Cisco Identity Services Engine User Guide, Release 1.2
Managing Authentication Policies
Downloads: This chapterpdf (PDF - 1.0MB) The complete bookPDF (PDF - 9.66MB) | Feedback

Table of Contents

Managing Authentication Policies

Cisco ISE Authentication Policies

Policy Condition Evaluation

Supported Authentication Protocols

Supported Authentication Types and Database

Types of Authentication Failures

Authentication Policy Terminology

Simple Authentication Policies

Simple Authentication Policy Flow

Guidelines for Configuring Simple Authentication Policies

Rule-Based Authentication Policies

Rule-Based Authentication Policy Flow

Supported Dictionaries for Rule-Based Authentication Policies

Attributes Supported by Dictionaries

Protocol Settings for Authentication

Guidelines for Using EAP-FAST as Authentication Protocol

Configuring EAP-FAST Settings

Generating the PAC for EAP-FAST

Configuring EAP-TLS Settings

Configuring PEAP Settings

Configuring RADIUS Settings

Network Access Service

Defining Allowed Protocols for Network Access

Enabling MAB from Non-Cisco Devices

Enabling MAB from Cisco Devices

Cisco ISE Acting as a RADIUS Proxy Server

Configuring External RADIUS Servers

RADIUS Server Sequence

Defining RADIUS Server Sequences

Policy Modes

Guidelines for Changing Policy Modes

Changing Policy Modes

Configuring a Simple Authentication Policy

Configuring a Rule-Based Authentication Policy

Policy Sets

Policy Set Evaluation Flow

Guidelines for Creating Policy Sets

Global Authorization Exception Policy

Configuring Policy Sets

Authentication Policy Built-In Configurations

Viewing Authentication Results

Authentication Dashlet

Authentication Reports and Troubleshooting Tools

Cisco ISE Authentication Policies

Authentication policies define the protocols that Cisco ISE uses to communicate with the network devices, and the identity sources that it uses for authentication. A policy is a set of conditions and a result. A policy condition consists of an operand (attribute), an operator (equal to, not equal to, greater than, and so on), and a value. Compound conditions are made up of one or more simple conditions that are connected by the AND or OR operator. At runtime, Cisco ISE evaluates a policy condition and then applies the result that you have defined based on whether the policy evaluation returns a true or a false value.

An authentication policy consists of the following:

  • Network Access Service—This service can be one of the following:

An allowed protocols service to choose the protocols to handle the initial request and protocol negotiation.

A proxy service that will proxy requests to an external RADIUS server for processing.

  • Identity Source—An identity source or an identity source sequence to be used for authentication.

After installation, a default identity authentication policy is available in Cisco ISE that is used for authentications. Any updates to the authentication policy will override the default settings.

Related Topics

Policy Condition Evaluation

During policy condition evaluation, Cisco ISE compares an attribute with a value. It is possible to run into a situation where the attribute specified in the policy condition may not have a value assigned in the request. In such cases, if the operator that is used for comparison is “not equal to,” then the condition will evaluate to true. In all other cases, the condition will evaluate to false.

For example, for a condition Radius.Calling_Station_ID Not Equal to 1.1.1.1, if the Calling Station ID is not present in the RADIUS request, then this condition will evaluate to true. This evaluation is not unique to the RADIUS dictionary and occurs because of the usage of the “Not Equal to” operator.

Supported Authentication Protocols

The following is a list of protocols that you can choose while defining your authentication policy:

  • Password Authentication Protocol (PAP)
  • Protected Extensible Authentication Protocol (PEAP)
  • Microsoft Challenge Handshake Authentication Protocol Version 2 (MS-CHAPv2)
  • Extensible Authentication Protocol-Message Digest 5 (EAP-MD5)
  • Extensible Authentication Protocol-Transport Layer Security (EAP-TLS)
  • Extensible Authentication Protocol-Flexible Authentication via Secure Tunneling (EAP-FAST)
  • Protected Extensible Authentication Protocol-Transport Layer Security (PEAP-TLS)

This section contains the following topics:

Supported Authentication Types and Database

The authentication type is based on the protocols that are chosen. Table 15-1 lists the authentication type and the protocols that are supported by the various databases.

The authentication type is password based, where the authentication is performed against a database with the username and password that is presented in the request. The identity method, which is the result of the authentication policy, can be any one of the following:

  • Deny access—Access to the user is denied and no authentication is performed.
  • Identity database—A single identity database that can be any one of the following:

Internal users

Guest users

Internal endpoints

Active Directory

Lightweight Directory Access Protocol (LDAP) database

RADIUS token server (RSA or SafeWord server)

Certificate authentication profile

  • Identity source sequences—A sequence of identity databases that is used for authentication.

By default, the identity source that Cisco ISE will look up for user information is the internal users database.

Types of Authentication Failures

If you choose the identity method as deny access, a reject message is sent as a response to the request. If you choose an identity database or an identity source sequence and the authentication succeeds, the processing continues to the authorization policy. Some of the authentications fail and these are classified as follows:

  • Authentication failed—Received explicit response that authentication has failed such as bad credentials, disabled user, and so on. The default course of action is reject.
  • User not found—No such user was found in any of the identity databases. The default course of action is reject.
  • Process failed—Unable to access the identity database or databases. The default course of action is drop.

