Cisco Identity Services Engine Administrator Guide, Release 2.3

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Book Contents
Find Matches in This Book
Available Languages
Download Options

Book Title

Cisco Identity Services Engine Administrator Guide, Release 2.3

Chapter Title

Manage Administrators and Admin Access Policies

Results

Updated:
July 28, 2017

Chapter: Manage Administrators and Admin Access Policies

Manage Administrators and Admin Access Policies

Cisco ISE Administrators

Administrators can use the admin portal to:

  • Manage deployments, help desk operations, network devices, and node monitoring and troubleshooting.

  • Manage Cisco ISE services, policies, administrator accounts, and system configuration and operations.

  • Change administrator and user passwords.

A CLI administrator can start and stop the Cisco ISE application, apply software patches and upgrades, reload or shut down the Cisco ISE appliance, and view all the system and application logs. Because of the special privileges that are granted to a CLI administrator, we recommend that you protect the CLI administrator credentials and create web-based administrators for configuring and managing Cisco ISE deployments.

The username and password that you configure during setup is intended only for administrative access to the CLI. This role is considered to be the CLI admin user, also known as CLI administrator. By default, the username for a CLI admin user is admin, and the password is defined during setup. There is no default password. This CLI admin user is the default admin user, and this user account cannot be deleted. However, other administrators can edit it, including options to enable, disable, or change password for the corresponding account.

You can either create an administrator, or you can promote an existing user to an administrator role. Administrators can also be demoted to simple network user status by disabling the corresponding administrative privileges.

Administrators are users who have local privileges to configure and operate the Cisco ISE system.

Administrators are assigned to one or more admin groups.


Note

Starting with Cisco ISE Release 2.7, use alphanumeric values while creating user accounts in Cisco ISE.

Privileges of a CLI Administrator Versus a Web-Based Administrator

A CLI administrator can start and stop the Cisco ISE application, apply software patches and upgrades, reload or shut down the Cisco ISE appliance, and view all the system and application logs. Because of the special privileges granted to a CLI administrator, we recommend that you protect the CLI administrator credentials and create web-based administrators for configuring and managing Cisco ISE deployments.

Create a New Administrator

Cisco ISE administrators need accounts with specific roles assigned to them in order to perform specific administrative tasks. You can create multiple administrator accounts and assign one or more roles to these admins based on the administrative tasks that these admins have to perform.

Use the Admin Users window to view, create, modify, delete, change the status, duplicate, or search for attributes of Cisco ISE administrators.

Procedure

Step 1

Choose Administration > System > Admin Access > Administrators > Admin Users > Add.

Step 2

From the Add drop-down, choose one of the following options:

  • Create an Admin User

    If you choose Create an Admin User, a New Administrator window appears, from where you can configure account information for the new admin user.

  • Select from Network Access Users

    If you choose Select from Network Access Users, a list of current users appears, from which you can choose a user. Subsequently, the Admin User window corresponding to this user appears.

Step 3

Enter values in the fields. The characters supported for the Name field are # $ ’ ( ) * + - . / @ _.

The admin user name must be unique. If you have entered an existing user name, an error pop-up window displays the following message: 

User can't be created. A User with that name already exists.
Step 4

Click Submit to create a new administrator in the Cisco ISE internal database.

Cisco ISE Administrator Groups

Administrator groups are role-based access control (RBAC) groups in Cisco ISE. All the administrators who belong to the same group share a common identity and have the same privileges. An administrator’s identity as a member of a specific administrative group can be used as a condition in authorization policies. An administrator can belong to more than one administrator group.

An administrator account with any level of access can be used to modify or delete objects for which it has permission, on any window it has access to.

The Cisco ISE security model limits administrators to creating administrative groups that contain the same set of privileges that the administrator has. The privileges given are based on the administrative role of the user, as defined in the Cisco ISE database. Thus, administrative groups form the basis for defining privileges to access the Cisco ISE systems.

The following table lists the admin groups that are predefined in Cisco ISE, and the tasks that members from these groups can perform.

Table 1. Cisco ISE Admin Groups, Access Levels, Permissions, and Restrictions

Admin Group Role

Access Level

Permissions

Restrictions

Customization Admin

Manage sponsor, guest, and personal device portals.

  • Configure guest and sponsor access.

  • Manage guest access settings.

  • Customize end-user web portals.

  • Cannot perform any policy management, identity management, or system-level configuration tasks in Cisco ISE.

  • Cannot view any reports.

Helpdesk Admin

Query monitoring and troubleshooting operations

  • Run all reports.

  • Run all troubleshooting flows.

  • View the Cisco ISE dashboard and live logs.

  • View alarms.

Cannot create, update, or delete reports, troubleshooting flows, live authentications, or alarms.

Identity Admin

  • Manage user accounts and endpoints.

  • Manage identity sources.

  • Add, edit, and delete user accounts and endpoints.

  • Add, edit, and delete identity sources.

  • Add, edit, and delete identity source sequences.

  • Configure general settings for user accounts (attributes and password policy).

  • View the Cisco ISE dashboard, live logs, alarms, and reports.

  • Run all troubleshooting flows.

