Policy User Interface Reference

Similar documents
Managing External Identity Sources

Set Up Policy Conditions

ISE Primer.

Vendor: Cisco. Exam Code: Exam Name: Implementing Cisco Secure Access Solutions. Version: Demo

Data Structure Mapping

Data Structure Mapping

Network Access Flows APPENDIXB

Integrating Meraki Networks with

Cisco ISE Features. Cisco Identity Services Engine Administrator Guide, Release 1.4 1

Data Structure Mapping

Authentication and Authorization Policies

Data Structure Mapping

Data Structure Mapping

802.1x Port Based Authentication

ForeScout CounterACT. Configuration Guide. Version 4.3

Configuring Client Posture Policies

Manage Authorization Policies and Profiles

Forescout. Configuration Guide. Version 4.4

Data Structure Mapping

Configure Client Posture Policies

Data Structure Mapping

Configure Client Posture Policies

DumpsFree. DumpsFree provide high-quality Dumps VCE & dumps demo free download

Managing Certificates

ONE POLICY. Tengku Shahrizam, CCIE Asia Borderless Network Security 20 th June 2013

Cisco ISE Features Cisco ISE Features

Configuring EAP-FAST CHAPTER

Manage Authorization Policies and Profiles

RADIUS Configuration Note WINS : Wireless Interoperability & Network Solutions

Monitor Mode Deployment with Cisco Identity Services Engine. Secure Access How -To Guides Series

ISE Version 1.3 Self Registered Guest Portal Configuration Example

Cisco TrustSec How-To Guide: Central Web Authentication

Cisco TrustSec How-To Guide: Monitor Mode

Cisco TrustSec How-To Guide: Universal Configuration for the Cisco Wireless LAN Controller

PROTECTED EXTENSIBLE AUTHENTICATION PROTOCOL

Posture Services on the Cisco ISE Configuration Guide Contents

Configuring 802.1X Settings on the WAP351

Support Device Access

Setting Up Cisco SSC. Introduction CHAPTER

ISE Version 1.3 Hotspot Configuration Example

PASS4TEST. IT Certification Guaranteed, The Easy Way! We offer free update service for one year

Wireless LAN Profile Setup

User Databases. ACS Internal Database CHAPTER

Cisco Exam Questions & Answers

Question: 1 The NAC Agent uses which port and protocol to send discovery packets to an ISE Policy Service Node?

Switch and Wireless LAN Controller Configuration Required to Support Cisco ISE Functions

ACCP-V6.2Q&As. Aruba Certified Clearpass Professional v6.2. Pass Aruba ACCP-V6.2 Exam with 100% Guarantee

P ART 3. Configuring the Infrastructure

Guest Access User Interface Reference

Protected EAP (PEAP) Application Note

MCSA Guide to Networking with Windows Server 2016, Exam

Identity Based Network Access

Support Device Access

Configure Network Access Manager

Configure Posture. Note

Wired Dot1x Version 1.05 Configuration Guide

Request for Comments: 5422 Category: Informational H. Zhou Cisco Systems March 2009

Troubleshooting Cisco ISE

Wireless BYOD with Identity Services Engine

CounterACT 802.1X Plugin

Configure Client Posture Policies

Configure Guest Flow with ISE 2.0 and Aruba WLC

Central Web Authentication on the WLC and ISE Configuration Example

Contents. Introduction

Table of Contents. Why doesn t the phone pass 802.1X authentication?... 16

User Identity Sources

The table below lists the protocols supported by Yealink SIP IP phones with different versions.

802.1X: Deployment Experiences and Obstacles to Widespread Adoption

Configuring 802.1X Port-Based Authentication

BEST PRACTICE - NAC AUF ARUBA SWITCHES. Rollenbasierte Konzepte mit Aruba OS Switches in Verbindung mit ClearPass Vorstellung Mobile First Features

Manage Certificates. Certificate Management in Cisco ISE. Certificates Enable Cisco ISE to Provide Secure Access

Cisco Secure ACS for Windows v3.2 With PEAP MS CHAPv2 Machine Authentication

Configuring IEEE 802.1x Port-Based Authentication

Realms and Identity Policies

Configuring IEEE 802.1x Port-Based Authentication

Firepower Threat Defense Remote Access VPNs

Configure Client Provisioning

Guest Management. Overview CHAPTER

Pulse Policy Secure X Network Access Control (NAC) White Paper

User Guide for Cisco Secure ACS to Cisco ISE Migration Tool, Release 2.2

Install Certificate on the Cisco Secure ACS Appliance for PEAP Clients

Configuring FlexConnect Groups

RADIUS Servers for AAA

Index. Numerics. Index 1

Cisco Exam Questions & Answers

Universal Wireless Controller Configuration for Cisco Identity Services Engine. Secure Access How-To Guide Series

Realms and Identity Policies

About 802.1X... 3 Yealink IP Phones Compatible with 802.1X... 3 Configuring 802.1X Settings... 5 Configuring 802.1X using configuration files...

Configuring Network Admission Control

Set Up Cisco ISE in a Distributed Environment

Configuring IEEE 802.1x Port-Based Authentication

Network Security 1. Module 7 Configure Trust and Identity at Layer 2

NCP Secure Enterprise Management for Windows Release Notes

Identity-Based Networking Services Command Reference, Cisco IOS XE Release 3SE (Catalyst 3850 Switches)

Manage Users and External Identity Sources

Manage Users and External Identity Sources

ITCertMaster. Safe, simple and fast. 100% Pass guarantee! IT Certification Guaranteed, The Easy Way!

