Americas HeadquartersCisco Systems, Inc.170 West Tasman DriveSan Jose, CA 95134-1706 USAhttp://www.cisco.comTel: 408 526-4000

800 553-NETS (6387)Fax: 408 527-0883

Cisco Identity Services Engine User Guide, Release 1.1.xDecember 2012

Text Part Number: OL-26134-01

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCBs public domain version of the UNIX operating system. All rights reserved. Copyright 1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED AS IS WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)

Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.

Cisco Identity Services Engine User Guide, Release 1.1.x 2012 Cisco Systems, Inc. All rights reserved.

OL-26134-01

Page-Level HelpProviding Feedback

Introducing the DashboaDashboard ElementsDrilling Down for De-11

2-11

C O N T E N T S

Preface xxix

Audience xxix

Document Organization Map xxx

Document Conventions xxxi

Documentation Updates xxxii

Related Documentation xxxiiRelease-Specific Documents xxxiiPlatform-Specific Documents xxxiii

Notices xxxivOpenSSL/Open SSL Project xxxiv

License Issues xxxiv

Obtaining Documentation and Submitting a Service Request xxxvi

Whats New in This Release xxxvii

Related Documentation xxxvii

P A R T 1 Introducing Cisco ISE

C H A P T E R 1 Overview of Cisco ISE 1-1

C H A P T E R 2 Understanding the User Interface 2-1

Cisco ISE Internationalization and Localization 2-1

Inherent Usability 2-6

Elements of the User Interface 2-7Primary Navigation Tabs and Menus 2-8The Global Toolbar 2-9Task Navigators 2-9Getting Help 2-11

Global Help 2iiiCisco Identity Services Engine User Guide, Release 1.1.x

to Cisco 2-12

rd 2-122-13

tails 2-15

Contents

Common User Interface Patterns 2-16

Understanding the Impact of Roles and Admin Groups 2-19

P A R T 2 Administering Cisco ISE

C H A P T E R 3 Cisco ISE Task Navigator 3-1

Navigating Multiple Task Procedures 3-1

Setup 3-3

Profiling 3-5

Basic User Authorization 3-6

Client Provisioning and Posture 3-7

Basic Guest Authorization 3-9

Advanced User Authorization 3-10

Advanced Guest Authorization 3-12

Device Registration 3-15

C H A P T E R 4 Managing Identities and Admin Access 4-1

Configuring Access for Users, Endpoints, Admins, Groups, Permissions, and Accounts 4-2

Understanding User Identities, Groups, and Admin Access 4-2

Understanding Identity Management Terminology 4-4Managing User Identity and Group Identity Types Using the User Interface 4-5

Network Access Users 4-9Configuring Network Access and Sponsor Users 4-9

Endpoints 4-15Configuring Endpoints 4-17

Filtering Endpoints 4-17Creating an Endpoint 4-19Editing an Endpoint 4-20Deleting an Endpoint 4-21Importing Endpoints 4-22Importing Endpoints from an LDAP Server 4-23Exporting Endpoints 4-26

Latest Network Scan Results 4-27

Understanding Admin Access Terminology 4-27Managing Admin Access Types Using the User Interface 4-30Configuring Cisco ISE Administrators 4-34ivCisco Identity Services Engine User Guide, Release 1.1.x

OL-26134-01

Configuring Admin Groups 4-37

Contents

Configuring User Identity Groups 4-41Configuring Cisco ISE for Administrator Access Using an External Identity Store 4-44

External Authentication + External Authorization 4-45External Authentication + Internal Authorization 4-48

Managing Admin Access (RBAC) Policies 4-50

Configuring RBAC Permissions 4-50Configuring Menu Access Permissions 4-50

Viewing Predefined Menu Access Permissions 4-51Creating Custom Menu Access Permissions 4-52Updating Menu Access Permissions 4-53Duplicating Menu Access Permissions 4-53Deleting Menu Access Permissions 4-54

Configuring Data Access Permissions 4-54Viewing Predefined Data Access Permissions 4-54Creating Custom Data Access Permissions 4-55Updating Data Access Permissions 4-56Duplicating Data Access Permissions 4-56Deleting Data Access Permissions 4-57

Configuring RBAC Policies 4-57Using Predefined RBAC Policies 4-57Creating Custom RBAC Policy 4-58

Configuring Settings for Accounts 4-61Administrator Access Settings 4-61

Restricting Administrative Access to the Management Interfaces 4-62Configuring a Password Policy for Administrator Accounts 4-63Configuring Session Timeout for Administrators 4-65Changing Administrator Name 4-66

Configuring Network Access for User Accounts 4-66User Custom Attributes Policy 4-67User Password Policy 4-68

Configuring Network Access User Accounts 4-68

Endpoint Identity Groups 4-71

Filtering, Creating, Editing, and Deleting Endpoint Identity Groups 4-73Filtering Endpoint Identity Groups 4-73Creating, Editing, and Deleting an Endpoint Identity Group 4-75

Filtering, Adding and Removing Endpoints in an Endpoint Identity Group 4-77Filtering Endpoints in an Endpoint Identity Group 4-77Adding Endpoints in an Endpoint Identity Group 4-79vCisco Identity Services Engine User Guide, Release 1.1.x

OL-26134-01

Removing Endpoints in an Endpoint Identity Group 4-79

Contents

C H A P T E R 5 Managing External Identity Sources 5-1

Certificate Authentication Profiles 5-2Adding or Editing a Certificate Authentication Profile 5-2

Microsoft Active Directory 5-4Key Features of the Integration of Cisco ISE and Active Directory 5-4Integrating Cisco ISE with Active Directory 5-6Enabling Active Directory Debug Logs 5-15Supplemental Information 5-16

Configure Group Policy in Active Directory 5-16Configure Odyssey 5.X Supplicant for EAP-TLS Machine Authentications Against Active Directory 5-17Configure AnyConnect Agent for Machine Authentication 5-17

LDAP 5-18Key Features of Integration of Cisco ISE and LDAP 5-18Adding and Editing LDAP Identity Sources 5-22

RADIUS Token Identity Sources 5-32Key Features of the Integration of Cisco ISE and RADIUS Identity Source 5-33Adding or Editing a RADIUS Token Server 5-36Deleting a RADIUS Token Server 5-39

RSA Identity Sources 5-39Integrating Cisco ISE with RSA SecurID Server 5-40Adding and Editing RSA Identity Sources 5-42Configuring RSA Prompts 5-48Configuring RSA Messages 5-49

Identity Source Sequences 5-51Creating Identity Source Sequences 5-52Deleting Identity Source Sequences 5-53

Viewing and Monitoring the Identity Sources 5-54

C H A P T E R 6 Managing Network Devices 6-1

Managing Network Devices 6-1Adding and Editing Devices 6-3Deleting a Device 6-6Filtering Network Devices on the Network Devices Page 6-7Configuring a Default Device 6-9

Managing Network Device Groups 6-10Creating a Network Device Group 6-11Editing a Network Device Group 6-12viCisco Identity Services Engine User Guide, Release 1.1.x

OL-26134-01

Deleting a Network Device Group 6-12

Contents

Importing Network Devices and Network Device Groups 6-13

Exporting Network Devices and Network Device Groups 6-20

C H A P T E R 7 Managing Resources 7-1

Dictionaries and Dictionary Attributes 7-1Dictionary and Attribute User Interface 7-2

Configuring Dictionaries and Dictionary Attributes 7-2Managing Dictionary Attributes in System-Defined Dictionaries 7-2Configuring User-Defined Dictionaries and Dictionary Attributes 7-4

Configuring RADIUS Vendors 7-8Creating and Editing RADIUS Vendors 7-9Creating and Editing RADIUS VSAs 7-9Deleting RADIUS Vendors 7-10Importing and Exporting RADIUS Vendor Dictionary 7-11

C H A P T E R 8 Administering Cisco ISE 8-1

Logging In 8-1Administrator Lockout Following Failed Login Attempts 8-2

Enabling FIPS Mode in Cisco ISE 8-2Cisco NAC Agent Requirements when FIPS Mode is Enabled 8-4

Configuring Cisco ISE for Administrator CAC Authentication 8-4Preliminary Setup Done by Cisco ISE Administrator 8-5Step 1: Enable FIPS Mode 8-5Step 2: Configure Active Directory 8-6Step 3: Create Certificate Authentication Profile 8-9Step 4: Import CA Certificates into Cisco ISE Certificate Trust Store 8-9Step 5: Configure CA Certificates for Revocation Status Check 8-10Step 6: Enable Client Certificate-Based Authentication 8-12Step 7: Configure Admin Group to AD Group Mapping 8-13Step 8: Configure Admin Authorization Policy 8-16

Specifying Proxy Settings in Cisco ISE 8-17

System Time and NTP Server Settings 8-18

Configuring E-mail Settings 8-20

Configuring System Alarm Settings 8-21

Configuring Alarm Syslog Targets 8-22

Managing Software Patches 8-24Installing a Software Patch 8-24viiCisco Identity Services Engine User Guide, Release 1.1.x

OL-26134-01

Rolling Back Software Patches 8-28

Contents

Viewing Patch Install and Rollback Changes in the Audit Report 8-29

C H A P T E R 9 Setting Up Cisco ISE in a Distributed Environment 9-1

Understanding Node Types, Personas, Roles, and Services 9-2Cisco Cisco ISE Deployment Terminology 9-2Types of Nodes 9-2Cisco Cisco ISE Nodes and Available Menu Options 9-4

Understanding Distributed Deployment 9-5

Guidelines for Setting Up a Distributed Deployment 9-7

Configuring a Cisco Cisco ISE Node 9-7Configuring a Primary Administration Cisco ISE Node 9-11Registering and Configuring a Secondary Node 9-13

