Cisco Identity Services Engine User guide

Brand: Cisco

Model: Identity Services Engine

Category: Software

Type: User guide

This manual is also suitable for

Identity Services Engine 3.0

Cisco Identity Services Engine Administrator Guide, Release 3.0

Americas Headquarters

Cisco Systems, Inc.

170 West Tasman Drive

San Jose, CA 95134-1706

USA

http://www.cisco.com

Tel: 408 526-4000

800 553-NETS (6387)

Fax: 408 527-0883

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS,

INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND,

EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH

THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY,

CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version of

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS" WITH ALL FAULTS.

CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF

MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT

LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS

HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network

topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional

and coincidental.

All printed copies and duplicate soft copies of this document are considered uncontrolled. See the current online version for the latest version.

Cisco has more than 200 offices worldwide. Addresses and phone numbers are listed on the Cisco website at www.cisco.com/go/offices.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL:

https://www.cisco.com/c/en/us/about/legal/trademarks.html. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a

partnership relationship between Cisco and any other company. (1721R)

CONTENTS

Full Cisco Trademarks with Software License ?

Overview 1

CHAPTER 1

Cisco ISE Overview 1

Cisco ISE Features 2

Cisco ISE Administrators 3

Force CLI Administrator to Use External Identity Store 3

Create a New Administrator 4

Cisco ISE Administrator Groups 5

Create an Admin Group 15

Administrative Access to Cisco ISE 16

Role-Based Admin Access Control in Cisco ISE 17

Role-Based Permissions 17

RBAC Policies 17

Default Menu Access Permissions 18

Configure Menu Access Permissions 18

Prerequisites for Granting Data Access Permissions 19

Default Data Access Permissions 19

Configure Data Access Permissions 21

Read-Only Admin Policy 21

Customize Menu Access for the Read-Only Administrator 21

Licensing 23

CHAPTER 2

Cisco ISE Licenses 23

Tier Licenses 24

Device Administration Licenses 26

Cisco Identity Services Engine Administrator Guide, Release 3.0

iii

Virtual Appliance Licenses 26

Evaluation Licenses 27

Cisco ISE Smart Licensing 27

Manage Smart Licensing in Cisco ISE 29

Smart Licensing for Air-Gapped Networks 30

Configure Smart Software Manager On-Prem for Smart Licensing 30

Unregistered License Consumption 31

Deployment 33

CHAPTER 3

Cisco ISE Deployment Terminology 33

Personas in Distributed Cisco ISE Deployments 34

Configure a Cisco ISE Node 34

Configure a Primary Policy Administration Node (PAN) 35

Support for Multiple Deployment Scenarios 37

Cisco ISE Distributed Deployment 37

Cisco ISE Deployment Setup 37

Data Replication from Primary to Secondary ISE Nodes 37

Cisco ISE Node Deregistration 38

Guidelines for Setting Up a Distributed Deployment 38

Menu Options Available on Primary and Secondary Nodes 39

Deployment and Node Settings 40

Deployment Nodes List Window 41

General Node Settings 42

Profiling Node Settings 48

Logging Settings 50

Remote Logging Target Settings 50

Configure Logging Categories 52

Admin Access Settings 53

Administrator Password Policy Settings 53

Session Timeout and Session Information Settings 56

Administration Node 56

High Availability for the Administrative Node 56

Cisco Identity Services Engine Administrator Guide, Release 3.0

Contents

High-Availability Health Check Nodes 58

Health Check Nodes 58

Automatic Failover to the Secondary PAN 59

Sample Scenarios when Automatic Failover is Avoided 60

Functionalities Affected by the PAN Automatic Failover Feature 60

Configure Primary PAN for Automatic Failover 62

Manually Promote Secondary PAN to Primary 63

Reusing a Node of an Existing Cisco ISE Deployment as a Primary PAN for a New Cisco ISE

