You are on page 1of 41

ISE Profiling Services Lab Guide

Developers and Lab Proctors


This lab was created by: James Burke

Lab Overview
This lab is designed to help attendees understand how to configure and deploy ISE Profiler. It covers the basic configuration and management for profiling devices in an 802.1X environment. Lab Users should be able to complete the lab within the allotted lab time of (2) hours.

Lab Exercises
This lab guide includes the following exercises: Lab Verification Lab Exercise 1: Enable ISE Probes for Profiling Lab Exercise 2: Configure and Verify NAD Communication with ISE Probes Lab Exercise 3: Verify Profiled Endpoints and Probe attribute information Lab Exercise 4: Create Profiles and Authorization Policies for Profiled Endpoints Lab Exercise 5: Verify IP Phone default Policy Lab Exercise 6: Logging and Reporting

02_ISE_1.0_Profiling_Services_Lab_Guide(EDCS-978790_rev12a).docx 1

10/20/2011

Product Overview: ISE


The Cisco Identity Services Engine (ISE) is an identity and access control policy platform that enables enterprises to enforce compliance, enhance infrastructure security and streamline their service operations. Its unique architecture allows enterprises to gather real time contextual information from network, users, and devices to make proactive governance decisions by tying identity back into various network elements including access switches, wireless controllers, VPN gateways, and datacenter switches. Cisco Identity Services Engine is a key component of the Cisco TrustSec Solution.

TrustSec Lab Topology

02_ISE_1.0_Profiling_Services_Lab_Guide(EDCS-978790_rev12a).docx 2

10/20/2011

02_ISE_1.0_Profiling_Services_Lab_Guide(EDCS-978790_rev12a).docx 3

10/20/2011

Internal IP addresses
The table that follows lists the internal IP addresses used by the devices in this setup.
Device Core Switch (Nexus 7k) Name/Ho stn ame 7k-core.demo.local IP Ad dress 10.1.100.1 10.1.250.1 Access Switch (3560X) Data Center Switch (3560X) ISE Appliance ISE Appliance ISE Appliance ISE Appliance AD Serv er (CA/DNS/DHCP) NTP Serv er Public Web Serv er Internal Web Serv er Admin (Management) Client (also F TP Serv er) Windows 7 Client PC 3k-access.demo.local 3k-serv er.demo.local ise-1.demo.local ise-2.demo.local ise-3.demo.local ise-4.demo.local ad.demo.local ntp.demo.local www-ext.demo.local www-int.demo.local admin.demo.local ftp.demo.local win7-pc.demo.local DHCP (10.1.10.x/24) 10.1.250.2 10.1.251.2 10.1.100.21 10.1.100.22 10.1.100.23 10.1.100.24 10.1.100.10

128.107.220.1
10.1.252.10 10.1.252.20 10.1.100.6

Internal VLANs and IP Subnets


The table that follows lists the internal VLANs and corresponding IP subnets used by the devices in this setup.
VL AN Nu mb er 10 20 30 VL AN Name IP Subn et Descrip tion

ACCESS MACHINE QUARANTINE

10.1.10.0/24 10.1.20.0/24 10.1.30.0/24

Network f or authenticated users or access network using ACLs Microsoft machine-authenticated dev ices (L2 segmentation) Unauthenticated or non-compliant dev ices (L2 segmentation) Dedicated Voice VLAN Network f or authenticated and compliant guest users VPN Client VLAN to ASA outside interface ASA inside network to IPEP untrusted interface Dedicated IPEP VLAN for trusted interface

40 50 60 70 80

VOICE GUEST VPN ASA (trusted) IPEP (trusted)

10.1.40.0/24 10.1.50.0/24 10.1.60.0/24 10.1.70.0/24 10.1.80.0/24

02_ISE_1.0_Profiling_Services_Lab_Guide(EDCS-978790_rev12a).docx 4

10/20/2011

90 100 (250) (251) 252

AP DATACENTER

10.1.90.0/24 10.1.100.0/24 10.1.250.0/24 10.1.251.0/24

Wireless AP connection for LWAAP tunnel Network serv ices (AAA, AD, DNS, DHCP, NTP, etc.) Dedicated interconnect subnet between Core and Access switch. Dedicated interconnect subnet between Core and Data Center switch. Web Serv er network

WEBSVR

10.1.252.0/24

No te:

Dedicated VLANs hav e been preconf igured for optional access policy assignments based on user identity , prof iling, or compliance status. These VLANs include MACHINE, QUARANTINE, and GUEST. This lab will focus on the use of downloadable ACLs (dACLs) rather than VLAN assignment f or policy enf orcement. By def ault, all client PC access will remain in the ACCESS VLAN 10 and IP phones will be placed in VOICE VLAN 40.

