login credentials to an email address or phone number based on the whitelisted and blacklisted domains specified in this page.

Field: Email
Usage guidelines: Choose email as the option by which successfully self-registered guests receive their login credential information. If you choose this option, Email address becomes a required field in the list of Fields to include and you can no longer disable this option.

Field: SMS
Usage guidelines: Choose SMS as the option by which successfully self-registered guests receive their login credential information. If you choose this option, SMS Service Provider becomes a required field in the list of Fields to include and you can no longer disable this option.

Self Registration Success Page Settings

The navigation path for this page is Guest Access > Configure > Guest Portals > Create, Edit or Duplicate > Portal Behavior and Flow Settings > Self Registration Success Page Settings. Use these settings to notify successfully self-registered guests of the credentials they need to gain access to the network.
Field: Include this information on the Self-Registration Success page
Usage guidelines: Check the fields that you want to display for the successfully self-registered guests on the Self-Registration Success page.
If sponsor approval of the guest is not required, check Username and Password to display these credentials for the guest. If sponsor approval is required, these fields are disabled, because the credentials can only be delivered to the guest after they have been approved.

Field: Allow guest to send information to self using
Usage guidelines: Check the options by which the successfully self-registered guest can send credential information to themselves: Print, Email, or SMS.

Field: Include an AUP (on page/as link)
Usage guidelines: Display your company’s network-usage terms and conditions, either as text on the page currently being displayed for the user or as a link that opens a new tab or window with AUP text.

Field: Require acceptance
Usage guidelines: Require users to accept an AUP before their account is fully enabled. The Login button is not enabled unless the user accepts the AUP. If users do not accept the AUP, they will not obtain network access.

Field: Require scrolling to end of AUP
Usage guidelines: This field displays if you chose the AUP on page option.
Ensure that the user has read the AUP completely. The Accept button activates only after the user has scrolled to the end of the AUP.

Field: Allow guests to log in directly from the Self-Registration Success page
Usage guidelines: Display a Login button at the bottom of the Self-Registration Success page. This enables the guest to bypass the Login page and automatically deliver the login credentials to the portal and display the next page in the portal flow (for instance, the AUP page).

Acceptable Use Policy (AUP) Page Settings for Credentialed Guest Portals

The navigation path for this page is Guest Access > Configure > Guest Portals > Create, Edit or Duplicate > Portal Behavior and Flow Settings > Acceptable Use Policy (AUP) Page Settings.
• Include an AUP page—Display your company’s network-usage terms and conditions on a separate page to the user.
• Use different AUP for employees—Display a different AUP and network-usage terms and conditions for employees only. If you choose this option, you cannot also choose Skip AUP for employees.
• Skip AUP for employees—Employees are not required to accept an AUP before accessing the network. If you choose this option, you cannot also choose Use different AUP for employees.
• Require scrolling to end of AUP—This option displays only if Include an AUP on page is enabled. Ensure that the user has read the AUP completely. The Accept button activates only after the user has scrolled to the end of the AUP. Configure when the AUP appears to the user.
  ◦ On first login only—Display an AUP the first time the user logs into the network or portal.
  ◦ On every login—Display an AUP every time the user logs into the network or portal.
  ◦ Every __ days (starting at first login)—Display an AUP periodically after the user first logs into the network or portal.

Guest Change Password Settings for Credentialed Guest Portals

Guest Change Password Settings

The navigation path for this page is Guest Access > Configure > Guest Portals > Create, Edit or Duplicate > Portal Behavior and Flow Settings > Guest Change Password Settings
• Allow guests to change password after login—Allow guests to change their password after successfully authenticating and accepting the AUP, if it is required.
  If guests change their passwords, sponsors cannot provide guests with their login credentials if lost. The sponsor can only reset the guest’s password back to a random password.

Guest Device Registration Settings for Credentialed Guest Portals

Guest Device Registration Settings

The navigation path for this page is Guest Access > Configure > Guest Portals > Create, Edit or Duplicate > Portal Behavior and Flow Settings > Guest Device Registration Settings
Use these settings either to ensure that Cisco ISE automatically registers guest devices when they log in, or to allow guests to manually register their devices after they log in.
The maximum number of devices is specified for each guest type in Guest Access > Configure > Guest Types.
• Automatically register guest devices—Automatically create an endpoint for the device from which the guest is accessing this portal. The endpoint is added to the endpoint identity group specified for this portal and is subject to the identity group's purge policy.
  An authorization rule can now be created to allow access to endpoints in that identity group, so that web authentication is no longer required.
  If the maximum number of registered devices is reached, the system automatically deletes the first registered device, registers the device the guest is trying to log in with, and notifies them. Choose Guest Access > Configure > Guest Types to change the maximum number of devices with which a guest can register.
• Allow guests to register devices—Guests can register their devices manually by providing a name, description and MAC address. The MAC address is associated with an endpoint identity group.
  If the maximum number of registered devices is reached, the guest is required to delete at least one device before being allowed to register another device.

BYOD Settings for Credentialed Guest Portals

The navigation path for this page is Guest Access > Portals & Components > Configure > Guest Portals > Create, Edit or Duplicate > Portal Behavior and Flow Settings > BYOD Settings.
Use these settings to enable Bring Your Own Device (BYOD) functionality for non-guests, such as employees, using the Credentialed Guest portals to access your corporate network.

Field: Allow employees to use personal devices on the network
Usage guidelines: Add the Employee Bring Your Own Device (BYOD) Registration page to this portal allowing employees to go through the employee device registration process, and possibly native supplicant and certificate provisioning, depending on the settings for Client Provisioning for the employee’s personal device type (for example, iOS, Android, Windows (excluding RT or mobile), OS X).

Field: Endpoint identity group
Usage guidelines: Choose an endpoint identity group to track guest devices. Cisco ISE provides the GuestEndpoints endpoint identity group to use as a default. You can also create more endpoint identity groups if you choose to not use the default.

Field: Purge endpoints in this identity group when they reach __ days
Usage guidelines: Change the number of days since the registration of a user's device before it is purged from the Cisco ISE database. Purging is done on a daily basis and the purge activity is synchronized with the overall purge timing. The change is applied globally for this endpoint identity group.
If changes are made to the Endpoint Purge Policy based on other policy conditions, this setting is no longer available for use.

Field: Allow employees to choose to get guest access only
Usage guidelines: Let employees access your guest network and avoid additional provisioning and registration that may be required to access your corporate network.

Field: Display Device ID field during registration
Usage guidelines: Display the device ID to the user during the registration process, even though the device ID is pre-configured and cannot be changed while using the BYOD portal.
Field: Originating URL
Usage guidelines: After successfully authenticating to the network, redirect the user’s browser to the original website that the user is trying to access, if available. If not available, the Authentication Success page displays. Make sure that the redirect URL is allowed to work on port 8443 of the PSN by the access-control list on the NAD and by authorization profiles configured in ISE for that NAD.
For Windows, MAC and Android devices, control is given to the Self-Provisioning Wizard app, which does provisioning. Therefore, these devices are not redirected to the originating URL. However, iOS (dot1X) and unsupported devices (that are allowed network access) are redirected to this URL.

Field: Success page
Usage guidelines: Display a page indicating that the device registration was successful.

Field: URL
Usage guidelines: After successfully authenticating to the network, redirect the user's browser to the specified URL, such as your company’s website.

Post-Login Banner Page Settings for Credentialed Guest Portals

The navigation path for this page is Guest Access > Configure > Guest Portals or Sponsor Portals > Create, Edit or Duplicate > Portal Behavior and Flow Settings > Post-Login Banner Page Settings.
Use this setting to notify users (guests, sponsors or employees as applicable) of additional information after they log in successfully.

Field: Include a Post-Login Banner page
Usage guidelines: Display additional information after the users successfully log in and before they are granted network access.

Guest Device Compliance Settings for Credentialed Guest Portals

The navigation path for this page is Guest Access > Configure > Guest Portals > Create, Edit or Duplicate > Portal Behavior and Flow Settings > Guest Device Compliance Settings. Use these settings to require guests, and employees using the guest portal, to undergo client provisioning of their devices in order to gain access to the network.
• Require guest device compliance—Redirect guests to the Client Provisioning page, which requires them to download a posture agent. This adds client provisioning to the Guest flow, where you configure posture policies for guests, such as checking for virus protection software.
  If the guest is an employee using the Credentialed Guest portals to access the network and:
  ◦ If you enabled Allow employees to use personal devices on the network in the BYOD Settings, the employee is redirected to the BYOD flow and will not undergo client provisioning.
  ◦ If you enabled both Allow employees to use personal devices on the network and Allow employees to choose to get guest access only in the BYOD Settings, and the employee chooses guest access, they are routed to the Client Provisioning page.

VLAN DHCP Release Page Settings for Guest Portals

The navigation path for this page is Guest Access > Configure > Guest Portals > Create, Edit or Duplicate > Portal Behavior and Flow Settings > VLAN DHCP Release Page Settings.
• Enable VLAN DHCP release—Refresh a guest's IP address for Windows and Mac OS devices after a VLAN change in both wired and wireless environments.
  This affects the Central WebAuth (CWA) flow during final authorization, when the network access changes the guest VLAN to a new VLAN. The guest’s old IP address must be released before the VLAN change, and a new guest IP address must be requested through DHCP when the guest connects to the new VLAN. The IP address release renew operation varies by the browser and operating system used; Internet Explorer uses ActiveX controls, and Firefox and Google Chrome use Java applets. For non-Internet Explorer browsers, Java must be installed and enabled on the browser.
  The VLAN DHCP Release option does not work on mobile devices. Instead, guests are requested to manually reset the IP address. This method varies by devices. For example, on Apple iOS devices, guests can select the Wi-Fi network and click the Renew Lease button.
• Delay to release __ seconds—Enter the delay to release time. We recommend a short value, because the release must occur immediately after the applet is downloaded, and before the Cisco ISE server directs the NAD to re-authenticate with a CoA request.
• Delay to CoA __ seconds—Enter the time to delay Cisco ISE from executing the CoA. Provide enough time (use the default value as a guideline) to allow the applet to download and perform the IP release on the client.
• Delay to renew __ seconds—Enter the delay to renew value. This time is added to the IP release value and does not begin timing until the control is downloaded. Provide enough time (use the default value as a guideline) so that the CoA is allowed to process and the new VLAN access granted.

Authentication Success Settings for Guest Portals

The navigation path for this page is Guest Access > Configure > Guest Portals > Create, Edit or Duplicate > Portal Behavior and Flow Settings > Authentication Success Settings.
These settings notify the users (guests, sponsors, or employees as applicable) of authentication success or display a URL. Under Once authenticated, take guest to:, configure the following fields:
• Originating URL—After successfully authenticating to the network, redirect the user’s browser to the original website that the user is trying to access, if available. If not available, the Authentication Success page displays. Make sure that the redirect URL is allowed to work on port 8443 of the PSN by the access-control list on the NAD and by authorization profiles configured in ISE for that NAD.
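
The three VLAN DHCP release delays described above depend on each other: the release has to land before the CoA, and the renew has to wait until the CoA has been processed. The Python model below is an added example, not part of the Cisco guide or of ISE; it assumes the CoA timer starts when the portal serves the page and the client timers start once the applet or control has downloaded, and `applet_download`, `coa_processing` and the sample values are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class DhcpReleaseTimers:
    """The three delays from the VLAN DHCP Release page, in seconds."""
    delay_to_release: float
    delay_to_coa: float
    delay_to_renew: float


def timeline(t, applet_download):
    """Event times in seconds, counted from when the portal serves the page.

    Model assumptions (not stated by the guide): ISE starts its CoA timer at
    t=0, and the client-side timers start when the applet download finishes.
    """
    release = applet_download + t.delay_to_release
    return {
        "release": release,
        "coa": t.delay_to_coa,
        # The guide says the renew delay is added to the release value.
        "renew": release + t.delay_to_renew,
    }


def check(t, applet_download, coa_processing):
    """Return a list of ordering problems; an empty list means the plan holds."""
    ev = timeline(t, applet_download)
    problems = []
    if ev["release"] >= ev["coa"]:
        problems.append(
            f"release at {ev['release']}s is not before CoA at {ev['coa']}s: "
            "the VLAN may change before the old address is released"
        )
    coa_done = ev["coa"] + coa_processing
    if ev["renew"] < coa_done:
        problems.append(
            f"renew at {ev['renew']}s precedes end of CoA processing at "
            f"{coa_done}s: the DHCP request may go out on the old VLAN"
        )
    return problems


def max_applet_download(t):
    """Slowest applet download that still lets the release precede the CoA."""
    return t.delay_to_coa - t.delay_to_release


if __name__ == "__main__":
    # Constructed sample values for illustration.
    timers = DhcpReleaseTimers(delay_to_release=1, delay_to_coa=8, delay_to_renew=12)
    for download in (2, 9):  # fast link, then slow link
        print(download, check(timers, download, coa_processing=3) or "ok")
    print("download budget:", max_applet_download(timers), "s")
```

Measuring the real applet download time on the slowest guest link gives the value to compare against the download budget before shortening Delay to CoA.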