Deployment 64

Restoring Service to the Primary PAN 64

Support for Automatic Failover for the Administration Node 64

Policy Service Node 64

High Availability in Policy Service Nodes 65

Load Balancer to Distribute Requests Evenly Among PSNs 65

Session Failover in Policy Service Nodes 65

Number of Nodes in a Policy Service Node Group 66

Light Data Distribution 66

RADIUS Session Directory 67

Endpoint Owner Directory 67

Monitoring Node 67

Manually Modify the MnT Role 68

Syslog over Cisco ISE Messaging Service 68

Automatic Failover in MnT Nodes 70

Monitoring Database 71

Back Up and Restore the Monitoring Database 71

Monitoring Database Purge 72

Guidelines for Purging the Monitoring Database 72

Operational Data Purging 72

Purge Older Operational Data 73

Configure MnT Nodes for Automatic Failover 74

Cisco pxGrid Node 74

Deploy Cisco pxGrid Node 76

Configure Cisco pxGrid Settings 77

Generate Cisco pxGrid Certificate 77

Cisco Identity Services Engine Administrator Guide, Release 3.0

Contents

Control Permissions for Cisco pxGrid Clients 79

View Nodes in a Deployment 80

Download Endpoint Statistical Data from MnT Nodes 80

Database Crash or File Corruption Issues 81

Device Configuration for Monitoring 81

Synchronize Primary and Secondary Cisco ISE Nodes 81

Change Node Personas and Services 82

Effects of Modifying Nodes in Cisco ISE 82

Create a Policy Service Node Group 82

Remove a Node from Deployment 83

Shut Down a Cisco ISE Node 84

Change the Hostname or IP Address of a Standalone Cisco ISE Node 85

Basic Setup 87

CHAPTER 4

Administration Portal 88

Cisco ISE Home Dashboards 92

Configuring Home Dashboards 93

Context Visibility Views 94

Attributes in Context Visibility 95

The Application Dashboard 96

The Hardware Dashboard 97

Dashlets 99

Filtering Displayed Data in a View 100

Create Custom Filters 102

Filter Data by Conditions Using the Advanced Filter 102

Filter Data by Field Attributes Using the Quick Filter 102

Endpoint Actions in Dashlet Views 102

Cisco ISE Dashboard 103

Cisco ISE Internationalization and Localization 106

Supported Languages 106

End-User Web Portal Localization 107

Support for UTF-8 Character Data Entry 107

UTF-8 Credential Authentication 107

UTF-8 Policies and Posture Assessment 108

Cisco Identity Services Engine Administrator Guide, Release 3.0

Contents

UTF-8 Support for Messages Sent to Supplicant 108

Reports and Alerts UTF-8 Support 108

UTF-8 Character Support in the Portals 108

UTF-8 Support Outside the Cisco ISE User Interface 111

Support for Importing and Exporting UTF-8 Values 112

UTF-8 Support on REST 112

UTF-8 Support for Identity Stores Authorization Data 112

MAC Address Normalization 112

Cisco ISE Deployment Upgrade 113

Administrator Access Console 113

Administrator Login Browser Support 113

Administrator Lockout Due to Failed Login Attempts 114

Configure Proxy Settings in Cisco ISE 114

Ports Used by the Administration Portal 115

Set Up the Cisco ISE Application Programming Interface Gateway 115

Enable External RESTful Services Application Programming Interface 116

Enable External AD Access for External RESTful Services Application Programming Interface

117

External RESTful Services Software Development Kit 118

Specify System Time and Network Time Protocol Server Settings 118

Change the System Time Zone 119

Configure SMTP Server to Support Notifications 120

Interactive Help 121

Enable Secure Unlock Client Mechanism 121

Federal Information Processing Standard Mode Support 123

Enable Federal Information Processing Standard Mode in Cisco ISE 124

Configure Cisco ISE for Administrator Common Access Card Authentication 124

Secure SSH Key Exchange Using Diffie-Hellman Algorithm 127

Configure Cisco ISE to Send Secure Syslog 127

Configure Secure Syslog Remote Logging Target 127

Remote Logging Target Settings 128

Enable Logging Categories to Send Auditable Events to the Secure Syslog Target 129