AAA Administration. Setting up RADIUS. Information About RADIUS

Contents. Introduction. Prerequisites. Requirements. Components Used

Configuring the Client Adapter through Windows CE.NET

Transcription:

Authentication, page 1 Authorization Policy Settings, page 4 Endpoint Profiling Policies Settings, page 5 Dictionaries, page 9 Conditions, page 11 Results, page 22 Authentication This section describes the authentication policy page, which allows you to configure simple and rule-based authentication policies. Simple Authentication Policy Configuration Settings The following table describes the fields in the simple authentication policy page, which allows you to configure simple authentication policies. The navigation path for this page is: Policy > Authentication. Table 1: Simple Authentication Policy Configuration Settings Network Access Service Choose an allowed protocol that you have already created. Identity Source Choose the identity source that you want to use for authentication. You can also choose an identity source sequence if you have configured it. You can edit the default identity source that you want Cisco ISE to use in case none of the identity sources defined in this rule match the request. 1

Rule-Based Authentication Policy Configuration Settings Options Define a further course of action for authentication failure, user not found, or process failure events. You can choose one of the following options: Reject A reject response is sent. Drop No response is sent. Continue Cisco ISE proceeds with the authorization policy. Simple Authentication Policies Simple Authentication Policy Flow Guidelines for Configuring Simple Authentication Policies Configure a Simple Authentication Policy Rule-Based Authentication Policy Configuration Settings The following table describes the fields in the rule-based authentication policy page, which allows you to configure simple authentication policies. The navigation path for this page is: Policy > Authentication > Rule-Based. Table 2: Rule-Based Authentication Policy Configuration Settings Status Choose the status of this policy. It can be one of the following: Enabled This policy condition is active. Disabled This policy condition is inactive and will not be evaluated. Monitor Only This policy condition will be evaluated, but the result will not be enforced. You can view the results of this policy condition in the Live Log authentication page. In this, see the detailed report which will have the monitored step and attribute. For example, you may want to add a new policy condition, but are not sure if the condition would provide you with the correct results. In this situation, you can create the policy condition in monitored mode to view the results and then enable it if you are satisfied with the results. Standard Rule Enter a name for this policy and select condition and allowed protocol. 2

Rule-Based Authentication Policy Configuration Settings Conditions Click the plus [+] sign to expand the Conditions anchored overlay, and click the minus [-] sign, or click outside the anchored overlay to close it: Select Existing Condition from Library or Create New Condition (Advanced Option) Select Existing Condition from Library You can define an expression by selecting Cisco predefined conditions from the policy elements library. Create New Condition (Advanced Option) You can define an expression by selecting attributes from various system or user-defined dictionaries. Select Existing Condition from Library You can do the following: 1 You can choose the predefined conditions that you would have defined for authentication in the policy elements, and then use an AND or OR operator to add multiple conditions. You cannot select certain predefined conditions that contain the following dictionaries or attributes: Dictionary "Certificate", with any attribute Dictionary "Network Access", with the following attributes: Device IP Address ISE Host Name NetworkDeviceName Protocol UseCase In case such conditions are available, the first entry in the select box will be "Only relevant conditions are selectable". 2 Click the Action icon to do the following in the subsequent steps: Add Attribute/Value You can add ad-hoc attribute/value pairs Add Condition from Library You can add Cisco predefined conditions Duplicate Create a copy of the selected condition Add Condition to Library You can save ad-hoc attribute/value pairs that you create to the policy elements library Delete Delete the selected condition 3

Authorization Policy Settings Create New Condition (Advance Option) You can do the following: 1 You can add ad-hoc attribute/value pairs to your expression, and then use an AND or OR operator to add multiple conditions. 2 Click the Action icon to do the following in the subsequent steps: Add Attribute/Value You can add ad-hoc attribute/value pairs Add Condition from Library You can add Cisco predefined conditions Duplicate Create a copy of the selected condition Add Condition to Library You can save ad-hoc attribute/value pairs that you create to the policy elements library Delete Delete the selected condition.here, you can use the AND or OR operator Select Network Access Arrow Button Identity Source Sequence Choose from allowed protocols or RADIUS server sequence. Click to define conditions for the identity source selection. You can do the following: 1 Click the action icon in the default identity source row, and click Insert new row above. 2 Enter a name for your identity source rule. 3 Click the button to define the conditions based on which you want to choose the identity source. 4 Choose the identity source sequence or the identity source and the action that you want Cisco ISE to take. Rule-Based Authentication Policies Rule-Based Authentication Policy Flow Configure a Rule-Based Authentication Policy Authorization Policy Settings The following table describes the fields in the authorization policy page, which allows you to configure authorization policies. The navigation path for this page is: Policy > Authorization. 4

Endpoint Profiling Policies Settings Table 3: Authorization Policy Settings Status Choose one of the following to enforce the policies: Enabled This policy condition is active. Disabled This policy condition is inactive and will not be evaluated. Monitor Only This policy condition will be evaluated, but the result will not be enforced. You can view the results of this policy condition in the Live Log authentication page. In this, see the detailed report which will have the monitored step and attribute. For example, you may want to add a new policy condition, but are not sure if the condition would provide you with the correct results. In this situation, you can create the policy condition in monitored mode to view the results and then enable it if you are satisfied with the results. Rule Name Conditions (identity groups and other conditions) Permissions Enter a name for the Rule Name. Choose an identity group from the first drop-down. Choose a condition from the second drop-down. You can either select from the existing conditions or create a new condition. Choose an authorization profile from the Standard category. Cisco ISE Authorization Policies Guidelines for Configuring Authorization Policies and Profiles Configure Authorization Policies Endpoint Profiling Policies Settings The following table describes the fields in the Endpoint Policies page. The navigation path for this page is: Policy > Profiling > Profiling Policies. Table 4: Endpoint Profiling Policies Settings Name Enter the name of the endpoint profiling policy that you want to create. Enter the description of the endpoint profiling policy that you want to create. 5