Cisco ISE allows you to configure any one of the following courses of action for authentication failures:

  • Reject—A reject response is sent.
  • Drop—No response is sent.
  • Continue—Cisco ISE continues with the authorization policy.

Even when you choose the Continue option, there might be instances where Cisco ISE cannot continue processing the request due to restrictions on the protocol that is being used. When authentication fails, it is possible to continue to process the authorization policy for PAP/ASCII, EAP-TLS, or MAC authentication bypass (MAB or host lookup).

For all other authentication protocols, when authentication fails, the following happens:

  • Authentication failed—A reject response is sent.
  • User or host not found—A reject response is sent.
  • Process failure—No response is sent and the request is dropped.

Authentication Policy Terminology

The following are some of the commonly used terms in the authentication policy pages:

  • Allowed Protocols—Allowed protocols define the set of protocols that Cisco ISE can use to communicate with the device that requests access to the network resources.
  • Identity Source—Identity source defines which database Cisco ISE should use for user information. The database could be an internal database or an external identity source, such as Active Directory or LDAP. You can add a sequence of databases to an identity source sequence and list this sequence as the identity source in your policy. Cisco ISE will search for the credentials in the order in which the databases are listed in this sequence.
  • Failover Options—You can define what course of action Cisco ISE should take if the authentication fails, the user is not found, or if the process fails.

Simple Authentication Policies

A simple authentication policy allows you to statically define the allowed protocols and the identity source or identity source sequence that Cisco ISE should use for communication. You cannot define any condition for simple policies. Cisco ISE assumes that all conditions are met and uses the following definitions to determine the result:

  • You can create simple policies in situations where you can statically define the allowed protocols and the identity source that must be used always, and no condition needs to be checked.
  • You can also create proxy service-based simple policies. Cisco ISE proxies the request to a policy server to determine which identity source should be used for user authentication. If the request is proxied to a different policy server, the protocol negotiation does not happen. The policy server evaluates which identity source should be used for authentication and returns the response to Cisco ISE.

The procedure for configuring a simple authentication policy includes defining an allowed protocols service and configuring a simple authentication policy. See the “Defining Allowed Protocols for Network Access” section for information on how to create an allowed protocols service.

Related Topics

Simple Authentication Policy Flow

Figure 20-1 Simple Authentication Policy Flow

 

The result of a simple policy can be any one of the following:

  • Authentication passed
  • Authentication failed

An authentication can fail happens due to any of the following reasons:

  • Bad credentials or disabled user.
  • User not found.
  • Authentication process fails.

Guidelines for Configuring Simple Authentication Policies

The following are guidelines that you must adhere to while configuring simple authentication policies:

  • If you wish to use the RADIUS server sequence, then you must define this access service before you define the policy. See the “Cisco ISE Acting as a RADIUS Proxy Server” section for more information.
  • If your users are defined in external identity sources, ensure that you have configured these identity sources in Cisco ISE before you define the policy. See the “Managing Users and External Identity Sources” section for information on how to configure the external identity sources.
  • If you want to use an identity source sequence for authenticating users, ensure that you have created the identity source sequence before you define the policy. See the “Creating Identity Source Sequences” section for more information.
  • When you switch between simple and rule-based authentication policies, you will lose the policy that you configured earlier. For example, if you configured a simple authentication policy and you want to move to a rule-based authentication policy, you will lose the simple authentication policy. Also, when you move from a rule-based authentication policy to a simple authentication policy, you will lose the rule-based authentication policy.
  • Host authentication is performed with the MAC address only (MAB).

Rule-Based Authentication Policies

Rule-based authentication policies consist of attribute-based conditions that determine the allowed protocols and the identity source or identity source sequence to be used for processing the requests. In a simple authentication policy, you can define the allowed protocols and identity source statically. In a rule-based policy, you can define conditions that allows Cisco ISE to dynamically choose the allowed protocols and identity sources. You can define one or more conditions using any of the attributes from the Cisco ISE dictionary. See Table 20-1 , which lists the fixed attributes that are supported by dictionaries, which can be used in policy conditions.

Cisco ISE allows you to create conditions as individual, reusable policy elements that can be referred from other rule-based policies. You can also create conditions from within the policy creation page. The two types of conditions are:

  • Simple condition
  • Compound condition

Related Topics

Rule-Based Authentication Policy Flow

In rule-based policies, you can define multiple rules as illustrated in . The identity database is selected based on the first rule that matches the criteria.

You can also define an identity source sequence consisting of different databases. You can define the order in which you want Cisco ISE to look up these databases. Cisco ISE will access these databases in sequence until the authentication succeeds. If there are multiple instances of the same user in an external database, the authentication fails. There can only be one user record in an identity source.

We recommend that you use only three, or at most four databases in an identity source sequence.

Figure 20-2 Rule-Based Authentication Policy Flow

 

Supported Dictionaries for Rule-Based Authentication Policies

Cisco ISE supports the following dictionaries:

  • System-defined dictionaries

CERTIFICATE

DEVICE

RADIUS

  • RADIUS vendor dictionaries

Airespace

Cisco

Cisco-BBSM

Cisco-VPN3000

Microsoft

Network access

See the “Dictionaries and Dictionary Attributes” section for more information on the dictionaries in Cisco ISE.

