For Windows, MAC and Android devices, control is given to the Self-Provisioning Wizard app, which does provisioning. Therefore, these devices are not redirected to the originating URL. However, iOS (dot1X) and unsupported devices (that are allowed network access) are redirected to this URL.

• Authentication Success page—Notification of successful authentication of the user.
• URL—After successfully authenticating to the network, redirect the user's browser to the specified URL, such as your company's website.

Note: If you redirect a Guest to an external URL after authentication, there may be a delay while the URL address is resolved and the session is redirected. Make sure that the redirect URL is allowed to work on port 8443 of the PSN by the access-control list on the NAD and by authorization profiles configured in ISE for that NAD.

Support Information Page Settings for Guest Portals

The navigation path for this page is Guest Access > Configure > Guest Portals > Create, Edit or Duplicate > Portal Behavior and Flow Settings > Support Information Page Settings.

Use these settings to display the information that your Help Desk can use to troubleshoot access issues experienced by users (guests, sponsors or employees as applicable).

Field and Usage Guidelines:

• Include a Support Information Page: Display a link to an information page, such as Contact Us, on all enabled pages for the portal.
• MAC address: Include the MAC address of the device on the Support Information page.
• IP address: Include the IP address of the device on the Support Information page.
• Browser user agent: Include the browser details such as the product name and version, layout engine and version of the user agent originating the request on the Support Information page.
• Policy server: Include the IP address of the ISE Policy Service Node (PSN) that is serving this portal on the Support Information page.
• Failure code: If available, include the corresponding number from the log message catalog. You can access and view the message catalog by navigating to Administration > System > Logging > Message Catalog.

Cisco Identity Services Engine Administrator Guide, Release 1.3 785 Guest Portal Settings
• Hide field: Do not display any field labels on the Support Information page if the information that they would contain is non-existent. For example, if the failure code is unknown, and therefore blank, do not display Failure code, even if it is selected.
• Display label with no value: Display all selected field labels on the Support Information page, even if the information that they would contain is non-existent. For example, if the failure code is unknown, display Failure code, even if it is blank.
• Display label with default value: Display this text in any selected field on the Support Information page, if the information that they would contain is non-existent. For example, if you enter Not Available in this field, and the failure code is unknown, the Failure code displays Not Available.

Sponsor Portal Application Settings

Portal Identification Settings

The navigation path for these settings is Guest Access > Configure > Guest Portals or Sponsor Portals > Create, Edit or Duplicate > Guest Portals or Sponsor Portals Settings and Customization.

• Portal Name—Enter a unique portal name to access this portal. Do not use this portal name for any other Sponsor and Guest portals and non-guest portals, such as Blacklist, Bring Your Own Device (BYOD), Client Provisioning, Mobile Device Management (MDM), or My Devices portals.
This name appears in the authorization profile portal selection for redirection choices, and is used in the list of portals for easy identification among other portals.
• Description—Optional.
• Portal test URL—A system-generated URL displays as a link after you click Save. Use it to test the portal.
Click the link to open a new browser tab that displays the URL for this portal. In order for this to work, a Policy Services Node (PSN) with Policy Services must be turned on. If Policy Services are not turned on, the PSN only displays the Admin portal.

Note: The test portal does not support RADIUS sessions, so you won't see the entire portal flow for all portals. BYOD and Client Provisioning are examples of portals that depend on RADIUS sessions. For example, a redirect to an external URL will not work.

• Language File—Each portal type supports 15 languages by default, which are available as individual properties files bundled together in a single zipped language file. Export or import the zipped language file to use with the portal. The zipped language file contains all the individual language files that you can use to display text for the portal.
The language file contains the mapping to the particular browser locale setting (for example, for French: fr, fr-fr, fr-ca) along with all of the string settings for the entire portal in that language. A single language file contains all the supported languages, so that it can easily be used for translation and localization purposes.
If you change the browser locale setting for one language, the change is applied to all the other end-user web portals. For example, if you change the French.properties browser locale from fr, fr-fr, fr-ca to fr, fr-fr in the Hotspot Guest portal, the change is applied to the My Devices portal also.
An alert icon displays when you customize any of the portal page text on the Portal Page Customizations tab. The alert message reminds you to update any changes made to one language while customizing the portal into all the supported languages properties files. You can manually dismiss the alert icon using the drop-down list option; or it is automatically dismissed after you import the updated zipped language file.

Portal Settings for Sponsor Portals

Configure these settings to identify the portal and select the language files to be used for all the portal pages.

• HTTPS port—Enter a port value between 8000 to 8999; the default value is 8443 for all the default portals, except the Blacklist Portal, which is 8444. If you upgraded with port values outside this range, they are honored until you modify this page. If you modify this page, update the port setting to comply with this restriction.
If you assign Ports used by a non-guest (such as My Devices) portal to a guest portal, an error message displays.
For posture assessments and remediation only, the Client Provisioning portal also uses Ports 8905 and 8909. Otherwise, it uses the same Ports assigned to the Guest portal.
Portals assigned to the same HTTPS port can use the same Gigabit Ethernet interface or another interface.
If they use the same port and interface combination, they must use the same certificate group tag. For example:
◦ Valid combinations include, using the Sponsor portal as an example:
   ◦ Sponsor portal: Port 8443, Interface 0, Certificate tag A and My Devices portal: Port 8443, Interface 0, Certificate group A.
   ◦ Sponsor portal: Port 8443, Interface 0, Certificate group A and My Devices portal: Port 8445, Interface 0, Certificate group B.
   ◦ Sponsor portal: Port 8444, Interface 1, Certificate group A and Blacklist portal: Port 8444, Interface 0, Certificate group B.
◦ Invalid combinations include:
   ◦ Sponsor portal: Port 8443, Interface 0, Certificate group A and My Devices portal: Port 8443, Interface 0, Certificate group B.
   ◦ Sponsor portal: Port 8444, Interface 0, Certificate tag A and Blacklist portal: Port 8444, Interface 0, Certificate group A.
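The port, interface and certificate-group rule above is easy to get wrong when several portals are deployed on one PSN. The following is an added example (not Cisco ISE code) that encodes the two rules stated on this page, the 8000-8999 port range and "same port and same interface requires the same certificate group tag", and runs them over a set of portal bindings before they are entered in the GUI. The PortalBinding structure and the function names are assumptions for the example. Note that the last invalid combination listed above (Sponsor and Blacklist both on port 8444, interface 0, group A) is not explained by the certificate-group rule alone, so this validator does not flag it.

```python
# Added example, not Cisco's code: a pre-flight check for end-user portal
# port / interface / certificate-group assignments on one PSN.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class PortalBinding:
    name: str         # portal name as shown in the ISE GUI
    port: int         # HTTPS port (must be 8000-8999 per the guide)
    interface: int    # PSN Gigabit Ethernet interface index
    cert_group: str   # certificate group tag selected for the portal


def port_in_range(binding: PortalBinding) -> bool:
    """Rule 1: portal HTTPS ports must lie between 8000 and 8999."""
    return 8000 <= binding.port <= 8999


def find_conflicts(bindings):
    """Return a list of problems; an empty list means the set is valid."""
    problems = []
    for b in bindings:
        if not port_in_range(b):
            problems.append(f"{b.name}: port {b.port} is outside 8000-8999")

    # Rule 2: portals that share (port, interface) must share a certificate
    # group, because one TLS listener can only present one certificate.
    by_slot = defaultdict(list)
    for b in bindings:
        by_slot[(b.port, b.interface)].append(b)
    for (port, iface), group in by_slot.items():
        tags = sorted({b.cert_group for b in group})
        if len(tags) > 1:
            names = ", ".join(b.name for b in group)
            problems.append(
                f"port {port}/interface {iface} is shared by {names} "
                f"but uses different certificate groups {tags}"
            )
    return problems


def is_valid(bindings) -> bool:
    return not find_conflicts(bindings)


if __name__ == "__main__":
    # Constructed set mirroring the first "invalid" combination on this page.
    demo = [
        PortalBinding("Sponsor portal", 8443, 0, "A"),
        PortalBinding("My Devices portal", 8443, 0, "B"),
    ]
    for problem in find_conflicts(demo):
        print("conflict:", problem)
```

Running the check over the guide's own examples gives the expected split: the three valid combinations pass, the first invalid one is reported as a certificate-group conflict, and any upgraded portal still on a port outside 8000-8999 is reported before you save the page.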
• Allowed interfaces—Select the PSN interfaces which a PAN can use to run a portal. When a request to open a portal is made on the PAN, the PAN looks for an available allowed Port on the PSN. You must configure the Ethernet interfaces using IP addresses on different subnets.
These interfaces must be available on all the PSNs, including VM-based ones, that have Policy Services turned on. This is a requirement because any of these PSNs can be used for the redirect at the start of the guest session.
◦ The Ethernet interfaces must use IP addresses on different subnets.
◦ The interfaces you enable here must be available on all your PSNs, including VM-based ones, when Policy Services is turned on. This is required because any of these PSNs can be used for a redirect at the start of the guest session.
◦ The portal certificate Subject Name/Alternate Subject Name must resolve to the interface IP.
◦ Configure ip host x.x.x.x yyy.domain.com in the ISE CLI to map a secondary interface IP to an FQDN, which is used to match the Certificate Subject Name/Alternate Subject Name.
• Certificate group tag—Pick a certificate group tag that specifies the certificate to use for the portal's HTTPS traffic.
• Fully Qualified Domain Name (FQDN)—Enter at least one unique FQDN and/or hostname for your Sponsor or My Devices portal. For example, you can enter sponsorportal.yourcompany.com,sponsor, so that when the user enters either of those into a browser, the sponsor portal displays. Separate names with commas, but do not include spaces between entries.
If you change the default FQDN, then also do the following:
◦ Update your DNS so that the FQDN of the new URL resolves to a valid Policy Services Node (PSN) IP address. Optionally, this address could point to a load balancer virtual IP address that serves a pool of PSNs.
◦ To avoid certificate warning messages due to name mismatches, include the FQDN of the customized URL, or a wildcard, in the subject alternative name (SAN) attribute of the local server certificate of the Cisco ISE PSN.
• Identity source sequence—Choose which identity source sequence (ISS) to use for user authentication. The ISS is a list of Identity Stores that are searched in sequence to verify user credentials. Some examples include: Internal Guest Users, Internal Users, Active Directory, LDAP Directory.
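The FQDN field and the SAN requirement above interact: every name a user may type into the browser has to be covered by the PSN certificate, or the browser shows a name-mismatch warning that guests quickly learn to click through. The following is an added example (not Cisco ISE code) that parses the comma-separated FQDN field exactly as the page describes it (no spaces between entries) and reports which names a given certificate's DNS SAN list would not cover, including the usual single-label wildcard semantics. The function names and the constructed SAN lists are assumptions for the example; in practice you would feed it the SAN entries read from the PSN's actual certificate.

```python
# Added example, not Cisco's code: check portal FQDNs against the DNS SAN
# entries of the PSN portal certificate before users see a warning.


def parse_fqdn_field(value: str):
    """Split the portal FQDN field into names.

    The guide requires comma-separated entries with no spaces; anything else
    is rejected so the mismatch is caught at configuration time.
    """
    if " " in value:
        raise ValueError("FQDN field must not contain spaces between entries")
    names = value.split(",")
    if any(not n for n in names):
        raise ValueError("FQDN field contains an empty entry")
    return [n.lower() for n in names]


def san_matches(san_entry: str, hostname: str) -> bool:
    """Match one DNS SAN entry against a hostname.

    A wildcard is honoured only as the complete leftmost label
    ('*.example.com') and only for exactly one label, which is how
    browsers evaluate it (RFC 6125 style).
    """
    san_entry = san_entry.lower()
    hostname = hostname.lower()
    if san_entry.startswith("*."):
        suffix = san_entry[1:]                # ".example.com"
        if not hostname.endswith(suffix):
            return False
        head = hostname[: -len(suffix)]       # the part the '*' must cover
        return bool(head) and "." not in head
    return san_entry == hostname


def names_missing_from_cert(fqdn_field: str, san_entries):
    """Return the portal names that no SAN entry covers (empty = no warnings)."""
    return [
        name
        for name in parse_fqdn_field(fqdn_field)
        if not any(san_matches(san, name) for san in san_entries)
    ]


if __name__ == "__main__":
    # Constructed values using the page's own FQDN example.
    field = "sponsorportal.yourcompany.com,sponsor"
    cert_sans = ["*.yourcompany.com"]         # constructed SAN list
    print("uncovered names:", names_missing_from_cert(field, cert_sans))
```

With the page's example value of "sponsorportal.yourcompany.com,sponsor" and a certificate that only carries the wildcard "*.yourcompany.com", the short hostname "sponsor" is reported as uncovered: a wildcard never matches a bare hostname, so it needs its own SAN entry (or the DNS search suffix has to turn it into the FQDN before the browser connects).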
Cisco ISE includes a default sponsor Identity Source Sequence for sponsor portals, Sponsor_Portal_Sequence.
To configure an Identity Source Sequence, choose Administration > Identity Management > Identity Source Sequences.
• Idle timeout—Enter the time in minutes that you want Cisco ISE to wait before it logs out the user if there is no activity in the portal. The valid range is from 1 to 30 minutes.
• Allow Kerberos—Use Kerberos to authenticate a sponsor for access to the sponsor portal. Kerberos SSO is performed inside the secure tunnel after the browser establishes the SSL connection with ISE.
Note: Kerberos authentication requires the following items to be in the same domain:
• Sponsor's PC
• ISE PSN
• FQDN configured for this sponsor portal

Note: Kerberos authentication is NOT supported for the Guest portal.

• Display Language
◦ Use browser locale—Use the language specified in the client browser's locale setting as the display language of the portal. If the browser locale's language is not supported by ISE, then the Fallback Language is used as the portal language.
◦ Fallback language—Choose the language to use when the language cannot be obtained from the browser locale, or if the browser locale language is not supported by ISE.
◦ Always use—Choose the display language to use for the portal. This setting overrides the Use browser locale option.
• SSIDs available to sponsors—Enter the names or the SSIDs (Service Set Identifiers) of the networks that a sponsor can notify guests as the correct networks to connect to for their visit.

Login Settings for Sponsor Portals

Login Page Settings for Sponsor Portals

The navigation path for this page is Guest Access > Configure > Sponsor Portals > Create, Edit or Duplicate > Portal Behavior and Flow Settings > Login Page Settings.

• Maximum failed login attempts before rate limiting—Specify the number of failed login attempts from a single browser session before Cisco ISE starts to throttle that account. This does not cause an account lockout. The throttled rate is configured in Time between login attempts when rate limiting.
• Time between login attempts when rate limiting—Set the length of time in minutes that a user must wait before attempting to log in again (throttled rate), after failing to log in the number of times defined in Maximum failed login attempts before rate limiting.
• Include an AUP—Add an acceptable use policy page to the flow. You can add the AUP to the page, or link to another page. Adding this changes the picture of the flow on the right.
◦ Require acceptance—Force the user to agree to the AUP before continuing the flow.
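Two passages above describe how a portal picks its display language: the language file maps browser locale tags to a language (the page's example is French: fr, fr-fr, fr-ca), and the Display Language setting chooses between the browser locale with a fallback, or a fixed "Always use" language. The following is an added example (not Cisco ISE code) that models that resolution, including parsing the browser's Accept-Language header in preference order. The LANGUAGE_FILES mapping is constructed for the example (only the French entry is taken from the page), and the mode names "browser" and "always" are assumptions standing in for the two GUI options.

```python
# Added example, not Cisco's code: resolve a portal's display language from
# the browser locale, a fallback, or a forced "Always use" language.

# Constructed locale-to-language mapping in the spirit of the properties
# files described on this page; only the French row is from the guide.
LANGUAGE_FILES = {
    "English": ["en", "en-us", "en-gb"],
    "French": ["fr", "fr-fr", "fr-ca"],
    "German": ["de", "de-de"],
}


def build_locale_index(language_files):
    """Invert the per-language locale lists into locale -> language."""
    return {
        locale.lower(): language
        for language, locales in language_files.items()
        for locale in locales
    }


def parse_accept_language(header: str):
    """Return locale tags from an Accept-Language header, best first.

    Tags with q=0 are dropped; a stable sort keeps header order for equal q.
    """
    entries = []
    for part in header.split(","):
        part = part.strip()
        if not part:
            continue
        tag, _, q = part.partition(";q=")
        try:
            weight = float(q) if q else 1.0
        except ValueError:
            weight = 0.0           # malformed q value: ignore this tag
        entries.append((weight, tag.strip().lower()))
    entries.sort(key=lambda e: -e[0])
    return [tag for weight, tag in entries if weight > 0]


def resolve_display_language(mode, accept_language, fallback,
                             always_use=None, language_files=LANGUAGE_FILES):
    """mode 'always' forces always_use; mode 'browser' walks the browser's
    preferred locales and falls back when none is supported."""
    if mode == "always":
        return always_use
    if mode != "browser":
        raise ValueError(f"unknown display language mode: {mode}")
    index = build_locale_index(language_files)
    for tag in parse_accept_language(accept_language or ""):
        if tag in index:
            return index[tag]
    return fallback


if __name__ == "__main__":
    # Constructed header from a Canadian French browser.
    print(resolve_display_language("browser", "fr-CA,fr;q=0.8,en;q=0.5", "English"))
```

Note the consequence the page spells out: because the locale lists live in the shared language file, narrowing the French list to "fr, fr-fr" would send an fr-ca browser to the fallback language on every portal, not just the one you edited.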
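The two rate-limiting settings above describe a throttle rather than a lockout: after N failed attempts from one browser session, that session must wait T minutes, while the account itself stays usable. The following is an added example (not Cisco ISE code) that models that behaviour so the difference from an account lockout is visible: the limiter is keyed by browser session, a throttled session is refused until its wait expires, and a successful login clears the counter. The LoginRateLimiter class, the injectable clock and the session identifiers are assumptions for the example.

```python
# Added example, not Cisco's code: per-browser-session login throttling
# without account lockout, as described by the sponsor portal login settings.
import time
from collections import defaultdict


class LoginRateLimiter:
    def __init__(self, max_failed_attempts: int, wait_minutes: int,
                 clock=time.monotonic):
        self.max_failed = max_failed_attempts   # "Maximum failed login attempts before rate limiting"
        self.wait_seconds = wait_minutes * 60   # "Time between login attempts when rate limiting"
        self.clock = clock                      # injectable for deterministic tests
        self.failures = defaultdict(int)        # session_id -> consecutive failures
        self.blocked_until = {}                 # session_id -> monotonic deadline

    def allowed(self, session_id: str) -> bool:
        """A session may try again once its throttle deadline has passed."""
        deadline = self.blocked_until.get(session_id)
        return deadline is None or self.clock() >= deadline

    def record(self, session_id: str, success: bool) -> None:
        if success:
            # A good login resets the session; nothing is locked at account level.
            self.failures.pop(session_id, None)
            self.blocked_until.pop(session_id, None)
            return
        self.failures[session_id] += 1
        if self.failures[session_id] >= self.max_failed:
            self.blocked_until[session_id] = self.clock() + self.wait_seconds
            self.failures[session_id] = 0

    def attempt(self, session_id: str, credentials_ok: bool) -> str:
        """Returns 'throttled', 'success' or 'failed'.

        A throttled attempt is refused before credentials are checked and
        does not extend the wait, so the throttle cannot be used to keep a
        session (or the account) locked indefinitely.
        """
        if not self.allowed(session_id):
            return "throttled"
        self.record(session_id, credentials_ok)
        return "success" if credentials_ok else "failed"


class FakeClock:
    """Deterministic clock for demonstrating the wait period."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


if __name__ == "__main__":
    clock = FakeClock()
    limiter = LoginRateLimiter(max_failed_attempts=3, wait_minutes=2, clock=clock)
    for _ in range(4):
        print(limiter.attempt("browser-session-1", credentials_ok=False))
    clock.now += 120
    print(limiter.attempt("browser-session-1", credentials_ok=True))
```

The model also shows why this setting is not a substitute for the sponsor password policy: a second browser session against the same account starts with a fresh counter, which is exactly the "does not cause an account lockout" property the page describes.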
Acceptable Use Policy (AUP) Settings for Sponsor Portals

The navigation path for this page is Guest Access > Configure > Sponsor Portals > Create, Edit or Duplicate > Portal Behavior and Flow Settings > Acceptable Use Policy (AUP) Page Settings.

Use these settings to define the AUP experience for the users (guests, sponsors or employees as applicable).

Field and Usage Guidelines:

• Include an AUP page: Display your company's network-usage terms and conditions on a separate page to the user.
• Require scrolling to end of AUP: Ensure that the user has read the AUP completely. The Accept button activates only after the user has scrolled to the end of the AUP.
• On first login only: Display an AUP when the user logs into the network or portal for the first time only.
• On every login: Display an AUP each time the user logs into the network or portal.
• Every __ days (starting at first login): Display an AUP periodically after the user first logs into the network or portal.

Sponsor Change Password Settings for Sponsor Portals

The navigation path for this page is Guest Access > Configure > Sponsor Portals > Create, Edit or Duplicate > Portal Behavior and Flow Settings > Sponsor Change Password Settings. Use these settings to define the password requirements for sponsors using the Sponsor portal.
To set the sponsor password policy, choose Administration > Identity Management > Settings > User Password Policy.

Field and Usage Guidelines:

• Allow sponsors to change their own passwords: Allow sponsors to change their passwords after they log in to the Sponsor portal. This option will display a Change Password page only if the sponsors are part of the Internal Users database.

Post-Login Banner Settings for Sponsor Portals

The navigation path for this page is Guest Access > Configure > Guest Portals or Sponsor Portals > Create, Edit or Duplicate > Portal Behavior and Flow Settings > Post-Login Banner Page Settings.
Use this setting to notify users (guests, sponsors or employees as applicable) of additional information after they log in successfully.
Field and Usage Guidelines:

• Include a Post-Login Banner page: Display additional information after the users successfully log in and before they are granted network access.

Support Information Page Settings for Sponsor Portals

The navigation path for this page is Guest Access > Configure > Sponsor Portals > Create, Edit or Duplicate > Portal Behavior and Flow Settings > Support Information Page Settings.

Use these settings to display the information that your Help Desk can use to troubleshoot access issues experienced by users (guests, sponsors or employees as applicable).

Field and Usage Guidelines:

• Include a Support Information Page: Display a link to an information page, such as Contact Us, on all enabled pages for the portal.
• MAC address: Include the MAC address of the device on the Support Information page.
• IP address: Include the IP address of the device on the Support Information page.
• Browser user agent: Include the browser details such as the product name and version, layout engine and version of the user agent originating the request on the Support Information page.
• Policy server: Include the IP address of the ISE Policy Service Node (PSN) that is serving this portal on the Support Information page.
• Failure code: If available, include the corresponding number from the log message catalog. You can access and view the message catalog by navigating to Administration > System > Logging > Message Catalog.
• Hide field: Do not display any field labels on the Support Information page if the information that they would contain is non-existent. For example, if the failure code is unknown, and therefore blank, do not display Failure code, even if it is selected.
• Display label with no value: Display all selected field labels on the Support Information page, even if the information that they would contain is non-existent. For example, if the failure code is unknown, display Failure code, even if it is blank.
• Display label with default value: Display this text in any selected field on the Support Information page, if the information that they would contain is non-existent. For example, if you enter Not Available in this field, and the failure code is unknown, the Failure code displays Not Available.

Notify Guests Customization for Sponsor Portals

The navigation path for these settings is Guest Access > Configure > Sponsor Portals > Create, Edit or Duplicate > Portal Page Customization > Notify Guests.

Under Page Customizations, you can customize the messages, titles, content, instructions, and field and button labels that appear on the notifications that sponsors send to guests from the Sponsor portal.

Under Settings, you can specify whether sponsors can send usernames and passwords separately to guests using email or SMS. You can also specify whether sponsors can display a Support Information page for guests to provide information that a help desk can use to troubleshoot access issues.

Manage and Approve Customization for Sponsor Portals

The navigation path for these settings is Guest Access > Configure > Sponsor Portals > Create, Edit or Duplicate > Portal Page Customization > Manage and Approve.

Under Page Customizations, you can customize the messages, titles, content, instructions, and field and button labels that appear on the Manage and Approve tabs of the Sponsor portal.

These include the accounts (registered and pending) summary and detailed views, the pop-up dialogs that display based on the operations the sponsor performs on guest accounts such as edit, extend, suspend and so on, and also general portal and account action messages.

Global Settings

Global Settings for Guest and Sponsor Portals

Choose Guest Access > Settings. You can configure the following general settings that apply to Guest and Sponsor portals, guest types, and sponsor groups in Cisco ISE:
• Policies for purging guest accounts and generating usernames and passwords.
• SMTP servers and SMS gateways to use when sending email and SMS notifications to guests and sponsors.
• Locations, time zones, SSIDs, and custom fields to select from when creating guest accounts and when registering guests using Self-Registration Guest portals.
Once you configure these global settings, you can use them as needed when configuring specific Guest and Sponsor portals, guest types, and sponsor groups.
The following tabs are on the Portal settings page:
• Guest Account Purge Policy—Schedule when to purge guest accounts that have expired. For more information, see Schedule When to Purge Expired Guest Accounts, on page 296.
• Custom Fields—Add custom fields to use in Guest portals, to retrieve additional information from users. For more information, see Add Custom Fields for Guest Account Creation, on page 297.
• Guest Email Settings—Decide whether to email notifications to guests about changes in their account. For more information, see Specify Email Addresses and SMTP Servers for Email Notifications, on page 298.
• Guest Locations and SSIDs—Configure the Locations and the Service Set Identifiers (SSIDs) of the networks that guests can use at these Locations. For more information, see Assign Guest Locations and SSIDs, on page 298.
• Guest Username Policy—Configure how guest usernames are created. For more information, see Set the Guest Username Policy, on page 301 and Rules for Guest Password Policies, on page 299.
• Guest Password Policy—Define the guest password policies for all Guest and Sponsor portals. For more information, see Set the Guest Password Policy and Expiration, on page 300.
• SMS Gateway Settings—Define SMS gateways that will deliver SMS notifications to guests and sponsors. For more information, see Configure SMS Gateways to Send SMS Notifications to Guests, on page 302.
• Logging—Guest users are tracked by the MAC address of their device. When guest users are displayed in reports, the username is the MAC address. If you select this option, reports will show the portal user ID as the username, instead of the MAC address.

Guest Type Settings

The navigation path for these settings is Guest Access > Configure > Guest Types. Use these settings to create the types of Guests that can access your network and their access privileges. You can also specify which Sponsor Groups can create this type of Guest.

Field and Usage Guidelines:

• Guest type name: Provide a name (from 1-256 characters) that distinguishes this Guest Type from the default Guest Types and others that you create.
• Description: Provide additional information (maximum of 2000 characters) about the recommended use of this Guest Type, for example, Use for self-registering Guests, Do NOT use for Guest account creation, etc.
• Language File: Export or Import the language file to use for portals using this Guest Type.
• Collect Additional Data: Select custom fields to collect additional information from Guests. Custom fields are managed on Guest Access > Settings > Custom Fields.
• Maximum account duration: Enter the maximum number of days, hours or minutes that Guests of this Guest Type can access and stay connected to the network. If you change this setting, your changes will not apply to existing Guest accounts created using this Guest Type. Value ranges from 1 to 999.
• Allow access only on these days and times: Enter the time ranges and select the days of the week to specify when this Guest Type can access the network. If this guest type remains connected outside these time parameters, they will be logged off. The time ranges are related to the time zones defined by the locations assigned to the guests using this Guest Type. Click the + and - for adding and deleting restricted access times.
• Maximum simultaneous logins: Enter the maximum number of user sessions that this Guest Type can have running concurrently.
• When guest exceeds limit: When you select Maximum simultaneous logins, you must also select the action to take when a user connects after that limit is reached.
   ◦ Don't connect: Do not allow the latest login attempt to be successful.
   ◦ Remove the oldest connection: Disconnect the oldest user session that is running.
• Maximum devices guests can register: Enter the maximum number of devices that can be registered to each Guest. You can set the limit to a number lower than what is already registered for the Guests of this Guest Type. This will only affect newly created Guest accounts.
• Store device information in endpoint identity group: Choose an endpoint identity group to track guest devices. Cisco ISE provides the GuestEndpoints endpoint identity group to use as a default. You can also create more endpoint identity groups if you choose to not use the default.
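The Maximum simultaneous logins and When guest exceeds limit settings above define a small policy whose two actions have different security trade-offs: "Don't connect" keeps an attacker who has the guest credentials from adding sessions but also lets them deny the legitimate guest a login, while "Remove the oldest connection" keeps the legitimate guest's newest session alive at the cost of evicting an older one. The following is an added example (not Cisco ISE code) that models both actions over a per-guest session table so the difference can be seen on sample logins; the GuestSessionTable class, the action names and the constructed session identifiers are assumptions for the example.

```python
# Added example, not Cisco's code: enforce a per-guest simultaneous login
# limit with the two actions described under "When guest exceeds limit".
from collections import OrderedDict

DONT_CONNECT = "dont_connect"          # "Don't connect"
REMOVE_OLDEST = "remove_oldest"        # "Remove the oldest connection"


class GuestSessionTable:
    def __init__(self, max_simultaneous: int, on_exceed: str):
        if on_exceed not in (DONT_CONNECT, REMOVE_OLDEST):
            raise ValueError(f"unknown exceed action: {on_exceed}")
        if max_simultaneous < 1:
            raise ValueError("max_simultaneous must be at least 1")
        self.max_simultaneous = max_simultaneous
        self.on_exceed = on_exceed
        # username -> OrderedDict(session_id -> device MAC), oldest first
        self.sessions = {}

    def connect(self, username: str, session_id: str, mac: str):
        """Returns (decision, evicted_session_id).

        decision is 'accepted' or 'rejected'; evicted_session_id names the
        session that had to be disconnected, or None.
        """
        active = self.sessions.setdefault(username, OrderedDict())
        if session_id in active:
            raise ValueError(f"session {session_id} already active for {username}")
        if len(active) >= self.max_simultaneous:
            if self.on_exceed == DONT_CONNECT:
                return ("rejected", None)
            oldest_id, _ = active.popitem(last=False)   # evict the oldest
            active[session_id] = mac
            return ("accepted", oldest_id)
        active[session_id] = mac
        return ("accepted", None)

    def disconnect(self, username: str, session_id: str) -> bool:
        """Remove a session; True if it was active."""
        active = self.sessions.get(username, OrderedDict())
        return active.pop(session_id, None) is not None

    def active_sessions(self, username: str):
        """Session ids for a guest, oldest first."""
        return list(self.sessions.get(username, OrderedDict()))


if __name__ == "__main__":
    # Constructed logins for one guest with a limit of two sessions.
    for action in (DONT_CONNECT, REMOVE_OLDEST):
        table = GuestSessionTable(max_simultaneous=2, on_exceed=action)
        table.connect("guest01", "s1", "00:11:22:33:44:55")
        table.connect("guest01", "s2", "00:11:22:33:44:66")
        print(action, table.connect("guest01", "s3", "00:11:22:33:44:77"),
              table.active_sessions("guest01"))
```

Whichever action you choose, the evicted or rejected session is the event worth logging: repeated "rejected" or eviction decisions for one guest account from MAC addresses the guest never registered are the signal that the credentials have been shared or stolen.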