Accounts and Passwords


The table that follows lists the accounts and passwords used in this lab.
Access To Core Switch (Nexus 7k) Access Switch (3560X) Data Center Switch (3560X) ASA (VPN gateway ) ISE Appliances AD Serv er (DNS/DHCP/DHCP) Web Serv ers Admin (Management) Client Windows 7 Client (Local = WIN7-PC) (Domain = DEMO) Accoun t (u sern ame/p asswo rd) admin / C!sco123 admin / cisco123 admin / cisco123 admin / cisco123 admin / def ault1A administrator / cisco123 administrator / cisco123 admin / cisco123 WIN7-PC\administrator / cisco123 WIN7-PC\admin / cisco123 DEMO\admin / cisco123 DEMO\employ ee1 / cisco123

Connecting to Lab Devices


No te: To access the lab, y ou must first connect to the Admin PC. The Admin PC prov ides a launching point f or access to all the other lab components Admin PC access is through RDP, therefore y ou must hav e an RDP client installed on y our computer

No te:

02_ISE_1.0_Profiling_Services_Lab_Guide(EDCS-978790_rev12a).docx 5

10/20/2011

Connect to a POD
Step 1

Launch the Remote Desktop application on your system. a. In the LabOps student portal, click on the Topology tab b. Click on the Admin PC, then click on the RDP Client option that appears:

c. Clicking on this option should launch your RDP client and connect you to the Admin PC. Log in as DEMO\admin / cisco123 (Domain = DEMO) d. All lab configurations can be performed from the Admin client PC.

Connect to ESX Server Virtual Machines


During the lab exercises, you may need to access and manage the computers running as virtual machines.
Step 1 Step 2

From the Admin client PC, click the VMware vSphere Client icon on the desktop The IP address of your pods ESX server is 10.1.11.X where X = 10+(your pod number) e.g. pod 1 = 10.1.11.11, pod 9 = 10.1.11.19, pod 15 = 10.1.11.25, pod 24 = 10.1.11.34

No te: Step 3

Be careful to only connect to y our pods ESX serv er. If unsure, contact y our class proctor.

Enter student / cisco123 for the username and password:

02_ISE_1.0_Profiling_Services_Lab_Guide(EDCS-978790_rev12a).docx 6

10/20/2011

Step 4

Click Login.
Step 2

Once logged in, you will see a list of VMs that are available on your ESX server:

Step 5

You have the ability to power on, power off, or open the console (view) these VMs. To do so, place the mouse cursor over VM name in the left-hand pane and right-click to select one of these options:

02_ISE_1.0_Profiling_Services_Lab_Guide(EDCS-978790_rev12a).docx 7

10/20/2011

Step 6 Step 7

To access the VM console, select Open Console from the drop-down. To login to a Windows VM, select Guest > Send Ctrl+Alt+del from the VM Console menu:

Connect to Lab Device Consoles:


Step 1

To access the consoles of the lab switches and ISE servers using SSH: a. From the Admin client PC, double-click the desired PuTTY shortcut on the Windows desktop. Example:

02_ISE_1.0_Profiling_Services_Lab_Guide(EDCS-978790_rev12a).docx 8

10/20/2011

You can also use the shortcuts in the Windows Quick Launch toolbar. b. If prompted, click Yes to cache the server host key and to continue login. c. Login using the credentials listed in the Accounts and Passwords table.
Step 2

To access the console for other devices using SSH: a. From the Admin client PC, go to Start and select Menu to open a terminal session using PuTTY. from the Windows Start

b. Refer to the Internal IP Addresses table, and then enter the hostname or IP address of the desired device in the Host Name (or IP address). c. Click Open. d. If prompted, click Yes to cache the server host key and to continue login. e. Login using the credentials listed in the Accounts and Passwords table

Pre-Lab Setup Instructions


Basic Connectivity Test
To perform a basic connectivity test for the primary lab devices, run the pingtest.bat script from the Windows desktop of the Admin client PC:

Verify that ping succeeds for all devices tested by script.


No te: The ping test may fail for VMs that hav e not y et completed the boot process.

02_ISE_1.0_Profiling_Services_Lab_Guide(EDCS-978790_rev12a).docx 9

10/20/2011

Lab Verification: Verify initial lab setup and configuration


Exercise Description
Initial lab setup and pre-configuration verification.