Attributes Supported by Dictionaries

Table 20-1 lists the fixed attributes that are supported by dictionaries, which can be used in policy conditions.

Not all of these attributes are available for creating all types of conditions. For example, while creating a condition to choose the access service in authentication policies, you will only see the following network access attributes: Device IP Address, ISE Host Name, Network Device Name, Protocol, and Use Case.

 

Table 20-1 List of Attributes Supported by Dictionaries

Dictionary
Attributes
Allowed Protocol Rules and Proxy
Identity Rules

Device

Device Type (predefined network device group)

Yes

Yes

Device Location (predefined network device group)

Other Custom Network Device Group

Software Version

Model Name

RADIUS

All attributes

Yes

Yes

Network Access

ISE Host Name

Yes

Yes

AuthenticationMethod

No

Yes

AuthenticationStatus

No

No

CTSDeviceID

No

No

Device IP Address

Yes

Yes

EapAuthentication (the EAP method that is used during authentication of a user of a machine)

No

Yes

EapTunnel (the EAP method that is used for tunnel establishment)

No

Yes

Protocol

Yes

Yes

UseCase

Yes

Yes

UserName

No

Yes

WasMachineAuthenticated

No

No

Certificate

Common Name

No

Yes

Country

E-mail

LocationSubject

Organization

Organization Unit

Serial Number

State or Province

Subject

Subject Alternative Name

Subject Alternative Name - DNS

Subject Alternative Name - E-mail

Subject Alternative Name - Other Name

Subject Serial Number

Issuer

Issuer - Common Name

Issuer - Organization

Issuer - Organization Unit

Issuer - Location

Issuer - Country

Issuer - Email

Issuer - Serial Number

Issuer - State or Province

Issuer - Street Address

Issuer - Domain Component

Issuer - User ID

Protocol Settings for Authentication

You must define global protocol settings in Cisco ISE before you can use these protocols to process an authentication request. You can use the Protocol Settings page to define global options for the Extensible Authentication Protocol-Flexible Authentication via Secure Tunneling (EAP-FAST), Extensible Authentication Protocol-Transport Layer Security (EAP-TLS), and Protected Extensible Authentication Protocol (PEAP) protocols, which communicate with the other devices in your network. This section contains the following topics:

Guidelines for Using EAP-FAST as Authentication Protocol

The following are a few guidelines for using EAP-FAST as an authentication protocol:

  • It is highly recommended to enable EAP-TLS inner method when the EAP-FAST accept client certificate is enabled on authenticated provisioning. EAP-FAST accept client certificate on authenticated provisioning is not a separate authentication method, but a shorter form of client certificate authentication that uses the same certificate credentials type to authenticate a user, but does not require to run an inner method.
  • Accept client certificate on authenticated provisioning works with PAC-less full handshake and authenticated PAC provisioning. It does not work for PAC-less session resume, anonymous PAC provisioning, and PAC-based authentication.
  • EAP attributes are displayed per identity (so in EAP chaining displayed twice) are shown in authentication details in monitoring tool in order user then machine even if authentication happens in different order.
  • When EAP-FAST authorization PAC is used then EAP authentication method shown in live logs is equal to the authentication method used for full authentication (as in PEAP) and not as Lookup.
  • In EAP chaining mode when tunnel PAC is expired then ISE falls back to provisioning and AC requests User and Machine authorization PACs - Machine Authorization PAC cannot be provisioned. It will be provisioned in the subsequent PAC-based authentication conversation when AC requests it.
  • When Cisco ISE is configured for chaining and AC for single mode then AC response with IdentityType TLV to ISE. However, the second identity authentication fails. You can see from this conversation that client is suitable to perform chaining but currently is configured for single mode.
  • Cisco ISE supports retrieval attributes and groups for both machine and user in EAP-FAST chaining only for AD. For LDAP and Internal DB ISE uses only the last identity attributes.
  • For EAP-TLS to perform machine authentication, it is required to use binary certificate comparison: Administration > External Identity Sources > Certificate authenticatoin profiles > Pick a profile > “Perform Binary Certificate Comparison with Certificate retrieved from LDAP or Active Directory” needs to be checked. Also, a certificate needs to be present in that AD or LDAP.

Configuring EAP-FAST Settings

You can configure the runtime characteristics of the EAP-FAST protocol from the Global Options page.

Before You Begin

To perform the following task, you must be a Super Admin or System Admin.


Step 1 Choose Administration > System > Settings > Protocols .

Step 2 Choose EAP-FAST > EAP Fast Settings .

Step 3 Enter the details as required to define the EAP-FAST protocol.

Step 4 Click Revoke if you want to revoke all the previously generated master keys and PACs.

Step 5 Click Save to save the EAP-FAST settings.


 

Related Topics

Generating the PAC for EAP-FAST

You can use the Generate PAC option in the Cisco ISE to generate a tunnel or machine PAC for the EAP-FAST protocol.

Before You Begin

To perform the following task, you must be a Super Admin or System Admin.


Step 1 Choose Administration > System > Settings .

Step 2 From the Settings navigation pane on the left, click Protocols .

Step 3 Choose EAP-FAST > Generate PAC .

Step 4 Enter the details as required to generate machine PAC for the EAP-FAST protocol.

