Administration User Interface Reference

Deployment and Node Settings

The Deployment Nodes page enables you to configure Cisco ISE (Administration, Policy Service, and Monitoring) nodes and to set up a deployment.

Deployment Nodes List Window


Field Name	Usage Guidelines
Hostname	Displays the hostname of the node.
Node Type	Displays the node type. It can be one of the following: Cisco ISE (Administration, Policy Service, and Monitoring) nodes
Personas	(Only appears if the node type is Cisco ISE) Lists the personas that an Cisco ISE node has assumed. For example, Administration, Policy Service.
Role	Indicates the role (primary, secondary, or standalone) that the Administration and Monitoring personas have assumed, if these personas are enabled on this node. The role can be any one or more of the following: PRI(A): Refers to the Primary PAN SEC(A): Refers to the Secondary PAN PRI(M): Refers to the Primary Monitoring Node SEC(M): Refers to the Secondary Monitoring Node
Services	(Only appears if the Policy Service persona is enabled) Lists the services that run on this Cisco ISE node. Services can include any one of the following: Session Profiling All
Node Status	Indicates the status of each ISE node in a deployment for data replication. Green (Connected): Indicates that an ISE node, which is already registered in the deployment is in sync with the Primary PAN. Red (Disconnected): Indicates that an ISE node is not reachable or is down or data replication is not happening. Orange (In Progress): Indicates that an ISE node is newly registered with the Primary PAN or you have performed a manual sync operation or the ISE node is not in sync (out of sync) with the Primary PAN. For more details, click the quick view icon for each ISE node in the Node Status column.

General Node Settings

The following table describes the fields on the General Settings window of a Cisco ISE node. In this window, you can assign a persona to a node and configure the services to be run on it. The navigation path for this window is: Administration > System > Deployment > Deployment Node > Edit > General Settings.

Table 1. General Node Settings
Field Name	Usage Guidelines
Hostname	Displays the hostname of the Cisco ISE node.
FQDN	Displays the fully qualified domain name of the Cisco ISE node. For example, ise1.cisco.com.
IP Address	Displays the IP address of the Cisco ISE node.
Node Type	Displays the node type.
Personas
Administration	Check this check box if you want a Cisco ISE node to assume the Administration persona. You can enable the Administration persona only on nodes that are licensed to provide the administrative services. Role: Displays the role that the Administration persona has assumed in the deployment. Could take on any one of the following values: Standalone, Primary, Secondary Make Primary: Click this button to make this node your primary Cisco ISE node. You can have only one primary Cisco ISE node in a deployment. The other options on this page will become active only after you make this node primary. You can have only two Administration nodes in a deployment. If the node has a Standalone role, a Make Primary button appears next to it.If the node has a Secondary role, a Promote to Primary button appears next to it.If the node has a Primary role and there are no other nodes registered with it, a Make Standalone button appears next to it. You can click this button to make your primary node a standalone node.
Monitoring	Check this check box if you want a Cisco ISE node to assume the Monitoring persona and function as your log collector. There must be at least one Monitoring node in a distributed deployment. At the time of configuring your Primary PAN, you must enable the Monitoring persona. After you register a secondary Monitoring node in your deployment, you can edit the Primary PAN and disable the Monitoring persona, if required. To configure a Cisco ISE node on a VMware platform as your log collector, use the following guidelines to determine the minimum amount of disk space that you need: 180 KB per endpoint in your network, per day 2.5 MB per Cisco ISE node in your network, per day. You can calculate the maximum disk space that you need based on how many months of data you want to have in your Monitoring node. If there is only one Monitoring node in your deployment, it assumes the standalone role. If you have two Monitoring nodes in your deployment, Cisco ISE displays the name of the other monitoring node for you to configure the Primary-Secondary roles. To configure these roles, choose one of the following: Primary: For the current node to be the primary Monitoring node. Secondary: For the current node to be the secondary Monitoring node. None: If you do not want the Monitoring nodes to assume the primary-secondary roles. If you configure one of your Monitoring nodes as primary or secondary, the other Monitoring node automatically becomes the secondary or primary node, respectively. Both the primary and secondary Monitoring nodes receive Administration and Policy Service logs. If you change the role for one Monitoring node to None, the role of the other Monitoring node also becomes None, thereby cancelling the high availability pair after you designate a node as a Monitoring node, you will find this node listed as a syslog target in the Remote Logging Targets window: Administration > System > Logging > Remote Logging Targets.
Policy Service	Check this check box to enable any one or all of the following services: Enable Session Services: Check this check box to enable network access, posture, guest, and client provisioning services. Choose the group to which this Policy Service node belongs from the Include Node in Node Group drop-down list. Note that CA and EST services can only run on a Policy Service node that has session services enabled on it. For Include Node in Node Group, choose None if you do not want this Policy Service node to be part of any group. All the nodes within the same node group should be configured on the network access device (NAD) as RADIUS clients and authorized for CoA, because any one of them can issue a CoA request for the sessions that are established through any node in the node group. If you are not using a load balancer, the nodes in a node group should be the same as, or a subset of the RADIUS servers and clients configured on the NAD. These nodes would also be configured as RADIUS servers. While a single NAD can be configured with many ISE nodes as RADIUS servers and dynamic-authorization clients, it is not necessary for all the nodes to be in the same node group. The members of a node group should be connected to each other using high-speed LAN connection such as Gigabit Ethernet. The node group members need not be L2 adjacent, but L2 adjacency is highly recommended to ensure sufficient bandwidth and reachability. See the Create Policy Service Node Group section in See Create a Policy Service Node Group for more details. Enable Profiling Service: Check this check box to enable the Profiler service. If you enable the Profiling service, you must click the Profiling Configuration tab and enter the details as required. When you enable or disable any of the services that run on the Policy Service node or make any changes to this node, you will be restarting the application server processes on which these services run. You must expect a delay while these services restart. You can determine when the application server has restarted on a node by using the show application status ise command from the CLI. Enable SXP Service: Check this check box to enable SXP service on the node. You must also specify the interface to be used for SXP service. Enable Device Admin Service: Check this check box to create TACACS policy sets, policy results, and so on to control and audit the configuration of network devices.
pxGrid	Check this check box to enable pxGrid persona. Cisco pxGrid is used to share the context-sensitive information from Cisco ISE session directory to other policy network systems such as Cisco Adaptive Security Appliance (ASA). The pxGrid framework can also be used to exchange policy and configuration data between nodes like sharing tags and policy objects between ISE and third party vendors, and for non-ISE related information exchanges such as threat information.

Profiling Node Settings

The following table describes the fields on the Profiling Configuration window, which you can use to configure the probes for the profiler service. The navigation path for this window is: Administration > System > Deployment > ISE Node > Edit > Profiling Configuration.

Table 2. Profiling Node Settings

Field Name

Usage Guidelines

NetFlow

Check this check box if you want to enable NetFlow per Cisco ISE node that has assumed the Policy Service persona to receive Netflow packets sent from the routers.Choose these options:

Interface: Choose the interface on the ISE node.
Port: Enter the NetFlow listener port number on which NetFlow exports are received from the routers. The default port is 9996.

DHCP

Check this check box if you want to enable DHCP per Cisco ISE node that has assumed the Policy Service persona to listen for DHCP packets from IP helper.Choose these options:

Port: Enter the DHCP server UDP port number. The default port is 67.
Interface: Choose the interface on the ISE node.
Port: Enter the DHCP server UDP port number. The default port is 67.

DHCP SPAN

Check this check box if you want to enable DHCP SPAN per Cisco ISE node that has assumed the Policy Service persona to collect DHCP packets.

Interface: Choose the interface on the ISE node.

HTTP

Check this check box if you want to enable HTTP per Cisco ISE node that has assumed the Policy Service persona to receive and parse HTTP packets.

Interface: Choose the interface on the ISE node.

RADIUS

Check this check box if you want to enable RADIUS per ISE node that has assumed the Policy Service persona to collect RADIUS session attributes as well as CDP, LLDP attributes from the IOS Sensor enabled devices.

Network Scan (NMAP)

Check this box to enable the NMAP probe.

DNS

Check this check box if you want to enable DNS per ISE node that has assumed the Policy Service persona to perform a DNS lookup for the FQDN.Enter the timeout period in seconds.

Note

For the DNS probe to work on a particular Cisco ISE node in a distributed deployment, you must enable any one of the following probes: DHCP, DHCP SPAN, HTTP, RADIUS, or SNMP. For DNS lookup, one of the probes mentioned above must be started along with the DNS probe.

SNMP Query

Check this check box if you want to enable SNMP Query per ISE node that has assumed the Policy Service persona to poll network devices at specified intervals.Enter values for the following fields: Retries, Timeout, Event Timeout, and an optional Description.

Note

In addition to configuring the SNMP Query probe, you must also configure other SNMP settings in the following location: Administration > Network Resources > Network Devices. When you configure SNMP settings on the network devices, ensure that you enable the Cisco Device Protocol (CDP) and Link Layer Discovery Protocol (LLDP) globally on your network devices.

SNMP Trap

Check this check box if you want to enable SNMP Trap probe per ISE node that has assumed the Policy Service Persona to receive linkUp, linkDown, and MAC notification traps from the network devices.Choose any of the following:

Link Trap Query: Check this check box to receive and interpret linkup and linkdown notifications received through the SNMP Trap.
MAC Trap Query: Check this check box to receive and interpret MAC notifications received through the SNMP Trap.
Interface: Choose an interface on the ISE node.
Port: Enter the UDP port of the host to use. The default port is 162.

Active Directory

Scans the defined Active Directory servers for information about Windows users.

Certificate Store Settings

The Certificate Store page enables you to configure certificates in Cisco ISE that can be used for authentication.

Self-Signed Certificate Settings

Table 3. Self-Signed Certificate Settings
Field Name	Usage Guidelines
Select Node	(Required) The node for which you want to generate the system certificate.
Common Name (CN)	(Required if you do not specify a SAN) By default, the common name is the Fully Qualified Domain Name of the ISE node for which you are generating the self-signed certificate.
Organizational Unit (OU)	Organizational Unit name. For example, Engineering.
Organization (O)	Organization name. For example, Cisco.
City (L)	(Do not abbreviate) City name. For example, San Jose.
State (ST)	(Do not abbreviate) State name. For example, California.
Country (C)	Country name. You must enter the two-letter ISO country code. For example, US.
Subject Alternative Name (SAN)	An IP address, DNS name, or Uniform Resource Identifier (URI)that is associated with the certificate.
Key Length	Specify the bit size for the public key. The following options are available for RSA: 512 1024 2048 4096 The following options are available for ECDSA: 256 384 Choose 2048 if you plan to get a public CA-signed certificate or deploy Cisco ISE as a FIPS-compliant policy management system.
Digest to Sign With	Choose one of the following hashing algorithm: SHA-1 or SHA-256.
Certificate Policies	Enter the certificate policy OID or list of OIDs that the certificate should conform to. Use comma or space to separate the OIDs.
Expiration TTL	Specify the number of days after which the certificate will expire.
Friendly Name	Enter a friendly name for the certificate. If you do not specify a name, Cisco ISE automatically creates a name in the format <common name> # <issuer> # <nnnnn> where <nnnnn> is a unique five-digit number.
Allow Wildcard Certificates	Check this check box if you want to generate a self-signed wildcard certificate (a certificate that contains an asterisk () in any Common Name in the Subject and/or the DNS name in the Subject Alternative Name. For example, DNS name assigned to the SAN can be .amer.cisco.com.
Usage	Choose the service for which this system certificate should be used: Admin: Server certificate used to secure communication with the Admin portal and between ISE nodes in a deployment EAP Authentication: Server certificate used for authentications that use the EAP protocol for SSL/TLS tunneling pxGrid: Client and server certificate to secure communication between the pxGrid client and server Portal: Server certificate used to secure communication with all Cisco ISE web portals

Certificate-Signing Request Settings

Cisco ISE allows you to generate CSRs for all the nodes in your deployment from the Admin portal in a single request. Also, you can choose to generate the CSR for a single node or multiple both nodes in the deployment. If you choose to generate a CSR for a single node, ISE automatically substitutes the Fully Qualified Domain Name (FQDN) of the particular node in the CN= field of the certificate subject. If you choose to include an entry in the Subject Alternative Name (SAN) field of the certificate, you must enter the FQDN of the ISE node in addition to other SAN attributes. If you choose to generate CSRs for all the nodes in your deployment, check the Allow Wildcard Certificates check box and enter the wildcard FQDN notation in the SAN field (DNS name), for example, *.amer.example.com. If you plan to use the certificate for EAP Authentication, do not enter the wildcard value in the CN= field.

With the use of wildcard certificates, you no longer have to generate a unique certificate for each Cisco ISE node. Also, you no longer have to populate the SAN field with multiple FQDN values to prevent certificate warnings. Using an asterisk (*) in the SAN field allows you to share a single certificate across multiple both nodes in a deployment and helps prevent certificate name mismatch warnings. However, use of wildcard certificates is considered less secure than assigning a unique server certificate for each Cisco ISE node.

Field Usage Guidelines

Certificate(s) will be used for

Choose the service for which you are going to use the certificate:

Cisco ISE Identity Certificates

Multi-Use: Used for multiple services (Admin, EAP-TLS Authentication, pxGrid, and Portal). Multi-use certificates use both client and server key usages. The certificate template on the signing CA is often called a Computer or Machine certificate template. This template has the following properties:
- Key Usage: Digital Signature (Signing)
- Extended Key Usage: TLS Web Server Authentication (1.3.6.1.5.5.7.3.1) and TLS Web Client Authentication (1.3.6.1.5.5.7.3.2)
Admin: Used for server authentication (to secure communication with the Admin portal and between ISE nodes in a deployment). The certificate template on the signing CA is often called a Web Server certificate template. This template has the following properties:
- Key Usage: Digital Signature (Signing)
- Extended Key Usage: TLS Web Server Authentication (1.3.6.1.5.5.7.3.1)

EAP Authentication: Used for server authentication. The certificate template on the signing CA is often called a Computer or Machine certificate template. This template has the following properties:

Key Usage: Digital Signature (Signing)
Extended Key Usage: TLS Web Server Authentication (1.3.6.1.5.5.7.3.1)

Note

Digital signature key usage is required for EAP-TLS client certificates.