Cannot perform any policy management or system-level configuration tasks in Cisco ISE.

MnT Admin

Perform all the monitoring and troubleshooting operations.

  • Manage all the reports (run, create, and delete).

  • Run all the troubleshooting flows.

  • View the Cisco ISE dashboard and live logs.

  • Manage alarms (create, update, view, and delete).

Cannot perform any policy management, identity management, or system-level configuration tasks in Cisco ISE.

Network Device Admin

Manage Cisco ISE network devices and network device repository.

  • Read and write permissions on network devices

  • Read and write permissions on Network Device Groups and all network resource object types.

  • View the Cisco ISE dashboard, live logs, alarms, and reports.

  • Run all the troubleshooting flows.

Cannot perform any policy management, identity management, or system-level configuration tasks in Cisco ISE.

Policy Admin

Create and manage policies for all the Cisco ISE services across the network, which are related to authentication, authorization, posture, profiler, client provisioning, and work centers.

  • Read and write permissions on all the elements that are used in policies, such as authorization profiles, Network Device Groups (NDGs), and conditions.

  • Read and write permissions on identities, endpoints, and identity groups (user identity groups and endpoint identity groups).

  • Read and write permissions on services policies and settings.

  • View the Cisco ISE dashboard, live logs, alarms, and reports.

  • Run all the troubleshooting flows.

  • Device Administration— Access to device administration work centers. Permission for TACACS policy conditions and results. Network device permissions for TACACS proxy and proxy sequences.

Cannot perform any identity management or system-level configuration tasks in Cisco ISE.

Device Administration—Access to the work center does not guarantee access to the subordinate links.

RBAC Admin

All the tasks under the Operations menu, except for Endpoint Protection Services Adaptive Network Control, and partial access to some menu items under Administration.

  • View the authentication details.

  • Enable or disable Endpoint Protection Services Adaptive Network Control

  • Create, edit, and delete alarms; generate and view reports; and use Cisco ISE to troubleshoot problems in your network.

  • Read permissions on administrator account settings and admin group settings

  • View permissions on admin access and data access permissions in the RBAC Policy window.

  • View the Cisco ISE dashboard, live logs, alarms, and reports.

  • Run all the troubleshooting flows.

Cannot perform any identity management or system-level configuration tasks in Cisco ISE.

Read-Only Admin

Read-only access to the ISE GUI.

  • View and use the functions of the dashboard, reports, and live logs or sessions, such as filtering data, querying, saving options, printing, and exporting data.

  • Change passwords of their own accounts.

  • Query ISE using global search, reports, and live logs or sessions.

  • Filter and save data based on the attributes.

  • Export data pertaining to authentication policies, profile policies, users, endpoints, network devices, network device groups, identities (including groups), and other configurations.

  • Customize report queries, save, print, and export them.

  • Generate custom report queries, save, print, or export the results.

  • Save GUI settings for future reference.

  • Download logs, such as ise-psc-log from the Operations > Troubleshoot > Download Logs window.

  • Perform any configuration changes such as create, update, delete, import, quarantine, and Mobile Device Management (MDM) actions of objects, such as authorization policies, authentication policies, posture policies, profiler policies, endpoints, and users.

  • Perform system operations, such as backup and restore, registration or deregistration of nodes, synchronization of nodes, creating, editing, and deleting node groups, or upgrade and installation of patches.

  • Import data pertaining to policies, network devices, network device groups, identities (including groups), and other configurations.

  • Perform operations, such as CoA, endpoint debugging, modifying collection filters, bypassing suppression on live sessions data, modifying the PAN-HA failover settings, and editing the personas or services of Cisco ISE nodes.

  • Run commands that might have a heavy impact on performance. For example, access to the TCP Dump in the Operations > Troubleshoot > Diagnostic Tools > General Tools window is restricted.

  • Generate support bundles.

Super Admin

All Cisco ISE administrative functions. The default administrator account belongs to this group.

Create, read, update, delete, and eXecute (CRUDX) permissions on all Cisco ISE resources.

Note 

The super admin user cannot modify the default system-generated RBAC policies and permissions. To do this, you must create new RBAC policies with the necessary permissions based on your needs, and map these policies to an admin group.

Device Administration—Access to device administration work centers. Permission for TACACS policy conditions and results. Network device permissions for TACACS proxy and proxy sequences. In addition, permission to enable TACACS global protocol settings.

  • Device Administration— Access to the work center does not guarantee access to the subordinate links.

  • Only an admin user from the default Super Admin Group can modify or delete other admin users. Even an externally mapped user who is part of an Admin Group cloned with the Menu and Data Access privileges of the Super Admin Group cannot modify or delete an admin user.

System Admin

All Cisco ISE configuration and maintenance tasks.

Full access (read and write permissions) to perform all the activities under the Operations tab and partial access to some menu items under the Administration tab:

  • Read permissions on administrator account settings and administrator group settings.

  • Read permissions on admin access and data access permissions along with the RBAC policy window.

  • Read and write permissions for all options under Administration > System.

  • View authentication details.

  • Enable or disable Endpoint Protection Services Adaptive Network Control

  • Create, edit, and delete alarms; generate and view reports; and use Cisco ISE to troubleshoot problems in your network.

