Configuration Guide
Contents
1. Deploy Cisco ISE on Virtual Machines Using OVA Templates
5.1. Prerequisites for Integrating Active Directory and Cisco ISE
5.2. Add an Active Directory Join Point and Join Cisco ISE Node to the Join Point
Logging (Outbound)
Syslog: UDP/20514, TCP/1468
KPASS: TCP/464
WMI: TCP/135
ODBC:
Note
The ODBC ports are configurable on the third-party database server.
Sybase: TCP/2638
PostgreSQL: TCP/5432
Oracle: TCP/1512
NTP: UDP/123
Email (guest account and user password expiration email notifications): SMTP TCP/25
Note
This port is route table dependent.
Note
Default ports are configurable for external logging.
Note
For external identity sources and services reachable only through an interface other than Gigabit Ethernet 0, configure static routes accordingly.
Cisco ISE Service Ports on Gigabit Ethernet 0 or Bond 0 | Ports on Other Ethernet Interfaces (Gigabit Ethernet 1 through 5, or Bond 1 and Bond 2)
OCSP: TCP/2560
CA PKI: TCP/9090 | —
IPSec/ISAKMP: UDP/500 | —
TC-NAC: TCP/443
KDC: TCP/88
KPASS: TCP/464
WMI: TCP/135
ODBC:
Note
The ODBC ports are configurable on the third-party database server.
Sybase: TCP/2638
PostgreSQL: TCP/5432
Oracle: TCP/1512
NTP: UDP/123
Note
For external identity sources and services reachable only through an interface other than Gigabit Ethernet 0, configure static routes accordingly.
AD Agent: TCP/9095
Web Portal Services (the interface must be enabled for the service in Cisco ISE): HTTPS
Note
By default, TCP/80 is redirected to TCP/8443. See Web Portal Services: Guest Portal and Client Provisioning.
Posture
- Discovery
- Provisioning
- Assessment/Heartbeat
Cisco ISE presents the Admin certificate for Posture and Client Provisioning on TCP port 8905.
Cisco ISE presents the Portal certificate on TCP port 8443 (or the port that you have configured for portal use).
From Cisco ISE, Release 2.2 or later with AnyConnect, Release 4.4 or later, this port is configurable.
Provisioning - URL Redirection: See Web Portal Services: Guest Portal and Client Provisioning.
Provisioning - Active-X and Java Applet Install including IP refresh, Web Agent Install, and launch NAC Agent Install: See Web Portal Services: Guest Portal and Client Provisioning.
Bring Your Own Device (BYOD) / Network Service Protocol (NSP)
- Redirection
- Provisioning
- SCEP
Provisioning - URL Redirection: See Web Portal Services: Guest Portal and Client Provisioning.
For Android devices with EST authentication: TCP/8084. Port 8084 must be added to the Redirect ACL for Android devices.
Provisioning - Active-X and Java Applet Install (includes the launch of Wizard Install): See Web Portal Services: Guest Portal and Client Provisioning.
Provisioning - Wizard Install from Cisco ISE (Windows and Mac OS): TCP/8443
Mobile Device Management (MDM) API Integration
URL Redirection: See Web Portal Services: Guest Portal and Client Provisioning.
API: Vendor specific
Agent Install and Device Registration: Vendor specific
DHCP: UDP/67
Note
This port is configurable.
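As an added check that is not part of the Cisco guide, the following Python reads port entries written in the guide's own "Service: PROTO/PORT" form and reports which of them a firewall allowlist does not permit, so that the required outbound rules can be confirmed before a node is joined to Active Directory or pointed at an external syslog or ODBC server. The port list is a constructed subset of the table above, the allowlist is a constructed sample, and the names parse_required_ports, rule_allows and missing_ports are chosen here.

```python
import re
from dataclasses import dataclass

# Constructed sample written in the guide's own "Service: PROTO/PORT" style.
# It is a subset of the port table above, not the full list.
REQUIRED_PORTS_TEXT = """\
Syslog: UDP/20514, TCP/1468
KDC: TCP/88
KPASS: TCP/464
WMI: TCP/135
ODBC:
PostgreSQL: TCP/5432
NTP: UDP/123
AD Agent: tcp/9095
"""

# Constructed (hypothetical) firewall allowlist from the ISE node towards the
# AD, database and syslog servers. Each rule is (protocol, "port" or "low-high").
FIREWALL_RULES = [
    ("TCP", "88"),
    ("TCP", "135"),
    ("TCP", "464"),
    ("UDP", "123"),
    ("UDP", "20514"),
    ("TCP", "1024-1500"),   # covers the TCP syslog port 1468
]


@dataclass(frozen=True)
class RequiredPort:
    service: str
    proto: str   # "TCP" or "UDP"
    port: int


# One protocol/port token; case-insensitive so "tcp/9095" is accepted too.
PORT_RE = re.compile(r"(TCP|UDP)\s*/\s*(\d+)", re.IGNORECASE)


def parse_required_ports(text):
    """Parse 'Service: PROTO/PORT[, PROTO/PORT...]' lines into RequiredPort
    entries. Lines without a colon (notes, headings) and service lines that
    list no port (such as 'ODBC:') are skipped."""
    required = []
    for line in text.splitlines():
        if ":" not in line:
            continue
        service, _, ports = line.partition(":")
        for proto, port in PORT_RE.findall(ports):
            required.append(RequiredPort(service.strip(), proto.upper(), int(port)))
    return required


def rule_allows(rule, proto, port):
    """True if a (protocol, port-or-range) rule permits proto/port."""
    rule_proto, spec = rule
    if rule_proto.upper() != proto.upper():
        return False
    low, _, high = spec.partition("-")
    low = int(low)
    high = int(high) if high else low
    return low <= port <= high


def missing_ports(required, rules):
    """Required ports that no rule in the allowlist permits."""
    return [r for r in required
            if not any(rule_allows(rule, r.proto, r.port) for rule in rules)]


if __name__ == "__main__":
    for gap in missing_ports(parse_required_ports(REQUIRED_PORTS_TEXT), FIREWALL_RULES):
        print(f"missing rule: {gap.service} needs {gap.proto}/{gap.port}")
```

Run against the constructed sample it reports that PostgreSQL (TCP/5432) and the AD Agent (TCP/9095) have no permitting rule; the ODBC and Note lines are skipped because they carry no protocol/port token. Replace the two constants with the full table and the exported rule set of the firewall between ISE and its identity sources to use it for real.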
When the primary Administration ISE node becomes unavailable, you must log into the secondary
Administration ISE node and promote it to become the primary Administration ISE node. There is
no automatic failover for the Administration ISE node.
Use the Network Time Protocol (NTP) server settings to synchronize the time between the Cisco ISE server and Active Directory. You can configure NTP settings from the Cisco ISE CLI.
If your Active Directory structure has a multidomain forest or is divided into multiple forests, ensure that trust relationships exist between the domain to which Cisco ISE is connected and the other domains that have the user and machine information to which you need access. For more information on establishing trust relationships, refer to the Microsoft Active Directory documentation.
You must have at least one global catalog server operational and accessible by Cisco ISE,
in the domain to which you are joining Cisco ISE.
5.2. Add an Active Directory Join Point and Join Cisco ISE Node to the Join Point
Procedure
Step 1 Choose Administration > Identity Management > External Identity Sources > Active Directory.
Step 2 Click Add and enter the domain name and identity store name.
Step 3 Click Submit.
A pop-up appears asking if you want to join the newly created join point to the domain. Click Yes if you want to join immediately.
Saving the configuration saves the Active Directory domain configuration globally (in the primary and secondary policy service nodes), but none of the Cisco ISE nodes are joined to the domain yet.
Step 4 Check the check box next to the relevant Cisco ISE nodes and click Join to join the Cisco ISE node to the Active Directory domain.
Step 5 Enter the Active Directory administrator username and password.
Step 6 Click OK.
Procedure
Step 1 Choose Administration > Identity Management > External Identity Sources > Active Directory and select the join point.
Step 2 Click the Groups tab.
Step 3 Do one of the following:
o Choose Add > Select Groups from Directory to choose an existing group.
o Do not use double quotes (") in the group name for the user interface login.
If you are manually selecting groups, you can search for them using a filter. For example, enter admin* as the filter criteria and click Retrieve Groups to view user groups that begin with admin. You can also enter the asterisk (*) wildcard character to filter the results. You can retrieve only 500 groups at a time.
Step 4 Check the check boxes next to the groups that you want to be available for use in authorization policies and click OK.
Step 5 Click Save.
Procedure
You can also group the network devices based on the device type:
There is no limit on the maximum number of NDGs that can be created. You can create up to 6 levels of
hierarchy (including the parent group) for the NDGs.
Administration > Network Resources > Network Device Groups > Add
Cisco ISE matches the command in the request with the commands specified in the command set list using the wildcard matching paradigm.
Example: Sh?? or S*
Cisco ISE matches the arguments in the request with the arguments specified in the command set list using the regular expression (regex) matching paradigm.
Example: Show interface[1-4] port[1-9]:tty*
The wildcard matching paradigm for commands:
o Case insensitivity
o Any character in the command in the command set may be "?", which matches any individual character that must exist in the requested command
o Any character in the command in the command set may be "*", which matches zero or more characters in the requested command
Examples (requested command, command in the command set, match, reason):
show, show: Y
show, SHOW: Y (case insensitive)
show, Sho??: N (the second "?" must match a character that does not exist in the requested command)
The command set list will include a space-delimited set of arguments for each command.
1. Argument 1: interface[1-4]
2. Argument 2: port[1-9]:tty.*
The command arguments in the request are taken in the position-significant order they appear in
the packet. If all the arguments in the command definition match the arguments in the request,
then this command/argument is said to be matched. Note that any extraneous arguments in the
request are ignored.
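To make the two matching paradigms concrete, here is an added Python implementation; it is not Cisco's code, and the guide does not publish ISE's internal matcher. The command is matched by wildcard ("?" exactly one character, "*" zero or more, case-insensitive), the arguments by regex in position-significant order with extraneous request arguments ignored. Function names are chosen here, and anchoring each argument regex with fullmatch (and matching arguments case-sensitively) is an assumption the guide does not settle.

```python
import re


def _wildcard_to_regex(pattern):
    """Translate a command-set command pattern into a compiled regex.
    '?' matches exactly one character, '*' matches zero or more, every other
    character is literal; matching is case-insensitive as the guide states."""
    parts = []
    for ch in pattern:
        if ch == "?":
            parts.append(".")
        elif ch == "*":
            parts.append(".*")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.IGNORECASE)


def command_matches(requested, pattern):
    """Wildcard match of the requested command against one command-set entry."""
    return _wildcard_to_regex(pattern).fullmatch(requested) is not None


def arguments_match(requested_args, pattern_args):
    """Position-significant regex match: every argument listed in the
    command-set entry must match the request argument in the same position;
    extra request arguments are ignored, missing ones fail.
    fullmatch anchoring and case-sensitive arguments are assumptions."""
    if len(requested_args) < len(pattern_args):
        return False
    return all(re.fullmatch(p, a) is not None
               for p, a in zip(pattern_args, requested_args))


def command_set_matches(request_line, command_set_entry):
    """Split both strings on whitespace: the first token is the command, the
    remaining tokens are the space-delimited argument list."""
    req = request_line.split()
    ent = command_set_entry.split()
    if not req or not ent:
        return False
    return command_matches(req[0], ent[0]) and arguments_match(req[1:], ent[1:])


# The guide's own examples: (requested command, command-set entry, expected).
EXAMPLES = [
    ("show", "show", True),       # exact
    ("show", "SHOW", True),       # case insensitive
    ("show", "Sho??", False),     # the second '?' needs a fifth character
    ("show interface2 port3:tty0 extra", "show interface[1-4] port[1-9]:tty.*", True),
    ("show interface5 port3:tty0", "show interface[1-4] port[1-9]:tty.*", False),
]


def check_examples():
    """Return the examples whose result disagrees with the expectation."""
    return [(r, e) for r, e, want in EXAMPLES if command_set_matches(r, e) != want]


if __name__ == "__main__":
    print("mismatches:", check_examples())
```

Note that "show interface2 port3:tty0 extra" still matches because the trailing argument is extraneous, while "show interface2" alone does not, since the entry lists two arguments and the request supplies one.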
Common tasks
Custom attributes
There are two views on the TACACS+ Profiles page (Work Centers > Device Administration > Policy Elements > Results > TACACS Profiles): the Task Attribute View and the Raw View. Common tasks can be entered using the Task Attribute View, and custom attributes can be created in the Task Attribute View as well as in the Raw View.
The Common Tasks section allows you to select and configure the frequently used attributes for a profile.
The attributes that are included here are those defined by the TACACS+ protocol draft specifications.
However, the values can be used in the authorization of requests from other services. In the Task Attribute
View, the ISE administrator can set the privileges that will be assigned to the device administrator. The
common task types are:
Shell
WLC
Nexus
Generic
The Custom Attributes section allows you to configure additional attributes. It provides a list of attributes that are not recognized by the Common Tasks section. Each definition consists of the attribute name, an indication of whether the attribute is mandatory or optional, and the value for the attribute. In the Raw View, you enter mandatory attributes using an equal (=) sign between the attribute name and its value, and optional attributes using an asterisk (*) between the attribute name and its value. The attributes entered in the Raw View are reflected in the Custom Attributes section of the Task Attribute View and vice versa. The Raw View is also used to copy and paste an attribute list (for example, another product's attribute list) from the clipboard into ISE. Custom attributes can be defined for nonshell services.
Step 4 In the Task Attribute View tab, check the required Common Tasks. Refer to the Common Tasks
Settings page.
Step 5 In the Task Attribute View tab, in the Custom Attributes section, click Add to enter the required
attributes.
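As an added example that is not part of the guide or of ISE, the following Python parses an attribute list in the Raw View form described above: each line is name=value for a mandatory attribute or name*value for an optional one, and the first "=" or "*" on the line is taken as the separator, so a value may itself contain either character. It can also serialize the structured list back to Raw View form, which is useful when reviewing a pasted list before saving it. The sample list is constructed; priv-lvl and idletime are standard TACACS+ shell attribute names and shell:roles is a Nexus role attribute, but the values are illustrative. Function and class names are chosen here.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class TacacsAttribute:
    name: str
    value: str
    mandatory: bool

    def raw(self):
        """Serialize back to Raw View form: '=' mandatory, '*' optional."""
        return f"{self.name}{'=' if self.mandatory else '*'}{self.value}"


# The separator is the first '=' or '*' on the line.
_SEP = re.compile(r"[=*]")


def parse_raw_view(text):
    """Parse Raw View lines into TacacsAttribute entries.
    Blank lines are skipped; a line with no separator, or with the separator
    in the first position (empty attribute name), is rejected."""
    attrs = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        m = _SEP.search(line)
        if m is None or m.start() == 0:
            raise ValueError(
                f"line {lineno}: expected name=value or name*value, got {line!r}")
        name = line[:m.start()]
        value = line[m.end():]
        attrs.append(TacacsAttribute(name, value, mandatory=(m.group() == "=")))
    return attrs


def to_raw_view(attrs):
    """Render a list of attributes as Raw View text, one attribute per line."""
    return "\n".join(a.raw() for a in attrs)


def mandatory_names(attrs):
    """Names of the attributes the device must honour (mandatory ones)."""
    return [a.name for a in attrs if a.mandatory]


# Constructed sample attribute list in Raw View form (values are illustrative).
SAMPLE_RAW = """\
priv-lvl=15
shell:roles*"network-admin vdc-admin"
idletime*10
"""


if __name__ == "__main__":
    parsed = parse_raw_view(SAMPLE_RAW)
    for a in parsed:
        print(f"{a.name:12} {'mandatory' if a.mandatory else 'optional ':9} {a.value}")
    print("mandatory:", mandatory_names(parsed))
```

Parsing the constructed sample yields one mandatory attribute (priv-lvl) and two optional ones, and rendering the result back gives the original three lines, so a list pasted from another product can be round-tripped and checked before it is saved on the profile.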
Ensure that the Enable Device Admin Service check box on the Administration > System > Deployment > Edit Node > General Settings page is checked.
Ensure that the User Identity Group for Internal or External users (for example, System_Admin, Helpdesk) is created:
o Work Centers > Device Administration > User Identity Groups page
o Work Centers > Device Administration > Ext ID Resources page
Ensure that TACACS settings are configured on the devices that need to be administered (on the Work Centers > Device Administration > Network Resources > Network Devices > Add page, the TACACS Authentication Settings check box is enabled, and the shared secret configured in ISE and on the devices is identical so that the devices can query ISE).
Ensure that the Network Device Group, based on the Device Type and Location, is created (Work Centers > Device Administration > Network Device Groups page).
Example 1: Rule Name: Sys_Admin_rule, Conditions: if SysAdmin and TACACS User Equals ABC then cmd_Sys_Admin AND Profile_priv_8. The policy matches system administrators with user name ABC, allows the specified commands to be executed, and assigns a privilege level of 8.
Example 2: Rule Name: HelpDesk AND TACACS User EQUALS XYZ then cmd_HDesk_show AND cmd_HDesk_ping AND Profile_priv_1. The policy matches system administrators with user name XYZ, allows the specified commands to be executed, and assigns a privilege level of 1.
The command sets, cmd_Sys_Admin and cmd_HDesk, are created on the Work Centers > Device Administration > Policy Elements > Results > TACACS Command Sets > Add page.
The TACACS profiles, Profile_Priv_1 and Profile_priv_8, are created on the Work Centers > Device Administration > Policy Elements > Results > TACACS Profiles > Add page.
Note
It is recommended that the policy results are created prior to the creation of the policy set so that they are readily available when creating the authorization results.