Fl-Sise24 LG301 PDF

Implementing and
Configuring Cisco
Identity Services
Engine
Version 2.4
Version 3.0.1
ATTENTION
The Information contained in this guide is intended for training purposes only. This guide contains information and activities that, while
beneficial for purposes of training in a close, non-production environment, can result in downtime or other severe consequences and
therefore are not intended as a reference guide. This guide is not a technical reference and should not, under any circumstances be used
in a production environment. Customers should refer to the published specifications applicable to specific products for technical
information. The information in this guide is distributed AS IS, and the use of this information or implementation of any recommendations
COPYRIGHT
© 2018 Fast Lane GmbH. All rights reserved.
All other brands and product names are trademarks of their respective owners.
No part of this book covered by copyright may be reproduced in any form or by any means (graphic, electronic, or mechanical, including
photocopying, recording, taping, or storage in an electronic retrieval system) without prior written permission of the copyright owner.
Fast Lane reserves the right to change any products described herein at any time and without notice. Fast Lane assumes no responsibility
or liability arising from the use of products or materials described herein, except as expressly agreed to in writing by Fast Lane. The use
or purchase of this product or materials does not convey a license under any patent rights, trademark rights, or any other intellectual
property rights of Fast Lane.
The product described in this manual may be protected by one or more patents, foreign patents, or pending applications.
II Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane
SISE Lab Guide 1
Overview 1
Outline 1
Lab 1-1: Complete Cisco ISE GUI Setup 3
Activity Objective 3
Visual Objective 3
Required Resources 3
Task 1: Verify Cisco ISE setup using CLI 4
Task 2: Initial Login and Initial Message Management 6
Task 3: Disable Profiling 11
Lab 2-1: Integrate Cisco ISE with Active Directory 22
Visual Objective 22
Task 1: Configure Active Directory Integration 23
Task 2: Configure LDAP Integration 28
Lab 2-2: Basic Policy Configuration 32
Visual Objective 32
Command List 33
Task 1: Adjusting Radius Settings 34
Task 2: Create Network Devices and Network Device Groups 36
Task 3: Create Wired and Wireless Policy Sets 46
Task 4: Create Authentication Policy for the Wired and Wireless Policy Set 49
Task 5: Authorization Policy Configuration for AD Employees and AD Contractors 52
Task 6: Client Access Wired 58
Task 7: Client Access Wireless 64
Task 8: Creating a Global Exception 69
Task 9: Network visibility with Context Visibility 71
Lab 3-1: Configure Guest Access 73
Visual Objective 73
Task 1: Guest Settings 74
Task 2: Guest Locations 76
Lab 3-2: Guest Access Operations 77
Visual Objective 77
Task 1: Hotspot Portal Operations 79
Task 2: Self-Registration Portal Operations 94
Task 3: Enabling Self-Registration with Sponsor Approval 107
Task 4: Sponsored Guest Logins 113
Task 5: Guest Account Management via the Sponsor Portal 126
Lab 3-3: Create Guest Reports 128
Visual Objective 128
Task 1: Running Reports from Cisco ISE Dashboard 129
Lab 4-1: Configuring Profiling 132
Command List 132
Task 1: Configuring Profiling in Cisco ISE 133
Task 2: Configure the Feed Service 138
Task 3: Configuring Profiling in Cisco ISE 140
Task 4: NAD Configuration for Profiling 142
Lab 4-2: Customizing the Cisco ISE Profiling Configuration 144
Task 1: Examine Endpoint Data 145
Task 2: Create a Logical Profile 150
Task 3: Creating a New Authorization Policy using a Logical Profile 151
Task 4: Create a Custom Profile Policy 152
Task 5: Testing Authorization Policies with Profiling Data 156
Lab 4-3: ISE Profiling Reports 160
Task 1: Run Cisco ISE Profiling Reports 161
Task 2: Endpoint Profile Changes Report 163
Task 3: Context Visibility Dashlet Reports 164
Lab 5-1: BYOD Configuration 166
Task 1: Portal Provisioning 168
Task 2: Provisioning Configuration 172
Task 3: Policy Configuration 177
Task 4: Employee Tablet Registration 184
Lab 5-2: Device Blacklisting 191
Task 1: Blacklist a Device 192
Task 2: Lost Access Verification. 195
Task 3: Endpoint Record Observations 196
Task 4: Un-Blacklist the Device 199
Task 5: Verify Access Capability 200
Task 6: Blacklisting a Stolen Device 201
Lab 6-1: Compliance 204
Task 1: Posture Preparation 205
Task 2: Authorization Profiles 209
Task 3: Adjusting Authorization Policy for Compliance 212
Lab 6-2: Configuring Client Provisioning 216
Task 1: Client Updates 217
Task 2: Client Resources 218
Task 3: Client Provisioning Policies 223
Lab 6-3: Configuring Posture Policies 224
Task 1: Configuring Posture Conditions 225
Task 2: Configuring Posture Remediation 228
Task 3: Configuring Posture Requirements 231
Task 4: Configuring Posture Policies 234
Lab 6-4: Testing and Monitoring Compliance Based Access 236
IV Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane
Command List 237
Task 1: AnyConnect Unified Agent Access 238
Lab 6-5: Compliance Policy Testing 242
Task 1: Configure a Faulty Policy 243
Task 2: Use Posture Reports for Troubleshooting 244
Task 3: Using the Posture Troubleshooter 245
Task 4: Policy Correction and Testing 247
(Optional) Lab 7-1: Using Cisco ISE for VPN Access 249
Command List 250
Task 1: Lab Preparation 251
Task 2: Testing VPN Client Access 258
(Optional) Lab 7-2: Configuring Cisco AMP for ISE 264
Command List 265
Task 1: Configuring the Cisco AMP Cloud 266
Task 2: Configuring Posture Policies and Conditions 269
Task 3: Configuring Posture, AMP and AnyConnect Profiles 271
Task 4: Enabling and Provisoning TC-NAC Services 274
Task 5: Verify Provisioning of AMP for Endpoints (Optional) 277
Lab 8-1: Configure TACACS+ for Cisco ISE for Basic Device Administration 280
Task 1: Policy Configuration for AD Employees and AD Contractors 281
Lab 8-2: Configure TACACS+ Command Authorization 288
Task 1: Configure Command Sets 289
Task 2: TACACS+ Features 292
(Optional) Lab 8-3: Configuring Backups and Patching 295
Task 1: Configuring Backups 296
(Optional) Lab 8-4: Configuring Administrative Access 300
Task 1: Administrative Access 301
Task 2: Administrator Access and Authorization 302
Task 3: Testing AD Administrative Access 305
(Optional) Lab 8-5: Review of General Tools 306
Task 1: RADIUS Authentication Troubleshooting 307
Task 2: TCPDump 308
(Optional) Lab 8-6: Report Operations 310
2018 Fast Lane TOC V

Task 1: Running Report with Filters 311
Task 2: Saving and Scheduling Reports 312
Task 3: Favorite Reports 314
VI Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane
This guide presents the instructions and other information concerning the lab activities for
this course. You can find the solutions in the lab activity Answer Key.
This guide includes these activities:

Lab 1-1: Complete Cisco ISE GUI Setup
Lab 2-1: Integrate Cisco ISE with Active Directory
Lab 2-2: Basic Policy Configuration
Lab 3-1: Configure Guest Access
Lab 3-2: Guest Access Operations
Lab 3-3: Guest Reports
Lab 4-1: Configuring Profiling
Lab 4-2: Customizing the Cisco ISE Profiling Configuration
Lab 4-3: ISE Profiling Reports
Lab 5-1: BYOD Configuration
Lab 5-2: Device Blacklisting
Lab 6-1: Compliance
Lab 6-2: Configuring Client Provisioning
Lab 6-3: Configuring Posture Policies
Lab 6-4: Testing and Monitoring Compliance Based Access
Lab 6-5: Compliance Policy Testing
(Optional) Lab 7-1: Using Cisco ISE for VPN Access
(Optional) Lab 7-2: Configuring Cisco AMP for ISE
Lab 8-1: Configure TACACS+ for Cisco ISE for Basic Device Administration
Lab 8-2: Configure TACACS+ Command Authorization
(Optional) Lab 8-3: Configuring Backups and Patching
(Optional) Lab 8-4: Configuring Administrative Access
(Optional) Lab 8-5: Review of General Tools
(Optional) Lab 8-6: Report Operations
2 Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane
Complete this lab activity to practice what you learned in the related module.
In this activity, you will complete the GUI portion of the setup for this lab environment.
After completing this activity, you will be able to meet these objectives:
Log into Cisco ISE and process initial information messages
Disable profiling
Perform administrative certificate management services for Cisco ISE with a CA
The figure illustrates what you will accomplish in this activity.
These are the resources and equipment that are required to complete this activity:
Admin PC
ISE-1 (bootstrap)
© 2018 Fast Lane Lab Guide 3

In this task, ISE has been partially preconfigured for you. This task will allow you to get
console CLI to verify system setup.
Activity Procedure
Complete these steps:
Step 1 Access the Cisco ISE console according to your lab access procedures provided
by your instructor
Step 2 At the login prompt, enter a username of admin and password of 1234QWer
Step 3 You should see the following prompt:

ise-1/admin#
Step 4 Enter the following command and observe the following output and the status of
the services.
show application status ise
Step 5 Verify NTP synchronization. At the command prompt, type the following
command:
show ntp
Step 6 Observe the following output paying attention to the * at the beginning of the line
and the text
Step 7 Verify DNS Name Resolution. At the command prompt enter the following
command:
nslookup ise-1.demo.local
Activity Verification
You have completed this task when you attain this result:
Successfully observed Cisco ISE services status
Successfully observed NTP synchronization
Successfully performed a nslookup to verify proper name resolution

In this task, you will perform an initial login to Cisco ISE. During initial login, certain pop-
up messages are presented to the user. You will be observing these messages and selecting
options to reduce these messages during logins.
Activity Procedure
Step 1 Access your Admin PC. Use the credentials Administrator / 1234QWer
Step 2 Open the Firefox web browser and navigate to https://ise-1.demo.local
Note You can use the toolbar shortcut as well
Step 3 Accept the Your connection is not secure message by expanding Advanced and
click Add Exception. Uncheck the Permanently store this exception checkbox
at the bottom.
Step 4 Click Confirm Security Exception.
Step 5 Login with the credentials admin / 1234QWer.
Step 6 If showing up, for the Visibility Setup Wizard pop-up, click Do not show this
again.
Step 7 Navigate the various sub-menu options available under the Home screen tab. In
later labs, you will be configuring other aspects of ISE and these dashboards will
be populated and updated accordingly. Since we have no devices or users who are
yet defined, many dashboards are empty.

Step 8 Navigate to Context Visibility > Endpoints. Again, explore the various sub-
menus available here. Do the same with the Network Devices menu available
under Context Visibility.
Note Context Visibility provides the administrator with a more holistic view of the network. It
allows for quick sorting and filtering of context information. Administrators can view
dashlets to get detailed informational data.
Step 9 These dashboards and dashlets can be customized to meet your needs. By
gear
to you and customizable options.
These options will change depending on which main menu heading you are
viewing, Home, or Context Visibility. Take a moment to explore these options.
Step 10 Back under the Home tab, you can add additional dashboards in two ways. Click
gear
option beyond this, such as adding additional dashlets to the present view. You
can also change the layout of the display and manage dashboards as well.
Step 11 Add a new dashboard by using either method that is mentioned above. Name it
MYTEST and click Apply when done. Then select 2 or 3 dashlet parameters of
your choice to be included with that dashboard. Then click Save. You can then
view this new dashboard once complete and it will appear as a sub-menu option.
Step 12 By clicking the gear icon on the right, notice that you can rename this dashboard,
and add additional dashlets. If you click Add Dashlets, you will see that you can
configure the dashboard to display what is important to you, for your
environment. Click Close to exit.
Step 13 Now, go ahead and delete this Dashboard by clicking the X next to the MYTEST
name and click OK on the pop-up warning window to delete the dashboard. You
will be adding dashboards in later labs that will be more relevant to the task being
performed.
Step 14 Similarly, by navigating to the Context Visibility page and clicking the gear
icon on the right, you are presented with options to create new views, or directly
jump to a preexisting dashboard. Again, you will be customizing these pages in
later labs where appropriate.
Step 15 Next, navigate to the other menu options available just to familiarize yourself
with GUI navigation. You will be accessing most of the configuration options
available in much more detail throughout the entire course.
The Operations tab will allow you to view live logs and live sessions for things
such as RADIUS and TACACS+ sessions.
The Policy tab is where you will perform authentication and
authorization configurations, as well as profiling, provisioning, and
posture. Take the time to view the default polices that come with ISE for
authentication, authorization, profiling, and provisioning. You will be
modifying some of these and adding new policy configurations in later
labs.
The Administrations tab is where you will perform system functions,
identity management, add network resources, device portals, and other
services available on Cisco ISE.
There is a new menu option available with ISE version 2.1 that is called
Work Centers. The Work Centers provide guided workflow process for
configuring various ISE services. Work Centers also provide direct links
to specific configuration pages. Take some time to click the various sub
menu options, and pay particular notice to the overview pages. These
help guide you through the ISE workflow process. For example, choose
BYOD, or Guest Access,
or Network Access.
You have completed this task when you attain these results:
You have successfully logged in the Cisco ISE using the credentials provided during
the first lab.
You have processed the initial messages that are shown to the user upon login
Familiarized yourself with the Cisco ISE user interface
In this test, you will disable profiling which is enabled by default during the Cisco ISE
installation process. You will be enabling profiling in a later lab.
Activity Procedure
Step 1 Navigate to Administration > System > Deployment.
Step 2 Click the ise-1 hostname hyperlink.
Step 3 Uncheck the Enable Profiling Service checkbox. Verify with the following
screenshot.
Step 4 Scroll down and click Save.

Step 5 After a minute, you will see the following message. Click OK or let it restart
automatically.
Note System services are being reconfigured and restarted. The message will auto close and
the browser will automatically log you out if you do not click the OK button.
Step 6 After a few minutes, log back in to the ISE Admin Portal.
Note You may check the status of the service restart via the console or CLI using the
command show application status ise. Once the Application Server is running, you will
be able to log in. If you check before the service is reconfigured, you may see the service
admini Message.
Step 7 Once logged in, click the gear in the upper right of the window and verify that
Session is the only Policy Service (Identity Mapping,Session) service running.
Step 8 Click Server Information.
Note If you see (ALL) instead of (Session), perform steps 1 through 7 again paying attention to
step 5.
Step 9 Click OK of the notification to close it.
You have disabled profiling in Cisco ISE

Task 4: Certificate Enrollment
In this task, you will enroll Cisco ISE with the certificate authority in your pod.
Activity Procedure
Download CA certificate
Step 1 In the web browser on the admin PC, open a new tab and navigate to
http://ad1.demo.local/certsrv.
Step 2 When prompted use the credentials administrator / 1234QWer.
Step 3 Click the link Download a CA certificate, certificate chain, or CRL.
Step 4 Click the Download CA certificate link.
Step 5 Click OK to save the file.
Note If using Firefox, you may have to click the install this CA certificate link at the top in order to
install the CA certificate in the browser. This must be performed due to the fact that Firefox
uses a separate certificate store from the operating system. Select Trust this CA to identify
websites and click OK.
Install CA certificate
Step 6 In the Cisco ISE admin portal tab, navigate to Administration > System >
Certificates.
Step 7 Then select Trusted Certificates under Certificate Management.
Step 8 Click the Import button in the right-hand pane.
Step 9 Click the button and navigate to your Downloads folder.
(C:\Users\Administrator\Downloads).
Step 10 Select the file certnew.cer and then select the Open button.
Note You may or may not see the.cer extension depending upon your Windows Explorer
configuration.
Step 11 In the Friendly Name field enter demo.local CA Certificate.

Step 12 Select the following three options as indicated in the screenshot.
Step 13 In the Description field enter, CA cert from ad1.demo.local.

Step 14 Click Submit at the bottom.
Generate Certificate Signing Request
Step 15 In the left pane, select Certificate Signing Requests under Certificate
Management.
Step 16 Click the button at the top of the right pane, Generate Certificate Signing
Requests (CSR).
Step 17 Perform the following procedure to generate your CSR.
Certificate Signing Request Procedure
Step Action Notes
1. Verify Usage is set to Admin
2. Check Allow Wildcard Certificates Click the information (i) to read

important wildcard certificate
configuration information.
3. In the Subject area, use the following: $FQDN$ should be a preexisting

entry. There is no need to
modify it.
4. In the Subject Alternative Name area, configure the Click the plus(+) sign to add
following: additional SAN entries.
The aaa name is a CNAME
record.
The ise name is a CNAE
record.
Adding the IP address as
both a DNS Name and IP
Address addresses a
compatibility issue with
Microsoft Windows Clients.
5. Verify the Key Type is RSA
6. Verify the Key Length is 2048
7. Verify the Digest to Sign with is SHA-256
8. Verify your settings with the screenshot below
9. Click Generate

Step 18 You will receive a confirmation pop-up window notifying you that you have
successfully generated your CSR.
Step 19 Click the Export button.

Step 20 Save the file.
Process CSR with CA
Step 21 In the left pane, click Certificate Signing Requests again.
Step 22 In the right pane select the check box to the left of the previously processed CSR.
Step 23 Click the View button in the toolbar.

Step 24 Observe the CSR Details.
Step 25 Click the tab CSR Contents and observe the text of the certificate request.
Step 26 Highlight (Ctrl-A) and copy the complete contents to the clipboard (Right-click
and selecting Copy or pressing Ctrl-C will both work).
Step 27 Click Close.
Step 28 Return to the tab for the Microsoft Active Directory Certificate Services page.
(http://ad1.demo.local/certsrv with username administrator, password 1234QWer)
Step 29 Click the Home link in the upper right-hand corner.
Step 30 Click the Request a certificate link.
Step 31 Click the advanced certificate request link.
Step 32 Right-click and paste the contents into the Saved Requests field.

Step 33 From the Certificate Template drop-down select Web Server.
Step 34 Click the Submit> button.
Step 35 Select Base 64 encoded.
Step 36 Click Download certificate.
Step 37 Click OK to save the file.
Step 38 Open the Downloads folder and rename the certnew(1).cer certificate into ise-1
Admin Cert.cer
Install (Bind) CA signed certificate
Step 39 Return to the Cisco ISE browser tab.
Step 40 In the Certificate Management > Certificate Signing Requests page, select the
check box to the left of the previously processed CSR.
Step 41 The small toolbar above, click the Bind Certificate button.
Step 42 Click Browse and navigate to the Downloads folder again if necessary.
Step 43 Select the file ise-1 Admin Cert.cer.
Step 44 Click Open.
Step 45 In the Friendly Name field enter ise-1 Admin Cert.
Step 46 Select Admin, to assign the certificate to the Admin role.
Step 47 Click Submit.
Step 48 The system will log you out and restart services.
Step 49 Log back in after a few minutes.
Note You may check the status of the service restart via the console or CLI using the
command show application status ise. Once the Application Server is running, you will
be able to log in.
Certificate Verification
Step 50 In your browser URL bar, click the lock icon to the left of https://. Observe the
following field which indicates a trusted CA signed certificate.
Step 51 Click on the right side arrow and then More Information.
Step 52 Click View Certificate.
Step 53 Observe the Issued By is the root-CA for your pod.

Step 54 Click the Details tab and scroll down to Certificate > Extensions > Certificate
Subject Alt Name and observe your wildcard configuration.
Step 55 Close all of the pop-up windows.

Modify Certificate Usage
You will be adding other usages to the certificate you just installed. Since ISE 1.3, multiple
certificates can be utilized for different purposes. The system creates a self-signed certificate
as assigns all functions to that certificate. You will bring those roles over to the CA signed
certificate you installed in the previous section.
Step 56 Return to Administration > System > Certificates.
Step 57 In the left pane, select System Certificates.
Step 58 Select the ise-1 Admin Cert from the list.
Step 59 Click Edit in the toolbar.
Step 60 In the Usage area, select EAP Authentication.

Step 61 Click OK on the warning.
Step 62 Select Portal and add a new Portal Group Tag by entering ISE Lab CGT.

Step 64 Verify your results with the following screenshot.
You have successfully installed the CA certificate on Cisco ISE
You have successfully enrolled Cisco ISE into your pod CA
You have verified the certificate via your web browser
You have additionally configured the installed certificate for EAP and Portal usage

In this activity, you will integrate Cisco ISE with Active Directory. After completing this
activity, you will be able to meet these objectives:
Perform a native immigration of Cisco ISE to Microsoft Active Directory
Populate the Cisco ISE dictionary with Active Directory attributes
Configure a LDAP integration
Populate the Cisco ISE dictionary with LDAP attributes
Admin PC
ISE-1
In this task, you will configure Cisco ISE to integrate with Microsoft Active Directory. You
will then configure active directory group and user attributes for utilization in Cisco ISE in
later labs.
Activity Procedure
Join Microsoft Active Directory
Step 1 In the ISE Admin Portal, navigate to Administration > Identity Management >
External Identity Sources and then in the left pane, select Active Directory.
Step 2 In the right pane, click Add in the toolbar.
Step 3 Enter demo.local in both the Join Point Name and the Active Directory
Domain fields.

Step 5 In the pop-up window asking if you would like to join all ISE nodes to this
Active Directory Domain, click Yes.
Step 6 In the Join Domain box, use the credentials Administrator / 1234QWer
Step 7 Select Specify Organization Unit checkbox.
Step 8 Modify the DN value to match the following.
Tip Since ISE 1.3 you can optionally specify the location that the ISE computer account(s)
will be created instead of using the default Computers container. If used, the OU must be
pre-created. ISE will not create an OU structure in Active Directory to match what is
entered here.
Step 9 Click OK.

Step 10 Once the process is Completed, click the Close button.

Run Diagnostic Tools
Step 11 Select the ise-1.demo.local node from the list
Step 12 From the toolbar, click Diagnostic Tool.
Step 13 Observe the different test names and that some are external, referenced by the
join point demo.local, and some are internal, referenced by the join point System.
Step 14 Check all Tests and click the button Run Tests now.
Note The test may take a minute to run.
Step 15 All tests should run with a status of Successful. Compare your output with the
following screenshot.
Tip Click the toolbar button View Test Details to view a text based output report where data
can be copied out for a baseline to compare against in the future.
Note In the case that the N show ntp
know bug in some version.
Tip You may also click any of the Result and Remedy hyperlinks for that test specific output.
Step 16 Scroll down and click Close.

Add Active Directory attributes to Cisco ISE dictionary
Step 17 In the left pane, click the demo.local entry under Active Directory.
Step 18 In the right pane, click the Groups tab.
Step 19 Click the +Add button on the toolbar and choose Select Groups from Directory.
Step 20 Cisco ISE 1.3 and above has expanded the filter capabilities in selecting groups
from Active Directory. Leave the Type Filter as ALL and click the Retrieve
button.
Step 21 Observe the list and notice there are many groups that likely would not be
applicable for utilization in Cisco ISE for policy matching.
Step 22 Now change the Type Filter to GLOBAL and click the
button.
Step 23 The resulting list is now likely more appropriate for policy usage. Select the
entire list of groups by checking the box in the header field.
Step 24 From that list, deselect the following groups.

demo.local/Users/DnsUpdateProxy
demo.local/Users/Domain Controllers
demo.local/Users/Domain Guests
demo.local/Users/Group Policy Creator Owners
demo.local/Users/Read-only Domain Controllers
Step 25 Click OK.
Step 26 Your list should match the following screenshot.

Step 27 Click Save at the bottom.
Step 28 In the right pane, click the Attributes tab.
Step 29 Click the +Add button on the toolbar and choose Select Attributes from
Directory.
Step 30 Enter employee2 in the Sample User or Machine Account text box and click the
button.
Step 31 Select badPwdCount and userPrincipalName from the list and click OK.
Note Only set attributes will be shown. If one account does not have an attribute set and a
different account does, for example Job Title or Department, it will show those attributes
when retrieving attributes from the account with the attribute set. An attribute could be set
after this list is pulled, and if that user is queried again the additional attribute will show in
the list.

Test Authentication
A new feature since ISE 1.3 is the ability to perform various methods of testing user
authentication to Active Directory. You will explore this feature in this section.
Step 33 In the left pane, click the demo.local entry under Active Directory.
Step 34 In the right pane, select the ISE node ise-1.demo.local checkbox.
Step 35 Select Test User from the toolbar.
Step 36 Change the Authentication Type to Lookup.
Step 37 Enter the username employee2.
Step 38 Click the Test button.
Step 39 Observe the test result in the box below. Observe the Processing Steps in the
bottom of the Authentication Result tab. Click the Groups and then Attributes
tabs and observe the details therein.
Step 40 Change the Authentication Type to Kerberos.
Step 41 In the Password field enter 1234QWer.
Step 43 Observe the test results in the box below. Observe the Processing Steps at the
bottom of the Authentication Result tab. Notice that the Authentication Ticket
(TGT) requests succeeded and the next two line items indicating Kerberos
success.
Step 44 Change the Authentication Type to MS-RPC.

Step 46 Observe the test results in the box below. Observe the Processing Steps at the
bottom of the Authentication Result tab.
Step 47 Close the test user authentication pop-up window.
You have successfully joined the Cisco ISE to demo.local.
You have successfully added active directory groups and user attributes to Cisco ISE.
You have successfully tested user authentication via all three authentication types.

In this task, you will configure Cisco ISE to integrate with LDAP. You will then configure
LDAP group and user attributes for utilization in Cisco ISE in later labs
Activity Procedure
Configure LDAP as an External Identity Source
Step 1 In the ISE Admin Portal, navigate to Administration > Identity Management >
External Identity Sources and then in the left pane, select LDAP.
Step 2 In the right pane, click +Add in the toolbar.
Step 3 In the Name field enter LDAP_demo_local.
Step 4 In the Description field enter demo.local LDAP configuration.
Step 5 In the drop-down for Schema, select Active Directory.
Step 6 Click the Connection tab.
Step 7 In the Hostname/IP field enter ad1.demo.local.
Step 8 Select Authenticated Access.
Step 9 In the Admin DN field enter cn=administrator,cn=users,dc=demo,dc=local.
Step 10 In the password field enter 1234QWer.
Step 11 Verify your settings with the screenshot below.
Step 12 Scroll down and click the Test Bind to Server button. This should be successful.
Note Observe the response time for future comparison. Make note of it in this lab guide if
needed.
Step 13 Now that you have successfully verified in LDAP connection, modify the
configuration to perform a secure LDAP (LDAPS) lookup. Change the Port from
389 to 636.
Step 14 Enable Secure Authentication.
Step 15 In the LDAP Server Root CA certificate drop-down, select demo.local CA
Certificate.
Step 16 Verify your configuration with the following screenshot.

Step 17 Click the Test Bind to Server button. This should be successful.
Note Observe the response time between the previous clear text LDAP bind in the LDAPS
bind. Additional time is required to set up and verify the SSL tunnel before the performing
of the LDAP lookup. Keep this in mind when designing and architecting the placement of
Cisco ISE in a production environment.
Step 18 Click the Directory Organization tab.