  • Device Administration— Permission to enable TACACS global protocol settings.

Cannot perform any policy management or system-level configuration tasks in Cisco ISE.

External RESTful Services (ERS) Admin

Full access to all the ERS API requests such as GET, POST, DELETE, PUT

  • Create, read, update, and delete ERS API requests.

The role is meant only for ERS authorization supporting internal users, identity groups, endpoints, endpoint groups, and SGT .

External RESTful Services (ERS) Operator

Read-only access to ERS API, only GET

  • Can only read ERS API requests

The role is meant only for ERS authorization supporting internal users, identity groups, endpoints, endpoint groups, and SGT.

TACACS+ Admin

Full access

Access to:

  • Device Administration Work Center.

  • Deployment—To enable TACACS+ services.

  • External ID stores.

  • Operations > TACACS Live Logs window.

Create an Admin Group

The Admin Groups window allows you to view, create, modify, delete, duplicate, or filter Cisco ISE network admin groups.

Before you begin

To configure an external administrator group type, you must have already specified one or more external identity stores.

Procedure

Step 1

Choose Administration > System > Admin Access > Administrators > Admin Groups.

Step 2

Click Add, and enter a name and description.

The supported special characters for the Name field are: space, # $ & ‘ ( ) * + - . / @ _ .

Step 3

Check the corresponding check box to specify the Type of administrator group you are configuring:

  • Internal: Administrators assigned to this group type authenticate against the credentials that are stored in the Cisco ISE internal database.

  • External: Administrators assigned to this group authenticate against the credentials stored in the external identity store that you select in the Administration > System > Admin Access > Authentication > Authentication Method window. You can specify the external groups, if required.

Note 

If an internal user is configured with an external identity store for authentication, while logging in to the ISE Admin portal, the internal user must select the external identity store as the Identity Source. Authentication will fail if Internal Identity Source is selected.

Step 4

Click Add in the Member Users area to add users to this admin group. To delete users from the admin group, check the check box corresponding to the user that you want to delete, and click Remove.

Step 5

Click Submit.

Administrative Access to Cisco ISE

Cisco ISE administrators can perform various administrative tasks based on the administrative group to which they belong. These administrative tasks are critical. Grant administrative access only to users who are authorized to administer Cisco ISE in your network.

Cisco ISE allows you to control administrative access to its web interface through the options described here. .

Administrative Access Methods

You can connect to the Cisco ISE servers in several ways. The Policy Administration node (PAN) runs the Administrators portal. An admin password is required to log in. Other ISE persona servers are accessible through SSH or the console, where you run the CLI. This section describes the process and password options available for each connection type.

  • Admin password: The Cisco ISE Admin user that you created during installation times out in 45 days by default. You can prevent that by turning off the password lifetime from Administration > System > Admin Settings. Click the Password Policy tab, and uncheck theAdministrative passwords expire check box under Password Lifetime.

    If you do not do this, and the password expires, you can reset the admin password in the CLI by running the application reset-passwd command. You can reset the Admin password by connecting to the console to access the CLI, or by rebooting the ISE image file to access the boot options menu.

  • CLI password: You must enter a CLI password during installation. If you have a problem logging in to the CLI because of an invalid password, you can reset the CLI password. Connect to the console and run the password CLI command to rest the password. See the Cisco Identity Services Engine CLI Reference Guide for more information.

  • SSH access to the CLI: You can enable SSH access either during installation or after, using the service sshd command. You can also force SSH connections to use a key. Note that when you do this, SSH connections to all the network devices also use that key. For more information, see SSH Key Validation. You can force the SSH key to use the Diffie-Hellman algorithm. Note that ECDSA keys are not supported for SSH keys.

Role-Based Admin Access Control in Cisco ISE

Cisco ISE provides role-based access control (RBAC) policies that ensure security by restricting administrative privileges. RBAC policies are associated with default admin groups to define roles and permissions. A standard set of permissions (for menu as well as data access) is paired with each of the predefined admin groups, and is thereby aligned with the associated role and job function.

Some features in the user interface require certain permissions for their use. If a feature is unavailable, or you are not allowed to perform a specific task, your admin group may not have the necessary permissions to perform the task that utilizes the feature.

Regardless of the level of access, any administrator account can modify or delete objects for which it has permission, on any window that it can access.


Note

Only system-defined admin users with Super Admin or Read Only Admin permissions can see the identity-based users who are not a part of a user group. Admins you create without these permissions cannot see these users.

Role-Based Permissions

Cisco ISE allows you to configure permissions at the menu and data levels. These are called menu access and data access permissions.

The menu access permissions allow you to show or hide the menu and submenu items of the Cisco ISE administrative interface. This feature lets you create permissions so that you can restrict or enable access at the menu level.

The data access permissions allow you to grant read and write, read only, or no access to the Admin Groups, User Identity Groups, Endpoint Identity Groups, Locations, and Device Types data in the Cisco ISE interface.

RBAC Policies

RBAC policies determine if an administrator can be granted a specific type of access to a menu item or other identity group data elements. You can grant or deny access to a menu item or identity group data element to an administrator based on the admin group, by using RBAC policies. When administrators log in to the Admin portal, they can access menus and data that are based on the policies and permissions defined for the admin groups with which they are associated.

