Cisco Identity Services Engine Administrator Guide, Release 2.3

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Book Contents
Find Matches in This Book
Available Languages
Download Options

Book Title

Cisco Identity Services Engine Administrator Guide, Release 2.3

Chapter Title

Navigate the Admin portal

Results

Updated:
August 1, 2018

Chapter: Navigate the Admin portal

Navigate the Admin portal

Administration Portal

The administration portal provides access to Cisco ISE configuration and reporting. The following figure shows the main elements of the menu bar of the administration portal.

Figure 1. Cisco ISE Administration Portal
Table 1. Components of the Cisco ISE Administration Portal

1

Menu Drop-downs

  • Context Visibility: The context visibility windows display information about endpoints, users, and network access devices (NAD). The context visibility information is segmented by features, applications, Bring Your Own Device (BYOD), and other categories, depending on the licenses you have registered. The context visibility windows use a central database and gather information from database tables, caches, and buffers. As a result, the content in the context visibility dashlets and lists updates quickly. The context visibility windows consist of dashlets at the top, and a list of information at the bottom. When you filter data by modifying the column attributes in the list, the dashlets refresh to display the modified content.

  • Policy: Policy windows include tools for managing network security in the areas of authentication, authorization, profiling, posture, and client provisioning.

  • Administration: Administration windows include tools for managing Cisco ISE nodes, licenses, certificates, network devices, users, endpoints, and guest services.

2

Top-Right Menu Icons

  • Use this icon to search for endpoints and display their distribution by profiles, failures, identity stores, location, device type, and so on.

  • Click this icon for a drop-down list that allows you to access the online help for the currently displayed page, and links to the Cisco ISE Community, Portal Builder, and more.

  • Click this icon to access the following options:

    • PassiveID Setup: The PassiveID Setup option launches the PassiveID Setup wizard to set up passive identity using Active Directory. Configure the server to gather user identities and IP addresses from external authentication servers and deliver the authenticated IP addresses to the corresponding subscriber.

    • Visibility Setup: The Visibility Setup option launches the ISE Visibility Setup wizard that allows you to add a list of IP address ranges for endpoint discovery.

    • Wireless Setup (BETA): The Wireless Setup (BETA) option provides an easy way to set up wireless flows for 802.1X, Guest services, and BYOD. This option also provides workflows to configure and customize each portal for Guest services and BYOD.

  • Click this icon for a menu of system activities, including launching online help, and configuring account settings.

Cisco ISE Home Dashboards

The Cisco ISE Home dashboard displays live consolidated and correlated statistical data that is essential for effective monitoring and troubleshooting. Dashboard elements typically display activity over 24 hours. The following figure is an example of the information available in a Cisco ISE dashboard. You can view the Cisco ISE dashboard data only in the primary Policy Administration node (PAN) portal.

Figure 2. Cisco ISE Home Dashboard

The home page has five default dashboards that display your Cisco ISE data. Each of these dashboards has several predefined dashlets.

  • Summary: This dashboard contains a linear metrics dashlet, pie chart dashlets, and list dashlets. The metrics dashlet is not configurable. By default this dashboard contains the dashletsStatus Endpoints, Endpoint Categories, and Network Devices.

  • Endpoints: By default, this dashboard contains the dashlets Status, Endpoints, Endpoint Categories, and Network Devices.

  • Guests: This dashboard contains dashlets that provide information on guest user type, log in failures, and location of acitivity.

  • Vulnerability: This dashboard displays the information that vulnerability servers report to Cisco ISE.

  • Threat: This dashboard displays information from the threat servers reports sent to Cisco ISE.

Configuring Home Dashboards

You can customize a home page dashboard by clicking the Gear icon in the top right corner of the window:

Figure 3. Customize A Dashboard

The following options are displayed in the drop-down list:

  • Add New Dashboard allows you to add a new dashboard. Enter a value in the field that is displayed and click Apply.