Step 5 Click Generate PAC .


 

Related Topics

Configuring EAP-TLS Settings

You can configure the runtime characteristics of the EAP-TLS protocol from the Global Options page.

Before You Begin

To perform the following task, you must be a Super Admin or System Admin.


Step 1 Choose Administration > System > Settings .

Step 2 From the Settings navigation pane on the left, click Protocols .

Step 3 Choose EAP-TLS .

Step 4 Enter the details as required to define the EAP-TLS protocol.

Step 5 Click Save to save the EAP-TLS settings.


 

Related Topics

Configuring PEAP Settings

You can configure the runtime characteristics of the PEAP protocol from the Global Options page.

Before You Begin

To perform the following task, you must be a Super Admin or System Admin.


Step 1 Choose Administration > System > Settings .

Step 2 From the Settings navigation pane on the left, click Protocols .

Step 3 Choose PEAP .

Step 4 Enter the details as required to define the PEAP protocol.

Step 5 Click Save to save the PEAP settings.


 

Related Topics

Configuring RADIUS Settings

You can configure the RADIUS settings to detect the clients that fail to authenticate and to suppress the repeated reporting of successful authentications.


Step 1 Choose Administration > System > Settings .

Step 2 From the Settings navigation pane, click Protocols .

Step 3 Choose RADIUS .

Step 4 Enter the details as required to define the RADIUS settings.

Step 5 Click Save to save the settings.


 

Related Topics

Network Access Service

A network access service contains the authentication policy conditions for requests. You can create separate network access services for different use cases, for example, Wired 802.1X, Wired MAB, and so on. These are the two types of network access services that you can use in authentication policies:

Related Topics

Defining Allowed Protocols for Network Access

Allowed protocols define the set of protocols that Cisco ISE can use to communicate with the device that requests access to the network resources. An allowed protocols access service is an independent entity that you should create before you configure authentication policies. Allowed protocols access service is an object that contains your chosen protocols for a particular use case.

The Allowed Protocols Services page lists all the allowed protocols services that you create. There is a default network access service that is predefined in the Cisco ISE.

Before You Begin

Before you begin this procedure, you should have a basic understanding of the protocol services that are used for authentication.

Review the Cisco ISE Authentication Policies to understand authentication type and the protocols that are supported by various databases.

Review the PAC Options sections to understand the functions and options for each protocol service, so you can make the selections that are appropriate for your network.

Ensure that you have defined the global protocol settings. See the “Protocol Settings for Authentication” section for more information.

To perform the following task, you must be a Super Admin or System Admin.


Step 1 Choose Policy > Policy Elements > Results > Authentication > Allowed Protocols .

If Cisco ISE is set to operate in FIPS mode, some protocols are disabled by default and cannot be configured.

Step 2 Click Add .

Step 3 Enter the required information.

Step 4 Select the appropriate authentication protocols and options for your network.

Step 5 If you choose to use PACs, make the appropriate selections.

To enable Anonymous PAC Provisioning, you must choose both the inner methods, EAP-MSCHAPv2 and Extensible Authentication Protocol-Generic Token Card (EAP-GTC). Also, be aware that Cisco ISE only supports Active Directory as an external identity source for machine authentication.

Step 6 Click Submit to save the allowed protocols service.

The allowed protocols service appears as an independent object in the simple and rule-based authentication policy pages. You can use this object in different rules.

You can now create a simple or rule-based authentication policy.


 

If you disable EAP-MSCHAP as inner method and enable EAP-GTC and EAP-TLS inner methods for PEAP or EAP-FAST, ISE starts EAP-GTC inner method during inner method negotiation. Before the first EAP-GTC message is sent to the client, ISE executes identity selection policy to obtain GTC password prompt from the identity store. During the execution of this policy, Network Access:EapAuthentication attribute is equal to EAP-GTC. If EAP-GTC inner method is rejected by the client and EAP-TLS is negotiated, identity store policy is not executed again. In case identity store policy is based on Network Access:EapAuthentication attribute, it might have unexpected results since the real EAP authentication is EAP-TLS but was set after identity policy evaluation.

Related Topics

Enabling MAB from Non-Cisco Devices

Configure the following settings sequentially, as described in Table 20-2 to configure MAB from non-Cisco devices.

 

Table 20-2 Settings for Enabling MAB from Non-Cisco Devices

Task
More Information

Step 1

Ensure that the MAC address of the endpoints that are to be authenticated are available in the Endpoints database. You can add these endpoints or have them profiled automatically by the Profiler service.

See the “Creating a Network Device Definition in Cisco ISE” section for more information.

Step 2

Create an Allowed Protocol service based on the type of MAC authentication used by the non-Cisco device (PAP, CHAP, or EAP-MD5).

1. Choose Policy > Policy Elements > Results >Authentication > Allowed Protocols .

2. Enter a name for the Allowed Protocol service. For example, MAB for NonCisco Devices

3. Select the protocol based on the MAC authentication type used by the non-Cisco device:

PAP—Check the Allow PAP/ASCII check box and check the Detect PAP as Host Lookup check box.

CHAP—Check the Allow CHAP check box and check the Detect CHAP as Host Lookup check box.

EAP-MD5—Check the Allow EAP-MD5 check box and check Detect EAP-MD5 as Host Lookup check box.