Exercise Objective
Verify the default bootstrap configuration and connectivity.

Lab Exercise Steps


Step 1

Go to the Admin client PC and open a web browser to log into your ISE appliance (https://ise-1.demo.local) with username/password = admin / default1A Verify your network access switch (3k-access) is configured and setup correctly. a. Go to Administration > Network Resources > Network Devices and select 3k-access b. Verify the IP address is 10.1.250.2 c. Verify the authentication settings shared secret being used. Click the Show button and verify cisco123 is the shared secret.

Step 2

02_ISE_1.0_Profiling_Services_Lab_Guide(EDCS-978790_rev12a).docx 10

10/20/2011

Step 3

Use the desktop shortcut for the PuTTY SSH client to launch a terminal session to the 3kaccess switch (10.1.250.2) using the credentials admin / cisco123 (enabled password cisco123 ). Make sure interface Gi 0/1 4 are administratively shutdown. In this lab we are only concerned about the IP Phone and IP Camera. On the access switch verify MAB is configured on the switch ports for non-authenticating devices. Also verify Multi-Auth authentication is enabled on the switch port. This is needed for the IP Phone to authenticate. Both voice and data domains will authenticate via 802.1X and then fall over to MAB.
interface Gi0/1 switchport access vlan 10 switchport mode access switchport voice vlan 40 ip access-group ACL-ALLOW in authentication host-mode multi-auth authentication open authentication order mab dot1x authentication port-control auto authentication periodic authentication timer reauthenticate server mab d t1 th ti t

Step 4

Step 5

Step 6

Step 7

Verify the change of authorization command is configured on your switch. This is essential for when devices change profiles or the authorization settings change for a device or user. The ISE node will send the new authorization parameters to the switch via this mechanism.
aaa server radius dynamic-author client 10.1.100.21 server-key cisco123

Step 8

Verify the AAA accounting records are enabled.


aaa accounting dot1x default start-stop group radius aaa accounting network default start-stop group radius

02_ISE_1.0_Profiling_Services_Lab_Guide(EDCS-978790_rev12a).docx 11

10/20/2011

radius-server vsa send accounting radius-server vsa send authentication

Step 9

Verify Radius VSA information is configured for accounting and authentication.

02_ISE_1.0_Profiling_Services_Lab_Guide(EDCS-978790_rev12a).docx 12

10/20/2011

Lab Exercise 1: Enable ISE, Probes, and Network Device for Profiling
Exercise Description
This exercise will enable the profiling probes and NAD communication on your ISE Policy Service node.

Exercise Objective
At the end of this exercise you will learn how to enable the probes for your ISE Policy Service node via the GUI.

Lab Exercise Steps


Step 1 Step 2 Step 3

Log into your ISE device via the admin GUI. Go to Administration > System > Deployment. Click on your ISE node. In General Settings, verify Policy Service is enabled. Verify the Enable Profiling Service is enabled. In the right hand pane click the Profiling Configuration tab. a. Leave Netflow Probe disabled b. Enable DHCP Probe. i. The device interface should be Gi0. (Gi0 is the interface on the ISE appliance) ii. Leave the default UDP port 67. c. Enable DHCPSPAN Probe. i. The device interface should be Gi0 d. Enable HTTP Probe. i. The device interface should be Gi0 e. Enable RADIUS Probe f. Enable DNS Probe i. Keep the defaults g. Enable SNMPQUERY Probe. i. Keep the defaults h. Enable SNMPTRAP Probe. i. Leave Link Trap Query Disabled ii. Enable MAC Trap Query iii. Device Interface should be Gi0 iv. Port 162 leave as default.

Step 4

02_ISE_1.0_Profiling_Services_Lab_Guide(EDCS-978790_rev12a).docx 13

10/20/2011

02_ISE_1.0_Profiling_Services_Lab_Guide(EDCS-978790_rev12a).docx 14

10/20/2011

Step 5 Step 6

Click the Save button and make sure your changes were saved successfully. Now go to your pre-configured NAD device on ISE to enable SNMP communication. Administration > Network Resources > Network Devices a. Click on the 3k-access switch b. In the configuration page enable the SNMP Settings section c. Expand the setting and select SNMP version 2c d. Enter ciscoro as the read only community string e. Verify Link Trap Query is enabled. f. Verify MAC Trap Query is enabled.

g. Set the polling interval to 600 seconds (LAB USE ONLY !) h. Leave all other settings the same and click Save.
No te: Y ou can use multiple interf aces to enable the ISE probes. You can also enable ISE Profiling on other Policy Serv ice nodes if y ou hav e the proper licensing in place.

