Cisco Identity Services Engine, Identity Services Engine 3.0 User guide

Cisco Identity Services Engine Administrator Guide, Release 3.0
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version of the UNIX operating system. All rights reserved. Copyright ©1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED "AS IS" WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.

All printed copies and duplicate soft copies of this document are considered uncontrolled. See the current online version for the latest version.

Cisco has more than 200 offices worldwide. Addresses and phone numbers are listed on the Cisco website at www.cisco.com/go/offices.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: https://www.cisco.com/c/en/us/about/legal/trademarks.html. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1721R)

©2020 Cisco Systems, Inc. All rights reserved.
CONTENTS
Full Cisco Trademarks with Software License ?
CHAPTER 1 Overview 1
Cisco ISE Overview 1
Cisco ISE Features 2
Cisco ISE Administrators 3
Force CLI Administrator to Use External Identity Store 3
Create a New Administrator 4
Cisco ISE Administrator Groups 5
Create an Admin Group 15
Administrative Access to Cisco ISE 16
Role-Based Admin Access Control in Cisco ISE 17
Role-Based Permissions 17
RBAC Policies 17
Default Menu Access Permissions 18
Configure Menu Access Permissions 18
Prerequisites for Granting Data Access Permissions 19
Default Data Access Permissions 19
Configure Data Access Permissions 21
Read-Only Admin Policy 21
Customize Menu Access for the Read-Only Administrator 21
CHAPTER 2 Licensing 23
Cisco ISE Licenses 23
Tier Licenses 24
Device Administration Licenses 26
Virtual Appliance Licenses 26
Evaluation Licenses 27
Cisco ISE Smart Licensing 27
Register and Activate Smart Licenses 28
Manage Smart Licensing in Cisco ISE 29
Smart Licensing for Air-Gapped Networks 30
Configure Smart Software Manager On-Prem for Smart Licensing 30
Unregistered License Consumption 31
CHAPTER 3 Deployment 33
Cisco ISE Deployment Terminology 33
Personas in Distributed Cisco ISE Deployments 34
Configure a Cisco ISE Node 34
Configure a Primary Policy Administration Node (PAN) 35
Register a Secondary Cisco ISE Node 35
Support for Multiple Deployment Scenarios 37
Cisco ISE Distributed Deployment 37
Cisco ISE Deployment Setup 37
Data Replication from Primary to Secondary ISE Nodes 37
Cisco ISE Node Deregistration 38
Guidelines for Setting Up a Distributed Deployment 38
Menu Options Available on Primary and Secondary Nodes 39
Deployment and Node Settings 40
Deployment Nodes List Window 41
General Node Settings 42
Profiling Node Settings 48
Logging Settings 50
Remote Logging Target Settings 50
Configure Logging Categories 52
Admin Access Settings 53
Administrator Password Policy Settings 53
Session Timeout and Session Information Settings 56
Administration Node 56
High Availability for the Administrative Node 56
High-Availability Health Check Nodes 58
Health Check Nodes 58
Automatic Failover to the Secondary PAN 59
Sample Scenarios when Automatic Failover is Avoided 60
Functionalities Affected by the PAN Automatic Failover Feature 60
Configure Primary PAN for Automatic Failover 62
Manually Promote Secondary PAN to Primary 63
Reusing a Node of an Existing Cisco ISE Deployment as a Primary PAN for a New Cisco ISE Deployment 64
Restoring Service to the Primary PAN 64
Support for Automatic Failover for the Administration Node 64
Policy Service Node 64
High Availability in Policy Service Nodes 65
Load Balancer to Distribute Requests Evenly Among PSNs 65
Session Failover in Policy Service Nodes 65
Number of Nodes in a Policy Service Node Group 66
Light Data Distribution 66
RADIUS Session Directory 67
Endpoint Owner Directory 67
Monitoring Node 67