For each of the protocol listed above, it is recommended to check the following check boxes:

Check Password—Enable this for checking of the trivial MAB password to authenticate the sending network device.

Check Calling-Station-Id equals MAC address—Enable this as an extra security check, when Calling-Station-Id is being sent.

4. Save the Allowed Protocol service.

See Defining Allowed Protocols for Network Access and Allowed Protocols Services Settings for details.

Step 3

Configure an authentication policy rule for enabling MAB from non-Cisco devices.

1. Choose Policy > Authentication .

2. Select the Rule-Based authentication policy.

3. Insert a new rule for MAB.

4. Select the Allowed Protocol service (MAB for NonCisco Devices) that you created in Step 2 in this rule.

5. Select the Internal Endpoints database as the Identity Source in this rule.

6. Save the authentication policy.

See Configuring a Rule-Based Authentication Policy for more information.

Enabling MAB from Cisco Devices

Configure the following settings sequentially, as described in Table 20-3 to configure MAB from Cisco devices.

 

Table 20-3 Settings for Enabling MAB from Cisco Devices

Task
More Information

Step 1

Ensure that the MAC address of the endpoints that are to be authenticated are available in the Endpoints database. You can add these endpoints or have them profiled automatically by the Profiler service.

See the “Creating a Network Device Definition in Cisco ISE” section for more information.

Step 2

Create an Allowed Protocol service based on the type of MAC authentication used by the Cisco device (PAP, CHAP, or EAP-MD5).

1. Choose Policy > Policy Elements > Results >Authentication > Allowed Protocols .

2. Enter a name for the Allowed Protocol service. For example, MAB for Cisco Devices.

3. Check the Process Host Lookup check box.

4. Select the protocol based on the MAC authentication type used by the Cisco device:

PAP—Check the Allow PAP/ASCII check box and check the Detect PAP as Host Lookup check box.

CHAP—Check the Allow CHAP check box and check the Detect CHAP as Host Lookup check box.

EAP-MD5—Check the Allow EAP-MD5 check box and check Detect EAP-MD5 as Host Lookup check box.

For each of the protocol listed above, it is recommended to check the following check boxes:

Check Password—Enable this for checking of the trivial MAB password to authenticate the sending network device.

Check Calling-Station-Id equals MAC address—Enable this as an extra security check, when Calling-Station-Id is being sent.

5. Save the Allowed Protocol service.

See Defining Allowed Protocols for Network Access and Allowed Protocols Services Settings for details.

Step 3

Configure an authentication policy rule for enabling MAB from Cisco devices.

1. Choose Policy > Authentication .

2. Select the Rule-Based authentication policy.

3. Insert a new rule for MAB.

4. Select the Allowed Protocol service (MAB for Cisco Devices) that you created in Step 2 in this rule.

5. Select the Internal Endpoints database as the Identity Source in this rule.

6. Save the authentication policy.

See Configuring a Rule-Based Authentication Policy for more information.

Cisco ISE Acting as a RADIUS Proxy Server

Cisco ISE can function both as a RADIUS server and as a RADIUS proxy server. When it acts as a proxy server, Cisco ISE receives authentication and accounting requests from the network access server (NAS) and forwards them to the external RADIUS server. Cisco ISE accepts the results of the requests and returns them to the NAS.

Cisco ISE can simultaneously act as a proxy server to multiple external RADIUS servers. You can use the external RADIUS servers that you configure here in RADIUS server sequences. The External RADIUS Server page lists all the external RADIUS servers that you have defined in Cisco ISE. You can use the filter option to search for specific RADIUS servers based on the name or description, or both. In both simple and rule-based authentication policies, you can use the RADIUS server sequences to proxy the requests to a RADIUS server.

The RADIUS server sequence strips the domain name from the RADIUS-Username attribute for RADIUS authentications. This domain stripping is not applicable for EAP authentications, which use the EAP-Identity attribute. The RADIUS proxy server obtains the username from the RADIUS-Username attribute and strips it from the character that you specify when you configure the RADIUS server sequence. For EAP authentications, the RADIUS proxy server obtains the username from the EAP-Identity attribute. EAP authentications that use the RADIUS server sequence will succeed only if the EAP-Identity and RADIUS-Username values are the same.

To use the RADIUS server sequence for authentication, you should successfully complete the following tasks:

Configuring External RADIUS Servers

You must configure the external RADIUS servers in the Cisco ISE to enable it to forward requests to the external RADIUS servers. You can define the timeout period and the number of connection attempts.

Before You Begin

  • You cannot use the external RADIUS servers that you create in this section by themselves. You must create a RADIUS server sequence and configure it to use the RADIUS server that you create in this section. You can then use the RADIUS server sequence in authentication policies.

To create the RADIUS server sequence, see the “RADIUS Server Sequence” section.

  • To perform the following task, you must be a Super Admin or System Admin.

Step 1 Choose Administration > Network Resources > External RADIUS Servers .

The RADIUS Servers page appears with a list of external RADIUS servers that are defined in Cisco ISE.

Step 2 Click Add to add an external RADIUS server.

Step 3 Enter the values as required.

Step 4 Click Submit to save the external RADIUS server configuration.


