Table Of Contents
Managing Resources
Dictionaries and Dictionary Attributes
Dictionary and Attribute User Interface
Configuring Dictionaries and Dictionary Attributes
Managing Dictionary Attributes in System-Defined Dictionaries
Configuring User-Defined Dictionaries and Dictionary Attributes
Configuring RADIUS Vendors
Creating and Editing RADIUS Vendors
Creating and Editing RADIUS VSAs
Deleting RADIUS Vendors
Importing and Exporting RADIUS Vendor Dictionary
Managing Resources
This chapter describes how to manage the resources in your Cisco Identity Services Engine (ISE) network. This chapter contains the following topics that provide information and procedures for managing the Cisco ISE network resources:
•Dictionaries and Dictionary Attributes
•Configuring Dictionaries and Dictionary Attributes
•Configuring RADIUS Vendors
Dictionaries and Dictionary Attributes
A dictionary represents a collection of individual parameters for use in configuring vendor-specific attributes. The default supported dictionary and dictionary defaults are those for the IETF RADIUS set of attribute pairs defined by the Internet Engineering Task Force (IETF). When you display the Dictionary page, it lists two types of dictionaries that are supported by Cisco ISE: System and User.
The Cisco ISE system also contains Cisco ISE system-defined dictionaries with dictionary attributes that are read-only attributes. This type of system-defined dictionary is known as a system dictionary. All system-defined attributes are populated during the installation of the Cisco ISE system software. New dictionaries are created when you create any Active Directory or Lightweight Directory Access Protocol (LDAP) server instances.
Note You cannot create, modify, or delete any system-defined values or any attributes in a system dictionary. You can only perform a search using a quick filter that is based on dictionary name and description, or you can perform a more advanced search using an advanced filter search that is based on a search rule you define.
Cisco ISE allows you to create, edit, and delete user-defined dictionaries and dictionary attributes that you can use in policy conditions. This type of user-defined dictionary is known as a user dictionary. The RADIUS protocol supports vendors and vendor attributes. Cisco ISE provides a set of standard IETF RADIUS attributes that are part of the system-defined dictionaries.
However, Cisco ISE also allows you to define a set of vendors, and for each vendor, define a set of attributes. These attributes can be used in authorization profiles and in policy conditions. You can create, edit, and delete RADIUS vendor dictionaries and vendor-specific attributes.
The following topics provide descriptions of the Cisco ISE user interface controls you can use to configure a user dictionary and its attributes, and also procedures for performing dictionary- and attribute-related tasks:
•Dictionary and Attribute User Interface
•Configuring Dictionaries and Dictionary Attributes
Dictionary and Attribute User Interface
This section provides examples of the Cisco ISE user interface that you can use for managing dictionary and related attributes using the Policy, Policy Elements, and Dictionaries tabs. Use the Cisco ISE main window as your starting point for displaying and performing dictionary-related operations for the following Cisco ISE dictionary components:
•System
•User
To manage the System and User dictionaries, use the controls and the navigation pane within the corresponding user interface window. The following list identifies the Cisco ISE user interface tab or menu option choices sequence that contains the controls needed to perform these tasks:
•To display or search for specific attributes in System-defined dictionaries—choose Policy > Policy Elements > Dictionaries > System
•To display, create, modify, delete, or search for specific attributes in User-defined dictionaries—choose Policy > Policy Elements > Dictionaries > User
For more information:
•For more information on displaying or searching for attributes in System dictionaries, see Managing Dictionary Attributes in System-Defined Dictionaries.
•For more information on configuring User dictionaries, see Configuring User-Defined Dictionaries and Dictionary Attributes.
Configuring Dictionaries and Dictionary Attributes
This section provides procedures that apply to both System-defined and User-defined dictionaries.
Managing Dictionary Attributes in System-Defined Dictionaries
Because of the nature of System-defined dictionaries, you can only use the Dictionaries window to display existing System-defined dictionaries or perform two types of searches for dictionary attributes. The following topics provide procedures for performing these two management tasks:
Note The Cisco ISE system-defined dictionary and dictionary attributes are read-only. All system-defined attributes are populated during the installation of the Cisco ISE system software, and you cannot create, modify, or delete the system-defined values or any attributes in a system dictionary. You can only perform a Quick Filter search based on dictionary name and description, or an Advanced Filter search based on a search rule you define.
•Displaying Existing Cisco ISE System-Defined Dictionaries
•Searching for Attributes in an Existing Cisco ISE System-Defined Dictionary
Displaying Existing Cisco ISE System-Defined Dictionaries
To display existing Cisco ISE System dictionaries, choose Policy > Policy Elements > Dictionaries > System. The System Dictionary page appears, which lists all current Cisco ISE System-defined dictionaries.
Searching for Attributes in an Existing Cisco ISE System-Defined Dictionary
To search for an attribute in an existing Cisco ISE System-defined dictionary, complete the following steps:
Step 1 Choose Policy > Policy Elements > Dictionaries > System.
The Dictionary pane appears, which lists all existing Cisco ISE System-defined dictionaries.
Step 2 Click Filter and select from one of the following options:
•Quick Filter
•Advanced Filter
To perform a Quick Filter, enter search criteria in one or more of the following attribute fields:
•Name
•Description
To perform an Advanced Filter, create a matching rule by performing the following:
•In the Filter drop-down list, select one of the following options:
–Description
–Name
•In the second drop-down list, select one of the following options:
–Contains
–Does not contain
–Does not equal
–Ends with
–Is empty
–Is exactly (or equals)
–Is greater than
–Is greater than or equal to
–Is less than
–Is less than or equal to
–Is not empty
–Starts with
•In the text box, enter your desired search value.
•Click Go to launch the filter process, or click plus (+) to add additional search criteria.
•Click Clear Filter to reset the filter process.
Configuring User-Defined Dictionaries and Dictionary Attributes
The Dictionaries window lets you display, create, modify, delete, and search user dictionaries and dictionary attributes that are used within the Cisco ISE system. The following topics provide procedures for performing these tasks:
•Displaying Existing Cisco ISE User-Defined Dictionaries
•Creating a New Cisco ISE User-Defined Dictionary
•Deleting an Existing Cisco ISE User-Defined Dictionary
•Modifying an Existing Cisco ISE User-Defined Dictionary
•Searching for Attributes in an Existing Cisco ISE User-Defined Dictionary
•Creating a New Cisco ISE User-Defined Dictionary Attribute
•Deleting an Existing Cisco ISE User-Defined Dictionary Attribute
•Configuring RADIUS Vendors
•Creating and Editing RADIUS Vendors
•Creating and Editing RADIUS VSAs
•Deleting RADIUS Vendors
•Importing and Exporting RADIUS Vendor Dictionary
Displaying Existing Cisco ISE User-Defined Dictionaries
To display existing Cisco ISE User-defined dictionaries, choose Policy > Policy Elements > Dictionaries > User. The User Dictionary page appears, which lists all current Cisco ISE User-defined dictionaries.
Creating a New Cisco ISE User-Defined Dictionary
To create a new Cisco ISE user-defined dictionary, complete the following steps:
Step 1 Choose Policy > Policy Elements > Dictionaries > User.
The Dictionary pane appears, which lists all existing Cisco ISE User-defined dictionaries.
Step 2 Click action (icon) and choose New Dictionary to display the Create Dictionary page, or click Add (+).
Note When you click action, four options are displayed: New Dictionary, New Dictionary Attribute, Delete Dictionary, and Delete Dictionary Attribute.
Step 3 Enter or choose values for the following fields in the user-defined dictionary:
•Dictionary Name*
•Description
•Version*
•Dictionary Attribute Type*
•Dictionary Type
Note All Dictionary fields marked with an asterisk (*) require you to enter a value. All other fields are optional.
Step 4 Click Submit to save this new Cisco ISE user-defined dictionary in the Cisco ISE system local database.
Deleting an Existing Cisco ISE User-Defined Dictionary
To delete an existing Cisco ISE user-defined dictionary, complete the following steps:
Step 1 Choose Administration > Resources > Dictionaries > User.
The Dictionary pane appears, which lists all existing Cisco ISE User-defined dictionaries.
Step 2 Choose the check box that corresponds to the user-defined dictionary you want to delete, and click Delete.
A delete confirmation page appears that indicates that you have deleted the selected user-defined dictionary.
Step 3 Click OK to close the delete confirmation page.
Modifying an Existing Cisco ISE User-Defined Dictionary
To modify values in an existing Cisco ISE user-defined dictionary, complete the following steps:
Step 1 Choose Policy > Policy Elements > Dictionaries > User.
The Dictionary pane appears, which lists all existing Cisco ISE User-defined dictionaries.
Step 2 Choose the check box that corresponds to the user dictionary that you want to modify, and click Edit.
The Edit Dictionary page is displayed.
Step 3 Modify the Description, Version, or Dictionary Attribute Type value as desired.
Note You cannot modify the values for Dictionary Name or Dictionary Type for an existing dictionary.
Step 4 Click Save to save the modified Cisco ISE user-defined dictionary value(s) in the Cisco ISE system local database.
Searching for Attributes in an Existing Cisco ISE User-Defined Dictionary
To search for an attribute in an existing Cisco ISE user-defined dictionary, complete the following steps:
Step 1 Choose Policy > Policy Elements > Dictionaries > User.
The Dictionary pane appears, which lists all existing Cisco ISE User-defined dictionaries.
Step 2 Click Filter and choose one of the following options:
•Quick Filter
•Advanced Filter
To perform a Quick Filter, enter search criteria in one or more of the following attribute fields:
•Name
•Description
To perform an Advanced Filter, create a matching rule by performing the following:
•In the Filter drop-down list, choose one of the following options:
–Description
–Name
•In the second drop-down list, choose one of the following options:
–Contains
–Does not contain
–Does not equal
–Ends with
–Is empty
–Is exactly (or equals)
–Is greater than
–Is greater than or equal to
–Is less than
–Is less than or equal to
–Is not empty
–Starts with
•In the text box, enter your desired search value.
•Click Go to launch the filter process, or click plus (+) to add additional search criteria.
•Click Clear Filter to reset the filter process.
Creating a New Cisco ISE User-Defined Dictionary Attribute
To create a new Cisco ISE user-defined dictionary attribute, complete the following steps:
Step 1 Choose Policy > Policy Elements > Dictionaries > User.
The Dictionary pane appears, which lists all existing Cisco ISE User-defined dictionaries.
Step 2 In the User navigation pane, choose the user dictionary in which you want to create a new attribute, click action (icon), and choose New Dictionary Attribute to display the Edit Dictionary page.
(Optional) In the list of existing User-defined dictionaries, choose the check box that corresponds to the user dictionary in which you want to create a new dictionary attribute, click Edit, and click Dictionary Attributes tab.
The Dictionary Attributes page appears.
Step 3 Enter or choose values for the following fields for the dictionary attribute that is being created:
•Attribute Name*
•Description
•Internal Name*
•Data Type*
•Dictionary*
Note All attribute fields marked with an asterisk (*) require that you enter a value. All other fields are optional. The Data Type and Dictionary fields are drop-down lists that allow you to choose from a list of options.
Step 4 In the Allowed Values table, click Add (+) and click on the new line to display the configurable fields.
Step 5 Enter or choose values for each of the following attribute types in the corresponding fields:
•Name
•Value
•IsDefault (choose Yes or No)
Step 6 Click Save to save the configured attribute value, or click Cancel to close the configurable fields.
Note Clicking Cancel does not delete this allowed attribute value. Use Step 7 to delete an attribute value.
Step 7 (Optional) If you want to delete an allowed attribute value, in the Allowed Values table, choose the check box that corresponds to the attribute value that you want to delete, and click Remove to delete this attribute from the table.
Step 8 Click Submit to save your attribute changes in the Cisco ISE system database.
Deleting an Existing Cisco ISE User-Defined Dictionary Attribute
To delete an existing Cisco ISE user-defined dictionary attribute, complete the following steps:
Step 1 Choose Policy > Policy Elements > Dictionaries > User.
The Dictionary pane appears, which lists all existing Cisco ISE User-defined dictionaries.
Step 2 In the User navigation pane, choose the user dictionary in which you want to delete a dictionary attribute.
Step 3 Click the Dictionary Attributes tab.
A list of dictionary attributes for the selected dictionary is displayed.
Step 4 Choose the check box that corresponds to the attribute that you want to delete, and click Delete.
A delete confirmation page appears that indicates that you have deleted the selected dictionary attribute.
Step 5 Click OK to close the delete confirmation page.
Configuring RADIUS Vendors
To access the RADIUS vendor list in Cisco ISE, choose Administration > Resources > RADIUS Vendors. This page lists the RADIUS vendors that Cisco ISE supports. Each vendor definition contains the vendor name, vendor ID, description, and two properties that are related to the attributes in its dictionary:
•Type Field Length—The number of bytes taken from the attribute value, which are used to specify the attribute type.
•Size Field Length—The number of bytes taken from the attribute value to specify the attribute length.
Each vendor attribute has a name, internal name, description, data type, and properties for the following items:
•Direction—To determine if they are relevant to requests only, responses only, or both
•Cardinality—To determine if only one or multiple instances of an attribute might be placed in a packet
The following vendor dictionaries are available in Cisco ISE:
•Cisco
•Cisco-BBSM
•Cisco-VPN3000
•Microsoft
This section contains the following topics:
•Creating and Editing RADIUS Vendors
•Creating and Editing RADIUS VSAs
•Deleting RADIUS Vendors
•Importing and Exporting RADIUS Vendor Dictionary
Creating and Editing RADIUS Vendors
To create and edit a RADIUS vendor, complete the following steps:
Step 1 From the Administration mega menu, choose Resources > RADIUS Vendors.
The RADIUS Vendors page appears with a list of RADIUS vendors that ISE supports.
Step 2 Click Create to create a new RADIUS vendor or click the radio button next to the RADIUS vendor that you want to edit and click Edit.
Step 3 Enter the following information:
•Name—(Required) Name of the RADIUS vendor.
•Description—An optional description for the vendor.
•Vendor ID—(Required) The Internet Assigned Numbers Authority (IANA)-approved ID for the vendor.
•Vendor Attribute Type Field Length—(Required) The number of bytes taken from the attribute value to be used to specify the attribute type. Valid values are 1, 2, and 4. The default value is 1.
•Vendor Attribute Size Field Length—(Required) The number of bytes taken from the attribute value to be used to specify the attribute length. Valid values are 0 and 1. The default value is 1.
Step 4 Click Submit to save the RADIUS vendor.
For more information:
See the "Configuring RADIUS Vendors" section.
Creating and Editing RADIUS VSAs
To create and edit RADIUS vendor-specific attributes (VSAs), complete the following steps:
Step 1 From the Administration mega menu, choose Resources > RADIUS Vendors.
The RADIUS Vendors page appears with a list of vendors.
Step 2 Click the radio button next to the RADIUS vendor dictionary for which you want to add attributes or whose attributes you want to edit.
Step 3 Click Edit Attributes.
The RADIUS Vendor Attributes page appears.
Step 4 Click Create to create an attribute or click the radio button next to the attribute that you want to edit, and then click Edit.
Step 5 Enter the following information:
•Name—(Required) Name of the VSA
•Description—An optional description
•Internal Name—Internal name of the VSA
•Data Type—Could be one of the following:
–STRING
–INTEGER
–FLOAT
–BOOLEAN
–IPv4
–OCTET_STRING
–UINT32
–UINT64
•Direction—Could be one of the following:
–IN—Requests only
–OUT—Responses only
–BOTH—Bidirectional
•ID—The vendor attribute ID. Click the Allowed Values tab to enter allowed values for the vendor attribute ID. The allowed values for the vendor attribute ID depend on the type and size specified for the corresponding vendor. For example, if 1 byte is chosen, then a range of 1 to 255 is permitted and 0 is not permitted. For n bytes, the range would be 1 to ((2^n) - 1).
Step 6 To add an allowed value, click the Allowed Values tab.
•Click Add.
•Enter the name in the Please enter name for new Attribute Allowed Value dialog box.
A record is created.
•Choose the record to add a value, and choose Yes from the isDefault drop-down list box if you want this value to be the default value.
•Click Submit to save your changes.
You can add additional allowed values for this VSA.
Step 7 Click Submit to save the VSA.
For more information:
•Configuring RADIUS Vendors
•Creating and Editing RADIUS Vendors
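The following added example (not part of the Cisco documentation and not Cisco ISE code) shows how a vendor's Type Field Length and Size Field Length determine the way sub-attributes inside a RADIUS Vendor-Specific attribute (type 26) are decoded, and how a dictionary whose lengths do not match the sender's encoding fails to parse. Assumptions: the names VendorDef, build_vsa and parse_vsa are hypothetical, the vendor uses enterprise number 32473 (reserved by IANA for documentation), the length byte counts the sub-attribute header plus its value, and the highest attribute ID for an n-byte type field is taken as 2^(8n) - 1, which gives the 1 to 255 range stated above for 1 byte.

```python
import struct
from dataclasses import dataclass

VENDOR_SPECIFIC = 26  # RADIUS attribute type that carries VSAs (RFC 2865)


@dataclass(frozen=True)
class VendorDef:
    """Hypothetical mirror of the vendor fields described in this section."""
    name: str
    vendor_id: int
    type_len: int = 1  # Vendor Attribute Type Field Length: 1, 2 or 4
    size_len: int = 1  # Vendor Attribute Size Field Length: 0 or 1

    def __post_init__(self):
        if self.type_len not in (1, 2, 4) or self.size_len not in (0, 1):
            raise ValueError("type length must be 1, 2 or 4; size length 0 or 1")

    def max_attr_id(self) -> int:
        # Assumed: an n-byte type field holds IDs 1 .. 2**(8*n) - 1 (255 for 1 byte).
        return (1 << (8 * self.type_len)) - 1


def build_vsa(vendor: VendorDef, items) -> bytes:
    """Encode (attr_id, value) pairs into one Vendor-Specific attribute."""
    body = b""
    for attr_id, value in items:
        if not 1 <= attr_id <= vendor.max_attr_id():
            raise ValueError(f"attribute ID {attr_id} out of range")
        body += attr_id.to_bytes(vendor.type_len, "big")
        if vendor.size_len:  # assumed: length counts its own header plus data
            body += bytes([vendor.type_len + 1 + len(value)])
        body += value
    header = bytes([VENDOR_SPECIFIC, 6 + len(body)])
    return header + struct.pack("!I", vendor.vendor_id) + body


def parse_vsa(attr: bytes, vendor: VendorDef):
    """Decode one Vendor-Specific attribute into [(attr_id, value)]."""
    if len(attr) < 6 or attr[0] != VENDOR_SPECIFIC or attr[1] != len(attr):
        raise ValueError("malformed Vendor-Specific attribute")
    if struct.unpack("!I", attr[2:6])[0] != vendor.vendor_id:
        raise ValueError("vendor ID does not match the dictionary")
    body, hdr, pos, out = attr[6:], vendor.type_len + vendor.size_len, 0, []
    while pos < len(body):
        if len(body) - pos < hdr:
            raise ValueError("truncated sub-attribute header")
        attr_id = int.from_bytes(body[pos:pos + vendor.type_len], "big")
        if attr_id == 0:
            raise ValueError("attribute ID 0 is not permitted")
        if vendor.size_len:
            total = body[pos + vendor.type_len]
            if total < hdr or pos + total > len(body):
                raise ValueError("sub-attribute length out of bounds")
        else:
            total = len(body) - pos  # no length field: value runs to the end
        out.append((attr_id, body[pos + hdr:pos + total]))
        pos += total
    return out
```

Decoding a packet with a vendor definition whose field lengths differ from the ones used to encode it either raises an error or yields wrong attribute IDs, so the two lengths must match what the network device actually sends.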
Deleting RADIUS Vendors
To delete a RADIUS vendor, complete the following steps:
Step 1 From the Administration mega menu, choose Resources > RADIUS Vendors.
The RADIUS Vendors page appears with a list of vendors.
Step 2 Click the radio button next to the vendor that you want to delete, then click Delete.
A dialog box displays the following message: Are you sure you want to delete this vendor?
Step 3 Click OK to delete the RADIUS vendor.
For more information:
•For more information on configuring RADIUS vendors, see Configuring RADIUS Vendors.
•For more information on creating and editing RADIUS vendors, see Creating and Editing RADIUS Vendors.
Importing and Exporting RADIUS Vendor Dictionary
You can import RADIUS vendor dictionaries into Cisco ISE and export the RADIUS vendor dictionaries from Cisco ISE.
To import a RADIUS vendor dictionary, complete the following steps:
Before you can import a RADIUS vendor dictionary into Cisco ISE, ensure that the dictionary file is available on the file system of the system that is running your client browser.
Step 1 From the Administration mega menu, choose Resources > RADIUS Vendors.
Step 2 The RADIUS Vendors page appears.
Step 3 Click Import.
Step 4 Click the Import Vendor radio button.
Step 5 Click Browse to choose the vendor dictionary from the file system that is running your client browser.
Step 6 Click Import to import the vendor dictionary.
To export a RADIUS vendor dictionary, complete the following steps:
Step 1 From the Administration mega menu, choose Resources > RADIUS Vendors.
Step 2 Click the radio button next to the vendor dictionary that you want to export and click Export.
Step 3 Save the vendor dictionary on the file system that is running your client browser.