  • Add Dashlet(s) displays a dialog box with a list of dashlets available. Click Add or Remove next to the dashlet name to add or remove a dashlet from the dashboard.

  • Export saves the selected home page view to a PDF.

  • Layout Template configures the number of columns that are displayed in this view.

  • Manage Dashboards contains two options:

    • Mark As Default Dashboard: Choose this option to make the current dashboard the default view when you choose Home.

    • Reset All Dashboards: Use this option to also reset all the dashboards and remove your configurations on all the Home dashboards.

Context Visibility Views

The structure of a Context Visibility window is similar to the home page, except that the Context Visibility windows:

  • Retain your current context (browser window) when you filter the displayed data

  • Are more customizable

  • Focus on endpoint data

You can view the context visibility data only from the primary PAN.

Dashlets on the Context Visibility windows show information about endpoints, and endpoint connections to NADs. The information currently displayed is based on the content in the list of data below the dashlets on each window. Each window displays endpoint data, based on the name of the tab. As you filter the data, both the list and dashlets update. You can filter the data by clicking on parts of one or more of the circular graphs, by filtering rows on the table, or any combination those actions. As you select filters, the effects are additive, also referred to as cascading filter, which allows you to drill down to find the particular data you are looking for. You can also click an endpoint in the list, and get a detailed view of that endpoint.

There are four main views under Context Visibility:

  • Endpoints: Filter the endpoints you want to view based on types of devices, compliance status, authentication type, hardware inventory, and more. See The Hardware Dashboard for additional information.


    Note

    We recommend that you enable the accounting settings on the network access devices (NADs) to ensure that the accounting start and update information is sent to Cisco ISE.

    Cisco ISE can collect accounting information, such as the latest IP address, status of the session (Connected, Disconnected, or Rejected), the number of days an endpoint has been inactive, only if accounting is enabled. This information is displayed in the Live Logs, Live Sessions and Context Visibility windows in the Cisco ISE administration portal. When accounting is disabled on a NAD, there might be a missing, incorrect, or mismatched accounting information between the Live Sessions, Live Logs and Context Visibility windows.


    Note

    The Visibility Setup workflow that is available on the Cisco ISE administration portal home page allows you to add a list of IP address ranges for endpoints discovery. After this workflow is configured, Cisco ISE authenticates the endpoints, but the endpoints that are not included in the configured IP address ranges are not displayed in the Context Visibility > Endpoints window and the Endpoints listing page (Work Centers > Network Access > Identities > Endpoints).

  • Users: Displays user-based information from user identity sources.

    If there is a change in the username or password attribute, it reflects in the Users window when there is a change in the authentication status.

    If the username is changed in the Microsoft Active Directory, the updated change is displayed in the Users window immediately after re-authentication.

    If any other attributes such as Email, Phone, Department, etc are changed in the Microsoft Active Directory, the updated attributes are displayed in the Users window 24 hours after re-authentication.

    Note

    Updating User Attributes from AD depends on the interval configured under Active Directory Probe. For more information, see Active Directory Probe.

  • Network Devices: This window displays the list of NADs that have endpoints connected to them. For any NAD, click the number of endpoints that is displayed in the corresponding # of endpoints column. A window that lists all the devices filtered by that NAD is displayed.


    Note

    If you have configured your network device with SNMPv3 parameters, you cannot generate the Network Device Session Status Summary report that is provided by the Cisco ISE monitoring service (Operations > Reports > Catalog > Network Device > Session Status Summary). You can generate this report successfully if your network device is configured with SNMPv1 or SNMPv2c parameters.

  • Application: Use this window to identify the number of endpoints that have a specific application installed. The results are displayed in graphical and table formats. The graphical representation helps you make a comparative analysis. For example, you can find out the number of endpoints with the Google Chrome software along with their Version, Vendor, and Category (Anti-phishing, Browser, and so on) in a table as well as a bar chart. For more information, see The Application Tab.

