Explore Cisco
How to Buy

Have an account?

  •   Personalized content
  •   Your products and support

Need an account?

Create an account

Cisco Identity Services Engine Administrator Guide, Release 2.0

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Book Contents
Find Matches in This Book
Available Languages
Download Options

Book Title

Cisco Identity Services Engine Administrator Guide, Release 2.0

Chapter Title

Manage Network Devices

Results

Updated:
October 29, 2019

Chapter: Manage Network Devices

Manage Network Devices

Network Devices Definitions in Cisco ISE

A network device such as a switch or a router is an authentication, authorization, and accounting (AAA) client through which AAA service requests are sent to Cisco ISE. You must define network devices for Cisco ISE to interact with the network devices. You can configure network devices for RADIUS or TACACS AAA, Simple Network Management Protocol (SNMP) for the Profiling service to collect Cisco Discovery Protocol and Link Layer Discovery Protocol attributes for profiling endpoints, and Trustsec attributes for Trustsec devices. A network device that is not defined in Cisco ISE cannot receive AAA services from Cisco ISE.

In the network device definition:

  • You can select the vendor profile that fits the network device . The profile includes pre-defined configurations for the device, such as settings for URL direct and change of authorization.

  • You can configure the RADIUS protocol for RADIUS authentications. When Cisco ISE receives a RADIUS request from a network device, it looks for the corresponding device definition to retrieve the shared secret that is configured. If it finds the device definition, it obtains the shared secret that is configured on the device and matches it against the shared secret in the request to authenticate access. If the shared secrets match, the RADIUS server will process the request further based upon the policy and configuration. If they do not match, a reject response is sent to the network device. A failed authentication report is generated, which provides the failure reason.

  • You can configure the TACACS+ protocol for TACACS+ authentications. When Cisco ISE receives a TACACS+ request from a network device, it looks for the corresponding device definition to retrieve the shared secret that is configured. If it finds the device definition, it obtains the shared secret that is configured on the device and matches it against the shared secret in the request to authenticate access. If the shared secrets match, the TACACS+ server will process the request further based upon the policy and configuration. If they do not match, a reject response is sent to the network device. A failed authentication report is generated, which provides the failure reason.

  • You can configure the Simple Network Management Protocol (SNMP) in the network device definition for the Profiling service to communicate with the network devices and profile endpoints that are connected to the network devices.

  • You must define Trustsec-enabled devices in Cisco ISE to process requests from Trustsec-enabled devices that can be part of the Cisco Trustsec solution. Any switch that supports the Trustsec solution is an Trustsec-enabled device.

    Trustsec devices do not use the IP address. Instead, you must define other settings so that Trustsec devices can communicate with Cisco ISE.

    Trustsec-enabled devices use the Trustsec attributes to communicate with Cisco ISE. Trustsec-enabled devices, such as the Nexus 7000 series switches, Catalyst 6000 series switches, Catalyst 4000 series switches, and Catalyst 3000 series switches are authenticated using the Trustsec attributes that you define while adding Trustsec devices.


Note

When you configure a network device on Cisco ISE, we recommend that you do not include a backslash (\) in the shared secret. This is because when you upgrade Cisco ISE the backslash will not appear in the shared secret. Note, however, that if you reimage Cisco ISE instead of upgrading it, the backslash appears in the shared secret.

Default Network Device Definition in Cisco ISE

Cisco ISE supports the default device definition for RADIUS and TACACS authentications. You can define a default network device that Cisco ISE can use if it does not find a device definition for a particular IP address. This feature enables you to define a default RADIUS or TACACS shared secret and the level of access for newly provisioned devices.

Note

We recommend that you add the default device definition only for basic RADIUS and TACACS authentications. For advanced flows, you must add separate device definition for each network device.

Cisco ISE looks for the corresponding device definition to retrieve the shared secret that is configured in the network device definition when it receives a RADIUS or TACACS request from a network device.

Cisco ISE performs the following procedure when a RADIUS or TACACS request is received:

  1. Looks for a specific IP address that matches the one in the request.

  2. Looks up the ranges to see if the IP address in the request falls within the range that is specified.

  3. If both step 1 and 2 fail, it uses the default device definition (if defined) to process the request.

Cisco ISE obtains the shared secret that is configured in the device definition for that device and matches it against the shared secret in the RADIUS or TACACS request to authenticate access. If no device definitions are found, Cisco ISE obtains the shared secret from the default network device definition and processes the RADIUS or TACACS request.

Create a Network Device Definition in Cisco ISE

You can create a network device definition in Cisco ISE and use the default network device definition when there is no network device definition in Cisco ISE.

You can also create the network device definition in the Work Centers > Device Administration > Network Resources > Network Devices page.

Procedure

Step 1

Choose Administration > Network Resources > Network Devices.

Step 2

Click Add.

Step 3

Complete all mandatory fields.

Step 4

Check the RADIUS Authentication Settings check box to configure the RADIUS protocol for authentication.

Step 5

Check the TACACS Authentication Settings check box to configure the TACACS protocol for authentication.

Step 6

(Optional) Check the SNMP Settings check box to configure the Simple Network Management Protocol for the Profiling service to collect device information.

Step 7

(Optional) Check the Advanced Trustsec Settings check box to configure a Trustsec-enabled device.

