Cisco Identity Services Engine User guide

Cisco Identity Services Engine Administrator Guide, Release 2.7
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS,
INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND,
EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH
THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY,
CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version of
the UNIX operating system. All rights reserved. Copyright ©1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS.
CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT
LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS
HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network
topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional
and coincidental.
All printed copies and duplicate soft copies of this document are considered uncontrolled. See the current online version for the latest version.
Cisco has more than 200 offices worldwide. Addresses and phone numbers are listed on the Cisco website at www.cisco.com/go/offices.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL:
https://www.cisco.com/c/en/us/about/legal/trademarks.html. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a
partnership relationship between Cisco and any other company. (1721R)
©2019 Cisco Systems, Inc. All rights reserved.
CONTENTS
Full Cisco Trademarks with Software License ?
CHAPTER 1: Overview 1
Cisco ISE Overview 1
Cisco ISE Features 2
Cisco ISE Administrators 3
Force CLI Administrator to Use External Identity Store 3
Create a New Administrator 4
Cisco ISE Administrator Groups 5
Create an Admin Group 15
Administrative Access to Cisco ISE 16
Role-Based Admin Access Control in Cisco ISE 17
Role-Based Permissions 17
RBAC Policies 17
Default Menu Access Permissions 18
Configure Menu Access Permissions 18
Prerequisites for Granting Data Access Permissions 19
Default Data Access Permissions 19
Configure Data Access Permissions 21
Read-Only Admin Policy 21
Customize Menu Access for the Read-Only Administrator 21
CHAPTER 2: Licensing 23
Cisco ISE Licenses 23
Cisco ISE Smart Licensing 24
Activate and Register Smart Licensing in Cisco ISE 25
Smart Licensing for Air-Gapped Networks 27
Configure Smart Software Manager On-Prem for Smart Licensing 27
Manage Smart Licensing in Cisco ISE 28
Manage Traditional License Files 29
Cisco ISE Licensing Model 29
Traditional License Consumption 33
View License Consumption 34
Unregistered License Consumption 35
Manage License Files 36
Register Licenses 36
Re-Host Licenses 37
Renew Licenses 37
Migrate and Upgrade Licenses 37
Remove Licenses 38
CHAPTER 3: Deployment 39
Cisco ISE Deployment Terminology 39
Personas in Distributed Cisco ISE Deployments 40
Configure a Cisco ISE Node 40
Configure a Primary Policy Administration Node (PAN) 41
Register a Secondary Cisco ISE Node 41
Support for Multiple Deployment Scenarios 42
Cisco ISE Distributed Deployment 43
Cisco ISE Deployment Setup 43
Data Replication from Primary to Secondary ISE Nodes 43
Cisco ISE Node Deregistration 44
Guidelines for Setting Up a Distributed Deployment 44
Menu Options Available on Primary and Secondary Nodes 45
Deployment and Node Settings 46
Deployment Nodes List Window 46
General Node Settings 48
Profiling Node Settings 53
Logging Settings 55
Remote Logging Target Settings 55
Configure Logging Categories 57
Admin Access Settings 58
Administrator Password Policy Settings 58
Session Timeout and Session Information Settings 61
Administration Node 61
High Availability for the Administrative Node 61
High-Availability Health Check Nodes 63
Health Check Nodes 63
Automatic Failover to the Secondary PAN 64
Sample Scenarios when Automatic Failover is Avoided 65
Functionalities Affected by the PAN Automatic Failover Feature 65