Configuring Administration Cisco ISE Nodes for High Availability 9-15

Viewing Nodes in a Deployment 9-17

Managing Node Groups 9-19Creating, Editing, and Deleting Node Groups 9-21

Changing Node Personas and Services 9-23

Configuring Monitoring ISE Nodes for Automatic Failover 9-24

Removing a Node from Deployment 9-26

Changing the IP Address of the Monitoring Node 9-27

Replacing the Cisco Cisco ISE Appliance Hardware 9-28

C H A P T E R 10 Setting Up Inline Posture 10-1

Inline Posture Known Limitations 10-1

Understanding the Role of Inline Posture 10-1

Planning an Inline Posture Deployment 10-4About Inline Posture Configuration 10-4Choosing an Inline Posture Operating Mode 10-5Best Practices for Inline Posture 10-7Standalone Mode or High Availability 10-8Inline Posture High Availability 10-9Inline Posture Guidelines for Distributed Deployment 10-11

Deploying an Inline Posture Node 10-12

Configuring Inline Posture for High Availability 10-25Configuring a High Availability Pair 10-25Syncing an Inline Posture Node 10-29viiiCisco Identity Services Engine User Guide, Release 1.1.x

OL-26134-01

Adding Inline Posture as a RADIUS Client 10-30

Contents

Monitoring an Inline Posture Node 10-30

Removing an Inline Posture Node from Deployment 10-31

Remote Access VPN Use Case 10-31Configuring a Cisco ISE Deployment Using an Inline Posture Node 10-33

C H A P T E R 11 Setting Up Endpoint Protection Services 11-1

About Endpoint Protection Services 11-1

EPS Functional Overview 11-1

Enabling and Disabling EPS 11-3

EPS Authorization 11-4

Controlling Endpoints 11-6

Monitoring EPS Data 11-8

C H A P T E R 12 Managing Licenses 12-1

Understanding Licensing 12-1

Viewing Current Licenses 12-2Viewing Licensing History 12-3

Adding and Upgrading Licenses 12-3

Removing Licenses 12-4

C H A P T E R 13 Managing Certificates 13-1

Local Server Certificates 13-2Viewing Local Certificates 13-3Adding a Local Certificate 13-4

Importing a Server Certificate 13-5Generating a Self-Signed Certificate 13-7Generating a Certificate Signing Request 13-8Binding a CA-Signed Certificate 13-10

Editing a Local Certificate 13-11Deleting a Local Certificate 13-13Exporting a Local Certificate 13-13

Certificate Signing Requests 13-15Viewing and Exporting Certificate Signing Requests 13-15Deleting a Certificate Signing Request 13-16

Certificate Authority Certificates 13-16Viewing Certificate Authority Certificates 13-17Adding a Certificate Authority Certificate 13-18ixCisco Identity Services Engine User Guide, Release 1.1.x

OL-26134-01

Editing a Certificate Authority Certificate 13-19

Contents

Deleting a Certificate Authority Certificate 13-22Exporting a Certificate Authority Certificate 13-22Importing Certificate Chains 13-23Creating Certificate Trust Lists in the Primary Cisco ISE Node 13-23

Importing Root and CA Certificates into the CTL of the Primary Node 13-24Importing the CA-Signed Certificate from the Secondary Node into the Primary Nodes CTL 13-24Importing the Self-Signed Certificate from the Secondary Node into the CTL of the Primary Node 13-25

Simple Certificate Enrollment Protocol Profiles 13-25Adding and Modifying Simple Certificate Enrollment Protocol Profiles 13-25Deleting Simple Certificate Enrollment Protocol Profiles 13-26

OCSP Services 13-27OCSP Certificate Status Values 13-27OCSP High Availability 13-28OCSP Failures 13-28Viewing OCSP Services 13-28Adding, Editing, or Duplicating OCSP Services 13-29Deleting an OCSP Service 13-32OCSP Statistics Counters 13-32Monitoring OCSP 13-33

OCSP Monitoring Report 13-33

C H A P T E R 14 Logging 14-1

Understanding Logging 14-1Configuring Local Log Settings 14-2Understanding Remote Logging Targets 14-2

Configuring Remote Logging Targets 14-2Understanding Logging Categories 14-5

Searching Logging Categories 14-6Editing Logging Categories 14-7

Viewing Message Catalog 14-8Understanding Debug Log Configuration 14-8

Configuring Debug Log Level 14-9Viewing Log Collection Status 14-11

Viewing Log Collection Details 14-11

C H A P T E R 15 Managing Cisco Cisco ISE Backup and Restore Operations 15-1

Overview of Cisco Cisco ISE Backup and Restore 15-1xCisco Identity Services Engine User Guide, Release 1.1.x

OL-26134-01

Contents

Supported Scenarios for Backup, Restore, and Upgrade 15-3

Configuring Repositories 15-3Creating Repositories 15-3Deleting Repositories 15-5

On-Demand Backup 15-5Running On-Demand Backup 15-5

Scheduled Backups 15-7Scheduling a Backup 15-7Deleting a Scheduled Backup 15-9

Viewing Backup History 15-10

Restoring Data from a Backup 15-11

Viewing Restore History 15-12

Synchronizing Primary and Secondary Nodes in a Distributed Environment 15-13

Recovering Lost Nodes in Standalone and Distributed Deployments 15-14Loss of All Nodes in a Distributed Setup, Recovery Using Existing IP Addresses and Hostnames 15-14Loss of All Nodes in a Distributed Deployment, Recovery Using New IP Addresses and Hostnames 15-15Standalone Deployment, Recovery Using Existing IP Address and Hostname 15-15Standalone Deployment, Recovery Using New IP Address and Hostname 15-16Configuration Rollback 15-16Primary Node Failure in a Distributed Deployment 15-17Secondary Node Failure in a Distributed Deployment 15-17

P A R T 3 Managing Cisco ISE Policy Models

C H A P T E R 16 Managing Authentication Policies 16-1

Understanding Authentication Policies 16-1Authentication Type, Protocols, and Databases 16-2Authentication Policy Terminology 16-3Simple Authentication Policies 16-4Rule-Based Authentication Policies 16-5

Protocol Settings 16-10Configuring EAP-FAST Settings 16-10Generating the PAC for EAP-FAST 16-11Configuring EAP-TLS Settings 16-12Configuring PEAP Settings 16-12

Network Access Service 16-13xiCisco Identity Services Engine User Guide, Release 1.1.x

OL-26134-01

Allowed Protocols 16-13

Contents

Defining Allowed Protocols 16-14Deleting Allowed Protocols 16-21

Proxy Service 16-21Defining an External RADIUS Server 16-22Creating RADIUS Servers 16-23Editing RADIUS Servers 16-24Deleting RADIUS Servers 16-25Defining a RADIUS Server Sequence 16-25Creating, Editing, and Duplicating RADIUS Server Sequences 16-25

Configuring the Simple Authentication Policy 16-27Configuring a Simple Policy Using RADIUS Server Sequence 16-29

Configuring the Rule-Based Authentication Policy 16-30Understanding the Authentication Policy User Interface Elements 16-30Simple Conditions 16-32

Creating Simple Conditions 16-32Deleting Simple Conditions 16-33

Compound Conditions 16-34Creating Compound Conditions 16-34Deleting Compound Conditions 16-36

Creating a Rule-Based Authentication Policy 16-37

Authentication Policy Built-In Configurations 16-39

Viewing Authentication Results 16-42

C H A P T E R 17 Managing Authorization Policies and Profiles 17-1

Understanding Authorization Policies 17-1Understanding Authorization Policy Terminology 17-2

Cisco ISE Authorization Policies and Profiles 17-5Authorization Policy Page 17-5Authorization Policies and Supported Dictionaries 17-8Authorization Profile Page 17-8Authorization Policy and Profile Guidelines 17-9Authorization Policy and Profile User Interface 17-10

Authorization Policy, Rule, and Profile Configuration Defaults 17-10

Configuring Authorization Policies 17-14

Configuring Policy Elements Conditions 17-17Simple Conditions 17-18Compound Conditions 17-18

Configuring Authorization Policy Conditions 17-19xiiCisco Identity Services Engine User Guide, Release 1.1.x

OL-26134-01

Configuring Time and Date Conditions 17-24

Contents

Configuring Permissions for Authorization Profiles 17-28

Configuring Permissions for Downloadable ACLs 17-34Configuring DACLs 17-34

Configuring Policies for SGACLs 17-37

Machine Access Restriction and Active Directory Users 17-37

C H A P T E R 18 Configuring Endpoint Profiling Policies 18-1

Profiling Service in Cisco ISE 18-2

Understanding the Profiling Service 18-2Endpoint Profiling 18-3Licenses for the Profiling Service 18-4Deploying the Profiling Service 18-4

Configuring the Profiling Service in Cisco ISE 18-6Profiled Endpoints Dashlet 18-7Viewing Profiler Reports 18-8

Change of Authorization 18-9CoA Exemptions 18-10CoA Global Configuration 18-12

Configuring the Probes 18-13

Filtering Endpoint Attributes 18-14Global Setting for Endpoint Attribute Filter 18-15Configuring Endpoint Attribute Filter 18-16Configuring the NetFlow Probe 18-17Configuring the DHCP Probe 18-19Configuring the DHCP SPAN Probe 18-21Configuring the HTTP Probe 18-21Configuring the RADIUS Probe 18-22Configuring the Network Scan (NMAP) Probe 18-23

A Network Scan 18-24Latest Network Scan Results 18-25

Configuring the DNS Probe 18-25Configuring the SNMP Query Probe 18-28

CDP Attributes Collection 18-28LLDP Attributes Collection 18-29LLDP-MIB (v1) 18-30

Configuring the SNMP Trap Probe 18-31Simple Network Management Protocol 18-32

Endpoint Profiling Policies 18-37xiiiCisco Identity Services Engine User Guide, Release 1.1.x

OL-26134-01

Filtering, Creating, Editing, Duplicating, Importing, and Exporting Endpoint Profiling Policies 18-39

Contents

Filtering Endpoint Policies 18-40Creating an Endpoint Profiling Policy 18-42A Quick Reference to Creating a New Endpoint Profiling Policy in Cisco ISE 18-46Draeger Medical Devices 18-51Editing an Endpoint Profiling Policy 18-52Deleting an Endpoint Profiling Policy 18-52Duplicating an Endpoint Profiling Policy 18-53Exporting Endpoint Profiling Policies 18-54Importing Endpoint Profiling Policies 18-54