Step 8

Click Submit.

Import Network Devices into Cisco ISE

You can import a list of device definitions into a Cisco ISE node using a comma-separated value (CSV) file. You must first update the imported template before you can import network devices into Cisco ISE. You cannot run an import of the same resource type at the same time. For example, you cannot concurrently import network devices from two different import files.

You can download the CSV template from the Admin portal, enter your device definition details in the template, and save it as a CSV file, which you can then import this back in to Cisco ISE.

While importing devices, you can create new records or update existing records. Cisco ISE displays the summary of the number of devices that are imported and also reports any errors that were found during the import process. When you import devices, you can also define whether you want Cisco ISE to overwrite the existing device definitions with the new definitions or stop the import process when Cisco ISE encounters the first error.

You cannot import network devices that are exported in previous releases of Cisco ISE, as the import template for these releases are different.

Procedure

Step 1

Choose Administration > Network Resources > Network Devices.

Step 2

Click Import.

Step 3

Click Browse to choose the CSV file from the system that is running the client browser.

Step 4

Check the Overwrite Existing Data with New Data check box.

Step 5

Check the Stop Import on First Error check box.

Step 6

Click Import.

Export Network Devices from Cisco ISE

You can export network devices configured in Cisco ISE in the form of a CSV file that you can use to import these network devices into another Cisco ISE node.

Procedure

Step 1

Choose Administration > Network Resources > Network Devices.

Step 2

Click Export.

Step 3

To export network devices, you can do one of the following:

  • Check the check boxes next to the devices that you want to export, and choose Export > Export Selected.

  • Choose Export > Export All to export all the network devices that are defined.

Step 4

Save the export.csv file to your local hard disk.

Configure Third-Party Network Device in Cisco ISE

Cisco ISE supports third-party network access devices (NADs) through the use of network device profiles. These profiles define the capabilities that Cisco ISE uses to enable flows such as Guest, BYOD, MAB, and Posture.

Before you begin

Read the definition for Network Device Profiles in the Cisco Identity Services Engine Administration Guide.

Procedure

Step 1

Ensure your device is configured in ISE. If you are configuring Guest, BYOD, or Posture workflows, ensure Change of Authorization (CoA) is defined and the NAD’s URL redirect mechanism is configured to point at the relevant ISE Portal. For the URL redirect, you can copy the ISE portal URL from the portal’s landing page. For more information about configuring CoA types and URL redirect for the NAD in ISE, see the Network Devices section in see Network Devices. In addition, refer to the third party device’s administration guide for instructions.

Step 2

Ensure an appropriate NAD profile for your device is available in ISE. To view existing profiles, choose Administration > Network Resources > Network Device Profiles. If an appropriate profile does not already exist in ISE, create a custom profile. See Create a Network Device Profile for information on how to create custom profiles.

Step 3

Assign a NAD profile to the NAD that you want to configure. Choose Administration > Network Resources > Network Devices. Open the device to which you would like to assign a profile and from Device Profile, select the correct profile from the dropdown list.

Step 4

When you configure your policy rules, the authorization profile should be explicitly set to the NAD profile in step 1, or “Any” if you are just using VLAN or ACL or if you have different devices from different vendors in your network. To set the NAD profile for the authorization profile, choose Policy > Policy Elements > Results > Authorization > Authorization Profiles. Open the relevant authorization profile and from Network Device Profile, select the relevant NAD profile from the dropdown list.

Network Device Profiles

Cisco ISE supports some third-party network access devices (NADs) through the use of network device profiles. These profiles define the capabilities that Cisco ISE uses to enable basic flows, and advanced flows such as Guest, BYOD, MAB, and Posture.

Cisco ISE includes predefined profiles for network devices from several vendors. Cisco ISE 2.0 has been tested with the vendor devices listed in the following table:

Table 1. Vendor Devices Tested With Cisco ISE 2.0

Device Type

Vendor

Supported/Validated Use Cases

802.1X/ MAB

Profiler without CoA

Profiler with CoA

Posture

Guest/BYOD

Wireless

Aruba 7000, InstantAP

Motorola RFS 4000

HP 830

Ruckus ZD 1200

Wired

HP 3800 (ProCurve)

Alcatel 6850

Brocade ICX 6610

For additional third-party NADs, you must identify the device properties and capabilities and create custom NAD profiles in Cisco ISE.

Requires CoA support

Requires CoA and URL-redirect support

Requires CoA and URL-redirect support

You can create custom NAD profiles for additional third-party network devices that do not have a predefined profile. For advanced flows such as Guest, BYOD, and Posture, the device needs to support RFC 5176, "Change of Authorization" (CoA), and a URL Redirection mechanism capable of redirecting to Cisco ISE portals. Support for these flows depends on the NAD's capabilities. You may need to refer to the device's administration guide for information on many of the attributes required for a network device profile.

A network device profile contains the following:

  • The protocols the network device support, such as RADIUS, TACACS+, and TrustSec. You can import any vendor-specific RADIUS dictionaries that exist for the device into Cisco ISE.

  • The attributes and values that the device uses for the various flows like Wired MAB and 802.1x. This allows Cisco ISE to detect the right flow type for your device according to the attributes it uses.