Portal: Used for server authentication (to secure communication with all ISE web portals). The certificate template on the signing CA is often called a Computer or Machine certificate template. This template has the following properties:
- Key Usage: Digital Signature (Signing)
- Extended Key Usage: TLS Web Server Authentication (1.3.6.1.5.5.7.3.1)
pxGrid: Used for both client and server authentication (to secure communication between the pxGrid client and server). The certificate template on the signing CA is often called a Computer or Machine certificate template. This template has the following properties:
- Key Usage: Digital Signature (Signing)
- Extended Key Usage: TLS Web Server Authentication (1.3.6.1.5.5.7.3.1) and TLS Web Client Authentication (1.3.6.1.5.5.7.3.2)

Note

We recommend that you do not use a certificate that contains the value of 2.5.29.37.0 for the Any Purpose object identifier in the Extended Key Usage attribute. If you use a certificate that contains the value of 2.5.29.37.0 for the Any Purpose object identifier in the Extended Key Usage attribute, the certificate is considered invalid and the following error message is displayed:

source=local ; type=fatal ; message="unsupported certificate"

Cisco ISE Certificate Authority Certificates

ISE Root CA: (Applicable only for the internal CA service ) Used for regenerating the entire internal CA certificate chain including the root CA on the Primary PAN and subordinate CAs on the PSNs.
ISE Intermediate CA: (Applicable only for the internal CA service when ISE acts as an intermediate CA of an external PKI) Used to generate an intermediate CA certificate on the Primary PAN and subordinate CA certificates on the PSNs. The certificate template on the signing CA is often called a Subordinate Certificate Authority. This template has the following properties:
- Basic Constraints: Critical, Is a Certificate Authority
- Key Usage: Certificate Signing, Digital Signature
- Extended Key Usage: OCSP Signing (1.3.6.1.5.5.7.3.9)
Renew ISE OCSP Responder Certificates: (Applicable only for the internal CA service) Used to renew the ISE OCSP responder certificate for the entire deployment (and is not a certificate signing request). For security reasons, we recommend that you renew the ISE OCSP responder certificates every six months.

Allow Wildcard Certificates

Check this check box to use a wildcard character (*) in the CN and/or the DNS name in the SAN field of the certificate. If you check this check box, all the nodes in the deployment are selected automatically. You must use the asterisk (*) wildcard character in the left-most label position. If you use wildcard certificates, we recommend that you partition your domain space for greater security. For example, instead of *.example.com, you can partition it as *.amer.example.com. If you do not partition your domain, it can lead to security issues.

Generate CSRs for these Nodes

Check the check boxes next to the nodes for which you want to generate the certificate. To generate a CSR for select nodes in the deployment, you must uncheck the Allow Wildcard Certificates option.

Common Name (CN)

By default, the common name is the FQDN of the ISE node for which you are generating the CSR. $FQDN$ denotes the FQDN of the ISE node. When you generate CSRs for multiple nodes in the deployment, the Common Name field in the CSRs is replaced with the FQDN of the respective ISE nodes.

Organizational Unit (OU)

Organizational Unit name. For example, Engineering.

Organization (O)

Organization name. For example, Cisco.

City (L)

(Do not abbreviate) City name. For example, San Jose.

State (ST)

(Do not abbreviate) State name. For example, California.

Country (C)

Country name. You must enter the two-letter ISO country code. For example, US.

Subject Alternative Name (SAN)

An IP address, DNS name, Uniform Resource Identifier (URI), or Directory Name that is associated with the certificate.

DNS Name: If you choose the DNS name, enter the fully qualified domain name of the ISE node. If you have enabled the Allow Wildcard Certificates option, specify the wildcard notation (an asterisk and a period before the domain name). For example, *.amer.example.com.
IP Address: IP address of the ISE node to be associated with the certificate.
Uniform Resource Identifier: A URI that you want to associate with the certificate.
Directory Name: A string representation of distinguished name(s) (DNs) defined per RFC 2253. Use a comma (,) to separate the DNs. For “dnQualifier” RDN, escape the comma and use backslash-comma “\,” as separator. For example, CN=AAA,dnQualifier=O=Example\,DC=COM,C=IL

Key Length

Choose 2048 or greater if you plan to get a public CA-signed certificate or deploy Cisco ISE as a FIPS-compliant policy management system.

Digest to Sign With

Choose one of the following hashing algorithm: SHA-1 or SHA-256.

Certificate Policies

Enter the certificate policy OID or list of OIDs that the certificate should conform to. Use comma or space to separate the OIDs.

Endpoint Certificate Overview Page

Table 5. Certificate Management Overview
Field Names	Usage Guidelines
Node Name	Name of the Policy Service node (PSN) that issued the certificate.
Endpoint Certificates Issued	Number of endpoint certificates issued by the PSN node.
Endpoint Certificates Revoked	Number of revoked endpoint certificates (certificates that were issued by the PSN node).
Endpoint Certificates Requests	Number of certificate-based authentication requests processed by the PSN node.
Endpoint Certificates Failed	Number of failed authentication requests processed by the PSN node.

Check the Status of the Certificates (OCSP or CRL).

Cisco ISE checks the Certificate Revocation Lists (CRL) periodically. Using this page, you can configure Cisco ISE to check ongoing sessions against CRLs that are downloaded automatically. You can specify the time of the day when the OCSP or CRL checks should begin each day and the time interval in hours that Cisco ISE waits before checking the OCSP server or CRLs again.

Table 6. Certificate Periodic Check Settings
Field Name	Usage Guidelines
Certificate Check Settings
Check ongoing sessions against automatically retrieved CRL	Check this check box if you want Cisco ISE to check ongoing sessions against CRLs that are automatically downloaded.
CRL/OCSP Periodic Certificate Checks
First check at	Specify the time of the day when the CRL or OCSP check should begin each day. Enter a value between 00:00 and 23:59 hours.
Check every	Specify the time interval in hours that Cisco ISE waits before checking the CRL or OCSP server again.

System Certificate Import Settings

Table 7. System Certificate Import Settings

Field Name

Description

Select Node

(Required) Choose the Cisco ISE node on which you want to import the system certificate.

Certificate File

(Required) Click Browse to select the certificate file from your local system.

Private Key File

(Required) Click Browse to select the private key file.

Password

(Required) Enter the password to decrypt the private key file.

Friendly Name

Enter a friendly name for the certificate. If you do not specify a name, Cisco ISE automatically creates a name in the format <common name> # <issuer> # <nnnnn> where <nnnnn> is a unique five-digit number.

Allow Wildcard Certificates

Check this check box if you want to import a wildcard certificate (a certificate that contains an asterisk (*) in any Common Name in the Subject and/or the DNS name in the Subject Alternative Name. For example, DNS name assigned to the SAN can be *.amer.cisco.com. If you check this check box, Cisco ISE imports this certificate to all the other nodes in the deployment.

Validate Certificate Extensions

Check this check box if you want Cisco ISE to validate the certificate extensions. If you check this check box and the certificate that you are importing contains a basic constraints extension with the CA flag set to true, ensure that the key usage extension is present, and that the keyEncipherment bit or the keyAgreement bit, or both, are also set.

Usage

Choose the service for which this system certificate should be used:

Admin: Server certificate used to secure communication with the Admin portal and between ISE nodes in a deployment

Note

Changing the certificate of the admin role certificate on a Primary PAN restarts services on all other nodes.

EAP Authentication: Server certificate used for authentications that use the EAP protocol for SSL/TLS tunneling
pxGrid: Client and server certificate to secure communication between the pxGrid client and server
Portal: Server certificate used to secure communication with all Cisco ISE web portals

Trusted Certificate Store Page

Table 8. Certificate Store Page
Field Name	Usage Guidelines
Friendly Name	Displays the name of the certificate.
Status	Enabled or Disabled. If Disabled, ISE will not use the certificate for establishing trust.
Trusted for	Displays the service for which the certificate is used.
Issued To	Common Name (CN) of the certificate subject.
Issued By	Common Name (CN) of the certificate issuer.
Valid From	The “Not Before” certificate attribute.
Expiration Date	The “Not After” certificate attribute.
Expiration Status	Provides information about the status of the certificate expiration. There are five icons and categories of informational message that appear in this column: Green: Expiring in more than 90 days Blue: Expiring in 90 days or less Yellow: Expiring in 60 days or less Orange: Expiring in 30 days or less Red: Expired

Edit Certificate Settings

The following table describes the fields on the Certificate Store Edit Certificate page, which you can use to edit the Certificate Authority (CA) certificate attributes. The navigation path for this page is Administration > System > Certificates > Trusted Certificates > Certificate > Edit.

Table 9. Certificate Store Edit Settings
Field Name	Usage Guidelines
Certificate Issuer
Friendly Name	Enter a friendly name for the certificate.
Status	Choose Enabled or Disabled. If Disabled, ISE will not use the certificate for establishing trust.
Description	Enter an optional description.
Usage
Trust for authentication within ISE	Check the check box if you want this certificate to verify server certificates (from other ISE nodes or LDAP servers).
Trust for client authentication and Syslog	(Applicable only if you check the Trust for authentication within ISE check box) Check the check box if you want this certificate to be used to: Authenticate endpoints that connect to ISE using the EAP protocol Trust a Syslog server
Trust for authentication of Cisco Services	Check this check box if you want this certificate to be used to trust external Cisco services such as the feed service.
Certificate Status Validation	ISE supports two ways of checking the revocation status of a client or server certificate that is issued by a particular CA. The first is to validate the certificate using the Online Certificate Status Protocol (OCSP), which makes a request to an OCSP service maintained by the CA. The second is to validate the certificate against a Certificate Revocation List (CRL) which is downloaded from the CA into ISE. Both of these methods can be enabled, in which case OCSP is used first, and only if a status determination cannot be made then the CRL is used.
Validate Against OCSP Service	Check the check box to validate the certificate against OCSP services. You must first create an OCSP Service to be able to check this box.
Reject the request if OCSP returns UNKNOWN status	Check the check box to reject the request if certificate status is not determined by OCSP. If you check this check box, an unknown status value returned by the OCSP service will cause ISE to reject the client or server certificate currently being evaluated.
Reject the request if OCSP Responder is unreachable	Check the check box for ISE to reject the request if the OCSP Responder is not reachable.
Download CRL	Check the check box for the Cisco ISE to download a CRL.
CRL Distribution URL	Enter the URL to download the CRL from a CA. This field will be automatically populated if it is specified in the certificate authority certificate. The URL must begin with “http”, “https”, or “ldap.”
Retrieve CRL	The CRL can be downloaded automatically or periodically. Configure the time interval between downloads.
If download failed, wait	Configure the time interval to wait before Cisco ISE tries to download the CRL again.
Bypass CRL Verification if CRL is not Received	Check this check box, for the client requests to be accepted before the CRL is received. If you uncheck this check box, all client requests that use certificates signed by the selected CA will be rejected until Cisco ISE receives the CRL file.
Ignore that CRL is not yet valid or expired	Check this check box if you want Cisco ISE to ignore the start date and expiration date and continue to use the not yet active or expired CRL and permit or reject the EAP-TLS authentications based on the contents of the CRL. Uncheck this check box if you want Cisco ISE to check the CRL file for the start date in the Effective Date field and the expiration date in the Next Update field. If the CRL is not yet active or has expired, all authentications that use certificates signed by this CA are rejected.

Trusted Certificate Import Settings

Table 10. Trusted Certificate Import Settings
Fields	Description
Certificate File	Click Browse to choose the certificate file from the computer that is running the browser.
Friendly Name	Enter a friendly name for the certificate. If you do not specify a name, Cisco ISE automatically creates a name in the format <common name># <issuer># <nnnnn>, where <nnnnn> is a unique five-digit number.
Trust for authentication within ISE	Check the check box if you want this certificate to be used to verify server certificates (from other ISE nodes or LDAP servers).
Trust for client authentication and Syslog	(Applicable only if you check the Trust for authentication within ISE check box) Check the check box if you want this certificate to be used to: Authenticate endpoints that connect to ISE using the EAP protocol Trust a Syslog server
Trust for authentication of Cisco Services	Check this check box if you want this certificate to be used to trust external Cisco services such as the feed service.
Validate Certificate Extensions	(Only if you check both the Trust for client authentication and Enable Validation of Certificate Extensions options) Ensure that the “keyUsage” extension is present and the “keyCertSign” bit is set, and that the basic constraints extension is present with the CA flag set to true.
Description	Enter an optional description.