Endpoint Profiling Policies Settings Policy Enabled Minimum Certainty Factor Exception Action Network Scan (NMAP) Action Create an Identity Group for the policy By default, the Policy Enabled check box is checked to associate a matching profiling policy when you profile an endpoint. When unchecked, the endpoint profiling policy is excluded when you profile an endpoint. Enter the minimum value that you want to associate with the profiling policy. The default value is 10. Choose an exception action, which you want to associate with the conditions when defining a rule in the profiling policy. The default is NONE. The exception actions are defined in the following location: Policy > Policy Elements > Results > Profiling > Exception Actions. Choose a network scan action from the list, which you want to associate with the conditions when defining a rule in the profiling policy, if required. The default is NONE. The exception actions are defined in the following location: Policy > Policy Elements > Results > Profiling > Network Scan (NMAP) Actions. Check one of the following options to create an endpoint identity group: Yes, create matching Identity Group No, use existing Identity Group hierarchy Yes, create matching Identity Group Choose this option to use an existing profiling policy. This option creates a matching identity group for those endpoints and the identity group will be the child of the Profiled endpoint identity group when an endpoint profile matches an existing profiling policy. For example, the Xerox-Device endpoint identity group is created in the Endpoints Identity Groups page when endpoints discovered on your network match the Xerox-Device profile. 6

Endpoint Profiling Policies Settings No, use existing Identity Group hierarchy Check this check box to assign endpoints to the matching parent endpoint identity group using hierarchical construction of profiling policies and identity groups. This option allows you to make use of the endpoint profiling policies hierarchy to assign endpoints to one of the matching parent endpoint identity groups, as well as to the associated endpoint identity groups to the parent identity group. For example, endpoints that match an existing profile are grouped under the appropriate parent endpoint identity group. Here, endpoints that match the Unknown profile are grouped under Unknown, and endpoints that match an existing profile are grouped under the Profiled endpoint identity group. For example, If endpoints match the Cisco-IP-Phone profile, then they are grouped under the Cisco-IP-Phone endpoint identity group. If endpoints match the Workstation profile, then they are grouped under the Workstation endpoint identity group. The Cisco-IP-Phone and Workstation endpoint identity groups are associated to the Profiled endpoint identity group in the system. Parent Policy Associated CoA Type Choose a parent profiling policy that are defined in the system to which you want to associate the new endpoint profiling policy. You can choose a parent profiling policy from which you can inherit rules and conditions to its child. Choose one of the following CoA types that you want to associate with the endpoint profiling policy: No CoA Port Bounce Reauth Global Settings that is applied from the profiler configuration set in Administration > System > Settings > Profiling Rules One or more rules that are defined in endpoint profiling policies determine the matching profiling policy for endpoints, which allows you to group endpoints according to their profiles. One or more profiling conditions from the policy elements library are used in rules for validating endpoint attributes and their values for the overall classification. 7

Endpoint Profiling Policies Settings Conditions Click the plus [+] sign to expand the Conditions anchored overlay, and click the minus [-] sign, or click outside the anchored overlay to close it. Click Select Existing Condition from Library or Create New Condition (Advanced Option). Select Existing Condition from Library---You can define an expression by selecting Cisco predefined conditions from the policy elements library. Create New Condition (Advanced Option)---You can define an expression by selecting attributes from various system or user-defined dictionaries. You can associate one of the following with the profiling conditions: An integer value for the certainty factor for each condition Either an exception action or a network scan action for that condition Choose one of the following predefined settings to associate with the profiling condition: Certainty Factor Increases Enter the certainty value for each rule, which can be added for all the matching rules with respect to the overall classification. Take Exception Action Triggers an exception action that is configured in the Exception Action field for this endpoint profiling policy. Take Network Scan Action Triggers a network scan action that is configured in the Network Scan (NMAP) Action field for this endpoint profiling policy. Select Existing Condition from Library You can do the following: You can choose Cisco predefined conditions that are available in the policy elements library, and then use an AND or OR operator to add multiple conditions. Click the Action icon to do the following in the subsequent steps: Add Attribute/Value You can add ad-hoc attribute/value pairs Add Condition from Library You can add Cisco predefined conditions Duplicate Create a copy of the selected condition Add Condition to Library You can save ad-hoc attribute/value pairs that you create to the policy elements library Delete Delete the selected condition. 8

Dictionaries Create New Condition (Advance Option) You can do the following: You can add ad-hoc attribute/value pairs to your expression, and then use an AND or OR operator to add multiple conditions. Click the Action icon to do the following in the subsequent steps: Add Attribute/Value You can add ad-hoc attribute/value pairs Add Condition from Library You can add Cisco predefined conditions Duplicate Create a copy of the selected condition Add Condition to Library You can save ad-hoc attribute/value pairs that you create to the policy elements library Delete Delete the selected condition.here, you can use the AND or OR operator Cisco ISE Profiling Service Create Endpoint Profiling Policies Dictionaries This section describes RADIUS vendor dictionaries used in Cisco ISE. The following table describes the fields in the Dictionary page for RADIUS vendors, which allows you to configure dictionary attributes for the RADIUS vendors. The navigation path for this page is: Policy > Policy Elements > Dictionaries > System > RADIUS > RADIUS Vendors. Table 5: RADIUS Vendor Dictionary Attribute Settings Attribute Name Internal Name Enter the vendor specific attribute name for the selected RADIUS vendor. Enter an optional description for the vendor specific attribute. Enter the name for the vendor specific attribute that refers to it internally in the database. 9