Configure Primary PAN for Automatic Failover 67
Manually Promote Secondary PAN to Primary 68
Reusing a Node of an Existing Cisco ISE Deployment as a Primary PAN for a New Cisco ISE Deployment 69
Restoring Service to the Primary PAN 69
Support for Automatic Failover for the Administration Node 69
Policy Service Node 69
High Availability in Policy Service Nodes 70
Load Balancer to Distribute Requests Evenly Among PSNs 70
Session Failover in Policy Service Nodes 70
Number of Nodes in a Policy Service Node Group 70
Light Data Distribution 71
RADIUS Session Directory 72
Endpoint Owner Directory 72
Monitoring Node 72
Manually Modify the MnT Role 73
Syslog over Cisco ISE Messaging Service 73
Automatic Failover in MnT Nodes 75
Monitoring Database 76
Back Up and Restore the Monitoring Database 76
Monitoring Database Purge 77
Guidelines for Purging the Monitoring Database 77
Operational Data Purging 77
Purge Older Operational Data 78
Configure MnT Nodes for Automatic Failover 79
Cisco pxGrid Node 79
Cisco pxGrid Client and Capability Management 81
Enable pxGrid Service 82
Enable pxGrid Capabilities 82
Deploy Cisco pxGrid Node 82
Cisco pxGrid Live Logs 83
Configure Cisco pxGrid Settings 83
Generate Cisco pxGrid Certificate 84
Control Permissions for Cisco pxGrid Clients 85
View Nodes in a Deployment 86
Download Endpoint Statistical Data from MnT Nodes 87
Database Crash or File Corruption Issues 87
Device Configuration for Monitoring 88
Synchronize Primary and Secondary Cisco ISE Nodes 88
Change Node Personas and Services 88
Effects of Modifying Nodes in Cisco ISE 89
Create a Policy Service Node Group 89
Remove a Node from Deployment 90
Shut Down a Cisco ISE Node 91
Change the Hostname or IP Address of a Standalone Cisco ISE Node 91
CHAPTER 4: Basic Setup 93
Administration Portal 93
Cisco ISE Home Dashboards 97
Configuring Home Dashboards 98
Context Visibility Views 98
Attributes in Context Visibility 100
The Application Dashboard 101
The Hardware Dashboard 103
Dashlets 105
Filtering Displayed Data in a View 106
Create Custom Filters 108
Filter Data by Conditions Using the Advanced Filter 108
Filter Data by Field Attributes Using the Quick Filter 109
Endpoint Actions in Dashlet Views 109
Cisco ISE Dashboard 110
Cisco ISE Internationalization and Localization 112
Supported Languages 112
End-User Web Portal Localization 113
Support for UTF-8 Character Data Entry 113
UTF-8 Credential Authentication 114
UTF-8 Policies and Posture Assessment 114
UTF-8 Support for Messages Sent to Supplicant 114
Reports and Alerts UTF-8 Support 114
UTF-8 Character Support in the Portals 115
UTF-8 Support Outside the Cisco ISE User Interface 118
Support for Importing and Exporting UTF-8 Values 118
UTF-8 Support on REST 118
UTF-8 Support for Identity Stores Authorization Data 119
MAC Address Normalization 119
Cisco ISE Deployment Upgrade 119
Administrator Access Console 120
Administrator Login Browser Support 120
Administrator Lockout Due to Failed Login Attempts 120
Configure Proxy Settings in Cisco ISE 121
Ports Used by the Administration Portal 121
Enable External RESTful Services Application Programming Interface 122
Enable External AD Access for External RESTful Services Application Programming Interface 123
External RESTful Services Software Development Kit 124
Specify System Time and Network Time Protocol Server Settings 124
Change the System Time Zone 125
Configure SMTP Server to Support Notifications 126
Interactive Help 127
Enable Secure Unlock Client Mechanism 127
Federal Information Processing Standard Mode Support 128
Enable Federal Information Processing Standard Mode in Cisco ISE 130
Configure Cisco ISE for Administrator Common Access Card Authentication 130
Secure SSH Key Exchange Using Diffie-Hellman Algorithm 132
