Configure Admin Access Policies

An RBAC policy is represented in an if-then format, where "if" is the RBAC Admin Group value and "then" is the RBAC Permissions value.

The RBAC policies window (Administration > System > Admin Access > Authorization) contains a list of default policies. You cannot edit or delete these default policies, but you can edit the data access permissions for the Read-Only Admin policy. The RBAC policies page also lets you create custom RBAC policies for the admin groups you define for your workplace and apply them to those personalized admin groups.

When you assign limited menu access, make sure that the data access permissions allow the administrator to access the data that is required to use the specified menus. For example, if you give menu access to the MyDevices portal, but don't allow data access to Endpoint Identity Groups, then that administrator cannot modify the portal.


Note


Admin users can move endpoint MAC addresses from an Endpoint Identity Group to which they have read-only access into an Endpoint Identity Group to which they have full access. The other way around is not possible.
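The if-then evaluation described above, including the menu-versus-data-access example and the one-way rule for moving MAC addresses, as an added example that is not part of the Cisco ISE documentation. Each rule carries one menu-access permission and one data-access permission; the group names, menu items and Endpoint Identity Group names are constructed, and the minimum data access needed to edit the portal is assumed to be read access.

```python
# Added example (not from the Cisco ISE documentation): a small model of the
# if-then RBAC evaluation. Group, menu and data-object names are constructed.
from dataclasses import dataclass

# Data access levels a rule can grant on an object such as an Endpoint
# Identity Group, ordered so that max() picks the strongest.
NO_ACCESS, READ_ONLY, FULL = 0, 1, 2


@dataclass
class Permissions:
    menus: frozenset          # the rule's one menu-access permission (a bundle of menus)
    data: dict                # the rule's one data-access permission: object -> level


@dataclass
class RbacPolicy:
    rule_name: str
    admin_group: str          # the "if" part of the rule
    permissions: Permissions  # the "then" part of the rule


def effective_permissions(policies, admin_groups):
    """Union of the 'then' parts of every rule whose 'if' group the admin is in.

    Menus are unioned; for data access the strongest level granted on an object
    wins, which is how overlapping rules are assumed to combine here.
    """
    menus, data = set(), {}
    for rule in policies:
        if rule.admin_group in admin_groups:
            menus |= rule.permissions.menus
            for obj, level in rule.permissions.data.items():
                data[obj] = max(data.get(obj, NO_ACCESS), level)
    return Permissions(frozenset(menus), data)


def can_edit_mydevices_portal(perms):
    """Menu access alone is not enough: the text's example also needs data
    access to Endpoint Identity Groups (read access assumed as the minimum)."""
    return ("MyDevices Portal" in perms.menus
            and perms.data.get("Endpoint Identity Groups", NO_ACCESS) >= READ_ONLY)


def can_move_endpoint(perms, src_group, dst_group):
    """The note's rule: a MAC address may move from a group the admin can at
    least read into a group the admin has full access to, never the reverse."""
    return (perms.data.get(src_group, NO_ACCESS) >= READ_ONLY
            and perms.data.get(dst_group, NO_ACCESS) >= FULL)


# Constructed sample rules (names are illustrative, not ISE defaults).
SAMPLE_POLICIES = [
    RbacPolicy("Helpdesk menus", "Helpdesk Admin",
               Permissions(frozenset({"Operations", "MyDevices Portal"}), {})),
    RbacPolicy("Helpdesk data", "Helpdesk Admin",
               Permissions(frozenset(), {"Endpoint Identity Groups": READ_ONLY,
                                         "EIG:Guests": READ_ONLY,
                                         "EIG:Quarantine": FULL})),
    RbacPolicy("Portal only", "Portal Admin",
               Permissions(frozenset({"MyDevices Portal"}), {})),
]

if __name__ == "__main__":
    helpdesk = effective_permissions(SAMPLE_POLICIES, {"Helpdesk Admin"})
    portal = effective_permissions(SAMPLE_POLICIES, {"Portal Admin"})
    print("helpdesk edits portal:", can_edit_mydevices_portal(helpdesk))      # True
    print("portal-only edits portal:", can_edit_mydevices_portal(portal))     # False
    print("Guests -> Quarantine:",
          can_move_endpoint(helpdesk, "EIG:Guests", "EIG:Quarantine"))        # True
    print("Quarantine -> Guests:",
          can_move_endpoint(helpdesk, "EIG:Quarantine", "EIG:Guests"))        # False
```

The "Portal Admin" group shows the failure mode the text warns about: the menu is visible, but with no data access the portal cannot be modified.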


Before you begin

  • Create all the admin groups for which you want to define the role-based access control (RBAC) policies.

  • Ensure that these admin groups are mapped to individual admin users.

  • Ensure that you have configured the RBAC permissions such as menu access and data access permissions.

Procedure


Step 1

Choose Administration > System > Admin Access > Authorization > Policy.

The RBAC Policies page contains a set of ready-to-use predefined policies for default admin groups. You cannot edit or delete these default policies. However, you can edit the data access permissions for the default Read-Only Admin policy.

Step 2

Click Actions next to any of the default RBAC policy rules.

Here, you can insert new RBAC policies, duplicate an existing RBAC policy, and delete an existing RBAC policy.

Step 3

Click Insert new policy.

Step 4

Enter values for the Rule Name, RBAC Group(s), and Permissions fields.

You cannot select multiple menu access and data access permissions when creating an RBAC policy.

Step 5

Click Save.


Administrator Access Settings

Cisco ISE allows you to define some rules for administrator accounts to enhance security. You can restrict access to the management interfaces, force administrators to use strong passwords, regularly change their passwords, and so on. The password policy that you define in the Administrator Account Settings in Cisco ISE applies to all administrator accounts.

Cisco ISE supports administrator passwords with UTF-8 characters.

Configure Maximum Number of Concurrent Administrative Sessions and Login Banners

You can configure the maximum number of concurrent administrative GUI or CLI (SSH) sessions and login banners that help and guide administrators who access your administrative web or CLI interface. You can configure login banners that appear before and after an administrator logs in. By default, these login banners are disabled. However, you cannot configure the maximum number of concurrent sessions for individual administrator accounts.

Before you begin

To perform the following task, you must be a Super Admin or System Admin.

Procedure


Step 1

Choose Administration > System > Admin Access > Settings > Access > Session.

Step 2

Enter the maximum number of concurrent administrative sessions that you want to allow through the GUI and CLI interfaces. The valid range for concurrent administrative GUI sessions is from 1 to 20. The valid range for concurrent administrative CLI sessions is 1 to 10.

Step 3

If you want Cisco ISE to display a message before an administrator logs in, check the Pre-login banner check box and enter your message in the text box.

Step 4

If you want Cisco ISE to display a message after an administrator logs in, check the Post-login banner check box and enter your message in the text box.

Step 5

Click Save.


Allow Administrative Access to Cisco ISE from Select IP Addresses

Cisco ISE allows you to configure a list of IP addresses from which administrators can access the Cisco ISE management interfaces.

The administrator access control settings are only applicable to Cisco ISE nodes that assume the Administration, Policy Service, or Monitoring personas. These restrictions are replicated from the primary to the secondary nodes.

Before you begin

To perform the following task, you must be a Super Admin or System Admin.

Procedure


Step 1

Choose Administration > System > Admin Access > Settings > Access > IP Access.

Step 2

Click the Allow only Listed IP addresses to Connect radio button.

Note

 

Connection on Port 161 (SNMP) is used for administrative access. However, when IP Access restrictions are configured, the snmpwalk fails if the node from which it was performed is not configured for administrative access.

Step 3

In the Configure IP List for Access Restriction area, click Add.

Step 4

In the Add IP CIDR dialog box, enter the IP addresses in the classless interdomain routing (CIDR) format in the IP Address field.

Note

 

This IP address can be an IPv4 or an IPv6 address. You can configure multiple IPv6 addresses for an ISE node.

Step 5

Enter the subnet mask in the Netmask in CIDR format field.

Step 6

Click OK.

Repeat steps 3 to 6 to add more IP address ranges to this list.

Step 7

Click Save to save the changes.

Step 8

Click Reset to refresh the IP Access window.
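An allow-list check in the spirit of the IP Access setting above, plus the lockout check a practitioner wants before clicking Save, as an added example that is not part of the Cisco ISE documentation. The entries mirror the Add IP CIDR dialog (address plus prefix length); all addresses are constructed samples from documentation ranges.

```python
# Added example (not from the Cisco ISE documentation): modelling the
# "Allow only Listed IP addresses to Connect" check with the standard
# ipaddress module. All addresses below are constructed samples.
import ipaddress


def parse_allow_list(entries):
    """Turn (address, prefix length) pairs from the Add IP CIDR dialog into
    networks. IPv4 and IPv6 entries may be mixed; strict=False lets a host
    address with a netmask through, e.g. 10.10.0.17/24 becomes 10.10.0.0/24."""
    return [ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
            for addr, prefix in entries]


def is_allowed(allow_list, source):
    """True if the source address falls inside any configured network.
    An IPv4 entry never matches an IPv6 source and vice versa, so a dual-stack
    admin workstation needs an entry for each family it connects from."""
    addr = ipaddress.ip_address(source)
    return any(addr in net for net in allow_list)


def lockout_check(allow_list, required_sources):
    """Return the sources that the list would cut off once the restriction is
    enabled, e.g. the admin's own workstation or the host that runs snmpwalk
    (the note above). An empty result means it is safe to save."""
    return [s for s in required_sources if not is_allowed(allow_list, s)]


# Constructed sample list: a management subnet, one jump host, one IPv6 prefix.
ALLOW = parse_allow_list([("10.10.0.0", 24), ("192.0.2.50", 32), ("2001:db8:1::", 64)])

if __name__ == "__main__":
    print(is_allowed(ALLOW, "10.10.0.17"))           # True
    print(is_allowed(ALLOW, "10.10.1.17"))           # False: outside the /24
    print(is_allowed(ALLOW, "2001:db8:1::beef"))     # True
    # The SNMP poller at 198.51.100.9 is missing and would start failing.
    print(lockout_check(ALLOW, ["10.10.0.17", "198.51.100.9", "2001:db8:1::beef"]))
```

Run the lockout check with your own current address in the list before saving: the restriction applies to the node you are configuring from, and once saved it is replicated to the secondary nodes.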


Configure a Password Policy for Administrator Accounts

Cisco ISE also allows you to create a password policy for administrator accounts to enhance security. You can define whether you want a password-based or client certificate-based administrator authentication. The password policy that you define here is applied to all the administrator accounts in Cisco ISE.


Note


  • Email notifications for internal admin users are sent to root@host. You cannot configure the email address, and many SMTP servers reject this email.

    Follow open defect CSCui5583, which is an enhancement to allow you to change the email address.

  • Cisco ISE supports administrator passwords with UTF-8 characters.


Before you begin

  • To perform the following task, you must be a Super Admin or System Admin.

  • Turn off the automatic failover configuration, if this is enabled in your deployment. See Support for Automatic Failover for the Administration Node

    When you change the authentication method, you restart the application server processes. There might be a delay while these services restart. Due to this delay in restart of services, automatic failover of secondary administration node might get initiated.

Procedure


Step 1

Choose Administration > System > Admin Access > Authentication.

Step 2

Click the radio button for one of the following authentication methods:

  • Password Based: Choose this option to use the standard user ID and password credentials for administrator logins. Choose Internal or External from the Identity Source drop-down list.

    Note

     

    If you have configured an external identity source such as LDAP and want to use that as your authentication source to grant access to the admin user, you must select that particular identity source from the Identity Source list box.

  • Client Certificate Based: Choose this option to specify a certificate-based policy. From the Certificate Authentication Profile drop-down list, choose an existing authentication profile. Choose the required value from the Identity Source drop-down list.

Step 3

Click the Password Policy tab and enter the required values to configure the Cisco ISE GUI and CLI password requirements.

Step 4

Click Save to save the administrator password policy.

Note

 

If you use an external identity store to authenticate administrators at login, the password policy configured here does not govern those credentials: the external identity store still validates the administrator's username and password according to its own rules.


Configure Account Disable Policy for Administrator Accounts

Cisco ISE allows you to disable an administrator account if the administrator account is not authenticated for the configured consecutive number of days.

Procedure


Step 1

Choose Administration > System > Admin Access > Authentication > Account Disable Policy.

Step 2

Check the Disable account after n days of inactivity check box, and enter the number of days in the corresponding field.

This option allows you to disable the administrator account if the administrator account was inactive for the specified number of days. However, you can exclude individual administrator accounts from this account disable policy using the Inactive Account Never Disabled option in the Administration > System > Admin Access > Administrators > Admin Users window.

Step 3

Click Save to configure the global account disable policy for administrators.


Configure Lock or Suspend Settings for Administrator Accounts

Cisco ISE allows you to lock or suspend administrator accounts (including password-based internal administrator accounts and certificate-based administrator accounts) that have more than a specified number of failed login attempts.

Procedure


Step 1

Choose Administration > System > Admin Access > Authentication > Lock/Suspend Settings.

Step 2

Check the Suspend Or Lock Account With Incorrect Login Attempts check box and enter the number of failed attempts after which action should be taken. The valid range is from 3 through 20. Click the radio button for one of the following options:

  • Suspend Account For n Minutes: Choose this option to suspend any account that exceeds a specified number of incorrect login attempts. The valid range is from 15 through 1440.
  • Lock Account: Choose this option to lock an account that exceeds a specified number of incorrect login attempts.

You can enter a custom email remediation message, such as asking the end user to contact the helpdesk to unlock the account.
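A state model that applies both the Account Disable Policy (previous section) and the Lock/Suspend Settings above to a sequence of login attempts, as an added example that is not part of the Cisco ISE documentation. The account records, timestamps and threshold values are constructed (the thresholds stay inside the documented ranges); treating the n-th failed attempt as the one that triggers the action is an assumption.

```python
# Added example (not from the Cisco ISE documentation): account states under the
# inactivity-disable and lock/suspend rules. Accounts and times are constructed.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class Settings:
    inactivity_days: int = 30      # "Disable account after n days of inactivity"
    failed_threshold: int = 5      # documented range 3..20
    suspend_minutes: int = 15      # documented range 15..1440
    lock_instead: bool = False     # True selects "Lock Account" instead of suspend

    def __post_init__(self):
        if not 3 <= self.failed_threshold <= 20 or not 15 <= self.suspend_minutes <= 1440:
            raise ValueError("threshold must be 3..20 and suspension 15..1440 minutes")


@dataclass
class AdminAccount:
    name: str
    last_auth: datetime                      # last successful authentication
    never_disable: bool = False              # "Inactive Account Never Disabled" flag
    failed_attempts: int = 0
    suspended_until: Optional[datetime] = None
    locked: bool = False


def account_state(acct, cfg, now):
    """'active', 'suspended', 'locked' or 'disabled' at time `now`."""
    if acct.locked:
        return "locked"
    if acct.suspended_until is not None and now < acct.suspended_until:
        return "suspended"
    if not acct.never_disable and now - acct.last_auth > timedelta(days=cfg.inactivity_days):
        return "disabled"
    return "active"


def record_login(acct, cfg, now, success):
    """Apply one login result and return the resulting state. A suspended,
    locked or disabled account is refused even when the password is right."""
    state = account_state(acct, cfg, now)
    if state != "active":
        return state
    if success:
        acct.failed_attempts = 0
        acct.last_auth = now
        return "active"
    acct.failed_attempts += 1
    if acct.failed_attempts >= cfg.failed_threshold:   # assumption: n-th failure triggers
        acct.failed_attempts = 0
        if cfg.lock_instead:
            acct.locked = True                          # stays locked until an admin clears it
            return "locked"
        acct.suspended_until = now + timedelta(minutes=cfg.suspend_minutes)
        return "suspended"
    return "active"


def run_scenario():
    """Constructed walk-through; returns the sequence of states observed."""
    t0 = datetime(2024, 1, 10, 9, 0)
    cfg = Settings(inactivity_days=30, failed_threshold=3, suspend_minutes=15)
    acct = AdminAccount("ops1", last_auth=t0)
    states = [record_login(acct, cfg, t0, success=False) for _ in range(3)]  # active, active, suspended
    states.append(record_login(acct, cfg, t0 + timedelta(minutes=5), success=True))   # still suspended
    states.append(record_login(acct, cfg, t0 + timedelta(minutes=16), success=True))  # active again
    stale = AdminAccount("old", last_auth=t0)
    states.append(account_state(stale, cfg, t0 + timedelta(days=31)))                 # disabled
    exempt = AdminAccount("svc", last_auth=t0, never_disable=True)
    states.append(account_state(exempt, cfg, t0 + timedelta(days=400)))               # active (exempt)
    locking = Settings(failed_threshold=3, lock_instead=True)
    acct2 = AdminAccount("ops2", last_auth=t0)
    for _ in range(3):
        record_login(acct2, locking, t0, success=False)
    states.append(account_state(acct2, locking, t0))                                  # locked
    return states


if __name__ == "__main__":
    print(run_scenario())
```

The walk-through shows the difference between the two options: a suspension clears itself after n minutes, while a locked account stays locked until it is administratively unlocked, which is why the remediation message should tell the user whom to contact.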


Configure Session Timeout for Administrators

Cisco ISE allows you to determine the length of time an administration GUI session can be inactive and still remain connected. You can specify a time in minutes after which Cisco ISE logs out the administrator. After a session timeout, the administrator must log in again to access the Cisco ISE Admin portal.

Before you begin

To perform the following task, you must be a Super Admin or System Admin.

Procedure


Step 1

Choose Administration > System > Admin Access > Settings > Session > Session Timeout.

Step 2

Enter the time in minutes that you want Cisco ISE to wait before it logs out the administrator if there is no activity. The default value is 60 minutes. The valid range is from 6 to 100 minutes.

Step 3

Click Save.


Terminate an Active Administrative Session

Cisco ISE displays all active administrative sessions from which you can select any session and terminate at any point of time, if a need to do so arises. The maximum number of concurrent administrative GUI sessions is 20. If the maximum number of GUI sessions is reached, an administrator who belongs to the super admin group can log in and terminate some of the sessions.

Before you begin

To perform the following task, you must be a Super Admin.

Procedure


Step 1

Choose Administration > System > Admin Access > Settings > Session > Session Info.

Step 2

Check the check box next to the session ID that you want to terminate and click Invalidate.
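A session table that enforces the controls from the sections on concurrent sessions, session timeout and session termination, as an added example that is not part of the Cisco ISE documentation. Time is modelled as whole minutes, the users and roles are constructed, and the rule that a Super Admin may still log in when the GUI limit is reached (so that they can invalidate other sessions) is an assumption drawn from the text above.

```python
# Added example (not from the Cisco ISE documentation): concurrent-session
# limits, idle timeout and Super Admin invalidation in one session table.
# Time is an integer number of minutes; users and roles are constructed.

GUI_RANGE, CLI_RANGE, IDLE_RANGE = (1, 20), (1, 10), (6, 100)   # ranges from the text


class SessionTable:
    def __init__(self, max_gui=20, max_cli=10, idle_minutes=60):
        for value, (lo, hi) in ((max_gui, GUI_RANGE), (max_cli, CLI_RANGE),
                                (idle_minutes, IDLE_RANGE)):
            if not lo <= value <= hi:
                raise ValueError(f"{value} is outside the permitted range {lo}..{hi}")
        self.limit = {"gui": max_gui, "cli": max_cli}
        self.idle_minutes = idle_minutes
        self.sessions = {}      # session id -> {"user", "role", "kind", "last_activity"}
        self._next_id = 1

    def expire_idle(self, now):
        """Log out sessions idle longer than the timeout; returns the ids dropped."""
        idle = [sid for sid, s in self.sessions.items()
                if now - s["last_activity"] > self.idle_minutes]
        for sid in idle:
            del self.sessions[sid]
        return idle

    def count(self, kind):
        return sum(1 for s in self.sessions.values() if s["kind"] == kind)

    def login(self, user, role, kind, now):
        """Return a new session id, or None when the limit refuses the login.
        Assumption from the text: a Super Admin can still open a GUI session at
        the limit so that some sessions can be invalidated."""
        self.expire_idle(now)
        at_limit = self.count(kind) >= self.limit[kind]
        if at_limit and not (kind == "gui" and role == "Super Admin"):
            return None
        sid = self._next_id
        self._next_id += 1
        self.sessions[sid] = {"user": user, "role": role, "kind": kind, "last_activity": now}
        return sid

    def touch(self, sid, now):
        """Record activity; returns False if the session has already timed out."""
        self.expire_idle(now)
        if sid not in self.sessions:
            return False
        self.sessions[sid]["last_activity"] = now
        return True

    def invalidate(self, by_sid, target_sid):
        """The Session Info page's Invalidate action: Super Admin only."""
        actor = self.sessions.get(by_sid)
        if actor is None or actor["role"] != "Super Admin":
            return False
        return self.sessions.pop(target_sid, None) is not None


if __name__ == "__main__":
    table = SessionTable(max_gui=2, max_cli=1, idle_minutes=10)
    a = table.login("alice", "Network Admin", "gui", 0)
    b = table.login("bob", "Network Admin", "gui", 1)
    print(table.login("carol", "Network Admin", "gui", 2))      # None: GUI limit reached
    root = table.login("root", "Super Admin", "gui", 2)         # allowed to clean up
    print(table.invalidate(a, b), table.invalidate(root, b))    # False True
    print(table.expire_idle(16))                                # alice and root idle > 10 min
```

Note that the idle timeout is checked lazily on every operation, so a session that was never touched again still counts against the limit only until the next login or activity sweeps it out.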


Change Administrator Name

Cisco ISE allows you to change your username from the Cisco ISE GUI.

Before you begin

To perform the following task, you must be a Super Admin or System Admin.

Procedure


Step 1

Log in to the Cisco ISE administration portal.

Step 2

Click the Gear icon at the upper right corner of the Cisco ISE GUI, and choose Account Settings from the drop-down list.

Step 3

Enter the new username in the Admin User dialog box that is displayed.

Step 4

Edit any other details about your account that you want to change.

Step 5

Click Save.


Admin Access Settings

These sections enable you to configure access settings for administrators.

Administrator Password Policy Settings

The following table describes the fields in the Password Policy tab that you can use to define the criteria that administrator passwords must meet. The navigation path for this window is: Administration > System > Admin Access > Authentication > Password Policy.

Table 1. Administrator Password Policy Settings

Field Name

Usage Guidelines

Minimum Length

Specify the minimum length of the password (in characters). The default is six characters.

Password must not contain

Admin name or its characters in reverse order: Check this check box to restrict the use of the administrator username or its characters in reverse order as the password.

Cisco or its characters in reverse order: Check this check box to restrict the use of the word "Cisco" or its characters in the reverse order as the password.

This word or its characters in reverse order: Check this check box to restrict the use of any word that you define or its characters in the reverse order as the password.

Repeated characters four or more times consecutively: Check this check box to restrict the use of repeated characters four or more times consecutively as the password.

Dictionary words, their characters in reverse order, or their letters replaced with other characters: Check this check box to restrict the use of dictionary words, their characters in reverse order, or their letters replaced with other characters, as the password.

Substitution of $ for s, @ for a, 0 for o, 1 for l, ! for i, 3 for e, and so on, is not permitted. For example, Pa$$w0rd is not permitted.

  • Default Dictionary: Choose this option to use the default Linux dictionary in Cisco ISE. The default dictionary contains approximately 480,000 English words.

    This option is selected by default.

  • Custom Dictionary: Choose this option to use your customized dictionary. Click Choose File to select a custom dictionary file. The file must be a text file containing one word per line (newline-delimited), have a .dic extension, and be smaller than 20 MB.

Password must contain at least one character of each of the selected types

Check the check box for the type of characters an administrator's password must contain. Choose one or more of the following options:

  • Lowercase alphabetic characters

  • Uppercase alphabetic characters

  • Numeric characters

  • Non-alphanumeric characters

Password History

Specify the number of previous passwords from which the new password must be different, to prevent the repeated use of the same password. Check the Password must be different from the previous n versions check box, and enter the number in the corresponding field.

Enter the number of days before which you cannot reuse a password. Check the Cannot reuse password within n days check box, and enter the number in the corresponding field.

Password Lifetime

Check the check boxes for the following options to force users to change passwords after a specified time period:

  • Administrator passwords expire n days after creation or last change: Time (in days) before the administrator account is disabled if the password is not changed. The valid range is 1 to 3650 days.

  • Send an email reminder to administrators n days prior to password expiration: Time (in days) before which administrators are reminded that their password will expire. The valid range is 1 to 3650 days.

Display Network Device-Sensitive Data

Require Admin Password

Check this check box if you want the admin user to enter the login password to view network device-sensitive data such as shared secrets and passwords.

Password cached for n Minutes

The password that is entered by the admin user is cached for this time period. The admin user will not be prompted to enter the password again during this period to view the network device-sensitive data. The valid range is from 1 to 60 minutes.
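A checker that applies the Password Policy rules from Table 1 to a candidate password, as an added example that is not part of the Cisco ISE documentation. The dictionary, the custom forbidden word, the admin name and the policy values are constructed; the substitution map is the one the table lists, extended with 5 for s as an assumption.

```python
# Added example (not from the Cisco ISE documentation): applying the Table 1
# password rules. Dictionary, admin name and policy values are constructed.
import hashlib
import re

# Undo the substitutions the table says do not disguise a word (e.g. Pa$$w0rd).
# 5 -> s is an addition beyond the table's list.
LEET = str.maketrans({"$": "s", "@": "a", "0": "o", "1": "l", "!": "i", "3": "e", "5": "s"})

# Tiny constructed stand-in for the ~480,000-word default dictionary.
SAMPLE_DICTIONARY = {"password", "welcome", "summer", "admin", "secret"}

POLICY = {
    "min_length": 8,            # the table's default is 6; 8 is the constructed value here
    "forbid_admin_name": True,  # Admin name or its characters in reverse order
    "forbid_cisco": True,       # Cisco or its characters in reverse order
    "forbid_word": "acme",      # This word or its characters in reverse order
    "forbid_repeats": True,     # Repeated characters four or more times consecutively
    "forbid_dictionary": True,  # Dictionary words, reversed, or with substituted letters
    "require": ("lower", "upper", "digit", "symbol"),
    "history": 5,               # Password must be different from the previous n versions
}

CLASSES = {"lower": r"[a-z]", "upper": r"[A-Z]", "digit": r"[0-9]", "symbol": r"[^A-Za-z0-9]"}


def _forms(pw):
    """The password lower-cased, reversed, and with substitutions undone (both directions)."""
    low = pw.lower()
    undone = low.translate(LEET)
    return {low, low[::-1], undone, undone[::-1]}


def _contains(pw, word):
    return any(word.lower() in form for form in _forms(pw))


def digest(pw):
    """Stand-in for the stored form of old passwords; a real store keeps salted hashes."""
    return hashlib.sha256(pw.encode()).hexdigest()


def check_password(pw, admin_name, previous=(), policy=POLICY, dictionary=SAMPLE_DICTIONARY):
    """Return the list of rules the candidate violates; an empty list means it is accepted."""
    failures = []
    if len(pw) < policy["min_length"]:
        failures.append("too short")
    if policy["forbid_admin_name"] and _contains(pw, admin_name):
        failures.append("contains admin name (or reversed)")
    if policy["forbid_cisco"] and _contains(pw, "cisco"):
        failures.append("contains 'cisco' (or reversed)")
    if policy["forbid_word"] and _contains(pw, policy["forbid_word"]):
        failures.append("contains the forbidden word (or reversed)")
    if policy["forbid_repeats"] and re.search(r"(.)\1{3,}", pw):
        failures.append("a character repeats four or more times consecutively")
    if policy["forbid_dictionary"] and any(_contains(pw, w) for w in dictionary):
        failures.append("contains a dictionary word (plain, reversed or with substitutions)")
    for name in policy["require"]:
        if not re.search(CLASSES[name], pw):
            failures.append(f"missing {name} character")
    if digest(pw) in list(previous)[-policy["history"]:]:
        failures.append(f"reused one of the previous {policy['history']} passwords")
    return failures


if __name__ == "__main__":
    print(check_password("Pa$$w0rd", "jdoe"))          # the table's own rejected example
    print(check_password("ocsiC!!!!9x", "jdoe"))       # reversed "cisco" and a 4x repeat
    print(check_password("Correct-Horse7Tq", "jdoe"))  # [] accepted
```

With a real word list the contains-match used here would reject almost everything because of two- and three-letter entries, so a production check applies a minimum word length or matches whole words only; that detail is outside what the table specifies.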

Session Timeout and Session Information Settings

The following table describes the fields in the Session window that you can use to define the session timeout and terminate an active administrative session. The navigation path for this window is: Administration > System > Admin Access > Settings > Session.

Table 2. Session Timeout and Session Information Settings

Field Name

Usage Guidelines

Session Timeout

Session Idle Timeout

Enter the time, in minutes, that you want Cisco ISE to wait for, before it logs out the administrator if there is no activity. The default value is 60 minutes. The valid range is from 6 to 100 minutes.

Session Info

Invalidate

Check the check box adjacent to the session ID that you want to terminate and click Invalidate.