To define authorization conditions that are based on an endpoint identity group that has been previously authenticated, Cisco ISE supports authorization that was defined during endpoint identity group 802.1X authentication status. When Cisco ISE performs 802.1X authentication, it extracts the MAC address from the "Calling-Station-ID" field in the RADIUS request and uses this value to look up and populate the session cache for the device's endpoint identity group (defined as an endpoint ID group attribute).
This process makes the endpoint ID group attribute available for use in creating authorization policy conditions, and allows you to define an authorization policy based on endpoint identity group information using this attribute, in addition to user information.
The condition for the endpoint identity group can be defined in the ID Groups column of the authorization policy configuration page. Conditions that are based on user-related information need to be defined in the "Other Conditions" section of the authorization policy. If user information is based on internal user attributes, then use the ID Group attribute in the internal user dictionary. For example, you can enter the full value path in the identity group using a value like "User Identity Group:Employee:US".
Time and Date Conditions
Use the Policy Elements Conditions page to display, create, modify, delete, duplicate, and search time and date policy element conditions. Policy elements are shared objects that define a condition that is based on specific time and date attribute settings that you configure.
Time and date conditions let you set or limit permission to access Cisco ISE system resources to specific times and days as directed by the attribute settings you make.
Permissions for Authorization Profiles
Before you start configuring permissions for authorization profiles, make sure you:
• Understand the relationship between authorization policies and profiles
• Are familiar with the Authorization Profile page
• Know the basic guidelines to follow when configuring policies and profiles
• Understand what comprises permissions in an authorization profile
To work with Authorization Profiles, choose Policy > Policy Elements > Results. From the menu on the left, choose Authorization > Authorization Profiles.
Use the Results navigation pane as your starting point in the process for displaying, creating, modifying, deleting, duplicating, or searching policy element permissions for the different types of authorization profiles on your network. The Results pane initially displays Authentication, Authorization, Profiling, Posture, Client Provisioning, and TrustSec options.
Authorization profiles let you choose the attributes to be returned when a RADIUS request is accepted. Cisco ISE provides a mechanism where you can configure Common Tasks settings to support commonly used attributes. You must enter the value for the Common Tasks attributes, which Cisco ISE translates to the underlying RADIUS values.
    Cisco Identity Services Engine Administrator Guide, Release 1.3    
Configure Permissions for New Standard Authorization Profiles
Procedure
Step 1 Choose Policy > Policy Elements > Results > Authorization > Authorization Profiles.
Step 2 Click Add.
Step 3 Enter values as required to configure a new authorization profile. Supported characters for the name field are: space, ! # $ % & ' ( ) * + , - . / ; = ? @ _ {.
Step 4 Click Submit to save your changes to the Cisco ISE system database to create an authorization profile.
Downloadable ACLs
You can define DACLs for the Access-Accept message to return. Use ACLs to prevent unwanted traffic from entering the network. ACLs can filter source and destination IP addresses, transport protocols, and more by using the RADIUS protocol.
After you create DACLs as named permission objects, you can add them to authorization profiles, which you can then specify as the result of an authorization policy.
You can duplicate a DACL if you want to create a new DACL that is the same as, or similar to, an existing downloadable ACL. After duplication is complete, you access each DACL (original and duplicated) separately to edit or delete them.
Note: While creating a DACL, the keyword Any must be the source in all ACEs in the DACL. Once the DACL is pushed, the Any in the source is replaced with the IP address of the client that is connecting to the switch.
Configure Permissions for Downloadable ACLs
Procedure
Step 1 Choose Policy > Policy Elements > Results > Authorization > Downloadable ACLs.
Step 2 Click the action icon and select Create DACL, or click Add in the DACL Management page.
Step 3 Enter the desired values for the DACL. Supported characters for the name field are: space, ! # $ % & ' ( ) * + , - . / ; = ? @ _ {.
Step 4 Click Submit.
Supported Downloadable ACL Format for Inline Posture Node
The following format is supported for DACLs:
ACTION PROTOCOL SOURCE_SUBNET WILDCARD_MASK [OPERATOR [PORT]] DEST_SUBNET WILDCARD_MASK [OPERATOR [PORT]] [ICMP_TYPE_CODE]
Table 24: DACL Format - Options
ACTION: Specifies whether the policy element permissions should permit or deny access.
PROTOCOL: Specifies any one of the following protocols:
• ICMP
• UDP
• TCP
• IP
SOURCE_SUBNET: Specifies the source subnet format as 'any'.
DEST_SUBNET: Specifies any one of the following destination subnet formats:
• any
• host x.x.x.x
•
WILDCARD_MASK: Specifies the inverse of the subnet mask. For example, 0.0.0.255.
OPERATOR: Specifies any one of the following operators:
• eq
• lt
• gt
• neq
• range
PORT: Specifies the port. The valid range is from 1 to 65535.
ICMP_TYPE_CODE: Specifies any one of the following ICMP type codes:
• 0 — Echo reply
• 8 — Echo request
• 3:[0-15] — Destination unreachable
• 5:[0-3] — ICMP redirects
Examples of acceptable ACL format:
permit tcp any host 192.168.1.100 eq 80 — permits www traffic from anywhere to host 192.168.1.100
permit udp any eq 68 any eq 67 — permits DHCP traffic
permit icmp any any 8, permit icmp any any 0 — allows ICMP echo-request and echo-reply
deny icmp any any 5:0 — denies ICMP network redirects
permit ip any 67.2.2.0 0.0.0.255 — permits all traffic from the host to the 67.2.2.0 subnet
permit udp any any range 16384 32767 — permits voice traffic using a range of UDP ports
Examples of incorrect syntax:
permit ip 192.168.2.100 192.168.1.100 — host/wildcard keyword missing
permit tcp host 192.168.2.100 host 192.168.1.100 eq 88 389 636 454 3268 3269 1025 1026 (You cannot club multiple ports using the eq operator; this ACL needs to be split into multiple lines, one for each destination port)
Note: The source address for all ACEs must be defined as ANY.
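The ACE grammar above, turned into a syntax checker as an added example (this is not code from the Cisco guide or from ISE itself): it enforces the field order, the rule that the source must be 'any', the operator and port ranges, the four ICMP type codes from Table 24, and it rejects a list of ports after a single eq. The sample ACEs in the test are the guide's own plus constructed variants.

```python
import re
from typing import List, Tuple

ACTIONS, PROTOCOLS = {"permit", "deny"}, {"icmp", "udp", "tcp", "ip"}
OPERATORS = {"eq", "lt", "gt", "neq", "range"}
IPV4 = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")
# ICMP type codes accepted per Table 24: 0, 8, 3:[0-15], 5:[0-3]
ICMP_CODES = {"0", "8"} | {f"3:{c}" for c in range(16)} | {f"5:{c}" for c in range(4)}

def _is_ipv4(tok: str) -> bool:
    m = IPV4.match(tok)
    return bool(m) and all(int(o) <= 255 for o in m.groups())

def _take_ports(tokens: List[str]) -> None:  # optional OPERATOR [PORT]; 'range' takes two
    if not tokens or tokens[0] not in OPERATORS:
        return
    op = tokens.pop(0)
    for _ in range(2 if op == "range" else 1):
        if not tokens or not tokens[0].isdigit() or not 1 <= int(tokens[0]) <= 65535:
            raise ValueError(f"operator '{op}' needs a port in 1-65535")
        tokens.pop(0)

def _take_subnet(tokens: List[str], is_source: bool) -> None:  # SUBNET [WILDCARD_MASK]
    tok = tokens.pop(0) if tokens else ""
    if tok == "any":
        return
    if is_source:  # the guide requires the source of every ACE to be 'any'
        raise ValueError("source address for all ACEs must be 'any'")
    if tok == "host":
        if not tokens or not _is_ipv4(tokens.pop(0)):
            raise ValueError("'host' must be followed by an IPv4 address")
    elif _is_ipv4(tok):
        if not tokens or not _is_ipv4(tokens[0]):
            raise ValueError("host/wildcard keyword missing")
        tokens.pop(0)  # the wildcard (inverse) mask, e.g. 0.0.0.255
    else:
        raise ValueError(f"unrecognised address '{tok}'")

def validate_ace(line: str) -> Tuple[bool, str]:
    """Return (ok, reason) for one ACE in the Inline Posture DACL format."""
    tokens = line.lower().split()
    try:
        if len(tokens) < 2 or tokens[0] not in ACTIONS or tokens[1] not in PROTOCOLS:
            raise ValueError("ACE must start with permit|deny then icmp|udp|tcp|ip")
        _, proto = tokens.pop(0), tokens.pop(0)
        _take_subnet(tokens, is_source=True)
        _take_ports(tokens)
        _take_subnet(tokens, is_source=False)
        _take_ports(tokens)
        if proto == "icmp" and tokens and tokens[0] in ICMP_CODES:
            tokens.pop(0)
        if tokens:  # e.g. several ports after 'eq': split into one ACE per port
            raise ValueError(f"unexpected trailing fields: {' '.join(tokens)}")
    except ValueError as exc:
        return False, str(exc)
    return True, "ok"
```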
Machine Access Restriction for Active Directory User Authorization
Cisco ISE contains a Machine Access Restriction (MAR) component that provides an additional means of controlling authorization for Microsoft Active Directory-authenticated users. This form of authorization is based on the machine authentication of the computer used to access the Cisco ISE network. For every successful machine authentication, Cisco ISE caches the value that was received in the RADIUS Calling-Station-ID attribute (attribute 31) as evidence of a successful machine authentication.
Cisco ISE retains each Calling-Station-ID attribute value in cache until the number of hours that was configured in the "Time to Live" parameter in the Active Directory Settings page expires. Once the parameter has expired, Cisco ISE deletes it from its cache.
When a user authenticates from an end-user client, Cisco ISE searches the cache for a Calling-Station-ID value from successful machine authentications that matches the Calling-Station-ID value that was received in the user authentication request. If Cisco ISE finds a matching user-authentication Calling-Station-ID value in the cache, this affects how Cisco ISE assigns permissions for the user that requests authentication in the following ways:
• If the Calling-Station-ID value matches one found in the Cisco ISE cache, then the authorization profile for a successful authorization is assigned.
• If the Calling-Station-ID value is not found to match one in the Cisco ISE cache, then the authorization profile for a successful user authentication without machine authentication is assigned.
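A compact model of the MAR behaviour just described, added here as an illustration and not code from Cisco ISE: successful machine authentications populate a Calling-Station-ID cache that honours the Time to Live, and a later user authentication is assigned one of the two outcomes depending on whether its Calling-Station-ID is still cached. The profile names and the MAC-style identifiers in the test are constructed.

```python
from typing import Dict

# The two outcomes named in the guide (labels constructed for this example).
MACHINE_AND_USER_PROFILE = "authz_profile_machine_and_user"
USER_ONLY_PROFILE = "authz_profile_user_without_machine"


class MarCache:
    """Calling-Station-ID values (RADIUS attribute 31) cached after a successful
    machine authentication, each kept for 'Time to Live' hours."""

    def __init__(self, ttl_hours: float) -> None:
        self.ttl_hours = ttl_hours
        self._seen: Dict[str, float] = {}  # Calling-Station-ID -> time cached (hours)

    def record_machine_auth(self, calling_station_id: str, now_hours: float, success: bool) -> None:
        # Only a successful machine authentication is evidence worth caching.
        if success:
            self._seen[calling_station_id] = now_hours

    def _purge_expired(self, now_hours: float) -> None:
        for csid, cached_at in list(self._seen.items()):
            if now_hours - cached_at >= self.ttl_hours:
                del self._seen[csid]  # TTL elapsed: the entry is deleted from cache

    def authorize_user(self, calling_station_id: str, now_hours: float) -> str:
        """Choose the profile for a user authentication carrying this Calling-Station-ID.
        The value is compared exactly as received (this example's simplification)."""
        self._purge_expired(now_hours)
        if calling_station_id in self._seen:
            return MACHINE_AND_USER_PROFILE
        return USER_ONLY_PROFILE
```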
CHAPTER 21
Cisco ISE Endpoint Profiling Policies
• Cisco ISE Profiling Service, page 452
• Configure Profiling Service in Cisco ISE Nodes, page 453
• Network Probes Used by Profiling Service, page 454
• Configure Probes per Cisco ISE Node, page 462
• Setup CoA, SNMP RO Community, and Endpoint Attribute Filter, page 462
• Attribute Filters for ISE Database Persistence and Performance, page 465
• Attributes Collection from IOS Sensor Embedded Switches, page 468
• Profiler Conditions, page 470
• Profiling Network Scan Actions, page 470
• Create a Profiler Condition, page 477
• Endpoint Profiling Policy Rules, page 478
• Create Endpoint Profiling Policies, page 479
• Predefined Endpoint Profiling Policies, page 482
• Endpoint Profiling Policies Grouped into Logical Profiles, page 485
• Profiling Exception Actions, page 485
• Cisco ISE Integration with Cisco NAC Appliance, page 486
• Create Endpoints with Static Assignments of Policies and Identity Groups, page 495
• Identified Endpoints, page 499
• Create Endpoint Identity Groups, page 501
• Profiler Feed Service, page 504
• Profiler Reports, page 507
• Cisco ISE Integration with Cisco NAC Appliance, page 507
• Create Endpoints with Static Assignments of Policies and Identity Groups, page 509
• Identified Endpoints, page 513
• Profiler Reports, page 520
Cisco ISE Profiling Service
The profiling service in Cisco Identity Services Engine (ISE) identifies the devices that connect to your network and their location. The endpoints are profiled based on the endpoint profiling policies configured in Cisco ISE. Cisco ISE then grants permission to the endpoints to access the resources in your network based on the result of the policy evaluation.
The profiling service:
• Facilitates an efficient and effective deployment and ongoing management of authentication by using IEEE standard 802.1X port-based authentication access control, MAC Authentication Bypass (MAB) authentication, and Network Admission Control (NAC) for any enterprise network of varying scale and complexity.
• Identifies, locates, and determines the capabilities of all of the attached network endpoints regardless of endpoint types.
• Protects against inadvertently denying access to some endpoints.
Endpoint Inventory Using Profiling Service
You can use the profiling service to discover, locate, and determine the capabilities of all the endpoints connected to your network. You can ensure and maintain appropriate access of endpoints to the enterprise network, regardless of their device types.
The profiling service collects attributes of endpoints from the network devices and the network, classifies endpoints into a specific group according to their profiles, and stores endpoints with their matched profiles in the Cisco ISE database. All the attributes that are handled by the profiling service need to be defined in the profiler dictionaries.
The profiling service identifies each endpoint on your network, and groups those endpoints according to their profiles to an existing endpoint identity group in the system, or to a new group that you can create in the system. By grouping endpoints, and applying endpoint profiling policies to the endpoint identity group, you can determine the mapping of endpoints to the corresponding endpoint profiling policies.
Cisco ISE Profiler Queue Limit Configuration
The Cisco ISE profiler collects a significant amount of endpoint data from the network in a short period of time. This causes Java Virtual Machine (JVM) memory utilization to go up due to the backlog that accumulates while some of the slower Cisco ISE components process the data generated by the profiler, which results in performance degradation and stability issues.
To ensure that the profiler does not increase the JVM memory utilization, and to prevent the JVM from going out of memory and restarting, limits are applied to the following internal components of the profiler:
• Endpoint Cache: an internal cache that is limited in size and has to be purged periodically (based on a least recently used strategy) when the size exceeds the limit.
• Forwarder: the main ingress queue of endpoint information collected by the profiler.
• Event Handler: an internal queue that decouples a fast component, which feeds data to a slower processing component (typically related to a database query).
Endpoint Cache
• maxEndPointsInLocalDb = 100000 (endpoint objects in cache)
• endPointsPurgeIntervalSec = 300 (endpoint cache purge thread interval in seconds)
• numberOfProfilingThreads = 8 (number of threads)
The limit is applicable to all profiler internal event handlers. A monitoring alarm is triggered when the queue size limit is reached.
Cisco ISE Profiler Queue Size Limits
• forwarderQueueSize = 5000 (endpoint collection events)
• eventHandlerQueueSize = 10000 (events)
Event Handlers
• NetworkDeviceEventHandler: for network device events, in addition to filtering duplicate Network Access Device (NAD) IP addresses, which are already cached.
• ARPCacheEventHandler: for ARP Cache events.
Configure Profiling Service in Cisco ISE Nodes
You can configure the profiling service that provides you a contextual inventory of all the endpoints that are using your network resources in any Cisco ISE-enabled network.
You can configure the profiling service to run on a single Cisco ISE node that assumes all Administration, Monitoring, and Policy Service personas by default.
In a distributed deployment, the profiling service runs only on Cisco ISE nodes that assume the Policy Service persona and does not run on other Cisco ISE nodes that assume the Administration and Monitoring personas.
Procedure
Step 1 Choose Administration > System > Deployment.
Step 2 Choose a Cisco ISE node that assumes the Policy Service persona.
Step 3 Click Edit in the Deployment Nodes page.
Step 4 On the General Settings tab, check the Policy Service check box. If the Policy Service check box is unchecked, both the session services and the profiling service check boxes are disabled.
Step 5 Perform the following tasks:
a) Check the Enable Session Services check box to run the Network Access, Posture, Guest, and Client Provisioning session services.
b) Check the Enable Profiling Services check box to run the profiling service.
Step 6 Click Save to save the node configuration.
Network Probes Used by Profiling Service
A network probe is a method used to collect an attribute or a set of attributes from an endpoint on your network. The probe allows you to create or update endpoints with their matched profile in the Cisco ISE database.
Cisco ISE can profile devices using a number of network probes that analyze the behavior of devices on the network and determine the type of the device. Network probes help you to gain more network visibility.
IP Address and MAC Address Binding
You can create or update endpoints only by using their MAC addresses in an enterprise network. If you do not find an entry in the ARP cache, then you can create or update endpoints by using the L2 MAC address of an HTTP packet and the IN_SRC_MAC of a NetFlow packet in Cisco ISE. The profiling service is dependent on L2 adjacency when endpoints are only a hop away. When endpoints are L2 adjacent, the IP addresses and MAC addresses of endpoints are already mapped, and there is no need for IP-MAC cache mapping. If endpoints are not L2 adjacent and are multiple hops away, mapping may not be reliable. Some of the known attributes of NetFlow packets that you collect include PROTOCOL, L4_SRC_PORT, IPV4_SRC_ADDR, L4_DST_PORT, IPV4_DST_ADDR, IN_SRC_MAC, OUT_DST_MAC, IN_SRC_MAC, and OUT_SRC_MAC. When endpoints are not L2 adjacent and are multiple L3 hops away, the IN_SRC_MAC attributes carry only the MAC addresses of L3 network devices. When the HTTP probe is enabled in Cisco ISE, you can create endpoints only by using the MAC addresses of HTTP packets, because the HTTP request messages do not carry IP addresses and MAC addresses of endpoints in the payload data. Cisco ISE implements an ARP cache in the profiling service, so that you can reliably map the IP addresses and the MAC addresses of endpoints. For the ARP cache to function, you must enable either the DHCP probe or the RADIUS probe. The DHCP and RADIUS probes carry the IP addresses and the MAC addresses of endpoints in the payload data. The dhcp-requested-address attribute in the DHCP probe and the Framed-IP-Address attribute in the RADIUS probe carry the IP addresses of endpoints, along with their MAC addresses, which can be mapped and stored in the ARP cache.
NetFlow Probe
The Cisco ISE profiler implements Cisco IOS NetFlow Version 9. We recommend using NetFlow Version 9, which has additional functionality needed to enhance the profiler to support the Cisco ISE profiling service. You can collect NetFlow Version 9 attributes from the NetFlow-enabled network access devices to create an endpoint, or update an existing endpoint in the Cisco ISE database. You can configure NetFlow Version 9 to attach the source and destination MAC addresses of endpoints and update them. You can also create a dictionary of NetFlow attributes to support NetFlow-based profiling.
For more information on the NetFlow Version 9 Record Format, see Table 6, "NetFlow Version 9 Field Type Definitions" of the NetFlow Version 9 Flow-Record Format document.
In addition, Cisco ISE supports NetFlow versions earlier than Version 5. If you use NetFlow Version 5 in your network, then you can use Version 5 only on the primary network access device (NAD) at the access layer because it will not work anywhere else.