Step 7

Enable the Change of Authorization globally for Profiling. This will allow any status changes of a device to be sent to the access device for an endpoint. a. Go to Administration > System > Settings > Profiling > CoA Type = Reauth

No te:

Use caution when enabling this feature when first profiling y our dev ices. The Change of Authorization will occur for all newly profiled dev ices.

Step 8

To verify the default actions for profiled devices, go to Policy > Policy Elements > Results > Profiling > Exception Actions (Advanced Exception actions will not be covered in this lab.)

02_ISE_1.0_Profiling_Services_Lab_Guide(EDCS-978790_rev12a).docx 15

10/20/2011

End of Exercise: You have successfully completed this exercise. Proceed to next section.

02_ISE_1.0_Profiling_Services_Lab_Guide(EDCS-978790_rev12a).docx 16

10/20/2011

Lab Exercise 2: Configure and Verify NAD Communication with ISE Probes
Exercise Description
Configure ISE probes

Exercise Objective
In this exercise, your goal is to configure and verify your ISE probes are w orking as advertised.

Lab Exercise Steps


Step 1 Step 2

Console into the 3k-access switch. Enable SNMP on the switch.


snmp-server community ciscoro RO snmp-server community ciscorw RW snmp-server enable traps snmp linkdown linkup snmp-server enable traps mac-notification change move snmp-server host 10.1.100.21 version 2c ciscoro

Step 3

Turn on SNMP debug by typing debug snmp packet at the exec shell prompt on the access switch. If using remote console (SSH/Telnet), then make sure you also enter terminal monitor on the command line so you will see the output. Verify SNMP communication between the ISE node and the switch. You should see the SNMP requests coming into the switch from ISE-1 similar to that shown below. You should also see responses from the switch for SNMP MIB requests from ISE Profiling Service.

Step 4

02_ISE_1.0_Profiling_Services_Lab_Guide(EDCS-978790_rev12a).docx 17

10/20/2011

3k-access# debug snmp packet *Apr 19 13:50:25.758: SNMP: Packet received via UDP from 10.1.100.21 on Gi0/24 *Apr 19 13:50:25.758: SNMP: Packet received via UDP from 10.1.100.21 on Gi0/24 *Apr 19 13:50:25.758: SNMP: Packet received via UDP from 10.1.100.21 on Gi0/24 *Apr 19 13:50:25.758: SNMP: Packet received via UDP from 10.1.100.21 on Gi0/24 *Apr 19 13:50:25.758: SNMP: Get-bulk request, reqid 2133241990, nonrptr 0, maxreps 10 system = NULL TYPE/VALUE9 13:50:25.758: SNMP: Response, reqid 2133241990, errstat 0, erridx 0 system.1.0 = Cisco IOS Software, C3560 Software (C3560-IPSERVICESK9-M), Version 12.2(55)SE, RELEASE SOFTWARE (fc2) system.2.0 = products.797 sysUpTime.0 = 428342588 system.4.0 = system.5.0 = 3k-access.demo.local system.6.0 = system.7.0 = 6 system.8.0 = 0 sysOREntry.2.1 = cisco.7.129

Step 5

Turn off the SNMP debug by typing no debug all from exec mode prompt on the switch command line interface. Bring up switchport Gi 0/2 by entering the command no shutdown under the interface in configuration mode. Verify RADIUS packets are being sent to ISE by entering debug radius authentication from exec mode on the access switch. These will be sent when a MAC Authentication Bypass (MAB) session is initiated for clientless devices. This information will be received by the Profiler Radius Probe and used in profiling endpoints. You will see the following output. MAB will take some time to initiate after the DOT1X authentication requests time out.

