The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
Cisco ISE is a policy-based, network-access-control solution, which offers network access policy sets, allowing you to manage
several different network access use cases such as wireless, wired, guest, and client provisioning. Policy sets (both network
access and device administration sets) enable you to logically group authentication and authorization policies within the
same set. You can have several policy sets based on an area, such as policy sets based on location, access type and similar
parameters. When you install ISE, there is always one policy set defined, which is the default policy set, and the default
policy set contains within it, predefined and default authentication, authorization and exception policy rules.
When creating policy sets, you can configure these rules (configured with conditions and results) in order to choose the network
access services on the policy set level, the identity sources on the authentication policy level, and network permissions
on the authorization policy levels. You can define one or more conditions using any of the attributes from the Cisco ISE-supported
dictionaries for different vendors. Cisco ISE allows you to create conditions as individual policy elements that can be reused.
The network access service to be used per policy set to communicate with the network devices is defined at the top level of
that policy set. Network access services include:
Allowed protocols—the protocols configured to handle the initial request and protocol negotiation.
A proxy service—sends requests to an external RADIUS server for processing.
Note
From the Work Centers > Device Administration , you can also select a relevant TACACS server sequence for your policy set. Use the TACACS server sequence to configure a
sequence of TACACS proxy servers for processing.
Policy sets are configured hierarchically, where the rule on the top level of the policy set, which can be viewed from the
Policy Set table, applies to the entire set and is matched before the rules for the rest of the policies and exceptions. Thereafter,
rules of the set are applied in this order:
Authentication policy rules
Local policy exceptions
Global policy exceptions
Authorization policy rules
Note
Policy Sets functionality is identical for network access and for device administration policies. All processes described
in this chapter can be applied when working with both the Network Access and the Device Administration work centers. This
chapter specifically discusses the Network Access work center policy sets. Choose Work Centers > Network Access > Policy Sets.
All the network access policies and policy sets, including authentication, authorization, and exceptions, are consolidated
together in the Policy Sets window in Cisco ISE 2.3 and later. Each policy set is a container that is defined at the top level of the policy hierarchy,
under which all relevant authentication and authorization policy and policy exception rules for that set are configured.
Multiple rules can be defined for both authentication and authorization, based on conditions. Conditions and additional related
configurations can now be accessed easily and reused directly from the new Policy Set interface. The order in which the policy sets are matched is determined by the order in which they appear in the new Policy Set interface. The check is started from the first row of the Policy Set table and is continued until a match is found. If no match is found, the system default policy set is used. The same logic
is used to match and select the correct authentication, and then the correct authorization rules. The check is started from
the top of each Policy Set table and each rule is checked until a match is found. The default rule is used if no other rule is matched.
The new policy model represents all policies that could also have been added in previous versions by using the old user interface,
but offering a much more simplified and improved interface from which you can logically manage network access.
Standalone Authentication and Authorization Policy Changes
When working with standalone authentication rules, the rules from ISE 2.2 and earlier versions are converted to the new policy
model. There are two separate scenarios based on the allowed protocols that are assigned to the authentication rules.
If all the “outer parts” in the system are assigned the same allowed protocol, including the default part, then all original
authentication rules are converted as follows:
All the “outer parts” are converted to a single policy set in the new policy model. The new policy set is called Default,
and on the Policy Set level, no conditions are defined and the uniform Allowed Protocol will be assigned. All inner parts
are converted to rules as part of the authentication policy within the new Default policy set.
The following table demonstrates the conversion for an old set of standalone authentication rules that use the same allowed
protocol (Scenario 1). In the table, each line is in the following format:
Name (Condition/Results)
For example, for Authentication outer part 1 (Outer Condition/Allowed Protocol A):
Name: Authentication outer part 1
Condition: Outer Condition
Results: Allowed Protocol A
Table 1. Standalone Authentication Policies Using Same Allowed Protocol
Before Cisco ISE 2.3 - Default Authentication
After Upgrade to Cisco ISE 2.3 or later - Policy Sets
Authentication outer part 1 (Outer Condition 1/Allowed Protocol A)
Authentication inner part 1.1 (Inner Condition 1.1/Identity Store A)
Authentication inner part 1.2 (Inner Condition 1.2/Identity Store A)
Authentication inner part 1.3 (Inner Condition 1.3/Identity Store A)
Authentication inner 1 Default (No conditions/Identity Store B)
Authentication outer part 2 (Outer Condition 2/Allowed Protocol A)
Authentication inner part 2.1 (Inner Condition 2.1/Identity Store A)
Authentication inner part 2.2 (Inner Condition 2.2/Identity Store A)
Authentication inner part 2.3 (Inner Condition 2.3/Identity Store A)
Authentication inner 2 Default (No conditions/Identity Store B)
Authentication outer part 3 (Outer Condition 3/Allowed Protocol A)
Authentication inner 3 Default (No conditions/Identity Store B)
Default Authentication Outer Part (No conditions/Allowed Protocol A/Default Identity Store)
Exception 1
Authorization Rule 1
Authorization Rule 2
Default (No conditions/Allowed Protocol A)
Authentication Policy (container)
Authentication outer part 1 - Authentication inner part 1.1 (Outer Condition 1 + Inner Condition 1.1/Identity Store A)
Authentication outer part 1 - Authentication inner part 1.2 (Outer Condition 1 + Inner Condition 1.2/Identity Store A)
Authentication outer part 1 - Authentication inner part 1.3 (Outer Condition 1 + Inner Condition 1.3/Identity Store A)
Authentication outer part 1 - Authentication inner 1 Default (Outer Condition 1/Identity Store B)
Authentication outer part 2 - Authentication inner part 2.1 (Outer Condition 2 + Inner Condition 2.1/Identity Store A)
Authentication outer part 2 - Authentication inner part 2.2 (Outer Condition 2 + Inner Condition 2.2/Identity Store A)
Authentication outer part 2 - Authentication inner part 2.3 (Outer Condition 2 + Inner Condition 2.3/Identity Store A)
Authentication outer part 2 - Authentication inner 2 Default (Outer Condition 2/Identity Store B)
Authentication outer part 3 - Authentication inner 3 Default (Outer Condition 3/Identity Store B)
Default Authentication Outer Part (No conditions/Default Identity Store)
Exception 1
Authorization Policy (container)
Authorization Rule 1
Authorization Rule 2
If at least one of the “outer parts” in the system are assigned a different allowed protocol than the others, including the
default part, then all original authentication rules are converted as follows:
Each of the “outer parts” is converted to a separate policy set in the new policy model. The new policy set will be named
based on the name of the original outer part for that specific new set. On the Policy Set level for each policy set, the original
outer part conditions, and the Allowed Protocol will be assigned. All inner parts for each outer part are converted to authentication
rules, one to one, as part of the authentication policy within their new policy set.
The following table demonstrates the conversion for an old set of standalone authentication rules that use different allowed
protocols (Scenario 2). In the table, each line is in the following format:
Name (Condition/Results)
For example, for Authentication outer part 1 (Outer Condition/Allowed Protocol A):
Name: Authentication outer part 1
Condition: Outer Condition
Results: Allowed Protocol A
Table 2. Standalone Authentication Policies Using Different Allowed Protocols
Before Cisco ISE 2.3 - Default Authentication
After Upgrade to Cisco ISE 2.3 or later - Policy Sets
Authentication outer part 1 (Outer Condition 1/Allowed Protocol A)
Authentication inner part 1.1 (Inner Condition 1.1/Identity Store A)
Authentication inner part 1.2 (Inner Condition 1.2/Identity Store A)
Authentication inner part 1.3 (Inner Condition 1.3/Identity Store A)
Authentication inner 1 Default (No conditions/Identity Store B)
Authentication outer part 2 (Outer Condition 2/Allowed Protocol B)
Authentication inner part 2.1 (Inner Condition 2.1/Identity Store A)
Authentication inner part 2.2 (Inner Condition 2.2/Identity Store A)
Authentication inner part 2.3 (Inner Condition 2.3/Identity Store A)
Authentication inner 2 Default (No conditions/Identity Store B)
Authentication outer part 3 (Outer Condition 3/Allowed Protocol C)
Authentication inner 3 Default (No conditions/Identity Store B)
Default Authentication Outer Part (No conditions/Allowed Protocol A/Identity Store C)
Exception 1
Authorization Rule 1
Authorization Rule 2
Default Authentication outer part 1 (Outer condition 1/Allowed Protocol A)
Authentication Policy (container)
Authentication inner part 1.1 (Inner Condition 1.1/Identity Store A)
Authentication inner part 1.2 (Inner Condition 1.2/Identity Store A)
Authentication inner part 1.3 (Inner Condition 1.3/Identity Store A)
Authentication inner 1 Default (No conditions/Identity Store B)
Exception 1
Authorization Policy (container)
Authorization Rule 1
Authorization Rule 2
Default Authentication outer part 2 (Outer Condition 2/Allowed Protocol B)
Authentication Policy (container)
Authentication inner part 2.1 (Inner Condition 2.1/Identity Store A)
Authentication inner part 2.2 (Inner Condition 2.2/Identity Store A)
Authentication inner part 2.3 (Inner Condition 2.3/Identity Store A)
Authentication inner 2 Default (No conditions/Identity Store B)
Exception 1
Authorization Policy (container)
Authorization Rule 1
Authorization Rule 2
Default Authentication outer part 3 (Outer Condition 3/Allowed Protocol C)
Authentication Policy (container)
Authentication inner 3 Default (No conditions/Identity Store B)
Exception 1
Authorization Policy (container)
Authorization Rule 1
Authorization Rule 2
Default (No conditions/Allowed Protocol A)
Authentication Policy (container)
Default Authentication Rule (No conditions/Identity Store C)
Exception 1
Authorization Policy (container)
Authorization Rule 1
Authorization Rule 2
Policy Set Changes
When upgrading to Cisco ISE 2.3 or later from previous versions, the new policy sets appear differently than older ISE versions
as described here, however, the behavior remains the same.
The following images illustrate the changes in the Policy Sets after upgrade to Cisco ISE 2.3 or above.
Figure 1. Before ISE 2.3 - Policy Sets
Figure 2. From ISE 2.3 - Policy Sets
The policies from ISE 2.2 and earlier versions are converted to the new policy model. There are two separate scenarios based
on the allowed protocols that are assigned to the authentication rules.
If all the “outer parts” in a single policy set are assigned the same allowed protocol, all original policy sets are converted
as follows:
All the “outer parts” are converted to a single policy set in the new policy model. The new policy set has the same name as
that of the original policy set. For example, if the policy set was named “All Employees” in the old model, it will be called
“All Employees” in the new model as well.
