
7/16/2020 How to build a basic Cisco Identity Services Engine ISE home lab – The Security Blogger

The Security Blogger 

07/12/2013

How to build a basic Cisco Identity Services Engine ISE home lab

I’ve posted about configuring Cisco Identity Services Engine ISE for a few use cases; however, I
have had requests to explain the steps to set up a basic lab. This post serves as a guide to get a
basic ISE lab running to test LAN or mobile devices. My lab uses an Apple Mac mini as an ESXi
5.1 server hosting the ISE virtual machine (explained HERE). See the configuration guides for
details on configuring a lab.

Virtual Machine Setup: Download the latest ISE .ISO file from cisco.com. Access the ESXi GUI
and select New Machine. The recommended specs for a custom New Machine:

Virtual Machine version 7
Linux 5 32 bit
2 virtual CPU
4 gig of memory
60 gig of space – thin provisioning (I find thick isn’t necessary for a lab)

This video provides details on the ISE installation HERE

Once ISE is operational, log into your system with the user name and password set during the
installation process.


ISE Updates + Passwords: Select Administration Tab -> System -> Settings. On the left
column select the caret for Posture and Updates. Click update now and also set up how often
you want to auto update.

To update ISE login policies so you don’t lock yourself out, go Admin Tab -> System -> Admin
Access. Select Authentication and the last tab for Password Policy. I suggest simplifying the
policies for a lab that is secure. You can also add a second administrator in the event your
primary login gets locked out via the Administrators -> Admin Users area under Admin
Access. NOTE: The password reset process is painful, so have a backup plan built in.

 Updates for ISE

Adding Active Directory: Select Administration -> Identity Management and External
Identity Sources. This is where you add your Active Directory information. The steps are
adding AD, joining AD, selecting the Groups tab and selecting which groups ISE will use to
authenticate.

This video covers the details HERE

Adding Network Devices: You need to add switches, access points, etc. to ISE. Go under
Administration -> Network Resources -> Network Devices. Click ADD. Give it a name,
provide the IP address, the shared RADIUS secret under Authentication Settings and the SNMP
settings under SNMP Settings.

Your network devices will need RADIUS enabled and pointing to the new ISE server. The best
way to test a switch is by scanning its config with ISE for missing commands. This ISE tool is
found under Operations -> Diagnostic Tools. On the left column, select the caret for General
Tools and select the Evaluate Configuration Validator. You will be asked to input the device IP
and login credentials as it scans the configuration. The tool will flag any missing commands.
Some are not necessary; however, the majority are required. Make sure to pass this scan prior to
adding your devices to ISE.

Config Validation Tool

Cisco Configuration Evaluation Tool
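As an added illustration (not the ISE validator and not code from the original post), here is an offline check in the same spirit: it scans a constructed switch running-config for the AAA, RADIUS and 802.1X commands an ISE-enabled switch needs and lists what is missing globally and per access port. The required-command lists, the ISE address 192.0.2.10 and the sample config are assumptions for a lab.

```python
import re

ISE_IP = "192.0.2.10"  # constructed lab ISE address (assumption)

# Commands this check treats as required; an assumed minimum set, not Cisco's list.
REQUIRED_GLOBAL = [
    "aaa new-model",
    "aaa authentication dot1x default group radius",
    "aaa authorization network default group radius",
    "aaa accounting dot1x default start-stop group radius",
    "dot1x system-auth-control",
]
REQUIRED_PORT = ["authentication port-control auto", "dot1x pae authenticator", "mab"]
# Constructed running-config excerpt: one access port lacks MAB, two global
# commands are missing, and the trunk port should be skipped.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication dot1x default group radius
dot1x system-auth-control
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key LAB-KEY-PLACEHOLDER
interface GigabitEthernet0/1
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
interface GigabitEthernet0/8
 switchport mode trunk
"""


def missing_commands(config: str) -> dict:
    """Report missing global commands, whether RADIUS points at ISE, and what each access port lacks."""
    lines = config.splitlines()
    present = {l.strip() for l in lines}
    report = {"global": [c for c in REQUIRED_GLOBAL if c not in present]}
    # Old-style 'radius-server host <ip>' and new 'address ipv4 <ip>' both count.
    report["radius_points_to_ise"] = bool(
        re.search(r"(radius-server host|address ipv4) " + re.escape(ISE_IP) + r"\b", config))
    ports, name = {}, None
    for line in lines:
        if line.startswith("interface "):
            name = line.split(None, 1)[1]
            ports[name] = []
        elif line.startswith(" ") and name:
            ports[name].append(line.strip())
        else:
            name = None          # any other top-level line ends the stanza
    for port, body in ports.items():
        if "switchport mode access" in body:   # only access ports run 802.1X
            gaps = [c for c in REQUIRED_PORT if c not in body]
            if gaps:
                report[port] = gaps
    return report
```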

Enabling Profiling: Select Administration Tab -> System -> Deployment. After the popup,
select your ISE server. Click “enable profiling services”, click profiling and enable which
profiling capabilities you wish to test.

To update ISE so devices can re-authenticate when the profile changes, go to Administration
-> System -> Settings. Click the posture caret and select profiling. Change the CoA to reauth
and click save.

You can view default profiling policies under Policy -> Profiling, as well as the conditions that
make up those policies under Policy Elements -> Conditions (select the profiling tab).

Profiled devices are found under Administrator -> Identity Management -> Identities; select
Endpoints on the left column.

This post talks more about ISE profiling HERE

Basic Policies:

Authentication: This is where you configure the device access type and protocol used. For
example, you can select IF Wired_802.1x or Wireless_802.1x (using the + sign and adding a
new Condition such as one being Wired and the other being Wireless). Next select a specific
authentication protocol or leave the default for any. The last thing is selecting where users are
authenticated against by selecting the caret after AND.. and choosing the USE field. The
default is internal users; however, if you added Active Directory, you can update this to the AD
group configured in a previous step.

Example of ISE Authentication for 802.1x Wireless users verified against the ISE Internal Users
Database

Authorization: This is where you define authorization policies once a device is authenticated.
An example could be “If an Apple iPhone OR Apple iPad” then provide a permission named
“Apple Access”. To build this, you would add a new RULE and give it a name. Next, select the IF
statement and change any to a profiled endpoint such as Apple iPhone. These won’t appear by
default until you follow the previous profiling section to “Create Matching Identity Group” for
Apple iPhone. You can add multiple if statements, which default to an OR.

Example of ISE Authorization for Any Profiled Apple Device and Username is joey, then place in
Apple_Mobile_Acces Policy

To authorize “If an Apple iPhone OR Apple iPad” AND “user must equal AD group ADMINS”,
meaning an approved admin user on an iPad, you can select attributes -> create new
condition. Under Expression, select the attribute under your named Active Directory server
or go with internal user, select = and either the AD group or a specific user. The previous
example uses an internal user, joey.

To provide Apple_Access, you need to first build it as explained under Permissions. Once
built, you can make your THEN statement Apple_Access. If it’s not built yet, select
PermitAccess until the proper permissions option is configured and available to select.

ISE reads policies top down, so think about how policies should flow. The end policy should be
a default policy of denying traffic once you are finished. For example, you may have a Main
policy for full access with lots of checks at the top, next have a Guest policy with limited
access, and end with a default deny all. The default last policy is PermitAccess.
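To make the top-down, first-match behaviour concrete, here is an added example (not ISE code and not from the original post) that models an ordered authorization table with the Apple iPhone/iPad and AD ADMINS rules described above, a configurable catch-all default, and a check for rules that never win because a broader rule sits above them. Session attributes and rule names such as Apple_Admins are constructed.

```python
# Ordered authorization rules: (name, condition, permission). The first rule
# whose condition matches wins, which is how ISE walks its policy table top down.
def apple_mobile(s):
    return s["profile"] in {"Apple-iPhone", "Apple-iPad"}


def admin_on_apple(s):
    return apple_mobile(s) and "ADMINS" in s["ad_groups"]


RULES = [
    ("Apple_Admins", admin_on_apple, "Apple_Access"),
    ("Apple_Mobile", apple_mobile, "Apple_Mobile_Access"),
    ("Guest", lambda s: s["profile"] == "Unknown", "Guest_Limited"),
]


def authorize(session, rules=RULES, default="DenyAccess"):
    """Return (rule name, permission) for a session. 'default' models the
    catch-all last rule, which ISE ships as PermitAccess."""
    for name, cond, permission in rules:
        if cond(session):
            return name, permission
    return "Default", default


def shadowed_rules(rules, sessions):
    """Names of rules that never win for any sample session, a sign that a
    broader rule placed earlier is catching the traffic meant for them."""
    winners = {authorize(s, rules)[0] for s in sessions}
    return [name for name, _, _ in rules if name not in winners]


# Constructed sessions (profile = ISE profiler result, ad_groups = AD lookup).
SESSIONS = [
    {"user": "joey", "profile": "Apple-iPhone", "ad_groups": []},
    {"user": "alice", "profile": "Apple-iPad", "ad_groups": ["ADMINS"]},
    {"user": "guest", "profile": "Unknown", "ad_groups": []},
    {"user": "", "profile": "HP-Printer", "ad_groups": []},
]
```

Swapping the first two rules shows the ordering problem the text warns about: the admin on an iPad then lands in Apple_Mobile_Access and the Apple_Admins rule never fires.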

Permissions: This is where you define where devices that pass ISE authentication end up.
Select Policy -> Policy Elements -> Results. On the left column select the caret for
Authorization, and the folder for authorization profiles. Click ADD to create a new profile. Give it
a name and scroll down to choose what you want to do with authenticated devices. For
example, you can select a specific VLAN or Dynamic ACL. DACLs are configured in the folder
directly under the Authorization Profiles.

Once you build your profile, it will be available as a THEN option under authorization.

ISE Authorization Profiles used for the THEN part of Authorization policies.

There is a lot more that can be done with Cisco ISE; however, this should be a good starting
point to see some traffic in your lab. To verify endpoints, go under Operations ->
Authentications to see if devices are being authenticated.

User Employee using an Apple Device gaining switchport access

You can also click Administration -> Identity Management and select the Endpoints folder to
see if the Profiler has captured anything.

Example of endpoints profiled by ISE


7 thoughts on “How to build a basic Cisco Identity Services Engine ISE home lab”

Vergauwen Simon

08/14/2014 at 8:00 am

Hi,
I’m assuming you can only make this “home lab” if you have a physical switch?

I need to implement wired security with Cisco ISE on C3750(X) switches. I’d love to try this
out first in a home lab. I currently have a VM running Cisco ISE and Windows Server for AD. I
also have a server running RADIUS. The only problem I have left is I don’t have a 3750 switch or
software able to simulate one.

You only described how to create a home lab with Cisco ISE in it. But you are currently not
doing anything with it???


admin 

08/14/2014 at 10:25 am


Hi Vergauwen. Yes, the assumption is you will be adding a network device since this is
network admission control technology. This can be a switch, wireless AP or VPN
concentrator. I try to keep posts short, so trying to summarize the entire configuration
process is tough without writing a million lines. Plus there are detailed configuration
documents for specific tasks such as adding a device.

To address your concern, you will first need to verify if the device is supported. That list can
be found via http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/compatibility/ise_sdt.html
for 1.2. Next you need to manage a device. Those steps can be found here
http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_man_network_devices.html.
Hope this helps. You don’t need a 3750x to test. I’m using an 8 port 3560 for my
personal lab.


Jose Anda

04/08/2015 at 5:56 pm

Can you please point me to the correct link to watch the videos? Thanks, Jose


admin 

04/09/2015 at 11:47 am

Fixed the links. Thanks for the heads up. In summary, check out the labminutes.com website
via their ISE section.


Demond

11/29/2016 at 7:25 pm

Will this work if I use CentOS Linux?