 

Related Topics

RADIUS Server Sequence

RADIUS server sequences in Cisco ISE allow you to proxy requests from a NAD to an external RADIUS server that will process the request and return the result to Cisco ISE, which forwards the response to the NAD.

RADIUS Server Sequences page lists all the RADIUS server sequences that you have defined in Cisco ISE. You can create, edit, or duplicate RADIUS server sequences from this page.

Related Topics

Defining RADIUS Server Sequences

You can add RADIUS Server Sequences from this page.

Before You Begin

  • Before you begin this procedure, you should have a basic understanding of the Proxy Service and must have successfully completed the task for Configuring External RADIUS Servers.
  • To perform the following task, you must be a Super Admin or System Admin.

Step 1 Choose Administration > Network Resources > RADIUS Server Sequences .

Step 2 Click Add.

Step 3 Enter the values as required.

Step 4 Click Submit to save the RADIUS server sequence to be used in policies.


 

What to do Next

See the “Configuring a Rule-Based Authentication Policy” section for information on how to configure a simple authentication policy using the RADIUS server sequence that you created.

Related Topics

Policy Modes

Cisco ISE provides two types of policy modes, the Simple mode and the Policy Set mode. You can select either one of these to configure authentication and authorization policies. When you change the policy mode, you are prompted to login again to the Cisco ISE interface. If you switch from the Policy Set mode to the Simple mode, all the policy set data is deleted except the default policy. The Policy menu options change based on the policy mode selection.

  • Simple Mode—If you select Simple mode, you can define authentication and authorization policies separately in the Policy menu.

Figure 20-3 Simple Mode Policy Menu

 

  • Policy Set Mode—If you select Policy Set mode, you can create policy sets and logically group authentication and authorization within the same group. You can have several groups based on what you need.

Figure 20-4 Policy Set Mode Policy Menu

 

Related Topics

Guidelines for Changing Policy Modes

The following are the guidelines for changing the policy modes:

  • After you do a fresh install or upgrade from Cisco ISE, Release 1.1, the Simple Mode policy model is selected by default.
  • If you choose to switch to Policy Set Mode from Simple Mode, the authentication and authorization policies are migrated to the default policy set.
  • If you choose to switch to Simple Mode from Policy Set Mode, the authentication and authorization of the default policy set are migrated to be the authentication and authorization policies. All other policy set policies are deleted.

Changing Policy Modes

You can use this page to change the policy modes.


Step 1 Choose Administration > System > Settings > Policy Sets .

Step 2 Enable or Disable the Policy Set mode.

Step 3 Click Save .

You will be prompted to login again, for the new policy mode to come into effect.


 

Related Topics

Configuring a Simple Authentication Policy

The procedure for configuring a simple authentication policy includes defining an allowed protocols service and configuring a simple authentication policy. See the “Defining Allowed Protocols for Network Access” section for information on how to create an allowed protocols service.

Before You Begin

  • Before you begin this procedure, you should have successfully completed the task for Defining Allowed Protocols for Network Access.
  • To configure a simple authentication policy using the RADIUS server sequence, you should have a basic understanding of the Proxy Service and have successfully completed the task for RADIUS Server Sequence.
  • To configure a simple authentication policy using the RADIUS server sequence, you should have a basic understanding of the Cisco ISE Authentication Policies to understand authentication type and the protocols that are supported by various databases.
  • To perform the following task, you must be a Super Admin or System Admin.

You can also use this process to configuring a simple policy using RADIUS server sequence.


Step 1 Choose Policy > Authentication .

Step 2 Click OK on the message that appears.

Step 3 Enter the values as required.

Step 4 Click Save to save your simple authentication policy.


 

Related Topics

Configuring a Rule-Based Authentication Policy

In a rule-based policy, you can define conditions that allows Cisco ISE to dynamically choose the allowed protocols and identity sources. You can define one or more conditions using any of the attributes from the Cisco ISE dictionary. See Table 20-1 lists the fixed attributes that are supported by dictionaries, which can be used in policy conditions..


Timesaver We recommend that you create the allowed protocol access services, conditions, and identity source sequences before you create the rule-based authentication policy. If you want to use the RADIUS server sequence, you can define the RADIUS server sequence before you create the policy. See the “Cisco ISE Acting as a RADIUS Proxy Server” section for more information.


Before You Begin

Defining Allowed Protocols for Network Access

Creating Identity Source Sequences if you want to use an identity source sequence

RADIUS Server Sequence if you want to use the RADIUS server sequence in place of the Allowed Protocols access service

  • Cisco ISE comes with predefined rule-based authentication policies for the Wired 802.1X, Wireless 802.1X, and Wired MAB use cases. See the “Authentication Policy Built-In Configurations” section for more information on these predefined policies. You can edit these policies to suit your requirements.
  • To perform the following task, you must be a Super Admin or System Admin.
  • If your users are defined in external identity sources, ensure that you have configured these identity sources in Cisco ISE. See Chapter 15, “Managing Users and External Identity Sources” for information on how to configure the external identity sources.

Note When you switch between a simple and a rule-based authentication policy, you will lose the policy that you configured earlier. For example, if you have a simple authentication policy configured and you want to move to a rule-based authentication policy, you will lose the simple authentication policy. Also, when you move from a rule-based authentication policy to a simple authentication policy, you will lose the rule-based authentication policy.



Step 1 Choose Policy > Authentication .