OCSP Client Profile Settings

Table 11. OCSP Client Profile Settings
Field Name	Usage Guidelines
Name	Name of the OCSP Client Profile.
Description	Enter an optional description.
Configure OCSP Responder
Enable Secondary Server	Check this check box to enable a secondary OCSP server for high availability.
Always Access Primary Server First	Use this option to check the primary server before trying to move to the secondary server. Even if the primary was checked earlier and found to be unresponsive, Cisco ISE will try to send a request to the primary server before moving to the secondary server.
Fallback to Primary Server After Interval n Minutes	Use this option when you want Cisco ISE to move to the secondary server and then fall back to the primary server again. In this case, all other requests are skipped, and the secondary server is used for the amount of time that is configured in the text box. The allowed time range is 1 to 999 minutes.
Primary and Secondary Servers
URL	Enter the URL of the primary and/or secondary OCSP server.
Enable Nonce Extension Support	You can configure a nonce to be sent as part of the OCSP request. The Nonce includes a pseudo-random number in the OCSP request. It is verified that the number that is received in the response is the same as the number that is included in the request. This option ensures that old communications cannot be reused in replay attacks.
Validate Response Signature	The OCSP responder signs the response with one of the following certificates: The CA certificate A certificate different from the CA certificate In order for Cisco ISE to validate the response signature, the OCSP responder needs to send the response along with the certificate, otherwise the response verification fails, and the status of the certificate cannot be relied on. According to the RFC, OCSP can sign the response using different certificates. This is true as long as OCSP sends the certificate that signed the response for Cisco ISE to validate it. If OCSP signs the response with a different certificate that is not configured in Cisco ISE, the response verification will fail.
Use OCSP URLs specified in Authority Information Access (AIA)	Click the radio button to use the OCSP URLs specified in the Authority Information Access extension.
Response Cache
Cache Entry Time To Live n Minutes	Enter the time in minutes after which the cache entry expires. Each response from the OCSP server holds a nextUpdate value. This value shows when the status of the certificate will be updated next on the server. When the OCSP response is cached, the two values (one from the configuration and another from response) are compared, and the response is cached for the period of time that is the lowest value of these two. If the nextUpdate value is 0, the response is not cached at all. Cisco ISE will cache OCSP responses for the configured time. The cache is not replicated or persistent, so when Cisco ISE restarts, the cache is cleared. The OCSP cache is used in order to maintain the OCSP responses and for the following reasons: To reduce network traffic and load from the OCSP servers on an already-known certificate To increase the performance of Cisco ISE by caching already-known certificate statuses
Clear Cache	Click Clear Cache to clear entries of all the certificate authorities that are connected to the OCSP service. In a deployment, Clear Cache interacts with all the nodes and performs the operation. This mechanism updates every node in the deployment.

Internal CA Settings

Table 12. Internal CA Settings
Field Name	Usage Guidelines
Disable Certificate Authority	Click this button to disable the internal CA service.
Host Name	Host name of the Cisco ISE node that is running the CA service.
Personas	Cisco ISE node personas that are enabled on the node running the CA service. For example, Administration, Policy Service, etc.
Role(s)	The role(s) assumed by the Cisco ISE node running the CA service. For example, Standalone or Primary or Secondary.
CA & OCSP Responder Status	Enabled or disabled
OCSP Responder URL	URL for Cisco ISE node to access the OCSP server.

Certificate Template Settings

Note

We do not support UTF-8 characters in the certificate template fields (Organizational Unit, Organization, City, State, and Country). Certificate provisioning fails if UTF-8 characters are used in the certificate template.


Field Name	Usage Guidelines
Name	(Required) Enter a name for the certificate template. For example, Internal_CA_Template.
Description	(Optional) Enter a description.
Common Name (CN)	(Display only) Common name is autopopulated with the username.
Organizational Unit (OU)	Organizational Unit name. For example, Engineering.
Organization (O)	Organization name. For example, Cisco.
City (L)	(Do not abbreviate) City name. For example, San Jose.
State (ST)	(Do not abbreviate) State name. For example, California.
Country (C)	Country name. You must enter the two-letter ISO country code. For example, US.
Subject Alternative Name (SAN)	(Display only) MAC address of the endpoint.
Key Size	Specify a key size of 1024 or higher.
SCEP RA Profile	Choose the ISE Internal CA or an external SCEP RA profile that you have created.
Valid Period	Enter the number of days after which the certificate expires.

Logging Settings

These pages allow you to configure the severity of debug logs, create an external log target, and enable Cisco ISE to send log messages to these external log targets.

Remote Logging Target Settings

The following table describes the fields on the Remote Logging Targets window, which you can use to create external locations (syslog servers) to store logging messages. The navigation path for this window is: Administration > System > Logging > Remote Logging Targets.

Table 13. Remote Logging Target Settings
Fields	Usage Guidelines
Name	Enter the name of the new target.
Target Type	Select the target type. By default it is set to UDP Syslog.
Description	Enter a brief description of the new target.
IP Address	Enter the IP address or hostname of the destination machine where you want to store the logs.
Port	Enter the port number of the destination machine.
Facility Code	Choose the syslog facility code to be used for logging. Valid options are Local0 through Local7.
Maximum Length	Enter the maximum length of the remote log target messages. Valid options are from 200 to 1024 bytes.
Buffer Message When Server Down	Check this check-box if you want Cisco ISE to buffer the syslog messages when TCP syslog targets and secure syslog targets are unavailable. ISE retries sending the messages to the target when the connection resumes. After the connection resumes, messages are sent by the order from oldest to newest and buffered messages are always sent before new messages. If the buffer is full, old messages are discarded.
Buffer Size (MB)	Set the buffer size for each target. By default, it is set to 100 MB. Changing the buffer size clears the buffer and all existing buffered messages for the specific target are lost.
Reconnect Timeout (Sec)	Give in seconds how long will the TCP and secure syslogs be kept before being discarded, when the server is down.
Select CA Certificate	Select a client certificate.
Ignore Server Certificate Validation	Check this check-box if you want ISE to ignore server certificate authentication and accept any syslog server. By default, this option is set to off unless the system is in FIPS mode when this is disabled.

Logging Category Settings

The following table describes the fields on the Logging Categories window, which you can use to configure the log severity level and choose logging targets for the logs of selected categories to be stored. The navigation path for this window is Administration > System > Logging > Logging Categories.

Table 14. Logging Category Settings
Fields	Usage Guidelines
Name	Displays the name of the logging category.
Log Severity Level	Allows you to choose the severity level for the diagnostic logging categories from the following options: FATAL—Emergency. This option means that Cisco ISE cannot be used and you must take action immediately ERROR—This option indicates a critical or error condition. WARN—This option indicates a normal but significant condition. This is the default condition. INFO—This option indicates an informational message. DEBUG—This option indicates a diagnostic bug message.
Local Logging	Check this check box to enable logging event for the category on the local node.
Target	Allows you to change the targets for a category by transferring the targets between the Available and the Selected boxes using the left and right icons. The Available box contains the existing logging targets, both local (predefined) and external (user-defined). The Selected box, which is initially empty, contains the selected targets for the specific category.

Maintenance Settings

These pages help you to manage data using the backup, restore, and data purge features.

Repository Settings

Table 15. Repository Settings

Fields

Usage Guidelines

Repository

Enter the name of the repository. Alphanumeric characters are allowed and the maximum length is 80 characters.

Protocol

Choose one of the available protocols that you want to use.

Server Name

(Required for TFTP, HTTP, HTTPS, FTP, SFTP, and NFS) Enter the hostname or IPv4 address of the server where you want to create the repository.

Note

Ensure that the ISE eth0 interface is configured with an IPv6 address if you are adding a repository with an IPv6 address.

Path

Enter the path to your repository. The path must be valid and must exist at the time you create the repository.

This value can start with two forward slashes (//) or a single forward slash (/) denoting the root directory of the server. However, for the FTP protocol, a single forward slash (/) denotes the FTP user's home directory and not the root directory.

User Name

(Required for FTP, SFTP, and NFS) Enter the username that has write permission to the specified server. Only alphanumeric characters are allowed.

Password

(Required for FTP, SFTP, and NFS) Enter the password that will be used to access the specified server. Passwords can consist of the following characters: 0 through 9, a through z, A through Z, -, ., |, @, #,$, %, ^, &, *, (, ), +, and =.

On-Demand Backup Settings

Scheduled Backup Settings

Admin Access Settings

These pages enable you to configure access settings for administrators.

Administrator Password Policy Settings

The following table describes the fields on the Administrator Password Policy window, which you can use to define a criteria that administrator passwords should meet. The navigation path for this window is:Administration > System > Admin Access > Authentication > Password Policy.

Table 16. Administrator Password Policy Settings
Fields	Usage Guidelines
Minimum Length	Specifies the minimum length of the password (in characters). The default is six characters.
Password should not contain the admin name or its characters in reversed order	Check this check box to restrict the use of the administrator username or its characters in reverse order.
Password should not contain “cisco” or its characters in reversed order	Check this check box to restrict the use of the word “cisco” or its characters in reverse order.
Password should not contain ________ or its characters in reversed order	Check this check box to restrict the use of any word that you define or its characters in reverse order.
Password should not contain repeated characters four or more times consecutively	Check this check box to restrict the use of repeated characters four or more times consecutively.
Required Characters	Specifies that the administrator password must contain at least one character of the type that you choose from the following choices: Lowercase alphabetic characters Uppercase alphabetic characters Numeric characters Non-alphanumeric characters
Password History	Specifies the number of previous passwords from which the new password must be different to prevent the repeated use of the same password. Also, specifies the number of characters that must be different from the previous password. Enter the number of days before which you cannot reuse a password.
Password Lifetime	Specifies the following options to force users to change passwords after a specified time period: Time (in days) before the administrator account is disabled if the password is not changed. (The allowable range is 0 to 2,147,483,647 days.) Reminder (in days) before the administrator account is disabled.
Lock or Suspend Account with Incorrect Login Attempts	Specifies the number of times Cisco ISE records incorrect administrator passwords before locking the administrator out of Cisco ISE, and suspending or disabling account credentials. An e-mail is sent to the administrator whose account gets locked out. You can enter a custom e-mail remediation message.

Session Timeout and Session Information Settings

The following table describes the fields on the Session window, which you can use to define session timeout and terminate an active administrative session. The navigation path for this window is:Administration > System > Admin Access > Settings > Session.

Table 17. Session Timeout and Session Info Settings
Fields	Usage Guidelines
Session Timeout
Session Idle Timeout	Enter the time in minutes that you want Cisco ISE to wait before it logs out the administrator if there is no activity. The default value is 60 minutes. The valid range is from 6 to 100 minutes.
Session Info
Invalidate	Check the check box next to the session ID that you want to terminate and click Invalidate.

Settings

These pages enable you to configure general settings for the various services.

Posture General Settings

The following table describes the fields on the Posture General Settings page, which you can use to configure general posture settings such as remediation time and posture status. The navigation path for this page is:Administration > System > Settings > Posture > General Settings.

These settings are the default settings for posture, which can be overridden by a posture profile.

General Posture Settings

Remediation Timer—Enter the time to wait before starting remediation. The default value is 4 minutes. The valid range is 1 to 300 minutes.
Network Transition Delay—Enter a time value in seconds. The default value is 3 seconds. The valid range is 2 to 30 seconds.
Default Posture Status—Choose Compliant or Noncompliant. The non-agent devices like Linux assumes this status while connecting to the network.
Automatically Close Login Success Screen After—Check the check box to close the login success screen automatically after the specified time. You can configure the timer to close the login screen automatically between 0 to 300 seconds. If the time is set to zero, then the agents on the client do not display the login success screen.

Posture Lease

Perform posture assessment every time a user connects to the network—Select this option to initiate posture assessment every time the user connects to network
Perform posture assessment every n days—Select this option to initiate posture assessment after the specified number of days, even if the client is already postured Compliant.

Posture Reassessment Configuration Settings

The following table describes the fields in the Posture Reassessment Configurations Page, which you can use to configure posture reassessment. The navigation path for this page is: Administration > System > Settings > Posture > Reassessments.

Table 18. Posture Reassessment Configuration Settings

Fields

Usage Guidelines

Configuration Name

Enter the name of PRA configuration.

Configuration Description

Enter a description for PRA configuration.

Use Reassessment Enforcement?

Check the check box to apply the PRA configurations for the user identity groups.

Enforcement Type

Choose the action to be enforced:

Continue — The user continues to have the privileged access without any user intervention to remediate the client irrespective of the posture requirement.
Logoff — If the client is not compliant, the user is forced to logoff from the network. When the client logs in again, the compliance status is unknown.
Remediate — If the client is not compliant, the agent waits for a specified time for the remediation to happen. Once the client has remediated, the agent sends the PRA report to the policy service node. If the remediation is ignored on the client, then the agent sends a logoff request to the policy service node to force the client to logoff from the network.

If the posture requirement is set to mandatory, then the RADIUS session will be cleared as a result of the PRA failure action and a new RADIUS session has to start for the client to be postured again.

If the posture requirement is set to optional, then the agent on the client allows the user to click the continue option from the agent. The user can continue to stay in the current network without any restriction.

Interval

Enter a time interval in minutes to initiate PRA on the clients after the first successful login.

The default value is 240 minutes. Minimum value is 60 minutes and maximum is 1440 minutes.

Grace time

Enter a time interval in minutes to allow the client to complete remediation. The grace time cannot be zero, and should be greater than the PRA interval. It can range between the default minimum interval (5 minutes) and the minimum PRA interval.

The minimum value is 5 minutes and the maximum value is 60 minutes.

Note

The grace time is enabled only when the enforcement type is set to remediate action after the client fails the posture reassessment.

Select User Identity Groups

Choose a unique group or a unique combination of groups for your PRA configuration.

PRA configurations

Displays existing PRA configurations and user identity groups associated to PRA configurations.

Posture Acceptable Use Policy Configuration Settings

The following table describes the fields in the Posture Acceptable Use Policy Configurations Page, which you can use to configure an acceptable use policy for posture. The navigation path for this page is: Administration > System > Settings > Posture > Acceptable Use Policy.