The following table demonstrates the conversion for an old policy set that contains authentication rules which use the same
allowed protocol (Scenario 1). In the table, each line is in the following format:
Name (Condition/Results)
For example, for Authentication outer part 1 (Outer Condition/Allowed Protocol A):
Name: Authentication outer part 1
Condition: Outer Condition
Results: Allowed Protocol A
Table 3. Conversion of Policy Sets Using Same Allowed Protocol
Old policy set from Cisco ISE 2.2 or earlier
New policy sets after upgrade to Cisco ISE 2.3 or later
Policy Set A (Condition A/No results)
Authentication outer part 1 (Outer Condition 1/Allowed Protocol A)
Authentication inner part 1.1 (Inner Condition 1.1/Identity Store A)
Authentication inner part 1.2 (Inner Condition 1.2/Identity Store A)
Authentication inner part 1.3 (Inner Condition 1.3/Identity Store A)
Authentication inner 1 Default (No conditions/Identity Store B)
Authentication outer part 2 (Outer Condition 2/Allowed Protocol A)
Authentication inner part 2.1 (Inner Condition 2.1/Identity Store A)
Authentication inner part 2.2 (Inner Condition 2.2/Identity Store A)
Authentication inner part 2.3 (Inner Condition 2.3/Identity Store A)
Authentication inner 2 Default (No conditions/Identity Store B)
Authentication outer part 3 (Outer Condition 3/Allowed Protocol A)
Authentication inner 3 Default (No conditions/Identity Store B)
Default Authentication Outer Part (No conditions/Allowed Protocol A/Identity Store C)
Exception 1
Authorization Rule 1
Authorization Rule 2
Policy Set A (Condition A/Allowed Protocol A)
Authentication Policy (container)
Authentication outer part 1 - Authentication inner part 1.1 (Outer Condition 1 + Inner Condition 1.1/Identity Store A)
Authentication outer part 1 - Authentication inner part 1.2 (Outer Condition 1 + Inner Condition 1.2/Identity Store A)
Authentication outer part 1 - Authentication inner part 1.3 (Outer Condition 1 + Inner Condition 1.3/Identity Store A)
Authentication outer part 1 - Authentication inner 1 Default (Outer Condition 1/Identity Store B)
Authentication outer part 2 - Authentication inner part 2.1 (Outer Condition 2 + Inner Condition 2.1/Identity Store A)
Authentication outer part 2 - Authentication inner part 2.2 (Outer Condition 2 + Inner Condition 2.2/Identity Store A)
Authentication outer part 2 - Authentication inner part 2.3 (Outer Condition 2 + Inner Condition 2.3/Identity Store A)
Authentication outer part 2 - Authentication inner 2 Default (Outer Condition 2/Identity Store B)
Authentication outer part 3 - Authentication inner 3 Default (Outer Condition 3/Identity Store B)
Default Authentication Outer Part (No conditions/Identity Store C)
Exception 1
Authorization Policy (container)
Authorization Rule 1
Authorization Rule 2
The newly upgraded policy set contains a list of authentication rules that are converted by combining the outer and inner
conditions from the original policy set. Each new authentication rule that is created during conversion is named based on
the name of the old outer part with the suffix including the inner part name. For example, as in the table above, if the old
policy set is called "Policy Set A," one of its authentication "outer parts" is called Outer Part 1, and one of its authentication
"inner parts" is called Inner Part 1, then the newly created authentication rule is called "Outer Part 1 – Inner Part 1" within
Policy Set A. In the same manner, if the old policy set is called "All Employees" policy set, one of its authentication "outer
parts" is called London, and one of its authentication "inner parts" is called Wired - MAB, then the newly created authentication
rule is called "London – Wired-MAB" within the “All Employees” policy set. The Default outer part for the authentication policy
is converted as the default authentication rule. The system default policy rule appears as the last rule in the entire authentication
table, regardless of the other rules that were created, or converted, and this rule cannot be moved or deleted.
The conditions defined on the outer part (based on which the authentication rules are matched) are combined with the inner
part conditions (which indicate the identity store to be used for authentication). The new combined conditions are configured
in a single authentication rule within the policy set in the new model. A new individual rule within the policy set is created
for each separate outer part of the old policy set.
When there are two or more allowed protocols that are selected for the “outer parts” in a policy set, all original policy
sets are converted as follows:
Each “outer part” of each authentication rule within the old policy set is converted to a new, separate policy set in the
new model. This new policy set places the “conditions” from the same original “outer part” under the Authentication Policy
section in the new policy model.
The following table demonstrates the conversion for an old policy set from ISE 2.2 and previous versions to ISE 2.3 or later
(Scenario 2):
Table 4. Conversion of Policy Sets Using Different Allowed Protocols
Old policy set from Cisco ISE 2.2 or earlier
New policy sets after upgrade to Cisco ISE 2.3 or later
Policy Set A (Condition A/No results)
Authentication outer part 1 (Outer Condition 1/Allowed Protocol A)
Authentication inner part 1.1 (Inner Condition 1.1/Identity Store A)
Authentication inner part 1.2 (Inner Condition 1.2/Identity Store A)
Authentication inner part 1.3 (Inner Condition 1.3/Identity Store A)
Authentication inner 1 Default (No conditions/Identity Store B)
Authentication outer part 2 (Outer Condition 2/Allowed Protocol B)
Authentication inner part 2.1 (Inner Condition 2.1/Identity Store A)
Authentication inner part 2.2 (Inner Condition 2.2/Identity Store A)
Authentication inner part 2.3 (Inner Condition 2.3/Identity Store A)
Authentication inner 2 Default (No conditions/Identity Store B)
Authentication outer part 3 (Outer Condition 3/Allowed Protocol C)
Authentication inner 3 Default (No conditions/Identity Store B)
Default Authentication Outer Part (No conditions/Allowed Protocol A/Identity Store C)
Exception 1
Authorization Rule 1
Authorization Rule 2
Policy Set A - Authentication outer part 1 (Condition A + Outer condition 1/Allowed Protocol A)
Authentication Policy (container)
Authentication inner part 1.1 (Inner Condition 1.1/Identity Store A)
Authentication inner part 1.2 (Inner Condition 1.2/Identity Store A)
Authentication inner part 1.3 (Inner Condition 1.3/Identity Store A)
Authentication inner 1 Default (No conditions/Identity Store B)
Exception 1
Authorization Policy (container)
Authorization Rule 1
Authorization Rule 2
Policy Set A - Authentication outer part 2 (Condition A + Outer condition 2/Allowed Protocol B)
Authentication Policy (container)
Authentication inner part 2.1 (Inner Condition 2.1/Identity Store A)
Authentication inner part 2.2 (Inner Condition 2.2/Identity Store A)
Authentication inner part 2.3 (Inner Condition 2.3/Identity Store A)
Authentication inner 2 Default (No conditions/Identity Store B)
Exception 1
Authorization Policy (container)
Authorization Rule 1
Authorization Rule 2
Policy Set A - Default Authentication outer part 3 (Condition A + Outer Condition 3/Allowed Protocol C)
Authentication Policy (container)
Authentication inner 3 Default (No conditions/Identity Store B)
Exception 1
Authorization Policy (container)
Authorization Rule 1
Authorization Rule 2
Policy Set A - Default (Condition A/Allowed Protocol A)
Authentication Policy (container)
Default Authentication Rule (No conditions/Identity Store C)
Exception 1
Authorization Policy (container)
Authorization Rule 1
Authorization Rule 2
Each new policy set that is created during conversion is named based on the name of the old policy set from which it was extracted
with the suffix including the outer part name. For example, as in the table above, if the old policy set is called “Policy
Set A” and one of its authentication “outer parts” is called Outer Part 1, then the newly created policy set is called “Policy
Set A – Outer Part 1.” In the same manner, if the old policy set is called “London” and one of its authentication “outer parts”
is called Wired MAB, then the newly created policy set is called “London – Wired MAB.”
The Default outer part for each old policy set is also converted to a new policy set as are all the other outer parts, for
example “London – Default”. The system default policy set appears as the last policy set in the entire table, regardless of
the other policy sets that were created or converted, and cannot be moved or deleted.
The conditions that are defined on the top level of the old policy set are combined with the outer authentication part conditions,
which are designed to select the correct allowed protocol. The new combined conditions are configured in the top level rule
for each new policy set in the new model. A new individual policy set is created for each outer part of each old policy set.
Authorization Rule/Exception Changes
Authorization rules, and global and local exceptions, are also maintained from within the policy sets now. All authorization
rules and exceptions within the old policy set are applied to all the new policy sets resulting from the authentication policy
rule conversion as well. The authorization policy changes are applicable for all the policy sets that are upgraded, regardless
of the allowed protocols configured on the outer parts.
Policy Sets Evaluation
The policy sets in the new interface are checked for matches according to the order in which they appear in the Policy Set
table. For example, if the old “London” policy set has three outer parts with different statuses before conversion, and the
old “New York” set contains only the Default outer part, then the table in the new Policy Set interface appears with the new
policy sets and the system default policy set in the following order:
Policy Set Name
London – Wired MAB
London – Wireless MAB
London – Default
New York - Default
Default
If the first two sets don’t match, then the system checks “London –Default”. If “London – Default” does not match, then the
system checks “New York – Default”. The system only uses “Default” as the policy if “New York – Default” also does not match.
The same logic is used to match and select the correct authentication and then the correct authorization rules, beginning
from the top of each table and checking each rule until a match is found. The default rule is used, if no other rule is matched.
Status of the Newly Converted Policy Sets
While converting policy sets that use different Allowed Protocols for the authentication rules, the statuses of the newly
converted policy sets are determined based on the status of old policy sets and the status of the “outer part” of the old
policy sets, as follows:
Status of the old policy set
Status of “outer part” of the old policy set
Status of the new policy set
Disable
Disable
Disable
Disable
Monitor
Disable
Disable
Enable
Disable
Monitor
Disable
Disable
Monitor
Monitor
Monitor
Monitor
Enable
Monitor
Enable
Disable
Disable
Enable
Monitor
Monitor
Enable
Enable
Enable
Status of the Newly Converted Authentication Rules
While converting policy sets that use same Allowed Protocols for the authentication rules, the status of the newly converted
authentication rule is determined based on the status of the "outer part" of the old authentication rule and the status of
the “inner part” of the corresponding old authentication rule, as follows:
Status of "Outer Part" of Old Authentication Rule
Status of “Inner Part” of Corresponding Old Authentication Rule
Status of the Converted Authentication Rule
Disable
Disable
Disable
Disable
Monitor
Disable
Disable
Enable
Disable
Monitor
Disable
Disable
Monitor
Monitor
Monitor
Monitor
Enable
Monitor
Enable
Disable
Disable
Enable
Monitor
Monitor
Enable
Enable
Enable
Authentication Policies
Each policy set can contain multiple authentication rules that together represent the authentication policy for that set.
Priority of the authentication policies is determined based on the order to those policies as they appear within the policy
set itself (from the Set view page in the Authentication Policy area).
Cisco ISE dynamically chooses the network access service (either an allowed protocol a server sequence) based on the settings
configured on the policy set level, and thereafter checks the identity sources and results from the authentication and authorization
policy levels. You can define one or more conditions using any of the attributes from the Cisco ISE dictionary. Cisco ISE
allows you to create conditions as individual policy elements that can be stored in the Library and then can be reused for
other rule-based policies.
The identity method, which is the result of the authentication policy, can be any one of the following:
Deny access—Access to the user is denied and no authentication is performed.
Identity database—A single identity database that can be any one of the following:
Identity source sequences—A sequence of identity databases that is used for authentication.
The default policy set implemented at initial Cisco ISE installation includes the default ISE authentication and authorization
rules. The default policy set also includes additional flexible built-in rules (that are not defaults) for authentication
and authorization. You can add additional rules to those policies and you can delete and change the built-in rules but you
cannot remove the default rules and you cannot remove the default policy set.
Authentication Policy Flow
In authentication policies, you can define multiple rules, which consist of conditions and results. ISE evaluates the conditions
that you have specified and based on the result of the evaluation, assigns the corresponding results. The identity database
is selected based on the first rule that matches the criteria.
You can also define an identity source sequence consisting of different databases. You can define the order in which you want
Cisco ISE to look up these databases. Cisco ISE will access these databases in sequence until the authentication succeeds.
If there are multiple instances of the same user in an external database, the authentication fails. There can only be one
user record in an identity source.
We recommend that you use only three, or at most four databases in an identity source sequence.
Figure 3. Authentication Policy Flow
Authentication Failures—Policy Result Options
If you choose the identity method as deny access, a reject message is sent as a response to the request. If you choose an
identity database or an identity source sequence and the authentication succeeds, the processing continues to the authorization
policy configured for the same policy set. Some of the authentications fail and these are classified as follows:
Authentication
failed—Received explicit response that authentication has failed such as bad
credentials, disabled user, and so on. The default course of action is reject.
