Cisco Identity Services Engine User Guide, Release 1.1
Managing Resources
Downloads: This chapterpdf (PDF - 156.0KB) The complete bookPDF (PDF - 24.78MB) | Feedback

Managing Resources

Table Of Contents

Managing Resources

Dictionaries and Dictionary Attributes

Dictionary and Attribute User Interface

Configuring Dictionaries and Dictionary Attributes

Managing Dictionary Attributes in System-Defined Dictionaries

Configuring User-Defined Dictionaries and Dictionary Attributes

Configuring RADIUS Vendors

Creating and Editing RADIUS Vendors

Creating and Editing RADIUS VSAs

Deleting RADIUS Vendors

Importing and Exporting RADIUS Vendor Dictionary


Managing Resources


This chapter describes how to manage the resources in your Cisco Identity Services Engine (ISE) network. This chapter contains the following topics that provide information and procedures for managing the Cisco ISE network resources:

Dictionaries and Dictionary Attributes

Configuring Dictionaries and Dictionary Attributes

Configuring RADIUS Vendors

Dictionaries and Dictionary Attributes

A dictionary represents a collection of individual parameters for use in configuring vendor-specific attributes. The default supported dictionary and dictionary defaults are those for the IETF RADIUS set of attribute pairs defined by the Internet Engineering Task Force (IETF). When you display the Dictionary page, it lists two types of dictionaries that are supported by Cisco ISE: System and User.

The Cisco ISE system also contains Cisco ISE system-defined dictionaries with dictionary attributes that are read-only attributes. This type of system-defined dictionary is known as a system dictionary. All system-defined attributes are populated during the installation of the Cisco ISE system software. New dictionaries are created when you create any Active Directory or Lightweight Directory Access Protocol (LDAP) server instances.


Note You cannot create, modify, or delete any system-defined values or any attributes in a system dictionary. You can only perform a search using a quick filter that is based on dictionary name and description, or you can perform a more advanced search using an advanced filter search that is based on a search rule you define.


Cisco ISE allows you to create, edit, and delete user-defined dictionaries and dictionary attributes that you can use in policy conditions. This type of user-defined dictionary is known as a user dictionary. The RADIUS protocol supports vendors and vendor attributes. Cisco ISE provides a set of standard IETF RADIUS attributes that are part of the system-defined dictionaries.

However, Cisco ISE also allows you to define a set of vendors, and for each vendor, define a set of attributes. These attributes can be used in authorization profiles and in policy conditions. You can create, edit, and delete RADIUS vendor dictionaries and vendor-specific attributes.

The following topics provide descriptions of the Cisco ISE user interface controls you can use to configure a user dictionary and its attributes, and also procedures for performing dictionary- and attribute-related tasks:

Dictionary and Attribute User Interface

Configuring Dictionaries and Dictionary Attributes

Dictionary and Attribute User Interface

This section provides examples of the Cisco ISE user interface that you can use for managing dictionary and related attributes using the Policy, Policy Elements, and Dictionaries tabs. Use the Cisco ISE main window as your starting point for displaying and performing dictionary-related operations for the following Cisco ISE dictionary components:

System

User

To manage the System and User dictionaries, use the controls and the navigation pane within the corresponding user interface window. The following list identifies the Cisco ISE user interface tab or menu option choices sequence that contains the controls needed to perform these tasks:

To display or search for specific attributes in System-defined dictionaries—choose Policy > Policy Elements > Dictionaries > System

To display, create, modify, delete, or search for specific attributes in User-defined dictionaries—choose Policy > Policy Elements > Dictionaries > User

For more information:

For more information on displaying or searching for attributes in System dictionaries, see Managing Dictionary Attributes in System-Defined Dictionaries.

For more information on configuring User dictionaries, see Configuring User-Defined Dictionaries and Dictionary Attributes.

Configuring Dictionaries and Dictionary Attributes

This section provides procedures that apply to both System-defined and User-defined dictionaries.

Managing Dictionary Attributes in System-Defined Dictionaries

Because of the nature of System-defined dictionaries, you can only use the Dictionaries window to display existing System-defined dictionaries or perform two types of searches for dictionary attributes. The following topics provide procedures for performing these two management tasks:


Note The Cisco ISE system-defined dictionary and dictionary attributes are read-only. All system-defined attributes are populated during the installation of the Cisco ISE system software, and you cannot create, modify, or delete the system-defined values or any attributes in a system dictionary. You can only perform a Quick Filter search based on dictionary name and description, or an Advanced Filter search based on a search rule you define.


