Cisco ISE 1.3 User Guide
• Global No CoA Setting overrides Policy CoA—Global No CoA overrides all configuration settings in endpoint profiling policies as there is no CoA issued in Cisco ISE irrespective of CoA configured per endpoint profiling policy.

Note: No CoA and Reauth CoA configurations are not affected, and the profiler service applies the same CoA configuration for wired and wireless endpoints.

Change of Authorization Issued for Each Type of CoA Configuration

Table 28: Change of Authorization Issued for Each Type of CoA Configuration

Scenario: Global CoA configuration in Cisco ISE (typical configuration)
    No CoA Configuration: No CoA
    Port Bounce Configuration: Port Bounce
    Reauth Configuration: Reauthentication
    Additional Information: —

Scenario: An endpoint is disconnected on your network
    No CoA Configuration: No CoA
    Port Bounce Configuration: No CoA
    Reauth Configuration: No CoA
    Additional Information: Change of authorization is determined by the RADIUS attribute Acct-Status-Type value Stop.

Scenario: Wired with multiple active sessions on the same switch port
    No CoA Configuration: No CoA
    Port Bounce Configuration: Reauthentication
    Reauth Configuration: Reauthentication
    Additional Information: Reauthentication avoids disconnecting other sessions.

Scenario: Wireless endpoint
    No CoA Configuration: No CoA
    Port Bounce Configuration: Packet-of-Disconnect CoA (Terminate Session)
    Reauth Configuration: Reauthentication
    Additional Information: Support to Wireless LAN Controller.

Scenario: Incomplete CoA data
    No CoA Configuration: No CoA
    Port Bounce Configuration: No CoA
    Reauth Configuration: No CoA
    Additional Information: Due to missing RADIUS attributes.

Attribute Filters for ISE Database Persistence and Performance

Cisco ISE implements filters for Dynamic Host Configuration Protocol (both DHCP Helper and DHCP SPAN), HTTP, RADIUS, and Simple Network Management Protocol probes, except for the NetFlow probe, to address performance degradation. Each probe filter contains the list of attributes that are temporal and irrelevant for endpoint profiling and removes those attributes from the attributes collected by the probes.

Cisco Identity Services Engine Administrator Guide, Release 1.3
The ise bootstrap log (isebootstrap-yyyymmdd-xxxxxx.log) contains messages that handle the creation of dictionaries and the filtering of attributes from the dictionaries. You can also configure a debug message to be logged when endpoints go through the filtering phase, to indicate that filtering has occurred.

The Cisco ISE profiler invokes the following endpoint attribute filters:

• A DHCP filter for both the DHCP Helper and DHCP SPAN contains all the attributes that are not necessary, and they are removed after parsing DHCP packets. The attributes that remain after filtering are merged with existing attributes in the endpoint cache for an endpoint.
• An HTTP filter is used for filtering attributes from HTTP packets, where there is no significant change in the set of attributes after filtering.
• A RADIUS filter is used once the syslog parsing is complete and endpoint attributes are merged into the endpoint cache for profiling.
• The SNMP filter for SNMP Query includes separate CDP and LLDP filters, which are all used for the SNMP-Query probe.

Global Setting to Filter Endpoint Attributes with Whitelist

You can reduce the number of persistence events and replication events by reducing the number of endpoint attributes that do not change frequently at the collection point. Enabling the EndPoint Attribute Filter will have the Cisco ISE profiler keep only significant attributes and discard all other attributes. Significant attributes are those used by the Cisco ISE system or those used specifically in an endpoint profiling policy or rule.

A whitelist is a set of attributes that are used in custom endpoint profiling policies for profiling endpoints, and that are essential for Change of Authorization (CoA), Bring Your Own Device (BYOD), Device Registration WebAuth (DRW), and so on to function in Cisco ISE as expected. The whitelist is always used as a criterion when ownership changes for the endpoint (when attributes are collected by multiple Policy Service nodes), even when disabled.

By default, the whitelist is disabled and the attributes are dropped only when the attribute filter is enabled.
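The whitelist behaviour described above, modelled as an added example (this is not Cisco ISE code): the whitelist is rebuilt from the attributes referenced by profiling policy rules plus an essential set, and collected attributes outside it are dropped only while the filter is enabled. The policy layout, the attribute values and the choice of which Table 29 attributes count as essential are constructed assumptions.

```python
# Endpoint attribute whitelist filter modelled on the behaviour described
# above. Added illustration, not Cisco ISE code: policy layout, attribute
# values and the choice of "essential" attributes are constructed.

# A few attributes taken from Table 29; which ones ISE treats as essential
# for CoA/BYOD/DRW is not stated, so this subset is an assumption.
ESSENTIAL_ATTRIBUTES = {
    "MACAddress", "OUI", "Calling-Station-ID", "NAS-IP-Address",
    "Framed-IP-Address", "EndPointPolicy", "DeviceRegistrationStatus",
}

# Constructed endpoint profiling policies: a policy is a list of rules and a
# rule is a list of (attribute, operator, value) conditions.
PROFILING_POLICIES = {
    "Apple-Device": [[("OUI", "CONTAINS", "Apple")]],
    "Cisco-IP-Phone": [[("cdpCachePlatform", "CONTAINS", "Cisco IP Phone"),
                        ("lldpSystemDescription", "CONTAINS", "Cisco")]],
}

def build_whitelist(policies, essential=ESSENTIAL_ATTRIBUTES):
    """Whitelist = every attribute referenced by a policy rule plus the
    essential set. Call again whenever policies change (e.g. a feed update)
    so the whitelist stays in step with the policies."""
    names = set(essential)
    for rules in policies.values():
        for rule in rules:
            names.update(attr for attr, _op, _val in rule)
    return frozenset(names)

def filter_attributes(collected, whitelist, filter_enabled=True):
    """Drop attributes absent from the whitelist at collection time. With the
    EndPoint Attribute Filter disabled, everything collected is kept."""
    if not filter_enabled:
        return dict(collected)
    return {k: v for k, v in collected.items() if k in whitelist}

# Constructed sample of what DHCP and RADIUS probes might collect; the last
# two are temporal values that no policy uses and should be discarded.
SAMPLE_COLLECTED = {
    "MACAddress": "00:11:22:33:44:55",
    "OUI": "Apple, Inc.",
    "Framed-IP-Address": "10.0.0.5",
    "dhcp-parameter-request-list": "1,3,6,15",
    "Acct-Session-Time": "42",
}

def demo():
    """Filter the sample with the whitelist built from the sample policies."""
    return filter_attributes(SAMPLE_COLLECTED, build_whitelist(PROFILING_POLICIES))
```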
The whitelist is dynamically updated when endpoint profiling policies change, including changes from the feed, to include new attributes used in the profiling policies. Any attribute that is not present in the whitelist is dropped immediately at the time of collection, and the attribute cannot participate in profiling endpoints. When combined with the buffering, the number of persistence events can be reduced.

You must ensure that the whitelist contains a set of attributes determined from the following two sources:

• A set of attributes that are used in the default profiles so that you can match endpoints to the profiles.
• A set of attributes that are essential for Change of Authorization (CoA), Bring Your Own Device (BYOD), Device Registration WebAuth (DRW), and so on to function as expected.

Table 29: Whitelist Attributes

AAA-Server                      BYODRegistration
Calling-Station-ID              CertificateExpirationDate
CertificateIssueDate            CertificateIssuerName
CertificateSerialNumber         Description
DestinationIPAddress            DeviceIdentifier
DeviceName                      DeviceRegistrationStatus
EndPointPolicy                  EndPointPolicyID
EndPointProfilerServer          EndPointSource
FQDN                            FirstCollection
Framed-IP-Address               IdentityGroup
IdentityGroupID                 IdentityStoreGUID
IdentityStoreName               L4_DST_PORT
LastNmapScanTime                MACAddress
MatchedPolicy                   MatchedPolicyID
NADAddress                      NAS-IP-Address
NAS-Port-Id                     NAS-Port-Type
NmapScanCount                   NmapSubnetScanID
OSVersion                       OUI
PolicyVersion                   PortalUser
PostureApplicable               Product
RegistrationTimeStamp           —
StaticAssignment                StaticGroupAssignment
TimeToProfile                   TotalCertaintyFactor
User-Agent                      cdpCacheAddress
cdpCacheCapabilities            cdpCacheDeviceId
cdpCachePlatform                cdpCacheVersion
ciaddr                          dhcp-class-identifier
dhcp-requested-address          host-name
hrDeviceDescr                   ifIndex
ip                              lldpCacheCapabilities
lldpCapabilitiesMapSupported    lldpSystemDescription
operating-system                sysDescr
161-udp                         —

Attributes Collection from IOS Sensor Embedded Switches

An IOS sensor integration allows the Cisco ISE runtime and the Cisco ISE profiler to collect any or all of the attributes that are sent from the switch. You can collect DHCP, CDP, and LLDP attributes directly from the switch by using the RADIUS protocol. The attributes that are collected for DHCP, CDP, and LLDP are then parsed and mapped to attributes in the profiler dictionaries in the following location: Policy > Policy Elements > Dictionaries.

For information about the supported Catalyst platforms for Device sensors, see https://communities.cisco.com/docs/DOC-72932.

IOS Sensor Embedded Network Access Devices

Integrating IOS sensor embedded network access devices with Cisco ISE involves the following components:

• An IOS sensor
• A data collector that is embedded in the network access device (switch) for gathering DHCP, CDP, and LLDP data
• Analyzers for processing the data and determining the device type of endpoints

  There are two ways of deploying an analyzer, but they are not expected to be used in conjunction with each other:

  ◦ An analyzer can be deployed in Cisco ISE
  ◦ Analyzers can be embedded in the switch as the sensor

Configuration Checklist for IOS Sensor-Enabled Network Access Devices

This section summarizes the list of tasks that you must configure in the IOS sensor-enabled switches and Cisco ISE to collect DHCP, CDP, and LLDP attributes directly from the switch:

• Ensure that the RADIUS probe is enabled in Cisco ISE.
• Ensure that network access devices support an IOS sensor for collecting DHCP, CDP, and LLDP information.
• Ensure that network access devices run the following CDP and LLDP commands to capture CDP and LLDP information from endpoints:

    cdp enable
    lldp run

• Ensure that session accounting is enabled separately by using the standard AAA and RADIUS commands. For example, use the following commands (the host address, ports, and key are placeholders for your own values):

    aaa new-model
    aaa accounting dot1x default start-stop group radius
    radius-server host <ip-address> auth-port <port> acct-port <port> key <shared-secret>
    radius-server vsa send accounting

• Ensure that you run the IOS sensor-specific commands.

  ◦ Enabling Accounting Augmentation

    You must enable the network access devices to add IOS sensor protocol data to the RADIUS accounting messages and to generate additional accounting events when they detect new sensor protocol data. This means that any RADIUS accounting message should include all CDP, LLDP, and DHCP attributes. Enter the following global command:

        device-sensor accounting

  ◦ Disabling Accounting Augmentation

    To stop network access devices from adding IOS sensor protocol data to the RADIUS accounting messages for sessions that are hosted on a given port (if the accounting feature is globally enabled), enter the following command at the appropriate port:

        no device-sensor accounting

  ◦ TLV Change Tracking

    By default, for each supported peer protocol, client notifications and accounting events are generated only when an incoming packet includes a type, length, and value (TLV) that has not been received previously in the context of a given session.

    You must enable client notifications and accounting events for all TLV changes, where there are either new TLVs or previously received TLVs with different values. Enter the following command:

        device-sensor notify all-changes

• Be sure that you disable the IOS Device Classifier (local analyzer) in the network access devices. Enter the following command:

    no macro auto monitor

  Note: This command prevents network access devices from sending two identical RADIUS accounting messages per change.
Profiler Conditions

Profiling conditions are policy elements and are similar to other conditions. However, unlike authentication, authorization, and guest conditions, profiling conditions can be based on only a limited number of attributes. The Profiler Conditions page lists the attributes that are available in Cisco ISE and their descriptions.

Profiler conditions can be one of the following:

• Cisco Provided—Cisco ISE includes predefined profiling conditions when deployed, and they are identified as Cisco Provided in the Profiler Conditions page. You cannot delete Cisco Provided profiling conditions.

  You can also find Cisco Provided conditions in the System profiler dictionaries in the following location: Policy > Policy Elements > Dictionaries > System.

  For example, consider the MAC dictionary. For some products, the OUI (Organizationally Unique Identifier) is a unique attribute that you can use first for identifying the manufacturing organization of devices. It is a component of the device MAC address. The MAC dictionary contains the MACAddress and OUI attributes.

• Administrator Created—Profiler conditions that you create as an administrator of Cisco ISE, or predefined profiling conditions that are duplicated, are identified as Administrator Created. You can create a profiler condition of DHCP, MAC, SNMP, IP, RADIUS, NetFlow, CDP, LLDP, and NMAP types using the profiler dictionaries in the Profiler Conditions page.

Although the recommended upper limit for the number of profiling policies is 1000, you can stretch up to 2000 profiling policies.

Profiling Network Scan Actions

An endpoint scan action is a configurable action that can be referred to in an endpoint profiling policy, and that is triggered when the conditions that are associated with the network scan action are met.

An endpoint scan is used to scan endpoints in order to limit resource usage in the Cisco ISE system. A network scan action scans a single endpoint, unlike resource-intensive network scans. It improves the overall classification of endpoints, and redefines an endpoint profile for an endpoint. Endpoint scans can be processed only one at a time.
You can associate a single network scan action with an endpoint profiling policy. Cisco ISE predefines three scanning types for a network scan action, which can include one or all three scanning types: for instance, an OS-scan, an SNMPPortsAndOS-scan, and a CommonPortsAndOS-scan. You cannot edit or delete OS-scan, SNMPPortsAndOS-scan, and CommonPortsAndOS-scan, which are predefined network scan actions in Cisco ISE. You can also create a new network scan action of your own.

Once an endpoint is appropriately profiled, the configured network scan action cannot be used against that endpoint. For example, scanning an Apple-Device allows you to classify the scanned endpoint as an Apple device. Once an OS-scan determines the operating system that an endpoint is running, it is no longer matched to an Apple-Device profile, but it is matched to an appropriate profile for an Apple device.
Create a New Network Scan Action

A network scan action that is associated with an endpoint profiling policy scans an endpoint for an operating system, Simple Network Management Protocol (SNMP) ports, and common ports. Cisco provides network scan actions for the most common NMAP scans, but you can also create one of your own.

When you create a new network scan, you define the type of information that the NMAP probe will scan for.

Before You Begin

The Network Scan (NMAP) probe must be enabled before you can define a rule to trigger a network scan action. The procedure for that is described in Configure Probes per Cisco ISE Node.

Procedure

Step 1  Choose Policy > Policy Elements > Results > Profiling > Network Scan (NMAP) Actions.
Step 2  Click Add.
Step 3  Enter a name and description for the network scan action that you want to create.
Step 4  Check one or more check boxes when you want to scan an endpoint for the following:
        • Scan OS—To scan for an operating system
        • Scan SNMP Port—To scan SNMP ports (161, 162)
        • Scan Common Port—To scan common ports
Step 5  Click Submit.

NMAP Operating System Scan

The operating system scan (OS-scan) type scans for the operating system (and OS version) that an endpoint is running. This is a resource-intensive scan.

The NMAP tool has limitations on OS-scan which may cause unreliable results. For example, when scanning the operating system of network devices such as switches and routers, the NMAP OS-scan may provide an incorrect operating-system attribute for those devices. Cisco ISE displays the operating-system attribute even if the accuracy is not 100%.

You should configure endpoint profiling policies that use the NMAP operating-system attribute in their rules to have low certainty value conditions (Certainty Factor values). We recommend that whenever you create an endpoint profiling policy based on the NMAP:operating-system attribute, you include an AND condition to help filter out false results from NMAP.
The following NMAP command scans the operating system when you associate Scan OS with an endpoint profiling policy:

    nmap -sS -O -F -oN /opt/CSCOcpm/logs/nmap.log --append-output -oX -

The following NMAP command scans a subnet and sends the output to nmapSubnet.log:

    nmap -O -sU -p U:161,162 -oN /opt/CSCOcpm/logs/nmapSubnet.log --append-output -oX -
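The recommendation above (a low certainty factor for the NMAP operating-system condition, ANDed with a second condition) worked through as an added example; this is not Cisco ISE code. The nmap XML output is a constructed sample in the shape of the -oX output the commands above produce, and the policy rules, certainty values and OUI strings are constructed assumptions.

```python
# Evaluating a profiling rule that uses the NMAP operating-system attribute
# ANDed with a second condition, as recommended above. Added illustration,
# not Cisco ISE code; the XML sample, rules and certainty values are constructed.
import xml.etree.ElementTree as ET

# Constructed nmap -oX output for one host, trimmed to the elements used here.
NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
<host><os>
<osmatch name="Apple Mac OS X 10.9 (Mavericks)" accuracy="90"/>
<osmatch name="Cisco IOS 12.X" accuracy="85"/>
</os></host>
</nmaprun>"""

def parse_operating_system(xml_text):
    """Return (name, accuracy) of the best osmatch, or None if nmap gave none."""
    best = None
    for match in ET.fromstring(xml_text).iter("osmatch"):
        accuracy = int(match.get("accuracy", "0"))
        if best is None or accuracy > best[1]:
            best = (match.get("name"), accuracy)
    return best

def attr_contains(name, text):
    """Condition: endpoint attribute `name` contains `text`."""
    return lambda endpoint: text in (endpoint.get(name) or "")

def total_certainty(endpoint, rules):
    """Sum the certainty factor of every rule whose conditions all hold (AND)."""
    return sum(cf for conds, cf in rules if all(c(endpoint) for c in conds))

# Weak policy: the NMAP guess alone reaches the minimum certainty, so a switch
# or router that nmap misidentifies is classified as an Apple device.
WEAK_RULES = [([attr_contains("operating-system", "Mac OS X")], 10)]
# Hardened policy: the NMAP condition carries low certainty and is ANDed with
# an OUI check, so the OS guess cannot classify a device by itself.
HARDENED_RULES = [
    ([attr_contains("OUI", "Apple")], 5),
    ([attr_contains("operating-system", "Mac OS X"),
      attr_contains("OUI", "Apple")], 5),
]
MINIMUM_CERTAINTY = 10

def matches_apple_device(xml_text, oui, rules):
    """True when the endpoint's total certainty reaches the profile minimum."""
    best = parse_operating_system(xml_text)
    endpoint = {"OUI": oui, "operating-system": best[0] if best else None}
    return total_certainty(endpoint, rules) >= MINIMUM_CERTAINTY
```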
Table 30: NMAP Commands for a Manual Subnet Scan

-O     Enables OS detection
-sU    UDP scan
-p     Scans only specified ports. For example, U:161,162
-oN    Normal output
-oX    XML output

Operating System Ports

The following table lists the TCP ports that NMAP uses for OS scanning. In addition, NMAP uses ICMP and UDP port 51824.