Administrator Access Settings
Cisco ISE allows you to define some rules for administrator accounts to enhance security. You can restrict access to the management interfaces, force administrators to use strong passwords, regularly change their passwords, and so on. The password policy that you define in the Administrator Account Settings in Cisco ISE applies to all administrator accounts.
Cisco ISE supports administrator passwords with UTF-8 characters.
Configure Maximum Number of Concurrent Administrative Sessions and Login Banners
You can configure the maximum number of concurrent administrative GUI or CLI (SSH) sessions and login banners that help and guide administrators who access your administrative web or CLI interface. You can configure login banners that appear before and after an administrator logs in. By default, these login banners are disabled. However, you cannot configure the maximum number of concurrent sessions for individual administrator accounts.
Before you begin
To perform the following task, you must be a Super Admin or System Admin.
Procedure
Step 1: Choose .
Step 2: Enter the maximum number of concurrent administrative sessions that you want to allow through the GUI and CLI interfaces. The valid range for concurrent administrative GUI sessions is from 1 to 20. The valid range for concurrent administrative CLI sessions is from 1 to 10.
Step 3: If you want Cisco ISE to display a message before an administrator logs in, check the Pre-login banner check box and enter your message in the text box.
Step 4: If you want Cisco ISE to display a message after an administrator logs in, check the Post-login banner check box and enter your message in the text box.
Step 5: Click Save.
Allow Administrative Access to Cisco ISE from Select IP Addresses
Cisco ISE allows you to configure a list of IP addresses from which administrators can access the Cisco ISE management interfaces.
The administrator access control settings are only applicable to Cisco ISE nodes that assume the Administration, Policy Service, or Monitoring personas. These restrictions are replicated from the primary to the secondary nodes.
Before you begin
To perform the following task, you must be a Super Admin or System Admin.
Procedure
Step 1: Choose .
Step 2: Click the Allow only Listed IP addresses to Connect radio button.
Step 3: In the Configure IP List for Access Restriction area, click Add.
Step 4: In the Add IP CIDR dialog box, enter the IP addresses in classless interdomain routing (CIDR) format in the IP Address field.
Step 5: Enter the subnet mask in the Netmask in CIDR format field.
Step 6: Click OK. Repeat steps 4 to 7 to add more IP address ranges to this list.
Step 7: Click Save to save the changes.
Step 8: Click Reset to refresh the IP Access window.
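The allow-list procedure above, as an added Python example (not Cisco's own code): it combines the IP Address and Netmask in CIDR format fields into network ranges, rejects malformed pairs before they would be saved, and guards against the lock-out case in which the address you are administering from is not itself on the list. Entry values and function names are constructed for illustration.

```python
import ipaddress

def parse_entry(ip, prefix):
    """Combine the IP Address field and the Netmask in CIDR format field into one network.
    Returns None when the pair is not a valid CIDR range, so a typo is caught before Save."""
    try:
        return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    except ValueError:
        return None

def build_allow_list(entries):
    """Parse every (ip, prefix) pair; returns (valid_networks, rejected_entries)."""
    networks, rejected = [], []
    for ip, prefix in entries:
        net = parse_entry(ip, prefix)
        if net is None:
            rejected.append((ip, prefix))
        else:
            networks.append(net)
    return networks, rejected

def is_allowed(client_ip, networks):
    """True if the client address falls inside any permitted range (mismatched
    IP versions never match, so an IPv6 client is not admitted by an IPv4 range)."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in networks)

def safe_to_enable(admin_ip, entries):
    """Lock-out guard: enable the restriction only if every entry parses and the
    address you are currently administering from is on the list."""
    networks, rejected = build_allow_list(entries)
    return not rejected and is_allowed(admin_ip, networks)

# Constructed sample entries: a management subnet and a single jump host.
SAMPLE_ENTRIES = [("10.20.30.0", 24), ("192.0.2.10", 32)]
```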
Configure a Password Policy for Administrator Accounts
Cisco ISE also allows you to create a password policy for administrator accounts to enhance security. You can define whether you want a password-based or client certificate-based administrator authentication. The password policy that you define here is applied to all the administrator accounts in Cisco ISE.
Before you begin
- To perform the following task, you must be a Super Admin or System Admin.
- Turn off the automatic failover configuration, if it is enabled in your deployment. See Support for Automatic Failover for the Administration Node.
When you change the authentication method, the application server processes restart. There might be a delay while these services restart, and during that delay automatic failover of the secondary administration node might be initiated.
Procedure
Step 1: Choose .
Step 2: Click the radio button for one of the following authentication methods:
Step 3: Click the Password Policy tab and enter the required values to configure the Cisco ISE GUI and CLI password requirements.
Step 4: Click Save to save the administrator password policy.
Configure Account Disable Policy for Administrator Accounts
Cisco ISE allows you to disable an administrator account if that account has not authenticated for the configured number of consecutive days.
Procedure
Step 1: Choose .
Step 2: Check the Disable account after n days of inactivity check box, and enter the number of days in the corresponding field. This option allows you to disable the administrator account if the administrator account was inactive for the specified number of days. However, you can exclude individual administrator accounts from this account disable policy using the Inactive Account Never Disabled option in the window.
Step 3: Click Save to configure the global account disable policy for administrators.
Configure Lock or Suspend Settings for Administrator Accounts
Cisco ISE allows you to lock or suspend administrator accounts (including password-based internal administrator accounts and certificate-based administrator accounts) that have more than a specified number of failed login attempts.
Procedure
Step 1: Choose .
Step 2: Check the Suspend Or Lock Account With Incorrect Login Attempts check box and enter the number of failed attempts after which action should be taken. The valid range is from 3 through 20. Click the radio button for one of the following options:
You can enter a custom email remediation message, such as asking the end user to contact the helpdesk to unlock the account.
Configure Session Timeout for Administrators
Cisco ISE allows you to determine the length of time an administration GUI session can be inactive and still remain connected. You can specify a time in minutes after which Cisco ISE logs out the administrator. After a session timeout, the administrator must log in again to access the Cisco ISE Admin portal.
Before you begin
To perform the following task, you must be a Super Admin or System Admin.
Procedure
Step 1: Choose .
Step 2: Enter the time in minutes that you want Cisco ISE to wait before it logs out the administrator if there is no activity. The default value is 60 minutes. The valid range is from 6 to 100 minutes.
Step 3: Click Save.
Terminate an Active Administrative Session
Cisco ISE displays all active administrative sessions; you can select any session and terminate it at any time if the need arises. The maximum number of concurrent administrative GUI sessions is 20. If the maximum number of GUI sessions is reached, an administrator who belongs to the super admin group can log in and terminate some of the sessions.
Before you begin
To perform the following task, you must be a Super Admin.
Procedure
Step 1: Choose .
Step 2: Check the check box next to the session ID that you want to terminate and click Invalidate.
Change Administrator Name
Cisco ISE allows you to change your username from the Cisco ISE GUI.
Before you begin
To perform the following task, you must be a Super Admin or System Admin.
Procedure
Step 1: Log in to the Cisco ISE administration portal.
Step 2: Click the Gear icon at the upper right corner of the Cisco ISE GUI, and choose Account Settings from the drop-down list.
Step 3: Enter the new username in the Admin User dialog box that is displayed.
Step 4: Edit any other details about your account that you want to change.
Step 5: Click Save.
Admin Access Settings
These sections enable you to configure access settings for administrators.
Administrator Password Policy Settings
The following table describes the fields in the Password Policy tab that you can use to define the criteria that administrator passwords must meet. The navigation path for this window is: .
Field Name | Usage Guidelines
---|---
Minimum Length | Specify the minimum length of the password (in characters). The default is six characters.
Password must not contain | Admin name or its characters in reverse order: Check this check box to restrict the use of the administrator username or its characters in reverse order as the password. Cisco or its characters in reverse order: Check this check box to restrict the use of the word "Cisco" or its characters in reverse order as the password. This word or its characters in reverse order: Check this check box to restrict the use of any word that you define or its characters in reverse order as the password. Repeated characters four or more times consecutively: Check this check box to restrict the use of a character repeated four or more times consecutively in the password. Dictionary words, their characters in reverse order, or their letters replaced with other characters: Check this check box to restrict the use of dictionary words, their characters in reverse order, or their letters replaced with other characters, as the password. Substitution of $ for s, @ for a, 0 for o, 1 for l, ! for i, 3 for e, and so on, is not permitted. For example, Pa$$w0rd is not permitted.
Password must contain at least one character of each of the selected types | Check the check box for the type of characters an administrator's password must contain. Choose one or more of the following options:
Password History | Specify the number of previous passwords from which the new password must be different, to prevent the repeated use of the same password. Check the Password must be different from the previous n versions check box, and enter the number in the corresponding field. To set the number of days within which a password cannot be reused, check the Cannot reuse password within n days check box, and enter the number in the corresponding field.
Password Lifetime | Check the check boxes for the following options to force users to change passwords after a specified time period:
Display Network Device-Sensitive Data |
Require Admin Password | Check this check box if you want the admin user to enter the login password to view network device-sensitive data such as shared secrets and passwords.
Password cached for n Minutes | The password that is entered by the admin user is cached for this time period. The admin user is not prompted to enter the password again during this period to view the network device-sensitive data. The valid range is from 1 to 60 minutes.
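The "Password must not contain" and "must contain" rules in this table, as an added Python example that is not Cisco's own code: it evaluates a candidate administrator password against minimum length, the admin name and "Cisco" and a custom word (each forwards and reversed), four-fold repeated characters, dictionary words after undoing the listed substitutions (so Pa$$w0rd is caught), required character types, and password history. The word list, substitution map and function names are constructed for illustration.

```python
import re

# Constructed substitution map from the table: $->s, @->a, 0->o, 1->l, !->i, 3->e.
LEET = str.maketrans({"$": "s", "@": "a", "0": "o", "1": "l", "!": "i", "3": "e"})
# Constructed sample word list; a real check would load a full dictionary.
SAMPLE_DICTIONARY = {"password", "welcome", "secret"}

def contains_word_or_reverse(password, word):
    """True if word, or word spelled backwards, appears in password (case-insensitive)."""
    p, w = password.lower(), word.lower()
    return bool(w) and (w in p or w[::-1] in p)

def check_admin_password(password, admin_name, custom_word="", min_length=6,
                         required_types=("upper", "lower", "digit", "special"),
                         history=(), dictionary=SAMPLE_DICTIONARY):
    """Return the list of policy rules the candidate violates; an empty list means it passes."""
    problems = []
    if len(password) < min_length:
        problems.append("shorter than minimum length")
    if contains_word_or_reverse(password, admin_name):
        problems.append("contains admin name or its reverse")
    if contains_word_or_reverse(password, "cisco"):
        problems.append("contains 'cisco' or its reverse")
    if custom_word and contains_word_or_reverse(password, custom_word):
        problems.append("contains the forbidden word or its reverse")
    # Any single character repeated four or more times in a row.
    if re.search(r"(.)\1{3,}", password):
        problems.append("repeats a character four or more times consecutively")
    # Undo the substitutions on a copy before the dictionary check, so Pa$$w0rd reads as password.
    normalised = password.translate(LEET)
    if any(contains_word_or_reverse(normalised, w) for w in dictionary):
        problems.append("contains a dictionary word, its reverse, or a leet-substituted form")
    classifiers = {"upper": str.isupper, "lower": str.islower,
                   "digit": str.isdigit, "special": lambda c: not c.isalnum()}
    for name in required_types:
        if not any(classifiers[name](c) for c in password):
            problems.append(f"missing a {name} character")
    if password in history:
        problems.append("matches one of the previous passwords")
    return problems
```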
Session Timeout and Session Information Settings
The following table describes the fields in the Session window that you can use to define session timeout and terminate an active administrative session. The navigation path for this window is: .
Field Name | Usage Guidelines
---|---
Session Timeout |
Session Idle Timeout | Enter the time, in minutes, that you want Cisco ISE to wait before it logs out the administrator if there is no activity. The default value is 60 minutes. The valid range is from 6 to 100 minutes.
Session Info |
Invalidate | Check the check box adjacent to the session ID that you want to terminate and click Invalidate.