Table 19. Posture AUP Configurations Settings
Fields	Usage Guidelines
Configuration Name	Enter the name of the AUP configuration that you want to create.
Configuration Description	Enter the description of the AUP configuration that you want to create.
Show AUP to Agent users (for Windows only)	If checked, the Show AUP to Agent users check box displays users (for Windows only) the link to network usage terms and conditions for your network and click it to view the AUP upon successful authentication and posture assessment.
Use URL for AUP message radio button	When selected, you must enter the URL to the AUP message in the AUP URL, which clients must access upon successful authentication and posture assessment.
Use file for AUP message radio button	When selected, you must browse to the location and upload a file in a zipped format in the AUP File, which contains the index.html at the top level. The .zip file can include other files and subdirectories in addition to the index.html file. These files can reference each other using HTML tags.
AUP URL	Enter the URL to the AUP, which clients must access upon successful authentication and posture assessment.
AUP File	In the AUP File, browse to the file and upload it to the Cisco ISE server. It should be a zipped file and the zipped file should contain the index.html file at the top level.
Select User Identity Groups	In the Select User Identity Groups drop-down list, choose a unique user identity group, or a unique combination of user identity groups, for your AUP configuration. Note the following while creating an AUP configuration: Posture AUP is not applicable for a guest flow Each configuration must have a unique user identity group, or a unique combination of user identity groups No two configurations have any user identity group in common If you want to create a AUP configuration with a user identity group “Any”, then delete all other AUP configurations first If you create a AUP configuration with a user identity group “Any”, then you cannot create other AUP configurations with a unique user identity group, or user identity groups. To create an AUP configuration with a user identity group other than Any, either delete an existing AUP configuration with a user identity group “Any” first, or update an existing AUP configuration with a user identity group “Any” with a unique user identity group, or user identity groups.
Acceptable use policy configurations—Configurations list	Lists existing AUP configurations and end user identity groups associated with AUP configurations.

EAP-FAST Settings

The following table describes the fields on the Protocol Settings page, which you can use to configure the EAP-FAST, EAP-TLS, and PEAP protocols. The navigation path for this page is: Administration > System > Settings > Protocols > EAP-FAST > EAP FAST Settings.

Table 20. Configuring EAP-FAST Settings
Fields	Usage Guidelines
Authority Identity Info Description	Enter a user-friendly string that describes the Cisco ISE node that sends credentials to a client. The client can discover this string in the Protected Access Credentials (PAC) information for type, length, and value (TLV). The default value is Identity Services Engine.
Master Key Generation Period	Specifies the primary key generation period in seconds, minutes, hours, days, or weeks. The value must be a positive integer in the range 1 to 2147040000 seconds. The default is 604800 seconds, which is equivalent to one week.
Revoke all master keys and PACs	Click Revoke to revoke all primary keys and PACs.
Enable PAC-less Session Resume	Check this check box if you want to use EAP-FAST without the PAC files.
PAC-less Session Timeout	Specifies the time in seconds after which the PAC-less session resume times out. The default is 7200 seconds.

PAC Settings

The following table describes the fields on the Generate PAC page, which you can use to configure protected access credentials for EAP-FAST authentication. The navigation path for this page is: Administration > System > Settings > Protocols > EAP-FAST > Generate PAC.

Table 21. Generating PAC for EAP-FAST Settings
Fields	Usage Guidelines
Tunnel PAC	Click this radio button to generate a tunnel PAC.
Machine PAC	Click this radio button to generate a machine PAC.
Trustsec PAC	Click this radio button to generate a Trustsec PAC.
Identity	(For the Tunnel and Machine PAC identity field) Specifies the username or machine name that is presented as the “inner username” by the EAP-FAST protocol. If the identity string does not match that username, authentication fails. This is the hostname as defined on the Adaptive Security Appliance (ASA). The identity string must match the ASA hostname otherwise, ASA cannot import the PAC file that is generated. If you are generating a Trustsec PAC, the Identity field specifies the Device ID of a Trustsec network device and is provided with an initiator ID by the EAP-FAST protocol. If the Identity string entered here does not match that Device ID, authentication fails.
PAC Time to Live	(For the Tunnel and Machine PAC) Enter a value in seconds that specifies the expiration time for the PAC. The default is 604800 seconds, which is equivalent to one week. This value must be a positive integer between 1 and 157680000 seconds. For the Trustsec PAC, enter a value in days, weeks, months, or years. By default, the value is one year. The minimum value is one day and the maximum is 10 years.
Encryption Key	Enter an encryption key. The length of the key must be between 8 and 256 characters. The key can contain uppercase or lowercase letters, or numbers, or a combination of alphanumeric characters.
Expiration Data	(For Trustsec PAC only) The expiration date is calculated based on the PAC Time to Live.

EAP-TTLS Settings

The following table describes the fields on the EAP-TTLS Settings page. The navigation path for this page is: Administration > System > Settings > Protocols > EAP-TTLS.

Table 22. EAP-TTLS Settings

Fields

Usage Guidelines

Enable EAP-TTLS Session Resume

If you check this check box, Cisco ISE will cache the TLS session that is created during phase one of EAP-TTLS authentication, provided the user successfully authenticates in phase two of EAP-TTLS. If a user needs to reconnect and the original EAP-TTLS session has not timed out, Cisco ISE uses the cached TLS session, resulting in faster EAP-TTLS performance and a reduced AAA server load.

Note

When the EAP-TTLS session is resumed, the inner method is skipped.

EAP-TTLS Session Timeout

Specifies the time in seconds after which the EAP-TTLS session times out. The default value is 7200 seconds.

EAP-TLS Settings

The following table describes the fields on the EAP-TLS Settings page, which you can use to configure the EAP-TLS protocol settings. The navigation path for this page is: Administration > System > Settings > Protocols > EAP-TLS.

Table 23. EAP-TLS Settings
Fields	Usage Guidelines
Enable EAP-TLS Session Resume	Check this check box to support an abbreviated reauthentication of a user who has passed full EAP-TLS authentication. This feature provides reauthentication of the user with only a Secure Sockets Layer (SSL) handshake and without applying the certificates. EAP-TLS session resume works only if the EAP-TLS session has not timed out.
EAP-TLS Session Timeout	Specifies the time in seconds after which the EAP-TLS session times out. The default value is 7200 seconds.

PEAP Settings

The following table describes the fields on the PEAP Settings page, which you can use to configure the PEAP protocol settings. The navigation path for this page is: Administration > System > Settings > Protocols > PEAP.

Table 24. PEAP Settings
Fields	Usage Guidelines
Enable PEAP Session Resume	Check this check box for the Cisco ISE to cache the TLS session that is created during phase one of PEAP authentication, provided the user successfully authenticates in phase two of PEAP. If a user needs to reconnect and the original PEAP session has not timed out, the Cisco ISE uses the cached TLS session, resulting in faster PEAP performance and a reduced AAA server load. You must specify a PEAP session timeout value for the PEAP session resume features to work.
PEAP Session Timeout	Specifies the time in seconds after which the PEAP session times out. The default value is 7200 seconds.
Enable Fast Reconnect	Check this check box to allow a PEAP session to resume in the Cisco ISE without checking user credentials when the session resume feature is enabled.

RADIUS Settings

The following table describes the fields on the RADIUS Settings page. The navigation path for this page is:Administration > System > Settings > Protocols > RADIUS.

When you enable anomalous client suppression and an endpoint authentication fails twice within the configured detection interval, Cisco ISE marks the supplicant as misconfigured and suppresses additional failed authentications with the same failure reason. You can find more details about the suppression by clicking the Misconfigured Supplicant Counter link on the Live Authentications page. A successful authentication from a suppressed endpoint clears the suppression, and results in a decrease in the Misconfigured Supplicant Counter value on the Live Authentications page. Also, if there is no authentication activity from the suppressed endpoint for a period of six hours, the suppression is cleared automatically.

Cisco ISE allows you to enable strong suppression by enabling the Reject Requests After Detection option. If you check the Reject Requests After Detection check box, and an endpoint authentication fails five times with the same failure reason, Cisco ISE activates strong suppression. All subsequent authentications, whether successful or not, are suppressed, and authentication does not occur. This “strong” suppression is cleared after the configured Request Rejection Interval elapses or after six hours of authentication inactivity from the endpoint.

Note

If you configure suppression of RADIUS failures, you may still receive the error "5440 Endpoint Abandoned EAP Session and started a new one" after you configure Radius log suppression. For more information, see the following ISE Community post:

https://community.cisco.com/t5/network-access-control/authentication-failed-quot-5440-endpoint-abandoned-eap-session/td-p/3191944

Table 25. RADIUS Settings
Fields	Usage Guidelines
Suppress Anomalous Clients	Check this check box to detect the clients for which the authentications fail repeatedly. A summary of the failures will be reported every Reporting Interval.
Detection Interval	Enter the time interval in minutes for the clients to be detected.
Reporting Interval	Enter the time interval in minutes for the failed authentications to be reported.
Reject Requests After Detection	Check this check box to reject the requests from a client that is identified as anomalous or misconfigured. The requests from anomalous clients will be rejected during the Request Rejection Interval.
Request Rejection Interval	Enter the time interval in minutes for which the requests are to be rejected. This option is available only when you have checked Reject Requests After Detection check box.
Suppress Repeated Successful Authentications	Check this check box to prevent repeated reporting of successful authentication requests in last 24 hours that have no change in identity context, network device, and authorization.
Accounting Suppression Interval	Enter the time interval in seconds for which the reporting of accounting requests to be suppressed.
Long Processing Step Threshold Interval	Enter the time interval in milliseconds. The steps are displayed in authentication details reports. If execution of a single step exceeds the specified threshold, then it will be highlighted in the authentication details report.
RADIUS UDP Ports

General TrustSec Settings

Define the global TrustSec settings for Cisco ISE to function as a TrustSec server and provide TrustSec services. The following table describes the fields in the TrustSec Settings window (Work Centers > TrustSec > Settings > General TrustSec Settings).

Verify Trustsec Deployment

This option helps you to verify that the latest TrustSec policies are deployed on all network devices. Alarms are displayed in the Alarms dashlet, under Work Centers > TrustSec > Dashboard and Home > Summary, if there are any discrepancies between the policies configured on Cisco ISE and on the network device. The following alarms are displayed in the TrustSec dashboard:

An alarm displays with an Info icon whenever the verification process starts or completes.
An alarm displays with an Info icon if the verification process was cancelled due to a new deployment request.
An alarm displays with a Warning icon if the verification process fails with an error. For example, failure to open the SSH connection with the network device, or if the network device is unavailable, or if there is any discrepancy between the policies configured on Cisco ISE and on the network device.

The Verify Deployment option is also available in the following windows:

Work Centers > TrustSec > Components > Security Groups
Work Centers > TrustSec > Components > Security Group ACLs
Work Centers > TrustSec > TrustSec Policy > Egress Policy > Matrix
Work Centers > TrustSec > TrustSec Policy > Egress Policy > Source Tree
Work Centers > TrustSec > TrustSec Policy > Egress Policy > Destination Tree

Automatic Verification After Every Deploy: Check this check box if you want Cisco ISE to verify the updates on all the network devices after every deployment. When the deployment process is complete, the verification process starts after the time you specify in the Time after Deploy Process field.

Time After Deploy Process: Specify the time for which you want Cisco ISE to wait for after the deployment process is complete, before starting the verification process. The valid range is 10–60 minutes.

The current verification process is cancelled if a new deployment request is received during the waiting period or if another verification is in progress.

Verify Now: Click this option to start the verification process immediately.

Protected Access Credential (PAC)

Tunnel PAC Time to Live :

Specify the expiry time for the PAC. The tunnel PAC generates a tunnel for the EAP-FAST protocol. You can specify the time in seconds, minutes, hours, days, or weeks. The default value is 90 days. The following are the valid ranges:
- 1–157680000 seconds
- 1–2628000 minutes
- 1–43800 hours
- 1–1825 days
- 1–260 weeks
Proactive PAC Update Will Occur After: Cisco ISE proactively provides a new PAC to a client after successful authentication when a configured percentage of the Tunnel PAC TTL remains. The server starts the tunnel PAC update if the first successful authentication occurs before the PAC expires. This mechanism updates the client with a valid PAC. The default value is 10%.

Security Group Tag Numbering

System will Assign SGT Numbers: Choose this option if you want Cisco ISE to automatically generate the SGT numbers.
Except Numbers in Range: Choose this option to reserve a range of SGT numbers for manual configuration. Cisco ISE will not use the values in this range while generating the SGTs.
User Must Enter SGT Numbers Manually: Choose this option to define the SGT numbers manually.

Security Group Tag Numbering for APIC EPGs

Security Group Tag Numbering for APIC EPGs : Check this check box and specify the range of numbers to be used for the SGTs created based on the EPGs learnt from APIC.

Automatic Security Group Creation

Auto Create Security Groups When Creating Authorization Rules: Check this check box to create the SGTs automatically while creating the authorization policy rules.

IF you select this option, the following message displays at the top of the Authorization Policy window: Auto Security Group Creation is On

The autocreated SGTs are named based on the rule attributes. Click the plus (+) sign displayed in the Permissions field to edit the SGT name and value.

Note

The autocreated SGTs are not deleted if you delete the corresponding authorization policy rule.

By default, this option is disabled after a fresh install or upgrade.

Automatic Naming Options: Use this option to define the naming convention for the autocreated SGTs.
(Mandatory) Name Will Include: Choose one of the following options:
- Rule name
- SGT number
- Rule name and SGT number
By default, the Rule name option is selected.

Optionally, you can add the following information to the SGT name:
- Policy Set Name (this option is available only if Policy Sets are enabled)
- Prefix (up to 8 characters)
- Suffix (up to 8 characters)
Cisco ISE displays a sample SGT name in the Example Name field, based on your selections.

If an SGT exists with the same name, ISE appends _x to the SGT name, where x is the first value, starting with 1 (if 1 is not used in the current name). If the new name is longer than 32 characters, Cisco ISE truncate its to the first 32 characters.

IP SGT static mapping of hostnames

IP SGT Static Mapping of Hostnames: If you use FQDN and hostnames, Cisco ISE looks for the corresponding IP addresses in the PAN and PSN nodes while deploying the mappings and checking the deployment status. You can use this option to specify the number of mappings that are created for the IP addresses returned by the DNS query. You can select one of the following options:

Create mappings for all IP addresses returned by a DNS query
Create mappings only for the first IPv4 address and the first IPv6 address that is returned by a DNS query

TrustSec Matrix Settings

The following table describes the fields on the TrustSec Matrix Settings page. The navigation path for this page is: Work Centers > TrustSec > Settings > TrustSec Matrix Settings.