  • The CoA capabilities the device has. While RFC 5176 defines the types of CoA requests, the required attributes in the requests vary depending on the device. Most non-Cisco devices with RFC 5176 support will also support the "Push" and "Disconnect" functions.

  • The attributes and protocols the device uses for MAB. Network devices from different vendors perform MAB authentication differently.

  • The VLAN and ACL permissions used by the device. After the profile is saved, Cisco ISE automatically generates authorization profiles for each configured permission.

  • URL redirection is necessary for flows like BYOD, Guest, and Posture. The device needs to be capable of redirect to an ISE portal. There are two types of URL redirection found on a device: static and dynamic. For static URL redirection, you can copy and paste the ISE portal URL into the configuration. For dynamic URL redirection, ISE uses a RADIUS attribute to tell the network device where to redirect to.

If you have deployed non-Cisco NADs prior to Release 2.0 and created policy rules/RADIUS dictionaries to use them, after upgrade these will continue to work as usual.

Create a Network Device Profile

Before you begin

  • For more information about creating a custom profile, read the Network Access Device Profiles with Cisco Identity Services Engine document.

  • Most NADs have a vendor-specific RADIUS dictionary that provides a number of vendor-specific attributes in addition to the standard IETF RADIUS attributes. If the network device has a vendor-specific RADIUS dictionary, import it into Cisco ISE. Refer to the third party device’s administration guide for instructions on which RADIUS dictionary is required. From ISE, choose Policy Elements > Dictionaries > System > Radius > RADIUS Vendors. For more information about importing RADIUS dictionaries, see the Create RADIUS-Vendor Dictionaries section in see Create RADIUS-Vendor Dictionaries.

  • For complex flows such as Guest and Posture, the device needs to support RFC 5176, Change of Authorization (CoA), and URL redirect.

  • For more information about the fields and possible values for creating a network device profile, see the Network Device Profiles Settings section in see Network Device Profile Settings.

Procedure

Step 1

Choose Administration > Network Resources > Network Device Profiles.

Step 2

Click Add.

Step 3

Enter a name and description for the network device.

Step 4

Select the vendor of the network device.

Step 5

Check the check boxes for the protocols that the device supports. Check each box if your device supports RADIUS, TACACS+ and/or TrustSec. It is only necessary to check the protocols you want to actually use. If the device supports RADIUS, select the RADIUS dictionary to use with the network device from the dynamic dropdown list in the RADIUS Dictionaries field.

Step 6

From the Templates section, enter relevant details as follows:

  1. From Authentication/Authorization configure the device's default settings for flow types, attribute aliasing, and host lookup: From Flow Type Conditions, enter the attributes and values that your device uses for the various flows such as Wired MAB, or 802.1x. This enables ISE to detect the correct flow type for your device according to the attributes it uses. There is no IETF standard for MAB and different vendors use different values for Service-Type. Refer to the device's user guide or use a sniffer trace of a MAB authentication to determine the correct settings. From Attribute Aliasing, map device specific attribute names to common names to simplify policy rules. Currently, only SSID is defined. If you device has the concept of wireless SSID and then to set this to the attribute it uses. ISE maps this to an attribute called SSID in the Normalised Radius dictionary. This simplifies policy rule configuration as you can refer to SSID in one rule and it will work for multiple devices even if the underlying attributes are different. From Host Lookup, enable the Process Host Lookup option and select the relevant MAB protocols and attributes for your device, based on the third-party instructions.

  2. From Permissions configure the network device's default settings for VLAN and ACL. These are automatically mapped based on the authorization profiles you created in ISE.

  3. From Change of Authorization (CoA) configure the device's CoA capabilities .

  4. Expand the Redirect section to configure the device's URL redirect capabilities. URL redirection is necessary for Guest, BYOD, and Posture.

Step 7

Click Submit.

Import Network Device Profiles into Cisco ISE

You can import a single or multiple network device profiles into ISE using a single XML file with the Cisco ISE XML structure. You cannot concurrently import network device profiles from multiple import files.

Typically, you would first export an existing profile from the Admin portal to use as a template. Enter your device profile details as necessary in the file and save it as an XML file, and then import the edited file back in to Cisco ISE. In order to work with multiple profiles, you can export multiple profiles structured together as a single XML file, edit the file and then import them together, creating multiple files in ISE.

While importing device profiles, you can only create new records. You cannot overwrite an existing profile. In order to edit an existing profile and then overwrite it, export the existing profile, delete the profile from ISE and then import that profile once you have edited it accordingly.

Before you begin

Read the Network Access Device Profiles with Cisco Identity Services Engine document.

Procedure

Step 1

Choose Administration > Network Resources > Network Device Profiles.

Step 2

Click Import.

Step 3

Click Browse to choose the XML file from the system that is running the client browser.

Step 4

Click Import.

Export Network Device Profiles from Cisco ISE

Export single or multiple network device profiles configured in Cisco ISE in the form of an XML file in order to edit the XML file and then import the file as new network profiles.

Before you begin

Read the Network Access Device Profiles with Cisco Identity Services Engine document.

Procedure

Step 1

Choose Administration > Network Resources > Network Device Profiles.

Step 2

Click Export.

Step 3

Check the check boxes next to the devices that you want to export, and choose Export > Export Selected

Step 4

Th DeviceProfiles.xml file downloads to your local hard disk.