Step 6

Step 7

Step 8

02_ISE_1.0_Profiling_Services_Lab_Guide(EDCS-978790_rev12a).docx 18

10/20/2011

*Apr 20 14:40:45.339: %AUTHMGR-5-START: Starting 'mab' for client (001e.e599.fc5b) on Interface Gi0/2 AuditSessionID 0A0164010000000F04A3DB09 *Apr 20 14:40:45.339: AAA/AUTHEN/8021X (00000011): Pick method list 'default' *Apr 20 14:40:45.339: RADIUS/ENCODE(00000011):Orig. component type = DOT1X *Apr 20 14:40:45.339: RADIUS(00000011): Config NAS IP: 0.0.0.0 *Apr 20 14:40:45.339: Getting session id for DOT1X(000 *Apr 20 14:40:45.339: RADIUS/ENCODE(00000011): acct_session_id: 16 *Apr 20 14:40:45.339: RADIUS/ENCODE: Best Local IP-Address 10.1.250.2 for RadiusServer 10.1.100.21 *Apr 20 14:40:45.339: RADIUS(00000011): Send Access-Request to 10.1.100.21:1812 id 1645/56, len 206 *Apr 20 14:40:45.339: RADIUS: 24 5A 60 * Apr 20 14:40:45.339: RADIUS: *Apr 20 14:40:45.339: RADIUS: * Apr 20 14:40:45.339: RADIUS: *Apr 20 14:40:45.339: RADIUS: *Apr 20 14:40:45.348: RADIUS: * Apr 20 14:40:45.348: RADIUS: authenticator B7 9E 45 1D 55 C4 2F C2 - 4D 15 7F 5C B4

User-Name User-Password Service-Type Framed-MTU Called-Station-Id Calling-Station-Id

[1] [2] [6] [12] [30] [31]

14 18 6 6 19 19 18

"001ee599fc5b" * Call Check 1500 "1C-17-D3-43-73-83" "00-1E-E5-99-FC-5B " 3 4F 1C 47 96 7D FA B2 [10]

*Apr 20 14:40:45.348: RADIUS: Message-Authenticato[80] 40 F3 6D 62 B5 84 D3 [ OG}@mb] *Apr 20 14:40:45.348: RADIUS: *Apr 20 14:40:45.348: RADIUS: *Apr 20 14:40:45.348: RADIUS: id=0A0164010000000F04A3DB09" *Apr 20 14:40:45.348: RADIUS: [15] * Apr 20 14:40:45.348: RADIUS: *Apr 20 14:40:45.348: RADIUS: *Apr 20 14:40:45.348: RADIUS: EAP-Key-Name Vendor, Cisco Cisco AVpair

[102] 2 [26] [1] 49 43

"audit-session-

NAS-Port-Type

[61]

Ethernet

NAS-Port NAS-Port-Id NAS-IP-Address

[5] [87] [4]

6 17 6

50002 "GigabitEthernet0/2" 10.1.250.2

*Apr 20 14:40:45.348: RADIUS(00000011): Started 5 sec timeout *Apr 20 14:40:45.599: RADIUS: Accept, len 157 Received from id 1645/56 10.1.100.21:1812, Access-

02_ISE_1.0_Profiling_Services_Lab_Guide(EDCS-978790_rev12a).docx 19

10/20/2011

Step 9

Turn off the Radius debug when finished by typing no debug all on the command line.

Step 10 Configure an additional IP helper address to the ISE appliance on Interface Vlan10 (Access) and

Interface Vlan40 (Voice) for DHCP information to be sent to the ISE DHCP probe (ex.):

interface Vlan10 ip address 10.1.10.1 255.255.255.0 ip helper-address 10.1.100.10 ip helper-address 10.1.100.21

Step 11 Do a shut/no shut on the interfaces Gi 0/1 8. This will retrigger DHCP requests and send

DHCP requests to ISE


Step 12 Go to the Windows 7 PC and reboot it. Go to Start > Shutdown > Restart. This is needed due

to the VM and IP phone not detecting link state.

End of Exercise: You have successfully completed this exercise. Proceed to next section.

02_ISE_1.0_Profiling_Services_Lab_Guide(EDCS-978790_rev12a).docx 20

10/20/2011

Lab Exercise 3: Verify Profiled Endpoints and Probe information


Exercise Description
You will verify and endpoints and the received information collected by each probe.

Exercise Objective
In this exercise, your goal is to correctly identify newly profiled endpoints and their unique attributes collected on the network.

Lab Exercise Steps


Step 1

Go to the ISE-1 Home page and see if there are any Profiled Endpoints. Look at the Profiled Endpoints to see if you have endpoints being profiled.

Step 2 Step 3

Go to Administration > Identity Management > Identities > Endpoints You should now see MAC addresses show up in the Endpoints View

02_ISE_1.0_Profiling_Services_Lab_Guide(EDCS-978790_rev12a).docx 21

10/20/2011

Step 4

Click on one of the endpoints to verify attribute data received by the probes. The latest information received by a certain Probe will be listed as: EndPointSource = (ex. SNMPTrap Probe)

02_ISE_1.0_Profiling_Services_Lab_Guide(EDCS-978790_rev12a).docx 22

10/20/2011

Step 5

Go back to Endpoints and click on the Microsoft-Workstation a. You can verify the DNS probe is working by locating the host-name attribute. DNS was setup in the Bootstrap Lab 1. b. You can also verify the DHCP Probe is working by locating the dhcp-class-identifier which was sent by the DHCP request of the Windows Client.

