Related Topics
Use TCP Dump to Monitor Network Traffic, on page 650
Save a TCP Dump File, on page 651
TCP Dump Utility to Validate the Incoming Traffic, on page 650

SXP-IP Mappings
The following table describes the fields on the SXP-IP mappings page, which you use to compare mappings between a device and its peers. The navigation path for this page is: Operations > Troubleshoot > Diagnostic Tools > Trustsec Tools > SXP-IP Mappings.

Peer SXP Devices
Table 140: Peer SXP Devices for SXP-IP Mappings (Option: Usage Guidelines)
Peer SXP Devices
Peer IP Address: IP address of the peer SXP device.
VRF: The VRF instance of the peer device.
Peer SXP Mode: The SXP mode of the peer device; for example, whether it is a speaker or a listener.
Self SXP Mode: The SXP mode of the network device; for example, whether it is a speaker or a listener.
Connection State: The status of the connection.
Common Connection Parameters
Use Common Connection Parameters: Check this check box to enable common connection parameters for all the peer SXP devices.
  Note: If the common connection parameters are not specified or if they do not work for some reason, the Expert Troubleshooter again prompts you for connection parameters for that particular peer device.
Username: Enter the username of the peer SXP device.
Password: Enter the password to gain access to the peer device.
Protocol: Choose the protocol.
  Note: Telnet is the default option. If you choose SSHv2, you must ensure that SSH connections are enabled on the network device.
Cisco Identity Services Engine Administrator Guide, Release 1.3 865 Diagnostic Tools
Port: Enter the port number. The default port number for Telnet is 23 and SSH is 22.
Enable Password: Enter the enable password if it is different from your login password.
Same as login password: Check this check box if your enable password is the same as your login password.

Related Topics
Troubleshoot Connectivity Issues in a Trustsec-Enabled Network with SXP-IP Mappings, on page 652
Support for SXP

IP User SGT
The following table describes the fields on the IP User SGT page, which you use to compare IP-SGT values on a device with an ISE-assigned SGT. The navigation path for this page is: Operations > Troubleshoot > Diagnostic Tools > TrustSec Tools > IP User SGT.

Table 141: IP User SGT (Option: Usage Guidelines)
Enter Information
Network Device IP: Enter the IP address of the network device.
Filter Results
Username: Enter the username of the user whose records you want to troubleshoot.
User IP Address: Enter the IP address of the user whose records you want to troubleshoot.
SGT: Enter the user SGT value.

Related Topics
Troubleshoot Connectivity Issues in a Trustsec-Enabled Network with IP-SGT Mappings, on page 652
Security Groups Configuration, on page 598
Device SGT Settings
The following table describes the fields on the Device SGT page, which you use to compare the device SGT with the most recently assigned value. The navigation path for this page is: Operations > Troubleshoot > Diagnostic Tools > Trustsec Tools > Device SGT.

Table 142: Device SGT Settings (Option: Usage Guidelines)
Enter Information
Network Device IPs (comma-separated list): Enter the network device IP addresses (whose device SGT you want to compare with an ISE-assigned device SGT) separated by commas.
Common Connection Parameters
Use Common Connection Parameters: Select this check box to use the following common connection parameters for comparison:
  • Username: Enter the username of the network device.
  • Password: Enter the password.
  • Protocol: Choose the protocol.
    Note: Telnet is the default option. If you choose SSHv2, SSH connections must be enabled on the network device.
  • Port: Enter the port number. The default port number for Telnet is 23 and SSH is 22.
Enable Password: Enter the enable password if it is different from your login password.
Same as login password: Select this check box if your enable password is the same as your login password.

Related Topics
Troubleshoot Connectivity Issues in a Trustsec-Enabled Network by Comparing Device SGT Mappings, on page 653
Device SGT Tool, on page 653

Progress Details Settings
The following table describes the fields on the Progress Details page, which is displayed when you click the User Input Required button in any of the diagnostic tools. This page displays detailed troubleshooting information. The navigation path for this page is: Operations > Troubleshoot > Diagnostic Tools > Any Diagnostic Tool.
Table 143: Progress Details Settings (Option: Usage Guidelines)
Specify Connection Parameters for Network Device a.b.c.d
Username: Enter the username for logging in to the network device.
Password: Enter the password.
Protocol: Choose the protocol.
  Note: Telnet is the default option. If you choose SSHv2, you must ensure that SSH connections are enabled on the network device.
Port: Enter the port number.
Enable Password: Enter the enable password.
Same As Login Password: Check this check box if the enable password is the same as the login password.
Use Console Server: Select this check box to use the console server.
Console IP Address: (If the Use Console Server check box is selected) Enter the console IP address.
Advanced (Use if there is an "Expect timeout error" or the device has non-standard prompt strings)
  Note: The Advanced options appear only for some of the troubleshooting tools.
Username Expect String: Enter the string that the network device uses to prompt for username; for example, Username:, Login:, and so on.
Password Expect String: Enter the string that the network device uses to prompt for password; for example, Password:.
Prompt Expect String: Enter the prompt that the network device uses. For example, #, >, @.
Authentication Failure Expect String: Enter the string that the network device returns when there is an authentication failure; for example, Incorrect password, Login invalid, and so on.

Related Topics
Troubleshoot Unexpected RADIUS Authentication Results, on page 648
Execute IOS Show Commands to Check Configuration, on page 648
Troubleshoot Network Device Configuration Issues, on page 649
Troubleshoot Connectivity Issues in a Trustsec-Enabled Network with SXP-IP Mappings, on page 652
Troubleshoot Connectivity Issues in a Trustsec-Enabled Network with IP-SGT Mappings, on page 652
Diagnostic Troubleshooting Tools, on page 647

Results Summary
The following table describes the fields on the results summary page, which is displayed as a result when you use any diagnostic tool.

Table 144: RADIUS Authentication Troubleshooting Results Summary (Option: Usage Guidelines)
Diagnosis and Resolution
Diagnosis: The diagnosis for the problem is listed here.
Resolution: The steps for resolution of the problem are detailed here.
Troubleshooting Summary
Summary: A step-by-step summary of troubleshooting information is provided here. You can expand any step to view further details. Any configuration errors are indicated by red text.

Related Topics
Troubleshoot Unexpected RADIUS Authentication Results, on page 648
RADIUS Authentication Troubleshooting Tool, on page 647
CHAPTER 32
Network Access Flows
• Password-Based Authentication, page 871
• RADIUS Protocol Support in Cisco ISE, page 872
• Network Access for Users, page 872

Password-Based Authentication
Authentication verifies user information to confirm user identity. Traditional authentication uses a name and a fixed password. This is the most popular, simplest, and least-expensive method of authentication. The disadvantage is that this information can be told to someone else, guessed, or captured. An approach that uses simple, unencrypted usernames and passwords is not considered a strong authentication mechanism, but it can be sufficient for low-authorization or low-privilege levels such as Internet access.

Secure Authentication Using Encrypted Passwords and Cryptographic Techniques
You should use encryption to reduce the risk of password capture on the network. Client and server access control protocols, such as RADIUS, encrypt passwords to prevent them from being captured within a network. However, RADIUS operates only between the authentication, authorization, and accounting (AAA) client and Cisco ISE. Before this point in the authentication process, unauthorized persons can obtain cleartext passwords, such as in the following examples:
• In the communication between an end-user client that dials up over a phone line
• On an ISDN line that terminates at a network access server
• Over a Telnet session between an end-user client and the hosting device
More-secure methods use cryptographic techniques, such as those used inside the Challenge Handshake Authentication Protocol (CHAP), one-time password (OTP), and advanced EAP-based protocols. Cisco ISE supports a variety of these authentication methods.
Authentication Methods and Authorization Privileges
A fundamental implicit relationship exists between authentication and authorization. The more authorization privileges that are granted to a user, the stronger the authentication should be. Cisco ISE supports this relationship by providing various methods of authentication.

RADIUS Protocol Support in Cisco ISE
RADIUS is a client/server protocol through which remote-access servers communicate with a central server to authenticate dial-in users and authorize their access to the requested system or service. You can use RADIUS to maintain user profiles in a central database that all remote servers can share. This protocol provides better security, and you can use it to set up a policy that is applied at a single administered network point.
RADIUS also functions as a RADIUS client in Cisco ISE to proxy requests to a remote RADIUS server, and it provides Change of Authorization (CoA) activities during an active session.
Cisco ISE supports RADIUS protocol flow according to RFC 2865 and generic support for all general RADIUS attributes as described in RFC 2865 and its extension. Cisco ISE supports parsing of vendor-specific attributes only for vendors that are defined in the Cisco ISE dictionary.
The RADIUS interface supports the following attribute data types that are defined in RFC 2865:
• Text (Unicode Transformation Format [UTF])
• String (binary)
• Address (IP)
• Integer
• Time

Network Access for Users
For network access, a host connects to the network device and requests to use network resources. The network device identifies the newly connected host and, using the RADIUS protocol as a transport mechanism, requests Cisco ISE to authenticate and authorize the user.
Cisco ISE supports network access flows depending on the protocol that is transported over the RADIUS protocol.

RADIUS-Based Protocols Without EAP
RADIUS-based protocols that do not include EAP include the following:
• Password Authentication Protocol (PAP)
• CHAP
• Microsoft Challenge Handshake Authentication Protocol version 1 (MS-CHAPv1)
• MS-CHAP version 2 (MS-CHAPv2)
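As an added example (not code from the Cisco guide), the following Python parses a RADIUS packet as a server like Cisco ISE receives it and decodes each attribute value with the five RFC 2865 data types listed above, rejecting attribute lengths that overrun the packet. The attribute dictionary and the Access-Request bytes are constructed for the example.

```python
import struct
import ipaddress
from datetime import datetime, timezone

# Constructed attribute dictionary for this example: standard RFC 2865 numbers,
# plus 55 (Event-Timestamp, RFC 2869) only to exercise the 'time' data type.
ATTR_DICT = {
    1: ("User-Name", "text"),
    4: ("NAS-IP-Address", "address"),
    5: ("NAS-Port", "integer"),
    24: ("State", "string"),
    55: ("Event-Timestamp", "time"),
}

def decode_value(dtype, raw):
    """Decode one attribute value according to its RFC 2865 data type."""
    if dtype == "text":
        return raw.decode("utf-8")               # UTF-8 text
    if dtype == "string":
        return raw                               # opaque binary, kept as bytes
    if dtype == "address":
        return str(ipaddress.IPv4Address(raw))   # 4-octet IPv4 address
    if dtype == "integer":
        return struct.unpack("!I", raw)[0]       # 32-bit unsigned, network order
    if dtype == "time":                          # seconds since 1970-01-01 UTC
        return datetime.fromtimestamp(struct.unpack("!I", raw)[0], tz=timezone.utc)
    raise ValueError(f"unknown data type {dtype}")

def parse_radius(packet):
    """Parse the 20-byte header and attribute TLVs; reject lengths that overrun."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or not 20 <= length <= 4096:
        raise ValueError("Length field disagrees with packet size")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError(f"bad attribute length at offset {pos}")
        atype, alen = packet[pos], packet[pos + 1]
        name, dtype = ATTR_DICT.get(atype, (f"Unknown-{atype}", "string"))
        attrs[name] = decode_value(dtype, packet[pos + 2:pos + alen])
        pos += alen
    return {"code": code, "id": ident, "authenticator": packet[4:20], "attrs": attrs}

# Constructed Access-Request (code 1, id 7, 43 bytes) as a NAS would send it to
# Cisco ISE: User-Name "alice", NAS-IP-Address 10.0.0.1, NAS-Port 3, State 00ff.
SAMPLE_REQUEST = (b"\x01\x07\x00\x2b" + bytes(range(16)) + b"\x01\x07alice"
                  + b"\x04\x06\x0a\x00\x00\x01" + b"\x05\x06\x00\x00\x00\x03"
                  + b"\x18\x04\x00\xff")
```

Attributes missing from the dictionary are kept as raw bytes, which mirrors the guide's note that ISE only interprets vendor-specific attributes it has a dictionary entry for.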
RADIUS-Based Non-EAP Authentication Flow
This section describes RADIUS-based flow without EAP authentication. RADIUS-based flow with PAP authentication occurs in the following process:
1. A host connects to a network device.
2. The network device sends a RADIUS request (Access-Request) to Cisco ISE that contains RADIUS attributes that are appropriate to the specific protocol that is being used (PAP, CHAP, MS-CHAPv1, or MS-CHAPv2).
3. Cisco ISE uses an identity store to validate user credentials.
4. A RADIUS response (Access-Accept or Access-Reject) is sent to the network device, which will apply the decision.
The following figure shows a RADIUS-based authentication without EAP.
Figure 44: RADIUS-Based Authentication Without EAP
The non-EAP protocols supported by Cisco ISE are:

Password Authentication Protocol
PAP provides a simple method for users to establish their identity by using a two-way handshake. The PAP password is encrypted with a shared secret and is the least sophisticated authentication protocol. PAP is not a strong authentication method because it offers little protection from repeated trial-and-error attacks.

RADIUS-Based PAP Authentication in Cisco ISE
Cisco ISE checks the username and password pair against the identity stores, until it eventually acknowledges the authentication or terminates the connection.
You can use different levels of security concurrently with Cisco ISE for different requirements. PAP applies a two-way handshaking procedure. If authentication succeeds, Cisco ISE returns an acknowledgment; otherwise, Cisco ISE terminates the connection or gives the originator another chance.
The originator is in total control of the frequency and timing of the attempts. Therefore, any server that can use a stronger authentication method will offer to negotiate that method prior to PAP. RFC 1334 defines PAP.
Cisco ISE supports standard RADIUS PAP authentication that is based on the RADIUS UserPassword attribute. RADIUS PAP authentication is compatible with all identity stores.
The RADIUS-with-PAP-authentication flow includes logging of passed and failed attempts.
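As an added example, not code from the Cisco guide, this Python shows what the Access-Request of step 2 carries for PAP versus CHAP: the User-Password hiding of RFC 2865 section 5.2, which the server reverses with the shared secret (so PAP works against any identity store, as the text says), and the CHAP-Password response of RFC 2865 section 5.3, which a server can only check by recomputing it from the password it holds. The shared secret, Request Authenticator and challenge are constructed values.

```python
import hashlib
import hmac

def hide_user_password(password, secret, authenticator):
    """RFC 2865 section 5.2: pad to a multiple of 16 octets, then XOR each block
    with MD5(secret || previous block), the first block keyed by the Request
    Authenticator. Reversible by anyone who holds the shared secret."""
    if not 1 <= len(password) <= 128:
        raise ValueError("RFC 2865 limits User-Password to 1..128 octets")
    padded = password.ljust(-(-len(password) // 16) * 16, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def reveal_user_password(hidden, secret, authenticator):
    """Server side of PAP: undo the hiding and strip the null padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def chap_password(ident, password, challenge):
    """RFC 2865 section 5.3 / RFC 1994: CHAP-Password = Ident || MD5(Ident ||
    password || challenge). The password itself never crosses the wire."""
    return bytes([ident]) + hashlib.md5(bytes([ident]) + password + challenge).digest()

def verify_chap(stored_password, challenge, chap_attr):
    """Server side of CHAP: recompute from the password on file, compare in constant time."""
    expected = chap_password(chap_attr[0], stored_password, challenge)
    return hmac.compare_digest(expected, chap_attr)

# Constructed sample values for the demo (not real credentials).
SECRET = b"nas-shared-secret"
AUTHENTICATOR = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
CHALLENGE = bytes.fromhex("00112233445566778899aabbccddeeff")

def pap_vs_chap_demo(password=b"correct horse battery"):
    hidden = hide_user_password(password, SECRET, AUTHENTICATOR)
    chap = chap_password(0x2A, password, CHALLENGE)
    return {
        "pap_recovered_by_server": reveal_user_password(hidden, SECRET, AUTHENTICATOR) == password,
        "pap_recovered_with_wrong_secret": reveal_user_password(hidden, b"guess", AUTHENTICATOR) == password,
        "chap_valid": verify_chap(password, CHALLENGE, chap),
        "chap_wrong_password": verify_chap(b"wrong", CHALLENGE, chap),
    }
```

Because the CHAP check needs the cleartext password on the server side, it cannot be delegated to a store that only answers bind or hash comparisons, which is why the guide limits RADIUS CHAP to internal identity stores.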
Challenge Handshake Authentication Protocol
CHAP uses a challenge-response mechanism with one-way encryption on the response. CHAP enables Cisco ISE to negotiate downward from the most-secure to the least-secure encryption mechanism, and it protects passwords that are transmitted in the process. CHAP passwords are reusable. If you are using the Cisco ISE internal database for authentication, you can use PAP or CHAP. CHAP does not work with the Microsoft user database. Compared to RADIUS PAP, CHAP allows a higher level of security for encrypting passwords when communicating from an end-user client to the AAA client.
Cisco ISE supports standard RADIUS CHAP authentication that is based on the RADIUS ChapPassword attribute. Cisco ISE supports RADIUS CHAP authentication only with internal identity stores.

Microsoft Challenge Handshake Authentication Protocol Version 1
Cisco ISE supports the RADIUS MS-CHAPv1 authentication and change-password features. RADIUS MS-CHAPv1 contains two versions of the change-password feature: Change-Password-V1 and Change-Password-V2. Cisco ISE does not support Change-Password-V1, based on the RADIUS MS-CHAP-CPW-1 attribute, and supports only Change-Password-V2, based on the MS-CHAP-CPW-2 attribute. The RADIUS MS-CHAPv1 authentication and change-password features are supported with the following identity sources:
• Internal identity stores
• Microsoft Active Directory identity store

Microsoft Challenge Handshake Authentication Protocol Version 2
The RADIUS MS-CHAPv2 authentication and change-password features are supported with the following identity sources:
• Internal identity stores
• Microsoft Active Directory identity store

RADIUS-Based EAP Protocols
EAP provides an extensible framework that supports various authentication types. This section describes the EAP methods supported by Cisco ISE and contains the following topics:
Simple EAP Methods
• EAP-Message Digest 5
• Lightweight EAP
EAP Methods That Use Cisco ISE Server Certificate for Authentication
• PEAP/EAP-MS-CHAPv2
• PEAP/EAP-GTC
• EAP-FAST/EAP-MS-CHAPv2