Hostname

Displays the hostname of the node.

Node Type

Displays the node type. It can be one of the following:

• Cisco ISE (Administration, Policy Service, and Monitoring) nodes

• Inline Posture node

Personas

(Only appears if the node type is Cisco ISE) Lists the personas that an Cisco ISE node has assumed. For example, Administration, Policy Service.

Role

Indicates the role (primary, secondary, or standalone) that the Administration and Monitoring personas have assumed, if these personas are enabled on this node. The role can be any one or more of the following:

• PRI(A)—Refers to the Primary Administration Node (PAN)

• SEC(A)—Refers to the Secondary Administration Node

• PRI(M)—Refers to the Primary Monitoring Node

• SEC(M)—Refers to the Secondary Monitoring Node

Services

(Only appears if the Policy Service persona is enabled) Lists the services that run on this Cisco ISE node. Services can include any one of the following:

• Session

• Profiling

• All

Node Status

Indicates the status of each ISE node in a deployment for data replication.

• Green (Connected)—Indicates that an ISE node, which is already registered in the deployment is in sync with the PAN.

• Red (Disconnected)—Indicates that an ISE node is not reachable or is down or data replication is not happening.

• Orange (In Progress)—Indicates that an ISE node is newly registered with the PAN or you have performed a manual sync operation or the ISE node is not in sync (out of sync) with the PAN.

For more details, click the quick view icon for each ISE node in the Node Status column.

Check this check box if you want a Cisco ISE node to assume the Administration persona. You can enable the Administration persona only on nodes that are licensed to provide the administrative services.

Role—Displays the role that the Administration persona has assumed in the deployment. Could take on any one of the following values: Standalone, Primary, Secondary

Make Primary—Click this button to make this node your primary Cisco ISE node. You can have only one primary Cisco ISE node in a deployment. The other options on this page will become active only after you make this node primary. You can have only two Administration nodes in a deployment. If the node has a Standalone role, a Make Primary button appears next to it.If the node has a Secondary role, a Promote to Primary button appears next to it.If the node has a Primary role and there are no other nodes registered with it, a Make Standalone button appears next to it. You can click this button to make your primary node a standalone node.

Check this check box if you want a Cisco ISE node to assume the Monitoring persona and function as your log collector. There must be at least one Monitoring node in a distributed deployment. At the time of configuring your PAN, you must enable the Monitoring persona. After you register a secondary Monitoring node in your deployment, you can edit the PAN and disable the Monitoring persona, if required. To configure a Cisco ISE node on a VMware platform as your log collector, use the following guidelines to determine the minimum amount of disk space that you need: 180 KB per endpoint in your network, per day 2.5 MB per Cisco ISE node in your network, per day.

You can calculate the maximum disk space that you need based on how many months of data you want to have in your Monitoring node. If there is only one Monitoring node in your deployment, it assumes the standalone role. If you have two Monitoring nodes in your deployment, Cisco ISE displays the name of the other monitoring node for you to configure the Primary-Secondary roles. To configure these roles, choose one of the following:

• Primary—For the current node to be the primary Monitoring node.

• Secondary—For the current node to be the secondary Monitoring node.

• None—If you do not want the Monitoring nodes to assume the primary-secondary roles.

If you configure one of your Monitoring nodes as primary or secondary, the other Monitoring node automatically becomes the secondary or primary node, respectively. Both the primary and secondary Monitoring nodes receive Administration and Policy Service logs. If you change the role for one Monitoring node to None, the role of the other Monitoring node also becomes None, thereby cancelling the high availability pair After you designate a node as a Monitoring node, you will find this node listed as a syslog target in the following page: Administration > System > Logging > Remote Logging Targets

• Enable Session Services—Check this check box to enable network access, posture, guest, and client provisioning services. Choose the group to which this Policy Service node belongs from the Include Node in Node Group drop-down list.

  Choose <none> if you do not want this Policy Service node to be part of any group.

  All the nodes within the same node group should be configured on the network access device (NAD) as RADIUS clients and authorized for CoA, because any one of them can issue a CoA request for the sessions that are established through any node in the node group. If you are not using a load balancer, the nodes in a node group should be the same as, or a subset of the RADIUS servers and clients configured on the NAD. These nodes would also be configured as RADIUS servers.

  While a single NAD can be configured with many ISE nodes as RADIUS servers and dynamic-authorization clients, it is not necessary for all the nodes to be in the same node group.

  The members of a node group should be connected to each other using high-speed LAN connection such as Gigabit Ethernet. The node group members need not be L2 adjacent, but L2 adjacency is highly recommended to ensure sufficient bandwidth and reachability. See Create a Policy Service Node Group section for more details.

• Enable Profiling Service—Check this check box to enable the Profiler service. If you enable the Profiling service, you must click the Profiling Configuration tab and enter the details as required. When you enable or disable any of the services that run on the Policy Service node or make any changes to this node, you will be restarting the application server processes on which these services run. You must expect a delay while these services restart. You can determine when the application server has restarted on a node by using the show application status ise command from the CLI.

NetFlow

Check this check box if you want to enable NetFlow per Cisco ISE node that has assumed the Policy Service persona to receive Netflow packets sent from the routers.Choose these options:

• Interface—Choose the interface on the ISE node.

• Port—Enter the NetFlow listener port number on which NetFlow exports are received from the routers. The default port is 9996.

DHCP

Check this check box if you want to enable DHCP per Cisco ISE node that has assumed the Policy Service persona to listen for DHCP packets from IP helper.Choose these options:Port—Enter the DHCP server UDP port number. The default port is 67.

• Interface—Choose the interface on the ISE node.

• Port—Enter the DHCP server UDP port number. The default port is 67.

DHCP SPAN

Check this check box if you want to enable DHCP SPAN per Cisco ISE node that has assumed the Policy Service persona to collect DHCP packets.

• Interface—Choose the interface on the ISE node.

HTTP

Check this check box if you want to enable HTTP per Cisco ISE node that has assumed the Policy Service persona to receive and parse HTTP packets.

RADIUS

Check this check box if you want to enable RADIUS per ISE node that has assumed the Policy Service persona to collect RADIUS session attributes as well as CDP, LLDP attributes from the IOS Sensor enabled devices.

Network Scan (NMAP)

Check this box to enable the NMAP probe.

You can also do a manual scan of a subnet in this panel.

DNS

Check this check box if you want to enable DNS per ISE node that has assumed the Policy Service persona to perform a DNS lookup for the FQDN.Enter the timeout period in seconds.

SNMP Query

Check this check box if you want to enable SNMP Query per ISE node that has assumed the Policy Service persona to poll network devices at specified intervals.Enter values for the following fields: Retries, Timeout, Event Timeout, and an optional Description.

SNMP Trap

Time Sync Server

Enter the IP address of the primary, secondary, and tertiary time sync server.

DNS Server

Enter the IP address of the primary, secondary, and tertiary DNS server.

Trusted Interface (to protected network)

Enter the Management VLAN ID (all the other information is automatically populated for these options)

Untrusted Interface (to management network)

Enter the IP Address, Subnet Mask, Default Gateway, and Management VLAN ID for the untrusted interface.

