Cisco Ise 13 User Guide
Add Customer Created Resources for AnyConnect from a Local Machine
Add customer created resources like AnyConnect customization and localization packages and AnyConnect profiles from the local machine to Cisco ISE.
Before You Begin
Ensure that customer created resources for AnyConnect are zipped files and available in your local disk.
Procedure
Step 1 Choose Policy > Policy Elements > Results > Client Provisioning > Resources.
Step 2 Click Add.
Step 3 Choose Agent Resources from local disk.
Step 4 Choose Customer Created Packages from the Category drop-down.
Step 5 Enter the name and description for AnyConnect resources.
Step 6 Click Browse to the directory on your local machine where the resource file that you want to download to Cisco ISE resides.
Step 7 Choose the following AnyConnect resources to upload to Cisco ISE:
• AnyConnect customization bundle
• AnyConnect localization bundle
• AnyConnect profile
Step 8 Click Submit.
The Uploaded AnyConnect Resources table displays AnyConnect resources that you add to Cisco ISE.
What to Do Next
Create AnyConnect agent profile
Create Native Supplicant Profiles
You can create native supplicant profiles to enable users to bring their own devices into the Cisco ISE network. When the user signs in, Cisco ISE uses the profile that you associated with that user's authorization requirements to choose the necessary supplicant provisioning wizard. The wizard runs and sets up the user's personal device to access the network.
Note: The provisioning wizard only configures interfaces which are active. Because of this, users with Wired and Wireless connections will not be provisioned for both interfaces, unless they are both active.
Cisco Identity Services Engine Administrator Guide, Release 1.3 (page 525)
Before You Begin
• If you intend to use a TLS device protocol for remote device registration, set up at least one Simple Certificate Enrollment Protocol (SCEP) profile.
• Open up TCP port 8909 and UDP port 8909 to enable installation of Cisco NAC Agent, Cisco NAC Web Agent, and supplicant provisioning wizard. For more information about port usage, see the "Cisco ISE Appliance Ports Reference" appendix in the Cisco Identity Services Engine Hardware Installation Guide.
Procedure
Step 1 Choose Policy > Policy Elements > Results > Client Provisioning > Resources.
Step 2 Choose Add > Native Supplicant Profile.
Step 3 Create a profile, using the field descriptions in Native Supplicant Profile Settings, on page 526.
What to Do Next
Enable self-provisioning capabilities that allow employees to directly connect their personal devices to the network, as described in the Support for multiple Guest Portals section.
Native Supplicant Profile Settings
When you choose Policy > Policy Elements > Results > Client Provisioning > Resources, and add a Native Supplicant Profile, you will see the following settings.
• Name — Name of the native supplicant profile that you are creating, and select which operating system(s) this profile should apply to. Each profile defines settings for a network connection that ISE will apply to the client's native supplicant.
Wireless Profile(s)
Configure one or more Wireless profiles, one for each SSID that you want to make available to the client.
• SSID Name — Name of the SSID that the client will connect to.
• Security — Configure the client to use WPA or WPA2.
• Allowed Protocol — Configure which protocol the client should use to connect to the authentication server; PEAP or EAP-TLS.
• Certificate Template — For TLS, choose one of the certificate templates defined on Administration > System Certificates > Certificate Authority > Certificate Templates.
Optional Settings are described in the section Optional Settings - for Windows.
iOS Settings
• Enable if target network is hidden
Wired Profile
• Allowed Protocol — Configure which protocol the client should use to connect to the authentication server; PEAP or EAP-TLS.
• Certificate Template — For TLS, choose one of the certificate templates defined on Administration > System Certificates > Certificate Authority > Certificate Templates.
Optional Settings - for Windows
If you expand Optional, the following fields are also available for Windows clients.
• Automatically use logon name and password (and domain if any) — If you selected User for authentication mode, use the logon name and password without prompting the user, if that information is available.
• Enable Fast Reconnect — Allow a PEAP session to resume without checking user credentials when the session resume feature is enabled in the PEAP protocol options, which is configured on Administration > System > Settings > Protocols > PEAP.
• Enable Quarantine Checks — Check if the client has been quarantined.
• Disconnect if server does not present cryptobinding TLV — Disconnect if cryptobinding TLV is not supported for the network connection.
• Do not prompt user to authorize new servers or trusted certification authorities — Automatically accept user certificates; do not prompt the user.
• Connect even if the network is not broadcasting its name (SSID) — For Wireless profiles only.
Create AnyConnect Configuration
AnyConnect configuration includes AnyConnect software and its associated configuration files. This configuration can be used in the client provisioning policy that allows users to download and install AnyConnect resources on the clients. If you use both ISE and an ASA to deploy AnyConnect, then the configurations must match on both headends.
Note: To push the ISE posture module when connected to a VPN, Cisco recommends that you install the AnyConnect agent through Cisco Adaptive Security Appliance (ASA), which uses the Cisco Adaptive Security Device Manager (ASDM) GUI tool. ASA does the installation using the VPN downloader. With the download, the ISE posture profile is pushed via ASA, and the discovery host needed for later provisioning the profile is available before the ISE posture module contacts ISE. With ISE alone, the ISE posture module gets the profile only after ISE is discovered, which could result in errors. Therefore, ASA is recommended to push the ISE posture module when connected to a VPN.
Before You Begin
You must upload the AnyConnect package, compliance module, profiles, and optionally any customization and localization bundles before configuring an AnyConnect Configuration object.
Procedure
Step 1 Choose Policy > Policy Elements > Results > Client Provisioning > Resources.
Step 2 Click Add to create an AnyConnect configuration.
Step 3 Choose AnyConnect Configuration.
Step 4 Choose an AnyConnect Package, which you previously uploaded. For example, AnyConnectDesktopWindows xxx.x.xxxxx.x.
Step 5 Enter the name for the current AnyConnect Configuration. For example, AC Config xxx.x.xxxxx.x.
Step 6 Choose the compliance module, which you previously uploaded. For example, AnyConnectComplianceModuleWindows x.x.xxxx.x.
Step 7 Check one or more AnyConnect modules check boxes. For example, choose one or more modules from the following: ISE Posture, VPN, Network Access Manager, Web Security, ASA Posture, Start Before Logon (only for Windows OS), and Diagnostic and Reporting Tool.
Note: Un-checking the VPN module under AnyConnect Module Selection does not disable the VPN tile in the provisioned client. You must configure VPNDisable_ServiceProfile.xml to disable the VPN tile on the AnyConnect GUI. In a system where AnyConnect is installed at the default location, you can find this file under C:\Program Files\Cisco. If AnyConnect is installed at a different location, then the file will be available under \Cisco.
Step 8 Choose AnyConnect profiles for selected AnyConnect modules. For example, ISE Posture, VPN, NAM, and Web Security.
Step 9 Choose AnyConnect customization and localization bundles.
Step 10 Click Submit.
Create AnyConnect and Cisco NAC Agent Profiles
Use this procedure to create an AnyConnect or a NAC posture agent profile where you can specify parameters that define the agent behavior, parameters that are related to whether or not to refresh the client IP address, and parameters for the posture protocol.
Procedure
Step 1 Choose Policy > Policy Elements > Results > Client Provisioning > Resources.
Step 2 Click Add.
Step 3 Choose NAC AnyConnect Agent Posture Profile.
Step 4 Choose AnyConnect or NAC Agent.
Step 5 Configure parameters for the following:
• Cisco ISE posture agent behavior
• Client IP Address Changes
• Cisco ISE posture protocol
Step 6 Click Submit.
Agent Profile Configuration Guidelines
Cisco recommends configuring agent profiles to control remediation timers, network transition delay timers, and the timer that is used to automatically close the login success screen on client machines so that these settings are policy based. However, when there are no agent profiles configured to match client provisioning policies, you can use the settings in Administration > System > Settings > Posture > General Settings to accomplish the same goal.
Once you configure and upload an agent profile to a client device via policy enforcement or another method, that agent profile remains on the client and affects login and operation behavior until you change it to something else. Therefore, deleting an agent profile from Cisco ISE does not remove that behavior from previously affected clients. To alter the login and operational behavior, you must define a new agent profile that overwrites the values of existing agent profile parameters on the client and upload it via policy enforcement.
If Cisco ISE has a different agent profile than what is present on the client (which is determined using an MD5 checksum), then Cisco ISE downloads the new agent profile to the client. If the agent customization file originating from Cisco ISE is different, Cisco ISE also downloads the new agent customization file to the client.
Agent Behavior Configuration
The following table describes the fields in the NAC or AnyConnect Posture Profile page, which allows you to configure parameters for the posture agent (AnyConnect and Cisco NAC Agent). The navigation path for this page is Policy > Policy Elements > Results > Client Provisioning > Resources > Add > NAC or AnyConnect Posture Profile.
Each entry below gives the Field, its Default Value, the Mode (applies only to Cisco ISE NAC Agent), and the Usage Guidelines.

Field: Disable Agent Exit (Not applicable for a Mac OS X client)
Default Value: No
Mode: Merge
Usage Guidelines: If the value is set to Yes, this setting prevents users from exiting the agent via the system tray.

Field: Enable Accessibility Mode (Not applicable for a Mac OS X client)
Default Value: No — Agent does not interact with the Job Access with Speech (JAWS)
Mode: Merge
Usage Guidelines: If the value is set to Yes, this setting enables compatibility with the JAWS screen reader. Users may experience a slight impact on performance when this feature is enabled. The agent still functions normally if this feature is enabled on a client machine that does not have the JAWS screen reader installed.

Field: Enable signature check (Not applicable for a Mac OS X client)
Default Value: No
Mode: Overwrite
Usage Guidelines: If the value is set to Yes, this setting enables Windows to check the digital signature of the executables before launching the programs for remediation.

Field: Bypass Summary Screen (Not applicable for a Mac OS X client)
Default Value: Yes
Mode: Merge

Field: Locale (Not applicable for a Mac OS X client)
Default Value: Default
Mode: Merge
Usage Guidelines: The default setting enables the agent to use the locale settings from the client operating system. If this setting is either the ID, the abbreviated name, or the full name of a supported language, the agent automatically displays the appropriate localized text in the agent dialogs on the client machine.

Field: Posture report filter (Not applicable for a Mac OS X client)
Default Value: Display Failed
Mode: Merge
Usage Guidelines: If the value is set to Display Failed, the client posture assessment report displays only remediation errors when the user clicks Show Details in the agent dialog. If the value is set to Display All, the client posture assessment report displays all the results when the user clicks Show Details in the agent dialog.

Field: Remediation timer
Default Value: 4
Mode: Overwrite
Usage Guidelines: This setting specifies the time to remediate any failed posture assessment checks on the client machine before having to go through the entire login process again. The valid range is 1 to 300 minutes.

Field: Network transition delay
Default Value: 3
Mode: Overwrite
Usage Guidelines: This setting specifies the time to wait for the network transition (IP address change) to occur before beginning the remediation timer countdown. The valid range is 2 to 30 seconds.

Field: Log file size
Default Value: 5
Mode: Merge
Usage Guidelines: This setting specifies the file size in megabytes for the agent log files on the client machine. If the log file size is set to zero, the agent does not record any login or operation information for the user session on the client machine. If the log file size is other than zero, the agent records login and session information up to the specified number of megabytes.

Field: Enable Auto Close (Not applicable for AnyConnect)
Default Value: No
Mode: Overwrite
Usage Guidelines: If this setting is set to Yes, it allows the agent login dialog to close automatically following the user authentication.

Field: Auto close timer (Not applicable for AnyConnect)
Default Value: 0
Mode: Overwrite
Usage Guidelines: This setting enables the agent login screen to wait for a specified period of time and close automatically following the user authentication. The valid range is 0 to 30 seconds.

Note: Merge parameter values with existing agent profile settings or overwrite them to appropriately configure agent behavior on Windows and Mac OS X clients.
Note: Agent log files are stored in a directory on the client machine. After the first login session, two files reside in the directory: one backup file from the previous login session, and one new file containing login and operation information from the current session. If the log file for the current session grows beyond the specified file size, the first segment of agent login and operation information automatically becomes the backup file in the directory and the agent continues to record the latest entries in the current session file.
Supported Languages
Table 47: Supported Languages
Language | ID | Abbreviated Name | Full Name
English US | 1033 | en | English
Catalan | 1027 | ca | Catalan (Spain)
Chinese Simplified | 2052 | zh_cn | Chinese (Simplified)
Chinese Traditional | 1028 | zh_tw | Chinese (Traditional)
Czech | 1029 | cs | Czech
Danish | 1030 | da | Danish
Dutch | 1043 | nl | Dutch (Standard)
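The agent log handling described in the Log file size field and the note above (one current file, one backup, a limit in megabytes, and zero meaning nothing is recorded) as a small simulation. This is an added illustration, not Cisco's agent code; the file names, the rotate-before-write rule and the use of a temporary directory are assumptions.

```python
import os
import tempfile


class AgentLogSimulator:
    """Simulates the client-side agent log behaviour described in the note above
    (added illustration, not Cisco's agent code). The limit is in megabytes as on
    the profile; 0 means nothing is recorded. Only one backup file is kept, so a
    second rotation discards the oldest session. File names and the
    rotate-before-write rule are assumptions."""

    CURRENT = "agent_current.log"  # assumed name
    BACKUP = "agent_backup.log"    # assumed name

    def __init__(self, directory, log_file_size_mb):
        self.directory = directory
        self.limit = log_file_size_mb * 1024 * 1024
        self.current = os.path.join(directory, self.CURRENT)
        self.backup = os.path.join(directory, self.BACKUP)

    def record(self, entry):
        """Append one login/operation entry; returns False when logging is disabled."""
        if self.limit == 0:
            return False  # log file size 0: no login or operation information is kept
        data = (entry.rstrip("\n") + "\n").encode()
        size = os.path.getsize(self.current) if os.path.exists(self.current) else 0
        if size and size + len(data) > self.limit:
            # The current file would exceed the limit: it becomes the backup and any
            # previous backup is discarded, so only the last two segments survive.
            os.replace(self.current, self.backup)
        with open(self.current, "ab") as fh:
            fh.write(data)
        return True

    def files(self):
        return sorted(os.listdir(self.directory))


def simulate(log_file_size_mb, entry_bytes, count):
    """Write `count` entries of `entry_bytes` bytes each into a fresh temporary
    directory and return (entries_recorded, {file_name: size_in_bytes})."""
    directory = tempfile.mkdtemp(prefix="agentlog-")
    sim = AgentLogSimulator(directory, log_file_size_mb)
    payload = "x" * (entry_bytes - 1)  # record() adds the newline
    recorded = sum(1 for _ in range(count) if sim.record(payload))
    sizes = {name: os.path.getsize(os.path.join(directory, name)) for name in sim.files()}
    return recorded, sizes
```

With a 1 MB limit and 1 KiB entries, `simulate(1, 1024, 1025)` leaves a 1 MiB backup and a 1 KiB current file; with a limit of 0 nothing is written, which is worth remembering when relying on agent logs for investigation.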