Dictionaries Data Type Choose one of the following data types for the vendor specific attribute: STRING OCTET_STRING UNIT32 UNIT64 IPV4 Enable MAC option Direction ID Allow Tagging Allow multiple instances of this attribute in a profile Check this check box to enable the comparison of RADIUS attribute as MAC address. By default, for the RADIUS attribute calling-station-id this option is marked as enabled and you cannot disable it. For other dictionary attributes (of string types) within the RADIUS vendor dictionary, you can enable or disable this option. Once you enable this option, while setting the authentication and authorization conditions, you can define whether the comparison is clear string by selecting the Text option or whether it is MAC address by selecting the MAC address option. Choose one of the options that applies to RADIUS messages: Enter the vendor attribute ID. The valid range is 0 to 255. Check this check box to mark the attribute as being permitted to have a tag, as defined in RFC2868. The purpose of the tag is to allow grouping of attributes for tunnelled users. See RFC2868 for more details. The tagged attributes support ensures that all attributes pertaining to a given tunnel contain the same value in their respective tag fields, and that each set includes an appropriately-valued instance of the Tunnel-Preference attribute. This conforms to the tunnel attributes that are to be used in a multi-vendor network environment, thereby eliminating interoperability issues among Network Access Servers (NASs) manufactured by different vendors. Check this check box when you want multiple instances of this RADIUS vendor specific attribute in profiles. System Defined Dictionaries and Dictionary Attributes User-Defined Dictionaries and Dictionary Attributes RADIUS-Vendor Dictionaries Create RADIUS-Vendor Dictionaries 10

Conditions Conditions Profiler Condition Settings This section describes policy conditions used for profiling endpoints, posture clients, and to limit or extend permission to access to Cisco ISE system resources. The following table describes the fields in the Profiler Condition page. The navigation path for this page is: Policy > Policy Elements > Conditions > Profiling. Table 6: Profiler Condition Settings Name Type Attribute Name Operator Attribute Value System Type Name of the profiler condition. of the profiler condition. Choose any one of the predefined types. Choose an attribute on which to base the profiler condition. Choose an operator. Enter the value for the attribute that you have chosen. For Attribute Names that contain pre-defined Attribute Values, this option displays a drop-down list with the pre-defined values, and you can choose a value. Profiling conditions can be any one of the following types: Cisco Provided Profiling conditions that are provided by Cisco ISE when deployed are identified as Cisco Provided. You cannot edit or delete them from the system. Administrator Created Profiling conditions that you create as an administrator of Cisco ISE are identified as Administrator Created. Cisco ISE Profiling Service Profiler Conditions Profiler Feed Service Create a Profiler Condition 11

Posture Conditions Settings Posture Conditions Settings This section describes simple and compound conditions used for posture. Posture Service Posture Conditions Custom Conditions for Posture Configure Posture Policies Create Posture Condition File Condition Settings The following table describes the fields in the File Conditions page. The navigation path for this page is: Policy > Policy Elements > Conditions > Posture > File Condition. Table 7: File Condition Settings Name File Path Enter the name of the file condition. Enter a description for the file condition. Choose one of the predefined settings: ABSOLUTE_PATH Checks the file in the fully qualified path of the file. For example, C:\<directory>\file name. For other settings, enter only the file name. SYSTEM_32 Checks the file in the C:\WINDOWS\system32 directory. Enter the file name. SYSTEM_DRIVE Checks the file in the C:\ drive. Enter the file name. SYSTEM_PROGRAMS Checks the file in the C:\Program Files. Enter the file name. SYSTEM_ROOT Checks the file in the root path for Windows system. Enter the file name. File Type Choose one of the predefined settings: FileExistence Checks whether a file exists on the system. FileDate Checks whether a file with a particular file-created or file-modified date exists on the system. FileVersion Checks whether a particular version of a file exists on the system. File Date Type (Available only if you select FileDate as the File Type) Choose a file data type. 12

Posture Conditions Settings File Operator/Operator The File Operator options change according to the settings you select in the File Type. Choose the settings appropriately: FileExistence Exists DoesNotExist FileDate EarlierThan LaterThan EqualTo FileVersion EarlierThan LaterThan EqualTo Date and Time File Version Operating System (Available only if you select FileDate as the File Type) Enter the date and time of the client system in mm/dd/yyyy and hh:mm:ss format. (Available only if you have selected FileVersion as the File Type) Enter the version of the file to be checked. Select the operating system to which the file condition should be applied. Simple Posture Conditions Compound Posture Conditions Create Posture Condition Registry Condition Settings The following table describes the fields in the Registry Conditions page. The navigation path for this page is: Policy > Policy Elements > Conditions > Posture > Registry Condition. Table 8: Registry Condition Settings Name Enter the name of the registry condition. Enter a description for the registry condition. 13

Posture Conditions Settings Registry Type Registry Root Key Sub Key Value Name Value Data Type Choose one of the predefined settings as the registry type. Choose one of the predefined settings as the registry root key. Enter the sub key without the backslash ( \ ) to check the registry key in the path specified in the Registry Root Key. For example, SOFTWARE\Symantec\Norton AntiVirus\version will check the key in the following path: HKLM\SOFTWARE\Symantec\NortonAntiVirus\version (Available only if you select RegistryValue or RegistryValueDefault as the Registry Type) Enter the name of the registry key value to be checked for RegistryValue. This is the default field for RegistryValueDefault. (Available only if you select RegistryValue or RegistryValueDefault as the Registry Type) Choose one of the following settings: Unspecified Checks whether the registry key value exists or not. This option is available only for RegistryValue. Number Checks the specified number in the registry key value String Checks the string in the registry key value Version Checks the version in the registry key value Value Operator Value Data Operating System Choose the settings appropriately. (Available only if you select RegistryValue or RegistryValueDefault as the Registry Type) Enter the value of the registry key according to the data type you have selected in Value Data Type. Select the operating system to which the registry condition should be applied. Simple Posture Conditions Compound Posture Conditions Application Condition Settings The following table describes the fields in the Application Conditions page. The navigation path for this page is: Policy > Policy Elements > Conditions > Posture > Application Condition. 14