Endpoint Profiling 18-55Filtering, Creating, Editing, and Deleting a Profiling Condition 18-55

Filtering Conditions 18-55Creating a Profiling Condition 18-57Editing a Profiling Condition 18-59Deleting a Profiling Condition 18-59

Profiling Results 18-59

Profiling Exception Actions 18-60Filtering, Creating, Editing, and Deleting a Profiling Exception Action 18-61

Filtering Exception Actions 18-61Creating an Exception Action 18-63Editing an Exception Action 18-64Deleting an Exception Action 18-65

Profiling Network Scan Actions 18-65Filtering, Creating, Editing, and Deleting a Profiling Network Scan Action 18-66

Filtering Network Scan Actions 18-66Creating a Network Scan Action 18-68Editing a Network Scan Action 18-70Deleting a Network Scan Action 18-71

Endpoint Profiling by Integrating Network Mapper in Cisco ISE 18-71

Endpoint Scan 18-72

Endpoint Profiling by Using an IOS Sensor on a Network Access Device 18-73Integrating an IOS Sensor with Cisco ISE 18-73

An IOS Sensor and Analyzers 18-74Endpoint Profiling in Cisco ISE with an IOS Sensor Enabled on NADs 18-75Auto Smartports Configuration in Cisco ISE 18-76macro auto execute 18-77RADIUS Accounting Reports 18-78

Excluding Static Endpoints in Advanced Licenses 18-78xivCisco Identity Services Engine User Guide, Release 1.1.x

OL-26134-01

IP Address and MAC Address Binding in Cisco ISE 18-79

Contents

Integrating Cisco ISE with Cisco Network Admission Control Appliance 18-79Configuring Cisco Clean Access Managers in Cisco ISE 18-80Filtering, Adding, Editing, and Deleting Clean Access Managers in Cisco ISE 18-81

Filtering Cisco Clean Access Managers in Cisco ISE 18-82Adding Cisco Clean Access Managers to Cisco ISE 18-84Editing Cisco Clean Access Managers in Cisco ISE 18-84Deleting Cisco Clean Access Managers in Cisco ISE 18-85

C H A P T E R 19 Configuring Client Provisioning Policies 19-1

Client Provisioning Overview 19-1Cisco ISE Agents 19-2

Cisco NAC Agent for Windows Clients 19-2Cisco NAC Agent for Macintosh Clients 19-2Cisco NAC Web Agent 19-3

Agent and Client Machine Operating System Compatibility 19-3

Adding and Removing Agents and Other Resources 19-3Viewing and Displaying Client Provisioning Resources 19-4Adding Client Provisioning Resources to Cisco ISE 19-5

Adding Client Provisioning Resources from a Remote Source 19-5Adding Client Provisioning Resources from a Local Machine 19-6

Creating Agent Profiles 19-12Creating Windows Agent Profiles in Cisco ISE 19-12Creating Mac OS X Agent Profiles in Cisco ISE 19-14Modifying Windows and Mac OS X Agent Profiles in Cisco ISE 19-15Agent Profile Parameters and Applicable Values 19-16Creating Native Supplicant Profiles 19-24

Deleting Client Provisioning Resources 19-26Provisioning Client Machines with the Cisco NAC Agent MSI Installer 19-26

Setting Up Global Client Provisioning Functions 19-28Enabling and Disabling the Client Provisioning Service 19-28Downloading Client Provisioning Resources Automatically 19-29Configuring Personal Device Registration Behavior 19-30

Configuring Client Provisioning Resource Policies 19-31

Client-side Agent Installation and LoginCisco NAC Agent 19-33

Accessing the Network and Registering Personal Devices 19-39Logging In Via Standard Native Supplicant Provisioning 19-39

Accessing the Network with an iPhone or iPad 19-41Accessing the Network with an Android Device 19-44xvCisco Identity Services Engine User Guide, Release 1.1.x

OL-26134-01

Logging In Without Supplicant Provisioning 19-47

Contents

Viewing Client Provisioning Reports and Events 19-48Viewing Client Provisioning Reports in Cisco ISE 19-48Viewing Client Provisioning Event Logs in Cisco ISE 19-52

C H A P T E R 20 Configuring Client Posture Policies 20-1

Posture Service 20-2Understanding the Posture Service 20-3Posture and Client Provisioning Services 20-4

Posture and Client Provisioning Policies Flow 20-5Licenses for the Posture Service 20-5Deploying the Posture Service 20-6

Configuring the Posture Service in Cisco ISE 20-6Posture Compliance Dashlet 20-8Viewing Posture Reports 20-8

Posture Administration Settings in Cisco ISE 20-9Posture General Settings 20-10Posture Reassessments 20-12

Initiating and Requesting a PRA 20-13PRA Failure Actions 20-13User Identity Group (Role) Assignment 20-14PRA Report Tracking and Enforcement 20-15PRA Enforcement During Distributed System Failure 20-15

Configuring Client Posture Periodic Reassessments 20-15Posture Updates 20-22Dynamic Posture Updates 20-22Offline Posture Updates 20-24Posture Acceptable Use Policy 20-25Configuring Acceptable Use Policies 20-26

Client Posture Assessments in Cisco ISE 20-32

Client Posture Assessment Policies 20-33Simplified Posture Policy Configuration 20-34Creating, Duplicating, and Deleting Client Posture Policies 20-35

Creating a New Posture Policy 20-36Duplicating a Posture Policy 20-40Deleting a Posture Policy 20-40

Posture Assessment and Remediation Options in Cisco ISE 20-41

Custom Conditions for Posture 20-42

File Conditions 20-44xviCisco Identity Services Engine User Guide, Release 1.1.x

OL-26134-01

Configuring File Conditions 20-44

Contents

Viewing File Conditions 20-44Creating, Duplicating, Editing, and Deleting a File Condition of FileExistence Type 20-45Creating, Duplicating, Editing, and Deleting a File Condition of FileDate Type 20-48Creating, Duplicating, Editing, and Deleting a File Condition of FileVersion Type 20-51Filtering File Conditions 20-53

Registry Conditions 20-56

Configuring Registry Conditions 20-56Viewing Registry Conditions 20-57Creating, Duplicating, Editing, and Deleting a Registry Condition of RegistryKey Type 20-57Creating, Duplicating, Editing, and Deleting a Registry Condition of RegistryValue Type 20-60Creating, Duplicating, Editing, and Deleting a Registry Condition of RegistryValueDefault Type 20-63Filtering Registry Conditions 20-66

Application Conditions 20-68

Configuring Application Conditions 20-69Viewing Application Conditions 20-69Creating, Duplicating, Editing, and Deleting an Application Condition 20-69Filtering Application Conditions 20-71

Service Conditions 20-74

Configuring Service Conditions 20-75Viewing Service Conditions 20-75Creating, Duplicating, Editing, and Deleting a Service Condition 20-75Filtering Service Conditions 20-77

Compound Conditions 20-80

Configuring Compound Conditions 20-80Viewing Compound Conditions 20-80Creating, Duplicating, Editing, and Deleting a Compound Condition 20-81Filtering Compound Conditions 20-84

Antivirus and Antispyware Compound Conditions 20-86

Antivirus Compound Conditions 20-88

Configuring Antivirus Compound Conditions 20-88Creating, Duplicating, Editing, and Deleting an Antivirus Compound Condition 20-89Filtering Antivirus Compound Conditions 20-92

Antispyware Compound Conditions 20-94

Configuring Antispyware Compound Conditions 20-95Creating, Duplicating, Editing, and Deleting an Antispyware Compound Condition 20-95Filtering Antispyware Compound Conditions 20-98xviiCisco Identity Services Engine User Guide, Release 1.1.x

OL-26134-01

Dictionary Simple Conditions 20-100

Contents

Configuring Dictionary Simple Conditions 20-100Creating, Duplicating, Editing, and Deleting a Dictionary Simple Condition 20-100Filtering Dictionary Simple Conditions 20-103

Dictionary Compound Conditions 20-105Configuring Dictionary Compound Conditions 20-105Creating, Duplicating, Editing, and Deleting a Dictionary Compound Condition 20-105Filtering Dictionary Compound Conditions 20-109

Posture Results 20-112

Custom Posture Remediation Actions 20-113

Configuring Custom Posture Remediation Actions 20-114

File Remediation 20-115

Viewing, Adding, and Deleting a File Remediation 20-115Filtering File Remediations 20-117

Link Remediation 20-119

Adding, Duplicating, Editing, and Deleting a Link Remediation 20-119Filtering Link Remediations 20-121

Antivirus Remediation 20-123

Adding, Duplicating, Editing, and Deleting an Antivirus Remediation 20-124Filtering Antivirus Remediations 20-126

Antispyware Remediation 20-128

Adding, Duplicating, Editing, and Deleting an Antispyware Remediation 20-128Filtering Antispyware Remediations 20-131

Launch Program Remediation 20-133

Adding, Duplicating, Editing, and Deleting a Launch Program Remediation 20-133Filtering Launch Program Remediations 20-136

Windows Update Remediation 20-138

Adding, Duplicating, Editing, and Deleting a Windows Update Remediation 20-139Filtering Windows Update Remediations 20-142

Windows Server Update Services Remediation 20-145

Adding, Duplicating, Editing, and Deleting a Windows Server Update Services Remediation 20-145Filtering Windows Server Update Services Remediations 20-149

Client Posture Assessment Requirements 20-151Creating, Duplicating, and Deleting Client Posture Requirements 20-153

Creating a New Posture Requirement 20-153Duplicating a Posture Requirement 20-157Deleting a Posture Requirement 20-157xviiiCisco Identity Services Engine User Guide, Release 1.1.x

OL-26134-01

Custom Authorization Policies for Posture 20-157

Contents

Standard Authorization Policies for a Posture 20-158Creating, Duplicating, and Deleting a Standard Authorization Policy for a Posture 20-159

