The Cisco ISE Dashboard displays live consolidated and correlated statistical data that is is essential for effective monitoring and troubleshooting. Dashboard elements show activity over 24 hours, unless otherwise noted. The following figure shows some of the information available on the Cisco ISE Dashboard.

Figure 2. Cisco ISE User Dashboard

Setup Assistant functionality depends on the Cisco ISE license that you have applied to your configuration.

When you start Cisco ISE for the first time, you are prompted to run the Setup Assistant. If you choose not to run it then, you can run it again later.

Each time you run the Setup Assistant, Cisco ISE overwrites previous settings, which can critically impact your configuration in the following ways:

• All authentication, authorization, client provisioning, and posture policies are deleted and replaced, including any that you added without using the Setup Assistant.

• Other settings, such as policy elements and web portal customizations, are overwritten with any newly specified values. If you do not enter anything for the optional settings, the Setup Assistant resets them to their default values.

Wired or Wireless

You must indicate whether you want to support wired or wireless connections, or both. If you are using a Cisco ISE Wireless License, the wired option is unavailable.

These choices impact the policies that Cisco ISE creates, and also dictate other required responses. For example, if you choose wired, you can also indicate whether your network supports IP phones.

You must also indicate whether or not the wired connections are monitored or if network access must be enforced based on compliance:

• Monitor generates non-compliance logs and reports, but does not require that users or devices comply with the defined policies.

  In monitoring mode, posture and guest policies are ignored. If you support wired connections in monitoring mode, the Setup Assistant disables the guest and posture choices on the next page to prevent unauthorized computer and guest access.

  If you support wired and wireless connections, you can enable the guest and posture features, but they will apply only to the wireless connections. The wireless connections always runs in enforcement mode.

• Enforce requires compliance with the defined policies.

Protected Subnets

You must indicate which subnets should are inaccessible by guests or noncompliant endpoints. This information is used when creating the downloadable ACLs.

User Authentication

Users belonging to these groups will be granted network access as employees and be allowed to create guest accounts using the Sponsor portal.

• Internal users—If you choose to create an internal user, Cisco ISE creates a single user using the name you enter and assigns the user to the default Employee and ALL_ACCOUNTS user identity groups. You can verify this in the Administration > Identity Management > Identities > Users page after setup completes.

  Because the Setup Assistant provides only the basic Cisco ISE configuration to demonstrate its functionality in your network, you cannot use it to import additional users into the internal user database. You can add additional internal users using the Admin portal after you complete the Setup Assistant.

• Active Directory—If you choose to join the Active Directory domain, Cisco ISE adds the indicated AD domain and joins to it. After joining the domain, you must choose an Active Directory group. All users belonging to this group will be able to authenticate using Dot1x and create guests using the Sponsor portal. You can verify this from the Administration > Identity Management > External Identity Sources > Active Directory page after setup completes.

Posture Compliance

When you enable posture using the Setup Assistant, Cisco ISE checks for antispyware and antivirus definitions and installations on connected endpoints.

You must indicate whether you want to assess or assess and enforce posture compliance for employees and guests:

• Assess generates reports about noncompliant users, but allows them to be authenticated.

• Enforce prevents authentication.

If you want to force Cisco ISE to redirect noncompliant endpoints to a remediation server before granting network access, enter the proxy server IP address.

If you enable posture compliance, Cisco ISE will:

• Download the Cisco NAC agents and update the Policy > Policy Elements > Results > Client Provisioning > Resources page.

• Create the downloadable ACLs on the Policy > Policy Elements > Results > Authorization > Downloadable ACLs page. All DACLs created by the Setup Assistant include the prefix AutoGen, such as: AutoGen_DACL_PrePostureWired.

• Create authorization profiles on the Policy > Policy Elements > Results > Authorization > Authorization Profiles page. Authorization profiles created by the Setup Assistant include the prefix AutoGen, such as: AutoGen_profile_Byod_CWA.

• Create authorization conditions on the Policy > Policy Elements > Conditions > Authorization > Simple Conditions and Policy > Policy Elements > Conditions > Authorization > Compound Conditions pages. Authorization conditions created by the Setup Assistant include the prefix AutoGen, such as: AutoGen_condition_Android_Devices or AutoGen_condition_GuestWired.

• Create client provisioning policies on the Policy > Client Provisioning page. Client provisioning policies created by the Setup Assistant include the prefix AutoGen, such as: AutoGen_Provisioning.

• Download posture updates from the Administration > System > Settings > Posture > Updates page.

• Create posture policies on the Policy > Posture page. Posture policies created by the Setup Assistant include the prefix AutoGen, such as: AutoGen_Policy_Check_For_AS_Definition_Mac_Employee.