Manually Modify the MnT Role 68
Syslog over Cisco ISE Messaging Service 68
Automatic Failover in MnT Nodes 70
Monitoring Database 71
Back Up and Restore the Monitoring Database 71
Monitoring Database Purge 72
Guidelines for Purging the Monitoring Database 72
Operational Data Purging 72
Purge Older Operational Data 73
Configure MnT Nodes for Automatic Failover 74
Cisco pxGrid Node 74
Deploy Cisco pxGrid Node 76
Configure Cisco pxGrid Settings 77
Generate Cisco pxGrid Certificate 77
Control Permissions for Cisco pxGrid Clients 79
View Nodes in a Deployment 80
Download Endpoint Statistical Data from MnT Nodes 80
Database Crash or File Corruption Issues 81
Device Configuration for Monitoring 81
Synchronize Primary and Secondary Cisco ISE Nodes 81
Change Node Personas and Services 82
Effects of Modifying Nodes in Cisco ISE 82
Create a Policy Service Node Group 82
Remove a Node from Deployment 83
Shut Down a Cisco ISE Node 84
Change the Hostname or IP Address of a Standalone Cisco ISE Node 85
CHAPTER 4 Basic Setup 87
Administration Portal 88
Cisco ISE Home Dashboards 92
Configuring Home Dashboards 93
Context Visibility Views 94
Attributes in Context Visibility 95
The Application Dashboard 96
The Hardware Dashboard 97
Dashlets 99
Filtering Displayed Data in a View 100
Create Custom Filters 102
Filter Data by Conditions Using the Advanced Filter 102
Filter Data by Field Attributes Using the Quick Filter 102
Endpoint Actions in Dashlet Views 102
Cisco ISE Dashboard 103
Cisco ISE Internationalization and Localization 106
Supported Languages 106
End-User Web Portal Localization 107
Support for UTF-8 Character Data Entry 107
UTF-8 Credential Authentication 107
UTF-8 Policies and Posture Assessment 108
UTF-8 Support for Messages Sent to Supplicant 108
Reports and Alerts UTF-8 Support 108
UTF-8 Character Support in the Portals 108
UTF-8 Support Outside the Cisco ISE User Interface 111
Support for Importing and Exporting UTF-8 Values 112
UTF-8 Support on REST 112
UTF-8 Support for Identity Stores Authorization Data 112
MAC Address Normalization 112
Cisco ISE Deployment Upgrade 113
Administrator Access Console 113
Administrator Login Browser Support 113
Administrator Lockout Due to Failed Login Attempts 114
Configure Proxy Settings in Cisco ISE 114
Ports Used by the Administration Portal 115
Set Up the Cisco ISE Application Programming Interface Gateway 115
Enable External RESTful Services Application Programming Interface 116
Enable External AD Access for External RESTful Services Application Programming Interface 117
External RESTful Services Software Development Kit 118
Specify System Time and Network Time Protocol Server Settings 118
Change the System Time Zone 119
Configure SMTP Server to Support Notifications 120
Interactive Help 121
Enable Secure Unlock Client Mechanism 121
Federal Information Processing Standard Mode Support 123
Enable Federal Information Processing Standard Mode in Cisco ISE 124
Configure Cisco ISE for Administrator Common Access Card Authentication 124
Secure SSH Key Exchange Using Diffie-Hellman Algorithm 127
Configure Cisco ISE to Send Secure Syslog 127
Configure Secure Syslog Remote Logging Target 127
Remote Logging Target Settings 128
Enable Logging Categories to Send Auditable Events to the Secure Syslog Target 129
Configure Logging Categories 130
Disable TCP Syslog and UDP Syslog Collectors 131
Default Secure Syslog Collector 131
Offline Maintenance 132
Configure Endpoint Login Credentials 133
Certificate Management in Cisco ISE 133
Configure Certificates in Cisco ISE to Enable Secure Access 133
Certificate Usage 134
Certificate Matching in Cisco ISE 135
Validity of X.509 Certificates 136
Enable Public Key Infrastructure in Cisco ISE 136
Wildcard Certificates 137