Routed Mode

Choose this option for this node to provide router (hop in the wire) functionality for Inline Posture.

Bridged Mode

MAC Address

Enter the MAC Address of the device on which to avoid policies. For security reasons, we recommend that you always include the IP address along with the MAC address in a MAC filter entry. Do not configure the MAC address in a MAC filter for a directly connected ASA VPN device without also entering the IP address. Without the addition of the optional IP address, VPN clients are allowed to bypass policy enforcement. This bypass happens because the VPN is a Layer 3 hop for clients, and the device uses its own MAC address as the source address to send packets along the network toward the Inline Posture node.

IP Address

Enter the IP Address of the device on which to avoid policies.

Description

Enter a description of the MAC Filter.

Subnet Address

Enter the subnet Address of the device on which to avoid policies.

Subnet Mask

Enter the subnet Mask of the device on which to avoid policies

Description

Enter a description of the Subnet Filter.

Primary Server

Enter the IP address, shared secret, timeout in seconds, and number of retries for the primary RADIUS server, usually the Policy Service node.

The timeout and retry values should be based on the timeout and retries that you define on the client such as WLC or ASA. We recommend the following: (IPN RADIUS Config Timeout * No. of Retries) < (Client device's Timeout * No. of Retries). For example, on the primary and secondary servers, you can configure the timeout to be 5 seconds and the number of retries to be 1, and on the client, you can configure the timeout to be 5 seconds and the number of retries to be 3. So the timeout * no. of retries configured on the IPN server (5*1=5) is lesser than the value configured on the client (5*3=15)

Secondary Server

Enter the IP address, shared secret, timeout in seconds, and number of retries for the secondary RADIUS server.

The timeout and retry values should be based on the timeout and retries that you define on the client such as WLC or ASA. We recommend the following: (IPN RADIUS Config Timeout * No. of Retries) < (Client device's Timeout * No. of Retries). For example, on the primary and secondary servers, you can configure the timeout to be 5 seconds and the number of retries to be 1, and on the client, you can configure the timeout to be 5 seconds and the number of retries to be 3. So the timeout * no. of retries configured on the IPN server (5*1=5) is lesser than the value configured on the client (5*3=15)

Client

Enable KeyWrap

Displays only if you have deployed an Inline Posture high availability pair.

HA Peer Node

Service IP (Trusted)

Enter the Trusted Service IP address (eth0) for the traffic interface of the primary node.

Service IP (Untrusted)

Enter the Untrusted Service IP address (eth1) for the traffic interface of the primary node.In the bridged mode, the service IP address is the same for both trusted and untrusted networks.

Link Detect (Trusted)

Enter the IP address (optional, but recommended as a best practice) for the Link-Detect system for the trusted and untrusted sides. This address is usually the IP address of the Policy Service node, because both the active and standby nodes should always be able to reach the Policy Service node.

Link Detect (Untrusted)

Enter the IP address for the Link-Detect system for the untrusted side.

Link Detect Timeout

Enter a Link-Detect Timeout value. The default value of 30 seconds is recommended. However, there is no maximum value.Link-detect ensures that the Inline Posture node maintains communication with the Policy Service node. If the active node does not receive notification (ping) from the Policy Service node at the specified intervals, the active node fails over to the standby node.

Heart Beat Timeout

Enter a Heart Beat Timeout value. The default value of 30 seconds is recommended. However, there is no maximum value.The heartbeat is a message that is sent between the two Inline Posture nodes at specified intervals. The heartbeat happens on eth2 and eth3 interfaces. If the heartbeat stops or does not receive a response in the allotted time, failover occurs.

Syncup Peer Node

If the sync status for any secondary node is out of sync, click Syncup Peer Node to force a full database replication.

Node Name

Name of the Policy Service node (PSN) that issued the certificate.

Endpoint Certificates Issued

Number of endpoint certificates issued by the PSN node.

Endpoint Certificates Revoked

Number of revoked endpoint certificates (certificates that were issued by the PSN node).

Endpoint Certificates Requests

Number of certificate-based authentication requests processed by the PSN node.

Endpoint Certificates Failed

Number of failed authentication requests processed by the PSN node.

Select Node

(Required) The node for which you want to generate the system certificate.

Common Name (CN)

(Required if you do not specify a SAN) By default, the common name is the Fully Qualified Domain Name of the ISE node for which you are generating the self-signed certificate.

Organizational Unit (OU)

Organizational Unit name. For example, Engineering.

Organization (O)

Organization name. For example, Cisco.

City (L)

(Do not abbreviate) City name. For example, San Jose.

State (ST)

(Do not abbreviate) State name. For example, California.

Country (C)

Country name. You must enter the two-letter ISO country code. For example, US.

Subject Alternative Name (SAN)

An IP address or DNS name that is associated with the certificate.

Key Length

Choose 2048 if you plan to get a public CA-signed certificate or deploy Cisco ISE as a FIPS-compliant policy management system.

Digest to Sign With

Choose one of the following hashing algorithm: SHA-1 or SHA-256.

Expiration TTL

Specify the number of days after which the certificate will expire.

Friendly Name

Enter a friendly name for the certificate. If you do not specify a name, Cisco ISE automatically creates a name in the format <common name> # <issuer> # <nnnnn> where <nnnnn> is a unique five-digit number.

Allow Wildcard Certificates

Check this check box if you want to generate a self-signed wildcard certificate (a certificate that contains an asterisk (*) in any Common Name in the Subject and/or the DNS name in the Subject Alternative Name. For example, DNS name assigned to the SAN can be *.amer.cisco.com.

Usage

Choose the service for which this system certificate should be used:

• Admin—Server certificate used to secure communication with the Admin portal and between ISE nodes in a deployment

• EAP Authentication—Server certificate used for authentications that use the EAP protocol for SSL/TLS tunneling

• pxGrid—Client and server certificate to secure communication between the pxGrid client and server

• Portal—Server certificate used to secure communication with all Cisco ISE web portals

Certificate(s) will be used for

Choose the service for which you are going to use the certificate:

Cisco ISE Identity Certificates

• Multi-Use—Used for multiple services (Admin, EAP-TLS Authentication, pxGrid, and Portal). Multi-use certificates use both client and server key usages. The certificate template on the signing CA is often called a Computer or Machine certificate template. This template has the following properties:

  • Key Usage: Digital Signature (Signing)

  • Extended Key Usage: TLS Web Server Authentication (1.3.6.1.5.5.7.3.1) and TLS Web Client Authentication (1.3.6.1.5.5.7.3.2)

• Admin—Used for server authentication (to secure communication with the Admin portal and between ISE nodes in a deployment). The certificate template on the signing CA is often called a Web Server certificate template. This template has the following properties:

  • Key Usage: Digital Signature (Signing)

  • Extended Key Usage: TLS Web Server Authentication (1.3.6.1.5.5.7.3.1)

• EAP Authentication—Used for server authentication. The certificate template on the signing CA is often called a Computer or Machine certificate template. This template has the following properties:

  • Key Usage: Digital Signature (Signing)

  • Extended Key Usage: TLS Web Server Authentication (1.3.6.1.5.5.7.3.1)

• Portal—Used for server authentication (to secure communication with all ISE web portals). The certificate template on the signing CA is often called a Computer or Machine certificate template. This template has the following properties:

  • Key Usage: Digital Signature (Signing)

  • Extended Key Usage: TLS Web Server Authentication (1.3.6.1.5.5.7.3.1)

• pxGrid—Used for both client and server authentication (to secure communication between the pxGrid client and server). The certificate template on the signing CA is often called a Computer or Machine certificate template. This template has the following properties:

  • Key Usage: Digital Signature (Signing)

  • Extended Key Usage: TLS Web Server Authentication (1.3.6.1.5.5.7.3.1) and TLS Web Client Authentication (1.3.6.1.5.5.7.3.2)

Cisco ISE Certificate Authority Certificates

• ISE Root CA—(Applicable only for the internal CA service ) Used for regenerating the entire internal CA certificate chain including the root CA on the PAN and subordinate CAs on the PSNs.