RBAC policies map admin groups to menu access and data access permissions. For example, you can prevent a network administrator from viewing the Admin Access operations menu and the policy data elements. This can be achieved by creating a custom RBAC policy for the admin group with which that network administrator is associated.


Note

If you are using customized RBAC policies for admin access, ensure that you provide all the relevant menu access for a given data access. For example, to add or delete endpoints with data access of Identity or Policy Admin, you must provide menu access to Work Center > Network Access and Administration > Identity Management.

Default Menu Access Permissions

Cisco ISE provides an out-of-the-box set of permissions that are associated with a set of predefined admin groups. Having predefined admin group permissions allow you to set permissions so that a member of any admin group can have full or limited access to the menu items within the administrative interface (known as menu access) and to delegate an admin group to use the data access elements of other admin groups (known as data access). These permissions are reusable entities that can be further used to formulate RBAC policies for various admin groups. Cisco ISE provides a set of system-defined menu access permissions that are already used in the default RBAC policies. Apart from the predefined menu access permissions, Cisco ISE also allows you to create custom menu access permissions that you can use in RBAC policies. The key icon represents menu access privileges for the menus and submenus, and the key with a close icon represents no access for different RBAC groups.


Note

For a Super Admin user, all the menu items are available. For other admin users, all the menu items in the Menu Access Privileges column are available for standalone deployment and primary node in a distributed deployment. For secondary nodes in a distributed deployment, the menu items under the Administration tab are not available.

Configure Menu Access Permissions

Cisco ISE allows you to create custom menu access permissions that you can map to an RBAC policy. Depending on the role of the administrators, you can allow them to access only specific menu options.

Procedure
Step 1

Choose Administration > System > Admin Access > Authorization > Permissions > Menu Access.

Step 2

Click Add, and enter values for the Name and Description fields.

  1. Expand the ISE Navigation Structure menu to the desired level, and click the options for which you want to create permissions.

  2. In the Permissions for Menu Access pane, click Show.

Step 3

Click Submit.

Prerequisites for Granting Data Access Permissions

When an RBAC admin has Full Access permission to an object (for example, Employee in the User Identity Groups data type), the admin can view, add, update, and delete users who belong to that group. Ensure that the admin has menu access permission granted for the Users window (Administration > Identity Management > Identities > Users). This is applicable for network devices and endpoints objects (based on the permissions granted to the Network Device Groups and Endpoint Identity Groups data types).

You cannot enable or restrict data access for network devices that belong to the default network device group objects—All Device Types and All Locations. All the network devices are displayed if Full Access data permission is granted to an object created under these default network device group objects. Therefore,we recommend that you create a separate hierarchy for the Network Device Groups data type, which is independent of the default network device group objects. You should assign the network device objects to the newly created Network Devices Groups to create restricted access.


Note

You can enable or restrict data access permissions only for the User Identity Groups, Network Device Groups, and Endpoint Identity Groups, not to Admin Groups.

Default Data Access Permissions

Cisco ISE comes with a set of predefined data access permissions. These permissions enable multiple administrators to have the data access permissions within the same user population. You can enable or restrict the use of data access permissions to one or more admin groups. This process allows autonomous delegated control to administrators of one admin group to reuse data access permissions of the chosen admin groups through selective association. Data access permissions range from full access to no access for viewing selected admin groups or network device groups. RBAC policies are defined based on the administrator (RBAC) group, menu access, and data access permissions. You should first create menu access and data access permissions and then create an RBAC policy that associates an admin group with the corresponding menu access and data access permissions. The RBAC policy takes the form: If admin_group=Super Admin then assign SuperAdmin Menu Access permission + SuperAdmin Data Access permission. Apart from the predefined data access permissions, Cisco ISE also allows you to create custom data access permissions that you can associate with an RBAC policy.

There are three data access permissions, namely, Full Access, No Access, and Read Only access that can be granted to admin groups.

The Read Only permission can be granted to the following admin groups:

  • Administration > Admin Access > Administrators > Admin Groups

  • Administration > Groups > User Identity Group

  • Administration > Groups > Endpoint Identity Groups

  • Network Visibility > Endpoints

  • Administration > Network Resources > Network Device Groups

  • Administration > Network Resources > Network Devices

  • Administration > Identity Management > Identities

  • Administration > Identity Management > Groups > User Identity Groups

  • Administration > Identity Management > Groups > Endpoint Identity Groups

If you have read-Only permission for a data type (for example, Endpoint Identity Groups), you will not be able to perform CRUD operations on that data type. If you have read-only permission for an object (for example, GuestEndpoints), you cannot perform edit or delete operations on that object.

The following image describes how Data Access Privileges apply at the second-level or third-level menu that contains additional submenus or options for different RBAC groups.

Figure 1. Data Access Privileges


Label

Description

1

Denotes full access for the User Identity groups data type.

2

Denotes that Endpoint Identity groups derive the maximum permission (full access) that is granted to its child (Asia).

3

Denotes that there is no access for the object (blocked list).