• Create authorization policies on the Policy > Authorization page. Authorization policies created by the Setup Assistant include the prefix AutoGen, such as: AutoGen_policy_Registered_Wireless_Devices.

• Create authentication policies on the Policy > Authentication page. Authorization policies created by the Setup Assistant include the prefix AutoGen, such as: AutoGen_AuthNPolicy_MAB.

Endpoint Profiling

Endpoint profiling discovers, identifies, and determines the capabilities of all attached endpoints on your network. If you enable endpoint profiling, Cisco ISE will:

• Enable these endpoint profiling features on the Administration > System > Deployment > Edit Node > Profiling Configuration page.

  • DHCP

  • RADIUS

  • Network Scan (NMAP)

  • SNMP Query Probes

• Configure SNMP on the Administration > Network Resources > Network Devices page.

Proxy Settings

Cisco ISE uses the proxy server to download Cisco-defined posture checks and client provisioning resources required for assessing posture of endpoints and allowing personal devices on the network. If you configure these proxy settings, Cisco ISE will update the settings on the Administration > System > Settings > Proxy page.

Guest User Support

To support guest users, you must create a sponsor user. Cisco ISE creates a single user using the name you enter and assigns the user to the default ALL_ACCOUNTS user identity group, which defines the user as a sponsor user. You can verify this from the Administration > Identity Management > Identities > Userspage after setup completes.

If you add a simplified URL, Cisco ISE updates the Portal Name settings at the top of the Guest Access > Configure > Sponsor Portals > Edit page.

Support for Personal Devices

You can add a simplified URL for employees to use to access the My Devices portal, and Cisco ISE updates the Portal Namesettings at the top of the the Administration > Device Portal Management > My Devices > Edit page.

Web Portal Customizations

Switches and Wireless Controllers

Cisco ISE adds the switches and wireless controllers to the Administration > Network Resources > Network Devices page, updates the SNMP settings, and adds the RADIUS shared secret to the Authentication Settings option.

Depending on the choices you made previously, you must configure the switches and wireless controllers. Click the Wired or Wireless Network Diagram links to display sample network topologies that illustrate the required configuration details.

Review Your Selection

You can verify your responses to each of the questions.

Network Device Configuration

Configuration details for each configured switch and WLC display separately. Cisco ISE does not automatically update these configurations on the devices. If you want to completely replace the current device configuration, copy and paste the entire configuration. Alternatively, you can just copy the specific sections with the configuration changes you need. You can access the most current copy of the settings after exiting the Setup Assistant by choosing Setup Assistant > View network device configuration.

ISE Configuration

The ISE Configuration tab displays details about each setting, policy, profile, DACL, and network device added to Cisco ISE.

You can customize and filter the information that displays in the listing pages using the settings and filter icons.

Figure 3. Data Filters Example

You can customize the field attributes displayed in the listing pages. The available and default options vary based on the specific listing page.

The Quick Filter allows you to enter a value for any of the field attributes displayed in the listing page, refreshes the page, and lists only those records that match your filter criteria.

The Advanced Filter allows you to filter information based on specified conditions, such as, First Name = Mike and User Group = Employee. You can specify more than one condition.

You can create and save custom filters and modify the filter criteria in preset filters. Custom filters are not saved in the Cisco ISE database. You can only access them using the same computer and browser used to create them.

Cisco ISE, provides localization and internalization support for the following languages and browser locales:

The Guest, Sponsor, My Devices, and Client Provisioning portals are localized into all supported languages and locales. This includes text, labels, messages, field names, and button labels. If the client browser requests a locale that is not mapped to a template in Cisco ISE, the portals display content using the English template.

Using the Admin portal, you can modify the fields used for the Guest, Sponsor, and My Devices portals for each language individually, and you can add additional languages. Currently, you cannot customize these fields for the Client Provisioning portal.

You can further customize the Guest portal by uploading HTML pages to Cisco ISE. When you upload customized pages, you are responsible for the appropriate localization support for your deployment. Cisco ISE provides a localization support example with sample HTML pages, which you can use as a guide. Cisco ISE provides the ability to upload, store, and render custom internationalized HTML pages.

Note	NAC and MAC agent installers and WebAgent pages are not localized.

Cisco ISE fields that are exposed to the end user (through the Cisco NAC agent, or supplicants, or through the Sponsor, Guest, My Devices, and Client Provisioning portals) support UTF-8 character sets for all languages. UTF-8 is a multibyte-character encoding for the unicode character set, which includes many different language character sets, such as Hebrew, Sanskrit, and Arabic.

Character values are stored in UTF-8 in the administration configuration database, and the UTF-8 characters display correctly in reports and user interface components.