Cisco ISE Users
In this chapter, the term user refers to employees and contractors who access the network regularly as well as sponsor and guest users. A sponsor user is an employee or contractor of the organization who creates and manages guest-user accounts through the sponsor portal. A guest user is an external visitor who needs access to the organization’s network resources for a limited period of time.
You must create an account for any user to gain access to resources and services on the Cisco ISE network. Employees, contractors, and sponsor users are created from the Admin portal.
User Identity
User identity is like a container that holds information about a user and forms their network access credentials. Each user’s identity is defined by data and includes: a username, e-mail address, password, account description, associated administrative group, user group, and role.
User Groups
User groups are a collection of individual users who share a common set of privileges that allow them to access a specific set of Cisco ISE services and functions.
User Identity Groups
A user’s group identity is composed of elements that identify and describe a specific group of users that belong to the same group. A group name is a description of the functional role that the members of this group have. A group is a listing of the users that belong to this group.
Default User Identity Groups
Cisco ISE comes with the following predefined user identity groups:
- Employee—Employees of your organization belong to this group.
- SponsorAllAccount—Sponsor users who can suspend or reinstate all guest accounts in the Cisco ISE network.
- SponsorGroupAccounts—Sponsor users who can suspend guest accounts created by sponsor users from the same sponsor user group.
- SponsorOwnAccounts—Sponsor users who can only suspend the guest accounts that they have created.
- Guest—A visitor who needs temporary access to resources in the network.
- ActivatedGuest—A guest user whose account is enabled and active.
User Role
A user role is a set of permissions that determine what tasks a user can perform and what services they can access on the Cisco ISE network. A user role is associated with a user group; for example, a network access user.
User Account Custom Attributes
Cisco ISE allows you to restrict network access based on user attributes for both network access users and administrators. Cisco ISE comes with a set of predefined user attributes and also allows you to create custom attributes. Both types of attributes can be used in conditions that define the authentication policy. You can also define a password policy for user accounts so that passwords meet specified criteria.
Custom User Attributes
On the User Custom Attributes Setting page, you can use the Custom Attributes pane to define more user-account attributes. Cisco ISE provides a list of predefined attributes that are not configurable. However, you can define custom attributes by configuring the following:
- Attribute name
- Data type
User Authentication Settings
Not all external identity stores allow network access users to change their passwords. See the section for each identity source for more information.
Network user password rules are configured on . The following content has additional information about some of the fields on the Password Policy tab.
- Required Characters: If you configure a user-password policy that requires uppercase or lowercase characters, and the user's language does not support these characters, the user cannot set a password. To support UTF-8 characters, uncheck the following check box options:
  - Lowercase alphabetic characters
  - Uppercase alphabetic characters
- Password Change Delta: Specifies the minimum number of characters that must change when changing the current password to a new password. Cisco ISE does not consider changing the position of a character as a change.
  For example, if the password delta is 3, and the current password is "?Aa1234?", then "?Aa1567?" ("5", "6", and "7" are the three new characters) is a valid new password. "?Aa1562?" fails, since the "?", "2", and "?" characters are in the current password. "Aa1234??" fails, because even though the character positions changed, the same characters are in the current password.
  Password change delta also considers the previous X passwords, where X is the value of Password must be different from the previous versions. If your password delta is 3, and your password history is 2, then you must change 4 characters that are not part of the past 2 passwords.
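The position-insensitive counting rule described above, as an added example (not Cisco ISE code) that reproduces the three "?Aa1234?" cases from the text. It assumes a character counts as changed only if it occurs nowhere in the compared password(s), that each distinct new character is counted once, and it takes the history-adjusted requirement as a parameter rather than deriving it, since the text gives a single data point (4 for delta 3, history 2).

```python
"""Password change delta check, following the rules described above.

Added example, not Cisco ISE code. Assumption: a character of the new
password counts as changed only if it occurs nowhere in the password(s)
it is compared against, and each distinct new character is counted once;
position is ignored, matching the "Aa1234??" case in the text.
"""


def new_character_count(candidate: str, known: list[str]) -> int:
    """Number of distinct characters in candidate that none of the known passwords contain."""
    pool = set("".join(known))
    return len(set(candidate) - pool)


def meets_change_delta(candidate: str, current: str, delta: int) -> bool:
    """True when at least `delta` characters of candidate are absent from the current password."""
    return new_character_count(candidate, [current]) >= delta


def meets_change_delta_with_history(candidate: str, current: str,
                                    previous: list[str], required: int) -> bool:
    """Variant that also pools the previous passwords kept in history.

    `required` is the number of new characters demanded once history is
    taken into account (the text gives 4 for delta 3 and history 2); it is
    passed in rather than derived because the text gives that one data point.
    """
    return new_character_count(candidate, [current, *previous]) >= required


if __name__ == "__main__":
    # Constructed sample values taken from the worked example in the text.
    current = "?Aa1234?"
    for proposal in ("?Aa1567?", "?Aa1562?", "Aa1234??"):
        verdict = "ok" if meets_change_delta(proposal, current, 3) else "rejected"
        print(proposal, verdict)
```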
End users are required to change their password periodically; if they do not, the user account is disabled temporarily. You can use the Password Lifetime section to update the password reset interval and reminder. To set the lifetime of the password, check the Disable user account after __ days if password was not changed check box and enter the number of days in the input box. To enable a reminder for password reset, check the Display reminder __ days prior to password expiration check box and enter the number of days before password expiry at which the user should be notified.
The Account Disable Policy tab is where you configure rules about when to disable an existing user account. See Disable User Accounts Globally for more information.
Generate Automatic Password for Users and Administrators
Cisco ISE provides a Generate Password option on the user and administrator creation pages, which generates a password that adheres to the Cisco ISE password policies. Users and administrators can use the password that Cisco ISE generates instead of spending time devising a safe password themselves. The option is available on the following pages:
- Users—Administration > Identity Management > Identities > Users.
- Administrators—Administration > System > Admin Access > Administrators > Admin Users.
- Logged in Administrator (Current Administrator)—Settings > Account Settings > Change Password.
Add Users
Cisco ISE allows you to view, create, modify, duplicate, delete, change the status, import, export, or search for attributes of Cisco ISE users.
If you are using a Cisco ISE internal database, you must create an account for any new user who needs access to resources or services on a Cisco ISE network.
Procedure
Step 1: Choose . You can also create users by accessing the page.
Step 2: Click Add (+) to create a new user.
Step 3: Enter values for the fields.
Step 4: Click Submit to create a new user in the Cisco ISE internal database.
Export Cisco ISE User Data
You might have to export user data from the Cisco ISE internal database. Cisco ISE allows you to export user data in the form of a password-protected csv file.
Procedure
Step 1: Choose .
Step 2: Check the check box that corresponds to the user(s) whose data you want to export.
Step 3: Click Export Selected.
Step 4: Enter a key for encrypting the password in the Key field.
Step 5: Click Start Export to create a users.csv file.
Step 6: Click OK to export the users.csv file.
Import Cisco ISE Internal Users
You can import new user data into ISE with a csv file to create new internal accounts. A template csv file is available for download on the pages where you can import user accounts. You can import users on .
Procedure
Step 1: Choose .
Step 2: Click Import to import users from a comma-delimited text file. If you do not have a comma-delimited text file, click Generate a Template to create a csv file with the heading rows filled in.
Step 3: In the File text box, enter the filename containing the users to import, or click Browse and navigate to the location where the file resides.
Step 4: Check the Create new user(s) and update existing user(s) with new data check box if you want to both create new users and update existing users.
Step 5: Click Save to save your changes to the Cisco ISE internal database.
Note: We recommend that you do not delete all the network access users at one time, because this may cause a CPU spike and crash the services, especially if you are using a very large database.
Create a User Identity Group
You must create a user identity group before you can assign a user to it.
Procedure
Step 1: Choose . You can also create a user identity group by accessing the page.
Step 2: Enter values in the Name and Description fields. Supported characters for the Name field are space # $ & ‘ ( ) * + - . / @ _ .
Step 3: Click Submit.
Export User Identity Groups
Cisco ISE allows you to export locally configured user identity groups in the form of a csv file.
Procedure
Step 1: Choose Administration > Identity Management > Groups > Identity Groups > User Identity Groups.
Step 2: Check the check box that corresponds to the user identity group that you want to export, and click Export.
Step 3: Click OK.
Import User Identity Groups
Cisco ISE allows you to import user identity groups in the form of a csv file.
Procedure
Step 1: Choose .
Step 2: Click Generate a Template to get a template to use for the import file.
Step 3: Click Import to import network access users from a comma-delimited text file.
Step 4: Check the Overwrite existing data with new data check box if you want to both add a new user identity group and update existing user identity groups.
Step 5: Click Import.
Step 6: Click Save to save your changes to the Cisco ISE database.
Create Authorization Policy Using External Identity Sources
Following are the steps for creating an authorization policy using external identity sources:
Procedure
Step 1: Choose to create a new authorization policy rule under Standard policies. If you enabled Policy Sets, choose , pick the Policy Set you plan to use for this portal, expand Authorization Policy, and add a new rule.
Step 2: For Conditions, select an endpoint identity group that you want to use for the portal validation. When the external identity source (for example, RSA SecurID) is used with the internal user group, create the condition using the following syntax: prefix the group name with "User Identity Groups:" without the quotes.
Step 3: For Permissions, select the portal authorization profile that you created.
Disable Individual User Accounts
Cisco ISE allows you to disable the account of an individual user once the account disable date that the admin user configured for that user has passed.
Procedure
Step 1: Choose Administration > Identity Management > Identities > Users.
Step 2: Click Add to create a new user, or check the check box next to an existing user and click Edit to edit the existing user details.
Step 3: Check the Disable account if the date exceeds check box and select the date. This option disables the user account once the date configured for that user has passed. You can configure different expiry dates for different users as required. This option overrules the global configuration for each individual user. The configured date can be either the current system date or a future date.
Step 4: Click Submit to configure the account disable policy for an individual user.
Disable User Accounts Globally
You can disable user accounts on a certain date, several days after account creation or last access date, and after several days of account inactivity.
Procedure
Step 1: Choose Administration > Identity Management > Settings > User Authentication Settings > Account Disable Policy.
Step 2: Perform one of the following actions:
Step 3: Click Submit to configure the global account disable policy.
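The interaction between the per-user date in Disable Individual User Accounts and the global policy in Disable User Accounts Globally, as an added example (not Cisco ISE code). The three global modes, the "disabled once today is past the cutoff" comparison, and the dataclass shapes are assumptions read from the two sections above; the sample accounts and dates are constructed.

```python
"""Evaluates whether an internal user account should be disabled under the
per-user and global account disable policies described above. Added example,
not Cisco ISE code; the policy modes and date comparison are assumptions."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class GlobalDisablePolicy:
    """Exactly one mode is expected to be set; the others stay None."""
    disable_on: date | None = None          # disable on a fixed calendar date
    days_after_creation: int | None = None  # disable N days after account creation
    days_inactive: int | None = None        # disable N days after the last access


@dataclass
class UserAccount:
    name: str
    created: date
    last_access: date
    disable_after: date | None = None       # per-user "Disable account if the date exceeds"


def valid_per_user_date(candidate: date, today: date) -> bool:
    """The per-user date must be the current system date or a future date."""
    return candidate >= today


def global_disable_date(policy: GlobalDisablePolicy, acct: UserAccount) -> date | None:
    """Cutoff implied by the global policy for this account, or None if no mode is set."""
    if policy.disable_on is not None:
        return policy.disable_on
    if policy.days_after_creation is not None:
        return acct.created + timedelta(days=policy.days_after_creation)
    if policy.days_inactive is not None:
        return acct.last_access + timedelta(days=policy.days_inactive)
    return None


def effective_disable_date(policy: GlobalDisablePolicy, acct: UserAccount) -> date | None:
    """A per-user date overrules the global configuration for that user."""
    if acct.disable_after is not None:
        return acct.disable_after
    return global_disable_date(policy, acct)


def is_disabled(policy: GlobalDisablePolicy, acct: UserAccount, today: date) -> bool:
    """Disabled once today has moved past the effective cutoff date."""
    cutoff = effective_disable_date(policy, acct)
    return cutoff is not None and today > cutoff
```

Because the per-user date wins, a future per-user date keeps an account enabled past the point at which the global inactivity or creation-age policy would have disabled it, so per-user overrides deserve periodic review.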