Network Device Groups

Cisco ISE allows you to create hierarchical Network Device Groups (NDGs). NDGs can be used to logically group network devices based on various criteria, such as geographic location, device type, or the relative place in the network (Access Layer, Data Center, and so on). For example, to organize your network devices based on geographic location, you can group them by continent, region, or country:

  • Africa -> Southern -> Namibia

  • Africa -> Southern -> South Africa

  • Africa -> Southern -> Botswana

You can also group the network devices based on the device type:

  • Africa -> Southern -> Botswana -> Firewalls

  • Africa -> Southern -> Botswana -> Routers

  • Africa -> Southern -> Botswana -> Switches

Network devices can be assigned to one or more hierarchical NDGs. Thus, when Cisco ISE processes the ordered list of configured NDGs to determine the appropriate group to assign to a particular device, it may find that the same device profile applies to multiple Device Groups, and will apply the first Device Group matched.

There is no limit on the maximum number of NDGs that can be created. There is also no restriction on the maximum number of hierarchy levels.

Root Network Device Groups

Cisco ISE includes two predefined root NDGs: All Device Types and All Locations. You cannot edit, duplicate, or delete these predefined NDGs, but you can add new device groups under them.

You can create a root Network Device Group (NDG), and then create child NDGs under the root group in the Network Device Groups page. When you create a new root NDG, you must provide the name and type of the NDG. This information is not required when you create a child under the root NDG.

Network Device Attributes Used By Cisco ISE in Policy Evaluation

When you create a new network device group, a new network device attribute is added to the Device dictionary defined in the system, which you can use in policy definitions. Cisco ISE allows you to configure authentication and authorization policies based on Device dictionary attributes, such as device type, location, model name, and software version that is running on the network device.

Import Network Device Groups in to Cisco ISE

You can import network device groups in to a Cisco ISE node using a comma-separated value (CSV) file. You cannot run import of the same resource type at the same time. For example, you cannot concurrently import network device groups from two different import files.

You can download the CSV template from the Admin portal, enter your device group details in the template, and save the template as a CSV file, which you can then import back into Cisco ISE.

While importing device groups, you can create new records or update existing records. When you import device groups, you can also define whether you want Cisco ISE to overwrite the existing device groups with the new groups or stop the import process when Cisco ISE encounters the first error.

Procedure

Step 1

Choose Administration > Network Resources > Network Device Groups > Groups.

Step 2

Click Import.

Step 3

Click Browse to choose the CSV file from the system that is running the client browser.

Step 4

Check the Overwrite Existing Data with New Data check box.

Step 5

Check the Stop Import on First Error check box.

Step 6

Click Import or click the Network Device Groups List link to return to the Network Device Groups list page.

Export Network Device Groups from Cisco ISE

You can export network device groups configured in Cisco ISE in the form of a CSV file that you can use to import these network device groups into another Cisco ISE node.

Procedure

Step 1

Choose Administration > Network Resources > Network Device Groups > Groups.

Step 2

To export the network device groups, you can do one of the following:

  • Check the check boxes next to the device groups that you want to export, and choose mExport > Export Selected.

  • Choose Export > Export All to export all the network device groups that are defined.

Step 3

Save the export.csv file to your local hard disk.

Import Templates in Cisco ISE

Cisco ISE allows you to import a large number of network devices and network device groups using comma-separated value (CSV) files. The template contains a header row that defines the format of the fields. The header row should not be edited, and should be used as is.

By default, you can use the Generate a Template link to download a CSV file in the Microsoft Office Excel application and save the file format locally on your system. When you click the Generate a Template link, the Cisco ISE server displays the Opening template.csv dialog. This dialog allows you to open the template.csv file and save the template.csv file locally on your system with an appropriate name for network devices and network device groups. If you choose to open the template.csv file from the dialog, the file opens in the Microsoft Office Excel application by default.

Network Devices Import Template Format

The following table lists the fields in the template header and provides a description of the fields in the Network Device CSV file.

Table 2. CSV Template Fields and Description for Network Devices

Field

Description

Name:String(32):

(Required) This field is the network device name. It is an alphanumeric string, with a maximum of 32 characters in length.

Description:String(256)

This field is an optional description for the network device. A string, with a maximum of 256 characters in length.

IP Address:Subnets(a.b.c.d/m|...)

(Required) This field is the IP address and subnet mask of the network device. (It can take on more than one value separated by a pipe “|” symbol).

IPv4 is supported for network device (TACACS and RADIUS) configuration and for external RADIUS server configuration.

Model Name:String(32):

(Required) This field is the network device model name. It is a string, with a maximum of 32 characters in length.

Software Version:String(32):

(Required) This field is the network device software version. It is a string, with a maximum of 32 characters in length.

Network Device Groups:String(100):

(Required) This field should be an existing network device group. It can be a subgroup, but must include both the parent and subgroup separated by a space. It is a string, with a maximum of 100 characters, for example, Location#All Location#US

Authentication:Protocol:String(6)

This is an optional field. It is the protocol that you want to use for authentication. The only valid value is RADIUS (not case sensitive).

Authentication:Shared Secret:String(128)

(Required, if you enter a value for the Authentication Protocol field) This field is a string, with a maximum of 128 characters in length.