Posture Conditions Settings Table 9: Application Condition Settings Name Process Name Application Operator Operating System Enter the name of the application condition. Enter a description of the application condition. Enter the name of the application to be checked. Choose the status to be checked. Select the operating system to which the application condition should be applied. Simple Posture Conditions Simple Posture Conditions Compound Posture Conditions Service Conditions Settings The following table describes the fields in the Service Conditions page. The navigation path for this page is: Policy > Policy Elements > Conditions > Posture > Service Condition. Table 10: Service Conditions Settings Name Service Name Service Operator Operating System Enter a name for the service condition. Enter a description of the service condition. Enter the name of the service to be checked. Choose the status to be checked. Select the operating system to which the service condition should be applied. Simple Posture Conditions Compound Posture Conditions 15

Posture Conditions Settings Posture Compound Condition Settings The following table describes the fields in the Compound Conditions page. The navigation path for this page is: Policy > Policy Elements > Conditions > Posture > Compound Condition. Table 11: Posture Compound Condition Settings Name Operating System Parentheses ( ) Enter the name of the compound condition that you want to create. Enter the description of the compound condition that you want to create. Select one or more Windows operating systems. This allow you to associate Windows operating systems to which the condition is applied. Click the parentheses to combine two simple conditions from the following simple condition types: file, registry, application, and service conditions. ( & ) AND operator (use & for an AND operator, without the quotes) ( ) OR operator (use for an OR operator, without the quotes) You can use the AND operator (ampersand [ & ]) in a compound condition. For example, enter Condition1 & Condition2. You can use the OR operator (horizontal bar [ ]) in a compound condition. For example, enter Condition1 & Condition2. (! ) NOT operator (use! for a NOT operator, without the quotes) Simple Conditions You can use the NOT operator (exclamation point [! ]) in a compound conditions. For example, enter Condition1 & Condition2. Choose from a list of simple conditions of the following types: file, registry, application, and service conditions. You can also create simple conditions of file, registry, application and service conditions from the object selector. Click the quick picker (down arrow) on the Action button to create simple conditions of file, registry, application, and service conditions. Posture Conditions Create Compound Posture Conditions Anti-Virus Condition Settings The following table describes the fields in the Anti-Virus Condition page. The navigation path for this page is: Policy > Policy Elements > Conditions > Posture > Anti-Virus Condition. 16

Posture Conditions Settings Table 12: Anti-Virus Condition Settings Name Operating System Vendor Check Type Installation Definition Check against latest AV definition file version, if available. (Otherwise check against latest definition file date). Allow virus definition file to be (Enabled) days older than latest file date Enter the name of the antivirus condition that you want to create. Enter the description of the antivirus condition that you want to create. Select an operating system to check the installation of an antivirus programs on your client, or check the latest antivirus definition file updates to which the condition is applied. Choose a vendor from the drop-down list. The selection of Vendor retrieves their antivirus products and versions, which are displayed in the Products for Selected Vendor table. Choose whether to check an installation or check the latest definition file update on the client. Choose to check only the installation of an antivirus program on the client. Choose to check only the latest definition file update of an antivirus product on the client. (Available only when you choose Definition check type) Choose to check the antivirus definition file version on the client against the latest antivirus definition file version, if available as a result of posture updates in Cisco ISE. Otherwise, this option allows you to check the definition file date on the client against the latest definition file date in Cisco ISE. (Available only when you choose Definition check type) Choose to check the antivirus definition file version and the latest antivirus definition file date on the client. The latest definition file date cannot be older than that you define in the next field (days older than field) from the latest antivirus definition file date of the product or the current system date. If unchecked, Cisco ISE allows you to check only the version of the antivirus definition file using the Check against latest AV definition file version, if available option. Define the number of days that the latest antivirus definition file date on the client can be older from the latest antivirus definition file date of the product or the current system date. The default value is zero (0). Choose to check the antivirus definition file date on the client, which can be older by the number of days that you define in the days older than field. If you set the number of days to the default value (0), then the antivirus definition file date on the client should not be older than the latest antivirus definition file date of the product. 17

Posture Conditions Settings current system date Products for Selected Vendor Choose to check the antivirus definition file date on the client, which can be older by the number of days that you define in the days older than field. If you set the number of days to the default value (0), then the antivirus definition file date on the client should not be older than the current system date. Choose an antivirus product from the table. Based on the vendor that you select in the New Anti-virus Condition page, the table retrieves information on their antivirus products and their version, remediation support that they provide, latest definition file date and its version. The selection of a product from the table allows you to check for the installation of an antivirus program, or check for the latest antivirus definition file date, and its latest version. Compound Posture Conditions Cisco-Preconfigured Antivirus and Antispyware Conditions Antivirus and Antispyware Support Chart Antispyware Compound Condition Settings The following table describes the fields in the AS Compound Conditions page. The navigation path for this page is: Policy > Policy Elements > Conditions > AS Compound Condition. Table 13: Antispyware Compound Condition Settings Name Operating System Vendor Check Type Enter the name of the antispyware compound condition that you want to create. Enter the description of the antispyware compound condition that you want to create. Selecting an operating system allows you to check the installation of an antispyware programs on your client, or check the latest antispyware definition file updates to which the condition is applied. Choose a vendor from the drop-down list. The selection of Vendor retrieves their antispyware products and versions, which are displayed in the Products for Selected Vendor table. Choose if you want to choose a type whether to check an installation, or check the latest definition file update on the client. 18

