Manage Administrators and Admin Access Policies
- Role-Based Access Control
- Cisco ISE Administrators
- Cisco ISE Administrator Groups
- Administrative Access to Cisco ISE
Role-Based Access Control
Cisco ISE allows you to define role-based access control (RBAC) policies that allow or deny certain system-operation permissions to an administrator. These RBAC policies are defined based on the identity of individual administrators or the admin group to which they belong.
To further enhance security and control who has access to the Admin portal, you can:
Cisco ISE Administrators
Cisco ISE administrators use the Admin portal to:
- Manage deployments, help desk operations, network devices, and node monitoring and troubleshooting.
- Manage Cisco ISE services, policies, administrator accounts, and system configuration and operations.
Administrators can access Cisco ISE through the command-line interface (CLI) or the web-based interface. The username and password that you configure during Cisco ISE setup are intended only for administrative access to the CLI. This role is considered to be the CLI-admin user, also known as the CLI administrator. By default, the username for the CLI-admin user is admin, and the password is defined during setup; there is no default password. This CLI-admin user is known as the default admin user. This default admin user account cannot be deleted, but it can be edited by other administrators (which includes options to enable or disable the account, or to change its password).
You can create an administrator or you can promote an existing user to an administrator role. Administrators can also be demoted to simple network user status by disabling the corresponding administrative privileges.
Administrators can be considered as users who have local privileges to configure and operate the Cisco ISE system.
- Privileges of a CLI Administrator Versus a Web-Based Administrator
- Create a New Cisco ISE Administrator
Privileges of a CLI Administrator Versus a Web-Based Administrator
A CLI administrator can start and stop the Cisco ISE application, apply software patches and upgrades, reload or shut down the Cisco ISE appliance, and view all system and application logs. Because of the special privileges granted to a CLI administrator, we recommend that you protect the CLI administrator credentials and create web-based administrators for configuring and managing Cisco ISE deployments.
Create a New Cisco ISE Administrator
Cisco ISE administrators need accounts with specific roles assigned to them to perform specific administrative tasks. You can create administrator accounts and assign one or more roles to each account based on the administrative tasks that the administrator has to perform.
You can use the Admin Users page to view, create, modify, delete, change the status, duplicate, or search for attributes of Cisco ISE administrators.
Cisco ISE Administrator Groups
Administrator groups, also called role-based access control (RBAC) groups in Cisco ISE, contain a number of administrators who belong to the same administrative group. All administrators who belong to the same group share a common identity and have the same privileges. An administrator's identity as a member of a specific administrative group can be used as a condition in authorization policies. An administrator can belong to more than one administrator group.
Read-only functionality is unavailable for any administrative access in Cisco ISE. Regardless of the level of access, any administrator account can modify or delete objects for which it has permission, on any page that the administrator can access.
The Cisco ISE security model limits administrators to creating administrative groups that contain the same set of privileges that the administrator has, which is based on the administrative role of the user as defined in the Cisco ISE database. In this way, administrative groups form the basis for defining privileges for accessing the Cisco ISE systems.
The following table lists the admin groups that are predefined in Cisco ISE and the tasks that members from these groups can perform.
Create Admin Groups
The Admin Groups page allows you to view, create, modify, delete, duplicate, or filter Cisco ISE network admin groups.
To configure an external administrator group type, you must have already specified one or more external identity stores.
Step 1 | Choose . |
Step 2 | Click Add, and enter a Name and Description. Supported special characters for the name field are: space, # $ & ‘ ( ) * + - . / @ _ . |
Step 3 | Specify the Type of administrator group you are configuring: |
Step 4 | Click Add to add users to the Admin Group Users table. From the Users list, select the users to be added to the admin group. |
Step 5 | To delete users from the Admin Group Users table, check the check box corresponding to the user that you want to delete, and click Remove. |
Step 6 | Click Submit to save any changes made to the admin group that you created in the Cisco ISE database. |
Administrative Access to Cisco ISE
Cisco ISE administrators can perform various administrative tasks based on the administrative group to which they belong. These administrative tasks are critical and you must ensure that administrative access is restricted to users who are authorized to administer Cisco ISE in your network.
Cisco ISE allows you to control administrative access to its web interface through the following options:
- Role-Based Access Control in Cisco ISE
- Configure Admin Access Policies
- Administrator Access Settings
- Administrative Access to Cisco ISE Using an External Identity Store
Role-Based Access Control in Cisco ISE
Role-based access control policies (known as admin access) are access control policies that you define to provide limited access to the Cisco ISE administrative interface. These admin access policies allow you to customize the amount and type of access on a per-administrator or per-admin group basis using specified role-based access permission settings that apply to an individual admin user or an admin group.
Role-based access determines what each entity can access, which is controlled with an access control policy. Role-based access also determines the administrative role that is in use, the admin group to which the entity belongs, and the corresponding permissions and settings that are applied based upon the role of the entity.
- Role-Based Permissions
- RBAC Policies
- Default Menu Access Permissions
- Configure Menu Access Permissions
- Default Data Access Permissions
- Configure Data Access Permissions
Role-Based Permissions
Cisco ISE allows you to configure permissions at the menu and data levels, called the menu access and data access permissions.
The menu access permissions allow you to show or hide the menu items of the Cisco ISE administrative interface. This feature lets you create permissions so that you can restrict or enable access at the menu level.
The data access permissions allow you to grant read/write access or no access to the following data in the Cisco ISE interface: Admin Groups, User Identity Groups, Endpoint Identity Groups, Locations, and Device Types.
RBAC Policies
RBAC policies determine if an administrator can be granted a specific type of access to a menu item or other identity group data elements. You can grant or deny access to a menu item or identity group data element to an administrator based on the admin group by using RBAC policies. When administrators log in to the Admin portal, they can access menus and data that are based on the policies and permissions defined for the admin groups with which they are associated.
RBAC policies map admin groups to menu access and data access permissions. For example, you can prevent a network administrator from viewing the Admin Access operations menu and the policy data elements. This can be achieved by creating a custom RBAC policy for the admin group with which the network administrator is associated.
Default Menu Access Permissions
Menu Access Name | RBAC Group | Permissible Set of Menu Items
---|---|---
Super Admin Menu Access | Super Admin | Operations > All menu items; Policy > All menu items; Administration > All menu items
Policy Admin Menu Access | Policy Admin | Operations > All menu items; Policy > All menu items; Administration > Identity Management > All menu items; Administration > System > Settings
Helpdesk Admin Menu Access | Helpdesk Admin | Operations > All menu items
Identity Admin Menu Access | Identity Admin | Operations > All menu items; Administration > Identity Management > All menu items
Network Device Menu Access | Network Device Admin | Operations > All menu items; Administration > Network Resources > All menu items
System Admin Menu Access | System Admin | Operations > Authentications, Alarms, Reports, and Troubleshoot; Administration > System > All menu items
RBAC Admin Menu Access | RBAC Admin | Operations > All menu items except Endpoint Protection Services Adaptive Network Control; Administration > Admin Access > All menu items
MnT Admin Menu Access | MnT Admin | Operations > All menu items

Note: For the Super Admin user, all the menu items are available. For other admin users, all the menu items in this column are available in a standalone deployment and on the Primary Node in a distributed deployment. On a Secondary Node in a distributed deployment, the menu items under the Administration tab are not available.
Configure Menu Access Permissions
Cisco ISE allows you to create custom menu access permissions that you can map to an RBAC policy. Depending on the role of the administrators, you can allow them to access only specific menu options.
Default Data Access Permissions
Cisco ISE comes with a set of predefined data access permissions. The data access permissions enable multiple administrators to have the data access permissions within the same user population. You can enable or restrict the use of data access permissions to one or more admin groups. This process allows autonomous delegated control to administrators of one admin group to reuse data access permissions of the chosen admin groups through selective association. Data access permissions range from full access to no access for viewing selected admin groups or the network device groups. The following table lists the default data access permissions.

RBAC policies are defined based on the administrator (RBAC) group, menu access, and data access permissions. You first create menu access and data access permissions and then create an RBAC policy that associates an admin group with the corresponding menu access and data access permissions. The RBAC policy takes the form: If admin_group=Super Admin then assign SuperAdmin Menu Access permission + SuperAdmin Data Access permission. Apart from the predefined data access permissions, Cisco ISE also allows you to create custom data access permissions that you can associate with an RBAC policy.
Data Access Name | RBAC Group | Permissible Admin Groups | Permissible Network Device Groups
---|---|---|---
Super Admin Data Access | Super Admin | Admin Groups, User Identity Groups, Endpoint Identity Groups | All Locations, All Device Types
Policy Admin Data Access | Policy Admin | User Identity Groups, Endpoint Identity Groups | None
Identity Admin Data Access | Identity Admin | User Identity Groups, Endpoint Identity Groups | None
Network Admin Data Access | Network Device Admin | None | All Locations, All Device Types
System Admin Data Access | System Admin | Admin Groups | None
RBAC Admin Data Access | RBAC Admin | Admin Groups | None
Configure Data Access Permissions
Cisco ISE allows you to create custom data access permissions that you can map to an RBAC policy. Based on the role of the administrator, you can choose to provide them access only to select data.
Configure Admin Access Policies
An Admin Access (RBAC) policy is represented in an if-then format, where if is the RBAC Admin Group value and then is the RBAC Permissions value.
The RBAC policies page contains a list of default policies. These default policies cannot be modified or deleted. This page also allows you to create custom RBAC policies for an admin group specifically for your work place, and apply to personalized admin groups.
Step 1 | Choose . The RBAC Policies page contains a set of ready-to-use predefined policies for default admin groups. |
Step 2 | Click Actions next to any of the default RBAC policy rules. Here, you can insert new RBAC policies, duplicate an existing RBAC policy, and delete an existing RBAC policy. |
Step 3 | Click Insert new policy. |
Step 4 | Enter values for the Rule Name, RBAC Group(s), and Permissions fields. You cannot select multiple menu access and data access permissions when creating an RBAC policy. |
Step 5 | Click Save. |
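The following is an added example, not Cisco code: a small model of how an admin-access (RBAC) policy ties one admin group to exactly one menu access and at most one data access permission, how an administrator in several groups receives the union of those grants, and how the Administration menu is hidden from non-Super Admins on a secondary node. The menu sets and data grants are transcribed from the default tables above; the policy names, the path notation (`Operations/*`) and the function names are assumptions made for the example.

```python
# Added example (not Cisco's code): a minimal model of Cisco ISE-style admin
# access (RBAC) policies. Menu sets and data grants are transcribed from the
# default tables on this page; policy names and the "Section/Item" path
# notation are constructed for the example.
from dataclasses import dataclass
from typing import Optional

# Data access is all-or-nothing per object class: ISE has no read-only level.
FULL, NONE = "read/write", "none"

# Default menu access permissions ("X/*" = every item under X).
MENU_ACCESS = {
    "Super Admin Menu Access": {"Operations/*", "Policy/*", "Administration/*"},
    "Helpdesk Admin Menu Access": {"Operations/*"},
    "Identity Admin Menu Access": {"Operations/*", "Administration/Identity Management/*"},
    "System Admin Menu Access": {"Operations/Authentications", "Operations/Alarms",
                                 "Operations/Reports", "Operations/Troubleshoot",
                                 "Administration/System/*"},
}

# Default data access permissions (object class -> read/write); absent = none.
DATA_ACCESS = {
    "Super Admin Data Access": {"Admin Groups": FULL, "User Identity Groups": FULL,
                                "Endpoint Identity Groups": FULL,
                                "Locations": FULL, "Device Types": FULL},
    "Identity Admin Data Access": {"User Identity Groups": FULL,
                                   "Endpoint Identity Groups": FULL},
    "System Admin Data Access": {"Admin Groups": FULL},
}

@dataclass(frozen=True)
class RbacPolicy:
    """If admin_group == group then assign menu_access + data_access."""
    name: str
    group: str
    menu_access: str              # exactly one menu access permission per policy
    data_access: Optional[str]    # at most one data access permission per policy

POLICIES = [
    RbacPolicy("Super Admin Policy", "Super Admin", "Super Admin Menu Access", "Super Admin Data Access"),
    RbacPolicy("Helpdesk Admin Policy", "Helpdesk Admin", "Helpdesk Admin Menu Access", None),
    RbacPolicy("Identity Admin Policy", "Identity Admin", "Identity Admin Menu Access", "Identity Admin Data Access"),
    RbacPolicy("System Admin Policy", "System Admin", "System Admin Menu Access", "System Admin Data Access"),
]

def _menu_match(pattern: str, item: str) -> bool:
    # "Operations/*" matches Operations and anything below it; otherwise exact path.
    if pattern.endswith("/*"):
        base = pattern[:-2]
        return item == base or item.startswith(base + "/")
    return item == pattern

def effective_permissions(admin_groups, policies=POLICIES):
    """Union of grants from every policy whose group the administrator belongs to."""
    menus, data = set(), {}
    for policy in policies:
        if policy.group in admin_groups:
            menus |= MENU_ACCESS[policy.menu_access]
            if policy.data_access:
                data.update(DATA_ACCESS[policy.data_access])
    return menus, data

def can_see_menu(admin_groups, item, secondary_node=False):
    """On a secondary node only Super Admin keeps the Administration menu."""
    if secondary_node and item.startswith("Administration") and "Super Admin" not in admin_groups:
        return False
    menus, _ = effective_permissions(admin_groups)
    return any(_menu_match(pattern, item) for pattern in menus)

def data_access_level(admin_groups, object_class):
    """read/write if any associated policy grants it, otherwise none."""
    _, data = effective_permissions(admin_groups)
    return data.get(object_class, NONE)
```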
Administrator Access Settings
Cisco ISE allows you to define some rules for administrator accounts to enhance security. You can restrict access to the management interfaces, force administrators to use strong passwords, regularly change their passwords, and so on. The password policy that you define under the Administrator Account Settings in Cisco ISE applies to all administrator accounts.
Cisco ISE does not support administrator passwords with UTF-8 characters.
- Configure the Maximum Number of Concurrent Administrative Sessions and Login Banners
- Allow Administrative Access to Cisco ISE from Select IP Addresses
- Configure a Password Policy for Administrator Accounts
- Configure Session Timeout for Administrators
- Terminate an Active Administrative Session
- Change Administrator Name
Configure the Maximum Number of Concurrent Administrative Sessions and Login Banners
You can configure the maximum number of concurrent administrative GUI or CLI (SSH) sessions and login banners that help and guide administrators who access your administrative web or CLI interface. You can configure login banners that appear before and after an administrator logs in. By default, these login banners are disabled.
To perform the following task, you must be a Super Admin or System Admin.
Step 1 | Choose . |
Step 2 | Enter the maximum number of concurrent administrative sessions that you want to allow through the GUI and CLI interfaces. The valid range for concurrent administrative GUI sessions is from 1 to 20. The valid range for concurrent administrative CLI sessions is 1 to 10. |
Step 3 | If you want Cisco ISE to display a message before an administrator logs in, check the Pre-login banner check box and enter your message in the text box. |
Step 4 | If you want Cisco ISE to display a message after an administrator logs in, check the Post-login banner check box and enter your message in the text box. |
Step 5 | Click Save. |
Allow Administrative Access to Cisco ISE from Select IP Addresses
Cisco ISE allows you to configure a list of IP addresses from which administrators can access the Cisco ISE management interfaces.
The administrator access control settings are only applicable for Cisco ISE nodes that assume the Administration, Policy Service, or Monitoring personas. These restrictions are replicated from the primary to the secondary nodes. These restrictions are not applicable for the Inline Posture nodes.
To perform the following task, you must be a Super Admin or System Admin.
Step 1 | Choose . |
Step 2 | From the Configure IP List for Access Restriction area, click Add. |
Step 3 | Enter IP addresses in the classless interdomain routing (CIDR) format in the IP address field. |
Step 4 | Enter the subnet mask in the Netmask in CIDR format field. |
Step 5 | Click OK. Repeat the process to add more IP address ranges to this list. |
Step 6 | Click Save to save the changes. |
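As an added example (not Cisco code, and not how ISE implements the feature internally), the following checks an administrator IP allow list of the kind entered above: it parses CIDR entries for IPv4 and IPv6, tests source addresses against them, refuses to save a list that would lock out the session applying it, and flags entries that make the restriction meaningless or redundant. All addresses are constructed sample values; the function names are assumptions.

```python
# Added example (not Cisco's code): validating an administrator IP allow list
# before it is saved and checking source addresses against it.
# All addresses below are constructed sample values.
import ipaddress

class LockoutRisk(ValueError):
    """Raised when the list would not include the address you are saving from."""

def parse_allow_list(entries):
    """Turn 'address/prefix' strings (IPv4 or IPv6) into network objects.

    strict=False accepts host bits that are set (10.0.0.5/24 -> 10.0.0.0/24),
    which is how a separate netmask field is typically filled in; anything
    unparsable is reported together with the offending entry.
    """
    networks = []
    for entry in entries:
        try:
            networks.append(ipaddress.ip_network(entry.strip(), strict=False))
        except ValueError as exc:
            raise ValueError(f"invalid allow-list entry {entry!r}: {exc}") from None
    return networks

def is_allowed(source_ip, networks):
    """True if the source address falls inside any allowed network."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in networks)

def validate_before_save(entries, my_source_ip):
    """Reject a list that would lock out the session that is applying it."""
    networks = parse_allow_list(entries)
    if not is_allowed(my_source_ip, networks):
        raise LockoutRisk(f"{my_source_ip} is not in the allow list; saving would lock you out")
    return networks

def audit_allow_list(networks):
    """Findings a reviewer would want: catch-all entries and redundant ones."""
    findings = []
    for net in networks:
        if net.prefixlen == 0:
            findings.append(f"{net} permits every address; the restriction is ineffective")
        for other in networks:
            if other is net or other.version != net.version or net == other:
                continue
            if net.subnet_of(other):
                findings.append(f"{net} is redundant: already covered by {other}")
    return findings
```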
Configure a Password Policy for Administrator Accounts
Cisco ISE also allows you to create a password policy for administrator accounts to enhance security. You can define whether you want a password based or client certificate based administrator authentication. The password policy that you define here is applied to all administrator accounts in Cisco ISE.
Note: Cisco ISE does not support administrator passwords with UTF-8 characters.
- To perform the following task, you must be a Super Admin or System Admin.
- Make sure that the auto-failover configuration, if enabled in your deployment, is turned off. When you change the authentication method, the application server processes restart. There might be a delay while these services restart, and during that delay auto-failover of the secondary Administration node might get initiated.
Step 1 | Choose . |
Step 2 | Select either of these authentication methods: |
Step 3 | Click the Password Policy tab and enter the values. |
Step 4 | Click Save to save the administrator password policy. |
Configure Session Timeout for Administrators
Cisco ISE allows you to determine the length of time an administration GUI session can be inactive and still remain connected. You can specify a time in minutes after which Cisco ISE logs out the administrator. After a session timeout, the administrator must log in again to access the Cisco ISE Admin portal.
To perform the following task, you must be a Super Admin or System Admin.
Terminate an Active Administrative Session
Cisco ISE displays all active administrative sessions; you can select any session and terminate it at any time, if the need arises. The maximum number of concurrent administrative GUI sessions is 20. If the maximum number of GUI sessions is reached, an administrator who belongs to the super admin group can log in and terminate some of the sessions.
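The following added example (not Cisco code) models the session rules from the last three sections together: the configurable limits of 1 to 20 concurrent GUI and 1 to 10 CLI sessions, an idle timeout in minutes, and the exception that a Super Admin can still log in when the GUI limit is reached so that sessions can be terminated. The clock is passed in as a plain number of seconds, and the class and field names are assumptions made for the example.

```python
# Added example (not Cisco's code): a session table enforcing the concurrent
# session limits, idle timeout and Super Admin exception described above.
# Timestamps are plain seconds supplied by the caller so the logic is testable.
from dataclasses import dataclass

GUI_RANGE, CLI_RANGE = (1, 20), (1, 10)   # valid ranges given on this page

@dataclass
class Session:
    sid: int
    user: str
    kind: str            # "GUI" or "CLI"
    last_active: float   # seconds
    super_admin: bool

class SessionTable:
    def __init__(self, max_gui, max_cli, idle_timeout_min):
        if not GUI_RANGE[0] <= max_gui <= GUI_RANGE[1]:
            raise ValueError(f"max GUI sessions must be within {GUI_RANGE}")
        if not CLI_RANGE[0] <= max_cli <= CLI_RANGE[1]:
            raise ValueError(f"max CLI sessions must be within {CLI_RANGE}")
        self.limits = {"GUI": max_gui, "CLI": max_cli}
        self.idle_timeout = idle_timeout_min * 60
        self.sessions = {}
        self._next = 1

    def expire_idle(self, now):
        """Log out every session idle longer than the timeout; return their ids."""
        stale = [s.sid for s in self.sessions.values()
                 if now - s.last_active > self.idle_timeout]
        for sid in stale:
            del self.sessions[sid]
        return stale

    def active(self, kind):
        return [s for s in self.sessions.values() if s.kind == kind]

    def touch(self, sid, now):
        """Record activity so the idle timer restarts for this session."""
        self.sessions[sid].last_active = now

    def login(self, user, kind, now, super_admin=False):
        """Return a new session id, or None when the limit blocks the login."""
        self.expire_idle(now)
        at_limit = len(self.active(kind)) >= self.limits[kind]
        # Only a Super Admin may exceed the GUI limit, so that someone can
        # still get in to terminate sessions when the table is full.
        if at_limit and not (kind == "GUI" and super_admin):
            return None
        sid, self._next = self._next, self._next + 1
        self.sessions[sid] = Session(sid, user, kind, now, super_admin)
        return sid

    def terminate(self, target_sid):
        """Terminate a listed session; True if it existed."""
        return self.sessions.pop(target_sid, None) is not None
```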
Change Administrator Name
To perform the following task, you must be a Super Admin or System Admin.
Administrative Access to Cisco ISE Using an External Identity Store
In Cisco ISE, you can authenticate administrators via an external identity store such as Active Directory, LDAP, or RSA SecurID. There are two models you can use to provide authentication via an external identity store:
External Authentication and Authorization—There are no credentials that are specified in the local Cisco ISE database for the administrator, and authorization is based on external identity store group membership only. This model is used for Active Directory and LDAP authentication.
External Authentication and Internal Authorization—The administrator’s authentication credentials come from the external identity source, and authorization and administrator role assignment take place using the local Cisco ISE database. This model is used for RSA SecurID authentication. This method requires you to configure the same username in both the external identity store and the local Cisco ISE database.
During the authentication process, Cisco ISE is designed to “fall back” and attempt to perform authentication from the internal identity database, if communication with the external identity store has not been established or if it fails. In addition, whenever an administrator for whom you have set up external authentication launches a browser and initiates a login session, the administrator still has the option to request authentication via the Cisco ISE local database by choosing “Internal” from the Identity Store drop-down selector in the login dialog.
Note: You can configure this method of providing external administrator authentication only via the Admin portal. The Cisco ISE Command Line Interface (CLI) does not feature these functions.
If your network does not already have one or more existing external identity stores, ensure that you have installed the necessary external identity stores and configured Cisco ISE to access those identity stores.
- External Authentication and Authorization
- External Authentication Process Flow
- Configure a Password-Based Authentication Using an External Identity Store
- Create an External Administrator Group
- Configure Menu Access and Data Access Permissions for the External Administrator Group
- Create an RBAC Policy for External Administrator Authentication
- Configure Admin Access Using an External Identity Store for Authentication with Internal Authorization
External Authentication and Authorization
By default, Cisco ISE provides internal administrator authentication. To set up external authentication, you must create a password policy for the external administrator accounts that you define in the external identity stores. You can then apply this policy to the external administrator groups that eventually become a part of the external administrator RBAC policy.
In addition to providing authentication via an external identity store, your network may also require you to use a Common Access Card (CAC) authentication device.
External Authentication Process Flow
When the administrator logs in, the login session passes through the following steps in the process:
- The administrator enters a user name and the RSA SecurID challenge response in the Cisco ISE login dialog, as if entering the user ID and password.
- The administrator ensures that the specified Identity Store is the external RSA SecurID resource.
- Upon logging in, the administrator sees only the menu and data access items that are specified in the RBAC policy.
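To make the two models and the fall-back behaviour concrete, here is an added example (not Cisco code and not ISE's internal implementation): one `login` function that uses external authentication with external group-based authorization for an Active Directory store, external authentication with internal authorization for an RSA SecurID store (where the username must also exist locally), falls back to the internal database when the external store is unreachable, and honours an explicit "Internal" choice in the login dialog. The store classes, accounts, secrets and group names are constructed for the example.

```python
# Added example (not Cisco's code): the two external administrator
# authentication models described above and the fall-back to the internal
# database when the external store cannot be reached. Store classes,
# accounts, secrets and group names are constructed for the example.
import hmac

class StoreUnreachable(Exception):
    """Communication with the external identity store could not be established."""

class InternalStore:
    """Local Cisco ISE admin database: credentials plus admin-group membership."""
    def __init__(self, accounts):
        self._accounts = accounts  # username -> {"password": str or None, "groups": set}

    def has_user(self, username):
        return username in self._accounts

    def authenticate(self, username, password):
        acct = self._accounts.get(username)
        if acct is None or acct["password"] is None:
            return False
        return hmac.compare_digest(acct["password"], password)

    def admin_groups(self, username):
        return set(self._accounts.get(username, {}).get("groups", ()))

class ExternalStore:
    """Stand-in for AD/LDAP or RSA SecurID; reachable=False simulates an outage."""
    def __init__(self, kind, users, reachable=True):
        self.kind, self._users, self.reachable = kind, users, reachable

    def authenticate(self, username, secret):
        if not self.reachable:
            raise StoreUnreachable(self.kind)
        user = self._users.get(username)
        return user is not None and hmac.compare_digest(user["secret"], secret)

    def groups(self, username):
        return set(self._users.get(username, {}).get("groups", ()))

def login(username, secret, selected_store, internal, external, group_map):
    """Return (authenticated, store_used, admin_groups) for one login attempt.

    group_map maps an external (AD/LDAP) group to the ISE external
    administrator group that an RBAC policy refers to.
    """
    if selected_store == "Internal":
        # The administrator chose the local database in the login dialog.
        ok = internal.authenticate(username, secret)
        return ok, "Internal", internal.admin_groups(username) if ok else set()
    try:
        ok = external.authenticate(username, secret)
    except StoreUnreachable:
        # External store down: fall back to the internal identity database.
        ok = internal.authenticate(username, secret)
        return ok, "Internal (fallback)", internal.admin_groups(username) if ok else set()
    if not ok:
        return False, external.kind, set()
    if external.kind == "RSA SecurID":
        # External authentication, internal authorization: the same username
        # must exist locally, and its local admin groups decide the role.
        if not internal.has_user(username):
            return False, external.kind, set()
        return True, external.kind, internal.admin_groups(username)
    # External authentication and authorization: the role comes only from
    # mapped external group membership; no credentials are stored locally.
    groups = {group_map[g] for g in external.groups(username) if g in group_map}
    return bool(groups), external.kind, groups

# Constructed sample data (not real accounts or secrets).
INTERNAL = InternalStore({
    "admin": {"password": "local-pw", "groups": {"Super Admin"}},
    "bob": {"password": None, "groups": {"Helpdesk Admin"}},  # RSA user, no local password
})
AD = ExternalStore("Active Directory", {"alice": {"secret": "ad-pw", "groups": {"ISE-Admins"}}})
RSA = ExternalStore("RSA SecurID", {"bob": {"secret": "123456", "groups": set()},
                                    "carol": {"secret": "654321", "groups": set()}})
GROUP_MAP = {"ISE-Admins": "AD Admin Group"}
```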
Configure a Password-Based Authentication Using an External Identity Store
You must first configure password-based authentication for administrators who authenticate using an external identity store such as Active Directory or LDAP.
Step 1 | Choose . |
Step 2 | On the Authentication Method tab, select Password Based and choose one of the external identity sources you should have already configured. For example, the Active Directory instance that you have created. |
Step 3 | Configure any other specific password policy settings that you want for administrators who authenticate using an external identity store. |
Step 4 | Click Save. |
Create an External Administrator Group
You will need to create an external Active Directory or LDAP administrator group. This ensures that Cisco ISE uses the username that is defined in the external Active Directory or LDAP identity store to validate the administrator username and password that you entered upon login.
Cisco ISE imports the Active Directory or LDAP group information from the external resource and stores it as a dictionary attribute. You can then specify that attribute as one of the policy elements when it is time to configure the RBAC policy for this external administrator authentication method.
Step 1 | Choose . |
Step 2 | Enter a name and optional description. |
Step 3 | Choose the External radio button. If you have connected and joined to an Active Directory domain, your Active Directory instance name appears in the Name field. |
Step 4 | From the External Groups drop-down list box, choose the Active Directory group that you want to map for this external administrator group. Click the "+" sign to map additional Active Directory groups to this external administrator group. |
Step 5 | Click Save. |
Configure Menu Access and Data Access Permissions for the External Administrator Group
You must configure menu access and data access permissions that can be assigned to the external administrator group.
Step 1 | Choose . |
Step 2 | Click one of the following: |
Step 3 | Specify menu access or data access permissions for the external administrator group. |
Step 4 | Click Save. |
Create an RBAC Policy for External Administrator Authentication
In order to configure Cisco ISE to authenticate the administrator using an external identity store and to specify custom menu and data access permissions at the same time, you must configure a new RBAC policy. This policy must have the external administrator group for authentication and the Cisco ISE menu and data access permissions to manage the external authentication and authorization.
Note: You cannot modify an existing (system-preset) RBAC policy to specify these new external attributes. If you have an existing policy that you would like to use as a "template," be sure to duplicate that policy, rename it, and then assign the new attributes.
Step 1 | Choose . |
Step 2 | Specify the rule name, external administrator group, and permissions. Remember that the appropriate external administrator group must be assigned to the correct administrator user IDs. Ensure that the administrator in question is associated with the correct external administrator group. |
Step 3 | Click Save. If you log in as an administrator, and the Cisco ISE RBAC policy is not able to authenticate your administrator identity, Cisco ISE displays an "unauthenticated" message, and you cannot access the Admin portal. |
Configure Admin Access Using an External Identity Store for Authentication with Internal Authorization
This method requires you to configure the same username in both the external identity store and the local Cisco ISE database. When you configure Cisco ISE to provide administrator authentication using an external RSA SecurID identity store, administrator credential authentication is performed by the RSA identity store. However, authorization (policy application) is still done according to the Cisco ISE internal database. In addition, there are two important factors to remember that are different from external authentication and authorization:
Step 1 | Choose . |
Step 2 | Ensure that the administrator username in the external RSA identity store is also present in Cisco ISE. Ensure that you click the External option under Password. |
Step 3 | Click Save. |