Configure Cisco ISE to Send Secure Syslog 133
Configure Secure Syslog Remote Logging Target 133
Remote Logging Target Settings 134
Enable Logging Categories to Send Auditable Events to the Secure Syslog Target 135
Configure Logging Categories 136
Disable TCP Syslog and UDP Syslog Collectors 137
Default Secure Syslog Collector 137
Offline Maintenance 138
Certificate Management in Cisco ISE 139
Configure Certificates in Cisco ISE to Enable Secure Access 139
Certificate Usage 140
Certificate Matching in Cisco ISE 141
Validity of X.509 Certificates 142
Enable Public Key Infrastructure in Cisco ISE 142
Wildcard Certificates 143
Wildcard Certificate Support in Cisco ISE 144
Wildcard Certificates for HTTPS and Extensible Authentication Protocol Communication 144
Fully Qualified Domain Name in URL Redirection 145
Advantages of Using Wildcard Certificates 146
Disadvantages of Using Wildcard Certificates 146
Wildcard Certificate Compatibility 147
Certificate Hierarchy 147
System Certificates 147
View System Certificates 149
Import a System Certificate 149
System Certificate Import Settings 150
Generate a Self-Signed Certificate 151
Self-Signed Certificate Settings 152
Edit a System Certificate 153
Delete System Certificate 154
Export a System Certificate 155
Trusted Certificates Store 155
Certificates in Trusted Certificates Store 157
List of Trusted Certificates 157
Trusted Certificate Naming Constraint 158
View Trusted Certificates 159
Change the Status of a Certificate in Trusted Certificates Store 159
Add a Certificate to Trusted Certificates Store 159
Edit a Trusted Certificate 160
Trusted Certificate Settings 160
Delete Trusted Certificates 162
Export a Certificate from the Trusted Certificates Store 163
Import the Root Certificates to the Trusted Certificate Store 163
Trusted Certificate Import Settings 164
Certificate Chain Import 165
Install Trusted Certificates for Cisco ISE Inter-node Communication 165
Default Trusted Certificates in Cisco ISE 166
Certificate Signing Requests 169
Create a Certificate Signing Request and Submit it to a Certificate Authority 169
Bind the CA-Signed Certificate to the Certificate Signing Request 170
Export a Certificate Signing Request 171
Certificate Signing Request Settings 171
Set Up Certificates for Portal Use 176
Reassign Default Portal Certificate Group Tag to CA-Signed Certificate 177
Associate the Portal Certificate Tag Before You Register a Node 177
User and Endpoint Certificate Renewal 178
Dictionary Attributes Used in Policy Conditions for Certificate Renewal 179
Authorization Policy Condition for Certificate Renewal 179
CWA Redirect to Renew Certificates 179
Configure Cisco ISE to Allow Users to Renew Certificates 179
Update the Allowed Protocol Configuration 179
Create an Authorization Policy Profile for CWA Redirection 180
Create an Authorization Policy Rule to Renew Certificates 181
Enable BYOD Settings in the Guest Portal 181
Certificate Renewal Fails for Apple iOS Devices 182
Certificate Periodic Check Settings 182
Cisco ISE CA Service 182
ISE CA Certificates Provisioned on Administration and Policy Service Nodes 183
ISE CA Chain Regeneration 184
Elliptical Curve Cryptography Certificates Support 184
Cisco ISE Certificate Authority Certificates 186
Edit a Cisco ISE CA Certificate 186
Export a Cisco ISE CA Certificate 187
Import a Cisco ISE CA Certificate 187
Certificate Templates 188
Certificate Template Name Extension 188
Use Certificate Template Name in Authorization Policy Conditions 188
Deploy Cisco ISE CA Certificates for pxGrid Controller 188
Simple Certificate Enrollment Protocol Profiles 189
Issued Certificates 190
Issued and Revoked Certificates 190
Backup and Restore of Cisco ISE CA Certificates and Keys 190
Export Cisco ISE CA Certificates and Keys 191