Table 26. Configuring TrustSec Matrix Settings

Fields

Usage Guidelines

Allow Multiple SGACLs

Check this check box if you want to allow multiple SGACLs in a cell. If this option is not selected, Cisco ISE will allow only one SGACL per cell.

By default, this option is disabled upon fresh install.

After upgrade, Cisco ISE will scan the Egress cells and if it identifies at least one cell with multiple SGACLs assigned to it, it allows the admin to add multiple SGACLs in a cell. Otherwise, it allows only one SGACL per cell.

Note

Before disabling multiple SGACLs, you must edit the cells containing multiple SGACLs to include only one SGACL.

Allow Monitoring

Check this check box to enable monitoring for all cells in the matrix. If monitoring is disabled, Monitor All icon is greyed out and the Monitor option is disabled in the Edit Cell dialog.

By default, monitoring is disabled upon fresh install.

Note

Before disabling monitoring at matrix level, you must disable monitoring for the cells that are currently being monitored.

Show SGT Numbers

Use this option to display or hide the SGT values (both decimal and hexadecimal) in the matrix cells.

By default, the SGT values are displayed in the cells.

Appearance Settings

The following options are available:

Custom settings—The default theme (colors with no patterns) is displayed initially. You can set your own colors and patterns.
Default settings—Predefined list of colors with no patterns (not editable).
Accessibility settings—Predefined list of colors with patterns (not editable).

Color/Pattern

To make the matrix more readable, you can apply coloring and patterns to the matrix cells based on the cell contents.

The following display types are available:

Permit IP/Permit IP Log—Configured inside the cell
Deny IP/Deny IP Log—Configured inside the cell
SGACLs—For SGACLs configured inside the cell
Permit IP/Permit IP Log (Inherited)—Taken from the default policy (for non-configured cells)
Deny IP/Deny IP Log (Inherited)—Taken from the default policy (for non-configured cells)
SGACLs (Inherited)—Taken from the default policy (for non-configured cells)

SMS Gateway Settings

The navigation path for these settings is Guest Access > Settings > SMS Gateway.

Use these settings to configure sending SMS messages to guests and sponsors via an email server.

Table 27. SMS Gateway Settings for SMS Email Gateway
Field	Usage Guidelines
SMS Gateway Provider Domain	Enter the provider domain, which is used as the host portion and the guest account's mobile number as the user portion of the email address to send the message to the provider's SMS/MMS gateway.
Provider account address	(Optional) Enter the account address, which is used as the FROM address (typically the account address) for the email and overrides the Default Email Address global setting in Guest Access > Settings.
SMTP API destination address	(Optional) Enter the SMTP API Destination Address, if you are using an SMTP SMS API that requires a specific account recipient address, such as Clickatell SMTP API. This is used as the TO address for the email and the guest account's mobile number is substituted into the message's body template.
SMTP API body template	(Optional) Enter the SMTP API Body Template, if you are using an SMTP SMS API that requires a specific email body template for sending the SMS, such as Clicketell SMTP API. The supported dynamic substitutions are $mobilenumber$, , and $message$.

The navigation path for these settings is Guest Access > Settings > SMS Gateway.

Use these settings to configure sending SMS messages to guests and sponsors via an HTTP API (GET or POST method).

Table 28. SMS Gateway Settings for SMS HTTP API
Field	Usage Guidelines
URL	Enter the URL for the API. This field is not URL encoded. The guest account's mobile number is substituted into the URL. The supported dynamic substitutions are $mobilenumber$ and $message$. If you are using HTTPS with the HTTP API, include HTTPS in the URL string and upload your provider's trusted certificates into Cisco ISE. Choose Administration > System > Certificates > Trusted Certificates.
Data (Url encoded portion)	Enter the Data (Url encoded portion) for the GET or POST request. This field is URL encoded. If using the default GET method, the data is appended to the URL specified above.
Use HTTP POST method for data portion	If using the POST method, check this option. The data specified above is used as the content of the POST request.
HTTP POST data content type	If using the POST method, specify the content type such as "plain/text" or "application/xml".
HTTPS Username HTTPS Password HTTPS Host name HTTPS Port number	Enter this information.

DHCP and DNS Services

The navigation path for these settings is Administration > System > Settings > DHCP & DNS Services.

Use these settings to configure a DHCP, and optionally DNS, in order to enable Auth VLAN URL redirect simulation. You can create multiple scopes in order to apply them to different ISE nodes. If you apply multiple scopes to one ISE node, they should be configured on the same network interface.

Note

For Profiling, you may need a DHCP probe. ISE DHCP probe uses the same UDP port 67 as the Auth VLAN DHCP service. Therefore the DHCP probe should be configured on a different interface or can be disabled on this ISE node. For more information about DHCP probes, see DHCP Probe.

Table 29. DHCP & DNS Service Settings for Auth VLAN URL Redirect Simulation
Field	Usage Guidelines
Scope Name	Enter a name by which you can easily remember the purpose of this scope.
Status	Select Enabled or Disabled. The scope can only be used for an ISE node when enabled.
ISE Node	Apply an ISE node to act as the DHCP/DNS server. From the dropdown list, select the ISE node with which to use this scope. The Auth VLAN is defined per ISE node/network interface and no two interfaces or two nodes can share the same VLAN.
Network Interface	The network interfaces available for the ISE node that you selected appear in this dropdown list dynamically based on the ISE node that you selected. The Auth VLAN is defined per ISE node/network interface and no two interfaces or two nodes can share the same VLAN. Select the interface from which the DHCP/DNS server listens. Multiple VLANs may be connected to one network interface card by configuring a VLAN IP-helper on the NAD. For more information about configuring an IP helper, refer to the administration guide for the device for instructions.
Domain Name	Enter the domain name for the DHCP server to be used in this scope.
DHCP Address range	Based on your network definitions, select the range of DHCP addresses available to be used for this scope.
Subnet mask	Based on your network definitions, select the network mask to be used for this scope.
Network ID	Automatically determined by Cisco ISE based on the DHCP attributes you enter.
Exclusion address range	Based on your network definitions, select the range of DHCP addresses that should not be used for this scope.
Default gateway	Enter the IP address of the default gateway.
DHCP lease time	Define the the DHCP lease time.
External DNS servers	If you would like users to be allowed access to external domains outside of the Auth VLAN before receiving authentication to access the entire corporate network, enter the IP addresses of the DNS servers to resolve the external DNS names.
External Domains	If you would like users to be allowed to access a specific site before receiving authentication to access the entire corporate network, enter the domain names of those sites in these fields.

Identity Management

These pages enable you to configure and manage identities in Cisco ISE.

Endpoints

These pages enable you to configure and manage endpoints that connect to your network.

Endpoint Settings

The following table describes the fields on the Endpoints page, which you can use to create endpoints and assign policies for endpoints. The navigation path for this page is: Administration > Identity Management > Identities > Endpoints .

Table 30. Endpoint Settings
Fields	Usage Guidelines
MAC Address	Enter the MAC address in hexadecimal format to create an endpoint statically. The MAC address is the device identifier for the interface that is connected to the Cisco ISE enabled network
Static Assignment	Check this check box when you want to create an endpoint statically in the Endpoints page and the status of static assignment is set to static. You can toggle the status of static assignment of an endpoint from static to dynamic or from dynamic to static.
Policy Assignment	(Disabled by default unless the Static Assignment is checked) Choose a matching endpoint policy from the Policy Assignment drop-down list. You can do one of the following: If you do not choose a matching endpoint policy, but use the default endpoint policy Unknown, then the static assignment status is set to dynamic for the endpoint that allows dynamic profiling of an endpoint. If you choose a matching endpoint policy other than Unknown, then the static assignment status is set to static for that endpoint and the Static Assignment check box is automatically checked.
Static Group Assignment	(Disabled by default unless the Static group Assignment is checked) Check this check box when you want to assign an endpoint to an identity group statically. In you check this check box, the profiling service does not change the endpoint identity group the next time during evaluation of the endpoint policy for these endpoints, which were previously assigned dynamically to other endpoint identity groups. If you uncheck this check box, then the endpoint identity group is dynamic as assigned by the ISE profiler based on policy configuration. If you do not choose the Static Group Assignment option, then the endpoint is automatically assigned to the matching identity group the next time during evaluation of the endpoint policy.
Identity Group Assignment	Choose an endpoint identity group to which you want to assign the endpoint. You can assign an endpoint to an identity group when you create an endpoint statically, or when you do not want to use the Create Matching Identity Group option during evaluation of the endpoint policy for an endpoint. Cisco ISE includes the following system created endpoint identity groups: Blacklist GuestEndpoints Profiled Cisco IP-Phone Workstation RegisteredDevices Unknown

Endpoint Import from LDAP Settings

The following table describes the fields on the Import from LDAP page, which you can use to import endpoints from an LDAP server. The navigation path for this page is: Administration > Identity Management > Identities > Endpoints.

Table 31. Endpoint Import from LDAP Settings

Fields

Usage Guidelines

Connection Settings

Host

Enter the hostname, or the IP address of the LDAP server.

Port

Enter the port number of the LDAP server. You can use the default port 389 to import from an LDAP server, and the default port 636 to import from an LDAP server over SSL.

Note

Cisco ISE supports any configured port number. The configured value should match the LDAP server connection details.

Enable Secure Connection

Check the Enable Secure Connection check box to import from an LDAP server over SSL.

Root CA Certificate Name

Click the drop-down arrow to view the trusted CA certificates.

The Root CA Certificate Name refers to the trusted CA certificate that is required to connect to an LDAP server. You can add (import), edit, delete, and export trusted CA certificates in Cisco ISE.

Anonymous Bind

Check the Anonymous Bind check box to enable the anonymous bind.

You must enable either the Anonymous Bind check box, or enter the LDAP administrator credentials from the slapd.conf configuration file.

Admin DN

Enter the distinguished name (DN) configured for the LDAP administrator in the slapd.conf configuration file.

Admin DN format example: cn=Admin, dc=cisco.com, dc=com

Password

Enter the password configured for the LDAP administrator in the slapd.conf configuration file.

Base DN

Enter the distinguished name of the parent entry.

Base DN format example: dc=cisco.com, dc=com.

Query Settings

MAC Address objectClass

Enter the query filter, which is used for importing the MAC address. For example, ieee802Device.

MAC Address Attribute Name

Enter the returned attribute name for import. For example, macAddress.

Profile Attribute Name

Enter the name of the LDAP attribute. This attribute holds the policy name for each endpoint entry that is defined in the LDAP server.

When you configure the Profile Attribute Name field, consider the following:

If you do not specify this LDAP attribute in the Profile Attribute Name field or configure this attribute incorrectly, then endpoints are marked “Unknown” during an import operation, and these endpoints are profiled separately to the matching endpoint profiling policies.
If you configure this LDAP attribute in the Profile Attribute Name field, the attribute values are validated to ensure that the endpoint policy matches with an existing policy in Cisco ISE, and endpoints are imported. If the endpoint policy does not match with an existing policy, then those endpoints will not be imported.

Time Out [seconds]

Enter the time in seconds between 1 and 60 seconds.

Groups

These pages enable you to configure and manage endpoint identity groups.

Endpoint Identity Group Settings

The following table describes the fields on the Endpoint Identity Groups page, which you can use to create an endpoint group. The navigation path for this page is: Administration > Identity Management > Groups > Endpoint Identity Groups.

Table 32. Endpoint Identity Group Settings
Fields	Usage Guidelines
Name	Enter the name of the endpoint identity group that you want to create.
Description	Enter a description for the endpoint identity group that you want to create.
Parent Group	Choose an endpoint identity group from the Parent Group drop-down list to which you want to associate the newly created endpoint identity group. Cisco ISE includes the following five endpoint identity groups: Blacklist GuestEndpoints Profiled RegisteredDevices Unknown In addition, it creates two more identity groups, Cisco-IP-Phone and Workstation, which are associated to the Profiled (parent) identity group.

External Identity Sources

These pages enable you to configure and manage external identity sources that contain user data that Cisco ISE uses for authentication and authorization.

LDAP Identity Source Settings

The following table describes the fields on the LDAP Identity Sources page, which you can use to create an LDAP instance and connect to it. The navigation path for this page is: Administration > Identity Management > External Identity Sources > LDAP.

LDAP General Settings

The following table describes the fields in the General tab.

Table 33. LDAP General Settings

Fields

Usage Guidelines

Name

Enter a name for the LDAP instance. This value is used in searches to obtain the subject DN and attributes. The value is of type string and the maximum length is 64 characters.

Description

Enter a description for the LDAP instance. This value is of type string, and has a maximum length of 1024 characters.

Schema

You can choose any one of the following built-in schema types or create a custom schema:

Active Directory
Sun Directory Server
Novell eDirectory

You can click the arrow next to Schema to view the schema details.

If you edit the attributes of the predefined schema, Cisco ISE automatically creates a Custom schema.

Note

The following fields can be edited only when you choose the Custom schema.

Subject Objectclass

Enter a value to be used in searches to obtain the subject DN and attributes. The value is of type string and the maximum length is 256 characters.

Subject Name Attribute

Enter the name of the attribute containing the username in the request. The value is of type string and the maximum length is 256 characters.

Certificate Attribute

Enter the attribute that contains the certificate definitions. For certificate-based authentication, these definitions are used to validate certificates that are presented by clients.

Group Objectclass

Enter a value to be used in searches to specify the objects that are recognized as groups. The value is of type string and the maximum length is 256 characters.

Group Map Attribute

Specifies the attribute that contains the mapping information. This attribute can be a user or group attribute based on the reference direction that is chosen.

Subject Objects Contain Reference To Groups

Click this radio button if the subject objects contain an attribute that specifies the group to which they belong.

Group Objects Contain Reference To Subjects

Click this radio button if the group objects contain an attribute that specifies the subject. This value is the default value.

Subjects in Groups Are Stored in Member Attribute As

(Only available when you select the Group Objects Contain Reference To Subjects radio button) Specifies how members are sourced in the group member attribute and defaults to the DN.