EnableKeyWrap:Boolean(true|false)

This is an optional field. It is enabled only when it is supported on the network device. Valid value is true or false.

EncryptionKey:String(ascii:16|hexa:32)

(Required, if you enable KeyWrap) Indicates the encryption key that is used for session encryption.

ASCII—16 characters (bytes) long

Hexadecimal—32 characters (bytes) long.

AuthenticationKey:String(ascii:20|hexa:40)

(Required, if you enable KeyWrap). Indicates the keyed Hashed Message Authentication Code (HMAC) calculation over RADIUS messages.

ASCII—20 characters (bytes) long

Hexadecimal—40 characters (bytes) long.

InputFormat:String(32)

Indicates encryption and authentication keys input format. Valid value is ASCII or Hexadecimal.

SNMP:Version:Enumeration (|2c|3)

This is an optional field, used by the Profiler service. It is the version of the SNMP protocol. Valid value is 1, 2c, or 3.

SNMP:RO Community:String(32)

(Required, if you enter a value for the SNMP Version field) SNMP Read Only community. It is a string, with a maximum of 32 characters in length.

SNMP:RW Community:String(32)

(Required, if you enter a value for the SNMP Version field) SNMP Read Write community. It is a string, with a maximum of 32 characters in length.

SNMP:Username:String(32)

This is an optional field. It is a string, with a maximum of 32 characters in length.

SNMP:Security Level:Enumeration(Auth|No Auth|Priv)

(Required if you choose SNMP version 3) Valid value is Auth, No Auth, or Priv.

SNMP:Authentication Protocol:Enumeration(MD5|SHA)

(Required if you have entered Auth or Priv for the SNMP security level) Valid value is MD5 or SHA.

SNMP:Authentication Password:String(32)

(Required if you have entered Auth for the SNMP security level) It is a string, with a maximum of 32 characters in length.

SNMP:Privacy Protocol:Enumeration(DES|AES128|AES192|AES256|3DES)

(Required if you have entered Priv for the SNMP security level) Valid value is DES, AES128, AES192, AES256, or 3DES.

SNMP:Privacy Password:String(32)

(Required if you have entered Priv for the SNMP security level) It is a string, with a maximum of 32 characters in length.

SNMP:Polling Interval:Integer:600-86400 seconds

This is an optional field to set the SNMP polling interval. Valid value is an integer between 600 and 86400.

SNMP:Is Link Trap Query:Boolean(true|false)

This is an optional field to enable or disable the SNMP link trap. Valid value is true or false.

SNMP:Is MAC Trap Query:Boolean(true|false)

This is an optional field to enable or disable the SNMP MAC trap. Valid value is true or false.

SNMP:Originating Policy Services Node:String(32)

This is an optional field. Indicates which ISE server to be used to poll for SNMP data. By default, it is automatic, but you can overwrite the setting by assigning different values.

Trustsec:Device Id:String(32)

This is an optional field. It is the Trustsec device ID, and is a string, with a maximum of 32 characters in length.

Trustsec:Device Password:String(256)

(Required if you have entered Trustsec device ID) This is the Trustsec device password and is a string, with a maximum of 256 characters in length.

Trustsec:Environment Data Download Interval:Integer:1-2147040000 seconds

This is an optional field. It is the Trustsec environment data download interval. Valid value is an integer between 1 and 24850.

Trustsec:Peer Authorization Policy Download Interval:Integer:1-2147040000 seconds

This is an optional field. It is the Trustsec peer authorization policy download interval. Valid value is an integer between 1 and 24850.

Trustsec:Reauthentication Interval:Integer:1-2147040000 seconds

This is an optional field. It is the Trustsec reauthentication interval. Valid value is an integer between 1 and 24850.

Trustsec:SGACL List Download Interval:Integer:1-2147040000 seconds

This is an optional field. It is the Trustsec SGACL list download interval. Valid value is an integer between 1 and 24850.

Trustsec:Is Other Trustsec Devices Trusted:Boolean(true|false)

This is an optional field. Indicates whether Trustsec is trusted. Valid value is true or false.

Trustsec:Notify this device about Trustsec configuration changes:String(ENABLE_ALL|DISABLE_ALL)

This is an optional field. Notifies Trustsec configuration changes to the Trustsec device. Valid value is ENABLE_ALL or DISABLE_ALL

Trustsec:Include this device when deploying Security Group Tag Mapping Updates:Boolean(true|false)

This is an optional field. It is the Trustsec device included on SGT. Valid value is true or false.

Deployment:Execution Mode Username:String(32)

This is an optional field. It is the username that has privileges to edit the device configuration. It is a string, with a maximum of 32 characters in length.

Deployment:Execution Mode Password:String(32)

This is an optional field. It is the device password and is a string, with a maximum of 32 characters in length.

Deployment:Enable Mode Password:String(32)

This is an optional field. It is the enable password of the device that would allow you to edit its configuration and is a string, with a maximum of 32 characters in length.

Trustsec:PAC issue date:Date

This is the field that displays the issuing date of the last Trustsec PAC that has been generated by Cisco ISE for the Trustsec device.

Trustsec:PAC expiration date:Date

This is the field that displays the expiration date of the last Trustsec PAC that has been generated by Cisco ISE for the Trustsec device.

