Cisco Identity Services Engine Administrator Guide, Release 1.3

    Contents
    CHAPTER 32  Network Access Flows  871
    Password-Based Authentication  871
    Secure Authentication Using Encrypted Passwords and Cryptographic Techniques  871
    Authentication Methods and Authorization Privileges  872
    RADIUS Protocol Support in Cisco ISE  872
    Network Access for Users  872
    RADIUS-Based Protocols Without EAP  872
    RADIUS-Based Non-EAP Authentication Flow  873
    Password Authentication Protocol  873
    RADIUS-Based PAP Authentication in Cisco ISE  873
    Challenge Handshake Authentication Protocol  874
    Microsoft Challenge Handshake Authentication Protocol Version 1  874
    Microsoft Challenge Handshake Authentication Protocol Version 2  874
    RADIUS-Based EAP Protocols  874
    RADIUS-Based EAP Authentication Flow  875
    Extensible Authentication Protocol-Message Digest 5  875
    Lightweight Extensible Authentication Protocol  876
    Protected Extensible Authentication Protocol  876
    Advantages of Using PEAP  876
    Supported Supplicants for the PEAP Protocol  876
    PEAP Protocol Flow  877
    Extensible Authentication Protocol-Flexible Authentication via Secure Tunneling  877
    Benefits of EAP-FAST  878
    EAP-FAST Flow  878
    CHAPTER 33  Switch and Wireless LAN Controller Configuration Required to Support Cisco ISE Functions  879
    Enable Your Switch to Support Standard Web Authentication  880
    Local Username and Password Definition for Synthetic RADIUS Transactions  880
    NTP Server Configuration to Ensure Accurate Log and Accounting Timestamps  880
    Command to Enable AAA Functions  880
    RADIUS Server Configuration on the Switch  881
    Configure the Switch to Send RADIUS Accounting Start/Stop to Inline Posture Nodes  882
    Command to Enable RADIUS Change of Authorization (CoA)  882
    Command to Enable Device Tracking and DHCP Snooping  882
    Command to Enable 802.1X Port-Based Authentication  883
    Command to Enable EAP for Critical Authentications  883
    Command to Throttle AAA Requests Using Recovery Delay  883
    VLAN Definitions Based on Enforcement States  883
    Local (Default) ACLs Definition on the Switch  884
    Enable Switch Ports for 802.1X and MAB  885
    Command to Enable EPM Logging  887
    Command to Enable SNMP Traps  887
    Command to Enable SNMPv3 Query for Profiling  887
    Command to Enable MAC Notification Traps for Profiler to Collect  888
    RADIUS Idle-Timeout Configuration on the Switch  888
    Wireless LAN Controller Configuration for iOS Supplicant Provisioning  888
    Wireless LAN Controller Support for Apple Devices  889
    Configuring ACLs on the Wireless LAN Controller for MDM Interoperability  889
    CHAPTER 34  Supported Management Information Bases in Cisco ISE  891
    IF-MIB  891
    SNMPv2-MIB  892
    IP-MIB  892
    CISCO-CDP-MIB  893
    CISCO-VTP-MIB  894
    CISCO-STACK-MIB  894
    BRIDGE-MIB  895
    OLD-CISCO-INTERFACE-MIB  895
    CISCO-LWAPP-AP-MIB  895
    CISCO-LWAPP-DOT11-CLIENT-MIB  897
    CISCO-AUTH-FRAMEWORK-MIB  898
    IEEE8021-PAE-MIB: RFC IEEE 802.1X  898
    HOST-RESOURCES-MIB  898
    LLDP-MIB  899
    Preface
    • Purpose, page xliii
    • Audience, page xliii
    • Document Organization, page xliii
    • Document Conventions, page xliv
    • Documentation Updates, page xlv
    • Obtaining Documentation and Submitting a Service Request, page xlv
    Purpose
    This preface introduces the Cisco Identity Services Engine Administrator Guide, Release 1.3.
    Audience
    This guide is written for network security administrators who are responsible for setting up and maintaining network and application security. This guide assumes that you have a working knowledge of networking principles and applications, and have experience as a network system administrator.
    Document Organization
    Chapter
    Introduction, on page 1
    Deploy Cisco ISE Nodes, on page 29
    Set up Cisco ISE Management Access, on page 81
    Manage Users and End-User Portals, on page 239
    Enable and Configure Cisco ISE Services, on page 399
    Monitoring and Troubleshooting Cisco ISE, on page 623
    Reference, on page 679
    Document Conventions
    Convention: Description
    ^ or Ctrl: Both the ^ symbol and Ctrl represent the Control (Ctrl) key on a keyboard. For example, the key combination ^D or Ctrl-D means hold down the Control key, then press the D key. (Key labels are in capital letters but are not case sensitive.)
    Bold font: Commands and keywords that the user must enter appear in bold font.
    Italic font: Document titles, new or emphasized terms, and arguments for which you supply values are in italic font.
    Courier font: Terminal sessions and information the system displays appear in courier font.
    Bold Courier font: Bold Courier font indicates text that the user must enter.
    [x]: Elements in square brackets are optional.
    ...: An ellipsis (three consecutive nonbolded periods without spaces) after a syntax element indicates that the element can be repeated.
    |: A decision bar indicates a choice within a set of keywords or arguments.