Configure Logging Categories 130

Disable TCP Syslog and UDP Syslog Collectors 131

Cisco Identity Services Engine Administrator Guide, Release 3.0

vii

Contents

Default Secure Syslog Collector 131

Offline Maintenance 132

Configure Endpoint Login Credentials 133

Certificate Management in Cisco ISE 133

Configure Certificates in Cisco ISE to Enable Secure Access 133

Certificate Usage 134

Certificate Matching in Cisco ISE 135

Validity of X.509 Certificates 136

Enable Public Key Infrastructure in Cisco ISE 136

Wildcard Certificates 137

Wildcard Certificate Support in Cisco ISE 138

Wildcard Certificates for HTTPS and Extensible Authentication Protocol Communication 138

Fully Qualified Domain Name in URL Redirection 139

Advantages of Using Wildcard Certificates 140

Disadvantages of Using Wildcard Certificates 140

Wildcard Certificate Compatibility 141

Certificate Hierarchy 141

System Certificates 141

View System Certificates 143

Import a System Certificate 143

System Certificate Import Settings 144

Generate a Self-Signed Certificate 145

Self-Signed Certificate Settings 146

Edit a System Certificate 148

Delete System Certificate 149

Export a System Certificate 150

Trusted Certificates Store 150

Certificates in Trusted Certificates Store 151

List of Trusted Certificates 152

Trusted Certificate Naming Constraint 153

View Trusted Certificates 154

Change the Status of a Certificate in Trusted Certificates Store 154

Add a Certificate to Trusted Certificates Store 154

Edit a Trusted Certificate 155

Cisco Identity Services Engine Administrator Guide, Release 3.0

viii

Contents

Trusted Certificate Settings 155

Delete Trusted Certificates 157

Export a Certificate from the Trusted Certificates Store 158

Import the Root Certificates to the Trusted Certificate Store 158

Trusted Certificate Import Settings 159

Certificate Chain Import 160

Install Trusted Certificates for Cisco ISE Inter-node Communication 160

Default Trusted Certificates in Cisco ISE 161

Certificate Signing Requests 164

Create a Certificate Signing Request and Submit it to a Certificate Authority 164

Bind the CA-Signed Certificate to the Certificate Signing Request 165

Export a Certificate Signing Request 166

Certificate Signing Request Settings 166

Set Up Certificates for Portal Use 171

Reassign Default Portal Certificate Group Tag to CA-Signed Certificate 172

Associate the Portal Certificate Tag Before You Register a Node 172

User and Endpoint Certificate Renewal 173

Dictionary Attributes Used in Policy Conditions for Certificate Renewal 174

Authorization Policy Condition for Certificate Renewal 174

CWA Redirect to Renew Certificates 174

Configure Cisco ISE to Allow Users to Renew Certificates 174

Update the Allowed Protocol Configuration 174

Create an Authorization Policy Profile for CWA Redirection 175

Create an Authorization Policy Rule to Renew Certificates 176

Enable BYOD Settings in the Guest Portal 176

Certificate Renewal Fails for Apple iOS Devices 177

Certificate Periodic Check Settings 177

Cisco ISE CA Service 177

Cisco ISE Certificate Fingerprinting 178

Create a Policy with SHA-256 fingerprint 179

Create and Map the Authentication Policy with SHA-256 Fingerprint 179

Create an Authorization Policy 180

Verify PRRT Logs 180

ISE CA Certificates Provisioned on Administration and Policy Service Nodes 180

Cisco Identity Services Engine Administrator Guide, Release 3.0

Contents

Requirements for CA to Interoperate with Cisco ISE 182

ISE CA Chain Regeneration 183

Cisco ISE Messaging Certificate Support with External CA 183

Elliptical Curve Cryptography Certificates Support 184

Cisco ISE Certificate Authority Certificates 185

Edit a Cisco ISE CA Certificate 186

Export a Cisco ISE CA Certificate 186

Import a Cisco ISE CA Certificate 186

Certificate Templates 187

Certificate Template Name Extension 187

Use Certificate Template Name in Authorization Policy Conditions 187

Deploy Cisco ISE CA Certificates for pxGrid Controller 188

Simple Certificate Enrollment Protocol Profiles 188

Issued Certificates 189

Issued and Revoked Certificates 189

Backup and Restore of Cisco ISE CA Certificates and Keys 190

Export Cisco ISE CA Certificates and Keys 191

Import Cisco ISE CA Certificates and Keys 191

Generate Root CA and Subordinate CAs on the Primary PAN and PSN 192

Configure Cisco ISE Root CA as Subordinate CA of an External PKI 192

Configure Cisco ISE to Use Certificates for Authenticating Personal Devices 193

Add Users to the Employee User Group 194

Create a Certificate Authentication Profile for TLS-Based Authentication 194

Create an Identity Source Sequence for TLS-Based Authentication 195

Configure Certificate Authority Settings 195

Create a CA Template 196

Internal CA Settings 198

Create a Native Supplicant Profile to be Used in Client Provisioning Policy 198

Download Agent Resources from Cisco Site for Windows and MAC OS X Operating Systems