Trustsec:PAC issued by:String

This is a field that displays the name of the issuer (a Trustsec administrator) of the last Trustsec PAC that has been generated by Cisco ISE for the Trustsec device. It is a string.

Network Device Groups Import Template Format

The following table lists the fields in the template header and provides a description of the fields in the Network Device Group CSV file.

Table 3. CSV Template Fields and Description for Network Device Groups

Field

Description

Name:String(100):

(Required) This field is the network device group name. It is a string with a maximum of 100 characters in length. The full name of an NDG can have a maximum of 100 characters in length. For example, if you are creating a subgroup India under the parent groups Global > Asia, then the full name of the NDG that you are creating would be Global#Asia#India and this full name cannot exceed 100 characters in length. If the full name of the NDG exceeds 100 characters in length, the NDG creation fails.

Description:String(1024)

This is an optional network device group description. It is a string, with a maximum of 1024 characters in length.

Type:String(64):

(Required) This field is the network device group type. It is a string, with a maximum of 64 characters in length.

Is Root:Boolean(true|false):

(Required) This is a field that determines if the specific network device group is a root group. Valid value is true or false.

Mobile Device Manager Interoperability with Cisco ISE

Mobile Device Management (MDM) servers secure, monitor, manage, and support mobile devices deployed across mobile operators, service providers, and enterprises. MDM servers act as a policy server that controls the use of some applications on a mobile device (for example, an e-mail application) in the deployed environment. However, the network is the only entity that can provide granular access to endpoints based on ACLs. Cisco ISE queries the MDM servers for the necessary device attributes to create ACLs that provide network access control for those devices.

You can run multiple active MDM servers on your network, including ones from different vendors. This allows you to route different endpoints to different MDM servers based on device factors such as location or device type.

Cisco ISE also integrates with MDM servers using Cisco's MDM API version 2 to allow devices access the network over VPN via AnyConnect 4.1 and Cisco ASA 9.3.2 or later.

In this illustration, Cisco ISE is the enforcement point and the MDM policy server is the policy information point. Cisco ISE obtains data from the MDM server to provide a complete solution.

Figure 1. MDM Interoperability with Cisco ISE

You can configure Cisco ISE to interoperate with one or more external Mobile Device Manager (MDM) servers. By setting up this type of third-party connection, you can leverage the detailed information available in the MDM database. Cisco ISE uses REST API calls to retrieve information from the external MDM server. Cisco ISE applies appropriate access control policies to switches, access routers, wireless access points, and other network access points to achieve greater control of remote device access to your Cisco ISE network.

The supported MDM vendors are listed here: Supported MDM Servers.

Supported MDM Use Cases

The functions Cisco ISE performs with the external MDM server are as follows:

  • Managing device registration—Unregistered endpoints accessing the network are redirected to a registration page, which is hosted on the MDM server. Device registration includes user role, device type, and so on.

  • Handling device remediation—Endpoints are granted only restricted access during remediation.

  • Augmenting endpoint data—Update the endpoint database with information from the MDM server that you cannot gather using the Cisco ISE Profiler. Cisco ISE uses six device attributes you can view using the Administration > Identity Management > Identities > Endpoints page if an endpoint is an MDM monitored device. For example:

    • MDMImei: 99 000100 160803 3

    • MDMManufacturer: Apple

    • MDMModel: iPhone

    • MDMOSVersion: iOS 6.0.0

    • MDMPhoneNumber: 9783148806

    • MDMSerialNumber: DNPGQZGUDTF9

  • Cisco ISE polls the MDM server once every 4 hours for device compliance data. This is configurable by the administrator.

  • Issuing device instructions through the MDM server—Issues remote actions for users’ devices through the MDM server. Administrators initiate remote actions from the ISE console.

Vendor MDM Attributes

When you configure an MDM server in ISE, that vendor's attributes are added to a new entry in the ISE system dictionary, named mdm. The following attributes are used for registration status, and are commonly supported by MDM vendors.

  • DeviceRegisterStatus

  • DeviceCompliantStatus

  • DiskEncryptionStatus

  • PinLockStatus

  • JailBrokenStatus

  • Manufacturer

  • IMEI

  • SerialNumber

  • OsVersion

  • PhoneNumber

  • MDMServerName

  • MDMServerReachable

  • MEID

  • Model

  • UDID

Vendor's unique attributes are not supported, but you may be able to use ERS APIs to exchange vendor-specific attributes, if the vendor supports that.

The new MDM dictionary attributes are available to use in authorization policies.

Supported MDM Servers

Supported MDM servers include products from the following vendors:

  • Airwatch, Inc.

  • Good Technology

  • MobileIron, Inc.

  • Zenprise, Inc.

  • SAP Afaria

  • Fiberlink/IBM MaaS

  • Meraki

Ports Used by the MDM Server

The following table lists the ports that must be open between the Cisco ISE and the MDM server to enable them to communicate with each other. Refer to the MDM Server Documentation for a list of ports that must be open on the MDM agent and server.