• ISE Intermediate CA—(Applicable only for the internal CA service when ISE acts as an intermediate CA of an external PKI) Used to generate an intermediate CA certificate on the PAN and subordinate CA certificates on the PSNs. The certificate template on the signing CA is often called a Subordinate Certificate Authority. This template has the following properties:

  • Basic Constraints: Critical, Is a Certificate Authority

  • Key Usage: Certificate Signing, Digital Signature

  • Extended Key Usage: OCSP Signing (1.3.6.1.5.5.7.3.9)

• Renew ISE OCSP Responder Certificates—(Applicable only for the internal CA service) Used to renew the ISE OCSP responder certificate for the entire deployment (and is not a certificate signing request). For security reasons, we recommend that you renew the ISE OCSP responder certificates every six months.

Allow Wildcard Certificates

Check this check box to use a wildcard character (*) in the CN and/or the DNS name in the SAN field of the certificate. If you check this check box, all the nodes in the deployment are selected automatically. You must use the asterisk (*) wildcard character in the left-most label position. If you use wildcard certificates, we recommend that you partition your domain space for greater security. For example, instead of *.example.com, you can partition it as *.amer.example.com. If you do not partition your domain, it can lead to security issues.

Generate CSRs for these Nodes

Check the check boxes next to the nodes for which you want to generate the certificate. To generate a CSR for select nodes in the deployment, you must uncheck the Allow Wildcard Certificates option.

Common Name (CN)

By default, the common name is the FQDN of the ISE node for which you are generating the CSR. $FQDN$ denotes the FQDN of the ISE node. When you generate CSRs for multiple nodes in the deployment, the Common Name field in the CSRs is replaced with the FQDN of the respective ISE nodes.

Organizational Unit (OU)

Organizational Unit name. For example, Engineering.

Organization (O)

Organization name. For example, Cisco.

City (L)

(Do not abbreviate) City name. For example, San Jose.

State (ST)

(Do not abbreviate) State name. For example, California.

Country (C)

Country name. You must enter the two-letter ISO country code. For example, US.

Subject Alternative Name (SAN)

Available options for SAN include:

• DNS Name—If you choose the DNS name, enter the fully qualified domain name of the ISE node. If you have enabled the Allow Wildcard Certificates option, specify the wildcard notation (an asterisk and a period before the domain name). For example, *.amer.example.com.

• IP Address—IP address of the ISE node to be associated with the certificate.

An IP address or DNS name that is associated with the certificate.

Key Length

Choose 2048 or greater if you plan to get a public CA-signed certificate or deploy Cisco ISE as a FIPS-compliant policy management system.

Digest to Sign With

Choose one of the following hashing algorithm: SHA-1 or SHA-256.

Select Node

(Required) Choose the Cisco ISE node on which you want to import the system certificate.

Certificate File

(Required) Click Browse to select the certificate file from your local system.

Private Key File

(Required) Click Browse to select the private key file.

Password

(Required) Enter the password to decrypt the private key file.

Friendly Name

Enter a friendly name for the certificate. If you do not specify a name, Cisco ISE automatically creates a name in the format <common name> # <issuer> # <nnnnn> where <nnnnn> is a unique five-digit number.

Allow Wildcard Certificates

Check this check box if you want to import a wildcard certificate (a certificate that contains an asterisk (*) in any Common Name in the Subject and/or the DNS name in the Subject Alternative Name. For example, DNS name assigned to the SAN can be *.amer.cisco.com. If you check this check box, Cisco ISE imports this certificate to all the other nodes in the deployment.

Enable Validation of Certificate

Check this check box if you want Cisco ISE to validate the certificate extensions. If you check this check box and the certificate that you are importing contains a basic constraints extension with the CA flag set to true, ensure that the key usage extension is present, and that the keyEncipherment bit or the keyAgreement bit, or both, are also set.

Usage

Choose the service for which this system certificate should be used:

• Admin—Server certificate used to secure communication with the Admin portal and between ISE nodes in a deployment

• EAP Authentication—Server certificate used for authentications that use the EAP protocol for SSL/TLS tunneling

• pxGrid—Client and server certificate to secure communication between the pxGrid client and server

• Portal—Server certificate used to secure communication with all Cisco ISE web portals

Friendly Name

Displays the name of the certificate.

Status

Enabled or Disabled. If Disabled, ISE will not use the certificate for establishing trust.

Trusted for

Displays the service for which the certificate is used.

Issued To

Common Name (CN) of the certificate subject.

Issued By

Common Name (CN) of the certificate issuer.

Valid From

The “Not Before” certificate attribute.

Expiration Date

The “Not After” certificate attribute.

Expiration Status

Provides information about the status of the certificate expiration. There are five icons and categories of informational message that appear in this column:

• Green—Expiring in more than 90 days

• Blue—Expiring in 90 days or less

• Yellow—Expiring in 60 days or less

• Orange—Expiring in 30 days or less

• Red—Expired

Certificate Issuer

Friendly Name

Enter a friendly name for the certificate.

Status

Choose Enabled or Disabled. If Disabled, ISE will not use the certificate for establishing trust.

Description

Enter an optional description.

Usage

Trust for authentication within ISE

Check the check box if you want this certificate to verify server certificates (from other ISE nodes or LDAP servers).

Trust for client authentication and Syslog

(Applicable only if you check the Trust for authentication within ISE check box) Check the check box if you want this certificate to be used to:

• Authenticate endpoints that connect to ISE using the EAP protocol

• Trust a Syslog server

Trust for authentication of Cisco Services

Check this check box if you want this certificate to be used to trust external Cisco services such as the feed service.

Certificate Status Validation

ISE supports two ways of checking the revocation status of a client or server certificate that is issued by a particular CA. The first is to validate the certificate using the Online Certificate Status Protocol (OCSP), which makes a request to an OCSP service maintained by the CA. The second is to validate the certificate against a Certificate Revocation List (CRL) which is downloaded from the CA into ISE. Both of these methods can be enabled, in which case OCSP is used first, and only if a status determination cannot be made then the CRL is used.

