Cisco Identity Services Engine Administrator Guide, Release 1.3

Profiling Network Scan Actions
NMAP SNMP Port Scan

The SNMPPortsAndOS-scan type scans the operating system (and OS version) that an endpoint is running and triggers an SNMP Query when the SNMP ports (161 and 162) are open. It can be used for endpoints that are identified and matched initially with the Unknown profile, for better classification.

The following NMAP command scans the SNMP ports (UDP 161 and 162) when you associate the Scan SNMP Port action with an endpoint profiling policy:

    nmap -sU -p U:161,162 -oN /opt/CSCOcpm/logs/nmap.log --append-output -oX - <IP-address>

Table 31: NMAP Commands for an Endpoint SNMP Port Scan

    -sU           UDP scan.
    -p            Scans only the specified ports. For example, scans UDP ports 161 and 162.
    -oN           Normal output.
    -oX           XML output.
    IP-address    IP address of the endpoint that is scanned.

NMAP Common Ports Scan

The CommonPortsAndOS-scan type scans the operating system (and OS version) that an endpoint is running and common ports (TCP and UDP), but not SNMP ports. The following NMAP command scans common ports when you associate the Scan Common Port action with an endpoint profiling policy:

    nmap -sTU -p T:21,22,23,25,53,80,110,135,139,143,443,445,3306,3389,8080,U:53,67,68,123,135,137,138,139,161,445,500,520,631,1434,1900 -oN /opt/CSCOcpm/logs/nmap.log --append-output -oX - <IP-address>

Table 32: NMAP Commands for an Endpoint Common Ports Scan

    -sTU          Both TCP connect scan and UDP scan.
    -p            Scans TCP ports 21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 443, 445, 3306, 3389, 8080 and UDP ports 53, 67, 68, 123, 135, 137, 138, 139, 161, 445, 500, 520, 631, 1434, 1900.
    -oN           Normal output.
    -oX           XML output.
    IP-address    IP address of the endpoint that is scanned.

Common Ports

The following table lists the common ports that NMAP uses for scanning.

Table 33: Common Ports

    UDP Ports                        TCP Ports
    Service          Port            Service          Port
    domain           53/udp          ftp              21/tcp
    dhcps            67/udp          ssh              22/tcp
    dhcpc            68/udp          telnet           23/tcp
    ntp              123/udp         smtp             25/tcp
    msrpc            135/udp         domain           53/tcp
    netbios-ns       137/udp         http             80/tcp
    netbios-dgm      138/udp         pop3             110/tcp
    netbios-ssn      139/udp         msrpc            135/tcp
    snmp             161/udp         netbios-ssn      139/tcp
    microsoft-ds     445/udp         imap             143/tcp
    isakmp           500/udp         https            443/tcp
    route            520/udp         microsoft-ds     445/tcp
    ms-sql-m         1434/udp        ms-term-serv     3389/tcp
    upnp             1900/udp        http-proxy       8080/tcp

Note that the command in the NMAP Common Ports Scan section also scans 3306/tcp, which this table does not list, and that both that command and this table include 161/udp (snmp) even though the scan type is described as excluding SNMP ports. What distinguishes the two scan types on this page is that only the SNMP port scan is described as triggering an SNMP Query when 161 or 162 is open.

Create a Profiler Condition

Endpoint profiling policies in Cisco ISE allow you to categorize discovered endpoints on your network, and assign them to specific endpoint identity groups. These endpoint profiling policies are made up of profiling conditions that Cisco ISE evaluates to categorize and group endpoints.

Before You Begin

To perform the following task, you must be a Super Admin or Policy Admin.
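Both network scan actions above emit the scan result as nmap XML on standard output (-oX -), and the SNMP port scan is described as triggering an SNMP Query when UDP 161 or 162 is open. The following parser is an added example, not Cisco ISE code, showing how such a report is turned into the facts the profiler acts on: the scanned address, the ports that are definitely open, the best OS match, and whether the SNMP query should be triggered. The XML embedded below is a constructed sample shaped like real nmap output (nmaprun/host/ports/port/state/service/os/osmatch are standard nmap XML element names); the address and OS strings in it are illustrative.

```python
"""Parse an nmap XML report ("-oX -") into the facts an endpoint profiler needs.

Added example, not Cisco ISE code.  SAMPLE_NMAP_XML is constructed; the element
and attribute names follow the nmap XML output format.
"""
import xml.etree.ElementTree as ET

SNMP_UDP_PORTS = {161, 162}

SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sU -p U:161,162 -oX - 10.0.0.5">
  <host>
    <status state="up"/>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <address addr="00:11:22:33:44:55" addrtype="mac"/>
    <ports>
      <port protocol="udp" portid="161">
        <state state="open" reason="udp-response"/>
        <service name="snmp" method="table"/>
      </port>
      <port protocol="udp" portid="162">
        <state state="open|filtered" reason="no-response"/>
        <service name="snmptrap" method="table"/>
      </port>
    </ports>
    <os>
      <osmatch name="Cisco IOS 15.X" accuracy="95"/>
      <osmatch name="Cisco IOS 12.X" accuracy="90"/>
    </os>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return one dict per scanned host: ip, open ports, best OS match."""
    root = ET.fromstring(xml_text)
    results = []
    for host in root.findall("host"):
        ip = None
        for addr in host.findall("address"):
            if addr.get("addrtype") in ("ipv4", "ipv6"):
                ip = addr.get("addr")
        open_ports = []  # (protocol, port, service name)
        for port in host.findall("./ports/port"):
            state = port.find("state")
            # Only a definite "open" counts.  A UDP port that never answers is
            # reported as "open|filtered", which is not evidence of a listener.
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            open_ports.append((port.get("protocol"), int(port.get("portid")),
                               svc.get("name") if svc is not None else None))
        best_os, best_acc = None, -1
        for m in host.findall("./os/osmatch"):
            acc = int(m.get("accuracy", "0"))
            if acc > best_acc:          # keep the first of equally accurate matches
                best_os, best_acc = m.get("name"), acc
        results.append({"ip": ip, "open_ports": open_ports,
                        "os": best_os, "os_accuracy": best_acc})
    return results


def snmp_query_should_trigger(host_result):
    """True when a definite open UDP 161 or 162 was seen, the condition the
    page gives for the SNMP port scan to trigger an SNMP Query."""
    return any(proto == "udp" and port in SNMP_UDP_PORTS
               for proto, port, _ in host_result["open_ports"])


if __name__ == "__main__":
    for h in parse_nmap_xml(SAMPLE_NMAP_XML):
        print(h["ip"], h["os"], h["open_ports"], snmp_query_should_trigger(h))
```

In the sample, 162/udp is only "open|filtered" (no response), so it is not counted; 161/udp answered and is what triggers the query. Feeding the parser the output of the Common Ports command instead gives the TCP and UDP listeners that the CommonPortsAndOS-scan type collects.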
Procedure

Step 1  Choose Policy > Policy Elements > Conditions > Profiling > Add.
Step 2  Enter values for the fields as described in the Endpoint Profiling Policies Settings, on page 819.
Step 3  Click Submit to save the profiler condition.
Step 4  Repeat this procedure to create more conditions.

Endpoint Profiling Policy Rules

You can define a rule that allows you to choose one or more profiling conditions that were previously created and saved in the policy elements library, and to associate an integer value for the certainty factor with each condition, or to associate either an exception action or a network scan action with that condition. The exception action or the network scan action triggers the configured action while Cisco ISE is evaluating the profiling policies with respect to the overall classification of endpoints.

The rules in a given policy are evaluated separately (that is, with an OR operator), and the certainty metric of each rule that matches contributes to the overall matching of the endpoint into a specific category of endpoints. If the rules of an endpoint profiling policy match, then the profiling policy and the matched policy are the same for that endpoint when it is dynamically discovered on your network.

Logically Grouped Conditions in Rules

An endpoint profiling policy (profile) contains a single condition or a combination of multiple single conditions that are logically combined using an AND or OR operator, against which you can check, categorize, and group endpoints for a given rule in a policy.

A condition checks the collected endpoint attribute value against the value specified in the condition. If you map more than one attribute, you can logically group the conditions, which helps you categorize endpoints on your network. You can check endpoints against one or more such conditions with a corresponding certainty metric (an integer value that you define) associated with them in a rule, or trigger an exception action or a network scan action that is associated with the condition.
Certainty Factor

The minimum certainty factor in the profiling policy determines whether a profile matches an endpoint. Each rule in an endpoint profiling policy has a certainty metric (an integer value) associated with its profiling conditions. The certainty metric is added up over all the valid rules in an endpoint profiling policy, and measures how much each condition contributes to improving the overall classification of endpoints.

The certainty metric of each rule contributes to the overall matching of the endpoint into a specific category of endpoints. The certainty metrics of all the valid (matching) rules are added together to form the matching certainty, which must equal or exceed the minimum certainty factor that is defined in the endpoint profiling policy. By default, the minimum certainty factor for all new profiling policy rules and predefined profiling policies is 10, so a single matching rule with a certainty of 10 is enough to match a default policy.
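The following Python model, an added example that is not Cisco ISE code, puts the preceding sections together: conditions compare a collected attribute with a value, a rule groups conditions with AND or OR and carries a certainty factor, the certainties of all matching rules are summed against the policy's minimum certainty factor, and policies form the parent/child hierarchy described later under Predefined Endpoint Profiling Policies, where an endpoint must match Cisco-Device before Cisco-IP-Phone before Cisco-IP-Phone 7960. The attribute names (OUI, cdpCachePlatform, cdpCacheCapabilities), the condition values and the endpoint attribute sets are constructed for illustration and are not the conditions shipped with ISE; the tie-break between matching sibling policies is this example's choice.

```python
"""Endpoint profiling policy evaluation: AND/OR-grouped conditions, summed
certainty factors against a minimum certainty factor, and parent-first
hierarchical matching.  Added example, not Cisco ISE code; sample policies,
attribute names and endpoints are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Condition:
    attribute: str
    operator: str            # "equals" or "contains"
    value: str

    def matches(self, attrs: Dict[str, str]) -> bool:
        actual = attrs.get(self.attribute)
        if actual is None:
            return False
        if self.operator == "equals":
            return actual == self.value
        if self.operator == "contains":
            return self.value in actual
        raise ValueError(f"unknown operator {self.operator!r}")


@dataclass
class Rule:
    conditions: List[Condition]
    certainty: int                     # integer certainty factor for this rule
    group: str = "AND"                 # how the conditions are logically grouped
    scan_action: Optional[str] = None  # network scan action triggered on match

    def matches(self, attrs: Dict[str, str]) -> bool:
        results = [c.matches(attrs) for c in self.conditions]
        return all(results) if self.group == "AND" else any(results)


@dataclass
class Policy:
    name: str
    rules: List[Rule]
    min_certainty: int = 10            # the page's default for new policies
    parent: Optional[str] = None


def matching_certainty(policy: Policy, attrs: Dict[str, str]) -> int:
    """Rules are evaluated separately (OR-ed); sum the certainty of those that match."""
    return sum(r.certainty for r in policy.rules if r.matches(attrs))


def policy_matches(policy: Policy, attrs: Dict[str, str]) -> bool:
    # The minimum certainty factor is a threshold the summed certainty must reach.
    return matching_certainty(policy, attrs) >= policy.min_certainty


def triggered_scan_actions(policy: Policy, attrs: Dict[str, str]) -> List[str]:
    return [r.scan_action for r in policy.rules if r.scan_action and r.matches(attrs)]


def match_endpoint(policies: List[Policy], attrs: Dict[str, str]) -> str:
    """Start at the generic (parent-less) policies, descend only into children of
    a policy that matched, and return the deepest match, or Unknown."""
    by_parent: Dict[Optional[str], List[Policy]] = {}
    for p in policies:
        by_parent.setdefault(p.parent, []).append(p)
    matched, candidates = "Unknown", by_parent.get(None, [])
    while candidates:
        hits = [p for p in candidates if policy_matches(p, attrs)]
        if not hits:
            break
        # Tie-break between matching siblings by matching certainty (example's choice).
        best = max(hits, key=lambda p: matching_certainty(p, attrs))
        matched, candidates = best.name, by_parent.get(best.name, [])
    return matched


# Constructed hierarchy mirroring the page's Cisco-Device example.
SAMPLE_POLICIES = [
    Policy("Cisco-Device", [Rule([Condition("OUI", "contains", "Cisco")], 10)]),
    Policy("Cisco-IP-Phone", parent="Cisco-Device",
           rules=[Rule([Condition("cdpCachePlatform", "contains", "IP Phone")], 10,
                       scan_action="SNMPPortsAndOS-scan")]),
    Policy("Cisco-IP-Phone-7960", parent="Cisco-IP-Phone", min_certainty=20,
           rules=[Rule([Condition("cdpCachePlatform", "contains", "7960"),
                        Condition("cdpCacheCapabilities", "contains", "H")], 10, group="OR"),
                  Rule([Condition("cdpCachePlatform", "equals", "Cisco IP Phone 7960")], 10)]),
]

# Constructed collected-attribute sets for a few endpoints.
SAMPLE_ENDPOINTS = {
    "phone-7960": {"OUI": "Cisco Systems, Inc", "cdpCachePlatform": "Cisco IP Phone 7960",
                   "cdpCacheCapabilities": "H;P"},
    "phone-7965": {"OUI": "Cisco Systems, Inc", "cdpCachePlatform": "Cisco IP Phone 7965",
                   "cdpCacheCapabilities": "H"},
    "switch": {"OUI": "Cisco Systems, Inc", "cdpCachePlatform": "cisco WS-C3750G-24TS"},
    "printer": {"OUI": "Hewlett Packard"},
}

if __name__ == "__main__":
    for name, attrs in SAMPLE_ENDPOINTS.items():
        print(f"{name:12s} -> {match_endpoint(SAMPLE_POLICIES, attrs)}")
```

The phone-7965 endpoint shows the threshold at work: it satisfies the OR-grouped rule of the 7960 policy (certainty 10) but not the exact-platform rule, so its matching certainty of 10 falls short of that policy's minimum of 20 and it stays at the parent Cisco-IP-Phone profile, which is also the point at which the associated network scan action would be triggered.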
Create Endpoint Profiling Policies

You can use the Profiling Policies page to manage the endpoint profiling policies that you create as an administrator of Cisco ISE, and also the endpoint profiling policies that Cisco ISE provides when it is deployed.

You can create new profiling policies to profile endpoints by using the following options in the New Profiler Policy page:

• Policy Enabled
• Create an Identity Group for the policy, to create a matching endpoint identity group or to use the endpoint identity group hierarchy
• Parent Policy
• Associated CoA Type

Note: When you create an endpoint policy in the Profiling Policies page, do not use the Stop button on your web browser. Doing so stops loading the New Profiler Policy page, loads other list pages and the menus within the list pages when you access them, and prevents you from performing operations on all the menus within the list pages except the Filter menus. You might need to log out of Cisco ISE and log in again to perform operations on all the menus within the list pages.

You can create a profiling policy with similar characteristics by duplicating an endpoint profiling policy, which lets you modify an existing profiling policy instead of creating a new one by redefining all its conditions.

Procedure

Step 1  Choose Policy > Profiling > Profiling Policies.
Step 2  Click Add.
Step 3  Enter a name and description for the new endpoint policy that you want to create. The Policy Enabled check box is checked by default to include the endpoint profiling policy for validation when you profile an endpoint.
Step 4  Enter a value for the minimum certainty factor within the valid range 1 to 65535.
Step 5  Click the arrow next to the Exception Action drop-down list to associate an exception action, or click the arrow next to the Network Scan (NMAP) Action drop-down list to associate a network scan action.
Step 6  Choose one of the following options for Create an Identity Group for the policy:
        • Yes, create matching Identity Group
        • No, use existing Identity Group hierarchy
Step 7  Click the arrow next to the Parent Policy drop-down list to associate a parent policy with the new endpoint policy.
Step 8  Choose a CoA type to be associated in the Associated CoA Type drop-down list.
Step 9  Click in the rule to add conditions and associate an integer value for the certainty factor with each condition, or associate either an exception action or a network scan action with that condition, for the overall classification of an endpoint.
Step 10 Click Submit to add the endpoint policy, or click the Profiler Policy List link on the New Profiler Policy page to return to the Profiling Policies page.

Change of Authorization Configuration per Endpoint Profiling Policy

In addition to the global configuration of change of authorization (CoA) types in Cisco ISE, you can also configure a specific type of CoA to be issued for each endpoint profiling policy.

The global No CoA type configuration overrides every CoA type configured in an endpoint profiling policy. If the global CoA type is set to anything other than No CoA, then each endpoint profiling policy is allowed to override the global CoA configuration.

When a CoA is triggered, each endpoint profiling policy can determine the actual CoA type, as follows:

• General Setting—This is the default setting for all endpoint profiling policies; it issues a CoA per the global configuration.
• No CoA—This setting overrides any global configuration and disables CoA for the profile.
• Port Bounce—This setting overrides the global Port Bounce and Reauth configuration types, and issues a port bounce CoA.
• Reauth—This setting overrides the global Port Bounce and Reauth configuration types, and issues a reauthentication CoA.

Note: If the profiler global CoA configuration is set to Port Bounce (or Reauth), ensure that you configure the corresponding endpoint profiling policies with No CoA, the per-policy CoA option, so that the BYOD flow does not break for your mobile devices.

The following table summarizes, for every combination of global and per-policy setting, the CoA type that is actually issued.
Table 34: CoA Type Issued for Various Combinations of Configuration

    Global CoA Type   Default CoA Type    No CoA Type    Port Bounce Type   Reauth Type
                      set per Policy      per Policy     per Policy         per Policy
    No CoA            No CoA              No CoA         No CoA             No CoA
    Port Bounce       Port Bounce         No CoA         Port Bounce        Re-Auth
    Reauth            Reauth              No CoA         Port Bounce        Re-Auth
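The precedence behind Table 34 is two rules: a global No CoA wins over every per-policy setting, and otherwise a per-policy No CoA, Port Bounce or Reauth overrides the global type while General Setting defers to it. The following function is an added example, not Cisco ISE code, that encodes those rules so the table can be regenerated and checked, and includes the check behind the BYOD note above (that a mobile-device policy ends up issuing no CoA when the global setting is Port Bounce or Reauth). The string labels are this example's own.

```python
"""Resolve the CoA type actually issued from the global profiler CoA setting
and a policy's Associated CoA Type.  Added example, not Cisco ISE code."""
NO_COA, PORT_BOUNCE, REAUTH = "No CoA", "Port Bounce", "Reauth"
GENERAL_SETTING = "General Setting"          # per-policy default: follow global
GLOBAL_TYPES = (NO_COA, PORT_BOUNCE, REAUTH)
PER_POLICY_TYPES = (GENERAL_SETTING, NO_COA, PORT_BOUNCE, REAUTH)


def issued_coa(global_type: str, per_policy: str = GENERAL_SETTING) -> str:
    """CoA type issued when a CoA is triggered for an endpoint of this policy."""
    if global_type not in GLOBAL_TYPES:
        raise ValueError(f"unknown global CoA type {global_type!r}")
    if per_policy not in PER_POLICY_TYPES:
        raise ValueError(f"unknown per-policy CoA type {per_policy!r}")
    if global_type == NO_COA:
        return NO_COA              # a global No CoA cannot be overridden per policy
    if per_policy == GENERAL_SETTING:
        return global_type         # default: issue the globally configured type
    return per_policy              # per-policy No CoA / Port Bounce / Reauth wins


def coa_table() -> dict:
    """Every (global, per-policy) combination, for checking against Table 34."""
    return {(g, p): issued_coa(g, p) for g in GLOBAL_TYPES for p in PER_POLICY_TYPES}


def policy_suppresses_coa(global_type: str, per_policy: str) -> bool:
    """The check behind the BYOD note: with a global Port Bounce or Reauth, a
    policy for mobile devices must be set to No CoA so that no CoA is issued."""
    return issued_coa(global_type, per_policy) == NO_COA


if __name__ == "__main__":
    for (g, p), issued in coa_table().items():
        print(f"global={g:12s} policy={p:16s} -> {issued}")
```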
Import Endpoint Profiling Policies

You can import endpoint profiling policies from an XML file that uses the same format as the file created by the export function. If you import newly created profiling policies that have parent policies associated with them, the parent policies must be defined before the child policies.

The imported file contains the hierarchy of endpoint profiling policies: the parent policy first, then the profile that you imported, along with the rules and checks that are defined in the policy.

Procedure

Step 1  Choose Policy > Profiling > Profiling Policies.
Step 2  Click Import.
Step 3  Click Browse to locate the file that you previously exported and want to import.
Step 4  Click Submit.
Step 5  Click the Profiler Policy List link to return to the Profiling Policies page.

Export Endpoint Profiling Policies

You can export endpoint profiling policies to other Cisco ISE deployments, or use the XML file as a template for creating your own policies to import. You can also download the file to your system in the default location, to be used for importing later.

When you export endpoint profiling policies, a dialog prompts you to open profiler_policies.xml with an appropriate application or to save it. This is a file in XML format that you can open in a web browser or in other appropriate applications.

Procedure

Step 1  Choose Policy > Profiling > Profiling Policies.
Step 2  Choose Export, and choose one of the following:
        • Export Selected—Export only the endpoint profiling policies selected in the Profiling Policies page.
        • Export Selected with Endpoints—Export the selected endpoint profiling policies, and the endpoints that are profiled with those policies.
        • Export All—Export all the profiling policies in the Profiling Policies page (the default).
Step 3  Click OK to export the endpoint profiling policies to the profiler_policies.xml file.
Predefined Endpoint Profiling Policies

Cisco ISE includes predefined default profiling policies when it is deployed, and their hierarchical construction allows you to categorize identified endpoints on your network and assign them to matching endpoint identity groups. Because endpoint profiling policies are hierarchical, the Profiling Policies page displays the list of generic (parent) policies for devices and the child policies that are associated with those parent policies.

The Profiling Policies page displays endpoint profiling policies with their names, type, description, and status (whether or not they are enabled for validation).

The endpoint profiling policy types are classified as follows:

• Cisco Provided—Endpoint profiling policies that are predefined in Cisco ISE are identified as the Cisco Provided type.
  ◦ Administrator Modified—Endpoint profiling policies are identified as the Administrator Modified type when you modify predefined endpoint profiling policies. Cisco ISE overwrites the changes that you have made to the predefined endpoint profiling policies during an upgrade.
    You can delete administrator-modified policies, but Cisco ISE replaces them with up-to-date versions of the Cisco-provided policies.
• Administrator Created—Endpoint profiling policies that you create, or that result from duplicating Cisco-provided endpoint profiling policies, are identified as the Administrator Created type.

We recommend that you create a generic policy (a parent) for a set of endpoints, from which its children can inherit the rules and conditions. When an endpoint is classified, the endpoint profile has to first match the parent, and then its descendant (child) policies.

For example, Cisco-Device is a generic endpoint profiling policy for all Cisco devices, and the other policies for Cisco devices are children of Cisco-Device. For an endpoint to be classified as a Cisco-IP-Phone 7960, the endpoint profile for that endpoint has to first match the parent Cisco-Device policy, then its child Cisco-IP-Phone policy, and then the Cisco-IP-Phone 7960 profiling policy, for better classification.
Predefined Endpoint Profiling Policies Overwritten During Upgrade

You can edit existing endpoint profiling policies in the Profiling Policies page. When you want to modify the predefined endpoint profiling policies, you must also save all your configurations in a copy of the predefined endpoint profiles, because during an upgrade Cisco ISE overwrites any configuration that you have saved in the predefined endpoint profiles.

Unable to Delete Endpoint Profiling Policies

You can delete selected endpoint profiling policies, or all of them, in the Profiling Policies page. By default, you can delete all the endpoint profiling policies from the Profiling Policies page. When you select all the endpoint profiling policies and try to delete them, some of them may not be deleted: a policy that is a parent of other endpoint profiling policies, or one that is mapped to an authorization policy (and possibly also a parent of other endpoint profiling policies), cannot be deleted.

For example,
• You cannot delete Cisco Provided endpoint profiling policies.
• You cannot delete a parent profile in the Profiling Policies page when an endpoint profile is defined as a parent of other endpoint profiles. For example, Cisco-Device is a parent of other endpoint profiling policies for Cisco devices.
• You cannot delete an endpoint profile when it is mapped to an authorization policy. For example, Cisco-IP-Phone is mapped to the Profiled Cisco IP Phones authorization policy, and it is also a parent of other endpoint profiling policies for Cisco IP Phones.

Predefined Profiling Policies for Draeger Medical Devices

Cisco ISE contains default endpoint profiling policies that include a generic policy for Draeger medical devices, a policy for the Draeger-Delta medical device, and a policy for the Draeger-M300 medical device. Both medical devices share ports 2050 and 2150, and therefore you cannot distinguish the Draeger-Delta and Draeger-M300 medical devices when you are using only the default Draeger endpoint profiling policies.

If these Draeger devices share ports 2050 and 2150 in your environment, you must add a rule, in addition to the port checks, that checks the device destination IP address in the default Draeger-Delta and Draeger-M300 endpoint profiling policies, so that you can distinguish these medical devices.

Cisco ISE includes the following profiling conditions, which are used in the endpoint profiling policies for the Draeger medical devices:

• Draeger-Delta-PortCheck1, which contains port 2000
• Draeger-Delta-PortCheck2, which contains port 2050
• Draeger-Delta-PortCheck3, which contains port 2100
• Draeger-Delta-PortCheck4, which contains port 2150
• Draeger-M300PortCheck1, which contains port 1950
• Draeger-M300PortCheck2, which contains port 2050
• Draeger-M300PortCheck3, which contains port 2150

Endpoint Profiling Policy for Unknown Endpoints

An endpoint that does not match existing profiles and cannot be profiled in Cisco ISE is an unknown endpoint. The Unknown profile is the default system profiling policy that is assigned to an endpoint whose collected attribute, or set of attributes, does not match any existing profile in Cisco ISE.
The Unknown profile is assigned in the following scenarios:

• When an endpoint is dynamically discovered in Cisco ISE and there is no matching endpoint profiling policy for that endpoint, it is assigned the Unknown profile.
• When an endpoint is statically added in Cisco ISE and there is no matching endpoint profiling policy for the statically added endpoint, it is assigned the Unknown profile.
  If you have statically added an endpoint to your network, the statically added endpoint is not profiled by the profiling service in Cisco ISE. You can later change the Unknown profile to an appropriate profile, and Cisco ISE will not reassign the profiling policy that you have assigned.
Endpoint Profiling Policy for Statically Added Endpoints

For a statically added endpoint to be profiled, the profiling service computes a profile for the endpoint by adding a new MATCHEDPROFILE attribute to the endpoint. The computed profile is the profile the endpoint would receive if it were dynamically profiled. This allows you to find a mismatch between the computed profile of a statically added endpoint and the matching profile of a dynamically profiled endpoint.

Endpoint Profiling Policy for Static IP Devices

If you have an endpoint with a statically assigned IP address, you can create a profile for such static IP devices. You must enable the RADIUS probe, or the SNMP Query and SNMP Trap probes, to profile an endpoint that has a static IP address.

Endpoint Profiling Policy Matching

When the profiling conditions defined in one or more rules of a profiling policy are met, Cisco ISE treats the chosen policy as the endpoint's matched policy, not merely an evaluated policy. In this case the static assignment status for that endpoint is set to false in the system. It can be set to true after the endpoint is statically reassigned to an existing profiling policy, by using the static assignment feature while editing the endpoint.

The following apply to the matched policies of endpoints:

• For statically assigned endpoints, the profiling service computes the MATCHEDPROFILE.
• For dynamically assigned endpoints, the MATCHEDPROFILE is identical to the matching endpoint profile.

You can determine a matching profiling policy for dynamic endpoints using one or more rules that are defined in a profiling policy, and assign an appropriate endpoint identity group for categorization.

When an endpoint is mapped to an existing policy, the profiling service searches the hierarchy of profiling policies for the closest parent profile that has a matching group of policies, and assigns the endpoint to the appropriate endpoint policy.
Endpoint Profiling Policies Used for Authorization

You can use an endpoint profiling policy in authorization rules: create a new condition that checks the endpoint profiling policy as an attribute, where the attribute value is the name of the endpoint profiling policy. You select the endpoint profiling policy from the EndPoints dictionary, which includes the following attributes: PostureApplicable, EndPointPolicy, LogicalProfile, and BYODRegistration.

You can define an authorization rule that includes a combination of EndPointPolicy, BYODRegistration, and identity groups.