Cisco Ise 13 User Guide
Create External Identity Sources

Cisco ISE can connect with external identity sources such as Active Directory, LDAP, RADIUS Token, and RSA SecurID servers to obtain user information for authentication and authorization. External identity sources also include certificate authentication profiles that you need for certificate-based authentications.

Procedure

Step 1 Choose Administration > Identity Management > External Identity Sources.
Step 2 Choose one of these options:
• Certificate Authentication Profile for certificate-based authentications.
• Active Directory to connect to an Active Directory as an external identity source (see Active Directory as an External Identity Source, on page 249 for more details).
• LDAP to add an LDAP identity source (see LDAP, on page 271 for more details).
• RADIUS Token to add a RADIUS Token server (see RADIUS Token Identity Sources, on page 279 for more details).
• RSA SecurID to add an RSA SecurID server (see RSA Identity Sources, on page 283 for more details).

Create Identity Source Sequences

Before You Begin

Ensure that you have configured your external identity sources in Cisco ISE.
To perform the following task, you must be a Super Admin or System Admin.
To allow guest users to authenticate through Local WebAuth, you must configure both the Guest Portal authentication source and the identity source sequence to contain the same identity stores.

Procedure

Step 1 Choose Administration > Identity Management > Identity Source Sequences > Add.
Step 2 Enter a name for the identity source sequence. You can also enter an optional description.
Step 3 Check the Select Certificate Authentication Profile check box and choose a certificate authentication profile for certificate-based authentication.
Step 4 Choose the database or databases that you want to include in the identity source sequence in the Selected List box.
Step 5 Rearrange the databases in the Selected list in the order in which you want Cisco ISE to search the databases.
Step 6 Choose one of the following options in the Advanced Search List area:

Cisco Identity Services Engine Administrator Guide, Release 1.3 345 Device Portals Configuration Tasks
• Do not access other stores in the sequence and set the AuthenticationStatus attribute to ProcessError—If you want Cisco ISE to discontinue the search if the user is not found in the first selected identity source.
• Treat as if the user was not found and proceed to the next store in the sequence—If you want Cisco ISE to continue searching the other selected identity sources in sequence if the user is not found in the first selected identity source.
While processing a request, Cisco ISE searches these identity sources in sequence. Ensure that you have the identity sources in the Selected list box listed in the order in which you want Cisco ISE to search them.
Step 7 Click Submit to create the identity source sequence that you can then use in policies.

Create Endpoint Identity Groups

Cisco ISE groups endpoints that it discovers into the corresponding endpoint identity groups. Cisco ISE comes with several system-defined endpoint identity groups. You can also create additional endpoint identity groups from the Endpoint Identity Groups page. You can edit or delete the endpoint identity groups that you have created. You can only edit the description of the system-defined endpoint identity groups; you cannot edit the name of these groups or delete them.

Procedure

Step 1 Choose Administration > Identity Management > Groups > Endpoint Identity Groups.
Step 2 Click Add.
Step 3 Enter the name for the endpoint identity group that you want to create (do not include spaces in the name of the endpoint identity group).
Step 4 Enter the description for the endpoint identity group that you want to create.
Step 5 Click the Parent Group drop-down list to choose an endpoint identity group to which you want to associate the newly created endpoint identity group.
Step 6 Click Submit.

Edit the Blacklist Portal

Cisco ISE provides a single Blacklist portal that displays information when a lost or stolen device that is blacklisted in Cisco ISE is attempting to access your corporate network.
You can only edit the default portal settings and customize the default message that displays for the portal. You cannot create a new Blacklist portal, or duplicate or delete the default portal.

Before You Begin

Ensure that you have the required certificates configured for use with this portal.
Procedure

Step 1 Choose Administration > Device Portal Management > Blacklist Portal > Edit.
Step 2 Provide a unique Portal Name and a Description for the portal.
Ensure that the portal name that you use here is not used for any other end-user portals.
Step 3 Use the Languages menu to export and import language files to use with the portal.
Step 4 Update the default values for certificate group tags, languages and so on in Portal Settings, and define behavior that applies to the overall portal.
• HTTPS port—Enter a port value between 8000 and 8999; the default value is 8443 for all the default portals, except the Blacklist Portal, which is 8444. If you upgraded with port values outside this range, they are honored until you modify this page. If you modify this page, update the port setting to comply with this restriction.
If you assign ports used by a non-guest (such as My Devices) portal to a guest portal, an error message displays.
For posture assessments and remediation only, the Client Provisioning portal also uses ports 8905 and 8909. Otherwise, it uses the same ports assigned to the Guest portal.
Portals assigned to the same HTTPS port can use the same Gigabit Ethernet interface or another interface. If they use the same port and interface combination, they must use the same certificate group tag. For example:
◦ Valid combinations include, using the Sponsor portal as an example:
◦ Sponsor portal: Port 8443, Interface 0, Certificate group A and My Devices portal: Port 8443, Interface 0, Certificate group A.
◦ Sponsor portal: Port 8443, Interface 0, Certificate group A and My Devices portal: Port 8445, Interface 0, Certificate group B.
◦ Sponsor portal: Port 8444, Interface 1, Certificate group A and Blacklist portal: Port 8444, Interface 0, Certificate group B.
◦ Invalid combinations include:
◦ Sponsor portal: Port 8443, Interface 0, Certificate group A and My Devices portal: Port 8443, Interface 0, Certificate group B.
◦ Sponsor portal: Port 8444, Interface 0, Certificate group A and Blacklist portal: Port 8444, Interface 0, Certificate group A.
• Allowed interfaces—Select the PSN interfaces which a PAN can use to run a portal. When a request to open a portal is made on the PAN, the PAN looks for an available allowed port on the PSN. You must configure the Ethernet interfaces using IP addresses on different subnets.
These interfaces must be available on all the PSNs, including VM-based ones, that have Policy Services turned on. This is a requirement because any of these PSNs can be used for the redirect at the start of the guest session.
◦ The Ethernet interfaces must use IP addresses on different subnets.
◦ The interfaces you enable here must be available on all your PSNs, including VM-based ones, when Policy Services is turned on. This is required because any of these PSNs can be used for a redirect at the start of the guest session.
◦ The portal certificate Subject Name/Alternate Subject Name must resolve to the interface IP.
◦ Configure ip host x.x.x.x yyy.domain.com in the ISE CLI to map the secondary interface IP to an FQDN, which is used to match the certificate Subject Name/Alternate Subject Name.
• Certificate group tag—Pick a certificate group tag that specifies the certificate to use for the portal's HTTPS traffic.
• Display Language
◦ Use browser locale—Use the language specified in the client browser's locale setting as the display language of the portal. If the browser locale's language is not supported by ISE, then the Fallback Language is used as the portal language.
◦ Fallback language—Choose the language to use when the language cannot be obtained from the browser locale, or if the browser locale language is not supported by ISE.
◦ Always use—Choose the display language to use for the portal. This setting overrides the Use browser locale option.
SSIDs available to sponsors—Enter the names or the SSIDs (Session Service Identifiers) of the networks that a sponsor can notify guests are the correct networks to connect to for their visit.
Step 5 On the Portal Page Customization tab, customize the page title and message text that appears in the portal when an unauthorized device is attempting to gain access to the network.
Step 6 Click Save and then Close.

Create a BYOD Portal

You can provide a Bring Your Own Device (BYOD) portal to enable employees to register their personal devices, so that registration and supplicant configuration can be done before allowing access to the network.
You can create a new BYOD portal, or you can edit or duplicate an existing one. You can delete any BYOD portal, including the default portal provided by Cisco ISE.
Any changes that you make to the Page Settings on the Portal Behavior and Flow Settings tab are reflected in the graphical flow in the device portal flow diagram. If you enable a page, such as the Support Information page, it appears in the flow and the employee will experience it in the portal. If you disable it, it is removed from the flow.
Before You Begin

Ensure that you have the required certificates and endpoint identity groups configured for use with this portal.
Procedure

Step 1 Choose Administration > Device Portal Management > BYOD Portals > Create, Edit or Duplicate.
Step 2 Provide a unique Portal Name and a Description for the portal.
Ensure that the portal name that you use here is not used for any other end-user portals.
Step 3 Use the Language File drop-down menu to export and import language files to use with the portal.
Step 4 Update the default values for ports, certificate group tags, endpoint identity groups and so on in Portal Settings, and define behavior that applies to the overall portal.
Step 5 Update the Support Information Page Settings to help employees provide information that the Help Desk can use to troubleshoot network access issues.
Step 6 On the Portal Page Customization tab, customize the Content Area message text that appears on the following pages during the provisioning process:
• BYOD Welcome page:
◦ Device Configuration Required—When the device is redirected to the BYOD portal for the first time and requires certificate provisioning.
◦ Certificate Needs Renewal—When the previous certificate needs to be renewed.
• BYOD Device Information page:
◦ Maximum Devices Reached—When the maximum limit of devices that an employee can register is reached.
◦ Required Device Information—When requesting device information that is required to enable an employee to register the device.
• BYOD Installation page:
◦ Desktop Installation—When providing installation information for a desktop device.
◦ iOS Installation—When providing installation instructions for an iOS mobile device.
◦ Android Installation—When providing installation instructions for an Android mobile device.
• BYOD Success page:
◦ Success—When the device is configured and automatically connected to the network.
◦ Success: Manual Instructions—When the device is successfully configured and an employee must manually connect to the network.
◦ Success: Unsupported Device—When an unsupported device is allowed to connect to the network.
Step 7 Click Save and then Close.

What to Do Next

You must authorize the portal in order to use it. You can also customize your portal either before or after you authorize it for use.
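Step 4 of the BYOD procedure (and of the other device portal procedures) reuses the Portal Settings port rules spelled out under Edit the Blacklist Portal: the HTTPS port must fall in 8000 to 8999, the portal name must be unique across end-user portals, and portals sharing the same port and interface must use the same certificate group tag. The following script is an added example, not Cisco's code and not something ISE exposes; it mirrors those three rules so a planned set of portal listeners can be checked offline before a change window. The portal names, ports, interfaces and tags are the combinations listed in the guide plus a constructed legacy case; the guest versus non-guest port sharing restriction is not modeled because the page does not define which portals count as guest portals, so the guide's second invalid combination (Sponsor and Blacklist both on port 8444, interface 0, the same tag) is deliberately left unflagged.

```python
"""Added example (not Cisco ISE code): offline check of portal listener
settings against the Portal Settings rules quoted in this guide."""
from collections import defaultdict
from dataclasses import dataclass

PORT_MIN, PORT_MAX = 8000, 8999  # allowed HTTPS port range for end-user portals


@dataclass(frozen=True)
class PortalListener:
    name: str            # portal name; must be unique across end-user portals
    port: int            # HTTPS port configured in Portal Settings
    interface: int       # Gigabit Ethernet interface index on the PSN
    cert_group_tag: str  # certificate group tag selected for the HTTPS listener


def check_port_range(listener):
    """True when the port is inside the 8000-8999 range the guide requires."""
    return PORT_MIN <= listener.port <= PORT_MAX


def find_conflicts(portals):
    """Return human-readable problems; an empty list means the set is consistent."""
    problems = []

    # Rule 1: port range (legacy out-of-range ports survive an upgrade only until edited).
    for p in portals:
        if not check_port_range(p):
            problems.append(f"{p.name}: port {p.port} is outside {PORT_MIN}-{PORT_MAX}")

    # Rule 2: portal names must not be reused by another end-user portal.
    seen = set()
    for p in portals:
        if p.name in seen:
            problems.append(f"portal name {p.name!r} is used more than once")
        seen.add(p.name)

    # Rule 3: same port + same interface => same certificate group tag.
    by_listener = defaultdict(list)
    for p in portals:
        by_listener[(p.port, p.interface)].append(p)
    for (port, iface), group in sorted(by_listener.items()):
        tags = {p.cert_group_tag for p in group}
        if len(tags) > 1:
            names = ", ".join(f"{p.name} (tag {p.cert_group_tag})" for p in group)
            problems.append(
                f"port {port} on interface {iface} is shared with different "
                f"certificate group tags: {names}"
            )
    return problems


# Combinations taken from the guide's valid/invalid list.
VALID_1 = [PortalListener("Sponsor", 8443, 0, "A"), PortalListener("MyDevices", 8443, 0, "A")]
VALID_2 = [PortalListener("Sponsor", 8443, 0, "A"), PortalListener("MyDevices", 8445, 0, "B")]
VALID_3 = [PortalListener("Sponsor", 8444, 1, "A"), PortalListener("Blacklist", 8444, 0, "B")]
INVALID_1 = [PortalListener("Sponsor", 8443, 0, "A"), PortalListener("MyDevices", 8443, 0, "B")]
# Listed as invalid in the guide, but the guest/non-guest port rule is not modeled here,
# so this combination is NOT flagged by find_conflicts().
NOT_MODELED = [PortalListener("Sponsor", 8444, 0, "A"), PortalListener("Blacklist", 8444, 0, "A")]
# Constructed cases: an upgraded deployment still on port 443, and a reused portal name.
LEGACY = [PortalListener("Sponsor", 443, 0, "A")]
DUPLICATE_NAME = [PortalListener("Sponsor", 8443, 0, "A"), PortalListener("Sponsor", 8445, 0, "A")]

if __name__ == "__main__":
    cases = [("valid 1", VALID_1), ("valid 2", VALID_2), ("valid 3", VALID_3),
             ("invalid 1", INVALID_1), ("not modeled", NOT_MODELED),
             ("legacy port", LEGACY), ("duplicate name", DUPLICATE_NAME)]
    for label, combo in cases:
        print(f"{label}: {find_conflicts(combo) or 'ok'}")
```

Run it as a script to print the verdict for each case; in practice you would build the PortalListener list from the values you intend to enter in Portal Settings and compare the output with what the ISE UI reports after you save.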
Create a Client Provisioning Portal

You can provide a Client Provisioning portal to enable employees to download either the Cisco AnyConnect posture component or the Cisco NAC agent, which verifies the posture compliance of the device before allowing access to the network.
You can create a new Client Provisioning portal, or you can edit or duplicate an existing one. You can delete any Client Provisioning portal, including the default portal provided by Cisco ISE.
Any changes that you make to the Page Settings on the Portal Behavior and Flow Settings tab are reflected in the graphical flow in the device portal flow diagram. If you enable a page, such as the Support Information page, it appears in the flow and the employee will experience it in the portal. If you disable it, it is removed from the flow.

Before You Begin

Ensure that you have the required certificates and client provisioning policies configured for use with this portal.

Procedure

Step 1 Choose Administration > Device Portal Management > Client Provisioning Portals > Create, Edit or Duplicate.
Step 2 Provide a unique Portal Name and a Description for the portal.
Ensure that the portal name that you use here is not used for any other end-user portals.
Step 3 Use the Language File drop-down menu to export and import language files to use with the portal.
Step 4 Update the default values for ports, certificate group tags, endpoint identity groups and so on in Portal Settings, and define behavior that applies to the overall portal.
Step 5 Update the Support Information Page Settings to help employees provide information that the Help Desk can use to troubleshoot network access issues.
Step 6 On the Portal Page Customization tab, customize the Content Area message text that appears in the Client Provisioning portal during the provisioning process:
a) On the Client Provisioning page:
• Checking, Scanning and Compliant—When the posture agent is successfully installed and checks, scans and verifies that the device is compliant with posture requirements.
• Non-compliant—When the posture agent determines that the device is not compliant with posture requirements.
b) On the Client Provisioning (Agent Not Found) page:
• Agent Not Found—When the posture agent is not detected on the device.
• Manual Installation Instructions—When devices do not have Java or ActiveX software installed on them, instructions on how to manually download and install the posture agent.
• Install, No Java/ActiveX—When devices do not have Java or ActiveX software installed on them, instructions on how to download and install the Java plug-in.
• Agent Installed—When the posture agent is detected on the device, instructions on how to start the posture agent, which checks the device for compliance with posture requirements.
Step 7 Click Save and then Close.

What to Do Next

You must authorize the portal in order to use it. You can also customize your portal either before or after you authorize it for use.

Related Topics

Authorize Portals, on page 314
Customize Device Portals, on page 355

Create an MDM Portal

You can provide a Mobile Device Management (MDM) portal to enable employees to manage their mobile devices that are registered for use on your corporate network.
You can create a new MDM portal, or you can edit or duplicate an existing one. You can delete any MDM portal, including the default portal provided by Cisco ISE. The default portal is for third-party MDM providers.
Any changes that you make to the Page Settings on the Portal Behavior and Flow Settings tab are reflected in the graphical flow in the device portal flow diagram. If you enable a page, such as the Support Information page, it appears in the flow and the employee will experience it in the portal. If you disable it, it is removed from the flow.

Before You Begin

Ensure that you have the required certificates and endpoint identity groups configured for use with this portal.

Procedure

Step 1 Choose Administration > Device Portal Management > MDM Portals > Create, Edit or Duplicate.
Step 2 Provide a unique Portal Name and a Description for the portal.
Ensure that the portal name that you use here is not used for any other end-user portals.
Step 3 Use the Language File drop-down menu to export and import language files to use with the portal.
Step 4 Update the default values for ports, certificate group tags, endpoint identity groups and so on in Portal Settings, and define behavior that applies to the overall portal.
Step 5 Update the following settings that apply to each of the specific pages:
• In Employee Mobile Device Management Settings, access the link provided to configure third-party MDM providers and then define the acceptance policy behavior for employees using the MDM portals.
• Support Information Page Settings to help guests provide information that the Help Desk can use to troubleshoot network access issues.
Step 6 On the Portal Page Customization tab, customize the Content Area messages that appear in the MDM portal during the device enrollment process:
• Unreachable—When the selected MDM system cannot be reached.
• Non-compliant—When the device being enrolled is not compliant with the requirements of the MDM system.
• Continue—When the device should try connecting to the network in case of connectivity issues.
• Enroll—When the device requires the MDM agent and needs to be enrolled in the MDM system.
Step 7 Click Save and then Close.

What to Do Next

You must authorize the portal in order to use it. You can also customize your portal either before or after you authorize it for use. Also see the following topics:
• Add Certificates, on page 344
• Create Endpoint Identity Groups, on page 346
• Create Authorization Profiles, on page 353
• Customize Device Portals, on page 355

Create a My Devices Portal

You can provide a My Devices portal to enable employees to add and register their personal devices that do not support native supplicants and cannot be added using the Bring Your Own Device (BYOD) portal. You can then use the My Devices portal to manage all devices that have been added using either portal.
You can create a new My Devices portal, or you can edit or duplicate an existing one. You can delete any My Devices portal, including the default portal provided by Cisco ISE.
Any changes that you make to the Page Settings on the Portal Behavior and Flow Settings tab are reflected in the graphical flow in the device portal flow diagram. If you enable a page, such as the Support Information page, it appears in the flow and the employee will experience it in the portal. If you disable it, it is removed from the flow.

Before You Begin

Ensure that you have the required certificates, external identity stores, identity source sequences, and endpoint identity groups configured for use with this portal.

Procedure

Step 1 Choose Administration > Device Portal Management > My Devices Portals > Create, Edit or Duplicate.
Step 2 Provide a unique Portal Name and a Description for the portal.
Ensure that the portal name that you use here is not used for any other end-user portals.
Step 3 Use the Language File drop-down menu to export and import language files to use with the portal.
Step 4 Update the default values for ports, certificate group tags, identity source sequences, endpoint identity groups, and so on in Portal Settings, and define behavior that applies to the overall portal.
Step 5 Update the following settings that apply to each of the specific pages:
• Login Page Settings—Specify employee credential and login guidelines.
• Acceptable Use Policy (AUP) Page Settings—Add a separate AUP page and define the acceptable use policy behavior for employees.
• Post-Login Banner Page Settings—Notify employees of additional information after they log into the portal.
• Employee Change Password Settings—Allow employees to change their own passwords. This option is enabled only if the employee is part of the Internal Users database.
Step 6 In the Portal Page Customization tab, customize the following information that appears in the My Devices portal during registration and management:
• Titles, instructions, content, field and button labels
• Error messages and notification messages
Step 7 Click Save and then Close.

What to Do Next

You can customize the portal if you want to change its appearance. See

Related Topics

Customize Device Portals, on page 355
My Devices Portal, on page 338
Display Devices Added by an Employee, on page 355

Create Authorization Profiles

When you authorize a portal, you are setting up the network authorization profiles and rules for network access.

Before You Begin

You must create a portal before you can authorize it.

Procedure

Step 1 Set up a special authorization profile for the portal.
Step 2 Create an authorization policy rule for the profile.

Create Authorization Profiles

Each portal requires that you set up a special authorization profile for it.
Before You Begin

If you do not plan to use a default portal, you must first create the portal so you can associate the portal name with the authorization profile.

Procedure

Step 1 Choose Policy > Policy Elements > Results > Authorization > Authorization Profiles.
Step 2 Create an authorization profile using the name of the portal that you want to authorize for use.

What to Do Next

You should create a portal authorization policy rule that uses the newly created authorization profile.

Create Authorization Policy Rules

To configure the redirection URL for a portal to use when responding to the users' (guests, sponsors, employees) access requests, define an authorization policy rule for that portal.
The url-redirect takes the following form based on the portal type, where:
ip:port = the IP address and port number
PortalID = the unique portal name
For a Hotspot Guest portal:
https://ip:port/guestportal/gateway?sessionID=SessionIdValue&portal=PortalID&action=cwa&type=drw
For a Mobile Device Management (MDM) portal:
https://ip:port/mdmportal/gateway?sessionID=SessionIdValue&portal=PortalID&action=mdm

Procedure

Step 1 Choose Policy > Authorization to create a new authorization policy rule under Standard policies.
If you enabled Policy Sets, choose Policy > Policy Set, pick the Policy Set you plan to use for this portal, expand Authorization Policy, and add a new rule.
Step 2 For Conditions, select an endpoint identity group that you want to use for the portal validation. For example, for the Hotspot Guest portal, select the default GuestEndpoints endpoint identity group and, for the MDM portal, select the default RegisteredDevices endpoint identity group.
Note Because the Hotspot Guest portal only issues a Termination CoA, do not use Network Access:UseCase EQUALS Guest Flow as one of the validation conditions in the Guest authorization policy. Instead, match the Identity Group that the endpoint belongs to for validation. For example,
• If "GuestEndpoint" + Wireless MAB then Permit Access
• If Wireless MAB then HotSpot Redirect
Step 3 For Permissions, select the portal authorization profile that you created.
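The two rules in the Note above only behave as intended when the GuestEndpoints rule sits above the catch-all Wireless MAB rule, because ISE evaluates authorization rules top-down and applies the first match. The following script is an added example, not Cisco's code: it evaluates constructed endpoint records against those two rules in both orders, builds the url-redirect for the HotSpot Redirect result in the Hotspot Guest form given above, and parses a url-redirect back into its portal type, portal name and session ID so a redirect seen in a log or a packet capture can be checked against the expected form. The PSN host name, portal names, session IDs and the DenyAccess default are all assumptions of the example, not values from the guide.

```python
"""Added example (not Cisco ISE code): first-match authorization rule
evaluation and url-redirect construction/parsing for portal rules."""
from urllib.parse import parse_qs, urlencode, urlsplit

PSN_HOST = "psn1.example.com"  # assumed placeholder for the PSN IP/FQDN ("ip" in the guide)
PSN_PORT = 8443                # default portal HTTPS port from the guide

# url-redirect path and fixed query parameters per portal type, as given in the guide.
PORTAL_TEMPLATES = {
    "hotspot": ("/guestportal/gateway", {"action": "cwa", "type": "drw"}),
    "mdm": ("/mdmportal/gateway", {"action": "mdm"}),
}


def build_redirect(portal_type, host, port, session_id, portal_id):
    """Render the url-redirect for one portal type in the documented form."""
    path, fixed = PORTAL_TEMPLATES[portal_type]
    query = {"sessionID": session_id, "portal": portal_id, **fixed}
    return f"https://{host}:{port}{path}?{urlencode(query)}"


def parse_redirect(url):
    """Return (portal_type, portal_id, session_id) or raise ValueError if the URL
    does not match one of the documented redirect forms."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("url-redirect must use https")
    query = parse_qs(parts.query)
    for portal_type, (path, fixed) in PORTAL_TEMPLATES.items():
        if parts.path == path and all(query.get(k) == [v] for k, v in fixed.items()):
            if "sessionID" not in query or "portal" not in query:
                raise ValueError("missing sessionID or portal parameter")
            return portal_type, query["portal"][0], query["sessionID"][0]
    raise ValueError(f"unrecognised portal redirect: {url}")


# Conditions used by the guide's two example rules. Endpoint records are constructed dicts.
def is_wireless_mab(endpoint):
    return endpoint["access"] == "wireless_mab"


def is_guest_endpoint(endpoint):
    return endpoint["identity_group"] == "GuestEndpoints"


# (rule name, condition, authorization result) in the order the guide lists them.
RULES = [
    ("GuestEndpoint + Wireless MAB",
     lambda ep: is_guest_endpoint(ep) and is_wireless_mab(ep), "PermitAccess"),
    ("Wireless MAB", is_wireless_mab, "HotSpot Redirect"),
]


def authorize(endpoint, rules=RULES, portal_id="HotspotPortal"):
    """First-match evaluation: returns (matched rule name, result, url-redirect or None).
    When no rule matches, an assumed DenyAccess default applies."""
    for name, condition, result in rules:
        if condition(endpoint):
            redirect = None
            if result == "HotSpot Redirect":
                redirect = build_redirect("hotspot", PSN_HOST, PSN_PORT,
                                          endpoint["session_id"], portal_id)
            return name, result, redirect
    return None, "DenyAccess", None


# Constructed endpoints: a guest already in GuestEndpoints, a new unknown wireless device,
# and a wired device that matches neither rule.
KNOWN_GUEST = {"access": "wireless_mab", "identity_group": "GuestEndpoints",
               "session_id": "0a0a0a0a000000010001"}
NEW_DEVICE = {"access": "wireless_mab", "identity_group": "Unknown",
              "session_id": "0a0a0a0a000000020002"}
WIRED_DEVICE = {"access": "wired_dot1x", "identity_group": "Unknown",
                "session_id": "0a0a0a0a000000030003"}

if __name__ == "__main__":
    for ep in (KNOWN_GUEST, NEW_DEVICE, WIRED_DEVICE):
        print("documented order:", authorize(ep))
        print("rules swapped:   ", authorize(ep, rules=list(reversed(RULES))))
```

With the rules in the documented order the known guest is permitted and only the unknown device is redirected; with the order swapped, the catch-all Wireless MAB rule matches first and sends the already-registered guest back to the portal, which is the practical reason the more specific identity-group rule must come first.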