Cisco Ise 13 User Guide
Cisco Identity Services Engine Administrator Guide, Release 1.3, page 835, Conditions

Fields / Usage Guidelines (continued)

AND or OR operator: Choose an AND or an OR operator to logically combine dictionary simple conditions, which can be added from the library. Click the Action icon to do the following:
• Add Attribute/Value
• Add Condition from Library
• Delete

Create New Condition (Advance Option): Select attributes from various system or user-defined dictionaries. You can also add predefined conditions from the policy elements library in the subsequent steps.

Condition Name: Choose a dictionary simple condition that you have already created.

Expression: From the Expression drop-down list, you can create a dictionary simple condition.

Operator: Choose an operator to associate a value to an attribute.

Value: Enter a value that you want to associate to the dictionary attribute, or choose a value from the drop-down list.

Related Topics
Dictionaries and Dictionary Attributes, on page 197
Simple and Compound Conditions, on page 401
Compound Posture Conditions, on page 406
Create Compound Posture Conditions, on page 407

Time and Date Condition Settings

The following table describes the fields in the Time and Date Conditions page. The navigation path for this page is: Policy > Policy Elements > Conditions > Common > Time and Date.

Table 120: Time and Date Condition Settings

Fields / Usage Guidelines

Condition Name: Enter the name of the time and date condition.

Description: Enter a description of the time and date condition.

Standard Settings
All Day (Default): Set for the entire day.
Specific Hours: Configure hours, minutes, and AM/PM to set a to-and-from time range.
Every Day (Default): Set for every day.
Specific Days: Configure one or more specific days of the week.
No Start and End Dates (Default): Set with no start or end date.
Specific Date Range: Configure the month, day, and year to set a to-and-from date range.
Specific Date: Configure a specific month, day, and year.

Exceptions
Time Range: Configure the hours, minutes, and AM/PM to set a to-and-from time range.
Week Days: Configure one or more specific days of the week.
Date Range: Choose one of the following two options:
• Specific Date Range—Provides drop-down lists you can use to configure a specific to-and-from date range by month, day, and year.
• Specific Date—Provides drop-down lists you can use to configure a specific month, day, and year.

Related Topics
Time and Date Conditions, on page 445
Create Time and Date Conditions, on page 407

Results

This section describes requirements for Cisco ISE services.

Allowed Protocols

The following table describes the fields in the Allowed Protocols page, which allows you to configure the protocols to be used during authentication. The navigation path for this page is: Policy > Policy Elements > Results > Authentication > Allowed Protocols.

In the following table, PAC stands for Protected Access Credentials.
Table 121: Allowed Protocols

Fields / Usage Guidelines

Allowed Protocols > Authentication Bypass

Process Host Lookup: Check this checkbox if you want Cisco ISE to process the Host Lookup request. The Host Lookup request is processed for the PAP/CHAP protocol when the RADIUS Service-Type equals 10 (Call-Check) and the username is equal to Calling-Station-ID. The Host Lookup request is processed for the EAP-MD5 protocol when the Service-Type equals 1 (Framed) and the username is equal to Calling-Station-ID. Uncheck this checkbox if you want Cisco ISE to ignore the Host Lookup request and use the original value of the system username attribute for authentication. When unchecked, message processing is done according to the protocol (for example, PAP).
Note: Unchecking the Process Host Lookup box could result in the failure of existing MAB authentications.

Allowed Protocols > Authentication Protocols

Allow PAP/ASCII: This option enables PAP/ASCII. PAP uses cleartext passwords (that is, unencrypted passwords) and is the least secure authentication protocol.

Allow CHAP: This option enables CHAP authentication. CHAP uses a challenge-response mechanism with password encryption. CHAP does not work with Microsoft Active Directory.

Allow MS-CHAPv1: Check this checkbox to enable MS-CHAPv1.

Allow MS-CHAPv2: Check this checkbox to enable MS-CHAPv2.

Allow EAP-MD5: Check this checkbox to enable EAP-based MD5 password hashed authentication.

Allow EAP-TLS: Check this checkbox to enable the EAP-TLS authentication protocol and configure EAP-TLS settings. You can specify how Cisco ISE will verify the user identity as presented in the EAP identity response from the end-user client. User identity is verified against information in the certificate that the end-user client presents. This comparison occurs after an EAP-TLS tunnel is established between Cisco ISE and the end-user client.
Note: EAP-TLS is a certificate-based authentication protocol. EAP-TLS authentication can occur only after you have completed the required steps to configure certificates.
• Allow authentication of expired certificates to allow certificate renewal in Authorization Policy—Check this checkbox if you want to allow users to renew certificates. If you check this checkbox, ensure that you configure appropriate authorization policy rules to check if the certificate has been renewed before processing the request any further.

Allow LEAP: Check this checkbox to enable Lightweight Extensible Authentication Protocol (LEAP) authentication.

Allow PEAP: Check this checkbox to enable the PEAP authentication protocol and PEAP settings. The default inner method is MS-CHAPv2. When you check the Allow PEAP checkbox, you can configure the following PEAP inner methods:
• Allow EAP-MS-CHAPv2—Check this checkbox to use EAP-MS-CHAPv2 as the inner method.
  ◦ Allow Password Change—Check this checkbox for Cisco ISE to support password changes.
  ◦ Retry Attempts—Specifies how many times Cisco ISE requests user credentials before returning login failure. Valid values are 0 to 3.
• Allow EAP-GTC—Check this checkbox to use EAP-GTC as the inner method.
  ◦ Allow Password Change—Check this checkbox for Cisco ISE to support password changes.
  ◦ Retry Attempts—Specifies how many times Cisco ISE requests user credentials before returning login failure. Valid values are 0 to 3.
• Allow EAP-TLS—Check this checkbox to use EAP-TLS as the inner method. Check the Allow authentication of expired certificates to allow certificate renewal in Authorization Policy checkbox if you want to allow users to renew certificates. If you check this checkbox, ensure that you configure appropriate authorization policy rules to check if the certificate has been renewed before processing the request any further.
• Allow PEAPv0 only for legacy clients—Check this checkbox to allow PEAP supplicants to negotiate using PEAPv0. Some legacy clients do not conform to the PEAPv1 protocol standards. To ensure that such PEAP conversations are not dropped, check this checkbox.

Allow EAP-FAST: Check this checkbox to enable the EAP-FAST authentication protocol and EAP-FAST settings. The EAP-FAST protocol can support multiple internal protocols on the same server. The default inner method is MS-CHAPv2. When you check the Allow EAP-FAST checkbox, you can configure EAP-FAST as the inner method:
• Allow EAP-MS-CHAPv2
  ◦ Allow Password Change—Check this checkbox for Cisco ISE to support password changes.
  ◦ Retry Attempts—Specifies how many times Cisco ISE requests user credentials before returning login failure. Valid values are 0 to 3.
• Allow EAP-GTC
  ◦ Allow Password Change—Check this checkbox for Cisco ISE to support password changes.
  ◦ Retry Attempts—Specifies how many times Cisco ISE requests user credentials before returning login failure. Valid values are 0 to 3.
• Use PACs—Choose this option to configure Cisco ISE to provision authorization PACs for EAP-FAST clients. Additional PAC options appear.
• Don't use PACs—Choose this option to configure Cisco ISE to use EAP-FAST without issuing or accepting any tunnel or machine PACs. All requests for PACs are ignored and Cisco ISE responds with a Success-TLV without a PAC. When you choose this option, you can configure Cisco ISE to perform machine authentication.
• Allow EAP-TLS—Check this checkbox to use EAP-TLS as the inner method. Check the Allow authentication of expired certificates to allow certificate renewal in Authorization Policy checkbox if you want to allow users to renew certificates. If you check this checkbox, ensure that you configure appropriate authorization policy rules to check if the certificate has been renewed before processing the request any further.
• Enable EAP Chaining—Check this checkbox to enable EAP chaining. EAP chaining allows Cisco ISE to correlate the results of user and machine authentication and apply the appropriate authorization policy using the EAP Chaining Result attribute. EAP chaining requires a supplicant that supports EAP chaining on the client device. Cisco ISE supports AnyConnect 4.0. Choose the User and Machine Authentication option in the supplicant.
  EAP chaining is available when you choose the EAP-FAST protocol (both in PAC-based and PACless mode).
  For PAC-based authentication, you can use the user authorization PAC or the machine authorization PAC, or both, to skip the inner method.
  For certificate-based authentication, if you enable the Accept Client Certificate for Provisioning option for the EAP-FAST protocol (in the Allowed Protocol service), and if the endpoint (AnyConnect) is configured to send the user certificate inside the tunnel, then during tunnel establishment ISE authenticates the user using the certificate (the inner method is skipped), and machine authentication is done through the inner method. If these options are not configured, EAP-TLS is used as the inner method for user authentication.
  After you enable EAP chaining, update your authorization policy and add a condition using the Network Access:EapChainingResult attribute and assign appropriate permissions. For example:
  ◦ If EapChainingResult equals User and machine both succeeded - Full access
  ◦ If EapChainingResult equals User passed and machine failed - Restricted access
  ◦ If EapChainingResult equals User failed and machine passed - Restricted access
  ◦ If EapChainingResult equals User and machine both failed - Authentication fails. Cisco ISE does not process the authorization policy and sends a reject access message.

Preferred EAP Protocol: Check this checkbox to choose your preferred EAP protocols from any of the following options: EAP-FAST, PEAP, LEAP, EAP-TLS, EAP-TTLS, and EAP-MD5. If you do not specify the preferred protocol, EAP-TLS is used by default.

Related Topics
Define Allowed Protocols for Network Access, on page 422

PAC Options

The following table describes the fields after you select Use PACs in the Allowed Protocols Services List page. The navigation path for this page is: Policy > Policy Elements > Results > Authentication > Allowed Protocols.
Table 122: PAC Options

Fields / Usage Guidelines

Use PAC:
• Tunnel PAC Time To Live—The Time to Live (TTL) value restricts the lifetime of the PAC. Specify the lifetime value and units. The default is 90 days. The range is between 1 and 1825 days.
• Proactive PAC Update When: ___ of PAC TTL is Left—The Update value ensures that the client has a valid PAC. Cisco ISE initiates an update after the first successful authentication but before the expiration time that is set by the TTL. The update value is a percentage of the remaining time in the TTL. The default is 90%.
• Allow Anonymous In-band PAC Provisioning—Check this checkbox for Cisco ISE to establish a secure anonymous TLS handshake with the client and provision it with a PAC by using phase zero of EAP-FAST with EAP-MSCHAPv2. To enable anonymous PAC provisioning, you must choose both of the inner methods, EAP-MSCHAPv2 and EAP-GTC.
• Allow Authenticated In-band PAC Provisioning—Cisco ISE uses SSL server-side authentication to provision the client with a PAC during phase zero of EAP-FAST. This option is more secure than anonymous provisioning but requires that a server certificate and a trusted root CA be installed on Cisco ISE. When you check this option, you can configure Cisco ISE to return an Access-Accept message to the client after successful authenticated PAC provisioning.
  ◦ Server Returns Access Accept After Authenticated Provisioning—Check this checkbox if you want Cisco ISE to return an access-accept package after authenticated PAC provisioning.
• Allow Machine Authentication—Check this checkbox for Cisco ISE to provision an end-user client with a machine PAC and perform machine authentication (for end-user clients who do not have the machine credentials). The machine PAC can be provisioned to the client by request (in-band) or by the administrator (out-of-band). When Cisco ISE receives a valid machine PAC from the end-user client, the machine identity details are extracted from the PAC and verified in the Cisco ISE external identity source. Cisco ISE only supports Active Directory as an external identity source for machine authentication. After these details are correctly verified, no further authentication is performed.
  When you check this option, you can enter a value for the amount of time that a machine PAC is acceptable for use. When Cisco ISE receives an expired machine PAC, it automatically reprovisions the end-user client with a new machine PAC (without waiting for a new machine PAC request from the end-user client).
• Enable Stateless Session Resume—Check this checkbox for Cisco ISE to provision authorization PACs for EAP-FAST clients and skip phase two of EAP-FAST (default = enabled). Uncheck this checkbox in the following cases:
  ◦ If you do not want Cisco ISE to provision authorization PACs for EAP-FAST clients
  ◦ To always perform phase two of EAP-FAST
  When you check this option, you can enter the authorization period of the user authorization PAC. After this period, the PAC expires. When Cisco ISE receives an expired authorization PAC, it performs phase two EAP-FAST authentication.

Related Topics
OOB TrustSec PAC, on page 595
Generate the PAC for EAP-FAST, on page 420

Authorization Profile Settings

The following table describes the fields in the Standard Authorization Profiles page. The navigation path for this page is: Policy > Policy Elements > Results > Authorization > Authorization Profiles.

Table 123: Authorization Profile Settings

Fields / Usage Guidelines

Name: Enter a name that identifies the new authorization profile.

Description: Enter a description of the authorization profile.

Access Type: Choose the access type options (ACCESS_ACCEPT or ACCESS_REJECT).

Service Template: Check the checkbox to enable Cisco ISE to support sessions connecting from SAnet capable devices. ISE implements service templates as authorization profiles that contain a special flag that marks them as "Service Template" compatible. This way, the service template, which is also an authorization profile, can be used in a single policy to support connection with SAnet as well as non-SAnet devices.

Common Tasks

DACL Name: Check the checkbox and choose existing downloadable ACL options available (for example, Cisco ISE provides two default values in the drop-down list: PERMIT_ALL_TRAFFIC or DENY_ALL_TRAFFIC). The list will include all current DACLs in the local database.
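The PAC lifetime rules from the PAC Options table above (the Tunnel PAC TTL range, the proactive update percentage, the handling of expired machine and authorization PACs, and the effect of Stateless Session Resume) are easier to reason about as a small model. The following is an added Python example written for this page; it is not Cisco's or ISE's code. The Pac class, the function names, the sample PACs, the reading of the update percentage as the share of the full TTL that must still remain, and the phase-zero handling of an expired tunnel PAC are assumptions made for the illustration.

```python
# Added example (not Cisco's code): a model of the PAC lifetime rules in
# Table 122 (PAC Options). The Pac class, function names, sample PACs and
# the interpretations noted in comments are constructed for this example;
# nothing here is an ISE API.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List

DAY = timedelta(days=1)
# Constructed reference clock so the example is deterministic when run offline.
SAMPLE_NOW = datetime(2015, 6, 1, 12, 0, 0)


@dataclass
class Pac:
    kind: str           # "tunnel", "machine" or "authorization"
    issued: datetime
    ttl: timedelta      # tunnel PAC: default 90 days, range 1 to 1825 days


def tunnel_pac_ttl(days: int) -> timedelta:
    """Enforce the documented range for Tunnel PAC Time To Live (1 to 1825 days)."""
    if not 1 <= days <= 1825:
        raise ValueError("Tunnel PAC TTL must be between 1 and 1825 days")
    return days * DAY


def make_pac(kind: str, issued_days_ago: int, ttl_days: int) -> Pac:
    """Build a constructed sample PAC relative to SAMPLE_NOW."""
    ttl = tunnel_pac_ttl(ttl_days) if kind == "tunnel" else ttl_days * DAY
    return Pac(kind, SAMPLE_NOW - issued_days_ago * DAY, ttl)


def pac_state(pac: Pac, now: datetime = SAMPLE_NOW, update_pct: int = 90) -> str:
    """
    Classify a presented PAC:
      "expired" - past its TTL
      "update"  - still valid, but the remaining lifetime is at or below the
                  "Proactive PAC Update When: ___ of PAC TTL is Left" percentage
                  (default 90%), so ISE issues a fresh PAC after this successful
                  authentication instead of letting it run out
      "valid"   - used as-is
    Reading the percentage as the share of the full TTL that must still remain
    is this example's interpretation of the field label.
    """
    if not 0 <= update_pct <= 100:
        raise ValueError("update percentage must be 0..100")
    expires = pac.issued + pac.ttl
    if now >= expires:
        return "expired"
    remaining = expires - now
    if remaining <= pac.ttl * update_pct / 100:
        return "update"
    return "valid"


def handle_pac(pac: Pac, now: datetime = SAMPLE_NOW, update_pct: int = 90,
               stateless_session_resume: bool = True) -> List[str]:
    """Actions ISE takes for a presented PAC, per the PAC Options table."""
    state = pac_state(pac, now, update_pct)
    actions: List[str] = []
    if pac.kind == "machine":
        if state == "expired":
            # Expired machine PAC: ISE reprovisions a new one without waiting
            # for the client to request it.
            actions.append("reprovision machine PAC")
        else:
            # Valid machine PAC: identity details come from the PAC and are
            # checked in Active Directory; once verified, no further
            # authentication is performed.
            actions.append("verify machine identity from PAC in Active Directory")
    elif pac.kind == "authorization":
        if not stateless_session_resume or state == "expired":
            # Resume disabled, or the authorization PAC expired: phase two runs.
            actions.append("run EAP-FAST phase two")
        else:
            actions.append("skip EAP-FAST phase two (stateless session resume)")
    else:  # tunnel PAC
        if state == "expired":
            # Assumption for this example: an expired tunnel PAC is replaced
            # through phase-zero provisioning, as for a client with no PAC.
            actions.append("provision tunnel PAC (phase zero)")
        else:
            actions.append("establish EAP-FAST tunnel with PAC")
            if state == "update":
                actions.append("send refreshed tunnel PAC (proactive update)")
    return actions


if __name__ == "__main__":
    for sample in (make_pac("tunnel", 10, 90), make_pac("tunnel", 95, 90),
                   make_pac("machine", 40, 30), make_pac("authorization", 2, 1)):
        print(sample.kind, pac_state(sample), handle_pac(sample))
```

With the defaults (90-day TTL, 90%), a tunnel PAC is refreshed on the first successful authentication after roughly nine days have elapsed, which is why a freshly provisioned fleet shows a burst of PAC updates well before any PAC actually expires.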