Import Cisco ISE CA Certificates and Keys 192
Generate Root CA and Subordinate CAs on the Primary PAN and PSN 193
Configure Cisco ISE Root CA as Subordinate CA of an External PKI 193
Configure Cisco ISE to Use Certificates for Authenticating Personal Devices 194
Add Users to the Employee User Group 194
Create a Certificate Authentication Profile for TLS-Based Authentication 195
Create an Identity Source Sequence for TLS-Based Authentication 195
Configure Certificate Authority Settings 196
Create a CA Template 197
Internal CA Settings 198
Create a Native Supplicant Profile to be Used in Client Provisioning Policy 199
Download Agent Resources from Cisco Site for Windows and MAC OS X Operating Systems 200
Create Client Provisioning Policy Rules for Apple iOS, Android, and MACOSX Devices 200
Configure the Dot1X Authentication Policy Rule for TLS-Based Authentication 200
Create Authorization Profiles for Central Web Authentication and Supplicant Provisioning Flows 201
Create Authorization Policy Rules 202
CA Service Policy Reference 202
Client Provisioning Policy Rules for Certificate Services 202
Authorization Profiles for Certificate Services 204
Authorization Policy Rules for Certificate Services 205
ISE CA Issues Certificates to ASA VPN Users 206
VPN Connection Certificate Provisioning Flow 206
Configure Cisco ISE CA to Issue Certificates to ASA VPN Users 207
Revoke an Endpoint Certificate 210
OCSP Services 210
Cisco ISE CA Service Online Certificate Status Protocol Responder 211
OCSP Certificate Status Values 211
OCSP High Availability 211
OCSP Failures 212
Add OCSP Client Profiles 212
OCSP Client Profile Settings 213
OCSP Statistics Counters 215
Configure Admin Access Policies 216
Administrator Access Settings 217
Configure the Maximum Number of Concurrent Administrative Sessions and Login Banners 217
Allow Administrative Access to Cisco ISE from Select IP Addresses 218
Allow Access to the MnT Section in Cisco ISE 218
Configure a Password Policy for Administrator Accounts 219
Configure Account Disable Policy for Administrator Accounts 220
Configure Lock or Suspend Settings for Administrator Accounts 220
Configure Session Timeout for Administrators 221
Terminate an Active Administrative Session 221
Change Administrator Name 221
Admin Access Settings 222
Administrator Password Policy Settings 222
Session Timeout and Session Information Settings 225
CHAPTER 5: Maintain and Monitor 227
Adaptive Network Control 228
Enable Adaptive Network Control in Cisco ISE 229
Configure Network Access Settings 229
Create Authorization Profiles for Network Access through ANC 230
ANC Quarantine and Unquarantine Flow 230
ANC NAS Port Shutdown Flow 231
Endpoints Purge Settings 232
Quarantined Endpoints Do Not Renew Authentication Following Policy Change 233
ANC Operations Fail when IP Address or MAC Address is not Found 233
Externally Authenticated Administrators Cannot Perform ANC Operations 234
Cisco ISE Software Patches 234
Software Patch Installation Guidelines 235
Install a Software Patch 235
Roll Back Software Patches 236
Software Patch Rollback Guidelines 237
View Patch Install and Rollback Changes 237
Backup Data Type 237
Backup and Restore Repositories 238
Create Repositories 239
Repository Settings 241
Enable RSA Public Key Authentication in SFTP Repository 242
On-Demand and Scheduled Backups 242
Perform an On-Demand Backup 242
On-Demand Backup Settings 244
Schedule a Backup 244
Scheduled Backup Settings 246
Backup Using the CLI 247
Backup History 247
Backup Failures 247
Cisco ISE Restore Operation 248
Guidelines for Data Restoration 248
Restoration of Configuration or Monitoring (Operational) Backup from the CLI 249
Restore Configuration Backups from the GUI 251
Restoration of Monitoring Database 252