02_ISE_1.0_Profiling_Services_Lab_Guide(EDCS-978790_rev12a).docx 23

10/20/2011

End of Exercise: You have successfully completed this exercise. Proceed to next section.

02_ISE_1.0_Profiling_Services_Lab_Guide(EDCS-978790_rev12a).docx 24

10/20/2011

Lab Exercise 4: Create Profiles and Authorization Policies for Profiled Endpoints
Exercise Description
In this exercise, your goal is to create Profile and Authorization Policies.

Exercise Objective
In this exercise, your goal is to verify your Profiles and Authorization Policies for your Profiled Endpoints by validating the authentication session and its policy.

Lab Exercise Steps


Step 1

We now want to create our own Profile based on more specific information than the generic Cisco-Device profile that some of these endpoints are being profiled into. Go to Administration > Identity Management > Identities > Endpoints a. You should now see a few Endpoints profiled as Cisco-Device b. Click on the MAC address that is connected to port Gi 0/2 c. Under the attributes details look for some information that is interesting based on device type. You should see this under the cdp information collected from the SNMP Probe. d. Write down the cdp Platform information. For example, CIVS-IPC-4500 e. Also note the MAC OUI information = Cisco Systems Example output below:
Formatted: Font: (Def ault) Arial, 10 pt

Step 2

Step 3

Go to Policy > Policy Elements > Conditions > Profiling to create a matching rule for the device attribute information to be used in a Profiling Policy.

02_ISE_1.0_Profiling_Services_Lab_Guide(EDCS-978790_rev12a).docx 25

10/20/2011

Step 4

Under Profiling Conditions click Create . a. Name = cdpIPCAMERA b. Type = SNMP c. Attribute Name = cdpCachePlatform d. Operator = Contains e. Attribute Value = CIVS-IPC

Step 5

Click Submit.

No te: Step 6 Step 7

Cisco OUI Conditions are already created.

Now go to Policy > Profiling > Profiling Policies Click Create . a. Name the Policy = MY_IP_Cameras b. Policy Enabled = Checked

02_ISE_1.0_Profiling_Services_Lab_Guide(EDCS-978790_rev12a).docx 26

10/20/2011

c. Minimum Certainty Factor = 25 d. Exception Action = None e. Create Matching Identity Group = Enabled (This will be used later in our Authorization Policy) f. Parent Policy = None

g. Rules: i. ii. If Condition Cisco-DeviceRule1Check1 Then Certainty Factor Increases 10 If Condition cdpIPCAMERA Then Certainty Factor Increases 25

Step 8 Step 9

Click Submit. Go to Administration > Identity Management > Groups > Endpoint Identity Groups and verify the new Identity Group = MY_IP_Cameras

02_ISE_1.0_Profiling_Services_Lab_Guide(EDCS-978790_rev12a).docx 27

10/20/2011

Step 10 Go to Policy > Authorization Step 11 Create a new Authorization Policy

a. Rule Name = Profiled IP_Cameras b. Identity Groups = MY_IP_Cameras c. Other Conditions = None d. Permissions = PermitAccess

02_ISE_1.0_Profiling_Services_Lab_Guide(EDCS-978790_rev12a).docx 28

10/20/2011

Step 12 Click Save. Step 13 Verify you have a default Authentication rule for MAB. This is crucial in making sure the MAB

authentication is matched and you are using the Internal Endpoints as the Identity store. Profiler Endpoints are stored in this Identity Store. a. Go to Policy > Authentication:
Formatted: Font: (Def ault) Arial, 10 pt

b. The MAB authentication rule states: If a Wired_MAB [Radius:Service-Type=10(Call Check) and Radius:NAS-PortType=15(Ethernet)] request is matched and has the allowed Protocols defined in the Default Network Access policy, then use Internal Endpoints as the Identity Store.