Step 19 In the Subject Search Base field enter dc=demo,dc=local.
Step 20 In the Group Search Base field enter dc=demo,dc=local.
Step 21 As you will not be using LDAP for MAC address lookups, leave the search
pattern as is.
Step 22 Click Submit at the bottom to save this configuration.
Add LDAP attributes to Cisco ISE dictionary
Step 23 Select Groups from the tabs at the top.
Step 24 Click the +Add button on the toolbar and choose Select Groups from Directory.
Step 25 Accept the default filter (*) and click the button.
Step 26 Select CN=Contractors,OU=Groups,OU=HCC,DC=demo,DC=local from the
list.
Step 27 Click OK.
Step 28 Select Attributes from the tabs at the top.
Step 29 Click the +Add button on the toolbar and choose Select Attributes from
Directory.
Step 30 Enter contractor2@demo.local in the Example Subject text box and click the
button.
Step 31 From the list of attributes select userPrincipleName.
Step 32 Click OK.
Step 33 Scroll to the bottom and click Save.
Note You have configured your pod Active Directory as an External Identity Source. This
configuration will be utilized for authentication in later labs.
You
active directory via LDAP
You have successfully modified your configuration of Cisco ISE to authenticate and pull
data from your Active Directory server via LDAPS.

In this activity, you will configure a basic access policy for employees and consultants. After
completing this activity, you will be able to meet these objectives:
Configure Cisco ISE to utilize Policy Sets
Configure Cisco ISE Policy Set differentiation filters
Configure an Identity Access Restricted global exception policy
Configure policies sets for both wired and wireless access
Configure a policy for Active Directory employees and consultants
Configure a policy for wired access
Configure a policy for wireless access
Admin PC
ISE-1
AD
vWLC
The table describes the commands that are used in this activity.
Lab Commands
Command Description
Show the status of connections to AAA

servers configured on the switch.
Perform a test authentication to the AAA

server via the internal switch AAA sub-
system.
Show authentication information details

for Port GigabitEthernet1/0/1.

In this task, you will adjusting radius settings to prevent dropping client connections, based
on failed logins.
Activity Procedure
Adjusting RADIUS settings

In this section, you will be disabling log suppression. Log suppression is enabled by default
to reduce monitoring data storage. By disabling log suppression, you will be able to view
repeated successful authentications and anomalous clients. This will provide you with a
more functional flow of every authentication and authentication attempt in your lab
environment.
Note This step is traditionally used for troubleshooting. It is not recommended for normal Cisco
ISE operations.
Step 1 Navigate to Administration > System > Settings.

Step 2 In the left pane navigate to Protocols > RADIUS. In the right pane uncheck
Suppress repeated failed clients and Suppress repeated successful
authentications. Click OK to the pop-up notification messages.
Step 3 Confirm your settings with the following screenshot.
Step 4 Click Save and acknowledge the informational message.
Tip The Reset To Defaults button is the most convenient way to go back to the original
configuration.
You have successfully enabled Cisco ISE to utilize Policy Sets.
You have successfully logged in and observe the policy set configuration.

In this task, you will create and configure Network Devices for Wired and Wireless Access.
Addional you create Network Device Groups and you will assign the NDG to the NADs.
Activity Procedure
Create Network Access Devices
Step 1 In the Cisco ISE admin portal, navigate to Administration > Network
Resources > Network Devices.
Step 2 In the right pane click the +Add button from the toolbar.
Step 3 Add the following network device using the information in the table below.
Network Device 3k-access
Attribute Value
Name 3k-access
Description 3650 access switch
IP Address 10.1.100.1 /32
Device Profile Cisco
Model Name <blank>
Software Version <blank>
Network Device Group
Location All Locations
IPSEC Is IPSEC Device
Device Type All Device Types
RADIUS Authentication Settings Checked
Shared Secret 1234QWer

TACACS+ Authentication Settings Unchecked
SNMP Settings Unchecked
Advanced TrustSec Settings Unchecked

Step 5 Access your 3k-access switch console.
Step 6 To save time, your switch has been preconfigured for the appropriate AAA and
RADIUS configuration to interoperate with Cisco ISE. Verify communication
with the radius server by performing the following command. Your output should
resemble the screenshot below with a state of UP.
Step 7 Perform a test authentication via the switch CLI. Your test results should be
User successfully authenticated.
Step 8 Return to your ISE Admin portal and navigate to Operations > RADIUS > Live
Logs.
Step 9 Click the Details for the sucessful employee authentication.

Step 10 Observe the authentication details in the opened tab.
Step 11 In the right column examine the steps to see the specifics.
Step 12 Return to the switch and perform the same test again using the NetBIOS name
format for the username. This should also be successful.
Note You could also test the username in UPN format, employee1@demo.local
Step 13 Return to your ISE Admin portal and navigate to Operations > RADIUS > Live
Logs.
Step 14 Click the Details for the successful employee authentication.

Step 15 Observe in the opened tab that the authentication succeeded due to ambiguous
credentials. This is due to your lab using the same usernames and passwords for
simplicity in both Active Directory domains.
Step 16 In the right column examine the steps to see the specifics.
Step 17 Add the following network device using the information in the table below.
Network Device vwlc
Attribute Value
Name vwlc
Description Pod vWLC
IP Address 10.1.100.61 /32
Model Name <blank>
Location All Locations
IPSEC Is IPSEC Device
Device Type All Device Types
Radius Authentication Settings Checked

TACACS+ Authentication Settings Unchecked
Create and Assign Network Access Device Groups
Step 19 Navigate to Administration> Network Resources> Network Device Groups.
Step 20 In the top menu Choose group select All Device Types.
Step 21 In the menu click +Add and separately create the following network
device groups. Select All Device Types as Parent Group for each new group.
Network Device Groups Device Types
Name Description
Wired Wired Access Switches
Wireless WLCs
VPN VPN Access Devices
Step 22 When complete your configuration should match the following screenshot.
Step 23 In the top menu Choose group select All Locations.

Step 24 In the menu click +Add and separately create the following network device group
locations. Select All Locations as Parent Group for each new group.
Network Device Groups Locations
Name Description
HQ Headquarters
Branch Branch
RnD Lab Research and Development Lab
Step 25 When complete your configuration should match the following screenshot.

Assign Network Device Groups
Step 26 Click Network Devices.
Step 27 Edit the 3k-access and the wlc network devices with the following information,
using the screenshot as an example template.
Network Device Network Device Group Configuration
Device Name Device Type Location
3k-access Wired HQ
vwlc Wireless HQ
Step 28 Once completed your configuration should match the following screenshot.
You have configured the 3k-access switch as a network device in Cisco ISE.
You have configured the vwlc as a network device in Cisco ISE.
You have create different NDG and assign the groups to the network devices.
You have successfully performed test authentications via the switch CLI.

In this task, you will create and configure multiple policy sets, one for wired and one for
wireless. For academic purposes, you will have the option to create an additional policy set
at the end of this task. This policy set will not contain any policies nor be used in this lab,
but instead is being created to give you one additional example of a possible policy set
option.
Activity Procedure
Policy Set Creation Wired Access
Step 1 Navigate to Policy > Policy Sets.
Step 2 Click the plus icon (+) in the toolbar to create a new Policy Set.
Step 3 Verify that New Policy Set 1 is created above the default policy set.
Step 4 Click the words New Policy Set 1 to edit the field.
Step 5 Enter Wired_Access as the policy set Name.
Step 6 Enter Wired Access in the Description field.
Step 7 Click in the Conditions field to create a new condition and treat the following
condition:
Step 8 Click the words Click to add an attribute to select an attribute for the new
condition.
Step 9 Click the Symbol Network device.
DEVICE:Device Type EQUALS All Device Types#Wired
Step 10 Select DEVICE:Device Type in the menu.
Step 11 Leave the Operator unchanged (Equals).
Step 12 Select from the Drop-Down Menu (Choose from list or type) All Device
Types#Wired.
Step 13 Click Use at the bottom.

Step 14 Assign the from the Allowed Protocols Drop-Down Menu Default Network
Access.
Step 15 Your policy set condition should look like the following screenshot.
Step 16 Click Save.

Policy Set Creation - Wireless Access
Step 17 Click the Gear icon on the right side of the Wired_Access policy set and select
Duplicate below to create a new policy set for wireless access.

Step 18 Configure this policy set according to the following table and compare your
results with the following screenshot.
Policy Set Wireless Access
Name Description Condition(s) Allowed Protocols / Server Sequence
Wireless_Access Wireless DEVICE:Device Type EQUALS All Default Network Access

Access Device Types#Wireless
Step 19 Click Save.

Step 20 Your policy sets screen should match the following screenshot.
You have configured two policy sets
Wired Access
Wireless Access
In this task, you will create a few default policies to both wired and wireless policy sets.
Activity Procedure
authorization rules in the default set. You can only modified rules in the default set. The
recommend way is, to configured your own policy sets and rules above the default set.
Step 1 Access the ISE admin portal via the Admin PC.
Step 2 Navigate to Policy > Policy Set > Wired_Access.
Step 3 Click the arrow > on the right side from your Wired_Access sets to change the
view.
Step 4 Expand the Authentication Policy view.
Step 5 Click the + symbol to create a new authentication policy.

Step 6 Click the words Authentication Rule 1 and change the name to MAB.
Step 7 Click the + symbol to assign a condition to the rule.
Step 8 Move (Drag & Drop) the condition Wired_MAB from the Library to the
Editor.
Step 9 Click the Use button..

Step 10 Change the Identity Source to Internal Endpoints.

Step 11 Click the gear symbol on the right side from the MAB rule.
Step 12 Click Insert new row below from the Drop-Down Menu.
Step 13 Enter the rule name DOT1X and assign the condition Wired_802.1X. Change
the Identity Source to All_User_ID_Stores.
Step 14 Change the Identity Source from the Default rule to DenyAccess.
Step 15 Your Authentication Policy should be the same as the screenshot below.
Step 16 Click the Save button.

Step 17 Navigate to Policy > Policy Set > Wireless_Access.
Step 18 Click the arrow > on the right side from your Wireless_Access sets to change the
view.
Step 19 Repeat the steps 5 to 16 but use the following conditions from the library.
Authentication Rule Condition from Libary
MAB Wireless_MAB
DOT1X Wireless_802.1X
Step 20 The Authentication Policy should be as the screenshot below.
You have configured authentication rules for MAB and 802.1x in the Wired_Access and
Wireless_Access policy set.

In this task, you will configure Cisco ISE to process domain employees and domain
contractors.
Activity Procedure
Create Authorization Profiles
Step 1 Navigate to Policy > Policy Elements > Results then to Authorization >
Downloadable ACLs.
Step 2 Click +Add in the right pane toolbar.
Step 3 Create a dACL for the employees with the following attributes:
Downloadable ACL acl_employee
Attribute Value
Name acl_employee
Description Employee access ACL restricting access to the Quarantine

Network.
DACL Content
Step 4 Click Check DCAL Syntax to verify you entered all ACL statements correctly.

Step 6 Create another dACL for the contractors using the following attributes:
Downloadable ACL acl_contractor
Attribute Value
Name acl_contractor
Description Contractor access ACL restricting access to the Quarantine and

AP network.
DACL Content

Step 8 Create another dACL for Domain Computers using the following attributes:
Downloadable ACL acl_machine
Attribute Value
Name acl_machine
Description Domain computer ACL that only allows access to DHCP, DNS, and
the DC.
DACL Content
Step 10 In the left pane click Authorization Profiles.
Step 11 Add an Authorization Profile by clicking +Add in the right pane toolbar.
Step 12 Create the following Authorization Profile for employees (Wired):
Note Leave all other settings at their defaults.
Employee Authorization Profile

Attribute Name Value
Name Wired Employee Access
Common Tasks
DACL Name acl_employee

Step 14 Create another profile for the contractors (Wired) using the following attributes:
Contractor Authorization Profile
Name Wired Contractor Access
Common Tasks
DACL Name acl_contractor

Step 16 Create another profile for the domain computers (Wired) using the following
attributes:
Domain Computer Authorization Profile
Name Wired Domain Computer Access
Common Tasks
DACL Name acl_machine
Step 18 Create the following Authorization Profile for employees (Wireless):

Employee Authorization Profile
Name Wireless Employee Access
Common Tasks
Airespace ACL Name EMPLOYEE_ACL

Step 20 Create another profile for the contractors (Wireless) using the following
attributes:
Contractor Authorization Profile
Name Wireless Contractor Access
Common Tasks
Airespace ACL Name CONTRACTOR_ACL
Step 22 Create another profile for the domain computers (Wireless) using the following
attributes:
Domain Computer Authorization Profile
Name Wireless Domain Computer Access
Common Tasks
Airespace ACL Name MACHINE_ACL

Authorization Policy
Step 24 Return to the Policy > Policy Sets > Wired_Access > Authorization Policy.
Step 25 Add the following policy above the Default policy by clicking on the gear icon
on the right. From the menu, select Insert new row above.
Step 26 Add the following policy for Employees:

Employee Authorization Policy
Attribute Value
Rule Name Wired AD Employees

Conditions demo.local:ExternalGroups Equals
(identity groups and other demo.local/HCC/Groups/Employees
conditions)
Results (Profiles) Wired Employee Access
Step 27 While in the condition definition, save the condition to the library by clicking the
Save button.
Note This will facilitate a more rapid use of this condition in future policies instead of having to
build it every time.
Step 28 In the Condition Name field enter Demo-Employees and click the green
checkmark.
Step 29 Click Save at the bottom of the window.

Step 30 Click the Use button.
Step 31 Add another policy above the built-in Default policy policy by clicking on the
gear icon on the right. From the menu, select Insert new row above.
Step 32 Add the following policy for Contractors, saving (adding) the condition to the
library as Demo-Contractors:
Contractor Authorization Policy
Attribute Value
Rule Name Wired AD Contractors

Conditions demo.local:ExternalGroups Equals demo.local/HCC/Groups/Contractors
(identity groups and other
conditions)
Results (Profiles) Wired Contractor Access
Step 33 Add another policy above the built-in Default policy by clicking on the gear icon
on the right. From the menu, select Insert new row above.

Step 34 Add the following policy for Domain Computers, saving (adding) the condition
to the library as Demo-Computers:
Computers Authorization Policy
Attribute Value
Rule Name Wired AD Computers

Conditions demo.local:ExternalGroups Equals demo.local/Users/Domain Computers
conditions)
Results (Profiles) Standard > Wired Domain Computer Access
Step 35 Verify your policies with the following screenshot.
Note Rule order is important as rules are processed from top down.
Policy Rule Process for the Wireless Policy Set
Step 37 Navigate to the Policy > Policy Sets > Wireless_Access > Authorization
Policy.
Step 38 Add the following policy above the Default Policy. Use the following parameters
from the table below:
Rule Name Conditions (Library) Results (Profiles)
Wireless AD Employees Demo-Employee Wireless Employee Access
Wireless AD Contractors Demo-Contractors Wireless Contractor Access
Wireless AD Computers Demo-Computers Wireless Domain Computer Access
Step 39 Scroll down and verify your Authorization Policy rule order is as follows.
Wireless_Access Authorization Policy Order
Status Rule Name
Enabled Wireless AD Employees
Enabled Wireless AD Contractors
Enabled Wireless AD Computers
Enabled Default
Step 40 Change, if needed, the permissions from the Default policy to DenyAccess.
Examined the built-in authentication and authorization policies.
Created employee, contractor and machine s)
Created employee, contractor, and domain computer authorization profiles
Created employee, contractor, and domain computer authorization policies saving the
conditions to the library.

In this task, you will be configuring Cisco ISE to provide wired access to clients.
Activity Procedure
Step 1 Access your 3k-access switch console.
Step 2 Perform the test using the NetBIOS name format for the username. This should
now
Note You could also test the username in UPN format, employee1@demo.local
Test Client Wired Access

Step 3 Access your W10PC-Corp.
Step 4 Log in with the credentials W10PC-CORP\student / 1234QWer.
Step 5 Open up network settings and enable the NIC if not enabled.
Step 6 Open Services from Windows Administrative Tools in the Start menu.
Step 7 Verify and, if necessary, modify the Wired AutoConfig service to have a startup
type of Automatic and then Start the service.
Step 8 Click OK.
Step 9 Close the services console.
Step 10 Return to the NIC settings and open the properties for the NIC.
Step 11 Click the Authentication tab.
Step 12 Configure and verify the settings with the following screenshot.
Step 13 Click the button

Step 14 Enable the Specify authentication mode and verify the mode is User or
computer authentication.
Step 15 Click OK.

Step 16 Click the Settings button.

Step 17 In the list of Trusted Root Certification Authorities select root CA. Verify all
other settings with the screenshot below
Step 18 Click the button. And verify that Automatically use my Windows
login name and password (and domain if any) is enabled
Step 19 Click OK three times to close all the windows.
Step 20 Restart the client machine using the Start menu.
Step 21 While the PC is restarting access the 3k-access switch and verify that the
interface GigabitEthernet 1/0/1 is enabled. In the case that the interface is
disabled, enable the interface with a no shutdown command.
Step 22 Return to the ISE Admin portal and navigate to Operations > Radius > Live
Logs.
Step 23 After a minute or so, you should see the local machine login via 802.1X using
the machine credentials and be assigned the Domain Computer Access
Authorization Profile.
Note The Failed MAB access attempt was when the NIC came up and attempted to access
the network before the WiredAutoConfig services came online and sent the 802.1X
machine credentials.
Step 24 Return to the W10PC-Corp and login using the credentials demo\employee1 /
1234QWer
Step 25 Open a command prompt and ping the following addresses. 10.1.30.1 and
10.1.90.1. The first address should fail with a request timeout in the second
should succeed according to the dACL which you configured for
employee access.
Step 26 Access the 3k-access switch console.

Step 27 Perform the following command to observe the interface session information
paying particular attention to the username and the server policies which should
include the acl_employee dACL.

Step 28 Return to the Cisco ISE admin portal and navigate to Operations > Radius >
Live Log.
Step 29 Observe the new record details for the employee1 access.
Step 30 Click the DEMO\employee1 authentication details icon. Observe the details on
the steps included in this record.
Step 31 Return to the W10PC-Corp and Sign out the employee1 user.
Step 32 Log in using the credentials demo\contractor1 / 1234QWer
Step 33 Open a command prompt and ping the following addresses. 10.1.30.1 and
10.1.90.1. The first address should fail with a request timeout. In the second
should also fail according to the dACL which you configured for contractor
access.
Step 34 Now attempt to ping 10.1.100.1. This should succeed.
Step 35 Return to the Cisco ISE admin portal on the Admin PC.
Step 36 Observe the new contractor1 authentication success record. Also observe the
machine login that occurred between the employee1 logoff and the contractor1
logon.
You have configured the 3k-access switch as a network device in Cisco ISE.
You have successfully performed test authentications via the switch CLI.
You have successfully configured the W10PC-Corp to authenticate via 802.1X.
You have successfully logged in as a both employee1 and contractor1 and observed the
dACL restrictions appropriate for each username.
You have observed the authentication records in Cisco ISE.

In this task, you will configure the Cisco WLC as a network device in Cisco ISE, modify the
authorization profiles to process wireless access, and test a wireless authentication.
Activity Procedure
Step 1 On your Admin PC, open a new tab in your browser and access your pod vWLC.
Use the bookmark or https://wlc.demo.local.
Step 2 Log in with the Username admin and the password 1234QWer.
Step 3 Click WLANs and verify you have three (3) WLANs for your pod. A guest
WLAN, a wpa2e WLAN, and a hotspot WLAN.
Step 4 Make Note of the 3 WLAN and the WLAN numbers as these are the
Note If you do not have these WLANs, notify your instructor.
Step 5 Enable each of these WLANs by clicking on the WLAN numbers and changing
the Status to Enabled and Applying the configuration.
Step 6 Navigate to SECURITY then AAA > RADIUS > Authentication and verify
that Cisco ISE has been configured as a RADIUS server.
Step 7 Navigate to AAA > RADIUS > Accounting and verify that Cisco ISE has also
been configured as a RADIUS server.
Step 8 Navigate to WIRELESS a
configuration, the AP should be Admin Status Enabled.
If not, enable your AP by clicking on the AP Name and under the General tab
change Admin Status to Enabled. Then Apply your configuration.
Wireless Access
In this section, you will be using your pods wireless device to access the wireless networks
that are configured for your specific pod.
Note .
Step 9 On your W10PC-Corp, log off and login again as W10PC-CORP\student /

1234QWer.
Step 10 Access the Android tablet by launching the ANDROID CONTROL via Vysor
link on the desktop.
Step 11 The connection to the Tablet will automatically open, otherwise click View.
Step 12 If the Tablet is locked, you can unlock it with the PIN 1234
Caution If you are having difficulty, notify your instructor. Do not attempt to modify configurations
in troubleshooting.
Tablet Clean up
It may be necessary to clean up your Tablet from a previous class. Perform the steps listed
below.
Step 13 Navigate to Settings > Security select Clear credentials (if not grayed out)
Step 14 Confirm the message.

Wireless Access via Tablet
Step 15 Press the home button (middle bottom button)
Step 16 Open the Widget/Icon for WLAN
Step 17 Enable WLAN if not already enabled, by clicking the slider.
Step 18 From the list identify and click your pod WPA SSID (##-wpa2e).
Note review your vWLC or notify your instructor.
Step 19 Enter employee1@demo.local as Identity and 1234QWer as the password and

leave all other parameters at their defaults. Then click Connect.
Step 20 The WLAN should now mark as Connected.

Step 21 Return to the Admin Portal of Cisco ISE.
Step 22 Navigate to Operations > Radius > Live Logs.
Step 23 Identify the employee1 access record from the vwlc from the list.
Step 24 Click icon to see the Authentication Details.
Step 25 Identify the following fields to indicate that you matched the correct policy.
Step 26 Scroll down to the results section and observe the Airespace ACL you
configured before being assigned.
Note If you do not see employee exactly as it is in the above screenshot, as UPPERCASE,
you will need to modify your authorization profile as ACL names are case-sensitive.
Step 27 Navigate to your pod vWLC tab in the browser.

Step 28 On the MONITOR page, click Clients in the left pane.
Step 29 In the list of clients observe the client MAC address and the username
employee1@demo.local.
Step 30 Click the MAC address hyperlink.

Step 31 In the General tab, scroll down to the Security Information section. Observe
both the Radius NAC State as RUN and the IPv4 ACL Name field as the

assigned ACL name, EMPLOYEE_ACL, which you configured in the
Employee Access Authorization Profile.
Clean up
Now that you have successfully accessed a wireless network, you will disconnect the
wireless device.
Step 32 Return to your Tablet.
Step 33 Via the WLAN icon, turn off WLAN by clicking the slider.
Step 34 Return to your Cisco ISE admin portal.
You have verified the vWLC configuration
You have added the vWLC to Cisco ISE as a network device
You have adjusted RADIUS settings to show every authentication message in Cisco ISE
You have access the wireless network view your Tablet
You have verified proper authorization profile configuration from ISE to the vWLC.
In this task, you will configure a global exception authorization policy which will apply to
all policies (globally) and as an exception policy will be processed before all of the policies.
Activity Procedure
Step 1 In your policy set navigate to Wired_Access > Authorization Policy - Global
Exceptions.
Step 2 Click the + button to create a new rule.
Step 3 Create the following rule. For this rule scenario you are creating an exception for
the demo.local IT staff who are performing an audit of the demo.local network.
Tip You could save the demo.local conditions to the library to facilitate a more efficient reuse
in the future.
Global Exception Policy

Attribute Value
Rule Name Domain IT Audit Exception

Conditions demo.local:ExternalGroups Equals demo.local/HCC/Groups/IT Staff
conditions)
Results (Profiles) PermitAccess
Step 4 Click Use and verify your policy against the following screenshot.

Policy Test
Step 6 On your W10PC-Corp log in as demo\itadmin / 1234QWer.
Step 7 Return to your Cisco ISE admin portal
Step 8 Navigate to Operations > Radius > Live Logs and find the itadmin@demo.local
authentication.
Step 9 Click the authentication details icon.

Step 10 Observe that the Authorization policy name is under Wired_Access and is
Domain IT Audit Exception, the name you created as a Global Exception policy
name.
Step 11 Return to your admin portal and navigate to Policy > Policy Sets.
Step 12 Navigate to your Wireless_Access > Authorization Policy Global Exceptions
and notice there is an indicator of (1).
Step 13 Expand the exceptions policy and observe the global exceptions rule that you
created earlier.
You have successfully created a global exception.
You have successfully performed a CLI test authentication using a local user account
and observe the matching of the employee authorization profile.
You have observed the global exception in each of the policy set rules.
A new feature in Cisco ISE since 2.1 is Context Visibility. This feature allows you to see,
and create groups, for ease of visibility into your network environment.
Activity Procedure
Step 1 Return to the ISE Admin Portal, and navigate to Context Visibility > Endpoints
> Authentication. Notice the Android endpoint can also be seen here.
Step 2 By clicking the endpoints MAC address, you can drill down to view further
details on the chosen endpoint. By clicking the various tabs, you can view
additional details such as Authentication, Threats, and Vulnerabilities, for that
endpoint.
Step 3 From this screen, click the Network Devices option to view further information
on network devices that are seen by ISE.
Step 4 On the right side of this screen, clicking on the # of endpoints that are associated
with the network device, you can view additional useful information on endpoints
that are seen on the network by ISE.

You observed network device details via the feature context visibility.
In this activity, you will configure the settings in Cisco ISE that are the core components of
Guest Access. After completing this activity, you will be able to meet these objectives:
Configure Guest Settings for Guest Access in Cisco ISE
Configure the Guest Locations the SSID feature in Cisco ISE
Admin PC
ISE-1
AD1
W10PC-Corp
vWLC

In this task, you will configure the basic settings for guest operations.
Activity Procedure
Step 1 On your pod Admin PC in the Cisco ISE admin portal navigate to Work Centers
> Guest Access> Settings.
Mail Settings
Step 2 Expand Guest Email Settings and modify the Default email address to
be sponsor@demo.local.
Step 3 Click Save.
Step 4 Still in the Guest Email Settings, click the helpful Configure SMTP server at:
Work Centers > Guest Access > Administration > SMTP Server hyperlink.
Step 5 In the SMTP Server settings enter mail.demo.local and click Save.
Custom Fields
Step 6 Return to Work Centers > Guest Access > Settings and expand Custom Fields.
Step 7 Add the following custom field and then click Add.
Guest Custom Field
Custom field name Data type Tip text
Person Visiting String
Step 8 Click Save.

Guest Username Policy
Step 9 Expand Guest Username Policy.
Step 10 For lab purposes modify the Minimum username length to 4 and then also
modify the Characters Allowed in Randomly Generated Usernames,
Minimum alphabetic field to 4 as well.
Step 11 Click Save.
Guest Password Policy
Step 1 Expand Guest Password Policy.
Step 2 For lab purposes modify the Minimum password length to 4, and then also
modify the Minimum uppercase, to 2. Change the settings for Special to None.
Step 3 Click Save.
Guest Purge Policy
Step 4 Expand Guest Account Purge Policy.
Step 5 In the Time of purge field notice the time is set to 1:00 AM. Due to the fact that
Cisco ISE is set up for the UTC time zone, and adjustment needs to be made as
corporate policy dictates now that this occur after midnight local time.
Here you, the student, have an option, you can choose to configure according
to your actual local time zone of your class or you can configure according to the
Pacific Time zone.
If you are using the Pacific Time zone, enter 11:00 AM.
Step 6 Click Save or leave all fields unchanged.
You have configured mail (SMTP) settings for Cisco ISE.
You have added a custom field for guest access.
You have modified the guest username policy.
You have modified the guest password policy.
You have adjusted the purge policy time for either the Pacific or your local time zone.