Custom Permissions for Posture 20-163

C H A P T E R 21 User Access Management 21-1

Overview 21-2

Guest Services Functionality 21-2NAD with Central WebAuth 21-3Wireless LAN Controller with Local WebAuth 21-4Wired NAD with Local WebAuth 21-5Device Registration WebAuth 21-8Cisco ISE Guest Service Components 21-11

Cisco ISE Guest Service Default Portals 21-11

Guest Licensing 21-12

Guest High Availability and Replication 21-13

Guest Service Control 21-14

Operating System and Browser Support 21-14

Configuring Guest Policy Conditions 21-14Simple Conditions 21-14

Creating Simple Conditions 21-15Compound Conditions 21-15

Creating Compound Conditions 21-16

Sponsor Group Policy 21-16Creating a New Sponsor Group Policy 21-17

Sponsor Groups 21-20Creating and Editing Sponsor Groups 21-21Deleting the Sponsor Group 21-22

Mapping Active Directory Groups to Sponsor Groups 21-23

Creating and Testing Sponsor User to Access the Sponsor Portal 21-24

Creating Guest Users 21-25

SMTP Server Settings for E-mail Notifications 21-25

General Settings 21-26Setting Ports for the Sponsor and Guest Portals 21-26Purging Guest User Records 21-27

Sponsor Settings 21-28Specifying an Authentication Source 21-28Specifying a Simple URL for Sponsor Portal Access 21-29xixCisco Identity Services Engine User Guide, Release 1.1.x

OL-26134-01

Creating a Custom Portal Theme 21-29

Contents

Applying Language Templates 21-32Internationalization and Localization 21-33Configuring Sponsor Language Templates 21-35Configuring a Template to Create a Single Guest Account 21-38Configuring a Template for Guest Notification 21-39

Guest Settings 21-43Configuring the Details Policy 21-43Configuring Guest Language Templates 21-45Multi-Portal Configurations 21-47

Hosting Multiple Portals 21-48Sample HTML Code for Creating Portal Pages 21-52

Configuring Guest Portal Policy 21-67Configuring Guest Password Policy 21-68Time Profiles 21-69

Adding, Editing, or Duplicating Time Profiles 21-69Deleting Time Profiles 21-71

Configuring Guest Username Policy 21-71

Monitoring Sponsor and Guest Activity 21-72

Audit Logging 21-73

C H A P T E R 22 Device Access Management 22-1

Overview 22-1

Configuring the My Devices Portal 22-2General Settings 22-3

Customizing the Portal Theme 22-3Setting Ports for the My Devices Portal 22-5Specifying a Simple URL for the My Devices Portal 22-5

My Devices Portal Settings 22-6Authentication Sequence 22-6Language Templates 22-7Portal Configuration 22-10

Using the My Devices Portal 22-11Connecting to the My Devices Portal 22-11Registering, Editing, Reinstating, and Deleting a New Device 22-12

Managing Devices Added to the My Devices Portal 22-14Displaying Devices Added by Employees 22-15Registered Endpoints Report 22-15xxCisco Identity Services Engine User Guide, Release 1.1.x

OL-26134-01

Contents

C H A P T E R 23 Configuring Cisco Security Group Access Policies 23-1

Understanding the SGA Architecture 23-1SGA Features and Terminology 23-2SGA Requirements 23-4

Configuring Cisco ISE to Enable the SGA Solution 23-5Configuring SGA Settings on the Switches 23-6Configuring SGA Devices 23-6Configuring Security Group Access Settings 23-8Configuring Security Group Access AAA Servers 23-9

Adding and Editing Security Group Access AAA Servers 23-10Configuring Security Groups 23-11

Adding and Editing Security Groups 23-11Configuring Security Group Access Control Lists 23-12

Adding and Editing Security Group Access Control Lists 23-13Mapping Security Groups to Devices 23-14

Adding and Editing Security Group Mappings 23-15Configuring SGA Policy by Assigning SGTs to Devices 23-16

Assigning Security Groups to Users and End Points 23-18

Egress Policy 23-18Viewing the Egress Policy 23-19

Source Tree 23-20Destination Tree 23-20Matrix View 23-20

Sorting and Filtering Egress Policy Table 23-22Quick Filter 23-23Advanced Filter 23-23Presetting Filters 23-25

Configuring Egress Policy Table Cells 23-25Adding and Editing the Mapping of Egress Policy Cells 23-25Editing the Default Policy 23-26Deleting a Mapping of a Cell 23-27

Configuring SGT and SGACL from Egress Policy 23-27Push Button 23-28Monitor Mode 23-28

Monitoring the Monitor Mode 23-28The Unknown Security Group 23-30Default Policy 23-30

OOB SGA PAC 23-31xxiCisco Identity Services Engine User Guide, Release 1.1.x

OL-26134-01

SGA PAC Provisioning 23-31

Contents

Generating an SGA PAC from the Settings Screen 23-31Generating an SGA PAC from the Network Devices Screen 23-32Generating an SGA PAC from the Network Devices List Screen 23-33

Monitoring SGA PAC 23-33PAC Provisioning Report 23-33

SGA CoA 23-34CoA Supported Network Devices 23-34Environment CoA 23-35

Initiating Environment CoA 23-36Per Policy CoA 23-37

Update RBACL Named List CoA 23-37Update SGT Matrix CoA 23-38Policies Update CoA 23-39

SGA CoA Summary 23-40Monitoring SGA CoA 23-40

SGA CoA Alarms 23-41SGA CoA Report 23-41

P A R T 4 Monitoring and Troubleshooting Cisco ISE

C H A P T E R 24 Monitoring and Troubleshooting 24-1

Understanding Monitoring and Troubleshooting 24-1User Roles and Permissions 24-2Monitoring and Troubleshooting Database 24-3

Configuring Devices for Monitoring 24-3

Cisco ISE Dashboard Monitoring 24-3Dashlets 24-4Metric Meters 24-9

Monitoring the Network 24-10Monitoring Network Process Status 24-10Managing Alarms 24-11

Understanding Alarms 24-11Viewing, Editing, and Resolving Alarms 24-13Viewing and Filtering Alarm Schedules 24-14Creating, Editing, and Deleting Alarm Schedules 24-15Creating, Assigning, Disabling, and Deleting Alarm Rules 24-16

Available Alarm Rules 24-18Passed Authentication 24-19xxiiCisco Identity Services Engine User Guide, Release 1.1.x

OL-26134-01

Failed Authentication 24-19

Contents

Authentication Inactivity 24-20ISE Configuration Changes 24-20ISE System Diagnostics 24-21ISE Process Status 24-21ISE Health System 24-21ISE AAA Health 24-22Authenticated But No Accounting Start 24-22Unknown NAD 24-22External DB Unavailable 24-23RBACL Drops 24-24NAD-Reported AAA Down 24-24

Monitoring Live Authentications 24-25Monitoring Guest Activity 24-27Monitoring Data Collections 24-28

Troubleshooting the Network 24-29Viewing and Editing Failure Reasons 24-29Troubleshooting Network Access 24-29Performing Connectivity Tests 24-30Using Diagnostic Troubleshooting Tools 24-31

Troubleshooting RADIUS Authentications 24-31Executing a Network Device Command 24-32Evaluating a Network Device Configuration 24-33Troubleshooting Posture Data 24-34Troubleshooting with TCP Dump 24-35Comparing SGACL Policies 24-37Comparing SXP-IP Mappings 24-37Comparing IP-SGT Pairs 24-38Comparing SGT Devices 24-39

Obtaining Additional Troubleshooting Information 24-40Downloading Support Bundles 24-40

Support Bundle in Cisco ISE 24-43Downloading Debug Logs 24-47

Monitoring Administration 24-49Backing Up and Restoring the Monitoring Database 24-49

Configuring Data Purging 24-50Scheduling Full and Incremental Backups 24-53Performing On-Demand Backups 24-55Restoring the Monitoring Database 24-56xxiiiCisco Identity Services Engine User Guide, Release 1.1.x

OL-26134-01

Viewing Log Collections 24-58

Contents

Specifying Email Settings 24-58Configuring System Alarm Settings 24-58Configuring Alarm Syslog Targets 24-59

C H A P T E R 25 Reporting 25-1

Report Basics 25-1Understanding Reports View and Interactive Viewer 25-2Running, Viewing, and Navigating Reports 25-3Exporting and Printing Reports 25-4Deleting Reports 25-5

Catalog Reports 25-5Accessing Catalog Reports 25-6Customizing Catalog Reports 25-6Restoring Default Report Settings 25-7

Favorite Reports 25-8Adding Favorite Reports 25-8Viewing Report Parameters 25-9Editing or Deleting Favorite Reports 25-9

Shared Reports 25-10

System Reports 25-10

Organizing and Formatting Report Data 25-11Working with the Interactive Viewer Toolbar 25-12Grouping, Sorting, and Hiding Data 25-12

Grouping Data 25-13Sorting Data 25-14Hiding and Displaying Report Items 25-15Hiding and Displaying Column Data 25-16

Changing Column Layouts 25-17Creating Report Calculations 25-20Filtering Report Data 25-23Working with Aggregate Data 25-27Working with Charts 25-28Formatting Reports 25-31

Editing and Formatting Labels 25-31Formatting Data Types 25-32Applying Conditional Formats 25-35Setting and Removing Page Breaks 25-36

Saving Customized Reports 25-38xxivCisco Identity Services Engine User Guide, Release 1.1.x

OL-26134-01

Working with Active RADIUS Sessions 25-38

Contents

Available Reports 25-41

P A R T 5 Reference

A P P E N D I X A User Interface Reference A-1

Operations A-1Authentications A-1Alarms A-3

Alarms Inbox A-3Rules A-5Schedules A-14

Reports A-15Catalog A-15Favorites A-23Report Context Menus A-24Data Formatting A-26Filters A-38

Troubleshoot A-40General Tools A-40Security Group Access Tools A-47

Policy A-54Authentication A-54

Administration A-58System > Settings > Monitoring A-58

Alarm Syslog Targets A-59Email Settings A-59Failure Reasons Editor A-59System Alarm Settings A-60