You can create a new tab in the Context Visibility windows and create a custom list for additional filtering. Dashlets are not supported in custom views.

Click a section of a circular graph in a dashlet to view a new window with filtered data from that dashlet in. From this new window, you can continue to filter the displayed data, as described in Filtering Displayed Data in a View.

For more information about using Context Visibility windows to find endpoint data, see the following Cisco YouTube video which uses ISE 2.1 https://www.youtube.com/watch?v=HvonGhrydfg.

Dashlets

The following image is an example of a dashlet:

  1. The stacked window symbol “detaches”,Open New Window icon opens this dashlet in a new browser window. The pie chart refreshes. Click the X to delete this dashlet. This option is only available on the home page. You delete dashlets in Context Visibility windows using the gear symbol in the top-right corner of the screen.

  2. Some dashlets have different categories of data. Click the category to see a pie chart with that set of data.

  3. The pie chart shows the data that you have selected. Click one of the pie segments to open a new tab in with the filtered data, based on that pie segment.

Click a section of the pie chart in a home page dashboard to open the chart in a new browser window. The new window displays data that is filtered by the section of the pie chart that you clicked on.

When you click a section of the pie chart in a Context Visibility window, the displayed data is filtered but context does not change. You view the filtered data in the same browser window.

The Application Dashboard

Table 2. Description of the Application Dashboard

Label

Description

1

The Summary tab is displayed by default on the home page. It displays the Application Categories dashlet, which contains a bar chart. Applications are classified into 13 categories. Applications that do not fall into any of these categories are grouped as Unclassified.

The available categories are Anti-Malware, Antiphishing, Backup, Browser, Data Loss Prevention, Data Storage, Encryption, Firewall, Messenger, Patch Management, Public File Sharing, Virtual Machine, and VPN Client.

2

Each bar corresponds to a classified category. Hover over each bar to view the total number of applications and endpoints that correspond to the selected application category.

3

The applications and endpoints that fall under the Classified category are displayed in blue. Unclassified applications and endpoints are displayed in gray. Hover over the classified or unclassified category bars to view the total number of applications and endpoints that belong to that category. You can click Classified and view the results in the bar chart and table in the window. When you click Unclassified, the bar chart is disabled and the results are displayed in the table in the window.

4
The applications and endpoints are displayed based on the selected filter. You can view the breadcrumb trail as you click different filters. You can click Deselect All to remove all the applied filters.

5

When you click multiple bars, the corresponding classified applications and endpoints are displayed in the table. For example, if you select the Antimalware and Patch Management categories, the following results are displayed:

Application Name Version Vendor Category Application OS Endpoints With This Software

Gatekeeper

9.9.5

Apple Inc.

Antimalware

 windows 7 64-bit,mac osx 10.10,mac osx 8,mac osx 9 5

Gatekeeper

10.9.5

Apple Inc.

Antimalware

 Windows 8 64-bit, mac osx 10.10 3

Software Update

2.3

Apple Inc.

Patch Management

Windows 7 64 bit, mac osx 10.10,mac osx 8,mac osx 9

5

6

Click an endpoint in the Endpoints With This Software column in the table to view the endpoint details, such as Mac address, NAD IP address, NAD port ID/SSID, IPv4 address, and so on.

7

You can select an application name and choose the Create App Compliance option from the Policy Actions drop-down list to create application compliance condition and remediation.

The Hardware Dashboard

The endpoint hardware tab under context visibility helps you collect, analyze, and report endpoint hardware inventory information within a short time. You can gather information, such as finding endpoints with low memory capacity or finding the BIOS model/version in an endpoint. You can increase the memory capacity or upgrade the BIOS version based on these findings. You can assess the requirements before you plan the purchase of an asset. You can ensure timely replacement of resources. You can collect this information without installing any modules or interacting with the endpoint. In summary, you can effectively manage the asset lifecycle.