Table 4. Ports Used by the MDM Server

MDM Server

Ports

MobileIron

443

Zenprise

443

Good

19005

Airwatch

443

Afaria

443

Fiberlink MaaS

443

Meraki

443

Microsoft Intune

80 and 443

Microsoft SCCM

80 and 443

MDM Integration Process Flow

This section describes the MDM integration process:

  1. The user associates a device to SSID.

  2. Cisco ISE makes an API call to the MDM server.

  3. This API call returns a list of devices for this user and the posture status for the devices.


    Note

    The input parameter is the MAC address of the endpoint device. For off-premise Apple iOS devices, this is the UDID.

  4. If the user’s device is not in this list, it means the device is not registered. Cisco ISE sends an authorization request to the NAD to redirect to Cisco ISE. The user is presented the MDM server page.


    Note

    You must register a device that is enrolled on the MDM server outside of a Cisco ISE network via the MDM portal. This is applicable for Cisco ISE, Release 1.4 and later. Earlier ISE versions allow devices enrolled outside of a Cisco ISE network to be automatically enrolled if they are compliant with the posture policies.

  5. Cisco ISE uses MDM to provision the device and presents an appropriate page for the user to register the device.

  6. The user registers the device in the MDM server, and the MDM server redirects the request to Cisco ISE (through automatic redirection or manual browser refresh).

  7. Cisco ISE queries the MDM server again for the posture status.

  8. If the user’s device is not compliant to the posture (compliance) policies configured on the MDM server, the user is notified that the device is out of compliance and must be compliant.

  9. After the user’s device becomes compliant, the MDM server updates the device state in its internal tables.

  10. If the user refreshes the browser now, the control is transferred back to Cisco ISE.

  11. Cisco ISE polls the MDM server once every four hours to get compliance information and issues Change of Authorization (CoA) appropriately. This can be configured by the administrator. Cisco ISE also checks the MDM server every 5 minutes to make sure that it is available.

The following figure illustrates the MDM process flow.


Note

A device can only be enrolled to a single MDM server at a time. If you want to enroll the same device to an MDM service from another vendor, the previous vendor's profiles must be removed from the device. The MDM service usually offers a "corporate wipe", which only deletes the vendor's configuration from the device (not the whole device). The user can also remove the files. For example, on an IOS device, the user can go to Settings > General >Device management, and click remove management. Or the user can go to the MyDevices portal in ISE, and click corporate wipe.

Set Up MDM Servers with Cisco ISE

To set up MDM servers with Cisco ISE, you must perform the following high-level tasks:

Procedure

Step 1

Import MDM server certificate into Cisco ISE.

Step 2

Create mobile device manager definitions.

Step 3

Configure ACLs on the Wireless LAN Controllers.

Step 4

Configure an authorization profile that redirects non-registered devices to the MDM server.

Step 5

If there is more than one MDM server on the network, configure separate authorization profiles for each vendor.

Step 6

Configure authorization policy rules for the MDM use cases.

Import MDM Server Certificate into Cisco ISE

For Cisco ISE to connect with the MDM server, you must import the MDM server certificate into the Cisco ISE Certificate Store. If your MDM server has a CA-signed certificate, you must import the root CA into the Cisco ISE Certificate Store.

Procedure

Step 1

Export the MDM server certificate from your MDM server and save it on your local machine.

Step 2

Choose Administration > System > Certificates > Trusted Certificate > Import.

Step 3

Click Browse to select the MDM server certificate that you obtained from the MDM server.

Step 4

Add a friendly name.

Step 5

Check Trust for authentication within ISE check box.

Step 6

Click Submit.

Step 7

Verify that the Certificate Store list page lists the MDM server certificate.

Create Mobile Device Manager Definitions

You can create one or more Mobile Device Manager (MDM) definitions for external MDM servers to help ensure Cisco ISE is able to obtain the most up-to-date device connection status from logged-in user devices as possible on demand.

Before you begin

Ensure that you have imported the MDM server certificate into Cisco ISE.

Procedure

Step 1

Choose Administration > Network Resources > External MDM.

Step 2

Click Add.

Step 3

Enter the name and description of the MDM server that you want to add.

Step 4

Enter the MDM server IP address or hostname (FQDN) in the MDM server host field.

Step 5

Specify the network/proxy port through which Cisco ISE must communicate with the MDM server.

Step 6

Specify a server instance name for the MDM server you are adding. (This depends on the vendor.)

Step 7

Specify the MDM server administrator username and password so that Cisco ISE can log in to and interoperate with the MDM server database.

Step 8

Enter the polling interval in minutes for Cisco ISE to poll the MDM server for compliance check information. This value should be the same as the polling interval on your MDM server. The default value is 240 minutes.

We recommend that you set the polling interval below 60 minutes only for testing a few active clients on your network. If you set this value below 60 minutes for a production environment with many active clients, the system’s load increases significantly and might negatively impact performance.

If you set the polling interval to 0, ISE disables communication with the MDM server.

Step 9

Specify the time interval in minutes for Cisco ISE to poll the MDM server for device re-authentication for compliant devices in the Time Interval For Compliance Device ReAuth Query field. The valid range is from 1 to 1440 minutes. The default value is 1 minute.

If the device is non-compliant, Cisco ISE queries the MDM server every one minute for device re-authentication.
Step 10

Check the Enable check box to activate the MDM server connection with Cisco ISE.

Step 11

Click Test Connection to test Cisco ISE’s connection to the MDM server.