4

Denotes that the parent (Continents) derives the maximum access permission granted to its child (Asia).

5

Denotes Read-Only access for the object (Australia).

6

Denotes that when full access is granted to the parent (Network Device groups), it results in the children automatically inheriting permissions.

7

Denotes that when full access is granted to the parent (Asia), it results in the objects inheriting the Full Access permission, unless permissions are explicitly granted to the objects.

Configure Data Access Permissions

Cisco ISE allows you to create custom data access permissions that you can map to an RBAC policy. Based on the role of the administrator, you can choose to provide them access only to select data.

Procedure
Step 1

Choose Administration > System > Admin Access > Authorization > Permissions.

Step 2

Choose Permissions > Data Access.

Step 3

Click Add, and enter values for the Name and Description fields.

  1. Click to expand the admin group and select the corresponding admin group.

  2. Click Full Access, Read Only Access, or No Access.

Step 4

Click Save.

Read-Only Admin Policy

The default Read-Only Admin policy is available in the Administration > System > Admin Access > Authorization > Policy window. This policy is available for both new installations and upgraded deployments. The Read-Only Admin policy is applicable to the Read-Only Admin group. By default, Super Admin Menu Access and Read-Only Data Access permissions are granted to Read-Only administrators. This policy cannot be duplicated and the associated Data Access permission cannot be edited.


Note

  • The default read-only policy is mapped to the Read Only Admin group. You cannot create custom RBAC policy using the Read Only Admin group.

  • Cisco ISE supports the read-only functionality based on the static check of Read-Only Admin Group only.

Customize Menu Access for the Read-Only Administrator

By default, Read-Only Administrators are given Super Admin Menu Access and Read Only Admin Data Access. However, if the Super Admin requires that the Read-Only Administrator view only the Home and Administration tabs, the Super Admin can create a custom menu access or customize the default Permissions to, for example, MnT Admin Menu Access or Policy Admin Menu Access. The Super Admin cannot modify the Read Only Data Access mapped to the Read Only Admin Policy.

Procedure
Step 1

Log in to the Admin portal as a Super Admin.

Step 2

Navigate to the Administration > System > Admin Access > Authorization > Permissions > Menu Access page.

Step 3

Click Add and enter a Name (for example, MyMenu) and Description.

Step 4

In the Menu Access Privileges section, you can select the Show/Hide option to choose the required options (for example, Home and Administration tabs) that should be displayed for the Read-Only Administrator.

Step 5

Click Submit.

The custom menu access permission is displayed in the Permissions drop-down correspoinding to the Read-Only Admin Policy displayed in the Administration > System > Admin Access > Authorization > Policy window.
Step 6

Choose Administration > System > Admin Access > Authorization > Policy window.

Step 7

Click the Permissions drop-down corresponding to the Read-Only Admin Policy and choose a default (MnT Admin Menu Access) or custom menu access permission (MyMenu) that you have created in the Administration > System > Admin Access > Authorization > Permissions > Menu Access window.

Step 8

Click Save.

Note 

  • You will encounter an error if you choose Data Access permissions for the Read-Only Admin policy.

  • When you log in to the Read-Only Admin portal, a Read-Only icon appears at the top of the window and you can view only the specified menu options without data access.

Configure Admin Access Policies

An RBAC policy is represented in an if-then format, where "if" is the RBAC Admin Group value and "then" is the RBAC Permissions value.

The RBAC policies window ( Administration > System > Admin Access > Authorization) contains a list of default policies. You cannot edit or delete these default policies. However, you can edit the data access permissions for the Read-Only Admin policy. The RBAC policies page also allows you to create custom RBAC policies for an admin group specifically for your work place, and apply to personalized admin groups.

When you assign limited menu access, make sure that the data access permissions allow the administrator to access the data that is required to use the specified menus. For example, if you give menu access to the MyDevices portal, but don't allow data access to Endpoint Identity Groups, then that administrator cannot modify the portal.


Note

Admin users can move endpoint MAC addresses from the Endpoint Identity Groups they have read-only access to, to the Endpoint Identity Groups they have full access to. The other way around is not possible.

Before you begin

  • Create all the admin groups for which you want to define the role-based access control (RBAC) policies.

  • Ensure that these admin groups are mapped to individual admin users.

  • Ensure that you have configured the RBAC permissions such as menu access and data access permissions.

Procedure

Step 1

Choose Administration > System > Admin Access > Authorization > Policy.

The RBAC Policies page contains a set of ready-to-use predefined policies for default admin groups. You cannot edit or delete these default policies. However, you can edit the data access permissions for the default Read-Only Admin policy.

Step 2

Click Actions next to any of the default RBAC policy rule.

Here, you can insert new RBAC policies, duplicate an existing RBAC policy, and delete an existing RBAC policy.

Step 3

Click Insert new policy.

Step 4

Enter values for the Rule Name, RBAC Group(s), and Permissions fields.

You cannot select multiple menu access and data access permissions when creating an RBAC policy.

Step 5

Click Save.