System > Maintenance > Data Management > Monitoring Node A-61Full Backup On Demand A-61Scheduled Backup A-62Data Purging A-62Data Restore A-63

A P P E N D I X B Network Access Flows B-1

Network Access Use Cases B-2RADIUS-Based Protocols Without EAP B-2

Password Authentication Protocol B-3xxvCisco Identity Services Engine User Guide, Release 1.1.x

OL-26134-01

Challenge Handshake Authentication Protocol B-4

Contents

Microsoft Challenge Handshake Authentication Protocol Version 1 B-4Microsoft Challenge Handshake Authentication Protocol Version 2 B-4

RADIUS-Based EAP Protocols B-5Extensible Authentication Protocol-Message Digest 5 B-6Lightweight Extensible Authentication Protocol B-6Protected Extensible Authentication Protocol B-6Extensible Authentication Protocol-Flexible Authentication via Secure Tunneling B-8

A P P E N D I X C Switch and Wireless LAN Controller Configuration Required to Support Cisco ISE Functions C-1

Enable Your Switch to Support Standard Web Authentication C-2

Define a Local Username and Password for Synthetic RADIUS Transactions C-2

Set the NTP Server to Ensure Accurate Log and Accounting Timestamps C-2

Enable AAA Functions C-3

RADIUS Server Configuration C-3

Configure Switch to Send RADIUS Accounting Start/Stop to Inline Posture Nodes C-4

Enable RADIUS Change of Authorization (CoA) C-4

Enable Device Tracking and DHCP Snooping C-4

Enable 802.1X Port-Based Authentication C-4

Use EAP for Critical Authentications C-4

Throttle AAA Requests Using Recovery Delay C-5

Define VLANs Based on Enforcement States C-5

Define Local (Default) ACLs on the Switch C-5

Enable Cisco Security Group Access Switch Ports C-6

Send Syslog Messages to Cisco ISE C-8

Enable EPM Logging C-8

Enable SNMP Traps C-8

Enable SNMP v3 Query for Profiling C-8

Enable MAC Notification Traps for Profiler to Collect C-9

Set the logging source-interface for ISE Monitoring C-9

Configure NADs for ISE Monitoring C-10

Configure the RADIUS Idle-Timeout C-10

Set Up Wireless LAN Controller for iOS Supplicant Provisioning C-11

FIPS Support on Wireless LAN Controller with Inline Posture Node C-11

A P P E N D I X D Troubleshooting Cisco ISE D-1

Installation and Network Connection Issues D-2xxviCisco Identity Services Engine User Guide, Release 1.1.x

OL-26134-01

Contents

Unknown Network Device D-3CoA Not Initiating on Client Machine D-3Users Are Assigned to Incorrect VLAN During Network Access Sessions D-3Client Machine URL Redirection Function Not Working D-4Cisco ISE Profiler is Not Able to Collect Data for Endpoints D-5RADIUS Accounting Packets (Attributes) Not Coming from Switch D-5Policy Service ISE Node Not Passing Traffic D-6Registered Nodes in Cisco ISE-Managed List Following Standalone Reinstallation D-7Primary and Secondary Inline Posture Nodes Heartbeat Link Not Working D-7

Licensing and Administrator Access D-8Certificate Expired D-8

Configuration and Operation (Including High Availability) D-9Client Machines Are Unable to Authenticate D-9Users Are Not Appropriately Redirected to URL D-9Cannot Download Remote Client Provisioning Resources D-10Lost Monitoring and Troubleshooting Data After Registering Policy Service ISE Node to Administration ISE Node D-10Cisco ISE Monitoring Dashlets Not Visible with Internet Explorer 8 D-11Data Out of Sync Between Primary And Secondary ISE Nodes D-11

External Authentication Sources D-12User Authentication Failed D-12Missing User for RADIUS-Server Test Username in Cisco ISE Identities D-12Connectivity Issues Between the Network Access Device (Switch) and Cisco ISE D-13Active Directory Disconnected D-13Cisco ISE Node Not Authenticating with Active Directory D-14RADIUS Server Error Message Entries Appearing in Cisco ISE D-14RADIUS Server Connectivity Issues (No Error Message Entries Appearing in Cisco ISE) D-15

Client Access, Authentication, and Authorization D-17Cannot Authenticate on Profiled Endpoint D-17Quarantined Endpoints Do Not Renew Authentication Following Policy Change D-18Endpoint Does Not Align to the Expected Profile D-19User is Unable to Authenticate Against the Local Cisco ISE Identity Store D-19Certificate-Based User Authentication via Supplicant Failing D-20802.1X Authentication Fails D-21Users Are Reporting Unexpected Network Access Issues D-22Authorization Policy Not Working D-23Switch is Dropping Active AAA Sessions D-24URL Redirection on Client Machine Fails D-24Agent Download Issues on Client Machine D-26xxviiCisco Identity Services Engine User Guide, Release 1.1.x

OL-26134-01

Contents

Agent Login Dialog Not Appearing D-27Agent Fails to Initiate Posture Assessment D-27Agent Displays Temporary Access D-28Cisco ISE Does Not Issue CoA Following Authentication D-28

Error Messages D-29ACTIVE_DIRECTORY_USER_INVALID_CREDENTIALS D-29ACTIVE_DIRECTORY_USER_AUTH_FAILED D-29ACTIVE_DIRECTORY_USER_PASSWORD_EXPIRED D-30ACTIVE_DIRECTORY_USER_WRONG_PASSWORD D-30ACTIVE_DIRECTORY_USER_ACCOUNT_DISABLED D-30ACTIVE_DIRECTORY_USER_RESTRICTED_LOGON_HOURS D-30ACTIVE_DIRECTORY_USER_NON_COMPLIANT_PASSWORD D-30ACTIVE_DIRECTORY_USER_UNKNOWN_DOMAIN D-31ACTIVE_DIRECTORY_USER_ACCOUNT_EXPIRED D-31ACTIVE_DIRECTORY_USER_ACCOUNT_LOCKED_OUT D-31ACTIVE_DIRECTORY_GROUP_RETRIEVAL_FAILED D-31ACTIVE_DIRECTORY_MACHINE_AUTHENTICATION_DISABLED D-31ACTIVE_DIRECTORY_ATTRIBUTE_RETRIEVAL_FAILED D-32ACTIVE_DIRECTORY_PASSWORD_CHANGE_DISABLED D-32ACTIVE_DIRECTORY_USER_UNKNOWN D-32ACTIVE_DIRECTORY_CONNECTION_FAILED D-32ACTIVE_DIRECTORY_BAD_PARAMETER D-32ACTIVE_DIRECTORY_TIMEOUT D-33

Troubleshooting APIs D-33

Contacting the Cisco Technical Assistance Center D-34

G L O S S A R Y

I N D E XxxviiiCisco Identity Services Engine User Guide, Release 1.1.x

OL-26134-01

Preface

Revised: December 2012, OL-26134-01

This preface introduces the Cisco Identity Services Engine User Guide, Release 1.1.x and contains the following sections:

Audience, page xxix Document Organization Map, page xxx Document Conventions, page xxxi Documentation Updates, page xxxii Related Documentation, page xxxii Notices, page xxxiv

Obtaining Documentation and Submitting a Service Request, page xxxvi

AudienceThis guide is written for network security administrators who are responsible for setting up and maintaining network and application security. This guide assumes that you have a working knowledge of networking principles and applications, and have experience as a network system administrator.xxixCisco Identity Services Engine User Guide, Release 1.1.x

OL-26134-01

Preface Document Organization MapThe topics in this guide are grouped into introduction, functional tasks, and reference categories, and are organized in the following way:

Part Chapter

Part 1: Introducing Cisco ISE

Overview of Cisco ISEUnderstanding the User Interface

Part 2: Administering Cisco ISE

Cisco ISE Task NavigatorManaging Identities and Admin AccessManaging External Identity SourcesManaging Network DevicesManaging ResourcesAdministering Cisco ISESetting Up Cisco ISE in a Distributed EnvironmentSetting Up Inline PostureSetting Up Endpoint Protection ServicesManaging LicensesManaging CertificatesLoggingManaging Cisco Cisco ISE Backup and Restore Operations

Part 3: Managing Cisco ISE Policy Models

Managing Authentication PoliciesManaging Authorization Policies and ProfilesConfiguring Endpoint Profiling PoliciesConfiguring Client Provisioning PoliciesConfiguring Client Posture PoliciesUser Access ManagementDevice Access ManagementConfiguring Cisco Security Group Access Policies

Part 4: Monitoring and Troubleshooting Cisco ISE

Monitoring and TroubleshootingReportingxxxCisco Identity Services Engine User Guide, Release 1.1.x

OL-26134-01

PrefaceNote Cisco sometimes updates the printed and electronic documentation after original publication. Therefore, you should also review the documentation on Cisco.com for any updates.

Document ConventionsThe symbol ^ represents the key labeled Control. For example, the key combination ^z means Hold down the Control key while you press the z key.Command descriptions use these conventions:1. Option > Option: Used to select a series of menu options.2. Variables for which you must supply a value are shown in italic font.3. Examples that contain system prompts denote interactive sessions and indicate the commands that

you should enter at the prompt. The system prompt indicates the current level of the EXEC command interpreter. For example, the prompt Router> indicates that you should be at the user level, and the prompt Router# indicates that you should be at the privileged level. Access to the privileged level usually requires a password.

Examples use these conventions: Terminal sessions and sample console screen displays are in screen font. Information you enter is in boldface screen font. Commands and keywords are in boldface font. Arguments for which you supply values are in italic font. Elements in square brackets ([ ]) are optional. Alternative keywords from which you must choose one are grouped in braces ({}) and separated by

vertical bars (|). Nonprinting characters, such as passwords, are in angle brackets (< >). Default responses to system prompts are in square brackets ([]). An exclamation point (!) at the beginning of a line indicates a comment line.

Caution Means reader be careful. You are capable of doing something that might result in equipment damage or loss of data.