LDAP Connection Settings

The following table describes the fields in the Connection Settings tab.

Table 34. LDAP Connection Settings
Fields	Usage Guidelines
Enable Secondary Server	Check this option to enable the secondary LDAP server to be used as a backup if the primary LDAP server fails. If you check this check box, you must enter configuration parameters for the secondary LDAP server.
Primary and Secondary Servers
Hostname/IP	Enter the IP address or DNS name of the machine that is running the LDAP software. The hostname can contain from 1 to 256 characters or a valid IP address expressed as a string. The only valid characters for hostnames are alphanumeric characters (a to z, A to Z, 0 to 9), the dot (.), and the hyphen (-).
Port	Enter the TCP/IP port number on which the LDAP server is listening. Valid values are from 1 to 65,535. The default is 389, as stated in the LDAP specification. If you do not know the port number, you can find this information from the LDAP server administrator.
Access	Anonymous Access—Click to ensure that searches on the LDAP directory occur anonymously. The server does not distinguish who the client is and will allow the client read access to any data that is configured as accessible to any unauthenticated client. In the absence of a specific policy permitting authentication information to be sent to a server, a client should use an anonymous connection. Authenticated Access—Click to ensure that searches on the LDAP directory occur with administrative credentials. If so, enter information for the Admin DN and Password fields.
Admin DN	Enter the DN of the administrator. The Admin DN is the LDAP account that has permission to search all required users under the User Directory Subtree and to search groups. If the administrator specified does not have permission to see the group name attribute in searches, group mapping fails for users who are authenticated by that LDAP server.
Password	Enter the LDAP administrator account password.
Secure Authentication	Click to use SSL to encrypt communication between Cisco ISE and the primary LDAP server. Verify that the Port field contains the port number used for SSL on the LDAP server. If you enable this option, you must choose a root CA.
LDAP Server Root CA	Choose a trusted root certificate authority from the drop-down list to enable secure authentication with a certificate.
Server Timeout	Enter the number of seconds that Cisco ISE waits for a response from the primary LDAP server before determining that the connection or authentication with that server has failed. Valid values are 1 to 99. The default is 10.
Max. Admin Connections	Enter the maximum number of concurrent connections (greater than 0) with LDAP administrator account permissions that can run for a specific LDAP configuration. These connections are used to search the directory for users and groups under the User Directory Subtree and the Group Directory Subtree. Valid values are 1 to 99. The default is 20.
Test Bind to Server	Click to test and ensure that the LDAP server details and credentials can successfully bind. If the test fails, edit your LDAP server details and retest.
Failover
Always Access Primary Server First	Click this option if you want Cisco ISE to always access the primary LDAP server first for authentications and authorizations.
Failback to Primary Server After	If the primary LDAP server that Cisco ISE attempts to contact cannot be reached, Cisco ISE attempts to contact the secondary LDAP server. If you want Cisco ISE to use the primary LDAP server again, click this option and enter a value in the text box.

LDAP Directory Organization Settings

The following table describes the fields in the Directory Organization tab.

Table 35. LDAP Directory Organization Settings

Fields

Usage Guidelines

Subject Search Base

Enter the DN for the subtree that contains all subjects. For example:

o=corporation.com

If the tree containing subjects is the base DN, enter:

o=corporation.com

dc=corporation,dc=com

as applicable to your LDAP configuration. For more information, refer to your LDAP database documentation.

Group Search Base

Enter the DN for the subtree that contains all groups. For example:

ou=organizational unit, ou=next organizational unit, o=corporation.com

If the tree containing groups is the base DN, type:

o=corporation.com

dc=corporation,dc=com

as applicable to your LDAP configuration. For more information, refer to your LDAP database documentation.

Search for MAC Address in Format

Enter a MAC Address format for Cisco ISE to use for search in the LDAP database. MAC addresses in internal identity sources are sourced in the format xx-xx-xx-xx-xx-xx. MAC addresses in LDAP databases can be sourced in different formats. However, when Cisco ISE receives a host lookup request, Cisco ISE converts the MAC address from the internal format to the format that is specified in this field.

Use the drop-down list to enable searching for MAC addresses in a specific format, where <format> can be any one of the following:

xxxx.xxxx.xxxx
xxxxxxxxxxxx
xx-xx-xx-xx-xx-xx
xx:xx:xx:xx:xx:xx

The format you choose must match the format of the MAC address sourced in the LDAP server.

Strip Start of Subject Name Up To the Last Occurrence of the Separator

Enter the appropriate text to remove domain prefixes from usernames.

If, in the username, Cisco ISE finds the delimiter character that is specified in this field, it strips all characters from the beginning of the username through the delimiter character. If the username contains more than one of the characters that are specified in the <start_string> box, Cisco ISE strips characters through the last occurrence of the delimiter character. For example, if the delimiter character is the backslash (\) and the username is DOMAIN\user1, Cisco ISE submits user1 to an LDAP server.

Note

The <start_string> cannot contain the following special characters: the pound sign (#), the question mark (?), the quotation mark (“), the asterisk (*), the right angle bracket (>), and the left angle bracket (<). Cisco ISE does not allow these characters in usernames.

Strip End of Subject Name from the First Occurrence of the Separator

Enter the appropriate text to remove domain suffixes from usernames.

If, in the username, Cisco ISE finds the delimiter character that is specified in this field, it strips all characters from the delimiter character through the end of the username. If the username contains more than one of the characters that are specified in this field, Cisco ISE strips characters starting with the first occurrence of the delimiter character. For example, if the delimiter character is @ and the username is user1@domain, then Cisco ISE submits user1 to the LDAP server.

Note

The <end_string> box cannot contain the following special characters: the pound sign (#), the question mark (?), the quotation mark ("), the asterisk (*), the right angle bracket (>), and the left angle bracket (<). Cisco ISE does not allow these characters in usernames.

LDAP Group Settings

Table 36. LDAP Group Settings
Fields	Usage Guidelines
Add	Choose Add > Add Group to add a new group or choose Add > Select Groups From Directory to select the groups from the LDAP directory. If you choose to add a group, enter a name for the new group. If you are selecting from the directory, enter the filter criteria, and click Retrieve Groups. Check the check boxes next to the groups that you want to select and click OK. The groups that you have selected will appear in the Groups page.

LDAP Attribute Settings

Table 37. LDAP Attribute Settings
Fields	Usage Guidelines
Add	Choose Add > Add Attribute to add a new attribute or choose Add > Select Attributes From Directory to select attributes from the LDAP server. If you choose to add an attribute, enter a name for the new attribute. If you are selecting from the directory, enter the username and click Retrieve Attributes to retrieve the user’s attributes. Check the check boxes next to the attributes that you want to select, and then click OK.

RADIUS Token Identity Sources Settings

The following table describes the fields on the RADIUS Token Identity Sources page, which you can use to configure and connect to an external RADIUS identity source. The navigation path for this page is: Administration > Identity Management > External Identity Sources > RADIUS Token.

Table 38. RADIUS Token Identity Source Settings
Fields	Usage Guidelines
Name	Enter a name for the RADIUS token server. The maximum number of characters allowed is 64.
Description	Enter a description for the RADIUS token server. The maximum number of characters is 1024.
SafeWord Server	Check this check box if your RADIUS identity source is a SafeWord server.
Enable Secondary Server	Check this check box to enable the secondary RADIUS token server for Cisco ISE to use as a backup in case the primary fails. If you check this check box, you must configure a secondary RADIUS token server.
Always Access Primary Server First	Click this radio button if you want Cisco ISE to always access the primary server first.
Fallback to Primary Server after	Click this radio button to specify the amount of time in minutes that Cisco ISE can authenticate using the secondary RADIUS token server if the primary server cannot be reached. After this time elapses, Cisco ISE reattempts to authenticate against the primary server.
Primary Server
Host IP	Enter the IP address of the primary RADIUS token server. This field can take as input a valid IP address that is expressed as a string. Valid characters that are allowed in this field are numbers and dot (.).
Shared Secret	Enter the shared secret that is configured on the primary RADIUS token server for this connection.
Authentication Port	Enter the port number on which the primary RADIUS token server is listening.
Server Timeout	Specify the time in seconds that Cisco ISE should wait for a response from the primary RADIUS token server before it determines that the primary server is down.
Connection Attempts	Specify the number of attempts that Cisco ISE should make to reconnect to the primary server before moving on to the secondary server (if defined) or dropping the request if a secondary server is not defined.
Secondary Server
Host IP	Enter the IP address of the secondary RADIUS token server. This field can take as input a valid IP address that is expressed as a string. Valid characters that are allowed in this field are numbers and dot (.).
Shared Secret	Enter the shared secret configured on the secondary RADIUS token server for this connection.
Authentication Port	Enter the port number on which the secondary RADIUS token server is listening. Valid values are from 1 to 65,535. The default is 1812.
Server Timeout	Specify the time in seconds that Cisco ISE should wait for a response from the secondary RADIUS token server before it determines that the secondary server is down.
Connection Attempts	Specify the number of attempts that Cisco ISE should make to reconnect to the secondary server before dropping the request.

RSA SecurID Identity Source Settings

The following table describes the fields on the RSA SecurID Identity Sources page, which you can use to create and connect to an RSA SecurID identity source. The navigation path for this page is:Administration > Identity Management > External Identity Sources > RSA SecurID.

RSA Prompt Settings

The following table describes the fields in the RSA Prompts tab.

Table 39. RSA Prompt Settings
Fields	Usage Guidelines
Enter Passcode Prompt	Enter a text string to obtain the passcode.
Enter Next Token Code	Enter a text string to request the next token.
Choose PIN Type	Enter a text string to request the PIN type.
Accept System PIN	Enter a text string to accept the system-generated PIN.
Enter Alphanumeric PIN	Enter a text string to request an alphanumeric PIN.
Enter Numeric PIN	Enter a text string to request a numeric PIN.
Re-enter PIN	Enter a text string to request the user to re-enter the PIN.

RSA Message Settings

The following table describes the fields in the RSA Messages tab.

Table 40. RSA Messages Settings
Fields	Usage Guidelines
Display System PIN Message	Enter a text string to label the system PIN message.
Display System PIN Reminder	Enter a text string to inform the user to remember the new PIN.
Must Enter Numeric Error	Enter a message that instructs users to enter only numbers for the PIN.
Must Enter Alpha Error	Enter a message that instructs users to enter only alphanumeric characters for PINs.
PIN Accepted Message	Enter a message that the users see when their PIN is accepted by the system.
PIN Rejected Message	Enter a message that the users see when the system rejects their PIN.
User Pins Differ Error	Enter a message that the users see when they enter an incorrect PIN.
System PIN Accepted Message	Enter a message that the users see when the system accepts their PIN.
Bad Password Length Error	Enter a message that the users see when the PIN that they specify does not fall within the range specified in the PIN length policy.

Network Resources

Network Devices

These pages enable you to add and manage network devices.

Network Device Definition Settings

The following table describes the fields in the Network Devices window, which you can use to configure a network access device in Cisco ISE. The navigation path for this page is: Administration > Network Resources > Network Devices.

Network Device Settings

The following table describes the fields in the Network Device Settings section.

Table 41. Network Device Settings

Fields

Description

Name

Enter the name for the network device.

You can provide a descriptive name to the network device that can be different from the hostname of the device. The device name is a logical identifier.

Note

You cannot edit the name of a device once configured.

Description

Enter a description for the device.

IP Address/Mask

Enter a single IP address and a subnet mask.

The following are the guidelines that must be followed while defining the IP addresses and subnet masks:

You can define a specific IP address or a range with a subnet mask. If device A has an IP address range defined, you can configure another device B with an individual address from the range that is defined in device A.
You cannot define two devices with the same specific IP addresses.
You cannot define two devices with the same IP range. The IP ranges must not overlap either partially or completely.

Device Type

Click the drop-down list to choose the vendor of the network device.

You can use the tool tip next to the drop-down list to see the flows and services that the selected vendor's network devices support, as well as the RADIUS CoA port and type of URL redirect used by the device. These attributes are defined in the device type's network device profile.

Model Name

Click the drop-down list to choose the device model.

You can use the model name as one of the parameters while checking for conditions in rule-based policies. This attribute is present in the device dictionary.

Software Version

Click the drop-down list to choose the version of the software running on the network device.

You can use the software version as one of the parameters while checking for conditions in rule-based policies. This attribute is present in the device dictionary.

Network Device Group

Click the Location and Device Type drop-down lists to choose the location and device type that can be associated with the network device.

If you do not specifically assign a device to a group, it becomes a part of the default device groups (root NDGs), which is All Locations by location and All Device Types by device type.

RADIUS Authentication Settings

The following table describes the fields in the RADIUS Authentication Settings section.

Table 42. RADIUS Authentication Settings

Fields

Usage Guidelines

Protocol

Displays RADIUS as the selected protocol.

Shared Secret

Enter a shared secret, which can be up to 127 characters in length.

The shared secret is the key that you have configured on the network device using the radius-host command with the pac option.

Enable KeyWrap

Check this check box only when supported on the network device. This option is used to increase RADIUS security via an AES KeyWrap algorithm.

Note

When you run Cisco ISE in FIPS mode, you must enable KeyWrap on the network device.

Key Encryption Key

(Only appears when you enable KeyWrap) Enter an encryption key that is used for session encryption (secrecy).

Message Authenticator Code Key

(Only appears when you enable KeyWrap) Enter the key that is used for keyed Hashed Message Authentication Code (HMAC) calculation over RADIUS messages.

Key Input Format

Choose one of the following formats:

ASCII: The Key Encryption Key must be 16 characters (bytes) long, and the Message Authenticator Code Key must be 20 characters (bytes) long.
Hexadecimal: The Key Encryption Key must be 32 bytes long, and the Message Authenticator Code Key must be 40 bytes long.