199

Create Client Provisioning Policy Rules for Apple iOS, Android, and MACOSX Devices 200

Configure the Dot1X Authentication Policy Rule for TLS-Based Authentication 200

Create Authorization Profiles for Central Web Authentication and Supplicant Provisioning Flows

201

Cisco Identity Services Engine Administrator Guide, Release 3.0

Contents

Create Authorization Policy Rules 202

CA Service Policy Reference 202

Client Provisioning Policy Rules for Certificate Services 202

Authorization Profiles for Certificate Services 203

Authorization Policy Rules for Certificate Services 204

ISE CA Issues Certificates to ASA VPN Users 205

VPN Connection Certificate Provisioning Flow 205

Configure Cisco ISE CA to Issue Certificates to ASA VPN Users 206

Revoke an Endpoint Certificate 209

OCSP Services 209

Cisco ISE CA Service Online Certificate Status Protocol Responder 210

OCSP Certificate Status Values 210

OCSP High Availability 210

OCSP Failures 211

Add OCSP Client Profiles 211

OCSP Client Profile Settings 212

OCSP Statistics Counters 214

Configure Admin Access Policies 215

Administrator Access Settings 216

Configure the Maximum Number of Concurrent Administrative Sessions and Login Banners 216

Allow Administrative Access to Cisco ISE from Select IP Addresses 217

Allow Access to the MnT Section in Cisco ISE 217

Configure a Password Policy for Administrator Accounts 218

Configure Account Disable Policy for Administrator Accounts 219

Configure Lock or Suspend Settings for Administrator Accounts 219

Configure Session Timeout for Administrators 220

Terminate an Active Administrative Session 220

Change Administrator Name 220

Admin Access Settings 221

Administrator Password Policy Settings 221

Session Timeout and Session Information Settings 224

Maintain and Monitor 225

CHAPTER 5

Adaptive Network Control 226

Cisco Identity Services Engine Administrator Guide, Release 3.0

Contents

Enable Adaptive Network Control in Cisco ISE 227

Configure Network Access Settings 227

Create Authorization Profiles for Network Access through ANC 228

ANC Quarantine and Unquarantine Flow 228

ANC NAS Port Shutdown Flow 229

Endpoints Purge Settings 230

Quarantined Endpoints Do Not Renew Authentication Following Policy Change 231

ANC Operations Fail when IP Address or MAC Address is not Found 231

Externally Authenticated Administrators Cannot Perform ANC Operations 232

Backup Data Type 232

Backup and Restore Repositories 233

Create Repositories 234

Repository Settings 236

Enable RSA Public Key Authentication in SFTP Repository 237

On-Demand and Scheduled Backups 237

Perform an On-Demand Backup 237

On-Demand Backup Settings 239

Schedule a Backup 240

Scheduled Backup Settings 241

Backup Using the CLI 242

Backup History 242

Backup Failures 242

Cisco ISE Restore Operation 243

Guidelines for Data Restoration 243

Restoration of Configuration or Monitoring (Operational) Backup from the CLI 244

Restore Configuration Backups from the GUI 246

Restoration of Monitoring Database 247

Restore a Monitoring (Operational) Backup in a Standalone Environment 247

Restore a Monitoring Backup with Administration and Monitor Personas 248

Restore a Monitoring Backup with a Monitoring Persona 248

Restore History 249

Export Authentication and Authorization Policy Configuration 249

Schedule Policy Export Settings 250

Synchronize Primary and Secondary Nodes in a Distributed Environment 250

Cisco Identity Services Engine Administrator Guide, Release 3.0

xii

Contents

Recovery of Lost Nodes in Standalone and Distributed Deployments 251

Recovery of Lost Nodes Using Existing IP Addresses and Hostnames in a Distributed Deployment

