Cisco Identity Services Engine Administrator Guide, Release 1.3

LDAP
◦ User account is restricted (disabled, locked out, expired, password expired, and so on)
◦ Initialization Errors—Use the LDAP server timeout settings to configure the number of seconds that Cisco ISE should wait for a response from an LDAP server before determining that the connection or authentication on that server has failed. Possible reasons for an LDAP server to return an initialization error are:
◦ LDAP is not supported.
◦ The server is down.
◦ The server is out of memory.
◦ The user has no privileges.
◦ Administrator credentials are configured incorrectly.

The following errors are logged as external resource errors, indicating a possible problem with the LDAP server:
• A connection error occurred
• The timeout expired
• The server is down
• The server is out of memory

The following error is logged as an Unknown User error:
• A user does not exist in the database

The following error is logged as an Invalid Password error, where the user exists but the password sent is invalid:
• An invalid password was entered

LDAP User Lookup

Cisco ISE supports the user lookup feature with an LDAP server. This feature allows you to search for a user in the LDAP database and retrieve information without authentication. The user lookup process includes the following actions:
• Searching the LDAP server for an entry that matches the username in the request
• Retrieving the user's group membership information for use in policies
• Retrieving values for specified attributes for use in policies and authorization profiles

LDAP MAC Address Lookup

Cisco ISE supports the MAC address lookup feature. This feature allows you to search for a MAC address in the LDAP database and retrieve information without authentication. The MAC address lookup process includes the following actions:

Cisco Identity Services Engine Administrator Guide, Release 1.3 275 LDAP
• Searching the LDAP server for an entry that matches the MAC address of the device
• Retrieving MAC address group information for the device for use in policies
• Retrieving values for specified attributes for use in policies

Add LDAP Identity Sources

Before You Begin
• To perform the following task, you must be a Super Admin or System Admin.
• Cisco ISE always uses the primary LDAP server to obtain groups and attributes for use in authorization policies. Therefore, your primary LDAP server must be reachable when you configure these items.

Procedure
Step 1 Choose Administration > Identity Management > External Identity Sources > LDAP > Add.
Step 2 Enter the values as described in LDAP Identity Source Settings.
Step 3 Click Submit to create an LDAP instance.

Configure Primary and Secondary LDAP Servers

After you create an LDAP instance, you must configure the connection settings for the primary LDAP server. Configuring a secondary LDAP server is optional.

Procedure
Step 1 Choose Administration > Identity Management > External Identity Sources > LDAP.
Step 2 Check the check box next to the LDAP instance that you want to edit and click Edit.
Step 3 Click the Connection tab to configure the primary and secondary servers.
Step 4 Enter the values as described in LDAP Identity Source Settings.
Step 5 Click Submit to save the connection parameters.

Enable Cisco ISE to Obtain Attributes from the LDAP Server

For Cisco ISE to obtain user and group data from an LDAP server, you must configure the LDAP directory details in Cisco ISE. For an LDAP identity source, the following three searches are applicable:
• Search for all groups in the group subtree, for administration
• Search for the user in the subject subtree, to locate the user
• Search for the groups in which the user is a member
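As an added example (not code from the Cisco ISE guide or product), the following Python puts the mechanisms above into working form: the user, MAC address and group searches are expressed as LDAP filters with the RFC 4515 escaping that a lookup needs so that a username taken from the request cannot rewrite the filter, and the outcome of a bind is mapped onto the error classes listed at the start of this section (external resource error, Unknown User, Invalid Password, restricted account, initialization error). The attribute names (sAMAccountName, cn, member), the MAC spelling stored in the directory, and the Active Directory "data NNN" diagnostic codes are assumptions about a typical directory, not something the guide specifies.

```python
# Added example (not Cisco ISE code). Assumptions: attribute names, the
# directory's MAC spelling, and AD-style "data NNN" bind diagnostics.
import re

# Characters that RFC 4515 requires to be escaped inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value before embedding it in an LDAP search filter.
    Without this a username such as '*)(objectClass=*' would rewrite the
    filter (LDAP injection) instead of being matched literally."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def user_lookup_filter(username: str, name_attr: str = "sAMAccountName") -> str:
    """Search the subject subtree for the entry matching the request's username."""
    return f"(&(objectClass=person)({name_attr}={escape_filter_value(username)}))"


def mac_lookup_filter(mac: str, name_attr: str = "cn") -> str:
    """Search for the entry matching a device MAC address. Endpoints report
    MACs in several spellings (00-1A-..., 001a.2b3c..., 00:1a:...); normalise
    to the form assumed to be stored in the directory before matching."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    normalised = ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2)).lower()
    return f"({name_attr}={escape_filter_value(normalised)})"


def group_membership_filter(user_dn: str, member_attr: str = "member") -> str:
    """Search the group subtree for the groups in which the user is a member."""
    return f"(&(objectClass=group)({member_attr}={escape_filter_value(user_dn)}))"


# Outcome classes the guide describes for an LDAP identity source.
SUCCESS = "success"
EXTERNAL_RESOURCE_ERROR = "external resource error"
UNKNOWN_USER = "unknown user"
INVALID_PASSWORD = "invalid password"
USER_RESTRICTED = "user account restricted"
INITIALIZATION_ERROR = "initialization error"

# Active Directory answers every failed bind with resultCode 49
# (invalidCredentials) and puts the real reason in the diagnostic message
# as "data NNN"; a generic LDAP server gives only the result code.
_AD_DATA_CODES = {
    "525": UNKNOWN_USER,
    "52e": INVALID_PASSWORD,
    "530": USER_RESTRICTED,  # logon not permitted at this time
    "531": USER_RESTRICTED,  # logon not permitted at this workstation
    "532": USER_RESTRICTED,  # password expired
    "533": USER_RESTRICTED,  # account disabled
    "701": USER_RESTRICTED,  # account expired
    "773": USER_RESTRICTED,  # user must reset password
    "775": USER_RESTRICTED,  # account locked out
}


def classify_bind_result(result_code, diagnostic: str = "", transport_error=None) -> str:
    """Map one bind attempt onto the error class Cisco ISE would log.

    transport_error: "timeout", "connection refused" and so on, when no LDAP
    result arrived at all; these are external resource errors.
    result_code: the LDAP resultCode (0 success, 32 noSuchObject,
    49 invalidCredentials, 50 insufficientAccessRights, 51 busy, 52 unavailable).
    diagnostic: the server's diagnosticMessage, if any."""
    if transport_error is not None:
        return EXTERNAL_RESOURCE_ERROR
    if result_code == 0:
        return SUCCESS
    if result_code in (51, 52):
        return EXTERNAL_RESOURCE_ERROR
    if result_code == 32:
        return UNKNOWN_USER
    if result_code == 49:
        match = re.search(r"data ([0-9a-f]{3})", diagnostic)
        if match and match.group(1) in _AD_DATA_CODES:
            return _AD_DATA_CODES[match.group(1)]
        return INVALID_PASSWORD  # user exists, password wrong (generic LDAP)
    # e.g. 50: the administrator bind has no privileges, or other setup faults
    return INITIALIZATION_ERROR
```

The escaping is the security-relevant step: the username arrives straight from the access request, and a directory that matches it against an unescaped filter can be steered to return a different entry, and with it different group memberships. The classifier matters for identity source sequences, because only an Unknown User outcome should let the sequence move on to the next store.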
Procedure
Step 1 Choose Administration > Identity Management > External Identity Sources > LDAP.
Step 2 Check the check box next to the LDAP instance that you want to edit and click Edit.
Step 3 Click the Directory Organization tab.
Step 4 Enter the values as described in LDAP Identity Source Settings.
Step 5 Click Submit to save the configuration.

Retrieve Group Membership Details from the LDAP Server

You can add new groups or select groups from the LDAP directory.

Procedure
Step 1 Choose Administration > Identity Management > External Identity Sources > LDAP.
Step 2 Check the check box next to the LDAP instance that you want to edit and click Edit.
Step 3 Click the Groups tab.
Step 4 Choose Add > Add Group to add a new group, or choose Add > Select Groups From Directory to select the groups from the LDAP directory.
a) If you choose to add a group, enter a name for the new group.
b) If you are selecting from the directory, enter the filter criteria and click Retrieve Groups. Your search criteria can contain the asterisk (*) wildcard character.
Step 5 Check the check boxes next to the groups that you want to select and click OK. The groups that you have selected appear in the Groups page.
Step 6 Click Submit to save the group selection.

Note: Active Directory built-in groups are not supported when Active Directory is configured as an LDAP identity store in Cisco ISE. Membership in a built-in primary group such as Domain Users is expressed through the user's primaryGroupID rather than the group's member attribute, so an LDAP group search does not find it; use the Active Directory identity source if you need those groups.

Retrieve User Attributes From the LDAP Server

You can obtain user attributes from the LDAP server for use in authorization policies.
Procedure
Step 1 Choose Administration > Identity Management > External Identity Sources > LDAP.
Step 2 Check the check box next to the LDAP instance that you want to edit and click Edit.
Step 3 Click the Attributes tab.
Step 4 Choose Add > Add Attribute to add a new attribute, or choose Add > Select Attributes From Directory to select attributes from the LDAP server.
a) If you choose to add an attribute, enter a name for the new attribute.
b) If you are selecting from the directory, enter an example user and click Retrieve Attributes to retrieve that user's attributes. You can use the asterisk (*) wildcard character.
Step 5 Check the check boxes next to the attributes that you want to select, then click OK.
Step 6 Click Submit to save the attribute selections.

Enable Secure Authentication with LDAP Identity Source

When you choose the Secure Authentication option in the LDAP configuration page, Cisco ISE uses SSL to secure communication with the LDAP identity source. The secure connection to the LDAP identity source is established using:
• SSL tunnel—Using SSLv3 or TLSv1 (the strongest version supported by the LDAP server)
• Server authentication (authentication of the LDAP server)—Certificate based
• Client authentication (authentication of Cisco ISE)—None (the administrator bind is used inside the SSL tunnel)
• Cipher suites—All cipher suites supported by Cisco ISE

We recommend that you use TLSv1 with the strongest encryption and ciphers that Cisco ISE supports. SSLv3 has been broken since the POODLE attack (2014); disable it on the LDAP server so that the negotiation cannot fall back to it. Note also what Secure Authentication protects: without it, the administrator bind DN and password of a simple bind cross the network in clear text on TCP port 389 and the directory is not authenticated at all, so an attacker on the path can both read the bind credentials and impersonate the directory to Cisco ISE.

To enable Cisco ISE to communicate securely with the LDAP identity source:

Before You Begin
• Cisco ISE must be connected to an LDAP server.
• TCP port 636 (LDAPS) should be open between Cisco ISE and the LDAP server.

Procedure
Step 1 Import the full Certificate Authority (CA) chain of the CA that issued the server certificate to the LDAP server into Cisco ISE (Administration > System > Certificates > Trusted Certificates). The full CA chain refers to the root CA and intermediate CA certificates, not the LDAP server certificate itself. Before importing, you can confirm that the chain you were given actually validates the server certificate with openssl verify -CAfile chain.pem server.pem (the file names are placeholders); a chain that is missing an intermediate fails there and will also fail in Cisco ISE.
Step 2 Configure Cisco ISE to use secure authentication when communicating with the LDAP identity source (Administration > Identity Management > External Identity Sources > LDAP; be sure to check the Secure Authentication check box in the Connection Settings tab).
Step 3 Select the root CA certificate in the LDAP identity store.

RADIUS Token Identity Sources

A server that supports the RADIUS protocol and provides authentication, authorization, and accounting (AAA) services to users and devices is called a RADIUS server. A RADIUS identity source is simply an external identity source that contains a collection of subjects and their credentials and uses the RADIUS protocol for communication. For example, the SafeWord token server is an identity source that can contain several users and their credentials as one-time passwords, and that provides an interface you can query using the RADIUS protocol.

Cisco ISE supports any RFC 2865-compliant RADIUS server as an external identity source. Cisco ISE supports multiple RADIUS token server identities, for example the RSA SecurID server and the SafeWord server. RADIUS identity sources can work with any RADIUS token server that is used to authenticate a user. RADIUS identity sources use a single User Datagram Protocol (UDP) port for authentication sessions; the same UDP port is used for all RADIUS communication (1812 by default per RFC 2865, although some older servers still listen on 1645).

RADIUS Token Server Supported Authentication Protocols

Cisco ISE supports the following authentication protocols for RADIUS identity sources:
• RADIUS PAP
• Protected Extensible Authentication Protocol (PEAP) with inner Extensible Authentication Protocol-Generic Token Card (EAP-GTC)
• EAP-FAST with inner EAP-GTC

All three deliver the one-time passcode to Cisco ISE in a form that can be forwarded to the token server (PAP directly, EAP-GTC inside the protected tunnel); hash-based methods such as MS-CHAPv2 cannot be relayed this way, which is why they are not listed.

Ports Used by the RADIUS Token Servers for Communication

RADIUS token servers use the UDP port for authentication sessions. This port is used for all RADIUS communication. For Cisco ISE to send RADIUS one-time password (OTP) messages to a RADIUS-enabled token server, you must ensure that the gateway devices (firewalls) between Cisco ISE and the RADIUS-enabled token server allow communication over this UDP port. You can configure the UDP port through the Admin portal.
RADIUS Shared Secret

You must provide a shared secret while configuring RADIUS identity sources in Cisco ISE. This shared secret must be the same as the shared secret that is configured on the RADIUS token server. The shared secret is the only thing protecting the passcode carried in the User-Password attribute (RFC 2865 hides it with an MD5 keystream derived from the secret) and the only thing authenticating the token server's replies, so use a long, random secret that is unique to this token server rather than a reused or dictionary value.
Failover in RADIUS Token Servers

Cisco ISE allows you to configure multiple RADIUS identity sources. Each RADIUS identity source can have primary and secondary RADIUS servers. When Cisco ISE is unable to connect to the primary server, it uses the secondary server.

Configurable Password Prompt in RADIUS Token Servers

RADIUS identity sources allow you to configure the password prompt. You can configure the password prompt through the Admin portal.

RADIUS Token Server User Authentication

Cisco ISE obtains the user credentials (username and passcode) and passes them to the RADIUS token server. Cisco ISE also relays the results of the RADIUS token server authentication processing to the user.

User Attribute Cache in RADIUS Token Servers

RADIUS token servers, by default, do not support user lookups. However, the user lookup functionality is essential for the following Cisco ISE features:
• PEAP session resume—This feature allows the PEAP session to resume after successful authentication during EAP session establishment.
• EAP-FAST fast reconnect—This feature allows fast reconnection after successful authentication during EAP session establishment.

Cisco ISE caches the results of successful authentications to process user lookup requests for these features. For every successful authentication, the name of the authenticated user and the retrieved attributes are cached. Failed authentications are not written to the cache.

The cache is held in memory at runtime and is not replicated between Cisco ISE nodes in a distributed deployment, so a session resume or fast reconnect that lands on a different Policy Service node than the original authentication will not find the cached entry. You can configure the Time to Live (TTL) limit for the cache through the Admin portal: you must enable the identity caching option and set the aging time in minutes. An entry stays in memory for the specified amount of time.
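As an added example (not Cisco ISE code), the following Python models the cache described above: only successful authentications are stored, entries carry the configured aging time in minutes, a lookup after that time misses, and, because nothing is replicated, a lookup on a node that did not see the original authentication also misses. The class and method names, and the injectable clock used so the aging can be exercised offline, are assumptions of this example.

```python
# Added example, not Cisco ISE code. Class/method names and the injectable
# clock are assumptions made so the aging behaviour can be exercised offline.
import time
from typing import Callable, Dict, Optional, Tuple


class UserAttributeCache:
    """Per-node, in-memory cache of the username and attributes returned with
    an Access-Accept, so that a later user lookup (PEAP session resume,
    EAP-FAST fast reconnect) can be answered without a second authentication."""

    def __init__(self, aging_minutes: int, enabled: bool = True,
                 clock: Callable[[], float] = time.monotonic) -> None:
        if aging_minutes <= 0:
            raise ValueError("aging time must be a positive number of minutes")
        self._ttl_seconds = aging_minutes * 60.0
        self._enabled = enabled
        self._clock = clock
        # username -> (expiry timestamp, attributes)
        self._entries: Dict[str, Tuple[float, Dict[str, str]]] = {}

    def record_result(self, username: str, accepted: bool,
                      attributes: Dict[str, str]) -> bool:
        """Record one authentication outcome; returns True if it was cached.
        Rejected authentications are never written, so a wrong passcode can
        never satisfy a later lookup."""
        if not self._enabled or not accepted:
            return False
        self._entries[username] = (self._clock() + self._ttl_seconds, dict(attributes))
        return True

    def lookup(self, username: str) -> Optional[Dict[str, str]]:
        """Answer a user lookup from the cache. None means 'not found', which is
        also the answer on any node other than the one that authenticated the
        user, because the cache is not replicated in a distributed deployment."""
        entry = self._entries.get(username)
        if entry is None:
            return None
        expires_at, attributes = entry
        if self._clock() >= expires_at:
            del self._entries[username]  # aged out
            return None
        return dict(attributes)

    def purge_expired(self) -> int:
        """Drop every aged-out entry; returns how many were removed."""
        now = self._clock()
        stale = [u for u, (expires_at, _) in self._entries.items() if now >= expires_at]
        for username in stale:
            del self._entries[username]
        return len(stale)
```

The aging time is a trade-off the operator makes explicitly: a longer TTL lets more resumes and fast reconnects succeed without a fresh passcode, but it also lengthens the window in which a cached identity can be resumed after the token itself has been revoked on the token server.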
RADIUS Identity Source in Identity Sequence

You can add the RADIUS identity source to the authentication sequence of an identity source sequence. However, you cannot add the RADIUS identity source to the attribute retrieval sequence, because you cannot query the RADIUS identity source without authentication. Cisco ISE cannot distinguish among different errors while authenticating with a RADIUS server, because RADIUS servers return an Access-Reject message for all errors. For example, when a user is not found in the RADIUS server, instead of returning a User Unknown status, the RADIUS server returns an Access-Reject message.

RADIUS Server Returns the Same Message for All Errors

When a user is not found in the RADIUS server, the RADIUS server returns an Access-Reject message. Cisco ISE provides an option, configured through the Admin portal, to interpret this message as either an Authentication Failed or a User Not Found result. However, this option returns a User Not Found result not only for cases where the user is not known, but for all failure cases. This matters in an identity source sequence: User Not Found lets the sequence continue to the next identity store, so with that setting a wrong passcode is also retried against the next store in the sequence, whereas Authentication Failed stops there.

The following table lists the different failure cases that are possible with RADIUS identity servers.

Table 17: Error Handling

Failure case: Authentication Failed
Reasons for failure:
• User is unknown.
• User attempts to log in with an incorrect passcode.
• User login hours expired.

Failure case: Process Failed
Reasons for failure:
• RADIUS server is configured incorrectly in Cisco ISE.
• RADIUS server is unavailable.
• RADIUS packet is detected as malformed.
• Problem during sending or receiving a packet from the RADIUS server.
• Timeout.

Failure case: Unknown User
Reason for failure:
• Authentication failed and the Fail on Reject option is set to false.

SafeWord Server Supports Special Username Format

The SafeWord token server supports authentication with the following username format:

Username—Username,OTP

As soon as Cisco ISE receives the authentication request, it parses the username and converts it to the following username:

Username—Username

The SafeWord token servers support both of these formats. Cisco ISE works with various token servers. While configuring a SafeWord server, you must check the SafeWord Server check box in the Admin portal for Cisco ISE to parse the username and convert it to the specified format. This conversion is done in the RADIUS token server identity source before the request is sent to the RADIUS token server.

Authentication Request and Response in RADIUS Token Servers

When Cisco ISE forwards an authentication request to a RADIUS-enabled token server, the RADIUS authentication request contains the following attributes:
• User-Name (RADIUS attribute 1)
• User-Password (RADIUS attribute 2)
• NAS-IP-Address (RADIUS attribute 4)

Cisco ISE expects to receive any one of the following responses:
• Access-Accept—No attributes are required; however, the response can contain a variety of attributes based on the RADIUS token server configuration.
• Access-Reject—No attributes are required.
• Access-Challenge—The attributes that are required per the RADIUS RFC (RFC 2865) are the following:
◦ State (RADIUS attribute 24)
◦ Reply-Message (RADIUS attribute 18)
◦ One or more of the following attributes: Vendor-Specific (RADIUS attribute 26), Idle-Timeout (RADIUS attribute 28), Session-Timeout (RADIUS attribute 27), Proxy-State (RADIUS attribute 33)

No other attributes are allowed in an Access-Challenge.

Add a RADIUS Token Server

Before You Begin
To perform the following task, you must be a Super Admin or System Admin.

Procedure
Step 1 Choose Administration > Identity Management > External Identity Sources > RADIUS Token > Add.
Step 2 Enter the values in the General and Connection tabs.
Step 3 Click the Authentication tab.
This tab allows you to control the response to an Access-Reject message from the RADIUS token server. That message could mean either that the credentials are invalid or that the user is not known, and Cisco ISE maps it to one of the following results: Failed authentication or User not found. This tab also allows you to enable identity caching and to set the aging time for the cache. You can also configure a prompt to request the password.
a) Click the Treat Rejects as 'authentication failed' radio button if you want the Access-Reject response from the RADIUS token server to be treated as a failed authentication.
b) Click the Treat Rejects as 'user not found' radio button if you want the Access-Reject response from the RADIUS token server to be treated as an unknown user failure.
Step 4 Click the Authorization tab.
This tab allows you to configure the name under which the attribute returned by the RADIUS token server in its Access-Accept response appears in Cisco ISE. This attribute can be used in authorization policy conditions. The default value is CiscoSecure-Group-Id.
Step 5 Click Submit.
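The request and response exchange described above, as an added example that is not Cisco ISE's code or any RFC reference implementation: a Python client side that builds the Access-Request with exactly the three attributes listed (User-Name, User-Password, NAS-IP-Address), hides the passcode with the RFC 2865 shared-secret scheme, verifies a reply's Response Authenticator before trusting it, and applies the Access-Challenge attribute rules above to a parsed reply. It also includes the SafeWord "Username,OTP" to "Username" conversion described earlier. The shared secret, identifier, addresses and the sample challenge used in the test are constructed values; a real token server sets its own Reply-Message and State.

```python
# Added example, not Cisco ISE or RFC reference code. Shared secret, NAS
# address and the sample challenge below are constructed for illustration.
import hashlib, hmac, ipaddress, os, struct
from typing import Dict, List, Optional, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4            # sent by Cisco ISE
REPLY_MESSAGE, STATE, VENDOR_SPECIFIC = 18, 24, 26
SESSION_TIMEOUT, IDLE_TIMEOUT, PROXY_STATE = 27, 28, 33

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-octet blocks, XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request
    Authenticator. The passcode's confidentiality rests on the shared secret."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out

def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """The token server's side of hide_password."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def encode_attributes(attrs: List[Tuple[int, bytes]]) -> bytes:
    body = b""
    for attr_type, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        body += struct.pack("!BB", attr_type, len(value) + 2) + value
    return body

def build_access_request(identifier: int, username: str, passcode: str, nas_ip: str,
                         secret: bytes, authenticator: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """The Access-Request Cisco ISE sends; returns (packet, request_authenticator)."""
    authenticator = authenticator or os.urandom(16)   # fresh and unpredictable per request
    body = encode_attributes([
        (USER_NAME, username.encode()),
        (USER_PASSWORD, hide_password(passcode.encode(), secret, authenticator)),
        (NAS_IP_ADDRESS, ipaddress.IPv4Address(nas_ip).packed),
    ])
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body))
    return header + authenticator + body, authenticator

def build_response(code: int, identifier: int, request_authenticator: bytes,
                   attrs: List[Tuple[int, bytes]], secret: bytes) -> bytes:
    """A token server's reply; the Response Authenticator binds it to the
    request and to the shared secret (RFC 2865 section 3)."""
    body = encode_attributes(attrs)
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    return header + hashlib.md5(header + request_authenticator + body + secret).digest() + body

def parse_packet(packet: bytes) -> Tuple[int, int, bytes, Dict[int, List[bytes]]]:
    """Return (code, identifier, authenticator, {type: [values]}); raise on malformed input."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        raise ValueError("malformed RADIUS packet (bad Length)")
    attrs: Dict[int, List[bytes]] = {}
    pos = 20
    while pos < len(packet):
        attr_len = packet[pos + 1] if pos + 1 < len(packet) else 0
        if attr_len < 2 or pos + attr_len > len(packet):
            raise ValueError("malformed attribute")
        attrs.setdefault(packet[pos], []).append(packet[pos + 2:pos + attr_len])
        pos += attr_len
    return packet[0], packet[1], packet[4:20], attrs

def verify_response(packet: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """A reply whose Response Authenticator fails this check is dropped,
    never treated as an accept, reject or challenge."""
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])

_CHALLENGE_REQUIRED = {STATE, REPLY_MESSAGE}
_CHALLENGE_ONE_OF = {VENDOR_SPECIFIC, IDLE_TIMEOUT, SESSION_TIMEOUT, PROXY_STATE}

def check_access_challenge(attrs: Dict[int, List[bytes]]) -> List[str]:
    """Apply the Access-Challenge attribute rules listed above; empty list = acceptable."""
    present = set(attrs)
    problems = [f"missing required attribute {t}" for t in sorted(_CHALLENGE_REQUIRED - present)]
    if not (_CHALLENGE_ONE_OF & present):
        problems.append("needs one of Vendor-Specific/Idle-Timeout/Session-Timeout/Proxy-State")
    problems += [f"attribute {t} is not allowed in Access-Challenge"
                 for t in sorted(present - _CHALLENGE_REQUIRED - _CHALLENGE_ONE_OF)]
    return problems

def safeword_username(user_name: str) -> str:
    """SafeWord servers accept 'Username,OTP'; with the SafeWord Server box
    checked, Cisco ISE converts it to 'Username' before forwarding."""
    return user_name.split(",", 1)[0]
```

verify_response is the check to run before anything else: an attacker on the UDP path who does not know the secret cannot forge a reply that passes it, and a reply that fails must be discarded rather than counted as a reject, which under the "Treat Rejects as user not found" setting would otherwise push an identity source sequence on to the next store. The parse step treats a bad Length field or an attribute running past the packet as the "RADIUS packet is detected as malformed" case of Table 17.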
Delete a RADIUS Token Server

Before You Begin
• To perform the following task, you must be a Super Admin or System Admin.
• Ensure that you do not select RADIUS token servers that are part of an identity source sequence. If you select a RADIUS token server that is part of an identity source sequence for deletion, the delete operation fails.

Procedure
Step 1 Choose Administration > Identity Management > External Identity Sources > RADIUS Token.
Step 2 Check the check box next to the RADIUS token server or servers that you want to delete, then click Delete.
Step 3 Click OK to delete the RADIUS token server or servers that you have selected.
If you select multiple RADIUS token servers for deletion and one of them is used in an identity source sequence, the delete operation fails and none of the RADIUS token servers are deleted.

RSA Identity Sources

Cisco ISE supports the RSA SecurID server as an external database. RSA SecurID two-factor authentication consists of the PIN of the user and an individually registered RSA SecurID token that generates single-use token codes based on a time code algorithm. A different token code is generated at fixed intervals (usually every 30 or 60 seconds). The RSA SecurID server validates this dynamic authentication code. Each RSA SecurID token is unique, and it is not possible to predict the value of a future token code from past ones. Thus, when a correct token code is supplied together with a PIN, there is a high degree of certainty that the person is a valid user. Therefore, RSA SecurID servers provide a more reliable authentication mechanism than conventional reusable passwords.

Cisco ISE supports the following RSA identity sources:
• RSA ACE/Server 6.x series
• RSA Authentication Manager 7.x and 8.0 series

You can integrate with RSA SecurID authentication technology in either of the following ways:
• Using the RSA SecurID agent—Users are authenticated with their username and passcode through the RSA native protocol.
• Using the RADIUS protocol—Users are authenticated with their username and passcode through the RADIUS protocol.

The RSA SecurID token server in Cisco ISE connects with the RSA SecurID authentication technology by using the RSA SecurID Agent.
Cisco ISE supports only one RSA realm.

Cisco ISE and RSA SecurID Server Integration

These are the two administrative roles involved in connecting Cisco ISE with an RSA SecurID server:
• RSA Server Administrator—Configures and maintains RSA systems and the integration
• Cisco ISE Administrator—Configures Cisco ISE to connect to the RSA SecurID server and maintains the configuration

This section describes the processes that are involved in connecting Cisco ISE with the RSA SecurID server as an external identity source. For more information on RSA servers, refer to the RSA documentation.

RSA Configuration in Cisco ISE

The RSA administrative system generates an sdconf.rec file, which the RSA system administrator provides to you. This file allows you to add Cisco ISE servers as RSA SecurID agents in the realm. You browse to this file and add it to Cisco ISE. By the process of replication, the primary Cisco ISE server distributes this file to all the secondary servers.

RSA Agent Authentication Against the RSA SecurID Server

After the sdconf.rec file is installed on all Cisco ISE servers, the RSA agent module initializes, and authentication with RSA-generated credentials proceeds on each of the Cisco ISE servers. After the agent on each of the Cisco ISE servers in a deployment has successfully authenticated, the RSA server and the agent module together download the securid file. This file is the node secret established between the agent and the RSA server and should be treated as a credential; it resides in the Cisco ISE file system in a well-known place defined by the RSA agent.

RSA Identity Sources in a Distributed Cisco ISE Environment

Managing RSA identity sources in a distributed Cisco ISE environment involves the following:
• Distributing the sdconf.rec and sdopts.rec files from the primary server to the secondary servers.
• Deleting the securid and sdstatus.12 files.
RSA Server Updates in a Cisco ISE Deployment

After you have added the sdconf.rec file in Cisco ISE, the RSA SecurID administrator might update the sdconf.rec file when decommissioning an RSA server or adding a new RSA secondary server. The RSA SecurID administrator will provide you with an updated file. You can then reconfigure Cisco ISE with the updated file. The replication process in Cisco ISE distributes the updated file to the secondary Cisco ISE servers in the deployment. Cisco ISE first updates the file in the file system and then coordinates with the RSA agent module to phase the restart process appropriately. When the sdconf.rec file is updated, the sdstatus.12 and securid files are reset (deleted).

Override Automatic RSA Routing

You can have more than one RSA server in a realm. The sdopts.rec file performs the role of a load balancer. Cisco ISE servers and RSA SecurID servers operate through the agent module. The agent module that resides