Administrator Access Settings

Cisco ISE allows you to define some rules for administrator accounts to enhance security. You can restrict access to the management interfaces, force administrators to use strong passwords, regularly change their passwords, and so on. The password policy that you define in the Administrator Account Settings in Cisco ISE applies to all administrator accounts.

Cisco ISE supports administrator passwords with UTF-8 characters.

Configure Maximum Number of Concurrent Administrative Sessions and Login Banners

You can configure the maximum number of concurrent administrative GUI or CLI (SSH) sessions and login banners that help and guide administrators who access your administrative web or CLI interface. You can configure login banners that appear before and after an administrator logs in. By default, these login banners are disabled.

Before you begin

To perform the following task, you must be a Super Admin or System Admin.

Procedure
Step 1

Choose Administration > System > Admin Access > Settings > Access > Session.

Step 2

Enter the maximum number of concurrent administrative sessions that you want to allow through the GUI and CLI interfaces. The valid range for concurrent administrative GUI sessions is from 1 to 20. The valid range for concurrent administrative CLI sessions is 1 to 10.

Step 3

If you want Cisco ISE to display a message before an administrator logs in, check the Pre-login banner check box and enter your message in the text box.

Step 4

If you want Cisco ISE to display a message after an administrator logs in, check the Post-login banner check box and enter your message in the text box.

Step 5

Click Save.

Allow Administrative Access to Cisco ISE from Select IP Addresses

Cisco ISE allows you to configure a list of IP addresses from which administrators can access the Cisco ISE management interfaces.

The administrator access control settings are only applicable to Cisco ISE nodes that assume the Administration, Policy Service, or Monitoring personas. These restrictions are replicated from the primary to the secondary nodes.

Before you begin

To perform the following task, you must be a Super Admin or System Admin.

Procedure
Step 1

Choose Administration > System > Admin Access > Settings > Access > IP Access.

Step 2

Click the Allow only listed IP addresses to connect radio button.

Note 

Connection on Port 161 (SNMP) is used for administrative access. However, when IP Access restrictions are configured, the snmpwalk fails if the node from which it was performed is not configured for administrative access.

Step 3

In the Configure IP List for Access Restriction area, click Add.

Step 4

In the Add IP CIDR dialog box, enter the IP addresses in the classless interdomain routing (CIDR) format in the IP Address field.

Note 

This IP address can be an IPv4 or an IPv6 address. You can configure multiple IPv6 addresses for an ISE node.
Step 5

Enter the subnet mask in the Netmask in CIDR format field.

Step 6

Click OK. Repeat steps 4 to 7 to add more IP address ranges to this list.

Step 7

Click Save to save the changes.

Step 8

Click Reset to refresh the IP Access window.

Configure a Password Policy for Administrator Accounts

Cisco ISE also allows you to create a password policy for administrator accounts to enhance security. You can define whether you want a password-based or client certificate-based administrator authentication. The password policy that you define here is applied to all the administrator accounts in Cisco ISE.


Note

  • Email notifications for internal admin users are sent to root@host. You cannot configure the email address, and many SMTP servers reject this email.

    Follow open defect CSCui5583, which is an enhancement to allow you to change the email address.

  • Cisco ISE supports administrator passwords with UTF-8 characters.

Before you begin

  • To perform the following task, you must be a Super Admin or System Admin.

  • Turn off the automatic failover configuration, if this is enabled in your deployment. See Support for Automatic Failover for the Administration Node

    When you change the authentication method, you restart the application server processes. There might be a delay while these services restart. Due to this delay in restart of services, automatic failover of secondary administration node might get initiated.

Procedure
Step 1

Choose Administration > System > Admin Access > Authentication.

Step 2

Click the radio button for one of the following authentication methods:

  • Password Based: Choose this option to use the standard user ID and password credentials for administrator logins. Choose Internal or External from the Identity Source drop-down list.

    Note 

    If you have configured an external identity source such as LDAP and want to use that as your authentication source to grant access to the admin user, you must select that particular identity source from the Identity Source list box.

  • Client Certificate Based: Choose this option to specify a certificate-based policy. From the Certificate Authentication Profile drop-down list, choose an existing authentication profile. Choose the required value from the Identity Source drop-down list.

Step 3

Click the Password Policy tab and enter the required values to configure the Cisco ISE GUI and CLI password requirements.

Step 4

Click Save to save the administrator password policy.

Note 

If you use an external identity store to authenticate administrators at login, note that even if this setting is configured for the password policy applied to the administrator profile, the external identity store will still validate the administrator’s username and password.

Configure Account Disable Policy for Administrator Accounts

Cisco ISE allows you to disable an administrator account if the administrator account is not authenticated for the configured consecutive number of days.

Procedure
Step 1

Choose Administration > System > Admin Access > Authentication > Account Disable Policy.

Step 2

Check the Disable account after n days of inactivity check box, and enter the number of days in the corresponding field.

This option allows you to disable the administrator account if the administrator account was inactive for the specified number of days. However, you can exclude individual administrator accounts from this account disable policy using the Inactive Account Never Disabled option in the Administration > System > Admin Access > Administrators > Admin Users window.
Step 3

Click Save to configure the global account disable policy for administrators.