User not found—No such user
was found in any of the identity databases. The default course of action is
reject.
Process failed—Unable to
access the identity database or databases. The default course of action is
drop.
Cisco ISE allows you to
configure any one of the following courses of action for authentication
failures:
Reject—A reject response is
sent.
Drop—No response is sent.
Continue—Cisco ISE continues
with the authorization policy.
Even when you choose the
Continue option, there might be instances where Cisco ISE cannot continue
processing the request due to restrictions on the protocol that is being used.
For authentications using PEAP, LEAP, EAP-FAST, EAP-TLS, or RADIUS MSCHAP, it
is not possible to continue processing the request when authentication fails or
user is not found.
When authentication fails, it is possible to continue to process
the authorization policy for PAP/ASCII and MAC authentication bypass (MAB or
host lookup). For all other authentication protocols, when authentication
fails, the following happens:
Authentication failed—A
reject response is sent.
User or host not found—A
reject response is sent.
Process failure—No response
is sent and the request is dropped.
Configure Authentication Policies
Define an authentication policy per policy set by configuring and maintaining multiple authentication rules, as necessary.
Before you begin
To perform the following
task, you must be a Super Admin or Policy Admin.
Procedure
Step 1
For network access policies, choose Work Centers > Network Access > Policy Sets. For device administration policies, choose Work Centers > Device Administration > Device Admin Policy Sets.
Step 2
From the row for the policy set from which you would like to add or update an authentication policy, click from the View column in the Policy Sets table, in order to access all of the policy set details and to create authentication
and authorization policies as well as policy exceptions.
Step 3
Click the arrow icon next to the Authentication Policy part of the page to expand and view all of the Authentication Policy
rules in the table.
Step 4
From the Actions column on any row, click the cog icon. From the dropdown menu, insert a new authentication policy rule by selecting any of
the insert or duplicate options, as necessary.
A new row appears in the Authentication Policy table.
Step 5
From the Status column, click the current Status icon and from the dropdown list update the status for the policy set as necessary. For more information about status, seeAuthentication Policy Configuration Settings .
Step 6
For any rule in the table, click in the Rule Name or Description cells to make any free-text changes necessary.
Step 7
To add or change conditions, hover over the cell in the Conditions column and click . The Conditions Studio opens. For more information, see Policy Conditions.
Not all attributes you select will include the “Equals”, “Not Equals", "In", "Not In", “Matches", “Starts With" or “Not Starts
With” operator options.
The “Matches” operator supports and uses regular expressions (REGEX) not wildcards.
Note
You must use the “equals” operator for straight forward comparison. “Contains” operator can be used for multi-value attributes.
“Matches” operator should be used for regular expression comparison. When “Matches” operator is used, regular expression will
be interpreted for both static and dynamic values. In case of lists, the "in" operator checks whether a particular value exists
in a list. In case of a single string the "in" operator checks whether the strings are same like the "equals" operator.
Step 8
Organize the policies within the table according to the order by which they are to be checked and matched. To change the order
of the rules, drag and drop the rows in to their correct position.
Step 9
Click Save to save and implement your changes.
What to do next
Configure authorization policies
Authentication Dashlet
The Cisco ISE dashboard provides a summary of all authentications that take place in your network and for your devices. It
provides at-a-glance information about authentications and authentication failures in the Authentications dashlet.
The RADIUS Authentications dashlet provides the following statistical information about the authentications that Cisco ISE has handled:
The total number of RADIUS
authentication requests that Cisco ISE has handled, including passed
authentications, failed authentications, and simultaneous logins by the same
user.
The total number of failed
RADIUS authentications requests that Cisco ISE has processed.
You can also view a summary of TACACS+ authentications. The TACACS+ Authentications dashlet provides statistical information
for device authentications.
For more information about device administration authentications,
see TACACS Live Logs. For additional information about RADIUS Live Logs settings,
see RADIUS Live Logs.
Cisco ISE provides various
ways to view real-time authentication summary.
Before you begin
To perform the following
task, you must be a Super Admin or System Admin.
Procedure
Step 1
For network authentications (RADIUS), choose Operations > RADIUS > Live Logs or for device authentications (TACACS), choose Operations > TACACS > Live Logs to view the real-time authentication summaries.
Step 2
You can view the authentication summary in the following ways:
Hover your mouse cursor over the Status icon to view the results of the authentication and a brief summary. A pop-up with
status details appears.
Enter your search criteria in any one or more of the text boxes that appear at the top of the list, and press Enter, to filter your results.
Click the magnifier icon in the Details column to view a detailed report.
Note
As the Authentication Summary report or dashboard collects and displays the latest data corresponding to failed or passed authentications, the contents
of the report appear after a delay of a few minutes.
Authentication Reports and Troubleshooting Tools
Apart from the authentication details, Cisco ISE provides various reports and troubleshooting tools that you can use to efficiently
manage your network.
There are various reports that you can run to understand the authentication trend and traffic in your network. You can generate
reports for historical as well as current data. The following is a list of authentication reports:
AAA Diagnostics
RADIUS Accounting
RADIUS Authentication
Authentication Summary
Note
You must enable IPv6 snooping on Cisco Catalyst 4000 Series switches, otherwise IPv6 address will not be mapped to the authentication
sessions and will not be displayed in the show output. Use the following commands to enable IPv6 snooping:
Authorization policies are a component of the Cisco ISE network authorization service. This service allows you to define authorization
policies and configure authorization profiles for specific users and groups that access your network resources.
Authorization policies can contain conditional requirements that combine one or more identity groups using a compound condition
that includes authorization checks that can return one or more authorization profiles. In addition, conditional requirements
can exist apart from the use of a specific identity group.
Authorization profiles are used when creating authorization policies in Cisco ISE. An authorization policy is composed of
authorization rules. Authorization rules have three elements: name, attributes, and permissions. The permission element maps
to an authorization profile.
Cisco ISE Authorization Profiles
Authorization policies associate rules with specific user and group identities to create the corresponding profiles. Whenever
these rules match the configured attributes, the corresponding authorization profile that grants permission is returned by
the policy and network access is authorized accordingly.
For example, authorization
profiles can include a range of permissions that are contained in the following
types:
Standard profiles
Exception profiles
Device-based profiles
Profiles consist of attributes chosen from a set of resources, which are stored in any of the available vendor dictionaries,
and these are returned when the condition for the specific authorization policy matches. Because authorization policies can
include
condition mapping to a single network service rule, these can also include a list of authorization checks.
authorization verifications must comply with the authorization profiles to be returned. Authorization verifications typically
comprise one or more conditions, including a user-defined name that can be added to a library, which can then be reused by
other authorization policies.
Permissions for Authorization Profiles
Before you start configuring
permissions for authorization profiles, make sure you:
Understand the relationship between authorization policies and profiles.
Are familiar with the Authorization Profile page.
Know the basic guidelines to follow when configuring policies and profiles.
Understand what comprises permissions in an authorization profile.
To work with authorization profiles, choose Policy > Policy Elements > Results. From the menu on the left, choose Authorization > Authorization Profiles.
Use the Results navigation pane as your starting point in the process for displaying, creating, modifying, deleting, duplicating, or searching
policy element permissions for the different types of authorization profiles on your network. The Results pane initially displays Authentication, Authorization, Profiling, Posture, Client Provisioning, and Trustsec options.
Authorization profiles let you choose the attributes to be returned when a RADIUS request is accepted. Cisco ISE provides
a mechanism where you can configure Common Tasks Settings to support commonly used attributes. You must enter the value for Common Tasks Attributes, which Cisco ISE translates to the underlying RADIUS values.
Cisco ISE integrates
with Cisco Mobility Services Engine (MSE) to introduce physical location-based
authorization. Cisco ISE uses information from MSE to provide differentiated
network access based on the actual location of the user, as reported by MSE.
With this feature, you
can use the endpoint location information to provide network access when a user
is in an appropriate zone. You can also add the endpoint location as an
additional attribute for policies to define more granulated policy
authorization sets based on device location. You can configure conditions
within authorization rules that use location-based attributes, for example:
You can define the
location hierarchy (campus/building/floor structure) and configure the secure
and non-secure zones using the Cisco Prime Infrastructure application. After
defining the location hierarchy, you must synchronize the location hierarchy
data with the MSE servers. For more information on Cisco Prime Infrastructure,
see:
http://www.cisco.com/c/en/us/support/cloud-systems-management/prime-infrastructure/products-user-guide-list.html.
You can add one or
multiple MSE instances to integrate MSE-based location data to the
authorization process. You can retrieve the location hierarchy data from these
MSEs and configure location-based authorization rules using this data.
To track the endpoint
movement, check the Track Movement check box while creating an authorization
profile. Cisco ISE will query the relevant MSE for the endpoint location every
5 minutes to verify if the location was changed.
Add an MSE server
Before you begin
To perform the
following task, you must be a Super Admin or System Admin.
Enter the MSE
server details, such as server name, hostname/IP address, password, and so on.
Step 4
Click
Test to test
MSE connectivity using the server details that you have provided.
Step 5
(Optional)
Enter the MAC address of an endpoint in the
Find
Location field and click
Find to
check whether the endpoint is currently connected to this MSE.
If the endpoint location is found, it is displayed in the
following format:
Campus:Building:Floor:Zone. Sometimes, more than one entry can
be displayed depending on the location hierarchy and zone settings. For
example, if all the floors of a building (building1) in a campus named
Campus1 are defined as non-secure zones, and the Lab Area in
the first floor is defined as a secure zone, the following entries will be
displayed when the endpoint is located in the Lab Area:
Found in:
Campus1#building1#floor1#LabArea
Campus1#building1#floor1#NonSecureZone
Step 6
Click
Submit.
After a
new MSE is added, go to the Location Tree page and click
Get Update to retrieve its location hierarchy and add it to
the Location Tree. If there are filters defined on this tree, these filters are
applied on the new MSE entries as well.
Location
Tree
The Location Tree is created by using the location data retrieved from the MSE instances. To view the Location Tree, choose Administration > Network Resources > Location Services > Location Tree.
If one building has
multiple MSEs, Cisco ISE will collate the location details from all the MSEs
and present them as a single tree.
You can select the location entries that are exposed to the authorization policy by using the Location Tree. You can also
hide specific locations based on your requirements. It is recommended to update the Location Tree before hiding locations.
Hidden locations will remain hidden even when the tree is updated.
If the location
entries related to an authorization rule are modified or removed, you must
disable the affected rules and set these locations as Unknown or select a
replacement location for each affected rule. You must verify the new tree
structure before applying the change or canceling the update.
Click
Get Update to get the latest location hierarchy structure from all
MSEs. After verifying the new tree structure, click Save to apply your changes.
Downloadable ACLs
Access control lists (ACLs) are lists of access control entries (ACEs), which may be applied by a Policy Enforcement Point
(for example, a switch) to a resource. Each ACE identifies the permissions allowed per user for that object, such as read,
write, execute and more. For example, an ACL may be configured for use the Sales area of the network, with an ACE allowing
Write permissions for the Sales group and a separate ACE allowing Read permissions for all other employees of the organization.
With RADIUS protocol, ACLs grant authorization by filtering source and destination IP addresses, transport protocols, and
additional parameters. Static ACLs reside on and are directly configured from the switch and can be applied in your authorization
policies from the ISE GUI; downloadable ACLs (DACLs) can be configured, managed and applied in your authorization policies
from the ISE GUI.
To implement DACLs in your network authorization policy in ISE:
Configure a new or existing authorization profile from Policy > Policy Elements > Results > Authorization Profiles, using any of the DACLs you already configured.
Implement the authorization profiles you have configured when creating and configuring new and existing policy sets from Policy > Policy Sets.