Posture Conditions Settings Installation Definition Allow virus definition file to be (Enabled) days older than The current system date Products for Selected Vendor Choose if you want to check only the installation of an antispyware program on the client. Choose if you want to check only the latest definition file update of an antispyware product on the client. Check this check box when you are creating antispyware definition check types, and disabled when creating antispyware installation check types. If checked, the selection allows you to check antispyware definition file version and the latest antispyware definition file date on the client. The latest definition file date cannot be older than that you define in the days older than field from the current system date. If unchecked, the selection allows you to check only the version of the antispyware definition file as the Allow virus definition file to be check box is not checked. Define the number of days that the latest antispyware definition file date on the client can be older from the current system date. The default value is zero (0). Choose to check the antispyware definition file date on the client, which can be older by the number of days that you define in the days older than field. If you set the number of days to the default value (0), then the antispyware definition file date on the client should not be older than the current system date. Choose an antispyware product from the table. Based on the vendor that you select in the New Anti-spyware Compound Condition page, the table retrieves information on their antispyware products and their version, remediation support that they provide, latest definition file date and its version. The selection of a product from the table allows you to check for the installation of an antispyware program, or check for the latest antispyware definition file date, and its latest version. Compound Posture Conditions Cisco-Preconfigured Antivirus and Antispyware Conditions Antivirus and Antispyware Support Chart 19

Posture Conditions Settings Dictionary Simple Conditions Settings The following table describes the fields in the Dictionary Simple Conditions page. The navigation path for this page is: Policy > Policy Elements > Conditions > Posture > Dictionary Simple Condition. Table 14: Dictionary Simple Condition Settings Name Attribute Operator Value Usage Guideline Enter the name of the dictionary simple condition that you want to create. Enter the description of the dictionary simple condition that you want to create. Choose an attribute from the dictionary. Choose an operator to associate a value to the attribute that you have selected. Enter a value that you want to associate to the dictionary attribute, or choose a predefined value from the drop-down list. Dictionaries and Dictionary Attributes Simple and Compound Conditions Simple Posture Conditions Create Simple Posture Conditions Dictionary Compound Condition Settings The following table describes the fields in the Dictionary Compound Conditions page. The navigation path for this page is: Policy > Policy Elements > Conditions > Posture > Dictionary Compound Condition. Table 15: Dictionary Compound Condition Settings Name Select Existing Condition from Library Condition Name Enter the name of the dictionary compound condition that you want to create. Enter the description of the dictionary compound condition that you want to create. Define an expression by selecting pre-defined conditions from the policy elements library or add ad-hoc attribute/value pairs to your expression in the subsequent steps. Choose dictionary simple conditions that you have already created from the policy elements library. 20

Time and Date Condition Settings Expression AND or OR operator The Expression is updated based on your selection from the Condition Name drop-down list. Choose an AND, or an OR operator to logically combine dictionary simple conditions, which can be added from the library. Click the Action icon to do the following: Add Attribute/Value Add Condition from Library Delete Create New Condition (Advance Option) Condition Name Expression Operator Value Select attributes from various system or user-defined dictionaries. You can also add predefined conditions from the policy elements library in the subsequent steps. Choose a dictionary simple condition that you have already created. From the Expression drop-down list, you can create a dictionary simple condition. Choose an operator to associate a value to an attribute. Enter a value that you want to associate to the dictionary attribute, or choose a value from the drop-down list. Dictionaries and Dictionary Attributes Simple and Compound Conditions Compound Posture Conditions Create Compound Posture Conditions Time and Date Condition Settings The following table describes the fields in the Time and Date Conditions page. The navigation path for this page is: Policy > Policy Elements > Conditions > Common > Time and Date. Table 16: Time and Date Condition Settings Condition Name Enter the name of the time and date condition. Enter a description of the time and date condition. 21

Results Standard Settings All Day Specific Hours Every Day Specific Days No Start and End Dates Specific Date Range Specific Date (Default) Set for the entire day. Configure hours, minutes, and AM/PM to set a to-and-from time range. (Default) Set for every day. Configure one or more specific days of the week. (Default) Set with no start or end date. Configure the month, day, and year to set a to-and-from date range. Configure a specific month, day, and year. Exceptions Time Range Week Days Date Range Configure the hours, minutes, and AM/PM to set a to-and-from time range. Configure one or more specific days of the week. Choose on the following two options: Specific Date Range Provides drop-down lists you can use to configure a specific to-and-from date range by month, day, and year. Specific Date Provides drop-down lists you can use to configure a specific month, day, and year. Time and Date Conditions Create Time and Date Conditions Results This section describes requirements for Cisco ISE services. Allowed Protocols The following table describes the fields in the Allowed Protocols page, which allows you to configure the protocols to be used during authentication. The navigation path for this page is: Policy > Policy Elements > Results > Authentication > Allowed Protocols. In the following table, PAC stands for Protected Access Credentials. 22

Allowed Protocols Table 17: Allowed Protocols Allowed Protocols > Authentication Bypass Process Host Lookup Check this check box if you want Cisco ISE to process the Host Lookup request. The Host Lookup request is processed for PAP/CHAP protocol when the RADIUS Service-Type equals 10 (Call-Check) and the username is equal to Calling-Station-ID. The Host Lookup request is processed for EAP-MD5 protocol when the Service-Type equals 1 (Framed) and the username is equal to Calling-Station-ID. Uncheck this check box if you want Cisco ISE to ignore the Host Lookup request and use the original value of the system username attribute for authentication. When unchecked, message processing is done according to the protocol (for example, PAP). Allowed Protocols > Authentication Protocols Allow PAP/ASCII Allow CHAP Allow MS-CHAPv1 Allow MS-CHAPv2 Allow EAP-MD5 Allow EAP-TLS This option enables PAP/ASCII. PAP uses cleartext passwords (that is, unencrypted passwords) and is the least secure authentication protocol. This option enables CHAP authentication. CHAP uses a challenge-response mechanism with password encryption. CHAP does not work with Microsoft Active Directory. Check this check box to enable MS-CHAPv1. Check this check box to enable MS-CHAPv2. Check this check box to enable EAP-based MD5 password hashed authentication. Check this check box to enable EAP-TLS Authentication protocol and configures EAP-TLS settings. You can specify how Cisco ISE will verify the user identity as presented in the EAP identity response from the end-user client. User identity is verified against information in the certificate that the end-user client presents. This comparison occurs after an EAP-TLS tunnel is established between Cisco ISE and the end-user client. Note EAP-TLS is a certificate-based authentication protocol. EAP-TLS authentication can occur only after you have completed the required steps to configure certificates. Allow authentication of expired certificates to allow certificate renewal in Authorization Policy Check this check box, if you want to allow users to renew certificates. If you check this check box, ensure that you configure appropriate authorization policy rules to check if the certificate has been renewed before processing the request any further. Allow LEAP Check this check box to enable Lightweight Extensible Authentication Protocol (LEAP) authentication. 23