Step 2 Click the Rule-Based radio button.

Step 3 Click OK on the message that appears.

Step 4 Click the action icon and click Insert new row above or Insert new row below based on where you want the new policy to appear in this list. The policies will be evaluated sequentially.

Each row in this rule-based policy page is equivalent to the simple authentication policy. Each row contains a set of conditions that determine the allowed protocols and identity sources.

Step 5 Enter the values as required to create a new authentication policy.

Step 6 Click Save to save your rule-based authentication policies.


 

You can edit the default identity source that you want Cisco ISE to use in case none of the identity sources defined in this rule match the request.

The last row in this policy page is the default policy that will be applied if none of the rules match the request. You can edit the allowed protocols and identity source selection for the default policy.

You cannot specify the “UserName” attribute when configuring an authentication policy when the EAP-FAST client certificate is sent in the outer TLS negotiation. Cisco recommends using certificate fields like “CN” and “SAN,” for example.

It is a good practice to choose Deny Access as the identity source in the default policy if the request does not match any of the other policies that you have defined.

Related Topics

Policy Sets

Policy sets enable you to logically group authentication and authorization policies within the same set. You can have several policy sets based on an area, such as policy sets based on location, access type and similar parameters.

Policy sets are first-match policies. Each policy has a condition that can be a simple or a compound condition, and have the following supported dictionaries:

  • Airspace
  • Cisco
  • Cisco-BBSM
  • Cisco-VPN3000
  • Device, Microsoft
  • NetworkAccess
  • RADIUS

Once the policy set is matched and selected, its authentication and authorization policies are evaluated. In addition, a global authorization exception policy is available as part of the policy set model.

There is always one policy set defined, which is the default policy set.

Related Topics

Policy Set Evaluation Flow

Figure 20-5 Policy Set Authentication and Authorization Evaluation Flow

 

The sequence of policy set and the authentication and authorization evaluation flow is as follows:

1. Evaluate policy set (by evaluating the policy set condition). As a result, one policy set is selected.

2. Evaluate allowed protocols rules of the selected policy set.

3. Evaluate ID store rules of the selected policy set.

4. Evaluate authorization rules of the selected policy set, based on the following paradigm:

a. Evaluate the local exception policy in case it is defined

b. If no match is found in Step 1 above, evaluate global exception policy if defined

c. If no match is found in Step 2 above, evaluate authorization rules

If none of the policy set matches, the default policy set will be selected.

Guidelines for Creating Policy Sets

The following are the guidelines for creating policy sets:

  • Rules should be specified with names, conditions, and results. You cannot save a policy set as long as all the authentication and authorization rules are not defined.
  • You can duplicate rules as long as they are from the same rule type (authentication or authorization) and only from the same policy set.
  • Rules cannot be shared by different policy sets; each policy set has its own rule, however conditions can be shared in case you use the condition library.

Global Authorization Exception Policy

The global authorization exception policy allows you to define rules that apply to all policy sets. The global authorization exception policy is added to each authorization policy of all the policy set. Global authorization exception policy can be updated by selecting the Global Exceptions option from the policy set list.

Each authorization policy can have local exception rule, global exception rule, and regular rules. Once you configure the local authorization exception rule, (for some authorization policies) the global exception authorization rules are displayed in read-only mode in conjunction to the local authorization exception rule. The local authorization exception rule can overwrite the global exception rule. The authorization rules are processed in the following order: first the local exception rule, then the global exception rule, and finally, the regular rule of the authorization policy.

Configuring Policy Sets

You can use this page to configure Policy sets.

Before You Begin

You should have selected the policy mode as Policy Set to be able to configure Policy sets. To do this, go to Administration > System > Settings > Policy Sets .


Step 1 Choose Policy > Policy Sets .

Step 2 Click the Default policy. The default policy is displayed in the right.

Step 3 Click the plus (+) sign on top and choose Create Above .

Step 4 Enter the name, description and a condition for this group policy.

Step 5 Define the authentication policy.

Step 6 Define the authorization policy.

Step 7 Click Submit . After you configure a policy set, Cisco ISE logs you out. You must log in again to access the Admin portal.


 

Related Topics

Authentication Policy Built-In Configurations

The Cisco ISE software comes with several built-in configurations that are part of common use cases. These built-in configurations are called defaults. Table 20-4 describes the defaults that relate to authentication policies.

 

Table 20-4 Authentication Policy Configuration Defaults

Name
Path in the User Interface
Description
Additional Information

Default Network Access Allowed Protocols Access Service

Policy > Policy Elements > Configuration > Allowed Protocols

This default is the built-in network access allowed protocols service to be used in authentication policies.

You can use this access service for wired and wireless 802.1X, and wired MAB authentication policies.

Wired 802.1X Compound Condition

Policy > Policy Elements > Conditions > Authentication > Compound Conditions

This compound condition checks for the following attributes and values:

  • RADIUS:Service-Type equals Framed
  • RADIUS:NAS-Port-Type equals Ethernet

This compound condition is used in the wired 802.1X authentication policy. Any request that matches the criteria specified in this policy would be evaluated based on the wired 802.1X authentication policy.