The Context Visibility > Endpoints > Hardware page displays the Manufacturers and Endpoint Utilizations dashlets. These dashlets reflect the changes based on the selected filter. The Manufacturers dashlet displays hardware inventory details for endpoints with Windows and Mac OS. The Endpoint Utilizations dashlet displays the CPU, Memory, and Disk utilization for endpoints. You can select any of the three options to view the utilization in percentage.

  • Devices With Over n% CPU Usage.

  • Devices With Over n% Memory Usage.

  • Devices With Over n% Disk Usage.


Note

The hardware inventory data takes 120 seconds to be displayed in the ISE GUI. The hardware inventory data is collected for posture compliant and non-compliant states.

The hardware attributes of an endpoint and their connected external devices are displayed in a table format. The following hardware attributes are displayed:

  • MAC Address

  • BIOS Manufacturer

  • BIOS Serial Number

  • BIOS Model

  • Attached Devices

  • CPU Name

  • CPU Speed (GHz)

  • CPU Usage (%)

  • Number of Cores

  • Number of Processors

  • Memory Size (GB)

  • Memory Usage (%)

  • Total Internal Disk(s) Size (GB)

  • Total Internal Disk(s) Free Size (GB)

  • Total Internal Disk(s) Usage (%)

  • Number of Internal Disks

  • NAD Port ID

  • Status

  • Network Device Name

  • Location

  • UDID

  • IPv4 Address

  • Username

  • Hostname

  • OS Types

  • Anomalous Behavior

  • Endpoint Profile

  • Description

  • Endpoint Type

  • Identity Group

  • Registration Date

  • Identity Store

  • Authorization Profile

You can click the number in the Attached Devices column that corresponds to an endpoint to view the Name, Category, Manufacturer, Type, Product ID, and Vendor ID of the USB devices that are currently attached to the endpoint.


Note

Cisco ISE profiles the hardware attributes of a client’s system, however, there may be a few hardware attributes Cisco ISE does not profile. These hardware attributes may not appear in the Hardware Context Visibility page.

The hardware inventory data collection interval can be controlled in the Administration > System > Settings > Posture > General Settings page. The default interval is 5 minutes.

Filtering Displayed Data in a View

When you click a dashlet in a Context Visibility window, the corresponding data is filtered by the item you click and displayed. For example, when you click a section of a pie chart, the data for the chosen section is filtered and displayed.

If you click mobil…vices in the Endpoints dashlet, the window refreshes to disaplay two Endpoints dashlets, a Network Devices dashlet, and a list of data. The dashlets and list show data for mobile devices, as shown in the following examplea new window displays the data, as shown in the following image:

You can continue to filter data by clicking more sections of the pie charts, or by using the controls on the list of data.

  1. The gear icon filters the displayed columns. From the drop-down list, choose the columns that you want to view in this dashboard’s list.

  2. The Quick Filter is displayed by default. Enter characters into the box (label number 3) to filter the list based on the result. The Custom Filter provides a more granular filter, as shown in the following image:

Save your custom filters.

Endpoint Actions in Dashlet Views

The toolbar at the top of the list allows you to act on endpoints in the list that you select. Not all actions are enabled for every list. Some actions depend on the feature that is enabled for use. The following list shows two endpoint actions that must be enabled in Cisco ISE before you can use them.

  • Adaptive Network Control Actions

    If you enable the Adaptive Network Control service, you can select endpoints in the list and assign or revoke network access. You can also issue a change of authorization.

    Enable the Adaptive Network Services or Endpoint Protection Services in Cisco ISE in the Adaptive Network Service window. In the Cisco ISE GUI, click the Menu icon () and chooseAdministration > System > Settings > Endpoint Protection Service > Adaptive Network Control. For more information, see Enable Adaptive Network Control in Cisco ISE.