In this task, you will configure locations. You will configure a few set locations and you will
also configure the location of your class. This will be used later to align the access times with
your local class time zone.
Activity Procedure
Step 1 Navigate to Work Centers > Guest Access > Settings and then select Guest
Locations and SSIDs.
Step 2 In the Guest Locations area enter the following location and time zone
information. Finish by adding your class city and time zone.
Tip In the time zone area begin typing to activating filtering.
Guest Locations
Location name Time Zone
New York America/New_York
Chicago America/Chicago
London Europe/London
Dubai Asia/Dubai
Sydney Australia/Sydney
<YOUR CITY> <YOUR TIME ZONE>
Step 3 guest SSID (##-guest ) from your

vWLC WLAN.
This feature is helpful if for instance your organizational guest network has
different SSIDs based on location. For example, Guest-US, Guest-EU, Guest-
APAC, etc.
Tip Do not navigate away to your vWLC web page as you will lose your Guest Location
form data.
Step 4 Click Save.
You have configured the Guest Settings according to the task instructions.
This activity has you exploring multiple Cisco ISE guest access configurations and
operations. The lab helps you to really understand how various guest access scenarios work
and why you might want to use them in your organization. You will start with configuring
Cisco ISE guest access using a hotspot portal. This portal is for organizations who want the
simplest method of providing guest access, with less concern for strict control over who uses
the service, or tracking who uses the service. Some organizations require a bit more control
and awareness concerning who uses guest access. You will learn how to accommodate these
scenarios, such as guest access for self-registration, and self-registration with sponsor
approval. Finally, you will configure and validate sponsored guest access.
In this activity, you will explore multiple Cisco ISE guest access configurations and
operations. After completing this activity, you will be able to meet these objectives:
Configure Cisco ISE guest access using a hotspot portal
Configure Cisco ISE guest access for self-registration
Configure Cisco ISE guest access for self-registration with sponsor approval
Configure Cisco ISE guest access for sponsored guest access

Admin PC
ISE-1
AD1
vWLC
W10PC-Corp
In this task, you will configure Cisco ISE guest access with a hotspot portal. This type of
access is appropriate were accepting and AUP only is sufficient to meet network security
policy.
Activity Procedure
Configuration
Step 1 On the Admin PC in the Cisco ISE admin portal navigate to Work Centers >
Guest Access.
Step 2 Take a moment and read the Guest Access Overview. Note that at the bottom of
the overview screen a hyperlink for the reports is included. Do not click this now.
Step 3 In the top, click Portals & Components.
Step 4 In the left pane, click Guest Portals.
Step 5 In the right pane, click the Create button.
Step 6 In the pop-up select Hotspot Guest Portal and then click
Step 7 In the Portals Settings and Customization window configure the following:
Hotspot Portal Settings and Customization
Attribute Value
Portal Name Demo Hotspot
Description The demo.local Hotspot
Portal Behavior and Flow Settings
Portal Settings
HTTPS Port 8443
Allowed interfaces Gigabit Ethernet 0
Certificate group tag ISE Lab CGT
Endpoint identity group GuestEndpoints
Display language Use browser locale
Acceptable Use Policy (AUP) Page Settings
Include in AUP page [X]
Require an access code [X] 1234
Require scrolling to the end of AUP [ ]
Post Access Banner Page Settings
Included Post Access Banner page [ ]
VLAN DHCP Release Page Settings
Enable VLAN DHCP release [ ]
Delay to release 1
Delay to CoA 8
Delay to renew 12
Authentication Success Settings
Once authenticated, take guest to Authentication Success page

Support Information Is Settings
Included Support Information page [X]
Fields to include [ X ] MAC address

[ X ] IP address
[ X ] Browser user agent
[ ] Policy server
[ X ] Failure could
Empty fields Hide field
Step 8 Scroll to the top and click Save.

Step 9 In the pop-up window, click OK to change the certificate for all the portals on the
same port.
Step 10 In your Firefox browser, open the tools/guest toolbar hyperlink in a new tab.
(Right-click guest).
Step 11 Click the link the iseiscool-images.zip link and save the file.
Step 12 Click the down arrow in the upper right corner of Firefox the on the folder icon of
the file to open the location the file was saved.
Step 13 Right-click the file name and select Extract All. Accept the default location and
click Extract.
Step 14 Return to the ISE admin portal.
Step 15 In the customization setting area click Portal Page Customization.
Step 16 Before making any modifications, observe the Preview on the right side of the
page. This is the Mobile preview page. Below this preview is the Desktop
Preview link. Clicking on it will open up a new browser window.

Step 17 Scroll back up to the top and to the right of the Portal Theme select the
button.
Step 18 Observe the color options that you can modify. Click the color square at the end
of the Banner Color line. Play around with the color tool as you see fit. Pick a
custom color or enter #8a099b in the hex box.
Step 19 Click OK.
Step 20 Leave all other colors the default and click OK.
Step 21 Images can be uploaded by clicking on the buttons in the Images section. They
can also be deleted or reset to default with the X and circled arrow buttons
respectively.
Step 22 Delete the Banner Image.
Step 23 Scroll back to the preview area and click Refresh Preview and observe the
purple (or your custom color) banner.
Step 24 Upload the following images:
Image File Location
Logo (Mobile) C:\users\admin\Downloads\iseiscool-images\iseiscool_logo_hotspot.png
Logo (Desktop) C:\users\admin\Downloads\iseiscool-images\iseiscool_logo_hotspot.png
Banner C:\users\admin\Downloads\iseiscool-images\iseiscool_banner.png
Step 25 Remove the Text Elements > Banner title, as the image contains the text in
graphical format.
Step 26 Click in the Footer Elements box to the right to activate the preview change and
review the preview
Step 27 Scroll down to the AUP text box. Wherever you see Cisco Systems in the AUP
change it to The Demo Shop.
Step 28 bold it using the
toolbar for the AUP text section. Make any other text modifications you desire.

Step 29 In the Left Pane select Authentication Success.
Step 30 Edit both Browser Page Title and the Content Title and modify them to Access
Granted.
Step 31 Scroll down to Optional Content 2 and add the following text: Use coupon code
130 at checkout for extra savings!
Step 32 Using the toolbar, bold and underline 130 then change the font color of 130 to
red. Then select the text and change the font size to large.
Step 33 Scroll to the right and click Refresh Preview to review your work.
Step 34 In the left pane, click Support Information.
Step 35 Scroll down and in the Support Information Text field; modify the phone
number from (xxx)-xxx-xxxx to (555) 555-1234.
Step 36 In the left pane, click Messages > Error Messages.
Step 37 Observe the error messages and the message text that the users would be shown
in the event of an error.
Step 38 Each line of the message Text is inline editable. Modify the
ui_invalid_access_code_error message text to read: Wrong access code. See
the front desk for assistance.
Tip Yo
Step 39 Scroll to the top and click Save.

Step 40 In the left pane, click Acceptable Use Policy and under the preview section click
the link Desktop Preview and observe the desktop preview in a new tab. Close
the tab when you are done.
Step 41 Back in the Admin Portal click Close.
Step 42 As indicated below the Guest Portals list in the right pane, you must create an
authorization profile. Click the hyperlink to go there now. Your portal will not be
Authorized until you create an Authorization Profile referencing this portal and
then an Authorization policy that references the related Authorization Profile.

Step 44 Create the following authorization profile:
Hotspot Authorization Profile
Name Hotspot Access
Common Tasks
Web Redirection Hot Spot

ACL: ACL-WEBAUTH-REDIRECT
Value: Demo - Hotspot
Step 45 Scroll down and click Submit.

Step 47 Create the following authorization profile for guest access. .
Guest Authorization Profile
Name Guest Access
Common Tasks
Airespace ACL Name GUEST_ACL

Step 49 Navigate to Policy > Policy Sets and access the Wireless_Access >
Authorization Policy policy set.
Step 50 Add the following Authorization Policy rule above the Wireless AD Employees
rule.
Note Make sure your WLAN ID for your ##_hotspot WLAN is correct.
Hotspot Authorization Policy

Attribute Value
Rule Name Hotspot

Conditions Airespace:Airespace-Wlan-Id EQUALS 2
conditions)
Results (Profiles) Hotspot Access
Step 51 Add another rule above the Hotspot rule you just created with the following
parameters.
Guest Access Authorization Policy
Attribute Value
Rule Name Guest Access

Conditions IdentityGroup:Name CONTAINS Endpoint Identity
(identity groups and other Groups:GuestEndpoints
conditions)
Results (Profiles) Guest Access

Step 54 Navigate to Work Centers > Guest Access > Portals & Components and then
click Guest Portals.
Step 55 Observe that the Demo Hotspot portal is now Authorized compared to the
other default portals.
Step 56 Click Demo Hotspot to enter the configuration for that portal.
Step 57 In the right side, examine the Guest Flow. This diagram is based on the settings
you configured on the left. In this simple hotspot flow, the user will need to
accept the AUP (1) and then they will have successfully logged on the network
(2). You have enabled Support Information and that is represented in the block on
the left.

Step 58 When you test access in the next section, you will observe this flow.
Test Access
Step 59 On your W10PC-Corp log in as student / 1234QWer.
Step 60 Access your Tablet according to your lab specific instructions.
in troubleshooting.
Step 61 Use the link WLAN to open the Wlan list.

Step 62 Enable WLAN.
Step 63 From the list identify your pod ##-wpa2e SSID. The Tablet should automatically
connect to this WLAN. Click this WLAN.
Step 64 At the bottom, click FORGET in order to clear any previous cached settings or
credentials.
Step 65 Click the hotspot SSID for your pod.
Step 66 Open a browser on the Tablet.
Step 67 If you are not automatically redirected to the ISE hotspot portal, try to open a
webpage on cisco.com, for example.
Step 68 Your connection .
Step 69 Click Advanced and then click Proceed to ise-1.demo.local (unsafe).
Step 70
Step 71 Click in the Access code box and enter an incorrect access code of 5678 and click
Accept and observe the result which should match the error message you
configured.
Hint
tablet will be locked and use must unlock the device again (PIN 1234). Use the keyboard
on the tablet´, to enter the access code.

Step 72 Click the Contact Support link at the bottom. Observe the Support Information
page opens in a new tab. Observe the modification of the help desk phone
number.
Step 73 Close this tab to return to the AUP page.

Step 74 Now enter to correct access code: 1234 and click Accept.
Step 75 This is correlates to the AUP, step 1, in the previous flow diagram.
Step 76 You should see the customized Access Granted messages with the coupon code
that you configured at the bottom.
Step 77 This correlates to the Success, step 2, in the previous flow diagram.
Step 78 Now surf to Cisco.com again. This should succeed.
Step 79 Return to the Cisco ISE Admin Portal on the Admin PC.
Step 80 Navigate to Operations > Radius > Live Logs and observe the authentication
records. Notice the first Hotspot access and then the Identity Group
GuestEndpoints and Guest Access Authorization Profile match.
Step 81 Note the endpoint MAC address below.
Step 82 Navigate to Context Visibility > Endpoints .

Step 83 Find the Tablets MAC address and click the Endpoint Profile name or select the
checkbox and click Edit in the toolbar.
Step 84 Observe the following fields which correlate with the configuration you made
earlier. Also notice the device has been statically assigned to the GuestEndpoints
Identity Group.
Note Observe the new Description feature. You can enter a description and scroll to the
bottom and click Save.
Tip You may have noticed that the system has effectively profiled the device as an Android
Tablet even though we disabled Profiling earlier in the lab. Further details will be
covered in detail later in the lecture, but briefly, the Cisco ISE always gathers HTTP
headers when a portal is access and the endpoint utilizing the portal is profiled based
solely on that data.

You have created a guest hotspot portal.
You have configured and customized the guest hotspot portal.
You have configured a guest and hotspot authorization profile.
You have modified the authorization policy for hotspot access and subsequent guest
access.
You have accessed the hotspot SSID network and processed through the hotspot guest
flow.
You have observed the authentication process and records in Cisco ISE.

In this task, you will configure Cisco ISE guest access for guest self-registration. This type of
access is appropriate where to start I do connect to the network and create their own parameter
limited accounts.
Activity Procedure
Configure Guest Type
In this section, you will configure a custom guest type that will restrict access to business
days and hours.
Step 1 In the Cisco ISE Admin portal, navigate to Work Centers > Guest Access >
Portals&Components and then select Guest Types.
Step 2 In the right pane observe the four default guest types, Contractor, Daily,
SocialLogin and Weekly.
Step 3 In the right pane click the Create button.
Step 4 Configure a guest type according to the following table.
Guest Type
Attribute Value
Guest type name Business Daily
Description Business Hours on Business Days
Collect Additional Data
Person Visiting
Required [ ]
Tip <leave default>
Maximum Access Time
Maximum account duration 5 days Default 2
Allow access only on these days [ X ]

and times
From 5:00 AM
To 11:00 PM
Days [ ] Sun [ X ] Mon [ X ] Tue [ X ] Wed [ X ] Thu [ X ] Fri [ ] Sat
From 7:00 AM
To 10:00 PM
Days [ X ] Sun [ ] Mon [ ] Tue [ ] Wed [ ] Thu [ X ] Fri [ X ] Sat
Login Options
Maximum simultaneous logins [X] 2
When guest exceeds limit Disconnect the oldest connection
Maximum devices guest can 2

register
Store device information in GuestEndpoints

endpoint identity group
Allow guest to bypass the Guest [ ]

portal
Account Expiration Notification
Send account expiration [X] 5 hours Before account

notification expires
Email [X]
Use customization from Self Registered Guest Portal (default)
Messages Your account at The Demo Shop is going to expiring 5 hours.
Copy text from
Send test email to me at
SMS [ ]
Messages Your account at The Demo Shop is going to expire in 5 hours.
Copy text from
Send test SMS to me at
Provider
Sponsor Groups
All_Accounts (default) , Group_Accounts (default), Own Accounts (default)
Step 5 Scroll up and click Save. If you are sending a test SMS message, do so now.
Step 6 Click Close.
Configure Guest Portal
Step 7 Navigate to Work Centers > Guest Access > Portals & Components.
Step 9 In the right pane, click the Create button.
Step 10 In the pop-up window, select Self-Registered Guest Portal and then click
Step 11 In the Portals Settings and Customization window configure the following:
Self-Registration Portal Settings and Customization

Attribute Value
Portal Name Demo-Self-Reg
Description The Demo Self-Registration Portal
Portal Settings
HTTPS Port 8443
Authentication method Guest_Portal_Sequence
Employees using this portal as guest inherent Weekly (default)

login options from
Login Page Settings

Require an access code [ ]
Maximum failed login attempts before rate 5

limiting
Time between login attempts when rate limiting 2
Include in AUP page [X] on page
Require acceptance [X]
Allow guest to create their own accounts [X]
Allow social login [ ]
Allow guest to change password after login [ ]
Registration Form Settings
Assign to guest type Business Daily
Account valid for 1 Days
Require a registration code [ ]
Fields to include Required
[ X ] User name [ ]
[ X ] First name [X]
[ X ] Last name [X]
[ X ] Email address [ ]
[ X ] Phone number [ ]
[ X ] Company [ ]
[ X ] Location [X]
Guest can choose from these locations to set San Jose

their time zone <SELECT YOUR LOCATION FROM THE LIST>
SMS Service Provider [ ] [ ]
Guest can choose from these SMS providers [ ] Global Default

[ ] T Mobile
[ ] ATT
[ ] Verizon
[ ] ClickatellViaSMTP
[ ] Orange
[ ] In mobile
[ ] TheRingRingCompany
[ ] Sprint
Person being visited [X] [X ]
Reason for visit [X] [X]
Custom Fields [ ]
Include in AUP [X] on page
Require acceptance [ ]
Only allow guests with an email address from [ ]
Do not allow guests with an email address from [ X ] example.com
Require guest to be approved [ ]
After registration submission, direct guest to Self-registration Success page
Send Credential Notification Automatically Using [ X ] Email [ ] SMS
Self-Registration Success Settings
Include this information on the Self-Registration [ X ] User name

Success page [ X ] Password
[ X ] First name
[ X ] Last name
[ X ] Email address
[ X ] Phone number
[ X ] Company
[ X ] Location
[ ] SMS Service Provider
[ X ] Person being visited
[ X ] Reason for visit
Allow guest to send information to solve using [ X ] Print

[ X ] Email
[ ] SMS
Include in AUP [X] on page
Require scrolling to end of the AUP [ ]
Allow guest to log in directly from the Self- [X]

Registration Success Page
Use different AUP for employees [ ]
Skip AUP for employees [X]
Require scrolling to end of AUP [ ]
Show AUP Every 1 days
Guest Change Password Settings
Require guest to change password at first login [ ]
Guest Device Registration Settings
Automatically register Guest devices [X]
Allow guest register devices [X]
BYOD Settings
Allow employees to use personal devices on the [ ]

network
Endpoint identity group RegisteredDevices
Allow employees to choose to guest access only [ ]
Display Device ID field during restriction [ ]
After successful device configuration take Success page

employee to
Guest Device Compliance Settings
Require guest device compliance [ ]
Post-Login Banner Page Settings
Included Post Login Banner page [ ]

Delay to release 1
Delay to CoA 8
Delay to renew 12
Once authenticated, take guest to Authentication Success page

[ X ] IP address
[ X ] Policy server
[ X ] Failure could
Step 12 Scroll up and click Save.

Step 13 Examine the Guest Flow and when you are comfortable in your understanding of
the flow continue to the next step.
Step 14 Click Portal Page Customization.
Step 15 Examine the customization options. They are similar to the Hotspot portal
customizations with the option to customize the additional pages in this self-
registration flow. For time sake you will only add a footer and modify one other
field. Add the following text to the Footer Elements: All access is logged.
Tip Remember if adding support information to the guest flow as an option, modify the
Support information text phone number from all Xs to an actual number.
Note You will not be modifying the AUP to change the company name from Cisco Systems to
The Demo Shop due to time constraints.
Step 16 Scroll down in on the right side, click Refresh Preview.

Step 17 Observe the footer you created.
Step 18 Change to a different page by clicking on the boxes to the left and observe the
footer is consistent.
Step 20 In the left pane, select Notifications and then Print.
Step 21 Observe the variables that are used in the text.
Step 22 Create a new line at the bottom of the text box. Add the text Location:

Step 23 In the toolbar, click the Insert Variable icon and observe variables which are
available. Select Location name to insert that variable.
Step 24 Verify your work with the following screenshot.
Step 25 Scroll up and click Save then Close.

Step 26 Use the shortcut hyperlink to create and Authorization profile at the bottom of
the page.
Step 27 Select Hotspot Access and then click Duplicate in the tool bar.
Step 28 Modify the authorization profile according to the table below.
Self-Registration Authorization Profile
Name Self-Registration Portal
Common Tasks
Web Redirection Centralized Web Auth
Value: Demo-Self-Reg
Display Certificates Renewal [X]

Message
Static IP/Host name [ ]
Supress Profiler CoA for [ ]

endpoints in Logical Profile

Step 30 Navigate to Policy > Policy Sets and access the Wireless_Access policy set.
Step 31 Expand the Authorization Policy.
Step 32 At the end of the line for the Hotspot rule, click the gear icon and select Insert
new row Above
Step 33 Create the new rule to match the following Authorization Policy rule.
Self-Registration Authorization Policy
Attribute Value
Rule Name Self-Registration

conditions)
Results (Profiles) Self-Registration Portal
Step 34 Click Use at the end of the line.

Step 35 Disable the Hotspot rule.

Test Access
Step 38 On your W10PC-Corp access your Tablet according to your lab specific
instructions.
in troubleshooting.
Step 39 Navigate to WLAN.

Step 40 From the list identify your hotspot SSID you used previously.
credentials.
Step 42 Turn off Wi-Fi.
Step 43 Return to the Cisco ISE admin portal.
Step 44 Navigate to Context Visibility > Endpoints.
Step 45 Select the Tablet and then Delete it using the toolbar. Confirm Yes to delete.
Note You may have to manually clear the client from the WLC (Naviagte to WLC GUI >
Monitor > Clients Click on the client to be cleared > Remove) if you perform these steps
quickly. As the WLC holds or caches association sessions to handle Wi-Fi signal
disruptions and roams.
Step 46 Access the Tablet and enable the Wi-Fi.
Step 47 Access the Guest SSID for your pod.
Step 48 Open a browser and try to browse to cisco.com.
Step 49 You are automatically redirected to the ISE hotspot portal.
Step 50 Use your mouse to scroll down to the bottom and click Or register for guest
access.

Step 51 Create an account using the following information.
Create Guest Account
Attribute Value
Username
First name John
Last name Watson
Email address guest@ffmlab.com
Phone number
Company Holmes Investigations
Location <SELECT YOUR LOCATION>
Person being visited (email) admin@demo.local
Reason for visit Consultation
Person visiting Mycroft
Step 52 Click Register.
Step 53 Observe your account details.
Step 54 Observe the details.

Step 55 Click I agree to the terms and then Sign On.
Step 56 Accept the AUP.
Step 57 In the Device Registration window Click No, skip registration.
Step 58 Now try to access Cisco.com. This should succeed.
Step 60 Navigate to Operations > Radius > Live Log and observe the authentication
records. Notice the first Self-Registration Portal access was based on the MAC
address and then the records switch to using the username identity with the Guest
Access Authorization Profile match.
Step 61 Navigate to Conext Visibility > Endpoints.

Step 62 Find the Tablets MAC address and click it.

Step 63 Scroll down the Attributes list and observe the following fields which now
provide more meaningful information about the endpoint instead of just a MAC
address.
You have created a guest self registration portal.
You have configured and customized the self registration portal.
You have configured a self registration authorization profile
You have modified the authorization policy for self registration access
You have accessed the open SSID network and processed through the self registration guest
flow.
You have observed the authentication process and records in Cisco ISE
In this task, you will enable self-registration with the requirement of obtaining sponsor
approval before access is granted to the network.
Activity Procedure
Remove Endpoint from Cisco ISE
Step 1 On your W10PC-Corp, access your Tablet according to your lab specific
instructions.
Step 5 In Cisco ISE, navigate to Context Visibility > Endpoints.
Step 6 Select the Tablet and then delete (Click Trash > Selected) it using the toolbar.
Confirm YES to delete.
Note You may have to manually clear the client from the WLC if you perform these steps
Modify Self-Registration portal to require Sponsor Approval

Step 7 Navigate to Work Centers > Guest Access > Portals & Components.
Step 9 In the right pane, activate or select the Demo-Self-Reg by left-clicking on the
blue area with no text (see screenshot below). The box will turn a darker blue
once selected.
Step 10 In the toolbar click Duplicate.

Step 11 Once the duplication process is complete, click the Demo-Self-Reg_Copy1
portal to edit it.

Step 12 In the Portals Settings and Customization window modify the following
settings only:
Self-Registration Portal Settings and Customization
Attribute Value
Portal Name Demo-Self-Reg-Approval-Required
Description The Demo Self-Registration Portal
Registration From Settings
Require guest to be approved [X]
Email approval request to sponsor email addresses listed below

sponsor@demo.local
Step 13 Scroll up and click Save then Close.

the page.
Step 15 Select Self-Registration Portal and then click Duplicate in the tool bar.
Step 16 Modify the authorization profile according to the table below.
Self-Registration with Approval Authorization Profile
Name Self-Registration Portal with Approval
Common Tasks

Value: Demo-Self-Reg-Approval-Required
Display Certificates [X]

Renewal Message
Supress Profiler CoA [ ]

for endpoints in
Logical Profile

Step 19 Expand Authorization Policy.
Step 20 At the end of the line for the Self-Registration rule, click the gear icon and select
Insert new row above
Step 21 Create a new rule to match the following Authorization Policy rule.
Self-Registration with Approval Authorization Policy

Attribute Value
Rule Name Self-Reg with Approval

conditions)
Results (Profiles) Self-Registration Portal with Approval

Step 23 Disable the Self-Registration rule.

Test Access
instructions.
in troubleshooting.

Step 28 Enable the Wi-Fi. Your Tablet should associate to the ##-guest SSID.
Step 29 Open a browser.
Step 30 If you are not automatically redirected to the ISE Self-Registration portal, type in
cisco.com, for example.
Step 31 On the Sponsored Guest Portal Page, use your mouse to scroll down to the
bottom and click Or register for guest access.

Step 32 Create an account using the following information.
Create Account
Attribute Value
Username
First name Sherlock
Last name Holmes
Email address guest@ffmlab.com
Phone number
Company Holmes Investigations
Location <Your Location>
Person being visited (email) admin@demo.local
Reason for visit To find Watson!
Person visiting Mycroft
Step 33 Click Register.

Step 34 Note that your account is created but there are no credentials. Select the checkbox
to agree to the terms and conditions, then click Sign On.
Step 35 Since you have no credentials, username and password, you are unable to sign in.
Step 37 Navigate to Work Centers > Guest Access > Manage Accounts.
Step 38 Click the Managed Accounts button.
Step 39 The default sponsor portal opens open a new tab. Notice at the top under Pending
Accounts the 1 in parentheses (1) indicating an account pending approval.
Step 40 Click the tab Pending Accounts and observe the guest account pending approval.
Step 41 Select the account and click Approve.
Step 42 Enter the email address sponsor@demo.local and click OK to approve the
account.
Note If the approval p

task.
Step 43 Click Manage Accounts and click the Sherlock Holmes (sholmes) account to
view the username and the password.
Step 44 Return to the Tablet and in the browser enter your credentials. It may be
necessary to refresh or retry as your portal session may have timed out. Scroll to
the bottom of the AUP, click that you accept the AUP, and then click Sign On at
the bottom.
Note If you timed out, just login after clicking Retry.