Wildcard Certificate Support in Cisco ISE 138
Wildcard Certificates for HTTPS and Extensible Authentication Protocol Communication 138
Fully Qualified Domain Name in URL Redirection 139
Advantages of Using Wildcard Certificates 140
Disadvantages of Using Wildcard Certificates 140
Wildcard Certificate Compatibility 141
Certificate Hierarchy 141
System Certificates 141
View System Certificates 143
Import a System Certificate 143
System Certificate Import Settings 144
Generate a Self-Signed Certificate 145
Self-Signed Certificate Settings 146
Edit a System Certificate 148
Delete System Certificate 149
Export a System Certificate 150
Trusted Certificates Store 150
Certificates in Trusted Certificates Store 151
List of Trusted Certificates 152
Trusted Certificate Naming Constraint 153
View Trusted Certificates 154
Change the Status of a Certificate in Trusted Certificates Store 154
Add a Certificate to Trusted Certificates Store 154
Edit a Trusted Certificate 155
Trusted Certificate Settings 155
Delete Trusted Certificates 157
Export a Certificate from the Trusted Certificates Store 158
Import the Root Certificates to the Trusted Certificate Store 158
Trusted Certificate Import Settings 159
Certificate Chain Import 160
Install Trusted Certificates for Cisco ISE Inter-node Communication 160
Default Trusted Certificates in Cisco ISE 161
Certificate Signing Requests 164
Create a Certificate Signing Request and Submit it to a Certificate Authority 164
Bind the CA-Signed Certificate to the Certificate Signing Request 165
Export a Certificate Signing Request 166
Certificate Signing Request Settings 166
Set Up Certificates for Portal Use 171
Reassign Default Portal Certificate Group Tag to CA-Signed Certificate 172
Associate the Portal Certificate Tag Before You Register a Node 172
User and Endpoint Certificate Renewal 173
Dictionary Attributes Used in Policy Conditions for Certificate Renewal 174
Authorization Policy Condition for Certificate Renewal 174
CWA Redirect to Renew Certificates 174
Configure Cisco ISE to Allow Users to Renew Certificates 174
Update the Allowed Protocol Configuration 174
Create an Authorization Policy Profile for CWA Redirection 175
Create an Authorization Policy Rule to Renew Certificates 176
Enable BYOD Settings in the Guest Portal 176
Certificate Renewal Fails for Apple iOS Devices 177
Certificate Periodic Check Settings 177
Cisco ISE CA Service 177
Cisco ISE Certificate Fingerprinting 178
Create a Policy with SHA-256 fingerprint 179
Create and Map the Authentication Policy with SHA-256 Fingerprint 179
Create an Authorization Policy 180
Verify PRRT Logs 180
ISE CA Certificates Provisioned on Administration and Policy Service Nodes 180
Requirements for CA to Interoperate with Cisco ISE 182
ISE CA Chain Regeneration 183
Cisco ISE Messaging Certificate Support with External CA 183
Elliptical Curve Cryptography Certificates Support 184
Cisco ISE Certificate Authority Certificates 185
Edit a Cisco ISE CA Certificate 186
Export a Cisco ISE CA Certificate 186
Import a Cisco ISE CA Certificate 186
Certificate Templates 187
Certificate Template Name Extension 187
Use Certificate Template Name in Authorization Policy Conditions 187
Deploy Cisco ISE CA Certificates for pxGrid Controller 188
Simple Certificate Enrollment Protocol Profiles 188
Issued Certificates 189
Issued and Revoked Certificates 189
Backup and Restore of Cisco ISE CA Certificates and Keys 190
Export Cisco ISE CA Certificates and Keys 191
Import Cisco ISE CA Certificates and Keys 191
Generate Root CA and Subordinate CAs on the Primary PAN and PSN 192
Configure Cisco ISE Root CA as Subordinate CA of an External PKI 192
Configure Cisco ISE to Use Certificates for Authenticating Personal Devices 193
Add Users to the Employee User Group 194