Allowed Protocols Allow PEAP Check this check box to enable PEAP authentication protocol and PEAP settings. The default inner method is MS-CHAPv2. When you check the Allow PEAP check box, you can configure the following PEAP inner methods: Allow EAP-MS-CHAPv2 Check this check box to use EAP-MS-CHAPv2 as the inner method. Allow Password Change Check this check box for Cisco ISE to support password changes. Retry Attempts Specifies how many times Cisco ISE requests user credentials before returning login failure. Valid values are 0 to 3. Allow EAP-GTC Check this check box to use EAP-GTC as the inner method. Allow Password Change Check this check box for Cisco ISE to support password changes. Retry Attempts Specifies how many times Cisco ISE requests user credentials before returning login failure. Valid values are 0 to 3. Allow EAP-TLS Check this check box to use EAP-TLS as the inner method. Check the Allow authentication of expired certificates to allow certificate renewal in Authorization Policy check box, if you want to allow users to renew certificates. If you check this check box, ensure that you configure appropriate authorization policy rules to check if the certificate has been renewed before processing the request any further. Allow PEAPv0 only for legacy clients Check this check box to allow PEAP supplicants to negotiate using PEAPv0. Some legacy clients do not conform to the PEAPv1 protocol standards. To ensure that such PEAP conversations are not dropped, check this check box. 24

Allowed Protocols Allow EAP-FAST 25

Allowed Protocols Check this check box to enable EAP-FAST authentication protocol and EAP-FAST settings. The EAP-FAST protocol can support multiple internal protocols on the same server. The default inner method is MS-CHAPv2. When you check the Allow EAP-FAST check box, you can configure EAP-FAST as the inner method: Allow EAP-MS-CHAPv2 Allow Password Change Check this check box for Cisco ISE to support password changes. Retry Attempts Specifies how many times Cisco ISE requests user credentials before returning login failure. Valid values are 0-3. Allow EAP-GTC Allow Password Change Check this check box for Cisco ISE to support password changes. Retry Attempts Specifies how many times Cisco ISE requests user credentials before returning login failure. Valid values are 0-3. Use PACs Choose this option to configure Cisco ISE to provision authorization PACs for EAP-FAST clients. Additional PAC options appear. Don't use PACs Choose this option to configure Cisco ISE to use EAP-FAST without issuing or accepting any tunnel or machine PACs. All requests for PACs are ignored and Cisco ISE responds with a Success-TLV without a PAC. When you choose this option, you can configure Cisco ISE to perform machine authentication. Allow EAP-TLS Check this check box to use EAP-TLS as the inner method. Check the Allow authentication of expired certificates to allow certificate renewal in Authorization Policy check box, if you want to allow users to renew certificates. If you check this check box, ensure that you configure appropriate authorization policy rules to check if the certificate has been renewed before processing the request any further. Enable EAP Chaining Check this check box to enable EAP chaining. EAP chaining allows Cisco ISE to correlate the results of user and machine authentication and apply the appropriate authorization policy using the EAPChainingResult attribute. EAP chaining requires a supplicant that supports EAP chaining on the client device. Cisco ISE supports AnyConnect 4.0. Choose the User and Machine Authentication option in the supplicant. EAP chaining is available when you choose the EAP-FAST protocol (both in PAC based and PAC less mode). For PAC-based authentication, you can use user authorization PAC or machine authorization PAC, or both to skip the inner method. For certificate-based authentication, if you enable the Accept Client Certificate for Provisioning option for the EAP-FAST protocol (in the Allowed Protocol service), and 26

PAC Options if the endpoint (AnyConnect) is configured to send the user certificate inside the tunnel, then during tunnel establishment, ISE authenticates the user using the certificate (the inner method is skipped), and machine authentication is done through the inner method. If these options are not configured, EAP-TLS is used as the inner method for user authentication. After you enable EAP chaining, update your authorization policy and add a condition using the NetworkAccess:EapChainingResult attribute and assign appropriate permissions. For example: If EapChainingResult equal User and machine both succeeded - Full access If EapChainingResult equal User passed and machine failed - Restricted access If EapChainingResult equal User failed and machine passed - Restricted access If EapChainingResult equal User and machine both failed - Authentication fails. Cisco ISE does not process the authorization policy and sends a reject access message. Preferred EAP Protocol Check this check box to choose your preferred EAP protocols from any of the following options: EAP-FAST, PEAP, LEAP, EAP-TLS, EAP-TTLS, and EAP-MD5. If you do not specify the preferred protocol, EAP-TLS is used by default. Define Allowed Protocols for Network Access PAC Options The following table describes the fields after you select Use PACs in the Allowed Protocols Services List page. The navigation path for this page is: Policy > Policy Elements > Results > Authentication > Allowed Protocols. 27

