Cisco Ise 13 User Guide
CHAPTER 30
Policy User Interface Reference

• Authentication, page 815
• Authorization Policy Settings, page 818
• Endpoint Profiling Policies Settings, page 819
• Dictionaries, page 823
• Conditions, page 825
• Results, page 836

Authentication

This section describes the authentication policy page, which allows you to configure simple and rule-based authentication policies.

Simple Authentication Policy Configuration Settings

The following table describes the fields in the simple authentication policy page, which allows you to configure simple authentication policies. The navigation path for this page is: Policy > Authentication.

Table 105: Simple Authentication Policy Configuration Settings (Fields / Usage Guidelines)

Network Access Service
    Choose an allowed protocol that you have already created.

Identity Source
    Choose the identity source that you want to use for authentication. You can also choose an identity source sequence if you have configured it.
    You can edit the default identity source that you want Cisco ISE to use in case none of the identity sources defined in this rule match the request.

Cisco Identity Services Engine Administrator Guide, Release 1.3 (page 815)
Options
    Define a further course of action for authentication failure, user not found, or process failure events. You can choose one of the following options:
    • Reject—A reject response is sent.
    • Drop—No response is sent.
    • Continue—Cisco ISE proceeds with the authorization policy.

Related Topics
Simple Authentication Policies, on page 412
Simple Authentication Policy Flow, on page 413
Guidelines for Configuring Simple Authentication Policies, on page 414
Configure a Simple Authentication Policy, on page 427

Rule-Based Authentication Policy Configuration Settings

The following table describes the fields in the rule-based authentication policy page, which allows you to configure rule-based authentication policies. The navigation path for this page is: Policy > Authentication > Rule-Based.

Table 106: Rule-Based Authentication Policy Configuration Settings (Fields / Usage Guidelines)

Status
    Choose the status of this policy. It can be one of the following:
    • Enabled—This policy condition is active.
    • Disabled—This policy condition is inactive and will not be evaluated.
    • Monitor Only—This policy condition will be evaluated, but the result will not be enforced. You can view the results of this policy condition in the Live Log authentication page; the detailed report there shows the monitored step and attribute. For example, you may want to add a new policy condition, but are not sure if the condition would provide you with the correct results. In this situation, you can create the policy condition in monitored mode to view the results and then enable it if you are satisfied with the results.

Standard Rule
    Enter a name for this policy and select the condition and allowed protocol.
Conditions
    Click the plus [+] sign to expand the Conditions anchored overlay, and click the minus [-] sign, or click outside the anchored overlay, to close it:
    • Select Existing Condition from Library or Create New Condition (Advanced Option)
    • Select Existing Condition from Library—You can define an expression by selecting Cisco predefined conditions from the policy elements library.
    • Create New Condition (Advanced Option)—You can define an expression by selecting attributes from various system or user-defined dictionaries.

Select Existing Condition from Library
    You can do the following:
    1. You can choose the predefined conditions that you would have defined for authentication in the policy elements, and then use an AND or OR operator to add multiple conditions.
       You cannot select certain predefined conditions that contain the following dictionaries or attributes:
       • Dictionary "Certificate", with any attribute
       • Dictionary "Network Access", with the following attributes:
         ◦ Device IP Address
         ◦ ISE Host Name
         ◦ Network Device Name
         ◦ Protocol
         ◦ Use Case
       In case such conditions are available, the first entry in the select box will be "Only relevant conditions are selectable".
    2. Click the Action icon to do the following in the subsequent steps:
       • Add Attribute/Value—You can add ad-hoc attribute/value pairs
       • Add Condition from Library—You can add Cisco predefined conditions
       • Duplicate—Create a copy of the selected condition
       • Add Condition to Library—You can save ad-hoc attribute/value pairs that you create to the policy elements library
       • Delete—Delete the selected condition
Create New Condition (Advanced Option)
    You can do the following:
    1. You can add ad-hoc attribute/value pairs to your expression, and then use an AND or OR operator to add multiple conditions.
    2. Click the Action icon to do the following in the subsequent steps:
       • Add Attribute/Value—You can add ad-hoc attribute/value pairs
       • Add Condition from Library—You can add Cisco predefined conditions
       • Duplicate—Create a copy of the selected condition
       • Add Condition to Library—You can save ad-hoc attribute/value pairs that you create to the policy elements library
       • Delete—Delete the selected condition. Here, you can use the AND or OR operator

Select Network Access
    Choose from allowed protocols or a RADIUS server sequence.

Arrow Button
    Click to define conditions for the identity source selection.

Identity Source Sequence
    You can do the following:
    1. Click the action icon in the default identity source row, and click Insert new row above.
    2. Enter a name for your identity source rule.
    3. Click the button to define the conditions based on which you want to choose the identity source.
    4. Choose the identity source sequence or the identity source and the action that you want Cisco ISE to take.

Related Topics
Rule-Based Authentication Policies, on page 414
Rule-Based Authentication Policy Flow, on page 414
Configure a Rule-Based Authentication Policy, on page 428

Authorization Policy Settings

The following table describes the fields in the authorization policy page, which allows you to configure authorization policies. The navigation path for this page is: Policy > Authorization.
Table 107: Authorization Policy Settings (Fields / Usage Guidelines)

Status
    Choose one of the following to enforce the policies:
    • Enabled—This policy condition is active.
    • Disabled—This policy condition is inactive and will not be evaluated.
    • Monitor Only—This policy condition will be evaluated, but the result will not be enforced. You can view the results of this policy condition in the Live Log authentication page; the detailed report there shows the monitored step and attribute. For example, you may want to add a new policy condition, but are not sure if the condition would provide you with the correct results. In this situation, you can create the policy condition in monitored mode to view the results and then enable it if you are satisfied with the results.

Rule Name
    Enter a name for the rule.

Conditions (identity groups and other conditions)
    Choose an identity group from the first drop-down.
    Choose a condition from the second drop-down.
    You can either select from the existing conditions or create a new condition.

Permissions
    Choose an authorization profile from the Standard category.

Related Topics
Cisco ISE Authorization Policies, on page 437
Guidelines for Configuring Authorization Policies and Profiles, on page 440
Configure Authorization Policies, on page 443

Endpoint Profiling Policies Settings

The following table describes the fields in the Endpoint Policies page. The navigation path for this page is: Policy > Profiling > Profiling Policies.

Table 108: Endpoint Profiling Policies Settings (Fields / Usage Guidelines)

Name
    Enter the name of the endpoint profiling policy that you want to create.

Description
    Enter the description of the endpoint profiling policy that you want to create.
Policy Enabled
    By default, the Policy Enabled check box is checked to associate a matching profiling policy when you profile an endpoint.
    When unchecked, the endpoint profiling policy is excluded when you profile an endpoint.

Minimum Certainty Factor
    Enter the minimum value that you want to associate with the profiling policy. The default value is 10.

Exception Action
    Choose an exception action, which you want to associate with the conditions when defining a rule in the profiling policy.
    The default is NONE. The exception actions are defined in the following location: Policy > Policy Elements > Results > Profiling > Exception Actions.

Network Scan (NMAP) Action
    Choose a network scan action from the list, which you want to associate with the conditions when defining a rule in the profiling policy, if required.
    The default is NONE. The network scan actions are defined in the following location: Policy > Policy Elements > Results > Profiling > Network Scan (NMAP) Actions.

Create an Identity Group for the policy
    Check one of the following options to create an endpoint identity group:
    • Yes, create matching Identity Group
    • No, use existing Identity Group hierarchy

Yes, create matching Identity Group
    Choose this option to use an existing profiling policy.
    This option creates a matching identity group for those endpoints, and the identity group will be the child of the Profiled endpoint identity group when an endpoint profile matches an existing profiling policy.
    For example, the Xerox-Device endpoint identity group is created in the Endpoints Identity Groups page when endpoints discovered on your network match the Xerox-Device profile.
No, use existing Identity Group hierarchy
    Check this check box to assign endpoints to the matching parent endpoint identity group using the hierarchical construction of profiling policies and identity groups.
    This option allows you to make use of the endpoint profiling policies hierarchy to assign endpoints to one of the matching parent endpoint identity groups, as well as to the endpoint identity groups associated with the parent identity group.
    For example, endpoints that match an existing profile are grouped under the appropriate parent endpoint identity group. Here, endpoints that match the Unknown profile are grouped under Unknown, and endpoints that match an existing profile are grouped under the Profiled endpoint identity group. For example:
    • If endpoints match the Cisco-IP-Phone profile, then they are grouped under the Cisco-IP-Phone endpoint identity group.
    • If endpoints match the Workstation profile, then they are grouped under the Workstation endpoint identity group.
    The Cisco-IP-Phone and Workstation endpoint identity groups are associated with the Profiled endpoint identity group in the system.

Parent Policy
    Choose a parent profiling policy that is defined in the system to which you want to associate the new endpoint profiling policy.
    You can choose a parent profiling policy from which its child inherits rules and conditions.

Associated CoA Type
    Choose one of the following CoA types that you want to associate with the endpoint profiling policy:
    • No CoA
    • Port Bounce
    • Reauth
    • Global Settings, which is applied from the profiler configuration set in Administration > System > Settings > Profiling

Rules
    One or more rules that are defined in endpoint profiling policies determine the matching profiling policy for endpoints, which allows you to group endpoints according to their profiles.
    One or more profiling conditions from the policy elements library are used in rules for validating endpoint attributes and their values for the overall classification.
Conditions
    Click the plus [+] sign to expand the Conditions anchored overlay, and click the minus [-] sign, or click outside the anchored overlay, to close it.
    Click Select Existing Condition from Library or Create New Condition (Advanced Option).
    Select Existing Condition from Library—You can define an expression by selecting Cisco predefined conditions from the policy elements library.
    Create New Condition (Advanced Option)—You can define an expression by selecting attributes from various system or user-defined dictionaries.
    You can associate one of the following with the profiling conditions:
    • An integer value for the certainty factor for each condition
    • Either an exception action or a network scan action for that condition
    Choose one of the following predefined settings to associate with the profiling condition:
    • Certainty Factor Increases—Enter the certainty value for each rule, which can be added for all the matching rules with respect to the overall classification.
    • Take Exception Action—Triggers an exception action that is configured in the Exception Action field for this endpoint profiling policy.
    • Take Network Scan Action—Triggers a network scan action that is configured in the Network Scan (NMAP) Action field for this endpoint profiling policy.

Select Existing Condition from Library
    You can do the following:
    • You can choose Cisco predefined conditions that are available in the policy elements library, and then use an AND or OR operator to add multiple conditions.
    • Click the Action icon to do the following in the subsequent steps:
      ◦ Add Attribute/Value—You can add ad-hoc attribute/value pairs
      ◦ Add Condition from Library—You can add Cisco predefined conditions
      ◦ Duplicate—Create a copy of the selected condition
      ◦ Add Condition to Library—You can save ad-hoc attribute/value pairs that you create to the policy elements library
      ◦ Delete—Delete the selected condition.
Create New Condition (Advanced Option)
    You can do the following:
    • You can add ad-hoc attribute/value pairs to your expression, and then use an AND or OR operator to add multiple conditions.
    • Click the Action icon to do the following in the subsequent steps:
      ◦ Add Attribute/Value—You can add ad-hoc attribute/value pairs
      ◦ Add Condition from Library—You can add Cisco predefined conditions
      ◦ Duplicate—Create a copy of the selected condition
      ◦ Add Condition to Library—You can save ad-hoc attribute/value pairs that you create to the policy elements library
      ◦ Delete—Delete the selected condition. Here, you can use the AND or OR operator

Related Topics
Cisco ISE Profiling Service, on page 452
Create Endpoint Profiling Policies, on page 479

Dictionaries

This section describes the RADIUS vendor dictionaries used in Cisco ISE.

The following table describes the fields in the Dictionary page for RADIUS vendors, which allows you to configure dictionary attributes for the RADIUS vendors. The navigation path for this page is: Policy > Policy Elements > Dictionaries > System > RADIUS > RADIUS Vendors.

Table 109: RADIUS Vendor Dictionary Attribute Settings (Fields / Usage Guidelines)

Attribute Name
    Enter the vendor specific attribute name for the selected RADIUS vendor.

Description
    Enter an optional description for the vendor specific attribute.

Internal Name
    Enter the name for the vendor specific attribute that refers to it internally in the database.
Data Type
    Choose one of the following data types for the vendor specific attribute:
    • STRING
    • OCTET_STRING
    • UINT32
    • UINT64
    • IPV4

Enable MAC option
    Check this check box to enable the comparison of the RADIUS attribute as a MAC address. By default, for the RADIUS attribute calling-station-id this option is marked as enabled and you cannot disable it. For other dictionary attributes (of string types) within the RADIUS vendor dictionary, you can enable or disable this option.
    Once you enable this option, while setting the authentication and authorization conditions, you can define whether the comparison is a clear string, by selecting the Text option, or a MAC address, by selecting the MAC address option.

Direction
    Choose one of the options that applies to RADIUS messages:

ID
    Enter the vendor attribute ID. The valid range is 0 to 255.

Allow Tagging
    Check this check box to mark the attribute as being permitted to have a tag, as defined in RFC 2868. The purpose of the tag is to allow grouping of attributes for tunnelled users. See RFC 2868 for more details.
    The tagged attributes support ensures that all attributes pertaining to a given tunnel contain the same value in their respective tag fields, and that each set includes an appropriately-valued instance of the Tunnel-Preference attribute. This conforms to the tunnel attributes that are to be used in a multi-vendor network environment, thereby eliminating interoperability issues among Network Access Servers (NASs) manufactured by different vendors.

Allow multiple instances of this attribute in a profile
    Check this check box when you want multiple instances of this RADIUS vendor specific attribute in profiles.

Related Topics
System Defined Dictionaries and Dictionary Attributes, on page 197
User-Defined Dictionaries and Dictionary Attributes, on page 198
RADIUS-Vendor Dictionaries, on page 199
Create RADIUS-Vendor Dictionaries, on page 199
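As an added example (not part of the Cisco guide), the following Python script applies vendor dictionary rows of the kind described in Table 109 (Data Type, ID, Allow Tagging) to decode the sub-attributes of a RADIUS Vendor-Specific attribute, including the RFC 2868 tag octet, an ID the dictionary does not define, and a value whose length does not fit its declared type. The vendor number, attribute names and sample bytes are constructed for this example and are not Cisco's.

```python
import struct
from collections import namedtuple
from ipaddress import IPv4Address

# One vendor dictionary row (Table 109: Attribute Name, Data Type, Allow Tagging), keyed by ID 0-255.
VendorAttr = namedtuple("VendorAttr", "name data_type allow_tagging")
# Constructed dictionary: vendor number, attribute names and IDs are made up for this example, not Cisco's.
EXAMPLE_VENDOR_ID = 99999
EXAMPLE_DICT = {1: VendorAttr("Example-Role", "STRING", True),
                2: VendorAttr("Example-Session-Limit", "UINT32", True),
                3: VendorAttr("Example-Gateway", "IPV4", False)}
FIXED_SIZES = {"UINT32": 4, "UINT64": 8, "IPV4": 4}          # octet counts the fixed-width types require
DECODERS = {"UINT32": lambda b: struct.unpack("!I", b)[0], "UINT64": lambda b: struct.unpack("!Q", b)[0],
            "IPV4": IPv4Address, "OCTET_STRING": bytes,
            "STRING": lambda b: b.decode("utf-8", errors="replace")}  # a bad byte must not abort evaluation

def decode_value(entry, raw: bytes):
    """Apply one row's data type and RFC 2868 tagging rule to a raw value -> (tag or None, value)."""
    tag = None
    if entry.allow_tagging and raw:
        if entry.data_type in ("UINT32", "UINT64"):   # integer form: tag octet, then a 3-octet value
            tag, raw = raw[0], (b"\x00" if entry.data_type == "UINT32" else b"") + raw[1:]
        elif raw[0] <= 0x1F:                          # string form: 0x01-0x1F is a tag, larger is data
            tag, raw = raw[0], raw[1:]
        tag = tag or None                             # 0x00 means the tag is unused
    decoder = DECODERS.get(entry.data_type)
    if decoder is None or len(raw) != FIXED_SIZES.get(entry.data_type, len(raw)):
        raise ValueError(f"{entry.name}: {len(raw)} octets do not fit data type {entry.data_type}")
    return tag, decoder(raw)

def decode_vsa(attr: bytes, vendor_id: int, dictionary: dict) -> list:
    """Walk one Vendor-Specific attribute (type 26): Type | Length | Vendor-Id(4) | Vendor-Type(1) | Vendor-Length(1) | value ..."""
    if len(attr) < 6 or attr[0] != 26 or attr[1] != len(attr):
        raise ValueError("malformed Vendor-Specific attribute header")
    if struct.unpack("!I", attr[2:6])[0] != vendor_id:
        raise ValueError("Vendor-Id does not match the selected dictionary")
    decoded, pos = [], 6
    while pos < len(attr):
        vlen = attr[pos + 1] if pos + 1 < len(attr) else 0   # Vendor-Length counts type, length and value
        if vlen < 3 or pos + vlen > len(attr):
            raise ValueError(f"bad sub-attribute length at offset {pos}")
        entry, raw = dictionary.get(attr[pos]), attr[pos + 2:pos + vlen]
        if entry is None:                                     # ID not in the dictionary: keep raw octets
            decoded.append((f"Unknown-{attr[pos]}", None, bytes(raw)))
        else:
            decoded.append((entry.name,) + decode_value(entry, raw))
        pos += vlen
    return decoded

# Constructed sample: a tagged STRING, a tagged UINT32, an IPV4 and an ID the dictionary does not define.
SAMPLE = (bytes([26, 33]) + struct.pack("!I", EXAMPLE_VENDOR_ID)
          + b"\x01\x0b\x01employee" + b"\x02\x06\x01\x00\x00\x05"   # ID 1: tag 1 + "employee"; ID 2: tag 1 + 5
          + b"\x03\x06\x0a\x00\x00\x01" + b"\x07\x04\xde\xad")      # ID 3: 10.0.0.1; ID 7: not in dictionary
```

Running `decode_vsa(SAMPLE, EXAMPLE_VENDOR_ID, EXAMPLE_DICT)` yields one (name, tag, value) tuple per sub-attribute; a dictionary row whose data type cannot accept the received length raises ValueError instead of silently producing a value.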