You can specify the key input format that you want to use to enter the Cisco ISE FIPS encryption key, so that it matches the configuration that is available on the WLC. The value that you specify must be the correct (full) length for the key. Shorter values are not permitted.

CoA Port

Enter the number for device port that's listening for the Change of Authorization.

The default CoA port for the device is defined in the device type's network device profile.

SNMP Settings

The following table describes the fields in the SNMP Settings section.

Table 43. SNMP Settings

Fields

Usage Guidelines

SNMP Version

Choose one of the following options from the Version drop-down list:

1: SNMPv1 does not support informs.
2c

3: SNMPv3 is the most secure model because it allows packet encryption when you choose the Priv security level.

Note

If you have configured your network device with SNMPv3 parameters, you cannot generate the Network Device Session Status Summary report that is provided by the Monitoring service (Operations > Reports > Catalog > Network Device > Session Status Summary). You can generate this report successfully if your network device is configured with SNMPv1 or SNMPv2c parameters.

SNMP RO Community

(Applicable only for SNMP Versions 1 and 2c) Enter the Read Only Community string that provides Cisco ISE with a particular type of access to the device.

SNMP Username

(Only for SNMP Version 3) Enter SNMP username.

Security Level

(Only for SNMP Version 3) Choose the security level from the following:

Auth: Enables Message Digest 5 or Secure Hash Algorithm (SHA) packet authentication
No Auth: No authentication and no privacy security level
Priv: Enables Data Encryption Standard (DES) packet encryption

Auth Protocol

(Only for SNMP Version 3 when the security levels Auth and Priv are selected) Choose the authentication protocol that you want the network device to use.

Authentication Protocol includes one of the following for Auth and Priv security levels:

Auth Password

(Only for SNMP Version 3 when the Auth and Priv security levels are selected) Enter the authentication key. It must be at least 8 characters in length.

Click Show to display the Auth Password that is already configured for the device.

Privacy Protocol

(Only for SNMP Version 3 when Priv security level is selected) Choose the privacy protocol that you want the network device to use.

Choose one of the following:

DES
AES128
AES192
AES256
3DES

Privacy Password

(Only for SNMP Version 3 when Priv security level is selected) Enter the privacy key.

Click Show to display the Privacy Password that is already configured for the device.

Polling Interval

Enter the polling interval in seconds. The default is 3600 seconds.

Link Trap Query

Check this check box to receive and interpret linkup and linkdown notifications received through the SNMP Trap.

Mac Trap Query

Check this check box to receive and interpret MAC notifications received through the SNMP Trap

Originating Policy Service Node

Indicates which ISE server to be used to poll for SNMP data. By default, it is automatic, but you can overwrite the setting by assigning different values.

Advanced TrustSec Settings

The following table describes the fields in the Advanced TrustSec Settings section.

Table 44. Advanced TrustSec Settings
Fields	Usage Guidelines
HTTP REST API Settings
TrustSec Device Notification and Updates Settings
Use Device ID for TrustSec Identification	Check this check box if you want the device name to be listed as the device identifier in the Device ID field.
Device ID	You can enter the device ID in this field only if you have not checked the Use Device ID for TrustSec Identification check box.
Password	Enter the password that you have configured on the TrustSec device CLI to authenticate the TrustSec device. Click Show to display the password that is used to authenticate the TrustSec device.
Download Environment Data Every <...>	Specify the time interval at which the device must download its environment data from Cisco ISE. You can specify the time in seconds, minutes, hours, weeks, or days. The default value is 1 day.
Download Peer Authorization Policy Every <...>	Specify the time interval at which the device must download the peer authorization policy from Cisco ISE. You can specify the time in seconds, minutes, hours, weeks, or days. The default value is 1 day.
Reauthentication Every <...>	Specify the time interval at which the device reauthenticates itself against Cisco ISE after the initial authentication. You can configure the time interval in seconds, minutes, hours, weeks or days. For example, if you enter 1000 seconds, the device will authenticate itself against Cisco ISE every 1000 seconds. The default value is 1 day.
Download SGACL Lists Every <...>	Specify the time interval at which the device downloads SGACL lists from Cisco ISE. You can configure the time interval in seconds, minutes, hours, weeks or days. The default value is 1 day.
Other TrustSec Devices to Trust This Device (TrustSec Trusted)	Check this check box if you want all the peer devices to trust this TrustSec device. If you uncheck this check box, the peer devices do not trust this device, and all the packets that arrive from this device are colored or tagged accordingly.
Notify this device about TrustSec configuration changes	Check this check box if you want Cisco ISE to send TrustSec CoA notifications to this TrustSec device.
Device Configuration Deployment Settings
Include this device when deploying Security Group Tag Mapping Updates	Check this check box if you want the TrustSec device to obtain the IP-SGT mappings using device interface credentials.
EXEC Mode Username	Enter the username that you use to log in to the TrustSec device.
EXEC Mode Password	Enter the device password.
Enable Mode Password	(Optional) Enter the enable password that is used to edit the configuration of the TrustSec device in privileged mode.
Out Of Band TrustSec PAC Display
Issue Date	Displays the issuing date of the last TrustSec PAC that has been generated by Cisco ISE for the TrustSec device.
Expiration Date	Displays the expiration date of the last TrustSec PAC that has been generated by Cisco ISE for the TrustSec device.
Issued By	Displays the name of the issuer (a TrustSec administrator) of the last TrustSec PAC that has been generated by Cisco ISE for the TrustSec device.
Generate PAC	Click this option to generate the out-of-band TrustSec PAC for the TrustSec device.

Default Network Device Definition Settings

The following table describes the fields on the Default Network device page, which allows you to configure a default network device that Cisco ISE can use for RADIUS and TACACS+ authentications. The navigation path for this page is: Administration > Network Resources > Network Devices > Default Device.

Table 45. Default Network Device Definition Settings
Fields	Usage Guidelines
Default Network Device Status	Choose Enable from the Default Network Device Status drop-down list to enable the default network device definition.
Device Profile	Displays Cisco as the default device vendor.
Protocol	Displays RADIUS as the selected protocol.
Shared Secret	Enter the shared secret that can be up to 128 characters in length. The shared secret is the key that you have configured on the network device using the radius-host command with the pac option.
Enable KeyWrap	Check this check box only when supported on the network device, which increases RADIUS security via an AES KeyWrap algorithm. When you run Cisco ISE in FIPS mode, you must enable KeyWrap on the network device.
Key Encryption Key	Enter an encryption key that is used for session encryption (secrecy) when you enable KeyWrap.
Message Authenticator Code Key	Enter the key that is used for keyed Hashed Message Authentication Code (HMAC) calculation over RADIUS messages when you enable KeyWrap.
Key Input Format	Choose one of the following formats: ASCII—The Key Encryption Key must be 16 characters (bytes) long, and the Message Authenticator Code Key must be 20 characters (bytes) long. Hexadecimal—The Key Encryption Key must be 32 bytes long, and the Message Authenticator Code Key must be 40 bytes long. You can specify the key input format that you want to use to enter the Cisco ISE FIPS encryption key, so that it matches the configuration that is available on the WLC. (The value that you specify must be the correct [full] length for the key, and shorter values are not permitted.)
Shared Secret	A string of text assigned to a network device when TACACS+ protocol is enabled. A user must enter the text before the network device authenticates a username and password. The connection is rejected until the user supplies the shared secret.
Enable Single Connect Mode	Check to use a single TCP connection for all TACACS+ communication with the network device. Choose one of the following: Legacy Cisco Devices Or, TACACS+ Draft Compliance Single Connect Support. If you disable this option, ISE uses a new TCP connection for every TACACS+ request.

Device Security Settings

Specify the minimum length for the RADIUS shared secret. For new installation and upgraded deployment, by default, this value is 4 characters. For the RADIUS server, best practice is to have 22 characters.

Note

The length of the shared secret entered in the Network Devices page must be equal to or greater than the value configured in the Minimum RADIUS Shared Secret Length field in the Device Security Settings page.

Network Device Import Settings

The following table describes the fields on the Network Device Import Page, which you can use to import network device details into Cisco ISE. The navigation path for this page is: Administration > Network Resources > Network Devices.

Table 46. Network Devices Import Settings
Fields	Usage Guidelines
Generate a Template	Click this link to create a comma-separated value (.csv) template file. You must update the template with network devices information in the same format, and save it locally to import those network devices into any Cisco ISE deployment.
File	Click Browse to the location of the comma-separated value file that you might have created or previously exported from any Cisco ISE deployment. You can import network devices in another Cisco ISE deployment with new and updated network devices information using import.
Overwrite Existing Data with New Data	Check this check box if you want Cisco ISE to replace existing network devices with the devices in your import file. If you do not check this check box, new network device definitions that are available in the import file are added to the network device repository. Duplicate entries are ignored.
Stop Import on First Error	Check this check box if you want Cisco ISE to discontinue import when it encounters an error during import, but Cisco ISE imports network devices until that time of an error. If this check box is not checked and an error is encountered, the error is reported, and Cisco ISE continues to import devices.

Network Device Groups

These pages enable you to configure and manage network device groups.

Network Device Group Settings

The following table describes the fields on the Network Device Groups window, which you can use to create network device groups. The navigation path for this window is: Administration > Network Resources > Network Device Groups > All Groups.

You can also create network device groups in the Work Centers > Device Administration > Network Device Groups > All Groups window.

Table 47. Network Device Group Settings
Fields	Usage Guidelines
Name	Enter the name for the root Network Device Group (NDG). For all subsequent child network device groups under the root NDG, enter the name of the new network device group. The full name of the Network Device Group that can have a maximum of 100 characters. For example, if you are creating a subgroup India under the parent groups Global > Asia, then the full name of the NDG that you are creating would be Global#Asia#India and this full name should not exceed 100 characters. If the full name of the NDG exceeds 100 characters, the NDG creation fails.
Description	Enter the description for the root or the child Network Device Group.
Parent Group	You can select an already existing group as the parent group or add this new group as a root group.
Type	Enter the type for the root Network Device Group. For all subsequent child network device groups under the root NDG, the type is inherited from the parent NDG and therefore all the child NDGs under a root NDG will be of the same type. If this NDG is a root NDG, then the type will be available as an attribute in the device dictionary. You can define conditions based on this attribute. The name of the NDG is one of the values that this attribute can take.

Network Device Group Import Settings

The following table describes the fields on the Network Device Group Import Page, which you can use to import network device groups into Cisco ISE. The navigation path for this page is: Administration > Network Resources > Network Device Groups > Groups.

Table 48. Network Device Groups Import Settings
Fields	Usage Guidelines
Generate a Template	Click this link to create a comma-separated value (.csv) template file. You must update the template with network device groups information in the same format, and save it locally to import those network device groups into any Cisco ISE deployment.
File	Click Browse to the location of the comma-separated value file that you might have created or previously exported from any Cisco ISE deployment. You can import network device groups in another Cisco ISE deployment with new and updated network device groups information using import.
Overwrite Existing Data with New Data	Check this check box if you want Cisco ISE to replace existing network device groups with the device groups in your import file. If you do not check this check box, new network device group that are available in the import file are added to the network device group repository. Duplicate entries are ignored.
Stop Import on First Error	Check this check box if you want Cisco ISE to discontinue import when it encounters an error during import, but Cisco ISE imports network device groups until that time of an error. If this check box is not checked and an error is encountered, the error is reported, and Cisco ISE continues to import device groups.

Support for Session Aware Networking (SAnet)

Cisco ISE provides limited support for Session Aware Networking (SAnet). SAnet is a session management framework that runs on many Cisco switches. SAnet manages access sessions, including visibility, authentication, and authorization. SAnet uses a service template, which contains RADIUS authorization attributes. Cisco ISE includes a service template inside an authorization profile. Cisco ISE identifies service templates in an authorization profile using a flag that identifies the profile as “Service Template” compatible.

Cisco ISE authorization profiles contain RADIUS authorization attributes that are transformed into a list of attributes. SAnet service templates also contain of RADIUS authorization attributes, but those attributes are not transformed into a list.

For SAnet devices, Cisco ISE sends the name of the service template. The device downloads the content of the service template, unless it already has that content in a cache or statically defined configuration. Cisco ISE sends a CoA notification to the device when a service template changes RADIUS attributes.

Network Device Profiles Settings

The following table describes the fields on the Network Device Profiles page, which you can use to configure the default settings for a type of network device from a specific vendor, such as the device's support for protocols, redirect URLs, and CoA settings. You then use the profile to define specific network devices.

The navigation path for this page is: Administration > Network Resources > Network Device Profiles.

Network Device Profile Settings

The following table describes the fields in the Network Device Profile section.

Table 49. Network Device Profile Settings
Fields	Description
Name	Enter the name for the network device profile.
Description	Enter the description for the network device profile.
Icon	Select the icon to use for the network device profile. This icon will default to the icon for the vendor that you select. The icon you select must be a 16 x 16 PNG file.
Vendor	Select the vendor of the network device profile. The vendors available for selection are Cisco, Aruba, HP, Motorola, Brocade, Alcatel, and Other.
Supported Protocols
RADIUS	Check this check box if this network device profile supports RADIUS.
TACACS+	Check this check box if this network device profile supports TACACS+.
TrustSec	Check this check box if this network device profile supports TrustSec.
RADIUS Dictionaries	Select one or more RADIUS dictionaries supported by this profile. Import any vendor-specific RADIUS dictionaries before you create the profile.

Authentication/Authorization Template Settings

The following table describes the fields in the Authentication/Authorization section.