Configure Permissions for Downloadable ACLs
With ISE, downloadable ACLs (DACLs) can be configured and implemented in your authorization policies for control of how the
network is accessed by different users and groups of users. Default authorization DACLs are available with installation of
ISE, including the following default profiles:
DENY_ALL_TRAFFIC
PERMIT_ALL_TRAFFIC
When working with DACLs, these defaults cannot be changed, but you can duplicate them in order to create additional, similar,
DACLs.
Click Add from the top of the Downloadable ACLs table or alternatively, choose any of the existing DACLs and click Duplicate from the top of the table.
Step 3
Enter or edit the desired values for the DACL, keeping in mind the following rules:
Supported characters for the name field are: alphanumeric, hyphen(-), dot( .) and underscore( _ )
The keyword Any must be the source in all ACEs in the DACL. Once the DACL is pushed, the Any in the source is replaced with the IP address of the client that is connecting to the switch.
Note
The IP Version field is noneditable when DACL is mapped to any authorization profile. In this case, remove the DACL reference from Authorization Profiles, edit the IP version and remap the DACL in Authorization Profiles.
Step 4
Optionally, when you finish creating the complete list of ACEs, click Check DACL Syntax to validate the list. If there are validation errors, the check returns specific instructions identifying the invalid syntax
in the window that opens automatically.
Step 5
Click
Submit.
Machine Access Restriction for Active Directory User
Authorization
Cisco ISE contains a Machine
Access Restriction (MAR) component that provides an additional means of
controlling authorization for Microsoft Active Directory-authentication users.
This form of authorization is based on the machine authentication of the
computer used to access the Cisco ISE network. For every successful machine
authentication, Cisco ISE caches the value that was received in the RADIUS
Calling-Station-ID attribute (attribute 31) as evidence of a successful machine
authentication.
Cisco ISE retains each
Calling-Station-ID attribute value in cache until the number of hours that was
configured in the “Time to Live” parameter in the Active Directory Settings
page expires. Once the parameter has expired, Cisco ISE deletes it from its
cache.
When a user authenticates
from an end-user client, Cisco ISE searches the cache for a Calling-Station-ID
value from successful machine authentications for the Calling-Station-ID value
that was received in the user authentication request. If Cisco ISE finds a
matching user-authentication Calling-Station-ID value in the cache, this
affects how Cisco ISE assigns permissions for the user that requests
authentication in the following ways:
If the Calling-Station-ID
value matches one found in the Cisco ISE cache, then the authorization profile
for a successful authorization is assigned.
If the Calling-Station-ID
value is not found to match one in the Cisco ISE cache, then the authorization
profile for a successful user authentication without machine authentication is
assigned.
Guidelines for Configuring Authorization Policies and
Profiles
Observe the following
guidelines when managing or administering authorization polices and profiles:
Rule names you create must
use only the following supported characters:
Symbols: plus (+), hyphen
(-), underscore (_), period (.), and a space ( ).
Alphabetic characters: A-Z
and a-z.
Numeric characters: 0-9.
Identity groups default to
“Any” (you can use this global default to apply to all users).
Conditions allow you to set one or more policy values. However, conditions are optional and are not required to create an
authorization policy. These are the two methods for creating conditions:
Choose an existing condition
or attribute from a corresponding dictionary of choices.
Create a custom condition
that allows you to select a suggested value or use a text box to enter a custom
value.
Condition names you create
must use only the following supported characters:
Symbols: hyphen (-),
underscore (_), and period (.).
Alphabetic characters: A-Z
and a-z.
Numeric characters: 0-9.
Permissions are important
when choosing an authorization profile to use for a policy. A permission can
grant access to specific resources or allow you to perform specific tasks. For
example, if a user belongs to a specific identity group (such as Device
Admins), and the user meets the defined conditions (such as a site in Boston),
then this user is granted the permissions associated with that group (such as
access to a specific set of network resources or permission to perform a
specific operation on a device).
When you use the radius attribute Tunnel-Private-Group-ID in an authorization condition, you must mention both the tag and the value in the condition when the EQUALS operator is being used, for example:
Tunnel-Private-Group-ID EQUALS (tag=0) 77
Note
As of Cisco ISE 1.4, ANC replaces Endpoint Protection Services (EPS). ANC provides additional classifications, and performance
improvements. While using ERS attributes in a policy might still work for some ANC actions some of the time, you should use
ANC attributes. For example, Session:EPSStatus=Quarantine may fail. Use Session:ANCPolicy as a condition in a policy.
Configure Authorization Policies
After creating attributes and building blocks for authorization policies from the Policy menu, create authorization policies
within policy sets from the Policy Sets menu.
Before you begin
Before you begin this procedure, you should have a basic understanding of the different building blocks used to create authorization
policies such as identify groups and conditions.
Procedure
Step 1
For network access policies, choose Work Centers > Network Access > Policy Sets. For device administration policies, choose Work Centers > Device Administration > Device Admin Policy Sets.
Step 2
From the View column, click to access all of the policy set details and to create authentication and authorization policies as well as policy exceptions.
Step 3
Click the arrow icon next to the Authorization Policy part of the page to expand and view the Authorization Policy table.
Step 4
From the Actions column on any row, click the cog icon. From the dropdown menu, insert a new authorization policy rule by selecting any of
the insert or duplicate options, as necessary.
A new row appears in the Authorization Policy table.
Step 5
To set the status for a policy, click the current Status icon and from the dropdown list select the necessary status from the Status column. For more information about statuses, see Authorization Policy Settings.
Step 6
For any policy in the table, click in the Rule Name cells to make any free-text changes necessary and to create a unique rule name.
Step 7
To add or change conditions, hover over the cell in the Conditions column and click . The Conditions Studio opens. For more information, see Policy Conditions.
Not all attributes you select will include the “Equals”, “Not Equals", "In", "Not In", “Matches", “Starts With" or “Not Starts
With” operator options.
The “Matches” operator supports and uses regular expressions (REGEX) not wildcards.
Note
You must use the “equals” operator for straight forward comparison. “Contains” operator can be used for multi-value attributes.
“Matches” operator should be used for regular expression comparison. When “Matches” operator is used, regular expression will
be interpreted for both static and dynamic values. In case of lists, the "in" operator checks whether a particular value exists
in a list. In case of a single string the "in" operator checks whether the strings are same like the "equals" operator.
Step 8
For network access results profiles, select the relevant authorization profile from the Results Profiles dropdown list or choose or click , choose Create a New Authorization Profile and when the Add New Standard Profile screen opens, perform the following steps:
Enter values as required to configure a new authorization profile. Keep the following in mind:
Supported characters for the name field are: space, ! # $ % & ‘ ( ) * + , - . / ; = ? @ _ {.
You can double-check the authorization profile RADIUS syntax from the Attributes Details that dynamically appear at the bottom of the screen.
Click Save to save your changes to the Cisco ISE system database to create an authorization profile.
To create, manage, edit, and delete profiles outside of the Policy Sets area, choose Policy > Policy Elements > Results > Authorization > Authorization Profiles.
Step 9
For network access results security groups, select the relevant security group from the Results Security Groupsdropdown list or click , choose Create a New Security Group and when the Create New Security Group screen opens, perform the following steps:
Enter a name and description (optional) for the new security group.
Check the Propagate to ACI check box if you want to propagate this SGT to Cisco ACI. The SXP mappings that are related to this SGT will be propagated
to Cisco ACI only if they belong to a VPN that is selected in the Cisco ACI Settings page.
This option is disabled by default.
Enter a Tag Value. Tag value can be set to be entered manually or autogenerate. You can also reserve a range for the SGT.
You can configure it from the General TrustSec Settings page (Work Centers > TrustSec > Settings > General TrustSec Settings).
For TACACS+ results, select the relevant Command Sets and Shell Profiles from the Results drop-down lists or click in the Command Sets or Shell Profiles column to open the Add Commands Screen or Add Shell Profile respectively. Choose Create a New Command Set or Create a New Shell Profile and enter the fields.
Step 11
Organize the order by which the policies are to be checked and matched within the table.
Step 12
Click Save to save your changes to the Cisco ISE system database and create this new authorization policy.
Authorization Policy Exceptions
Within each policy set, you can define regular authorization policies, as well as local exception rules (defined from the
Authorization Policy Local Exceptions part in the Set view for each policy set) and global exception rules (defined from the
Authorization Policy Global Exceptions part in the Set view for each policy set) .
Global authorization exception policies enable you to define rules that override all authorization rules in all of your policy
sets. Once you configure a global authorization exception policy, it is added to to all policy sets. Global authorization
exception policies can then be updated from within any of the currently configured policy sets. Every time you update a global
authorization exception policy, those updates are applied to all policy sets.
The local authorization exception rule overwrites the global exception rule. The authorization rules are processed in the
following order: first the local exception rule, then the global exception rule, and finally, the regular rule of the authorization
policy.
Authorization exception policy rules are configured identically to authorization
policy rules. For information about authorization policies, see Configure Authorization Policies.
Note
Cisco ISE does not support the use of % character in the authorization policies
to avoid security issues.
Policy Conditions
Cisco ISE uses rule-based policies to provide network access. A policy is a set of rules and results, where the rules are
made up of conditions. Cisco ISE allows you to create conditions as individual policy elements that can be stored in the system
library and then reused for other rule-based policies from the Conditions Studio.
Conditions can be as simple or complex as necessary using an operator (equal to, not equal to, greater than, and so on), and
a value, or by including multiple attributes, operators and complex hierarchies. At runtime, Cisco ISE evaluates a policy
condition and then applies the result that you have defined based on whether the policy evaluation returns a true or a false
value.
After you create a condition and assign it a unique name, you can reuse this condition multiple times across various rules
and policies by selecting it from the Conditions Studio Library, for example:
Network Conditions.MyNetworkCondition EQUALS true
You cannot delete conditions from the Condition Studio that are used in a policy or are part of another condition.
Each condition defines a list of objects that can be included in policy conditions, resulting in a set of definitions that
are matched against those presented in the request.
You can use the operator, EQUALS true, to check if the network condition evaluates to true (whether the value presented in the request matches at least one entry
within the network condition) or EQUALS false to test whether the network condition evaluates to false (does not match any entry in the network condition).
Cisco ISE also offers predefined smart conditions that you can use in your policies separately or as building blocks in your
own customized conditions, and which you can update and change based on your needs.
You can create the following unique network conditions to restrict access to the network:
Endstation Network Conditions—Based on endstations that initiate and terminate the connection.
Cisco ISE evaluates the remote address TO field (which is obtained based on whether it is a TACACS+ or RADIUS request) to
identity whether it is the IP address, MAC address, calling line identification (CLI), or dialed number identification service
(DNIS) of the endpoint.
In a RADIUS request, this identifier is available in Attribute 31 (Calling-Station-Id).
In a TACACS+ request, if the remote address includes a slash (/), the part before the slash is taken as the FROM value and
the part after the slash is taken as the TO value. For example, if a request has CLI/DNIS, CLI is taken as the FROM value
and DNIS is taken as the TO value. If a slash is not included, the entire remote address is taken as the FROM value (whether
IP address, MAC address, or CLI).
Device Network Conditions—Based on the AAA client that processes the request.
A network device can be identified by its IP address, device name that is defined in the network device repository, or Network
Device Group.
In a RADIUS request, if Attribute 4 (NAS-IP-Address) is present, Cisco ISE obtains the IP address from this attribute. If
Attribute 32 (NAS-Identifier) is present, Cisco ISE obtains the IP address from Attribute 32. If these attributes are not
found, it obtains the IP address from the packet that it receives.
The device dictionary (NDG dictionary) contains network device group attributes such as Location, Device Type, or other dynamically
created attributes that represent NDGs. These attributes contain the groups that the current device is related to.
Device Port Network Conditions—Based on the device's IP address, name, NDG, and port (physical port of the device that the
endstation is connected to).
In a RADIUS request, if Attribute 5 (NAS-Port) is present in the request, Cisco ISE obtains the value from this attribute.
If Attribute 87 (NAS-Port-Id) is present in the request, Cisco ISE obtains the request from Attribute 87.
In a TACACS+ request, Cisco ISE obtains this identifier from the port field of the start request (of every phase).
Dictionaries are domain-specific catalogs of attributes and allowed values that can be used to define access policies for
a domain. An individual dictionary is a homogeneous collection of attribute type. Attributes that are defined in a dictionary
have the same attribute type and the type indicates the source or context of a given attribute.
Attribute types can be one of the following:
MSG_ATTR
ENTITY_ATTR
PIP_ATTR
In addition to attributes and allowed values, a dictionary contains information about the attributes such as the name and
description, data type, and the default values. An attribute can have one of the following data types: BOOLEAN, FLOAT, INTEGER,
IPv4, IPv6, OCTET_STRING, STRING, UNIT32, and UNIT64.
Cisco ISE creates system dictionaries during installation and allows you to create user dictionaries.
Attributes are
stored in different system dictionaries. Attributes are used to configure
conditions. Attributes can be reused in multiple conditions.
To reuse a valid attribute when creating policy conditions,
select it from a dictionary that contains the supported attributes. For
example, Cisco ISE provides an attribute named AuthenticationIdentityStore,
which is located in the NetworkAccess dictionary. This attribute identifies the
last identity source that was accessed during the authentication of a user:
When a single identity
source is used during authentication, this attribute includes the name of the
identity store in which the authentication succeeded.
When an identity source
sequence is used during authentication, this attribute includes the name of the
last identity source accessed.
You can use the AuthenticationStatus attribute in combination
with the AuthenticationIdentityStore attribute to define a condition that
identifies the identity source to which a user has successfully been
authenticated. For example, to check for a condition where a user authenticated
using an LDAP directory (LDAP13) in the authorization policy, you can define
the following reusable condition:
If NetworkAccess.AuthenticationStatus EQUALS AuthenticationPassed AND NetworkAccess.AuthenticationIdentityStore EQUALS LDAP13
Note
The AuthenticationIdentityStore represents a text field that
allows you to enter data for the condition. Ensure that you enter or copy the
name correctly into this field. If the name of the identity source changes, you
must ensure to modify this condition to match the change to the identity
source.
To define conditions that are based on an endpoint identity
group that has been previously authenticated, Cisco ISE supports authorization
that was defined during endpoint identity group 802.1X authentication status.
When Cisco ISE performs 802.1X authentication, it extracts the MAC address from
the “Calling-Station-ID” field in the RADIUS request and uses this value to
look up and populate the session cache for the device's endpoint identity group
(defined as an endpointIDgroup attribute). This process makes the
endpointIDgroup attribute available for use in creating authorization policy
conditions, and allows you to define an authorization policy based on endpoint
identity group information using this attribute, in addition to user
information.
The condition for the endpoint identity group can be defined in
the ID Groups column of the authorization policy configuration page. Conditions
that are based on user-related information need to be defined in the “Other
Conditions” section of the authorization policy. If user information is based
on internal user attributes, then use the ID Group attribute in the internal
user dictionary. For example, you can enter the full value path in the identity
group using a value like “User Identity Group:Employee:US”.
Supported
Dictionaries for Network Access Policies
Cisco ISE supports the
following system-stored dictionaries that contain the different attributes
necessary when building conditions and rules for your authentication and
authorization policies:
System-defined dictionaries
CERTIFICATE
DEVICE
RADIUS
RADIUS vendor dictionaries
Airespace
Cisco
Cisco-BBSM
Cisco-VPN3000
Microsoft
Network access
For authorization policy
types, the verification configured in the condition must comply with the
authorization profiles to be returned.
Verifications typically
include one or more conditions that include a user-defined name that can then
be added to a library and reused by other policies.
The following
sections describe the supported attributes and dictionaries available for
configuring conditions.
Attributes
Supported by Dictionaries
The table lists the fixed
attributes that are supported by dictionaries, which can be used in policy
conditions. Not all of these attributes are available for creating all types of
conditions.
For example, while creating a
condition to choose the access service in authentication policies, you will
only see the following network access attributes: Device IP Address, ISE Host
Name, Network Device Name, Protocol, and Use Case.
You can use the
attributes listed in the following table in policy conditions.
Dictionary
Attributes
Allowed Protocol Rules and
Proxy
Identity Rules
Device
Device Type (predefined
network device group)
Yes
Yes
Device Location (predefined
network device group)
Other Custom Network Device
Group
Software Version
Model Name
RADIUS
All attributes
Yes
Yes
Network Access
ISE Host Name
Yes
Yes
AuthenticationMethod
No
Yes
AuthenticationStatus
No
No
CTSDeviceID
No
No
Device IP Address
Yes
Yes
EapAuthentication (the EAP
method that is used during authentication of a user of a machine)
No
Yes
EapTunnel (the EAP method
that is used for tunnel establishment)
No
Yes
Protocol
Yes
Yes
UseCase
Yes
Yes
UserName
No
Yes
WasMachineAuthenticated
No
No
Certificate
Common Name
No
Yes
Country
E-mail
LocationSubject
Organization
Organization Unit
Serial Number
State or Province
Subject
Subject Alternative Name
Subject Alternative Name -
DNS
Subject Alternative Name -
E-mail
Subject Alternative Name -
Other Name
Subject Serial Number
Issuer
Issuer - Common Name
Issuer - Organization
Issuer - Organization Unit
Issuer - Location
Issuer - Country
Issuer - Email
Issuer - Serial Number
Issuer - State or Province
Issuer - Street Address
Issuer - Domain Component
Issuer - User ID
Navigate the Conditions Studio
Use the Conditions Studio to create, manage and re-use conditions. Conditions can include more than one rule, and can be built
with any complexity including only one level, or multiple hierarchical levels. When using the Conditions Studio to create
new conditions, you can use the condition blocks that you have already stored in the Library and you can also update and change
those stored condition blocks. While creating and managing conditions later, easily find the blocks and attributes that you
need by using quick category filters, and more.
For network access policies, choose Work Centers > Network Access > Policy Sets. For device administration policies, choose Work Centers > Device Administration > Device Admin Policy Sets.
To edit or change conditions that have already been applied to the specific rule in any of your policy sets, hover over the
cell in the Conditions column and click , or click the plus sign from the Conditions column in the Policy Set table in order to create a new condition, which you can then immediately apply to the same policy
set or alternatively you can also save in the Library for future use.
The following figure shows the main elements of the Conditions Studio.
Figure 4. Conditions Studio
The Condition Studio is divided into two main parts: the Library and the Editor. The Library stores condition blocks for reuse
while the Editor enables you to edit those saved blocks and create new ones.
The following table describes the different parts of the Conditions Studio:
Fields
Usage Guidelines
Library
Displays the list of all condition blocks that were created and saved in the ISE database for reuse. To use these condition
blocks as part of your currently edited condition, drag and drop them from the Library to the relevant level in the Editor
and update the operators as necessary.
Conditions stored in the Library are all represented by the Library icon , because conditions can be associated with more than one category.
Next to each condition in the Library you can also find the i icon. Hover over this icon to view a full description of the
condition, view the categories to which it is associated, and to delete the condition from the library entirely. You cannot
delete conditions if they are used by policies.
Drag and drop any of the Library conditions into the Editor in order to use it for the currently edited policy on its own
or as a building block for a more complex condition to be used in the current policy or saved as a new condition in the Library.
You can also drag and drop the condition in the Editor in order to make changes to that condition and then save it under the
same or a new name in the Library.
There are also predefined conditions upon installation. These conditions can also be changed and deleted.
Search and filter
Search conditions by name or filter them by category. In a similar manner, you can also search and filter attributes from
the Click to add an attribute field in the Editor. The icons on the toolbar represent different attribute categories such as subject, address and so forth.
Click an icon to view attributes related to the specific category and click a highlighted icon from the category toolbar in
order to deselect it, thereby removing the filter.
Conditions List
The complete list of all conditions in the Library, or the list of conditions in the Library based on the search or filter
results.
Editor
Create new conditions to use immediately as well as to save them in the system Library for future use, and edit existing conditions
and save those changes in the Library for immediate and future use.
When opening the Conditions Studio in order to create a new condition (click the plus sign from any of the policy set tables),
the Editor appears with only a single, empty, line to which you can add your first rule.
When the Editor opens with empty fields, no operator icons appear
The Editor is divided into different virtual columns and rows.
Columns represent different hierarchical levels, and each column is indented based on its position in the hierarchy; rows
represent individual rules. You can create single or multiple rules per level, and you can include multiple levels.
The example in the image above displays a condition that is in the process of being built or edited and includes a hierarchy
of rules, where both the first and second levels in the figure are marked with the number 5. The rules on the top parent level
use the operator OR.
In order to change the operator once you have selected it and created the hierarchical level, simply select the relevant option
from the dropdown list that appears in this column.
In addition to the operator dropdown list, each rule has a relevant icon in this column, indicating what category it belongs
to. If you hover over the icon, a tooltip indicates the name of the category.
Once saved to the library, all condition blocks are assigned the Library icon, replacing the category icons that appeared
in the Editor.
Finally, if a rule is configured to exclude all relevant matched items, then the Is-Not indicator also appears in this column. For example, if a location attribute with
the value London is set to Is-Not then all devices from London will be denied access.
This area displays the options available when working with hierarchical levels as well as multiple rules within a condition.
When you hover over any column or row the relevant actions appear. When you select an action, it is applied to that section
and all of the children sections. For example, with five levels in Hierarchy A, if you choose AND from any rule in the third
level, then a new hierarchy, Hierarchy B, is created under the original rule so that the original rule becomes the parent
rule for Hierarchy B, which is embedded in Hierarchy A.
When you first open the Condition Studio in order to create a new condition from scratch, the Editor area includes only one
line for a single rule that you can configure, as well as the option to select relevant operators or to drag and drop relevant
conditions from the Library.
Additional levels can be added to the condition with the AND and OR operator options. Choose New to create a new rule on the same level from which you clicked the option. The New option only appears once you have configured at least one rule on the top level of the hieararchy.
Configure, Edit and Manage Policy Conditions
Use the Conditions Studio to create, manage and re-use conditions. Conditions can include more than one rule, and can be built
with any complexity including only one level, or multiple hierarchical levels. Manage the condition hierarchy from the Editor
side of the Conditions Studio as in the following image:
Figure 5. Editor—Conditions Hierarchy
When creating new conditions, you can use the condition blocks that you have already stored in the Library and you can also
update and change those stored condition blocks. While creating and managing conditions, easily find the blocks and attributes
that you need by using quick category filters, and more.
When creating and managing condition rules, use attributes, operators and values.
Cisco ISE also includes predefined condition blocks for some of the most common use cases. You can edit these predefined conditions
to suit your requirements. Conditions saved for re-use, including the out-of-the-box blocks, are stored in the Library of
the Condition Studio, as described in this task.
To perform the following task, you must be a Super Admin or Policy Admin.
Access the Conditions Studio to create a new condition and to edit existing condition blocks, in order to then use those conditions
as part of the rules you configure for the specific policy set (and its associated policies and rules), or in order to save
to the Library for future use:
Click from the Conditions column in the Policy Set table on the main Policy Set page in order to create conditions that are relevant for the entire
policy set (conditions that are checked prior to matching authentication policy rules).
Alternatively, click from a specific policy set row in order to view the Set view, including all rules for authentication and authorization. From
the Set view, hover over the cell in the Conditions column from any of the rule tables and click to open the Conditions Studio.
If you are editing conditions that have already been applied to the policy set, then click to access the Conditions Studio.
The Conditions Studio opens. If you have opened it in order to create new conditions, then it appears as in the following
image. For a description of the fields and to see an example of the Conditions Studio when you have opened it to edit conditions
that were already applied to the policy set, see Navigate the Conditions Studio.
Figure 6. Conditions Studio—Creating a New Condition
Step 3
Use an existing condition block from the Library as a rule in the condition that you are creating or editing.
Filter by selecting the relevant category from the category toolbar—in the Library, all blocks that contain an attribute from
the selected category are displayed. Condition blocks that contain more than one rule but that use an attribute from the selected
category for at least one of those rules, are also displayed. If there are additional filters added, then the results displayed
include only condition blocks from the specific filter that also match the other filters that were included. For example,
if you select the Ports category from the toolbar and you also enter "auth" as free text in the Search by Name field, then all blocks related to ports with "auth" in their names are displayed. Click the highlighted icon again from the
category toolbar in order to deselect it, thereby removing that filter.
Search for condition blocks with free text—in the Search by Name free text field, enter any term, or part of a term, that appears in the name of the block for which you are searching. As
you type, the system dynamically searches for relevant results in real time. If no category is selected (none of the icons
are highlighted) then the results include condition blocks from all categories. If a category icon is already selected (the
displayed list is already filtered), then the results displayed include only blocks in the specific category that use the
specific text.
Once you find the condition block, drag it to the Editor and drop it in the correct level of the block that you are building.
If you drop it in the incorrect location, you can drag and drop it again from within the Editor, until it is placed correctly.
Hover over the block from the Editor and click Edit to change the rule, in order make changes relevant for the condition you are working on, to overwrite the rule in the Library
with those changes or alternatively to save the rule as a new block in the Library.
The block, which is read-only when dropped into the Editor can now be edited and has the same fields, structures, lists and
actions as all other customized rules in the Editor. Continue to the next steps for more information in editing this rule.
Step 4
Add an operator to the current level in order to then add additional rules on the same level—choose AND, OR or Set to 'Is not'. Set to 'Is not' can also be applied to individual rules.
Step 5
Create and edit rules using the attribute dictionaries—click in the Click to add an attribute field. The Attribute Selector opens as in the following image:
The parts of the Attribute Selector are as described in the following table:
Fields
Usage Guidelines
Attribute Category toolbar
Contains a unique icon for each of the different attribute categories. Choose any attribute category icon to filter the view
by category.
Click a highlighted icon in order to deselect it, thereby removing the filter.
Dictionary
Indicates the name of the dictionary in which the attribute is stored. Select a specific dictionary from the dropdown in order
to filter attributes by vendor dictionary.
Attribute
Indicates the name of the attribute. Filter attributes by typing free text for the attribute name in the available field.
As you type, the system dynamically searches for relevant results in real time.
ID
Indicates the unique attribute identification number. Filter attributes by typing the ID number in the available field. As
you type, the system dynamically searches for relevant results in real time.
Info
Hover the information icon on the relevant attribute row to view extra details about the attribute.
From the Attribute Selector search, filter and search for the attribute you need. When you filter or enter free text in any
part of the Attribute Selector, if there are no other filters activated, then the results include all attributes relevant
for the selected filter only. If more than one filter is used, then the search results that are displayed match all filters.
For example, if you click the Port icon from the toolbar and type "auth" in the Attribute column, then only attributes from
the Port category that have "auth" in their name are displayed. When you choose a category, the icon in the toolbar is highlighted
in blue and the filtered list is displayed. Click the highlighted icon again from the category toolbar in order to deselect
it, thereby removing the filter.
Choose the relevant attribute in order to add it to the rule.
The Attribute Selector closes and the attribute you selected is added to the Click to add an attribute field.
From the Equals dropdown list, select the relevant operator.
Not all attributes you select will include the “Equals,” “Not Equals,” “Matches,” “Starts With,” or “Not Starts With” operator
options.
The “Matches” operator supports and uses regular expressions (REGEX) not wildcards.
You must use the “equals” operator for straight forward comparison. “Contains” operator can be used for multi-value attributes.
“Matches” operator should be used for regular expression comparison. When “Matches” operator is used, regular expression will
be interpreted for both static and dynamic values.
From the Attribute value field do one of the following:
Type a free text value in the field
Select a value from the list that dynamically loads ( when relevant—depending on the attribute selected in the previous step)
Use another attribute as the value for the condition rule—choose the table icon next to the field in order to open the Attribute
Selector and then search, filter and select the relevant attribute. The Attribute Selector closes and the attribute you selected
is added to the Attribute value field.
Step 6
Save rules in the Library as a condition block.
Hover over the rule or hierarchy of rules that you would like to save as a block in the Library. The Duplicate and Save buttons appear for any rule or group of rules that can be saved as a single condition block. If you would like to save a
group of rules as a block, choose the action button from the bottom of the entire hierarchy in the blocked area for the entire
hierarchy.
Click Save. The Save condition screen pops up.
Choose:
Save to Existing Library Condition—choose this option to overwrite an existing condition block in the Library with the new
rule you have created and then select the condition block that you want to overwrite from the Select from list dropdown list.
Save as a new Library Condition—type a unique name in the Condition Name field for the block.
Optionally, enter a description in the Description field. This description appears when you hover over the info icon for any condition block from within the Library, enabling
you to quickly identify the different condition blocks and their uses.
Click Save to save the condition block in the Library.
Step 7
To create a new rule on a new child level—click AND or OR to apply the correct operator between the existing parent hierarchy and the child hierarchy that you are creating. A new
section is added to the Editor hierarchy with the selected operator, as a child of the rule or hierarchy from which you chose
the operator.
Step 8
To create a new rule on a a current existing level—click New from the relevant level. A new empty row appears for a new rule in the same level as the level from which you began.
Step 9
Click X to remove any condition from the Editor and all of its children.
Step 10
Click Duplicate to automatically copy and paste the specific condition within the hierarchy, thereby creating additional identical children
at the same level. You can duplicate individual rules with or without their children, depending on the level from which you
click the Duplicate button.
Step 11
Click Use from the bottom of the page to save the condition you created in the Editor and to implement that condition in your policy
set.
Special Network Access Conditions
This section describes unique conditions that can be useful when creating your policy sets. These conditions cannot be created
from the Conditions Studio and so have their own unique processes.
Enter a name
and description for the network condition.
Step 4
Enter the
following details:
IP
Addresses—You can add a list of IP addresses or subnets, one per line. The IP
address/subnet can be in IPv4 or IPv6 format.
Device
Name—You can add a list of device names, one per line. You must enter the same
device name that is configured in the Network Device object.
Device
Groups—You can add a list of tuples in the following order: Root NDG, comma,
and an NDG (that it under the root NDG). There must be one tuple per line.
Step 5
Click
Submit.
Configure Device
Port Network Condition
Procedure
Step 1
Choose Policy > Policy Elements > Conditions > Network Conditions > Device Port Network Conditions.
Step 2
Click
Add.
Step 3
Enter a name
and description for the network condition.
Step 4
Enter the
following details:
IP
Addresses—Enter the details in the following order: IP address or subnet,
comma, and a port (that is used by the device). There must be one tuple per
line.
Devices—
Enter the details in the following order: device name, comma, and a port. There
must be one tuple per line. You must enter the same device name that is
configured in the Network Device object.
Device
Groups— Enter the details in the following order: Root NDG, comma, NDG (that it
under the root), and a port. There must be one tuple per line.
Enter a name
and description for the network condition.
Step 4
Enter the
following details:
IP
Addresses—You can add a list of IP addresses or subnets, one per line. The IP
address/subnet can be in IPv4 or IPv6 format.
MAC
Addresses—You can enter a list of Endstation MAC addresses and Destination MAC
addresses, separated by a comma. Each MAC address must include 12 hexadecimal
digits and must be in one of the following formats: nn:nn:nn:nn:nn:nn,
nn-nn-nn-nn-nn-nn, nnnn.nnnn.nnnn, or nnnnnnnnnnnn.
If the
Endstation MAC or the Destination MAC is not required, use the token "-ANY-"
instead.
CLI/DNIS—You can add a list of Caller IDs (CLI) and Called IDs (DNIS),
separated by a comma. If the Caller ID (CLI) or the Called ID (DNIS) is not
required, use the token "-ANY-" instead.
Step 5
Click
Submit.
Create Time and Date Conditions
Use the Policy Elements Conditions page to display, create, modify, delete, duplicate, and search time and date policy element
conditions. Policy elements are shared objects that define a condition that is based on specific time and date attribute settings
that you configure.
Time and date conditions let you set or limit permission to access Cisco ISE system resources to specific times and days as
directed by the attribute settings you make.
Before you begin
To perform the following
task, you must be a Super Admin or Policy Admin.
Procedure
Step 1
Choose Policy > Policy Elements > Conditions > Common > Time and Date > Add.
Step 2
Enter appropriate values in
the fields.
In the Standard Settings
area, specify the time and date to provide access.
In the Exceptions area,
specify the time and date range to limit access.
Step 3
Click
Submit.
Use IPv6 Condition Attributes in Authorization Policies
Cisco ISE can
detect, manage, and secure IPv6 traffic from endpoints.
When an IPv6-enabled endpoint connects to the Cisco ISE network, it communicates with the Network Access Device (NAD) over
an IPv6 network. The NAD conveys the accounting and profiling information from the endpoint (including IPv6 values) to Cisco
ISE over an IPv4 network. You can configure authorization profiles and policies in Cisco ISE using the IPv6 attributes in
your rule conditions to process such requests from IPv6-enabled endpoints and ensure that the endpoint is compliant.
You can use wildcard characters in IPv6 prefix and IPv6 interface values. For example: 2001:db8:1234::/48.
Supported IPv6
address formats include:
Full notation:
Eight groups of four hexadecimal digits separated by colons. For example,
2001:0db8:85a3:0000:0000:8a2e:0370:7334
Shortened
notation: Exclude leading zeros in a group; replace groups of zeros with two
consecutive colons. For example: 2001:db8:85a3::8a2e:370:7334
Dotted-quad
notation (IPv4-mapped and IPv4 compatible-IPv6 addresses): For example,
::ffff:192.0.2.128
Supported IPv6
attributes include:
NAS-IPv6-Address
Framed-Interface-Id
Framed-IPv6-Prefix
Login-IPv6-Host
Framed-IPv6-Route
Framed-IPv6-Pool
Delegated-IPv6-Prefix
Framed-IPv6-Address
DNS-Server-IPv6-Address
Route-IPv6-Information
Delegated-IPv6-Prefix-Pool
Stateful-IPv6-Address-Pool
The following table lists Supported Cisco Attribute-Value pairs and their equivalent IETF attributes:
Cisco
Attribute-Value Pairs
IETF
Attributes
ipv6:addrv6=<ipv6 address>
Framed-ipv6-Address
ipv6:stateful-ipv6-address-pool=<name>
Stateful-IPv6-Address-Pool
ipv6:delegated-ipv6-pool=<name>
Delegated-IPv6-Prefix-Pool
ipv6:ipv6-dns-servers-addr=<ipv6 address>
DNS-Server-IPv6-Address
The RADIUS Live Logs page, RADIUS Authentication report, RADIUS Accounting report, Current Active Session report, RADIUS Error
report, Misconfigured NAS report, EPS Audit report, and Misconfigured Supplicant report support IPv6 addresses. You can view the details about these sessions from the RADIUS
Live Logs page or from any of these reports. You can filter the records by IPv4, IPv6, or MAC addresses.
Note
If you connect an Android device to an IPv6 enabled DHCPv6 network, it receives only the link-local IPv6 address from the
DHCP server. Hence, global IPv6 address is not displayed in the Live Logs and in the Endpoints page (Work Centers > Network Access > Identities > Endpoints).
The following
procedure describes how to configure IPv6 attributes in authorization policies.
Before you begin
Ensure that the NADs in your deployment support AAA with IPv6. See AAA Support for IPv6 for information on how to enable AAA support for IPv6 on your NADs.
Procedure
Step 1
For network access policies, choose Work Centers > Network Access > Policy Sets. For device administration policies, choose Work Centers > Device Administration > Device Admin Policy Sets.
Step 2
Create authorization rules.
Step 3
When creating authorization rules, create a condition from the Conditon Studio. In the Condition Studio, from the RADIUS dictionary,
choose the RADIUS IPv6 attribute, the operator, and the value.
Step 4
Click Save to save the authorization rules in the policy set.
Policy Set Protocol Settings
You must define global protocol settings in Cisco ISE before you can use these protocols to create, save and implement a policy set. You can use the Protocol Settings page to define global options for the Extensible Authentication Protocol-Flexible Authentication
via Secure Tunneling (EAP-FAST), Extensible Authentication Protocol-Transport Layer Security (EAP-TLS), and Protected Extensible
Authentication Protocol (PEAP) protocols, which communicate with the other devices in your network.
Supported Network Access Policy Set Protocols
The following is a list of protocols that you can choose while defining your Network Access Policy Set policy:
Follow these guidelines when
using EAP-FAST as an authentication protocol:
It is highly recommended to
enable EAP-TLS inner method when the EAP-FAST accept client certificate is
enabled on authenticated provisioning. EAP-FAST accept client certificate on
authenticated provisioning is not a separate authentication method but a
shorter form of client certificate authentication that uses the same
certificate credentials type to authenticate a user but does not require to run
an inner method.
Accept client certificate on
authenticated provisioning works with PAC-less full handshake and authenticated
PAC provisioning. It does not work for PAC-less session resume, anonymous PAC
provisioning, and PAC-based authentication.
EAP attributes are displayed
per identity (so in EAP chaining displayed twice) are shown in authentication
details in monitoring tool in order user then machine even if authentication
happens in different order.
When EAP-FAST authorization
PAC is used then EAP authentication method shown in live logs is equal to the
authentication method used for full authentication (as in PEAP) and not as
Lookup.
In EAP chaining mode when
tunnel PAC is expired then ISE falls back to provisioning and AC requests User
and Machine authorization PACs - Machine Authorization PAC cannot be
provisioned. It will be provisioned in the subsequent PAC-based authentication
conversation when AC requests it.
When Cisco ISE is configured
for chaining and AC for single mode then AC response with IdentityType TLV to
ISE. However, the second identity authentication fails. You can see from this
conversation that client is suitable to perform chaining but currently is
configured for single mode.
Cisco ISE supports retrieval
attributes and groups for both machine and user in EAP-FAST chaining only for
AD. For LDAP and Internal DB ISE uses only the last identity attributes.
Note
“EAP-FAST cryptobinding verification failed” message might be seen if EAP-FAST authentication protocol is used for High Sierra,
Mojave, or Catalina MAC OSX devices. We recommend that you configure the Preferred EAP Protocol field in the Allowed Protocols
page to use PEAP or EAP-TLS instead of EAP-FAST for these MAC OSX devices.
Configure EAP-FAST Settings
Before you begin
To perform the following
task, you must be a Super Admin or System Admin.
Procedure
Step 1
Choose
Administration
> System
>
Settings > Protocols
> EAP-FAST
> EAP Fast Settings.
Step 2
Enter the details as required
to define the EAP-FAST protocol.
Step 3
Click Revoke if you want to revoke all the previously generated primary keys and PACs.
Step 4
Click
Save to save the
EAP-FAST settings.
Generate the PAC for EAP-FAST
You can use the Generate PAC
option in the Cisco ISE to generate a tunnel or machine PAC for the EAP-FAST
protocol.
Before you begin
To perform the following
task, you must be a Super Admin or System Admin.
Procedure
Step 1
Choose
Administration
> System
>
Settings.
Step 2
From the Settings navigation
pane on the left, click
Protocols.
Step 3
Choose
EAP-FAST
> Generate
PAC.
Step 4
Enter the details as required
to generate machine PAC for the EAP-FAST protocol.
Step 5
Click
Generate PAC.
Using EAP-TTLS as
Authentication Protocol
EAP-TTLS is a
two-phase protocol that extends the functionality of EAP-TLS protocol. Phase 1
builds the secure tunnel and derives the session keys used in Phase 2 to
securely tunnel attributes and inner method data between the server and the
client. You can use the attributes tunneled during Phase 2 to perform
additional authentications using a number of different mechanisms.
Cisco ISE can process
authentications from a variety of TTLS supplicants including:
AnyConnect
Network Access Manager (NAM) on Windows
Windows 8.1
native supplicant
Secure W2 (also
called as JoinNow on MultiOS)
MAC OS X native
supplicant
IOS native
supplicant
Android based
native supplicant
Linux WPA
supplicant
Note
If cryptobinding is required, you must use EAP-FAST as the inner
method.
Configure EAP-TTLS
Settings
Before you begin
To perform the
following task, you must be a Super Admin or System Admin.
Procedure
Step 1
Choose Administration > System > Settings > Protocols > EAP-TTLS.
Step 2
Enter the
required details in the EAP-TTLS Settings page.
Step 3
Click
Save.
Configure EAP-TLS Settings
Before you begin
To perform the following
task, you must be a Super Admin or System Admin.
Procedure
Step 1
Choose
Administration
> System
>
Settings > Protocols
> EAP-TLS.
Step 2
Enter the details as required
to define the EAP-TLS protocol.
Step 3
Click
Save to save the
EAP-TLS settings.
Configure PEAP Settings
Before you begin
To perform the following
task, you must be a Super Admin or System Admin.
Procedure
Step 1
Choose
Administration
> System
>
Settings.
Step 2
From the Settings navigation
pane on the left, click
Protocols.
Step 3
Choose
PEAP.
Step 4
Enter the details as required
to define the PEAP protocol.
Step 5
Click
Save to save the
PEAP settings.
Configure RADIUS Settings
You can configure the RADIUS
settings to detect the clients that fail to authenticate and to suppress the
repeated reporting of successful authentications.
Procedure
Step 1
Choose Administration > System > Settings.
Step 2
From the Settings navigation
pane, click
Protocols.
Step 3
Choose
RADIUS.
Step 4
Enter the details as required
to define the RADIUS settings.
On the Security Settings page, select the required options:
Allow TLS 1.0: Allows TLS 1.0 for communication with legacy peers for the following workflows:
Cisco ISE is configured as an EAP server
Cisco ISE downloads CRL from HTTPS or a secure LDAP server
Cisco ISE is configured as a secure syslog client
Cisco ISE is configured as a secure LDAP client
Allow TLS 1.1: Allows TLS 1.1 for communication with legacy peers for the following workflows:
Cisco ISE is configured as an EAP server
Cisco ISE downloads CRL from HTTPS or a secure LDAP server
Cisco ISE is configured as a secure syslog client
Cisco ISE is configured as a secure LDAP client
Allow SHA1 Ciphers: Allows SHA-1 ciphers for
communication with peers for the following workflows:
Cisco ISE is configured as an EAP server
Cisco ISE is configured as a RADIUS DTLS server
Cisco ISE is configured as a RADIUS DTLS client
Cisco ISE downloads CRL from HTTPS or a secure LDAP server
Cisco ISE is configured as a secure syslog client
Cisco ISE is configured as a secure LDAP client
Note
We recommended using SHA-256 or SHA-384 ciphers for enhanced
security.
Allow ECDHE-RSA Ciphers: Allows ECDHE-RSA ciphers for communication
with peers for the following workflows:
Cisco ISE is configured as an EAP server
Cisco ISE is configured as a RADIUS DTLS server
Cisco ISE is configured as a RADIUS DTLS client
Cisco ISE downloads CRL from HTTPS or a secure LDAP server
Cisco ISE is configured as a secure syslog client
Cisco ISE is configured as a secure LDAP client
Allow 3DES ciphers: Allows 3DES ciphers for communication with
peers for the following workflows:
Cisco ISE is configured as an EAP server
Cisco ISE is configured as a RADIUS DTLS server
Cisco ISE is configured as a RADIUS DTLS client
Cisco ISE downloads CRL from HTTPS or a secure LDAP server
Cisco ISE is configured as a secure syslog client
Cisco ISE is configured as a secure LDAP client
Accept Certificates without Validating Purpose: When ISE acts as an EAP or RADIUS DTLS server, client certificates are accepted without checking whether the Key Usage extension
contains keyAgreement bit for ECDHE-ECDSA ciphers or keyEncipherment bit for other ciphers.
Allow DSS ciphers for ISE as a client: When Cisco ISE acts as a client, allow DSS ciphers for communication with a server for the following workflows:
Cisco ISE is configured as a RADIUS DTLS client
Cisco ISE downloads CRL from HTTPS or a secure LDAP server
Cisco ISE is configured as a secure syslog client
Cisco ISE is configured as a secure LDAP client
Allow Legacy Unsafe TLS Renegotiation for ISE as a Client: Allows communication with legacy TLS servers that do not support safe TLS renegotiation for the following workflows:
Cisco ISE downloads CRL from HTTPS or a secure LDAP server
Cisco ISE is configured as a secure syslog client
Cisco ISE is configured as a secure LDAP client
Step 3
Click
Save.
Cisco ISE Acting as a RADIUS Proxy Server
Cisco ISE can function both
as a RADIUS server and as a RADIUS proxy server. When it acts as a proxy
server, Cisco ISE receives authentication and accounting requests from the
network access server (NAS) and forwards them to the external RADIUS server.
Cisco ISE accepts the results of the requests and returns them to the NAS.
Cisco ISE can simultaneously
act as a proxy server to multiple external RADIUS servers. You can use the
external RADIUS servers that you configure here in RADIUS server sequences. The
External RADIUS Server page lists all the external RADIUS servers that you have
defined in Cisco ISE. You can use the filter option to search for specific
RADIUS servers based on the name or description, or both. In both simple and
rule-based authentication policies, you can use the RADIUS server sequences to
proxy the requests to a RADIUS server.
The RADIUS server sequence
strips the domain name from the RADIUS-Username attribute for RADIUS
authentications. This domain stripping is not applicable for EAP
authentications, which use the EAP-Identity attribute. The RADIUS proxy server
obtains the username from the RADIUS-Username attribute and strips it from the
character that you specify when you configure the RADIUS server sequence. For
EAP authentications, the RADIUS proxy server obtains the username from the
EAP-Identity attribute. EAP authentications that use the RADIUS server sequence
will succeed only if the EAP-Identity and RADIUS-Username values are the same.
Configure External RADIUS Servers
You must configure the
external RADIUS servers in the Cisco ISE to enable it to forward requests to
the external RADIUS servers. You can define the timeout period and the number
of connection attempts.
Before you begin
You cannot use the external
RADIUS servers that you create in this section by themselves. You must create a
RADIUS server sequence and configure it to use the RADIUS server that you
create in this section. You can then use the RADIUS server sequence in
authentication policies.
To perform the following
task, you must be a Super Admin or System Admin.
The RADIUS Servers page appears with a list of external RADIUS servers that are defined in Cisco ISE.
Step 2
Click
Add to add an
external RADIUS server.
Step 3
Enter the values as required.
Step 4
Click
Submit to save
the external RADIUS server configuration.
Define RADIUS Server Sequences
RADIUS server sequences in
Cisco ISE allow you to proxy requests from a NAD to an external RADIUS server
that will process the request and return the result to Cisco ISE, which
forwards the response to the NAD.
RADIUS Server Sequences
page lists all the RADIUS server sequences that you have defined in Cisco ISE.
You can create, edit, or duplicate RADIUS server sequences from this page.
Before you begin
Before you begin this
procedure, you should have a basic understanding of the Proxy Service and must
have successfully completed the task in the first entry of the Related Links.
To perform the following task, you must be a Super Admin or System Admin.
Procedure
Step 1
ChooseAdministration > Network Resources > RADIUS Server Sequences.
Step 2
Click
Add.
Step 3
Enter the values as required.
Step 4
Click
Submit to save
the RADIUS server sequence to be used in policies.
Cisco ISE Acting as
a TACACS+ Proxy Client
Cisco ISE can act as
proxy client to external TACACS+ servers. When it acts as a proxy client, Cisco
ISE receives authentication, authorization, and accounting requests from the
Network Access Server (NAS) and forwards them to the external TACACS+ server.
Cisco ISE accepts the results of the requests and returns them to the NAS.
The TACACS+ External
Servers page lists all the external TACACS+ servers that you have defined in
Cisco ISE. You can use the filter option to search for specific TACACS+ servers
based on the name or description, or both.
Cisco ISE can
simultaneously act as a proxy client to multiple external TACACS+ servers. In
order to configure multiple external servers, you can use the TACACS+ server
sequence page. Refer to the
TACACS+
Server Sequence Settings page for more information.
TACACS+ External
Server Settings
The following table describes the fields in the TACACS External Servers page. The navigation path isWork Centers > Device Administration > Network Resources > TACACS External Servers page.
Table 5. TACACS+ External
Server Settings
Fields
Usage
Guidelines
Name
Enter the name of
the TACACS+ external server.
Description
Enter a
description for the TACACS+ external server setting.
Host IP
Enter the IP address (IPv4 or IPv6 address) of the remote TACACS+ external server.
Connection Port
Enter the port number of the remote TACACS+ external server.
The port number is 49.
Timeout
Specify the number of seconds that ISE should wait for a
response from the external TACACS+ server. The default is 5 seconds. Valid
values are from 1 to 120.
Shared Secret
A string of text that is used to secure a connection with the
TACACS+ External Server. The connection will be rejected by the TACACS+
External server if this is not configured correctly.
Use Single Connect
The TACACS protocol supports two modes for associating
sessions to connections: Single Connect and Non-Single Connect. Single connect
mode reuses a single TCP connection for many TACACS+ sessions that a client may
initiate. Non-Single Connect opens a new TCP connection for every TACACS+
session that a client initiates. The TCP connection is closed after each
session.
You can check the Use Single Connect check box for
high-traffic environment and uncheck it for low-traffic environment.
Configure External
TACACS+ Servers
You must configure
the external TACACS servers in the Cisco ISE to enable it to forward requests
to the external TACACS servers. You can define the timeout period and the
number of connection attempts.
Before you begin
You cannot use
the external TACACS servers that you create in this section directly in the
policy. You must create a TACACS server sequence and configure it to use the
TACACS server that you create in this section. You can then use the TACACS
server sequence in the policy sets.
To perform the
following task, you must be a Super Admin or System Admin.
The TACACS External Servers page appears with a list of external TACACS servers that are defined in Cisco ISE.
Step 2
Click
Add to add an external TACACS server.
Step 3
Enter the values
as required.
Step 4
Click
Submit to save the external TACACS server
configuration.
TACACS+ Server
Sequence Settings
The following table describes the fields in the TACACS Server Sequence page. The navigation path is Work Centers > Device Administration > Network Resources > TACACS Server Sequence page.
Table 6. TACACS+ Server Sequence
Settings
Fields
Usage Guidelines
Name
Enter the name of the TACACS
proxy server sequence.
Description
Enter a description for the
TACACS proxy server sequence.
Server List
Select the
required TACACS proxy servers from the Available list. The available list
contains the list of TACACS proxy servers configured in the TACACS External
Services Page.
Logging
Control
Check to
enable logging control:
Local
Accounting: Accounting messages are logged by the server that handles requests
from devices.
Remote
Accounting: Accounting messages are logged by the proxy server that handles
requests from devices.
Username
Stripping
Username
Prefix/Suffix Stripping:
Prefix
Strip: Check to strip the username from the prefix. For example, if the subject
name is acme\smith and the separator is \, the username becomes smith. The
default separator is \.
Suffix
Strip: Check to strip the username from the suffix. For example, if the subject
name is smith@acme.com and the separator is @, the username becomes smith. The
default separator is @.
Define TACACS+
Server Sequences
TACACS+ server
sequences in Cisco ISE allow you to proxy requests from a NAD to an external
TACACS+ server that will process the request and return the result to Cisco
ISE, which forwards the response to the NAD. The TACACS+ Server Sequences page
lists all the TACACS+ server sequences that you have defined in Cisco ISE. You
can create, edit, or duplicate TACACS+ server sequences from this page.
Before you begin
You should have
a basic understanding of the Proxy Service, Cisco ISE Admin Groups, Access
Levels, Permissions, and Restrictions.
To perform the
following task, you must be a Super Admin or System Admin.
Ensure that the external TACACS+ servers that you intend to use in
the TACACS+ server sequence are already defined.
Click
Submit to save the TACACS+ server sequence to be
used in policies.
Network Access Service
A network access service contains the authentication policy conditions for requests. You can create separate network access
services for different use cases, for example, Wired 802.1X, Wired MAB, and so on. To create a network access service, configure
allowed protocols or server sequences. The network access service for network access policies is then configured from the Policy Sets page.
Define Allowed Protocols for Network Access
Allowed protocols define the
set of protocols that Cisco ISE can use to communicate with the device that
requests access to the network resources. An allowed protocols access service
is an independent entity that you should create before you configure
authentication policies. Allowed protocols access service is an object that
contains your chosen protocols for a particular use case.
The Allowed Protocols
Services page lists all the allowed protocols services that you create. There
is a default network access service that is predefined in the Cisco ISE.
Before you begin
Before you begin this
procedure, you should have a basic understanding of the protocol services that
are used for authentication.
Review the Cisco ISE
Authentication Policies section in this chapter to understand authentication
type and the protocols that are supported by various databases.
Review the PAC Options to
understand the functions and options for each protocol service, so you can make
the selections that are appropriate for your network.
Ensure that you have defined
the global protocol settings.
To perform the following
task, you must be a Super Admin or System Admin.
If Cisco ISE is set to
operate in FIPS mode, some protocols are disabled by default and cannot be
configured.
Step 2
Click
Add.
Step 3
Enter the required
information.
Step 4
Select the appropriate
authentication protocols and options for your network.
Step 5
If you choose to use PACs,
make the appropriate selections.
To enable Anonymous PAC
Provisioning, you must choose both the inner methods, EAP-MSCHAPv2 and
Extensible Authentication Protocol-Generic Token Card (EAP-GTC). Also, be aware
that Cisco ISE only supports Active Directory as an external identity source
for machine authentication.
Step 6
Click
Submit to save
the allowed protocols service.
The allowed protocols service
appears as an independent object in the simple and rule-based authentication
policy pages. You can use this object in different rules.
You can now create a simple
or rule-based authentication policy.
If you disable EAP-MSCHAP as
inner method and enable EAP-GTC and EAP-TLS inner methods for PEAP or EAP-FAST,
ISE starts EAP-GTC inner method during inner method negotiation. Before the
first EAP-GTC message is sent to the client, ISE executes identity selection
policy to obtain GTC password from the identity store. During the execution of
this policy, EAP authentication is equal to EAP-GTC. If EAP-GTC inner method is
rejected by the client and EAP-TLS is negotiated, identity store policy is not
executed again. In case identity store policy is based on EAP authentication
attribute, it might have unexpected results since the real EAP authentication
is EAP-TLS but was set after identity policy evaluation.
Enable MAB from Non-Cisco Devices
Configure the following
settings sequentially to configure MAB from non-Cisco devices.
Procedure
Step 1
Ensure that the
MAC address of the endpoints that are to be authenticated are available in the
Endpoints database. You can add these endpoints or have them profiled
automatically by the Profiler service.
Step 2
Create a
Network Device Profile based on the type of MAC authentication used by the
non-Cisco device (PAP, CHAP, or EAP-MD5).
Enter a
name and description for the network device profile.
Select
the vendor name from the
Vendor
drop-down list.
Check the
check boxes for the protocols that the device supports. If the device supports
RADIUS, select the RADIUS dictionary to use with the network device.
Expand the
Authentication/Authorization section to configure the
device's default settings for flow types, attribute aliasing, and host lookup.
In the
Host
Lookup (MAB) section, do the following:
Process Host Lookup—Check this check box to define the protocols
for host lookup used by the network device profile.
Network devices from different vendors perform MAB
authentication differently. Depending on the device type, check the
Check Password check box and/or
Check Calling-Station-Id equals MAC Address check box, for
the protocol you are using.
Via
PAP/ASCII—Check this check box to configure Cisco ISE to detect a PAP request
from the network device profile as a Host Lookup request.
Via
CHAP—Check this check box to configure Cisco ISE to detect this type of request
from the network devices as a Host Lookup request.
Via
EAP-MD5—Check this check box to enable EAP-based MD5 hashed authentication for
the network device profile.
Enter the
required details in the Permissions, Change of Authorization (CoA), and
Redirect sections, and then click
Submit.
Select the device for which you want to enable MAB, and then click
Edit.
Step 5
In the Network Device page, select the network device profile that
you created in step 2 from the
Device Profile drop-down list.
Step 6
Click
Save.
Note
For Cisco NADs,
the Service-Type values used for MAB and web/user authentication are different.
This allows ISE to differentiate MAB from web authentication when Cisco NADs
are used. Some non-Cisco NADs use the same value for the Service-Type attribute
for both MAB and web/user authentication; this may lead to security issues in
your access policies. If you are using MAB with non-Cisco devices, we recommend
that you configure additional authorization policy rules to ensure that your
network security is not compromised. For example, if a printer is using MAB,
you could configure an authorization policy rule to restrict it to printer
protocol ports in the ACL.
Enable MAB from Cisco Devices
Configure the
following settings sequentially to configure MAB from Cisco devices.
Procedure
Step 1
Ensure that the
MAC address of the endpoints that are to be authenticated are available in the
Endpoints database. You can add these endpoints or have them profiled
automatically by the Profiler service.
Step 2
Create a Network
Device Profile based on the type of MAC authentication used by the Cisco device
(PAP, CHAP, or EAP-MD5).
Enter a name
and description for the network device profile.
Check the
check boxes for the protocols that the device supports. If the device supports
RADIUS, select the RADIUS dictionary to use with the network device.
Expand the
Authentication/Authorization section to configure the
device's default settings for flow types, attribute aliasing, and host lookup.
In the
Host
Lookup (MAB) section, do the following:
Process
Host Lookup—Check this check box to define the protocols for host lookup used
by the network device profile.
Depending on the device type, check the
Check Password check box and/or
Check Calling-Station-Id equals MAC Address
check box, for the protocol you are using.
Via
PAP/ASCII—Check this check box to configure Cisco ISE to detect a PAP request
from the network device profile as a Host Lookup request.
Via
CHAP—Check this check box to configure Cisco ISE to detect this type of request
from the network devices as a Host Lookup request.
Via
EAP-MD5—Check this check box to enable EAP-based MD5 hashed authentication for
the network device profile.
Enter the
required details in the Permissions, Change of Authorization (CoA), and
Redirect sections, and then click
Submit.
from the View column in the Policy Sets table, in order to access all of the policy set details and to create authentication
and authorization policies as well as policy exceptions.
. The Conditions Studio opens. For more information, see 
, choose 
, because conditions can be associated with more than one category.
Feedback