    [x | y]: Optional alternative elements are grouped in brackets and separated by decision bars.
    {x | y}: Required alternative elements are grouped in braces and separated by decision bars.
    string: A nonquoted set of characters. Do not use quotation marks around the string or the string will include the quotation marks.
    < >: Angle brackets indicate a character string that the user enters but does not appear on the screen, such as a password.
    [ ]: Default responses to system prompts are in square brackets.
    ! or #: An exclamation point (!) or a pound sign (#) at the beginning of a line of code indicates a comment line.
    Reader Alert Conventions
    This document uses the following conventions for reader alerts:
    Note: Means reader take note. Notes contain helpful suggestions or references to material not covered in the manual.
    Tip: Means the following information will help you solve a problem, or could be some useful information.
    Caution: Means reader be careful. In this situation, you might do something that could result in equipment damage or loss of data.
    Timesaver: Means the described action saves time. You can save time by performing the action described in the paragraph.
    Warning: Means reader be warned. In this situation, you might perform an action that could result in bodily injury.
    Documentation Updates
    The following table lists the documentation updates for this Cisco Identity Services Engine product release.
    Table 1: Updates for Cisco Identity Services Engine Administrator Guide, Release 1.3
    Date          Description
    October 2014  Cisco Identity Services Engine Administrator Guide, Release 1.3
    Obtaining Documentation and Submitting a Service Request
    For information about obtaining documentation, submitting a service request, and gathering additional information, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:
    http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html
    Subscribe to What's New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop by using a reader application. The RSS feeds are a free service, and Cisco currently supports RSS Version 2.0.
    PART I
    Introduction
    • Cisco ISE Features, page 3
    • Navigate the Admin portal, page 11
    CHAPTER 1
    Cisco ISE Features
    • Cisco ISE Overview, page 3
    • Key Functions, page 4
    • Identity-Based Network Access, page 4
    • Support for Multiple Deployment Scenarios, page 4
    • Support for UCS Hardware, page 5
    • Basic User Authentication and Authorization, page 5
    • Policy Sets, page 6
    • Support for Common Access Card Functions, page 6
    • Client Posture Assessment, page 7
    • Network Access for Guests, page 7
    • Support for Personal Devices, page 7
    • Mobile Device Manager Interoperability with Cisco ISE, page 8
    • Wireless and VPN Traffic with Inline Posture Nodes, page 8
    • Profiled Endpoints on the Network, page 8
    • pxGrid Persona, page 8
    • Cisco ISE Certificate Authority, page 9
    • Support for Active Directory Multidomain Forests, page 9
    • Support for SAnet Devices, page 9
    • Support for Installation on Multiple Hardware and VMware Platforms, page 9
    Cisco ISE Overview
    Cisco ISE is a security policy management platform that provides secure access to network resources. Cisco ISE functions as a policy decision point and enables enterprises to ensure compliance, enhance infrastructure security, and streamline service operations. Cisco ISE allows enterprises to gather real-time contextual information from networks, users, and devices. The administrator can then use that information to make governance decisions by tying identity to various network elements, including access switches, wireless LAN controllers (WLCs), Virtual Private Network (VPN) gateways, and data center switches. Cisco ISE acts as the policy manager in the Cisco TrustSec solution and supports TrustSec software-defined segmentation.
    Key Functions
    Cisco ISE is a consolidated policy-based access control system that incorporates a superset of the features available in existing Cisco policy platforms. Cisco ISE performs the following functions:
    • Combines authentication, authorization, accounting (AAA), posture, and profiler into one appliance
    • Provides comprehensive guest access management for Cisco ISE administrators, sanctioned sponsor administrators, or both
    • Enforces endpoint compliance by providing comprehensive client provisioning measures and assessing the device posture for all endpoints that access the network, including 802.1X environments
    • Provides support for discovery, profiling, policy-based placement, and monitoring of endpoint devices on the network
    • Enables consistent policy in centralized and distributed deployments, which allows services to be delivered where they are needed
    • Employs advanced enforcement capabilities, including TrustSec through the use of Security Group Tags (SGTs) and Security Group Access Control Lists (SGACLs)
    • Scales to support a range of deployment scenarios, from small office to large enterprise environments
    Identity-Based Network Access
    The Cisco ISE solution provides context-aware identity management in the following areas:
    • Cisco ISE determines whether users are accessing the network on an authorized, policy-compliant device.
    • Cisco ISE establishes user identity, location, and access history, which can be used for compliance and reporting.
    • Cisco ISE assigns services based on the assigned user role, group, and associated policy (job role, location, device type, and so on).
    • Cisco ISE grants authenticated users access to specific segments of the network, or to specific applications and services, or both, based on authentication results.
    Support for Multiple Deployment Scenarios
    Cisco ISE can be deployed across an enterprise infrastructure, supporting 802.1X wired, wireless, and Virtual Private Networks (VPNs).
    The Cisco ISE architecture supports both standalone and distributed (also known as "high-availability" or "redundant") deployments, where one machine assumes the primary role and another "backup" machine assumes the secondary role. Cisco ISE features distinct configurable personas, services, and roles, which allow you to