Restore a Monitoring (Operational) Backup in a Standalone Environment 252
Restore a Monitoring Backup with Administration and Monitor Personas 253
Restore a Monitoring Backup with a Monitoring Persona 253
Restore History 254
Export Authentication and Authorization Policy Configuration 254
Schedule Policy Export Settings 254
Synchronize Primary and Secondary Nodes in a Distributed Environment 254
Recovery of Lost Nodes in Standalone and Distributed Deployments 255
Recovery of Lost Nodes Using Existing IP Addresses and Hostnames in a Distributed Deployment 255
Recovery of Lost Nodes Using New IP Addresses and Hostnames in a Distributed Deployment 256
Recovery of a Node Using Existing IP Address and Hostname in a Standalone Deployment 256
Recovery of a Node Using New IP Address and Hostname in a Standalone Deployment 257
Configuration Rollback 257
Recovery of Primary Node in Case of Failure in a Distributed Deployment 258
Recovery of Secondary Node in Case of Failure in a Distributed Deployment 258
Cisco ISE Logging Mechanism 259
Configure Syslog Purge Settings 259
Cisco ISE System Logs 260
Configure Remote Syslog Collection Locations 260
Cisco ISE Message Codes 261
Set Severity Levels for Message Codes 262
Cisco ISE Message Catalogs 262
Debug Logs 262
View Logging Components for a Node 263
Configure Debug Log Severity Level 263
Endpoint Debug Log Collector 263
Download Debug Logs for a Specific Endpoint 264
Collection Filters 264
Configure Collection Filters 264
Event Suppression Bypass Filter 265
Cisco ISE Reports 265
Report Filters 266
Create the Quick Filter Criteria 266
Create the Advanced Filter Criteria 267
Run and View Reports 267
Reports Navigation 268
Export Reports 268
Schedule and Save Cisco ISE Reports 269
Cisco ISE Active RADIUS Sessions 270
Change Authorization for RADIUS Sessions 270
Available Reports 271
RADIUS Live Logs 291
RADIUS Live Sessions 294
TACACS Live Logs 298
Export Summary 300
CHAPTER 6: Device Administration 303
TACACS+ Device Administration 303
Device Administration Work Center 305
Device Administration Deployment Settings 305
Device Admin Policy Sets 306
Create Device Administration Policy Sets 306
TACACS+ Authentication Settings and Shared Secret 307
Device Administration - Authorization Policy Results 309
Allowed Protocols in FIPS and Non-FIPS Modes for TACACS+ Device Administration 309
TACACS+ Command Sets 309
Wildcards and Regex in Command Sets 309
Command Line and Command Set List Match 310
Process Rules with Multiple Command Sets 311
Create TACACS+ Command Sets 311
TACACS+ Profile 312
Create TACACS+ Profiles 312
Common Tasks Settings 313
Access the Command-Line Interface to Change the Enable Password 315
Configure Global TACACS+ Settings 316
Data Migration from Cisco Secure ACS to Cisco ISE 316
Monitor Device Administration Activity 317
TACACS Live Logs 317
CHAPTER 7: Guest and Secure WiFi 321
Cisco ISE Guest Services 321
End-User Guest and Sponsor Portals in Distributed Environment 322
Guest and Sponsor Accounts 322
Guest Types and User Identity Groups 323
Create or Edit Guest Types 323
Disable a Guest Type 326
Configure Maximum Simultaneous Logins for Endpoint Users 327
Schedule When to Purge Expired Guest Accounts 328
Add Custom Fields for Guest Account Creation 328
Specify Email Addresses and SMTP Servers for Email Notifications 329
Assign Guest Locations and SSIDs 329
Rules for Guest Password Policies 330
Set the Guest Password Policy and Expiration 331
Rules for Guest Username Policies 331
Set the Guest Username Policy 331
SMS Providers and Services 332
Configure SMS Gateways to Send SMS Notifications to Guests 332
Social Login for Self-Registered Guests 333
Configuring Social Login 335
Guest Portals 337
Credentials for Guest Portals 337
Guest Access with Hotspot Guest Portals 338
Guest Access with Credentialed Guest Portals 338
Employee Access with Credentialed Guest Portals 339
Guest Device Compliance 339
Guest Portals Configuration Tasks 339
Enable Policy Services 340
Add Certificates for Guest Portals 340
Create External Identity Sources 340
Create Identity Source Sequences 342
Create Endpoint Identity Groups 342
Create a Hotspot Guest Portal 343
Create a Sponsored-Guest Portal 344
Create a Self-Registered Guest Portal 344
Authorize Portals 346
Customize Guest Portals 347
Configure Periodic AUP Acceptance 348
Forcing Periodic AUP 348
Guest Remember Me 348
Sponsor Portals 349
Managing Guest Accounts on the Sponsor Portal 349
Managing Sponsor Accounts 350
Configure Account Content for Sponsor Account Creation 354
Configure a Sponsor Portal Flow 355
Enable Policy Services 356
Add Certificates for Guest Services 356
Create External Identity Sources 356
Create Identity Source Sequences 357
Create a Sponsor Portal 357
Customize Sponsor Portals 358
Configuring Account Content for Sponsor Account Creation 358
Configuring the Time Settings Available to Sponsors 359
Kerberos Authentication for the Sponsor Portal 360
Sponsors Cannot Log In to the Sponsor Portal 362
Monitor Guest and Sponsor Activity 362
Metrics Dashboard 363
AUP Acceptance Status Report 363
Guest Accounting Report 363
Primary Guest Report 363
Sponsor Login and Audit Report 364
Audit Logging for Guest and Sponsor Portals 364
Guest Access Web Authentication Options 364
NAD with Central WebAuth Process 365
Wireless LAN Controller with Local WebAuth Process 366
Wired NAD with Local WebAuth Process 367
IP Address and Port Values Required for the Login.html Page 367
HTTPS Server Enabled on the NAD 368
Support for Customized Authentication Proxy Web Pages on the NAD 368
Configure Web Authentication on the NAD 368
Device Registration WebAuth Process 369
Guest Portal Settings 371
Portal Identification Settings 371
Portal Settings for Hotspot Guest Portals 372
Acceptable Use Policy (AUP) Page Settings for Hotspot Guest Portals 374
Post-Access Banner Page Settings for Hotspot Portals 374
Portal Settings for Credentialed Guest Portals 374
Login Page Settings for Credentialed Guest Portals 376
Self-Registration Page Settings 378
Self Registration Success Page Settings 380
Acceptable Use Policy (AUP) Page Settings for Credentialed Guest Portals 381
Guest Change Password Settings for Credentialed Guest Portals 382
Guest Device Registration Settings for Credentialed Guest Portals 382
BYOD Settings for Credentialed Guest Portals 382
Post-Login Banner Page Settings for Credentialed Guest Portals 383
Guest Device Compliance Settings for Credentialed Guest Portals 384
VLAN DHCP Release Page Settings for Guest Portals 384
Authentication Success Settings for Guest Portals 385
Support Information Page Settings for Guest Portals 385
Sponsor Portal Application Settings 386
Portal Identification Settings 386
Portal Settings for Sponsor Portals 387
Login Settings for Sponsor Portals 390
Acceptable Use Policy (AUP) Settings for Sponsor Portals 390
Sponsor Change Password Settings for Sponsor Portals 391
Post-Login Banner Settings for Sponsor Portals 391
Support Information Page Settings for Sponsor Portals 391
Notify Guests Customization for Sponsor Portals 392
Manage and Approve Customization for Sponsor Portals 393
Global Settings for Guest and Sponsor Portals 393
Guest Type Settings 394
Sponsor Group Settings 396
End-User Portals 399
Customization of End-User Web Portals 399
Portal Content Types 402
Basic Customization of Portals 402
Modify the Portal Theme Colors 403
Change the Portal Display Language 403
Change the Portal Icons, Images, and Logos 404
Update the Portal Banner and Footer Elements 404
Change the Titles, Instructions, Buttons, and Label Text 405
Format and Style Text Box Content 405
Variables for Portal Pages Customization 406
View Your Customization 409
Custom Portal Files 410
Advanced Customization of Portals 410
Enable Advanced Portal Customization 411
Portal Theme and Structure CSS Files 411
About Changing Theme Colors with jQuery Mobile 412
Change Theme Colors with jQuery Mobile 413
Location Based Customization 414
User Device Type Based Customization 415
Export a Portal’s Default Theme CSS File 415
Create a Custom Portal Theme CSS File 416
Embed Links in Portal Content 416
Insert Variables for Dynamic Text Updates 417
Use Source Code to Format Text and Include Links 418
Add an Image as an Advertisement 419
Set Up Carousel Advertising 420
Customize Greetings Based on Guest Location 422
Customize Greetings Based on User Device Type 423
Modify the Portal Page Layout 424
Import the Custom Portal Theme CSS File 426
Delete a Custom Portal Theme 426
View Your Customization 427
Portal Language Customization 427
Export the Language File 429
Add or Delete Languages from the Language File 429
Import the Updated Language File 430
Customization of Guest Notifications, Approvals, and Error Messages 431
Customize Email Notifications 431
Customize SMS Text Message Notifications 432
Customize Print Notifications 432
Customize Approval Request Email Notifications 433
Edit Error Messages 434
Portal Pages Titles, Content and Labels Character Limits 434
Character Limits for Portal Pages Titles, Content and Labels 434
Portal Customization 436
CSS Classes and Descriptions for End-User Portals Page Layout 436
HTML Support for a Portal Language File 437
HTML Support for the Blacklist Portal Language File 437
HTML Support for Bring Your Own Device Portals Language Files 438
HTML Support for Certificate Provisioning Portal Language Files 439
HTML Support for Client Provisioning Portals Language Files 440
HTML Support for Credential Guest Portals Language Files 441
HTML Support for Hotspot Guest Portals Language Files 443
HTML Support for Mobile Device Management Portals Language Files 444
HTML Support for My Devices Portals Language Files 445
HTML Support for Sponsor Portals Language Files 446
CHAPTER 8: Asset Visibility 449
Administrative Access to Cisco ISE Using an External Identity Store 450
External Authentication and Authorization 451
Configure a Password-Based Authentication Using an External Identity Store 451
Create an External Administrator Group 452
Create an Internal Read-Only Admin 452
Map External Groups to the Read-Only Admin Group 452
Configure Menu Access and Data Access Permissions for External Administrator Group 453
Create a RBAC Policy for External Administrator Authentication 453
Configure Admin Access Using an External Identity Store for Authentication with Internal Authorization 454
External Authentication Process Flow 454
External Identity Sources 454
LDAP Identity Source Settings 455
RADIUS Token Identity Sources Settings 462
RSA SecurID Identity Source Settings 462
Cisco ISE Users 463
User Identity 464
User Groups 464
User Identity Groups 464
User Role 464
User Account Custom Attributes 464
User Authentication Settings 465
Generate Automatic Password for Users and Administrators 467
Internal User Operations 467
Add Users 467
Export Cisco ISE User Data 468
Import Cisco ISE Internal Users 468
Endpoint Settings 469
Endpoint Import from LDAP Settings 470
Identity Group Operations 472
Create a User Identity Group 472
Export User Identity Groups 473
Import User Identity Groups 473
Endpoint Identity Group Settings 473
Configure Maximum Concurrent Sessions 474
Maximum Concurrent Sessions for a Group 474
Configure Counter Time Limit 475
Account Disable Policy 475
Disable Individual User Accounts 476