Cisco Ise 13 User Guide
Fields: Usage Guidelines

VLAN: Check the check box and enter an attribute value that identifies a virtual LAN (VLAN) ID that you want associated with the new authorization profile you are creating (both integer and string values are supported for the VLAN ID). The format for this entry would be Tunnel-Private-Group-ID:VLANnumber.

Note: If you do not select a VLAN ID, Cisco ISE uses a default value of VLAN ID=1. For example, if you only entered 123 as your VLAN number, the Attributes Details pane reflects the following value: Tunnel-Private-Group-ID=1:123.

Voice Domain Permission: Check the check box to enable the vendor-specific attribute (VSA) of “cisco-av-pair” to be associated with a value of “device-traffic-class=voice”. In a multi-domain authorization mode, if the network switch receives this VSA, the endpoint is placed onto a voice domain after authorization.

Web Redirection (CWA, DRW, MDM, NSP, CPP):

• Posture Discovery: Check the check box to enable a redirection process used for Posture discovery in Cisco ISE, and enter an ACL on the device that you want to associate with this authorization profile. For example, if the value you entered is acl119, this is reflected in the Attributes Details pane as: cisco-av-pair=url-redirect-acl=acl119. The Attributes Details pane also displays: cisco-av-pair=url-redirect=https://ip:8443/guestportal/gateway?sessionid=SessionValueIdValue&action=cpp.

• Centralized Web Authentication: Check the check box to enable a redirection process that is similar to Posture discovery, but it redirects guest user access requests to the Guest server in Cisco ISE. Enter an ACL on the device that you want to associate with this authorization profile, and select Default or Manual as the redirect option. For example, if the value you entered is acl-999, this is reflected in the Attributes Details pane as: cisco-av-pair=url-redirect-acl=acl-99. The Attributes Details pane also displays: cisco-av-pair=url-redirect=https://ip:8443/guestportal/gateway?sessionid=SessionValueIdValue&action=cwa. Check the Static IP/Host Name check box to specify an exact IP address or hostname to which you want the user to be redirected. If this check box is not checked, the user will be redirected to the FQDN of the policy service node that received this request.

Auto Smart Port: Check the check box to enable Auto Smart Port functionality and enter a corresponding event name value in the text box. This enables the VSA cisco-av-pair with a value for this option as “auto-smart-port=event_name”. Your choice is reflected in the Attributes Details pane.

Filter-ID: Check the check box to enable a RADIUS filter attribute that sends the ACL name that you define in the text box (which is automatically appended with “.in”). Your choice is reflected in the Attributes Details pane.

Cisco Identity Services Engine Administrator Guide, Release 1.3 845 Results
Reauthentication: Check the check box and enter a value in seconds for maintaining connectivity during reauthentication. You can also choose attribute values from the Timer drop-down list. You choose to maintain connectivity during reauthentication by choosing to use either the default (a value of 0) or RADIUS-Request (a value of 1). Setting this to the RADIUS-Request value maintains connectivity during the reauthentication process.

MACSec Policy: Check the check box to enable the MACSec encryption policy whenever a MACSec-enabled client connects to Cisco ISE, and choose one of the following three options: must-secure, should-secure, or must-not-secure. For example, your choice is reflected in the Attributes Details pane as: cisco-av-pair=linksec-policy=must-secure.

NEAT: Check the check box to enable Network Edge Access Topology (NEAT), a feature that extends identity recognition between networks. Checking this check box displays the following value in the Attributes Details pane: cisco-av-pair=device-traffic-class=switch.

Web Authentication (Local Web Auth): Check the check box to enable local web authentication for this authorization profile. This value lets the switch recognize authorization for web authentication by Cisco ISE sending a VSA along with a DACL. The VSA is cisco-av-pair=priv-lvl=15 and this is reflected in the Attributes Details pane.

Wireless LAN Controller (WLC): Check the check box and enter an ACL name in the text field. This value is used in a required Airespace VSA to authorize the addition of a locally defined ACL to a connection on the WLC. For example, if you entered rsa-1188, this would be reflected in the Attributes Details pane as: Airespace-ACL-Name=rsa-1188.

ASA VPN: Check the check box to enable an Adaptive Security Appliances (ASA) VPN group policy. From the Attribute list, choose a value to configure this setting.

Advanced Attributes Settings

Dictionaries: Click the down-arrow icon to display the available options in the Dictionaries window. Click to select the desired dictionary and attribute to configure in the first field.

Attribute Values: Click the down-arrow icon to display the available options in the Attribute Values window. Click to select the desired attribute group and attribute value for the second field. This value matches the one selected in the first field. Any Advanced Attributes setting(s) that you configure will be displayed in the Attribute Details panel.

Note: To modify or delete any of the read-only values that are displayed in the Attributes Details pane, you must modify or delete these values in the corresponding Common Tasks field or in the attribute that you selected in the Attribute Values text box in the Advanced Attributes Settings pane.
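The Common Tasks rows above give the exact strings that the Attributes Details pane shows for each setting. The following Python code is an added example, not part of the Cisco guide or of Cisco ISE: it parses such lines and lists entries that do not match the formats the table describes. The "name = value" line layout, the function names and the two sample profiles are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

LINKSEC = {"must-secure", "should-secure", "must-not-secure"}
# Constructed sample profiles; the "name = value" layout is an assumption.
SAMPLE_OK = """Tunnel-Private-Group-ID = 1:123
cisco-av-pair = url-redirect-acl=acl119
cisco-av-pair = url-redirect=https://ip:8443/guestportal/gateway?sessionid=SessionValueIdValue&action=cpp
cisco-av-pair = linksec-policy=must-secure
Filter-ID = acl119.in"""
SAMPLE_BAD = """Tunnel-Private-Group-ID = 123
cisco-av-pair = url-redirect=https://ip:8443/guestportal/gateway?sessionid=SessionValueIdValue&action=login
cisco-av-pair = linksec-policy=optional
Filter-ID = acl119"""

def parse_attributes(text):
    """Return (attribute, value) pairs; cisco-av-pair is unwrapped to its inner key."""
    pairs = []
    for line in text.splitlines():
        name, sep, value = line.partition("=")
        if not sep:
            continue
        name, value = name.strip(), value.strip()
        if name.lower() == "cisco-av-pair":
            # Split once only: the url-redirect value carries '=' in its query string.
            name, _, value = value.partition("=")
        pairs.append((name, value))
    return pairs

def audit(text):
    """List entries that do not match the formats the field table describes."""
    pairs = parse_attributes(text)
    keys = {k for k, _ in pairs}
    findings = []
    if ("url-redirect" in keys) != ("url-redirect-acl" in keys):
        findings.append("url-redirect and url-redirect-acl are not both present")
    for key, value in pairs:
        if key == "url-redirect":
            action = parse_qs(urlsplit(value).query).get("action", [""])[0]
            if action not in ("cpp", "cwa"):
                findings.append(f"unexpected redirect action: {action!r}")
        elif key == "linksec-policy" and value not in LINKSEC:
            findings.append(f"unknown linksec-policy: {value}")
        elif key == "Filter-ID" and not value.endswith(".in"):
            findings.append(f"Filter-ID lacks the appended .in suffix: {value}")
        elif key == "Tunnel-Private-Group-ID":
            tag, sep, vlan = value.partition(":")
            if not (sep and tag.isdigit() and vlan):
                findings.append(f"VLAN not in tag:VLAN form: {value}")
    return findings
```

Calling audit(SAMPLE_OK) returns an empty list, while audit(SAMPLE_BAD) returns one finding per deviating line plus one for the redirect URL that has no matching redirect ACL.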
Attributes Details: This pane displays any of the configured attribute values that you set for the Common Tasks and Advanced Attributes.

Note: The values displayed in the Attributes Details pane are read-only and cannot be edited or deleted in this pane.

Related Topics
Cisco ISE Authorization Profiles, on page 437
Permissions for Authorization Profiles, on page 445
Configure an Authorization Profile for Redirecting Nonregistered Devices, on page 194
Create Authorization Profiles, on page 314

Profiling Exception Action Settings

The following table describes the fields in the New Profiler Exception Action page. The navigation path for this page is: Policy > Policy Elements > Results > Profiling > Exception Actions.

Table 124: Creating an Exception Action

Fields: Usage Guidelines

Name: Enter the name of the exception action that you want to create.

Description: Enter the description of the exception action that you want to create.

CoA Action to enforce CoA: Check the CoA Action check box to enforce CoA. When you associate an exception action in the endpoint profiling policy and enforce a CoA, you must configure CoA globally in Cisco ISE, which can be done in the following location: Administration > System > Settings > Profiling.

Policy Assignment: Click the Policy Assignment drop-down list that displays endpoint profiling policies that are configured in Cisco ISE, and choose the profiling policy against which the endpoint will be profiled when the exception action is triggered, regardless of its matched value.

System Type: Exception Actions can be any one of the following types:
• Cisco Provided—Includes AuthorizationChange, EndpointDelete, and FirstTimeProfile
• Administrator Created—Includes those that are created by you as an administrator of Cisco ISE.

Related Topics
Profiling Exception Actions, on page 485
Create Exception Actions, on page 486

File Remediation

The following table describes the fields in the File Remediation page. The navigation path is: Policy > Policy Elements > Results > Posture > Remediation Actions > File Remediation.

Table 125: File Remediation

Fields: Usage Guidelines

File Remediation Name: Enter a name for the file remediation. Once created and saved, you cannot edit the name of the file remediation.

File Remediation Description: Enter a description for the file remediation.

Version: Enter the file version.

File to upload: Click Browse to locate the name of the file to be uploaded to the Cisco ISE server. This is the file that will be downloaded to the client when the file remediation action is triggered.

Related Topics
Add a File Remediation, on page 581

Link Remediation

The following table describes the fields in the Link Remediation page. The navigation path is: Policy > Policy Elements > Results > Posture > Remediation Actions > Link Remediation.

Table 126: Link Remediation

Fields: Usage Guidelines

Link Remediation Name: Enter a name for link remediation.

Link Remediation Description: Enter a description for the link remediation.

Remediation Type: Choose one of the following:
• Automatic—When selected, you should enter values for the Interval and Retry Count.
• Manual—When selected, Retry Count and Interval fields are not editable.

Retry Count: Enter the number of attempts that clients can try to remediate from the link.
Interval (in seconds): Enter the time interval in seconds that clients can try to remediate from the link after previous attempts.

URL: Enter a valid URL that leads to a remediation page or resource.

Related Topics
Add a Link Remediation, on page 582

Anti-Virus Remediation

The following table describes the fields in the Anti-Virus Remediation page. The navigation path is Policy > Policy Elements > Results > Posture > Remediation Actions > Anti-Virus Remediation.

Table 127: Anti-Virus Remediation

Fields: Usage Guidelines

Name: Enter a name for the antivirus remediation.

Description: Enter a description for the antivirus remediation.

Remediation Type: Choose one of the following:
• Automatic—When selected, you should enter values for the Interval and Retry Count.
• Manual—When selected, Retry Count and Interval fields are not editable.

Interval (in seconds): Enter the time interval in seconds that clients can try to remediate after previous attempts.

Retry Count: Enter the number of attempts that clients can try to update an antivirus definition.

Operating System: Choose one of the following:
• Windows
• Macintosh—when selected, Remediation Type, Interval, and Retry Count fields are not editable

AV Vendor Name: Choose the antivirus vendor.

Related Topics
Add an Antivirus Remediation, on page 582
Create Posture Requirement in Clientless Mode
Antispyware Remediation

The following table describes the fields in the AS Remediation page. The navigation path is Policy > Policy Elements > Results > Posture > Remediation Actions > AS Remediation.

Table 128: Antispyware Remediation

Fields: Usage Guidelines

Name: Enter a name for the antispyware remediation.

Description: Enter a description for the antispyware remediation.

Remediation Type: Choose one of the following:
• Automatic—When selected, you should enter values for the Interval and Retry Count.
• Manual—When selected, Retry Count and Interval fields are not editable.

Interval (in seconds): Enter the time interval in seconds that clients can try to remediate after previous attempts.

Retry Count: Enter the number of attempts that clients can try to update an antispyware definition.

Operating System: Choose one of the following:
• Windows
• Macintosh—when selected, Remediation Type, Interval, and Retry Count fields are not editable

AS Vendor Name: Choose the antispyware vendor.

Related Topics
Add an Antispyware Remediation, on page 583
Create Posture Requirement in Clientless Mode

Launch Program Remediation

The following table describes the fields in the Launch Program Remediation page. The navigation path is: Policy > Policy Elements > Results > Posture > Remediation Actions > Launch Program Remediation.

Table 129: Launch Program Remediation

Fields: Usage Guidelines

Name: Enter a name for the launch program remediation.
Description: Enter a description for the launch program remediation that you want to create.

Remediation Type: Choose one of the following:
• Automatic—When selected, you should enter the Retry Count and Interval options.
• Manual—When selected, Interval and Retry Count fields are not editable.

Interval (in seconds): Enter the time interval in seconds that clients can try to remediate after previous attempts.

Retry Count: Enter the number of attempts that clients can try to launch required programs.

Program Installation Path: From the drop-down list, choose the path where the remediation program has to be installed.
• ABSOLUTE_PATH—remediation program is installed in the fully qualified path of the file. For example, C:\\
• SYSTEM_32—remediation program is installed in the C:\WINDOWS\system32 directory
• SYSTEM_DRIVE—remediation program is installed in the C:\ drive
• SYSTEM_PROGRAMS—remediation program is installed in the C:\Program Files
• SYSTEM_ROOT—remediation program is installed in the root path of Windows system

Program Executable: Enter the name of the remediation program executable, or an installation file.

Program Parameters: Enter required parameters for the remediation programs.

Existing Programs: Existing Programs table displays the installation paths, name of the remediation programs, and parameters if any.
• Click Add to add remediation programs to the Existing Programs list.
• Click the delete icon to remove the remediation programs from the list.

Related Topics
Add a Launch Program Remediation, on page 583
Troubleshoot Launch Program Remediation, on page 584
Create Posture Requirement in Clientless Mode
Windows Update Remediation

The following table describes the fields in the Windows Update Remediation page. The navigation path is: Policy > Policy Elements > Results > Posture > Remediation Actions > Windows Update Remediation.

Table 130: Windows Update Remediation

Fields: Usage Guidelines

Name: Enter a name for the Windows update remediation.

Description: Enter a description for the Windows update remediation.

Remediation Type: Choose one of the following:
• Automatic—When selected, you should enter the Retry Count and Interval options.
• Manual—When selected, Interval and Retry Count fields are not editable.

Interval (in seconds): Enter the time interval in seconds that clients can try to remediate after previous attempts.

Retry Count: Enter the number of attempts that Windows clients can try for Windows updates.

Windows Update Setting: Choose from the following:
• Do not change setting—The Windows Automatic Updates client configuration does not change during or after Windows update remediation.
• Notify to download and install—Windows only notifies clients, but does not automatically download, or install them.
• Automatically download and notify to install—Windows downloads updates for clients, and notifies clients to install Windows updates.
• Automatically download and install—Windows automatically downloads, and installs Windows updates. This is the highly recommended setting for Windows clients.
Override User’s Windows Update setting with administrator’s: Check this check box to enforce the administrator-specified setting for Windows Automatic Updates on all the clients during, and after Windows update remediation. If unchecked, the setting enforces the following:
• The administrator-specified setting only when Automatic Updates are disabled on Windows clients.
• The Windows clients-specified setting only when Windows Automatic Updates are enabled on the client.

Related Topics
Add a Windows Update Remediation, on page 585
Create Posture Requirement in Clientless Mode

Windows Server Update Services Remediation

The following table describes the fields in the Windows Update Remediation page. The navigation path is: Policy > Policy Elements > Results > Posture > Remediation Actions > Windows Server Update Services Remediation.

Table 131: WSUS Remediation

Fields: Usage Guidelines

Name: Enter a name for the WSUS remediation.

Description: Enter a description for the WSUS remediation.

Remediation Type: Choose from the following:
• Automatic—The NAC Agents automatically update Windows clients with the latest WSUS updates.
• Manual—If selected, the Interval and Retry Count fields are not editable. The user manually updates the Windows client with the latest WSUS updates from a Microsoft-managed WSUS server, or from the locally administered WSUS server for compliance.

Interval (in seconds): Enter the interval in seconds (the default interval is 0) to delay WSUS updates before the NAC Agents and Web Agents attempt to retry after the previous attempt.

Retry Count: Enter the number of attempts that the NAC Agents and Web Agents retry to update Windows clients with WSUS updates.
Validate Windows updates using: Choose from the following:
• Cisco Rules—If you choose this option, you can select custom or preconfigured rules as conditions in the posture requirement
• Severity Level—If you choose this option, you can select custom or preconfigured rules as conditions in the posture requirement, but they are not used. The pr_WSUSRule can be used as a placeholder condition (a dummy condition) in the posture requirement that specifies a WSUS remediation.

Windows Updates Severity Level: Choose the severity level:
• Critical—Installs only critical Windows updates
• Express—Installs important and critical Windows updates
• Medium—Installs all critical, important, and moderate Windows updates
• All—Installs all critical, important, moderate, and low Windows updates

Note: When you associate a WSUS remediation action to a posture requirement to validate Windows updates by using the severity level option, you must choose the pr_WSUSRule (a dummy compound condition) compound condition in the posture requirement. When the posture requirement fails, the NAC Agent enforces the remediation action (Windows updates) based on the severity level that you define in the WSUS remediation.

Update to latest OS Service Pack: Check this check box to allow WSUS remediation to install the latest service pack available for the client's operating system automatically.

Note: The operating system service packs are updated automatically irrespective of the Medium and All severity level options selected in WSUS remediation.

Windows Updates Installation Source: Specifies the source from where you install WSUS updates on Windows clients:
• Microsoft server—Microsoft-managed WSUS server
• Managed server—Locally administered WSUS server