Create a Certificate Authentication Profile for TLS-Based Authentication 194
Create an Identity Source Sequence for TLS-Based Authentication 195
Configure Certificate Authority Settings 195
Create a CA Template 196
Internal CA Settings 198
Create a Native Supplicant Profile to be Used in Client Provisioning Policy 198
Download Agent Resources from Cisco Site for Windows and MAC OS X Operating Systems 199
Create Client Provisioning Policy Rules for Apple iOS, Android, and MACOSX Devices 200
Configure the Dot1X Authentication Policy Rule for TLS-Based Authentication 200
Create Authorization Profiles for Central Web Authentication and Supplicant Provisioning Flows 201
Create Authorization Policy Rules 202
CA Service Policy Reference 202
Client Provisioning Policy Rules for Certificate Services 202
Authorization Profiles for Certificate Services 203
Authorization Policy Rules for Certificate Services 204
ISE CA Issues Certificates to ASA VPN Users 205
VPN Connection Certificate Provisioning Flow 205
Configure Cisco ISE CA to Issue Certificates to ASA VPN Users 206
Revoke an Endpoint Certificate 209
OCSP Services 209
Cisco ISE CA Service Online Certificate Status Protocol Responder 210
OCSP Certificate Status Values 210
OCSP High Availability 210
OCSP Failures 211
Add OCSP Client Profiles 211
OCSP Client Profile Settings 212
OCSP Statistics Counters 214
Configure Admin Access Policies 215
Administrator Access Settings 216
Configure the Maximum Number of Concurrent Administrative Sessions and Login Banners 216
Allow Administrative Access to Cisco ISE from Select IP Addresses 217
Allow Access to the MnT Section in Cisco ISE 217
Configure a Password Policy for Administrator Accounts 218
Configure Account Disable Policy for Administrator Accounts 219
Configure Lock or Suspend Settings for Administrator Accounts 219
Configure Session Timeout for Administrators 220
Terminate an Active Administrative Session 220
Change Administrator Name 220
Admin Access Settings 221
Administrator Password Policy Settings 221
Session Timeout and Session Information Settings 224
CHAPTER 5 Maintain and Monitor 225
Adaptive Network Control 226
Enable Adaptive Network Control in Cisco ISE 227
Configure Network Access Settings 227
Create Authorization Profiles for Network Access through ANC 228
ANC Quarantine and Unquarantine Flow 228
ANC NAS Port Shutdown Flow 229
Endpoints Purge Settings 230
Quarantined Endpoints Do Not Renew Authentication Following Policy Change 231
ANC Operations Fail when IP Address or MAC Address is not Found 231
Externally Authenticated Administrators Cannot Perform ANC Operations 232
Backup Data Type 232
Backup and Restore Repositories 233
Create Repositories 234
Repository Settings 236
Enable RSA Public Key Authentication in SFTP Repository 237
On-Demand and Scheduled Backups 237
Perform an On-Demand Backup 237
On-Demand Backup Settings 239
Schedule a Backup 240
Scheduled Backup Settings 241
Backup Using the CLI 242
Backup History 242
Backup Failures 242
Cisco ISE Restore Operation 243
Guidelines for Data Restoration 243
Restoration of Configuration or Monitoring (Operational) Backup from the CLI 244
Restore Configuration Backups from the GUI 246
Restoration of Monitoring Database 247
Restore a Monitoring (Operational) Backup in a Standalone Environment 247
Restore a Monitoring Backup with Administration and Monitor Personas 248
Restore a Monitoring Backup with a Monitoring Persona 248
Restore History 249
Export Authentication and Authorization Policy Configuration 249
Schedule Policy Export Settings 250
Synchronize Primary and Secondary Nodes in a Distributed Environment 250
Recovery of Lost Nodes in Standalone and Distributed Deployments 251
Recovery of Lost Nodes Using Existing IP Addresses and Hostnames in a Distributed Deployment 251