Part 5: Reference

Appendix A, User Interface ReferenceAppendix B, Network Access FlowsAppendix C, Switch and Wireless LAN Controller Configuration Required to Support Cisco ISE FunctionsAppendix D, Troubleshooting Cisco ISEGlossary

Part ChapterxxxiCisco Identity Services Engine User Guide, Release 1.1.x

OL-26134-01

Preface Timesaver Means the described action saves time. You can save time by performing the action described in the paragraph.

Note Means reader take note. Notes identify important information that you should think about before continuing, contain helpful suggestions, or provide references to materials not contained in the document.

Documentation UpdatesTable 1 lists the creation and update history of this guide.

Related DocumentationThis section provides lists of the following types of documents that are relevant to this release of Cisco ISE and contains the following topics:

Release-Specific Documents, page xxxii Platform-Specific Documents, page xxxiii

Release-Specific DocumentsTable 2 lists the product documentation available for the Cisco ISE release. General product information for Cisco ISE is available at http://www.cisco.com/go/ise. End-user documentation is available on Cisco.com at http://www.cisco.com/en/US/products/ps11640/tsd_products_support_series_home.html.

Table 1 Updates to Cisco Identity Services Engine User Guide, Release 1.1.x

Date Description

10/31/12 Cisco Identity Services Engine, Release 1.1.29/27/12 Resolved defects CSCub55838, CSCub69080, CSCuc14822, CSCuc14863,

CSCuc149268/31/12 Resolved defects CSCua12292, CSCub543098/16/12 Resolved defects CSCtz86916, CSCub05495, and CSCub539237/10/12 Cisco Identity Services Engine, Release 1.1.1

Table 2 Product Documentation for Cisco Identity Services Engine

Document Title Location

Release Notes for the Cisco Identity Services Engine, Release 1.1.x

http://www.cisco.com/en/US/products/ps11640/prod_release_notes_list.html

Cisco Identity Services Engine Network Component Compatibility, Release 1.1.x

http://www.cisco.com/en/US/products/ps11640/products_device_support_tables_list.htmlxxxiiCisco Identity Services Engine User Guide, Release 1.1.x

OL-26134-01

PrefacePlatform-Specific DocumentsThis section provides useful links to platform-specific documents. Policy Management Business Unit documentation are available on www.cisco.com at the following URLs:

Cisco ISEhttp://www.cisco.com/en/US/products/ps11640/prod_installation_guides_list.html

Cisco Secure ACShttp://www.cisco.com/en/US/products/ps9911/tsd_products_support_series_home.html

Cisco NAC Appliancehttp://www.cisco.com/en/US/products/ps6128/tsd_products_support_series_home.html

Cisco NAC Profilerhttp://www.cisco.com/en/US/products/ps8464/tsd_products_support_series_home.html

Cisco NAC Guest Serverhttp://www.cisco.com/en/US/products/ps10160/tsd_products_support_series_home.html

Cisco Identity Services Engine User Guide, Release 1.1.x

http://www.cisco.com/en/US/products/ps11640/products_user_guide_list.html

Cisco Identity Services Engine Hardware Installation Guide, Release 1.1.x

http://www.cisco.com/en/US/products/ps11640/prod_installation_guides_list.html

Cisco Identity Services Engine Upgrade Guide, Release 1.1.x

http://www.cisco.com/en/US/products/ps11640/prod_installation_guides_list.html

Cisco Identity Services Engine Migration Guide for Cisco Secure ACS 5.1 and 5.2, Release 1.1.x

http://www.cisco.com/en/US/products/ps11640/prod_installation_guides_list.html

Cisco Identity Services Engine Sponsor Portal User Guide, Release 1.1.x

http://www.cisco.com/en/US/products/ps11640/products_user_guide_list.html

Cisco Identity Services Engine CLI Reference Guide, Release 1.1.x

http://www.cisco.com/en/US/products/ps11640/prod_command_reference_list.html

Cisco Identity Services Engine API Reference Guide, Release 1.1.x

http://www.cisco.com/en/US/products/ps11640/prod_command_reference_list.html

Cisco Identity Services Engine Troubleshooting Guide, Release 1.1.x

http://www.cisco.com/en/US/products/ps11640/prod_troubleshooting_guides_list.html

Regulatory Compliance and Safety Information for Cisco Identity Services Engine, Cisco 1121 Secure Access Control System, Cisco NAC Appliance, Cisco NAC Guest Server, and Cisco NAC Profiler

http://www.cisco.com/en/US/products/ps11640/prod_installation_guides_list.html

Cisco Identity Services Engine In-Box Documentation and China RoHS Pointer Card

http://www.cisco.com/en/US/products/ps11640/products_documentation_roadmaps_list.html

Table 2 Product Documentation for Cisco Identity Services Engine (continued)

Document Title LocationxxxiiiCisco Identity Services Engine User Guide, Release 1.1.x

OL-26134-01

Preface NoticesThe notices in this section pertain to this software license.

OpenSSL/Open SSL ProjectThis product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/).This product includes cryptographic software written by Eric Young (eay@cryptsoft.com).This product includes software written by Tim Hudson (tjh@cryptsoft.com).

License Issues

The OpenSSL toolkit stays under a dual license, both the conditions of the OpenSSL License and the original SSLeay license apply to the toolkit. See the following information for the actual license texts. Both licenses are BSD-style Open Source licenses. In case of any license issues related to OpenSSL, please contact openssl-core@openssl.org.

OpenSSL License:

Copyright 1998-2007 The OpenSSL Project. All rights reserved.Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:1. Redistributions of source code must retain the copyright notice, this list of conditions and the

following disclaimer.2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions, and

the following disclaimer in the documentation and/or other materials provided with the distribution.3. All advertising materials mentioning features or use of this software must display the following

acknowledgment: This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/).

4. The names OpenSSL Toolkit and OpenSSL Project must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact openssl-core@openssl.org.

5. Products derived from this software may not be called OpenSSL nor may OpenSSL appear in their names without prior written permission of the OpenSSL Project.

6. Redistributions of any form whatsoever must retain the following acknowledgment:This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/).

THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT AS IS' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT xxxivCisco Identity Services Engine User Guide, Release 1.1.x

OL-26134-01

PrefaceLIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). This product includes software written by Tim Hudson (tjh@cryptsoft.com).

Original SSLeay License:

Copyright 1995-1998 Eric Young (eay@cryptsoft.com). All rights reserved.This package is an SSL implementation written by Eric Young (eay@cryptsoft.com).The implementation was written so as to conform with Netscapes SSL.This library is free for commercial and non-commercial use as long as the following conditions are adhered to. The following conditions apply to all code found in this distribution, be it the RC4, RSA, lhash, DES, etc., code; not just the SSL code. The SSL documentation included with this distribution is covered by the same copyright terms except that the holder is Tim Hudson (tjh@cryptsoft.com).Copyright remains Eric Youngs, and as such any Copyright notices in the code are not to be removed. If this package is used in a product, Eric Young should be given attribution as the author of the parts of the library used. This can be in the form of a textual message at program startup or in documentation (online or textual) provided with the package.Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:1. Redistributions of source code must retain the copyright notice, this list of conditions and the

following disclaimer.2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and

the following disclaimer in the documentation and/or other materials provided with the distribution.3. All advertising materials mentioning features or use of this software must display the following

acknowledgement:This product includes cryptographic software written by Eric Young (eay@cryptsoft.com).The word cryptographic can be left out if the routines from the library being used are not cryptography-related.

4. If you include any Windows specific code (or a derivative thereof) from the apps directory (application code) you must include an acknowledgement: This product includes software written by Tim Hudson (tjh@cryptsoft.com).

THIS SOFTWARE IS PROVIDED BY ERIC YOUNG AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.The license and distribution terms for any publicly available version or derivative of this code cannot be changed. i.e. this code cannot simply be copied and put under another distribution license [including the GNU Public License].xxxvCisco Identity Services Engine User Guide, Release 1.1.x

OL-26134-01

Preface Obtaining Documentation and Submitting a Service RequestFor information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly Whats New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.htmlSubscribe to the Whats New in Cisco Product Documentation as an RSS feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service. Cisco currently supports RSS Version 2.0.xxxviCisco Identity Services Engine User Guide, Release 1.1.x

OL-26134-01

Whats New in This Release

This section describes new features, updates, and changes that have been added to the Cisco Identity Services Engine (ISE) documentation for this release.

New in Cisco Identity Services Engine, Release 1.1.2

New in Cisco Identity Services Engine, Release 1.1.1

Table 1 Updates for the Cisco Identity Services Engine User Guide, Release 1.1.2

Feature Location

Globally configure endpoint attribute filtering

Global Setting for Endpoint Attribute Filter, page 18-15

Table 2 Updates for the Cisco Identity Services Engine User Guide, Release 1.1.1

Feature Location

Client Provisioning Configuring Personal Device Registration Behavior, page 19-30 Creating Native Supplicant Profiles, page 19-24 Simple Certificate Enrollment Protocol Profiles, page 13-25 Device Registration, page 3-15

Guest Wireless LAN Controller with Local WebAuth, page 21-4Profiling Change of Authorization, page 18-9My Devices Portal Chapter 22, Device Access ManagementRADIUS Proxy Attribute Creating, Editing, and Duplicating RADIUS Server Sequences,

page 16-25EAP Chaining Defining Allowed Protocols, page 16-14xxxviiCisco Identity Services Engine User Guide, Release 1.1.x

OL-26134-01

Related Documentation General product information for Cisco ISE is available at http://www.cisco.com/go/ise.

Reports Supplicant Provisioning Requests, page 19-51 Registered Endpoints Report, page 22-15

Whats New in This Release End-user documentation is available on Cisco.com at http://www.cisco.com/en/US/products/ps11640/tsd_products_support_series_home.html.xxxviiiCisco Identity Services Engine User Guide, Release 1.1.x

OL-26134-01

P A R T 1

Introducing Cisco ISE

CiscoOL-26134-01

Cisco ISE determines whether users are accessing the network on an authorized, policy-compliant device.

Cisco ISE establishes user identity, location, aand reporting.

