Cisco ISE 1.3 User Guide
Fields | Usage Guidelines
Installation Wizard Interface Setting | Allows you to display the installation wizard on the client during WSUS updates:
  • Show UI—Displays the Windows Update Installation Wizard progress on Windows clients. Users must have Administrator privileges on clients to view the installation wizard during WSUS updates.
  • No UI—Hides the Windows Update Installation Wizard progress on Windows clients.
  Note: You must select the No UI option, if you want to allow users without Administrator privileges to use WSUS remediation to install Windows updates.

Related Topics
Add a Windows Server Update Services Remediation, on page 585
Create Posture Requirement in Clientless Mode

Client Posture Requirements

The following table describes the fields in the Posture Requirements page. The navigation path is: Policy > Policy Elements > Results > Posture > Requirements.

Table 132: Posture Requirement
Fields | Usage Guidelines
Name | Enter a name for the requirement.
Operating Systems | Choose an operating system. Click plus [+] to associate more than one operating system to the policy. Click minus [-] to remove the operating system from the policy.
Conditions | Choose a Condition from the list. You can also create any user defined condition by clicking the Action Icon and associate it with the requirement. You cannot edit the associated parent operating system while creating user defined conditions.
  The pr_WSUSRule is a dummy compound condition, which is used in a posture requirement with an associated Windows Server Update Services (WSUS) remediation. The associated WSUS remediation action must be configured to validate Windows updates by using the severity level option. When this requirement fails, the NAC Agent that is installed on the Windows client enforces the WSUS remediation action based on the severity level that you define in the WSUS remediation.
  The pr_WSUSRule cannot be viewed in the Compound conditions list page. You can only select the pr_WSUSRule from the Conditions widget.
Remediation Actions | Choose a Remediation from the list. You can also create a remediation action and associate it with the requirement. You have a text box for all the remediation types that can be used to communicate to the Agent users. In addition to remediation actions, you can communicate to Agent users about the noncompliance of clients with messages.
  The Message Text Only option informs Agent users about the noncompliance. It also provides optional instructions to the user to contact the Helpdesk for more information, or to remediate the client manually. In this scenario, the NAC Agent does not trigger any remediation action.

Related Topics
Configure Acceptable Use Policies for Posture Assessment, on page 573
Create Client Posture Requirements, on page 587

Cisco Identity Services Engine Administrator Guide, Release 1.3

CHAPTER 31
Operations User Interface Reference

• Recent RADIUS Authentications
• Show Live Sessions
• Diagnostic Tools

Recent RADIUS Authentications

The following table describes the fields on the Authentications page, which displays recent RADIUS authentications. The navigation path for this page is: Operations > Authentications > Show Live Authentication.

Table 133: Live Authentications
Option | Usage Guidelines
Time | Shows the time that the log was received by the monitoring and troubleshooting collection agent. This column is required and cannot be deselected.
Status | Shows if the authentication was successful or a failure. This column is required and cannot be deselected. Green is used to represent passed authentications. Red is used to represent failed authentications.
Details | Brings up a report when you click the magnifying glass icon, allowing you to drill down and view more detailed information on the selected authentication scenario. This column is required and cannot be deselected.
Repeat Counter | Shows the number of times the authentication requests were repeated in the last 24 hours, without any change in the context of identity, network devices, and authorization.
Reset Repeat Counts | Click to reset the Retry options for all the endpoints.
Identity | Shows the username that is associated with the authentication.
Endpoint ID | Shows the unique identifier for an endpoint, usually a MAC or IP address.
Endpoint Profile | Shows the type of endpoint that is profiled, for example, profiled to be an iPhone, Android, MacBook, Xbox, and so on.
Authentication Policy | Shows the name of the policy selected for specific authentication.
IP Address | Shows the IP address of the endpoint device.
Network Device | Shows the IP address of the Network Access Device.
Device Port | Shows the port number at which the endpoint is connected.
Authorization Profiles | Shows an authorization profile that was used for authentication.
Identity Group | Shows the identity group that is assigned to the user or endpoint, for which the log was generated.
Posture Status | Shows the status of posture validation and details on the authentication.
Event | Shows the event status.
Failure Reason | Shows a detailed reason for failure, if the authentication failed.
Auth Method | Shows the authentication method that is used by the RADIUS protocol, such as Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAPv2), IEEE 802.1x or dot1x, and the like.
Authentication Protocol | Shows the authentication protocol used, such as Protected Extensible Authentication Protocol (PEAP), Extensible Authentication Protocol (EAP), and the like.
Security Group | Shows the group that is identified by the authentication log.
Server | Indicates the Policy Service from which the log was generated.
Session ID | Shows the session ID.

Show Live Sessions

The following table describes the fields on the live sessions page, which displays live authentication sessions. The navigation path for this page is: Operations > Authentications > Show Live Sessions.

Table 134: Live Sessions
Field | Description
Initiated | Shows the timestamp when the authentication session was initiated.
Updated | Shows the timestamp when the session was last updated due to any change, like a CoA action.
Account Session Time | Shows the time span (in seconds) of a user's session.
Session Status | Shows the current status of the endpoint device.
CoA Action | Use this to dynamically change the authorization of an active RADIUS session or disconnect an active RADIUS session.
Repeat Count | Shows the number of times the session has been retried.
Endpoint ID | Shows the unique identifier for an endpoint, usually a MAC or IP address.
Identity | Shows the username of the endpoint device.
IP Address | Shows the IP address of the endpoint device.
Audit Session ID | Shows a unique session identifier provided by NAS.
Account Session ID | Shows a unique ID provided by NAS.
Endpoint Profile | Shows the endpoint profile for the device.
Posture Status | Shows the status of posture validation and details on the authentication.
Security Group | Shows the group that is identified by the authentication log.
Server | Indicates the Policy Service from which the log was generated.
Auth Method | Shows the authentication method that is used by the RADIUS protocol, such as Password Authentication Protocol (PAP), Challenge Handshake Authentication Protocol (CHAP), IEEE 802.1x or dot1x, and the like.
Authentication Protocol | Shows the authentication protocol used, such as Protected Extensible Authentication Protocol (PEAP), Extensible Authentication Protocol (EAP), and the like.
NAS IP Address | Shows the IP address of the network devices.
Device Port | Shows the connected port to the network device.
PRA Action | Shows the periodic reassessment action taken on a client after it is successfully postured for compliance on your network.
EPS Status | Shows the Endpoint Protection Service status of a device as Quarantine, Unquarantine, or Shutdown.
WLC Roam | Shows the boolean (Y/N) used to track that an endpoint has been handed off during roaming, from one WLC to another. It has the value of cisco-av-pair=nas-update=Y or N.
Packets In | Shows the number of packets received.
Packets Out | Shows the number of packets sent.
Bytes In | Shows the number of bytes received.
Bytes Out | Shows the number of bytes sent.
Session Source | Shows if the endpoint was authenticated via RADIUS or Identity Mapping.

Diagnostic Tools

RADIUS Authentication Troubleshooting Settings

The following table describes the fields on the RADIUS authentication troubleshooting page which allow you to identify and resolve RADIUS authentication problems. The navigation path for this page is: Operations > Troubleshoot > Diagnostic Tools > General Tools > RADIUS Authentication Troubleshooting.

Table 135: RADIUS Authentication Troubleshooting Settings
Option | Usage Guidelines
Username | Enter the username of the user whose authentication you want to troubleshoot.
MAC Address | Enter the MAC address of the device that you want to troubleshoot.
Audit Session ID | Enter the audit session ID that you want to troubleshoot.
NAS IP | Enter the NAS IP address.
NAS Port | Enter the NAS port number.
Authentication Status | Choose the status of your RADIUS authentication.
Failure Reason | Enter the failure reason or click Select to choose a failure reason from a list. Click Clear to clear the failure reason.
Time Range | Select a time range. The RADIUS authentication records that are created during this time range are used.
Start Date-Time | If you choose Custom Time Range, enter the start date and time, or click the calendar icon to select the start date and time. The date should be in the mm/dd/yyyy format and time in the hh:mm format.
End Date-Time | If you choose Custom Time Range, enter the end date and time, or click the calendar icon to select the end date and time. The date should be in the mm/dd/yyyy format and time in the hh:mm format.
Fetch Number of Records | Choose the number of records that you want to fetch from the drop-down list: 10, 20, 50, 100, 200, or 500.

Related Topics
Troubleshoot Unexpected RADIUS Authentication Results, on page 648
RADIUS Authentication Troubleshooting Tool, on page 647

Execute Network Device Command Settings

The following table describes the fields on the Execute Network Device Command page, which you use to execute the show command on a network device. The navigation path for this page is: Operations > Troubleshoot > Diagnostic Tools > General Tools > Execute Network Device.

Table 136: Execute Network Device Command Settings
Option | Usage Guidelines
Enter Information
Network Device IP | Enter the IP address of the network device on which you want to run the command.
Command | Enter the show command.

Related Topics
Execute IOS Show Commands to Check Configuration, on page 648
Execute Network Device Tool, on page 648

Evaluate Configuration Validator Settings

The following table describes the fields on the Evaluate Configuration Validator page, which you use to evaluate the configuration of a network device and identify any configuration problems. The navigation path for this page is: Operations > Troubleshoot > Diagnostic Tools > General Tools > Evaluate Configuration Validator.

Table 137: Evaluate Configuration Validator Settings
Option | Usage Guidelines
Enter Information
Network Device IP | Enter the IP address of the network device whose configuration you want to evaluate.
Select the configuration items below that you want to compare against the recommended template.
AAA | This option is selected by default.
RADIUS | This option is selected by default.
Device Discovery | This option is selected by default.
Logging | This option is selected by default.
Web Authentication | Check this check box to compare the web authentication configuration.
Profiler Configuration | Check this check box to compare the Profiler configuration.
Trustsec | Check this check box if you want to compare Trustsec configuration.
802.1X | Check this check box if you want to compare the 802.1X configuration, and choose one of the available options.

Related Topics
Troubleshoot Network Device Configuration Issues, on page 649
Evaluate Configuration Validator Tool, on page 649

Posture Troubleshooting Settings

The following table describes the fields on the Posture troubleshooting page, which you use to find and resolve posture problems on the network. The navigation path for this page is: Operations > Troubleshoot > Diagnostic Tools > General Tools > Posture Troubleshooting.

Table 138: Posture Troubleshooting Settings
Option | Usage Guidelines
Search and Select a Posture event for troubleshooting
Username | Enter the username to filter on.
MAC Address | Enter the MAC address to filter on, using format: xx-xx-xx-xx-xx-xx
Posture Status | Select the authentication status to filter on:
Failure Reason | Enter the failure reason or click Select to choose a failure reason from a list. Click Clear to clear the failure reason.
Time Range | Select a time range. The RADIUS authentication records that are created during this time range are used.
Start Date-Time: | (Available only when you choose Custom Time Range) Enter the start date and time, or click the calendar icon to select the start date and time. The date should be in the mm/dd/yyyy format and time in the hh:mm format.
End Date-Time: | (Available only when you choose Custom Time Range) Enter the end date and time, or click the calendar icon to select the start date and time. The date should be in the mm/dd/yyyy format and time in the hh:mm format.
Fetch Number of Records | Select the number of records to display: 10, 20, 50, 100, 200, 500
Search Result
Time | Time of the event
Status | Posture status
Username | Username associated with the event
MAC Address | MAC address of the system
Failure Reason | Failure reason for the event

Related Topics
Troubleshoot Endpoint Posture Failure, on page 649
Posture Troubleshooting Tool, on page 649

TCP Dump Settings

The following table describes the fields on the tcpdump utility page, which you use to monitor the contents of packets on a network interface and troubleshoot problems on the network as they appear. The navigation path for this page is: Operations > Troubleshoot > Diagnostic Tools > General Tools > TCP Dump.

Table 139: TCP Dump Settings
Option | Usage Guidelines
Status |
  • Stopped—the tcpdump utility is not running
  • Start—Click to start the tcpdump utility monitoring the network.
  • Stop—Click to stop the tcpdump utility
Host Name | Choose the name of the host to monitor from the drop-down list.
  Note: Inline Posture Nodes are not supported.
Network Interface | Choose the network interface to monitor from the drop-down list.
  Note: You must configure all network interface cards (NICs) with an IPv4 or IPv6 address so that they are displayed in the Cisco ISE Admin portal.
Promiscuous Mode |
  • On—Click to turn on promiscuous mode (default).
  • Off—Click to turn off promiscuous mode.
  Promiscuous mode is the default packet sniffing mode. It is recommended that you leave it set to On. In this mode the network interface is passing all traffic to the system’s CPU.
Filter | Enter a boolean expression on which to filter. Supported standard tcpdump filter expressions:
  ip host 10.77.122.123
  ip host 10.77.122.123 and not 10.177.122.119
  ip host ISE123
Format | Select a format for the tcpdump file.
Dump File | Displays data on the last dump file, such as the following:
  Last created on Wed Apr 27 20:42:38 UTC 2011 by admin
  File size: 3,744 bytes
  Format: Raw Packet Data
  Host Name: Positron
  Network Interface: GigabitEthernet 0
  Promiscuous Mode: On
  • Download—Click to download the most recent dump file.
  • Delete—Click to delete the most recent dump file.
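
The three expression forms in the Filter row of Table 139 can be checked against sample traffic before a capture is started. The following is an added example, not Cisco or tcpdump code: it evaluates that subset of the filter syntax over constructed packet records and shows that the bare address after "and not" inherits the "ip host" qualifiers, as in standard tcpdump filters. The HOSTS table, the PACKETS records and all function names are assumptions made for illustration.

```python
import ipaddress
# Constructed name table standing in for DNS resolution of the page's "ISE123".
HOSTS = {"ISE123": "10.77.122.200"}
# Constructed (source, destination) IPv4 pairs used as sample traffic.
PACKETS = [("10.77.122.123", "10.1.1.1"), ("10.77.122.123", "10.177.122.119"),
           ("10.1.1.1", "10.77.122.200"), ("10.1.1.1", "10.2.2.2")]

def resolve(token):
    """Return the IPv4 address for an address literal or a known host name."""
    try:
        return str(ipaddress.IPv4Address(token))
    except ValueError:
        return HOSTS[token]  # KeyError for names missing from the table

def parse(expr):
    """Parse 'ip host A [and|or [not] B]...' into (operator, negated, address) terms."""
    tokens = expr.split()
    if tokens[:2] != ["ip", "host"]:
        raise ValueError("expression must start with 'ip host'")
    terms, op, negated, want_host, i = [], None, False, True, 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in ("and", "or") and not want_host:
            op, want_host = tok, True
        elif tok == "not" and want_host:
            negated = not negated
        elif tokens[i:i + 2] == ["ip", "host"] and want_host:
            i += 1  # explicit qualifiers; a bare host inherits them anyway
        elif want_host and tok not in ("and", "or", "ip", "host"):
            terms.append((op, negated, resolve(tok)))
            negated, want_host = False, False
        else:
            raise ValueError(f"unexpected token: {tok}")
        i += 1
    if want_host:
        raise ValueError("expression ends without a host")
    return terms

def matches(expr, src, dst):
    """True if the packet passes; 'and'/'or' have equal precedence, left to right."""
    result = None
    for op, negated, addr in parse(expr):
        hit = (addr in (src, dst)) != negated
        result = hit if op is None else (result and hit) if op == "and" else (result or hit)
    return result

def capture(expr):
    """Return the sample packets the filter would keep."""
    return [p for p in PACKETS if matches(expr, *p)]
```

Calling capture() with the second expression keeps only the first sample packet, because the conversation with 10.177.122.119 is excluded even though 10.77.122.123 is one of its endpoints.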