Recovery of Lost Nodes Using New IP Addresses and Hostnames in a Distributed Deployment 252
Recovery of a Node Using Existing IP Address and Hostname in a Standalone Deployment 252
Recovery of a Node Using New IP Address and Hostname in a Standalone Deployment 253
Configuration Rollback 253
Recovery of Primary Node in Case of Failure in a Distributed Deployment 254
Recovery of Secondary Node in Case of Failure in a Distributed Deployment 254
Cisco ISE Logging Mechanism 254
Configure Syslog Purge Settings 255
Cisco ISE System Logs 255
Configure Remote Syslog Collection Locations 256
Cisco ISE Message Codes 257
Set Severity Levels for Message Codes 258
Cisco ISE Message Catalogs 258
Endpoint Debug Log Collector 258
Download Debug Logs for a Specific Endpoint 258
Collection Filters 259
Configure Collection Filters 259
Event Suppression Bypass Filter 260
Cisco ISE Reports 260
Report Filters 260
Create the Quick Filter Criteria 261
Create the Advanced Filter Criteria 261
Run and View Reports 262
Reports Navigation 262
Export Reports 262
Schedule and Save Cisco ISE Reports 263
Cisco ISE Active RADIUS Sessions 264
Change Authorization for RADIUS Sessions 265
Available Reports 266
RADIUS Live Logs 286
Authentication Latency 289
RADIUS Live Sessions 289
TACACS Live Logs 293
Export Summary 295
CHAPTER 6 Device Administration 297
TACACS+ Device Administration 297
Device Administration Work Center 298
Device Administration Deployment Settings 299
Device Admin Policy Sets 299
Create Device Administration Policy Sets 300
TACACS+ Authentication Settings and Shared Secret 301
Device Administration - Authorization Policy Results 303
Allowed Protocols in FIPS and Non-FIPS Modes for TACACS+ Device Administration 303
TACACS+ Command Sets 303
Wildcards and Regex in Command Sets 303
Command Line and Command Set List Match 304
Process Rules with Multiple Command Sets 305
Create TACACS+ Command Sets 305
TACACS+ Profile 306
Create TACACS+ Profiles 306
Common Tasks Settings 307
Access the Command-Line Interface to Change the Enable Password 309
Configure Global TACACS+ Settings 310
Data Migration from Cisco Secure ACS to Cisco ISE 311
Monitor Device Administration Activity 311
TACACS Live Logs 311
CHAPTER 7 Guest and Secure WiFi 315
Cisco ISE Guest Services 315
End-User Guest and Sponsor Portals in Distributed Environment 316
Guest and Sponsor Accounts 316
Guest Types and User Identity Groups 317
Create or Edit Guest Types 317
Disable a Guest Type 320
Configure Maximum Simultaneous Logins for Endpoint Users 321
Schedule When to Purge Expired Guest Accounts 322
Add Custom Fields for Guest Account Creation 323
Specify Email Addresses and SMTP Servers for Email Notifications 323
Assign Guest Locations and SSIDs 324
Rules for Guest Password Policies 325
Set the Guest Password Policy and Expiration 326
Rules for Guest Username Policies 327
Set the Guest Username Policy 327
SMS Providers and Services 328
Configure SMS Gateways to Send SMS Notifications to Guests 328
Social Login for Self-Registered Guests 330
Configuring Social Login 332
Guest Portals 334
Credentials for Guest Portals 334
Guest Access with Hotspot Guest Portals 335
Guest Access with Credentialed Guest Portals 335
Employee Access with Credentialed Guest Portals 336
Guest Device Compliance 336
Guest Portals Configuration Tasks 336
Enable Policy Services 337
Add Certificates for Guest Portals 337
Create External Identity Sources 338
Create Identity Source Sequences 339
Create Endpoint Identity Groups 340
Create a Hotspot Guest Portal 340
Create a Sponsored-Guest Portal 340
Create a Self-Registered Guest Portal 342
Authorize Portals 346
Customize Guest Portals 347
Configure Periodic AUP Acceptance 347
Forcing Periodic AUP 347
