Name
|
Enter a name that identifies
the new authorization profile.
|
Description
|
Enter a description of the
authorization profile.
|
Access Type
|
Choose the access type the profile
returns in its RADIUS response: ACCESS_ACCEPT or ACCESS_REJECT. A RADIUS
Access-Reject carries no authorization attributes, so the settings below only
take effect in an ACCESS_ACCEPT profile.
|
Service Template
|
Check the check box to let
Cisco ISE support sessions from SAnet-capable devices. Cisco ISE implements a
service template as an authorization profile that carries a special flag
marking it as “Service Template” compatible. Because the service template is
itself an authorization profile, the same profile can be used in a single policy
to serve both SAnet and non-SAnet devices.
|
Common Tasks
|
DACL Name
|
Check the check box and
choose an existing downloadable ACL from the drop-down list. Cisco ISE provides
two default values,
PERMIT_ALL_TRAFFIC
and
DENY_ALL_TRAFFIC; the list also includes every DACL
currently in the local database. Unlike the url-redirect, Filter-ID and WLC ACLs
described below, a DACL is downloaded to the switch by Cisco ISE and does not
have to be defined on the device beforehand.
|
VLAN
|
Check the check box and enter
the virtual LAN (VLAN) that you want associated with the new authorization
profile; both a numeric VLAN ID and a VLAN name are accepted. The value is sent
in the Tunnel-Private-Group-ID attribute in the form tag:VLAN, for example
1:123.
Note
|
The number before the colon is
the RADIUS tunnel tag (RFC 2868), not a VLAN ID. If you enter only the VLAN
value, Cisco ISE prefixes the default tag of 1: entering 123 as your VLAN
number produces the following value in the Attributes Details pane:
Tunnel-Private-Group-ID = 1:123.
|
|
Voice Domain Permission
|
Check the check box to send
the vendor-specific attribute (VSA) “cisco-av-pair” with the value
“device-traffic-class=voice”. When a switch port running multi-domain
authentication (MDA) receives this VSA, it places the endpoint in the voice
domain after authorization.
|
Posture Discovery
|
Check the check box to enable
the redirection that Cisco ISE uses for posture discovery, and enter the name
of an ACL that is configured on the network device. That ACL selects the
traffic the device redirects; Cisco ISE references it by name and does not push
it, so it must already exist on the device. For example, if you entered acl119,
the Attributes Details pane shows: cisco-av-pair = url-redirect-acl=acl119. The
pane also displays: cisco-av-pair =
url-redirect=https://ip:8443/guestportal/gateway?sessionid=
SessionValueIdValue&action=cpp, where ip and the session ID are placeholders
that are filled in for each session.
|
Centralized Web
Authentication
|
Check the check box to enable
a redirection that works like posture discovery but sends guest user access
requests to the Guest server in Cisco ISE. Enter the name of an ACL that is
configured on the device (it is referenced, not pushed), and select
Default
or
Manual as the redirect option. For example, if the
value you entered is acl-999, the Attributes Details pane shows: cisco-av-pair
= url-redirect-acl=acl-999. The pane also displays: cisco-av-pair =
url-redirect=https://ip:8443/guestportal/gateway?sessionid=SessionValueIdValue&action=cwa.
Check the
Static IP/Host Name
check box to specify the exact IP address or
hostname to which users are redirected. If this check box is not checked, users
are redirected to the FQDN of the policy service node that received the
request. The redirect is HTTPS, so the portal certificate must be valid for
whatever IP address or hostname you enter here; otherwise users see a
certificate warning before the portal loads.
|
Web Redirection (CWA, DRW,
MDM, NSP, CPP)
|
|
Auto SmartPort
|
Check the check box to enable
Auto SmartPort and enter the corresponding event name in the text box. This
sends the VSA cisco-av-pair with the value “auto-smart-port=event_name”. Your
choice is reflected in the Attributes Details pane.
|
Filter-ID
|
Check the check box to send
the RADIUS Filter-Id attribute carrying the ACL name you enter in the text box.
Cisco ISE automatically appends “.in”, which tells the switch to apply the named
ACL to inbound traffic on the port; the ACL must already exist on the switch.
Your choice is reflected in the Attributes Details pane.
|
Reauthentication
|
Check the check box and enter
a reauthentication interval in seconds, or choose a value from the Timer
drop-down list; it is sent as the RADIUS Session-Timeout attribute. Then choose
what happens when the timer expires by setting Termination-Action to either the
default (a value of 0), which leaves the device to apply its own behaviour, or
RADIUS-Request (a value of 1), which tells the device to send a new
Access-Request and keep the session's authorization in place while it
reauthenticates, so connectivity is maintained during the reauthentication
process.
|
MACSec Policy
|
Check the check box to set
the MACsec encryption policy for a MACsec-capable client that Cisco ISE
authorizes, and choose one of the following three options:
must-secure (the session is allowed only if MACsec is established),
should-secure (MACsec is used if the client supports it, otherwise the session
runs unencrypted), or
must-not-secure (MACsec is not negotiated). For example, your choice is
reflected in the Attributes Details pane as: cisco-av-pair =
linksec-policy=must-secure.
|
NEAT
|
Check the check box to enable
Network Edge Access Topology (NEAT), which lets a supplicant switch
authenticate to an authenticator switch so that identity-based access extends
to the devices behind it. Checking this check box displays the following
value in the Attributes Details pane: cisco-av-pair =
device-traffic-class=switch, which tells the authenticator that a switch,
rather than an endpoint, is connected to the port.
|
Web Authentication (Local Web
Auth)
|
Check the check box to enable
local web authentication for this authorization profile. Cisco ISE sends a VSA
along with a DACL so that the switch recognizes the authorization as web
authentication. The VSA is cisco-av-pair = priv-lvl=15 and it is reflected in
the Attributes Details pane.
|
Wireless LAN Controller (WLC)
|
Check the check box and enter
an ACL name in the text field. The value is sent in the Airespace-ACL-Name VSA,
which the WLC requires in order to apply one of its locally defined ACLs to the
connection; the ACL must already exist on the controller. For example, if you
entered rsa-1188, the Attributes Details pane shows: Airespace-ACL-Name =
rsa-1188.
|
ASA VPN
|
Check the check box to assign
an Adaptive Security Appliance (ASA) VPN group policy, and choose a value from
the Attribute list to configure this setting.
|
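Each Common Task above adds one or more RADIUS attributes to the Access-Accept. As an added example (not Cisco's code and not part of the ISE product), the Python below models those fields as a plain dict, renders the "Name = value" lines the Attributes Details pane displays, and lints combinations a reviewer would question before attaching the profile to an authorization rule. It encodes the tunnel tag rule for VLAN values, the ".in" suffix for Filter-ID, and the placeholder redirect URL shown on this page. The dict key names, the `psn.fqdn` stand-in for the receiving PSN, the lint rules and the helper names are this example's assumptions; the DACL, Session-Timeout and Termination-Action line spellings are also assumed, since the page does not show them.

```python
"""Render and lint the RADIUS attributes a Cisco ISE authorization profile emits.

Added example, not Cisco's code: models the Common Tasks as a dict, reproduces
the "Name = value" lines of the Attributes Details pane, and flags combinations
worth questioning. Dict keys, 'psn.fqdn', the lint rules and the DACL /
Session-Timeout / Termination-Action spellings are this example's assumptions.
"""

DEFAULT_TUNNEL_TAG = 1   # RFC 2868 tunnel attributes carry a tag; ISE renders "tag:value"
PORTAL_PORT = 8443       # port in the url-redirect URLs shown on the page
AV = "cisco-av-pair"     # the Cisco VSA every av-pair rides in


def tunnel_private_group_id(vlan, tag=DEFAULT_TUNNEL_TAG):
    """Format '123', 'guests' or an explicit 'tag:value' the way the pane shows it, e.g. '1:123'."""
    vlan = str(vlan).strip()
    if ":" in vlan:                         # caller already supplied tag:value
        tag_text, vlan = vlan.split(":", 1)
        tag = int(tag_text)
    if not 1 <= tag <= 31:                  # RFC 2868 tag field is 0x01-0x1F
        raise ValueError(f"tunnel tag {tag} outside 1-31")
    if not vlan:
        raise ValueError("empty VLAN value")
    if vlan.isdigit() and not 1 <= int(vlan) <= 4094:   # 802.1Q ID range; names pass through
        raise ValueError(f"VLAN ID {vlan} outside 1-4094")
    return f"{tag}:{vlan}"


def redirect_url(host, action):
    """Portal URL in the shape the page shows; the session ID is filled in per session."""
    return (f"https://{host}:{PORTAL_PORT}/guestportal/gateway"
            f"?sessionid=SessionIdValue&action={action}")


def render(profile):
    """Return (attribute, value) pairs for a Common Tasks dict; an absent key means the box is clear."""
    access = profile.get("access_type", "ACCESS_ACCEPT")
    out = [("Access Type", access)]
    if access == "ACCESS_REJECT":           # an Access-Reject carries no authorization attributes
        return out
    host = profile.get("static_host", "psn.fqdn")   # stand-in for the receiving PSN's FQDN
    if "dacl" in profile:
        out.append(("DACL", profile["dacl"]))
    if "vlan" in profile:
        out.append(("Tunnel-Private-Group-ID", tunnel_private_group_id(profile["vlan"])))
    if profile.get("voice_domain"):
        out.append((AV, "device-traffic-class=voice"))
    if "posture_acl" in profile:            # Posture Discovery: the ACL lives on the switch
        out.append((AV, f"url-redirect-acl={profile['posture_acl']}"))
        out.append((AV, f"url-redirect={redirect_url(host, 'cpp')}"))
    if "cwa_acl" in profile:                # Centralized Web Authentication
        out.append((AV, f"url-redirect-acl={profile['cwa_acl']}"))
        out.append((AV, f"url-redirect={redirect_url(host, 'cwa')}"))
    if "auto_smartport" in profile:
        out.append((AV, f"auto-smart-port={profile['auto_smartport']}"))
    if "filter_id" in profile:              # ISE appends .in; the ACL must exist on the switch
        out.append(("Filter-Id", profile["filter_id"] + ".in"))
    if "reauth_seconds" in profile:
        out.append(("Session-Timeout", str(int(profile["reauth_seconds"]))))
        out.append(("Termination-Action", profile.get("termination_action", "Default")))
    if "macsec" in profile:
        out.append((AV, f"linksec-policy={profile['macsec']}"))
    if profile.get("neat"):
        out.append((AV, "device-traffic-class=switch"))
    if profile.get("local_web_auth"):
        out.append((AV, "priv-lvl=15"))
    if "wlc_acl" in profile:
        out.append(("Airespace-ACL-Name", profile["wlc_acl"]))
    return out


def lint(profile):
    """Findings a reviewer would raise; an empty list means nothing to object to."""
    try:
        attrs = render(profile)
    except ValueError as exc:
        return [str(exc)]
    findings = []
    av = [v for name, v in attrs if name == AV]
    redirects = [v for v in av if v.startswith("url-redirect=")]
    classes = [v for v in av if v.startswith("device-traffic-class=")]
    if profile.get("access_type") == "ACCESS_REJECT" and len(profile) > 1:
        findings.append("ACCESS_REJECT sends no attributes; the other fields are dead configuration")
    if len(redirects) > 1:
        findings.append("Posture Discovery and CWA both set: two url-redirect av-pairs, keep one")
    if len(classes) > 1:
        findings.append("Voice Domain and NEAT both set: device-traffic-class would be voice and switch")
    host = profile.get("static_host", "")
    if host and any(c in host for c in ":/ "):   # the field takes a bare IP or hostname
        findings.append(f"Static IP/Host Name must be a bare IP or hostname, got {host!r}")
    return findings


if __name__ == "__main__":
    # Constructed sample: a guest profile with a CWA redirect and a VLAN entered without a tag.
    guest = {"dacl": "PERMIT_ALL_TRAFFIC", "vlan": 123, "cwa_acl": "acl-999", "filter_id": "webauth"}
    for name, value in render(guest):
        print(f"{name} = {value}")
    print(lint(guest) or "lint: clean")
```

Run directly, it prints the guest profile the way the pane would list it. Feeding `lint` a profile with both Posture Discovery and CWA set, both Voice Domain and NEAT set, or a Static IP/Host Name that includes a scheme or port returns a finding for each, which is the sort of misconfiguration worth catching before an authorization rule references the profile.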
Advanced Attributes Settings
|
Dictionaries
|
Click the down-arrow icon to
display the available options in the Dictionaries window, then click the
dictionary and attribute you want to configure in the first field.
|
Attribute Values
|
Click the down-arrow icon to
display the available options in the Attribute Values window, then click the
attribute group and attribute value you want for the second field. The values
offered correspond to the attribute you selected in the first field. Any
Advanced Attributes settings that you configure are displayed in the Attributes
Details pane.
Note
|
To modify or delete any of
the read-only values displayed in the Attributes Details pane, change or
remove them in the corresponding Common Tasks field, or in the attribute you
selected in the Attribute Values field of the Advanced Attributes Settings
pane.
|
|
Attributes Details
|
This pane displays any of the
configured attribute values that you set for the Common Tasks and Advanced
Attributes.
Note
|
The values displayed in the
Attributes Details pane are read-only and cannot be edited or deleted in this
pane.
|
|