Step 45 In the Device Registration window, click No, skip registration.
Step 46 Now try to visit Cisco.com. This should succeed.
records.
You have created a guest self-registration portal with the requirement of guest accounts
having sponsor approval.
You have configured a self-registration with approval authorization profile.
You have modified the authorization policy for self-registration with approval access.
You have access to the open SSID network and process through the self-registration
guest flow.
You have logged into the sponsor portal and approved the pending account.
You have logged in as the guest with the approved account credentials.
You have observed the authentication process records in Cisco ISE.
In this task, you will perform sponsored guest account operations. You will be creating the
accounts as a sponsor and then providing and click Approve information to the guest.
Activity Procedure
Remove Endpoint from Cisco ISE
instructions.
Step 4 Return to the Cisco ISE Admin portal.
Step 6 Select the Tablet and then Delete (click Trash > Selected) it using the toolbar.
Confirm YES to delete.
Note You may have to manually clear the client from the WLC if you perform these steps
Configure Guest Portal

Step 7 Navigate to Work Centers > Guest Access > Identities and select Identity
Source Sequence.
Step 8 Select Guest_Portal_Sequence and click the Edit button.
Step 9 Adjust the sequence to the following screenshot:

Step 11 Navigate to Guest Access > Portals & Components.
Step 13 In the right pane, activate or select the Sponsored Guest Portal (default) by left-
clicking on the blue area with no text (see screenshot below). The box will turn a
darker blue once selected.
Step 15 Once the duplication process is complete, click the Sponsored Guest Portal
(default)_copy1 portal to edit it.
Step 16 In the Portals Settings and Customization window modify the following
settings only:
Sponsored Portal Settings and Customization
Attribute Value
Portal Name Demo-Sponsored
Description The Demo Sponsored Guest Portal
Portal Settings
HTTPS Port 8443
Identity source sequence Guest_Portal_Sequence
Employees using this portal as guest inherent Weekly (default)

login options from
Login Page Settings
Require an access code [ ]

limiting
Allow guest to create their own accounts [ ]
Allow social login [ ]
Allow guest to change password after login [X]
Use different AUP for employees [ ]
Skip AUP for employees [ ]
Show AUP On first login only
Guest Change Password Settings
Require guest to change password at first login [ ]
Guest Device Registration Settings
Automatically register Guest devices [X]
Allow guest register devices [ ]
BYOD Settings
Allow employees to use personal devices on the [ ]

network
Allow employees to choose to guest access only [ ]
Display Device ID field during restriction [ ]
After successful device configuration take Success page

employee to
Guest Device Compliance Settings
Require guest device compliance [ ]
Included Post Access Banner page [ ]
Delay to release 1
Delay to CoA 8
Delay to renew 12
Once authenticated, take guest to URL http://www.cisco.com/go/ise
Included Support Information page [ ]

[ X ] IP address
[ X ] Policy server
[ X ] Failure could

Step 18 Examine the Guest Flow and when you are comfortable in your understanding of
the flow continue to the next step.
Step 19 Click the Close button.

the page.
Step 21 Create the authorization profile according to the table below.
Sponsored Portal Authorization Profile
Name Sponsored Portal
Common Tasks

Value: Demo-Sponsored
Display Certificates Renewal [X]

Message
Supress Profiler CoA for [ ]

endpoints in Logical Profile

Step 24 Expand the Authorization Policy.
Step 25 At the end of the line for the Hotspot rule, click the gear icon and select Insert
new row above.
Step 26 Creat a new rule to match the following Authorization Policy rule.
Sponsored Portal Authorization Policy
Attribute Value
Rule Name Sponsored Portal

conditions)
Results (Profiles) Sponsored Portal
Step 27 In the case you did the previous task, disable the Self-Reg with Approval rule.

Sponsor Group Modification
Step 30 Navigate to Work Centers > Guest Access > Identities and click then Identity
Source Sequence.
Step 31 Select Sponsor_Portal_Sequence and click the Edit button.
Step 32 Select in the left panel demo.local and move the authentication source to the right
panel.

Step 34 Return to Work Centers > Guest Access > Portals & Components.
Step 35 In the left pane select Sponsor Groups.
Step 36 Select the ALL_ACCOUNTS (default) line in an open area (do not click any
text) and then click Duplicate in the toolbar above.
Step 37 Edit the ALL_ACCOUNTS (default)_copy1 Sponsor Group.
Step 38 Click the button above the Sponsor Group Members section.
Step 39 In the pop-up window, on the Available User Groups side type Employees in the
search filter and click Search.
Step 40 Select the demo.local Employees group and move it to the Selected User Groups
side.
Step 41 Click OK.

Step 42 Modify the rest of this sponsor group according to the following table.
Sponsor Group
Attribute Value
Disable Sponsor Group [ ]
Sponsor group name DEMO_ALL
Description All Guest Accounts for Local ALL_ACCOUNTS

and demo.local Employees

Sponsor Group Members ALL_ACCOUNTS (default)
demo.local:demo.local/HCC/Groups/Employees
This sponsor group and create accounts using Contractor (default)

these guest types Daily (default)
Weekly (default)
Create Guest Types at San Jose

<YOUR CLASS LOCATION>
Sponsor Permissions
Sponsor Can Create
Multiple guest accounts assigned to specific guests [ ]

(Import)
Limit to batch of 200
Multiple guest accounts to be assigned to any [X]

guess (Random)
Default username prefix d-guest-
Allow sponsor to specify a username prefix [ ]
Limit to batch of 25
Start date cannot be more than # days into the [X] 31

future
Sponsor Can Manage All guest accounts
Sponsor Can
[X]
number)
[X]
Send SMS notifications with credentials [X]
[X]
Extend guest accounts [X]
Delete account [X]
Suspend account [X]
Require sponsor to provide a reason [X]
Reinstate suspended accounts [X]
Approve request from self-registering guests [X]
Any pending accounts [X]
Only pending accounts assigned to this sponsor [ ]
Access Cisco ISE guest accounts using the [ ]

programmatic interface (Guest REST API)
Tip If you are having trouble selecting the Guest Types and/or the Locations, Save and
Close your work and open IE and edit this page in IE. When done, Save your work and
return to Firefox.

Customize Sponsor Portal
Step 44 Navigate to Work Centers > Guest Access> Portals & Components then select
Sponsor Portals.
Step 45 Select, not edit, the Sponsor Portal (default) portal.
Step 46 Click Duplicate in the toolbar above.
Step 47 Edit the Sponsor Portal (default)_copy1 portal.
Step 48 Modify the sponsor portal according to the settings below.
Sponsor Portal Settings and Customization
Attribute Value
Portal Name DEMO Sponsor Portal
Description DEMO Sponsor Portal
Portal Settings
HTTPS Port 8443
Fully qualified domain name (all FQDN) sponsor.demo.local
Identity source sequence Sponsor_Portal_Sequence
Idle timeout 10
SSIDs available to sponsors <Your pod SSID if you configured it>
Login Settings

limiting
Include an AUP [ ]
Require acceptance
Include in AUP page [ ]
Sponsor Change Password Settings
Allow sponsor to change their own passwords [ ]
Included Post Login Banner page [ ]
Included Support Information page [ ]
Fields to include [ ] MAC address

[ ] IP address
[ ] Browser user agent
[ ] Policy server
[ ] Failure could

Step 49 Scroll up and click Save and then Close.
Test Access
instructions.
Caution If you are having difficulty, notify your instructor. Do not attempt to modify configurations in
troubleshooting.
Step 51 Navigate to WLAN

Step 52 Access the Tablet and enable the Wi-Fi. Your Tablet should associate to the ##-
guest SSID. If not, connect to the ##-guest SSID.
Step 54 If you are not automatically redirected to the ISE guest portal, type cisco.com, for
example.
Step 55 On the Sponsored Guest Portal Page use your mouse to scroll down to the bottom
and notice there is no link Or register for guest access?
Step 56 Return to Firefox on the Admin PC.
Step 57 Open a new tab.
Step 58 Enter the URL https://sponsor.demo.local or use the sponsor bookmark on the
bookmark toolbar and press Enter.
Note If you get a security error from Firefox, use Internet Explorer for this task.
Step 59 Notice that the Sponsor Portal with new logo is shown and that Cisco ISE
automatically redirected the URL to port 8443.
Step 60 Log in with the domain credentials in UPN format employee1@demo.local /

1234QWer
Step 61 Under Create Accounts in the Guest Information section click Random and
observe the Username prefix is pre-populated with d-guest- as per the policy
you created earlier.
Step 62 Return to your Tablet and navigate to WLAN.

Step 63 From the list identify your pod ##-guest SSID.
credentials.
Step 65 Click the pod##-wpa2e SSID.
Step 66 Enter employee1@demo.local as Identity and 1234QWer as the password and
leave all other parameters at their defaults. Then click CONNECT.
Step 67 Open a browser and navigate to https://sponsor.demo.local
Step 68 Accept any certificate warning and by continuing via Advanced > Proceed to
sponsor.demo.local.
1234QWer

Step 70 Observe the Sponsor Portal on the tablet.
Step 71 On Create Accounts, click the button.

Step 72 Select Weekly as the Guest type and click Next.
Step 73 Click Random under Guest Information.
Step 74 Use the following information to create two guest accounts.
Create Random Accounts
Attribute Value
Number of accounts 2
Username prefix <LEAVE DEFAULT> d-guest-
Group tag
Language English - English
Duration 1
From Date (yyyy-mm-dd) <ENTER TODAYS DATE>
From Time 06:00
To Date (yyyy-mm-dd) <ENTER TOMORROWS DATE>
To Time 19:00
Location <SELECT YOUR CLASS LOCATION>
Step 75 Click Create.

Step 76 Record the created guest account information below.
Created Guest Accounts
Username Password
Step 77 Navigate using your mouse to WLAN
Step 78 From the list identify your pod ##-wpa2e SSID.
credentials.
Step 80 Click the ##-guest SSID for your pod. To log back in as a guest.
Step 81 Open a browser and try to navigate to cisco.com or trigger the web redirection by
browing to 1.1.1.1
Step 82 -guest-
employee sponsor.
Step 83 Accept the AUP and click Sign On.
Step 84 Once logged in you should automatically be redirected to the Cisco ISE
product page.
records for both the Sponsored Portal access and the Rand Guest account Guest
Access.
You have configured a Sponsored guest portal.
You have customized for Sponsored guest portal.
You have configured an authorization profile for the Sponsored guest portal.
You have modified the authorization policy to utilize the Sponsored guest portal.
You have created a new Sponsor Group that includes domain employees.
You have customized the Sponsor Portal.
You have accessed the network as a guest and see the sponsored guest portal.
You have logged in and seen the desktop sponsor portal.
You have logged in via the Tablet and seen the mobile sponsor portal.
You have created random accounts on the mobile sponsor portal.
You have logged in as a guest with a randomly generated guest account.
You have observed the authentication process records in Cisco ISE.

In this task, you will perform guest account management via the sponsor portal. You will
suspend and then reinstate an account, you will examine guest account properties, reset a
guest password, and you will then delete a guest account. Optionally, you will also send
guest account details via SMS.
Activity Procedure
Step 1 On the Admin PC access your Sponsor Portal Firefox tab.
1234QWer if your session is timed out.
Step 3 Click the Manage Accounts tab.
Step 4 Observe the accounts that you have created during this lab. Notice that one of the
random accounts which was sponsored by the employee1 is in the state Created
Step 5 Select that account and click Suspend.

Step 6 Notice in the pop-up window, you are prompted, Are you sure you want to
suspend the selected accounts? And then you are prompted for a reason for
suspension as per the policy you have configured in task 4.
Step 7 Second guest did not show up for meeting and
click OK.
Step 8 Notice now that the state of an account is Suspended.
Step 9 Reselect that account and notice the only options now are to Delete, Reinstate,
and Print.
Step 10 Click Reinstate and click Ok when prompted for confirmation.
Step 11 Edit the first random account which has the state Active.
Step 12 Enter the G Lestrade and the company
Scotland Yard .
Step 13 Click Save.
Step 14 Confirm your data-entry and click Done.
Step 15 On the random account with the state of Created, reset the password. When
prompted do not select Print, SMS and Email just click OK.
Step 16 Click the account name to view the new password. Then click Done.
Step 17 Observe the Time Left on the jwatson account.
Step 18 Select the jwatson account and click Extend.
Step 19 Notice that the maximum number of days as five. Enter 5 in the box and click
OK.
Step 20 Observe the extension of the time via the Time Left field.
Step 21 Select the random account with the state of Created and Delete the account.
Confirm the deletion by clicking OK.
You have suspended, reinstated, edited, reset the password, extended, and deleted guest
accounts via the sponsor portal

In this activity, you will run guest reports that are directly available from the Cisco ISE
dashboard. After completing this activity, you will be able to meet these objectives:
Run guest reports from the Authenticated Guests dashlet
Run guest reports from the Authenticated Guests dashlet sparklines
Admin PC
ISE-1
AD1
W10PC-Corp
vWLC
In this task, you will run reports for guest access from the Cisco ISE dashboard.
Activity Procedure
Step 1 On the Admin PC, navigate to the Cisco ISE dashboard by clicking Home. This
area shows statistical data, which improves your ability to monitor and
troubleshoot your system. Dashboard elements show activity over 24 hours,
unless otherwise noted.
Step 2 Observe Authenticated Guests in the metrics dashlet area. It shows the number of
guests 1
Step 3 You will see some more detailed information about connected endpoints.
Following that will be a list of endpoints. You should have a guest user in this
list. Click the MAC address of that user.
Step 4 Notice the five tabs you can use to get more information about this endpoint, as
shown. Leave it on the Attributes tab for now, and scroll down to briefly review
the types of information available here. You can scroll down to see some of the
following information: (the values that are shown are merely examples...do not
worry if yours do not match exactly)
EndPointPolicy Android
User-Name d-guest-xxxx
IdentityGroup GuestEndpoints
OperatingSystem
PortalName Demo-Sponsored
Step 5 Click the Authentication tab, scroll down, and peruse all the Authentication-
specific information available.

Step 6 Move back to the main Cisco ISE Administration page in the browser, and
Navigate to Home > Guests.
Step 7 You should see that 100 percent of your guests have a status of Connected. Click
the circular graphic in the Guest Status area.
Step 8 You should see something similar to the example shown. You can see graphics
for GUESTS STATUS, GUESTS TYPE, FAILER REASON, AND MORE.
Following that, you see the list of devices, along with their MAC addresses.
Clicking the MAC address here would bring you to the same informational screen
you just looked at.
Step 9 Navigate to Context Visibility > Endpoints. The page is similar to the Home
screen, except that context visibility pages:
Retain your current context (browser window) when you filter the
displayed data
Are more customizable
Focus on Endpoint Data
Step 10 Click the Guest tab, as shown. Notice how it is similar to the information
displayed in the Home screen. However, a new tab did not open up. You stayed in
the same tab.
Step 11 Click the MAC address of your guest connection. Again, notice how the
information is similar to the Home screen, but new tabs do not open up.
You have successfully viewed multiple reports from the Cisco ISE home dashboard
page.

In this activity, you will configure the Cisco ISE Profiler service and service settings. After
Enable the Profiler Service
Enable the use of the Cisco Profiler Feed Service
Configure the Cisco ISE NAD definitions for SNMP Profiling
Configure global SNMP profiler settings
Verify NAD configurations for profiling operations
Admin PC
ISE-1
W10PC-Corp
vWLC
ISE Profiling CLI Commands
Command Description
Command used to observe the act of Profiler Feed

Service actions being written to the log.
In this task, you will enable and configure profiling in Cisco ISE.
Activity Procedure
Verification of Endpoint Data
To configure profiling in Cisco ISE, access the Cisco ISE Work Centers to view the
necessary steps to prepare, define, and monitor your profiler service configuration.
Step 1 From the Admin PC, navigate to Work Centers > Profiler > Overview to view
the required configuration steps that are needed to enable and configure the
profiler service.

Step 2 In the lab, network devices and active directory configuration were done in
previous labs. Also, some preparation is required in this lab environment before
enabling the Profiler service. On your Admin PC in the Cisco ISE admin portal
navigate to Work Centers > Profiler > Endpoint Classification.
Step 3 Observe the endpoint assigned the Android Tablet endpoint profile. Scroll to the
right in the device list and observe which fields are present and which are not.
Step 4 Select the Android tablet endpoint and click Edit, click Attibutes and observe
the attribute list data.
Note Notice that the assigned EndPointSource Radius Probe

MatchedPolicy is Android. This is the inherent HTTP profiling which automatically
profiles based on basic data received from the OUI and the HTTP data received at any
ISE portal.

Clean Endpoint data from ISE before Enabling Profiling
Step 6 From the list identify your Pod##-guest SSID.
Step 7 At the bottom right, click FORGET to clear any previous cached settings or
credentials
Step 8 Return to the Cisco ISE Admin Portal on the Admin PC
Step 9 Navigate to Work Centers > Profiler > Endpoint Classification.
Step 10 Select the Tablet and then Delete it using the toolbar. Confirm Yes to delete.
Enable Profiling Service
Step 11 Navigate to Administration > System > Deployment (Or Work Centers >
Profiler > Deployment).
Step 12 In the right pane select your ISE node to edit it.
Step 13 At the bottom under Policy Service, select the Enable Profiling Service.
Step 14 In the right pane, observe that the Profiling Configuration became available after
selecting the Enable Profiling Service feature. Select the Profiling
Configuration.
Step 15 Enabled the following probes:
DHCP
HTTP
RADIUS
Network Scan (NMAP)
SNMPQUERY
Step 17 Click OK on the pop-up window notifying you of the Policy Service persona
change.
Step 18 After a few minutes log back into the ISE admin portal using the credentials
Admin / 1234QWer. You can check the status from the ISE CLI with the
command, show application status ise, and noticing the Application Server
status.
You have observed the default profile information of an important
You have deleted the endpoint from Cisco ISE.
You have enabled the Profiler Service.

In this task, you will enable and configure notification settings for the Cisco Profiler Feed
Service. You will also force a manual update.
Activity Procedure
Step 1 In the ISE admin portal, navigate to Administration > Feed Service > Profiler
(Or Work Centers > Profiler > Feeds).
Step 2 Select the checkbox for Enable Online Subscription Update, if not checked.
Step 3 Read the notification and click OK.
Step 4 Enable notification when a download occurs and use the email address
admin@demo.local

Step 6 Test the connection to feed service. Click the button Test Feed Service
Connection.
Step 7 Now click the Update Now button.
Step 8 Click Yes on the pop-up.
Step 12 You should briefly see a Server Response in the lower right-hand corner that
indicates the FeedService was successfully started.
Note The update process will take some time. At least 30-45 minutes.
Tip You can verify the operation of the Feed Service operations via the ISE console by using
the following command:
ise-1# show logging | include FEED
Tip Lines with FEEDMANUALDOWNLOAD are logs generated from a manual Update Now
process.
Tip Lines with FEEDAUTOMATICDOWNLOAD are logs generated from the scheduled
process.
Step 9 Continue to the next task.
You have successfully enabled the Cisco ISE Profiler Feed Service

In this task, you will modify the NAD definition configuration for profiling in Cisco ISE.
Activity Procedure
Configure Cisco ISE NAD configuration for Profiling
Step 1 Navigate to Administration > Network Resources> Network Devices (Or
Work Centers > Network Access > Network Ressources > Network Devices).
Step 2 Click the 3k-access switch to edit the NAD profile.
Step 3 Configure the following settings:
Attribute Value
SNMP Settings Enabled
SNMP Version 2c
SNMP RO Community
Polling Interval 600
Link Trap Query Unchecked
MAC Trap Query Unchecked
Step 4 At the bottom of the section set the Originating Policy Services Node to ise-1.
Tip While not a mandatory step in the lab topology with a single ISE node, the practice of
setting the Originating Policy Service Node for SNMP profiling operations to the node
closest to the NAD is a best practice and tuning configuration. Especially in a larger or
geographically dispersed ISE deployment.

Step 6 Return to the list of Network Devices.
Step 7 Perform the same modification using the same values to the pod vWLC.
Modify Profiler Configuration
Step 8 Navigate to Work Centers > Profiler > Settings in the left pane select Profiler
Settings.
Step 9 Modify the Profiler Configuration according to the following table:
Attribute Value
CoA Type Reauth
Change custom SNMP community strings
Confirm change custom SNMP community strings
EndPoint Attribute Filter Disabled

Enable Anomalous Behaviour Detection Disabled
Enable Anomalous Behaviour Enforcement Disabled
Enable Custom Attribute for Profiling Enforcement Disabled
Step 10 Click Save.

Verify Profiler Exception Action
Step 11 Navigate to Work Centers > Profiler > Policy Elements and in the left pane
select Exception Actions.
Step 12 Click FirstTimeProfile to view the action details.
Step 13 Observe that the COA Action is to Force COA. This occurs, when an endpoint
s profile for the first time.
Note This is the default action for all the Cisco provided exception actions.
You have modified the NAD configuration for SNMP polling.
You have observed the default profile configuration and enabled the HTTP probe.
You have modified the profiler configuration to enable CoA and modify the default
SNMP string to .
You have observed the profiler exception actions.

In this task, you will verify the profiling configuration on your pod WLC and 3k-access
switch. Your pods NADs are already preconfigured.
Activity Procedure
Step 1 On your Admin PC in Firefox, open a new tab.
Step 2 Click the vwlc bookmarking in the toolbar.
Step 3 Login with the credentials Admin / 1234QWer.
Step 4 Navigate to the WLANs tab.
Step 5 Click WLAN ID 1.
Step 6 Click the Advanced tab.
Step 7 Scroll down to the right-hand side section Radius Client Profiling.
Step 8 Verify both DHCP Profiling and HTTP Profiling are enabled.
Step 9 Click Apply at the top and click OK to the pop-up message.
Step 10 Click the < Back button.
Step 11 Verify the same configuration on your other WLANs (2 & 3).
Step 12 Return to the ISE Admin Portal tab.
Step 13 Access your 3k-access switch.
Step 14 Run the following commands to see the preconfigured SNMP configuration.
Note You may notice that the switch is configured for SNMP trap functionality. The switch
configuration is used for multiple classes. Some of which use the SNMP trap
functionality. Since the switch is preconfigured, if you desire to explore this functionality
after your lab is complete, all you would need to do is enable the SNMP trap probe and
enable the trap query functionality in your Cisco ISE NAD SNMP definition.
Step 15 Run the following command to see the preconfigured ip helper-address

configuration for the ACCESS VLAN 10, and GUEST VLAN 50, that send
DHCP packets to both the DHCP server, and the ISE node.
Step 13 Enable interface GigabitEthernet1/0/2 with a no shutdown command to

prepare it for the next Lab.
You have verified the WLC WLAN configurations for DHCP and HTTP profiling.
You have verified the 3k-access configuration for SNMP and DHCP profiling.

In this activity, you will configure the Cisco ISE Profiler service to use profiling data to
make policy determinations. You will examine profiled endpoint data, create logical profiles,
and use that profile as an identity condition for authorization policy. Finally, you will create a
custom profiler policy based on observed endpoint data.
In this activity, you will configure the Cisco ISE profiler service to use profiling data to
make policy determinations. After completing this activity, you will be able to meet these
objectives:
Examine Endpoint profiled data
Create a Logical Profile
Utilize a Logical Profile as an Identity condition for authorization policy selection
Create a custom profiler policy based on observed endpoint data.
Admin PC
ISE-1
AD1
W10PC-Corp
vWLC
In this task, you will examine the collective endpoint data since turning profiling on Cisco
ISE.
Activity Procedure
Step 1 On your Admin PC in the Cisco ISE Admin portal navigate to Work Centers >
Profiler > Endpoints Classification (Or Context Visibility > Endpoints).
Step 2 Observe the list of endpoints that have been learned since the enabling profiling.
You may have more than one page to view, and other pages can be viewed. Use
the arrows in the upper right near the Rows, Page column to view more pages.
Also, you can sort on any heading in either ascending or descending order.
Step 3 Click the endpoint profile for the Cisco-WLC endpoint.

Step 4 Observe the indicated attributes for this endpoint and that the EndPointSource is
the SNMP Query Probe. If you scroll down, you also observe CDP related
attributes as indicated in the second screenshot.

Step 5 Return to the Endpoint List.
Profile your pod Guest PC
Step 6 Access your W7PC-Guest.
Step 7 Log in with the credentials Administrator / 1234QWer.
Step 8 On the desktop double-click the Win7-Guest PC Network Connections icon or
alternately open the Control Panel and select View network status and tasks
under the Networking and Internet section. Click Change adapter settings.
Step 9 Observe the Win7pc-Guest-wired NIC is disabled.
Step 10 Enable the Win7pc-Guest-wired.

Step 11 Wait a moment for the NIC to come up.
Step 12 Right-click the NIC and choose Status.
Step 13 Click the Details button.

Step 14 Your machine should have an IP address in the 10.1.50.x network. Record the
Physical Address (MAC Address) below.
Physical Address:
Step 15 Close all open dialog boxes.

Step 16 Return to your admin PC and on your list of endpoints click the refresh button.
Step 17 You should now have at least one Microsoft-Workstation or VMware Device
endpoint profile added to your list.
Step 18 You should also see the Hostname and IP Address for this record in the list.
Step 19 Edit this endpoint profile to observe the endpoint attribute data.
Step 20 Observe that the attribute list contains much more data than seen before for other
endpoints. Pay particular attention to the following list of attributes:
EndPointSource
IdentityGroup
MatchedPolicy
NAS-Port-Id
OUI
Total Certainty Factor
client-fqdn
dhcp-class-identifier
host-name
Step 21 Return to the Endpoint List.
Step 22 Disable the NIC on the W7PC-guest again.
You have observed the endpoint data that was automatically discovered via your profiler
configuration of the previous lab.
You have brought online your pod Guest PC and observed the endpoint data associated
with its automatic profiling upon coming on to the network.

In this task, you will create a logical profile that will be utilized in a future authorization
policy.
Activity Procedure
Step 1 In the ISE Admin portal, navigate to Work Centers > Profiler > Profiling
Policies and then in the left pane select Logical Profiles.
Step 2 In the right pane click the +Add button.
Step 3 Create the following Logical Profile:
Attribute Value
Name Approved_Smart_Devices
Description Devices on the corporate approved Smart Devices list
Assigned Polices mark all available Android-
You have created a logical profile for corporate approved smart devices.
In this task, you will create an authorization policy assigning the previously configure
logical profile to a fixed authorization profile.
Activity Procedure
Step 1 In the ISE Admin portal, navigate to Work Centers > Profiler > Policy Sets
and enter the Wireless_Access policy set.
Step 2 Click the gear icon on the right to insert a new policy above the Guest Access
policy.
Smart Devices Authorization Policy
Attribute Value
Rule Name Smart Devices

Conditions EndPoints:LogicalProfile EQUALS Approved_Smart_Devices
conditions
Results (Profiles) Guest Access
You have configured a Smart Devices authorization policy using the logical profile
corporately approved devices.

In this task, you will create a custom profile policy for your pod vWLC. .
Activity Procedure
Step 1 In your Cisco ISE admin portal navigate to Work Centers > Profiler >
Endpoints Classification.
Step 2 Find the VMWare-Device for your pod vWLC. The IP address is 10.1.100.61. It
is possible that you may have a VMWare-Device (Endprofile Cisco-WLC)
without an IP address. Try that endpoint.
Step 3 Observe the following endpoint attribute data. You will be using this data to
create a custom policy to automatically profile your pod vWLC.
Step 4 Navigate to Work Centers > Profiler > Profiling Policies.
Step 5 Click the +Add button in the right pane of Profiling Policies.
Step 6 Create the following policy. Verify your configuration with the screenshot before
submitting.

Cisco vWLC Profiling Policy
Attribute Value
Cisco-vWLC
Policy to detect Cisco vWLC
100
VMWare-Device
SNMP:sysDescr EQUALS Cisco Controller

AND
SNMP:sysObjectID EQUALS 1.3.6.1.4.1.9.1.1631
100

Step 8 Return to Work Centers > Profiler > Endpoints Classification.
Step 9 In your Endpoints list you should now see an endpoint that has been assigned the
Cisco-vWLC endpoint profile. It may be necessary to click the refresh button in
the upper right of the list.
Step 10 Edit this endpoint.
Step 11 Observe the IdentityGroup has been set to Cisco-vWLC. This can now be
utilized in Authorization policies to assign specific authorization profiles if
desired.
Note Due to time constraints you will not be performing the task of setting an authorization
policy using the Identity Group. The process would be similar to when you created a
policy using the Logical Profile. Instead of creating a Condition you would utilize Identity
Groups selecting the Cisco vWLC Identity Group.
You have identified endpoint profile data that can be utilized to create a profile policy.
You have created a custom profile policy utilizing the data.
You have observed your custom profile policy being applied to your pod vWLC.

