Administer Cisco ISE

Use the tasks and reference information in this chapter to specify global settings and configure essential functions in Cisco ISE.

Log in to Cisco ISE

Log in to Cisco ISE using your administrator username and password.

If you do not enable SSH during the initial setup, you cannot access the ISE admin console via SSH. To enable SSH, enter the service sshd enable command in global configuration mode of the Cisco ISE CLI. You can disable SSH with the no service sshd command in global configuration mode.

Procedure
    Step 1   Enter the Cisco ISE URL in the address bar of your browser (for example, https://<ise hostname or ip address>/admin/).
    Step 2   Enter the username and case-sensitive password that were specified and configured during the initial Cisco ISE setup.
    Step 3   Click Login or press Enter.

    If your login is unsuccessful, click the Problem logging in? link in the Login page and follow the instructions.


    Administrator Login Browser Support

    The Cisco ISE Admin portal supports the following HTTPS-enabled browsers:

    • Mozilla Firefox versions 31.x ESR, 32.x, and 33.x

    • Microsoft Internet Explorer 10.x and 11.x

    Adobe Flash Player 11.2.0.0 or above must be installed on the system running your client browser.

    The minimum required screen resolution to view the Admin portal, and for a better user experience, is 1280 x 800 pixels.

    Administrator Lockout Following Failed Login Attempts

    If you enter an incorrect password for your specified administrator user ID enough times, the Admin portal “locks you out” of the system, adds a log entry in the Server Administrator Logins report, and suspends the credentials for that administrator ID until you have an opportunity to reset the password that is associated with that administrator ID, as described in the “Performing Post-Installation Tasks” chapter of the Cisco Identity Services Engine Hardware Installation Guide, Release 1.3. The number of failed attempts that is required to disable the administrator account is configurable according to the guidelines that are described in the “User Account Custom Attributes and Password Policies” section. After an administrator user account gets locked out, an e-mail is sent to the associated administrator user.

    A disabled system administrator account can be re-enabled by any Super Admin, including Active Directory users.

    Related Concepts
    User Account Custom Attributes and Password Policies

    Specify Proxy Settings in Cisco ISE

    If your existing network topology requires Cisco ISE to use a proxy to access external resources (such as the remote download site where you can find client provisioning and posture-related resources), you can use the Admin portal to specify the proxy properties.

    The proxy settings impact the following Cisco ISE functions:

    • Partner Mobile Management
    • Endpoint Profiler Feed Service Update
    • Endpoint Posture Update
    • Endpoint Posture Agent Resources Download
    • CRL (Certificate Revocation List) Download

    The Cisco ISE proxy configuration supports basic authentication for proxy servers. NT LAN Manager (NTLM) authentication is not supported.

    Procedure
      Step 1   Choose Administration > System > Settings > Proxy.
      Step 2   Enter the proxy IP address or DNS-resolvable host name and specify the port through which proxy traffic travels to and from Cisco ISE in Proxy host server : port.
      Step 3   Check the Password required check box if the proxy requires authentication.
      Step 4   Enter the user name and password used to authenticate to the proxy servers in the User Name and Password fields.
      Step 5   Enter the IP address or address range of hosts or domains to be bypassed in Bypass proxy for these hosts and domain.
      Step 6   Click Save.

      Related Tasks
      Enable Client Provisioning in Cisco ISE
      Download Client Provisioning Resources Automatically
      Related References
      Cannot Download Remote Client Provisioning Resources

      Ports Used by the Admin Portal

      The Admin portal is set to use HTTP port 80 and HTTPS port 443, and you cannot change these settings. Cisco ISE also prevents you from assigning any of the end-user portals to use the same ports, which reduces the risk to the Admin portal.

      Specify System Time and NTP Server Settings

      Cisco ISE allows you to configure up to three Network Time Protocol (NTP) servers. You can use the NTP servers to maintain accurate time and synchronize time across different timezones. You can also specify whether or not Cisco ISE should use only authenticated NTP servers, and you can enter one or more authentication keys for that purpose.

      Cisco recommends that you set all Cisco ISE nodes to the Coordinated Universal Time (UTC) timezone—especially if your Cisco ISE nodes are installed in a distributed deployment. This procedure ensures that the reports and logs from the various nodes in your deployment are always in sync with regard to the timestamps.

      Before You Begin

      You must have either the Super Admin or System Admin administrator role assigned.

      If you have both a primary and a secondary Cisco ISE node, you must log in to the user interface of the secondary node and configure the system time and NTP server settings on each Cisco ISE node in your deployment individually.

      Procedure
        Step 1   Choose Administration > System > Settings > System Time.
        Step 2   Enter unique IP addresses for your NTP servers.
        Step 3   Check the Only allow authenticated NTP servers check box if you want to restrict Cisco ISE to use only authenticated NTP servers to keep system and network time.
        Step 4   Click the NTP Authentication Keys tab and specify one or more authentication keys if any of the servers that you specify requires authentication via an authentication key, as follows:
        1. Click Add.
        2. Enter the necessary Key ID and Key Value, specify whether the key in question is trusted by activating or deactivating the Trusted Key option, and click OK. The Key ID field supports numeric values from 1 to 65535 and the Key Value field supports up to 15 alphanumeric characters.
        3. Return to the NTP Server Configuration tab when you are finished entering the NTP Server Authentication Keys.
        Step 5   Click Save.

        Change the System Time Zone

        Once set, you cannot edit the time zone from the Admin portal. To change the time zone setting, you must enter the following command in the Cisco ISE CLI:

        clock timezone timezone


        Caution

        Changing the time zone on a Cisco ISE appliance after installation requires ISE services to be restarted on that particular node. Therefore, we recommend that you perform such changes within a maintenance window. It is also important to have all the nodes in a single ISE deployment configured to the same time zone. If you have ISE nodes located in different geographical locations or time zones, you should use a global time zone such as UTC on all the ISE nodes.


        For more information on the clock timezone command, refer to the Cisco Identity Services Engine CLI Reference Guide.

        Configure SMTP Server to Support Notifications

        You must set up a Simple Mail Transfer Protocol (SMTP) server to send e-mail notifications for alarms, to enable sponsors to send e-mail notifications to guests with their login credentials and password reset instructions, and to enable guests to automatically receive their login credentials after they successfully register themselves, as well as notifications of actions to take before their guest accounts expire.

        Procedure
          Step 1   Choose Administration > System > Settings > SMTP Server.
          Step 2   Enter the host name of the outbound SMTP server in the SMTP server field. This SMTP host server must be accessible from the Cisco ISE server. The maximum length for this field is 60 characters.
          Step 3   Choose one of these options:
          • Use email address from Sponsor to send guest notification e-mail from the e-mail address of the sponsor and choose Enable Notifications.

          • Use Default email address to specify a specific e-mail address from which to send all guest notifications and enter it in the Default email address field.
          Step 4   Click Save.

          The recipient of alarm notifications can be any internal admin user who has the “Include system alarms in emails” option enabled. The sender’s e-mail address for alarm notifications is hardcoded as ise@<hostname>.

          Related Tasks
          Customize Guest Notifications, Approvals and Error Messages
          Enable and Configure Alarms

          SMS Providers and Services

          SMS services are required when you and sponsors want to send SMS notifications to guests that are using credentialed Guest portals. Whenever possible, configure and provide free SMS service providers to lower your company's expenses.

          Cisco ISE provides a variety of cellular service providers that provide free SMS services to their own subscribers. You can use these providers without a service contract and without configuring their account credentials in Cisco ISE. These include AT&T, Orange, Sprint, T-Mobile, and Verizon.

          You can also add other cellular service providers that offer free SMS services, or a global SMS service provider such as Clickatell. The default global SMS service provider requires a service contract, and you must configure its account credentials in Cisco ISE.

          • If self-registering guests pick their free SMS service provider on the Self-Registration form, SMS notifications with their login credentials are sent to them free of cost. If they do not pick their SMS service provider, then the default global SMS service provider contracted by your company is used to send the SMS notifications.

          • If you allow sponsors to send SMS notifications to guests whose accounts they have created, you should also customize the sponsor portal and select all the appropriate SMS service providers that can be used by these sponsors. If you do not select any SMS service providers for the Sponsor portal, the default global SMS service provider contracted by your company will provide the SMS services.

          Configure SMS Gateways to Send SMS Notifications to Guests

          You must set up SMS gateways in Cisco ISE to enable:
          • Sponsors to manually send SMS notifications to guests with their login credentials and password reset instructions.
          • Guests to automatically receive SMS notifications with their login credentials after they successfully register themselves.
          • Guests to automatically receive SMS notifications with actions to take before their guest accounts expire.

          When entering information in the fields, you should update all text within [ ], such as [USERNAME], [PASSWORD], [PROVIDER_ID], etc., with information specific to your SMS provider's account.

          Before You Begin

          Configure a default SMTP server to use for the SMS Email Gateway option.

          Procedure
            Step 1   Choose Administration > System > Settings > SMS Gateway.
            Step 2   Click Add.
            Step 3   Enter an SMS Gateway Provider Name.
            Step 4   Select a Provider Interface Type and enter the required information:
            • SMS Email Gateway to send SMS via an email server.
            • SMS HTTP API to send SMS via an HTTP API (GET or POST method).
            Step 5   Check Break up long message into multiple parts to enable Cisco ISE to divide messages that exceed 140 bytes into multiple messages. Most SMS providers divide long SMS messages into multiple parts automatically. MMS messages can be longer than SMS messages.
            Step 6   Click Submit.

            Related References
            SMS Gateway Settings

            Install a Software Patch

            You can install patches on Cisco ISE servers in your deployment from the primary administration node. To install a patch from the Admin portal, you must download the patch from Cisco.com to the system that runs your client browser.

            Note

            Cisco ISE allows you to install a patch on an Inline Posture node only through the CLI.

            To install patches from the CLI, refer to Cisco Identity Services Engine CLI Reference Guide, Release 1.3.

            Before You Begin

            You must have the Super Admin or System Admin administrator role assigned.

            Procedure
              Step 1   Choose Administration > System > Maintenance > Patch Management > Install.
              Step 2   Click Browse and choose the patch that you downloaded from Cisco.com.
              Step 3   Click Install to install the patch.

              After the patch is installed on the primary administration node, Cisco ISE logs you out and you have to wait for a few minutes before you can log in again.

              Note   

              When patch installation is in progress, Show Node Status is the only function that is accessible on the Patch Management page.

              Step 4  
              Step 5   Choose Administration > System > Maintenance > Patch Management to return to the Patch Installation page.
              Step 6   Click the radio button next to the patch that you have installed on any secondary nodes and click Show Node Status to verify whether installation is complete.

              What to Do Next

              If you need to install the patch on one or more secondary nodes, ensure that the nodes are up and repeat the process to install the patch on the remaining nodes.

              Cisco ISE Software Patches

              Cisco ISE software patches are usually cumulative. However, any restrictions on the patch installation are described in the README file included with the patch. Cisco ISE allows you to perform patch installation and rollback from CLI or GUI.

              Software Patch Installation Guidelines

              When you install or roll back a patch from a standalone or primary administration node, Cisco ISE restarts the application. You might have to wait for a few minutes before you can log in again.

              Ensure that you install patches that are applicable for the Cisco ISE version that is deployed in your network. Cisco ISE reports any mismatch in versions as well as any errors in the patch file.

              You cannot install a patch with a version that is lower than the patch that is currently installed on Cisco ISE. Similarly, you cannot roll back changes of a lower-version patch if a higher version is currently installed on Cisco ISE. For example, if patch 3 is installed on your Cisco ISE servers, you cannot install or roll back patch 1 or 2.

              When you install a patch from a primary administration node that is part of a distributed deployment, Cisco ISE installs the patch on the primary node and then all the secondary nodes in the deployment. If the patch installation is successful on the primary node, Cisco ISE then continues patch installation on the secondary nodes. If it fails on the primary node, the installation does not proceed to the secondary nodes. However, if the installation fails on any of the secondary nodes for any reason, it still continues with the next secondary node in your deployment. Secondary Cisco ISE nodes are restarted consecutively after the patch is installed on those nodes. While installing a patch on secondary nodes, you can continue to perform tasks on the primary administration node.

              Roll Back Software Patches

              When you roll back a patch from a primary administration node that is part of a distributed deployment, Cisco ISE rolls back the patch on the primary node and then on all the secondary nodes in the deployment.

              Before You Begin

              You must have either the Super Admin or System Admin administrator role assigned.

              Procedure
                Step 1   Choose Administration > System > Maintenance > Patch Management.
                Step 2   Click the radio button for the patch version whose changes you want to roll back and click Rollback.
                Note   

                When a patch rollback is in progress, Show Node Status is the only function that is accessible on the Patch Management page.

                After the patch is rolled back from the primary administration node, Cisco ISE logs you out and you have to wait a few minutes before you can log in again.

                Step 3  
                Step 4   Choose Administration > System > Maintenance > Patch Management.
                Step 5   To view the progress of the patch rollback, choose the patch in the Patch Management page and click Show Node Status.
                Step 6   Click the radio button for the patch and click Show Node Status on any secondary nodes to ensure that the patch is rolled back from all the nodes in your deployment.

                If the patch is not rolled back from any of the secondary nodes, ensure that the node is up and repeat the process to roll back the changes from the remaining nodes. Cisco ISE only rolls back the patch from the nodes that still have this version of the patch installed.


                Software Patch Rollback Guidelines

                To roll back a patch from Cisco ISE nodes in a deployment, you must first roll back the change from the primary node. If this is successful, the patch is then rolled back from the secondary nodes. If the rollback process fails on the primary node, the patches are not rolled back from the secondary nodes. However, if the rollback fails on any of the secondary nodes, Cisco ISE still continues to roll back the patch from the next secondary node in your deployment.

                While Cisco ISE rolls back the patch from the secondary nodes, you can continue to perform other tasks from your primary administration node GUI. The secondary nodes will be restarted after the rollback.

                View Patch Install and Rollback Changes

                The monitoring and troubleshooting component of Cisco ISE provides information on the patch installation and rollback operations that are performed on your Cisco ISE nodes according to a time period that you specify.

                Before You Begin

                You must have either the Super Admin or System Admin administrator role assigned.

                Procedure
                  Step 1   Choose Operations > Reports > Catalog > Server Instance.
                  Step 2   Click the Server Operations Audit radio button, click Run, and choose the time period for which you want to generate the report.
                  Step 3   Click the Launch Interactive Viewer link in the upper right corner of the page to view, sort, and filter the data in this report.

                  Enable FIPS Mode in Cisco ISE

                  You can provide Federal Information Processing Standard (FIPS) 140-2 compliant encryption and decryption in your Cisco ISE network.

                  Procedure
                    Step 1   Choose Administration > System > Settings > FIPS Mode.
                    Step 2   Choose the Enabled option from the FIPS Mode drop-down list.
                    Step 3   Click Save and restart your machine.

                    What to Do Next

                    Once you have enabled FIPS mode, enable and configure the following FIPS 140-2 compliant functions:

                    In addition, you may want to enable administrator account authorization using a Common Access Card (CAC) function. Although using CAC functions for authorization is not strictly a FIPS 140-2 requirement, it is a well-known secure-access measure that is used in a number of environments to bolster FIPS 140-2 compliance.

                    Related Information
                    Configure Guest Access

                    FIPS Mode Support

                    Cisco ISE supports Federal Information Processing Standard (FIPS) 140-2 Common Criteria EAL2 compliance. FIPS 140-2 is a United States government computer security standard that is used to accredit cryptographic modules. Cisco ISE uses an embedded FIPS 140-2 implementation using validated C3M and Cisco ACS NSS modules, per FIPS 140-2 Implementation Guidance section G.5 guidelines.

                    When FIPS mode is enabled, the Cisco ISE administrator interface displays a FIPS mode icon to the left of the node name in the upper-right of the page.

                    If Cisco ISE detects at least one protocol or certificate that is not supported by the FIPS 140-2 level 1 standard, Cisco ISE displays a warning with the names of the protocols and FIPS mode is not enabled until the protocols have been addressed appropriately.

                    After you enable FIPS mode, you must reboot all other nodes in the deployment. To minimize disruption to your network, Cisco ISE automatically performs a rolling restart by first restarting the primary Administration node and then restarting each secondary node, one at a time.


                    Tip

                    Cisco recommends that you do not enable FIPS mode before completing any database migration process.


                    FIPS Mode Operational Parameters

                    The FIPS standard places limitations on the use of certain algorithms. In order to enforce this standard, you must enable FIPS operation in Cisco ISE. Cisco ISE enables FIPS 140-2 compliance via RADIUS shared secret and key management measures. While in FIPS mode, any functions using non-FIPS-compliant algorithms fail, and certain authentication functionality is disabled.

                    Enabling FIPS mode also automatically disables Password Authentication Protocol (PAP) and Challenge Handshake Authentication Protocol (CHAP) protocols, which the guest login function of Cisco ISE requires.

                    Cisco NAC Agent Requirements when FIPS Mode is Enabled

                    The Cisco NAC Agent always looks for the Windows Internet Explorer TLS 1.0 settings to discover the Cisco ISE network. (These TLS 1.0 settings should be enabled in Internet Explorer.) Therefore, client machines must have Windows Internet Explorer Version 7, 8, or 9 installed and TLS 1.0 enabled to allow Cisco ISE posture assessment functions to operate on client machines accessing the network. The Cisco NAC Agent can automatically enable the TLS 1.0 setting in Windows Internet Explorer if FIPS mode has been enabled in Cisco ISE.

                    Configure Cisco ISE for Administrator CAC Authentication

                    Before You Begin

                    Before beginning configuration, do the following:

                    • (Optional) Turn on FIPS mode. FIPS mode is not required for certificate-based authentication, but the two security measures often go hand-in-hand. If you do plan to deploy Cisco ISE in a FIPS 140-2 compliant deployment and to use CAC certificate-based authorization as well, be sure to turn FIPS mode on and specify the appropriate private keys and encryption/decryption settings first.

                    • Ensure that the domain name server (DNS) in Cisco ISE is set for Active Directory.

                    • Ensure that Active Directory user and user group membership has been defined for each administrator certificate.

                    To ensure that Cisco ISE can authenticate and authorize an administrator based on the CAC-based client certificate that is submitted from the browser, be sure that you have configured the following:

                    • The external identity source (Active Directory in the following example)

                    • The user groups in Active Directory to which the administrator belongs

                    • How to find the user's identity in the certificate

                    • Active Directory user groups to Cisco ISE RBAC permissions mapping

                    • The Certificate Authority (trust) certificates that sign the client certificates

                    • A method to determine if a client certificate has been revoked by the CA

                    You can use a Common Access Card (CAC) to authenticate credentials when logging into Cisco ISE.

                    Procedure
                      Step 1   Enable FIPS mode. You will be prompted to restart your system after you enable the FIPS mode. You can defer the restart if you are going to import CA certificates as well.
                      Step 2   Configure an Active Directory identity source in Cisco ISE and join all Cisco ISE nodes to Active Directory.
                      Step 3   Configure a certificate authentication profile according to the guidelines.

                      Be sure to select the attribute in the certificate that contains the administrator user name in the Principal Name X.509 Attribute field. (For CAC cards, the Signature Certificate on the card is normally used to look up the user in Active Directory. The Principal Name is found in this certificate in the "Subject Alternative Name" extension, specifically in a field in that extension that is called "Other Name." So the attribute selection here should be "Subject Alternative Name - Other Name.")

                      If the AD record for the user contains the user's certificate, and you want to compare the certificate that is received from the browser against the certificate in AD, check the Binary Certificate Comparison check box, and select the Active Directory instance name that was specified earlier.

                      Step 4   Enable Active Directory for Password-Based Admin Authentication. Choose the Active Directory instance name that you connected and joined to Cisco ISE earlier.
                      Note   

                      You must use password-based authentication until you complete other configurations. Then, you can change the authentication type to client certificate based at the end of this procedure.

                      Step 5   Create an External Administrator Group and map it to an Active Directory Group. Choose Administration > System > Admin Access > Administrators > Admin Groups. Create an external system administrator group.
                      Step 6   Configure an admin authorization policy to assign RBAC permissions to the external admin groups.
                      Caution   

                      We strongly recommend that you create an external Super Admin group, map it to an Active Directory group, and configure an admin authorization policy with Super Admin permissions (menu access and data access), and create at least one user in that Active Directory Group. This mapping ensures that at least one external administrator has Super Admin permissions once Client Certificate-Based Authentication is enabled. Failure to do this may lead to situations where the Cisco ISE administrator is locked out of critical functionality in the Admin Portal.

                      Step 7   Choose Administration > System > Certificates > Certificate Store to import certificate authority certificates into the Cisco ISE certificate trust store.

                      Cisco ISE does not accept a client certificate unless the CA certificates in the client certificate’s trust chain are placed in the Cisco ISE Certificate Store. You must import the appropriate CA certificates into the Cisco ISE Certificate Store.

                      1. Click Browse to choose the certificate.
                      2. Check the Trust for client authentication check box.
                      3. Click Submit.

                        Cisco ISE prompts you to restart all the nodes in the deployment after you import a certificate. You can defer the restart until you import all the certificates. However, after importing all the certificates, you must restart Cisco ISE before you proceed.

                      Step 8   Configure the certificate authority certificates for revocation status verification.
                      1. Choose Administration > System > Certificates > OCSP Services.
                      2. Enter the name of an OCSP server, an optional description, and the URL of the server.
                      3. Choose Administration > System > Certificates > Certificate Store.
                      4. For each CA certificate that can sign a client certificate, specify how to do the revocation status check for that CA. Choose a CA certificate from the list and click Edit. On the edit page, choose OCSP and/or CRL validation. If you choose OCSP, choose an OCSP service to use for that CA. If you choose CRL, specify the CRL Distribution URL and other configuration parameters.
                      Step 9   Enable client certificate-based authentication. Choose Administration > System > Admin Access > Authentication.
                      1. Choose Client Certificate Based authentication type on the Authentication Method tab.
                      2. Choose the certificate authentication profile that you configured earlier.
                      3. Select the Active Directory instance name.
                      4. Click Save.

                        Here, you switch from password-based authentication to client certificate-based authentication. The certificate authentication profile that you configured earlier determines how the administrator’s certificate is authenticated. The administrator is authorized using the external identity source, which in this example is Active Directory.

                        The Principal Name attribute from the certificate authentication profile is used to look up the administrator in Active Directory.

                        You have now configured Cisco ISE for administrator CAC authentication.
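The login decision that the procedure above configures, written out as an added example (not Cisco's code): principal name taken from the certificate's SAN "Other Name" (the Microsoft UPN otherName OID), Active Directory lookup, optional binary certificate comparison, a revocation check standing in for the per-CA OCSP/CRL setting, and AD group to RBAC admin group mapping, plus the guard for the Step 6 Caution. The certificate fields, directory contents, group names and CA names are constructed and assumed already parsed by the TLS layer.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set

# Microsoft User Principal Name otherName OID in the SAN extension; this is the
# value ISE's "Subject Alternative Name - Other Name" selection reads.
UPN_OTHER_NAME_OID = "1.3.6.1.4.1.311.20.2.3"


@dataclass
class ClientCert:
    der: bytes                          # raw DER, used for binary comparison
    issuer: str                         # issuing CA; must be in the trust store
    other_names: Dict[str, str] = field(default_factory=dict)  # SAN otherName OID -> value


@dataclass
class AdUser:
    upn: str
    groups: List[str]
    enabled: bool = True
    certificate: Optional[bytes] = None  # userCertificate attribute, if populated


@dataclass
class Decision:
    allowed: bool
    reason: str
    admin_groups: List[str] = field(default_factory=list)


def principal_name(cert: ClientCert) -> Optional[str]:
    """Equivalent of the 'Subject Alternative Name - Other Name' attribute choice."""
    return cert.other_names.get(UPN_OTHER_NAME_OID)


def authorize_admin(cert: ClientCert, directory: Dict[str, AdUser], trusted_cas: Set[str],
                    is_revoked: Callable[[ClientCert], bool], group_map: Dict[str, str],
                    binary_compare: bool = True) -> Decision:
    """Checks in the order the procedure sets them up: trust store (Step 7),
    revocation status (Step 8), UPN lookup in AD (Step 3), optional binary
    certificate comparison, then external admin group mapping (Steps 5 and 6)."""
    if cert.issuer not in trusted_cas:
        return Decision(False, "issuer not in the Certificate Store")
    if is_revoked(cert):
        return Decision(False, "certificate revoked")
    upn = principal_name(cert)
    if upn is None:
        return Decision(False, "no UPN in SAN Other Name")
    user = directory.get(upn.lower())
    if user is None or not user.enabled:
        return Decision(False, "no enabled AD account for %s" % upn)
    # With Binary Certificate Comparison on, an AD record without userCertificate
    # cannot match, so the login is refused rather than silently downgraded.
    if binary_compare and user.certificate != cert.der:
        return Decision(False, "certificate does not match userCertificate in AD")
    admin_groups = sorted({group_map[g] for g in user.groups if g in group_map})
    if not admin_groups:
        return Decision(False, "no AD group maps to an ISE admin group")
    return Decision(True, "ok", admin_groups)


def safe_to_enable_cert_auth(directory: Dict[str, AdUser], group_map: Dict[str, str]) -> bool:
    """Guard for the Step 6 Caution: at least one enabled AD user must map to
    Super Admin before password-based admin login is switched off."""
    return any(u.enabled and any(group_map.get(g) == "Super Admin" for g in u.groups)
               for u in directory.values())


# --- constructed sample data (not real certificates, accounts or CA names) ---
ALICE_DER = b"\x30\x82constructed-der-alice"
BOB_DER = b"\x30\x82constructed-der-bob"
TRUSTED_CAS = {"CN=Example Issuing CA"}
ADMIN_GROUP_MAP = {"ISE-SuperAdmins": "Super Admin", "ISE-Helpdesk": "Helpdesk Admin"}
DIRECTORY = {
    "alice@example.test": AdUser("alice@example.test", ["ISE-SuperAdmins", "Domain Users"],
                                 certificate=ALICE_DER),
    "bob@example.test": AdUser("bob@example.test", ["ISE-Helpdesk"], certificate=BOB_DER),
    "carol@example.test": AdUser("carol@example.test", ["Domain Users"]),
}
REVOKED_DER = {BOB_DER}


def sample_revocation_check(cert: ClientCert) -> bool:
    """Stand-in for the OCSP/CRL lookup configured per CA in Step 8."""
    return cert.der in REVOKED_DER


def make_cert(der: bytes, upn: str, issuer: str = "CN=Example Issuing CA") -> ClientCert:
    return ClientCert(der, issuer, {UPN_OTHER_NAME_OID: upn})


if __name__ == "__main__":
    for der, upn in [(ALICE_DER, "alice@example.test"), (BOB_DER, "bob@example.test")]:
        d = authorize_admin(make_cert(der, upn), DIRECTORY, TRUSTED_CAS,
                            sample_revocation_check, ADMIN_GROUP_MAP)
        print(upn, d.allowed, d.reason, d.admin_groups)
    print("safe to enable client certificate auth:",
          safe_to_enable_cert_auth(DIRECTORY, ADMIN_GROUP_MAP))
```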


                      Related Tasks
                      Add a Certificate Authentication Profile
                      Configure a Password Policy for Administrator Accounts
                      Create an External Administrator Group
                      Create an RBAC Policy for External Administrator Authentication
                      Edit a Trusted Certificate
                      Related References
                      Configure Active Directory as an External Identity Source
                      OCSP Services

                      Supported Common Access Card Standards

                      Cisco ISE supports U.S. government users who authenticate themselves using Common Access Card (CAC) authentication devices. A CAC is an identification badge with an electronic chip containing a set of X.509 client certificates that identify a particular employee. Access via the CAC requires a card reader into which you insert the card and enter a PIN. The certificates from the card are then transferred into the Windows certificate store, where they are available to applications such as the local browser running Cisco ISE.

                      Windows Internet Explorer Version 8 and 9 users running the Windows 7 operating system must install the ActiveIdentity ActivClient Version 6.2.0.133 third-party middleware software product for Cisco ISE to interoperate with CAC. For more information on ActiveIdentity security client products, refer to http://www.actividentity.com/products/securityclients/ActivClient/.

                      Common Access Card Operation in Cisco ISE

                      The Admin portal can be configured so that authentication with Cisco ISE is permitted only by using a client certificate. Credentials-based authentication—such as providing a user ID and password—is not permitted. In client certificate authentication, you insert a Common Access Card (CAC), enter a PIN, and then enter the Cisco ISE Admin portal URL into the browser address field. The browser forwards the certificate to Cisco ISE, and Cisco ISE authenticates and authorizes your login session based on the contents of the certificate. If this process is successful, you are presented with the Cisco ISE Monitoring and Troubleshooting home page and given the appropriate RBAC permissions.

                      Securing SSH Key Exchange Using Diffie-Hellman Algorithm

You can configure Cisco ISE to allow only the diffie-hellman-group14-sha1 SSH key exchange (the 2048-bit MODP group 14 of RFC 3526 with SHA-1). To do this, enter the following command from the Cisco ISE Command-Line Interface (CLI) Configuration Mode. Be aware that SSH clients that do not support this key exchange method will no longer be able to connect to the node:

                      service sshd key-exchange-algorithm diffie-hellman-group14-sha1

Here is an example:

                      ise/admin# conf t
                      ise/admin(config)# service sshd key-exchange-algorithm diffie-hellman-group14-sha1

                      Configure Cisco ISE to Send Secure Syslog for Common Criteria Compliance

The Common Criteria (CC) Compliance Certification requires that syslog sent between Cisco ISE nodes, and from those nodes to the Monitoring node, is protected by TLS. To configure Cisco ISE to send only TLS-protected secure syslog, you must perform the following tasks:

                      Before You Begin
                      • Ensure that all the Cisco ISE nodes in your deployment are configured with appropriate server certificates. If you want your setup to be FIPS 140-2 compliant, the certificate keys must have a key size of 2048 bits or greater.

                      • Enable the FIPS mode in the Admin portal.

                      • Ensure that the default network access authentication policy does not allow any version of the SSL protocol. Use the TLS protocol in the FIPS mode along with FIPS-approved algorithms.

                      • Ensure that all the nodes in your deployment are registered with the primary Administration node. Also, ensure that at least one node in your deployment has the Monitoring persona enabled to function as the secure syslog receiver (TLS server).

                      Procedure
                        Step 1   Configure secure syslog remote logging target.
                        Step 2   Enable Logging Categories to send auditable events to the secure syslog remote logging target.
                        Step 3   Disable the TCP syslog and UDP syslog collectors. Only TLS-protected syslog collectors should remain enabled.

                        Configure Secure Syslog Remote Logging Target

                        Cisco ISE system logs are collected and stored by log collectors for various purposes. You must choose the Cisco ISE Monitoring node as your log collector for configuring a secure syslog target.

                        Procedure
                          Step 1   Log in to the Admin portal.
                          Step 2   Choose Administration > System > Logging > Remote Logging Targets.
                          Step 3   Click Add.
                          Step 4   Enter a name for the secure syslog server.
                          Step 5   Choose Secure Syslog from the Target Type drop-down list.
                          Step 6   Choose Enabled from the Status drop-down list.
                          Step 7   Enter the IP address of the Cisco ISE Monitoring node in your deployment.
                          Step 8   Enter 6514 as the port number. The secure syslog receiver listens on TCP port 6514.
                          Step 9   Choose the syslog facility code. The default is LOCAL6.
                          Step 10   Check the Buffer Messages When Server is Down check box. If this option is checked, Cisco ISE stores the logs if the secure syslog receiver is unreachable, periodically checks the secure syslog receiver, and forwards them when the secure syslog receiver comes up.
                          1. Enter the buffer size.
                          2. Enter the Reconnect Timeout in seconds for Cisco ISE to periodically check the secure syslog receiver.
                          Step 11   Select a CA certificate that you want Cisco ISE to present to the secure syslog server.
                          Step 12   Uncheck the Ignore Server Certificate validation check box. You must not check this option: with validation ignored, Cisco ISE would accept any certificate presented on port 6514 and could be induced to send its audit logs to an impostor receiver.
                          Step 13   Click Submit.

                          Enable Logging Categories to Send Auditable Events to the Secure Syslog Target

                          You must enable logging categories for Cisco ISE to send auditable events to the secure syslog target.

                          Procedure
                            Step 1   Log in to the Admin portal.
                            Step 2   Choose Administration > System > Logging > Logging Categories.
                            Step 3   Click the radio button next to the AAA Audit logging category, then click Edit.
                            Step 4   Choose WARN from the Log Severity Level drop-down list.
                            Step 5   Move the secure syslog remote logging target that you created earlier to the Selected box.
                            Step 6   Click Save.
                            Step 7   Repeat this procedure to enable the following logging categories:
                            • Administrative and Operational Audit

                            • Posture and Client Provisioning Audit


                            Disable the TCP Syslog and UDP Syslog Collectors

                            For Common Criteria compliance, you must disable the TCP and UDP syslog collectors so that only the secure syslog collector remains enabled.

                            Procedure
                              Step 1   Log in to the Admin portal.
                              Step 2   Choose Administration > System > Logging > Remote Logging Targets.
                              Step 3   Click the radio button next to the TCP or UDP syslog collector.
                              Step 4   Click Edit.
                              Step 5   Choose Disabled from the Status drop-down list.
                              Step 6   Click Save.
                              Step 7   Repeat this process until all the TCP and UDP syslog collectors are disabled.
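Before pointing the remote logging target at the Monitoring node, it is useful to confirm what the node actually emits. The following Python receiver is an added example, not part of this guide or of Cisco ISE: it listens on TCP 6514 with TLS 1.2 or later, requires the sender to present a certificate chaining to the CA selected in the logging target (mutual TLS), and decodes the facility and severity of each message so you can check that the LOCAL6 facility and WARN severity configured above arrive as expected. The certificate file names, the listen address and the assumption that messages arrive with RFC 5425 octet-counting or LF-terminated framing are the example's own; the sample message in the test is constructed.

```python
"""Minimal mutual-TLS syslog receiver for checking what an ISE node sends to port 6514."""
import re
import socket
import ssl
import sys

# Assumed file names: the receiver's own certificate/key and the CA that issued
# the ISE node certificates (the CA selected in the remote logging target).
RECEIVER_CERT = "receiver.pem"
RECEIVER_KEY = "receiver-key.pem"
ISE_CA_BUNDLE = "ise-ca.pem"
LISTEN = ("0.0.0.0", 6514)  # assumed listen address; 6514 is the secure syslog port

_OCTET_COUNT = re.compile(rb"^(\d{1,5}) ")


def split_frames(buf):
    """Split buffered stream bytes into complete syslog messages.

    Octet-counting framing ("<len> <msg>", RFC 5425) is tried first; a frame
    that does not start with a length falls back to LF-terminated framing.
    Returns (messages, unconsumed_remainder)."""
    messages = []
    while buf:
        m = _OCTET_COUNT.match(buf)
        if m:
            n, start = int(m.group(1)), m.end()
            if len(buf) < start + n:
                break  # incomplete frame; wait for more bytes
            messages.append(buf[start:start + n])
            buf = buf[start + n:]
        else:
            end = buf.find(b"\n")
            if end < 0:
                break
            messages.append(buf[:end])
            buf = buf[end + 1:]
    return messages, buf


def pri_fields(message):
    """Return (facility, severity) from the <PRI> of an RFC 5424/3164 message.
    LOCAL6 is facility 22 and WARN is severity 4, so PRI 180 is the configured default."""
    m = re.match(rb"^<(\d{1,3})>", message)
    if not m:
        raise ValueError("message has no <PRI> header")
    pri = int(m.group(1))
    return pri // 8, pri % 8


def peer_common_name(cert):
    """Return the subject CN from ssl.SSLSocket.getpeercert() output."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def make_server_context():
    """TLS 1.2+ server context that requires a client certificate chained to ISE_CA_BUNDLE."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # no SSL or TLS 1.0/1.1
    ctx.load_cert_chain(RECEIVER_CERT, RECEIVER_KEY)
    ctx.load_verify_locations(ISE_CA_BUNDLE)
    ctx.verify_mode = ssl.CERT_REQUIRED  # reject senders without a trusted client cert
    return ctx


def serve():
    ctx = make_server_context()
    with socket.create_server(LISTEN) as listener:
        print(f"listening on {LISTEN[0]}:{LISTEN[1]} (TLS, client certificate required)")
        while True:
            raw, addr = listener.accept()
            try:
                with ctx.wrap_socket(raw, server_side=True) as tls:
                    print(f"{addr[0]} authenticated as {peer_common_name(tls.getpeercert())}")
                    buf = b""
                    while chunk := tls.recv(65536):
                        messages, buf = split_frames(buf + chunk)
                        for msg in messages:
                            facility, severity = pri_fields(msg)
                            print(f"fac={facility} sev={severity} {msg.decode('utf-8', 'replace')}")
            except ssl.SSLError as exc:
                print(f"{addr[0]} rejected: {exc}", file=sys.stderr)


if __name__ == "__main__":
    serve()
```

A node whose logging target has "Ignore Server Certificate validation" correctly unchecked will refuse to connect if this receiver's certificate is not trusted by the node, and the receiver in turn rejects any sender that cannot present a certificate issued by the CA in ISE_CA_BUNDLE. Seeing a TLS handshake on 6514 while nothing arrives on TCP or UDP 514 is the observable evidence that the plaintext collectors are off.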