251

Recovery of Lost Nodes Using New IP Addresses and Hostnames in a Distributed Deployment 252

Recovery of a Node Using Existing IP Address and Hostname in a Standalone Deployment 252

Recovery of a Node Using New IP Address and Hostname in a Standalone Deployment 253

Configuration Rollback 253

Recovery of Primary Node in Case of Failure in a Distributed Deployment 254

Recovery of Secondary Node in Case of Failure in a Distributed Deployment 254

Cisco ISE Logging Mechanism 254

Configure Syslog Purge Settings 255

Cisco ISE System Logs 255

Configure Remote Syslog Collection Locations 256

Cisco ISE Message Codes 257

Set Severity Levels for Message Codes 258

Cisco ISE Message Catalogs 258

Endpoint Debug Log Collector 258

Download Debug Logs for a Specific Endpoint 258

Collection Filters 259

Configure Collection Filters 259

Event Suppression Bypass Filter 260

Cisco ISE Reports 260

Report Filters 260

Create the Quick Filter Criteria 261

Create the Advanced Filter Criteria 261

Run and View Reports 262

Reports Navigation 262

Export Reports 262

Schedule and Save Cisco ISE Reports 263

Cisco ISE Active RADIUS Sessions 264

Change Authorization for RADIUS Sessions 265

Available Reports 266

RADIUS Live Logs 286

Authentication Latency 289

Cisco Identity Services Engine Administrator Guide, Release 3.0

xiii

Contents

RADIUS Live Sessions 289

TACACS Live Logs 293

Export Summary 295

Device Administration 297

CHAPTER 6

TACACS+ Device Administration 297

Device Administration Work Center 298

Device Administration Deployment Settings 299

Device Admin Policy Sets 299

Create Device Administration Policy Sets 300

TACACS+ Authentication Settings and Shared Secret 301

Device Administration - Authorization Policy Results 303

Allowed Protocols in FIPS and Non-FIPS Modes for TACACS+ Device Administration 303