Validate Against OCSP Service

Check the check box to validate the certificate against OCSP services. You must first create an OCSP Service to be able to check this box.

Reject the request if OCSP returns UNKNOWN status

Check the check box to reject the request if certificate status is not determined by OCSP. If you check this check box, an unknown status value returned by the OCSP service will cause ISE to reject the client or server certificate currently being evaluated.

Download CRL

Check the check box for the Cisco ISE to download a CRL.

CRL Distribution URL

Enter the URL to download the CRL from a CA. This field will be automatically populated if it is specified in the certificate authority certificate. The URL must begin with “http”, “https”, or “ldap.”

Retrieve CRL

The CRL can be downloaded automatically or periodically. Configure the time interval between downloads.

If download failed, wait

Configure the time interval to wait before Cisco ISE tries to download the CRL again.

Bypass CRL Verification if CRL is not Received

Check this check box, for the client requests to be accepted before the CRL is received. If you uncheck this check box, all client requests that use certificates signed by the selected CA will be rejected until Cisco ISE receives the CRL file.

Ignore that CRL is not yet valid or expired

Check this check box if you want Cisco ISE to ignore the start date and expiration date and continue to use the not yet active or expired CRL and permit or reject the EAP-TLS authentications based on the contents of the CRL.

Uncheck this check box if you want Cisco ISE to check the CRL file for the start date in the Effective Date field and the expiration date in the Next Update field. If the CRL is not yet active or has expired, all authentications that use certificates signed by this CA are rejected.

Browse

Click Browse to choose the certificate file from the computer that is running the browser.

Friendly Name

Enter a friendly name for the certificate. If you do not specify a name, Cisco ISE automatically creates a name in the format <common name>#<issuer>#<nnnnn>, where <nnnnn> is a unique five-digit number.

Trust for authentication within ISE

Check the check box if you want this certificate to be used to verify server certificates (from other ISE nodes or LDAP servers).

Trust for client authentication and Syslog

(Applicable only if you check the Trust for authentication within ISE check box) Check the check box if you want this certificate to be used to:

• Authenticate endpoints that connect to ISE using the EAP protocol

• Trust a Syslog server

Trust for authentication of Cisco Services

Check this check box if you want this certificate to be used to trust external Cisco services such as the feed service.

Enable Validation of Certificate Extensions

(Only if you check both the Trust for client authentication and Enable Validation of Certificate Extensions options) Ensure that the “keyUsage” extension is present and the “keyCertSign” bit is set, and that the basic constraints extension is present with the CA flag set to true.

Description

Enter an optional description.

Name

Name of the OCSP Client Profile.

Description

Enter an optional description.

Enable Secondary Server

Check this check box to enable a secondary OCSP server for high availability.

Always Access Primary Server First

Use this option to check the primary server before trying to move to the secondary server. Even if the primary was checked earlier and found to be unresponsive, Cisco ISE will try to send a request to the primary server before moving to the secondary server.

Fallback to Primary Server After Interval n Minutes

Use this option when you want Cisco ISE to move to the secondary server and then fall back to the primary server again. In this case, all other requests are skipped, and the secondary server is used for the amount of time that is configured in the text box. The allowed time range is 1 to 999 minutes.

URL

Enter the URL of the primary and/or secondary OCSP server.

Enable Nonce Extension Support

You can configure a nonce to be sent as part of the OCSP request. The Nonce includes a pseudo-random number in the OCSP request. It is verified that the number that is received in the response is the same as the number that is included in the request. This option ensures that old communications cannot be reused in replay attacks.

Validate Response Signature

The OCSP responder signs the response with one of the following certificates:

• The CA certificate

• A certificate different from the CA certificate

  In order for Cisco ISE to validate the response signature, the OCSP responder needs to send the response along with the certificate, otherwise the response verification fails, and the status of the certificate cannot be relied on. According to the RFC, OCSP can sign the response using different certificates. This is true as long as OCSP sends the certificate that signed the response for Cisco ISE to validate it. If OCSP signs the response with a different certificate that is not configured in Cisco ISE, the response verification will fail.

Cache Entry Time To Live n Minutes

Enter the time in minutes after which the cache entry expires.

Each response from the OCSP server holds a nextUpdate value. This value shows when the status of the certificate will be updated next on the server. When the OCSP response is cached, the two values (one from the configuration and another from response) are compared, and the response is cached for the period of time that is the lowest value of these two. If the nextUpdate value is 0, the response is not cached at all.

Cisco ISE will cache OCSP responses for the configured time. The cache is not replicated or persistent, so when Cisco ISE restarts, the cache is cleared.

Clear Cache

Click Clear Cache to clear entries of all the certificate authorities that are connected to the OCSP service.

In a deployment, Clear Cache interacts with all the nodes and performs the operation. This mechanism updates every node in the deployment.

Disable Certificate Authority

Click this button to disable the internal CA service.

Host Name

Host name of the Cisco ISE node that is running the CA service.

Personas

Cisco ISE node personas that are enabled on the node running the CA service. For example, Administration, Policy Service, etc.

Role(s)

The role(s) assumed by the Cisco ISE node running the CA service. For example, Standalone or Primary or Secondary.

CA & OCSP Responder Status

Enabled or disabled

OCSP Responder URL

URL for Cisco ISE node to access the OCSP server.

Name

(Required) Enter a name for the certificate template. For example, Internal_CA_Template.

Description

(Optional) Enter a description.

Common Name (CN)

(Display only) Common name is autopopulated with the username.

Organizational Unit (OU)

Organizational Unit name. For example, Engineering.

Organization (O)

Organization name. For example, Cisco.

City (L)

(Do not abbreviate) City name. For example, San Jose.

State (ST)

(Do not abbreviate) State name. For example, California.

Country (C)

Country name. You must enter the two-letter ISO country code. For example, US.

Subject Alternative Name (SAN)

(Display only) MAC address of the endpoint.

Key Size

Specify a key size of 1024 or higher.

SCEP RA Profile

Choose the ISE Internal CA or an external SCEP RA profile that you have created.

Valid Period

Enter the number of days after which the certificate expires.

Name

Enter the name of the new target.

Target Type

Select the target type. By default it is set to UDP Syslog.

Description

Enter a brief description of the new target.

IP Address

Enter the IP address of the destination machine where you want to store the logs.

Port

Enter the port number of the destination machine.

Facility Code

Choose the syslog facility code to be used for logging. Valid options are Local0 through Local7.

Maximum Length

Enter the maximum length of the remote log target messages. Valid options are from 200 to 1024 bytes.

Buffer Message When Server Down

Check this check-box if you want Cisco ISE to buffer the syslog messages when TCP syslog targets and secure syslog targets are unavailable. ISE retries sending the messages to the target when the connection resumes. After the connection resumes, messages are sent by the order from oldest to newest and buffered messages are always sent before new messages. If the buffer is full, old messages are discarded.

Buffer Size (MB)

Set the buffer size for each target. By default, it is set to 100 MB. Changing the buffer size clears the buffer and all existing buffered messages for the specific target are lost.

Reconnect Timeout (Sec)

Give in seconds how long will the TCP and secure syslogs be kept before being discarded, when the server is down.

