Cisco Ise 13 User Guide
Mobility/Mobility Upgrade license is always displayed as Base/Plus/Apex in the user interface with its corresponding number of endpoints.

Note: If your Cisco ISE node needs to support:
• A larger number of concurrent users than the number for which you have licenses
• Wired (LAN) access, and your system has only the Mobility license
you will need to upgrade your license(s) for that node. This process is carried out by your Cisco partner or account team only.

Remove Licenses

Before You Begin

Keep the following in mind before attempting to remove a license:
• If you have installed a Mobility Upgrade license after a Mobility license, you must remove the Mobility Upgrade license before you can remove the underlying Mobility license.
• If you install a combined license, all related installations in the Base, Plus, and Apex packages are also removed.

Procedure

Step 1 Choose Administration > System > Licensing.
Step 2 In the License Files section, click the check box next to the relevant file name, and click Delete License.
Step 3 Click OK.

Cisco Identity Services Engine Administrator Guide, Release 1.3 125 Manage License Files
CHAPTER 8

Manage Certificates

• Certificate Management in Cisco ISE, page 127
• Cisco ISE CA Service, page 152
• OCSP Services, page 169

Certificate Management in Cisco ISE

A certificate is an electronic document that identifies an individual, a server, a company, or other entity and associates that entity with a public key. A self-signed certificate is signed by its own creator. Certificates can be self-signed or digitally signed by an external Certificate Authority (CA). A CA-signed digital certificate is considered industry standard and more secure.

Certificates are used in a network to provide secure access. Cisco ISE uses certificates for internode communication, and for communicating with external servers such as the syslog server, feed server, and all the end-user portals (guest, sponsor, and personal devices portals). Certificates identify a Cisco ISE node to an endpoint and secure the communication between that endpoint and the Cisco ISE node.

You can use the Admin portal to manage certificates for all the nodes in your deployment.

Certificates Enable Cisco ISE to Provide Secure Access

The Cisco Identity Services Engine (ISE) relies on public key infrastructure (PKI) to provide secure communication with both endpoints and administrators, as well as between Cisco ISE nodes in a multinode deployment. PKI relies on X.509 digital certificates to transfer public keys for encryption and decryption of messages, and to verify the authenticity of other certificates representing users and devices. Cisco ISE provides the Admin Portal to manage the following two categories of X.509 certificates:

• System certificates—These are server certificates that identify a Cisco ISE node to client applications. Every Cisco ISE node has its own system certificates, each of which is stored on the node along with the corresponding private key.

• Trusted certificates—These are certificate authority (CA) certificates used to establish trust for the public keys received from users and devices. The Trusted Certificates Store also contains certificates that are distributed by the Simple Certificate Enrollment Protocol (SCEP), which enables registration of mobile devices into the enterprise network. Certificates in the Trusted Certificates Store are managed on the Primary Administration Node (PAN), and are automatically replicated to all other nodes in a Cisco ISE deployment.

In a distributed deployment, you must import the certificate only into the certificate trust list (CTL) of the PAN. The certificate gets replicated to the secondary nodes.

In general, to ensure certificate authentication in Cisco ISE is not impacted by minor differences in certificate-driven verification functions, use lowercase hostnames for all Cisco ISE nodes deployed in a network.

Certificate Usage

When you add or import a certificate into Cisco ISE, you should specify the purpose for which the certificate is to be used:
• Admin: For internode communication and authenticating the Admin portal
• EAP: For TLS-based EAP authentication
• Portal: For communicating with all Cisco ISE end-user portals
• xGrid: For communicating with the pxGrid controller

You can associate different certificates from each node for communicating with the Admin portal (Admin), the pxGrid controller (xGrid), and for TLS-based EAP authentication (EAP). However, you can associate only one certificate from each node for each of these purposes.

With multiple Policy Service nodes (PSNs) in a deployment that can service a web portal request, Cisco ISE needs a unique identifier to identify the certificate that has to be used for portal communication. When you add or import certificates that are designated for portal use, you must define a certificate group tag and associate it with the corresponding certificate on each node in your deployment. You must associate this certificate group tag to the corresponding end-user portals (guest, sponsor, and personal devices portals). This certificate group tag is the unique identifier that helps Cisco ISE identify the certificate that has to be used when communicating with each of these portals. You can designate one certificate from each node for each of the portals.
Note: EAP-TLS client certificate should have KeyUsage=Key Agreement and ExtendedKeyUsage=Client Authentication for the following ciphers:
• ECDHE-ECDSA-AES128-GCM-SHA256
• ECDHE-ECDSA-AES256-GCM-SHA384
• ECDHE-ECDSA-AES128-SHA256
• ECDHE-ECDSA-AES256-SHA384

EAP-TLS client certificate should have KeyUsage=Key Encipherment and ExtendedKeyUsage=Client Authentication for the following ciphers:
• AES256-SHA256
• AES128-SHA256
• AES256-SHA
• AES128-SHA
• DHE-RSA-AES128-SHA
• DHE-RSA-AES256-SHA
• DHE-RSA-AES128-SHA256
• DHE-RSA-AES256-SHA256
• ECDHE-RSA-AES256-GCM-SHA384
• ECDHE-RSA-AES128-GCM-SHA256
• ECDHE-RSA-AES256-SHA384
• ECDHE-RSA-AES128-SHA256
• ECDHE-RSA-AES256-SHA
• ECDHE-RSA-AES128-SHA
• EDH-RSA-DES-CBC3-SHA
• DES-CBC3-SHA
• RC4-SHA
• RC4-MD5

Certificate Matching in Cisco ISE

When you set up Cisco ISE nodes in a deployment, those two nodes communicate with each other. The system checks the FQDN of each ISE node to ensure they match (for example ise1.cisco.com and ise2.cisco.com, or if you use wildcard certificates then *.cisco.com). In addition, when an external machine presents a certificate to an ISE server, the external certificate that is presented for authentication is checked (or matched) against the certificate in the ISE server. If the two certificates match, the authentication succeeds.

For , matching is performed between the nodes (if there are two) and between the and pxGrid.

Cisco ISE checks for a matching subject name as follows:
1 Cisco ISE looks at the subject alternative name (SAN) extension of the certificate. If the SAN contains one or more DNS names, then one of the DNS names must match the FQDN of the Cisco ISE node. If a wildcard certificate is used, then the wildcard domain name must match the domain in the Cisco ISE node’s FQDN.
2 If there are no DNS names in the SAN, or if the SAN is missing entirely, then the Common Name (CN) in the Subject field of the certificate or the wildcard domain in the Subject field of the certificate must match the FQDN of the node.
3 If no match is found, the certificate is rejected.

Note: X.509 certificates imported to Cisco ISE must be in privacy-enhanced mail (PEM) or distinguished encoding rule (DER) format. Files containing a certificate chain, which is a system certificate along with the sequence of trust certificates that sign it, can be imported, subject to certain restrictions.

Validity of X.509 Certificates

X.509 certificates are only valid until a specific date. When a system certificate expires, the Cisco ISE functionality that depends on the certificate is impacted. Cisco ISE notifies you about the pending expiration of a system certificate when the expiration date is within 90 days. This notification appears in several ways:
• Colored expiration status icons appear in the System Certificates page.
• Expiration messages appear in the Cisco ISE System Diagnostic report.
• Expiration alarms are generated at 90 days, 60 days, and every day in the final 30 days before expiration.

If the expiring certificate is a self-signed certificate, you can extend its expiration date by editing the certificate. For a CA-signed certificate, you must allow sufficient time to acquire a replacement certificate from your CA.

Enable PKI in Cisco ISE

Public Key Infrastructure (PKI) is a cryptographic technique that enables secure communication and verifies the identity of a user using digital signatures.
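The expiration thresholds from "Validity of X.509 Certificates" above (notification within 90 days; alarms at 90 days, 60 days, and daily in the final 30 days) are easy to mirror in an external monitor so that a replacement CA-signed certificate is requested in time. The following is an added example written for this page, not Cisco code: it reads the `notAfter=` line that `openssl x509 -noout -enddate` prints for each system certificate, and the certificate names, dates and reference date are constructed.

```python
"""System-certificate expiration tiers as described under "Validity of X.509 Certificates".
Added example, not Cisco code. Input lines have the form that
`openssl x509 -noout -enddate -in cert.pem` prints; all names and dates are constructed."""
from datetime import datetime, timezone

# Constructed reference date for this run (an aware UTC datetime)
NOW = datetime(2026, 1, 1, tzinfo=timezone.utc)

# Constructed inventory: system certificate purpose -> `notAfter=` line from openssl
CONSTRUCTED_CERTS = {
    "admin":  "notAfter=Apr  1 00:00:00 2026 GMT",   # exactly 90 days out
    "eap":    "notAfter=Jan 20 00:00:00 2026 GMT",   # inside the final 30 days
    "portal": "notAfter=Dec 31 00:00:00 2026 GMT",   # nothing to report yet
    "pxgrid": "notAfter=Dec 30 00:00:00 2025 GMT",   # already expired
}


def parse_not_after(line):
    """Parse 'notAfter=Mon DD HH:MM:SS YYYY GMT' into an aware UTC datetime."""
    value = line.strip().split("=", 1)[1]
    # %Z accepts "GMT"; it does not set tzinfo, so attach UTC explicitly
    return datetime.strptime(value, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)


def expiry_status(not_after_line, now=NOW):
    """Classify one certificate: whole days left, whether the 90-day notification window
    (status icon and diagnostic report) applies, and which alarm would fire on `now`."""
    days_left = (parse_not_after(not_after_line) - now).days
    if days_left < 0:
        alarm = "expired"             # dependent ISE functionality is already impacted
    elif days_left <= 30:
        alarm = "daily"               # one alarm every day in the final 30 days
    elif days_left in (60, 90):
        alarm = f"{days_left}-day"    # the two one-off alarms
    else:
        alarm = None                  # possibly inside the window, but no alarm today
    return {"days_left": days_left, "notify": days_left <= 90, "alarm": alarm}


def check_certificates(certs=CONSTRUCTED_CERTS, now=NOW):
    """Run the classification over a whole inventory."""
    return {name: expiry_status(line, now) for name, line in certs.items()}


REPORT = check_certificates()

if __name__ == "__main__":
    for name, status in REPORT.items():
        print(f"{name:8s} {status['days_left']:5d} days  notify={status['notify']}  alarm={status['alarm']}")
```

Run it daily from cron against the output of `openssl x509 -noout -enddate` for each exported system certificate; anything with `alarm` set is a ticket, and a CA-signed certificate should be reissued well before the daily tier begins.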
Procedure

Step 1 Establish system certificates on each deployment node for TLS-enabled authentication protocols such as EAP-TLS, for authenticating the Admin portal, for browser and REST clients to access the Cisco ISE web portals, and for the pxGrid controller.
By default, a Cisco ISE node is preinstalled with a self-signed certificate that is used for EAP authentication, Admin portal, portals, and pxGrid controller. In a typical enterprise environment, this certificate is replaced with server certificates that are signed by a trusted CA.

Step 2 Populate the Trusted Certificates Store with the CA certificates that are necessary to establish trust with the user as well as device certificates that will be presented to Cisco ISE.
If a certificate chain consists of a root CA certificate plus one or more intermediate CA certificates, to validate the authenticity of a user or device certificate, you must import the entire chain into the Trusted Certificates Store.
For inter-node communication, you must populate the Trusted Certificates Store with the trust certificate(s) needed to validate the Admin system certificate belonging to each node in the Cisco ISE deployment. If you want to use the default self-signed certificate for internode communication, then you must export this certificate from the System Certificates page of each Cisco ISE node and import it into the Trusted Certificates Store. If you replace the self-signed certificates with CA-signed certificates, it is only necessary to populate the Trusted Certificates Store with the appropriate root CA and intermediate CA certificates. Be aware that you cannot register a node in a Cisco ISE deployment until you complete this step.

Note: After you obtain a backup from a standalone Cisco ISE node or the PAN, if you change the certificate configuration on one or more nodes in your deployment, you must obtain another backup to restore data. Otherwise, if you try to restore data using the older backup, communication between the nodes might fail.

Wildcard Certificates

A wildcard certificate uses a wildcard notation (an asterisk and period before the domain name) and allows the certificate to be shared across multiple hosts in an organization. For example, the CN value for the Certificate Subject would be some generic hostname such as aaa.ise.local and the SAN field would include the same generic hostname and the wildcard notation such as DNS.1=aaa.ise.local and DNS.2=*.ise.local.

If you configure a wildcard certificate to use *.ise.local, you can use the same certificate to secure any other host whose DNS name ends with “.ise.local,” such as:
• aaa.ise.local
• psn.ise.local
• mydevices.ise.local
• sponsor.ise.local

Wildcard certificates secure communication in the same way as a regular certificate, and requests are processed using the same validation methods.
The following figure shows an example of a wildcard certificate that is used to secure a website.

Figure 13: Wildcard Certificate Example

Wildcard Certificate Support in Cisco ISE

Cisco ISE supports wildcard certificates. In earlier releases, Cisco ISE verified any certificate enabled for HTTPS to ensure the CN field matches the Fully Qualified Domain Name (FQDN) of the host exactly. If the fields did not match, the certificate could not be used for HTTPS communication.

In earlier releases, Cisco ISE used that CN value to replace the variable in the url-redirect A-V pair string. For all Centralized Web Authentication (CWA), onboarding, posture redirection, and so on, the CN value was used.

Cisco ISE uses the hostname of the ISE node as the CN.

Wildcard Certificates for HTTPS and EAP Communication

You can use wildcard server certificates in Cisco ISE for Admin (web-based service) and EAP protocols that use SSL/TLS tunneling. With the use of wildcard certificates, you no longer have to generate a unique certificate for each Cisco ISE node. Also, you no longer have to populate the SAN field with multiple FQDN values to prevent certificate warnings. Using an asterisk (*) in the SAN field allows you to share a single certificate across multiple nodes in a deployment and helps prevent certificate name mismatch warnings. However, use of wildcard certificates is considered less secure than assigning a unique server certificate for each Cisco ISE node.

Note: If you use wildcard certificates, we strongly recommend that you partition your domain space for greater security. For example, instead of *.example.com, you can partition it as *.amer.example.com. If you do not partition your domain, it can lead to serious security issues.

A wildcard certificate uses an asterisk (*) and a period before the domain name. For example, the CN value for a certificate’s Subject Name would be a generic hostname such as aaa.ise.local and the SAN field would have the wildcard character such as *.ise.local. Cisco ISE supports wildcard certificates in which the wildcard character (*) is the leftmost character in the presented identifier. For example, *.example.com or *.ind.example.com. Cisco ISE does not support certificates in which the presented identifier contains additional characters along with the wildcard character. For example, abc*.example.com or a*b.example.com or *abc.example.com.

Fully Qualified Domain Name in URL Redirection

When Cisco ISE builds an authorization profile redirect (for central web authentication, device registration web authentication, native supplicant provisioning, mobile device management, and client provisioning and posture services), the resulting cisco-av-pair includes a string similar to the following:

url-redirect=https://ip:port/guestportal/gateway?sessionId=SessionIdValue&action=cwa

When processing this request, Cisco ISE substitutes actual values for some keywords in this string. For example, SessionIdValue is replaced with the actual session ID of the request. For the eth0 interface, Cisco ISE replaces the IP in the URL with the FQDN of the Cisco ISE node. For non-eth0 interfaces, Cisco ISE uses the IP address in the URL. You can assign a host alias (name) for interfaces eth1 through eth3, which Cisco ISE can then substitute in place of the IP address during URL redirection.

To do this, you can use the ip host command in the configuration mode from the Cisco ISE CLI ISE /admin(config)# prompt:

ip host IP_address host-alias FQDN-string

where IP_address is the IP address of the network interface (eth1 or eth2 or eth3) and host-alias is the name that you assign to the network interface. FQDN-string is the fully qualified domain name of the network interface. Using this command, you can assign a host-alias or an FQDN-string or both to a network interface.

Here is an example using the ip host command: ip host a.b.c.d sales sales.amerxyz.com

After you assign a host alias to the non-eth0 interface, you must restart the application services on Cisco ISE using the application start ise command.

Use the no form of this command to remove the association of the host alias with the network interface.

no ip host IP_address host-alias FQDN-string

Use the show running-config command to view the host alias definitions.

If you provide the FQDN-string, Cisco ISE replaces the IP address in the URL with the FQDN. If you provide only the host alias, Cisco ISE combines the host alias with the configured IP domain name to form a complete FQDN, and replaces the IP address in the URL with the FQDN. If you do not map a network interface to a host alias, then Cisco ISE uses the IP address of the network interface in the URL.

When you use non-eth0 interfaces for client provisioning, native supplicant, or guest flows, you must make sure that the IP address or host alias for those non-eth0 interfaces is configured appropriately in the Policy Service node certificate's SAN fields.
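The substitution rules above (eth0 gets the node FQDN; a non-eth0 interface gets its FQDN-string, else host alias plus the ip domain-name, else its raw IP address) decide what name the client's browser will compare against the PSN certificate, which is why the last paragraph ties them to the SAN. The following added example, written for this page and not Cisco code, parses `ip host` lines from a constructed `show running-config` excerpt, applies those rules, and lists redirect hosts a constructed SAN would not cover. The interface addresses, session ID, default port and the rule that a lone dotted argument is an FQDN-string rather than a host alias are all assumptions.

```python
"""URL-redirect host substitution as described under "Fully Qualified Domain Name in URL
Redirection". Added example, not Cisco code. Running-config excerpt, interface addresses,
session ID and port are constructed; treating a single dotted argument of `ip host` as an
FQDN-string (rather than a host alias) is an assumption."""
import re

# Constructed `show running-config` excerpt (RFC 5737 documentation addresses)
CONSTRUCTED_RUNNING_CONFIG = """\
hostname ise-psn1
ip domain-name ise.example.com
ip host 192.0.2.11 sales sales.amer.example.com
ip host 192.0.2.12 guest
ip host 192.0.2.13 mdm.emea.example.com
"""

# Constructed interface-to-address map for the same node
CONSTRUCTED_INTERFACES = {
    "eth0": "192.0.2.10", "eth1": "192.0.2.11",
    "eth2": "192.0.2.12", "eth3": "192.0.2.13",
}

IP_HOST_RE = re.compile(r"^ip host (\S+) (\S+)(?: (\S+))?$")


def parse_running_config(text):
    """Return (hostname, ip domain-name, {ip: {"alias": ..., "fqdn": ...}})."""
    hostname = domain = None
    hosts = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("hostname "):
            hostname = line.split(None, 1)[1]
        elif line.startswith("ip domain-name "):
            domain = line.split(None, 2)[2]
        else:
            m = IP_HOST_RE.match(line)
            if not m:
                continue
            ip, first, second = m.groups()
            if second is not None:                # alias and FQDN-string both given
                hosts[ip] = {"alias": first, "fqdn": second}
            elif "." in first:                    # assumption: dotted single argument = FQDN-string
                hosts[ip] = {"alias": None, "fqdn": first}
            else:                                 # host alias only
                hosts[ip] = {"alias": first, "fqdn": None}
    return hostname, domain, hosts


def redirect_host(interface, config=CONSTRUCTED_RUNNING_CONFIG, interfaces=CONSTRUCTED_INTERFACES):
    """Host part ISE substitutes for `ip` in the url-redirect for a request on `interface`."""
    hostname, domain, hosts = parse_running_config(config)
    ip = interfaces[interface]
    if interface == "eth0":
        return f"{hostname}.{domain}"             # eth0 always gets the node FQDN
    entry = hosts.get(ip)
    if entry is None:
        return ip                                 # no mapping: the IP address stays in the URL
    if entry["fqdn"]:
        return entry["fqdn"]                      # FQDN-string replaces the IP
    return f"{entry['alias']}.{domain}"           # alias + ip domain-name forms the FQDN


def build_url_redirect(interface, session_id, port=8443, action="cwa"):
    """Fill in the cisco-av-pair template from the text (port value is an assumption)."""
    host = redirect_host(interface)
    return (f"url-redirect=https://{host}:{port}/guestportal/gateway"
            f"?sessionId={session_id}&action={action}")


def hosts_missing_from_san(interfaces, san_dns):
    """Redirect hosts the PSN certificate's SAN does not list literally (wildcards aside);
    each of these will produce a certificate warning in the client's browser."""
    san = {s.lower() for s in san_dns}
    return [h for h in (redirect_host(i) for i in interfaces) if h.lower() not in san]
```

The check in `hosts_missing_from_san` is the one to run after every `ip host` change and before `application start ise`: a redirect host that the certificate does not name is exactly the mismatch warning the text says to avoid.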
Advantages of Using Wildcard Certificates

• Cost savings. Certificates signed by a third-party Certificate Authority are expensive, especially as the number of servers increases. Wildcard certificates may be used on multiple nodes in the Cisco ISE deployment.
• Operational efficiency. Wildcard certificates allow all Policy Service Node (PSN) EAP and web services to share the same certificate. In addition to significant cost savings, certificate administration is also simplified by creating the certificate once and applying it on all the PSNs.
• Reduced authentication errors. Wildcard certificates address issues seen with Apple iOS devices where the client stores trusted certificates within the profile, and does not follow the iOS keychain where the signing root is trusted. When an iOS client first communicates with a PSN, it does not explicitly trust the PSN certificate, even though a trusted Certificate Authority has signed the certificate. Using a wildcard certificate, the certificate will be the same across all PSNs, so the user only has to accept the certificate once and successive authentications to different PSNs proceed without error or prompting.
• Simplified supplicant configuration. For example, a Microsoft Windows supplicant with PEAP-MSCHAPv2 and server certificate trust enabled requires that you specify each of the server certificates to trust, or the user may be prompted to trust each PSN certificate when the client connects using a different PSN. With wildcard certificates, a single server certificate can be trusted rather than individual certificates from each PSN.
• Wildcard certificates result in an improved user experience with less prompting and more seamless connectivity.

Disadvantages of Using Wildcard Certificates

The following are some of the security considerations related to wildcard certificates:
• Loss of auditability and nonrepudiation
• Increased exposure of the private key
• Not common or understood by administrators

Wildcard certificates are considered less secure than a unique server certificate per ISE node. But, cost and other operational factors outweigh the security risk.

Security devices such as ASA also support wildcard certificates.
You must be careful when deploying wildcard certificates. For example, if you create a certificate with *.company.local and an attacker is able to recover the private key, that attacker can spoof any server in the company.local domain. Therefore, it is considered a best practice to partition the domain space to avoid this type of compromise.

To address this possible issue and to limit the scope of use, wildcard certificates may also be used to secure a specific subdomain of your organization. Add an asterisk (*) in the subdomain area of the common name where you want to specify the wildcard.

For example, if you configure a wildcard certificate for *.ise.company.local, that certificate may be used to secure any host whose DNS name ends in “.ise.company.local”, such as:
• psn.ise.company.local
• mydevices.ise.company.local
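Three passages on this page describe one piece of logic: the three-step subject-name match under "Certificate Matching in Cisco ISE" (SAN DNS names first, CN only when the SAN carries no DNS names, otherwise reject), the rule that a wildcard is supported only as the whole leftmost label (*.example.com but not abc*.example.com), and the partitioning advice just above, where the set of hosts a wildcard matches is the set an attacker holding its private key could impersonate. The following added example, written for this page and not Cisco code, implements that match and then uses it to compare the reach of *.company.local with *.ise.company.local over a constructed host inventory. It assumes a wildcard covers exactly one DNS label and applies the lowercase-hostname guidance from earlier on the page by normalizing case.

```python
"""Certificate-to-FQDN matching as described under "Certificate Matching in Cisco ISE",
the leftmost-only wildcard rule, and the domain-partitioning comparison.
Added example, not Cisco code. Assumes a wildcard label matches exactly one DNS label."""


def classify_identifier(name):
    """'literal' (no '*'), 'wildcard' ('*' is the entire leftmost label, e.g. *.ind.example.com),
    or 'unsupported' (any other use of '*': abc*.example.com, a*b.example.com, *abc.example.com)."""
    name = name.lower().rstrip(".")
    if "*" not in name:
        return "literal"
    labels = name.split(".")
    if labels[0] == "*" and len(labels) >= 2 and all("*" not in lab and lab for lab in labels[1:]):
        return "wildcard"
    return "unsupported"


def identifier_matches(identifier, fqdn):
    """Does one certificate identifier (a SAN dNSName or the Subject CN) match the node FQDN?"""
    fqdn = fqdn.lower().rstrip(".")          # lowercase, per the page's hostname guidance
    ident = identifier.lower().rstrip(".")
    kind = classify_identifier(ident)
    if kind == "literal":
        return ident == fqdn
    if kind == "wildcard":
        host_labels = fqdn.split(".")
        # the wildcard domain must equal the node's domain, with exactly one label in front
        return (len(host_labels) >= 2 and host_labels[0] != ""
                and ".".join(host_labels[1:]) == ident[2:])
    return False                              # unsupported wildcard forms never match


def match_certificate(cert, node_fqdn):
    """cert = {"san_dns": [...], "cn": "..."}. Returns (decision, reason).
    Step 1: SAN DNS names. Step 2: CN, only if the SAN has no DNS names. Step 3: reject."""
    san_dns = cert.get("san_dns") or []
    if san_dns:
        for name in san_dns:
            if identifier_matches(name, node_fqdn):
                return ("accepted", f"SAN dNSName {name}")
        return ("rejected", "SAN has DNS names but none matches the FQDN")
    cn = cert.get("cn", "")
    if cn and identifier_matches(cn, node_fqdn):
        return ("accepted", f"Subject CN {cn}")
    return ("rejected", "no SAN DNS name and CN does not match the FQDN")


# Constructed host inventory for the partitioning comparison
CONSTRUCTED_HOSTS = [
    "psn.ise.company.local", "mydevices.ise.company.local",
    "mail.company.local", "hr-portal.company.local", "db.corp.company.local",
]


def hosts_covered(wildcard, hosts=CONSTRUCTED_HOSTS):
    """Hosts a wildcard certificate would be accepted for: the reach of its private key."""
    return [h for h in hosts if identifier_matches(wildcard, h)]


if __name__ == "__main__":
    for pattern in ("*.company.local", "*.ise.company.local"):
        print(pattern, "->", hosts_covered(pattern))
```

Note the asymmetry in `match_certificate`: once the SAN carries any DNS name, the CN is never consulted, so a certificate whose only correct name is in the CN is rejected as soon as an unrelated dNSName is added. The `hosts_covered` comparison makes the partitioning advice concrete: the broader pattern reaches services such as mail that ISE never needed to speak for.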