TACACS+ Command Sets 303

Wildcards and Regex in Command Sets 303

Command Line and Command Set List Match 304

Process Rules with Multiple Command Sets 305

Create TACACS+ Command Sets 305

TACACS+ Profile 306

Create TACACS+ Profiles 306

Common Tasks Settings 307

Access the Command-Line Interface to Change the Enable Password 309

Configure Global TACACS+ Settings 310

Data Migration from Cisco Secure ACS to Cisco ISE 311

Monitor Device Administration Activity 311

TACACS Live Logs 311

Guest and Secure WiFi 315

CHAPTER 7

Cisco ISE Guest Services 315

End-User Guest and Sponsor Portals in Distributed Environment 316

Guest and Sponsor Accounts 316

Guest Types and User Identity Groups 317

Create or Edit Guest Types 317

Disable a Guest Type 320

Cisco Identity Services Engine Administrator Guide, Release 3.0

xiv

Contents

Configure Maximum Simultaneous Logins for Endpoint Users 321

Schedule When to Purge Expired Guest Accounts 322

Add Custom Fields for Guest Account Creation 323

Specify Email Addresses and SMTP Servers for Email Notifications 323

Assign Guest Locations and SSIDs 324

Rules for Guest Password Policies 325

Set the Guest Password Policy and Expiration 326

Rules for Guest Username Policies 327

Set the Guest Username Policy 327

SMS Providers and Services 328

Configure SMS Gateways to Send SMS Notifications to Guests 328

Social Login for Self-Registered Guests 330

Configuring Social Login 332

Guest Portals 334

Credentials for Guest Portals 334

Guest Access with Hotspot Guest Portals 335

Guest Access with Credentialed Guest Portals 335

Employee Access with Credentialed Guest Portals 336

Guest Device Compliance 336

Guest Portals Configuration Tasks 336

Enable Policy Services 337

Add Certificates for Guest Portals 337

Create External Identity Sources 338

Create Identity Source Sequences 339

Create Endpoint Identity Groups 340

Create a Hotspot Guest Portal 340

Create a Sponsored-Guest Portal 340

Create a Self-Registered Guest Portal 342

Authorize Portals 346

Customize Guest Portals 347

Configure Periodic AUP Acceptance 347

Forcing Periodic AUP 347

Guest Remember Me 348

Sponsor Portals 348

Cisco Identity Services Engine Administrator Guide, Release 3.0

Contents

Managing Guest Accounts on the Sponsor Portal 348

Managing Sponsor Accounts 350

Configure Account Content for Sponsor Account Creation 354

Configure a Sponsor Portal Flow 355

Enable Policy Services 355

Add Certificates for Guest Services 356

Create External Identity Sources 356

Create Identity Source Sequences 357

Create a Sponsor Portal 357

Customize Sponsor Portals 358

Configuring Account Content for Sponsor Account Creation 358

Configuring the Time Settings Available to Sponsors 359

Kerberos Authentication for the Sponsor Portal 359

Sponsors Cannot Log In to the Sponsor Portal 361

Monitor Guest and Sponsor Activity 361

Metrics Dashboard 362

AUP Acceptance Status Report 362

Guest Accounting Report 362

Primary Guest Report 362

Sponsor Login and Audit Report 363

Audit Logging for Guest and Sponsor Portals 363

Guest Access Web Authentication Options 363

NAD with Central WebAuth Process 364

Wireless LAN Controller with Local WebAuth Process 365

Wired NAD with Local WebAuth Process 366

IP Address and Port Values Required for the Login.html Page 366

HTTPS Server Enabled on the NAD 367

Support for Customized Authentication Proxy Web Pages on the NAD 367

Configure Web Authentication on the NAD 367

Device Registration WebAuth Process 368

Guest Portal Settings 370

Portal Identification Settings 370

Portal Settings for Hotspot Guest Portals 371

Acceptable Use Policy (AUP) Page Settings for Hotspot Guest Portals 373

Cisco Identity Services Engine Administrator Guide, Release 3.0

xvi

Contents

Post-Access Banner Page Settings for Hotspot Portals 373

Portal Settings for Credentialed Guest Portals 373

Self-Registration Page Settings 377

Self Registration Success Page Settings 379

Acceptable Use Policy (AUP) Page Settings for Credentialed Guest Portals 380

Guest Change Password Settings for Credentialed Guest Portals 381

Guest Device Registration Settings for Credentialed Guest Portals 381

BYOD Settings for Credentialed Guest Portals 381

Post-Login Banner Page Settings for Credentialed Guest Portals 382

Guest Device Compliance Settings for Credentialed Guest Portals 383

VLAN DHCP Release Page Settings for Guest Portals 383

Authentication Success Settings for Guest Portals 384

Support Information Page Settings for Guest Portals 384

Sponsor Portal Application Settings 385

Portal Identification Settings 385

Portal Settings for Sponsor Portals 386

Acceptable Use Policy (AUP) Settings for Sponsor Portals 389

Sponsor Change Password Settings for Sponsor Portals 390

Post-Login Banner Settings for Sponsor Portals 390

Support Information Page Settings for Sponsor Portals 390

Notify Guests Customization for Sponsor Portals 391

Manage and Approve Customization for Sponsor Portals 392

Global Settings for Guest and Sponsor Portals 392

Guest Type Settings 393

Sponsor Group Settings 395

End-User Portals 398

Customization of End-User Web Portals 398

Portal Content Types 400

Basic Customization of Portals 400

Modify the Portal Theme Colors 401

Change the Portal Display Language 401