If Cisco ISE displays a connection error, the issue may be with the certificate, the username/password, or the server not being reachable. If you are using a proxy for the internet connection and MDM server is part of internal network then you have to put the MDM server name or its IP address in the Proxy-Bypass list. Choose Administration > Settings > Proxy Settings to perform this action.

Step 12

Click Submit to save the MDM server definition. Only after you successfully connect Cisco ISE with the MDM server, the MDM dictionary gets populated in Cisco ISE.

What to do next

Configure an authorization profile for redirecting non-registered devices.

Open Firewall Ports for WMI Access

The firewall software on the Active Directory Domain Controller may block access to WMI. You can either turn the firewall off, or allow access on a specific IP (ISE IP address) to the following ports:

  • TCP 135: General RPC Port. When doing asynchronous RPC calls, the service listening on this port tells the client which port the component servicing this request is using.

  • UDP 138: Netbios Datagram Service

  • TCP 139: Netbios Session Service

  • TCP 445: SMB


    Note

    Cisco ISE 1.3 and above support SMB 2.0.

Higher ports are assigned dynamically or you can configure them manually. We recommend that you add %SystemRoot%\System32\dllhost.exe as a target. This program manages ports dynamically.

All firewall rules can be assigned to specific IP (ISE IP).

Configure an Authorization Profile for Redirecting Nonregistered Devices

You must configure an authorization profile in Cisco ISE to redirect nonregistered devices for each external MDM server.

Before you begin

  • Ensure that you have created an MDM server definition in Cisco ISE. Only after you successfully integrate ISE with the MDM server does the MDM dictionary gets populated and you can create authorization policy using the MDM dictionary attributes.
  • Configure ACLs on the Wireless LAN Controller for redirecting unregistered devices.

  • If you are using a proxy for the internet connection and MDM server is part of internal network then you have to put the MDM server name or its IP address in the Proxy-Bypass list. Choose Administration > Settings > Proxy Settings to perform this action.

Procedure

Step 1

Choose Policy > Policy Elements > Results > Authorization > Authorization Profiles > Add.

Step 2

Create an authorization profile for redirecting nonregistered devices that are not compliant or registered.

Step 3

Enter a name for the authorization profile that matches the MDM server name.

Step 4

Choose ACCESS_ACCEPT as the Access Type.

Step 5

Check the Web Redirection check box and choose MDM Redirect from the drop-down list.

Step 6

Enter the name of the ACL that you configured on the wireless LAN controller in the ACL field.

Step 7

Select the MDM portal from the Value drop-down list.

Step 8

Select the MDM server you want to use from the drop-down list.

Step 9

Click Submit.

What to do next

Configure Authorization Policy Rules for MDM.

Configure Authorization Policy Rules for the MDM Use Cases

You must configure authorization policy rules in Cisco ISE to complete the MDM configuration.

Before you begin

  • Add the MDM server certificate to the Cisco ISE certificate store.

  • Ensure that you have created the MDM server definition in Cisco ISE. Only after you successfully integrate ISE with the MDM server, the MDM dictionary gets populated and you can create authorization policy using the MDM dictionary attributes.

  • Configure ACLs on the Wireless LAN Controller for redirecting unregistered or noncompliant devices.

Procedure

Step 1

Choose Policy > Authorization > Insert New Rule Below.

Step 2

Choose Policy > Policy Sets, and expand the policy set to view the authorization policy rules.

Step 3

Add the following rules:

  • MDM_Un_Registered_Non_Compliant—For devices that are not yet registered with an MDM server or compliant with MDM policies. Once a request matches this rule, the ISE MDM page appears with information on registering the device with MDM.

  • PERMIT—If the device is registered with Cisco ISE, registered with MDM, and is compliant with Cisco ISE and MDM policies, it will be granted access to the network based on the access control policies configured in Cisco ISE.

    The following illustration shows an example of this configuration.

    Figure 2. Authorization Policy Rules for the MDM Use Cases
Step 4

Click Save.

Wipe or Lock a Device

Cisco ISE allows you to wipe or turn on pin lock for a device that is lost. You can do this from the Endpoints page.

Procedure

Step 1

Choose Administration > Identity Management > Identities > Endpoints .

Step 2

Check the check box next to the device that you want to wipe or lock.

Step 3

From the MDM Access drop-down list, choose any one of the following options:

  • Full Wipe—Depending on the MDM vendor, this option either removes the corporate apps or resets the device to the factory settings.

  • Corporate Wipe—Removes applications that you have configured in the MDM server policies

  • PIN Lock—Locks the device

Step 4

Click Yes to wipe or lock the device.

View Mobile Device Manager Reports

Cisco ISE records all additions, updates, and deletions of MDM server definitions. You can view these event in the “Change Configuration Audit” report, which provides all the configuration changes from any system administrator for a selected time period.

Choose Operations > Reports > Change Configuration Audit > MDM, and specify the period of time to display in the resulting report.

View Mobile Device Manager Logs

You can use the Message Catalog page to view Mobile Device Manager log messages. Choose Administration > System > Logging > Message Catalog. The default reporting level for MDM log entries is "INFO." You can change the reporting level to "DEBUG" or "TRACE."

Was this Document Helpful?

FeedbackFeedback

Contact Cisco