02_ISE_1.0_Profiling_Services_Lab_Guide(EDCS-978790_rev12a).docx 29

10/20/2011

Step 14 Go to the 3k-access switch and bounce interface Gi0/2 by using shut / no shut Step 15 Verify the MAB request was successful and the device was Authorized under the Profiled IP

_Cameras Authorization Policy. a. Go to Monitor > Authentications

Step 16 Click on the details icon to get more detailed information. There are details worth pointing out

based on the configurations: a. Authentication Method = MAB b. Username = MAC address of your device c. NAS Port ID = What port the device is connected d. Service Type = Call Check e. Identity Store = Internal Endpoints f. Identity Group Profiled:MY_IP_Cameras

g. Authorization Policy Matched Rule = Profiled IP Cameras

02_ISE_1.0_Profiling_Services_Lab_Guide(EDCS-978790_rev12a).docx 30

10/20/2011

End of Exercise: You have successfully completed this exercise. Proceed to next section.

02_ISE_1.0_Profiling_Services_Lab_Guide(EDCS-978790_rev12a).docx 31

10/20/2011

Lab Exercise 5: Verify the IP Phone default Policy


Exercise Description
Verify the IP phone is authorized and active.

Exercise Objective
In this exercise, your goal is to verify the IP Phone has been successfully authenticated and authorized by ISE. With ISE there is a pre-configured Authorization Policy for Cisco IP Phones for convenience.

Lab Exercise Steps


Step 1 On the 3k-access switch, shutdown the port Gi0/1 using the shutdown command. Step 2 Use no shutdown to bounce the link for a new MAB request.

*Apr 22 15:00:14.654: %AUTHMGR-5-START: Starting 'mab' for client (1c17.d341.d18b) on Interface Gi0/1 AuditSessionID 0A0164010000001E0F026AA0 *Apr 22 15:00:14.914: %MAB-5-SUCCESS: Authentication successful for client (1c17.d341.d18b) on Interface Gi0/1 AuditSessionID 0A0164010000001E0F026AA0 *Apr 22 15:00:14.914: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (1c17.d341.d18b) on Interface Gi0/1 AuditSessionID 0A0164010000001E0F026AA0 *Apr 22 15:00:15.954: %AUTHMGR-5-SUCCESS : Authorization succeeded for client (1c17.d341.d18b) on Interface Gi0/1 AuditSessionID 0A0164010000001E0F026AA0

Step 3 Step 4

Verify the Authentication and Authorization was successful on the switch. On the 3k-acce ss switch, enter the command show authentication sessions interface Gi0/1 .

02_ISE_1.0_Profiling_Services_Lab_Guide(EDCS-978790_rev12a).docx 32

10/20/2011

3k-access # sh authentication sessions int Gi0/1 Interface: MAC Address: IP Address: User-Name: Status: Domain: GigabitEthernet0/1 1c17.d341.d18b Unknown 1C-17-D3-41-D1-8B

Authz Success VOICE Should Secure Unsecure multi-auth both

Security Policy: Security Status: Oper host mode: Oper control dir: Authorized By: ACS ACL:

Authentication Server

xACSACLx-IP-PERMIT_ALL_TRAFFIC-4d269051 N/A

Session timeout: Idle timeout:

N/A 0A0164010000002A24BB3A47

Common Session ID: Acct Session ID: Handle:

0x0000002B

0x1D00002A

Runnable methods list: Method dot1x State Failed over

Step 5

Log into ISE GUI and verify the Authentication. Go to Monitor > Authentications .

02_ISE_1.0_Profiling_Services_Lab_Guide(EDCS-978790_rev12a).docx 33

10/20/2011

Step 6 Click on the MAC address for the IP Phone connect to Gi0/1:

Step 7 Look into the details of the authentication and authentication result to verify the details of the

default permissions.
Step 8 Notice the cisco-av -pair=device-traffic-class=voice which tells the switch this MAC

belongs to the voice vlan.

02_ISE_1.0_Profiling_Services_Lab_Guide(EDCS-978790_rev12a).docx 34

10/20/2011

No te:

The IP Phone Authorization Profile details can be f ound here: Policy > Policy Elements > Results > Authorization Profiles > Cisco_IP_Phones

End of Exercise: You have successfully completed this exercise. Proceed to next section.

02_ISE_1.0_Profiling_Services_Lab_Guide(EDCS-978790_rev12a).docx 35

10/20/2011

Lab Exercise 6: Profiler Logging and Reporting


Exercise Description
Understand Profilers logging and reporting capabilities.

Exercise Objective
In this exercise you enable debug logging and generate a Profiled endpoint report.

Lab Exercise Steps


Step 1 You can create different Endpoint reports from Profiling. a. b. c.

Go to Monitor > Reports > Catalog > Endpoint Click on the Endpoint Profiler Summary You can run a report from the last 30 minutes to the last 30 Days

Step 2

You will get the output of the endpoints logged for the day and the Policy the endpoint has been profiled into.