PAC Options Table 18: PAC Options Use PAC 28

PAC Options Tunnel PAC Time To Live The Time to Live (TTL) value restricts the lifetime of the PAC. Specify the lifetime value and units. The default is 90 days. The range is between 1 and 1825 days. Proactive PAC Update When: <n%> of PAC TTL is Left The Update value ensures that the client has a valid PAC. Cisco ISE initiates an update after the first successful authentication but before the expiration time that is set by the TTL. The update value is a percentage of the remaining time in the TTL. The default is 90%. Allow Anonymous In-band PAC Provisioning Check this check box for Cisco ISE to establish a secure anonymous TLS handshake with the client and provision it with a PAC by using phase zero of EAP-FAST with EAP-MSCHAPv2. To enable anonymous PAC provisioning, you must choose both of the inner methods, EAP-MSCHAPv2 and EAP-GTC. Allow Authenticated In-band PAC Provisioning Cisco ISE uses SSL server-side authentication to provision the client with a PAC during phase zero of EAP-FAST. This option is more secure than anonymous provisioning but requires that a server certificate and a trusted root CA be installed on Cisco ISE. When you check this option, you can configure Cisco ISE to return an Access-Accept message to the client after successful authenticated PAC provisioning. Server Returns Access Accept After Authenticated Provisioning Check this check box if you want Cisco ISE to return an access-accept package after authenticated PAC provisioning. Allow Machine Authentication Check this check box for Cisco ISE to provision an end-user client with a machine PAC and perform machine authentication (for end-user clients who do not have the machine credentials). The machine PAC can be provisioned to the client by request (in-band) or by the administrator (out-of-band). When Cisco ISE receives a valid machine PAC from the end-user client, the machine identity details are extracted from the PAC and verified in the Cisco ISE external identity source. Cisco ISE only supports Active Directory as an external identity source for machine authentication. After these details are correctly verified, no further authentication is performed. When you check this option, you can enter a value for the amount of time that a machine PAC is acceptable for use. When Cisco ISE receives an expired machine PAC, it automatically reprovisions the end-user client with a new machine PAC (without waiting for a new machine PAC request from the end-user client). Enable Stateless Session Resume Check this check box for Cisco ISE to provision authorization PACs for EAP-FAST clients and skip phase two of EAP-FAST (default = enabled). Uncheck this check box in the following cases: If you do not want Cisco ISE to provision authorization PACs for 29

Authorization Profile Settings EAP-FAST clients To always perform phase two of EAP-FAST When you check this option, you can enter the authorization period of the user authorization PAC. After this period, the PAC expires. When Cisco ISE receives an expired authorization PAC, it performs phase two EAP-FAST authentication. OOB TrustSec PAC Generate the PAC for EAP-FAST Authorization Profile Settings The following table describes the fields in the Standard Authorization Profiles page. The navigation path for this page is: Policy > Policy Elements > Results > Authorization > Authorization Profiles. Table 19: Authorization Profile settings Name Access Type Service Template Enter a name that identifies the new authorization profile. Enter a description of the authorization profile. Choose the access type options (ACCESS_ACCEPT or ACCESS_REJECT). Check the check box to enable Cisco ISE to support sessions connecting from SAnet capable devices. ISE implements service templates as authorization profiles that contain a special flag that marks them as Service Template compatible. This way, the service template, which is also an authorization profile, can be used in a single policy to support connection with SAnet as well as non-sanet devices. Common Tasks DACL Name Check the check box and choose existing downloadable ACL options available (for example, Cisco ISE provides two default values in the drop-down list: PERMIT_ALL_TRAFFIC or DENY_ALL_TRAFFIC). The list will include all current DACLs in the local database. 30

Authorization Profile Settings VLAN Voice Domain Permission Posture Discovery Centralized Web Authentication Check the check box and enter an attribute value that identifies a virtual LAN (VLAN) ID that you want associated with the new authorization profile you are creating (both integer and string values are supported for the VLAN ID). The format for this entry would be Tunnel-Private-Group-ID:VLANnumber. Note If you do not select a VLAN ID, Cisco ISE uses a default value of VLAN ID = 1. For example, if you only entered 123 as your VLAN number, the Attributes Details pane reflects the following value: Tunnel-Private-Group-ID = 1:123. Check the check box to enable the vendor-specific attribute (VSA) of cisco-av-pair to be associated with a value of device-traffic-class=voice. In a multi-domain authorization mode, if the network switch receives this VSA, the endpoint is placed on to a voice domain after authorization. Check the check box to enable a redirection process used for Posture discovery in Cisco ISE, and enter an ACL on the device that you want to associate with this authorization profile. For example, if the value you entered is acl119, this is reflected in the Attributes Details pane as: cisco-av-pair = url-redirect-acl = acl119. The Attributes Details pane also displays: cisco-av-pair = url-redirect=https://ip:8443/guestportal/gateway?sessionid= SessionValueIdValue&action=cpp. Check the check box to enable a redirection process that is similar to Posture discovery, but it redirects guest user access requests to the Guest server in Cisco ISE. Enter an ACL on the device that you want to associate with this authorization profile, and select Default or Manual as the redirect option. For example, if the value you entered is acl-999, this is reflected in the Attributes Details pane as: cisco-av-pair = url-redirect-acl = acl-99. The Attributes Details pane also displays: cisco-av-pair = url-redirect=https://ip:8443/guestportal/gateway?sessionid=sessionvalueidvalue&action=cwa. Check the Static IP/Host Name check box to specify an exact IP address or hostname to which you want the user to be redirected to. If this check box is not checked, the user will be redirected to the FQDN of the policy service node that received this request. Web Redirection (CWA, DRW, MDM, NSP, CPP) Auto SmartPort Filter-ID Check the check box to enable Auto SmartPort functionality and enter a corresponding event name value in the text box. This enables the VSA cisco-av-pair with a value for this option as auto-smart-port=event_name. Your choice is reflected in the Attributes Details pane. Check the check box to enable a RADIUS filter attribute that sends the ACL name that you define in the text box (which is automatically appended with.in ). Your choice is reflected in the Attributes Details pane. 31

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback