Cisco Identity Services Engine User Guide, Release 1.1.x
Managing Authentication Policies
Downloads: This chapterpdf (PDF - 750.0KB) The complete bookPDF (PDF - 25.83MB) | Feedback

Table of Contents

Managing Authentication Policies

Understanding Authentication Policies

Authentication Type, Protocols, and Databases

Authentication Policy Terminology

Simple Authentication Policies

Rule-Based Authentication Policies

Protocol Settings

Configuring EAP-FAST Settings

Generating the PAC for EAP-FAST

Configuring EAP-TLS Settings

Configuring PEAP Settings

Network Access Service

Allowed Protocols

Defining Allowed Protocols

Deleting Allowed Protocols

Proxy Service

Defining an External RADIUS Server

Creating RADIUS Servers

Editing RADIUS Servers

Deleting RADIUS Servers

Defining a RADIUS Server Sequence

Creating, Editing, and Duplicating RADIUS Server Sequences

Configuring the Simple Authentication Policy

Configuring a Simple Policy Using RADIUS Server Sequence

Configuring the Rule-Based Authentication Policy

Understanding the Authentication Policy User Interface Elements

Simple Conditions

Creating Simple Conditions

Deleting Simple Conditions

Compound Conditions

Creating Compound Conditions

Deleting Compound Conditions

Creating a Rule-Based Authentication Policy

Authentication Policy Built-In Configurations

Viewing Authentication Results

Managing Authentication Policies

This chapter describes how network access is granted to users who request access to your network resources. Using the Cisco Identity Services Engine (Cisco ISE) user interface, you can define authentication policies that determine who accesses the resources on your network. This chapter contains the following topics:

Understanding Authentication Policies

Authentication policies define the protocols that Cisco ISE should use to communicate with the network devices, and the identity sources that it should use for authentication. A policy is a set of conditions and a result. A policy condition consists of an operand (attribute), an operator (equal to, not equal to, greater than, and so on), and a value. Compound conditions are made up of one or more simple conditions that are connected by the AND or OR operator. At runtime, Cisco ISE evaluates the policy condition and then applies the result that you have defined based on whether the policy evaluation returns a true or a false value.


Note During policy condition evaluation, Cisco ISE compares an attribute with a value. It is possible to run into a situation where the attribute specified in the policy condition may not have a value assigned in the request. In such cases, if the operator that is used for comparison is “not equal to,” then the condition will evaluate to true. In all other cases, the condition will evaluate to false.

For example, for a condition Radius.Calling_Station_ID Not Equal to 1.1.1.1, if the Calling Station ID is not present in the RADIUS request, then this condition will evaluate to true. This evaluation is not unique to the RADIUS dictionary and occurs because of the usage of the “Not Equal to” operator.


 

An authentication policy consists of the following:

  • Network Access Service—This service can be one of the following:

An allowed protocols service to choose the protocols to handle the initial request and protocol negotiation.

A proxy service that will proxy requests to an external RADIUS server for processing.

  • Identity Source—An identity source or an identity source sequence to be used for authentication.

After installation, a default identity authentication policy will be available in Cisco ISE that will be used for authentications. Any updates to the authentication policy will override the default settings.

The following is a list of protocols that you can choose while defining your authentication policy:

  • Password Authentication Protocol (PAP)
  • Protected Extensible Authentication Protocol (PEAP)
  • Microsoft Challenge Handshake Authentication Protocol Version 2 (MS-CHAPv2)
  • Extensible Authentication Protocol-Message Digest 5 (EAP-MD5)
  • Extensible Authentication Protocol-Transport Layer Security (EAP-TLS)
  • Extensible Authentication Protocol-Flexible Authentication via Secure Tunneling (EAP-FAST)
  • Protected Extensible Authentication Protocol-Transport Layer Security (PEAP-TLS)

By default, the identity source that Cisco ISE will look up for user information is the internal users database.

This section contains the following topics:

Authentication Type, Protocols, and Databases

The authentication type is based on the protocols that are chosen. Table 5-1 lists the authentication type and the protocols that are supported by the various databases.

The authentication type is password based, where the authentication is performed against a database with the username and password that is presented in the request. The identity method, which is the result of the authentication policy, can be any one of the following:

  • Deny access—Access to the user is denied and no authentication is performed.
  • Identity database—A single identity database that can be any one of the following:

Internal users

Internal endpoints

Active Directory

Lightweight Directory Access Protocol (LDAP) database

RADIUS token server (RSA or SafeWord server)

Certificate authentication profile

  • Identity source sequences—A sequence of identity databases that is used for authentication.

If you choose deny access, a reject message is sent as a response to the request. If you choose an identity database or an identity source sequence and the authentication succeeds, the processing continues to the authorization policy. Some of the authentications fail and these are classified as follows:

  • Authentication failed—Received explicit response that authentication has failed such as bad credentials, disabled user, and so on. The default course of action is reject.
  • User not found—No such user was found in any of the identity databases. The default course of action is reject.
  • Process failed—Unable to access the identity database or databases. The default course of action is drop.

Cisco ISE allows you to configure any one of the following courses of action for authentication failures such as authentication failed, user not found, or process failures:

  • Reject—A reject response is sent.
  • Drop—No response is sent.
  • Continue—Cisco ISE continues with the authorization policy.

Note Even when you choose the Continue option, there might be instances where Cisco ISE cannot continue processing the request due to restrictions on the protocol that is being used. When authentication fails, it is possible to continue to process the authorization policy for PAP/ASCII, EAP-TLS, or MAC authentication bypass (MAB or host lookup).

For all other authentication protocols, when authentication fails, the following happens:

  • Authentication failed—A reject response is sent.
  • User or host not found—A reject response is sent.
  • Process failure—No response is sent and the request is dropped.


 

Authentication Policy Terminology

Table 16-1 lists some of the commonly used terms in the authentication policy pages.

.

Table 16-1 Authentication Policy Terminology

Term
Description

Allowed Protocols

Allowed protocols define the set of protocols that Cisco ISE can use to communicate with the device that requests access to the network resources.

Identity Source

Identity source defines which database Cisco ISE should use for user information. The database could be an internal database or an external identity source, such as Active Directory or LDAP. You can add a sequence of databases to an identity source sequence and list this sequence as the identity source in your policy. Cisco ISE will search for the credentials in the order in which the databases are listed in this sequence.

Failover Options

You can define what course of action Cisco ISE should take if the authentication fails, the user is not found, or if the process fails.

Simple Authentication Policies

A simple authentication policy allows you to statically define the allowed protocols and the identity source or identity source sequence that Cisco ISE should use for communication. You cannot define any condition for simple policies. Cisco ISE assumes that all conditions are met and uses the following definitions to determine the result:

  • You can create simple policies in situations where you can statically define the allowed protocols and the identity source that must be used always, and no condition needs to be checked.
  • You can also create proxy service-based simple policies. Cisco ISE proxies the request to a policy server to determine which identity source should be used for user authentication. If the request is proxied to a different policy server, the protocol negotiation does not happen. The policy server evaluates which identity source should be used for authentication and returns the response to Cisco ISE.

Note Host authentication is performed with the MAC address only (MAB).


The result of a simple policy can be any one of the following:

  • Deny access
  • Identity database
  • Identity sequence

Figure 16-1 shows the simple authentication policy flow.

Figure 16-1 Simple Authentication Policy Flow

 

Rule-Based Authentication Policies

Rule-based authentication policies consist of attribute-based conditions that determine the allowed protocols and the identity source or identity source sequence to be used for processing the requests. In a simple authentication policy, you can define the allowed protocols and identity source statically. In a rule-based policy, you can define conditions that allows Cisco ISE to dynamically choose the allowed protocols and identity sources. You can define one or more conditions using any of the attributes from the Cisco ISE dictionary. Cisco ISE supports the following dictionaries:

Airespace

CERTIFICATE

Cisco

Cisco-BBSM

Cisco-VPN3000

DEVICE

Microsoft

Network access

RADIUS

where CERTIFICATE, DEVICE, and RADIUS are system-defined dictionaries and Airespace, Cisco, Cisco-BBSM, Cisco-VPN3000, Microsoft , and Network Access are RADIUS vendor dictionaries.

See the “Dictionaries and Dictionary Attributes” section for more information on the dictionaries in Cisco ISE.

Cisco ISE allows you to create conditions as individual, reusable policy elements that can be referred from other rule-based policies. You can also create conditions from within the policy creation page. There are two types of conditions:

  • Simple condition—A simple condition takes the form attribute operand value . These can be saved and reused in other rule-based policies. The simple condition can take the form: A operand B, where A can be any attribute from the Cisco ISE dictionary and B can be one of the values that the attribute A can take.

This is an example of a simple condition: DEVICE:Device Type Equals All Device Types

See the “Simple Conditions” section for more information.

  • Compound condition—A compound condition is made up of one or more simple conditions with an AND or OR relationship. These are built on top of simple conditions. These can be saved and reused in other rule-based policies. The compound conditions take any one of the following forms:

(X operand Y) AND (A operand B) AND (X operand Z) AND so on

(X operand Y) OR (A operand B) OR (X operand Z) OR so on

where X and A are attributes from the ISE dictionary such as username, device type, and so on.

This is an example of a compound condition: DEVICE:Model Name Matches Catalyst6K AND Network Access:Use Case Equals Host Lookup.

See the “Compound Conditions” section for more information.

Table 16-2 lists the fixed attributes that are supported by these dictionaries, which can be used in policy conditions.

 

Table 16-2 List of Attributes Supported by the Dictionaries

Dictionary
Attributes
Allowed Protocol Rules and Proxy
Identity Rules

Device

Device Type (predefined network device group)

Yes

Yes

Device Location (predefined network device group)

Other Custom Network Device Group

Software Version

Model Name

RADIUS

All attributes

Yes

Yes

Network Access1

Cisco ISE Host Name

Yes

Yes

AuthenticationMethod

No

Yes

AuthenticationStatus

No

No

CTSDeviceID

No

No

Device IP Address

Yes

Yes

EapAuthentication (the EAP method that is used during authentication of a user of a machine)

No

Yes

EapTunnel (the EAP method that is used for tunnel establishment)

No

Yes

Protocol

Yes

Yes

UseCase

Yes

Yes

UserName

No

Yes

WasMachineAuthenticated

No

No

Certificate

Common Name

No

Yes

Country

E-mail

LocationSubject

Organization

Organization Unit

Serial Number

State or Province

Subject

Subject Alternative Name

Subject Alternative Name - DNS

Subject Alternative Name - E-mail

Subject Alternative Name - Other Name

Subject Serial Number

1.Not all of these attributes are available for creating all types of conditions. For example, while creating a condition to choose the access service in authentication policies, you would only see the following network access attributes: Device IP Address, ISE Host Name, Network Device Name, Protocol, and Use Case.

shows the rule-based authentication policy flow.

Figure 16-2 Rule-Based Authentication Policy Flow

 

In rule-based policies, you can define multiple rules as illustrated in . The identity database is selected based on the first rule that matches the criteria.

You can also define an identity source sequence consisting of different databases. You can define the order in which you want Cisco ISE to look up these databases. Cisco ISE will access these databases in sequence until the authentication succeeds. If there are multiple instances of the same user in an external database, the authentication fails. There can only be one user record in an identity source.


Note We recommend that you use only three, or at most four databases in an identity source sequence.



Note If you want to switch between the simple and rule-based policies, you must reconfigure the policies because the policy data will no longer be available.


Protocol Settings

You must define global protocol settings in Cisco ISE before you can use these protocols to process an authentication request. You can use the Protocol Settings page to define global options for the Extensible Authentication Protocol-Flexible Authentication via Secure Tunneling (EAP-FAST), Extensible Authentication Protocol-Transport Layer Security (EAP-TLS), and Protected Extensible Authentication Protocol (PEAP) protocols, which communicate with the other devices in your network. This section contains the following topics:

Configuring EAP-FAST Settings

Prerequisite:

Every Cisco ISE administrator account is assigned one or more administrative roles. To perform the operations described in the following procedure, you must have one of the following roles assigned: Super Admin or System Admin. See Cisco ISE Admin Group Roles and Responsibilities for more information on the various administrative roles and the privileges associated with each of them.

To configure EAP-FAST settings, complete the following steps:


Step 1 Choose Administration > System > Settings .

Step 2 From the Settings navigation pane on the left, click Protocols .

Step 3 Choose EAP-FAST > EAP Fast Settings .

The EAP-FAST Global Settings page appears.

Step 4 Enter the information as described:

    • Authority Identity Info Description—(Required) A user-friendly string that describes the Cisco ISE node that sends credentials to a client. The client can discover this string in the Protected Access Credentials (PAC) information for type, length, and value (TLV). The default value is Identity Services Engine.
    • Master Key Generation Period—(Required) Specifies the master key generation period in seconds, minutes, hours, days, or weeks. The value must be a positive integer in the range 1 to 2147040000 seconds. The default is 604800 seconds, which is equivalent to one week.

 

Step 5 Click Revoke if you want to revoke all the previously generated master keys and PACs.

Step 6 Click Save to save the EAP-FAST settings.


 

Generating the PAC for EAP-FAST

You can use the Generate PAC option in the Cisco ISE to generate a tunnel or machine PAC for the EAP-FAST protocol.

Prerequisite:

Every Cisco ISE administrator account is assigned one or more administrative roles. To perform the operations described in the following procedure, you must have one of the following roles assigned: Super Admin or System Admin. See Cisco ISE Admin Group Roles and Responsibilities for more information on the various administrative roles and the privileges associated with each of them.

To generate the PAC for EAP-FAST, complete the following steps:


Step 1 Choose Administration > System > Settings .

Step 2 From the Settings navigation pane on the left, click Protocols .

Step 3 Choose EAP-FAST > Generate PAC .

The Generate PAC page appears.

Step 4 Enter information as described:

    • Tunnel PAC—(Either tunnel PAC or machine PAC is required) Click this radio button to generate a tunnel PAC. This option is the default.
    • Machine PAC—Click this radio button to generate a machine PAC.
    • SGA PAC—Click this radio button to generate an SGA PAC.
    • Identity—(Required) For the Tunnel and Machine PAC identity field, this specifies the username or machine name that is presented as the “inner username” by the EAP-FAST protocol. If the identity string does not match that username, authentication fails.

If you are generating the SGA PAC, the Identity field specifies the Device ID of an SGA network device and is provided with an initiator ID by the EAP-FAST protocol. The Identity string must match the device hostname otherwise the authentication will fail and the device cannot import the PAC file. See the “OOB SGA PAC” sectionfor more information on SGA PAC.

    • PAC Time to Live—(Required) For the Tunnel and Machine PAC, enter a value in seconds that specifies the expiration time for the PAC. The default is 604800 seconds, which is equivalent to one week. This value must be a positive integer between 1 and 157680000 seconds.

For the SGA PAC, enter a value in days, weeks, months, or years. By default, the value is one year. The minimum value is one day and the maximum is 10 years.

    • Encryption Key—(Required) Enter an encryption key. The length of the key must be between 8 and 256 characters. The key can contain uppercase or lowercase letters, or numbers, or a combination of alphanumeric characters.
    • Expiration Data—(For SGA PAC only) The expiration date is calculated based on the PAC Time to Live.

Step 5 Click Generate PAC to generate the PAC.


 

Configuring EAP-TLS Settings

You can configure the runtime characteristics of the EAP-TLS protocol from the Global Options page.

Prerequisite:

Every Cisco ISE administrator account is assigned one or more administrative roles. To perform the operations described in the following procedure, you must have one of the following roles assigned: Super Admin or System Admin. See Cisco ISE Admin Group Roles and Responsibilities for more information on the various administrative roles and the privileges associated with each of them.

To configure EAP-TLS settings, complete the following steps:


Step 1 Choose Administration > System > Settings .

Step 2 From the Settings navigation pane on the left, click Protocols .

Step 3 Choose EAP-TLS .

The EAP-TLS settings page appears.

Step 4 Enter the information as described:

    • Enable EAP-TLS Session Resume—Check this check box to support an abbreviated reauthentication of a user who has passed full EAP-TLS authentication. This feature provides reauthentication of the user with only a Secure Sockets Layer (SSL) handshake and without applying the certificates. EAP-TLS session resume works only if the EAP-TLS session has not timed out.
    • EAP-TLS Session Timeout—Specifies the time in seconds after which the EAP-TLS session times out. The default value is 7200 seconds.

Step 5 Click Save to save the EAP-TLS settings.


 

Configuring PEAP Settings

You can configure the runtime characteristics of the PEAP protocol from the Global Options page.

Prerequisite:

Every Cisco ISE administrator account is assigned one or more administrative roles. To perform the operations described in the following procedure, you must have one of the following roles assigned: Super Admin or System Admin. See Cisco ISE Admin Group Roles and Responsibilities for more information on the various administrative roles and the privileges associated with each of them.

To configure PEAP settings, complete the following steps:


Step 1 Choose Administration > System > Settings .

Step 2 From the Settings navigation pane on the left, click Protocols .

Step 3 Choose PEAP .

The PEAP Settings page appears.

Step 4 Enter the information as described:

    • Enable PEAP Session Resume—Check this check box for the Cisco ISE to cache the TLS session that is created during phase one of PEAP authentication, provided the user successfully authenticates in phase two of PEAP. If a user needs to reconnect and the original PEAP session has not timed out, the Cisco ISE uses the cached TLS session, resulting in faster PEAP performance and a reduced AAA server load.

You must specify a PEAP session timeout value for the PEAP session resume features to work.

    • PEAP Session Timeout—Specifies the time in seconds after which the PEAP session times out. The default value is 7200 seconds.
    • Enable Fast Reconnect—Check this check box to allow a PEAP session to resume in the Cisco ISE without checking user credentials when the session resume feature is enabled.

Step 5 Click Save to save the PEAP settings.


 

Network Access Service

A network access service contains the authentication policy conditions for requests. You can create separate network access services for different use cases. For example, Wired 802.1X, Wired MAB, and so on. These are the two types of network access services that you can use in authentication policies:

Allowed Protocols

Allowed protocols define the set of protocols that Cisco ISE can use to communicate with the device that requests access to the network resources. An allowed protocols access service is an independent entity that you should create before you configure authentication policies. Allowed protocols access service is an object that contains your chosen protocols for a particular use case.

The Allowed Protocols Services page lists all the allowed protocols services that you create. There is a default network access service that is predefined in the Cisco ISE.

Related Topics

Defining Allowed Protocols

Prerequisites:

Before you begin this procedure, you should have a basic understanding of the protocol services that are used for authentication. Review the information and the sections noted in the following:

  • The Note in Understanding Authentication Policies to understand authentication type and the protocols that are supported by various databases.
  • The Allowed Protocols Service and PAC Options sections, to understand the functions and options for each protocol service, so you can make the selections that are appropriate for your network.
  • Ensure that you have defined the global protocol settings. See the “Protocol Settings” section for more information.
  • Every Cisco ISE administrator account is assigned one or more administrative roles. To perform the operations described in the following procedure, you must have one of the following roles assigned: Super Admin or Policy Admin. See Cisco ISE Admin Group Roles and Responsibilities for more information on the various administrative roles and the privileges associated with each of them.

To define an allowed protocols service, complete the following steps:


Step 1 Choose Policy > Policy Elements > Results .

Step 2 Click the arrow next to Authentication in the Results navigation pane on the left.

Step 3 Click Allowed Protocols . The Allowed Protocols Services page appears.


Note If Cisco ISE is set to operate in FIPS mode, some protocols are disabled be default and cannot be configured.


Step 4 Click Add .

Step 5 Enter the following information:

    • Name—(Required) Enter the name of the allowed protocols service.
    • Description—Enter an optional description for the allowed protocol service.

Step 6 Select the appropriate Authentication Protocols and options for your network, as described in Table 16-3 .

Figure 16-3 shows an example of an allowed protocol selection.

Step 7 If you choose to use PACs, make the appropriate selections, as described in Table 16-4 .


Note To enable Anonymous PAC Provisioning, you must choose both the inner methods, EAP-MSCHAPv2 and Extensible Authentication Protocol-Generic Token Card (EAP-GTC). Also, be aware that Cisco ISE only supports Active Directory as an external identity source for machine authentication.


Step 8 Click Submit to save the allowed protocols service.

The allowed protocols service appears as an independent object in the simple and rule-based authentication policy pages. You can use this object in different rules.

Step 9 You can now create a simple or rule-based authentication policy.


 

Allowed Protocols Service

Table 16-3 explains the protocol options you specify when Defining Allowed Protocols.

 

Table 16-3 Allowed Protocols Service

Option
Description
Allowed Protocols

Process Host Lookup

Check this check box to configure Cisco ISE to process the Host Lookup field (for example, when the RADIUS Service-Type equals 10) and use the System UserName attribute from the RADIUS Calling-Station-ID attribute. Uncheck this check box if you want Cisco ISE to ignore the Host Lookup request and use the original value of the system UserName attribute for authentication. When unchecked, message processing is done according to the protocol (for example, PAP).

Note When you want to use the Microsoft Active Directory for MAB authentication, you must uncheck the Process Host Lookup check box from the allowed protocol service that is associated to an authentication policy. You can find the allowed protocol services that you have created in the following location: Policy > Policy Elements > Results > Authentication > Allowed Protocols > Allowed Protocols Services.

Authentication Protocols

Allow PAP/ASCII

This option enables PAP/ASCII. PAP uses cleartext passwords (that is, unencrypted passwords) and is the least secure authentication protocol.

When you check the Allow PAP/ASCII check box, you can check the Detect PAP as Host Lookup check box to configure Cisco ISE to detect this type of request as a Host Lookup (instead of PAP) request.

Allow CHAP

This option enables CHAP authentication. CHAP uses a challenge-response mechanism with password encryption. CHAP does not work with Microsoft Active Directory.

Allow MS-CHAPv1

This option enables MS-CHAPv1.

Allow MS-CHAPv2

This option enables MS-CHAPv2.

Allow EAP-MD5

This option enables EAP-based MD5 hashed authentication.

When you check the Allow EAP-MD5 check box, you can check the Detect EAP-MD5 as Host Lookup check box to configure Cisco ISE to detect this type of request as a Host Lookup (instead of EAP-MD5) request.

Allow EAP-TLS

This option enables the EAP-TLS Authentication protocol and configures EAP-TLS settings. You can specify how Cisco ISE will verify the user identity as presented in the EAP identity response from the end-user client. User identity is verified against information in the certificate that the end-user client presents. This comparison occurs after an EAP-TLS tunnel is established between Cisco ISE and the end-user client.

Note EAP-TLS is a certificate-based authentication protocol. EAP-TLS authentication can occur only after you have completed the required steps to configure certificates. Refer to Chapter 13, “Managing Certificates” for more information on certificates.

Allow LEAP

This option enables Lightweight Extensible Authentication Protocol (LEAP) authentication.

Allow PEAP

This option enables the PEAP authentication protocol and PEAP settings. The default inner method is MS-CHAPv2.

When you check the Allow PEAP check box, you can configure the following PEAP inner methods:

  • Allow EAP-MS-CHAPv2 —Check this check box to use EAP-MS-CHAPv2 as the inner method.

Allow Password Change —Check this check box for Cisco ISE to support password changes.

Retries —Specifies how many times Cisco ISE requests user credentials before returning login failure. Valid values are 1 to 3.

  • Allow EAP-GTC —Check this check box to use EAP-GTC as the inner method.

Allow Password Change —Check this check box for Cisco ISE to support password changes.

Retries —Specifies how many times Cisco ISE requests user credentials before returning login failure. Valid values are 1 to 3.

  • Allow EAP-TLS —Check this check box to use EAP-TLS as the inner method.

Allow EAP-FAST

This option enables the EAP-FAST authentication protocol and EAP-FAST settings. The EAP-FAST protocol can support multiple internal protocols on the same server. The default inner method is MS-CHAPv2.

When you check the Allow EAP-FAST check box, you can configure EAP-FAST as the inner method:

  • Allow EAP-MS-CHAPv2

Allow Password Change —Check this check box for Cisco ISE to support password changes in phase zero and phase two of EAP-FAST.

Retries —Specifies how many times Cisco ISE requests user credentials before returning login failure. Valid values are 1-3.

  • Allow EAP-GTC
  • Allow Password Change —Check this check box for Cisco ISE to support password changes in phase zero and phase two of EAP-FAST.
  • Retries —Specifies how many times Cisco ISE requests user credentials before returning login failure. Valid values are 1-3.
  • Allow EAP-TLS —Check this check box to use EAP-TLS as the inner method.
  • Use PACs —Choose this option to configure Cisco ISE to provision authorization PACs Table 16-4 for PAC options.
  • Don't use PACs —Choose this option to configure Cisco ISE to use EAP-FAST without issuing or accepting any tunnel or machine PACs. All requests for PACs are ignored, and Cisco ISE responds with a Success-TLV without a PAC.

When you choose this option, you can configure Cisco ISE to perform machine authentication.

Preferred EAP Protocol

Check this check box to choose your preferred EAP protocols from any of the following options: EAP-FAST, PEAP, LEAP, EAP-TLS, and EAP-MD5. By default, LEAP is the preferred protocol to use if you do not enable this field.

PAC Options

Table 16-4 describes the PAC options you can choose from when Defining Allowed Protocols.

 

Table 16-4 PAC Options

Option
Description

Use PAC

  • Tunnel PAC Time to Live —The TTL3 value restricts the lifetime of the PAC. Specify the lifetime value and units. The default is 90 days. The range is between 1 and 1825 days.
  • Proactive PAC Update will occur after <n%> of PAC Time to Live Has Expired —The Update value ensures that the client has a valid PAC. Cisco ISE initiates an update after the first successful authentication but before the expiration time that is set by the TTL. The update value is a percentage of the remaining time in the TTL. The default is 90%.
  • Allow Anonymous In-band PAC Provisioning —Check this check box for Cisco ISE to establish a secure anonymous TLS handshake with the client and provision it with a PAC by using phase zero of EAP-FAST with EAP-MSCHAPv2.

Note To enable anonymous PAC provisioning, you must choose both of the inner methods, EAP-MSCHAPv2 and EAP-GTC.

  • Allow Authenticated In-band PAC Provisioning —Cisco ISE uses SSL server-side authentication to provision the client with a PAC during phase zero of EAP-FAST. This option is more secure than anonymous provisioning but requires that a server certificate and a trusted root CA be installed on Cisco ISE.

When you check this option, you can configure Cisco ISE to return an Access-Accept message to the client after successful authenticated PAC provisioning.

Server Returns Access Accept After Authenticated Provisioning —Check this check box if you want Cisco ISE to return an Access-Accept package after authenticated PAC provisioning.

Accept Client Certificate for Provisioning —Check this check box if you want Cisco ISE to use the client certificate (user or machine) to authenticate the client during EAP-FAST tunnel establishment or inside the tunnel.

Note Client certificate usage in EAP-FAST

– Works in EAP-FAST authenticated provisioning and PAC-less authentication

ISE sends TLS client certificate request during EAP-FAST tunnel establishment (like in EAP-TLS)

Three options:

a. Accept client certificate in clear during tunnel establishment, skip inner method

b. If it didn't receive client certificate then: Accept client certificate encrypted inside the tunnel, skip inner method

c. If it didn't receive client certificate then: Conduct inner method

  • Allow Machine Authentication —Check this check box for Cisco ISE to provision an end-user client with a machine PAC and perform machine authentication (for end-user clients who do not have the machine credentials). The machine PAC can be provisioned to the client by request (in-band) or by the administrator (out-of-band). When Cisco ISE receives a valid machine PAC from the end-user client, the machine identity details are extracted from the PAC and verified in the Cisco ISE external identity source. After these details are correctly verified, no further authentication is performed.

Note Cisco ISE supports only Active Directory as an external identity source for machine authentication.

Use PAC

(continued)

If a machine authentication using certificate happens during PAC provisioning and Anyconnect's profile contains protected identity specified as “host/[username]/[domain]” then the identity of the machine in the logs is displayed as it is specified in certificate subject. At the same time, when PAC based authentication happens the identity of machine is diaplayed in the live logs in the format of “host/machine.”

Note It is recommended to specify protected identity pattern in Anyconnect profile in the same way as it is specified in the certificate, without “host/”.

When you check this option, you can enter a value for the amount of time that a machine PAC is acceptable for use. When Cisco ISE receives an expired machine PAC, it automatically reprovisions the end-user client with a new machine PAC (without waiting for a new machine PAC request from the end-user client).

  • Enable Stateless Session Resume —Check this check box for Cisco ISE to provision authorization PACs for EAP-FAST clients and always perform phase two of EAP-FAST (default = enabled).

Uncheck this check box in the following cases:

If you do not want Cisco ISE to provision authorization PACs for EAP-FAST clients

To always perform phase two of EAP-FAST

When you check this option, you can enter the authorization period of the user authorization PAC. After this period, the PAC expires. When Cisco ISE receives an expired authorization PAC, it performs phase two EAP-FAST authentication.

  • Enable EAP Chaining —Check this check box if you want Cisco ISE to allow authentication multiple methods e.g. to perform both machine and user in the same EAP-FAST authentication.

3.TTL = Time To Live

Figure 16-3 shows an example of selections made for an allowed protocols service.

Figure 16-3 Allowed Protocols Service

 

Deleting Allowed Protocols

Prerequisites:

  • Every Cisco ISE administrator account is assigned one or more administrative roles. To perform the operations described in the following procedure, you must have one of the following roles assigned: Super Admin or Policy Admin. See Cisco ISE Admin Group Roles and Responsibilities for more information on the various administrative roles and the privileges associated with each of them.
  • Ensure that the allowed protocol service that you are about to delete is not referenced in any authentication policies.

To delete an allowed protocol service, complete the following steps:


Step 1 Choose Policy > Policy Elements > Results .

Step 2 Click the arrow next to Authentication in the Results navigation pane on the left.

Step 3 Click Allowed Protocols .

The Allowed Protocols page appears with the list of allowed protocols that you have defined.

Step 4 Check the check box next to the allowed protocol service or services that you want to delete, then click Delete . Alternatively, you can click the action icon and click the allowed protocol service from the navigation pane on the left.


Note If you have chosen more than one allowed protocol service to delete, and if one of them is referenced in an authentication policy, then the entire delete operation fails. Ensure that the allowed protocols that you want to delete are not referenced in any authentication policies.


Cisco ISE prompts you with the following message:

Are you sure you want to delete?

Step 5 Click OK to delete the allowed protocol service or services that you have selected.


 

Proxy Service

Cisco ISE acts as a RADIUS proxy server by proxying the requests from a Network Access Device (NAD) to a RADIUS server. The RADIUS server processes the request and returns the result to Cisco ISE. Cisco ISE then sends the response to the NAD. In both simple and rule-based authentication policies, you can use the RADIUS server sequences to proxy the requests to a RADIUS server.


Note The RADIUS server sequence strips the domain name from the RADIUS-Username attribute for RADIUS authentications. This domain stripping is not applicable for EAP authentications, which use the EAP-Identity attribute. The RADIUS proxy server obtains the username from the RADIUS-Username attribute and strips it from the character that you specify when you configure the RADIUS server sequence. For EAP authentications, the RADIUS proxy server obtains the username from the EAP-Identity attribute. EAP authentications that use the RADIUS server sequence will succeed only if the EAP-Identity and RADIUS-Username values are the same.


To use the RADIUS server sequence for authentication, you should successfully complete the following tasks:

Defining an External RADIUS Server

The Cisco ISE can function both as a RADIUS server and as a RADIUS proxy server. When it acts as a proxy server, the Cisco ISE receives authentication and accounting requests from the network access server (NAS) and forwards them to the external RADIUS server. The Cisco ISE accepts the results of the requests and returns them to the NAS. You must configure the external RADIUS servers in the Cisco ISE to enable it to forward requests to the external RADIUS servers. You can define the timeout period and the number of connection attempts.

The Cisco ISE can simultaneously act as a proxy server to multiple external RADIUS servers. You can use the external RADIUS servers that you configure here in RADIUS server sequences. This External RADIUS Server page lists all the external RADIUS servers that you have defined in Cisco ISE. You can use the filter option to search for specific RADIUS servers based on the name or description or both.


Note Every Cisco ISE administrator account is assigned one or more administrative roles. To perform the operations described in the following procedure, you must have one of the following roles assigned: Super Admin or Network Device Admin. See Cisco ISE Admin Group Roles and Responsibilities for more information on the various administrative roles and the privileges associated with each of them.


To search for RADIUS servers, complete the following steps:


Step 1 Choose Administration > Network Resources > External RADIUS Servers .

The External RADIUS Servers page appears.

Step 2 Click Filter > Advanced Filter to perform your search. The Filter page appears.

Step 3 You must define whether the search should match any or all of the rules that you define on this page.

Step 4 Enter your search criteria based on the name or description of the RADIUS server, choose an operator, and enter the value.

Step 5 You can do the following:

    • To add a filter condition, click the plus sign (+).
    • To remove a filter condition, click the minus sign (-).
    • To clear all filter conditions, click Clear Filter .

Step 6 Click Go to perform your search.

You can also save the filter criteria so that it can be used again. Click the Save icon to save the filter condition.


 

Results:

A list of external RADIUS servers that match your search criteria are displayed.

Related Topics

Creating RADIUS Servers

Prerequisites:

  • You cannot use the external RADIUS servers that you create in this section by themselves. You must create a RADIUS server sequence and configure it to use the RADIUS server that you create in this section. You can then use the RADIUS server sequence in authentication policies.

To create the RADIUS server sequence, see the “Defining a RADIUS Server Sequence” section.

  • Every Cisco ISE administrator account is assigned one or more administrative roles. To perform the operations described in the following procedure, you must have one of the following roles assigned: Super Admin or Network Device Admin. See Cisco ISE Admin Group Roles and Responsibilities for more information on the various administrative roles and the privileges associated with each of them.

To create an external RADIUS server, complete the following steps:


Step 1 Choose Administration > Network Resources > External RADIUS Servers .

The RADIUS Servers page appears with a list of external RADIUS servers that are defined in Cisco ISE.

Step 2 Click Add to add an external RADIUS server.

Step 3 Enter the values as described:

    • Name—(Required) Enter the name of the external RADIUS server.
    • Description—Enter a description of the external RADIUS server.
    • Host IP—(Required) Enter the IP address of the external RADIUS server.
    • Shared Secret—(Required) Enter the shared secret between Cisco ISE and the external RADIUS server that is used for authenticating the external RADIUS server. A shared secret is an expected string of text that a user must provide to enable the network device to authenticate a username and password. The connection is rejected until the user supplies the shared secret. The shared secret can be up to 128 characters in length.
    • Enable KeyWrap—This option increases RADIUS protocol security via an AES KeyWrap algorithm, to help enable FIPS 140-2 compliance in Cisco ISE.
    • Key Encryption Key—This key is used for session encryption (secrecy).
    • Message Authenticator Code Key—This key is used for keyed HMAC calculation over RADIUS messages.
    • Key Input Format—Specify the format you want to use to enter the Cisco ISE FIPS encryption key, so that it matches the configuration that is available on the WLAN controller. (The value you specify must be the correct [full] length for the key as defined below—shorter values are not permitted.)

ASCII—The Key Encryption Key must be 16 characters (bytes) long, and the Message Authenticator Code Key must be 20 characters (bytes) long.

Hexadecimal—The Key Encryption Key must be 32 bytes long, and the Message Authenticator Code Key must be 40 bytes long.

    • Authentication Port—(Required) Enter the RADIUS authentication port number. The valid range is from 1 to 65535. The default is 1812.
    • Accounting Port—(Required) Enter the RADIUS accounting port number. The valid range is from 1 to 65535. The default is 1813.
    • Server Timeout—(Required) Enter the number of seconds that the Cisco ISE waits for a response from the external RADIUS server. The default is 5 seconds. Valid values are from 5 to 120.
    • Connection Attempts—(Required) Enter the number of times that the Cisco ISE attempts to connect to the external RADIUS server. The default is 3 attempts. Valid values are from 1 to 9.

 

Step 4 Click Submit to save the external RADIUS server configuration.


 

Related Topics

Editing RADIUS Servers

Prerequisite:

Every Cisco ISE administrator account is assigned one or more administrative roles. To perform the operations described in the following procedure, you must have one of the following roles assigned: Super Admin or Network Device Admin. See Cisco ISE Admin Group Roles and Responsibilities for more information on the various administrative roles and the privileges associated with each of them.

To edit an external RADIUS server, complete the following steps:


Step 1 Choose Administration > Network Resources > External RADIUS Servers .

The RADIUS Servers page appears with a list of external RADIUS servers.

Step 2 Check the check box next to the RADIUS server that you want to edit, and click Edit .

Step 3 Modify the values as described in compcond" CLASS="Hypertext">Step 5 to add more conditions.

Step 10 After you have added all the conditions, click Submit to create this compound condition.


 

Figure 16-6 shows a compound conditions page. The table that follows the image provides a description of the user interface elements that appear in this page.

Figure 16-6 Compound Conditions Page

 

 

1

This element is the operand to be used between two or more conditions, and can be either AND or OR. For example, compound conditions can be of the following forms:

condition1 AND condition2 AND condition3 ...

or

condition1 OR condition2 OR condition3 ...

2

You can click the action icon to do the following:

  • Add new conditions from the library. These are the conditions that you have already created.
  • Create a condition by adding a new attribute or value.
  • Duplicate an existing condition.
  • Add new conditions to the library.
  • Delete a condition. This option deletes the condition that appears in the same row as the action icon.

3

If you are creating a new condition, you can enter a name here to reuse this condition in other policies. When you provide a name here, this object is created as a separate condition.

4

Choose the attribute based on the reason you want to create the new condition. Choose the operator and the value in the text boxes.

Next Step:

See the “Creating a Rule-Based Authentication Policy” section for information on how to define a rule-based authentication policy using the compound conditions that you created.

Deleting Compound Conditions

Prerequisites:

  • Every Cisco ISE administrator account is assigned one or more administrative roles. To perform the operations described in the following procedure, you must have one of the following roles assigned: Super Admin or Policy Admin. See Cisco ISE Admin Group Roles and Responsibilities for more information on the various administrative roles and the privileges associated with each of them.
  • Ensure that the compound condition or conditions that you are about to delete are not referenced in any authentication policies.

To delete a compound authentication condition, complete the following steps:


Step 1 Choose Policy > Policy Elements > Conditions .

Step 2 From the left navigation pane, click the arrow next to Authentication.

Step 3 From the left navigation pane, click Compound Conditions .

The Conditions page appears with a list of simple conditions that you have defined.

Step 4 Check the check box next to the compound condition or conditions that you want to delete, then click Delete . Alternatively, you can choose the compound condition that you want to delete in the navigation pane on the left, and click the action icon and click Delete Compound Condition .


Note If you are trying to delete multiple compound conditions at the same time and if one of them is used in any authentication policy, then the entire delete operation will fail.


Cisco ISE prompts you with the following message:

Are you sure you want to delete?

Step 5 Click OK to delete the compound condition or conditions.


 

Creating a Rule-Based Authentication Policy


Timesaver We recommend that you create the allowed protocol access services, conditions, and identity source sequences before you create the rule-based authentication policy. If you want to use the RADIUS server sequence, you can define the RADIUS server sequence before you create the policy. See the “Proxy Service” section for more information.


Prerequisites:

Defining Allowed Protocols

Creating Identity Source Sequences if you want to use an identity source sequence

Defining a RADIUS Server Sequence if you want to use the RADIUS server sequence in place of the Allowed Protocols access service

  • Cisco ISE comes with predefined rule-based authentication policies for the Wired 802.1X, Wireless 802.1X, and Wired MAB use cases. See the “Authentication Policy Built-In Configurations” section for more information on these predefined policies. You can edit these policies to suit your requirements.
  • Every Cisco ISE administrator account is assigned one or more administrative roles. To perform the operations described in the following procedure, you must have one of the following roles assigned: Super Admin or Policy Admin. See Cisco ISE Admin Group Roles and Responsibilities for more information on the various administrative roles and the privileges associated with each of them.

Note When you switch between a simple and a rule-based authentication policy, you will lose the policy that you configured earlier. For example, if you have a simple authentication policy configured and you want to move to a rule-based authentication policy, you will lose the simple authentication policy. Also, when you move from a rule-based authentication policy to a simple authentication policy, you will lose the rule-based authentication policy.


To create a rule-based authentication policy, complete the following steps:


Note If your users are defined in external identity sources, ensure that you have configured these identity sources in Cisco ISE. See Chapter 5, “Managing External Identity Sources” for information on how to configure the external identity sources.



Step 1 Choose Policy > Authentication .

The Authentication Policy page appears.

Step 2 Click the Rule-Based radio button.

The following message appears:

You switched from single to rule-based result selection. Any settings saved in the single mode will be lost when you submit. Click OK to continue.

Step 3 Click OK to continue.

This page contains default rule-based policies.

Step 4 To create a new rule-based policy, click the action icon ( ) and click Insert new row above or Insert new row below based on where you want the new policy to appear in this list. The policies will be evaluated sequentially.

Each row in this rule-based policy page is equivalent to the simple authentication policy. Each row contains a set of conditions that determine the allowed protocols and identity sources.

Step 5 From the Status drop-down list, choose the status of this policy. The Status can be any one of the following:

    • Enabled
    • Disabled
    • Monitor Only

Step 6 Enter a name for this policy. By default, it will be named Standard Policy 1, Standard Policy 2, and so on.

Step 7 In the Condition(s) area, click the Expand ( ) button.

Step 8 Click Select Existing Condition from Library or Create New Condition as described in Creating Compound Conditions.

Step 9 From the Allow Protocols drop-down list, choose an allowed protocols service or a proxy service.

If you choose a proxy service, Cisco ISE forwards the request to the external policy server that is defined in the proxy service. The external policy server processes the request and returns the result to Cisco ISE. See the “Defining a RADIUS Server Sequence” section for information on how to create a RADIUS server sequence.

You have created a condition for selecting the allowed protocols. You must then create a condition for selecting the identity source.

Step 10 Click ( ) next to the word “and” to define conditions for the identity source selection.

The default identity source rule appears next to the current row, but is indented.

Step 11 Click the action icon in the default identity source row that is indented, and click Insert new row above .

Step 12 Enter a name for your identity source rule.

Step 13 Click the button to define the conditions based on which you want to choose the identity source.

Step 14 Click Select Existing Condition from Library or Create New Condition as described in Creating Compound Conditions.

Step 15 Click the Expand button to choose the identity source sequence or the identity source.

a. Choose the identity source from the Identity Source List box.

b. Choose the action that you want Cisco ISE to take if authentication fails, if the user is not found, or if the process fails.

c. Click Collapse to complete your selection.

Step 16 Click the action icon in this inner row to add more conditions for identity source selection.

Step 17 You can edit the default identity source that you want Cisco ISE to use in case none of the identity sources defined in this rule match the request.

Step 18 Click the action icon in the outer row to add more rule-based policies. Repeat the process from rule" CLASS="Hypertext">Step 5 .

Step 19 The last row in this policy page is the default policy that will be applied if none of the rules match the request. You can edit the allowed protocols and identity source selection for the default policy.


Note It is a good practice to choose Deny Access as the identity source in the default policy if the request does not match any of the other policies that you have defined.


Step 20 Click Save to save your rule-based authentication policies.


 

For more information:

See the “Understanding Authentication Policies” section.

Authentication Policy Built-In Configurations

The Cisco ISE software comes with several built-in configurations that are part of common use cases. These built-in configurations are called defaults. Table 16-6 describes the defaults that relate to authentication policies.

 

Table 16-6 Authentication Policy Configuration Defaults

Name
Path in the UI
Description
Additional Information

Default Network Access Allowed Protocols Access Service

Policy > Policy Elements > Configuration > Allowed Protocols

This default is the built-in network access allowed protocols service to be used in authentication policies.

