Cisco Identity Services Engine Administrator Guide, Release 1.3
CHAPTER 30
Policy User Interface Reference

• Authentication, page 815
• Authorization Policy Settings, page 818
• Endpoint Profiling Policies Settings, page 819
• Dictionaries, page 823
• Conditions, page 825
• Results, page 836
Authentication

This section describes the authentication policy page, which allows you to configure simple and rule-based authentication policies.

Simple Authentication Policy Configuration Settings

The following table describes the fields in the simple authentication policy page, which allows you to configure simple authentication policies. The navigation path for this page is: Policy > Authentication.

Table 105: Simple Authentication Policy Configuration Settings

Field / Usage Guidelines

Network Access Service
    Choose an allowed protocols service that you have already created.

Identity Source
    Choose the identity source that you want to use for authentication. You can also choose an identity source sequence if you have configured one.
    You can edit the default identity source that you want Cisco ISE to use in case none of the identity sources defined in this rule match the request.

Options
    Define a further course of action for authentication failure, user not found, or process failure events. You can choose one of the following options:
    • Reject — A reject response is sent.
    • Drop — No response is sent.
    • Continue — Cisco ISE proceeds with the authorization policy even though the request did not authenticate, so the authorization rules that can match such a request must be written with that in mind.

Related Topics
Simple Authentication Policies, on page 412
Simple Authentication Policy Flow, on page 413
Guidelines for Configuring Simple Authentication Policies, on page 414
Configure a Simple Authentication Policy, on page 427
Rule-Based Authentication Policy Configuration Settings

The following table describes the fields in the rule-based authentication policy page, which allows you to configure rule-based authentication policies. The navigation path for this page is: Policy > Authentication > Rule-Based.

Table 106: Rule-Based Authentication Policy Configuration Settings

Field / Usage Guidelines

Status
    Choose the status of this policy. It can be one of the following:
    • Enabled — This policy condition is active.
    • Disabled — This policy condition is inactive and will not be evaluated.
    • Monitor Only — This policy condition will be evaluated, but the result will not be enforced. You can view the results of this policy condition in the Live Log authentication page, where the detailed report shows the monitored step and attribute. For example, you may want to add a new policy condition but are not sure whether it would give you the correct results. In this situation, you can create the policy condition in monitored mode to view the results, and then enable it once you are satisfied with them.

Standard Rule
    Enter a name for this policy and select a condition and an allowed protocols service.
Conditions
    Click the plus [+] sign to expand the Conditions anchored overlay, and click the minus [-] sign, or click outside the anchored overlay, to close it:
    • Select Existing Condition from Library or Create New Condition (Advanced Option)
    • Select Existing Condition from Library — You can define an expression by selecting Cisco predefined conditions from the policy elements library.
    • Create New Condition (Advanced Option) — You can define an expression by selecting attributes from various system or user-defined dictionaries.

Select Existing Condition from Library
    You can do the following:
    1. Choose the predefined conditions that you have defined for authentication in the policy elements, and then use an AND or OR operator to add multiple conditions.
       You cannot select certain predefined conditions that contain the following dictionaries or attributes:
       • Dictionary "Certificate", with any attribute
       • Dictionary "Network Access", with the following attributes:
         ◦ Device IP Address
         ◦ ISE Host Name
         ◦ Network Device Name
         ◦ Protocol
         ◦ Use Case
       If such conditions exist, the first entry in the select box will be "Only relevant conditions are selectable".
    2. Click the Action icon to do the following in the subsequent steps:
       • Add Attribute/Value — You can add ad-hoc attribute/value pairs
       • Add Condition from Library — You can add Cisco predefined conditions
       • Duplicate — Create a copy of the selected condition
       • Add Condition to Library — You can save ad-hoc attribute/value pairs that you create to the policy elements library
       • Delete — Delete the selected condition
Create New Condition (Advanced Option)
    You can do the following:
    1. Add ad-hoc attribute/value pairs to your expression, and then use an AND or OR operator to add multiple conditions.
    2. Click the Action icon to do the following in the subsequent steps:
       • Add Attribute/Value — You can add ad-hoc attribute/value pairs
       • Add Condition from Library — You can add Cisco predefined conditions
       • Duplicate — Create a copy of the selected condition
       • Add Condition to Library — You can save ad-hoc attribute/value pairs that you create to the policy elements library
       • Delete — Delete the selected condition. Here, you can use the AND or OR operator.

Select Network Access
    Choose from the allowed protocols services or a RADIUS server sequence.

Arrow Button
    Click to define conditions for the identity source selection.

Identity Source Sequence
    You can do the following:
    1. Click the action icon in the default identity source row, and click Insert new row above.
    2. Enter a name for your identity source rule.
    3. Click the button to define the conditions based on which you want to choose the identity source.
    4. Choose the identity source sequence or the identity source, and the action that you want Cisco ISE to take.
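The flow that Tables 105 and 106 describe, as an added example that is not part of the Cisco guide: a small Python model of top-down rule evaluation, the Enabled / Disabled / Monitor Only statuses, the allowed-protocols check, an identity source sequence, and the Reject / Drop / Continue options. The rule names, identity stores, allowed-protocols services and request attributes are constructed; how the sequence advances between stores (only on user not found) is an assumption of the model, not something the page states.

```python
"""Simulation of the rule-based authentication policy flow described above.
Added example, not Cisco ISE code. Rules, identity stores, allowed-protocols
services and request attributes are constructed. Top-down first-match
evaluation, the three rule statuses and the three failure options follow the
field descriptions on this page; the assumption that an identity source
sequence moves to the next store only on "user not found" is this model's.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List

REJECT, DROP, CONTINUE = "reject", "drop", "continue"   # the Options row
AUTHORIZE = "authorize"   # authentication succeeded; go on to the authorization policy

# Constructed allowed-protocols services; the names are labels, not ISE defaults.
ALLOWED_PROTOCOLS = {
    "Default Network Access": {"PEAP", "EAP-TLS", "PAP/ASCII", "Host Lookup"},
    "VPN Protocols": {"PAP/ASCII"},
}

class StoreUnavailable(Exception):
    """An identity store could not be queried: a process failure event."""

@dataclass
class IdentityStore:
    name: str
    users: Dict[str, str]        # username -> password (sample data)
    reachable: bool = True

    def authenticate(self, user: str, password: str) -> str:
        if not self.reachable:
            raise StoreUnavailable(self.name)
        if user not in self.users:
            return "user_not_found"
        return "ok" if self.users[user] == password else "auth_failed"

@dataclass
class AuthRule:
    name: str
    condition: Callable[[dict], bool]
    allowed_protocols: str            # key into ALLOWED_PROTOCOLS (Select Network Access)
    sequence: List[IdentityStore]     # identity source sequence
    status: str = "enabled"           # enabled | disabled | monitor_only
    on_auth_failed: str = REJECT      # one action per failure event
    on_user_not_found: str = REJECT
    on_process_failed: str = DROP

def run_sequence(rule: AuthRule, req: dict) -> str:
    """Query stores in order; only "user not found" moves on to the next one (assumption)."""
    result = "user_not_found"
    for store in rule.sequence:
        try:
            result = store.authenticate(req["user"], req["password"])
        except StoreUnavailable:
            return "process_failed"
        if result != "user_not_found":
            break
    return result

def evaluate(rules: List[AuthRule], default: AuthRule, req: dict, log: list) -> str:
    """First enabled rule whose condition matches wins; otherwise the default rule applies."""
    chosen = default
    for rule in rules:
        if rule.status == "disabled" or not rule.condition(req):
            continue
        if rule.status == "monitor_only":          # evaluated and logged, never enforced
            log.append(f"monitor: {rule.name} matched")
            continue
        chosen = rule
        break
    if req["protocol"] not in ALLOWED_PROTOCOLS[chosen.allowed_protocols]:
        log.append(f"{chosen.name}: protocol {req['protocol']} not allowed")
        return REJECT
    result = run_sequence(chosen, req)
    if result == "ok":
        return AUTHORIZE
    action = {"auth_failed": chosen.on_auth_failed,
              "user_not_found": chosen.on_user_not_found,
              "process_failed": chosen.on_process_failed}[result]
    log.append(f"{chosen.name}: {result} -> {action}")
    # CONTINUE hands a request that did not authenticate to the authorization policy.
    return action

def request(user: str, password: str, service: str, protocol: str = "PEAP", nas: str = "sw1") -> dict:
    """Constructed request attributes; MAB requests carry the MAC as both user and password."""
    return {"user": user, "password": password, "service": service, "protocol": protocol, "nas": nas}

# Constructed sample configuration
AD = IdentityStore("AD1", {"alice": "Winter2014"})
INTERNAL_USERS = IdentityStore("Internal Users", {"svc-scan": "s3cret"})
ENDPOINTS = IdentityStore("Internal Endpoints", {"00:11:22:33:44:55": "00:11:22:33:44:55"})
RULES = [
    AuthRule("Legacy", lambda r: True, "Default Network Access", [AD], status="disabled"),
    AuthRule("VPN-Trial", lambda r: r["nas"] == "vpn1", "VPN Protocols", [AD], status="monitor_only"),
    AuthRule("MAB", lambda r: r["service"] == "mab", "Default Network Access", [ENDPOINTS],
             on_user_not_found=CONTINUE),   # unknown MACs still reach authorization (guest flows)
    AuthRule("Dot1X", lambda r: r["service"] == "dot1x", "Default Network Access", [AD, INTERNAL_USERS]),
]
DEFAULT = AuthRule("Default", lambda r: True, "Default Network Access", [INTERNAL_USERS])

if __name__ == "__main__":
    log = []
    print(evaluate(RULES, DEFAULT, request("alice", "Winter2014", "dot1x"), log), log)
```

The setting to check in a real deployment is the Continue option: a request whose authentication failed, or whose user was not found, still reaches the authorization policy, so every authorization rule that can match it must be written for an unverified endpoint (a guest redirect or restricted access, not a production VLAN). The Monitor Only status gives a safe way to test a new rule, since a matching monitored rule is only logged and evaluation falls through to the next enabled rule.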
Related Topics
Rule-Based Authentication Policies, on page 414
Rule-Based Authentication Policy Flow, on page 414
Configure a Rule-Based Authentication Policy, on page 428
Authorization Policy Settings

The following table describes the fields in the authorization policy page, which allows you to configure authorization policies. The navigation path for this page is: Policy > Authorization.

Table 107: Authorization Policy Settings

Field / Usage Guidelines

Status
    Choose one of the following to enforce the policies:
    • Enabled — This policy condition is active.
    • Disabled — This policy condition is inactive and will not be evaluated.
    • Monitor Only — This policy condition will be evaluated, but the result will not be enforced. You can view the results of this policy condition in the Live Log authentication page, where the detailed report shows the monitored step and attribute. For example, you may want to add a new policy condition but are not sure whether it would give you the correct results. In this situation, you can create the policy condition in monitored mode to view the results, and then enable it once you are satisfied with them.

Rule Name
    Enter a name for the rule.

Conditions (identity groups and other conditions)
    Choose an identity group from the first drop-down.
    Choose a condition from the second drop-down. You can either select from the existing conditions or create a new condition.

Permissions
    Choose an authorization profile from the Standard category.

Related Topics
Cisco ISE Authorization Policies, on page 437
Guidelines for Configuring Authorization Policies and Profiles, on page 440
Configure Authorization Policies, on page 443
Endpoint Profiling Policies Settings

The following table describes the fields in the Endpoint Policies page. The navigation path for this page is: Policy > Profiling > Profiling Policies.

Table 108: Endpoint Profiling Policies Settings

Field / Usage Guidelines

Name
    Enter the name of the endpoint profiling policy that you want to create.

Description
    Enter the description of the endpoint profiling policy that you want to create.
Policy Enabled
    By default, the Policy Enabled check box is checked to associate a matching profiling policy when you profile an endpoint.
    When unchecked, the endpoint profiling policy is excluded when you profile an endpoint.

Minimum Certainty Factor
    Enter the minimum value that you want to associate with the profiling policy. The default value is 10. The policy matches an endpoint only when the certainty factors of its matching rules add up to at least this value.

Exception Action
    Choose an exception action that you want to associate with the conditions when defining a rule in the profiling policy.
    The default is NONE. The exception actions are defined in the following location: Policy > Policy Elements > Results > Profiling > Exception Actions.

Network Scan (NMAP) Action
    Choose a network scan action from the list that you want to associate with the conditions when defining a rule in the profiling policy, if required.
    The default is NONE. The network scan actions are defined in the following location: Policy > Policy Elements > Results > Profiling > Network Scan (NMAP) Actions.

Create an Identity Group for the policy
    Check one of the following options to create an endpoint identity group:
    • Yes, create matching Identity Group
    • No, use existing Identity Group hierarchy

Yes, create matching Identity Group
    Choose this option to use an existing profiling policy.
    This option creates a matching identity group for those endpoints, and the identity group will be the child of the Profiled endpoint identity group when an endpoint profile matches an existing profiling policy.
    For example, the Xerox-Device endpoint identity group is created in the Endpoints Identity Groups page when endpoints discovered on your network match the Xerox-Device profile.
No, use existing Identity Group hierarchy
    Check this check box to assign endpoints to the matching parent endpoint identity group using the hierarchical construction of profiling policies and identity groups.
    This option allows you to make use of the endpoint profiling policies hierarchy to assign endpoints to one of the matching parent endpoint identity groups, as well as to the endpoint identity groups associated with the parent identity group.
    For example, endpoints that match an existing profile are grouped under the appropriate parent endpoint identity group. Endpoints that match the Unknown profile are grouped under Unknown, and endpoints that match an existing profile are grouped under the Profiled endpoint identity group. For example:
    • If endpoints match the Cisco-IP-Phone profile, then they are grouped under the Cisco-IP-Phone endpoint identity group.
    • If endpoints match the Workstation profile, then they are grouped under the Workstation endpoint identity group.
    The Cisco-IP-Phone and Workstation endpoint identity groups are associated with the Profiled endpoint identity group in the system.

Parent Policy
    Choose a parent profiling policy that is defined in the system, to which you want to associate the new endpoint profiling policy.
    The child policy inherits the rules and conditions of the parent profiling policy that you choose.

Associated CoA Type
    Choose one of the following CoA types that you want to associate with the endpoint profiling policy:
    • No CoA
    • Port Bounce
    • Reauth
    • Global Settings, which applies the CoA type set in the profiler configuration at Administration > System > Settings > Profiling

Rules
    One or more rules that are defined in endpoint profiling policies determine the matching profiling policy for endpoints, which allows you to group endpoints according to their profiles.
    One or more profiling conditions from the policy elements library are used in rules for validating endpoint attributes and their values for the overall classification.
Conditions
    Click the plus [+] sign to expand the Conditions anchored overlay, and click the minus [-] sign, or click outside the anchored overlay, to close it.
    Click Select Existing Condition from Library or Create New Condition (Advanced Option).
    Select Existing Condition from Library — You can define an expression by selecting Cisco predefined conditions from the policy elements library.
    Create New Condition (Advanced Option) — You can define an expression by selecting attributes from various system or user-defined dictionaries.
    You can associate one of the following with the profiling conditions:
    • An integer value for the certainty factor for each condition
    • Either an exception action or a network scan action for that condition
    Choose one of the following predefined settings to associate with the profiling condition:
    • Certainty Factor Increases — Enter the certainty value for each rule; the values of all the matching rules are added up for the overall classification.
    • Take Exception Action — Triggers the exception action that is configured in the Exception Action field for this endpoint profiling policy.
    • Take Network Scan Action — Triggers the network scan action that is configured in the Network Scan (NMAP) Action field for this endpoint profiling policy.

Select Existing Condition from Library
    You can do the following:
    • Choose Cisco predefined conditions that are available in the policy elements library, and then use an AND or OR operator to add multiple conditions.
    • Click the Action icon to do the following in the subsequent steps:
      ◦ Add Attribute/Value — You can add ad-hoc attribute/value pairs
      ◦ Add Condition from Library — You can add Cisco predefined conditions
      ◦ Duplicate — Create a copy of the selected condition
      ◦ Add Condition to Library — You can save ad-hoc attribute/value pairs that you create to the policy elements library
      ◦ Delete — Delete the selected condition.
Create New Condition (Advanced Option)
    You can do the following:
    • Add ad-hoc attribute/value pairs to your expression, and then use an AND or OR operator to add multiple conditions.
    • Click the Action icon to do the following in the subsequent steps:
      ◦ Add Attribute/Value — You can add ad-hoc attribute/value pairs
      ◦ Add Condition from Library — You can add Cisco predefined conditions
      ◦ Duplicate — Create a copy of the selected condition
      ◦ Add Condition to Library — You can save ad-hoc attribute/value pairs that you create to the policy elements library
      ◦ Delete — Delete the selected condition. Here, you can use the AND or OR operator.
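The profiling mechanics that Table 108 describes (rules that add certainty, the Minimum Certainty Factor, parent policies, the two identity-group options, exception and network scan actions, Policy Enabled, and the CoA type), as an added Python example that is not Cisco's code. The policies, conditions, action names and endpoint attributes are constructed; the page does not state how ties are broken or when a child policy is evaluated, so those two behaviours are assumptions stated in the docstring.

```python
"""Evaluation of endpoint profiling policies as described above: rules that
raise the certainty factor or trigger an exception / network scan action, the
Minimum Certainty Factor threshold, parent and child policies, identity group
assignment, the Policy Enabled flag and the associated CoA type.
Added example, not Cisco ISE code; policies, conditions, action names and
endpoint attributes are constructed. Assumptions: a child policy is evaluated
only when its parent matched, actions are recorded only for policies that
matched, and the highest total certainty wins, deeper policy winning a tie.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

@dataclass
class Rule:
    condition: Callable[[dict], bool]   # evaluated against the endpoint's attributes
    action: str                         # "cf" | "exception" | "scan": the three predefined settings
    certainty: int = 0                  # Certainty Factor Increases value when action == "cf"

@dataclass
class ProfilingPolicy:
    name: str
    rules: List[Rule]
    parent: Optional["ProfilingPolicy"] = None
    enabled: bool = True                # Policy Enabled check box
    min_certainty: int = 10             # Minimum Certainty Factor (default 10)
    create_group: bool = False          # Yes, create matching Identity Group
    exception_action: str = "NONE"
    scan_action: str = "NONE"
    coa: str = "Global Settings"        # No CoA | Port Bounce | Reauth | Global Settings

    def depth(self) -> int:
        return 0 if self.parent is None else 1 + self.parent.depth()

@dataclass
class Result:
    profile: str = "Unknown"
    certainty: int = 0
    identity_group: str = "Unknown"
    coa: str = "No CoA"
    actions: List[str] = field(default_factory=list)

def score(policy: ProfilingPolicy, attrs: dict) -> Tuple[int, List[str]]:
    """Sum the certainty of matching rules; collect the actions matching rules would trigger."""
    total, triggered = 0, []
    for rule in policy.rules:
        if not rule.condition(attrs):
            continue
        if rule.action == "cf":
            total += rule.certainty
        elif rule.action == "exception" and policy.exception_action != "NONE":
            triggered.append(f"exception:{policy.exception_action}")
        elif rule.action == "scan" and policy.scan_action != "NONE":
            triggered.append(f"scan:{policy.scan_action}")
    return total, triggered

def identity_group(policy: ProfilingPolicy) -> str:
    """Matching group when the policy creates one, else the nearest ancestor's, else Profiled."""
    p = policy
    while p is not None:
        if p.create_group:
            return p.name
        p = p.parent
    return "Profiled"

def profile(policies: List[ProfilingPolicy], attrs: dict, global_coa: str = "Reauth") -> Result:
    """Classify one endpoint; global_coa stands in for Administration > System > Settings > Profiling."""
    res, matched, best = Result(), set(), None
    for pol in sorted(policies, key=ProfilingPolicy.depth):   # parents are scored before children
        if not pol.enabled or (pol.parent is not None and pol.parent.name not in matched):
            continue
        cf, triggered = score(pol, attrs)
        if cf < pol.min_certainty:
            continue                                           # below threshold: no match
        matched.add(pol.name)
        res.actions.extend(triggered)
        if best is None or (cf, pol.depth()) > (best[0], best[1]):
            best = (cf, pol.depth(), pol)
    if best is not None:
        cf, _, pol = best
        res.profile, res.certainty, res.identity_group = pol.name, cf, identity_group(pol)
        res.coa = global_coa if pol.coa == "Global Settings" else pol.coa
    return res

# Constructed sample policies; the attribute names mimic the profiler's collected attributes.
CISCO = ProfilingPolicy("Cisco-Device", [
    Rule(lambda a: a.get("OUI", "").startswith("Cisco"), "cf", 10),
    Rule(lambda a: "cdpCachePlatform" not in a, "scan"),        # no CDP data: probe with NMAP
], scan_action="OS-scan")
IP_PHONE = ProfilingPolicy("Cisco-IP-Phone", [
    Rule(lambda a: "IP Phone" in a.get("cdpCachePlatform", ""), "cf", 20),
    Rule(lambda a: "IP Phone" in a.get("dhcp-class-identifier", ""), "cf", 10),
], parent=CISCO, create_group=True, coa="Port Bounce")
WORKSTATION = ProfilingPolicy("Workstation", [
    Rule(lambda a: a.get("dhcp-class-identifier") == "MSFT 5.0", "cf", 10),
    Rule(lambda a: "Windows" in a.get("User-Agent", ""), "cf", 5),
], create_group=True)
XEROX = ProfilingPolicy("Xerox-Device", [
    Rule(lambda a: a.get("OUI") == "Xerox Corporation", "cf", 10),
    Rule(lambda a: "User-Agent" not in a, "exception"),          # constructed exception trigger
], create_group=True, exception_action="Xerox-Review")
POLICIES = [CISCO, IP_PHONE, WORKSTATION, XEROX]
```

The threshold is what makes the certainty factor a security control rather than a score: an endpoint that only presents a Windows User-Agent (5 points against a minimum of 10) stays Unknown instead of being placed in the Workstation group, while a device with a Cisco OUI but no CDP data is profiled only as a generic Cisco-Device and triggers the network scan action to gather more evidence before any more specific (and more privileged) group is assigned.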
Related Topics
Cisco ISE Profiling Service, on page 452
Create Endpoint Profiling Policies, on page 479
Dictionaries

This section describes RADIUS vendor dictionaries used in Cisco ISE.

The following table describes the fields in the Dictionary page for RADIUS vendors, which allows you to configure dictionary attributes for the RADIUS vendors. The navigation path for this page is: Policy > Policy Elements > Dictionaries > System > RADIUS > RADIUS Vendors.

Table 109: RADIUS Vendor Dictionary Attribute Settings

Field / Usage Guidelines

Attribute Name
    Enter the vendor-specific attribute name for the selected RADIUS vendor.

Description
    Enter an optional description for the vendor-specific attribute.

Internal Name
    Enter the name for the vendor-specific attribute that refers to it internally in the database.
Data Type
    Choose one of the following data types for the vendor-specific attribute:
    • STRING
    • OCTET_STRING
    • UINT32
    • UINT64
    • IPV4

Enable MAC option
    Check this check box to enable the comparison of the RADIUS attribute as a MAC address. By default, for the RADIUS attribute Calling-Station-Id this option is enabled and you cannot disable it. For other dictionary attributes (of string types) within the RADIUS vendor dictionary, you can enable or disable this option.
    Once you enable this option, while setting the authentication and authorization conditions, you can define whether the comparison is a clear string, by selecting the Text option, or a MAC address, by selecting the MAC address option.

Direction
    Choose one of the options that applies to RADIUS messages.

ID
    Enter the vendor attribute ID. The valid range is 0 to 255.

Allow Tagging
    Check this check box to mark the attribute as being permitted to have a tag, as defined in RFC 2868. The purpose of the tag is to allow grouping of attributes for tunnelled users. See RFC 2868 for more details.
    Tagged attribute support ensures that all attributes pertaining to a given tunnel contain the same value in their respective tag fields, and that each set includes an appropriately valued instance of the Tunnel-Preference attribute. This conforms to the tunnel attributes that are to be used in a multi-vendor network environment, thereby eliminating interoperability issues among Network Access Servers (NASs) manufactured by different vendors.

Allow multiple instances of this attribute in a profile
    Check this check box when you want multiple instances of this RADIUS vendor-specific attribute in profiles.
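How the settings in Table 109 shape the bytes on the wire, as an added Python example that is not Cisco's code: a vendor attribute definition with the page's ID range and data types, RFC 2865 vendor-specific attribute encoding, the RFC 2868 tag carried in the first string byte or the high integer byte, the multiple-instances check, and the MAC address comparison that the Enable MAC option selects. Vendor ID 9 is Cisco's IANA enterprise number and cisco-avpair its vendor type 1; the other attribute names and IDs, and all packet bytes, are constructed for the example.

```python
"""Encoder/decoder for RADIUS vendor-specific attributes driven by dictionary
definitions like those on this page: data type, vendor attribute ID (0-255),
RFC 2868 tagging, multiple instances, and the "compare as MAC address" option.
Added example, not Cisco ISE code. Vendor ID 9 is Cisco's IANA enterprise
number and cisco-avpair its type 1; the other attributes and all bytes are constructed.
"""
import re
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Any, Dict, List, Optional, Tuple

VSA = 26      # RFC 2865 Vendor-Specific attribute type
TYPES = ("STRING", "OCTET_STRING", "UINT32", "UINT64", "IPV4")

@dataclass
class VendorAttr:
    name: str
    vendor_id: int
    attr_id: int                  # the page's ID field (vendor type), 0-255
    data_type: str
    allow_tagging: bool = False   # RFC 2868 tag permitted
    allow_multiple: bool = False  # more than one instance permitted

    def __post_init__(self):
        if not 0 <= self.attr_id <= 255 or self.data_type not in TYPES:
            raise ValueError(f"{self.name}: ID outside 0-255 or unknown data type")
        if self.allow_tagging and self.data_type not in ("STRING", "UINT32"):
            raise ValueError(f"{self.name}: RFC 2868 tags exist for strings and 32-bit integers only")

def encode_value(attr: VendorAttr, value: Any, tag: Optional[int] = None) -> bytes:
    """Serialise per data type; a tag (1..31) is the first string byte or the high integer byte."""
    if tag is not None and (not attr.allow_tagging or not 1 <= tag <= 0x1F):
        raise ValueError("tag not permitted for this attribute or outside 1..31")
    if attr.data_type == "STRING":
        return (bytes([tag]) if tag else b"") + value.encode()
    if attr.data_type == "UINT32":
        if tag and value >= 1 << 24:
            raise ValueError("a tagged integer carries only 24 bits of value")
        return struct.pack(">I", (tag << 24 if tag else 0) | value)
    if attr.data_type == "UINT64":
        return struct.pack(">Q", value)
    return bytes(value) if attr.data_type == "OCTET_STRING" else IPv4Address(value).packed

def encode_vsa(attr: VendorAttr, value: Any, tag: Optional[int] = None) -> bytes:
    """Type 26 | Length | Vendor-Id | Vendor-Type | Vendor-Length | value (RFC 2865 section 5.26)."""
    payload = encode_value(attr, value, tag)
    body = struct.pack(">I", attr.vendor_id) + bytes([attr.attr_id, 2 + len(payload)]) + payload
    if len(body) + 2 > 255:
        raise ValueError("attribute exceeds the 255-byte RADIUS attribute limit")
    return bytes([VSA, 2 + len(body)]) + body

def decode_value(attr: VendorAttr, raw: bytes) -> Tuple[Optional[int], Any]:
    """Return (tag, value); a leading byte 0x01..0x1F on a taggable attribute is its tag."""
    if attr.data_type == "STRING":
        if attr.allow_tagging and raw and 1 <= raw[0] <= 0x1F:
            return raw[0], raw[1:].decode(errors="replace")
        return None, raw.decode(errors="replace")
    if attr.data_type == "UINT32":
        (n,) = struct.unpack(">I", raw)
        return (n >> 24, n & 0xFFFFFF) if attr.allow_tagging and 1 <= n >> 24 <= 0x1F else (None, n)
    if attr.data_type == "UINT64":
        return None, struct.unpack(">Q", raw)[0]
    return (None, raw) if attr.data_type == "OCTET_STRING" else (None, str(IPv4Address(raw)))

def decode_vsas(attrs: bytes, dictionary: Dict[Tuple[int, int], VendorAttr]) -> List[dict]:
    """Walk a RADIUS attribute list, decode VSAs known to the dictionary, enforce multiplicity."""
    out, counts, pos = [], {}, 0
    while pos + 2 <= len(attrs):
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError("malformed attribute length")
        if atype == VSA and alen >= 8:
            vendor, p, end = struct.unpack(">I", attrs[pos + 2:pos + 6])[0], pos + 6, pos + alen
            while p + 2 <= end:
                vtype, vlen = attrs[p], attrs[p + 1]
                if vlen < 2 or p + vlen > end:
                    raise ValueError("malformed vendor sub-attribute")
                attr = dictionary.get((vendor, vtype))   # unknown vendor attributes are skipped
                if attr is not None:
                    counts[attr.name] = counts.get(attr.name, 0) + 1
                    if counts[attr.name] > 1 and not attr.allow_multiple:
                        raise ValueError(f"{attr.name}: multiple instances not allowed")
                    tag, value = decode_value(attr, attrs[p + 2:p + vlen])
                    out.append({"name": attr.name, "tag": tag, "value": value})
                p += vlen
        pos += alen
    return out

def mac_equal(a: str, b: str) -> bool:
    """The MAC address comparison option: strip separators and case before comparing."""
    norm = [re.sub(r"[^0-9a-f]", "", s.lower()) for s in (a, b)]
    return all(len(n) == 12 for n in norm) and norm[0] == norm[1]

# Constructed dictionary: cisco-avpair is real (vendor 9, type 1); the rest are made up.
DICT = {(a.vendor_id, a.attr_id): a for a in (
    VendorAttr("cisco-avpair", 9, 1, "STRING", allow_multiple=True),
    VendorAttr("example-tunnel-group", 9, 200, "STRING", allow_tagging=True),
    VendorAttr("example-session-limit", 9, 201, "UINT32", allow_tagging=True),
    VendorAttr("example-nas-ip", 9, 202, "IPV4"),
)}
```

Two of the checks are worth keeping in mind when you define a vendor attribute: a tag only exists for string and 32-bit integer attributes, and it reduces an integer to 24 bits of value, so Allow Tagging on anything else is a dictionary error; and the MAC address comparison is needed because network devices send Calling-Station-Id with colons, hyphens, Cisco dotted notation or no separator at all, so a Text comparison against one spelling silently misses the rest.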
Related Topics
System Defined Dictionaries and Dictionary Attributes, on page 197
User-Defined Dictionaries and Dictionary Attributes, on page 198
RADIUS-Vendor Dictionaries, on page 199
Create RADIUS-Vendor Dictionaries, on page 199