Guest Remember Me 348
Sponsor Portals 348
Managing Guest Accounts on the Sponsor Portal 348
Managing Sponsor Accounts 350
Configure Account Content for Sponsor Account Creation 354
Configure a Sponsor Portal Flow 355
Enable Policy Services 355
Add Certificates for Guest Services 356
Create External Identity Sources 356
Create Identity Source Sequences 357
Create a Sponsor Portal 357
Customize Sponsor Portals 358
Configuring Account Content for Sponsor Account Creation 358
Configuring the Time Settings Available to Sponsors 359
Kerberos Authentication for the Sponsor Portal 359
Sponsors Cannot Log In to the Sponsor Portal 361
Monitor Guest and Sponsor Activity 361
Metrics Dashboard 362
AUP Acceptance Status Report 362
Guest Accounting Report 362
Primary Guest Report 362
Sponsor Login and Audit Report 363
Audit Logging for Guest and Sponsor Portals 363
Guest Access Web Authentication Options 363
NAD with Central WebAuth Process 364
Wireless LAN Controller with Local WebAuth Process 365
Wired NAD with Local WebAuth Process 366
IP Address and Port Values Required for the Login.html Page 366
HTTPS Server Enabled on the NAD 367
Support for Customized Authentication Proxy Web Pages on the NAD 367
Configure Web Authentication on the NAD 367
Device Registration WebAuth Process 368
Guest Portal Settings 370
Portal Identification Settings 370
Portal Settings for Hotspot Guest Portals 371
Acceptable Use Policy (AUP) Page Settings for Hotspot Guest Portals 373
Post-Access Banner Page Settings for Hotspot Portals 373
Portal Settings for Credentialed Guest Portals 373
Login Page Settings for Credentialed Guest Portals 375
Self-Registration Page Settings 377
Self Registration Success Page Settings 379
Acceptable Use Policy (AUP) Page Settings for Credentialed Guest Portals 380
Guest Change Password Settings for Credentialed Guest Portals 381
Guest Device Registration Settings for Credentialed Guest Portals 381
BYOD Settings for Credentialed Guest Portals 381
Post-Login Banner Page Settings for Credentialed Guest Portals 382
Guest Device Compliance Settings for Credentialed Guest Portals 383
VLAN DHCP Release Page Settings for Guest Portals 383
Authentication Success Settings for Guest Portals 384
Support Information Page Settings for Guest Portals 384
Sponsor Portal Application Settings 385
Portal Identification Settings 385
Portal Settings for Sponsor Portals 386
Login Settings for Sponsor Portals 389
Acceptable Use Policy (AUP) Settings for Sponsor Portals 389
Sponsor Change Password Settings for Sponsor Portals 390
Post-Login Banner Settings for Sponsor Portals 390
Support Information Page Settings for Sponsor Portals 390
Notify Guests Customization for Sponsor Portals 391
Manage and Approve Customization for Sponsor Portals 392
Global Settings for Guest and Sponsor Portals 392
Guest Type Settings 393
Sponsor Group Settings 395
End-User Portals 398
Customization of End-User Web Portals 398
Portal Content Types 400
Basic Customization of Portals 400
Modify the Portal Theme Colors 401
Change the Portal Display Language 401
Change the Portal Icons, Images, and Logos 402
Update the Portal Banner and Footer Elements 402
Change the Titles, Instructions, Buttons, and Label Text 403
Format and Style Text Box Content 403
Variables for Portal Pages Customization 404
View Your Customization 407
Custom Portal Files 408
Advanced Customization of Portals 408
Enable Advanced Portal Customization 409
Portal Theme and Structure CSS Files 409
About Changing Theme Colors with jQuery Mobile 410
Change Theme Colors with jQuery Mobile 411
Location Based Customization 412
User Device Type Based Customization 413
Export a Portal’s Default Theme CSS File 413
Create a Custom Portal Theme CSS File 413
Embed Links in Portal Content 414