Configure Lock or Suspend Settings for Administrator Accounts

Cisco ISE allows you to lock or suspend administrator accounts (including password-based internal administrator accounts and certificate-based administrator accounts) that have more than a specified number of failed login attempts.

Procedure
Step 1

Choose Administration > System > Admin Access > Authentication > Lock/Suspend Settings.

Step 2

Check the Suspend Or Lock Account With Incorrect Login Attempts check box and enter the number of failed attempts after which action should be taken. The valid range is from 3 through 20. Click the radio button for one of the following options:

  • Suspend Account For n Minutes: Choose this option to suspend any account that exceeds a specified number of incorrect login attempts. The valid range is from 15 through 1440.
  • Lock Account: Choose this option to lock an account that exceeds a specified number of incorrect login attempts.

You can enter a custom email remediation message, such as asking the end user to contact the helpdesk to unlock the account.

Note 

In Cisco ISE Release 2.3 and earlier, the Lock/Suspend Settings are available in the Password Policy tab (Administration > System > Admin Access > Authentication > Password Policy.

Configure Session Timeout for Administrators

Cisco ISE allows you to determine the length of time an administration GUI session can be inactive and still remain connected. You can specify a time in minutes after which Cisco ISE logs out the administrator. After a session timeout, the administrator must log in again to access the Cisco ISE Admin portal.

Before you begin

To perform the following task, you must be a Super Admin or System Admin.

Procedure
Step 1

Choose Administration > System > Admin Access > Settings > Session > Session Timeout.

Step 2

Enter the time in minutes that you want Cisco ISE to wait before it logs out the administrator if there is no activity. The default value is 60 minutes. The valid range is from 6 to 100 minutes.

Step 3

Click Save.

Terminate an Active Administrative Session

Cisco ISE displays all active administrative sessions from which you can select any session and terminate at any point of time, if a need to do so arises. The maximum number of concurrent administrative GUI sessions is 20. If the maximum number of GUI sessions is reached, an administrator who belongs to the super admin group can log in and terminate some of the sessions.

Before you begin

To perform the following task, you must be a Super Admin.

Procedure
Step 1

Choose Administration > System > Admin Access > Settings > Session > Session Info.

Step 2

Check the check box next to the session ID that you want to terminate and click Invalidate.

Change Administrator Name

Cisco ISE allows you to change your username from the Cisco ISE GUI.

Before you begin

To perform the following task, you must be a Super Admin or System Admin.

Procedure
Step 1

Log in to the Cisco ISE administration portal.
Step 2

Click the Gear icon () at the upper right corner of the Cisco ISE GUI, and choose Account Settings from the drop-down list.

Step 3

Enter the new username in the Admin User dialog box that is displayed.

Step 4

Edit any other details about your account that you want to change.

Step 5

Click Save.

Administrative Access to Cisco ISE Using an External Identity Store

In Cisco ISE, you can authenticate administrators via an external identity store such as Active Directory, LDAP, or RSA SecureID. There are two models you can use to provide authentication via an external identity store:

  • External Authentication and Authorization: There are no credentials that are specified in the local Cisco ISE database for the administrator, and authorization is based on external identity store group membership only. This model is used for Active Directory and LDAP authentication.

  • External Authentication and Internal Authorization: The administrator’s authentication credentials come from the external identity source, and authorization and administrator role assignment take place using the local Cisco ISE database. This model is used for RSA SecurID authentication. This method requires you to configure the same username in both the external identity store and the local Cisco ISE database.

During the authentication process, Cisco ISE is designed to “fall back” and attempt to perform authentication from the internal identity database, if communication with the external identity store has not been established or if it fails. In addition, whenever an administrator for whom you have set up external authentication launches a browser and initiates a login session, the administrator still has the option to request authentication via the Cisco ISE local database by choosing Internal from the Identity Store drop-down list in the login dialog box.

Administrators who belong to a Super Admin group, and are configured to authenticate and authorize using an external identity store, can also authenticate with the external identity store for Command Line Interface (CLI) access.


Note

You can configure this method of providing external administrator authentication only via the Admin portal. Cisco ISE CLI does not feature these functions.

If your network does not already have one or more existing external identity stores, ensure that you have installed the necessary external identity stores and configured Cisco ISE to access those identity stores.

External Authentication and Authorization

By default, Cisco ISE provides internal administrator authentication. To set up external authentication, you must create a password policy for the external administrator accounts that you define in the external identity stores. You can then apply this policy to the external administrator groups that eventually become a part of the external administrator RBAC policy.

To configure external authentication, you must:

  • Configure password-based authentication using an external identity store.

  • Create an external administrator group.

  • Configure menu access and data access permissions for the external administrator group.

  • Create an RBAC policy for external administrator authentication.

In addition to providing authentication via an external identity store, your network may also require you to use a Common Access Card (CAC) authentication device.

Configure a Password-Based Authentication Using an External Identity Store

You must first configure password-based authentication for administrators who authenticate using an external identity store such as Active Directory or LDAP.

Procedure
Step 1
Step 2

On the Authentication Method tab, click Password Based and choose one of the external identity sources you have already configured. For example, the Active Directory instance that you have created.

Step 3

Configure any other specific password policy settings that you want for administrators who authenticate using an external identity store.