Wireless 802.1X Compound Condition

Policy > Policy Elements > Conditions > Authentication > Compound Conditions

This compound condition checks for the following attributes and values:

  • RADIUS:Service-Type equals Framed
  • RADIUS:NAS-Port-Type equals Wireless-IEEE802.11

This compound condition is used in the wireless 802.1X authentication policy. Any request that matches the criteria specified in this policy would be evaluated based on the wireless 802.1X authentication policy.

Wired MAB Compound Condition

Policy > Policy Elements > Conditions > Authentication > Compound Conditions

This compound condition checks for the following attributes and values:

  • RADIUS:Service-Type equals Call-Check
  • RADIUS:NAS-Port-Type equals Ethernet

This compound condition is used in the wired MAB authentication policy. Any request that matches the criteria specified in this policy would be evaluated based on the wired MAB authentication policy.

Catalyst Switch Local Web Authentication Compound Condition

Policy > Policy Elements > Conditions > Authentication > Compound Conditions

This compound condition checks for the following attributes and values:

  • RADIUS:Service-Type equals Outbound
  • RADIUS:NAS-Port-Type equals Ethernet

To use this compound condition, you must create an authentication policy that would check for this condition. See Configuring a Rule-Based Authentication Policy for more information. You can also define an access service based on your requirements or use the default network access allowed protocols service for this policy. SeeNetwork Access Service for more information.

Wireless Lan Controller (WLC) Local Web Authentication Compound Condition

Policy > Policy Elements > Conditions > Authentication > Compound Conditions

This compound condition checks for the following attributes and values:

  • RADIUS:Service-Type equals Outbound
  • RADIUS:NAS-Port-Type equals Wireless-IEEE802.11

To use this compound condition, you must create an authentication policy that would check for this condition. See Configuring a Rule-Based Authentication Policy for more information. You can also define an access service based on your requirements or use the default network access allowed protocols service for this policy. SeeNetwork Access Service for more information.

Wired 802.1X Authentication Policy

Policy > Authentication > Rule-Based

This policy uses the wired 802.1X compound condition and the default network access allowed protocols service. This policy will evaluate requests that match the criteria specified in the wired 802.1X compound condition.

This default policy uses the internal endpoints database as its identity source. You can edit this policy to configure any identity source sequence or identity source based on your needs.

Wireless 802.1X Authentication Policy

Policy > Authentication > Rule-Based

This policy uses the wireless 802.1X compound condition and the default network access allowed protocols service. This policy will evaluate requests that match the criteria specified in the wireless 802.1X compound condition.

This default policy uses the internal endpoints database as its identity source. You can edit this policy to configure any identity source sequence or identity source based on your needs.

Wired MAB Authentication Policy

Policy > Authentication > Rule-Based

This policy uses the wired MAB compound condition and the default network access allowed protocols service. This policy will evaluate requests that match the criteria specified in the wired MAB compound condition.

This default policy uses the internal endpoints database as its identity source.

Viewing Authentication Results

Cisco ISE provides various ways to view real-time authentication summary.

Before You Begin

To perform the following task, you must be a Super Admin or System Admin.


Step 1 Choose Operations > Authentications to view real-time authentication summary. A page similar to the one shown in Figure 20-6 appears.

Figure 20-6 Live Authentications Page

 

Step 2 You can view the authentication summary in the following ways:

    • Hover your mouse cursor over the Status icon to view the results of the authentication and a brief summary. A pop-up that is similar to the one shown in Figure 20-6 appears.
    • Enter your search criteria in any one or more of the text boxes that appear at the top of the list, and press Enter, to filter your results.
    • Click the magnifier icon in the Details column to view a detailed report.

Note As the Authentication Summary report or dashboard collects and displays the latest data corresponding to failed or passed authentications, the contents of the report appear after a delay of a few minutes.


Step 3 Click Show Live Sessions to view the real-time session summary. A page similar to the one shown in Figure 20-7 appears.

Figure 20-7 Live Sessions Page

 

Step 4 Click the Details icon corresponding to the desired entry in the Live Session page to view the drill-down report of the live authentications. A page similar to the one shown in Figure 20-8 appears.

Figure 20-8 Live Authentication Details Drill-down Report

 


 

Related Topics

Cisco ISE Admin Groups, Access Levels, Permissions, and Restrictions

Authentication Dashlet

The Cisco ISE dashboard provides a summary of all authentications that take place in your network. It provides at-a-glance information about authentications and authentication failures in the Authentications dashlet.

The Authentications dashlet provide the following statistical information about the RADIUS authentications that Cisco ISE has handled:

  • The total number of RADIUS authentication requests that Cisco ISE has handled, including passed authentications, failed authentications, and simultaneous logins by the same user.
  • The total number of failed RADIUS authentications requests that Cisco ISE has processed.

For information on dashboard and dashlets and how to access more information, see the “Cisco ISE Dashboard” section and Monitoring Database.

Authentication Reports and Troubleshooting Tools

Apart from the authentication details, Cisco ISE provides various reports and troubleshooting tools that you can use to efficiently manage your network.

There are various reports that you can run to understand the authentication trend and traffic in your network. You can generate reports for historical as well as current data. The following is a list of authentication reports:

  • AAA Diagnostics
  • RADIUS Accounting
  • RADIUS Authentication
  • Authentication Summary

 

For more information on how to generate and use reports, see Chapter27, “Reporting”