    When you click the pie chart on a home page dashlet, the new window that is displayed contains the options ANC and Change Authorization. Check the check box for the endpoint you want to perform an action on, and choose the necessary action from the drop-down lists ofANC and Change Authorization.

    Figure 4. Endpoint Actions in Dashlet Views

  • MDM Actions

    If you connect an MDM server to Cisco ISE, you can perform MDM actions on selected endpoints. Choose the necessary action from the MDM Actions drop-down list.

Attributes in Context Visibility

The systems and services that provide attributes for Context Visibility sometimes have different values for the same attribute name. The following are a few examples:

For Operating System

  • OperatingSystem: Posture operating system.

  • operating-system: NMAP operating system.

  • operating-system-result: Profiler consolidated operating system.


Note

There might be some discrepancies in the endpoint operating system data that is displayed in the Context Visibility window when you enable multiple probes in Cisco ISE for an endpoint.

For Portal Name

  • Portal.Name: Guest portal name when device registration is turned on.

  • PortalName: Guest portal name when device registration is not turned on.

For Portal User

  • User-Name: Username from RADIUS authentication.

  • GuestUserName: Guest username.

  • PortalUser: Portal username.

Cisco ISE Internationalization and Localization

Cisco ISE internationalization adapts the user interface to the supported languages. Localization of the user interface incorporates location-specific components and translated text. In Windows, MAC OSX, and Android devices, the native supplicant provisioning wizard can be used in any of the following supported languages.

In Cisco ISE, internalization and localization support focuses on support for non-English text in UTF-8 encoding to the end user-facing portals and on selective fields in the administration portal.

Supported Languages

Cisco ISE provides localization and internalization support for the following languages and browser locales.

Table 3. Supported Languages and Locales

Language

Browser Locale

Chinese traditional

zh-tw

Chinese simplified

zh-cn

Czech

cs-cz

Dutch

nl-nl

English

en

French

fr-fr

German

de-de

Hungarian

hu-hu

Italian

it-it

Japanese

ja-jp

Korean

ko-kr

Polish

pl-pl

Portuguese (Brazil)

pt-br

Russian

ru-ru

Spanish

es-es

End-User Web Portal Localization

The Guest, Sponsor, My Devices, and Client Provisioning portals are localized into all the supported languages and locales. This includes text, labels, messages, field names, and button labels. If a client browser requests a locale that is not mapped to a template in Cisco ISE, the portal displays content using the English template.

Using the administration portal, you can modify the fields that are used in the Guest, Sponsor, and My Devices portals for each language. You can also add other languages. Currently, you cannot customize these fields for the Client Provisioning portal.

You can further customize the Guest portal by uploading HTML pages to Cisco ISE. When you upload customized pages, you are responsible for the appropriate localization support for your deployment. Cisco ISE provides a localization support example with sample HTML pages, which you can use as a guide. Cisco ISE allows you to upload, store, and render custom internationalized HTML pages.


Note

NAC and MAC agent installers, and WebAgent pages are not localized.

Support for UTF-8 Character Data Entry

Cisco ISE fields that are exposed to the end user (through the Cisco client agent or supplicants, or the Sponsor, Guest, My Devices, and Client Provisioning portals) support UTF-8 character sets for all languages. UTF-8 is a multibyte character encoding for the Unicode character set, which includes many different language character sets including Hebrew, Sanskrit, and Arabic.

Character values are stored in UTF-8 in the administration configuration database, and the UTF-8 characters display correctly in reports and user interface components.

UTF-8 Credential Authentication

Network access authentication supports UTF-8 username and password credentials. This includes RADIUS, Extensible Authentication Protocol (EAP), RADIUS proxy, RADIUS token, and web authentication from the Guest and administration portal login authentications. UTF-8 support for username and password applies to authentication against the local identity store and external identity stores.

UTF-8 authentication depends on the client supplicant that is used for network login. Some Windows native supplicants do not support UTF-8 credentials.