Step 4

Click Save.

Create an External Administrator Group

You will need to create an external Active Directory or LDAP administrator group. This ensures that Cisco ISE uses the username that is defined in the external Active Directory or LDAP identity store to validate the administrator username and password that you entered upon login.

Cisco ISE imports the Active Directory or LDAP group information from the external resource and stores it as a dictionary attribute. You can then specify that attribute as one of the policy elements while configuring the RBAC policy for this external administrator authentication method.

Procedure
Step 1

Choose Administration > System > Admin Access > Administrators > Admin Groups.

The External Groups Mapped column displays the number of external groups that are mapped to internal RBAC roles. You can click the number corresponding to a admin role to view the external groups (for example, if you click 2 displayed against Super Admin, the names of two external groups are displayed).

Step 2

Click Add.

Step 3

Enter a name and optional description.

Step 4

Click External.

If you have connected and joined to an Active Directory domain, your Active Directory instance name appears in the Name field.

Step 5

From the External Groups drop-down list box, choose the Active Directory group that you want to map for this external administrator group.

Click the “+” sign to map additional Active Directory groups to this external administrator group.

Step 6

Click Save.

Create an Internal Read-Only Admin
Procedure
Step 1

Choose Administration > System > Admin Access > Administrators > Admin Users .

Step 2

Click Add and select Create An Admin User.

Step 3

Check the Read Only check box to create a Read-Only administrator.

Map External Groups to the Read-Only Admin Group
Procedure
Step 1

Choose Administration > Identity Management > External Identity Sources to configure the external authentication source.

Step 2

Click the required external identity source, such as Active Directory or LDAP, and then retrieve the groups from the selected identity source.

Step 3

Choose Administration > System > Admin Access > Authentication to map the authentication method for the admin access with the identity source.

Step 4

Choose Administration > System > Admin Access > Administrators > Admin Groups and select Read Only Admin group.

Step 5

Check the External check box and select the required external groups for whom you intend to provide read-only privileges.

Step 6

Click Save.

An external group that is mapped to a Read-Only Admin group cannot be assigned to any other admin group.
Configure Menu Access and Data Access Permissions for External Administrator Group

You must configure menu access and data access permissions that can be assigned to the external administrator group.

Procedure
Step 1

Choose Administration > System > Admin Access > Permissions.

Step 2

Click one of the following:

  • Menu Access: All administrators who belong to the external administrator group can be granted permission at the menu or submenu level. The menu access permission determines the menus or submenus that they can access.

  • Data Access: All administrators who belong to the external administrator group can be granted permission at the data level. The data access permission determines the data that they can access.

Step 3

Specify menu access or data access permissions for the external administrator group.

Step 4

Click Save.

Create an RBAC Policy for External Administrator Authentication

You must configure a new RBAC policy to authenticate an administrator using an external identity store and to specify custom menu and data access permissions. This policy must have the external administrator group for authentication and the Cisco ISE menu and data access permissions to manage the external authentication and authorization.


Note

You cannot modify an existing (system-preset) RBAC policy to specify these new external attributes. If you have an existing policy that you would like to use as a template, you must duplicate that policy, rename it, and then assign the new attributes.

Procedure
Step 1

Choose Administration > System > Admin Access > Authorization > Policy.

Step 2

Specify the rule name, external administrator group, and permissions.

Remember that the appropriate external administrator group must be assigned to the correct administrator user IDs. Ensure that the administrator is associated with the correct external administrator group.

Step 3

Click Save.

If you log in as an administrator, and the Cisco ISE RBAC policy is not able to authenticate your administrator identity, Cisco ISE displays an “unauthenticated” message, and you cannot access the Admin portal.

Configure Admin Access Using an External Identity Store for Authentication with Internal Authorization

This method requires you to configure the same username in both the external identity store and the local Cisco ISE database. When you configure Cisco ISE to provide administrator authentication using an external RSA SecurID identity store, administrator credential authentication is performed by the RSA identity store. However, authorization (policy application) is still done according to the Cisco ISE internal database. In addition, there are two important factors to remember that are different from external authentication and authorization:

  • You do not need to specify any particular external administrator groups for the administrator.

  • You must configure the same username in both the external identity store and the local Cisco ISE database.

Procedure
Step 1
Step 2

Ensure that the administrator username in the external RSA identity store is also present in Cisco ISE. Ensure that you click the External option under Password.

Note 

You do not need to specify a password for this external administrator user ID, nor are you required to apply any specially configured external administrator group to the associated RBAC policy.

Step 3

Click Save.

External Authentication Process Flow

When the administrator logs in, the login session passes through the following steps in the process:

  1. The administrator sends an RSA SecurID challenge.

  2. RSA SecurID returns a challenge response.

  3. The administrator enters a user name and the RSA SecurID challenge response in the Cisco ISE login dialog, as if entering the user ID and password.

  4. The administrator ensures that the specified Identity Store is the external RSA SecurID resource.

  5. The administrator clicks Login.

Upon logging in, the administrator sees only the menu and data access items that are specified in the RBAC policy.

Was this Document Helpful?

FeedbackFeedback

Contact Cisco