Select CA Certificate

Select a client certificate.

Ignore Server Certificate Validation

Check this check-box if you want ISE to ignore server certificate authentication and accept any syslog server. By default, this option is set to off unless the system is in FIPS mode when this is disabled.

Name

Displays the name of the logging category.

Log Severity Level

Allows you to choose the severity level for the diagnostic logging categories from the following options:

Local Logging

Check this check box to enable logging event for the category on the local node.

Target

Allows you to change the targets for a category by transferring the targets between the Available and the Selected boxes using the left and right icons. The Available box contains the existing logging targets, both local (predefined) and external (user-defined). The Selected box, which is initially empty, contains the selected targets for the specific category.

Repository

Enter the name of the repository. Alphanumeric characters are allowed and the maximum length is 80 characters.

Protocol

Choose one of the available protocols that you want to use.

Server Name

(Required for TFTP, HTTP, HTTPS, FTP, SFTP, and NFS) Enter the hostname or IPv4 address of the server where you want to create the repository.

Path

Enter the path to your repository. The path must be valid and must exist at the time you create the repository.

This value can start with two forward slashes (//) or a single forward slash (/) denoting the root directory of the server. However, for the FTP protocol, a single forward slash (/) denotes the FTP user's home directory and not the root directory.

User Name

(Required for FTP, SFTP, and NFS) Enter the username that has write permission to the specified server. Only alphanumeric characters are allowed.

Password

(Required for FTP, SFTP, and NFS) Enter the password that will be used to access the specified server. Passwords can consist of the following characters: 0 through 9, a through z, A through Z, -, ., |, @, #,$, %, ^, &, *, (, ), +, and =.

Backup Name

Enter the name of your backup file.

Type

Repository Name

Repository where your backup file should be saved. You cannot enter a repository name here. You can only choose an available repository from the drop-down list. Ensure that you create the repository before you run a backup.

Encryption Key

This key is used to encrypt and decrypt the backup file.

Name

Enter a name for your backup file.You can enter a descriptive name of your choice. Cisco ISE appends the timestamp to the backup filename and stores it in the repository. You will have unique backup filenames even if you configure a series of backups.On the Scheduled Backup list page, the backup filename will be prepended with “backup_occur” to indicate that the file is a kron occurrence job

Description

Enter a description for the backup.

Repository Name

Select the repository where your backup file should be saved.You cannot enter a repository name here. You can only choose an available repository from the drop-down list. Ensure that you create the repository before you run a backup.

Encryption Key

Enter a key to encrypt and decrypt the backup file.

Schedule Options

Choose the frequency of your scheduled backup and fill in the other options accordingly.

Minimum Length

Specifies the minimum length of the password (in characters). The default is six characters.

Password should not contain the admin name or its characters in reversed order

Check this check box to restrict the use of the administrator username or its characters in reverse order.

Password should not contain ‘cisco’ or its characters in reversed order

Check this check box to restrict the use of the word “cisco” or its characters in reverse order.

Password should not contain variable or its characters in reversed order

Check this check box to restrict the use of any word that you define or these characters in reverse order.

Password should not contain repeated characters four or more times consecutively

Check this check box to restrict the use of repeated characters four or more times consecutively.

Password must contain at least one character of each of the selected types

Specifies that the administrator password must contain at least one character of the type that you choose from the following choices:

• Lowercase alphabetic characters

• Uppercase alphabetic characters

• Numeric characters

• Non-alphanumeric characters

Password History

Specifies the number of previous passwords from which the new password must be different to prevent the repeated use of the same password.

Also, specifies the number of characters that must be different from the previous password.

Enter the number of days before which you cannot reuse a password.

Password Lifetime

Specifies the following options to force users to change passwords after a specified time period:

• Time (in days) before the administrator account is disabled if the password is not changed. (The allowable range is 0 to 2,147,483,647 days.)

• Reminder (in days) before the administrator account is disabled.

Lock or Suspend Account with Incorrect Login Attempts

Specifies the number of times Cisco ISE records incorrect administrator passwords before locking the administrator out of Cisco ISE, and suspending or disabling account credentials.

An e-mail is sent to the administrator whose account gets locked out. You can enter a custom e-mail remediation message.

Session Timeout

Session Idle Timeout

Enter the time in minutes that you want Cisco ISE to wait before it logs out the administrator if there is no activity. The default value is 60 minutes. The valid range is from 6 to 100 minutes.

Session Info

Invalidate

Check the check box next to the session ID that you want to terminate and click Invalidate.

Remediation Timer

Enter a time value in minutes. The default value is 4 minutes. The valid range is 1 to 300 minutes.

Network Transition Delay

Enter a time value in seconds. The default value is 3 seconds. The valid range is 2 to 30 seconds.

Default Posture Status

Choose Compliant or Noncompliant. The non-agent devices like Linux assumes this status while connecting to the network.

Automatically Close Login Success Screen After

Check the check box to close the login success screen automatically after the specified time.

Enter a time value in seconds, in the field next to the check box.

You can configure the timer to close the login screen automatically between 0 to 300 seconds. If the time is set to zero, then the NAC Agents and Web Agents do not display the login success screen.

Posture Lease

Select this option to initiate posture assessment every time the user connects to network

Select this option to initiate posture assessment after the specified number of days although the client is already postured Compliant.

Configuration Name

Enter the name of PRA configuration.

Configuration Description

Enter a description for PRA configuration.

Use Reassessment Enforcement?

Check the check box to apply the PRA configurations for the user identity groups.

Enforcement Type

Choose the action to be enforced:

• Continue — The user continues to have the privileged access without any user intervention to remediate the client irrespective of the posture requirement.

• Logoff — If the client is not compliant, the user is forced to logoff from the network. When the client logs in again, the compliance status is unknown.

• Remediate — If the client is not compliant, the agent waits for a specified time for the remediation to happen. Once the client has remediated, the agent sends the PRA report to the policy service node. If the remediation is ignored on the client, then the agent sends a logoff request to the policy service node to force the client to logoff from the network.

  If the posture requirement is set to mandatory, then the RADIUS session will be cleared as a result of the PRA failure action and a new RADIUS session has to start for the client to be postured again.

  If the posture requirement is set to optional, then the NAC Agent allows the user to click the continue option from the agent. The user can continue to stay in the current network without any restriction.

Interval

Enter a time interval in minutes to initiate PRA on the clients after the first successful login.

The default value is 240 minutes. Minimum value is 60 minutes and maximum is 1440 minutes.

Grace time

Enter a time interval in minutes to allow the client to complete remediation. The grace time cannot be zero, and should be greater than the PRA interval. It can range between the default minimum interval (5 minutes) and the minimum PRA interval.

The minimum value is 5 minutes and the maximum value is 60 minutes.

Select User Identity Groups

Choose a unique group or a unique combination of groups for your PRA configuration.

PRA configurations

Displays existing PRA configurations and user identity groups associated to PRA configurations.

Configuration Name

Enter the name of the AUP configuration that you want to create.

Configuration Description

Enter the description of the AUP configuration that you want to create.

