



A trusted certificate in CTL may contain a name constraint extension. This extension defines a namespace for values of all subject name and subject alternative name fields of subsequent certificates in a certificate chain. Cisco ISE does not check constraints that are specified in a root certificate.

Cisco ISE supports the following name constraints:

  • Directory name

    The directory name constraint should be a prefix of the directory name in the subject or subject alternative name field. For example:

    • Correct subject prefix:

      CA certificate name constraint: Permitted: O=Cisco

      Client certificate subject: O=Cisco,CN=Salomon

    • Incorrect subject prefix:

      CA certificate name constraint: Permitted: O=Cisco

      Client certificate subject: CN=Salomon,O=Cisco

  • DNS

  • Email

  • URI (The URI constraint must start with a URI prefix such as http://, https://, ftp://, or ldap://).

Cisco ISE does not support the following name constraints:

When a trusted certificate contains a constraint that is not supported and the certificate that is being verified does not contain the appropriate field, Cisco ISE rejects the certificate because it cannot verify unsupported constraints.

The following is an example of the name constraints definition within the trusted certificate:

X509v3 Name Constraints: critical
    Permitted:
      othername:<unsupported>
      email:.abcde.at
      email:.abcde.be
      email:.abcde.bg
      email:.abcde.by
      DNS:.dir
      DirName: DC = dir, DC = emea
      DirName: C = AT, ST = EMEA, L = AT, O = ABCDE Group, OU = Domestic
      DirName: C = BG, ST = EMEA, L = BG, O = ABCDE Group, OU = Domestic
      DirName: C = BE, ST = EMEA, L = BN, O = ABCDE Group, OU = Domestic
      DirName: C = CH, ST = EMEA, L = CH, O = ABCDE Group, OU = Service Z100
      URI:.dir
      IP:172.23.0.171/255.255.255.255
    Excluded:
      DNS:.dir
      URI:.dir

An acceptable client certificate subject that matches the above definition is as follows:

Subject: DC=dir, DC=emea, OU=+DE, OU=OU-Administration, OU=Users, OU=X1, CN=cwinwell
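The prefix and suffix rules described above, as an added example that is not Cisco ISE code: it parses the constraint and subject DNs in written order, applies the directory-name prefix rule and the domain-style DNS and email rules, and evaluates the permitted and excluded subtrees from the name constraints example. The DN parser assumes no escaped commas, and the names below are constructed from this document's examples.

```python
# Added example (not Cisco ISE code): a simplified checker for the name-constraint
# types this document says Cisco ISE evaluates (directory name as a DN prefix,
# DNS and email as domain suffixes). Inputs below are constructed.
from typing import Dict, List, Tuple

RDN = Tuple[str, str]


def parse_dn(dn: str) -> List[RDN]:
    """Split 'DC = dir, DC = emea' into [('DC', 'dir'), ('DC', 'emea')], keeping
    the written order. Assumes no escaped commas (true for the DNs in this document)."""
    rdns: List[RDN] = []
    for part in dn.split(","):
        part = part.strip()
        if not part:
            continue
        attr, _, value = part.partition("=")
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns


def dirname_matches(constraint: str, name: str) -> bool:
    """Directory-name rule from the text: the constraint DN must be a prefix of the
    subject DN in written order, so O=Cisco permits 'O=Cisco,CN=Salomon' but not
    'CN=Salomon,O=Cisco'."""
    c = parse_dn(constraint)
    return parse_dn(name)[: len(c)] == c


def domain_matches(constraint: str, host: str) -> bool:
    """A leading dot (e.g. '.abcde.at') means any name below that domain; without the
    dot, the host itself or anything below it matches (RFC 5280 style)."""
    c, h = constraint.lower(), host.lower()
    if c.startswith("."):
        return h.endswith(c)
    return h == c or h.endswith("." + c)


def email_matches(constraint: str, mailbox: str) -> bool:
    """A constraint containing '@' names one mailbox; otherwise it constrains the domain part."""
    c, m = constraint.lower(), mailbox.lower()
    if "@" in c:
        return m == c
    return domain_matches(c, m.rpartition("@")[2])


MATCHERS = {"DirName": dirname_matches, "DNS": domain_matches, "email": email_matches}


def check_names(permitted: Dict[str, List[str]], excluded: Dict[str, List[str]],
                names: Dict[str, List[str]]) -> Tuple[bool, str]:
    """Evaluate a certificate's names (subject DN under 'DirName', SAN entries under
    'DNS'/'email') against a CA's permitted and excluded subtrees.
    Returns (accepted, reason). Excluded subtrees win over permitted ones."""
    for kind, values in names.items():
        matcher = MATCHERS.get(kind)
        if matcher is None:
            continue  # name type not covered by this example
        for value in values:
            if any(matcher(x, value) for x in excluded.get(kind, [])):
                return False, f"{kind} {value!r} is in an excluded subtree"
            allowed = permitted.get(kind, [])
            if allowed and not any(matcher(x, value) for x in allowed):
                return False, f"{kind} {value!r} is outside the permitted subtrees"
    return True, "all constrained names are permitted"


# Constructed from the 'X509v3 Name Constraints' example in this document.
PERMITTED = {
    "email": [".abcde.at", ".abcde.be", ".abcde.bg", ".abcde.by"],
    "DNS": [".dir"],
    "DirName": ["DC = dir, DC = emea",
                "C = AT, ST = EMEA, L = AT, O = ABCDE Group, OU = Domestic"],
}
EXCLUDED = {"DNS": [".dir"]}  # the document's example also excludes DNS:.dir


def demo() -> Tuple[bool, bool]:
    """The document's acceptable subject (with a constructed email SAN) versus the same
    subject with the RDNs in a different order."""
    ok_subject = check_names(PERMITTED, EXCLUDED, {
        "DirName": ["DC=dir, DC=emea, OU=+DE, OU=OU-Administration, OU=Users, OU=X1, CN=cwinwell"],
        "email": ["cwinwell@mail.abcde.at"],
    })
    bad_order = check_names(PERMITTED, EXCLUDED, {"DirName": ["CN=cwinwell, DC=dir, DC=emea"]})
    return ok_subject[0], bad_order[0]


if __name__ == "__main__":
    print(demo())  # (True, False)
```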


When you install a patch on an ISE node, the node is rebooted after the installation is complete. You might have to wait for a few minutes before you can log in again. You can schedule patch installations during a maintenance window to avoid temporary outage.

Ensure that you install patches that are applicable for the Cisco ISE version that is deployed in your network. Cisco ISE reports any mismatch in versions as well as any errors in the patch file.

You cannot install a patch with a version that is lower than the patch that is currently installed on Cisco ISE. Similarly, you cannot roll back changes of a lower-version patch if a higher version is currently installed on Cisco ISE. For example, if patch 3 is installed on your Cisco ISE servers, you cannot install or roll back patch 1 or 2.

When you install a patch from the Primary PAN that is part of a distributed deployment, Cisco ISE installs the patch on the primary node and then all the secondary nodes in the deployment. If the patch installation is successful on the Primary PAN, Cisco ISE then continues patch installation on the secondary nodes. If it fails on the Primary PAN, the installation does not proceed to the secondary nodes. However, if the installation fails on any of the secondary nodes for any reason, it still continues with the next secondary node in your deployment.

When you install a patch from the Primary PAN that is part of a two-node deployment, Cisco installs the patch on the primary node and then on the secondary node. If the patch installation is successful on the Primary PAN, Cisco then continues patch installation on the secondary node. If it fails on the Primary PAN, the installation does not proceed to the secondary node.



Cisco offers Smart Licensing, which enables you to monitor Cisco ISE software licenses and endpoint license consumption. You can monitor license usage easily and efficiently with a single registration token, rather than individually importing separate licenses. View and manage the details of all the Cisco products and licenses that you have purchased in a centralized database, the Cisco Smart Software Manager (CSSM). Log in to the CSSM portal to easily track the endpoint licenses that are available to you, and consumption statistics.

When a smart license token is active and registered in the Cisco ISE administration portal, the CSSM monitors the consumption of licenses by each endpoint session per product license. Smart Licensing notifies the administrator about license consumption by endpoint sessions with a simple table layout in Cisco ISE. Smart Licensing reports the peak usage of each enabled license to the centralized database daily. When licenses are available and not consumed, the administrator is notified of available licenses and can continue to monitor usage. When consumption exceeds the number of licenses available, an alarm is activated and the administrator is notified through alarms and notifications.

With Smart Licensing, you can also manage the different license entitlements included through your Cisco Smart Account, such as Base, Plus, Apex, or TACACS. From Cisco ISE, you can monitor basic consumption statistics per license entitlement. From your CSSM account, you can view additional information, statistics, and notifications, as well as make changes to your account and entitlements.


Note

CSSM satellite is not supported.

Cisco ISE takes internal samples of license consumption every 30 minutes. License compliancy and consumption is updated accordingly. To view this information in the Licenses table in Cisco ISE, from the main menu, choose , and click Refresh.

From the time you register your Cisco ISE Primary Administration node (PAN) with the CSSM, Cisco ISE reports peak counts of license consumption to the CSSM server every six hours. The peak count reports help ensure that license consumption in Cisco ISE is in compliance with the licenses purchased and registered. Cisco ISE communicates with the CSSM server by storing a local copy of the CSSM certificate. The CSSM certificate is automatically reauthorized during the daily synchronization, and when you refresh the Licenses table. Typically, CSSM certificates are valid for six months.

If there is a change in the compliance status when Cisco ISE synchronizes with the CSSM server, the Last Authorization column of the Licenses table is updated accordingly. In addition, when entitlements are no longer compliant, the number of days for which they are out of compliancy appears in the Days Out of Compliancy column. Noncompliancy is also indicated in the notifications displayed at the top of the Licensing area, and on the Cisco ISE toolbar next to the License Warning link. In addition to notifications, you can view alarms.


Note

TACACS licenses are authorized when Cisco ISE communicates with the CSSM server, but they are not session-based, and therefore, no consumption count is associated with them in the Licenses table.

The compliance column of the Licenses table displays one of the following values:

  • In Compliance: The use of this license is in compliance.

  • Released Entitlement: The licenses have been purchased and released for use, but none have been consumed so far in this Cisco ISE deployment. In such a scenario, the Consumption Count for the license is 0.

  • Evaluation: Evaluation licenses are available for use.

Figure 1. Licenses Table

An air-gapped network does not allow any communication between a secured network and an external network. Cisco ISE Smart Licensing requires Cisco ISE to communicate with the CSSM. If your network is air-gapped, Cisco ISE is unable to report license usage to CSSM and this lack of reporting results in the loss of administrative access to Cisco ISE and restrictions in Cisco ISE features.

To avoid licensing issues in air-gapped networks and enable full Cisco ISE functionality, you can configure a Smart Software Manager (SSM) On-Premises server. This licensing method is available in releases.

You must configure an SSM On-Prem and ensure that Cisco ISE can reach this server. This server takes over the role of CSSM in your air-gapped network, releasing license entitlements, as needed, and tracking usage metrics. The SSM On-Prem server also sends notifications, alarms, and warning messages that are related to licensing consumption and validity.

Configure an SSM On-Prem server and ensure that Cisco ISE can reach this server. For more information, see Smart Software Manager On-Prem Resources.

If you buy more licenses or modify your license purchases, you must connect the SSM On-Prem server to CSSM for the changes to be available in your local server.


Note

ISE-PIC 2.7 and earlier do not support Smart Licensing.

Step 1

Choose.

Step 2

Click Cisco Smart Licensing.

Step 3

Choose SSM On-Prem Server from the Connection Method drop-down list.

The Certificate window in the SSM On-Prem portal displays either the IP address or the hostname (or FQDN) of the connected SSM On-Prem server.

Step 4

Enter the configured IP address or the hostname (or FQDN) in the SSM On-Prem server Host field.

Step 5

In the Tier and Virtual Appliance areas, check the check boxes for all the licenses you need to enable. The chosen licenses are activated and their consumption is tracked by CSSM.

Step 6

Click Register.



Mobile Device Management (MDM) servers secure, monitor, manage, and support mobile devices that are deployed across mobile operators, service providers, and enterprises. Traditionally, MDM servers have only supported mobile devices. Some MDM servers now manage all types of devices in a network (mobile phones, tablets, laptops, and desktops) and are called Unified Endpoint Management (UEM) servers. MDM servers act as policy servers that control the use of some applications on a mobile device (for example, an email application) in the deployed environment. Cisco ISE queries a connected MDM server for information about various attributes that you can use to create network authorization policies.

You can run multiple active MDM servers on your network, from different vendors. This allows you to route different endpoints to different MDM servers based on device factors such as location or device type.

Cisco ISE also integrates with MDM servers using the Cisco MDM Server Info APIs, Version 2 and later versions, to allow devices to access the network over VPN via Cisco AnyConnect 4.1 and Cisco Adaptive Security Appliances 9.3.2 or later.

In the following illustration, Cisco ISE is the enforcement point and the MDM policy server is the policy information point. Cisco ISE obtains data from the MDM server to provide a complete solution.

Figure 3. MDM Interoperability with Cisco ISE

Configure Cisco ISE to interoperate with one or more external MDM servers. By setting up this type of third-party connection, you can use the detailed information available in the MDM database. Cisco ISE uses REST API calls to retrieve information from the external MDM server. Cisco ISE applies the appropriate access control policies to switches, access routers, wireless access points, and other network access points. The policies give you greater control of the remote devices that are accessing the Cisco ISE-enabled network.

For a list of the MDM vendors supported by Cisco ISE, see Supported Unified Endpoint Management and Mobile Device Management Servers.

Cisco ISE performs the following functions with external MDM servers:

  • Manages device registration: Unregistered endpoints that access the network are redirected to a registration page that is hosted on the MDM server. Device registration includes the user role, device type, and so on.

  • Handles device remediation: Endpoints are granted restricted access during remediation.

  • Augments endpoint data: The endpoint database is updated with information from the MDM server that you cannot gather using the Cisco ISE profiling services. Cisco ISE uses multiple device attributes that you can view in the Endpoints window. Choose .

    The following are examples of the device attributes available:

    • MDMImei: xx xxxxxx xxxxxx x

    • MDMManufacturer: Apple

    • MDMModel: iPhone

    • MDMOSVersion: iOS 6.0.0

    • MDMPhoneNumber: 5550100

    • MDMSerialNumber: DNPGQZGUDTFx

  • Polls the MDM server every four hours for device compliance data. Configure the polling interval in the External MDM Servers window. (To view this window, choose .)

  • Issues device instructions through the MDM server: Cisco ISE issues remote actions for user devices through the MDM server. Initiate remote actions from the Cisco ISE administration portal through the Endpoints window. To view this window, choose . Check the check box next to the MDM server and click MDM Actions. Choose the required action from the drop-down list displayed.

When you configure an MDM server in Cisco ISE, Cisco ISE queries the MDM server for device attribute information and adds the information to the MDM system dictionary. The following attributes are used for registration status, and are commonly supported by MDM vendors.

Cisco ISE uses APIs to query MDM servers for the required device attributes. Cisco ISE Release 3.1 and later releases support MDM APIs Version 3. The Version 3 APIs include APIs that allow Cisco ISE to send queries to MDM servers for device attributes that help Cisco ISE identify endpoints that use MAC address randomization. Cisco ISE queries the MDM server for the following attributes:

  • GUID: A unique device identifier that replaces the use of MAC address to identify a device.

  • MAC addresses: The list of MAC addresses that a UEM or MDM server has recorded for a particular device. A maximum of five MAC addresses are shared for a device.

If an MDM server does not provide values for the required attributes, Cisco ISE fills the attributes fields with the default values that are mentioned in the following table.

Table 4. MDM Attributes and Values

| Attribute Name | Attribute Dictionary | Default Value | Data That Is Expected From UEM or MDM Servers | Data That Is Expected From Microsoft SCCM Servers |
|---|---|---|---|---|
| DaysSinceLastCheckin (supported from MDM API Version 3) | MDM | None | The number of days since a user has last checked in or synchronized a device with the UEM or MDM server. The valid range is 1–365 days. | The number of days since a user has last checked in or synchronized a device with the SCCM server. The valid range is 1–365 days. |
| DeviceCompliantStatus | MDM | NonCompliant | Compliant or NonCompliant. | Compliant or NonCompliant. |
| DeviceRegisterStatus | MDM | UnRegistered | Registered or UnRegistered. | Registered or UnRegistered. |
| DiskEncryptionStatus | MDM | Off | On or Off. | On or Off. |
| IMEI | MDM | None | The IMEI number of the device. | Not applicable. |
| JailBrokenStatus | MDM | Unbroken | Reachable or UnReachable. | Reachable or UnReachable. |
| MDMFailureReason | MDM | None | The device failure reason. | The device failure reason. |
| MDMServerName | MDM | None | The name of the server. | The name of the server. |
| MDMServerReachable | MDM | Reachable | Reachable or UnReachable. | Reachable or UnReachable. |
| MEID | MDM | None | The MEID value of the device. | Not applicable. |
| Manufacturer | MDM | None | The name of the device manufacturer. | Not applicable. |
| Model | MDM | None | The name of the device model. | Not applicable. |
| OsVersion | MDM | None | The operating system version of the device. | Not applicable. |
| PhoneNumber | MDM | None | The phone number of the device. | Not applicable. |
| PinLockStatus | MDM | Off | On or Off. | Not applicable. |
| SerialNumber | MDM | None | The serial number of the device. | Not applicable. |
| ServerType | MDM | None | MDM for a Mobile Device Manager server. DM for a Desktop Device Manager server. | DM for a Desktop Device Manager server. |
| UDID | MDM | None | The UDID number of the device. | Not applicable. |
| UserNotified | MDM | No | Yes or No. | Not applicable. |

If a vendor's unique attributes are not supported, you may be able to use ERS APIs to exchange vendor-specific attributes. Check the vendor's documentation for information on the ERS APIs that are supported.

The new MDM dictionary attributes are available for use in authorization policies.

The following table lists the ports that must be open between Cisco ISE and an MDM server to enable them to communicate with each other. See the documentation from the MDM vendor for a list of ports that must be open on the MDM agent and server.

Table 5. Ports Used by the MDM Server

| MDM Server | Ports |
|---|---|
| MobileIron | 443 |
| Zenprise | 443 |
| Good | 19005 |
| Airwatch | 443 |
| Afaria | 443 |
| Fiberlink MaaS | 443 |
| Meraki | 443 |
| Microsoft Intune | 80 and 443 |
| Microsoft SCCM | 80 and 443 |

  1. The user associates a device with an SSID.

  2. Cisco ISE makes an API call to the MDM server.

  3. This API call returns a list of devices for the user and the posture statuses for the devices.


    Note

    The input parameter is the MAC address of the endpoint device. For off-premise Apple iOS devices, the input parameter is the UDID.

  4. If the user’s device is not on this list, it means that the device is not registered. Cisco ISE sends an authorization request to the NAD to redirect to Cisco ISE. The user is presented with the MDM server page.


    Note

    You must register a device that is enrolled on the MDM server outside of a Cisco ISE network via the MDM portal. This is applicable for Cisco ISE Release 1.4 and later. Earlier Cisco ISE versions allow devices that are enrolled outside the Cisco ISE-enabled network to be automatically enrolled if they are compliant with the posture policies.

  5. Cisco ISE uses MDM to provision the device and presents the appropriate window for the user to register the device.

  6. The user registers the device in the MDM server, and the MDM server redirects the request to Cisco ISE through automatic redirection or manual browser refresh.

  7. Cisco ISE queries the MDM server again for the posture status.

  8. If the user’s device is not compliant with the posture (compliance) policies that are configured on the MDM server, the user is notified that the device is out of compliance. The user must take the necessary action to ensure that the device is compliant.

  9. When the user’s device is compliant, the MDM server updates the device's state in its internal tables.

  10. If the user refreshes the browser now, the control is transferred back to Cisco ISE.

  11. Cisco ISE polls the MDM server once every four hours to get compliance information and issues the appropriate Change of Authorization (CoA). You can configure the polling interval. Cisco ISE also checks the MDM server every five minutes to make sure that it is available.

The following figure illustrates the MDM process flow.


Note

A device can only be enrolled in a single MDM server at a time. If you want to enroll the same device to an MDM service from another vendor, the previous vendor's profiles must be removed from the device. The MDM service usually offers a "corporate wipe", which only deletes the vendor's configuration from the device (not the whole device). The user can also remove the files. For example, on an iOS device, the user can go to the Settings > General > Device Management window and click Remove Management. Or the user can go to the MyDevices portal in Cisco ISE and click Corporate Wipe.
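The defaults of Table 4 and the decision points of the process flow above (steps 3, 4, 8 and 11), as an added example that is not Cisco ISE code: it looks a device up in the per-user list returned by the MDM query using the endpoint MAC, fills the MDM dictionary with Table 4 defaults for anything the server omitted, derives an authorization outcome, and flags when a later poll result calls for a Change of Authorization. The MDM response layout, the server name and the outcome names are this example's own assumptions.

```python
# Added example (not Cisco ISE code): normalise an MDM server's device record into
# the MDM dictionary attributes of Table 4, filling the table's default values for
# anything the server omits, then derive the authorization outcome described in the
# MDM process flow. The MDM response format and outcome names are assumptions.
from typing import Any, Dict, List, Optional

# Default values from Table 4; attributes whose default is None are listed separately.
MDM_DEFAULTS: Dict[str, str] = {
    "DeviceCompliantStatus": "NonCompliant",
    "DeviceRegisterStatus": "UnRegistered",
    "DiskEncryptionStatus": "Off",
    "JailBrokenStatus": "Unbroken",
    "MDMServerReachable": "Reachable",
    "PinLockStatus": "Off",
    "UserNotified": "No",
}
NONE_DEFAULT_ATTRS = ["DaysSinceLastCheckin", "IMEI", "MDMFailureReason", "MDMServerName",
                      "MEID", "Manufacturer", "Model", "OsVersion", "PhoneNumber",
                      "SerialNumber", "ServerType", "UDID"]

# Constructed MDM API response: the per-user device list returned in step 3 of the flow.
# The keys are assumed; the document does not specify the wire format.
SAMPLE_MDM_RESPONSE: List[Dict[str, Any]] = [
    {"mac_addresses": ["00:11:22:33:44:55"], "DeviceRegisterStatus": "Registered",
     "DeviceCompliantStatus": "Compliant", "Manufacturer": "Apple", "Model": "iPhone",
     "OsVersion": "iOS 6.0.0", "DiskEncryptionStatus": "On"},
    {"mac_addresses": ["66:77:88:99:AA:BB"], "DeviceRegisterStatus": "Registered",
     "DeviceCompliantStatus": "NonCompliant", "MDMFailureReason": "Passcode not set"},
]


def lookup_device(response: List[Dict[str, Any]], mac: str) -> Optional[Dict[str, Any]]:
    """Steps 3 and 4: the input parameter is the endpoint MAC; a device absent from the
    returned list is treated as not registered."""
    mac = mac.upper()
    for device in response:
        if mac in (m.upper() for m in device.get("mac_addresses", [])):
            return device
    return None


def to_mdm_dictionary(device: Optional[Dict[str, Any]], server_name: str) -> Dict[str, Optional[str]]:
    """Build the MDM dictionary view, applying Table 4 defaults where the server gave nothing."""
    attrs: Dict[str, Optional[str]] = {name: None for name in NONE_DEFAULT_ATTRS}
    attrs.update(MDM_DEFAULTS)
    attrs["MDMServerName"] = server_name
    if device is not None:
        for key, value in device.items():
            if key in attrs:          # ignore keys that are not dictionary attributes
                attrs[key] = str(value)
    return attrs


def authorize(attrs: Dict[str, Optional[str]]) -> str:
    """Outcome names are this example's own. Unregistered -> redirect to the MDM
    registration page (step 4); registered but non-compliant -> restricted access
    during remediation (step 8); compliant -> full access."""
    if attrs["MDMServerReachable"] != "Reachable":
        return "mdm-unreachable"   # what to do here is a deployment policy choice
    if attrs["DeviceRegisterStatus"] != "Registered":
        return "redirect-to-mdm-registration"
    if attrs["DeviceCompliantStatus"] != "Compliant":
        return "restricted-remediation"
    return "permit-access"


def coa_required(previous: Dict[str, Optional[str]], current: Dict[str, Optional[str]]) -> bool:
    """Step 11: after the periodic poll, a changed registration or compliance status
    calls for a Change of Authorization on the live session."""
    return any(previous[k] != current[k]
               for k in ("DeviceRegisterStatus", "DeviceCompliantStatus"))


def decide(mac: str, response: List[Dict[str, Any]] = SAMPLE_MDM_RESPONSE,
           server: str = "mdm-example") -> str:
    """End-to-end: MAC -> MDM record -> dictionary attributes -> outcome."""
    return authorize(to_mdm_dictionary(lookup_device(response, mac), server))


if __name__ == "__main__":
    for mac in ("00:11:22:33:44:55", "66:77:88:99:AA:BB", "DE:AD:BE:EF:00:01"):
        print(mac, "->", decide(mac))
```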



Dictionaries are domain-specific catalogs of attributes and allowed values that can be used to define access policies for a domain. An individual dictionary is a homogeneous collection of attributes of a single attribute type; the type indicates the source or context of a given attribute.

Attribute types can be one of the following:

  • MSG_ATTR

  • ENTITY_ATTR

  • PIP_ATTR

In addition to attributes and allowed values, a dictionary contains information about the attributes such as the name and description, data type, and the default values. An attribute can have one of the following data types: BOOLEAN, FLOAT, INTEGER, IPv4, IPv6, OCTET_STRING, STRING, UINT32, and UINT64.

Cisco ISE creates system dictionaries during installation and allows you to create user dictionaries.

Cisco ISE creates system dictionaries during installation that you can find in the System Dictionaries page. System-defined dictionary attributes are read-only attributes. Because of their nature, you can only view existing system-defined dictionaries. You cannot create, edit, or delete system-defined values or any attributes in a system dictionary.

A system-defined dictionary attribute is displayed with the descriptive name of the attribute, an internal name as understood by the domain, and allowed values.

Cisco ISE also creates dictionary defaults for the IETF RADIUS set of attributes that are also a part of the system-defined dictionaries, which are defined by the Internet Engineering Task Force (IETF). You can edit all free IETF RADIUS attribute fields except the ID.

Cisco ISE displays the user-defined dictionaries that you create in the User Dictionaries page. You cannot modify the values for Dictionary Name or Dictionary Type for an existing user dictionary once created and saved in the system.

You can do the following in the User Dictionaries page:

  • Edit and delete user dictionaries.

  • Search user dictionaries based on name and description.

  • Add, edit, and delete user-defined dictionary attributes in the user dictionaries.

  • Delete attributes of the NMAP extension dictionary, using the NMAP scan action. When custom ports are added or deleted in the NMAP Scan Actions page, the corresponding custom ports attributes are added, deleted, or updated in the dictionary.

  • Add or remove allowed values for dictionary attributes.



The structure of a Context Visibility window is similar to the home page, except that the Context Visibility windows:

  • Retain your current context (browser window) when you filter the displayed data

  • Are more customizable

  • Focus on endpoint data

You can view the context visibility data only from the primary PAN.

Dashlets on the Context Visibility windows show information about endpoints, and endpoint connections to NADs. The information currently displayed is based on the content in the list of data below the dashlets on each window. Each window displays endpoint data, based on the name of the tab. As you filter the data, both the list and the dashlets update. You can filter the data by clicking on parts of one or more of the circular graphs, by filtering rows in the table, or by any combination of those actions. As you select filters, the effects are additive (also referred to as a cascading filter), which allows you to drill down to the particular data you are looking for. You can also click an endpoint in the list to get a detailed view of that endpoint.

There are four main views under Context Visibility:

  • Endpoints: Filter the endpoints you want to view based on types of devices, compliance status, authentication type, hardware inventory, and more. See The Hardware Dashboard for additional information.


    Note

    We recommend that you enable the accounting settings on the network access devices (NADs) to ensure that the accounting start and update information is sent to Cisco ISE.

    Cisco ISE can collect accounting information, such as the latest IP address, status of the session (Connected, Disconnected, or Rejected), the number of days an endpoint has been inactive, only if accounting is enabled. This information is displayed in the Live Logs, Live Sessions and Context Visibility windows in the Cisco ISE administration portal. When accounting is disabled on a NAD, there might be a missing, incorrect, or mismatched accounting information between the Live Sessions, Live Logs and Context Visibility windows.


    Note

    The Visibility Setup workflow that is available on the Cisco ISE administration portal home page allows you to add a list of IP address ranges for endpoints discovery. After this workflow is configured, Cisco ISE authenticates the endpoints, but the endpoints that are not included in the configured IP address ranges are not displayed in the window and the Endpoints listing page ().

  • Users: Displays user-based information from user identity sources.

    If there is a change in the username or password attribute, it reflects in the Users window when there is a change in the authentication status.

    If the username is changed in the Microsoft Active Directory, the updated change is displayed in the Users window immediately after re-authentication.

    If any other attributes, such as Email, Phone, or Department, are changed in the Microsoft Active Directory, the updated attributes are displayed in the Users window 24 hours after re-authentication.


    Note

    Updating User Attributes from AD depends on the interval configured under Active Directory Probe. For more information, see Active Directory Probe.

  • Network Devices: This window displays the list of NADs that have endpoints connected to them. For any NAD, click the number of endpoints that is displayed in the corresponding # of endpoints column. A window that lists all the devices filtered by that NAD is displayed.


    Note

    If you have configured your network device with SNMPv3 parameters, you cannot generate the Network Device Session Status Summary report that is provided by the Cisco ISE monitoring service (). You can generate this report successfully if your network device is configured with SNMPv1 or SNMPv2c parameters.

  • Application: Use this window to identify the number of endpoints that have a specific application installed. The results are displayed in graphical and table formats. The graphical representation helps you make a comparative analysis. For example, you can find out the number of endpoints with the Google Chrome software along with their Version, Vendor, and Category (Anti-phishing, Browser, and so on) in a table as well as a bar chart. For more information, see The Application Tab.

You can create a new tab in the Context Visibility windows and create a custom list for additional filtering. Dashlets are not supported in custom views.

Click a section of a circular graph in a dashlet to open a new window that shows the data filtered by that section of the dashlet. From this new window, you can continue to filter the displayed data, as described in Filtering Displayed Data in a View.

For more information about using Context Visibility windows to find endpoint data, see the following Cisco YouTube video which uses ISE 2.1 https://www.youtube.com/watch?v=HvonGhrydfg.



User authentication policies in Cisco ISE enable you to provide authentication for a number of user login session types using a variety of standard authentication protocols including, but not limited to, Password Authentication Protocol (PAP), Challenge-Handshake Authentication Protocol (CHAP), Protected Extensible Authentication Protocol (PEAP), and Extensible Authentication Protocol (EAP). Cisco ISE specifies the allowable protocol(s) that are available to the network devices on which the user tries to authenticate and specifies the identity sources from which user authentication is validated.

Cisco ISE allows for a wide range of variables within authorization policies to ensure that only authorized users can access the appropriate resources when they access the network. The initial release of Cisco ISE supports only RADIUS-governed access to the internal network and its resources.

At the most fundamental level, Cisco ISE supports 802.1X, MAC authentication bypass (MAB), and browser-based Web authentication login for basic user authentication and access via both wired and wireless networks. Upon receiving an authentication request, the “outer part” of the authentication policy is used to select the set of protocols that are allowed when processing the request. Then, the “inner part” of the authentication policy is used to select the identity source that is used to authenticate the request. The identity source may consist of a specific identity store or an identity store sequence that lists a set of accessible identity stores, which are tried until the user receives a definitive authorization response.

Once authentication succeeds, the session flow proceeds to the authorization policy. (There are also options available that allow Cisco ISE to process the authorization policy even when the authentication did not succeed.) Cisco ISE enables you to configure behavior for “authentication failed,” “user not found,” and “process failed” cases, and also to decide whether to reject the request, drop the request (no response is issued), or continue to the authorization policy. In cases where Cisco ISE continues to perform authorization, you can use the “AuthenticationStatus” attribute in the “NetworkAccess” dictionary to incorporate the authentication result as part of the authorization policy.

The authorization policy result is Cisco ISE assigning an authorization profile that might also involve a downloadable ACL specifying traffic management on the network policy enforcement device. The downloadable ACL specifies the RADIUS attributes that are returned during authentication and that define the user access privileges granted once authenticated by Cisco ISE.


Note

Cisco ISE processes the attributes in the following order while identifying the Authentication session for the incoming accounting packet:

  • For Cisco devices:

    1. Class/State

    2. audit-session-id

  • For third party devices:

    1. Class/State

    2. Calling-Station-ID

    3. If the authentication session cannot be identified, Cisco ISE creates a new session ID based on the Calling-Station-ID, NAS-Port, and NAS-IP-Address.
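The attribute order in the note above, as an added example that is not Cisco ISE code: it matches an accounting packet to a live session by Class/State first, then by audit-session-id for Cisco devices or Calling-Station-ID for third-party devices, and for third-party devices falls back to creating a session keyed on Calling-Station-ID, NAS-Port and NAS-IP-Address. The session table, the packet dictionaries, the vendor lookup by NAS-IP-Address and the fallback session-id format are constructed assumptions.

```python
# Added example (not Cisco ISE code): match an incoming RADIUS accounting packet to an
# authentication session in the attribute order given in the note above. The session
# table, the packet dictionaries and the NAD vendor lookup are constructed assumptions.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Session:
    session_id: str
    class_state: Optional[str] = None         # Class/State value issued at authentication
    audit_session_id: Optional[str] = None    # Cisco audit-session-id
    calling_station_id: Optional[str] = None  # usually the endpoint MAC address


@dataclass
class SessionStore:
    sessions: List[Session] = field(default_factory=list)

    def find(self, attr: str, value: Optional[str]) -> Optional[Session]:
        """First session whose attribute equals value; None when the packet lacks it."""
        if value is None:
            return None
        return next((s for s in self.sessions if getattr(s, attr) == value), None)


def make_sample_store() -> SessionStore:
    """Two constructed live sessions: one from a Cisco NAD, one from a third-party NAD."""
    return SessionStore([
        Session("sess-cisco", class_state="class-cisco", audit_session_id="AUDIT-1",
                calling_station_id="00-11-22-33-44-55"),
        Session("sess-3p", class_state="class-3p", calling_station_id="66-77-88-99-AA-BB"),
    ])


def new_session_id(packet: Dict[str, str]) -> str:
    """Fallback identifier built from Calling-Station-ID, NAS-Port and NAS-IP-Address
    (the joined format is this example's own)."""
    return "/".join(packet.get(k, "") for k in ("Calling-Station-Id", "NAS-Port", "NAS-IP-Address"))


def identify_session(packet: Dict[str, str], store: SessionStore,
                     cisco_nads: Set[str]) -> Optional[Session]:
    """Return the session an accounting packet belongs to. Returns None when a packet
    from a Cisco NAD matches nothing, because the note lists no fallback for that case."""
    # 1. Class/State first, for every vendor.
    found = (store.find("class_state", packet.get("Class"))
             or store.find("class_state", packet.get("State")))
    if found:
        return found
    if packet.get("NAS-IP-Address") in cisco_nads:
        # 2 (Cisco devices): audit-session-id.
        return store.find("audit_session_id", packet.get("audit-session-id"))
    # 2 (third-party devices): Calling-Station-ID.
    found = store.find("calling_station_id", packet.get("Calling-Station-Id"))
    if found:
        return found
    # 3 (third-party devices): create a new session from Calling-Station-ID, NAS-Port
    # and NAS-IP-Address, and remember it for later packets of the same session.
    session = Session(new_session_id(packet),
                      calling_station_id=packet.get("Calling-Station-Id"))
    store.sessions.append(session)
    return session


if __name__ == "__main__":
    store, cisco = make_sample_store(), {"10.0.0.1"}
    pkt = {"NAS-IP-Address": "10.0.0.2", "Calling-Station-Id": "AA-BB-CC-DD-EE-FF", "NAS-Port": "3"}
    print(identify_session(pkt, store, cisco))
```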



  • Wireless Setup is disabled by default after a fresh installation of Cisco ISE. You can enable Wireless Setup from the Cisco ISE CLI with the application configure ise command (select option 17) or by using the Wireless Setup option available in the top right-hand corner of the Cisco ISE GUI home page.

  • Wireless Setup does not work if you upgrade Cisco ISE from a previous version. Wireless Setup is supported only for new Cisco ISE installations.

  • Wireless Setup works only on a standalone node.

  • Run only one instance of Wireless Setup at a time. Only one person can run Wireless Setup at a time.

  • Wireless Setup requires ports 9103 and 9104 to be open. To close these ports, use the CLI to disable Wireless Setup.

  • If you would like to start a fresh installation of Wireless Setup after running some flows, you can use the CLI command application reset-config ise. This command resets the Cisco ISE configuration and clears the Cisco ISE database, but keeps the network definitions. So you can reset Cisco ISE and Wireless Setup without having to reinstall Cisco ISE and run setup.

    If you would like to start over with Wireless Setup, you can reset both Cisco ISE and Wireless Setup's configuration with the following steps:

    • In the CLI, run application reset-config to reset all Cisco ISE configuration. If you were testing Wireless Setup on a fresh installation, this command removes the configurations done by Wireless Setup in Cisco ISE.

    • In the CLI, run application configure ise, and choose option [18] Reset Config Wi-Fi Setup. This cleans the Wireless Setup configuration database.

    • On the Wireless Controller, remove the configurations added by Wireless Setup on the Wireless Controller. For information about what Wireless Setup configures on the Wireless Controller, see Changes on Cisco ISE and Wireless Controller by the Wireless Setup flow.

    You can avoid these steps by taking a snapshot of the VM after you finish a fresh installation of Cisco ISE.

    For more information about the CLI, see the Cisco Identity Services Engine CLI Reference Guide for your version of ISE.

  • You must be a Cisco ISE Super Admin user to use Wireless Setup.

  • Wireless Setup requires at least two CPU cores and 8 GB of memory.

  • Only Active Directory (AD) groups and users are supported. After you have created one or more flows in Wireless Setup, other types of users, groups, and authorizations are available for Wireless Setup, but they must be configured on ISE.

  • If you already defined Active Directory in Cisco ISE, and you plan to use this AD for Wireless Setup, then:

    • The join name and domain name must be the same. If the names are not the same, then make them the same in Cisco ISE before using that AD in Wireless Setup.

    • If your Wireless Controller is already configured on Cisco ISE, the Wireless Controller must have a shared secret configured. If the Wireless Controller definition does not have the shared secret, then either add the shared secret, or delete the Wireless Controller from Cisco ISE, before configuring that Wireless Controller in Wireless Setup.

  • Wireless Setup can configure Cisco ISE components, but it can't delete or modify them after a flow has been started. For a list of all the things that Wireless Setup configures in Cisco ISE, see Cisco Identity Services Engine CLI Reference Guide for your version of Cisco ISE.

  • When you start a flow, you must complete the flow. Clicking a breadcrumb in the flow stops the flow. As you step through a flow, changes are made to the Cisco ISE configuration dynamically. Wireless Setup provides a list of configuration changes, so you can manually revert. You can't back up in a flow to make extra changes, with one exception. You can go back to change Guest or BYOD portal customization.

  • Multiple Wireless Controllers and Active Directory domains are supported, but each flow can only support one Wireless Controller and one Active Directory.

  • Wireless Setup requires a Cisco ISE Basic license to operate. BYOD requires a Cisco ISE Plus license.

  • If you have configured Cisco ISE resources before configuring Wireless Setup, Wireless Setup may have conflicts with an existing policy. If this happens, Wireless Setup advises you to review the authorization policy after running through the tool. We recommend that you start with a clean setup of Cisco ISE when running Wireless Setup. Support for a mixed configuration of Wireless Setup and Cisco ISE is limited.

  • Wireless Setup is available in English, but not other languages. If you want to use other languages with your portal, configure that in Cisco ISE after running Wireless Setup.

  • Dual SSID is supported for BYOD. The Open SSID used in this configuration does not support guest access, due to conflicts. If you need a portal that supports both guest and BYOD, you cannot use Wireless Setup; that configuration is out of the scope of this document.

  • Email and SMS Notifications

    • For self-registered guests, SMS and email notification are supported. These notifications are configured in the notification section of the portal customization. You must configure an SMTP server to support SMS and email notifications. The cellular providers built into Cisco ISE, which include AT&T, T-Mobile, Sprint, Orange and Verizon, are pre-configured, and sending email to their SMS gateways is free.

    • A guest chooses their cell provider in the portal. If their provider is not in the list, then they can't receive a message. You can also configure a global provider, but that is outside the scope of this guide. If the guest portal is configured for both SMS and email notification, then guests must enter values for both services.

    • The Sponsored guest flow does not provide configuration for SMS or email notification in Wireless Setup. For that flow, you must configure notification services in Cisco ISE.

    • Do not select the SMS provider Global Default when configuring notifications for a portal. This provider is not configured (by default).

  • Wireless Setup only supports a standalone setup without HA. If you decide to use extra PSNs for authentication, then add the Cisco ISE IP addresses of those PSNs to your Wireless Controller’s RADIUS configuration.


Page 10

In this scenario, the network access device (NAD) makes a new authorization request to the Cisco ISE RADIUS server from an unknown endpoint connection. The endpoint then receives a url-redirect to Cisco ISE.


Note
The webauth-vrf-aware command is supported only in IOS XE 3.7E, IOS 15.2(4)E, or later versions. Other switches do not support WebAuth URL redirect in a virtual routing and forwarding (VRF) environment. In such cases, as a workaround, you can add a route in the global routing table to leak the traffic back into the VRF.

If the guest device is connected to a NAD, the guest service interaction takes the form of a MAC Authentication Bypass (MAB) request that leads to a Guest portal Central WebAuth login. The following is an outline of the subsequent Central Web Authentication (Central WebAuth) process, which applies to both wireless and wired network access devices.

  1. The guest device connects to the NAD through a hard-wired connection. There is no 802.1X supplicant on the guest device.

  2. An authentication policy with a service type for MAB allows a MAB failure to continue and return a restricted network profile containing a url-redirect for the Central WebAuth user interface.

  3. The NAD is configured to authenticate MAB requests to the Cisco ISE RADIUS server.

  4. The Cisco ISE RADIUS server processes the MAB request and does not find an endpoint for the guest device.

    This MAB failure resolves to the restricted network profile and returns the url-redirect value in the profile to the NAD in an access-accept. To support this function, ensure that an authorization policy exists and features the appropriate wired or wireless MAB (under compound conditions) and, optionally, “Session:Posture Status=Unknown” conditions. The NAD uses this value to redirect all guest HTTPS traffic on the default port 8443 to the url-redirect value.

    The standard URL value in this case is: https://ip:port/guestportal/gateway?sessionId=NetworkSessionId&portal=<PortalID>&action=cwa

  5. The guest device initiates an HTTP request to the redirect URL via a web browser.

  6. The NAD redirects the request to the url-redirect value returned from the initial access-accept.

  7. The gateway URL value with action CWA redirects to the Guest portal login page.

  8. The guest enters their login credentials and submits the login form.

  9. The guest server authenticates the login credentials.

  10. Depending on the type of flow, the following occurs:

    • If it is a non-posture flow (authentication without further validation), where the Guest portal is not configured to perform client provisioning, the guest server sends a CoA to the NAD. This CoA causes the NAD to reauthenticate the guest device using the Cisco ISE RADIUS server. A new access-accept is returned to the NAD with the configured network access. If client provisioning is not configured and the VLAN needs to be changed, the Guest portal performs VLAN IP renew. The guest does not have to re-enter login credentials. The username and password entered for the initial login are used automatically.

    • If it is a posture flow, where the Guest portal is configured to perform client provisioning, the guest device web browser displays the Client Provisioning page for posture agent installation and compliance. (You can also optionally configure the client provisioning resource policy to feature a “NetworkAccess:UseCase=GuestFlow” condition.)

The Guest portal redirects to the Client Provisioning portal (because there is no client provisioning or posture agent for Linux), which in turn redirects back to a guest authentication servlet to perform optional IP release/renew and then CoA.

With redirection to the Client Provisioning portal, the Client Provisioning service downloads a non-persistent web agent to the guest device and performs a posture check of the device. You can optionally configure the posture policy with a “NetworkAccess:UseCase=GuestFlow” condition.

If the guest device is non-compliant, ensure that you have configured an authorization policy that features “NetworkAccess:UseCase=GuestFlow” and “Session:Posture Status=NonCompliant” conditions.

When the guest device is compliant, ensure that you have an authorization policy configured with the conditions “NetworkAccess:UseCase=GuestFlow” and “Session:Posture Status=Compliant.” From here, the Client Provisioning service issues a CoA to the NAD. This CoA causes the NAD to reauthenticate the guest using the Cisco ISE RADIUS server. A new access-accept is returned to the NAD with the configured network access.


Note
“NetworkAccess:UseCase=GuestFlow” can also apply for Active Directory and LDAP users who log in as guests.
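The Central WebAuth flow above depends on three authorization rules existing: a MAB rule (optionally with Session:Posture Status=Unknown) that returns the url-redirect, and GuestFlow rules for the Compliant and NonCompliant posture results. The following is an added example, not Cisco ISE code, of a first-match policy evaluator that shows what each point in the flow resolves to, and what happens when one of those rules is missing. The session attributes, the IP address 192.0.2.10, the profile names and the portal ID placeholder are constructed; the expansion of Wired_MAB and Wireless_MAB into Service-Type and NAS-Port-Type values reflects the built-in compound conditions as I understand them and should be treated as an assumption.

```python
# Added example (not Cisco ISE code): a first-match authorization policy
# evaluator that produces the CWA redirect and the posture-based results the
# flow above depends on, run over constructed session attributes.
from typing import Dict, List, Tuple

# Compound conditions expanded to attribute/value pairs. These expansions
# mirror the built-in Wired_MAB / Wireless_MAB conditions as I understand
# them; treat them as assumptions rather than as taken from this page.
COMPOUND: Dict[str, Dict[str, str]] = {
    "Wired_MAB": {"Radius:Service-Type": "Call Check", "Radius:NAS-Port-Type": "Ethernet"},
    "Wireless_MAB": {"Radius:Service-Type": "Call Check", "Radius:NAS-Port-Type": "Wireless - IEEE 802.11"},
}

# (rule name, compound conditions, simple conditions, authorization profile)
Rule = Tuple[str, List[str], Dict[str, str], str]

POLICY: List[Rule] = [
    ("Guest_Compliant", [], {"NetworkAccess:UseCase": "GuestFlow", "Session:PostureStatus": "Compliant"}, "PermitAccess"),
    ("Guest_NonCompliant", [], {"NetworkAccess:UseCase": "GuestFlow", "Session:PostureStatus": "NonCompliant"}, "Guest_Remediation"),
    ("Wired_MAB_Redirect", ["Wired_MAB"], {"Session:PostureStatus": "Unknown"}, "CWA_Redirect"),
    ("Wireless_MAB_Redirect", ["Wireless_MAB"], {"Session:PostureStatus": "Unknown"}, "CWA_Redirect"),
]
DEFAULT_PROFILE = "DenyAccess"


def cwa_redirect_url(ise_ip: str, session_id: str, portal_id: str, port: int = 8443) -> str:
    """The url-redirect value in the shape the text gives (default port 8443)."""
    return (f"https://{ise_ip}:{port}/guestportal/gateway"
            f"?sessionId={session_id}&portal={portal_id}&action=cwa")


def _matches(session: Dict[str, str], compounds: List[str], simple: Dict[str, str]) -> bool:
    """All attribute/value pairs of the rule must be present in the session."""
    needed = dict(simple)
    for name in compounds:
        needed.update(COMPOUND[name])
    return all(session.get(k) == v for k, v in needed.items())


def authorize(session: Dict[str, str], policy: List[Rule] = POLICY,
              ise_ip: str = "192.0.2.10", portal_id: str = "PORTAL_ID_PLACEHOLDER") -> Dict[str, str]:
    """First matching rule wins; no match falls through to the default rule."""
    for name, compounds, simple, profile in policy:
        if _matches(session, compounds, simple):
            result = {"rule": name, "profile": profile}
            if profile == "CWA_Redirect":
                result["url-redirect"] = cwa_redirect_url(ise_ip, session["Session:Id"], portal_id)
            return result
    return {"rule": "Default", "profile": DEFAULT_PROFILE}


# Constructed sessions for three points in the flow (MAB attributes stay the
# same after the CoA-triggered reauthentication).
_BASE = {"Session:Id": "0A0000010000001A2F3B4C5D",
         "Radius:Service-Type": "Call Check", "Radius:NAS-Port-Type": "Ethernet"}
MAB_UNKNOWN = {**_BASE, "Session:PostureStatus": "Unknown"}
GUEST_COMPLIANT = {**_BASE, "NetworkAccess:UseCase": "GuestFlow", "Session:PostureStatus": "Compliant"}
GUEST_NONCOMPLIANT = {**_BASE, "NetworkAccess:UseCase": "GuestFlow", "Session:PostureStatus": "NonCompliant"}

if __name__ == "__main__":
    for label, s in (("MAB unknown", MAB_UNKNOWN), ("guest compliant", GUEST_COMPLIANT),
                     ("guest non-compliant", GUEST_NONCOMPLIANT)):
        print(label, "->", authorize(s))
```

Removing the Guest_Compliant rule from POLICY makes the compliant session fall through to the default DenyAccess result, which is the failure mode the text warns about when it says to ensure those rules exist.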

Page 11

Employees can access the My Devices portal directly.

Some network devices that need network access are not supported by native supplicant provisioning and cannot be registered using the BYOD portal. However, employees can add and register personal devices, whose operating systems are not supported or do not have web browsers (such as printers, internet radios, and other devices), using the My Devices portal.

Employees can add and manage new devices by entering the MAC address for the device. When employees add devices using the My Devices portal, Cisco ISE adds the devices to the Endpoints window as members of the RegisteredDevices endpoint identity group (unless already statically assigned to a different endpoint identity group). The devices are profiled like any other endpoint in Cisco ISE and go through a registration process for network access.

When two MAC addresses from one device are entered into the My Devices portal by a user, profiling determines that they have the same hostname, and they are merged together as a single entry in Cisco ISE. For example, a user registers a laptop with wired and wireless addresses. Any operations on that device, such as delete, act on both addresses.

When a registered device is deleted from the portal, the DeviceRegistrationStatus and BYODRegistration attributes change to Not Registered and No, respectively. However, these attributes remain unchanged when a guest (who is not an employee) registers a device using the Guest Device Registration window in the credentialed Guest portals, because these BYOD attributes are used only during employee device registration.

Regardless of whether employees register their devices using the BYOD or the My Devices portals, they can use the My Devices portal to manage them.


Note

The My Devices portal is not available when the Administrator's portal is down.


Page 12

Cisco ISE retrieves user or machine attributes and groups from Active Directory for use in authorization policy rules. These attributes can be used in Cisco ISE policies and determine the authorization level for a user or machine. Cisco ISE retrieves user and machine Active Directory attributes after successful authentication and can also retrieve attributes for an authorization that is independent of authentication.

Cisco ISE may use groups in external identity stores to assign permissions to users or computers; for example, to map users to sponsor groups. You should note the following restrictions on group memberships in Active Directory:

  • Policy rule conditions may reference any of the following: a user’s or computer’s primary group, the groups of which a user or computer is a direct member, or indirect (nested) groups.

  • Domain local groups outside a user’s or computer’s account domain are not supported.


Note
You can use the value of the Active Directory attribute msRADIUSFramedIPAddress as an IP address. This IP address can be sent to a network access server (NAS) in an authorization profile. The msRADIUSFramedIPAddress attribute supports only IPv4 addresses. Upon user authentication, the msRADIUSFramedIPAddress attribute value fetched for the user is converted to IP address format.
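The conversion mentioned in the note, as an added example (not Cisco ISE code). It assumes, from the Active Directory schema rather than from this page, that msRADIUSFramedIPAddress has the Integer syntax, i.e. a signed 32-bit number, so addresses in the upper half of the IPv4 range arrive as negative values when read from the directory; it also packs the result as the RADIUS Framed-IP-Address attribute (type 8) that an authorization profile would place in the Access-Accept. The sample addresses are constructed.

```python
# Added example (not Cisco ISE code): converting an msRADIUSFramedIPAddress
# value to dotted-quad text and packing it as a RADIUS Framed-IP-Address.
import ipaddress
import struct
from typing import Union


def framed_ip_from_ad(value: Union[str, int]) -> str:
    """Turn the value read from Active Directory into IPv4 dotted-quad text.

    Assumption (AD schema, not stated on the page): the attribute has the
    Integer syntax, a signed 32-bit number, so addresses at or above
    128.0.0.0 come back as negative numbers when read as text.
    """
    n = int(value)
    if not -(2 ** 31) <= n < 2 ** 31:
        raise ValueError(f"not a 32-bit value: {value!r}")
    unsigned = struct.unpack("!I", struct.pack("!i", n))[0]  # reinterpret the sign bit
    return str(ipaddress.IPv4Address(unsigned))


def framed_ip_to_ad(text: str) -> int:
    """Inverse mapping: dotted-quad IPv4 text to the signed integer AD stores."""
    addr = ipaddress.ip_address(text)
    if addr.version != 4:
        # The page states the attribute supports only IPv4 addresses.
        raise ValueError("msRADIUSFramedIPAddress supports only IPv4 addresses")
    return struct.unpack("!i", struct.pack("!I", int(addr)))[0]


def framed_ip_address_avp(text: str) -> bytes:
    """RADIUS Framed-IP-Address attribute (type 8, length 6) for an Access-Accept."""
    addr = ipaddress.ip_address(text)
    if addr.version != 4:
        raise ValueError("Framed-IP-Address carries an IPv4 address")
    return struct.pack("!BB", 8, 6) + addr.packed


def ad_value_to_avp(value: Union[str, int]) -> bytes:
    """End to end: directory integer -> dotted quad -> RADIUS attribute bytes."""
    return framed_ip_address_avp(framed_ip_from_ad(value))
```

A value such as -1062731775 is not corrupt data; it is 192.168.0.1 once the sign bit is reinterpreted, which is worth knowing when an authorization profile appears to hand out a wrong or empty address.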

Attributes and groups are retrieved and managed per join point. They are used in authorization policy (by selecting first the join point and then the attribute). You cannot define attributes or groups per scope for authorization, but you can use scopes for authentication policy. When you use a scope in authentication policy, it is possible that a user is authenticated via one join point, but attributes and/or groups are retrieved via another join point that has a trust path to the user's account domain. You can use authentication domains to ensure that no two join points in one scope have any overlap in authentication domains.


Note

During the authorization process in a multi-join-point configuration, Cisco ISE searches the join points in the order in which they are listed in the authorization policy, only until a particular user has been found. Once a user has been found, the attributes and groups assigned to the user in that join point are used to evaluate the authorization policy.

An authorization policy fails if the rule contains an Active Directory group name with special characters such as /, !, @, \, #, $, %, ^, &, *, (, ), _, +, or ~.

Admin user login through Active Directory might fail if the admin username contains $ character.

To reduce ambiguity when matching user information against Active Directory's User-Principal-Name (UPN) attributes, you must configure Active Directory to use Explicit UPN. Using Implicit UPN can produce ambiguous results if two users have the same value for sAMAccountName.

To set Explicit UPN in Active Directory, open the Advanced Tuning page, and set the attribute REGISTRY.Services\lsass\Parameters\Providers\ActiveDirectory\UseExplicitUPN to 1.

Cisco ISE supports retrieving Boolean attributes from Active Directory and LDAP identity stores.

You can configure the Boolean attributes while configuring the directory attributes for Active Directory or LDAP. These attributes are retrieved upon authentication with Active Directory or LDAP.

The Boolean attributes can be used for configuring policy rule conditions.

The Boolean attribute values are fetched from Active Directory or LDAP server as String type. Cisco ISE supports the following values for the Boolean attributes:

Boolean attribute    Supported values
True                 t, T, true, TRUE, True, 1
False                f, F, false, FALSE, False, 0


Note

Attribute substitution is not supported for the Boolean attributes.

If you configure a Boolean attribute (for example, msTSAllowLogon) as String type, the Boolean value of the attribute in the Active Directory or LDAP server will be set for the String attribute in Cisco ISE. You can change the attribute type to Boolean or add the attribute manually as Boolean type.
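The following is an added example, not Cisco ISE code, of how the String values in the table above map to a Boolean and why the declared attribute type matters. It accepts exactly the spellings the table lists and rejects anything else, and it shows the difference the note describes: an attribute declared as Boolean matches a True condition for any listed spelling, while the same attribute left as String type is compared as literal text, so "TRUE" and "True" are different values. The attribute values and the msTSAllowLogon sample are constructed for the example.

```python
# Added example (not Cisco ISE code): normalising the String values the table
# lists into booleans, and showing why the declared attribute type matters.
from typing import Dict, Union

TRUE_VALUES = frozenset({"t", "T", "true", "TRUE", "True", "1"})
FALSE_VALUES = frozenset({"f", "F", "false", "FALSE", "False", "0"})


def _as_text(raw: Union[str, bytes]) -> str:
    """LDAP libraries often return bytes; policy evaluation works on text."""
    return raw.decode("utf-8") if isinstance(raw, bytes) else raw


def is_supported_boolean(raw: Union[str, bytes]) -> bool:
    """True when the fetched value is one of the spellings in the table."""
    text = _as_text(raw)
    return text in TRUE_VALUES or text in FALSE_VALUES


def parse_directory_boolean(raw: Union[str, bytes]) -> bool:
    """Map the text fetched from AD/LDAP to a bool using exactly the supported spellings.

    Anything else ("yes", "tRuE", " true" with whitespace) is rejected, not guessed.
    """
    text = _as_text(raw)
    if text in TRUE_VALUES:
        return True
    if text in FALSE_VALUES:
        return False
    raise ValueError(f"unsupported Boolean spelling: {raw!r}")


def condition_matches(attrs: Dict[str, Union[str, bytes]], name: str,
                      expected: Union[bool, str], declared_types: Dict[str, str]) -> bool:
    """Evaluate an 'attribute EQUALS value' rule condition.

    declared_types holds the type configured for each directory attribute in
    Cisco ISE ("Boolean" or "String"). A Boolean attribute is normalised first,
    so any listed spelling matches the expected bool; a String attribute (the
    case in the note above) is compared as literal text.
    """
    if name not in attrs:
        return False  # an absent attribute never satisfies the condition
    text = _as_text(attrs[name])
    if declared_types.get(name) == "Boolean":
        return parse_directory_boolean(text) is bool(expected)
    return text == str(expected)


# Constructed directory result for one user.
SAMPLE_ATTRS: Dict[str, Union[str, bytes]] = {"msTSAllowLogon": b"TRUE"}
```

If a rule that compares the attribute to True stops matching after the directory starts returning "1" instead of "TRUE", the attribute is almost certainly still declared as String type; changing it to Boolean, as the note suggests, makes every listed spelling equivalent.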


Page 13

You can customize a report and save the changes as a new report, or restore the default report settings in My Reports at the top right corner of the report summary page.

You can also customize and schedule Cisco ISE reports to run and re-run at specific time or time intervals. You can also send and receive email notifications for the reports generated.

When scheduling reports with Hourly frequency, you can have the report run over multiple days, but the timeframe cannot spread across two days.

For example, when scheduling an hourly report from May 4, 2019, to May 8, 2019, you can set the time interval as between 6:00 a.m. and 11:00 p.m. each day, but not between 6:00 p.m. of one day and 11:00 a.m. of the next. Cisco ISE displays an error message that the time range is invalid in the latter case.
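An added example, not Cisco ISE code, that expands an Hourly schedule into the run times it produces and rejects the cross-midnight window the paragraph describes. The dates and times are the ones in the example above; the assumptions not stated on the page are that runs occur on the hour from the start time up to and including the end time, and that the start time must be strictly earlier than the end time.

```python
# Added example (not Cisco ISE code): expanding an Hourly report schedule into
# run times, rejecting a daily window that would cross midnight.
from datetime import date, datetime, time, timedelta
from typing import List


def is_valid_hourly_window(start: time, end: time) -> bool:
    """True when the daily window stays within one day (start before end)."""
    return start < end


def hourly_run_times(start_day: date, end_day: date, start: time, end: time) -> List[datetime]:
    """Return one timestamp per hourly run between start_day and end_day inclusive.

    Assumptions (the page states the rule, not the exact run semantics): runs
    happen on the hour from start up to and including end, and the window must
    start strictly before it ends on the same day.
    """
    if end_day < start_day:
        raise ValueError("end date is before start date")
    if not is_valid_hourly_window(start, end):
        # 18:00 -> 11:00 would spill into the next day; the page says Cisco ISE
        # reports the time range as invalid in this case.
        raise ValueError("time range is invalid: the daily window cannot span two days")
    runs: List[datetime] = []
    day = start_day
    while day <= end_day:
        t = datetime.combine(day, start)
        stop = datetime.combine(day, end)
        while t <= stop:
            runs.append(t)
            t += timedelta(hours=1)
        day += timedelta(days=1)
    return runs


if __name__ == "__main__":
    # The valid example from the text: May 4-8, 2019, 06:00 to 23:00 each day.
    runs = hourly_run_times(date(2019, 5, 4), date(2019, 5, 8), time(6, 0), time(23, 0))
    print(len(runs), "runs, first", runs[0], "last", runs[-1])
    print("18:00 -> 11:00 valid?", is_valid_hourly_window(time(18, 0), time(11, 0)))
```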


Note

If an external administrator (for example: Active Directory Administrator) creates a scheduled report without filling the email-id field, no email notifications will be sent.

You cannot schedule the following reports:

  • Authentication Summary

  • Health Summary

  • RBACL Drop Summary

  • Guest Sponsor summary

  • Endpoint Profile Changes

  • Network Device Session Status


Note

You can save or schedule (customize) Cisco ISE reports only from the PAN.


Note

If the Primary MnT is down, the Secondary MnT executes the scheduled report job. The scheduled report job runs on both the Primary MnT and the Secondary MnT. On the Secondary MnT, before running the export job, it tries to ping the Primary MnT. Only if the ping fails does the Secondary MnT run the export job; otherwise the export job is skipped.

When you go back to a saved report, all the filter options are checked by default. Uncheck the filters that you do not wish to use.

You can also remove a saved report from My Reports category.


Page 14

Cisco ISE checks the username and password pair against the identity stores, until it eventually acknowledges the authentication or terminates the connection.

You can use different levels of security concurrently with Cisco ISE for different requirements. PAP applies a two-way handshaking procedure. If authentication succeeds, Cisco ISE returns an acknowledgment; otherwise, Cisco ISE terminates the connection or gives the originator another chance.

The originator is in total control of the frequency and timing of the attempts. Therefore, any server that can use a stronger authentication method will offer to negotiate that method prior to PAP. RFC 1334 defines PAP.

Cisco ISE supports standard RADIUS PAP authentication that is based on the RADIUS UserPassword attribute. RADIUS PAP authentication is compatible with all identity stores.

The RADIUS-with-PAP-authentication flow includes logging of passed and failed attempts.
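An added example, not Cisco ISE code, of how a PAP password travels in the RADIUS User-Password attribute and how a server checks it against ordered identity stores. The hiding is the RFC 2865 section 5.2 procedure (MD5 of the shared secret and the Request Authenticator, XORed block by block with the padded password); the server reverses it, so it holds the clear-text password at verification time, which is what makes PAP compatible with any identity store. The shared secret, the Request Authenticator, the usernames and the store contents are constructed for the example.

```python
# Added example (not Cisco ISE code): the RADIUS User-Password hiding that
# carries a PAP password (RFC 2865 section 5.2), and a server-side check
# against ordered identity stores that answers Access-Accept or Access-Reject.
import hashlib
import hmac
from typing import Dict, List, Tuple


def _pad16(data: bytes) -> bytes:
    """Pad with NUL octets to a multiple of 16, as the RFC requires."""
    return data + b"\x00" * (-len(data) % 16)


def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Client side: XOR each 16-octet block with MD5(secret + previous block)."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not password or len(password) > 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = _pad16(password)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block  # chaining: the hidden block feeds the next MD5
    return out


def reveal_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: the inverse of hide_user_password; NUL padding is stripped."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 octets")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return out.rstrip(b"\x00")


# Constructed identity stores, consulted in order as the text describes.
# PAP hands the server the clear-text password, which is what lets it be
# checked against any store type; these dicts stand in for those stores.
IDENTITY_STORES: List[Tuple[str, Dict[str, bytes]]] = [
    ("Internal Users", {"alice": b"pa55word!"}),
    ("AD1", {"bob": b"Winter2019!x"}),
]


def pap_authenticate(username: str, hidden: bytes, secret: bytes, authenticator: bytes,
                     stores: List[Tuple[str, Dict[str, bytes]]] = IDENTITY_STORES) -> Tuple[str, str]:
    """Walk the stores in order; return ("Access-Accept", store) or ("Access-Reject", "")."""
    candidate = reveal_user_password(hidden, secret, authenticator)
    for name, users in stores:
        stored = users.get(username)
        if stored is not None and hmac.compare_digest(stored, candidate):
            return "Access-Accept", name
    return "Access-Reject", ""


SECRET = b"constructed-shared-secret"  # constructed for the example only
AUTHENTICATOR = bytes(range(16))        # a real client draws 16 random octets per request

if __name__ == "__main__":
    hidden = hide_user_password(b"pa55word!", SECRET, AUTHENTICATOR)
    print(hidden.hex())
    print(pap_authenticate("alice", hidden, SECRET, AUTHENTICATOR))
```

The only things protecting the password on the wire are the shared secret and the per-request authenticator, which is why the text notes that servers offer stronger methods before PAP and why the RADIUS exchange itself should run over a protected path.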


Page 15

A logging category is a bundle of message codes that describe a function, a flow, or a use case. In Cisco ISE, each log is associated with a message code that is bundled with the logging categories according to the log message content. Logging categories help describe the content of the messages that they contain.

Logging categories promote logging configuration. Each category has a name, target, and severity level that you can set, as per your application requirement.

Cisco ISE provides predefined logging categories for services, such as Posture, Profiler, Guest, AAA (authentication, authorization, and accounting), and so on, to which you can assign log targets.

For the logging category Passed Authentications, the option to allow local logging is disabled by default. Enabling local logging for this category will result in high utilization of operational space, and fill prrt-server.log along with the iseLocalStore.log.

If you choose to enable local logging for Passed Authentications, go to , click Passed Authentications from the category section, and check the check box against Local Logging.