Cisco Ise 13 User Guide
permit tcp any host eq www
permit tcp any host eq 443
permit tcp any host eq 8443
permit tcp any host eq 8905
permit udp any host eq 8905
permit udp any host eq 8906
permit tcp any host eq 8080
permit udp any host eq 9996
remark Drop all the rest
deny ip any any log
!
! The ACL to allow URL-redirection for WebAuth
ip access-list extended ACL-WEBAUTH-REDIRECT
permit tcp any any eq www
permit tcp any any eq 443

Note: This configuration on the WLC may increase CPU utilization and raises the risk of system instability. This is an IOS issue and does not adversely affect Cisco ISE.

Cisco Identity Services Engine Administrator Guide, Release 1.3 (page 885)

Enable Switch Ports for 802.1X and MAB

To enable switch ports for 802.1X and MAB:
Procedure

Step 1 Enter configuration mode for all of the access switch ports:
interface range FastEthernet 0/1-8

Step 2 Enable the switch ports for access mode (instead of trunk mode):
switchport mode access

Step 3 Statically configure the access VLAN. This provides local provisioning of the access VLANs and is required for open-mode authentication:
switchport access

Step 4 Statically configure the voice VLAN:
switchport voice

Step 5 Enable open-mode authentication. Open mode allows traffic to be bridged onto the data and voice VLANs before authentication is completed. We strongly recommend using a port-based ACL in a production environment to prevent unauthorized access.
! Enables pre-auth access before AAA response; subject to port ACL
authentication open

Step 6 Apply a port-based ACL to determine which traffic should be bridged by default from unauthenticated endpoints onto the access VLAN. Because you should allow all access first and enforce policy later, you should apply ACL-ALLOW to permit all traffic through the switch port. You have already created a default ISE authorization to allow all traffic for now because we want complete visibility and do not want to impact the existing end-user experience yet.
! An ACL must be configured to prepend dACLs from AAA server.
ip access-group ACL-ALLOW in

Note: Prior to Cisco IOS software Release 12.2(55)SE on DSBU switches, a port ACL is required for dynamic ACLs from a RADIUS AAA server to be applied. Failure to have a default ACL will result in assigned dACLs being ignored by the switch. With Cisco IOS software Release 12.2(55)SE, a default ACL will be automatically generated and applied.

Note: We are using ACL-ALLOW at this point in the lab because we want to enable 802.1X port-based authentication, but without any impact to the existing network. In a later exercise, we will apply a different ACL-DEFAULT, which blocks undesired traffic for a production environment.

Step 7 Enable Multi-Auth host mode. Multi-Auth is essentially a superset of Multi-Domain Authentication (MDA). MDA only allows a single endpoint in the data domain. When multi-auth is configured, a single authenticated phone is allowed in the voice domain (as with MDA) but an unlimited number of data devices can be authenticated in the data domain.
! Allow voice + multiple endpoints on same physical access port
authentication host-mode multi-auth

Note: Multiple data devices (whether virtualized devices or physical devices connected to a hub) behind an IP phone can exacerbate the access ports' physical link-state awareness.

Step 8 Enable various authentication method options:
! Enable re-authentication
authentication periodic
! Enable re-authentication via RADIUS Session-Timeout
authentication timer reauthenticate server
authentication event fail action next-method
authentication event server dead action reinitialize
authentication event server alive action reinitialize
! IOS Flex-Auth authentication should do 802.1X then MAB
authentication order dot1x mab
authentication priority dot1x mab

Step 9 Enable 802.1X port control on the switch port:
! Enables port-based authentication on the interface
authentication port-control auto
authentication violation restrict

Step 10 Enable MAC Authentication Bypass (MAB):
! Enable MAC Authentication Bypass (MAB)
mab

Step 11 Enable 802.1X on the switch port:
! Enables 802.1X authentication on the interface
dot1x pae authenticator

Step 12 Set the retransmit period to 10 seconds:
dot1x timeout tx-period 10

Note: The dot1x tx-period timeout should be set to 10 seconds. Do not change this unless you understand the implications.

Step 13 Enable the portfast feature:
spanning-tree portfast

Command to Enable EPM Logging

Set up standard logging functions on the switch to support possible troubleshooting/recording for Cisco ISE functions:
epm logging

Command to Enable SNMP Traps

Ensure the switch is able to receive SNMP trap transmissions from Cisco ISE over the appropriate VLAN in this network segment:
snmp-server community public RO
snmp-server trap-source

Command to Enable SNMP v3 Query for Profiling

Configure the switch to ensure SNMPv3 polling takes place as intended to support Cisco ISE profiling services. First, configure the SNMP settings in Cisco ISE by choosing Administration > Network Resources > Network Devices > Add | Edit > SNMP Settings.
snmp-server user v3 auth md5 priv des
snmp-server group v3 priv
snmp-server group v3 priv context vlan-1

Note: The snmp-server group v3 priv context vlan-1 command must be configured for each context. The snmp show context command lists all the context information.

If the SNMP request times out and there is no connectivity issue, then you can increase the Timeout value.
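To verify that every access port actually carries the per-port commands from Steps 2 through 13 of the switch-port procedure above, the following added example (not from the Cisco guide) parses an IOS running-config and reports what each port is missing. The sample configuration, the port names and the VLAN numbers in it are constructed for the demo; the access and voice VLAN lines are matched by prefix because their values are site specific.

```python
# Added example, not from the Cisco guide. Audits access-port blocks of an IOS
# running-config against the per-port commands in Steps 2-13 above.
REQUIRED = [
    "switchport mode access", "authentication open",   # Step 5: open mode...
    "ip access-group ACL-ALLOW in",                     # Step 6: ...needs the port ACL
    "authentication host-mode multi-auth", "authentication periodic",
    "authentication timer reauthenticate server",
    "authentication event fail action next-method",
    "authentication event server dead action reinitialize",
    "authentication event server alive action reinitialize",
    "authentication order dot1x mab", "authentication priority dot1x mab",
    "authentication port-control auto", "authentication violation restrict",
    "mab", "dot1x pae authenticator", "dot1x timeout tx-period 10",  # Step 12: keep 10 s
    "spanning-tree portfast",
]
PREFIXES = ["switchport access vlan", "switchport voice vlan"]  # VLAN ids are site specific

def parse_interfaces(config):
    """Return {interface name: set of its indented config lines}."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = set()
        elif current is not None and line.startswith(" "):
            blocks[current].add(line.strip())
        else:
            current = None          # "!" or a global command closes the block
    return blocks

def audit_port(lines):
    """List the required commands missing from one access-port block."""
    missing = [cmd for cmd in REQUIRED if cmd not in lines]
    missing += [p for p in PREFIXES if not any(l.startswith(p) for l in lines)]
    return missing

def audit(config):
    """Map each port in access mode or running dot1x to its list of gaps."""
    return {name: audit_port(lines) for name, lines in parse_interfaces(config).items()
            if "switchport mode access" in lines or "dot1x pae authenticator" in lines}

def block(name, lines):
    return "interface %s\n%s\n!\n" % (name, "\n".join(" " + l for l in lines))

# Constructed sample: Fa0/1 is complete; Fa0/2 is open mode with no port ACL and a
# 30 s tx-period, both of which the audit must flag; Gi0/1 is a trunk and is skipped.
GOOD = REQUIRED + ["switchport access vlan 10", "switchport voice vlan 20"]
BAD = ["dot1x timeout tx-period 30" if c.startswith("dot1x timeout") else c
       for c in GOOD if c != "ip access-group ACL-ALLOW in"]
SAMPLE_CONFIG = ("hostname access-sw1\n!\n" + block("FastEthernet0/1", GOOD)
                 + block("FastEthernet0/2", BAD)
                 + block("GigabitEthernet0/1", ["switchport mode trunk"]))
```

Running `audit(SAMPLE_CONFIG)` reports FastEthernet0/2 as missing the ACL-ALLOW port ACL and the 10-second tx-period, the two deviations that would leave open-mode traffic unfiltered and change the 802.1X timing the guide says to keep.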
Command to Enable MAC Notification Traps for Profiler to Collect

Configure your switch to transmit the appropriate MAC notification traps so that the Cisco ISE Profiler function is able to collect information on network endpoints:
mac address-table notification change
mac address-table notification mac-move
snmp trap mac-notification change added
snmp trap mac-notification change removed

RADIUS Idle-Timeout Configuration on the Switch

To configure the RADIUS Idle-timeout on a switch, use the following command:
Switch(config-if)# authentication timer inactivity

where inactivity is the interval of inactivity in seconds, after which client activity is considered unauthorized.

In Cisco ISE, you can enable this option for any Authorization Policies to which such a session inactivity timer should apply from Policy > Policy Elements > Results > Authorization > Authorization Profiles.

Wireless LAN Controller Configuration for iOS Supplicant Provisioning

For Single SSID

To support Apple iOS-based devices (iPhone/iPad) switching from one SSID to another on the same wireless access point, configure the Wireless LAN Controller (WLC) to enable the "FAST SSID change" function. This function helps ensure iOS-based devices are able to more quickly switch between SSIDs.

For Dual SSID BYOD

Fast SSID must be enabled to support dual SSID BYOD. When Fast SSID changing is enabled, the wireless controller allows clients to move faster between SSIDs. When fast SSID is enabled, the client entry is not cleared and the delay is not enforced. For more information about Fast SSID, see http://www.cisco.com/c/en/us/td/docs/wireless/controller/8-3/config-guide/b_cg83/b_cg83_chapter_0100001.html for details about configuring Fast SSID on a Cisco WLC.

Example WLC Configuration
WLC (config)# FAST SSID change

You might see the following error message while trying to connect to a wireless network for some of the Apple iOS-based devices:
Could not scan for Wireless Networks.

You can ignore this error message because this does not affect the authentication of the device.
Wireless LAN Controller Support for Apple Devices

Apple devices include the Apple Captive Network Assistant (CNA) feature, which detects captive networks (like the Cisco ISE WebAuth page), but it interferes with the portal redirection required to support guests and personal devices.

You can bypass this feature by enabling the web-auth captive-bypass command on the Wireless LAN Controller (WLC):
WLC> config network web-auth captive-bypass enable
Web-auth support for Captive-Bypass will be enabled.
You must reset system for this setting to take effect.
WLC> save config
Are you sure you want to save? (y/n) y
Configuration Saved!
WLC>

Configuring ACLs on the Wireless LAN Controller for MDM Interoperability

You must configure ACLs on the wireless LAN controller for use in authorization policy to redirect nonregistered devices and certificate provisioning. Your ACLs should be in the following sequence.

Procedure

Step 1 Allow all outbound traffic from server to client.
Step 2 (Optional) Allow ICMP inbound traffic from client to server for troubleshooting.
Step 3 Allow access to MDM server for unregistered and noncompliant devices to download the MDM agent and proceed with compliance checks.
Step 4 Allow all inbound traffic from client to server to ISE for Web Portal and supplicant, and certificate provisioning flows.
Step 5 Allow inbound DNS traffic from client to server for name resolution.
Step 6 Allow inbound DHCP traffic from client to server for IP addresses.
Step 7 Deny all inbound traffic from client to server to corporate resources for redirection to ISE (as per your company policy).
Step 8 (Optional) Permit the rest of the traffic.
The following example shows the ACLs for redirecting a nonregistered device to the BYOD flow. In this example, the Cisco ISE IP address is 10.35.50.165, the internal corporate network IP addresses are 192.168.0.0 and 172.16.0.0 (to redirect), and the MDM server subnet is 204.8.168.0.

Figure 46: ACLs for Redirecting Nonregistered Device
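The point of the eight-step sequence above is that the WLC evaluates ACL entries in order and stops at the first match, so the deny for corporate resources (Step 7) only takes effect if it sits before the catch-all permit (Step 8). The following added example (not from the Cisco guide, and not a reproduction of Figure 46) writes the sequence down with the addresses from the example and evaluates sample flows against it; the /16 corporate masks, the /24 MDM mask and the DNS/DHCP destination ports are assumptions.

```python
# Added example, not from the Cisco guide: the eight-entry WLC ACL sequence from
# Steps 1-8 with the example addresses, plus a first-match evaluator.
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")
ISE = ipaddress.ip_network("10.35.50.165/32")
MDM = ipaddress.ip_network("204.8.168.0/24")                 # /24 is an assumption
CORP = [ipaddress.ip_network("192.168.0.0/16"),              # /16 is an assumption
        ipaddress.ip_network("172.16.0.0/16")]

# (step, direction, destination networks, protocol or None, destination port or None, action)
ACL = [
    (1, "out", [ANY], None, None, "permit"),   # server to client: allow everything
    (2, "in", [ANY], "icmp", None, "permit"),  # optional: ICMP for troubleshooting
    (3, "in", [MDM], None, None, "permit"),    # MDM agent download and compliance checks
    (4, "in", [ISE], None, None, "permit"),    # portal, supplicant and certificate flows
    (5, "in", [ANY], "udp", 53, "permit"),     # DNS (port assumed)
    (6, "in", [ANY], "udp", 67, "permit"),     # DHCP (port assumed)
    (7, "in", CORP, None, None, "deny"),       # corporate resources: redirect to ISE instead
    (8, "in", [ANY], None, None, "permit"),    # optional: permit the rest
]

def evaluate(direction, dst, proto, port, acl=ACL):
    """First-match lookup: return (step, action) for one flow, or (None, 'deny')."""
    addr = ipaddress.ip_address(dst)
    for step, d, nets, p, dport, action in acl:
        if (d == direction and any(addr in n for n in nets)
                and p in (None, proto) and dport in (None, port)):
            return step, action
    return None, "deny"          # nothing matched: implicit deny

def shadowed(acl):
    """Inbound steps that can never match because an earlier entry permits any inbound flow."""
    hidden, catch_all = [], False
    for step, d, nets, p, dport, action in acl:
        if d == "in" and catch_all:
            hidden.append(step)
        if d == "in" and nets == [ANY] and p is None and dport is None:
            catch_all = True
    return hidden
```

`shadowed(ACL)` is empty for the documented order, while swapping Steps 7 and 8 reports Step 7 as unreachable, which is the misconfiguration that would silently let unregistered devices reach corporate resources.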
CHAPTER 34

Supported Management Information Bases in Cisco ISE

• IF-MIB, page 891
• SNMPv2-MIB, page 892
• IP-MIB, page 892
• CISCO-CDP-MIB, page 893
• CISCO-VTP-MIB, page 894
• CISCO-STACK-MIB, page 894
• BRIDGE-MIB, page 895
• OLD-CISCO-INTERFACE-MIB, page 895
• CISCO-LWAPP-AP-MIB, page 895
• CISCO-LWAPP-DOT11-CLIENT-MIB, page 897
• CISCO-AUTH-FRAMEWORK-MIB, page 898
• IEEE8021-PAE-MIB: RFC IEEE 802.1X, page 898
• HOST-RESOURCES-MIB, page 898
• LLDP-MIB, page 899

IF-MIB

Table 145:
OID                              Object
1.3.6.1.2.1.2.2.1.1              ifIndex
1.3.6.1.2.1.2.2.1.2              ifDescr
1.3.6.1.2.1.2.2.1.3              ifType
1.3.6.1.2.1.2.2.1.5              ifSpeed
1.3.6.1.2.1.2.2.1.6              ifPhysAddress
1.3.6.1.2.1.2.2.1.7              ifAdminStatus
1.3.6.1.2.1.2.2.1.8              ifOperStatus

SNMPv2-MIB

Table 146:
OID                              Object
1.3.6.1.2.1.1                    system
1.3.6.1.2.1.1.1.0                sysDescr
1.3.6.1.2.1.1.2.0                sysObjectID
1.3.6.1.2.1.1.3.0                sysUpTime
1.3.6.1.2.1.1.4.0                sysContact
1.3.6.1.2.1.1.5.0                sysName
1.3.6.1.2.1.1.6.0                sysLocation
1.3.6.1.2.1.1.7.0                sysServices
1.3.6.1.2.1.1.8.0                sysORLastChange
1.3.6.1.2.1.1.9.0                sysORTable

IP-MIB

Table 147:
OID                              Object
1.3.6.1.2.1.4.20.1.2             ipAdEntIfIndex
1.3.6.1.2.1.4.20.1.3             ipAdEntNetMask
1.3.6.1.2.1.4.22.1.2             ipNetToMediaPhysAddress

CISCO-CDP-MIB

Table 148:
OID                              Object
1.3.6.1.4.1.9.9.23.1.2.1.1       cdpCacheEntry
1.3.6.1.4.1.9.9.23.1.2.1.1.1     cdpCacheIfIndex
1.3.6.1.4.1.9.9.23.1.2.1.1.2     cdpCacheDeviceIndex
1.3.6.1.4.1.9.9.23.1.2.1.1.3     cdpCacheAddressType
1.3.6.1.4.1.9.9.23.1.2.1.1.4     cdpCacheAddress
1.3.6.1.4.1.9.9.23.1.2.1.1.5     cdpCacheVersion
1.3.6.1.4.1.9.9.23.1.2.1.1.6     cdpCacheDeviceId
1.3.6.1.4.1.9.9.23.1.2.1.1.7     cdpCacheDevicePort
1.3.6.1.4.1.9.9.23.1.2.1.1.8     cdpCachePlatform
1.3.6.1.4.1.9.9.23.1.2.1.1.9     cdpCacheCapabilities
1.3.6.1.4.1.9.9.23.1.2.1.1.10    cdpCacheVTPMgmtDomain
1.3.6.1.4.1.9.9.23.1.2.1.1.11    cdpCacheNativeVLAN
1.3.6.1.4.1.9.9.23.1.2.1.1.12    cdpCacheDuplex
1.3.6.1.4.1.9.9.23.1.2.1.1.13    cdpCacheApplianceID
1.3.6.1.4.1.9.9.23.1.2.1.1.14    cdpCacheVlanID
1.3.6.1.4.1.9.9.23.1.2.1.1.15    cdpCachePowerConsumption
1.3.6.1.4.1.9.9.23.1.2.1.1.16    cdpCacheMTU
1.3.6.1.4.1.9.9.23.1.2.1.1.17    cdpCacheSysName
1.3.6.1.4.1.9.9.23.1.2.1.1.18    cdpCacheSysObjectID
1.3.6.1.4.1.9.9.23.1.2.1.1.19    cdpCachePrimaryMgmtAddrType
1.3.6.1.4.1.9.9.23.1.2.1.1.20    cdpCachePrimaryMgmtAddr
1.3.6.1.4.1.9.9.23.1.2.1.1.21    cdpCacheSecondaryMgmtAddrType
1.3.6.1.4.1.9.9.23.1.2.1.1.22    cdpCacheSecondaryMgmtAddr
1.3.6.1.4.1.9.9.23.1.2.1.1.23    cdpCachePhysLocation
1.3.6.1.4.1.9.9.23.1.2.1.1.24    cdpCacheLastChange

CISCO-VTP-MIB

Table 149:
OID                              Object
1.3.6.1.4.1.9.9.46.1.3.1.1.18.1  vtpVlanIfIndex
1.3.6.1.4.1.9.9.46.1.3.1.1.4.1   vtpVlanName
1.3.6.1.4.1.9.9.46.1.3.1.1.2.1   vtpVlanState

CISCO-STACK-MIB

Table 150:
OID                              Object
1.3.6.1.4.1.9.5.1.4.1.1.11       portIfIndex
1.3.6.1.4.1.9.5.1.9.3.1.3.1      vlanPortVlan