Cisco ISE assigns services based on the assiglocation, device type, and so on).nd access history, which can be used for compliance

ned user role, group, and associated policy (job role, C H A P T E R

1Overview of Cisco ISE

Cisco Identity Services Engine (Cisco ISE) is a next-generation identity and access control policy platform that enables enterprises to enforce compliance, enhance infrastructure security, and streamline their service operations. The unique architecture of Cisco Cisco ISE allows enterprises to gather real-time contextual information from networks, users, and devices. The administrator can then use that information to make proactive governance decisions by tying identity to various network elements including access switches, wireless LAN controllers (WLCs), Virtual Private Network (VPN) gateways, and data center switches. Cisco Cisco ISE is a key component of the Cisco Security Group Access Solution.Cisco ISE is a consolidated policy-based access control system that incorporates a superset of features available in existing Cisco policy platforms. Cisco ISE performs the following functions:

Combines authentication, authorization, accounting (AAA), posture, and profiler into one appliance Provides for comprehensive guest access management for the Cisco ISE administrator, sanctioned

sponsor administrators, or both Enforces endpoint compliance by providing comprehensive client provisioning measures and

assessing device posture for all endpoints that access the network, including 802.1X environments Provides support for discovery, profiling, policy-based placement, and monitoring of endpoint

devices on the network Enables consistent policy in centralized and distributed deployments that allows services to be

delivered where they are needed Employs advanced enforcement capabilities including security group access (SGA) through the use

of security group tags (SGTs) and security group access control lists (SGACLs) Supports scalability to support a number of deployment scenarios from small office to large

enterprise environmentsThe following key functions of Cisco ISE enable you to manage your entire access network.

Provide Identity-Based Network Access

The Cisco Cisco ISE solution provides context-aware identity management in the following areas:1-1 Identity Services Engine User Guide, Release 1.1.x

Chapter 1 Overview of Cisco ISE Cisco ISE grants authenticated users with access to specific segments of the network, or specific applications and services, or both, based on authentication results.

For more information, see Chapter 4, Managing Identities and Admin Access.

Manage Various Deployment Scenarios

You can deploy Cisco ISE across an enterprise infrastructure, supporting 802.1X wired, wireless, and Virtual Private Networks (VPNs).The Cisco Cisco ISE architecture supports both stand-alone and distributed (also known as high-availability or redundant) deployments where one machine assumes the primary role and another backup machine assumes the secondary role. Cisco Cisco ISE features distinct configurable personas, services, and roles, which allow you to create and apply Cisco ISE services where they are needed in the network. The result is a comprehensive Cisco Cisco ISE deployment that operates as a fully functional and integrated system.You can deploy Cisco ISE nodes with one or more of the Administration, Monitoring, and Policy Service personaseach one performing a different vital part in your overall network policy management topology. Installing Cisco Cisco ISE with an Administration persona allows you to configure and manage your network from a centralized portal to promote efficiency and ease of use.You can also choose to deploy the Cisco ISE platform as an Inline Posture node to perform policy enforcement and execute Change of Authorization (CoA) requests where users are accessing the network via WLCs and/or VPN concentrators that do not support the necessary functionality to facilitate Cisco ISE policy management.For more information, see the following:

Chapter 9, Setting Up Cisco ISE in a Distributed Environment Chapter 10, Setting Up Inline Posture

Provide Basic User Authentication and Authorization

User authentication policies in Cisco ISE enable you to provide authentication for a number of user login session types using a variety of standard authentication protocols including, but not limited to, Password Authentication Protocol (PAP), Challenge-Handshake Authentication Protocol (CHAP), Protected Extensible Authentication Protocol (PEAP), and Extensible Authentication Protocol (EAP). Cisco ISE specifies the allowable protocol(s) that are available to the network devices on which the user tries to authenticate and specifies the identity sources from which user authentication is validated. Cisco ISE allows for a wide range of variables within authorization policies to ensure that only authorized users can access the appropriate resources when they access the network. The initial release of Cisco ISE supports only RADIUS-governed access to the internal network and its resources.At the most fundamental level, Cisco ISE supports 802.1X, MAC authentication bypass (MAB), and browser-based Web authentication login for basic user authentication and access via both wired and wireless networks. Upon receiving an authentication request, the outer part of the authentication policy is used to select the set of protocols that are allowed to be used when processing the request. Then, the inner part of the authentication policy is used to select the identity source that is used to authenticate the request. The identity source may consist of a specific identity store or an identity store sequence that lists a set of accessible identities until the user received a definitive authorization response.Once authentication succeeds, the session flow proceeds to the authorization policy. (There are also options available that allow Cisco ISE to process the authorization policy even when the authentication did not succeed.) Cisco ISE enables you to configure behavior for authentication failed, user not found, and process failed cases, and also to decide whether to reject the request, drop the request (no 1-2Cisco Identity Services Engine User Guide, Release 1.1.x

OL-26134-01

Chapter 1 Overview of Cisco ISEresponse is issued), or continue to the authorization policy. In cases where Cisco ISE continues to perform authorization, you can use the AuthenicationStaus attribute in the NetworkAccess dictionary to incorporate the authentication result as part of the authorization policy.The authorization policy result is Cisco ISE assigning an authorization profile that might also involve a downloadable ACL specifying traffic management on the network policy enforcement device. The downloadable ACL specifies the RADIUS attributes that are returned during authentication and that define the user access privileges granted once authenticated by Cisco ISE.For more information, see the following:

Chapter 16, Managing Authentication Policies Chapter 17, Managing Authorization Policies and Profiles

Support for FIPS 140-2 Implementation

Cisco ISE, supports Federal Information Processing Standard (FIPS) 140-2 Common Criteria EAL2 compliance. FIPS 140-2 is a United States government computer security standard that is used to accredit cryptographic modules. Cisco ISE uses an embedded FIPS 140-2 implementation using validated C3M and Cisco ACS NSS modules, per FIPS 140-2 Implementation Guidance section G.5 guidelines.In addition, the FIPS standard places limitations on the use of certain algorithms, and in order to enforce this standard, you must enable FIPS operation in Cisco ISE. Cisco ISE enables FIPS 140-2 compliance via RADIUS Shared Secret and Key Management measures and provides SHA-256 encryption and decryption capabilities for certificates. While in FIPS mode, any attempt to perform functions using a non-FIPS compliant algorithm fails, and, as such, certain authentication functionality is disabled.When you turn on FIPS mode in Cisco ISE, the following functions are affected:

IEEE 802.1X environment EAP-Flexible Authentication via Secure Tunneling (EAP-FAST) EAP-Transport Layer Security (EAP-TLS) PEAP

RADIUS

Note Other protocols like EAP-Message Digest 5 (EAP-MD5), Lightweight Extensible Authentication Protocol (LEAP), and PAP are not compatible with a FIPS 140-2 compliant system and are disabled while Cisco ISE is in FIPS mode.

Turning on FIPS mode also automatically disables PAP and CHAP protocols, which the Guest login function of Cisco ISE requires. For information on addressing this issue with Layer-3 Guest login implementation, see Chapter 21, User Access Management.

Secure Shell (SSH) clients can only use SSHv2 Lightweight Directory Access Protocol (LDAP) over Secure Sockets Layer (SSL) Inline Posture node RADIUS Key Wrap HTTPS protocol communication for both Administrator ISE nodes and Inline Posture nodes

For more information, see the specific FIPS 140-2 configuration options: Chapter 6, Managing Network Devices Chapter 8, Administering Cisco ISE (Enabling FIPS Mode in Cisco ISE, page 8-2)1-3Cisco Identity Services Engine User Guide, Release 1.1.x

OL-26134-01

Chapter 1 Overview of Cisco ISE Chapter 13, Managing Certificates Chapter 16, Managing Authentication Policies

Support Common Access Card Functions

Cisco ISE supports U.S. government users who authenticate themselves using Common Access Card (CAC) authentication devices. A CAC is an identification badge with an electronic chip containing a set of X.509 client certificates that identify a particular employee of, for example, the U.S. Department of Defense (DoD). Access via the CAC requires a card reader into which the user inserts the card and enters a PIN. The certificates from the card are then transferred into the Windows certificate store, where they are available to applications such as the local browser running Cisco ISE.Benefits of using a CAC card to authenticate include these:

Common Access Card X.509 certificates are the identity source for 802.1X EAP-TLS authentication.

Common Access Card X.509 certificates are also the identity source for authentication and authorization to Cisco ISE administration.

Cisco ISE only supports login to the administrator user interface. It does not support CAC authentication for the following access methods:

You cannot use CAC authentication login to manage the Cisco ISE Command Line Interface. External REST API (Monitoring and Troubleshooting) and Endpoint Protection Services APIs are

outside the scope of the CAC authentication. Guest Services and Guest Sponsor Administration access does not support the CAC authentication

method in Cisco ISE.For more information on setting up Cisco ISE up for CAC authentication, see Chapter 8, Administering Cisco ISE.

Incorporate Client Posture Assessment

To ensure that the imposed network security measures remain relevant and effective, Cisco ISE enables you to validate and maintain security capabilities on any client machine that accesses the protected network. By employing posture policies that are designed to ensure that the most up-to-date security settings or applications are available on client machines, the Cisco ISE administrator can ensure that any client machine that accesses the network meets, and continues to meet, the defined security standards for enterprise network access. Posture compliance reports provide Cisco ISE with a snapshot of the compliance level of the client machine at the time of user login, as well as any time a periodic reassessment takes place.Posture assessment and compliance takes place using one of the following agent types available in Cisco ISE:

Cisco NAC Web AgentA temporal agent the user installs on his/her system at the time of login that is no longer visible on the client machine once the login session terminates.

Cisco NAC AgentA persistent agent that, once installed, remains on a Windows or Mac OS X client machine to perform all user login and security compliance functions for Windows XP, Windows Vista, Windows 7, or Mac OS 10.5 and 10.6 clients, respectively.