Note

UTF-8 authentication with RSA is not supported as RSA does not support UTF-8 users. RSA servers, which are compatible with Cisco ISE, also do not support UTF-8.

UTF-8 Policies and Posture Assessment

Policy rules in Cisco ISE that are conditioned on attribute values may include UTF-8 text. Rule evaluation supports UTF-8 attribute values. You can also configure conditions with UTF-8 values through the administration portal.

Posture requirements are modified as File, Application, and Service conditions based on a UTF-8 character set.

UTF-8 Support for Messages Sent to Supplicant

RSA prompts and messages are forwarded to the supplicant using a RADIUS attribute REPLY-MESSAGE, or within EAP data. If the text contains UTF-8 data, it is displayed by the supplicant, based on the client’s local operating system language support. Some Windows-native supplicants do not support UTF-8 credentials.

Cisco ISE prompts and messages may not be in synchrony with the locale of the client operating system on which the supplicant is running. You must align the end-user supplicant locale with the languages that are supported by Cisco ISE.

Reports and Alerts UTF-8 Support

Monitoring and troubleshooting reports and alerts support UTF-8 values for relevant attributes for the languages that are supported in Cisco ISE. The following activities are supported:

  • Viewing live authentications.

  • Viewing detailed pages of report records.

  • Exporting and saving reports.

  • Viewing the Cisco ISE dashboard.

  • Viewing alert information.

  • Viewing tcpdump data.

UTF-8 Character Support in the Portals

More character sets are supported in Cisco ISE fields (UTF-8) than are currently supported for localizations in portals and end-user messages. For example, Cisco ISE does not support right-to-left languages, such as Hebrew or Arabic, although the character sets themselves are supported.

The following table lists the fields in the Admin and end-user portals that support UTF-8 characters for data entry and viewing, with the following limitations:

  • Cisco ISE does not support guest usernames and passwords with UTF-8 characters.

  • Cisco ISE does not support UTF-8 characters in certificates.

Table 4. Administration Portal UTF-8 Character Fields

Administration Portal Element

UTF-8 Fields

Network access user configuration

  • Username

  • First Name

  • Last Name

  • Email

User list

  • All filter fields.

  • Values displayed in the User List window.

  • Values displayed in the left navigation quick view.

User password policy

The passwords can contain any combination of upper and lowercase letters, numbers, and special characters (including !, @, #, $, ^, &, *, (, and ). The password field accepts any characters including UTF-8 characters, but it does not accept control characters.

Some languages do not have uppercase or lowercase alphabets. If your user password policy requires the user to enter a password with uppercase or lowercase characters and the user’s language does not support these characters, the user cannot set a password. For the user password field to support UTF-8 characters, uncheck the following check boxes in the user password policy page (Administration > Identity Management > Settings > User Authentication Settings > Password Policy):

  • Lowercase alphabetic characters

  • Uppercase alphabetic characters

You cannot use dictionary words, their characters in reverse order, or their letters replaced with other characters.

Administrator list

  • All filter fields.

  • Values that aredisplayed in the administrator list window.

  • Values that are displayed in the left navigation quick view.

Admin login page

  • Username

RSA

  • Messages

  • Prompts

RADIUS token

  • Authentication tab > Prompt

Posture Requirement

  • Name

  • Remediation action > Message shown to Agent User

  • Requirement list display

Posture conditions

The following fields in the Policy > Policy Elements > Conditions > Posture windows:

  • File Condition > Add > File Path.

  • Application Condition > Add > Process Name.

  • Service Condition > Add > Service Name.

  • Conditions list displays.

Guest and My Devices settings

  • Sponsor > Language Template: all supported languages, all fields.

  • Guest > Language Template: all supported languages, all fields.

  • My Devices >Language Template: all supported languages, all fields.

System settings

  • SMTP Server > Default email address

Operations > Alarms > Rule

  • Criteria > User

  • Notification > email notification user list

Operations > Reports

  • Operations > Live Authentications > Filter fields

  • Operations > Reports > Catalog > Report filter fields

Operations > Troubleshoot

  • General Tools > RADIUS Authentication Troubleshooting > Username

Policies

  • Authentication > value for the antivirus expression within policy conditions

  • Authorization or posture or client provisioning > other conditions > value for the antivirus expression within policy conditions

Attribute value in policy library conditions

  • Authentication > simple condition or compound condition > value for the antivirus expression

  • Authentication > simple condition list display

  • Authentication > simple condition list > left navigation quick view display

  • Authorization > simple condition or compound condition > value for the antivirus expression

  • Authorization > simple condition list > left navigation quick view display

  • Posture > Dictionary simple condition or dictionary compound condition > value for the antivirus expression

  • Guest > simple condition or compound condition > value for the antivirus expression

UTF-8 Support Outside the Cisco ISE User Interface

This section contains the areas outside the Cisco ISE user interface that provide UTF-8 support.

Debug Log and CLI-Related UTF-8 Support

Attribute values and posture condition details appear in some debug logs. All debug logs accept UTF-8 values. You can download debug logs containing raw UTF-8 data that can be viewed with a UTF-8-supported viewer.

Cisco Secure ACS Migration UTF-8 Support

Cisco ISE allows the migration of Cisco Secure Access Control Server (ACS) UTF-8 configuration objects and values. Migration of some UTF-8 objects may not be supported by Cisco ISE UTF-8 languages, which might render some of the UTF-8 data that is provided during migration unreadable using the administration portal or report methods. Convert the unreadable UTF-8 values (that are migrated from Cisco Secure ACS) into ASCII text. For more information about migrating from Cisco Secure ACS to Cisco ISE, see the Cisco Secure ACS to Cisco ISE Migration Tool for your version of Cisco ISE.

Support for Importing and Exporting UTF-8 Values

The administration and Sponsor portals support plaintext and CSV files with the UTF-8 values to use when importing user account details. Exported files are provided as CSV files.

UTF-8 Support on REST

External Representational State Transfer (REST) communication supports UTF-8 values. This applies to configurable items that have UTF-8 support in the Cisco ISE user interface, except for administrator authentication. Administrator authentication in REST requires ASCII text credentials for login.

UTF-8 Support for Identity Stores Authorization Data

Cisco ISE allows Microsoft Active Directory and Lightweight Directory Access Protocol (LDAP) to use UTF- 8 data in authorization policies for policy processing.

MAC Address Normalization

Cisco ISE supports normalization of the MAC address that you enter in any of the following formats:

  • 00-11-22-33-44-55

  • 0011.2233.4455

  • 00:11:22:33:44:55

  • 001122334455

  • 001122-334455

Provide full or partial MAC addresses in the following Cisco ISE windows:

  • Policy > Policy Sets

  • Policy > Policy Elements > Conditions > Authorization

  • Authentications > Filters (Endpoint and Identity columns)

  • Global search

  • Operations > Reports > Report Filters

  • Operations > Troubleshoot > Diagnostic Tools > General Tools > Endpoint Debug

Provide full MAC addresses (six octets separated by ‘:’ or ‘-’ or ‘.’) in the following Cisco ISE windows:

  • Operations > Endpoint Protection Services Adaptive Network Control

  • Operations > Troubleshoot > Diagnostic Tools > General Tools > RADIUS Authentication Troubleshooting

  • Operations > Troubleshooting > Diagnostic Tools > General Tools > Posture Troubleshooting

  • Administration > Identities > Endpoints

  • Administration > System > Deployment

  • Administration > Logging > Collection Filters

REST APIs also support normalization of full MAC address.

The valid ranges for an octet are 0 to 9, a to f, or A to F.

Was this Document Helpful?

FeedbackFeedback

Contact Cisco