Show AUP to Agent users (for NAC Agent and Web Agent on Windows only)

If checked, the Show AUP to Agent users check box displays users (for NAC Agents, and Web Agents on Windows only) the link to network usage terms and conditions for your network and click it to view the AUP upon successful authentication and posture assessment.

Use URL for AUP message radio button

When selected, you must enter the URL to the AUP message in the AUP URL, which clients must access upon successful authentication and posture assessment.

Use file for AUP message radio button

When selected, you must browse to the location and upload a file in a zipped format in the AUP File, which contains the index.html at the top level.

The .zip file can include other files and subdirectories in addition to the index.html file. These files can reference each other using HTML tags.

AUP URL

Enter the URL to the AUP, which clients must access upon successful authentication and posture assessment.

AUP File

In the AUP File, browse to the file and upload it to the Cisco ISE server. It should be a zipped file and the zipped file should contain the index.html file at the top level.

Select User Identity Groups

In the Select User Identity Groups drop-down list, choose a unique user identity group, or a unique combination of user identity groups, for your AUP configuration.

Note the following while creating an AUP configuration:

• Posture AUP is not applicable for a guest flow

• Each configuration must have a unique user identity group, or a unique combination of user identity groups

• No two configurations have any user identity group in common

• If you want to create a AUP configuration with a user identity group “Any”, then delete all other AUP configurations first

• If you create a AUP configuration with a user identity group “Any”, then you cannot create other AUP configurations with a unique user identity group, or user identity groups. To create an AUP configuration with a user identity group other than Any, either delete an existing AUP configuration with a user identity group “Any” first, or update an existing AUP configuration with a user identity group “Any” with a unique user identity group, or user identity groups.

Acceptable use policy configurations—Configurations list

Lists existing AUP configurations and end user identity groups associated with AUP configurations.

Authority Identity Info Description

Enter a user-friendly string that describes the Cisco ISE node that sends credentials to a client. The client can discover this string in the Protected Access Credentials (PAC) information for type, length, and value (TLV). The default value is Identity Services Engine.

Master Key Generation Period

Specifies the master key generation period in seconds, minutes, hours, days, or weeks. The value must be a positive integer in the range 1 to 2147040000 seconds. The default is 604800 seconds, which is equivalent to one week.

Revoke all master keys and PACs

Click Revoke to revoke all master keys and PACs.

Enable PAC-less Session Resume

Check this check box if you want to use EAP-FAST without the PAC files.

PAC-less Session Timeout

Specifies the time in seconds after which the PAC-less session resume times out. The default is 7200 seconds.

Tunnel PAC

Click this radio button to generate a tunnel PAC.

Machine PAC

Click this radio button to generate a machine PAC.

Trustsec PAC

Click this radio button to generate a Trustsec PAC.

Identity

(For the Tunnel and Machine PAC identity field) Specifies the username or machine name that is presented as the “inner username” by the EAP-FAST protocol. If the identity string does not match that username, authentication fails. This is the hostname as defined on the Adaptive Security Appliance (ASA). The identity string must match the ASA hostname otherwise, ASA cannot import the PAC file that is generated. If you are generating a Trustsec PAC, the Identity field specifies the Device ID of a Trustsec network device and is provided with an initiator ID by the EAP-FAST protocol. If the Identity string entered here does not match that Device ID, authentication fails.

PAC Time to Live

(For the Tunnel and Machine PAC) Enter a value in seconds that specifies the expiration time for the PAC. The default is 604800 seconds, which is equivalent to one week. This value must be a positive integer between 1 and 157680000 seconds. For the Trustsec PAC, enter a value in days, weeks, months, or years. By default, the value is one year. The minimum value is one day and the maximum is 10 years.

Encryption Key

Enter an encryption key. The length of the key must be between 8 and 256 characters. The key can contain uppercase or lowercase letters, or numbers, or a combination of alphanumeric characters.

Expiration Data

(For Trustsec PAC only) The expiration date is calculated based on the PAC Time to Live.

Enable EAP-TLS Session Resume

EAP-TLS Session Timeout

Specifies the time in seconds after which the EAP-TLS session times out. The default value is 7200 seconds.

Enable PEAP Session Resume

Check this check box for the Cisco ISE to cache the TLS session that is created during phase one of PEAP authentication, provided the user successfully authenticates in phase two of PEAP. If a user needs to reconnect and the original PEAP session has not timed out, the Cisco ISE uses the cached TLS session, resulting in faster PEAP performance and a reduced AAA server load. You must specify a PEAP session timeout value for the PEAP session resume features to work.

PEAP Session Timeout

Specifies the time in seconds after which the PEAP session times out. The default value is 7200 seconds.

Enable Fast Reconnect

Check this check box to allow a PEAP session to resume in the Cisco ISE without checking user credentials when the session resume feature is enabled.

Suppress Anomalous Clients

Check this check box to detect the clients for which the authentications fail repeatedly. A summary of the failures will be reported every Reporting Interval.

Detection Interval

Enter the time interval in minutes for the clients to be detected.

Reporting Interval

Enter the time interval in minutes for the failed authentications to be reported.

Reject Requests After Detection

Check this check box to reject the requests from a client that is identified as anomalous or misconfigured. The requests from anomalous clients will be rejected during the Request Rejection Interval.

Request Rejection Interval

Enter the time interval in minutes for which the requests are to be rejected. This option is available only when you have checked Reject Requests After Detection check box.

Suppress Repeated Successful Authentications

Check this check box to prevent repeated reporting of successful authentication requests in last 24 hours that have no change in identity context, network device, and authorization.

Accounting Suppression Interval

Enter the time interval in seconds for which the reporting of accounting requests to be suppressed.

Long Processing Step Threshold Interval

Enter the time interval in milliseconds. The steps are displayed in authentication details reports. If execution of a single step exceeds the specified threshold, then it will be highlighted in the authentication details report.

Tunnel PAC Time to Live

Proactive PAC Update Will Occur After

Cisco ISE proactively provides a new PAC to the client after successful authentication when a configured percentage of the Tunnel PAC TTL remains. The server initiates the tunnel PAC update if the first successful authentication happens before the PAC expiration. This mechanism allows the client to be always updated with a valid PAC. The default value is 10%.

SMS Gateway Provider Domain

Enter the provider domain, which is used as the host portion and the guest account's mobile number as the user portion of the email address to send the message to the provider's SMS/MMS gateway.

Provider account address

(Optional)

Enter the account address, which is used as the FROM address (typically the account address) for the email and overrides the Default Email Address global setting in Guest Access > Settings.

SMTP API destination address

(Optional)

Enter the SMTP API Destination Address, if you are using an SMTP SMS API that requires a specific account recipient address, such as Clickatell SMTP API.

This is used as the TO address for the email and the guest account's mobile number is substituted into the message's body template.

SMTP API body template

(Optional)

Enter the SMTP API Body Template, if you are using an SMTP SMS API that requires a specific email body template for sending the SMS, such as Clicketell SMTP API.

The supported dynamic substitutions are $mobilenumber$ and $message$.

URL

Enter the URL for the API.

This field is not URL encoded. The guest account's mobile number is substituted into the URL. The supported dynamic substitutions are $mobilenumber$ and $message$.