For more information, see the following:

Chapter 19, Configuring Client Provisioning Policies Chapter 20, Configuring Client Posture Policies1-4Cisco Identity Services Engine User Guide, Release 1.1.x

OL-26134-01

Chapter 1 Overview of Cisco ISEDefine Sponsors and Manage Guest Sessions

Cisco ISE administrators and employees that are granted appropriate access to the Cisco ISE guest registration portal as guest sponsors can create temporary guest login accounts and specify available network resources to allow guests, visitors, contractors, consultants, and customers to access the network. Guest access sessions have expiration timers associated with them, so they are effective in controlling guest access to a specific day, time period, and so forth.All aspects of a guest user session (including account creation and termination) are tracked and recorded in Cisco ISE so that you can provide audit information and troubleshoot session access, as necessary.For more information, see the following:

Chapter 21, User Access Management Cisco Identity Services Engine Sponsor Portal User Guide, Release 1.1.x

Manage Wireless and VPN Traffic with Inline Posture Nodes

Inline Posture nodes are gatekeeping nodes that enforce Cisco ISE access policies and handle CoA requests. After initial authentication (using EAP/802.1X and RADIUS), client machines must still go through posture assessment. The posture assessment process determines whether the client should be restricted, denied, or allowed full access to the network. When a client accesses the network through a WLC or VPN device, the Inline Posture node has the responsibility for the policy enforcement and CoA that the other network devices are unable to accommodate. It is for this reason that a Cisco ISE can be deployed as an Inline Posture node behind other network access devices on your network, such as WLCs and VPN concentrators.For more information, see Chapter 10, Setting Up Inline Posture.

Profile Endpoints on the Network

The Profiler service assists in identifying, locating, and determining the capabilities of all endpoints on your network (known as identities in Cisco ISE), regardless of their respective device types, to ensure and maintain appropriate access to your enterprise network. The Cisco ISE Profiler function uses a number of probes to collect attributes for all endpoints on your network, and pass them to the Profiler analyzer where the known endpoints are classified according to their associated policies and the identity groups.

For more information, see Chapter 18, Configuring Endpoint Profiling Policies.

Install on a Variety of Hardware and VMware Platforms

Cisco Cisco ISE comes preinstalled on a range of physical appliances with various performance characteristics. The Cisco Application Deployment Engine (ADE) and Cisco ISE software run on either a dedicated Cisco ISE 3300 Series appliance or on a VMware server (Cisco ISE VM). The Cisco ISE software image does not support the installation of any other packages or applications on this dedicated platform. The inherent scalability of Cisco Cisco ISE allows you to add appliances to a deployment and increase performance and resiliency, as needed.For more detailed information on hardware platforms and installing Cisco ISE, refer to the Cisco Identity Services Engine Hardware Installation Guide, Release 1.1.x1-5Cisco Identity Services Engine User Guide, Release 1.1.x

OL-26134-01

Chapter 1 Overview of Cisco ISE 1-6Cisco Identity Services Engine User Guide, Release 1.1.x

OL-26134-01

CiscoOL-26134-01

UTF-8 Support for Messages Sent to Supplicant, page 2-5 Reports and Alerts UTF-8 Support, page 2-5 UTF-8 Support Outside the User Interface, pa Support for Importing and Exporting UTF-8 Vge 2-6alues, page 2-6C H A P T E R

2Understanding the User Interface

This chapter introduces the Cisco Identity Service Engine (ISE) user interface and contains the following topics:

Cisco ISE Internationalization and Localization, page 2-1 Inherent Usability, page 2-6 Elements of the User Interface, page 2-7 Introducing the Dashboard, page 2-12 Common User Interface Patterns, page 2-16 Understanding the Impact of Roles and Admin Groups, page 2-19

Cisco ISE Internationalization and LocalizationCisco ISE internationalization adapts the user interface for supported languages. Localization of the user interface incorporates locale-specific components and translated text. In Cisco ISE, internalization and localization support is focused on the text and information that is presented to the end user (connecting to Cisco ISE). This includes support for non-English text in UTF-8 encoding to the end-user facing portals and on selective fields in the Cisco ISE Admin user interface.This section contains the following topics:

Supported Languages, page 2-2 UTF-8 Character Data Entry, page 2-2 Portal Localization, page 2-3 UTF-8 Credential Authentication, page 2-4 UTF-8 Policies and Posture Assessment, page 2-4 Cisco NAC and MAC Agent UTF-8 Support, page 2-52-1 Identity Services Engine User Guide, Release 1.1.x

Chapter 2 Understanding the User Interface Cisco ISE Internationalization and LocalizationSupported Languages

Cisco ISE, provides localization and internalization support for the following languages and browser locales:

Internationalization and localization applies to all supported internet browsers. For more information, see the Cisco Identity Services Engine Network Component Compatibility, Release 1.1.x.

UTF-8 Character Data Entry

Cisco ISE administrative user interface fields that are exposed to the end user through the Cisco NAC agent, supplicants, or the sponsor portal, guest portal, and client provisioning portals, support UTF-8 character sets for all languages. Character values are stored in UTF-8 in the administration configuration database, and are then viewed in UTF-8 as entered. UTF-8 is a multibyte character encoding for the unicode character set, which includes many different language character sets, including Hebrew, Sanskrit, Arabic, and many more. The Cisco ISE user interface supports UTF-8 characters in a number of input fields. When the user-entered UTF-8 characters appear in reports and user interface components, they are displayed correctly.

Note Many more character sets are supported in Cisco ISE user interface input fields (UTF-8) than are currently supported for localizations (for translated text) in portals and end-user messages.

For a complete list of UTF-8 character data entry fields, see UTF-8 Character Support in the User Interface, page 21-34.

Table 2-1 Supported Languages and Browser Locales

Language Browser Locale

Chinese traditional zh-twChinese simplified zh-cnEnglish enFrench fr-frGerman de-deItalian it-itJapanese ja-jpKorean ko-krPortuguese pt-br (Brazilian)Russian ru-ruSpanish es-es2-2Cisco Identity Services Engine User Guide, Release 1.1.x

OL-26134-01

Chapter 2 Understanding the User Interface Cisco ISE Internationalization and LocalizationPortal Localization

Internationalizing includes input that is configured by the end user, or Cisco ISE administrator configurations that are displayed in any of the following user portals:

Sponsor Portal, page 2-3 Guest Portal, page 2-3 Client Provisioning Portal, page 2-4

Sponsor Portal

The Sponsor portal user interface is localized into all supported languages and locales. This includes text, labels, messages, field names, and button labels. The predefined text per language is configurable in the Cisco ISE Admin user interface, and you can add additional languages. For more information, see Configuring Sponsor Language Templates, page 21-35.

Note If an undefined locale is requested by a client browser, the English locale default portal is displayed. This means that if the browser requests a locale that is not mapped to a template in Cisco ISE, the English template is presented. See Table 2-1 for a list of supported Languages and Browser Locales

Sponsor portal fields support UTF-8 char sets. UTF-8 values are stored in the administrative configuration database and viewed in UTF-8 in the Sponsor portal as entered. Guest accounts accept plain text and .csv files with UTF-8 values. The following table lists the UTF-8 Sponsor portal fields.

Guest Portal

The Guest portal can be localized to present user interface elements in all left-to right language locales. This includes text, field names, button labels, and messages. You can configure supported language templates on the administrative portal. For more information, see Configuring Sponsor Language Templates, page 21-35.

Note Currently, Cisco ISE does not support right-to-left languages, such as Hebrew or Arabic, even though the character sets themselves are supported.

You can customize the Guest portal by uploading HTML pages to Cisco ISE. When you upload customized pages, you are responsible for the appropriate localization support for your deployment. Cisco ISE provides a localization support example with sample HTML pages, which you can use as a guide. Cisco ISE provides the ability to upload, store, and render custom internationalized HTML pages.

Guest account list Filter value edit boxCreate guest account First name

Last name

Email address Company Optional data

Create random guest accounts User name prefixSettings customizations Email2-3Cisco Identity Services Engine User Guide, Release 1.1.x

OL-26134-01

Chapter 2 Understanding the User Interface Cisco ISE Internationalization and LocalizationDefault templates for supported languages are included in a standard Cisco ISE installation. If an undefined locale is requested by the client browser, the English locale default portal is displayed. The following are the Guest portal input fields to support UTF-8:

Login user name All fields on the self-registration page

Client Provisioning Portal

The Client Provisioning portal interface has been localized for all supported language locales. This includes text, labels, messages, field names, and button labels. If an undefined locale is requested by a client browser, the English locale default portal is displayed.Currently, language templates are not supported for the Client Provisioning portal, as they are for the Admin, Guest, and Sponsor portals.

Note NAC and MAC agent installers are not localized, nor are WebAgent pages.

For more information on client provisioning, see Chapter 19, Configuring Client Provisioning Policies.

UTF-8 Credential Authentication

Network access authentication supports UTF-8 username and password credentials. This includes RADIUS, EAP, RADIUS proxy, RADIUS token, web authentication from the Guest and Administrative portal login authentications. This provides end users network access with a UTF-8 user name and password, as well as administrators with UTF-8 credentials. UTF-8 support for user name and password applies to authentication against the local identity store as well as external identity stores.UTF-8 authentication depends on the client supplicant that is used for network login. Some Windows native supplicants do not support UTF-8 credentials. If you are experiencing difficulties with a Windows native supplicant, the following Windows hotfixes may be helpful:

http://support.microsoft.com/default.aspx?scid=kb;EN-US;957218 http://support.microsoft.com/default.aspx?scid=kb;EN-US;957424

Note RSA (Rivest, Shamir, and Adleman) does not support UTF-8 users, hence UTF-8 authentication with RSA is not supported. Likewise, RSA servers, which are compatible with Cisco ISE 1.1.x, do not support UTF-8.

UTF-8 Policies and Posture Assessment

Policy rules in Cisco ISE that are conditioned on attribute values may include UTF-8 text. Rule evaluation supports UTF-8 attribute values. In addition, you can configure conditions with UTF-8 values through the Administrative portal.Posture requirements can be modified as File, Application, and Service conditions based on a UTF-8 character set. This includes sending UTF-8 requirement values to the NAC agent. The NAC agent then assesses the endpoint accordingly, and reports UT