In this task, you will access the network with your Tablet and makes the previously
configured Smart Devices authorization policy.
Activity Procedure
Step 1 Access your pod Tablet.
Step 3 If you are still connected to any Pod## SSID, select it and click FORGET in
order to clear any previous cached settings or credentials.
Step 5 Navigate to Work Centers > Profiler > Endpoints Classification.
Step 6 Search for the Tablet by typing Android into the Endpoint Profile Search field.
Step 7 Select and then Delete (Trash > Selected) the Android using the toolbar.
Confirm Yes to delete.
Step 8 Go to your pod vWLC tab and remove all clients. (Monitor > Clients)
Step 10 Click the ##-guest SSID for your pod.
Step 11 Open a browser and trigger the webauth by browsing to 1.1.1.1.
Step 12 Sign On with the credentials employee1@demo.local / 1234QWer.
Step 13 Return to the ISE Admin Portal and navigate to Operations > Radius > Live
Log and observe the authentication records.
Step 14 Observe that the employee1 login was assigned the Guest Access Authorization
Profile.
Step 15 Click the authentication details for this record.
Step 16 Scroll down to the Other Attributes section and observed the LogicalProfile
attribute.
Note If you receive the Device ID instead of the Logical Profile that is a known bug in the ISE
2.4.
Step 17 Click Authentication in the top of the Window. Scroll up and observe the Steps
section. Look for the following two step entries towards the end, 15048 and
15004.

Step 19 Navigate to Work Centers > Profiler > Endpoints Classification.
Step 20 Find and click the Tablet Endpoint Profile name or select the checkbox and click
Edit it in the toolbar.
Step 21 Observe the LogicalProfile assigned.

Step 22 Click Authentication in the top of the Window. Scroll up and observe the Steps
section. Look for the following two step entries towards the end, 15048 and
15004.
Step 23 This same information can also be found from the Home tab and selecting Active
Endpoints or Authenticated Guests. If time permits, take some time to explore
this resource as well by clicking either location, and examining the options, and
information available to you.
Discussion
The policy you just configured is a hardware-based policy. As you can see from the previous
task steps, the employee1 user logging into a smart device was given Guest Access instead of
Wireless Employee Access. At this point in time if the smart devices policy was truly an
exclusive approved list of devices that was allowed to access the network, you could use the
Approved_Smart_Devices logical profile as an additional condition for each wireless
authorization policy. By adding this as an additional condition to the employees, contractors,
an
network. Only successfully profiled hardware that matches the individual or component
polices of the Logical Profile would be permitted.
Remember also, that policies are evaluated in a top-down order. This policy was purposely
placed near the top to exemplify this fact. It is important to always consider context-based
attributes or information when creating policies.
Due to limited lab time in this five-day class, you will not be configuring your policies as
such. In the next steps, you will disable the Smart Devices authorization policy for simplicity
and time sake
Disable the Logical Profile Authorization Policy
Step 24 Navigate to Work Centers > Profiler > Policy Sets and enter the
Wireless_Access policy set.
Step 25 Disable the Smart Devices authorization policy rule.
Step 26 Confirm that your policy is disabled and matches the following screenshot.
You have successfully connected to the network via your pod Tablet and matched
authorization policy utilizing the Profiling Logical Profile condition configure earlier
in this lab.
You have observed a Guest Access authorization profile assigned to an employee based
on this rule.
You have read the Discussion section of this task.
You have disabled the Authorization Policy which utilizes the Profiling Logical
Profile condition.

In this activity, you will run reports that focus on profiling data. After completing this
Run Profiler Feed Reports
Run Endpoint Profile Changes Reports
Run Profiled Endpoints Summary Report
Run profiling based reports from the Cisco ISE Dashboard
Admin PC
ISE-1
AD1
W10PC-Corp
vWLC
In this task, you will run reports based on profiling data gathered in previous labs.
Activity Procedure
Step 1 In the ISE admin portal, navigate to Work Centers > Profiler > Feeds.
Step 2 Verify in the Update Information and Options section that a Latest applied feed
occurred.
Note If you have no timestamp indicating a successful update operation, you may have to
perform these steps at a later time. Please notify your instructor but your pod does not
have a timestamp.
Step 3 Click the Go to Update Report Page link as indicated in the above screenshot.
This will automatically run the Change Configuration Audit report from the
FeedService administrator.
Note Oops. Something went wrong

in the ISE 2.4. Skip the next steps and jump to Task2.
Step 4 Observe the details of the Added and Changed configurations. If you see no
entrys, click the Update Now from the Feed Service Configuration page again.
Step 5 Click one of the Added configuration (if available) event hyperlinks.
Step 6 Observe the details paying specific attention to any Object Names and the data in
the Modified Properties.
Step 7 Close this tab and return to the Change Configuration Audit report tab.
Step 8 Click one of the Changed configuration event hyperlinks.

Step 9 Observe the details for this event.
Step 10 Close this tab and then close the Change Configuration Audit report tab.
Step 11 Open Thunderbird.
Step 12 Navigate to the inbox of the admin@demo.local account and find the ISE System
Message: Feed OUI applied update email and open it.
Step 13
Note upon the date of your class. This is an

indication of further updates since the above screenshot.
Step 14 Return to the Inbox and open the ISE System Message: Fee policies applied
update email.
Step 15 Observe the number of feed policies applied.
Note Your number of policies may vary depending upon the date of your class. This is an
indication of further updates since the above screenshot.
Step 16 Return to the ISE Admin Portal.
You have observed the Feed Service updates and changes.
You have observed the email reports generated by the Feed Service.
In this task, you will run reports that are related to profiled endpoints.
Activity Procedure
Step 1 Navigate to Work Centers > Profiler > Reports.
Step 2 In the Reports pane navigate to Profiler Reports > Endpoint Profile Changes.
Step 3 Filter the report using the Time Range of Last 7 Days.
Step 4 Compare the Endpoint Profile (Before) pie chart to the Endpoint Profile
(After) pie chart and observe the additional data as a result of enabling profiling.
Step 5 Scroll down to view a list of the Endpoint Profile Changes.
Step 6 Click a record detail to see which probe ran that caused the change.
Step 7 Return to the ISE Admin portal when done.
Profiled Endpoints Summary Report
Step 8 In the Reports pane navigate to Profiler Reports > Profiled Endpoint
Summary.
Step 9 Filter the report using the Time Range of Last 7 Days.
Step 10 Observe the Details and then the Raw details of a record.
Step 11 In the Raw details report page, click one of the Endpoint property hyperlinks and
observe the additional level of detail available in the pop-up message.
Step 12 Return to the ISE Admin portal when done.
Run Endpoint Profile Changes and Summary reports, and observe the data that is
contained in those reports.

In this task, you will view the metrics available via the Context Visibility feature in the Cisco
ISE admin Portal.
Activity Procedure
Step 1 Navigate to the Context Visibility > Endpoints > Endpoints Classification tab.
Step 2 In the ENDPOINTS dashlet, click the new window icon to detach, and open the
dashlet in a new tab, to drill down for further details.
Step 3 In the new ENDPOINTS dashlet tab, click the Profile link to observe all profiled
endpoints that ISE has seen.
Step 4 By hovering your mouse over any individual section of the circle graph, ISE will
display the number of devices per that category.
Step 5 Similarly, the Home > Summary > Endpoints page will display the same
information, and other summary information. Both Context Visibility and Home
pages can be customized to meet your needs. You can add new Dashboards, or
Dashlets, by clicking the gear icon in the upper right corner of the pane.
Step 6 Close all newly opened tabs and return to the ISE Admin portal when done.
You have run the Profile Feed report.
That you have on Endpoint Profile Changes report
You have run the Profile Endpoints Summary report.
You have observed metric the date on the homepage and run a report from the Profiler
Activity dashlet.

In this activity, you will configure Cisco ISE for BYOD onboarding. You will start by
creating e a customized My Device portal. Next, you will how Cisco ISE can dramatically
reduce your operational overhead. You will configure a scenario in which certificates are
automatically provisioned, via the Cisco ISE internal CA. These certificates will be deployed
via a Native Supplicant Provisioning profile, which you will define. You will configure a
certificate authentication profile, and this profile will use attributes from internally deployed
CA certificates. With all this in place, you will configure Cisco ISE authentication and
authorization policies for BYOD access. You will then use this configuration to onboard a
mobile BYOD device.
In this activity, you will configure Cisco ISE for BYOD on boarding. After completing this
Create a customized My Device portal
Configure Cisco ISE to provision certificates via the internal CA and deploy those
certificates via a Native Supplicant Provisioning profile
Configure a certificate authentication profile that utilizes the attributes from the
internally deployed CA certificates
Configure Cisco ISE authentication and authorization policies for BYOD access
Onboard a mobile BYOD device
Admin PC
ISE-1
AD1
W10PC-Corp
vWLC

In this task, you will create a customized My Devices portal for employee device
management.
Activity Procedure
Portal Enablement
Step 1 Navigate to Work Centers > BYOD > Overview. Take a moment to review the
three major phases of BYOD configuration Prepare, Define, Go Live &
Monitor.
Step 2
My
Devices Portals via Work Centers > BYOD > Portals & Components > My
Devices Portal, or via Administration > Device Portal Management > My
Devices.
Step 3 In the right pane click Create.
Step 4 Create the following portal.
My Devices Portal Settings and Customization
Attribute Value
Portal Name Demo My Devices
Description Device Portal for Demo Employees
Portal Settings
HTTPS Port 8443
Allowed interface Gigabit Ethernet 0
Fully qualified domain name (all FQDN) mydevices.demo.local
Authentication method MyDevices_Portal_Sequence
Idle timeout 10
Login Page Settings

limiting
Included Post Login Banner page [X]
Employee Change Password Settings
Allow internal users to change their own [ ]

passwords

[ X ] IP address
[ X ] Policy server
[ X ] Failure could
Step 5 Scroll up and click Save and then Close.
Tip Enabling the Support Information feature is an easy way to provide the end user with a
place to go to see their MAC address. Consider using some of the instructional or
optional fields on the My Devices and Add Devices page or others to provide this
information to the end user.
Note Later in the lab we will also be using a BYOD portal. For-time sake we will use the Cisco
default portal. If you want, you may optionally customize that portal by adding the same
images as above and saving the portal.
Portal Authentication Modification

Step 6 Navigate to Work Centers > BYOD > Identities > Identity Source Sequences.
Step 7 Edit the MyDevices_Portal_Sequence
Step 8 Move the All-AD-Join_Points to the top of the list in the Authentication Search
List Selected box in order to optimize processing since most user accounts who
will be using this feature are located in Active Directory

Portal Authentication Test
Step 10 Return to Work Centers > BYOD > Portals & Components > My Devices
Portals and edit the Demo My Devices portal.
Step 11 At the top to the right of the Description field click the Portal test URL.

Note If Firefox returns an error, please access the portal with Internet Explorer
Step 12 You should see the My Devices Portal but you previously configured.
Step 13 Login with the Active Directory user credentials employee1@demo.local /

1234QWer
Step 14 Accept the AUP and click Sign On.
Step 15 Then press Continue.
Step 16 You have successfully logged into the My Devices Portal using Active Directory
credentials.
Step 17 Return to your Cisco ISE Admin portal.
You have created a custom My Devices portal for Demo employees.
You have optimized the portal Authentication sequence processing by configuring it to
process AD accounts first.
You have reviewed the customized My Devices via a desktop browser.

In this task, you will configure certificate provisioning using the internal CA functionality
Cisco ISE. You will then configure a supplicant provisioning policy utilizing that internal
CA provisioning configuration.
Cisco ISE comes with a default certificate template which could be used for BYOD. You
will use that default certificate template with a few modifications that are specific to this
deployment.
Note It is important that any time a default template is used, it is modified to fit the specific
installation environment.
Activity Procedure
Certificate Provisioning
Step 1 In your Cisco ISE admin portal, navigate to Administration > System >
Certificates and then in the left pane select Certificate Management > Trusted
Certificates.
Note There are some trusted third party CA certificates existing. If you need other CA
certifiactes, you can import certificates in these section.
Step 2 In the left pane select Certificate Management > Certificate Signing Requests.
Step 3 Click Generate Certificate Signing Requests (CSR).
Step 4 Select ISE Root CA as the Usage
Step 5 Click Replace ISE Root CA Certificate chain.

Step 6 Wait until Generation has finished.
Note Your ISE implies all CA functions and will act as the root CA, Node CA, endpoint sub CA
and OSCP responder CA.
Step 7 Observe Root CA certificate and the sub certificates generated.
Step 8 In your Cisco ISE admin portal, navigate to Work Centers > BYOD > Portals
& Components and then in the left pane select Certificates > Certificate
Templates.
Step 9 Edit the EAP_Authentication_Certificate_Template.
Step 10 Modify the template according to the following table. Verify configuration with
the subsequent screenshot.
Note In this configuration, you will be configuring the OU to be the distinguishing attribute that
will store the functional purpose of the certificate inside each certificate that is issued. By
performing the step, an Authorization Policy rule could be configured with a condition to
match this attribute and then apply the appropriate authorization profile.
BYOD EAP Authentication Certificate Template

Parameter Description
Name BYOD_EAP_AUTH_365
Description BYOD certificate template for approved Demo access
Organizational Unit (OU) BYOD
Organization (O) The Demo Shop
City (L) San Jose
State (ST) California
Country (C) US
Subject Alternative Name MAC Address
Key Type RSA
Key Size 2048
SCEP RA Profile ISE Internal CA
Valid Period 365

Step 11 Scroll down and click Save
Client Provisioning and Native Supplicant Provisioning

Step 12 Navigate to Work Centers > BYOD > Client Provisioning.
Step 13 Create a new policy rule in the top of the policy according to the following table.
You will be creating a new Native Supplicant Profile (NSP) in line. Perform the
instructions after the table for the creation of the NSP. Insert the new rule in the
top of the policy.
iOS_WPA2_BYOD Client Provisioning Policy Rule
Attribute Value
Rule Name Android_WPA2_BYOD
Identity Groups Any
Operating Systems Android
Other Conditions demo.local:ExternalGroups EQUALS demo.local/Users/Domain Users
Results Android_WPA2_TLS_BYOD <See below>
Inline Native Supplicant Profile Procedure
Step Action Notes
1. Expand Results.
2. Click the down selector icon to Choose a Wizard Profile.
3. Click the cog in the toolbar area.
4. Select Create New Profile.
5. Create a Native Supplicant Profile using the following data. It is important that your
Name Android_WPA2_TLS_BYOD pod SSID (##-wpa2e)
match what is exactly
Description Pod ## BYOD NSP configured for your pod.
Operating System Android Having your WLC portal
open in a separate tab
Connection Type Wireless and performing a
SSID ##-wpa2e copy/paste from there is
Security WPA2 Enterprise the most reliable method.
Allowed Protocol TLS Pod 00 is used to make
the screenshot generic.
Certificate Template BYOD_EAP_AUTH_365 Replace 00 with your
actual pod number.
6. Click Save.
Step 14 Click Save.

Step 15 Compare your configuration with the following screenshot.

Step 16 Scroll down and click Save
You have configured a Certificate Template for BYOD access.
You have configured the Client Provisioning rule using an in-line created NSP specific
for your pod SSID and assigning the BYOD certificate template.
In this task, you will configure the policy components for BYOD access.
Activity Procedure
Certificate Authentication Profile Creation
Step 1 Navigate to, to Work Centers > BYOD > Ext Id Sources > Certificate
Authentication Profile.
Step 2 In the right pane, click +Add to create a Certificate Authentication Profile
according to the following information.
Certificate Authentication Profile
Attribute Value
Name CN_USERNAME
Description Subject contains CN=username
Identity Store [not applicable]
Use Identity From Subject Common Name
Match Client Certificate Against Never

Certificate In Identity Store
Step 3 Verify your configuration with the following screenshot then click Submit.
Identity Source Sequence Creation

Step 4 Navigate to Work Centers > BYOD > Identities > Identity Source Sequences.
Step 5 Click +Add to create an Identity Source Sequence according to the following
information.
Identity Source Sequence
Attribute Value
Identity Source Sequence
Name DOT1X_X509_Username
Description ISS to get username from certificate

Attribute Value
Certificate Based Authentication
Select Certificate Authentication Profile CN_USERNAME
Authentication Search List
Selected All_AD_Join_Points
Internal Users
Guest Users
Advanced Search List Settings
If the selected identity store cannot be Treat as if the user was not found and proceed to the
access for authentication next or in the sequence
Step 6 Verify your configuration with the following screenshot then click Submit.
Allowed Protocols Review
Step 7 Navigate to Work Centers > BYOD > Policy Elements > Results > Allowed
Protocols,
Step 8 In the right pane, click Default Network Access.
Observe that EAP-TLS and PEAP with an inner method to EAP-TLS are both
allowed. This is sufficient for this access use case (TLS client certificate-based
access).
Tip - low EAP-
flexibility. Enabling this feature by itself weakens the security that is inherent in the
expiration process of X.509v3 certificates. However, Cisco ISE has a dictionary
condition, CertRenewRequired, which could be used in an Authorization Policy near the
top or as a Global Exception policy, which evaluates the expiration of the certificate and if
it is expired, can be used to apply an Authorization Profile that redirects to the CWA
portal. Hovering your mouse over the (i) icon at the end of the line will pop-up a message
indicating this as shown in the following screenshot.
Authentication Policy Configuration

Step 9 Navigate to Work Centers > BYOD > Policy Sets and then Wireless_Access >
Authentication Policy.
Step 10 Clone the Dot1X authentication policy rule by clicking on the gear icon at the
far right. Select from the menu Duplicate above.

Step 11 Modify the rule with the following parameters.
Authentication Policy Rule
Attribute Value
Name DOT1X_EAP_TLS
Condition Wireless_802.1X AND

Network Access:EapAuthentication equals EAP-TLS
Use DOT1X_X509_Username
Options
If authentication failed Reject
If user not found Reject
If process failed Drop
Step 12 Compare your rule with the following screenshot.
Authorization Profile Configuration
Step 14 Navigate to Work Centers > BYOD > Policy Elements > Results >
Authorization Profiles.
Step 15 Create and Save the two following Authorization Profiles.
WLC Native Supplicant Provisioning Authorization Profile
Name WLC_NSP
Common Tasks
Web Redirection Native Supplicant Provisioning

ACL: NSP_ACL
Value: BYOD Portal (default)
WLC User Access Authorization Profile

Name WLC_User Access
Common Tasks
Airespace ACL Name USER_ACL
Authorization Policy Configuration

Step 16 Navigate to Work Centers > BYOD > Policy Sets and then Wireless_Access >
Authorization Policy.
Step 17 Insert the two following authorization policy rules in the top of the authorization
policy.
BYOD NSP Authorization Policy
Attribute Value
Rule Name BYOD NSP
Network Access:EapAuthentication EQUALS EAP-MSCHAPv2

Conditions
AND
conditions) demo.local:ExternalGroups NOT_EQUALS
demo.local/Users/Domain Computers
Results (Profiles) WLC_NSP

BYOD Access Authorization Policy
Attribute Value
Rule Name BYOD Access
Network Access:EapAuthentication EQUALS EAP-TLS

Conditions
AND
conditions) CERTIFICATE:Subject Alternative Name EQUALS Radius:Calling-
Station-ID
Results (Profiles) WLC_User Access
Caution Be sure to select RADIUS attribute 31 instead of 30. Attribute 31 will give you the MAC
address of the endpoint whereas attribute 30 will give you the MAC address of the NAD.
Radius:Calling-Station-ID--[31] instead of
Radius:Called-Station-ID [30]

Step 19 Compare your configuration with the following screenshot.
You have configured a certificate authentication profile that will use the subject
common name as the username.
You have configured in identity source sequence that utilizes the certificate
authentication profile.
You have reviewed the allowed authentication protocols to see that they allow EAP-
TLS.
You have configured authentication policy which matches certificate authentication and
uses the source sequence which you have configured.
You have configured authorization profiles to provision the certificate using NSP and to
permit BYOD access.
You have configured two authorization policy rules for NSP and for BYOD access.

In this task, you will login to the Tablet as an employee to perform the BYOD registration.
You will then connect with the provisioned configuration and deployed certificate.
Activity Procedure
Endpoint Cleaning from Previous Labs
Step 1 Access your Tablet according to your lab specific instructions.
in troubleshooting.
Step 2 Navigate using your mouse to WLAN.

Step 3 Click the saved/connected SSID(if any applicable) and at the bottom right, click
FORGET in order to clear any previous cached settings or credentials.
Step 5 Navigate to Work Centers > BYOD > Identities and then in the left pane select
Endpoints.
Step 6 Select the Tablet, if present and then delete it using the toolbar. Confirm Yes to
delete.
Step 7 You may have to manually clear the client from the WLC if you perform these
steps quickly. As the WLC holds or caches association sessions to handle Wi-Fi
signal disruptions and roams.
Tablet Onboarding
Step 8 Access the Tablet.
Step 9 Access the ##-wpa2e SSID for your pod. Log in using the credentials
employee1@demo.local / 1234QWer.
Step 11 If you are not automatically redirected to the ISE BYOD portal, trigger it by
typing 1.1.1.1, for example.
Step 12 Process through the BYOD portal process by clicking Start.
Step 13 Enter the device name employee1_Tablet in the description My Tablet. Also
observe that the Device ID or MAC address is included on the bottom.
Step 14 Click Continue.

Step 15 DO NOT CLICK
Note The Cisco Network Setup Assistant has been preinstalled on the Tablet.
Step 16 Examine the page. For Android devices a Cisco proprietary application is needed
to perform the automatic profile and certificate installation process.
Step 17 On the Tablet press the Home button, then in the main view locate and open the
Cisco App Network Setup Assistant.
Step 18 Click Start inside the Network Setup Assistant and observe the provisioning
procedure. Click PROCEED and CONNECT, if prompted.
Step 19 If prompted, enter the Tablet PIN 1234.
Step 20 When presented with the certificate package for the user, leave all defaults and
click OK.
Step 21 When presented with the root certificate, leave all defaults and click OK.
Step 22 After the Cisco Network Setup Assistant downloaded and installed everything
successfully, you will be automatically connected to SSID from the configured
profile (##-wpa2e) and presented with the following seen left in the screenshot.
Step 23 Click Exit, open the browser and verify browsing to the Internet, e.g. cisco.com
is working.
Step 24 In your Tablet navigate to Settings > Security > Trusted Credentials.
Step 25 Under the section USER you should see the root-CA certificate, which you can
examine by clicking, seen right in the top screenshot.

Cisco ISE Admin Portal Verification
Step 27 Navigate to Operations > RADIUS > Live Logs and observe the authentication
records.
Step 28 Enter Android in the quick Filter Endpoint Profile for better verification.
Step 29 Observe the following Logs.
Step 30 Click the Details icon for the record that was assigned the Authorization Profile
WLC_User Access.
Step 31 Observe the Overview section and notice the indicated sections below.
Step 32 Examine the Steps section and towards the bottom observe the 15048 messages
indicating the EAP authentication and the querying of the Subject Common
Name and the MAC address as the Radius Calling-Station-ID.
Step 33 Close this tab and return to the Cisco ISE admin portal.
Step 34 Navigate to Work Centers > BYOD >Identities > Endpoints.
Step 35 Find the Tablet MAC address and click the MAC address in this list.
Step 36 Find the DeviceRegistrationStatus is Registered and BYODRegistration is Yes
indicating the Tablet status is an endpoint.
Step 37 If the Device Registration says Pending, this is unfortunately a know bug.
Step 38 Scroll down to the Subject attribute lines. Observe the certificate details paying
particular attention to the Subject Common Name values.
Step 39 Return to the Cisco ISE admin portal and navigate to Administration > System
> Certificates > Certificate Authority > Issued Certificates.
Step 40 Select the endpoint certificate which has been deployed to the employee1 Tablet,
click View in the toolbar and examine the details.
Note Use Google Chrome Browser, if the certificate details are not showing up correctly!

Tip If you scroll to the bottom you will see a SHA-1 and MD5 hash fingerprints. This could be
useful for helpdesk operator to be able to verify a certificate with the user over the phone,
for example.
Step 41 Click Close.
You have successfully onboarded your pod Tablet and verified access according to the
task steps.
In the previous lab, you learned how to configure a BYOD solution. In this activity, you
will learn how to manage that solution. The focus is on how to mark a device lost, and then
stolen.
You will examine Cisco ISE to see how the endpoint is processed for each of these
situations. You will then reinstate a lost or stolen device. You will also process an endpoint
for re-enrollment after a certificate has been revoked.
In this activity, you will perform the steps to mark a device lost and then stolen. You will
examine Cisco ISE to see how the endpoint is processed for each of these situations. After
Mark a device as lost
Mark a device is stolen
Reinstate a lost or stolen device
Process and endpoint for reenrollment after a certificate has been revoked
Admin PC
ISE-1
AD1
W10PC-Corp
vWLC

In this task, you will mark an on-
Activity Procedure
Configure a local Exceptions Policy for the Blacklist devices
Step 1 Navigate to Policy > Policy Sets > Wireless_Access > Authorization Policy
Local Exceptions.
Step 2 Click the + symbol to insert a new exception policy.
Authorization Policy Local Exceptions
Attribute Value
Rule Name Blacklist

Conditions IdentityGroup:Name equals Endpoint Identity Group:Blacklist
conditions
Results (Profiles) Blackhole_Wireless_Access
Step 3 Click Save.

Updating the Blacklist Portal to use Configured Certificate Group Tag
Step 4 Navigate to Administration > Device Portal Management > Blacklist.
Step 5 Edit the Blacklist portal (default).
Step 6 Change the certificate of the group tag from Default Portal Certificate Group to
ISE Lab CGT.
Step 7 At the top click Save.
Update the Blacklist Authorization profile
Step 8 Navigate to Policy > Policy Elements > Results > Authorization >
Step 9 Edit the Blackhole_Wireless_Access profile.
Step 10 Scroll down and change the world redirect ACL from BLACKHOLE to
BLACKLIST.
Marking a Device as Lost
Step 12 Open a new tab and navigate to the My Devices Portal either using the
yDevices bookmarking in the toolbar or by using the URL
https://mydevices.demo.local
Step 13 Login with the credentials employee1@demo.local / 1234QWer.
Step 14 Click the checkbox to accept to the AUP and then click Sign On.
Step 15 Click Continue.
Step 16 Observed that the status is Registered, else read the following Note.
Note If the device status is still pending, then consider up to 20min for the profiling process.
Tip Shutting the WLAN off and on might trigger the registration status from the tablet.
Step 17 Manage the device by clicking on the record.
Step 18 Click the Lost button.

Step 19 Click Yes to acknowledge that you want to mark the device is lost.
Step 20 Observed that the status is now Lost.
You have marked the employee1 Tablet endpoint as Lost.
Activity Procedure
Step 1 In the Cisco ISE admin portal navigate to Operations > RADIUS > Live Logs.
Step 2 You should already observe an authentication success record for the employee1
Tablet but has the resulting Blackhole_Wireless_Access authorization profile
result. Cisco ISE issued a CoA when the device was marked lost. The device
automatically re-authenticated as it normally would and matched the Wireless
Black List Default authorization policy rule.
Step 3 Return to your Tablet and in a browser navigate to any website ot to 1.1.1.1. You
should be redirected to the blacklist portal automatically.
You have been redirected to the blacklist portal on the Tablet.

Activity Procedure
Step 3 Find the Tablet MAC address and observe the record in this list.
Step 4 Open the detail view for this endpoint.
Step 5 In the upper right search bar type employee1@demo.local.
Step 6 Select employee1@demo.local from the suggestions box.
Step 7 In the search results window, notice Blackhole_Wireless in the text. Click the
record to view the details.
Step 8 Observe that the current status is Authenticated & Authorized and assigned
Blachole_Wireless_Access.

Step 9 Click Endpoint Details at the top.
Step 10 Observe the Identity Group in the Authorization Profile.
Step 11 Close the result box by clicking on the X in the upper right-hand corner.
You verified map the endpoint has been marked Lost.
Activity Procedure
Step 1 On the Admin PC access the previously opened My Devices Portal tab.
Step 2 It is likely that your session has timed out. Login credentials
employee1@demo.local / 1234QWer if necessary.
Step 3 Click Accept to the AUP and then click Continue.
Step 5 Click Reinstate.
Step 6 Click Yes to the pop-up.

Step 7 Observe the device status has been returned to Registered.
You have reinstated the employee1 Tablet and observe the status as Registered.

In this task, you will verify network access after the device was Reinstated.
Activity Procedure
Step 1 In the Cisco ISE admin portal navigate to Operations > RADIUS > Live Logs.
Step 2 You should already observe an authentication success record for the employee1
Tablet but has the resulting WLC_User Access authorization profile result. Cisco
ISE issued a CoA when the device was marked Reinstated. The device
automatically re-authenticated as it normally would and matched the BYOD
Access authorization policy rule.
Step 3 Return to the Tablet and in a browser, navigate to cisco.com. You should be up to
successfully connect to the webpage.
You have observed the proper authorization profile for the registered BYOD device.
You have successfully connected to a webpage.
In this task, you will mark a device as stolen and observe the endpoint and certificate status.
You will then reinstate and then re-onboard device. You will not go through the process of
testing access while marked as stolen in the interest of brevity as you have already tested
blacklisted access a previous task.
Activity Procedure
Marking a Device as Stolen
Step 1 Return to the Admin PC and to the My Devices Portal.
Step 2 It is likely that your session has timed out. Login credentials
employee1@demo.local / 1234QWer if necessary.
Step 3 Click Accept to the AUP and then click Continue.
Step 5 Click the Stolen button.
Step 6 Click Yes to acknowledge that you want to mark the device is still.
Step 7 Observed that the status is now Stolen.
Examining Endpoint Status and Record
Step 8 Return to the Cisco ISE admin portal and navigate to Operations > RADIUS >
Live Logs.
Step 9 You should see a denied access record for the Tablet.
Examine Certificate Status

Step 10 Click the authentication record detail icon.
Step 11 In the Authentication Detail section observe the following fields indicating that
the certificate has been revoked.

Step 12 Return to the Cisco ISE admin portal and navigate to Administration > System
> Certificates > Certificate Authority > Issued Certificates.
Step 13 Use Google Chrome Browser, if the certificate details are not showing up correctly!
Step 14 In the list of certificates observed that the status is now Revoked for the
Tablet certificate.
Step 15 View the certificate details and observe the certificate status is revoked with a
red X icon.
Step 16 Close the certificate detail.

Reinstating Device
Step 17 Return to the My Devices Portal.
Step 18 Notice in the toolbar there is no toolbar button to reinstate or un-revoke a
certificate.
Step 19 Click the Reinstate button.
Step 20 Click Yes.
Step 21 Observe the device status is now Not Registered.
Re-Onboarding Device
Step 22 Return to your Tablet and observe your ##-wpa2e WLAN SSID.
Step 23 You should notice that it is not possible to join the ##-wpa2e WLAN.
Step 24 Select the WLAN and at the bottom right, click FORGET.
Step 25 Navigate to Settings > Security > Clear credentials
Step 26 Click Clear credentials and Remove all the contents by clicking OK.
Step 27 Return to the WLAN list and attempt to join the ##-wpa2e WLAN. This should
succeed by prompting you for credentials.
Step 28 Enter the credentials employee1@demo.local / 1234QWer.
Step 29 Open a browser and trigger a redirection to the ISE portal.
Step 30 Go through the process of on boarding process before. Reference to previous lab
steps if necessary.
Step 31 Once complete navigate to cisco.com. This should succeed.
Step 32 Return to the Cisco ISE admin portal and navigate to Operations > RADIUS >
Live Logs.
Step 33 The employee1 Tablet should have been applied the WLC_User_Access
authorization profile. To the right the device should also be in the Identity Group
RegisteredDevices.
You have successfully marked the device a stolen.
You have observed the device certificate authentication failure.
You have examined the certificate status and observed it has revoked.
You have reinstated the device via the My Devices Portal.
You have deleted the certificate profile and reenrolled the Tablet.
You have observed a successful BYOD certificate authentication.

In this activity, you will configure Cisco ISE settings and polices for compliance based
access. After completing this activity, you will be able to meet these objectives:
Configure Cisco ISE Posture Settings
Configure Authorization Profile components for compliance based access
Configure Authorization Policy rules for compliance based access
Admin PC
ISE-1
AD1
W10PC-Corp
vWLC
In this task, you will configure Cisco ISE posture update settings that will be used later for
compliance to check posture compliance of clients.
Activity Procedure
Posture Updates
You will perform a manual posture update in this section.
Step 1 Navigate to Work Centers > Posture > Settings > Software Updates >
Posture Updates.
Step 2 Click the Automatically check for updates starting from initial delay check
box to enable auto updates. After the initial download, this will perform an
incremental update automatically from Cisco.
Note By default, posture updates are configured to be retrieved from the web and automatic
checking is disabled.
Posture updates include a set of predefined checks, rules, and support list for antivirus
and anti-spyware for both Windows and Macintosh operating systems. When you
perform your initial update process usually takes approximately 20 minutes.
Step 3 Click Save.

Step 4 Click Update Now to start the initial posture update process. As mentioned
above this process can take approximately 15 minutes.
Note You can safely navigate away from this page and continue on to the next steps while this
process works in the background.
Step 5 Observe the Update Information section below to view the status on updates. The
following fields are useful in determining proper functioning, Last successful
update on and Last update status since ISE was started.

Posture General Settings
Step 6 Navigate to Work Centers > Posture > Settings > Posture General Settings.
The settings on this page are used when there is no profile under the client
provisioning policy. You will be configuring the client provisioning policy later
in the lab. However, it is a good practice to set a baseline configuration here in
the event that a policy is misconfigured or absent in the future.
Step 7 Change the Remediation Timer field from 4 minutes to 20 minutes to allow for
patching or other required remediation steps to be performed by the end-user.
Step 8 Change the Default Posture Status setting from NonCompliant to Compliant.
Step 9 Enable the Automatically Close Login Success Screen After setting and change
the value from 0 to 3 seconds.
Step 10 Click Save.
Note Leaving the value at 0 would configure the client to not display login success screen.
This may be optimal in some organizations.
Posture Lease
The default configuration as indicated in this section is to perform a posture assessment
every time a user connects to the network. By enabling the second option, the system is
considered to be compliant for the configured number of days (range 1 365) and will be
checked at the configured interval.
Note No configuration change will be performed at this time.
Note Posture leases are only applicable to Cisco AnyConnect Unified Agent access.
Portal Modification
Step 11 Navigate to Work Centers > Guest Access > Portals & Components > Guest
Portals and edit the Demo-Sponsored portal.
Step 12 Scroll down to the Guest Device Compliance Settings section and enable
Require guest device compliance.
Step 13 Scroll up and click Save, then click Close.

Step 14 Navigate to Administration > Device Portal Management > Settings.
Step 15 Configure the Retry URL as http://www.cisco.com/go/ise
Step 16 Click Save.

You have configured Cisco ISE to retrieve posture update configurations from Cisco
online.
You have configured general posture settings for global posture processing.
You have reviewed posture lease settings.
You have modified the Demo Self-Reg portal to require guest compliance.
In this task, you will configure a simple compliance policy check.
Activity Procedure
Create Downloadable ACLs for Compliance
Step 1 Navigate to Work Centers > Posture > Policy Elements and then
Downloadable ACLs.
Step 2 Create the following AD Login Access dACL.
Tip You can copy-and-paste the DACL content from

http://tools.demo.local/cp/DACL_AD_LOGIN_ACCESS.txt
Downloadable ACL ACL_AD_LOGIN

Attribute Value
Name acl_ad_login
Description Permit access to AD login services and deny everything else.
DACL Content

Step 3 Create the following Posture Remediation dACL.
Tip You can copy-and-paste the DACL content from

http://tools.demo.local/cp/DACL_POSTURE_REMEDIATION.txt
Downloadable ACL ACL_POSTURE_REMEDIATION

Attribute Value
Name acl_posture_remediation
Description Permit access to posture services and remediation and deny

everything else.
DACL Content
Step 4 Create the following Internet only dACL.
Tip Copy-and-paste the DACL content from

http://tools.demo.local/cp/DACL_GUEST_INTERNET.txt
Downloadable ACL ACL_INTERNET_ONLY

Attribute Value
Name acl_internet_only
Description Permit DHCP/DNS, Deny Internal, Permit everything else.
DACL Content
Step 5 A URL redirect ACL needs to pre-exist on a switch and cannot be a dACL. Your
3k-access switch is preconfigured with the ACL that you will use. It is named
ISE-URL-REDIRECT. The contents of that ACL are included below for a time
saving convenience.
Note If you desire, you may open an SSH session via PuTTY and verify by issuing a
.
Note You will be referencing the name of the URL in authorization profiles. Spelling must
match exactly.
Create Authorization Profiles for Compliance
Step 7 By clicking +Add in the right pane, create each of the following authorization
profiles.
Posture Remediation - Authorization Profile
Name Posture Remediation
Common Tasks
DACL Name acl_posture_remediation
Web Redirection Client Provisioning (Posture)

ACL: ISE-URL-REDIRECT
Value: Client Provisioning Portal (default)
CWA Posture Remediation - Authorization Profile
Name CWA Posture Remediation
Common Tasks
DACL Name acl_posture_remediation

ACL: ISE-URL-REDIRECT
Value: Demo-Sponsored
Internet Only - Authorization Profile
Name Internet Only
Common Tasks
DACL Name acl_internet_only
Step 8 Modify the Wired Domain Computer Access authorization profile to use the
newer port restrictive dACL for AD Login, acl_ad_login and then click Save.
You have configured dACLs for utilization in compliance based access.
You have configured Authorization profiles to be utilized during different stages of
compliance based processing.

In this task, you will adjust the authorization policy for compliance checking.
Activity Procedure
Policy Set Evaluation
Step 1 Navigate to Work Centers > Posture > Policy Sets and then to Wired_Access >
Authorization Policy.
Examine the authorization policy rules and notice that right now things are pretty
clean. You have profiled IP phones, two rules for employees or contractors, a rule
for domain computer authentication, and a default deny rule at the end. Having
created all of the guest access rules under the wireless access policy has allowed
the wired policy to stay clean. By using the condition function of policy sets to
wired access into two different parts in a similar way that we split our overall
access into wired and wireless policy sets.
In the following section you will go to the process of creating a separate policy
set for wired MAB access. This will allow you to consolidate all of your policies
that would apply to wired map access in a central location without having to
evaluate whether policy would apply to an 802.1X session or a MAB session.
You will also modify the existing Wired_Access to apply to 802.1X sessions.
Policy Set Modification
Step 2 Click in the top Policy Sets to go back to the Policy Set overview.
Step 3 Click the + symbol on the left side to create a new Policy Set in the top of your
policy sets.
Note Policy sets are evaluated like Access control lists, top down. Like ACLs, the order of your
rules can determine if your policy functions as expected.
Policy Set Wired_MAB_Access

Name Description Condition(s) Allowed Protocols / Server
Sequence
Wired_MAB_Access Wired MAB [ Drag & Drop Condition from Library ] Default Network Access
Device Compound Condition >
Access Wired_MAB
Step 4 Click Use and verify your policy set with the following screenshot.
Step 5 Click Save at the bottom or top.

Step 6 Modify the Wired_Access policy set according to the table below.
Policy Set Wired_8021X_Access
Name Desciption Condition(s) Allowed Protocols / Server
Sequence
Wired_8021X_Access Wired DEVICE:Device Type EQUALS All Device Default Network Access
802.1X Types#Wired
Device AND
Access
Compound Condition > Wired_802.1X
[ Drag & Drop Condition from Library ]
Note While in this specific lab environment and configuration, it is not necessary to build a
compound condition of device type wired and Wired_802.1X, the purpose for doing so is
to illustrate the flexibility and capability of the policy set condition aspect of Cisco ISE.
Tip Applying this logic, it would be possible to create a condition matching a specific device
location and access method, wired or wireless, etc. and access type, MAB or 802.1X, to
create and maintain organized policy sets.
Step 7 Click Done and verify your modification with the following screenshot.
Step 8 Click Save.

Wired MAB Policy Set Modification
Step 9 Select the Wired_MAB_Access policy set.
Step 10 Edit the Default Authentication policy rule to Continue if the user is not found
and select as Identity Source All_User_ID_Stores.

Step 11 Add the following Authorization policy rule above the Default rule.
Guest Internet - Authorization Policy
Attribute Value
Rule Name Guest Internet

Conditions NetworkAccess:UseCase EQUALS Guest Flow
conditions)
Results (Profiles) Internet Only
Step 12 Modify the Default rule to use the authorization profile CWA Posture
Remediation.
Step 13 Verify your policy with the following screenshot.
Caution In a production environment it would be important to copy and create policy rules to
facilitate profiled devices which would access the network by way of MAB. For the sake
of time and due to the simplicity of this lab environment you will not be creating or
configuring such rules.
Wired 802.1X Policy Set Modification

Step 15 Select the Wired_8021X_Access policy set.
Step 16 Edit the Wired AD Employees authorization policy rule.
Step 17 Open the Conditions section.
Step 18 Add a new Attribute/Value.
Step 19 Configure the following condition: Session:PostureStatus EQUALS
Compliant.
Step 20 Verify the operand that is set to AND.

Tip Saving the posture status condition to the library for reuse with a simplified name would
make reading policy conditions in their final state easier than reading and attribute value
statement.
Step 22 Edit the Wired AD Contractors rule by adding the condition

Session:PostureStatus EQUALS Compliant and verifying the operand is AND.
Step 24 Add the following authorization policy rule above the Default rule.
AD Posture Assessment - Authorization Policy
Attribute Value
Rule Name AD Posture Assessment
demo.local:ExternalGroups Equals demo.local/Users/Domain

Conditions Users
AND
conditions)
Session:PostureStatus NOT_EQUALS Compliant
Results (Profiles) Posture Remediation

You have modified the Wired_Access Policy Set to process access based on
compliance status.

In this activity, you will configure Cisco ISE to provision Cisco posture agents. You will
configure client provisioning settings for updates from Cisco online. You will configure
client resources for utilization in compliance-based access. Finally, you will configure client
provisioning policies for the utilization of posture agents.
In this activity, you will configure Cisco ISE to provision Cisco posture agents. After
Configure Client Provisioning settings for updates from Cisco online.
Configure Client Resources for utilization in compliance based access.
Configure Client Provisioning policies for the utilization of posture agents
Admin PC
ISE-1
AD1
W10PC-Corp
vWLC
In this task, you will review client provisioning settings and then perform a posture
component update.
Activity Procedure
Client Provisioning Settings
Step 1 Navigate to Work Centers > Posture > Settings then to Software Updates >
Client Provisioning. This page can all be accessed via Administration >
System > Settings and then Client Provisioning.
Step 2 Observe the default configuration that client provisioning is enabled by default.
You have reviewed the Client Provisioning settings.
You have configured Cisco ISE to perform automatic posture updates; and initiated a
manual update.

In this task, you will configure Cisco ISE for utilization of Cisco posture agents (Cisco NAC
Agent, Cisco NAC WebAgent, and Cisco AnyConnect Unified Client).
Activity Procedure
Downloading Resources to your PC
Step 1 In your Firefox browser, open a new tab and use your bookmark toolbar to
navigate to tools > cp. (http://tools.demo.local/cp)
Step 2 Download the following files. These files will be placed in your profile
Downloads folder.
anyconnect-win-4.5.04029.0-webdeploy-k9.pkg
anyconnect-VPN-disable.xml
anyconnect-NAM-EAP-FAST.xml
Step 4 Navigate to Work Centers > Posture then to Client Provisioning > Resources.
Step 5 In the right pane, click +Add and from the menu select Agent resources from
Cisco Site.
Step 6 After a moment, the list should populate. Select the following list of items.
AnyConnectComplianceModuleWindows 4.3.50.0 or latest 4.3.xxxxx.x
ComplianceModule 3.6.11017.2 or latest 3.6.xxxxx.x
CiscoTemporalAgentWindows 4.5.02036
Step 7 Click Save to start the download process.
Step 8 The Download will take several minutes.
Adding resources to Cisco ISE
Step 9 Navigate to Work Centers > Posture then to Client Provisioning > Resources.
Step 10 In the right pane, click +Add and from the menu select Agent resources from
local Disk.
Step 11 Select the category of Cisco Provided Packages.
Step 12 Click Browse and navigate to your Downloads folder and select
anyconnect-win-4.5.4029.0-webdeploy-k9.pkg and click Open.
Step 13 Click Submit
Step 14 Click Confirm when prompted to confirm the hash.
Step 15 Perform the same operation for the following files. Fill out the form according to
the tables below.
acNAMProfile - Customer Created Agent Resource Package
Attribute Value
Category Customer Created Packages
Type AnyConnect Profile
Name acNAMProfile
Description AnyConnect NAM EAP-FAST Config
File C:\Users\Administrator\Downloads\ anyconnect-NAM-EAP-FAST.xml
Note The following profile is optional and cosmetic in nature. It is intended to hide the VPN tile
of the AnyConnect client.
acVPNdisableProfile - Customer Created Agent Resource Package

Attribute Value
Category Customer Created Packages
Type AnyConnect Profile
Name acVPNdisableProfile
Description Profile to disable the VPN tile in AnyConnect
File C:\Users\Administrator\Downloads\ anyconnect-VPN-disable.xml

Configure AnyConnect Agent Profile
Step 16 In the right pane, click +Add and from the menu select NAC Agent or
AnyConnect Posture Profile.
Step 17 Select AnyConnect from the dropdown box.
Step 18 Create the following profile.
AnyConnect Posture Agent Profile Settings
Attribute Value
AnyConnect
*Name acWinPostureProfile
Description AnyConnect Windows Posture Profile
Agent behavior
Enable debug log No
Operate on non-802.1X wireless No
Enable signature check No
Log file size 5 MB
Remediation timer 20 mins
IP Address Change
Enable agent IP refresh Yes
VLAN detection interval 0 secs
Ping or ARP Ping
Maximum timeout for ping 1 secs
DHCP renew delay 1 secs
DHCP release delay 4 secs
Network transition delay 3 secs
Posture Protocol
PRA retransmission time 120 secs
Discovery host tools.demo.local
* Server name rules *.demo.local
Note The discovery host needs to be something that will resolve via DNS to generate traffic
(packets) to hit the url-redirect. That traffic will then be redirected to the supporting ISE
node running the Policy Services persona.
Create the AnyConnect Configuration File.
Step 20 In the right pane, click +Add and from the menu select AnyConnect
Configuration.
Step 21 Create the following configuration.
acConfigWin - AnyConnect Configuration

Attribute Value
* Select AnyConnect Package AnyConnectDesktopWindows 4.5.4029.0
* Configuration Name acConfigWin
Description AnyConnect agent config for Windows
* Compliance Module Anyconnect-win-compliance-4.3.50.0 or latest 4.3.*
AnyConnect Module Selection
ISE Posture [X ]
VPN [ ]
Network Access Manager [X ]
Web Security [ ]
AMP Enabler [ ]
ASA Posture [ ]
Network Visibility [ ]
Umbrella Roaming Security [ ]
Start Before Login [ ]
Diagnostic and Reporting Tool [X ]
Profile Selection
ISE Posture acWinPostureProfile
VPN acVPNdisableProfile
Network Access Manager acNAMProfile
Web Security
Customer Feedback
Customization Bundle
Localization Bundle
Deferred Update
Allowed for AnyConnect Software No
Minimum Version Required for AnyConnect 0.0.0

Software
Allowed for Compliance Module No
Minimum Version Required for Compliance Module 0.0.0.0
Prompt Auto Dismiss Timeout None
Prompt Auto Dismiss Default Response Update
Installation Options
Uninstall Cisco NAC Agent [ ]

You have configured Cisco ISE to utilize the Cisco NAC Agent and created an
associated NAC Agent posture profile.
You have configured Cisco ISE to utilize the Cisco AnyConnect Unified Client and
created an associated profile and AnyConnect configuration.
In this task, you will configure Cisco ISE to provision Cisco posture agents in order to
enforce compliance base access.
Activity Procedure
Configuring Client Provisioning Policies.
Step 1 Navigate to Work Centers > Posture > Client Provisioning and then Client
Provisioning Policy.
Step 2 Add two new rules below Android_WPA2_BYOD according to the following
tables.
AC Employee Win All - Client Provisioning Policy Rule
Attribute Value
Rule Status Enable
Rule Name AC Employee Win All
Identity Groups Any
Operating Systems Windows All
Other Conditions demo.local:External Groups EQUALS

demo.local/HCC/Groups/Employees
Results Agent: acConfigWin
Step 3 Verify your configuration with the following screenshot then click Save.
You have configured client provisioning policies for Cisco AnyConnect, Cisco NAC
Agent, and Cisco NAC WebAgent.

In this activity, you will configure some simple Cisco ISE posture policies to provide for a
functional orientation to posture policies. After completing this activity, you will be able to
meet these objectives:
Configure posture conditions
Configure posture mediations
Configure posture requirements
Configure posture policies
Admin PC
ISE-1
AD1
W10PC-Corp
vWLC
In this task, you will configure some simple file conditions as well as antivirus compound
conditions for both installation and definition age.
Activity Procedure
Step 1 Navigate to Work Centers > Posture > Policy Elements and then Conditions >
File.
Step 2 In the right pane, click +Add and create the following three File Conditions.
Caution Be aware of the case of the file name PUTTY. The Cisco NAC Agent file evaluation is
case sensitive but the Cisco AnyConnect is not.
Caution The operator is Later than, not Later than or Equal to. This is a common error in
configuration
File Condition PuTTY_Version

Attribute Value
Name PuTTY_Version
Description Check for an acceptable PuTTY Version
Operating System
File Type FileVersion
File Path ABSOLUTE_PATH c:\tools\PUTTY.EXE
Operator
File Version 0.61
File Condition Bad_File

Attribute Value
Name Bad_File
Description Check for a Bad file
Operating System
File Type FileExistence
File Path ABSOLUTE_PATH C:\test\virus.txt
Operator DoesNotExist

File Condition Good_File
Attribute Value
Name Good_File
Description Check for a Good file
Operating System Windows All
File Type FileExistence
File Path ABSOLUTE_PATH C:\test\good.txt
Operator Exists
Step 3 In the left pane, select Anti-Virus.

Step 4 In the right pane, click +Add and create the following AV Compound
Conditions.
Caution Be sure to Submit after each one.
AV Compound Condition ClamWin_AV_Installed

Attribute Value
Name ClamWin_AV_Installed
Description Check for ClamWin AV Install
Vendor ClamWin
Check Type [ X ] Installation [ ] Definition
Products for Selected Vendor
Product Name ClamWin Antivirus

ClamWin Free Antivirus
AV Compound Condition ClamWin_AV_Current

Attribute Value
Name ClamWin_AV_Current
Description Check for ClamWin AV Definition
Vendor ClamWin
Check Type [ ] Installation [ X ] Definition
Option Allow virus definition file to be [ 7 ] days older than ( X ) current

system date
Products for Selected Vendor
Product Name Any
Step 5 In the left pane, select Firewall Condition.

Step 6 In the right pane, click +Add and create the following Firewall Compound
Conditions.
You have configured three posture file conditions.
You have configured an antivirus installation condition.

In this task, you will configure remediation processes to instruct users on how to handle
systems that do not meet compliance requirements.
Activity Procedure
Remediations > File.
Step 2 In the right pane, click +Add and create the following File Remediation.
File Remediation PuTTY_62
Attribute Value
Name PuTTY_62
Description Approved PuTTY version 0.62
Version 0.62
File to Upload

Step 4 Click +Add again and create the following File Remediation.
Note The File to Upload c:\tools\good.txt in the table below does not yet exist on your
system. You will be creating it during the process of browsing for a file to upload.
Follow the procedure in the second table to create the good.txt file.
File Remediation Good_File

Attribute Value
Name Good_File
Description Our corporate good file
Version 1.0
File to Upload (See procedure below)
Procedure to create good.txt

Step Action Notes
1. In the Files to Upload line Click Browse
2. Right-click in an open area See image below
3. Select New from the menu See image below
4. Select Text Document from the submenu See image below
5. Rename the newly created New Text

Document.txt to good.txt
6. Click off of the file to complete the file

renaming process
7. Right-click on good.txt
Step Action Notes
8. From the menu select Edit
9. In the notepad write the following:
good file v1.0
10. Close the document by clicking on the X You may alternately perform a File > Save
in the upper right-hand corner and when before closing the file.
prompted click Save.

Step 6 In the left-hand pane, select Link.
Step 7 In the right pane, click +Add and create the following Link Remediation.
Link Remediation Install_ClamWin_AV
Attribute Value
Install_ClamWin_AV
Description URL link to install ClamAV package
Remediation Type Manual
Interval 0
Retry Count 0
URL

Step 9 In the left-hand pane, select Anti-Virus.
Step 10 In the right pane, click +Add and create the following AV Remediation.
AV Remediation Update_ClamWin_AV
Attribute Value
Update_ClamWin_AV
Description Update ClamWin definitions

Attribute Value
Operating System Windows
Remediation Type Manual
Interval 0
Retry Count 0
Vendor ClamWIn
Step 12 Edit the default AnyAVDefRemediationWin remediation and change the
Remediation Type from Automatic to Manual and click Save.
You have configured posture remediation actions for users who systems do not meet
compliance requirements.
In this task, you will configure posture requirements that utilize the previously configured
conditions and remediations.
Activity Procedure
Step 1 In the left pane, navigate to Work Centers > Posture > Policy Elements >
Requirements.
Step 2 Edit the Any_AV_Installation_Win requirement and modify the Remediation
Action. Change the Message Text shown to Agent User to the following:
An approved Antivirus program was NOT detected on your PC. All users must
have a current AV program installed before access is granted to the network. If
you would like to install a free version of ClamWin AV, please go to
http://tools.demo.local/updates/clamwin-0.99.1-setup.exe
Tip You may access the following resource from a separate tab in Firefox to copy/paste
message text:
http://tools.demo.local/cp/Posture-Requirements-excercise-6.rtf
Step 3 Add the following Requirements by using the same method as adding policy rules
(Edit down arrow at end of line).
Posture Requirement ClamWin AV Install Win
Attribute Value
ClamWin AV Install Win
Compliance Module 3.x or earlier
Posture Type AnyConnect
Conditions User Defined Conditions > Anti-Virus Condition > ClamWin_AV_Installed
Remediation Actions Action: Install_ClamWin_AV
Posture Requirement ClamWin AV Current Win

Attribute Value
ClamWin AV Current Win
Conditions User Defined Conditions > Anti-Virus Condition > ClamWin_AV-Current
Remediation Actions Action: Update_ClamWin_AV

Message shown to Agent User:
All users must have ClamWin with current signatures. Please click start
to update the signatures now.

Posture Requirement PuTTY 62
Attribute Value
PuTTY 62
Compliance Module Any version
Conditions User Defined Conditions > File Condition > PuTTY_Version
Remediation Actions Action: PuTTY_62

Message Shown to Agent User:
Save this file to C:\tools\
Posture Requirement Good File

Attribute Value
Good File
Conditions User Defined Conditions > File Condition > Good_File
Remediation Actions Action: Good_File

Right-click and save this file to C:\test\

Create a New Folder if needed.
Posture Requirement Bad File

Attribute Value
Bad File
Conditions User Defined Conditions > File Condition > Bad_File
Remediation Actions Action: Message Text Only

You have a bad file. Go delete the file C:\test\virus.txt
Step 4 You should have the following requirements at the bottom of your list.
You have configured both the conditions you have previously configured and the
remediation actions into posture requirement configurations.

In this task, you will configure posture policies that will be utilized in client access
assessments. You will be adding these policies and a disabled state and enabling them in a
later lab.
Activity Procedure
Step 1 Navigate to Work Centers > Posture > Posture Policy.
Step 2 Create the following rules.
Note Posture Policy Status is configured by changing the icon at the beginning of the rule.
Note Requirement Status is configured by changing the icon in front of the Requirement
Name.
Posture Policy File Checks

Attribute Value
Policy Options -
Status Disabled
File Checks
Identity Groups Any
Other Conditions -
Requirements Status Requirement Name
Mandatory Good File
Mandatory PuTTY 62
Audit Bad File
Posture Policy AD Win7 Users AV
Attribute Value
Policy Options -
Status Disabled
AD Win Users AV
Identity Groups Any
Other Conditions demo.local:ExternalGroups EQUALS demo.local/Users/Domain Users
Requirements Status Requirement Name
Mandatory ClamWin AV Install Win
Mandatory ClamWin AV Current Win
Step 3 Verify your configuration with the following screenshots. Order is not important.
You have configured posture policies based on the elements that you have previously
configured in previous tasks.

In this activity, you will perform client based access utilizing the previously configured
posture compliance configuration. After completing this activity, you will be able to meet
these objectives:
Perform client access utilizing the Cisco AnyConnect Unified Agent for
compliance checking.
Admin PC
ISE-1
AD1
W10PC-Corp
vWLC
3650 Switch Commands
Command Description
Shows the applied session details for the

current session(s) on the indicated
interface.

In this task, you will use the Cisco AnyConnect Unified Agent to perform compliance
testing and remediation.
Activity Procedure
AnyConnect Unified Agent Deployment.
Step 1 Return to the W10PC-Corp.
Step 2 Log in as student / 1234QWer.
Step 3 Open up network settings and enable the NIC if not enabled.
Step 4 Open Services from Windows Administrative Tools in the Start menu.
Step 5 Verify and, if necessary, modify the Wired AutoConfig service to have a startup
type of Automatic and then Start the service.
Step 6 Click OK.
Step 7 Close the services console.
Step 8 Return to the NIC settings and open the properties for the NIC.
Step 9 Click the Authentication tab.
Step 10 Click the Settings button.
Step 11 Uncheck the box to validate the server certificate.
Step 12 Click OK.
Step 13 Make sure the box is unchecked.
Step 14 Click OK.
Step 15 Restart the client machine using the Start menu and log back in as employee1 /
1234QWer.
Step 16 Open Firefox browser.
Step 17 Browse to http://www.cisco.com, you should be redirected to the Client
Provisioning Portal. Accept any security notices if presented.
Step 18 You should be notified that a Device Security Check is required, click Start.
Step 19 The process will attempt to detect if the AnyConnect Posture Agent is installed.
Once prompted, click + This is my first time here.
Step 20 In the instructions click the hyperlink to Click here to download, install
AnyConnect.
Step 21 Click Save File.
Step 22 Click the file in the download dialog box and will be presented the dialog box -
click Run.
Step 23 The Cisco Network Setup Assistant should notify you that you are connected to
ise-1.demo.local, whose identity has been certified. Click Connect.
Step 24 Cisco AnyConnect will install automatically.

Step 25 At the end you will be notified that a restart is required. Click Yes.
Note If the installation process shows Failed to launch Cisco AnyConnect Secure Mobility
Client Downloader and does not promt for a reboot, proceed by logging off and continue
only if step 30 is not showing up as described, deinstall Cisco AnyConnect Security
Mobility Client, which will include a reboot, and perform the task from Step 20 again.
Step 26 Once the system is back up, login again as employee1 / 1234QWer.
Step 27 Once logged in, AnyConnect will log on via EAP-FAST and the ISE Posture
module will perform a scan. The results will show that the Good File update is
required. Click Start to begin remediation.
Step 28 Navigate to c:\test\ and click Save.

Step 29 You will be notified that the save operation was successful and given the
opportunity to open the folder location where the file was saved. Click Cancel.
Step 30 Observe your system is now Complaint. Trigger a reauthentication/rescan by

clicking the EAP-FAST profile if needed.
Step 31 In the live authentications list observe the authentication process of Pending , and
then Compliant after remediation.
Step 32 Open Windows Explorer and navigate to C:\test\.

Step 33 Right-click and from the menu select New, then Text Document. Name the new
file without an extension. Extensions are hidden by default so the .txt
will not show in this view.
Step 34 Log off and log back on as demo\employee1.
Step 35 As the Bad File check is in audit mode only, the system will still be compliant.
Step 36 In ISE, navigate to Operations > RADIUS > Live Logs.
Step 37 Find the most recent logon for the employee1 user but was assigned the Wired
Employee Access authorization profile.
Step 38 Click on the Posture Status of Compliant hyperlink. This will run a summary
report from the endpoint in a new tab.
You have access the network via an employee account and that session has been
processed for compliance via the Cisco AnyConnect Unified Agent.
You have remediated your compliance requirements based on instructions received via
the Cisco AnyConnect Unified Agent.

In this activity, you will examine the effects of a faulty policy and review methods of
identifying and troubleshooting such a policy. After completing this activity, you will be
able to meet these objectives:
Use Posture Reports for troubleshooting
Use the Posture Troubleshooter tool
Admin PC
ISE-1
AD1
W10PC-Corp
vWLC
In this task you will configure a faulty policy in order to generate failure events that will be
utilized in future tasks.
Activity Procedure
Step 1 On the admin PC, in the Cisco ISE admin portal navigate to Policy > Policy
Elements > Conditions and then Posture > File Condition.
Step 2 Edit the PuTTY_Version you created earlier.
Step 3 Change the file from PUTTY.EXE to PUTTTY.exe (you are adding an extra
Step 4 Click Save.

Step 5 Navigate to Administration > System > Settings > Posture > General
Settings.
Step 6 Set the Remediation Timer to 5 minutes to shorten the waiting time for the next
task.
Step 8 Return to the W10PC-Corp, log off and log back on as employee1 / 1234QWer.
Step 9 The PuTTY 62 requirement should fail.
Step 10 Do not remediate; wait for the timer to expire and then continue to the next
task.
You have configured a faulty policy that has resulted in a failed compliance access
attempt
In this task, you will examine posture reports as a mechanism to troubleshoot compliance-
based access failures.
Activity Procedure
Step 1 In ISE, navigate to Work Centers > Posture > Reports and then Reports >
Posture Reports > Posture Assessment by Endpoint.
Step 2 Modify the Time Range from Today to Last 30 Minutes.
Step 3 Click on the Details icon for the failed posture assessment.
Step 4 Scroll to the bottom of the report and observe the Posture Policy Details.
Step 5 Observe that the Failed condition is PuTTY_Version,
Step 6 Also observe that the Bad File, which is in Audit enforcement mode, meaning
transparent to the user, is not in the Passed column either. This check was skipped
because the file checks are done serially one at a time.
You have run a posture report and identified the failing condition.
In this task, you will examine posture troubleshooter as a mechanism to identify compliance-
based access failures.
Activity Procedure
Step 1 In ISE, navigate to Work Centers > Posture > Troubleshoot.
Step 2 In the form, click the Select button at the end of the Username field. In the next
pop-up click Search. From the list of Usernames select employee1 and click
Apply.
Step 3 Go to the bottom of the form and click Search.
Step 4 In the results, click the failed result and click Troubleshoot.

Step 5 Click Show Results Summary once complete.
Step 6 Observe the details of what passed, what failed in another format.
Step 7 Click Done.
You have run the posture troubleshooter and identified the failing condition.
In this task, you will correct the policy you purposely misconfigured being of this lab. You
will also observe the result of an audit condition via posture reports.
Activity Procedure
Policy Correction
Step 1 Navigate to Work Centers > Posture > Policy Elements and then Conditions >
File.
Step 2 Edit the PuTTY_Version you modified earlier.
Step 3 Change the file from PUTTTY.EXE to PUTTY.exe (you are removing the
extra
Step 4 Click Save.

Testing Policy Correction
Step 1 Return to the W10PC-Corp.
Step 2 In the AnyConnect drop-down, select EAP-FAST. This will cause a re-
authentication and then the posture module will reconnect to ISE and perform
another posture check. Your posture check should succeed.
Posture Report Verification
Step 4 Navigate to Work Centers > Posture > Reports and then Reports > Posture
Reports > Posture Assessment by Endpoint.
Step 5 Modify the Time Range from Today to Last 30 Minutes.
Step 6 Click on the details for the recent passed assessment.

Step 7 Scroll to the bottom and observe that the only failed condition now is the Audit
mode Bad File condition.
Tip This is an effective way of analyzing systems upon access to determine the status of a
program without notifying the user.
Tip One example of using this feature would be to analyze systems for a file or files that are
suspicious. An administrator could determine if the files are on any of the systems, and
then make decisions on how to proceed.
You have corrected the policy configuration. That you introduced at the beginning of
the lab.
You have observed the failed condition that is running an audit enforcement mode.
In this activity, you will access the network via an AnyConnect VPN connection and
compliance checking. After completing this activity, you will be able to meet these
objectives:
Configure Cisco ISE to process VPN access
Configure authorization components and policies to support compliance based VPN
access
Configure client provisioning for remote Cisco AnyConnect VPN access
Admin PC
ISE-1
AD1
W10PC-Corp
vWLC
W10PC-CoA
ASAv

ASAv CLI Commands
Command Description
Erases startup configuration
Copies a file. In this lab you will copy a file to startup-config
Restarts or reboots the device.
Shows AnyConnect client access details
In this task, you will modify the ASAv configuration in preparation for the VPN Access.
Activity Procedure
ASAv Preparation
Step 1 From the Admin PC desktop, open ASDM/IDM Launcher.
Step 2 Connection to 10.1.100.4 using the credentials admin / 1234QWer.
Step 3 Navigate to the menu selection Tools > File Management.
Step 4 Verify that anyconnect-win-4.5.04029.0-webdeploy-k9.pkg is present on the
flash.
Adding the ASAv as a NAD

Step 6 Navigate the Administration > Network Resources> Network Devices.
Step 7 In the right pane, click +Add and create the following Network Device entry.
Network Device ASAv
Attribute Value
Name ASAv
Description Pod ASAv
IP Address 10.1.100.4 /32
Model Name <blank>
Location HQ
IPSec Is IPSEC Device
Device Type VPN
RADIUS Authentication Settings Checked


Policy Set Modification
Step 10 Click the gear icon next to the Default Policy Set.
Step 11 From the Drop-Down Menu select Insert new row above.
Step 12 Create the following Policy Set.

Policy Set VPN Access
Name Description Condition(s) Allowed Protocols
VPN_Access VPN Access DEVICE:Device Type EQUALS All Device Default Network Access
Types#VPN
Step 13 Click Use.

Authorization Profiles and dACLs
Step 15 Navigate to Policy > Policy Elements > Results and then to Authorization >
Downloadable ACLs.
Step 16 Create the two following dACLs:
Downloadable ACL acl_vpn_permit
Attribute Value
Name acl_vpn_permit
Description Allow VPN Full Access
DACL Content
Downloadable ACL acl_vpn_remediate

Attribute Value
Name acl_vpn_remediate
Description Allow Only Remediation Traffic
DACL Content
Step 17 Navigate to Policy > Policy Elements > Results and then to Authorization >
Step 18 Create the three following authorization profiles. Submit your changes after each
entry.
VPN Full Access Authorization Profile
Name VPN Full Access
Common Tasks
DACL Name acl_vpn_permit
VPN Remediation Access Authorization Profile

Name VPN Remediation Access
Common Tasks
DACL Name acl_vpn_remediate

VPN Posture Authorization Profile
Name VPN Posture
Common Tasks
Web Redirection Client Provisioning (Posture)

ACL ACL-WEBAUTH-REDIRECT
Value Client Provisioning Portal (default)
Authentication Policy
Step 20 Open the VPN_Access policy set.
Step 21 Modify the Default Authentication Policy.
Step 22 Change the authentication source to All_AD_Join_Points.
Step 23 Add the two following Authorization Rules in order above the Default rule.
VPN Compliant Authorization Policy
Attribute Value
Rule Name VPN Compliant

Conditions Session:PostureStatus EQUALS Compliant
conditions)
Results (Profiles) VPN Full Access
VPN Remediate Authorization Policy
Attribute Value
Rule Name VPN Remediate

Conditions Session:PostureStatus EQUALS NonCompliant
conditions)
Results ( Profiles) VPN Remediation Access
Step 24 Change the Default rule to VPN Posture.
Step 25 Compare your configuration with the following screenshot. It is imperative that
the rules are in proper order with the VPN Redirect is the bottom rule.

Creating the Client Provisioning Resources for VPN Based Posture Access
Step 27 Navigate to Policy > Policy Elements > Results and then Client Provisioning >
Resources.
Step 28 In the right pane, find the acConfigWin profile that you created earlier and select
it.
Step 30 Make the following modifications.

acConfigWin_VPN - AnyConnect Configuration
Attribute Value
* Select AnyConnect Package AnyConnectDesktopWindows 4.5.4029.0
* Configuration Name acConfigWin_VPN
Description AnyConnect agent config for Windows VPN
* Compliance Module AnyConnectComplianceModuleWindows 4.3.XXXXX.X
AnyConnect Module Selection
ISE Posture [X]
VPN [X]
Network Access Manager [ ]
Web Security [ ]
ASA Posture [ ]
Start Before Login [ ]
Diagnostic and Reporting Tool [X]
Profile Selection
ISE Posture acWinPostureProfile
VPN <delete>
Network Access Manager <delete>
Web Security
Customer Feedback
Customization Bundle
Localization Bundle
Deferred Update
Allowed AnyConnect Software No
Minimum Version Required for AnyConnect 0.0.0

Software
Allowed for Compliance Module No
Minimum Version Required for Compliance Module 0.0.0.0
Prompt Auto Dismiss Timeout None
Prompt Auto Dismiss Default Response Update
Installation Options
Uninstall Cisco NAC Agent [ ]
Creating the Client Provisioning Policy
Step 32 Navigate to Policy > Client Provisioning.
Step 33 Create a new policy at the top of the list with the following parameters.
AC Employee Win All VPN Client Provisioning Policy Rule
Attribute Value
Rule Name AC Employee Win All VPN
Identity Groups Any
Operating Systems Windows All
Other Conditions DEVICE:Device Type EQUALS All Devices Types#VPN
Results Agent: acConfigWin_VPN
Step 34 Click Done.

Adjusting Remediation Timer
Step 36 Navigate to Administration > System > Settings > Posture > General Settings
Step 37 Set the Remediation Timer to 20 minutes, as the Client provisioning packages
will take some time to download.
Step 38 Click Save.
You have prepared the ASAv for operation with this lab.
You have added the ASAv as a NAD.
You have created a policy set for VPN access.
You have configured authorization policies for VPN access.

You have configured Client Provisioning components and policy for VPN based
Postured access.

.
Activity Procedure
Step 1 Access your pod W10-CoA PC and login with the credentials student \
1234QWer
Initial VPN Connection
Step 2 From the system tray, Open AnyConnect.
Step 3 For this lab environment, ensure that connections are allowed to untrusted
servers. Click on the cog icon in the lower left corner.
Step 4 On the Preferences tab page, uncheck the Block connections to untrusted
servers.
Step 5 Close this window.
Step 6 Connect to the VPN server asav.demo.local.
Step 7 At the Security Warning pop-up, click Connect Anyway.
Step 8 When prompted for credentials for the ISE_VPN group, use the credentials
employee2@demo.local / 1234QWer.
Step 9 Connect by clicking OK, then select Connect Anyway.
Note If you are not prompted to connect to the ISE_VPN group, notify your instructor.
Step 10 A certificate warning might be displayed. Click Connect and reconnect to the
VPN. Vou will see in the lower right corner that the VPN is Connected.
Examine Cisco ISE Authentication Records
Step 11 Return to the Cisco ISE admin portal on the admin PC.
Step 12 Navigate to Operations > RADIUS > Live Logs.
Step 13 Observe the authentication record details for the employee2@demo.local user
who was assigned the VPN Posture authorization profile.

Observe the following highlighted fields indicating that the host that accessed the
network by VPN was profiled. The CiscoAVPair section contains the ACIDex
attributes conveyed by AnyConnect and the ASA. In the Results section, you can
see the URL-Redirect being applied to this session in its current state.
Step 14 Access the ASAv via PuTTY and enter the following command to observe the
ISE Posture Section at the end.
Step 15 Return to the W10-CoA PC.
Step 16 Open Firefox and browse to http://tools.demo.local
Step 17 - website, click Advanced and then Add
Step 18 Click Confirm Security Exception.

Step 19 After about 20 seconds you will be presented with the Client Provisioning Portal.
Reload the page if necessary.
Step 20 Click Start.
Step 21 The process will attempt to detect if the AnyConnect Posture Agent is installed.
Once prompted, click + This is my first time here.
Step 22 In the instructions click the hyperlink to Click here to download, install
AnyConnect.
Step 23 Click Save File.
Step 24 After the file downloaded, click the file in the download dialog box and after
about 30 seconds you should be presented with the installation prompt.
Step 25 Click Run.

Step 26 The Cisco Network Setup Assistant should notify you that you are connected to
ise-1.demo.local. Click Connect Anyway.
Step 27 If a Untrusted Security Certificate message appears, click
and click Apply Change int the AnyConnect Downloader window. Select
Always trust this server and import the certificate and click Connect
Anyway.
Step 28 Cisco AnyConnect will download for approximately 20 minutes and install
automatically and then reconnect the VPN.

Step 29 After restart, Connect to the VPN as employee2@demo.local / 1234QWer.
Step 30 System Scan will run and you will be presented with the Update Required pop-
up.
Step 31 The results will show that the Good File update is required. Click Start to begin
remediation.
Step 32 Navigate to C:\ create the Test folder, enter the folder and then click Save.
Step 33 You will be notified that the save operation was successful and given the
opportunity to open the folder location where the file was saved. Click Cancel.
Step 34 System Scan will evaluate the system and then determine the system is
compliant.
Step 35 On the Admin PC, return to the ASAv CLI in Putty and run the following
command again. Observe the Filter Name is the dACL from ISE.

Step 37 Navigate to Operations > RADIUS > Live Logs.
Step 38 Observer the connection flow and the ultimate result of the Authorization Profile
VPN Full Access and the Posture Status of Compliant.
You have successfully performed a Cisco AnyConnect VPN access and had the
AnyConnect client be upgraded to support compliance checking.
Performed remediation over VPN and reviewed the associated authentication results.

In this activity, you will configure Cisco ISE to provision Cisco posture agents. The AMP
Enabler will download the AMP for Endpoints connector, formerly known as FireAMP.
The activities in this lab will facilitate the following scenario:

Client connects to the network, the AMP_Profile is assigned, and user is redirected
to Anyconnect Provisioning Portal. If Anyconnect is not detected on the machine,
all configured modules (VPN, AMP, and Posture) are installed. Configuration is
pushed for each module along with that profile.
Once Anyconnect is installed, posture assessment runs.
AMP Enabler module installs FireAMP connector.
Admin PC
ISE-1
AD1
W10PC-Corp
vWLC
W10PC-CoA
ASAv
ASAv CLI Commands
Command Description
Erases startup configuration
Copies a file. In this lab you will copy a file to startup-config
Restarts or reboots the device.
Shows AnyConnect client access details

This task requires an AMP for Endpoints administrative login and password.
Activity Procedure
ASAv Preparation
Step 1 On the Admin-PC, open Firefox. Connect to https://console.eu.amp.cisco.com/
Step 2 In the top left of the window, click the small green lock symbol.
Step 3 Click the arrow and then More Information.
Step 4 Click View Certificate.
Step 5 Click the Details tab, and then click
Step 6 Save the Certificate to the Desktop accepting the default name.
Step 7 Login to AMP for Endpoints. Your Instructor will provide the necessary
credentials.
Step 8 Navigate to Management > Download Connector. Select Group > Audit and
click Show URL.

Step 9 Click Copy URL.
Step 10 On the Desktop of the Admin PC, create a new textfile and insert the URL from
clipboard (CRTL + V). REMOVE the https:// at the beginning of the link!!
Step 11 Save the file. It should look like the following screenshot.
Step 12 In Cisco ISE Gui, navigate to Administration > System > Certificates >
Certificate Management > Trusted Certificates
Step 13 In the right pane click Import.
Step 14 Browse to the Desktop and select the previously added euampciscocom.crt
certificate.
Step 15 Set FireAMP Cisco Cert as Friendly Name and trust the Certificate for
Authentication within ISE as well as Authentication of Cisco Services.
Connected to the AMP for Endpoints Portal and made the ISE ready to download the
AMP Connector for Windows.
In this task, you will review client provisioning settings and then perform a posture
component update and build a compliance rule.
Activity Procedure
ASAv Preparation
Step 1 On the Admin-PC, using the Cisco ISE admin interface, navigate to Policy >
Policy Elements > Conditions > Posture > File Condition.Review the
Bad_File condition. If the file is not present, the PC will be deemed Compliant.
Verify your configuration with the screen shot shown.
Step 2 Navigate to Policy > Policy Elements > Results > Posture > Requirements.
Review the Bad File requirement. Verify with the screenshot shown.
Step 3 Navigate to Policy > Posture.

Step 4 Edit the File Checks Posture Policy an make the Bad File requirement
mandatory.
Step 5 Click Done

Step 6 Click Save.

You have modified a simple file requirement to drive the compliance check on the
endpoint.
In this task, you will configure Cisco ISE for the download and management of Cisco
AnyConnect posture agents, and the AMP Connector.
Activity Procedure
ASAv Preparation
Step 1 Edit the Posture Policy. Navigate to Policy > Policy Elements > Results >
Client Provisioning > Resources.
Step 2 Select and edit the acWinPostureProfile posture agent Profile
Step 3 Scroll down to the Posture Protocol section of the template, delete the
tools.demo.local Discovery host entry and set the Server Name Rules field
to *. Save your configuration.
Configure an AMP Profile. AMP Profiles contain a pointer to the location of the AMP
Connector for Windows Installer (as downloaded earlier from the AMP Cloud to the AD
Server).
Step 4 Navigate to Policy > Policy Elements > Results > Client Provisioning >
Resources.
Step 5 Add a new AMP Enabler Profile named AMPwinProfile as shown in the figure
below.
Step 6 For the Windows Installer URL insert the URL from your previously created
textfile on the Desktop.
Step 7 Click Check next to the inserted link. File found must show up!

Step 8 Submit your configuration when finished
Step 9 Modify the AnyConnect Configuration to tie together the components that must
be installed on the endpoint to allow for authorization to access network
resources.
Step 10 Navigate to Policy > Policy Elements > Results > Client Provisioning >
Resources.
Step 11 Select and edit the acConfigWin AnyConnect configuration.
Step 12 Additional, select the AnyConnect module AMP Enabler.
Step 13 In Profile Selection, choose the profiles for AMP Enabler (AMPwinProfile).
Verify your configuration with the example shown.
You have assigned a Client Provisioning Policy that utilizes an AnyConnect
Configuration profile that references:
The AnyConnect Compliance Module
Profiles defined for AMP additionally.
You have configured an Authorization policy that will be used to drive the state of
a connecting endpoint to Compliant, and assigned this profile to an authorization
rule.(done in previous labs)

In this task, you will configure Cisco ISE for Threat-Centric NAC. You will configure the
AMP Adapter that will be used by ISE to interface with the AMP Cloud.
Activity Procedure
ASAv Preparation
Step 1 Enable TC-NAC Services under Administration > System > Deployment >
Edit Node. Check the Enable Threat Centric NAC Service check box under
Policy Service. This selection will add the Threat Centric Menu Options to the
ISE GUI under Administration. Save your configuration.
Step 2 To configure the AMP Adapter, navigate to Administration > Threat Centric
NAC > Third Party Vendors > Add. Add a vendor instance for AMP. Save the
instance.
Note This process can take several minutes to start up before allowing you to continue.
Step 3 Once the required fields are added, the instance status will transition to Ready to
Configure. Click this field to begin the AMP adapter configuration. Click Next
to bypass the proxy configuration screen.
Step 4 Select the EU Cloud for the AMP Public Cloud option. Then click Next.
Step 5 Click the AMP link under SAS External URL. You will then be required to log
in to the AMP for Endpoints account as an administrator. Your instructor will
provide your credentials.

Step 6 Click Allow in the Applications panel to authorize the Streaming Event Export
request.
Step 7 You will be returned to the Cisco ISE Admin portal, click Finish, and verify the
AMP Instance is Connected to the cloud, and is Active. It may take a couple of
minutes to connect.
You have enabled and provisioned Threat Centric NAC services.
In this task, you will verify your configurations.
Activity Procedure
Step 1 Access the W10PC-Corp PC
Step 2 Restart the PC and then log in as demo\employee1 / 1234QWer.
Step 3 Wait for the AnyConnect System Scan to show up the waring about the Bad File
found.
Step 4 Open windows explorer and delete the virus.txt under C:\test\ you created in an
earlier lab.
Step 5 Click Start to recheck with the requirements. You should now be compliant.
Step 6 Then, the AMP Enabler module should start downloading and installing AMP
for Endpoints. See the following screenshots for the procedure:

Step 7 Open a browser and attempt to connect to any website. You should be successful.
Step 8 In Cisco ISE live log, observe the employee1 on the W10PC-Corp went through
the AD Posture Assessment Authorization Profile again and was granted Wired
AD Employees finally.
Verified provisioning of AMP for Endpoints on the client PC.

Device administration in ISE involves controlling network administrator access to network

devices. Network administrators often have different levels of access to different network
equipment, depending on their role. Most organizations prefer to centralize the control and
maintenance of this function. The TACACS+ function of Cisco ISE enables this central
control. Through TACACS Live Logs and reports, ISE provides centralized monitoring,
report administration. In this lab, you
will configure ISE for basic Device Administration of IOS devices.
You will begin by configuring the policy elements that are required for network device
administration.These policy elements will then be used in the basic authentication and
authorization policies, which you will create. Of course, each Network Access Device
(NAD) must be configured to support TACACS+, and so you must configure the required
AAA commands to fulfill this need. You will then log in with different users to validate both
your authentication policies, and your authorization policies. You will know that you have
granular control of not only who can access your network devices, but also what they can do.
Admin PC
AD1
ISE-1
In this task, you will configure Cisco ISE to perform backups.
Activity Procedure
Configuring Repositories.
Step 1 Access the Admin PC and connect to the ISE GUI via https://ise-1.demo.local.
Step 2 To enable device administration, navigate to Administration > System >
Deployment. Edit the ISE node by clicking on ise-1. Under General Settings,
enable the Device Admin Service and Save the settings.
Step 3 Navigate to Administration > Network Resources > Network Devices.

Step 4 Select and edit the 3k-access switch.

Step 5 Scroll down, enable TACACS Authentication settings with the shared secret
1234QWer.

Step 7 To add policy elements, navigate to Work Centers > Device Administration >
Policy Elements > Results > TACACS Profiles. You will add two different
TACACS profiles with different privilege levels.
Step 8 Click Add Privilege_Level_1
privilege level is 1, and maximum privilege level is 1. Click Submit.
Step 9 Privilege_Level_15
of 1 and maximum privilege level 15. Click Submit.
Step 10 For policy creation, navigate to Work Centers > Device Administration >
Device Admin Policy Sets. You are about to create a new policy set to handle
Network Devices that use Cisco IOS software.
Step 11 Click the Plus icon or click the gear icon and select Insert new row above to
create a new Policy Set above the Default Policy Set.
Step 12 Name the new Policy Set Wired_Devices.

Step 13 Create a new Condition of Device: Device Type EQUALS All Device
Types#Wired.
Step 14 Select Default Device Admin from the Drop-Down Menu under Allowed
Protocols/Server Sequence.
Step 15 Click Save.
Step 16 Next, edit the Authentication Policy to use All_AD_Join_Points as the Identity
Store.
Step 17 Click Done.

Step 18 Next, insert a new authorization policy above the Default authorization policy.
Configure this new rule according to the chart below.
Attribute Value
Rule Name Employee_Privilege_15

demo.local/HCC/Groups/Employees
Command Sets Leave at default
Shell Profiles Privilege_Level_15
Step 19 Click Save.
Step 20 Now add a policy for contractors. Start by clicking the gear icon at the end of the
new employee policy, and choose Insert New Rule Above. Configure this new
rule according to the chart below.
Attribute Value
Rule Name Contractor_Privilege_1

demo.local/HCC/Groups/Contractors
Command Sets Leave at default
Shell Profiles Privilege_Level_1
Step 21 Click Save and check your work against the example below.
Step 22 To configure switch, access the 3k-access switch console, and enter the
commands that are shown below. You can find a textfile for copy and paste under
http://tools.demo.local/cp as tacacs-switch-config.txt

Step 23 To test various users, return to your Admin PC, and use PUTTY to open a SSH
session to 3k-access switch (10.1.100.1)
Login using the credentials contractor1 / 1234QWer. This should
succeed.
Type enable to get higher privilege. When prompted for a password,
enter 1234QWer. This authentication fails, according to the policy you
created. In ISE, navigate to Operations > TACACS > Live Logs for
verification.
Open another Putty SSH session to the 3k-access switch (10.1.100.1) and
login using employee1 / 1234QWer. This should succeed.
Type enable to get higher privilege. When prompted for a password,
enter 1234QWer. This authentication succeeds, according to the policy
you created.
If you like, you can enter the show privilege command to verify your
privilege level is 15.
Step 24 Navigate to Operations > TACACS > Live Logs to see the authentication and
authorization
Step 25 For the failed contractor entry, click the Details icon, as shown above. You can
analyze the details of each session. Some of the more pertinent information
includes the Authorization details, as shown below.
You have enabled device administration on the Cisco ISE.
You have configured a new Network Device Group (NDG).
You have modified a NAD definition in Cisco ISE to accommodate device
management.
You have added new TACACS+ Profiles to accommodate unique privilege levels.
You have created a new device admin policy set that uses differentiates between
employee and contractors, assigning the profiles that you created, as appropriate.
You successfully tested access control policy with employee and contractor user
accounts.

In this exercise, you will configure TACACS+ command authorization and bind these
commands to a device administration policy. Privilege-level authorization associates
commands with privilege levels, per network device. ISE can then apply the default and
maximum privilege level to a user upon log in. Privilege level authorization requires each
device be configured with privilege levels and command sets (overriding the default privilege
levels). TACACS+ command authorization centralizes the administration of commands to be
allowed or denied. When TACACS+ command authorization is enabled, each command that
is entered on a device is authorized against the TACACS+ service.
You will begin this lab by configuring TACACS Command sets. Then you will modify the
authorization policy to use these command sets. You will modify the switch configuration to
support command authorization, and then test the various users to check their access levels.
Admin PC
AD1
ISE-1
In this task, you will configure Cisco ISE to control admin access to IOS devices.
Activity Procedure
Step 1 Navigate to Work Centers > Device Administration > Policy Elements >
Results > TACACS Command Sets. You are about to create two command sets,
one with full access, and one with limited access to a specific set of commands.
Step 2 Click Add to create a new command set. Configure the name as
Permit_All_Commands, and click the checkbox for Permit any command that
is not listed below.

Step 4 Create a new command set named Limited_Access to permit/deny the following
commands
Permission Command Argument
permit ping
permit show run*
permit show privilege
Deny show inter*
Note Click the Add button to add each command. After entering each command, make sure to
click the checkmark at the end of the line to save the command.

Step 5 Validate your work against the example that is shown below.
Step 7 Navigate to Work Centers > Device Administration > Device Admin Policy
Sets > Wired_Devices.
Step 8 Modify the rule named Contractor_Privilege_1.
Step 9 Click the into the Command Sets box, and choose Limited_Access.
Step 10 Click the down-arrow in the Shell Profiles box, and choose Privilege_Level_15.
Note Although the contractors now have access to privilege level 15, they are limited to the
commands specified in the assigned command set.
Step 11 Modify the rule named Employee_Privilege_15.

Step 12 Change the command set to Permit_All_Commands, and leave the Shell Profile
to Privilege_Level_15
Step 13 Check your work against the example that is shown below.
Step 15 To configure the switch, access the 3k-access switch(10.1.100.1) via PuTTY
again as employee1 / 1234QWer and the enable password 1234QWer.
Enter the following commands to enforce command authorization via TACACS+.
Step 16 Close the PuTTY session and open a new PUTTY SSH session to 3k-access.
Login using the credentials contractor1 / 1234QWer.This should
succeed.
Type enable. When prompte 1234QWer
Notice that this access now succeeds, because you modified the
authorization policy to apply the Privilege_level_15 shell profile.
Execute the following commands and observe which commands pass and
fail.
show privilege
show running-config
ping 10.1.100.10
show interface (should not succeed)
configure terminal (should not succeed)
Check the Live Logs to see the information for command passes and failures.
Click a Details icon if you would like to see more information about any failures.
Step 17 Open another PuTTY SSH session to the 3k-access switch and login using the
credentials employee1 / 1234QWer. This action should succeed.
Type enable to gain a higher privilege level. Use 1234QWer as the
enable password. This action should succeed, as it did in the previous lab.
Execute the same commands as per Step 12. You should notice that
employee1 can execute all the commands.
Step 18 Close all PuTTY sessions.

Step 19 Navigate to Operations > TACACS > Live Logs to see the
authentication/authorization/command authorization information. You should see
Live Logs for the two different users that show the successful and unsuccessful
execution of commands.

This task is focused on two additional TACACS features:
1. Login authentication and enable authorization differentiation: Sometimes an
organization will choose to use different identity stores for login and enable. For
example, for device login, the organization may choose to use existing Active
Directory credentials, minimizing the administrative burden of creating new
credentials. For network administrators who need a higher level of access through
enable, the organization may want to manage the enable passwords via the ISE
internal user database or one-time passwords. This lab uses ISE internal users. These
users are pre-configured.
2. CLI Password change: TACACS+ supports inline password changes by the network
administrator. The network administrator can invoke this functionality by just hitting
return when prompted for a password.
Activity Procedure
Step 1 To enable login authentication and authorization differentiation, modify the
authentication policy to use different ID stores for login and enable. Navigate to
Work Centers > Device Administration > Device Admin Policy Sets >
Wired_Devices.
Step 2 Select the Wired_Devices Policy Set.
Step 3 Observe the Authentication Policy default rule.
Step 4 Click the gear icon of the Default Rule and insert a new rule above the default
rule.
Step 5 Create a new authentication policy rule as defined below.
Attribute Value
Rule Name Enable_Password
Conditions If (Create New Condition) TACACS:Service EQUALS Enable
Use Internal Users

Step 7 Configure the ISE user employee1 in its local identity database. Navigate to
Work Centers > Network Access > Identities > Network Access Users.
Step 8 Add a user named employee1 with a Login Password of 1234QWer, and an
Enable Password of Cisco123.
Step 10 Using PUTTY, open a SSH session to the 3k-access switch.
Login using the credentials employee1 / 1234QWer.This should
succeed.
Type enable and use the 1234QWer password. This process will fail as
the enable password is checked against the Internal Users database where
the password for employee1 is different.
Type enable and use Cisco123 as the password. This process should pass
as it matched with the password stored in the Internal Users database.
Go to TACACS Live Logs to check the logging records.
Step 11 For TACACS+ password change ability, open a new PUTTY SSH session to the
3k-access switch. Log in as employee1 / 1234QWer. When asked for enable
password, press Enter. You will be prompted for old password Cisco123,
followed by the new password 1234QWer.
Step 12 Close this PUTTY session.

Step 13 Launch another PuTTY SSH session to the 3k-access switch and log in as
employee1 / 1234QWer.
Try using the old enable password Cisco123. This password should fail.
Try the password that was defined in Step 6. This password should now
succeed.
Step 14 Check the TACACS Live Logs to see the login fail and pass.
You have configured TACACS command sets to differentiate user access.
You have modified the authorization policy to use the new command sets.
You have configured the switch for command authorization
You have tested various users to check their access levels
You have validated the ability to change passwords
In this activity, you will configure Cisco ISE to for backup and examine the process to
patch. After completing this activity, you will be able to meet these objectives:
Configure Cisco ISE backups
Patch a Cisco ISE instance
Admin PC
AD1
ISE-1

In this task, you will configure Cisco ISE to perform backups.
Activity Procedure
Step 1 In the Cisco ISE admin portal navigate to Administration > System >
Maintenance and then Repository.
Step 2 In the right-hand pane, click +Add.
Step 3 Create the following Repository.
Admin_PC - Repository Configuration
Attribute Value
Repository Configuration
Repository Name Admin_PC
Protocol FTP
Location
Server Name 10.1.100.6
Path /
Credentials
User Name Anonymous
Password 1234QWer

Configuration Database Backup Configuration
Step 5 Navigate to Administration > System > Backup & Restore.
Step 6 Under Schedule Backup > Configuration Data Backup click Schedule.
Step 7 Configure the following Backup Configuration Schedule.
Backup_CFG Schedule Configuration Backup
Attribute Value
Name Backup_CFG
Description Configuration Backup
Repository Admin_PC
Encryption Key 1234QWer
Re-Enter Encryption Key 1234QWer
Frequency Weekly
At Time 12:00AM
On Day Sunday
Start Date <Tomorrows Date>
End Date 01/01/2020
Step 8 Verify your configuration with the following screenshot and then click Save.

Monitoring Database Backup Configuration.
Step 9 On the same screen in Backup & Restore, click Schedule under Schedule
Backup > Operational Data Backup.
Step 10 Configure the following Backup Configuration Schedule.
Backup_CFG Schedule Configuration Backup
Attribute Value
Name Backup_MnT
Description Operations Backup
Repository Admin_PC
Encryption Key 1234QWer
Re-Enter Encryption Key 1234QWer
Frequency Daily
At Time 02:00AM
End Date 01/01/2020
Step 11 Verify your configuration with the following screenshot and then click Save.
Review the Process to Performing an On Demand Backup
Step 12 Click the Backup Now button in the upper left corner of this page.
Step 13 Examine the form and observe it is a cleaner version of the scheduled backup for
without a description and ability to schedule. Also the ability to select
Configuration or Operational backup types
Step 14 Click Cancel.
Note Do not perform a backup at this time.
Patching Management Process for Cisco ISE Review

Step 15 Navigate to Administration > System > Maintenance and then Maintenance >
Patch Management.
Step 16 In the right pane, click Install in the toolbar.
Step 17 You would then click Browse and browse for the patch file selecting it and then
click Open.
Note Your instructor will notify you if there is a patch file to install and where it is located.
Step 18 You would then click Install. Cisco ISE would then upload the file via the
browser and process the patch. All services would be stopped and then restarted.
Note Patching is a maintenance window operation. All functional services are stopped and
restarted.
You have configured the repository for Cisco ISE.
You have configured the configuration database backup
You have configured the monitoring database backup
You have reviewed the process to patch Cisco ISE.

In this activity, you will configure administrative access settings for Cisco ISE. After
Ability to control administrative access to Cisco ISE
Configure administered of access and authorization for administrative session
Admin PC
AD1
ISE-1
In this task, you will review and configure administrative access settings.
Activity Procedure
Session Settings
Step 1 Navigate to Administration > System > Admin Access and then Settings >
Session.
Step 2 The Session Idle Timeout range is 6 to 100 minutes.
Step 3 Click the Session Info tab.
Step 4 You should see your current session.
Step 5 Open Google Chrome, login to the ISE admin portal and open the Live Logs.
Step 6 Return to Firefox and click Refresh in the upper right section above the toolbar.
Step 7 Select your session and then attempt to click Invalidate. You are not able to
invalidate your own session.
Step 8 Select the new session and click Invalidate and confirm you want to invalidate
this administrative session by clicking OK.
Step 9 Return to Google Chrome and attempt to navigate anywhere in the portal. You
will be returned to the login screen.
Step 10 Close Google Chrome browser and return to Firefox.
Access Settings
Step 11 In the left pane navigate to Admin Access > Settings > Access.
Step 12 Observe the ability to limit concurrent sessions and configure pre and post login
banners for bot GUI and CLI access.
Step 13 Click the IP Access tab.
Step 14 Select Allow only listed IP addresses to connect.
Step 15 In the IP List section click +Add.
Step 16 In the pop-up form enter 10.1.100.0 for the IP Address and 24 for the netmask in
CIDR format.
Step 17 Click OK and click Save.
You have configured administrative access session settings.
You have invalidated an administrative session.
You have configured IP access restrictions for administrative sessions.

In this task, you will configure administrative access to the Cisco ISE admin portal.
Activity Procedure
Microsoft Active Directory Integration
Step 1 Navigate to Administration > System > Admin Access and then
Authentication.
Step 2 In the right pane, for password access, select the Identity Source AD:demo.local.
Step 3 Click Save.
Create AD Shadow Account
Step 4 In the left pane, navigate to Admin Access > Administrators > Admin Users.
Step 5 In the right pane, click +Add and select Create an Admin User.
Step 6 For the Name type ITAdmin.
Step 7 Delete the contents from the Email field.
Step 8 Select the External Box.
Step 9 Scroll down and select the Admin Group Super Admin.
Link External AD Group to Super Admins
Step 11 In the left pane, navigate to Admin Access > Administrators > Admin Groups.
Step 12 From the list, Edit the Super Admin group.
Step 14 In the External Groups drop-down, select demo.local/HCC/Groups/IT Staff.
Creating AD Permission Sets
Note
additional configuration.
Step 16 In the left pane, navigate to Admin Access > Administrators > Admin Groups.
Step 17 Click +Add in the right pane tool bar.
Step 18 Enter the Name AD Staff.
Step 19 Configure the type to only be External.
Step 20 In the External Groups drop-down, select demo.local/HCC/Groups/Staff.
Creating an External Group RBAC Policy
Data Access
Step 22 In the left pane, navigate to Admin Access > Authorization > Permissions >
Data Access.
Step 23 In the right pane, click +Add.
Step 24 Enter the Name AD_Staff_Access.
Step 25 In the Data Access Privileges, expand Endpoint Identity Groups .
Step 26 With Endpoint Identity Groups select, click Full Access on the right. After
saving, that will give access to that level and all sub levels below.
Menu Access
Step 28 In the left pane, navigate to Admin Access > Authorization > Permissions >
Menu Access.
Step 29 In the right pane, click +Add.
Step 30 Enter the Name AD_Staff_Menu.
Step 31 In the same method that you issues Data Access Privileges, give the following
Menu Access Privileges Show access.
Home
Operations >RADIUS
Note Select only the items listed above. Do not assign Show privileges to Operations,
Administration, only the indicated sub-menu.

RBAC Policy Assignment
Step 33 In the left pane, navigate to Admin Access > Authorization > Policy.
Step 34 Using the Actions button at the left, Insert a new Policy.
Step 35 Configure the following policy.
AD Staff - RBAC Policy
Attribute Value
Rule Name AD Staff Policy
Admin Groups AD Staff
Permissions AD_Staff_Menu
Step 36 Verify your configuration with the following screenshot and then scroll down and
click Save.
Create Shadow Accounts for the AD Admin Group

Step 37 In the left pane, navigate to Admin Access > Administrators > Admin Users.
Step 38 In the right pane, click +Add and select Create an Admin User.
Step 39 For the Name type Admin1.

Step 40 Clear the Email field.
Step 42 Scroll down and select the Admin Group AD Staff.
You configure Cisco ISE to authenticate administrative access via Active Directory
You have created the shadow account Cisco ISE that is linked to an external Active
Directory account.
group.
You have created a custom Active Directory permissions set.
You have called the entire process of creating an external RBAC policy
In this task, you will test administrative access based on the configuration in your previous
task.
Activity Procedure
Step 1 To make the process easier by maintaining your existing administrative session in
Firefox, open Googel Chrome browser.
Step 2 Navigate to the URL https://ise-1.demo.local.
Step 3 On the login page, select the Identity Source demo.local.
Step 4 Use ITAdmin as the Username with the password 1234QWer.
Step 5 Click Login.
Step 6 Observed that you have full super admin access to the entire Cisco ISE admin
portal.
Step 7 In the upper right click Logout.
Step 8 Re-login using the credentials Staff1 / 1234QWer.
Step 9 Observed that the Cisco ISE admin portal is limited to just Home and
Operations > RADIUS.
Step 10 Click Logout.

Step 11 Close Internet Explorer.
You have successfully logged in to Cisco ISE with Active Directory credentials.
You have successfully observed the RBAC restrictions in the Cisco ISE admin
portal interface.

In this activity, you will review some of the diagnostic tools available via the Cisco ISE
admin portal. After completing this activity, you will be able to meet these objectives:
Run the RADIUS Authentication Troubleshooting tool
Perform a TCPDump traffic capture on Cisco ISE.
Admin PC
AD1
ISE-1
In this task, you will explore the RADIUS Authentication Troubleshooting tool.
Activity Procedure
Step 1 Return to the Cisco ISE admin portal in Firefox.
Step 2 Navigate to Operations > Troubleshoot > Diagnostic Tools and then General
Tools > RADIUS Authentication Troubleshooting.
Step 3 Examine the troubleshooting form and the available fields.
Step 4 Click the Select button at the end of the NAS IP line.
Step 5 In the pop-up, clock Search
Step 6 Select 10.1.100.1 from the criteria list and click Apply.
Step 7 Change the Authentication Status drop-down to Fail.
Step 8 Change the Time Range drop-down to Last7 days.
Step 9 Click Search.
Step 10 Select any Failure Reason.
Step 11 Scroll down and click Troubleshoot.
Step 12 When presented, click Show Results Summary.
Step 13 Examine the presented data expanding lines in the Troubleshooting Summary if
possible.
Step 14 At the bottom click Show Progress Details and you are returned to the overview.
Step 15 Click Done to close the this troubleshooting session.
You have run the RADIUS Authentication Troubleshooting tool using the selected
parameters.

In this task, you will use the TCPDump functionality in Cisco ISE to capture RADIUS
traffic that is seen by the Cisco ISE interface GigabirEthernet0.
Activity Procedure
Step 1 Return to the Cisco ISE admin portal in Firefox.
Step 2 Navigate to Operations > Troubleshoot > Diagnostic Tools and then General
Tools > TCP Dump.
Step 3 Examine the options and in the Filter field enter port 1812.
Note There is a bug in verison 2.4 filter

ip host 10.1.100.1.
Step 4 Change the Format to Human Readable.
Tip You can choose Raw Packet Data, and the data will be in libpcap format. Wireshark is a
free application that can open that file type.
Step 5 At the top, click Start.

Step 6 Generate some RADIUS traffic, by accessing your 3k-access switch via PuTTY.
Step 7 Log in to the Switch via SSH using the credentials employee1 / 1234QWer and
the enable password 1234QWer.
Note The login for the switch depends on the TACACS lab done before! The standard login if
not done the TACACS lab would be admin with the password 1234QWer.
Note Another way to access the switch is via the RemotelabsClient topology overview by
clicking the Switch symbol. This will open a console session privilege level 15.
Step 8 Enter configuration mode and shut and not shut interface GigabitEthernet1/0/1
Step 9 Return the Cisco ISE admin portal. You should have some traffic captured as
indicated by a file size of something other than 0 bytes.
Step 10 Click Stop
Step 11 Examine the output details at the bottom.
Step 12 Click Download.
Step 13 Save the TCPDump.txt file to your Desktop.
Step 14 Navigate to your Admin PC desktop and find the TCPDump.txt file.
Step 15 Right-click on it and select Open with WordPad.
Step 16 Examine the file contents and when done, close the file.
Step 17 Return to the Cisco ISE Admin Portal.
You have captured RADIUS traffic at the Cisco ISE GigabitEthernet 0 interface and
examined it in human readable form.

In this activity, you will explore some Report operation capabilities in Cisco ISE. After
Run a report with Filters
Save scheduled Report
Designate a Report and save the Report in My Reports
Admin PC
AD1
ISE-1
In this task, you will run a report with a filter.
Activity Procedure
Step 1 Navigate to Operations > Reports. Then Reports > Endpoints and Users >
Top Authorizations by User.
Step 2 Click Filters and select Identity from the Dropdown. Click OK.
Step 3 In the Identity Store filter, enter *@demo.local to filter out all local and guest
authentications.
Step 4 Create a a filter with the settings from the screenshot below.
Step 5 Click Go.

Step 6 Observe the results.
Note Do not close or leave this report. You will use it in the ne next task.
You have run a report with a filter.

In this task, you will schedule the filtered report from the last task to be run weekly.
Activity Procedure
Step 1 In the upper right corner of this report, click the Schedule button.
Step 2 Fill out the form with the following details.

Weekly_Top_AD_Authorizations - Scheduled Report
Attribute Value
Name Weekly_Top_AD_Authorizations
Description
Repository Admin_PC
Send email Notification
Schedule
Frequency Weekly
At Time 6:00 AM
On Day Monday
End Date <One year Later and select an Monday>
Step 3 Click Save.
Step 4 In the left pane, navigate down to Scheduled Reports > Scheduled Reports.
Step 5 Observe the successfully saved report.
You have saved scheduled report.

In this task, you will re-run a modified form of the report from the previous task and
designate the report as a favorite. The Favorite Report section is the one that opens by
default when entering the Reports section. Favoriting a reports makes it faster to execute in
the future.
Activity Procedure
Step 1 Navigate to Operations > Reports. Then Reports > Endpoints and Users >
Top Authorizations by User.
Step 2 Click the plus sign right of the Time Range filter and select Identity from the
Dropdown.
Step 3 In the Identity filter, enter *@demo.local to filter out all local and guest
authentications.
Step 4 Select the Time Range of Yesterday.
Step 5 Click Go.

Step 6 In the upper right, click My Reports. Click the Save button in the new window.
Step 7 In the left pane, open the My Reports section on the top.
Step 8 Click on Top Authorizations by User and review the Report.
Tip If you ever desire to remove a report from My Report list, run the report and in the upper
right, select My Reports.
You have run, report and made a My Report entry.

Fl-Sise24 LG301 PDF

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Fl-Sise24 LG301 PDF

Uploaded by

Copyright:

Available Formats

Implementing and

2018 Fast Lane TOC V

This guide includes these activities:

The figure illustrates what you will accomplish in this activity.

© 2018 Fast Lane Lab Guide 3

Step 3 You should see the following prompt:

© 2018 Fast Lane Lab Guide 5

Note You can use the toolbar shortcut as well

Step 4 Click Confirm Security Exception.

© 2018 Fast Lane Lab Guide 7

Step 4 Scroll down and click Save.

© 2018 Fast Lane Lab Guide 11

Step 8 Click Server Information.

Step 9 Click OK of the notification to close it.

© 2018 Fast Lane Lab Guide 13

Step 11 In the Friendly Name field enter demo.local CA Certificate.

Step 13 In the Description field enter, CA cert from ad1.demo.local.

1. Verify Usage is set to Admin

2. Check Allow Wildcard Certificates Click the information (i) to read

3. In the Subject area, use the following: $FQDN$ should be a preexisting

5. Verify the Key Type is RSA

6. Verify the Key Length is 2048

7. Verify the Digest to Sign with is SHA-256

8. Verify your settings with the screenshot below

© 2018 Fast Lane Lab Guide 15

Step 19 Click the Export button.

Step 23 Click the View button in the toolbar.

© 2018 Fast Lane Lab Guide 17

© 2018 Fast Lane Lab Guide 19

Step 55 Close all of the pop-up windows.

Step 60 In the Usage area, select EAP Authentication.

Step 63 Scroll down and click Save.

© 2018 Fast Lane Lab Guide 21

The figure illustrates what you will accomplish in this activity.

Step 4 Click Submit.

Step 9 Click OK.

© 2018 Fast Lane Lab Guide 23

Note The test may take a minute to run.

Step 16 Scroll down and click Close.

Step 24 From that list, deselect the following groups.

© 2018 Fast Lane Lab Guide 25

Step 32 Click Save at the bottom.

Step 44 Change the Authentication Type to MS-RPC.

Step 47 Close the test user authentication pop-up window.

© 2018 Fast Lane Lab Guide 27

© 2018 Fast Lane Lab Guide 29

Step 18 Click the Directory Organization tab.

© 2018 Fast Lane Lab Guide 31

The figure illustrates what you will accomplish in this activity.

Show the status of connections to AAA

Perform a test authentication to the AAA

Show authentication information details

© 2018 Fast Lane Lab Guide 33

Adjusting RADIUS settings

Step 1 Navigate to Administration > System > Settings.

Step 4 Click Save and acknowledge the informational message.

© 2018 Fast Lane Lab Guide 35

Description 3650 access switch

IP Address 10.1.100.1 /32

Device Profile Cisco

Model Name <blank>

Software Version <blank>

Network Device Group