If you are using HTTPS with the HTTP API, include HTTPS in the URL string and upload your provider's trusted certificates into Cisco ISE. Choose Administration > System > Certificates > Trusted Certificates.

Data (Url encoded portion)

Enter the Data (Url encoded portion) for the GET or POST request.

This field is URL encoded. If using the default GET method, the data is appended to the URL specified above.

Use HTTP POST method for data portion

If using the POST method, check this option.

The data specified above is used as the content of the POST request.

HTTP POST data content type

If using the POST method, specify the content type such as "plain/text" or "application/xml".

HTTPS Username

HTTPS Password

HTTPS Host name

HTTPS Port number

Enter this information.

Minimum Length

Sets the minimum length of password (in characters)

Username

Restricts the use of the username or its characters in reversed order

Cisco

Restricts the use of “cisco” or its characters in reversed order

Special characters

Restricts the use of special characters that you define in reverse order

Repeated characters

Restricts the use of characters repeated four or more times consecutively

Required characters

Requires that the password include at least one of each of the following types:

• Lowercase alphabetic characters

• Uppercase alphabetic characters

• Numeric characters

• Non-alphanumeric characters

Password History

Enter the number of previous versions from which the password must be different to prevent the repeated use of the same password

You can also enter the number of characters that must be different from the previous password

Enter the number of days before which you cannot reuse a password

Password Lifetime

Sets the following options to force users to change passwords after a specified time period:

• Time (in days) before the user account is disabled if the password is not changed

• Reminder (in days) before the user account is disabled

Lock or Suspend Account with Incorrect Login Attempts

Specifies the number of times Cisco ISE records incorrect administrator passwords before locking the administrator out of Cisco ISE, and suspending or disabling account credentials.

An e-mail is sent to the administrator whose account gets locked out. You can enter a custom e-mail remediation message.

Name

Enter the name for the network device.

You can provide a descriptive name to the network device that can be different from the hostname of the device. The device name is a logical identifier.

Description

Enter the description for the device.

IP Address/Mask

Enter a single IP address and a subnet mask.

The following are the guidelines that must be followed while defining the IP addresses and subnet masks:

• You can define a specific IP address, or a range with a subnet mask. If device A has an IP address range defined, you can configure another device B with an individual address from the range that is defined in device A.

• You cannot define two devices with the same specific IP addresses.

• You cannot define two devices with the same IP range. The IP ranges must not overlap either partially or completely.

Model Name

Click the drop-down list to choose the device model, for example.

You can use the model name as one of the parameters while checking for conditions in rule-based policies. This attribute is present in the device dictionary.

Software Version

Click the drop-down list d to choose the version of the software running on the network device.

You can use the software version as one of the parameters while checking for conditions in rule-based policies. This attribute is present in the device dictionary.

Network Device Group

Click the Location and Device Type drop-down lists to choose a location and device type that can be associated with the network device.

If you do not specifically assign a device to a group when you configure it, it becomes a part of the default device groups (root NDGs), which is All Locations by location and All Device Types by device type and the default device groups (root NDGs) are assigned. For example, All Locations and All Device Groups.

Protocol

Displays RADIUS as the selected protocol.

Shared Secret

Enter a shared secret, which can be up to 127 characters in length.

The shared secret is the key that you have configured on the network device using the radius-host command with the pac option.

Enable KeyWrap

Check this check box only when supported on the network device, which increases RADIUS security via an AES KeyWrap algorithm.

Key Encryption Key

(Only appears when you enable KeyWrap) Enter an encryption key that is used for session encryption (secrecy).

Message Authenticator Code Key

(Only appears when you enable KeyWrap) Enter the key that is used for keyed Hashed Message Authentication Code (HMAC) calculation over RADIUS messages.

Key Input Format

Choose one of the following formats:

• ASCII—The Key Encryption Key must be 16 characters (bytes) long, and the Message Authenticator Code Key must be 20 characters (bytes) long.

• Hexadecimal—The Key Encryption Key must be 32 bytes long, and the Message Authenticator Code Key must be 40 bytes long.

You can specify the key input format that you want to use to enter the Cisco ISE FIPS encryption key, so that it matches the configuration that is available on the WLC. (The value that you specify must be the correct [full] length for the key, and shorter values are not permitted.)

SNMP Version

Choose an SNMP version from the Version drop-down list to be used for requests.

Version includes the following:

• 1—SNMPv1 does not support informs.

• 2c

• 3—SNMPv3 is the most secure model because it allows packet encryption when you choose the Priv security level.

  Note

  If you have configured your network device with SNMPv3 parameters, you cannot generate the Network Device Session Status Summary report that is provided by the Monitoring service (Operations > Reports > Catalog > Network Device > Session Status Summary). You can generate this report successfully if your network device is configured with SNMPv1 or SNMPv2c parameters.

SNMP RO Community

(Only for SNMP Versions 1 and 2c when selected) Enter the Read Only Community string that provides Cisco ISE with a particular type of access to the device.

SNMP Username

(Only for SNMP Version 3) Enter SNMP username.

Security Level

(Only for SNMP Version 3) Choose the security level from the following:

• Auth—Enables Message Digest 5 or Secure Hash Algorithm (SHA) packet authentication

• No Auth—No authentication and no privacy security level

• Priv—Enables Data Encryption Standard (DES) packet encryption

Auth Protocol

(Only for SNMP Version 3 when the security levels Auth and Priv are selected) Choose the authentication protocol that you want the network device to use.

Authentication Protocol includes one of the following for security levels of Auth and Priv:

• MD5

• SHA

Auth Password

(Only for SNMP Version 3 when the security levels Auth and Priv are selected) Enter the authentication key that must be at least 8 characters in length.

Click Show to display the Auth Password that is already configured for the device.

Privacy Protocol

(Only for SNMP Version 3 when the security level Priv is selected) Choose the privacy protocol that you want the network device to use.

Privacy Protocols are one of the following:

• DES

• AES128

• AES192

• AES256

• 3DES

Privacy Password

(Only for SNMP Version 3 when the security level Priv is selected) Enter the privacy key.

Click Show to display the Privacy Password that is already configured for the device.

Polling Interval

Enter the polling interval in seconds. The default is 3600 seconds.

Link Trap Query

Check this check box to receive and interpret linkup and linkdown notifications received through the SNMP Trap.

Mac Trap Query

Check this check box to receive and interpret MAC notifications received through the SNMP Trap

Originating Policy Service Node

Indicates which ISE server to be used to poll for SNMP data. By default, it is automatic, but you can overwrite the setting by assigning different values.

Trustsec Device Notification and Updates Settings

Use Device ID for Trustsec Identification

Check this check box if you want the Device Name to be listed as the device identifier in the Device ID field.

If you check this check box, then the Device Name appears in the Device Id field. You can also change this Device Id to a descriptive name of your choice.

Device Id

(Only when the Use Device ID for Trustsec Identification check box is not checked). You can use the Device Name as the logical identifier when populated in this field.

Password

Enter the password to authenticate the Trustsec device (the same password that you have configured on the Trustsec device command-line interface [CLI]).