Displaying Existing Cisco ISE System-Defined Dictionaries

Searching for Attributes in an Existing Cisco ISE System-Defined Dictionary

Displaying Existing Cisco ISE System-Defined Dictionaries

To display existing Cisco ISE System dictionaries, choose Policy > Policy Elements > Dictionaries > System. The System Dictionary page appears, which lists all current Cisco ISE System-defined dictionaries.


Searching for Attributes in an Existing Cisco ISE System-Defined Dictionary

To search for an attribute in an existing Cisco ISE System-defined dictionary, complete the following steps:


Step 1 Choose Policy > Policy Elements > Dictionaries > System.

The Dictionary pane appears, which lists all existing Cisco ISE System-defined dictionaries.

Step 2 Click Filter and select from one of the following options:

Quick Filter

Advanced Filter

To perform a Quick Filter, enter search criteria in one or more of the following attribute fields:

Name

Description

To perform an Advanced Filter, create a matching rule by performing the following:

In the Filter drop-down list, select one of the following options:

Description

Name

In the second drop-down list, select one of the following options:

Contains

Does not contain

Does not equal

Ends with

Is empty

Is exactly (or equals)

Is greater than

Is greater than or equal to

Is less than

Is less than or equal to

Is not empty

Starts with

In the text box, enter your desired search value.

Click Go to launch the filter process, or click plus (+) to add additional search criteria.

Click Clear Filter to reset the filter process.


Configuring User-Defined Dictionaries and Dictionary Attributes

The Dictionaries window lets you display, create, modify, delete, and search user dictionaries and dictionary attributes that are used within the Cisco ISE system. The following topics provide procedures for performing these tasks:

Displaying Existing Cisco ISE User-Defined Dictionaries

Creating a New Cisco ISE User-Defined Dictionary

Deleting an Existing Cisco ISE User-Defined Dictionary

Modifying an Existing Cisco ISE User-Defined Dictionary

Searching for Attributes in an Existing Cisco ISE User-Defined Dictionary

Creating a New Cisco ISE User-Defined Dictionary Attribute

Deleting an Existing Cisco ISE User-Defined Dictionary Attribute

Configuring RADIUS Vendors

Creating and Editing RADIUS Vendors

Creating and Editing RADIUS VSAs

Deleting RADIUS Vendors

Importing and Exporting RADIUS Vendor Dictionary

Displaying Existing Cisco ISE User-Defined Dictionaries

To display existing Cisco ISE User-defined dictionaries, choose Policy > Policy Elements > Dictionaries > User. The User Dictionary page appears, which lists all current Cisco ISE User-defined dictionaries.


Creating a New Cisco ISE User-Defined Dictionary

To create a new Cisco ISE use-defined dictionary, complete the following steps:


Step 1 Choose Policy > Policy Elements > Dictionaries > User.

The Dictionary pane appears, which lists all existing Cisco ISE User-defined dictionaries.

Step 2 Click action (icon) and choose New Dictionary to display the Create Dictionary page, or click Add (+).


Note When you click action, four options are displayed: New Dictionary, New Dictionary Attribute, Delete Dictionary, and Delete Dictionary Attribute.


Step 3 Enter or choose values for the following fields in the use-defined dictionary:

Dictionary Name*

Description

Version*

Dictionary Attribute Type*

Dictionary Type


Note All Dictionary fields marked with an asterisk (*) require you to enter a value. All other fields are optional.


Step 4 Click Submit to save this new Cisco ISE user-defined dictionary in the Cisco ISE system local database.


Deleting an Existing Cisco ISE User-Defined Dictionary

To delete an existing Cisco ISE user-defined dictionary, complete the following steps:


Step 1 Choose Administration> Resources> Dictionaries > User.

The Dictionary pane appears, which lists all existing Cisco ISE User-defined dictionaries.

Step 2 Choose the check box that corresponds to the user-defined dictionary you want to delete, and click Delete.

A delete confirmation page appears that indicates that you have deleted the selected user-defined dictionary.

Step 3 Click OK to close the delete confirmation page.


Modifying an Existing Cisco ISE User-Defined Dictionary

To modify values in an existing Cisco ISE user-defined dictionary, complete the following steps:


Step 1 Choose Policy > Policy Elements > Dictionaries > User.

The Dictionary pane appears, which lists all existing Cisco ISE User-defined dictionaries.

Step 2 Choose the check box that corresponds to the user dictionary that you want to modify, and click Edit.

The Edit Dictionary page is displayed.

Step 3 Modify the Description, Version, or Dictionary Attribute Type value as desired.


Note You cannot modify the values for Dictionary Name or Dictionary Type for an existing dictionary


Step 4 Click Save to save the modified Cisco ISE user-defined dictionary value(s) in the Cisco ISE system local database.