Change the Portal Icons, Images, and Logos 402

Cisco Identity Services Engine Administrator Guide, Release 3.0

xvii

Contents

Update the Portal Banner and Footer Elements 402

Change the Titles, Instructions, Buttons, and Label Text 403

Format and Style Text Box Content 403

Variables for Portal Pages Customization 404

View Your Customization 407

Custom Portal Files 408

Advanced Customization of Portals 408

Enable Advanced Portal Customization 409

Portal Theme and Structure CSS Files 409

About Changing Theme Colors with jQuery Mobile 410

Change Theme Colors with jQuery Mobile 411

Location Based Customization 412

User Device Type Based Customization 413

Export a Portal’s Default Theme CSS File 413

Create a Custom Portal Theme CSS File 413

Embed Links in Portal Content 414

Insert Variables for Dynamic Text Updates 415

Use Source Code to Format Text and Include Links 416

Add an Image as an Advertisement 416

Set Up Carousel Advertising 417

Customize Greetings Based on Guest Location 419

Customize Greetings Based on User Device Type 420

Modify the Portal Page Layout 421

Import the Custom Portal Theme CSS File 422

Delete a Custom Portal Theme 423

View Your Customization 423

Portal Language Customization 424

Export the Language File 425

Add or Delete Languages from the Language File 425

Import the Updated Language File 426

Customization of Guest Notifications, Approvals, and Error Messages 427

Customize Email Notifications 427

Customize SMS Text Message Notifications 428

Customize Print Notifications 429

Cisco Identity Services Engine Administrator Guide, Release 3.0

xviii

Contents

Customize Approval Request Email Notifications 429

Edit Error Messages 430

Portal Pages Titles, Content and Labels Character Limits 430

Character Limits for Portal Pages Titles, Content and Labels 431

Portal Customization 432

CSS Classes and Descriptions for End-User Portals Page Layout 432

HTML Support for a Portal Language File 433

HTML Support for the Blocked List Portal Language File 433

HTML Support for Bring Your Own Device Portals Language Files 433

HTML Support for Certificate Provisioning Portal Language Files 435

HTML Support for Client Provisioning Portals Language Files 435

HTML Support for Credential Guest Portals Language Files 436

HTML Support for Hotspot Guest Portals Language Files 439

HTML Support for Mobile Device Management Portals Language Files 440

HTML Support for My Devices Portals Language Files 440

HTML Support for Sponsor Portals Language Files 442

Asset Visibility 445

CHAPTER 8

Administrative Access to Cisco ISE Using an External Identity Store 446

External Authentication and Authorization 447

Configure a Password-Based Authentication Using an External Identity Store 447

Create an External Administrator Group 448

Create an Internal Read-Only Admin 448

Map External Groups to the Read-Only Admin Group 448

Configure Menu Access and Data Access Permissions for External Administrator Group 449

Create a RBAC Policy for External Administrator Authentication 449

Configure Admin Access Using an External Identity Store for Authentication with Internal

Authorization 450

External Authentication Process Flow 450

External Identity Sources 451

LDAP Identity Source Settings 451

RADIUS Token Identity Sources Settings 458

RSA SecurID Identity Source Settings 460

Cisco ISE Users 461

Cisco Identity Services Engine Administrator Guide, Release 3.0

xix

Contents

User Identity 461

User Groups 461

User Identity Groups 461

User Role 462

User Account Custom Attributes 462

User Authentication Settings 463

Generate Automatic Password for Users and Administrators 464

Internal User Operations 465

Add Users 465

Export Cisco ISE User Data 465

Import Cisco ISE Internal Users 465

Endpoint Settings 466

Endpoint Import from LDAP Settings 468

Identity Group Operations 470

Create a User Identity Group 470

Export User Identity Groups 471

Import User Identity Groups 471

Endpoint Identity Group Settings 471

Configure Maximum Concurrent Sessions 472

Maximum Concurrent Sessions for a Group 472

Configure Counter Time Limit 473

Account Disable Policy 473

Disable Individual User Accounts 474

Disable User Accounts Globally 474

Internal and External Identity Sources 475

Create an External Identity Source 477

Authenticate Internal User Against External Identity Store Password 477

Certificate Authentication Profiles 478

Add a Certificate Authentication Profile 478

Active Directory as an External Identity Source 479

Active Directory Supported Authentication Protocols and Features 479

Active Directory Attribute and Group Retrieval for Use in Authorization Policies 480

Support for Boolean Attributes 481

Active Directory Certificate Retrieval for Certificate-Based Authentication 481

Cisco Identity Services Engine Administrator Guide, Release 3.0

Contents

Page is loading ...

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260

Cisco Identity Services Engine User guide

Brand: Cisco

Model: Identity Services Engine

Category: Software

Type: User guide

This manual is also suitable for

Identity Services Engine 3.0

Download PDF

report

Cisco Identity Services Engine User guide

This manual is also suitable for

Cisco Identity Services Engine User guide

Related papers

Other documents