Cisco ISE 1.3 User Guide
Personas: Cisco ISE node personas that are enabled on the node running the CA service. For example, Administration, Policy Service, etc.
Role(s): The role(s) assumed by the Cisco ISE node running the CA service. For example, Standalone or Primary or Secondary.
CA & OCSP Responder Status: Enabled or disabled.
OCSP Responder URL: URL for the Cisco ISE node to access the OCSP server.

Related Topics
• Cisco ISE CA Service, on page 152
• Configure Cisco ISE to Use Certificates for Authenticating Personal Devices, on page 158

Certificate Template Settings

The following table describes the fields in the CA Certificate Template page, which you can use to define a SCEP RA profile that will be used by the client provisioning policy. The navigation path for this page is: Administration > System > Certificates > Certificate Templates > Add.

Note: We do not support UTF-8 characters in the certificate template fields (Organizational Unit, Organization, City, State, and Country). Certificate provisioning fails if UTF-8 characters are used in the certificate template.

Name: (Required) Enter a name for the certificate template. For example, Internal_CA_Template.
Description: (Optional) Enter a description.
Common Name (CN): (Display only) Common name is autopopulated with the username.
Organizational Unit (OU): Organizational Unit name. For example, Engineering.
Organization (O): Organization name. For example, Cisco.
City (L): (Do not abbreviate) City name. For example, San Jose.
State (ST): (Do not abbreviate) State name. For example, California.

Cisco Identity Services Engine Administrator Guide, Release 1.3 705 System Administration
Country (C): Country name. You must enter the two-letter ISO country code. For example, US.
Subject Alternative Name (SAN): (Display only) MAC address of the endpoint.
Key Size: Specify a key size of 1024 or higher.
SCEP RA Profile: Choose the ISE Internal CA or an external SCEP RA profile that you have created.
Valid Period: Enter the number of days after which the certificate expires.

Related Topics
• Certificate Templates
• Certificate Template Name Extension
• Configure Cisco ISE to Use Certificates for Authenticating Personal Devices, on page 158
• Deploy Cisco ISE CA Certificates for pxGrid Controller
• Use Certificate Template Name in Authorization Policy Conditions

Logging Settings

These pages allow you to configure the severity of debug logs, create an external log target, and enable Cisco ISE to send log messages to these external log targets.

Remote Logging Target Settings

The following table describes the fields on the Remote Logging Targets page, which you can use to create external locations (syslog servers) to store logging messages. The navigation path for this page is: Administration > System > Logging > Remote Logging Targets.

Table 62: Remote Logging Target Settings

Name: Enter the name of the new target.
Target Type: Select the target type. By default it is set to UDP Syslog.
Description: Enter a brief description of the new target.
IP Address: Enter the IP address of the destination machine where you want to store the logs.
Port: Enter the port number of the destination machine.
Facility Code: Choose the syslog facility code to be used for logging. Valid options are Local0 through Local7.
Maximum Length: Enter the maximum length of the remote log target messages. Valid options are from 200 to 1024 bytes.
Buffer Message When Server Down: Check this check box if you want Cisco ISE to buffer the syslog messages when TCP syslog targets and secure syslog targets are unavailable. ISE retries sending the messages to the target when the connection resumes. After the connection resumes, messages are sent in order from oldest to newest, and buffered messages are always sent before new messages. If the buffer is full, old messages are discarded.
Buffer Size (MB): Set the buffer size for each target. By default, it is set to 100 MB. Changing the buffer size clears the buffer, and all existing buffered messages for the specific target are lost.
Reconnect Timeout (Sec): Enter, in seconds, how long TCP and secure syslog messages are kept before being discarded when the server is down.
Select CA Certificate: Select a client certificate.
Ignore Server Certificate Validation: Check this check box if you want ISE to ignore server certificate authentication and accept any syslog server.

Related Topics
• Cisco Logging Mechanism, on page 201
• Cisco ISE System Logs, on page 202
• Remote Syslog Message Format, on page 204
• Cisco ISE Message Catalogs, on page 209
• Collection Filters, on page 211
• Event Suppression Bypass Filter, on page 211
• Configure Remote Syslog Collection Locations, on page 207
• Configure Collection Filters, on page 211

Logging Category Settings

The following table describes the fields on the Logging Categories page, which you can use to configure the log severity level and choose logging targets for the logs of selected categories to be stored. The navigation path for this page is: Administration > System > Logging > Logging Categories.
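The buffering rules in Table 62 above (oldest-first replay after reconnect, oldest-message discard when the buffer is full, the Reconnect Timeout expiry, the Maximum Length truncation, and the buffer being cleared on resize) are easy to misjudge when sizing a syslog collector. The following Python model is an added example written for this page; it is not Cisco ISE code. It simulates one TCP or secure syslog target with constructed messages. The class and method names, the mapping of the five severity levels to syslog severity numbers, and the use of a byte-sized buffer instead of the page's MB setting are all assumptions of this example.

```python
from collections import deque

# Facility numbers behind the Local0 through Local7 choices on the Remote
# Logging Target page (standard syslog numbering: local0 is facility 16).
FACILITIES = {f"Local{i}": 16 + i for i in range(8)}

# Syslog severity numbers assumed here for the five Log Severity Level
# options of a logging category. This mapping is an assumption, not ISE's.
SEVERITIES = {"FATAL": 0, "ERROR": 3, "WARN": 4, "INFO": 6, "DEBUG": 7}


def syslog_pri(facility, severity):
    """PRI value written as <PRI> at the start of a syslog line."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


class RemoteLoggingTarget:
    """Hypothetical model of one TCP or secure syslog target (not ISE code).

    Behaviour taken from the settings table: lines longer than Maximum
    Length are truncated; while the server is down, messages are buffered
    when buffering is enabled and dropped otherwise; when the buffer is
    full the oldest message is discarded; after reconnect, buffered
    messages are sent oldest to newest and before any new message; buffered
    messages held longer than Reconnect Timeout are discarded; changing the
    buffer size clears the buffer. The buffer is sized in bytes here.
    """

    def __init__(self, facility="Local6", max_length=1024, level="WARN",
                 buffer_when_down=True, buffer_bytes=4096, reconnect_timeout=60):
        if facility not in FACILITIES:
            raise ValueError("facility code must be Local0 through Local7")
        if not 200 <= max_length <= 1024:
            raise ValueError("maximum length must be 200 to 1024 bytes")
        self.facility, self.max_length = facility, max_length
        self.level = SEVERITIES[level]
        self.buffer_when_down = buffer_when_down
        self.buffer_bytes, self.reconnect_timeout = buffer_bytes, reconnect_timeout
        self.buffer = deque()          # (timestamp, message), oldest first
        self.buffered_bytes = 0
        self.server_up = True
        self.sent = []                 # what the simulated server received
        self.dropped = 0

    def format(self, severity, text):
        line = f"<{syslog_pri(self.facility, severity)}>{text}".encode()
        return line[: self.max_length]   # Maximum Length applies in bytes

    def log(self, severity, text, now=0):
        """Return True when the message is delivered immediately."""
        if SEVERITIES[severity] > self.level:
            return False               # below the category's Log Severity Level
        msg = self.format(severity, text)
        if self.server_up and not self.buffer:
            self.sent.append(msg)
            return True
        if not self.buffer_when_down or len(msg) > self.buffer_bytes:
            self.dropped += 1
            return False
        while self.buffered_bytes + len(msg) > self.buffer_bytes:
            self._pop_oldest()         # buffer full: discard the oldest message
            self.dropped += 1
        self.buffer.append((now, msg))
        self.buffered_bytes += len(msg)
        return False

    def _pop_oldest(self):
        ts, old = self.buffer.popleft()
        self.buffered_bytes -= len(old)
        return ts, old

    def set_buffer_size(self, buffer_bytes):
        """Changing the buffer size clears every buffered message."""
        self.buffer.clear()
        self.buffered_bytes = 0
        self.buffer_bytes = buffer_bytes

    def server_down(self):
        self.server_up = False

    def reconnect(self, now=0):
        """Connection resumed: expire stale messages, flush the rest in order."""
        self.server_up = True
        while self.buffer:
            ts, msg = self._pop_oldest()
            if now - ts > self.reconnect_timeout:
                self.dropped += 1      # held longer than Reconnect Timeout
            else:
                self.sent.append(msg)
```

Running the model with a small buffer shows why the Buffer Size and Reconnect Timeout settings matter together: a long outage with a small buffer loses the oldest events first, and a Reconnect Timeout shorter than the outage discards everything that was buffered before it, so a collector that audits administrator activity should be sized for the longest outage it must survive.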
Table 63: Logging Category Settings

Name: Displays the name of the logging category.
Log Severity Level: Allows you to choose the severity level for the diagnostic logging categories from the following options:
• FATAL: Emergency. This option means that Cisco ISE cannot be used and you must take action immediately.
• ERROR: This option indicates a critical or error condition.
• WARN: This option indicates a normal but significant condition. This is the default condition.
• INFO: This option indicates an informational message.
• DEBUG: This option indicates a diagnostic bug message.
Local Logging: Check this check box to enable logging events for the category on the local node.
Target: Allows you to change the targets for a category by transferring the targets between the Available and the Selected boxes using the left and right icons. The Available box contains the existing logging targets, both local (predefined) and external (user-defined). The Selected box, which is initially empty, contains the selected targets for the specific category.

Related Topics
• Remote Syslog Message Format, on page 204
• Cisco ISE Message Codes, on page 208
• Configure Remote Syslog Collection Locations, on page 207
• Set Severity Levels for Message Codes, on page 208

Maintenance Settings

These pages help you to manage data using the backup, restore, and data purge features.

Repository Settings

The following table describes the fields on the Repository List page, which you can use to create repositories to store your backup files. The navigation path for this page is: Administration > System > Maintenance > Repository.
Table 64: Repository Settings

Repository: Enter the name of the repository. Alphanumeric characters are allowed and the maximum length is 80 characters.
Protocol: Choose one of the available protocols that you want to use.
Server Name: (Required for TFTP, HTTP, HTTPS, FTP, SFTP, and NFS) Enter the hostname or IPv4 address of the server where you want to create the repository.
Path: Enter the path to your repository. The path must be valid and must exist at the time you create the repository. This value can start with two forward slashes (//) or a single forward slash (/) denoting the root directory of the server. However, for the FTP protocol, a single forward slash (/) denotes the FTP user's home directory and not the root directory.
User Name: (Required for FTP, SFTP, and NFS) Enter the username that has write permission to the specified server. Only alphanumeric characters are allowed.
Password: (Required for FTP, SFTP, and NFS) Enter the password that will be used to access the specified server. Passwords can consist of the following characters: 0 through 9, a through z, A through Z, -, ., |, @, #, $, %, ^, &, *, (, ), +, and =.

Table 65: Repository Settings

Repository: Enter the name of the repository. Alphanumeric characters are allowed and the maximum length is 80 characters.
Protocol: Choose one of the available protocols that you want to use.
Host: (Required for TFTP, HTTP, HTTPS, FTP, SFTP, and NFS) Enter the hostname or IPv4 address of the server where you want to create the repository.
Path: Enter the path to your repository. The path must be valid and must exist at the time you create the repository. This value can start with two forward slashes (//) or a single forward slash (/) denoting the root directory of the server. However, for the FTP protocol, a single forward slash (/) denotes the FTP user's home directory and not the root directory.

Related Topics
• Backup and Restore Repositories, on page 213
• Create Repositories, on page 214
On-Demand Backup Settings

The following table describes the fields on the On-Demand Backup page, which you can use to obtain a backup at any point of time. The navigation path for this page is: Administration > System > Backup & Restore.

Table 66: On-Demand Backup Settings

Backup Name: Enter the name of your backup file.
Type: Select one of the following:
• Configuration backup: contains both application-specific and Cisco ADE operating system configuration data.
• Operational backup: contains Monitoring and Troubleshooting data.
Repository Name: Repository where your backup file should be saved. You cannot enter a repository name here. You can only choose an available repository from the drop-down list. Ensure that you create the repository before you run a backup.
Encryption Key: This key is used to encrypt and decrypt the backup file.

Related Topics
• Backup Data Type, on page 213
• On-Demand and Scheduled Backups, on page 215
• Backup History, on page 219
• Backup Failures, on page 219
• Cisco ISE Restore Operation, on page 220
• Export Authentication and Authorization Policy Configuration, on page 226
• Synchronize Primary and Secondary Nodes in a Distributed Environment, on page 226
• Perform an On-Demand Backup, on page 215

Scheduled Backup Settings

The following table describes the fields on the Scheduled Backup page, which you can use to restore a full or incremental backup. The navigation path for this page is: Administration > System > Backup and Restore.
Table 67: Scheduled Backup Settings

Name: Enter a name for your backup file. You can enter a descriptive name of your choice. Cisco ISE appends the timestamp to the backup file name and stores it in the repository. You will have unique backup file names even if you configure a series of backups. On the Scheduled Backup list page, the backup file name will be prepended with “backup_occur” to indicate that the file is a kron occurrence job.
Description: Enter a description for the backup.
Repository Name: Select the repository where your backup file should be saved. You cannot enter a repository name here. You can only choose an available repository from the drop-down list. Ensure that you create the repository before you run a backup.
Encryption Key: Enter a key to encrypt and decrypt the backup file.
Schedule Options: Choose the frequency of your scheduled backup and fill in the other options accordingly.

Related Topics
• Backup Data Type, on page 213
• On-Demand and Scheduled Backups, on page 215
• Backup History, on page 219
• Backup Failures, on page 219
• Cisco ISE Restore Operation, on page 220
• Export Authentication and Authorization Policy Configuration, on page 226
• Synchronize Primary and Secondary Nodes in a Distributed Environment, on page 226
• Backup Using the CLI, on page 219
• Schedule a Backup, on page 217

Admin Access Settings

These pages enable you to configure access settings for administrators.

Administrator Password Policy Settings

The following table describes the fields on the Administrator Password Policy page, which you can use to define the criteria that administrator passwords should meet. The navigation path for this page is: Administration > System > Admin Access > Authentication > Password Policy.
Table 68: Administrator Password Policy Settings

Minimum Length: Specifies the minimum length of the password (in characters). The default is six characters.
Password should not contain the admin name or its characters in reversed order: Check this check box to restrict the use of the administrator username or its characters in reverse order.
Password should not contain “cisco” or its characters in reversed order: Check this check box to restrict the use of the word “cisco” or its characters in reverse order.
Password should not contain ________ or its characters in reversed order: Check this check box to restrict the use of any word that you define or its characters in reverse order.
Password should not contain repeated characters four or more times consecutively: Check this check box to restrict the use of repeated characters four or more times consecutively.
Required Characters: Specifies that the administrator password must contain at least one character of the type that you choose from the following choices:
• Lowercase alphabetic characters
• Uppercase alphabetic characters
• Numeric characters
• Non-alphanumeric characters
Password History: Specifies the number of previous passwords from which the new password must be different to prevent the repeated use of the same password. Also specifies the number of characters that must be different from the previous password. Enter the number of days before which you cannot reuse a password.
Password Lifetime: Specifies the following options to force users to change passwords after a specified time period:
• Time (in days) before the administrator account is disabled if the password is not changed. (The allowable range is 0 to 2,147,483,647 days.)
• Reminder (in days) before the administrator account is disabled.
Lock or Suspend Account with Incorrect Login Attempts: Specifies the number of times Cisco ISE records incorrect administrator passwords before locking the administrator out of Cisco ISE, and suspending or disabling account credentials. An e-mail is sent to the administrator whose account gets locked out. You can enter a custom e-mail remediation message.

Related Topics
• Cisco ISE Administrators, on page 97
• Create a New Cisco ISE Administrator, on page 98

Session Timeout and Session Info Settings

The following table describes the fields on the Session page, which you can use to define session timeout and terminate an active administrative session. The navigation path for this page is: Administration > System > Admin Access > Settings > Session.

Table 69: Session Timeout and Session Info Settings

Session Timeout
Session Idle Timeout: Enter the time in minutes that you want Cisco ISE to wait before it logs out the administrator if there is no activity. The default value is 60 minutes. The valid range is from 6 to 100 minutes.

Session Info
Invalidate: Check the check box next to the session ID that you want to terminate and click Invalidate.

Related Topics
• Administrator Access Settings, on page 110
• Configure Session Timeout for Administrators, on page 112
• Terminate an Active Administrative Session, on page 113

Settings

These pages enable you to configure general settings for the various services.
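To make the rules in Table 68 (Administrator Password Policy Settings) concrete, the following Python checker is an added example written for this page; it is not Cisco ISE code and does not claim to reproduce how ISE evaluates the policy. It applies the minimum length, the three forbidden-word checks (admin name, "cisco", and a custom word, each including its reverse), the repeated-character rule, the required character classes, the password-history rules, and the incorrect-login lockout counter from the last row of the table. The class and function names, the default history depth and changed-character count, and the lockout threshold are this example's assumptions; the reuse-after-days rule and the lockout e-mail are left out.

```python
import re
from dataclasses import dataclass


@dataclass
class PasswordPolicy:
    """Hypothetical mirror of the Administrator Password Policy fields."""
    minimum_length: int = 6          # the page's default is six characters
    forbid_admin_name: bool = True   # admin name or its reverse
    forbid_cisco: bool = True        # the word "cisco" or its reverse
    forbidden_word: str = ""         # the custom ________ word, if any
    forbid_repeats: bool = True      # same character four or more times in a row
    require_lower: bool = True
    require_upper: bool = True
    require_digit: bool = True
    require_special: bool = True
    history_depth: int = 3           # previous passwords the new one must differ from
    min_changed_chars: int = 3       # characters that must differ from the previous one
    lockout_attempts: int = 5        # incorrect logins before lock/suspend (assumed value)


def _contains_word_or_reverse(password, word):
    """Case-insensitive check for the word or its characters in reverse order."""
    lowered, w = password.lower(), word.lower()
    return bool(w) and (w in lowered or w[::-1] in lowered)


def _changed_chars(new, old):
    """Positions at which new differs from old; extra length counts as changed."""
    return sum(a != b for a, b in zip(new, old)) + abs(len(new) - len(old))


def validate_password(policy, username, password, history=()):
    """Return the list of violated rules; an empty list means the password is acceptable.

    history lists the administrator's previous passwords, most recent first.
    """
    problems = []
    if len(password) < policy.minimum_length:
        problems.append(f"shorter than {policy.minimum_length} characters")
    if policy.forbid_admin_name and _contains_word_or_reverse(password, username):
        problems.append("contains the admin name or its reverse")
    if policy.forbid_cisco and _contains_word_or_reverse(password, "cisco"):
        problems.append("contains 'cisco' or its reverse")
    if policy.forbidden_word and _contains_word_or_reverse(password, policy.forbidden_word):
        problems.append(f"contains '{policy.forbidden_word}' or its reverse")
    if policy.forbid_repeats and re.search(r"(.)\1{3,}", password):
        problems.append("repeats a character four or more times consecutively")
    required = [
        (policy.require_lower, r"[a-z]", "lowercase"),
        (policy.require_upper, r"[A-Z]", "uppercase"),
        (policy.require_digit, r"[0-9]", "numeric"),
        (policy.require_special, r"[^A-Za-z0-9]", "non-alphanumeric"),
    ]
    for wanted, pattern, label in required:
        if wanted and not re.search(pattern, password):
            problems.append(f"needs at least one {label} character")
    recent = list(history)[: policy.history_depth]
    if password in recent:
        problems.append(f"matches one of the last {policy.history_depth} passwords")
    elif history and _changed_chars(password, history[0]) < policy.min_changed_chars:
        problems.append(
            f"fewer than {policy.min_changed_chars} characters differ from the previous password"
        )
    return problems


class LoginAttemptTracker:
    """Counts incorrect administrator logins and locks the account at the threshold."""

    def __init__(self, policy):
        self.policy = policy
        self.failures = {}   # username -> consecutive incorrect attempts
        self.locked = set()

    def record(self, username, success):
        """Return 'ok', 'failed' or 'locked' for one login attempt."""
        if username in self.locked:
            return "locked"
        if success:
            self.failures.pop(username, None)
            return "ok"
        self.failures[username] = self.failures.get(username, 0) + 1
        if self.failures[username] >= self.policy.lockout_attempts:
            self.locked.add(username)   # account is locked; an e-mail would be sent here
            return "locked"
        return "failed"
```

The reverse-order checks are the part most often skipped by home-grown policies: a password such as "nimda..." passes a naive substring test for "admin" but is rejected here, and the same holds for the custom word. Returning every violated rule at once, rather than the first, is what lets an administrator UI show the full list of reasons a proposed password was refused.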
Posture General Settings

The following table describes the fields on the Posture General Settings page, which you can use to configure general posture settings such as remediation time and posture status. The navigation path for this page is: Administration > System > Settings > Posture > General Settings.

Table 70: Posture General Settings

Remediation Timer: Enter a time value in minutes. The default value is 4 minutes. The valid range is 1 to 300 minutes.
Network Transition Delay: Enter a time value in seconds. The default value is 3 seconds. The valid range is 2 to 30 seconds.
Default Posture Status: Choose Compliant or Noncompliant. Non-agent devices, such as Linux, assume this status while connecting to the network.
Automatically Close Login Success Screen After: Check the check box to close the login success screen automatically after the specified time. Enter a time value in seconds in the field next to the check box. You can configure the timer to close the login screen automatically between 0 and 300 seconds. If the time is set to zero, then the NAC Agents and Web Agents do not display the login success screen.

Posture Lease
Perform posture assessment every time a user connects to the network: Select this option to initiate posture assessment every time the user connects to the network.
Perform posture assessment every n days: Select this option to initiate posture assessment after the specified number of days, even though the client is already postured Compliant.

Related Topics
• Posture Service, on page 566
• Posture Administration Settings, on page 569
• Posture Lease, on page 571
• Enable Posture Session Service in Cisco ISE, on page 568
• Set Remediation Timer for Clients to Remediate Within Specified Time, on page 569
• Set Network Transition Delay Timer for Clients to Transition, on page 569
• Set Login Success Window to Close Automatically, on page 570
• Set Posture Status for Nonagent Devices, on page 570