Searching for Attributes in an Existing Cisco ISE User-Defined Dictionary

To search for an attribute in an existing Cisco ISE user-defined dictionary, complete the following steps:


Step 1 Choose Policy > Policy Elements > Dictionaries > User.

The Dictionary pane appears, which lists all existing Cisco ISE User-defined dictionaries.

Step 2 Click Filter and choose one of the following options:

Quick Filter

Advanced Filter

To perform a Quick Filter, enter search criteria in one or more of the following attribute fields:

Name

Description

To perform an Advanced Filter, create a matching rule by performing the following:

In the Filter drop-down list, choose one of the following options:

Description

Name

In the second drop-down list, chooser one of the following options:

Contains

Does not contain

Does not equal

Ends with

Is empty

Is exactly (or equals)

Is greater than

Is greater than or equal to

Is less than

Is less than or equal to

Is not empty

Starts with

In the text box, enter your desired search value.

Click Go to launch the filter process, or click plus (+) to add additional search criteria.

Click Clear Filter to reset the filter process.


Creating a New Cisco ISE User-Defined Dictionary Attribute

To create a new Cisco ISE user-defined dictionary attribute, complete the following steps:


Step 1 Choose Policy > Policy Elements > Dictionaries > User.

The Dictionary pane appears, which lists all existing Cisco ISE User-defined dictionaries.

Step 2 In the User navigation pane, choose the user dictionary in which you want to create a new attribute, click action (icon), and choose New Dictionary Attribute to display the Edit Dictionary page.

(Optional) In the list of existing User-defined dictionaries, choose the check box that corresponds to the user dictionary in which you want to create a new dictionary attribute, click Edit, and click Dictionary Attributes tab.

The Dictionary Attributes page appears.

Step 3 Enter or choose values for the following fields for the dictionary attribute that is being created:

Attribute Name*

Description

Internal Name*

Data Type*

Dictionary*


Note All attribute fields marked with an asterisk (*) require that you enter a value. All other fields are optional. The Data Type and Dictionary fields are drop-down lists that allow you to choose from a list of options.


Step 4 In the Allowed Values table, click Add (+) and click on the new line to display the configurable fields.

Step 5 Enter or choose values for each of the following attribute types in the corresponding fields:

Name

Value

IsDefault (choose Yes or No)

Step 6 Click Save to save the configured attribute value, or click Cancel to close the configurable fields.


Note When you click Cancel it does not delete this allowed attribute value. Use Step 7 to delete an attribute value.


Step 7 (Optional) If you want to delete an allowed attribute value, in the Allowed Values table, choose the check box that corresponds to the attribute value that you want to delete, and click Remove to delete this attribute from the table.

Step 8 Click Submit to save your attribute changes in the Cisco ISE system database.


Deleting an Existing Cisco ISE User-Defined Dictionary Attribute

To delete an existing Cisco ISE user-defined dictionary attribute, complete the following steps:


Step 1 Choose Policy > Policy Elements > Dictionaries > User.

The Dictionary pane appears, which lists all existing Cisco ISE User-defined dictionaries.

Step 2 In the User navigation pane, choose the user dictionary in which you want to delete a dictionary attribute.

Step 3 Click the Dictionary Attributes tab.

A list of dictionary attributes for the selected dictionary is displayed.

Step 4 Choose the check box that corresponds to the attribute that you want to delete, and click Delete.

A delete confirmation page appears that indicates that you have deleted the selected dictionary attribute.

Step 5 Click OK to close the delete confirmation page.


Configuring RADIUS Vendors

To access the RADIUS vendor list in Cisco ISE, choose Policy > Policy Elements > Dictionaries > System > RADIUS > RADIUS Vendors. This page lists the RADIUS vendors that Cisco ISE supports. Each vendor definition in the list contains the vendor name, vendor ID, and a brief description. If you click on any of the listed vendor names, you can also view the following two properties, which are also related to the relevant RADIUS vendor dictionary attribute:

Type Field Length—The number of bytes taken from the attribute value, which are used to specify the attribute type.

Size Field Length—The number of bytes taken from the attribute value to specify the attribute length.

Each vendor attribute has a name, data type, direction (which specifies whether it is relevant to requests only, responses only, or both), and description.

The following default vendor dictionaries are available in Cisco ISE:

Cisco

Cisco-BBSM

Cisco-VPN3000

Microsoft

This section contains the following topics:

Creating and Editing RADIUS Vendors

Creating and Editing RADIUS VSAs

Deleting RADIUS Vendors

Importing and Exporting RADIUS Vendor Dictionary

Creating and Editing RADIUS Vendors

To create and edit a RADIUS vendor, complete the following steps:


Step 1 From the Policy mega menu, choose Policy Elements > Dictionaries > System > RADIUS > RADIUS Vendors.