02_ISE_1.0_Profiling_Services_Lab_Guide(EDCS-978790_rev12a).docx 36

10/20/2011

Step 3

You can enable Profiler Log collection to Debug for advanced troubleshooting
a. b. c. d. e. f.

Go to Administration > System > Logging > Debug Log Configuration Select ise-1 from right pane Scroll down the list and click on the Profiler radial button. Click on current log setting to display a drop-down list. Set the Log setting to DEBUG. Click Save.

Step 4

To display the debug logs go to Monitor > Troubleshoot > Download Logs > ISE-1 Under the Debug log type select profiler.log

End of Exercise: You have successfully completed this exercise. Proceed to next section.

02_ISE_1.0_Profiling_Services_Lab_Guide(EDCS-978790_rev12a).docx 37

10/20/2011

Appendix: Additional Resources


SNMP Attributes MAC Notification: MacStatus Vlan MACAddress dot1dBasePort MoveFromPort (for mac move notifcation) MoveToPort (for mac move notifcation) Timestamp Link Notification: ifIndex ifAdminStatus ifOperStatus ifD escr ifType ifSpeed ifPhysAddress Switch Information mib walk: Switch IP Address/Subnet Switch D escription if available sysUpTime sysContact sysName sysLocation Switch ifIndex All portIfIndex Configured Vlan information (VLAN state, name, port, ifIndex)

02_ISE_1.0_Profiling_Services_Lab_Guide(EDCS-978790_rev12a).docx 38

10/20/2011

CD P Information cdpCacheVersion cdpCacheNativeVLAN cdpCacheD evicePort MACAddress cdpCacheLastChange cdpCacheAddressType cdpCacheD eviceId cdpCacheAddress cdpCachePlatform cdpCacheCapabilities cdpCacheD uplex CISCO-AUTH -FRAMEWORK-MIB cafSessionAuthorizedBy cafSessionAuthUserName cafSessionAuthVlan cafSessionClientMacAddress cafSessionDomain cafSessionStatus VlanName

DHCP Attributes Any attribute parsed out of the DH CP traffic will be mapped into an endpoint attribute. For a list of possible attributes see: http://www.iana.org/assignments/bootp-dhcp-parameters/

HTTP User Agent The browser user agent as well as any http attributes present will be captured and added to the endpoint to add to the profiling capability. For a full list of possible attributes see: http://www.rfc-editor.org/rfc/rfc2616.txt

02_ISE_1.0_Profiling_Services_Lab_Guide(EDCS-978790_rev12a).docx 39

10/20/2011

DNS Probe Upon endpoint creation, a DNS lookup will try to determine the endpoint name FQDN. A new attribute will be added to the endpoint FQDN. Reverse DNS lookup will be done only when an endpoint detected by the DH CP, Radius and SNMP probes contains following attributes. This means that, for DNS lookup, at least one of the following probes need to started along with DNS probe. DH CP IP H elper, DH CP Span dhcp-requested-address Radius Probe Framed-IP-Address SNMP Probe cdpCacheAddress H TTP Probe Source IP Radius Attributes We will be collecting and assigning to endpoints Radius attributes from both the request and the response. For a list of Radius attributes, see the RFCs defined at http://en.wikipedia.org/wiki/RAD IUS.

Netflow Attributes We will be collecting any an all attributes sent through Netflow. Please consult http://www.faqs.org/rfcs/rfc3954.html for details on netflow attributes. H ere is a sample: IN_BYTES IN_PKTS FLOWS PROTOCOL TOS TCP_FLAGS L4_SRC_PORT IPV4_SRC_AD D R SRC_MASK L4_D ST_PORT IPV4_D ST_AD D R D ST_MASK IPV4_NEXT_H OP LAST_SWITCH ED FIRST_SWITCH ED OUT_BYTES OUT_PKTS IPV6_SRC_AD D R IPV6_D ST_AD D R IPV6_SRC_MASK IPV6_D ST_MASK IPV6_FLOW_LABEL ICMP_TYPE D ST_TOS SRC_MAC D ST_MAC SRC_VL AN D ST_VLAN

02_ISE_1.0_Profiling_Services_Lab_Guide(EDCS-978790_rev12a).docx 40

10/20/2011

IP_PROTOCOL_VERSION D IRECTION

End of Lab: Congratulations! You have successfully completed the lab. Please let your
proctor know you finished and provide any feedback to help improve the lab experience.

02_ISE_1.0_Profiling_Services_Lab_Guide(EDCS-978790_rev12a).docx 41

10/20/2011