Click Show to display the password that is used to authenticate the Trustsec device.

Download Environment Data Every

Specify the expiry time that allows you to configure the time interval in seconds, minutes, hours, weeks, or days between to download the Trustsec device environment information from Cisco ISE.

For example, if you enter 60 in seconds, the device would download its environment data from Cisco ISE every minute. The default value is 86,400 seconds or one day. The valid range is from 1 to 24850.

Download Peer Authorization Policy Every

Specify the expiry time that allows you to configure the time interval in seconds, minutes, hours, weeks, or days between to download the peer authorization policy from Cisco ISE.

For example, if you enter 60 in seconds, the device would download its peer authorization policy from Cisco ISE every minute. The default value is 86,400 seconds or one day. The valid range is from 1 to 24850.

Reauthentication Every

Specify the 802.1X reauthentication period that allows you to configure the time interval in seconds, minutes, hours, weeks or days between for reauthentication.

In a network that is configured with the Trustsec solution, after initial authentication, the Trustsec device re authenticates itself against Cisco ISE.

For example, if you enter 1000 seconds, the device would authenticate itself against Cisco ISE every 1000 seconds. The default value is 86,400 seconds or one day. The valid range is from 1 to 24850.

Download SGACL Lists Every

Specify the expiry time for SGACL lists that allow you to configure the time interval in seconds, minutes, hours, weeks or days between to download SGACLs from Cisco ISE.

For example, if you enter 3600 seconds, the network device obtains the SGACL lists from Cisco ISE every 3600 seconds. The default value is 86,400 seconds or one day. The valid range is from 1 to 24850.

Other Trustsec Devices to Trust This Device (Trustsec Trusted)

Check this check box if you want all the peer devices to trust this Trustsec device. If you uncheck this check box, the peer devices do not trust this device, and all packets that arrive from this device will be colored or tagged accordingly.

Notify this device about Trustsec configuration changes

Check this check box if you want Cisco ISE to send Trustsec CoA notifications to this Trustsec device.

Device Configuration Deployment Settings

Include this device when deploying Security Group Tag Mapping Updates

Check this check box if you want this Trustsec device to obtain the IP-SGT mappings using device interface credentials.

Exec Mode Username

Enter the username that has privileges to edit the device configuration in the Exec mode.

Exec Mode Password

Enter the password of the user having privileges to edit the device configuration in the Exec mode.

Enable Mode Password

Enter the password to enable Exec mode password for the device that would allow you to edit its configuration.

Click Show to display the Exec mode password that is already configured for this device.

Out Of Band (OOB) Trustsec PAC Display

Issue Date

Displays the issuing date of the last Trustsec PAC that has been generated by Cisco ISE for this Trustsec device.

Expiration Date

Displays the expiration date of the last Trustsec PAC that has been generated by Cisco ISE for this Trustsec device.

Issued By

Displays the name of the issuer (a Trustsec administrator) of the last Trustsec PAC that has been generated by Cisco ISE for this device.

Generate PAC

Click Generate PAC to create Trustsec Protected Access Credentials (PAC).

By default, Out Of Band Trustsec Protected Access Credentials (PAC) information is empty, but appears disabled when populated. Trustsec PAC information can be automatically populated when you generate Trustsec PAC for any Trustsec enabled device.

Default Network Device Status

Choose Enable from the Default Network Device Status drop-down list to enable the default network device definition.

Protocol

Displays RADIUS as the selected protocol.

Shared Secret

Enter the shared secret that can be up to 128 characters in length.

The shared secret is the key that you have configured on the network device using the radius-host command with the pac option.

Enable KeyWrap

Check this check box only when supported on the network device, which increases RADIUS security via an AES KeyWrap algorithm.

When you run Cisco ISE in FIPS mode, you must enable KeyWrap on the network device.

Key Encryption Key

Enter an encryption key that is used for session encryption (secrecy) when you enable KeyWrap.

Message Authenticator Code Key

Enter the key that is used for keyed Hashed Message Authentication Code (HMAC) calculation over RADIUS messages when you enable KeyWrap.

Key Input Format

Choose one of the following formats:

• ASCII—The Key Encryption Key must be 16 characters (bytes) long, and the Message Authenticator Code Key must be 20 characters (bytes) long.

• Hexadecimal—The Key Encryption Key must be 32 bytes long, and the Message Authenticator Code Key must be 40 bytes long.

You can specify the key input format that you want to use to enter the Cisco ISE FIPS encryption key, so that it matches the configuration that is available on the WLC. (The value that you specify must be the correct [full] length for the key, and shorter values are not permitted.)

Generate a Template

Click this link to create a comma-separated value (.csv) template file.

You must update the template with network devices information in the same format, and save it locally to import those network devices into any Cisco ISE deployment.

File

Click Browse to the location of the comma-separated value file that you might have created or previously exported from any Cisco ISE deployment.

You can import network devices in another Cisco ISE deployment with new and updated network devices information using import.

Overwrite Existing Data with New Data

Check this check box if you want Cisco ISE to replace existing network devices with the devices in your import file.

If you do not check this check box, new network device definitions that are available in the import file are added to the network device repository. Duplicate entries are ignored.

Stop Import on First Error

Check this check box if you want Cisco ISE to discontinue import when it encounters an error during import, but Cisco ISE imports network devices until that time of an error.

If this check box is not checked and an error is encountered, the error is reported, and Cisco ISE continues to import devices.

Name

Enter the name for the root Network Device Group (NDG). For all subsequent child network device groups under the root NDG, enter the name of the new network device group.

The full name of the Network Device Group that can have a maximum of 100 characters. For example, if you are creating a subgroup India under the parent groups Global > Asia, then the full name of the NDG that you are creating would be Global#Asia#India and this full name should not exceed 100 characters. If the full name of the NDG exceeds 100 characters, the NDG creation fails.

Description

Enter the description for the root or the child Network Device Group.

Type

Enter the type for the root Network Device Group.

For all subsequent child network device groups under the root NDG, the type is inherited from the parent NDG and therefore all the child NDGs under a root NDG will be of the same type.

If this NDG is a root NDG, then the type will be available as an attribute in the device dictionary. You can define conditions based on this attribute. The name of the NDG is one of the values that this attribute can take.

Generate a Template

Click this link to create a comma-separated value (.csv) template file.

You must update the template with network device groups information in the same format, and save it locally to import those network device groups into any Cisco ISE deployment.

File

Click Browse to the location of the comma-separated value file that you might have created or previously exported from any Cisco ISE deployment.

You can import network device groups in another Cisco ISE deployment with new and updated network device groups information using import.

Overwrite Existing Data with New Data

Check this check box if you want Cisco ISE to replace existing network device groups with the device groups in your import file.

If you do not check this check box, new network device group that are available in the import file are added to the network device group repository. Duplicate entries are ignored.

Stop Import on First Error

Check this check box if you want Cisco ISE to discontinue import when it encounters an error during import, but Cisco ISE imports network device groups until that time of an error.

If this check box is not checked and an error is encountered, the error is reported, and Cisco ISE continues to import device groups.