The RADIUS Vendors page appears with a list of RADIUS vendors that ISE supports.

Step 2 Click Add to create a new RADIUS vendor, or click the check box next to the RADIUS vendor that you want to edit and click Edit.

Step 3 Enter the following information:

Name—(Required) Name of the RADIUS vendor.

Description—An optional description for the vendor.

Vendor ID—(Required) The Internet Assigned Numbers Authority (IANA)-approved ID for the vendor.

Vendor Attribute Type Field Length—(Required) The number of bytes taken from the attribute value to be used to specify the attribute type. Valid values are 1, 2, and 4. The default value is 1.

Vendor Attribute Size Field Length—(Required) The number of bytes taken from the attribute value to be used to specify the attribute length. Valid values are 0 and 1. The default value is 1.

Step 4 Click Submit to save the RADIUS vendor.


For more information:

See the "Configuring RADIUS Vendors" section.

Creating and Editing RADIUS VSAs

To create and edit RADIUS vendor-specific attributes (VSAs), complete the following steps:


Step 1 From the Policy mega menu, choose Policy Elements > Dictionaries > System > RADIUS > RADIUS Vendors.

The RADIUS Vendors page appears with a list of vendors.

Step 2 Click the check box next to the RADIUS vendor dictionary for which you to want add attributes or whose attributes you want to edit.

Step 3 Click Edit Attributes.

The RADIUS Vendor Attributes page appears.

Step 4 Click Add to create an attribute, or click the check box next to the attribute that you want to edit, and then click Edit.

Step 5 Enter the following information:

Name—(Required) Name of the VSA

Description—An optional description

Internal Name—Internal name of the VSA

Data Type—Could be one of the following:

STRING

INTEGER

FLOAT

BOOLEAN

IPv4

OCTET_STRING

UINT32

UINT64

Direction—Could be one of the following:

IN—Requests only

OUT—Responses only

BOTH—Bidirectional

ID—The vendor attribute ID. Click the Allowed Values tab to enter allowed values for the vendor attribute ID. The allowed values for the vendor attribute ID depend on the type and size specified for the corresponding vendor. For example, if 1 byte is chosen, then a range of 1 to 255 is permitted and 0 is not permitted. For n bytes, the range would be 1 to ((2^n) - 1).

Step 6 To add an allowed value, click the Allowed Values tab.

Click Add.

Enter the name in the Please enter name for new Attribute Allowed Value dialog box.

A record is created.

Choose the record to add value and choose Yes from the isDefault drop-down list box if you want this value to be the default value.

Click Submit to save your changes.

You can add additional allowed values for this VSA.

Step 7 Click Submit to save the VSA.


For more information:

Configuring RADIUS Vendors

Creating and Editing RADIUS Vendors

Deleting RADIUS Vendors

To delete a RADIUS vendor, complete the following steps:


Step 1 From the Policy mega menu, choose Policy Elements > Dictionaries > System > RADIUS > RADIUS Vendors.

The RADIUS Vendors page appears with a list of vendors.

Step 2 Click the check box next to the vendor that you want to delete, then click Delete.

A dialog box displays the following message: Are you sure you want to delete this vendor?

Step 3 Click OK to delete the RADIUS vendor.


For more information:

For more information on configuring RADIUS vendors, see Configuring RADIUS Vendors.

For more information on configuring RADIUS vendors, see Creating and Editing RADIUS Vendors.

Importing and Exporting RADIUS Vendor Dictionary

You can import RADIUS vendor dictionaries into Cisco ISE and export the RADIUS vendor dictionaries from Cisco ISE.

To import a RADIUS vendor dictionary, complete the following steps:

Before you can import a RADIUS vendor dictionary into Cisco ISE, ensure that you have the dictionary in the file system that is running the Cisco ISE browser.


Step 1 From the Policy mega menu, choose Policy Elements > Dictionaries > System > RADIUS > RADIUS Vendors.

Step 2 The RADIUS Vendors page appears.

Step 3 Click Import.

Step 4 Click the Import Vendor radio button.

Step 5 Click Browse to choose the vendor dictionary from the file system that is running your client browser.

Step 6 Click Import to import the vendor dictionary.


To export a RADIUS vendor dictionary, complete the following steps:


Step 1 From the Policy mega menu, choose Policy Elements > Dictionaries > System > RADIUS > RADIUS Vendors.

Step 2 Click the check box next to the vendor dictionary that you want to export and click Export.

Step 3 Save the vendor dictionary on the file system that is running your client browser.