Table 50. Authentication/Authorization Settings
Fields	Description
Flow Type Conditions	Cisco ISE supports 802.1X, MAC authentication bypass (MAB), and browser-based Web authentication login for basic user authentication and access via both wired and wireless networks. Check the check boxes for the authentication logins that this type of network device supports. It could be one or more of the following: Wired MAC authentication bypass (MAB) Wireless MAB Wired 802.1X Wireless 802.1X Wired Web Authentication Wireless Web Authentication After you check the authentication logins that the network device profile supports, specify the conditions for the login.
Attribute Aliasing	Check the SSID check box to use the device's Service Set Identifier (SSID) as the friendly name in policy rules. This allows you to create a consistent name to use in policy rules and it will work for multiple devices.
Host Lookup (MAB)
Process Host Lookup	Check this check box to define the protocols for host lookup used by the network device profile. Network devices from different vendors perform MAB authentication differently. Depending on the device type, check the Check Password check, the Checking Calling-Station-Id equals MAC Address check box, or both, for the protocol you are using.
Via PAP/ASCII	Check this check box to configure Cisco ISE to detect a PAP request from the network device profile as a Host Lookup request.
Via CHAP	Check this check box to configure Cisco ISE to detect this type of request from the network devices as a Host Lookup request. This option enables CHAP authentication. CHAP uses a challenge-response mechanism with password encryption. CHAP does not work with Microsoft Active Directory.
Via EAP-MD5	Check this check box to enable EAP-based MD5 hashed authentication for the network device profile.

Permissions Template Settings

You can define the VLAN and ACL permissions that will be used for this network device profile. After the profile is saved, Cisco ISE automatically generates authorization profiles for each configured permission. The following table describes the fields in the Permissions section.

Table 51. Permissions Settings
Fields	Description
Set VLAN	Check this check box to set the VLAN permissions for this network device profile. Choose of the following options: IETF 802.1X Attributes. This is a set of default RADIUS attributes defined by the Internet Engineering Task Force. Unique Attributes. You can specify multiple RADIUS attribute-value pairs.
Set ACL	Check this check box to select the RADIUS attribute to set for the ACL on the network device profile.

Change of Authorization (CoA) Template Settings

This template defines how the CoA is sent to this type of network device. The following table describes the fields in the Change of Authorization (CoA) section.

Redirect Template Settings

The network devices can redirect a client's HTTP requests if it's configured as part of the authorization profile. This template specifies whether this network device profile supports URL redirect. You will use the URL parameter names specific to the device type.

Note

HP network devices only provide the client IP address parameter in the URL redirect (i.e,. no client MAC address or Session ID parameters). The Monitoring role must be enabled on all PSN nodes serving these devices.

The following table describes the fields in the Redirect section.

Table 52. Redirect Settings
Fields	Definition
Type	Select whether the network device profile supports a static or dynamic URL redirect.
Redirect URL Parameter Names
Client IP Address	Enter the parameter name that the network devices use for a client's IP address.
Client MAC Address	Enter the parameter name that the network devices use for a client's MAC address.
Originating URL	Enter the parameter name that the network devices use for the originating URL.
Session ID	Enter the parameter name that the network devices use for the session ID.
SSID	Enter the parameter name that the network devices use for the Service Set Identifier (SSID).
Dynamic URL Parameters
Parameter	When you select to use a Dynamic URL for redirection, you will need to specify how these network devices create the redirect URL. You can also specify whether the redirect URL uses the session ID or client MAC address.

Advanced Settings

You can use the Network Device Profile to generate a number of policy elements to make it easy to use a network device in policy rules. These elements include compound conditions, authorization profiles, and allowed protocols.

Click the Generate Policy Elements button to create these elements.

External RADIUS Server Settings

The following table describes the fields on the External RADIUS Server page, which you can use to configure a RADIUS server. For Cisco ISE to act as a RADIUS server, you must configure it in this page. The navigation path for this page is: Administration > Network Resources > External RADIUS Servers.

Table 53. External RADIUS Server Settings
Fields	Usage Guidelines
Name	Enter the name of the external RADIUS server.
Description	Enter a description of the external RADIUS server.
Host IP	Enter the IP address of the external RADIUS server.
Shared Secret	Enter the shared secret between Cisco ISE and the external RADIUS server that is used for authenticating the external RADIUS server. A shared secret is an expected string of text that a user must provide to enable the network device to authenticate a username and password. The connection is rejected until the user supplies the shared secret. The shared secret can be up to 128 characters in length.
Enable KeyWrap	Enable this option to increase the RADIUS protocol security via an AES KeyWrap algorithm, to help enable FIPS 140-2 compliance in Cisco ISE.
Key Encryption Key	(Only if you check the Enable Key Wrap check box) Enter a key to be used for session encryption (secrecy).
Message Authenticator Code Key	(Only if you check the Enable Key Wrap check box) Enter a key to be used for keyed HMAC calculation over RADIUS messages.
Key Input Format	Specify the format you want to use to enter the Cisco ISE encryption key, so that it matches the configuration that is available on the WLAN controller. (The value you specify must be the correct [full] length for the key as defined below—shorter values are not permitted.) ASCII—The Key Encryption Key must be 16 characters (bytes) long, and the Message Authenticator Code Key must be 20 characters (bytes) long. Hexadecimal—The Key Encryption Key must be 32 bytes long, and the Message Authenticator Code Key must be 40 bytes long.
Authentication Port	Enter the RADIUS authentication port number. The valid range is from 1 to 65535. The default is 1812.
Accounting Port	Enter the RADIUS accounting port number. The valid range is from 1 to 65535. The default is 1813.
Server Timeout	Enter the number of seconds that the Cisco ISE waits for a response from the external RADIUS server. The default is 5 seconds. Valid values are from 5 to 120.
Connection Attempts	Enter the number of times that the Cisco ISE attempts to connect to the external RADIUS server. The default is 3 attempts. Valid values are from 1 to 9.

RADIUS Server Sequences

The following table describes the fields on the RADIUS Server Sequences page, which you can use to create a RADIUS server sequence. The navigation path for this page is: Administration > Network Resources > RADIUS Server Sequences > Add.

Table 54. RADIUS Server Sequences
Fields	Usage Guidelines
Name	Enter the name of the RADIUS server sequence.
Description	Enter an optional description.
Host IP	Enter the IP address of the external RADIUS server.
User Selected Service Type	Choose the external RADIUS servers that you want to use as policy servers from the Available list box and move them to the Selected list box.
Remote Accounting	Check this check box to enable accounting in the remote policy server.
Local Accounting	Check this check box to enable accounting in Cisco ISE.
Advanced Attribute Settings
Strip Start of Subject Name up to the First Occurrence of the Separator	Check this check box to strip the username from the prefix. For example, if the subject name is acme\userA and the separator is \, the username becomes userA.
Strip End of Subject Name from the Last Occurrence of the Separator	Check this check box to strip the username from the suffix. For example, if the subject name is userA@abc.com and the separator is @, the username becomes userA. You must enable the strip options to extract the username from NetBIOS or User Principle Name (UPN) format usernames (user@domain.com or /domain/user), because only usernames are passed to the RADIUS server for authenticating the user. If you activate both the \ and @ stripping functions, and you are using Cisco AnyConnect, Cisco ISE does not accurately trim the first \ from the string. However, each stripping function that is used individually, however, works as it is designed with Cisco AnyConnect.
Modify Attributes in the Request to the External RADIUS Server	Check this check box to allow Cisco ISE to manipulate attributes that come from or go to the authenticated RADIUS server. The attribute manipulation operations include these: Add—Add additional attributes to the overall RADIUS request/response. Update—Change the attribute value (fixed or static) or substitute an attribute by another attribute value (dynamic). Remove—Remove an attribute or an attribute-value pair. RemoveAny—Remove any occurrences of the attribute.
Continue to Authorization Policy	Check this check box to divert the proxy flow to run the authorization policy for further decision making, based on identity store group and attribute retrieval. If you enable this option, attributes from the response of the external RADIUS server will be applicable for the authentication policy selection. Attributes that are already in the context will be updated with the appropriate value from the AAA server accept response attribute.
Modify Attributes before send an Access-Accept	Check this check box to modify the attribute just before sending a response back to the device.

NAC Manager Settings

The following table describes the fields on the New NAC Managers page, which you can use to add a NAC Manager. The navigation path for this page is: Administration > Network Resources > NAC Managers.

Table 55. NAC Manager Settings

Fields

Usage Guidelines

Name

Enter the name of the Cisco Access Manager (CAM).

Status

Click the Status check box to enable REST API communication from the Cisco ISE profiler that authenticates connectivity to the CAM.

Description

Enter the description of the CAM.

IP Address

Enter the IP address of the CAM. Once you have created and saved a CAM in Cisco ISE, the IP address of the CAM cannot be edited.

You cannot use 0.0.0.0 and 255.255.255.255, as they are excluded when validating the IP addresses of the CAMs in Cisco ISE, and so, they are not valid IP addresses that you can use in the IP Address field for the CAM.

Note

You can use the virtual service IP address that a pair of CAMs share in a high-availability configuration. This allows a failover support of CAMs in a high-availability configuration.

Username

Enter the username of the CAM administrator that allows you to log on to the user interface of the CAM.

Password

Enter the password of the CAM administrator that allows you to log on to the user interface of the CAM.

Device Portal Management

Configure Device Portal Settings

Global Settings for Device Portals

Choose Work Centers > BYOD > Settings > Employee Registered Devices or Administration > Device Portal Management > Settings.

You can configure the following general settings for the BYOD and My Devices portals:

Employee Registered Devices—Enter the maximum number of devices that an employee can register in Restrict employees to. By default, this value is set to 5 devices.
Retry URL—Enter a URL that can be used to redirect the device back to Cisco ISE in Retry URL for onboarding.

Once you configure these general settings, they apply to all BYOD and My Devices portals that you set up for your company.

Portal Identification Settings for Device Portals

The navigation path for these settings is Administration > Device Portal Managment > Blacklist Portal, Client Provisioning Portals, BYOD Portals, MDM Portals, or My Device Portals > Create, Edit or Duplicate > Portals Settings and Customization.

Portal Name: Enter a unique portal name to access this portal. Do not use this portal name for any other Sponsor, Guest, or nonguest portals, such as Blacklist, Bring Your Own Device (BYOD), Client Provisioning, Mobile Device Management (MDM), or My Devices portals.

This name appears in the authorization profile portal selection for redirection choices. It is applied to the list of portals for easy identification among other portals.
Description—Optional.

Portal test URL—A system-generated URL displays as a link after you click Save. Use it to test the portal.

Click the link to open a new browser tab that displays the URL for this portal. Policy Services Node (PSN) with Policy Services must be turned on. If Policy Services are disabled, the PSN only displays the Admin portal.

Note

The test portal does not support RADIUS sessions, so you won't see the entire portal flow for all portals. BYOD and Client Provisioning are examples of portals that depend on RADIUS sessions. For example, a redirect to an external URL will not work. If you have more than one PSN, ISE chooses the first active PSN.

Language File—Each portal type supports 15 languages by default, which are available as individual properties files bundled together in a single zipped language file. Export or import the zipped language file to use with the portal. The zipped language file contains all the individual language files that you can use to display text for the portal.

The language file contains the mapping to the particular browser locale setting (for example, for French: fr, fr-fr, fr-ca) along with all of the string settings for the entire portal in that language. A single language file contains all the supported languages, so that it can easily be used for translation and localization purposes.

If you change the browser locale setting for one language, the change is applied to all the other end-user web portals. For example, if you change the French.properties browser locale from fr,fr-fr,fr-ca to fr,fr-fr in the Hotspot Guest portal, the changes also apply to the My Devices portal.

An alert icon displays when you customize any of the text on the Portal Page Customizations tab. The alert message reminds you that any changes made to one language while customizing the portal must also be added to all the supported languages properties files. You can manually dismiss the alert icon using the drop-down list option; or it is automatically dismissed after you import the updated zipped language file.

Portal Settings for the Blacklist Portal

The navigation path for these settings is Administration > Device Portal Management > Blacklist Portal > Edit > Portal Behavior and Flow

Cisco Identity Services Engine Administrator Guide, Release 2.0

Bias-Free Language

Results

Chapter: Administration User Interface Reference

Administration User Interface Reference

Deployment and Node Settings

Deployment Nodes List Window

General Node Settings

Profiling Node Settings

Certificate Store Settings

Self-Signed Certificate Settings

Certificate-Signing Request Settings

Endpoint Certificate Overview Page

Check the Status of the Certificates (OCSP or CRL).

System Certificate Import Settings

Trusted Certificate Store Page

Edit Certificate Settings

Trusted Certificate Import Settings

OCSP Client Profile Settings

Internal CA Settings

Certificate Template Settings

Logging Settings

Remote Logging Target Settings

Logging Category Settings

Maintenance Settings

Repository Settings

On-Demand Backup Settings

Scheduled Backup Settings

Admin Access Settings

Administrator Password Policy Settings

Session Timeout and Session Information Settings

Settings

Posture General Settings

General Posture Settings

Posture Lease

Posture Reassessment Configuration Settings

Posture Acceptable Use Policy Configuration Settings

EAP-FAST Settings

PAC Settings

EAP-TTLS Settings

EAP-TLS Settings

PEAP Settings

RADIUS Settings

General TrustSec Settings

Verify Trustsec Deployment

Protected Access Credential (PAC)

Security Group Tag Numbering

Security Group Tag Numbering for APIC EPGs

Automatic Security Group Creation

IP SGT static mapping of hostnames

TrustSec Matrix Settings

SMS Gateway Settings

DHCP and DNS Services

Identity Management

Endpoints

Endpoint Settings

Endpoint Import from LDAP Settings

Groups

Endpoint Identity Group Settings

External Identity Sources

LDAP Identity Source Settings

LDAP General Settings

LDAP Connection Settings

LDAP Directory Organization Settings

LDAP Group Settings

LDAP Attribute Settings

RADIUS Token Identity Sources Settings

RSA SecurID Identity Source Settings

RSA Prompt Settings

RSA Message Settings

Network Resources

Network Devices

Network Device Definition Settings

Network Device Settings

RADIUS Authentication Settings

SNMP Settings

Advanced TrustSec Settings

Default Network Device Definition Settings

Device Security Settings

Network Device Import Settings