You can use this access service for wired and wireless 802.1X, and wired MAB authentication policies.

Wired 802.1X Compound Condition

Policy > Policy Elements > Conditions > Authentication > Compound Conditions

This compound condition checks for the following attributes and values:

  • RADIUS:Service-Type equals Framed
  • RADIUS:NAS-Port-Type equals Ethernet

This compound condition is used in the wired 802.1X authentication policy. Any request that matches the criteria specified in this policy would be evaluated based on the wired 802.1X authentication policy.

Wireless 802.1X Compound Condition

Policy > Policy Elements > Conditions > Authentication > Compound Conditions

This compound condition checks for the following attributes and values:

  • RADIUS:Service-Type equals Framed
  • RADIUS:NAS-Port-Type equals Wireless-IEEE802.11

This compound condition is used in the wireless 802.1X authentication policy. Any request that matches the criteria specified in this policy would be evaluated based on the wireless 802.1X authentication policy.

Wired MAB Compound Condition

Policy > Policy Elements > Conditions > Authentication > Compound Conditions

This compound condition checks for the following attributes and values:

  • RADIUS:Service-Type equals Call-Check
  • RADIUS:NAS-Port-Type equals Ethernet

This compound condition is used in the wired MAB authentication policy. Any request that matches the criteria specified in this policy would be evaluated based on the wired MAB authentication policy.

Catalyst Switch Local Web Authentication Compound Condition

Policy > Policy Elements > Conditions > Authentication > Compound Conditions

This compound condition checks for the following attributes and values:

  • RADIUS:Service-Type equals Outbound
  • RADIUS:NAS-Port-Type equals Ethernet

To use this compound condition, you must create an authentication policy that would check for this condition. See Configuring the Rule-Based Authentication Policy for more information. You can also define an access service based on your requirements or use the default network access allowed protocols service for this policy. SeeNetwork Access Service for more information.

Wireless Lan Controller (WLC) Local Web Authentication Compound Condition

Policy > Policy Elements > Conditions > Authentication > Compound Conditions

This compound condition checks for the following attributes and values:

  • RADIUS:Service-Type equals Outbound
  • RADIUS:NAS-Port-Type equals Wireless-IEEE802.11

To use this compound condition, you must create an authentication policy that would check for this condition. See Configuring the Rule-Based Authentication Policy for more information. You can also define an access service based on your requirements or use the default network access allowed protocols service for this policy. SeeNetwork Access Service for more information.

Wired 802.1X Authentication Policy

Policy > Authentication > Rule-Based

This policy uses the wired 802.1X compound condition and the default network access allowed protocols service. This policy will evaluate requests that match the criteria specified in the wired 802.1X compound condition.

This default policy uses the internal endpoints database as its identity source. You can edit this policy to configure any identity source sequence or identity source based on your needs.

Wireless 802.1X Authentication Policy

Policy > Authentication > Rule-Based

This policy uses the wireless 802.1X compound condition and the default network access allowed protocols service. This policy will evaluate requests that match the criteria specified in the wireless 802.1X compound condition.

This default policy uses the internal endpoints database as its identity source. You can edit this policy to configure any identity source sequence or identity source based on your needs.

Wired MAB Authentication Policy

Policy > Authentication > Rule-Based

This policy uses the wired MAB compound condition and the default network access allowed protocols service. This policy will evaluate requests that match the criteria specified in the wired MAB compound condition.

This default policy uses the internal endpoints database as its identity source.

Viewing Authentication Results

The Cisco ISE dashboard provides a summary of all authentications that take place in your network. To view real-time authentication summary, choose Operations > Authentications . A page similar to the one shown in Figure 16-7 appears.


Note Every Cisco ISE administrator account is assigned one or more administrative roles. To view the reports in Cisco ISE, you must have one of the following roles assigned: Super Admin or Helpdesk Admin or Monitoring Admin. See Cisco ISE Admin Group Roles and Responsibilities for more information on the various administrative roles and the privileges associated with each of them.


Figure 16-7 Authentications Page

 

You can hover your mouse cursor over the Status icon to view the results of the authentication and a brief summary. A pop-up that is similar to the one shown in Figure 16-7 appears.

To filter your results, enter your search criteria in any one or more of the text boxes that appear at the top of the list, and press Enter . You can click the magnifier icon in the Details column to view a detailed report, as shown in Figure 16-8.

Figure 16-8 Detailed Authentication Summary Report

 

Cisco ISE also provides at-a-glance information about authentications and authentication failures in the form of dashlets that appear on the Cisco ISE dashboard.

Figure 16-9 shows the Cisco ISE dashboard.

Figure 16-9 Cisco ISE Dashboard

 

The Authentications and Authentication Failure dashlets provide the following statistical information about the RADIUS authentications that Cisco ISE has handled:

  • The total number that appears in the Authentications dashlet is the total number of RADIUS authentication requests that Cisco ISE has handled including passed authentications, failed authentications, and simultaneous logins by the same user.
  • The total number that appears in the Authentication Failure dashlet is the total number of failed RADIUS authentications requests that Cisco ISE has processed.

For information on dashboard and dashlets and how to drill down to look for more information, see Chapter 2, “Introducing the Dashboard” and Chapter24, “Cisco ISE Dashboard Monitoring”

Apart from the authentication details, Cisco ISE provides various reports and troubleshooting tools that you can use to efficiently manage your network.

Table 16-7 provides a list of reports that you can run to understand the authentication trend and traffic in your network. You can generate reports for historical as well as current data.

 

Table 16-7 List of Reports

Report
AAA Protocol Reports

AAA Diagnostics

Authentication Trend

RADIUS Accounting

RADIUS Authentication

Allowed Protocol Reports

Allowed Protocol Authentication Summary

Top N Authentications By Allowed Protocol

Server Instance Reports

Server Authentication Summary

Top N Authentications By Server

Endpoint Reports

Endpoint MAC Authentication Summary

Top N Authentications By Endpoint MAC Address

Top N Authentications By Machine

Failure Reason Reports

Authentication Failure Code Lookup

Failure Reason Authentication Summary

Top N Authentications By Failure Reason

Network Device Reports

Network Device Authentication Summary

Top N Authentications By Network Device

User Reports

Top N Authentications By User

User Authentication Summary

Session Directory Reports

RADIUS Active Sessions

RADIUS Session History

RADIUS Terminated Sessions

For more information on how to generate reports and work with the interactive viewer, see
Chapter25, “Reporting”