Cisco ISE 1.3 User Guide
• sponsor.ise.company.local

Wildcard Certificate Compatibility

Wildcard certificates are usually created with the wildcard listed as the Common Name (CN) of the Certificate Subject. Cisco ISE supports this type of construction. However, not all endpoint supplicants support the wildcard character in the Certificate Subject.

All Microsoft native supplicants tested (including Windows Mobile) do not support the wildcard character in the Certificate Subject.

You can use another supplicant, such as Cisco AnyConnect Network Access Manager (NAM), that might allow the use of the wildcard character in the Subject field.

You can also use special wildcard certificates such as DigiCert's Wildcard Plus, which is designed to work with incompatible devices by including specific subdomains in the Subject Alternative Name of the certificate.

Although the Microsoft supplicant limitation appears to be a deterrent to using wildcard certificates, there are alternative ways to create the wildcard certificate that allow it to work with all devices tested for secure access, including the Microsoft native supplicants. To do this, instead of using the wildcard character in the Subject, you must use the wildcard character in the Subject Alternative Name (SAN) field. The SAN field maintains an extension designed for checking the domain name (DNS name). See RFCs 6125 and 2128 for more information.

System Certificates

Cisco ISE system certificates are server certificates that identify a Cisco ISE node to other nodes in the deployment and to client applications. System certificates are:

• Used for inter-node communication in a Cisco ISE deployment. Choose the Admin option in the Usage field for these certificates.
• Used by browser and REST clients who connect to Cisco ISE web portals. Choose the Portal option in the Usage field for these certificates.
• Used to form the outer TLS tunnel with PEAP and EAP-FAST. Choose the EAP option in the Usage field for mutual authentication with EAP-TLS, PEAP, and EAP-FAST.
• Used to communicate with the pxGrid controller. Choose the pxGrid option in the Usage field for these certificates.
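Before designating a wildcard system certificate for Portal or EAP use, it helps to see which host names it actually covers. The following is an added example, not code from the Cisco guide, modelling how a SAN-aware client evaluates the wildcard placement discussed under Wildcard Certificate Compatibility above; it assumes the RFC 6125 left-most-label wildcard rules and reuses the guide's sponsor.ise.company.local host name as constructed input.

```python
# Added example, not code from the Cisco ISE guide: evaluate which host names a
# wildcard certificate actually covers, following the SAN-versus-CN guidance
# above. Per RFC 6125, a client that finds dNSName entries in the Subject
# Alternative Name ignores the Common Name, so a wildcard that lives only in
# the CN is both rejected by some supplicants and invisible to SAN-aware ones.
from dataclasses import dataclass, field
from typing import List


@dataclass
class CertIdentity:
    common_name: str                                   # CN from the Subject
    san_dns: List[str] = field(default_factory=list)   # dNSName SAN entries


def _name_matches(pattern: str, host: str) -> bool:
    """Wildcard matching as TLS clients commonly implement it: '*' may only
    stand for the entire left-most label, never part of one or several."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    # '*' must be the whole first label and must not appear anywhere else
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False
    # same label count, so *.ise.company.local never covers two levels
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def matches_host(cert: CertIdentity, host: str) -> bool:
    """True when the certificate identifies `host`; SANs take precedence."""
    if cert.san_dns:
        return any(_name_matches(name, host) for name in cert.san_dns)
    return _name_matches(cert.common_name, host)


def supplicant_warning(cert: CertIdentity) -> str:
    """Flag the construction the guide says Microsoft native supplicants
    reject: a wildcard character inside the Subject CN."""
    if "*" in cert.common_name:
        return "wildcard in Subject CN: move it to a SAN dNSName entry"
    return ""


# Constructed sample identities built around the guide's example host name.
CN_ONLY = CertIdentity("*.ise.company.local")
SAN_FORM = CertIdentity("ise.company.local",
                        ["ise.company.local", "*.ise.company.local"])
```

Running matches_host(SAN_FORM, "sponsor.ise.company.local") returns True while a certificate whose only wildcard sits in the CN alongside a non-wildcard SAN does not match that host at all.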
You must install valid system certificates on each node in your Cisco ISE deployment. By default, a self-signed certificate is created on a Cisco ISE node during installation time, and this certificate is designated for EAP, Admin, Portal, and pxGrid use (it has a key length of 1024 and is valid for one year).

When you export a wildcard system certificate to be imported into the other nodes (for inter-node communication), ensure that you export the certificate and private key, and specify an encryption password. During import, you will need the certificate, private key, and encryption password.

Note: Cisco recommends that you replace the self-signed certificate with a CA-signed certificate for greater security.

To obtain a CA-signed certificate, you must:

1. Create a certificate signing request (CSR)

Cisco Identity Services Engine Administrator Guide, Release 1.3, page 135: Certificate Management in Cisco ISE
2. Submit it to a Certificate Authority (CA)
3. Obtain the signed certificate
4. Import the relevant root and intermediate CA certificates into the Trusted Certificates Store
5. Bind the signed certificate with the CSR

View System Certificates

The System Certificate page lists all the system certificates added to Cisco ISE.

Before You Begin

To perform the following task, you must be a Super Admin or System Admin.

Procedure

Step 1 Choose Administration > System > Certificates > System Certificates.
The System Certificates page appears and provides the following information for the local certificates:
• Friendly Name—Name of the certificate.
• Used By—Service for which this certificate is used.
• Portal group tag—Applicable only for certificates that are designated for portal use. Specifies which certificate has to be used for the portals.
• Issued To—Common Name of the certificate subject.
• Issued By—Common Name of the certificate issuer.
• Valid From—Date on which the certificate was created, also known as the Not Before certificate attribute.
• Expiration Date—Expiration date of the certificate, also known as the Not After certificate attribute. Indicates when the certificate expires. There are five categories along with an associated icon that appear here:
  ◦ Expiring in more than 90 days (green icon)
  ◦ Expiring in 90 days or less (blue icon)
  ◦ Expiring in 60 days or less (yellow icon)
  ◦ Expiring in 30 days or less (orange icon)
  ◦ Expired (red icon)
Step 2 Select a certificate and choose View to display the certificate details.

Import a System Certificate

You can import a system certificate for any Cisco ISE node from the Admin portal.
Before You Begin

• Ensure that you have the system certificate and the private key file on the system that is running the client browser.
• If the system certificate that you import is signed by an external CA, import the relevant root CA and intermediate CA certificates into the Trusted Certificates Store (Administration > System > Certificates > Trusted Certificates).
• Cisco ISE does not support certificates that are signed with a hash algorithm greater than SHA-256. Hence, you must not import a server certificate that is signed with a hash algorithm greater than SHA-256.
• If the system certificate that you import contains the basic constraints extension with the CA flag set to true, ensure that the key usage extension is present, and the keyEncipherment bit or the keyAgreement bit or both are set.
• To perform the following task, you must be a Super Admin or System Admin.

Procedure

Step 1 Choose Administration > System > Certificates > System Certificates.
Step 2 Click Import.
The Import Server Certificate screen opens.
Step 3 Enter the values for the certificate that you are going to import.
Step 4 Click Submit.

Generate a Self-Signed Certificate

You can add a new local certificate by generating a self-signed certificate. Cisco recommends that you only employ self-signed certificates for your internal testing and evaluation needs. If you are planning to deploy Cisco ISE in a production environment, be sure to use CA-signed certificates whenever possible to ensure more uniform acceptance around a production network.

Note: If you are using a self-signed certificate and you must change the hostname of your Cisco ISE node, you must log in to the Admin portal of the Cisco ISE node, delete the self-signed certificate that has the old hostname, and generate a new self-signed certificate. Otherwise, Cisco ISE will continue to use the self-signed certificate with the old hostname.

Before You Begin

To perform the following task, you must be a Super Admin or System Admin.

Procedure

Step 1 Choose Administration > System > Certificates > System Certificates.
To generate a self-signed certificate from a secondary node, choose Administration > System > Server Certificate.
Step 2 Click Generate Self Signed Certificate and enter the details in the Generate Self Signed Certificate page.
Step 3 Check the check boxes in the Usage area based on the service for which you want to use this certificate.
Step 4 Click Submit to generate the certificate.
To restart the secondary nodes, from the CLI, enter the following commands in the given order:
a) application stop ise
b) application start ise

Edit a System Certificate

You can use this page to edit a system certificate and to renew a self-signed certificate.

Before You Begin

To perform the following task, you must be a Super Admin or System Admin.

Procedure

Step 1 Choose Administration > System > Certificates > System Certificates.
Step 2 Check the check box next to the certificate that you want to edit, and click Edit.
Step 3 To renew a self-signed certificate, check the Renew Self Signed Certificate check box and enter the Expiration TTL (Time to Live) in days, weeks, months, or years.
Step 4 Click Save to save your changes.
If the Admin check box is checked, then the application server on the Cisco ISE node will be restarted. In addition, if the Cisco ISE node is the PAN in a deployment, then the application server on all other nodes in the deployment will also be restarted. The system restarts one node at a time, after the Primary Administration Node (PAN) restart has completed.

Export a System Certificate

You can export a selected system certificate or a certificate and its associated private key. If you export a certificate and its private key for backup purposes, you can reimport them later if needed.

Before You Begin

To perform the following task, you must be a Super Admin or System Admin.
Procedure

Step 1 Choose Administration > System > Certificates > System Certificates.
Step 2 Check the check box next to the certificate that you want to export and then click Export.
Step 3 Choose whether to export only the certificate, or the certificate and its associated private key.
Tip: We do not recommend exporting the private key associated with a certificate because its value may be exposed. If you must export a private key (for example, when you export a wildcard system certificate to be imported into the other nodes for inter-node communication), specify an encryption password for the private key. You will need to specify this password while importing this certificate into another Cisco ISE node to decrypt the private key.
Step 4 Enter the password if you have chosen to export the private key. The password should be at least 8 characters long.
Step 5 Click Export to save the certificate to the file system that is running your client browser.
If you export only the certificate, the certificate is stored in the privacy-enhanced mail format. If you export both the certificate and private key, the certificate is exported as a .zip file that contains the certificate in the privacy-enhanced mail format and the encrypted private key file.

Trusted Certificates Store

The Trusted Certificates Store contains X.509 certificates that are used for trust and for Simple Certificate Enrollment Protocol (SCEP).

The certificates in the Trusted Certificate Store are managed on the PAN, and are replicated to every node in the Cisco ISE deployment. Cisco ISE supports wildcard certificates.

Cisco ISE uses the trusted certificates for the following purposes:

• To verify client certificates used for authentication by endpoints, and by Cisco ISE administrators accessing the Admin portal using certificate-based administrator authentication.
• To enable secure communication between Cisco ISE nodes in a deployment. The Trusted Certificates Store must contain the chain of CA certificates needed to establish trust with the system certificate on each node in a deployment.
  ◦ If a self-signed certificate is used for the system certificate, the self-signed certificate from each node must be placed in the Trusted Certificates Store of the PAN.
  ◦ If a CA-signed certificate is used for the system certificate, the CA root certificate, as well as any intermediate certificates in the trust chain, must be placed in the Trusted Certificates Store of the PAN.
• To enable secure LDAP authentication, a certificate from the Certificate Store must be selected when defining an LDAP identity source that will be accessed over SSL.
• To distribute to personal devices preparing to register in the network using the personal devices portals. Cisco ISE implements the SCEP on Policy Service Nodes (PSN) to support personal device registration. A registering device uses the SCEP protocol to request a client certificate from a PSN. The PSN contains a registration authority (RA) that acts as an intermediary; it receives and validates the request from the
registering device, and then forwards the request to an external CA or the internal Cisco ISE CA, which issues the client certificate. The CA sends the certificate back to the RA, which returns it to the device.
Each SCEP CA used by Cisco ISE is defined by a SCEP RA Profile. When a SCEP RA Profile is created, two certificates are automatically added to the Trusted Certificates Store:
  ◦ A CA certificate (a self-signed certificate)
  ◦ An RA certificate (a Certificate Request Agent certificate), which is signed by the CA.
The SCEP protocol requires that these two certificates be provided by the RA to a registering device. By placing these two certificates in the Trusted Certificates Store, they are replicated to all PSN nodes for use by the RA on those nodes.

Note: X.509 certificates imported to Cisco ISE must be in Privacy-Enhanced Mail (PEM) or Distinguished Encoding Rules (DER) format. Files containing a certificate chain, that is, a system certificate along with the sequence of trust certificates that sign it, can be imported, subject to certain restrictions.

Certificates in Trusted Certificates Store

The Trusted Certificate Store is prepopulated with trusted certificates: Manufacturing certificate, Root certificate, Endpoint CA, Endpoint RA, and other trusted certificates. The Root certificate (Cisco Root CA) signs the Manufacturing (Cisco CA Manufacturing) certificate. These certificates are disabled by default. If you have Cisco IP phones as endpoints in your deployment, you should enable these two certificates so the Cisco-signed client certificates for the phones can be authenticated.

Trusted Certificate Naming Constraint

A trusted certificate in CTL may contain a name constraint extension. This extension defines a namespace for values of all subject name and subject alternative name fields of subsequent certificates in a certificate chain. Cisco ISE does not check constraints specified in a root certificate.
The following name constraints are supported:

• Directory name
  The Directory name constraint should be a prefix of the directory name in subject/SAN. For example,
  ◦ Correct subject prefix:
    CA certificate name constraint: Permitted: O=Cisco
    Client certificate subject: O=Cisco,CN=Salomon
  ◦ Incorrect subject prefix:
    CA certificate name constraint: Permitted: O=Cisco
    Client certificate subject: CN=Salomon,O=Cisco
• DNS
• E-mail
• URI (The URI constraint must start with a URI prefix such as http://, https://, ftp://, or ldap://).
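The Directory name rule above is easy to get backwards, because "O=Cisco,CN=Salomon" and "CN=Salomon,O=Cisco" name the same attributes in a different order. The following is an added example, not code from the Cisco guide, that implements the prefix check on RDN sequences and generalizes it to lists of Permitted and Excluded DirName entries; its DN parser assumes the simple comma-separated syntax used in this section, and the sample DNs are constructed from this section's examples.

```python
# Added example, not code from the Cisco ISE guide: apply the Directory name
# constraint rule described above. A DirName constraint is satisfied only when
# its RDNs appear, in order, as the leading RDNs of the subject, which is why
# "O=Cisco,CN=Salomon" passes "Permitted: O=Cisco" and "CN=Salomon,O=Cisco"
# does not. Permitted and Excluded lists are handled as in the name
# constraints dump shown in this section.
from typing import List, Sequence, Tuple

RDN = Tuple[str, str]  # (attribute type, value), e.g. ("O", "Cisco")


def parse_dn(dn: str) -> List[RDN]:
    """Split a comma-separated DN string into RDN pairs. Assumes the simple
    syntax used in this section (no escaped commas, no multi-valued RDNs)."""
    rdns: List[RDN] = []
    for part in dn.split(","):
        attr, sep, value = part.strip().partition("=")
        if not sep or not attr.strip() or not value:
            raise ValueError(f"malformed RDN {part!r} in {dn!r}")
        # attribute types are case-insensitive; values are compared as given
        # (X.500 caseIgnoreMatch is deliberately not modelled here)
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns


def is_dn_prefix(constraint: Sequence[RDN], subject: Sequence[RDN]) -> bool:
    """True when `constraint` equals the first len(constraint) RDNs of `subject`."""
    n = len(constraint)
    return n <= len(subject) and list(subject[:n]) == list(constraint)


def dirname_permitted(subject_dn: str, permitted: Sequence[str],
                      excluded: Sequence[str] = ()) -> bool:
    """Evaluate a subject DN against DirName constraints: any Excluded prefix
    rejects it; otherwise, if Permitted DirName entries exist, one must match.
    Non-DirName constraint types (DNS, email, URI) are outside this check."""
    subject = parse_dn(subject_dn)
    if any(is_dn_prefix(parse_dn(e), subject) for e in excluded):
        return False
    if not permitted:
        return True  # no DirName restriction was expressed
    return any(is_dn_prefix(parse_dn(p), subject) for p in permitted)


# Constructed inputs taken from the examples in this section.
PERMITTED_DIRNAMES = [
    "DC=dir,DC=emea",
    "C=AT,ST=EMEA,L=AT,O=ABCDE Group,OU=Domestic",
    "C=CH,ST=EMEA,L=CH,O=ABCDE Group,OU=ServiceZ100",
]
ACCEPTED_SUBJECT = ("DC=dir,DC=emea,OU=+DE,OU=OU-Administration,"
                    "OU=Users,OU=X1,CN=cwinwell")
```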
The following name constraints are not supported:

• IP address
• Other name

When a trusted certificate contains a constraint that is not supported and the certificate that is being verified does not contain the appropriate field, it is rejected because Cisco ISE cannot verify unsupported constraints.

The following is an example of the name constraints definition within the trusted certificate:

    X509v3 Name Constraints: critical
      Permitted:
        othername:
        email:.abcde.at
        email:.abcde.be
        email:.abcde.bg
        email:.abcde.by
        DNS:.dir
        DirName:DC=dir,DC=emea
        DirName:C=AT,ST=EMEA,L=AT,O=ABCDE Group,OU=Domestic
        DirName:C=BG,ST=EMEA,L=BG,O=ABCDE Group,OU=Domestic
        DirName:C=BE,ST=EMEA,L=BN,O=ABCDE Group,OU=Domestic
        DirName:C=CH,ST=EMEA,L=CH,O=ABCDE Group,OU=ServiceZ100
        URI:.dir
        IP:172.23.0.171/255.255.255.255
      Excluded:
        DNS:.dir
        URI:.dir

An acceptable client certificate subject that matches the above definition is as follows:

    Subject: DC=dir,DC=emea,OU=+DE,OU=OU-Administration,OU=Users,OU=X1,CN=cwinwell

View Trusted Store Certificates

The Trusted Certificates page lists all the trusted certificates that have been added to Cisco ISE. To view the trusted certificates, you must be a Super Admin or System Admin.

To view all the certificates, choose Administration > System > Certificates > Trusted Certificates. The Trusted Certificates page appears, listing all the trusted certificates.

Before You Begin

To perform the following task, you must be a Super Admin or System Admin.

Change the Status of a Certificate in Trusted Certificates Store

The status of a certificate must be enabled so that Cisco ISE can use the certificate for establishing trust. When a certificate is imported into the Trusted Certificates Store, it is automatically enabled.
Procedure

Step 1 Choose Administration > System > Certificates > Trusted Certificates.
Step 2 Check the check box next to the certificate you want to enable or disable, and click Edit.
Step 3 Change the status.
Step 4 Click Save.

Add a Certificate to Trusted Certificates Store

The Certificate Store page allows you to add CA certificates to Cisco ISE.

Before You Begin

• To perform the following task, you must be a Super Admin or System Admin.
• Ensure that the certificate store certificate resides on the file system of the computer where your browser is running. The certificate must be in PEM or DER format.
• If you plan to use the certificate for Admin or EAP authentication, ensure that the basic constraints are defined in the certificate and the CA flag is set to true.

Procedure

Step 1 Choose Administration > System > Certificates > Trusted Certificates.
Step 2 Click Import.
Step 3 Configure the field values as necessary.
If you plan to use any sub-CA certificate in the certificate chain for EAP authentication, ensure that you check the Trust for client authentication and Syslog check box while importing all the certificates in the certificate chain up until the Root CA.
When you change the authentication type from password-based authentication to certificate-based authentication, Cisco ISE restarts the application server on each node in your deployment, starting with the application server on the PAN and followed, one-by-one, by each additional node.

Edit a Trusted Certificate

After you add a certificate to the Trusted Certificates Store, you can further edit it by using the edit settings.

Before You Begin

To perform the following task, you must be a Super Admin or System Admin.
Procedure

Step 1 Choose Administration > System > Certificates > Trusted Certificates.
Step 2 Check the check box next to the certificate that you want to edit, and click Edit.
Step 3 Modify the editable fields as required.
Step 4 Click Save to save the changes you have made to the certificate store.

Export a Certificate from the Trusted Certificates Store

Before You Begin

To perform the following task, you must be a Super Admin or System Admin.

Procedure

Step 1 Choose Administration > System > Certificates > Trusted Certificates.
Step 2 Check the check box next to the certificate that you want to export, and click Export. You can export only one certificate at a time.
Step 3 Save the privacy-enhanced mail file to the file system that is running your client browser.

Import the Root Certificates to the Trusted Certificate Store

While importing the root CA and intermediate CA certificates, you can specify the service(s) for which the Trusted CA certificates are to be used.

Before You Begin

You must have the root certificate and other intermediate certificates from the Certificate Authority that signed your CSRs and returned the digitally signed CA certificates.

Procedure

Step 1 Choose Administration > System > Certificates > Trusted Certificates.
Step 2 Click Import.
Step 3 Click Browse to select the root CA certificate.
Step 4 Enter a Friendly Name.
If you do not enter a Friendly Name, Cisco ISE autopopulates this field with a Friendly Name of the format common-name#issuer#nnnnn, where nnnnn is a unique number. You can edit the certificate again to change the Friendly Name.
Step 5 Choose the root certificate returned by your CA.
Step 6 Check the check boxes next to the services for which you want to use this trusted certificate.
Step 7 Enter a description.
Step 8 Click Submit.

What to Do Next

Import the intermediate CA certificates into the Trusted Certificates store (if applicable).

Certificate Chain Import

You can import multiple certificates from a single file that contains a certificate chain received from a Certificate store. All certificates in the file must be in Privacy-Enhanced Mail (PEM) format, and the certificates must be arranged in the following order:

• The last certificate in the file must be the client or server certificate being issued by the CA.
• All preceding certificates must be the root CA certificate plus any intermediate CA certificates in the signing chain for the issued certificate.

Importing a certificate chain is a two-step process:

1. Import the certificate chain file into the Trusted Certificate Store in the Admin portal. This operation imports all certificates from the file except the last one into the Trusted Certificates Store.
2. Import the certificate chain file using the Bind a CA-Signed Certificate operation. This operation imports the last certificate from the file as a local certificate.

Certificate Signing Requests

For a certificate authority (CA) to issue a signed certificate, you must create a certificate signing request (CSR) and submit it to the CA.

The list of Certificate Signing Requests (CSRs) that you have created is available in the Certificate Signing Requests page. To obtain signatures from a Certificate Authority (CA), you must export the CSRs and then send the certificates to the CA. The CA signs and returns your certificates.
You can manage the certificates centrally from the Admin portal. You can create CSRs for all nodes in the deployment and export them. Then you should submit the CSRs to a CA, obtain the CA-signed certificates from the CA, import the root and intermediary CA certificates returned by the CA into the Trusted Certificates Store, and bind the CA-signed certificates to the CSRs.

Create a Certificate Signing Request and Submit the CSR to a Certificate Authority

You can generate a certificate signing request (CSR) to obtain a CA-signed certificate for the nodes in your deployment. You can generate the CSR for select nodes in the deployment or for all the nodes in your deployment.