Insert Variables for Dynamic Text Updates 415
Use Source Code to Format Text and Include Links 416
Add an Image as an Advertisement 416
Set Up Carousel Advertising 417
Customize Greetings Based on Guest Location 419
Customize Greetings Based on User Device Type 420
Modify the Portal Page Layout 421
Import the Custom Portal Theme CSS File 422
Delete a Custom Portal Theme 423
View Your Customization 423
Portal Language Customization 424
Export the Language File 425
Add or Delete Languages from the Language File 425
Import the Updated Language File 426
Customization of Guest Notifications, Approvals, and Error Messages 427
Customize Email Notifications 427
Customize SMS Text Message Notifications 428
Customize Print Notifications 429
Customize Approval Request Email Notifications 429
Edit Error Messages 430
Portal Pages Titles, Content and Labels Character Limits 430
Character Limits for Portal Pages Titles, Content and Labels 431
Portal Customization 432
CSS Classes and Descriptions for End-User Portals Page Layout 432
HTML Support for a Portal Language File 433
HTML Support for the Blocked List Portal Language File 433
HTML Support for Bring Your Own Device Portals Language Files 433
HTML Support for Certificate Provisioning Portal Language Files 435
HTML Support for Client Provisioning Portals Language Files 435
HTML Support for Credential Guest Portals Language Files 436
HTML Support for Hotspot Guest Portals Language Files 439
HTML Support for Mobile Device Management Portals Language Files 440
HTML Support for My Devices Portals Language Files 440
HTML Support for Sponsor Portals Language Files 442
CHAPTER 8 Asset Visibility 445
Administrative Access to Cisco ISE Using an External Identity Store 446
External Authentication and Authorization 447
Configure a Password-Based Authentication Using an External Identity Store 447
Create an External Administrator Group 448
Create an Internal Read-Only Admin 448
Map External Groups to the Read-Only Admin Group 448
Configure Menu Access and Data Access Permissions for External Administrator Group 449
Create a RBAC Policy for External Administrator Authentication 449
Configure Admin Access Using an External Identity Store for Authentication with Internal Authorization 450
External Authentication Process Flow 450
External Identity Sources 451
LDAP Identity Source Settings 451
RADIUS Token Identity Sources Settings 458
RSA SecurID Identity Source Settings 460
Cisco ISE Users 461
User Identity 461
User Groups 461
User Identity Groups 461
User Role 462
User Account Custom Attributes 462
User Authentication Settings 463
Generate Automatic Password for Users and Administrators 464
Internal User Operations 465
Add Users 465
Export Cisco ISE User Data 465
Import Cisco ISE Internal Users 465
Endpoint Settings 466
Endpoint Import from LDAP Settings 468
Identity Group Operations 470
Create a User Identity Group 470
Export User Identity Groups 471
Import User Identity Groups 471
Endpoint Identity Group Settings 471
Configure Maximum Concurrent Sessions 472
Maximum Concurrent Sessions for a Group 472
Configure Counter Time Limit 473
Account Disable Policy 473
Disable Individual User Accounts 474
Disable User Accounts Globally 474
Internal and External Identity Sources 475
Create an External Identity Source 477
Authenticate Internal User Against External Identity Store Password 477
Certificate Authentication Profiles 478
Add a Certificate Authentication Profile 478
Active Directory as an External Identity Source 479
Active Directory Supported Authentication Protocols and Features 479
Active Directory Attribute and Group Retrieval for Use in Authorization Policies 480
Support for Boolean Attributes 481
Active Directory Certificate Retrieval for Certificate-Based Authentication 481