Configuring Cisco Identity Services Engine
Version 2.4
Version 3.0.1
ATTENTION
The information contained in this guide is intended for training purposes only. This guide contains information and activities that, while beneficial for purposes of training in a closed, non-production environment, can result in downtime or other severe consequences and therefore are not intended as a reference guide. This guide is not a technical reference and should not, under any circumstances, be used in a production environment. Customers should refer to the published specifications applicable to specific products for technical information. The information in this guide is distributed AS IS, and the use of this information or implementation of any recommendations
COPYRIGHT
© 2018 Fast Lane GmbH. All rights reserved.
All other brands and product names are trademarks of their respective owners.
No part of this book covered by copyright may be reproduced in any form or by any means (graphic, electronic, or mechanical, including
photocopying, recording, taping, or storage in an electronic retrieval system) without prior written permission of the copyright owner.
Fast Lane reserves the right to change any products described herein at any time and without notice. Fast Lane assumes no responsibility
or liability arising from the use of products or materials described herein, except as expressly agreed to in writing by Fast Lane. The use
or purchase of this product or materials does not convey a license under any patent rights, trademark rights, or any other intellectual
property rights of Fast Lane.
The product described in this manual may be protected by one or more patents, foreign patents, or pending applications.
II Implementing and Configuring Cisco Identity Services Engine (SISE 2.4) v3.0.1 © 2018 Fast Lane
SISE Lab Guide 1
Overview 1
Outline 1
Lab 1-1: Complete Cisco ISE GUI Setup 3
Activity Objective 3
Visual Objective 3
Required Resources 3
Task 1: Verify Cisco ISE setup using CLI 4
Task 2: Initial Login and Initial Message Management 6
Task 3: Disable Profiling 11
Lab 2-1: Integrate Cisco ISE with Active Directory 22
Activity Objective 22
Visual Objective 22
Required Resources 22
Task 1: Configure Active Directory Integration 23
Task 2: Configure LDAP Integration 28
Lab 2-2: Basic Policy Configuration 32
Activity Objective 32
Visual Objective 32
Required Resources 32
Command List 33
Task 1: Adjusting Radius Settings 34
Task 2: Create Network Devices and Network Device Groups 36
Task 3: Create Wired and Wireless Policy Sets 46
Task 4: Create Authentication Policy for the Wired and Wireless Policy Set 49
Task 5: Authorization Policy Configuration for AD Employees and AD Contractors 52
Task 6: Client Access Wired 58
Task 7: Client Access Wireless 64
Task 8: Creating a Global Exception 69
Task 9: Network visibility with Context Visibility 71
Lab 3-1: Configure Guest Access 73
Activity Objective 73
Visual Objective 73
Required Resources 73
Task 1: Guest Settings 74
Task 2: Guest Locations 76
Lab 3-2: Guest Access Operations 77
Activity Objective 77
Visual Objective 77
Required Resources 78
Task 1: Hotspot Portal Operations 79
Task 2: Self-Registration Portal Operations 94
Task 3: Enabling Self-Registration with Sponsor Approval 107
Task 4: Sponsored Guest Logins 113
Task 5: Guest Account Management via the Sponsor Portal 126
Lab 3-3: Create Guest Reports 128
Activity Objective 128
Visual Objective 128
Required Resources 128
Task 1: Running Reports from Cisco ISE Dashboard 129
Lab 4-1: Configuring Profiling 132
Activity Objective 132
Visual Objective 132
Required Resources 132
Command List 132
Task 1: Configuring Profiling in Cisco ISE 133
Task 2: Configure the Feed Service 138
Task 3: Configuring Profiling in Cisco ISE 140
Task 4: NAD Configuration for Profiling 142
Lab 4-2: Customizing the Cisco ISE Profiling Configuration 144
Activity Objective 144
Visual Objective 144
Required Resources 144
Task 1: Examine Endpoint Data 145
Task 2: Create a Logical Profile 150
Task 3: Creating a New Authorization Policy using a Logical Profile 151
Task 4: Create a Custom Profile Policy 152
Task 5: Testing Authorization Policies with Profiling Data 156
Lab 4-3: ISE Profiling Reports 160
Activity Objective 160
Visual Objective 160
Required Resources 160
Task 1: Run Cisco ISE Profiling Reports 161
Task 2: Endpoint Profile Changes Report 163
Task 3: Context Visibility Dashlet Reports 164
Lab 5-1: BYOD Configuration 166
Activity Objective 166
Visual Objective 166
Required Resources 167
Task 1: Portal Provisioning 168
Task 2: Provisioning Configuration 172
Task 3: Policy Configuration 177
Task 4: Employee Tablet Registration 184
Lab 5-2: Device Blacklisting 191
Activity Objective 191
Visual Objective 191
Required Resources 191
Task 1: Blacklist a Device 192
Task 2: Lost Access Verification 195
Task 3: Endpoint Record Observations 196
Task 4: Un-Blacklist the Device 199
Task 5: Verify Access Capability 200
Task 6: Blacklisting a Stolen Device 201
Lab 6-1: Compliance 204
Activity Objective 204
Visual Objective 204
Required Resources 204
Task 1: Posture Preparation 205
Task 2: Authorization Profiles 209
Task 3: Adjusting Authorization Policy for Compliance 212
Lab 6-2: Configuring Client Provisioning 216
Activity Objective 216
Visual Objective 216
Required Resources 216
Task 1: Client Updates 217
Task 2: Client Resources 218
Task 3: Client Provisioning Policies 223
Lab 6-3: Configuring Posture Policies 224
Activity Objective 224
Visual Objective 224
Required Resources 224
Task 1: Configuring Posture Conditions 225
Task 2: Configuring Posture Remediation 228
Task 3: Configuring Posture Requirements 231
Task 4: Configuring Posture Policies 234
Lab 6-4: Testing and Monitoring Compliance Based Access 236
Activity Objective 236
Visual Objective 236
Required Resources 236
Command List 237
Task 1: AnyConnect Unified Agent Access 238
Lab 6-5: Compliance Policy Testing 242
Activity Objective 242
Visual Objective 242
Required Resources 242
Task 1: Configure a Faulty Policy 243
Task 2: Use Posture Reports for Troubleshooting 244
Task 3: Using the Posture Troubleshooter 245
Task 4: Policy Correction and Testing 247
(Optional) Lab 7-1: Using Cisco ISE for VPN Access 249
Activity Objective 249
Visual Objective 249
Required Resources 249
Command List 250
Task 1: Lab Preparation 251
Task 2: Testing VPN Client Access 258
(Optional) Lab 7-2: Configuring Cisco AMP for ISE 264
Activity Objective 264
Visual Objective 264
Required Resources 264
Command List 265
Task 1: Configuring the Cisco AMP Cloud 266
Task 2: Configuring Posture Policies and Conditions 269
Task 3: Configuring Posture, AMP and AnyConnect Profiles 271
Task 4: Enabling and Provisioning TC-NAC Services 274
Task 5: Verify Provisioning of AMP for Endpoints (Optional) 277
Lab 8-1: Configure TACACS+ for Cisco ISE for Basic Device Administration 280
Activity Objective 280
Visual Objective 280
Required Resources 280
Task 1: Policy Configuration for AD Employees and AD Contractors 281
Lab 8-2: Configure TACACS+ Command Authorization 288
Activity Objective 288
Visual Objective 288
Required Resources 288
Task 1: Configure Command Sets 289
Task 2: TACACS+ Features 292
(Optional) Lab 8-3: Configuring Backups and Patching 295
Activity Objective 295
Visual Objective 295
Required Resources 295
Task 1: Configuring Backups 296
(Optional) Lab 8-4: Configuring Administrative Access 300
Activity Objective 300
Visual Objective 300
Required Resources 300
Task 1: Administrative Access 301
Task 2: Administrator Access and Authorization 302
Task 3: Testing AD Administrative Access 305
(Optional) Lab 8-5: Review of General Tools 306
Activity Objective 306
Visual Objective 306
Required Resources 306
Task 1: RADIUS Authentication Troubleshooting 307
Task 2: TCPDump 308
(Optional) Lab 8-6: Report Operations 310
Activity Objective 310
Visual Objective 310
This guide presents the instructions and other information concerning the lab activities for
this course. You can find the solutions in the lab activity Answer Key.
Lab 1-1: Complete Cisco ISE GUI Setup
Complete this lab activity to practice what you learned in the related module.
In this activity, you will complete the GUI portion of the setup for this lab environment.
After completing this activity, you will be able to meet these objectives:
Log into Cisco ISE and process initial information messages
Disable profiling
Perform administrative certificate management services for Cisco ISE with a CA
These are the resources and equipment that are required to complete this activity:
Admin PC
ISE-1 (bootstrap)
Task 1: Verify Cisco ISE setup using CLI
Activity Procedure
Complete these steps:
Step 1 Access the Cisco ISE console according to the lab access procedures provided by your instructor.
Step 2 At the login prompt, enter the username admin and the password 1234QWer.
Step 4 Enter the following command and observe the output and the status of the services.
show application status ise
Step 5 Verify NTP synchronization. At the command prompt, type the following command:
show ntp
Step 6 Observe the following output, paying attention to the * at the beginning of the line and the text
Step 7 Verify DNS name resolution. At the command prompt, enter the following command:
nslookup ise-1.demo.local
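The asterisk that Step 6 asks you to look for marks the peer the system clock is actually synchronised to. The following is an added example, not part of the lab guide or of Cisco's own tooling: a small POSIX shell check over the text of show ntp that picks out that peer and its reachability. The sample output is constructed to resemble the ntpq-style peer table the command prints; the server names and addresses are made up for this example.

```shell
#!/bin/sh
# Added example: health check over the output of the ISE CLI command "show ntp".
# SAMPLE_SHOW_NTP is constructed (not captured from a real ISE node); the peer
# addresses and the ntp.demo.local name are assumptions for this example.

SAMPLE_SHOW_NTP='Primary NTP    : ntp.demo.local
synchronised to NTP server (10.1.100.10) at stratum 4
   time correct to within 52 ms
   polling server every 64 s

     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*10.1.100.10     .GPS.            1 u   23   64  377    0.312   -0.044   0.032
+10.1.100.11     10.1.100.10      2 u   40   64  377    0.401    0.120   0.050'

# Constructed output of a node that has not yet synchronised: no "*" peer,
# reach 0, and "unsynchronised" in the status text.
SAMPLE_SHOW_NTP_UNSYNCED='Primary NTP    : ntp.demo.local
unsynchronised
   polling server every 64 s

     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 10.1.100.10     .INIT.          16 u    -   64    0    0.000    0.000   0.000'

# Print the address of the peer marked "*" (the selected sync source).
# Empty output means no peer has been selected.
ntp_sync_peer() {
  printf '%s\n' "$1" | awk '/^\*/ { sub(/^\*/, "", $1); print $1; exit }'
}

# Print the reach column (octal bitmap of the last eight polls) for the "*" peer.
# 377 means all eight recent polls were answered.
ntp_sync_reach() {
  printf '%s\n' "$1" | awk '/^\*/ { print $7; exit }'
}

# Verdict: OK only when a "*" peer exists, the status text says synchronised,
# and that peer answered the last eight polls; otherwise NOT_SYNCED.
ntp_status() {
  peer=$(ntp_sync_peer "$1")
  reach=$(ntp_sync_reach "$1")
  if [ -n "$peer" ] \
     && printf '%s\n' "$1" | grep -qi 'synchronised to NTP server' \
     && [ "$reach" = "377" ]; then
    echo OK
  else
    echo NOT_SYNCED
  fi
}

# Usage against the constructed samples (a live node would be checked by
# feeding it the text of "show ntp" captured from the console instead):
ntp_status "$SAMPLE_SHOW_NTP"            # OK
ntp_status "$SAMPLE_SHOW_NTP_UNSYNCED"   # NOT_SYNCED
```

A node whose certificates, Kerberos tickets and log timestamps all depend on correct time should not be joined to Active Directory (Lab 2-1) until this check returns OK; a "+" peer alone is a candidate, not a synchronised source.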
Activity Verification
You have completed this task when you attain this result:
Successfully observed Cisco ISE services status
Successfully observed NTP synchronization
Successfully performed an nslookup to verify proper name resolution
Task 2: Initial Login and Initial Message Management
Activity Procedure
Complete these steps:
Step 1 Access your Admin PC. Use the credentials Administrator / 1234QWer.
Step 2 Open the Firefox web browser and navigate to https://ise-1.demo.local
Step 3 Accept the Your connection is not secure message by expanding Advanced and clicking Add Exception. Uncheck the Permanently store this exception checkbox at the bottom.
Step 5 Log in with the credentials admin / 1234QWer.
Step 6 If the Visibility Setup Wizard pop-up appears, click Do not show this again.
Step 7 Navigate the various sub-menu options available under the Home screen tab. In later labs, you will be configuring other aspects of ISE, and these dashboards will be populated and updated accordingly. Since no devices or users are defined yet, many dashboards are empty.
Note Context Visibility provides the administrator with a more holistic view of the network. It
allows for quick sorting and filtering of context information. Administrators can view
dashlets to get detailed informational data.
Step 9 These dashboards and dashlets can be customized to meet your needs. By clicking the gear icon, you are presented with the options available to you and the customizable options. These options change depending on which main menu heading you are viewing, Home or Context Visibility. Take a moment to explore these options.
Step 10 Back under the Home tab, you can add additional dashboards in two ways. Clicking the gear icon offers further options, such as adding additional dashlets to the present view. You can also change the layout of the display and manage dashboards as well.
Step 11 Add a new dashboard by using either method that is mentioned above. Name it
MYTEST and click Apply when done. Then select 2 or 3 dashlet parameters of
your choice to be included with that dashboard. Then click Save. You can then
view this new dashboard once complete and it will appear as a sub-menu option.
Step 12 By clicking the gear icon on the right, notice that you can rename this dashboard,
and add additional dashlets. If you click Add Dashlets, you will see that you can
configure the dashboard to display what is important to you, for your
environment. Click Close to exit.
Step 13 Now, go ahead and delete this Dashboard by clicking the X next to the MYTEST
name and click OK on the pop-up warning window to delete the dashboard. You
will be adding dashboards in later labs that will be more relevant to the task being
performed.
Step 14 Similarly, by navigating to the Context Visibility page and clicking the gear
icon on the right, you are presented with options to create new views, or directly
jump to a preexisting dashboard. Again, you will be customizing these pages in
later labs where appropriate.
Step 15 Next, navigate to the other menu options available just to familiarize yourself
with GUI navigation. You will be accessing most of the configuration options
available in much more detail throughout the entire course.
The Operations tab will allow you to view live logs and live sessions for things
such as RADIUS and TACACS+ sessions.
The Policy tab is where you will perform authentication and authorization configurations, as well as profiling, provisioning, and posture. Take the time to view the default policies that come with ISE for authentication, authorization, profiling, and provisioning. You will be modifying some of these and adding new policy configurations in later labs.
The Administration tab is where you will perform system functions, identity management, add network resources, device portals, and other services available on Cisco ISE.
There is a new menu option available with ISE version 2.1 that is called Work Centers. The Work Centers provide a guided workflow process for configuring various ISE services. Work Centers also provide direct links to specific configuration pages. Take some time to click the various sub-menu options, and pay particular notice to the overview pages. These help guide you through the ISE workflow process. For example, choose BYOD, Guest Access, or Network Access.
Activity Verification
You have completed this task when you attain these results:
You have successfully logged in to Cisco ISE using the credentials provided during the first lab.
You have processed the initial messages that are shown to the user upon login
Familiarized yourself with the Cisco ISE user interface
Task 3: Disable Profiling
In this task, you will disable profiling, which is enabled by default during the Cisco ISE installation process. You will enable profiling in a later lab.
Activity Procedure
Complete these steps:
Step 1 Navigate to Administration > System > Deployment.
Step 2 Click the ise-1 hostname hyperlink.
Step 3 Uncheck the Enable Profiling Service checkbox. Verify with the following
screenshot.
Note System services are being reconfigured and restarted. The message will auto close and
the browser will automatically log you out if you do not click the OK button.
Step 6 After a few minutes, log back in to the ISE Admin Portal.
Note You may check the status of the service restart via the console or CLI using the
command show application status ise. Once the Application Server is running, you will
be able to log in. If you check before the service is reconfigured, you may see the service
admini Message.
Step 7 Once logged in, click the gear in the upper right of the window and verify that Session is the only Policy Service (Identity Mapping, Session) service running.
Note If you see (ALL) instead of (Session), perform steps 1 through 7 again paying attention to
step 5.
Activity Verification
You have completed this task when you attain this result:
You have disabled profiling in Cisco ISE
Activity Procedure
Complete these steps:
Download CA certificate
Step 1 In the web browser on the admin PC, open a new tab and navigate to
http://ad1.demo.local/certsrv.
Step 2 When prompted use the credentials administrator / 1234QWer.
Step 3 Click the link Download a CA certificate, certificate chain, or CRL.
Step 4 Click the Download CA certificate link.
Step 5 Click OK to save the file.
Note If using Firefox, you may have to click the Install this CA certificate link at the top in order to install the CA certificate in the browser. This is necessary because Firefox uses a separate certificate store from the operating system. Select Trust this CA to identify websites and click OK.
Install CA certificate
Step 6 In the Cisco ISE admin portal tab, navigate to Administration > System >
Certificates.
Step 7 Then select Trusted Certificates under Certificate Management.
Step 8 Click the Import button in the right-hand pane.
Step 9 Click the Browse button and navigate to your Downloads folder (C:\Users\Administrator\Downloads).
Step 10 Select the file certnew.cer and then select the Open button.
Note You may or may not see the .cer extension, depending upon your Windows Explorer configuration.
Generate Certificate Signing Request
Step 15 In the left pane, select Certificate Signing Requests under Certificate
Management.
Step 16 Click the button at the top of the right pane, Generate Certificate Signing
Requests (CSR).
Step 17 Perform the following procedure to generate your CSR.
Certificate Signing Request Procedure
Step 4. Action: In the Subject Alternative Name area, configure the following:
Notes: Click the plus (+) sign to add additional SAN entries. The aaa name is a CNAME record. The ise name is a CNAME record. Adding the IP address as both a DNS Name and an IP Address addresses a compatibility issue with Microsoft Windows clients.
Step 9. Action: Click Generate.
Step 26 Highlight (Ctrl-A) and copy the complete contents to the clipboard (right-clicking and selecting Copy or pressing Ctrl-C both work).
Step 27 Click Close.
Step 28 Return to the tab for the Microsoft Active Directory Certificate Services page.
(http://ad1.demo.local/certsrv with username administrator, password 1234QWer)
Step 29 Click the Home link in the upper right-hand corner.
Step 30 Click the Request a certificate link.
Step 31 Click the advanced certificate request link.
Step 32 Right-click and paste the contents into the Saved Requests field.
Step 42 Click Browse and navigate to the Downloads folder again if necessary.
Step 43 Select the file ise-1 Admin Cert.cer.
Step 44 Click Open.
Step 45 In the Friendly Name field enter ise-1 Admin Cert.
Step 46 Select Admin, to assign the certificate to the Admin role.
Step 47 Click Submit.
Step 48 The system will log you out and restart services.
Step 49 Log back in after a few minutes.
Note You may check the status of the service restart via the console or CLI using the
command show application status ise. Once the Application Server is running, you will
be able to log in.
Certificate Verification
Step 50 In your browser URL bar, click the lock icon to the left of https://. Observe the
following field which indicates a trusted CA signed certificate.
Step 51 Click on the right side arrow and then More Information.
Step 52 Click View Certificate.
Step 53 Observe the Issued By is the root-CA for your pod.
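The two things this task has you check by hand, that the CSR really carries the SAN entries from the procedure table and that the issued certificate chains to the pod root CA, can be rehearsed locally with openssl before anything is pasted into the AD CS page. The following is an added example, not the lab guide's or Cisco's own procedure: a throwaway root CA stands in for the pod CA on ad1.demo.local, aaa.demo.local and ise.demo.local are assumed spellings of the two CNAMEs the table mentions, and 192.0.2.10 is a placeholder for the ISE address, not the lab's value.

```shell
#!/bin/sh
# Added example: the enrolment flow of this task reproduced with openssl only.
# Constructed values: a throwaway CA replaces the pod CA; aaa.demo.local,
# ise.demo.local and 192.0.2.10 are assumptions, not lab values.

WORK="${WORK:-$(mktemp -d)}"
ISE_FQDN="ise-1.demo.local"
AAA_CNAME="aaa.demo.local"
ISE_CNAME="ise.demo.local"
ISE_IP="192.0.2.10"

# Stand-in for the pod root CA (in the lab, the CA whose certnew.cer you downloaded).
make_root_ca() {
  cat > "$WORK/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = demo-local-ROOT-CA
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" -config "$WORK/ca.cnf" 2>/dev/null
}

# CSR with the SAN list the procedure table asks for: the FQDN, both CNAMEs, and
# the IP address entered twice, as a DNS name and as an IP address (the Windows note).
make_csr() {
  cat > "$WORK/csr.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = san_ext
prompt = no
[dn]
CN = $ISE_FQDN
O = demo.local
[san_ext]
subjectAltName = DNS:$ISE_FQDN,DNS:$AAA_CNAME,DNS:$ISE_CNAME,DNS:$ISE_IP,IP:$ISE_IP
extendedKeyUsage = serverAuth, clientAuth
EOF
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORK/ise-1.key" -out "$WORK/ise-1.csr" -config "$WORK/csr.cnf" 2>/dev/null
}

# Sign the CSR with the CA, re-applying the SAN section from the same file. A CA
# that drops requested SANs returns a certificate the browser rejects for every
# name except the CN, which is what the SAN entries in this task are meant to avoid.
sign_csr() {
  openssl x509 -req -sha256 -days 30 -in "$WORK/ise-1.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/csr.cnf" -extensions san_ext -out "$WORK/ise-1.pem" 2>/dev/null
}

# SAN line of the CSR as text, for checking the request before it is submitted.
csr_sans() {
  openssl req -in "$WORK/ise-1.csr" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# Issuer CN of the signed certificate: what the browser shows as "Issued By".
cert_issuer_cn() {
  openssl x509 -in "$WORK/ise-1.pem" -noout -issuer | sed 's/.*CN *= *//'
}

# Chain check against the CA file, the same decision the browser makes once the
# CA certificate is in its trust store. Prints OK or FAIL.
verify_chain() {
  if openssl verify -CAfile "$WORK/ca.pem" "$WORK/ise-1.pem" >/dev/null 2>&1; then
    echo OK
  else
    echo FAIL
  fi
}

run_enrolment() {
  make_root_ca && make_csr && sign_csr
}

# Usage: run_enrolment && csr_sans && cert_issuer_cn && verify_chain
```

Running csr_sans against the real CSR you copied in Step 26 (paste it into a file and point the function at it) is the quickest way to catch a missing CNAME before the CA has issued the certificate; the lab's own check, the Issued By field in Step 53, only tells you the chain is trusted, not that every name the clients will use is covered.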
Step 62 Select Portal and add a new Portal Group Tag by entering ISE Lab CGT.
Activity Verification
You have completed this task when you attain this result:
You have successfully installed the CA certificate on Cisco ISE
You have successfully enrolled Cisco ISE into your pod CA
You have verified the certificate via your web browser
You have additionally configured the installed certificate for EAP and Portal usage
Lab 2-1: Integrate Cisco ISE with Active Directory
In this activity, you will integrate Cisco ISE with Active Directory. After completing this activity, you will be able to meet these objectives:
Perform a native integration of Cisco ISE with Microsoft Active Directory
Populate the Cisco ISE dictionary with Active Directory attributes
Configure an LDAP integration
Populate the Cisco ISE dictionary with LDAP attributes
These are the resources and equipment that are required to complete this activity:
Admin PC
ISE-1
Task 1: Configure Active Directory Integration
In this task, you will configure Cisco ISE to integrate with Microsoft Active Directory. You will then configure Active Directory group and user attributes for use in Cisco ISE in later labs.
Activity Procedure
Complete these steps:
Join Microsoft Active Directory
Step 1 In the ISE Admin Portal, navigate to Administration > Identity Management >
External Identity Sources and then in the left pane, select Active Directory.
Step 2 In the right pane, click Add in the toolbar.
Step 3 Enter demo.local in both the Join Point Name and the Active Directory
Domain fields.
Tip Since ISE 1.3, you can optionally specify the OU in which the ISE computer account(s) will be created, instead of using the default Computers container. If used, the OU must be pre-created; ISE will not create an OU structure in Active Directory to match what is entered here.
Step 15 All tests should run with a status of Successful. Compare your output with the
following screenshot.
Tip Click the toolbar button View Test Details to view a text-based output report; the data can be copied out as a baseline to compare against in the future.
Note In the case that the N show ntp
know bug in some version.
Tip You may also click any of the Result and Remedy hyperlinks for that test specific output.
Note Only attributes that are set are shown. If one account does not have an attribute set (for example Job Title or Department) and a different account does, those attributes are shown when retrieving attributes from the account that has them set. An attribute could be set after this list is pulled; if that user is queried again, the additional attribute will show in the list.
Step 40 Change the Authentication Type to Kerberos.
Step 41 In the Password field enter 1234QWer.
Step 42 Click the Test button.
Step 43 Observe the test results in the box below. Observe the Processing Steps at the bottom of the Authentication Result tab. Notice that the Authentication Ticket (TGT) request succeeded and that the next two line items indicate Kerberos success.
Activity Verification
You have completed this task when you attain these results:
You have successfully joined Cisco ISE to demo.local.
You have successfully added Active Directory groups and user attributes to Cisco ISE.
You have successfully tested user authentication via all three authentication types.
Task 2: Configure LDAP Integration
Activity Procedure
Complete these steps:
Configure LDAP as an External Identity Source
Step 1 In the ISE Admin Portal, navigate to Administration > Identity Management >
External Identity Sources and then in the left pane, select LDAP.
Step 2 In the right pane, click +Add in the toolbar.
Step 3 In the Name field enter LDAP_demo_local.
Step 4 In the Description field enter demo.local LDAP configuration.
Step 5 In the drop-down for Schema, select Active Directory.
Step 6 Click the Connection tab.
Step 7 In the Hostname/IP field enter ad1.demo.local.
Step 8 Select Authenticated Access.
Step 9 In the Admin DN field enter cn=administrator,cn=users,dc=demo,dc=local.
Step 10 In the password field enter 1234QWer.
Step 11 Verify your settings with the screenshot below.
Step 12 Scroll down and click the Test Bind to Server button. This should be successful.
Note Observe the response time for future comparison. Make note of it in this lab guide if
needed.
Step 13 Now that you have verified the LDAP connection, modify the configuration to perform a secure LDAP (LDAPS) lookup. Change the Port from 389 to 636.
Step 14 Enable Secure Authentication.
Step 15 In the LDAP Server Root CA certificate drop-down, select demo.local CA
Certificate.
Step 16 Verify your configuration with the following screenshot.
Note Compare the response time of the previous clear-text LDAP bind with that of the LDAPS bind. Additional time is required to set up and verify the SSL tunnel before the LDAP lookup is performed. Keep this in mind when designing and architecting the placement of Cisco ISE in a production environment.
Note You have configured your pod Active Directory as an External Identity Source. This
configuration will be utilized for authentication in later labs.
Activity Verification
You have completed this task when you attain this result:
You have successfully configured Cisco ISE to authenticate and pull data from Active Directory via LDAP.
You have successfully modified your configuration of Cisco ISE to authenticate and pull data from your Active Directory server via LDAPS.
Lab 2-2: Basic Policy Configuration
In this activity, you will configure a basic access policy for employees and consultants. After completing this activity, you will be able to meet these objectives:
Configure Cisco ISE to utilize Policy Sets
Configure Cisco ISE Policy Set differentiation filters
Configure an Identity Access Restricted global exception policy
Configure policy sets for both wired and wireless access
Configure a policy for Active Directory employees and consultants
Configure a policy for wired access
Configure a policy for wireless access
These are the resources and equipment that are required to complete this activity:
Admin PC
ISE-1
AD
vWLC
The table describes the commands that are used in this activity.
Lab Commands
Command Description
Task 1: Adjusting Radius Settings
Activity Procedure
Complete these steps:
Note This step is traditionally used for troubleshooting. It is not recommended for normal Cisco
ISE operations.
Tip The Reset To Defaults button is the most convenient way to go back to the original
configuration.
Activity Verification
You have completed this task when you attain these results:
You have successfully enabled Cisco ISE to utilize Policy Sets.
You have successfully logged in and observed the policy set configuration.
Task 2: Create Network Devices and Network Device Groups
Activity Procedure
Complete these steps:
Create Network Access Devices
Step 1 In the Cisco ISE admin portal, navigate to Administration > Network
Resources > Network Devices.
Step 2 In the right pane click the +Add button from the toolbar.
Step 3 Add the following network device using the information in the table below.
Network Device 3k-access
Attribute Value
Name 3k-access
Step 6 To save time, your switch has been preconfigured with the appropriate AAA and RADIUS configuration to interoperate with Cisco ISE. Verify communication with the RADIUS server by performing the following command. Your output should resemble the screenshot below with a state of UP.
Step 7 Perform a test authentication via the switch CLI. Your test results should be
User successfully authenticated.
Step 8 Return to your ISE Admin portal and navigate to Operations > RADIUS > Live
Logs.
Step 9 Click the Details for the successful employee authentication.
Step 11 In the right column examine the steps to see the specifics.
Step 12 Return to the switch and perform the same test again using the NetBIOS name
format for the username. This should also be successful.
Note You could also test the username in UPN format, employee1@demo.local.
Step 13 Return to your ISE Admin portal and navigate to Operations > RADIUS > Live
Logs.
Step 14 Click the Details for the successful employee authentication.
Step 16 In the right column examine the steps to see the specifics.
Step 17 Add the following network device using the information in the table below.
Network Device vwlc
Attribute Value
Name vwlc
Create and Assign Network Access Device Groups
Step 19 Navigate to Administration > Network Resources > Network Device Groups.
Step 20 In the top menu Choose group select All Device Types.
Step 21 In the menu click +Add and separately create the following network device groups. Select All Device Types as Parent Group for each new group.
Network Device Groups: Device Types
Name      Description
Wireless  WLCs
Step 22 When complete, your configuration should match the following screenshot.
Network Device Groups: Locations
Name    Description
HQ      Headquarters
Branch  Branch
Step 25 When complete, your configuration should match the following screenshot.
Network Device Group Assignments
Device     Device Type  Location
3k-access  Wired        HQ
vwlc       Wireless     HQ
Step 28 Once completed, your configuration should match the following screenshot.
Activity Verification
You have completed this task when you attain these results:
You have configured the 3k-access switch as a network device in Cisco ISE.
You have configured the vwlc as a network device in Cisco ISE.
You have created different NDGs and assigned the groups to the network devices.
You have successfully performed test authentications via the switch CLI.
Task 3: Create Wired and Wireless Policy Sets
Activity Procedure
Complete these steps:
Policy Set Creation Wired Access
Step 1 Navigate to Policy > Policy Sets.
Step 2 Click the plus icon (+) in the toolbar to create a new Policy Set.
Step 3 Verify that New Policy Set 1 is created above the default policy set.
Step 4 Click the words New Policy Set 1 to edit the field.
Step 5 Enter Wired_Access as the policy set Name.
Step 6 Enter Wired Access in the Description field.
Step 7 Click in the Conditions field to create a new condition and create the following condition:
Step 8 Click the words Click to add an attribute to select an attribute for the new
condition.
Step 9 Click the Network Device symbol.
Step 10 Select DEVICE:Device Type in the menu.
Step 11 Leave the Operator unchanged (Equals).
Step 12 Select from the Drop-Down Menu (Choose from list or type) All Device
Types#Wired.
Step 15 Your policy set condition should look like the following screenshot.
Activity Verification
You have completed this task when you attain these results:
You have configured two policy sets
Wired Access
Wireless Access
Task 4: Create Authentication Policy for the Wired and Wireless Policy Set
In this task, you will create a few default policies for both the wired and wireless policy sets.
Activity Procedure
Complete these steps:
authorization rules in the default set. You can only modify rules in the default set. The recommended way is to configure your own policy sets and rules above the default set.
Step 1 Access the ISE admin portal via the Admin PC.
Step 2 Navigate to Policy > Policy Set > Wired_Access.
Step 3 Click the arrow > on the right side from your Wired_Access sets to change the
view.
Step 14 Change the Identity Source from the Default rule to DenyAccess.
Step 15 Your Authentication Policy should be the same as the screenshot below.
Rule   Condition
MAB    Wireless_MAB
DOT1X  Wireless_802.1X
Step 20 The Authentication Policy should match the screenshot below.
Activity Verification
You have completed this task when you attain these results:
You have configured authentication rules for MAB and 802.1X in the Wired_Access and
Wireless_Access policy sets.
Activity Procedure
Complete these steps:
Create Authorization Profiles
Step 1 Navigate to Policy > Policy Elements > Results then to Authorization >
Downloadable ACLs.
Step 2 Click +Add in the right pane toolbar.
Step 3 Create a dACL for the employees with the following attributes:
Downloadable ACL acl_employee
Attribute Value
Name acl_employee
DACL Content
Step 4 Click Check DACL Syntax to verify you entered all ACL statements correctly.
Name acl_contractor
DACL Content
Name acl_machine
Description Domain computer ACL that only allows access to DHCP, DNS, and
the DC.
DACL Content
Step 9 Click Submit.
Step 10 In the left pane click Authorization Profiles.
Step 11 Add an Authorization Profile by clicking +Add in the right pane toolbar.
Step 12 Create the following Authorization Profile for employees (Wired):
Common Tasks
Step 22 Create another profile for the domain computers (Wireless) using the following
attributes:
Domain Computer Authorization Profile
Attribute Name Value
Common Tasks
Step 27 While in the condition definition, save the condition to the library by clicking the
Save button.
Note This will facilitate a more rapid use of this condition in future policies instead of having to
build it every time.
Step 28 In the Condition Name field enter Demo-Employees and click the green
checkmark.
Step 33 Add another policy above the built-in Default policy by clicking on the gear icon
on the right. From the menu, select Insert new row above.
Note Rule order is important as rules are processed from top down.
Policy Rule Process for the Wireless Policy Set
Step 37 Navigate to the Policy > Policy Sets > Wireless_Access > Authorization
Policy.
Step 38 Add the following policy above the Default Policy. Use the following parameters
from the table below:
Rule Name Conditions (Library) Results (Profiles)
Step 39 Scroll down and verify your Authorization Policy rule order is as follows.
Wireless_Access Authorization Policy Order
Status Rule Name
Enabled Default
Step 40 Change, if needed, the permissions from the Default policy to DenyAccess.
Step 41 Scroll down and click Save.
Activity Verification
You have completed this task when you attain these results:
Examined the built-in authentication and authorization policies.
Created employee, contractor, and machine dACLs
Created employee, contractor, and domain computer authorization profiles
Created employee, contractor, and domain computer authorization policies saving the
conditions to the library.
Activity Procedure
Complete these steps:
Step 1 Access your 3k-access switch console.
Step 2 Perform the test using the NetBIOS name format for the username. This should
now
Note You could also test the username in UPN format, employee1@demo.local
Step 9 Close the services console.
Step 10 Return to the NIC settings and open the properties for the NIC.
Step 11 Click the Authentication tab.
Step 12 Configure and verify the settings with the following screenshot.
Step 18 Click the button and verify that Automatically use my Windows
login name and password (and domain if any) is enabled.
Step 19 Click OK three times to close all the windows.
Step 20 Restart the client machine using the Start menu.
Step 21 While the PC is restarting access the 3k-access switch and verify that the
interface GigabitEthernet 1/0/1 is enabled. In the case that the interface is
disabled, enable the interface with a no shutdown command.
Step 22 Return to the ISE Admin portal and navigate to Operations > Radius > Live
Logs.
Step 23 After a minute or so, you should see the local machine login via 802.1X using
the machine credentials and be assigned the Domain Computer Access
Authorization Profile.
Note The failed MAB access attempt occurred when the NIC came up and attempted to access
the network before the WiredAutoConfig service came online and sent the 802.1X
machine credentials.
Step 24 Return to the W10PC-Corp and login using the credentials demo\employee1 /
1234QWer
Step 25 Open a command prompt and ping the following addresses: 10.1.30.1 and
10.1.90.1. The first address should fail with a request timeout and the second
should succeed, according to the dACL you configured for
employee access.
Step 30 Click the DEMO\employee1 authentication details icon. Observe the details on
the steps included in this record.
Step 31 Return to the W10PC-Corp and Sign out the employee1 user.
Step 32 Log in using the credentials demo\contractor1 / 1234QWer
Step 33 Open a command prompt and ping the following addresses: 10.1.30.1 and
10.1.90.1. The first address should fail with a request timeout. The second
should also fail, according to the dACL you configured for contractor
access.
Step 35 Return to the Cisco ISE admin portal on the Admin PC.
Step 36 Observe the new contractor1 authentication success record. Also observe the
machine login that occurred between the employee1 logoff and the contractor1
logon.
Activity Verification
You have completed this task when you attain these results:
You have configured the 3k-access switch as a network device in Cisco ISE.
You have successfully performed test authentications via the switch CLI.
You have successfully configured the W10PC-Corp to authenticate via 802.1X.
You have successfully logged in as both employee1 and contractor1 and observed the
dACL restrictions appropriate for each username.
You have observed the authentication records in Cisco ISE.
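As an added example (not part of the lab guide), the following Python mimics the Check DACL Syntax step and then evaluates the ping test above against dACLs. The ACL contents, the client address and the DC address are constructed assumptions chosen to agree with the results the task describes, not the lab's actual dACLs.

```python
"""Added example (not from the lab guide): a syntax checker for the subset of
Cisco extended-ACL lines used in ISE downloadable ACLs (dACLs) and a first-match
evaluator that reproduces this task's ping test.  The dACL texts are constructed
to agree with the observed results (not the lab's own content; the DC address is
a placeholder).  Handled: permit|deny, ip|icmp|tcp|udp, any, host, wildcard, eq."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Ace:
    action: str                 # "permit" or "deny"
    proto: str
    src: str                    # "any", "host A.B.C.D" or "A.B.C.D W.W.W.W"
    dst: str
    dst_port: Optional[int] = None


def _parse_addr(tokens: List[str], pos: int):
    """Consume one address spec starting at tokens[pos]; return (spec, next_pos)."""
    if tokens[pos] == "any":
        return "any", pos + 1
    if tokens[pos] == "host":
        ipaddress.IPv4Address(tokens[pos + 1])          # raises ValueError if malformed
        return f"host {tokens[pos + 1]}", pos + 2
    ipaddress.IPv4Address(tokens[pos])
    ipaddress.IPv4Address(tokens[pos + 1])              # the wildcard mask
    return f"{tokens[pos]} {tokens[pos + 1]}", pos + 2


def parse_ace(line: str) -> Ace:
    """Parse one access control entry; raise ValueError with the reason."""
    tokens = line.split()
    try:
        action, proto = tokens[0], tokens[1]
        if action not in ("permit", "deny") or proto not in ("ip", "icmp", "tcp", "udp"):
            raise ValueError(f"bad action or protocol in {line!r}")
        src, pos = _parse_addr(tokens, 2)
        dst, pos = _parse_addr(tokens, pos)
    except IndexError:
        raise ValueError(f"incomplete entry {line!r}") from None
    port = None
    if pos < len(tokens):
        if tokens[pos] != "eq" or proto not in ("tcp", "udp") or len(tokens) != pos + 2:
            raise ValueError(f"unexpected trailing tokens in {line!r}")
        port = int(tokens[pos + 1])
    return Ace(action, proto, src, dst, port)


def entries(text: str) -> List[str]:
    return [ln.strip() for ln in text.splitlines() if ln.strip()]


def check_dacl(text: str) -> List[str]:
    """Return one error string per bad line; an empty list means the dACL is clean."""
    errors = []
    for n, line in enumerate(entries(text), 1):
        try:
            parse_ace(line)
        except ValueError as exc:
            errors.append(f"line {n}: {exc}")
    return errors


def _addr_matches(spec: str, ip: str) -> bool:
    if spec == "any":
        return True
    if spec.startswith("host "):
        return spec.split()[1] == ip
    net, wildcard = spec.split()
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))   # wildcard bits are don't-care
    return int(ipaddress.IPv4Address(ip)) & mask == int(ipaddress.IPv4Address(net)) & mask


def evaluate(text: str, proto: str, src: str, dst: str, dst_port: Optional[int] = None) -> str:
    """First matching entry decides; no match means the implicit deny at the end."""
    for ace in map(parse_ace, entries(text)):
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if not (_addr_matches(ace.src, src) and _addr_matches(ace.dst, dst)):
            continue
        if ace.dst_port is not None and ace.dst_port != dst_port:
            continue
        return ace.action
    return "deny"


# Constructed dACL contents (not the lab's); 10.1.100.10 is a placeholder DC address.
ACL_EMPLOYEE = """
deny ip any 10.1.30.0 0.0.0.255
permit ip any any
"""
ACL_CONTRACTOR = """
permit udp any any eq 53
deny ip any 10.1.30.0 0.0.0.255
deny ip any 10.1.90.0 0.0.0.255
permit tcp any any eq 443
"""
ACL_MACHINE = """
permit udp any any eq 67
permit udp any any eq 53
permit ip any host 10.1.100.10
deny ip any any
"""
```

Running evaluate(ACL_EMPLOYEE, "icmp", "10.1.10.50", "10.1.30.1") returns "deny" and the same call for 10.1.90.1 returns "permit", which is the pattern the employee ping test shows.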
Activity Procedure
Complete these steps:
Step 1 On your Admin PC, open a new tab in your browser and access your pod vWLC.
Use the bookmark or https://wlc.demo.local.
Step 2 Log in with the Username admin and the password 1234QWer.
Step 3 Click WLANs and verify you have three (3) WLANs for your pod. A guest
WLAN, a wpa2e WLAN, and a hotspot WLAN.
Step 4 Make Note of the 3 WLAN and the WLAN numbers as these are the
Step 5 Enable each of these WLANs by clicking on the WLAN numbers and changing
the Status to Enabled and Applying the configuration.
Step 6 Navigate to SECURITY then AAA > RADIUS > Authentication and verify
that Cisco ISE has been configured as a RADIUS server.
Step 7 Navigate to AAA > RADIUS > Accounting and verify that Cisco ISE has also
been configured as a RADIUS server.
Step 8 Navigate to WIRELESS a
configuration, the AP should be Admin Status Enabled.
If not, enable your AP by clicking on the AP Name and under the General tab
change Admin Status to Enabled. Then Apply your configuration.
Wireless Access
In this section, you will be using your pod's wireless device to access the wireless networks
that are configured for your specific pod.
Caution If you are having difficulty, notify your instructor. Do not attempt to modify configurations
in troubleshooting.
Tablet Clean up
It may be necessary to clean up your Tablet from a previous class. Perform the steps listed
below.
Step 13 Navigate to Settings > Security select Clear credentials (if not grayed out)
Step 14 Confirm the message.
Step 18 From the list identify and click your pod WPA SSID (##-wpa2e).
Step 24 Click the icon to see the Authentication Details.
Step 25 Identify the following fields to indicate that you matched the correct policy.
Step 26 Scroll down to the results section and observe the Airespace ACL you
configured before being assigned.
Note If you do not see employee exactly as it is in the above screenshot, as UPPERCASE,
you will need to modify your authorization profile as ACL names are case-sensitive.
Clean up
Now that you have successfully accessed a wireless network, you will disconnect the
wireless device.
Step 32 Return to your Tablet.
Step 33 Via the WLAN icon, turn off WLAN by clicking the slider.
Step 34 Return to your Cisco ISE admin portal.
Activity Verification
You have completed this task when you attain these results:
You have verified the vWLC configuration
You have added the vWLC to Cisco ISE as a network device
You have adjusted RADIUS settings to show every authentication message in Cisco ISE
You have accessed the wireless network via your Tablet.
You have verified proper authorization profile configuration from ISE to the vWLC.
In this task, you will configure a global exception authorization policy which will apply to
all policies (globally) and as an exception policy will be processed before all of the policies.
Activity Procedure
Complete these steps:
Step 1 In your policy set navigate to Wired_Access > Authorization Policy - Global
Exceptions.
Step 2 Click the + button to create a new rule.
Step 3 Create the following rule. For this rule scenario you are creating an exception for
the demo.local IT staff who are performing an audit of the demo.local network.
Tip You could save the demo.local conditions to the library to facilitate a more efficient reuse
in the future.
Step 4 Click Use and verify your policy against the following screenshot.
Step 11 Return to your admin portal and navigate to Policy > Policy Sets.
Step 12 Navigate to your Wireless_Access > Authorization Policy Global Exceptions
and notice there is an indicator of (1).
Step 13 Expand the exceptions policy and observe the global exceptions rule that you
created earlier.
Activity Verification
You have completed this task when you attain these results:
You have successfully created a global exception.
You have successfully performed a CLI test authentication using a local user account
and observed the matching of the employee authorization profile.
You have observed the global exception in each of the policy set rules.
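As an added example (not part of the lab guide), the following Python models the evaluation order this task and the earlier rule-order note describe: Global Exceptions first, then the matched policy set's rules from the top down, then the Default rule set to DenyAccess. All rule names, group names, profile names and session attributes are constructed assumptions, not values exported from ISE.

```python
"""Added example (not from the lab guide): a small model of the authorization
evaluation order this lab describes for Cisco ISE.  Global Exceptions rules are
processed first and apply to every policy set; then the rules of the first
matching policy set are processed from the top down; the built-in Default rule
(set to DenyAccess in the lab) answers when nothing else matched.  Every rule
name, condition and session attribute below is constructed for illustration."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

Session = Dict[str, str]            # constructed RADIUS session attributes
Condition = Callable[[Session], bool]


@dataclass
class Rule:
    name: str
    condition: Condition
    profile: str                    # authorization profile returned on a match
    enabled: bool = True            # the Status column of the rule table


@dataclass
class PolicySet:
    name: str
    condition: Condition            # e.g. DEVICE:Device Type EQUALS All Device Types#Wired
    rules: List[Rule] = field(default_factory=list)
    default_profile: str = "DenyAccess"   # the lab changes the Default rule to DenyAccess


def first_match(rules: List[Rule], session: Session) -> Optional[str]:
    """Rules are processed top down; the first enabled rule that matches wins."""
    for rule in rules:
        if rule.enabled and rule.condition(session):
            return rule.profile
    return None


def authorize(global_exceptions: List[Rule], policy_sets: List[PolicySet],
              session: Session) -> str:
    """Global exceptions are evaluated before the policy set's own rules."""
    profile = first_match(global_exceptions, session)
    if profile is not None:
        return profile
    for pset in policy_sets:
        if pset.condition(session):
            profile = first_match(pset.rules, session)
            return profile if profile is not None else pset.default_profile
    return "DenyAccess"             # fell through to the built-in Default policy set


# Constructed helpers standing in for conditions saved to the ISE library.
def in_group(group: str) -> Condition:
    return lambda s: group in s.get("Groups", "").split(",")


def device_type(kind: str) -> Condition:
    return lambda s: s.get("DeviceType") == kind


def is_dot1x(s: Session) -> bool:
    return s.get("Protocol") == "802.1X"


GLOBAL_EXCEPTIONS = [
    # Stand-in for the lab's IT-audit exception; the group name is constructed.
    Rule("IT_Audit", lambda s: in_group("IT")(s) and is_dot1x(s), "Employee_Access"),
]

POLICY_SETS = [
    PolicySet("Wired_Access", device_type("Wired"), [
        Rule("Domain_Computers", lambda s: s.get("User", "").startswith("host/"),
             "Domain_Computer_Access"),
        Rule("Employees", in_group("Employees"), "Employee_Access"),
        Rule("Contractors", in_group("Contractors"), "Contractor_Access"),
    ]),
    PolicySet("Wireless_Access", device_type("Wireless"), [
        Rule("Employees", in_group("Employees"), "Employee_Wireless_Access"),
    ]),
]


def decide(session: Session) -> str:
    """Evaluate one session against the constructed exceptions and policy sets."""
    return authorize(GLOBAL_EXCEPTIONS, POLICY_SETS, session)


if __name__ == "__main__":
    for s in (
        {"User": "employee1", "Groups": "Employees", "DeviceType": "Wired", "Protocol": "802.1X"},
        {"User": "contractor1", "Groups": "Contractors", "DeviceType": "Wired", "Protocol": "802.1X"},
        {"User": "auditor1", "Groups": "IT", "DeviceType": "Wireless", "Protocol": "802.1X"},
        {"User": "unknown", "Groups": "", "DeviceType": "Wired", "Protocol": "MAB"},
    ):
        print(f"{s['User']:12s} -> {decide(s)}")
```

Note how the IT audit session matches the exception even on the Wireless_Access set, which has no rule of its own for it, and how a contractor on wireless falls through to DenyAccess because that set has no Contractors rule.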
A new feature in Cisco ISE since 2.1 is Context Visibility. This feature allows you to see
your network environment, and to create groups within it, for ease of visibility.
Activity Procedure
Complete these steps:
Step 1 Return to the ISE Admin Portal, and navigate to Context Visibility > Endpoints
> Authentication. Notice the Android endpoint can also be seen here.
Step 2 By clicking the endpoint's MAC address, you can drill down to view further
details on the chosen endpoint. By clicking the various tabs, you can view
additional details such as Authentication, Threats, and Vulnerabilities for that
endpoint.
Step 3 From this screen, click the Network Devices option to view further information
on network devices that are seen by ISE.
Step 4 On the right side of this screen, clicking on the # of endpoints that are associated
with the network device, you can view additional useful information on endpoints
that are seen on the network by ISE.
Complete this lab activity to practice what you learned in the related module.
In this activity, you will configure the settings in Cisco ISE that are the core components of
Guest Access. After completing this activity, you will be able to meet these objectives:
Configure Guest Settings for Guest Access in Cisco ISE
Configure the Guest Locations and SSIDs feature in Cisco ISE
These are the resources and equipment that are required to complete this activity:
Admin PC
ISE-1
AD1
W10PC-Corp
vWLC
Activity Procedure
Complete these steps:
Step 1 On your pod Admin PC in the Cisco ISE admin portal navigate to Work Centers
> Guest Access > Settings.
Mail Settings
Step 2 Expand Guest Email Settings and modify the Default email address to
be sponsor@demo.local.
Step 3 Click Save.
Step 4 Still in the Guest Email Settings, click the helpful Configure SMTP server at:
Work Centers > Guest Access > Administration > SMTP Server hyperlink.
Step 5 In the SMTP Server settings enter mail.demo.local and click Save.
Custom Fields
Step 6 Return to Work Centers > Guest Access > Settings and expand Custom Fields.
Step 7 Add the following custom field and then click Add.
Guest Custom Field
Custom field name Data type Tip text
Guest Purge Policy
Step 4 Expand Guest Account Purge Policy.
Step 5 In the Time of purge field notice the time is set to 1:00 AM. Because Cisco ISE
is set up for the UTC time zone, an adjustment needs to be made, as corporate
policy dictates that this occur after midnight local time.
Here you, the student, have an option: you can configure according to the
actual local time zone of your class, or you can configure according to the
Pacific Time zone.
If you are using the Pacific Time zone, enter 11:00 AM.
Step 6 Click Save or leave all fields unchanged.
Activity Verification
You have completed this task when you attain these results:
You have configured mail (SMTP) settings for Cisco ISE.
You have added a custom field for guest access.
You have modified the guest username policy.
You have modified the guest password policy.
You have adjusted the purge policy time for either the Pacific or your local time zone.
Activity Procedure
Complete these steps:
Step 1 Navigate to Work Centers > Guest Access > Settings and then select Guest
Locations and SSIDs.
Step 2 In the Guest Locations area enter the following location and time zone
information. Finish by adding your class city and time zone.
Guest Locations
Location name Time Zone
Chicago America/Chicago
London Europe/London
Dubai Asia/Dubai
Sydney Australia/Sydney
Tip Do not navigate away to your vWLC web page as you will lose your Guest Location
form data.
Activity Verification
You have completed this task when you attain this result:
You have configured the Guest Settings according to the task instructions.
This activity has you exploring multiple Cisco ISE guest access configurations and
operations. The lab helps you to really understand how various guest access scenarios work
and why you might want to use them in your organization. You will start with configuring
Cisco ISE guest access using a hotspot portal. This portal is for organizations who want the
simplest method of providing guest access, with less concern for strict control over who uses
the service, or tracking who uses the service. Some organizations require a bit more control
and awareness concerning who uses guest access. You will learn how to accommodate these
scenarios, such as guest access for self-registration, and self-registration with sponsor
approval. Finally, you will configure and validate sponsored guest access.
In this activity, you will explore multiple Cisco ISE guest access configurations and
operations. After completing this activity, you will be able to meet these objectives:
Configure Cisco ISE guest access using a hotspot portal
Configure Cisco ISE guest access for self-registration
Configure Cisco ISE guest access for self-registration with sponsor approval
Configure Cisco ISE guest access for sponsored guest access
In this task, you will configure Cisco ISE guest access with a hotspot portal. This type of
access is appropriate where accepting an AUP alone is sufficient to meet network security
policy.
Activity Procedure
Complete these steps:
Configuration
Step 1 On the Admin PC in the Cisco ISE admin portal navigate to Work Centers >
Guest Access.
Step 2 Take a moment and read the Guest Access Overview. Note that at the bottom of
the overview screen a hyperlink for the reports is included. Do not click this now.
Step 3 In the top, click Portals & Components.
Step 4 In the left pane, click Guest Portals.
Step 5 In the right pane, click the Create button.
Step 6 In the pop-up select Hotspot Guest Portal and then click
Step 7 In the Portals Settings and Customization window configure the following:
Hotspot Portal Settings and Customization
Attribute Value
Portal Settings
Delay to release 1
Delay to CoA 8
Delay to renew 12
Step 12 Click the down arrow in the upper right corner of Firefox, then click the folder icon of
the file to open the location where the file was saved.
Step 13 Right-click the file name and select Extract All. Accept the default location and
click Extract.
Step 14 Return to the ISE admin portal.
Step 15 In the customization setting area click Portal Page Customization.
Step 16 Before making any modifications, observe the Preview on the right side of the
page. This is the Mobile preview page. Below this preview is the Desktop
Preview link. Clicking on it will open up a new browser window.
Step 23 Scroll back to the preview area and click Refresh Preview and observe the
purple (or your custom color) banner.
Step 24 Upload the following images:
Image File Location
Banner C:\users\admin\Downloads\iseiscool-images\iseiscool_banner.png
Step 25 Remove the Text Elements > Banner title, as the image contains the text in
graphical format.
Step 26 Click in the Footer Elements box to the right to activate the preview change and
review the preview.
Step 27 Scroll down to the AUP text box. Wherever you see Cisco Systems in the AUP
change it to The Demo Shop.
Step 28 bold it using the
toolbar for the AUP text section. Make any other text modifications you desire.
Step 30 Edit both Browser Page Title and the Content Title and modify them to Access
Granted.
Step 31 Scroll down to Optional Content 2 and add the following text: Use coupon code
130 at checkout for extra savings!
Step 32 Using the toolbar, bold and underline 130 then change the font color of 130 to
red. Then select the text and change the font size to large.
Step 33 Scroll to the right and click Refresh Preview to review your work.
Step 34 In the left pane, click Support Information.
Step 35 Scroll down and, in the Support Information Text field, modify the phone
number from (xxx)-xxx-xxxx to (555) 555-1234.
Step 36 In the left pane, click Messages > Error Messages.
Step 37 Observe the error messages and the message text that the users would be shown
in the event of an error.
Step 38 Each line of the message Text is inline editable. Modify the
ui_invalid_access_code_error message text to read: Wrong access code. See
the front desk for assistance.
Tip Yo
Common Tasks
Note Make sure your WLAN ID for your ##_hotspot WLAN is correct.
Step 51 Add another rule above the Hotspot rule you just created with the following
parameters.
Guest Access Authorization Policy
Attribute Value
Step 52 Verify your configuration with the following screenshot.
Step 56 Click Demo Hotspot to enter the configuration for that portal.
Step 57 In the right side, examine the Guest Flow. This diagram is based on the settings
you configured on the left. In this simple hotspot flow, the user will need to
accept the AUP (1) and then they will have successfully logged on the network
(2). You have enabled Support Information and that is represented in the block on
the left.
Caution If you are having difficulty, notify your instructor. Do not attempt to modify configurations
in troubleshooting.
Step 70
Step 71 Click in the Access code box and enter an incorrect access code of 5678 and click
Accept and observe the result which should match the error message you
configured.
Hint
tablet will be locked and the user must unlock the device again (PIN 1234). Use the keyboard
on the tablet to enter the access code.
Step 78 Now surf to Cisco.com again. This should succeed.
Step 79 Return to the Cisco ISE Admin Portal on the Admin PC.
Step 80 Navigate to Operations > Radius > Live Logs and observe the authentication
records. Notice the first Hotspot access and then the Identity Group
GuestEndpoints and Guest Access Authorization Profile match.
Note Observe the new Description feature. You can enter a description and scroll to the
bottom and click Save.
Tip You may have noticed that the system has effectively profiled the device as an Android
Tablet even though we disabled Profiling earlier in the lab. Further details will be
covered later in the lecture, but briefly, Cisco ISE always gathers HTTP
headers when a portal is accessed, and the endpoint using the portal is profiled based
solely on that data.
Activity Procedure
Complete these steps:
Configure Guest Type
In this section, you will configure a custom guest type that will restrict access to business
days and hours.
Step 1 In the Cisco ISE Admin portal, navigate to Work Centers > Guest Access >
Portals & Components and then select Guest Types.
Step 2 In the right pane observe the four default guest types, Contractor, Daily,
SocialLogin and Weekly.
Step 3 In the right pane click the Create button.
Step 4 Configure a guest type according to the following table.
Guest Type
Attribute Value
Person Visiting
Required [ ]
From 5:00 AM
To 11:00 PM
From 7:00 AM
To 10:00 PM
Login Options
Account Expiration Notification
Email [X]
SMS [ ]
Provider
Sponsor Groups
Step 5 Scroll up and click Save. If you are sending a test SMS message, do so now.
Step 6 Click Close.
Configure Guest Portal
Step 7 Navigate to Work Centers > Guest Access > Portals & Components.
Step 8 In the left pane, click Guest Portals.
Step 9 In the right pane, click the Create button.
Step 10 In the pop-up window, select Self-Registered Guest Portal and then click
Step 11 In the Portals Settings and Customization window configure the following:
Portal Settings
[ X ] User name [ ]
[ X ] First name [X]
[ X ] Last name [X]
[ X ] Email address [ ]
[ X ] Phone number [ ]
[ X ] Company [ ]
[ X ] Location [X]
Custom Fields [ ]
Require acceptance [ ]
Self-Registration Success Settings
BYOD Settings
Delay to release 1
Delay to CoA 8
Delay to renew 12
Step 14 Click Portal Page Customization.
Step 15 Examine the customization options. They are similar to the Hotspot portal
customizations, with the option to customize the additional pages in this self-
registration flow. For the sake of time you will only add a footer and modify one other
field. Add the following text to the Footer Elements: All access is logged.
Tip Remember if adding support information to the guest flow as an option, modify the
Support information text phone number from all Xs to an actual number.
Note You will not be modifying the AUP to change the company name from Cisco Systems to
The Demo Shop due to time constraints.
Step 18 Change to a different page by clicking on the boxes to the left and observe the
footer is consistent.
Step 19 Scroll up and click Save.
Step 20 In the left pane, select Notifications and then Print.
Step 21 Observe the variables that are used in the text.
Step 22 Create a new line at the bottom of the text box. Add the text Location:
Step 27 Select Hotspot Access and then click Duplicate in the tool bar.
Step 28 Modify the authorization profile according to the table below.
Self-Registration Authorization Profile
Attribute Name Value
Common Tasks
ACL: ACL-WEBAUTH-REDIRECT
Value: Demo-Self-Reg
Caution If you are having difficulty, notify your instructor. Do not attempt to modify configurations
in troubleshooting.
Note You may have to manually clear the client from the WLC (navigate to WLC GUI >
Monitor > Clients, click on the client to be cleared > Remove) if you perform these steps
quickly, as the WLC holds or caches association sessions to handle Wi-Fi signal
disruptions and roams.
Step 46 Access the Tablet and enable the Wi-Fi.
Step 47 Access the Guest SSID for your pod.
Step 48 Open a browser and try to browse to cisco.com.
Step 49 You are automatically redirected to the ISE hotspot portal.
Step 50 Use your mouse to scroll down to the bottom and click Or register for guest
access.
Username
Phone number
Step 52 Click Register.
Step 53 Observe your account details.
Activity Verification
You have completed this task when you attain these results:
You have created a guest self-registration portal.
You have configured and customized the self-registration portal.
You have configured a self-registration authorization profile.
You have modified the authorization policy for self-registration access.
You have accessed the open SSID network and processed through the self-registration guest
flow.
You have observed the authentication process and records in Cisco ISE.
In this task, you will enable self-registration with the requirement of obtaining sponsor
approval before access is granted to the network.
Activity Procedure
Complete these steps:
Remove Endpoint from Cisco ISE
Step 1 On your W10PC-Corp, access your Tablet according to your lab specific
instructions.
Step 2 Navigate to WLAN.
Step 3 Turn off Wi-Fi.
Step 4 Return to the Cisco ISE admin portal.
Step 5 In Cisco ISE, navigate to Context Visibility > Endpoints.
Step 6 Select the Tablet and then delete (Click Trash > Selected) it using the toolbar.
Confirm YES to delete.
Note You may have to manually clear the client from the WLC if you perform these steps
quickly, as the WLC holds or caches association sessions to handle Wi-Fi signal
disruptions and roams.
Step 15 Select Self-Registration Portal and then click Duplicate in the tool bar.
Step 16 Modify the authorization profile according to the table below.
Self-Registration with Approval Authorization Profile
Attribute Name Value
Common Tasks
Step 21 Create a new rule to match the following Authorization Policy rule.
Caution If you are having difficulty, notify your instructor. Do not attempt to modify configurations
in troubleshooting.
Username
Phone number
Step 35 Since you have no credentials, username and password, you are unable to sign in.
Step 36 Return to the Cisco ISE admin portal.
Step 37 Navigate to Work Centers > Guest Access > Manage Accounts.
Step 38 Click the Managed Accounts button.
Step 39 The default sponsor portal opens in a new tab. Notice at the top under Pending
Accounts the 1 in parentheses (1), indicating an account pending approval.
Step 40 Click the tab Pending Accounts and observe the guest account pending approval.
Step 41 Select the account and click Approve.
Step 42 Enter the email address sponsor@demo.local and click OK to approve the
account.
Step 43 Click Manage Accounts and click the Sherlock Holmes (sholmes) account to
view the username and the password.
Step 44 Return to the Tablet and in the browser enter your credentials. It may be
necessary to refresh or retry as your portal session may have timed out. Scroll to
the bottom of the AUP, click that you accept the AUP, and then click Sign On at
the bottom.
Activity Verification
You have completed this task when you attain these results:
You have created a guest self-registration portal with the requirement of guest accounts
having sponsor approval.
You have configured a self-registration with approval authorization profile.
You have modified the authorization policy for self-registration with approval access.
You have accessed the open SSID network and processed through the self-registration
guest flow.
You have logged into the sponsor portal and approved the pending account.
You have logged in as the guest with the approved account credentials.
You have observed the authentication process records in Cisco ISE.
In this task, you will perform sponsored guest account operations. You will be creating the
accounts as a sponsor and then providing the account information to the guest.
Activity Procedure
Complete these steps:
Remove Endpoint from Cisco ISE
Step 1 On your W10PC-Corp access your Tablet according to your lab specific
instructions.
Step 2 Navigate to WLAN.
Step 3 Turn off Wi-Fi.
Step 4 Return to the Cisco ISE Admin portal.
Step 5 Navigate to Context Visibility > Endpoints.
Step 6 Select the Tablet and then Delete (click Trash > Selected) it using the toolbar.
Confirm YES to delete.
Note You may have to manually clear the client from the WLC if you perform these steps
quickly, as the WLC holds or caches association sessions to handle Wi-Fi signal
disruptions and roams.
Portal Settings
Guest Device Registration Settings
BYOD Settings
Delay to release 1
Delay to CoA 8
Delay to renew 12
Sponsored Portal Authorization Profile
Attribute Name Value
Common Tasks
Step 27 In the case you did the previous task, disable the Self-Reg with Approval rule.
Step 28 Verify your configuration with the following screenshot.
Step 32 Select in the left panel demo.local and move the authentication source to the right
panel.
Step 39 In the pop-up window, on the Available User Groups side type Employees in the
search filter and click Search.
Step 40 Select the demo.local Employees group and move it to the Selected User Groups
side.
Sponsor Permissions
Limit to batch of 25
Sponsor Can
Tip If you are having trouble selecting the Guest Types and/or the Locations, Save and
Close your work and open IE and edit this page in IE. When done, Save your work and
return to Firefox.
Step 45 Select, not edit, the Sponsor Portal (default) portal.
Step 46 Click Duplicate in the toolbar above.
Step 47 Edit the Sponsor Portal (default)_copy1 portal.
Step 48 Modify the sponsor portal according to the settings below.
Sponsor Portal Settings and Customization
Attribute Value
Portal Settings
Idle timeout 10
Login Settings
Include an AUP [ ]
Require acceptance
Caution If you are having difficulty, notify your instructor. Do not attempt to modify configurations while
troubleshooting.
Note If you get a security error from Firefox, use Internet Explorer for this task.
Step 59 Notice that the Sponsor Portal with new logo is shown and that Cisco ISE
automatically redirected the URL to port 8443.
Step 61 Under Create Accounts in the Guest Information section click Random and
observe the Username prefix is pre-populated with d-guest- as per the policy
you created earlier.
Number of accounts 2
Group tag
Duration 1
To Time 19:00
Step 77 Navigate using your mouse to WLAN
Step 78 From the list identify your pod ##-wpa2e SSID.
Step 79 At the bottom, click FORGET in order to clear any previous cached settings or
credentials.
Step 80 Click the ##-guest SSID for your pod to log back in as a guest.
Step 81 Open a browser and try to navigate to cisco.com, or trigger the web redirection by
browsing to 1.1.1.1.
Step 82 -guest-
employee sponsor.
Step 83 Accept the AUP and click Sign On.
Step 84 Once logged in you should automatically be redirected to the Cisco ISE
product page.
Step 85 Return to the Cisco ISE Admin Portal on the Admin PC.
Step 86 Navigate to Operations > Radius > Live Logs and observe the authentication
records for both the Sponsored Portal access and the random guest account Guest
Access.
Activity Verification
You have completed this task when you attain this result:
You have configured a Sponsored guest portal.
You have customized the Sponsored guest portal.
You have configured an authorization profile for the Sponsored guest portal.
You have modified the authorization policy to utilize the Sponsored guest portal.
You have created a new Sponsor Group that includes domain employees.
You have customized the Sponsor Portal.
You have accessed the network as a guest and seen the sponsored guest portal.
You have logged in and seen the desktop sponsor portal.
You have logged in via the Tablet and seen the mobile sponsor portal.
You have created random accounts on the mobile sponsor portal.
You have logged in as a guest with a randomly generated guest account.
You have observed the authentication process records in Cisco ISE.
Activity Procedure
Complete these steps:
Step 1 On the Admin PC access your Sponsor Portal Firefox tab.
Step 2 Log in with the domain credentials in UPN format employee1@demo.local /
1234QWer if your session is timed out.
Step 3 Click the Manage Accounts tab.
Step 4 Observe the accounts that you have created during this lab. Notice that one of the
random accounts, which was sponsored by employee1, is in the state Created.
Step 9 Reselect that account and notice the only options now are to Delete, Reinstate,
and Print.
Step 10 Click Reinstate and click Ok when prompted for confirmation.
Step 11 Edit the first random account which has the state Active.
Step 12 Enter the name G Lestrade and the company Scotland Yard.
Step 13 Click Save.
Step 14 Confirm your data-entry and click Done.
Step 15 On the random account with the state of Created, reset the password. When
prompted do not select Print, SMS and Email just click OK.
Step 16 Click the account name to view the new password. Then click Done.
Step 17 Observe the Time Left on the jwatson account.
Step 18 Select the jwatson account and click Extend.
Step 19 Notice that the maximum number of days is five. Enter 5 in the box and click
OK.
Step 20 Observe the extension of the time via the Time Left field.
Step 21 Select the random account with the state of Created and Delete the account.
Confirm the deletion by clicking OK.
Activity Verification
You have completed this task when you attain these results:
You have suspended, reinstated, edited, reset the password of, extended, and deleted guest
accounts via the sponsor portal.
In this activity, you will run guest reports that are directly available from the Cisco ISE
dashboard. After completing this activity, you will be able to meet these objectives:
Run guest reports from the Authenticated Guests dashlet
Run guest reports from the Authenticated Guests dashlet sparklines
These are the resources and equipment that are required to complete this activity:
Admin PC
ISE-1
AD1
W10PC-Corp
vWLC
In this task, you will run reports for guest access from the Cisco ISE dashboard.
Activity Procedure
Complete these steps:
Step 1 On the Admin PC, navigate to the Cisco ISE dashboard by clicking Home. This
area shows statistical data, which improves your ability to monitor and
troubleshoot your system. Dashboard elements show activity over 24 hours,
unless otherwise noted.
Step 2 Observe Authenticated Guests in the metrics dashlet area. It shows the number of
guests (1).
Step 3 You will see some more detailed information about connected endpoints.
Following that will be a list of endpoints. You should have a guest user in this
list. Click the MAC address of that user.
Step 4 Notice the five tabs you can use to get more information about this endpoint, as
shown. Leave it on the Attributes tab for now, and scroll down to briefly review
the types of information available here. You can scroll down to see some of the
following information (the values shown are merely examples; do not
worry if yours do not match exactly):
EndPointPolicy Android
User-Name d-guest-xxxx
IdentityGroup GuestEndpoints
OperatingSystem
PortalName Demo-Sponsored
Step 5 Click the Authentication tab, scroll down, and peruse all the Authentication-
specific information available.
Step 8 You should see something similar to the example shown. You can see graphics
for GUESTS STATUS, GUESTS TYPE, FAILURE REASON, and more.
Following that, you see the list of devices, along with their MAC addresses.
Clicking the MAC address here would bring you to the same informational screen
you just looked at.
Step 9 Navigate to Context Visibility > Endpoints. The page is similar to the Home
screen, except that context visibility pages:
Retain your current context (browser window) when you filter the
displayed data
Are more customizable
Focus on Endpoint Data
Step 10 Click the Guest tab, as shown. Notice how it is similar to the information
displayed in the Home screen. However, a new tab did not open up. You stayed in
the same tab.
Step 11 Click the MAC address of your guest connection. Again, notice how the
information is similar to the Home screen, but new tabs do not open up.
Activity Verification
You have completed this task when you attain these results:
You have successfully viewed multiple reports from the Cisco ISE home dashboard
page.
In this activity, you will configure the Cisco ISE Profiler service and service settings. After
completing this activity, you will be able to meet these objectives:
Enable the Profiler Service
Enable the use of the Cisco Profiler Feed Service
Configure the Cisco ISE NAD definitions for SNMP Profiling
Configure global SNMP profiler settings
Verify NAD configurations for profiling operations
These are the resources and equipment that are required to complete this activity:
Admin PC
ISE-1
W10PC-Corp
vWLC
The table describes the commands that are used in this activity.
ISE Profiling CLI Commands
Command Description
In this task, you will enable and configure profiling in Cisco ISE.
Activity Procedure
Complete these steps:
Verification of Endpoint Data
To configure profiling in Cisco ISE, access the Cisco ISE Work Centers to view the
necessary steps to prepare, define, and monitor your profiler service configuration.
Step 1 From the Admin PC, navigate to Work Centers > Profiler > Overview to view
the required configuration steps that are needed to enable and configure the
profiler service.
Step 4 Select the Android tablet endpoint and click Edit, click Attributes and observe
the attribute list data.
Step 14 In the right pane, observe that the Profiling Configuration became available after
selecting the Enable Profiling Service feature. Select the Profiling
Configuration.
Step 15 Enable the following probes:
DHCP
HTTP
RADIUS
Network Scan (NMAP)
SNMPQUERY
Step 16 Scroll down and click Save.
Step 17 Click OK on the pop-up window notifying you of the Policy Service persona
change.
Step 18 After a few minutes, log back into the ISE admin portal using the credentials
Admin / 1234QWer. You can check the status from the ISE CLI with the
command show application status ise and checking the Application Server
status.
Activity Verification
You have completed this task when you attain these results:
You have observed the default profile information of an important
You have deleted the endpoint from Cisco ISE.
You have enabled the Profiler Service.
Activity Procedure
Complete these steps:
Step 1 In the ISE admin portal, navigate to Administration > Feed Service > Profiler
(Or Work Centers > Profiler > Feeds).
Step 2 Select the checkbox for Enable Online Subscription Update, if not checked.
Step 3 Read the notification and click OK.
Step 4 Enable notification when a download occurs and use the email address
admin@demo.local
Step 7 Now click the Update Now button.
Step 8 Click Yes on the pop-up.
Step 12 You should briefly see a Server Response in the lower right-hand corner that
indicates the FeedService was successfully started.
Note The update process will take some time. At least 30-45 minutes.
Tip You can verify the operation of the Feed Service operations via the ISE console by using
the following command:
Tip Lines with FEEDMANUALDOWNLOAD are logs generated from a manual Update Now
process.
Tip Lines with FEEDAUTOMATICDOWNLOAD are logs generated from the scheduled
process.
Activity Verification
You have completed this task when you attain this result:
You have successfully enabled the Cisco ISE Profiler Feed Service
Activity Procedure
Complete these steps:
Configure Cisco ISE NAD configuration for Profiling
Step 1 Navigate to Administration > Network Resources > Network Devices (Or
Work Centers > Network Access > Network Resources > Network Devices).
Step 2 Click the 3k-access switch to edit the NAD profile.
Step 3 Configure the following settings:
Attribute Value
SNMP Version 2c
SNMP RO Community
Step 4 At the bottom of the section set the Originating Policy Services Node to ise-1.
Tip While not a mandatory step in the lab topology with a single ISE node, setting the
Originating Policy Service Node for SNMP profiling operations to the node closest to
the NAD is a best practice and tuning configuration, especially in a larger or
geographically dispersed ISE deployment.
Note This is the default action for all the Cisco provided exception actions.
Activity Verification
You have completed this task when you attain these results:
You have modified the NAD configuration for SNMP polling.
You have observed the default profile configuration and enabled the HTTP probe.
You have modified the profiler configuration to enable CoA and modify the default
SNMP string to .
You have observed the profiler exception actions.
Activity Procedure
Complete these steps:
Step 1 On your Admin PC in Firefox, open a new tab.
Step 2 Click the vwlc bookmark in the toolbar.
Step 3 Log in with the credentials Admin / 1234QWer.
Step 4 Navigate to the WLANs tab.
Step 5 Click WLAN ID 1.
Step 6 Click the Advanced tab.
Step 7 Scroll down to the right-hand side section Radius Client Profiling.
Step 8 Verify both DHCP Profiling and HTTP Profiling are enabled.
Step 9 Click Apply at the top and click OK to the pop-up message.
Step 10 Click the < Back button.
Step 11 Verify the same configuration on your other WLANs (2 & 3).
Step 12 Return to the ISE Admin Portal tab.
Step 13 Access your 3k-access switch.
Step 14 Run the following commands to see the preconfigured SNMP configuration.
Note You may notice that the switch is configured for SNMP trap functionality. The switch
configuration is used for multiple classes, some of which use the SNMP trap
functionality. Since the switch is preconfigured, if you want to explore this functionality
after your lab is complete, all you need to do is enable the SNMP trap probe and
enable the trap query functionality in your Cisco ISE NAD SNMP definition.
Activity Verification
You have completed this task when you attain these results:
You have verified the WLC WLAN configurations for DHCP and HTTP profiling.
You have verified the 3k-access configuration for SNMP and DHCP profiling.
In this activity, you will configure the Cisco ISE profiler service to use profiling data to
make policy determinations. After completing this activity, you will be able to meet these
objectives:
Examine Endpoint profiled data
Create a Logical Profile
Utilize a Logical Profile as an Identity condition for authorization policy selection
Create a custom profiler policy based on observed endpoint data.
These are the resources and equipment that are required to complete this activity:
Admin PC
ISE-1
AD1
W10PC-Corp
vWLC
In this task, you will examine the collective endpoint data since turning profiling on Cisco
ISE.
Activity Procedure
Complete these steps:
Step 1 On your Admin PC in the Cisco ISE Admin portal navigate to Work Centers >
Profiler > Endpoints Classification (Or Context Visibility > Endpoints).
Step 2 Observe the list of endpoints that have been learned since enabling profiling.
You may have more than one page to view; use the arrows in the upper right near
the Rows, Page column to view more pages. Also, you can sort on any heading in
either ascending or descending order.
Step 17 You should now have at least one Microsoft-Workstation or VMware Device
endpoint profile added to your list.
Step 18 You should also see the Hostname and IP Address for this record in the list.
Step 19 Edit this endpoint profile to observe the endpoint attribute data.
Step 20 Observe that the attribute list contains much more data than seen before for other
endpoints. Pay particular attention to the following list of attributes:
EndPointSource
IdentityGroup
MatchedPolicy
NAS-Port-Id
OUI
Total Certainty Factor
client-fqdn
dhcp-class-identifier
host-name
Step 21 Return to the Endpoint List.
Step 22 Disable the NIC on the W7PC-guest again.
Activity Verification
You have completed this task when you attain these results:
You have observed the endpoint data that was automatically discovered via your profiler
configuration of the previous lab.
You have brought online your pod Guest PC and observed the endpoint data associated
with its automatic profiling upon coming on to the network.
Activity Procedure
Complete these steps:
Step 1 In the ISE Admin portal, navigate to Work Centers > Profiler > Profiling
Policies and then in the left pane select Logical Profiles.
Step 2 In the right pane click the +Add button.
Step 3 Create the following Logical Profile:
Attribute Value
Name Approved_Smart_Devices
Activity Verification
You have completed this task when you attain this result:
You have created a logical profile for corporate approved smart devices.
In this task, you will create an authorization policy assigning the previously configured
logical profile to a fixed authorization profile.
Activity Procedure
Complete these steps:
Step 1 In the ISE Admin portal, navigate to Work Centers > Profiler > Policy Sets
and enter the Wireless_Access policy set.
Step 2 Click the gear icon on the right to insert a new policy above the Guest Access
policy.
Smart Devices Authorization Policy
Attribute Value
Activity Verification
You have completed this task when you attain this result:
You have configured a Smart Devices authorization policy using the logical profile for
corporately approved devices.
Activity Procedure
Complete these steps:
Step 1 In your Cisco ISE admin portal navigate to Work Centers > Profiler >
Endpoints Classification.
Step 2 Find the VMWare-Device for your pod vWLC. The IP address is 10.1.100.61. It
is possible that you have a VMWare-Device (Endpoint Profile Cisco-WLC)
without an IP address. Try that endpoint.
Step 3 Observe the following endpoint attribute data. You will be using this data to
create a custom policy to automatically profile your pod vWLC.
Step 4 Navigate to Work Centers > Profiler > Profiling Policies.
Step 5 Click the +Add button in the right pane of Profiling Policies.
Step 6 Create the following policy. Verify your configuration with the screenshot before
submitting.
Cisco-vWLC
100
VMWare-Device
100
Step 10 Edit this endpoint.
Step 11 Observe the IdentityGroup has been set to Cisco-vWLC. This can now be
utilized in Authorization policies to assign specific authorization profiles if
desired.
Note Due to time constraints you will not be performing the task of setting an authorization
policy using the Identity Group. The process would be similar to when you created a
policy using the Logical Profile. Instead of creating a Condition you would utilize Identity
Groups selecting the Cisco vWLC Identity Group.
Activity Verification
You have completed this task when you attain these results:
You have identified endpoint profile data that can be utilized to create a profile policy.
You have created a custom profile policy utilizing the data.
You have observed your custom profile policy being applied to your pod vWLC.
Activity Procedure
Complete these steps:
Step 1 Access your pod Tablet.
Step 2 Navigate to WLAN.
Step 3 If you are still connected to any Pod## SSID, select it and click FORGET in
order to clear any previous cached settings or credentials.
Step 4 Return to the Cisco ISE Admin Portal on the Admin PC.
Step 5 Navigate to Work Centers > Profiler > Endpoints Classification.
Step 6 Search for the Tablet by typing Android into the Endpoint Profile Search field.
Step 7 Select and then Delete (Trash > Selected) the Android using the toolbar.
Confirm Yes to delete.
Step 8 Go to your pod vWLC tab and remove all clients. (Monitor > Clients)
Step 9 Return to your Tablet.
Step 10 Click the ##-guest SSID for your pod.
Step 11 Open a browser and trigger the webauth by browsing to 1.1.1.1.
Step 12 Sign On with the credentials employee1@demo.local / 1234QWer.
Step 13 Return to the ISE Admin Portal and navigate to Operations > Radius > Live
Log and observe the authentication records.
Step 14 Observe that the employee1 login was assigned the Guest Access Authorization
Profile.
Step 15 Click the authentication details for this record.
Step 16 Scroll down to the Other Attributes section and observe the LogicalProfile
attribute.
Note If you receive the Device ID instead of the Logical Profile, that is a known bug in ISE
2.4.
Step 17 Click Authentication in the top of the Window. Scroll up and observe the Steps
section. Look for the following two step entries towards the end, 15048 and
15004.
Step 23 This same information can also be found from the Home tab and selecting Active
Endpoints or Authenticated Guests. If time permits, take some time to explore
this resource as well by clicking either location, and examining the options, and
information available to you.
Discussion
The policy you just configured is a hardware-based policy. As you can see from the previous
task steps, the employee1 user logging into a smart device was given Guest Access instead of
Wireless Employee Access. At this point in time if the smart devices policy was truly an
exclusive approved list of devices that was allowed to access the network, you could use the
Approved_Smart_Devices logical profile as an additional condition for each wireless
authorization policy. By adding this as an additional condition to the employees, contractors,
an
network. Only successfully profiled hardware that matches the individual or component
policies of the Logical Profile would be permitted.
Remember also, that policies are evaluated in a top-down order. This policy was purposely
placed near the top to exemplify this fact. It is important to always consider context-based
attributes or information when creating policies.
Due to limited lab time in this five-day class, you will not be configuring your policies as
such. In the next steps, you will disable the Smart Devices authorization policy for simplicity
and the sake of time.
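The following Python model is an added example, not code from the lab guide or from Cisco ISE: it evaluates a policy set top-down the way the Discussion describes, with the Smart Devices rule above the employee rule (the lab ordering) and, alternatively, with the Approved_Smart_Devices logical profile as an extra condition on the employee rule. The rule names, AD group names, component profiler policies and the Guest Access result of the Smart Devices rule are assumptions, since the lab's policy table is not reproduced on the page.

```python
"""Top-down authorization policy evaluation with a Logical Profile condition.

Constructed model of how a policy set such as Wireless_Access picks the first
matching rule. The Smart Devices rule is modelled as returning Guest Access,
the outcome the lab observed for employee1 on the Android tablet.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Set

# Logical profile from the lab and the (assumed) profiler policies it groups.
LOGICAL_PROFILES: Dict[str, Set[str]] = {
    "Approved_Smart_Devices": {"Android", "Apple-iPad", "Apple-iPhone"},
}


@dataclass
class Session:
    """Attributes available to policy after authentication and profiling."""
    user: str
    identity_group: str    # e.g. demo.local Employees (assumed group name)
    endpoint_profile: str  # EndPointPolicy assigned by the profiler, "" if unknown

    def logical_profiles(self) -> Set[str]:
        """Logical profiles whose component policies include this endpoint's profile."""
        return {name for name, members in LOGICAL_PROFILES.items()
                if self.endpoint_profile in members}


Condition = Callable[[Session], bool]


@dataclass
class Rule:
    name: str
    conditions: List[Condition]  # all must hold (AND)
    result: str                  # authorization profile handed out
    enabled: bool = True

    def matches(self, session: Session) -> bool:
        return self.enabled and all(c(session) for c in self.conditions)


def in_group(group: str) -> Condition:
    return lambda s: s.identity_group == group


def has_logical_profile(name: str) -> Condition:
    return lambda s: name in s.logical_profiles()


def evaluate(rules: List[Rule], session: Session) -> str:
    """First enabled rule whose conditions all match wins; nothing matched -> deny."""
    for rule in rules:
        if rule.matches(session):
            return rule.result
    return "DenyAccess"


def lab_policy_set(smart_devices_enabled: bool = True) -> List[Rule]:
    """Ordering used in the lab: hardware rule near the top, above the employee rule.
    smart_devices_enabled=False models the Disable step at the end of the task."""
    return [
        Rule("Smart Devices", [has_logical_profile("Approved_Smart_Devices")],
             "Guest Access", enabled=smart_devices_enabled),
        Rule("Wireless Employee", [in_group("Employees")], "Wireless Employee Access"),
        Rule("Guest Access", [in_group("GuestType_Daily")], "Guest Access"),
    ]


def discussion_policy_set() -> List[Rule]:
    """Alternative from the Discussion: the logical profile as an additional
    condition on the employee rule, so only profiled, approved hardware passes."""
    return [
        Rule("Wireless Employee",
             [in_group("Employees"), has_logical_profile("Approved_Smart_Devices")],
             "Wireless Employee Access"),
        Rule("Guest Access", [in_group("GuestType_Daily")], "Guest Access"),
    ]


# Constructed sessions: employee1 on the profiled Android tablet, and the same
# user on hardware the profiler has not classified.
EMPLOYEE_ON_TABLET = Session("employee1", "Employees", "Android")
EMPLOYEE_ON_UNKNOWN = Session("employee1", "Employees", "")

if __name__ == "__main__":
    for label, rules in [("lab ordering", lab_policy_set()),
                         ("Smart Devices disabled", lab_policy_set(False)),
                         ("discussion ordering", discussion_policy_set())]:
        print(f"{label:24} tablet -> {evaluate(rules, EMPLOYEE_ON_TABLET):25} "
              f"unknown -> {evaluate(rules, EMPLOYEE_ON_UNKNOWN)}")
```

Under the lab ordering the tablet session hits the hardware rule first and never reaches the employee rule; under the Discussion's ordering the same employee on unprofiled hardware falls through every rule.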
Disable the Logical Profile Authorization Policy
Step 24 Navigate to Work Centers > Profiler > Policy Sets and enter the
Wireless_Access policy set.
Step 25 Disable the Smart Devices authorization policy rule.
Step 26 Confirm that your policy is disabled and matches the following screenshot.
Activity Verification
You have completed this task when you attain these results:
You have successfully connected to the network via your pod Tablet and matched the
authorization policy utilizing the Profiling Logical Profile condition configured earlier
in this lab.
You have observed a Guest Access authorization profile assigned to an employee based
on this rule.
You have read the Discussion section of this task.
You have disabled the Authorization Policy which utilizes the Profiling Logical
Profile condition.
In this activity, you will run reports that focus on profiling data. After completing this
activity, you will be able to meet these objectives:
Run Profiler Feed Reports
Run Endpoint Profile Changes Reports
Run Profiled Endpoints Summary Report
Run profiling based reports from the Cisco ISE Dashboard
These are the resources and equipment that are required to complete this activity:
Admin PC
ISE-1
AD1
W10PC-Corp
vWLC
In this task, you will run reports based on profiling data gathered in previous labs.
Activity Procedure
Complete these steps:
Step 1 In the ISE admin portal, navigate to Work Centers > Profiler > Feeds.
Step 2 Verify in the Update Information and Options section that a Latest applied feed
occurred.
Note If you have no timestamp indicating a successful update operation, you may have to
perform these steps at a later time. Please notify your instructor if your pod does not
have a timestamp.
Step 3 Click the Go to Update Report Page link as indicated in the above screenshot.
This will automatically run the Change Configuration Audit report from the
FeedService administrator.
Step 4 Observe the details of the Added and Changed configurations. If you see no
entries, click Update Now on the Feed Service Configuration page again.
Step 5 Click one of the Added configuration (if available) event hyperlinks.
Step 6 Observe the details paying specific attention to any Object Names and the data in
the Modified Properties.
Step 7 Close this tab and return to the Change Configuration Audit report tab.
Step 8 Click one of the Changed configuration event hyperlinks.
Step 14 Return to the Inbox and open the ISE System Message: Feed policies applied
update email.
Step 15 Observe the number of feed policies applied.
Note Your number of policies may vary depending upon the date of your class. This is an
indication of further updates since the above screenshot.
Activity Verification
You have completed this task when you attain these results:
You have observed the Feed Service updates and changes.
You have observed the email reports generated by the Feed Service.
In this task, you will run reports that are related to profiled endpoints.
Activity Procedure
Complete these steps:
Step 1 Navigate to Work Centers > Profiler > Reports.
Step 2 In the Reports pane navigate to Profiler Reports > Endpoint Profile Changes.
Step 3 Filter the report using the Time Range of Last 7 Days.
Step 4 Compare the Endpoint Profile (Before) pie chart to the Endpoint Profile
(After) pie chart and observe the additional data as a result of enabling profiling.
Step 5 Scroll down to view a list of the Endpoint Profile Changes.
Step 6 Click a record detail to see which probe ran that caused the change.
Step 7 Return to the ISE Admin portal when done.
Profiled Endpoints Summary Report
Step 8 In the Reports pane navigate to Profiler Reports > Profiled Endpoint
Summary.
Step 9 Filter the report using the Time Range of Last 7 Days.
Step 10 Observe the Details and then the Raw details of a record.
Step 11 In the Raw details report page, click one of the Endpoint property hyperlinks and
observe the additional level of detail available in the pop-up message.
Activity Verification
You have completed this task when you attain these results:
You have run the Endpoint Profile Changes and Summary reports and observed the data that is
contained in those reports.
Activity Procedure
Complete these steps:
Step 1 Navigate to the Context Visibility > Endpoints > Endpoints Classification tab.
Step 2 In the ENDPOINTS dashlet, click the new window icon to detach, and open the
dashlet in a new tab, to drill down for further details.
Step 3 In the new ENDPOINTS dashlet tab, click the Profile link to observe all profiled
endpoints that ISE has seen.
Step 4 By hovering your mouse over any individual section of the circle graph, ISE will
display the number of devices per that category.
Step 5 Similarly, the Home > Summary > Endpoints page will display the same
information, and other summary information. Both Context Visibility and Home
pages can be customized to meet your needs. You can add new Dashboards, or
Dashlets, by clicking the gear icon in the upper right corner of the pane.
Step 6 Close all newly opened tabs and return to the ISE Admin portal when done.
Activity Verification
You have completed this task when you attain these results:
You have run the Profile Feed report.
You have run the Endpoint Profile Changes report.
You have run the Profile Endpoints Summary report.
You have observed the metric data on the homepage and run a report from the Profiler
Activity dashlet.
In this activity, you will configure Cisco ISE for BYOD onboarding. After completing this
activity, you will be able to meet these objectives:
Create a customized My Device portal
Configure Cisco ISE to provision certificates via the internal CA and deploy those
certificates via a Native Supplicant Provisioning profile
Configure a certificate authentication profile that utilizes the attributes from the
internally deployed CA certificates
Configure Cisco ISE authentication and authorization policies for BYOD access
Onboard a mobile BYOD device
These are the resources and equipment that are required to complete this activity:
Admin PC
ISE-1
AD1
W10PC-Corp
vWLC
Activity Procedure
Complete these steps:
Portal Enablement
Step 1 Navigate to Work Centers > BYOD > Overview. Take a moment to review the
three major phases of BYOD configuration: Prepare, Define, and Go Live &
Monitor.
Step 2 Navigate to the My Devices Portals via Work Centers > BYOD > Portals & Components > My
Devices Portal, or via Administration > Device Portal Management > My
Devices.
Step 3 In the right pane click Create.
Step 4 Create the following portal.
My Devices Portal Settings and Customization
Attribute Value
Portal Settings
Idle timeout 10
Employee Change Password Settings
Tip Enabling the Support Information feature is an easy way to provide the end user with a
place to go to see their MAC address. Consider using some of the instructional or
optional fields on the My Devices and Add Devices page or others to provide this
information to the end user.
Note Later in the lab we will also be using a BYOD portal. For the sake of time we will use the Cisco
default portal. If you want, you may optionally customize that portal by adding the same
images as above and saving the portal.
Step 12 You should see the My Devices Portal that you previously configured.
Step 17 Return to your Cisco ISE Admin portal.
Activity Verification
You have completed this task when you attain these results:
You have created a custom My Devices portal for Demo employees.
You have optimized the portal Authentication sequence processing by configuring it to
process AD accounts first.
You have reviewed the customized My Devices via a desktop browser.
Note It is important that any time a default template is used, it is modified to fit the specific
installation environment.
Activity Procedure
Complete these steps:
Certificate Provisioning
Step 1 In your Cisco ISE admin portal, navigate to Administration > System >
Certificates and then in the left pane select Certificate Management > Trusted
Certificates.
Note Some trusted third-party CA certificates already exist. If you need other CA
certificates, you can import them in this section.
Step 2 In the left pane select Certificate Management > Certificate Signing Requests.
Step 3 Click Generate Certificate Signing Requests (CSR).
Step 4 Select ISE Root CA as the Usage.
Note Your ISE node provides all CA functions and will act as the root CA, node CA, endpoint sub-CA
and OCSP responder CA.
Step 8 In your Cisco ISE admin portal, navigate to Work Centers > BYOD > Portals
& Components and then in the left pane select Certificates > Certificate
Templates.
Step 9 Edit the EAP_Authentication_Certificate_Template.
Step 10 Modify the template according to the following table. Verify configuration with
the subsequent screenshot.
Note In this configuration, you will configure the OU to be the distinguishing attribute that
stores the functional purpose of the certificate inside each certificate that is issued. By
performing this step, an Authorization Policy rule can be configured with a condition that
matches this attribute and then applies the appropriate authorization profile.
Name BYOD_EAP_AUTH_365
Country (C) US
Inline Native Supplicant Profile Procedure
Step Action Notes
1. Expand Results.
5. Create a Native Supplicant Profile using the following data.
Notes: It is important that your pod SSID (##-wpa2e) match exactly what is configured for your pod. Having your WLC portal open in a separate tab and performing a copy/paste from there is the most reliable method. Pod 00 is used to make the screenshot generic. Replace 00 with your actual pod number.
Name Android_WPA2_TLS_BYOD
Description Pod ## BYOD NSP
Operating System Android
Connection Type Wireless
SSID ##-wpa2e
Security WPA2 Enterprise
Allowed Protocol TLS
Certificate Template BYOD_EAP_AUTH_365
6. Click Save.
Activity Verification
You have completed this task when you attain these results:
You have configured a Certificate Template for BYOD access.
You have configured the Client Provisioning rule using an in-line created NSP specific
for your pod SSID and assigning the BYOD certificate template.
In this task, you will configure the policy components for BYOD access.
Activity Procedure
Complete these steps:
Certificate Authentication Profile Creation
Step 1 Navigate to Work Centers > BYOD > Ext Id Sources > Certificate
Authentication Profile.
Step 2 In the right pane, click +Add to create a Certificate Authentication Profile
according to the following information.
Certificate Authentication Profile
Attribute Value
Name CN_USERNAME
Step 3 Verify your configuration with the following screenshot then click Submit.
Name DOT1X_X509_Username
Selected All_AD_Join_Points
Internal Users
Guest Users
If the selected identity store cannot be accessed for authentication: Treat as if the user was
not found and proceed to the next store in the sequence
Step 6 Verify your configuration with the following screenshot then click Submit.
Allowed Protocols Review
Step 7 Navigate to Work Centers > BYOD > Policy Elements > Results > Allowed
Protocols.
Step 8 In the right pane, click Default Network Access.
Observe that EAP-TLS and PEAP with an inner method to EAP-TLS are both
allowed. This is sufficient for this access use case (TLS client certificate-based
access).
flexibility. Enabling this feature by itself weakens the security that is inherent in the
expiration process of X.509v3 certificates. However, Cisco ISE has a dictionary
condition, CertRenewRequired, which can be used in an Authorization Policy rule near the
top or as a Global Exception policy. It evaluates the expiration of the certificate and, if
the certificate is expired, can be used to apply an Authorization Profile that redirects to the
CWA portal. Hovering your mouse over the (i) icon at the end of the line pops up a message
indicating this, as shown in the following screenshot.
Name DOT1X_EAP_TLS
Use DOT1X_X509_Username
Options
Authorization Profile Configuration
Step 14 Navigate to Work Centers > BYOD > Policy Elements > Results >
Authorization Profiles.
Step 15 Create and Save the two following Authorization Profiles.
WLC Native Supplicant Provisioning Authorization Profile
Attribute Name Value
Name WLC_NSP
Common Tasks
Common Tasks
Caution Be sure to select RADIUS attribute 31 instead of 30. Attribute 31 will give you the MAC
address of the endpoint whereas attribute 30 will give you the MAC address of the NAD.
Use Radius:Calling-Station-ID [31] instead of
Radius:Called-Station-ID [30].
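The following is an added illustration, not Cisco ISE code, of the policy decisions described in this lab: the certificate CN is the username (the CN_USERNAME profile), the OU written by the certificate template marks a BYOD certificate, an expired certificate is handled the way the CertRenewRequired note describes, and the endpoint MAC comes from Calling-Station-ID (31) rather than Called-Station-ID (30). The profile name CWA_Cert_Renew, the MAC addresses and the timestamps are constructed placeholders.

```python
import re
from datetime import datetime, timezone

# Constructed names mirroring the lab configuration (illustration only).
CERT_TEMPLATE_OU = "BYOD_EAP_AUTH_365"  # OU the certificate template writes
PROFILE_NSP = "WLC_NSP"                 # redirect to Native Supplicant Provisioning
PROFILE_ACCESS = "WLC_User_Access"      # full BYOD access
PROFILE_RENEW = "CWA_Cert_Renew"        # hypothetical profile for an expired cert


def parse_dn(dn):
    """Split a subject such as 'CN=employee1,OU=BYOD_EAP_AUTH_365' into a dict.
    Escaped commas ('\\,') stay inside a value; the first occurrence of an
    attribute type wins, as a policy engine would read the first RDN."""
    fields = {}
    for part in re.split(r'(?<!\\),', dn):
        key, sep, value = part.partition('=')
        key = key.strip().upper()
        if sep and key not in fields:
            fields[key] = value.strip().replace('\\,', ',')
    return fields


def endpoint_mac(radius_attrs):
    """Return the endpoint MAC from Calling-Station-ID (attribute 31) in
    aa:bb:cc:dd:ee:ff form. Called-Station-ID (30) carries the NAD/AP MAC
    (and SSID on a WLC) and is deliberately ignored."""
    raw = radius_attrs.get(31, "")
    digits = re.sub(r'[^0-9A-Fa-f]', '', raw).lower()
    if len(digits) != 12:
        return None
    return ':'.join(digits[i:i + 2] for i in range(0, 12, 2))


def authorize(subject_dn, not_after, radius_attrs, registered_macs, now=None):
    """Pick an authorization profile for an EAP-TLS session.
    Order mirrors the lab's intent: the expiry check sits first (like a rule
    near the top or a Global Exception), then the template OU, then whether
    the endpoint is a registered BYOD device."""
    now = now or datetime.now(timezone.utc)
    subject = parse_dn(subject_dn)
    username = subject.get("CN")
    mac = endpoint_mac(radius_attrs)
    result = {"username": username, "mac": mac}
    if not username or mac is None:
        result["profile"], result["reason"] = None, "reject: no CN or no endpoint MAC"
    elif not_after <= now:
        result["profile"], result["reason"] = PROFILE_RENEW, "CertRenewRequired"
    elif subject.get("OU") != CERT_TEMPLATE_OU:
        result["profile"], result["reason"] = PROFILE_NSP, "not a BYOD template certificate"
    elif mac not in registered_macs:
        result["profile"], result["reason"] = PROFILE_NSP, "endpoint not registered"
    else:
        result["profile"], result["reason"] = PROFILE_ACCESS, "registered BYOD endpoint"
    return result


# Constructed sample session; MACs and dates are placeholders, not lab values.
SAMPLE_ATTRS = {
    30: "00-11-22-33-44-55:00-wpa2e",   # Called-Station-ID: AP MAC + SSID
    31: "aa-bb-cc-dd-ee-ff",            # Calling-Station-ID: endpoint MAC
}
SAMPLE_DN = "CN=employee1,OU=BYOD_EAP_AUTH_365,O=demo.local"
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_NOT_AFTER = datetime(2025, 6, 1, tzinfo=timezone.utc)   # one-year cert
EXPIRED_NOT_AFTER = datetime(2024, 5, 1, tzinfo=timezone.utc)
REGISTERED = {"aa:bb:cc:dd:ee:ff"}

if __name__ == "__main__":
    print(authorize(SAMPLE_DN, SAMPLE_NOT_AFTER, SAMPLE_ATTRS, REGISTERED, now=NOW))
```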
Activity Verification
You have completed this task when you attain these results:
You have configured a certificate authentication profile that will use the subject
common name as the username.
You have configured an identity source sequence that utilizes the certificate
authentication profile.
You have reviewed the allowed authentication protocols to see that they allow EAP-
TLS.
You have configured authentication policy which matches certificate authentication and
uses the source sequence which you have configured.
You have configured authorization profiles to provision the certificate using NSP and to
permit BYOD access.
You have configured two authorization policy rules for NSP and for BYOD access.
Activity Procedure
Complete these steps:
Endpoint Cleaning from Previous Labs
Step 1 Access your Tablet according to your lab specific instructions.
Caution If you are having difficulty, notify your instructor. Do not attempt to modify configurations
in troubleshooting.
Tablet Onboarding
Step 8 Access the Tablet.
Step 9 Access the ##-wpa2e SSID for your pod. Log in using the credentials
employee1@demo.local / 1234QWer.
Step 10 Open a browser.
Step 11 If you are not automatically redirected to the ISE BYOD portal, trigger it by
typing 1.1.1.1, for example.
Step 12 Process through the BYOD portal process by clicking Start.
Step 13 Enter the device name employee1_Tablet and the description My Tablet. Also
observe that the Device ID or MAC address is included at the bottom.
Note The Cisco Network Setup Assistant has been preinstalled on the Tablet.
Step 16 Examine the page. For Android devices a Cisco proprietary application is needed
to perform the automatic profile and certificate installation process.
Step 17 On the Tablet press the Home button, then in the main view locate and open the
Cisco App Network Setup Assistant.
Step 18 Click Start inside the Network Setup Assistant and observe the provisioning
procedure. Click PROCEED and CONNECT, if prompted.
Step 19 If prompted, enter the Tablet PIN 1234.
Step 20 When presented with the certificate package for the user, leave all defaults and
click OK.
Step 21 When presented with the root certificate, leave all defaults and click OK.
Step 22 After the Cisco Network Setup Assistant has downloaded and installed everything
successfully, you will be automatically connected to the SSID from the configured
profile (##-wpa2e) and presented with the screen shown on the left in the following screenshot.
Step 23 Click Exit, open the browser and verify browsing to the Internet, e.g. cisco.com
is working.
Step 24 In your Tablet navigate to Settings > Security > Trusted Credentials.
Step 25 Under the section USER you should see the root CA certificate, which you can
examine by clicking it, as shown on the right in the top screenshot.
Step 30 Click the Details icon for the record that was assigned the Authorization Profile
WLC_User Access.
Step 31 Observe the Overview section and notice the indicated sections below.
Step 32 Examine the Steps section and towards the bottom observe the 15048 messages
indicating the EAP authentication and the querying of the Subject Common
Name and the MAC address as the Radius Calling-Station-ID.
Step 33 Close this tab and return to the Cisco ISE admin portal.
Step 34 Navigate to Work Centers > BYOD >Identities > Endpoints.
Step 35 Find the Tablet MAC address and click the MAC address in this list.
Step 36 Verify that DeviceRegistrationStatus is Registered and BYODRegistration is Yes,
indicating the endpoint status of the Tablet.
Step 37 If the Device Registration says Pending, this is unfortunately a known bug.
Step 38 Scroll down to the Subject attribute lines. Observe the certificate details paying
particular attention to the Subject Common Name values.
Step 39 Return to the Cisco ISE admin portal and navigate to Administration > System
> Certificates > Certificate Authority > Issued Certificates.
Step 40 Select the endpoint certificate which has been deployed to the employee1 Tablet,
click View in the toolbar and examine the details.
Note Use Google Chrome Browser, if the certificate details are not showing up correctly!
Activity Verification
You have completed this task when you attain this result:
You have successfully onboarded your pod Tablet and verified access according to the
task steps.
In the previous lab, you learned how to configure a BYOD solution. In this activity, you
will learn how to manage that solution. The focus is on how to mark a device lost, and then
stolen.
You will examine Cisco ISE to see how the endpoint is processed for each of these
situations. You will then reinstate a lost or stolen device. You will also process an endpoint
for re-enrollment after a certificate has been revoked.
In this activity, you will perform the steps to mark a device lost and then stolen. You will
examine Cisco ISE to see how the endpoint is processed for each of these situations. After
completing this activity, you will be able to meet these objectives:
Mark a device as lost
Mark a device as stolen
Reinstate a lost or stolen device
Process an endpoint for re-enrollment after a certificate has been revoked
These are the resources and equipment that are required to complete this activity:
Admin PC
ISE-1
AD1
W10PC-Corp
vWLC
Activity Procedure
Complete these steps:
Configure a local Exceptions Policy for the Blacklist devices
Step 1 Navigate to Policy > Policy Sets > Wireless_Access > Authorization Policy
Local Exceptions.
Step 2 Click the + symbol to insert a new exception policy.
Authorization Policy Local Exceptions
Attribute Value
Step 11 Scroll down and click Save.
Marking a Device as Lost
Step 12 Open a new tab and navigate to the My Devices Portal either using the
MyDevices bookmark in the toolbar or by using the URL
https://mydevices.demo.local
Step 13 Login with the credentials employee1@demo.local / 1234QWer.
Step 14 Click the checkbox to accept the AUP and then click Sign On.
Step 15 Click Continue.
Step 16 Observe that the status is Registered; otherwise, read the following Note.
Note If the device status is still Pending, allow up to 20 minutes for the profiling process.
Tip Switching the WLAN off and on might trigger the registration status update from the Tablet.
Activity Verification
You have completed this task when you attain this result:
You have marked the employee1 Tablet endpoint as Lost.
Activity Procedure
Complete these steps:
Step 1 In the Cisco ISE admin portal navigate to Operations > RADIUS > Live Logs.
Step 2 You should already observe an authentication success record for the employee1
Tablet that has the Blackhole_Wireless_Access authorization profile as its
result. Cisco ISE issued a CoA when the device was marked lost. The device
automatically re-authenticated as it normally would and matched the Wireless
Black List Default authorization policy rule.
Step 3 Return to your Tablet and in a browser navigate to any website or to 1.1.1.1. You
should be redirected to the blacklist portal automatically.
Activity Verification
You have completed this task when you attain this result:
You have been redirected to the blacklist portal on the Tablet.
Step 5 In the upper right search bar type employee1@demo.local.
Step 6 Select employee1@demo.local from the suggestions box.
Step 7 In the search results window, notice Blackhole_Wireless in the text. Click the
record to view the details.
Step 8 Observe that the current status is Authenticated & Authorized and the assigned
profile is Blackhole_Wireless_Access.
Step 11 Close the result box by clicking on the X in the upper right-hand corner.
Activity Verification
You have completed this task when you attain this result:
You have verified that the endpoint has been marked Lost.
Activity Procedure
Complete these steps:
Step 1 On the Admin PC access the previously opened My Devices Portal tab.
Step 2 It is likely that your session has timed out. If necessary, log in with the credentials
employee1@demo.local / 1234QWer.
Step 3 Click Accept for the AUP and then click Continue.
Step 4 Manage the device by clicking on the record.
Step 5 Click Reinstate.
Activity Verification
You have completed this task when you attain this result:
You have reinstated the employee1 Tablet and observed the status as Registered.
Activity Procedure
Complete these steps:
Step 1 In the Cisco ISE admin portal navigate to Operations > RADIUS > Live Logs.
Step 2 You should already observe an authentication success record for the employee1
Tablet that has the WLC_User Access authorization profile as its result. Cisco
ISE issued a CoA when the device was reinstated. The device
automatically re-authenticated as it normally would and matched the BYOD
Access authorization policy rule.
Step 3 Return to the Tablet and in a browser, navigate to cisco.com. You should be able to
successfully connect to the webpage.
Activity Verification
You have completed this task when you attain these results:
You have observed the proper authorization profile for the registered BYOD device.
You have successfully connected to a webpage.
In this task, you will mark a device as stolen and observe the endpoint and certificate status.
You will then reinstate and re-onboard the device. In the interest of brevity, you will not go
through the process of testing access while the device is marked as stolen, as you have already
tested blacklisted access in a previous task.
Activity Procedure
Complete these steps:
Marking a Device as Stolen
Step 1 Return to the Admin PC and to the My Devices Portal.
Step 2 It is likely that your session has timed out. If necessary, log in with the credentials
employee1@demo.local / 1234QWer.
Step 3 Click Accept for the AUP and then click Continue.
Step 4 Manage the device by clicking on the record.
Step 5 Click the Stolen button.
Step 6 Click Yes to acknowledge that you want to mark the device as stolen.
Step 7 Observe that the status is now Stolen.
Examining Endpoint Status and Record
Step 8 Return to the Cisco ISE admin portal and navigate to Operations > RADIUS >
Live Logs.
Step 9 You should see a denied access record for the Tablet.
Step 13 Use Google Chrome Browser, if the certificate details are not showing up correctly!
Step 14 In the list of certificates, observe that the status is now Revoked for the
Tablet certificate.
Step 15 View the certificate details and observe the certificate status is revoked with a
red X icon.
Re-Onboarding Device
Step 22 Return to your Tablet and observe your ##-wpa2e WLAN SSID.
Step 23 You should notice that it is not possible to join the ##-wpa2e WLAN.
Step 24 Select the WLAN and at the bottom right, click FORGET.
Step 25 Navigate to Settings > Security > Clear credentials
Step 26 Click Clear credentials and Remove all the contents by clicking OK.
Step 27 Return to the WLAN list and attempt to join the ##-wpa2e WLAN. This should
succeed by prompting you for credentials.
Step 28 Enter the credentials employee1@demo.local / 1234QWer.
Step 29 Open a browser and trigger a redirection to the ISE portal.
Step 30 Go through the onboarding process as before. Refer to the previous lab
steps if necessary.
Step 31 Once complete navigate to cisco.com. This should succeed.
Step 32 Return to the Cisco ISE admin portal and navigate to Operations > RADIUS >
Live Logs.
Step 33 The employee1 Tablet should have been assigned the WLC_User_Access
authorization profile. To the right, the device should also be in the Identity Group
RegisteredDevices.
Activity Verification
You have completed this task when you attain these results:
You have successfully marked the device as stolen.
You have observed the device certificate authentication failure.
You have examined the certificate status and observed that it is revoked.
You have reinstated the device via the My Devices Portal.
You have deleted the certificate profile and re-enrolled the Tablet.
You have observed a successful BYOD certificate authentication.
In this activity, you will configure Cisco ISE settings and policies for compliance-based
access. After completing this activity, you will be able to meet these objectives:
Configure Cisco ISE Posture Settings
Configure Authorization Profile components for compliance based access
Configure Authorization Policy rules for compliance based access
These are the resources and equipment that are required to complete this activity:
Admin PC
ISE-1
AD1
W10PC-Corp
vWLC
In this task, you will configure Cisco ISE posture update settings that will be used later to
check the posture compliance of clients.
Activity Procedure
Complete these steps:
Posture Updates
You will perform a manual posture update in this section.
Step 1 Navigate to Work Centers > Posture > Settings > Software Updates >
Posture Updates.
Step 2 Click the Automatically check for updates starting from initial delay check
box to enable auto updates. After the initial download, this will perform an
incremental update automatically from Cisco.
Note By default, posture updates are configured to be retrieved from the web and automatic
checking is disabled.
Posture updates include a set of predefined checks, rules, and support lists for antivirus
and anti-spyware for both Windows and Macintosh operating systems. The initial update
process usually takes approximately 20 minutes.
Note You can safely navigate away from this page and continue on to the next steps while this
process works in the background.
Step 5 Observe the Update Information section below to view the status on updates. The
following fields are useful in determining proper functioning, Last successful
update on and Last update status since ISE was started.
Note Leaving the value at 0 would configure the client not to display the login success screen.
This may be optimal in some organizations.
Posture Lease
The default configuration as indicated in this section is to perform a posture assessment
every time a user connects to the network. By enabling the second option, the system is
considered to be compliant for the configured number of days (range 1-365) and will be
checked again at the configured interval.
Note Posture leases are only applicable to Cisco AnyConnect Unified Agent access.
Portal Modification
Step 11 Navigate to Work Centers > Guest Access > Portals & Components > Guest
Portals and edit the Demo-Sponsored portal.
Step 12 Scroll down to the Guest Device Compliance Settings section and enable
Require guest device compliance.
In this task, you will configure a simple compliance policy check.
Activity Procedure
Complete these steps:
Create Downloadable ACLs for Compliance
Step 1 Navigate to Work Centers > Posture > Policy Elements and then
Downloadable ACLs.
Step 2 Create the following AD Login Access dACL.
Name acl_ad_login
DACL Content
Name acl_posture_remediation
DACL Content
Name acl_internet_only
DACL Content
Step 5 A URL redirect ACL needs to pre-exist on a switch and cannot be a dACL. Your
3k-access switch is preconfigured with the ACL that you will use. It is named
ISE-URL-REDIRECT. The contents of that ACL are included below as a time-saving
convenience.
Note If you desire, you may open an SSH session via PuTTY and verify by issuing a
.
Note You will be referencing the name of this URL redirect ACL in authorization profiles. Spelling
must match exactly.
Create Authorization Profiles for Compliance
Step 6 Navigate to Work Centers > Posture > Policy Elements and then
Authorization Profiles.
Step 7 By clicking +Add in the right pane, create each of the following authorization
profiles.
Posture Remediation - Authorization Profile
Common Tasks
Common Tasks
Common Tasks
Step 8 Modify the Wired Domain Computer Access authorization profile to use the
newer, more port-restrictive dACL for AD Login, acl_ad_login, and then click Save.
Activity Verification
You have completed this task when you attain these results:
You have configured dACLs for utilization in compliance based access.
You have configured Authorization profiles to be utilized during different stages of
compliance based processing.
Activity Procedure
Complete these steps:
Policy Set Evaluation
Step 1 Navigate to Work Centers > Posture > Policy Sets and then to Wired_Access >
Authorization Policy.
Examine the authorization policy rules and notice that right now things are pretty
clean. You have profiled IP phones, two rules for employees or contractors, a rule
for domain computer authentication, and a default deny rule at the end. Having
created all of the guest access rules under the wireless access policy has allowed
the wired policy to stay clean. By using the condition function of policy sets, you can
split wired access into two different parts, in a similar way to how we split our overall
access into wired and wireless policy sets.
In the following section you will go through the process of creating a separate policy
set for wired MAB access. This will allow you to consolidate all of your policies
that would apply to wired MAB access in a central location without having to
evaluate whether a policy would apply to an 802.1X session or a MAB session.
You will also modify the existing Wired_Access policy set to apply to 802.1X sessions.
Policy Set Modification
Step 2 Click in the top Policy Sets to go back to the Policy Set overview.
Step 3 Click the + symbol on the left side to create a new Policy Set in the top of your
policy sets.
Note Policy sets are evaluated like access control lists, top down. Like ACLs, the order of your
rules can determine whether your policy functions as expected.
Policy Set Wired_MAB_Access
Name Wired_MAB_Access
Description Wired MAB Device Access
Condition(s) Compound Condition > Wired_MAB [ Drag & Drop Condition from Library ]
Allowed Protocols / Server Sequence Default Network Access
Step 4 Click Use and verify your policy set with the following screenshot.
Policy Set Wired_8021X_Access
Name Wired_8021X_Access
Description Wired 802.1X Device Access
Condition(s) DEVICE:Device Type EQUALS All Device Types#Wired
AND
Compound Condition > Wired_802.1X [ Drag & Drop Condition from Library ]
Allowed Protocols / Server Sequence Default Network Access
Note While in this specific lab environment and configuration, it is not necessary to build a
compound condition of device type wired and Wired_802.1X, the purpose for doing so is
to illustrate the flexibility and capability of the policy set condition aspect of Cisco ISE.
Tip Applying this logic, it would be possible to create a condition matching a specific device
location, access method (wired or wireless, etc.) and access type (MAB or 802.1X), to
create and maintain organized policy sets.
Step 7 Click Done and verify your modification with the following screenshot.
Attribute Value
Step 12 Modify the Default rule to use the authorization profile CWA Posture
Remediation.
Step 13 Verify your policy with the following screenshot.
Caution In a production environment it would be important to copy and create policy rules to
facilitate profiled devices which would access the network by way of MAB. For the sake
of time and due to the simplicity of this lab environment you will not be creating or
configuring such rules.
Attribute Value
Activity Verification
You have completed this task when you attain this result:
You have modified the Wired_Access Policy Set to process access based on
compliance status.
In this activity, you will configure Cisco ISE to provision Cisco posture agents. After
completing this activity, you will be able to meet these objectives:
Configure Client Provisioning settings for updates from Cisco online.
Configure Client Resources for utilization in compliance based access.
Configure Client Provisioning policies for the utilization of posture agents
These are the resources and equipment that are required to complete this activity:
Admin PC
ISE-1
AD1
W10PC-Corp
vWLC
In this task, you will review client provisioning settings and then perform a posture
component update.
Activity Procedure
Complete these steps:
Client Provisioning Settings
Step 1 Navigate to Work Centers > Posture > Settings then to Software Updates >
Client Provisioning. This page can also be accessed via Administration >
System > Settings and then Client Provisioning.
Step 2 Observe the default configuration that client provisioning is enabled by default.
Activity Verification
You have completed this task when you attain these results:
You have reviewed the Client Provisioning settings.
You have configured Cisco ISE to perform automatic posture updates and initiated a
manual update.
Activity Procedure
Complete these steps:
Downloading Resources to your PC
Step 1 In your Firefox browser, open a new tab and use your bookmark toolbar to
navigate to tools > cp. (http://tools.demo.local/cp)
Step 2 Download the following files. These files will be placed in your profile
Downloads folder.
anyconnect-win-4.5.04029.0-webdeploy-k9.pkg
anyconnect-VPN-disable.xml
anyconnect-NAM-EAP-FAST.xml
Step 3 Return to the Cisco ISE Admin portal.
Step 4 Navigate to Work Centers > Posture then to Client Provisioning > Resources.
Step 5 In the right pane, click +Add and from the menu select Agent resources from
Cisco Site.
Step 6 After a moment, the list should populate. Select the following list of items.
AnyConnectComplianceModuleWindows 4.3.50.0 or latest 4.3.xxxxx.x
ComplianceModule 3.6.11017.2 or latest 3.6.xxxxx.x
CiscoTemporalAgentWindows 4.5.02036
Step 7 Click Save to start the download process.
Step 8 The Download will take several minutes.
Adding resources to Cisco ISE
Step 9 Navigate to Work Centers > Posture then to Client Provisioning > Resources.
Step 10 In the right pane, click +Add and from the menu select Agent resources from
local Disk.
Step 11 Select the category of Cisco Provided Packages.
Step 12 Click Browse, navigate to your Downloads folder, select
anyconnect-win-4.5.04029.0-webdeploy-k9.pkg and click Open.
Step 13 Click Submit
Step 14 Click Confirm when prompted to confirm the hash.
Step 15 Perform the same operation for the following files. Fill out the form according to
the tables below.
acNAMProfile - Customer Created Agent Resource Package
Attribute Value
Name acNAMProfile
Note The following profile is optional and cosmetic in nature. It is intended to hide the VPN tile
of the AnyConnect client.
Name acVPNdisableProfile
AnyConnect
*Name acWinPostureProfile
Agent behavior
IP Address Change
Posture Protocol
Note The discovery host needs to be something that will resolve via DNS to generate traffic
(packets) to hit the url-redirect. That traffic will then be redirected to the supporting ISE
node running the Policy Services persona.
Create the AnyConnect Configuration File.
Step 20 In the right pane, click +Add and from the menu select AnyConnect
Configuration.
Step 21 Create the following configuration.
ISE Posture [X ]
VPN [ ]
Web Security [ ]
AMP Enabler [ ]
ASA Posture [ ]
Network Visibility [ ]
Profile Selection
VPN acVPNdisableProfile
Web Security
Customer Feedback
Customization Bundle
Localization Bundle
Deferred Update
Installation Options
Activity Verification
You have completed this task when you attain these results:
You have configured Cisco ISE to utilize the Cisco NAC Agent and created an
associated NAC Agent posture profile.
You have configured Cisco ISE to utilize the Cisco AnyConnect Unified Client and
created an associated profile and AnyConnect configuration.
In this task, you will configure Cisco ISE to provision Cisco posture agents in order to
enforce compliance-based access.
Activity Procedure
Complete these steps:
Configuring Client Provisioning Policies.
Step 1 Navigate to Work Centers > Posture > Client Provisioning and then Client
Provisioning Policy.
Step 2 Add two new rules below Android_WPA2_BYOD according to the following
tables.
AC Employee Win All - Client Provisioning Policy Rule
Attribute Value
Step 3 Verify your configuration with the following screenshot then click Save.
Activity Verification
You have completed this task when you attain this result:
You have configured client provisioning policies for Cisco AnyConnect, Cisco NAC
Agent, and Cisco NAC WebAgent.
In this activity, you will configure some simple Cisco ISE posture policies to provide for a
functional orientation to posture policies. After completing this activity, you will be able to
meet these objectives:
Configure posture conditions
Configure posture remediations
Configure posture requirements
Configure posture policies
Admin PC
ISE-1
AD1
W10PC-Corp
vWLC
In this task, you will configure some simple file conditions as well as antivirus compound
conditions for both installation and definition age.
Activity Procedure
Complete these steps:
Step 1 Navigate to Work Centers > Posture > Policy Elements and then Conditions >
File.
Step 2 In the right pane, click +Add and create the following three File Conditions.
Caution Be aware of the case of the file name PUTTY. The Cisco NAC Agent file evaluation is
case sensitive, but the Cisco AnyConnect evaluation is not.
Caution The operator is Later than, not Later than or Equal to. This is a common error in
configuration.
Name PuTTY_Version
Operating System
Operator
Name Bad_File
Operating System
Operator DoesNotExist
Name Good_File
Operator Exists
Name ClamWin_AV_Installed
Vendor ClamWin
Name ClamWin_AV_Current
Vendor ClamWin
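As an added illustration (not Cisco ISE or agent code) of how the three file conditions above are evaluated, and of the two cautions, here is a small evaluator that models Exists, DoesNotExist and Later than (versus Later than or Equal to) against a constructed file inventory, with a switch for case-sensitive path matching. The file paths and the 0.62 version threshold are assumptions; the page only names the conditions and their operators.

```python
import re

# Constructed agent inventory (what the posture agent found on the PC):
# path -> file version string, or None when the file carries no version.
SAMPLE_INVENTORY = {
    r"C:\tools\PUTTY.EXE": "0.62",    # note the upper-case file name
    r"c:\tools\good.txt": None,
}

# Constructed file conditions mirroring the lab's names; paths and the
# PuTTY version threshold are assumptions, not values from the lab guide.
SAMPLE_CONDITIONS = [
    {"name": "PuTTY_Version", "path": r"c:\tools\putty.exe",
     "operator": "LaterThan", "version": "0.62"},
    {"name": "Bad_File", "path": r"c:\tools\bad.txt", "operator": "DoesNotExist"},
    {"name": "Good_File", "path": r"c:\tools\good.txt", "operator": "Exists"},
]


def compare_versions(found, required):
    """Return -1, 0 or 1 comparing dotted version strings numerically,
    so '0.62' equals '0.62.0.0' and '0.63' is later than '0.62'."""
    f = [int(p) for p in re.findall(r"\d+", found)]
    r = [int(p) for p in re.findall(r"\d+", required)]
    n = max(len(f), len(r))
    f += [0] * (n - len(f))
    r += [0] * (n - len(r))
    return (f > r) - (f < r)


def evaluate_condition(cond, inventory, case_sensitive):
    """Evaluate one file condition against the inventory. case_sensitive=True
    models the NAC Agent's path matching, False models AnyConnect's."""
    def same(a, b):
        return a == b if case_sensitive else a.lower() == b.lower()

    found = next((p for p in inventory if same(p, cond["path"])), None)
    op = cond["operator"]
    if op == "Exists":
        return found is not None
    if op == "DoesNotExist":
        return found is None
    if found is None or inventory[found] is None:
        return False  # version operators need a present, versioned file
    cmp = compare_versions(inventory[found], cond["version"])
    if op == "LaterThan":
        return cmp > 0
    if op == "LaterThanOrEqual":
        return cmp >= 0
    raise ValueError("unknown operator %r" % op)


def evaluate_all(conditions, inventory, case_sensitive):
    """Map condition name -> pass/fail for the whole list."""
    return {c["name"]: evaluate_condition(c, inventory, case_sensitive)
            for c in conditions}


if __name__ == "__main__":
    # PuTTY 0.62 is installed, so 'Later than 0.62' fails with either agent.
    print("AnyConnect:", evaluate_all(SAMPLE_CONDITIONS, SAMPLE_INVENTORY, False))
    print("NAC Agent: ", evaluate_all(SAMPLE_CONDITIONS, SAMPLE_INVENTORY, True))
```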
Activity Verification
You have completed this task when you attain these results:
You have configured three posture file conditions.
You have configured an antivirus installation condition.
Activity Procedure
Complete these steps:
Step 1 Navigate to Work Centers > Posture > Policy Elements and then
Remediations > File.
Step 2 In the right pane, click +Add and create the following File Remediation.
File Remediation PuTTY_62
Attribute Value
Name PuTTY_62
Version 0.62
File to Upload
Note The File to Upload c:\tools\good.txt in the table below does not yet exist on your
system. You will be creating it during the process of browsing for a file to upload.
Follow the procedure in the second table to create the good.txt file.
Name Good_File
Version 1.0
7. Right-click on good.txt
Step Action Notes
10. Close the document by clicking on the X in the upper right-hand corner and, when
prompted, click Save. Notes: You may alternately perform a File > Save before closing
the file.
Install_ClamWin_AV
Interval 0
Retry Count 0
URL
Update_ClamWin_AV
Interval 0
Retry Count 0
Vendor ClamWin
Step 11 Click Submit.
Step 12 Edit the default AnyAVDefRemediationWin remediation and change the
Remediation Type from Automatic to Manual and click Save.
Activity Verification
You have completed this task when you attain this result:
You have configured posture remediation actions for users whose systems do not meet
compliance requirements.
In this task, you will configure posture requirements that utilize the previously configured
conditions and remediations.
Activity Procedure
Complete these steps:
Step 1 In the left pane, navigate to Work Centers > Posture > Policy Elements >
Requirements.
Step 2 Edit the Any_AV_Installation_Win requirement and modify the Remediation
Action. Change the Message Text shown to Agent User to the following:
An approved Antivirus program was NOT detected on your PC. All users must
have a current AV program installed before access is granted to the network. If
you would like to install a free version of ClamWin AV, please go to
http://tools.demo.local/updates/clamwin-0.99.1-setup.exe
Tip You may access the following resource from a separate tab in Firefox to copy/paste
message text:
http://tools.demo.local/cp/Posture-Requirements-excercise-6.rtf
Step 3 Add the following Requirements by using the same method as adding policy rules
(Edit down arrow at end of line).
Posture Requirement ClamWin AV Install Win
Attribute Value
All users must have ClamWin with current signatures. Please click start
to update the signatures now.
PuTTY 62
Good File
Bad File
Step 4 You should have the following requirements at the bottom of your list.
Activity Verification
You have completed this task when you attain this result:
You have configured both the conditions you have previously configured and the
remediation actions into posture requirement configurations.
Activity Procedure
Complete these steps:
Step 1 Navigate to Work Centers > Posture > Posture Policy.
Step 2 Create the following rules.
Note Posture Policy Status is configured by changing the icon at the beginning of the rule.
Note Requirement Status is configured by changing the icon in front of the Requirement
Name.
Policy Options -
Status Disabled
File Checks
Other Conditions -
Mandatory PuTTY 62
Posture Policy AD Win7 Users AV
Attribute Value
Policy Options -
Status Disabled
AD Win Users AV
Step 3 Verify your configuration with the following screenshots. Order is not important.
Activity Verification
You have completed this task when you attain this result:
You have configured posture policies based on the elements that you have previously
configured in previous tasks.
In this activity, you will perform client based access utilizing the previously configured
posture compliance configuration. After completing this activity, you will be able to meet
these objectives:
Perform client access utilizing the Cisco AnyConnect Unified Agent for
compliance checking.
These are the resources and equipment that are required to complete this activity:
Admin PC
ISE-1
AD1
W10PC-Corp
vWLC
The table describes the commands that are used in this activity.
3650 Switch Commands
Command Description
Activity Procedure
Complete these steps:
AnyConnect Unified Agent Deployment.
Step 1 Return to the W10PC-Corp.
Step 2 Log in as student / 1234QWer.
Step 3 Open up network settings and enable the NIC if not enabled.
Step 4 Open Services from Windows Administrative Tools in the Start menu.
Step 5 Verify and, if necessary, modify the Wired AutoConfig service to have a startup
type of Automatic and then Start the service.
Step 6 Click OK.
Step 7 Close the services console.
Step 8 Return to the NIC settings and open the properties for the NIC.
Step 9 Click the Authentication tab.
Step 10 Click the Settings button.
Step 11 Uncheck the box to validate the server certificate.
Step 12 Click OK.
Step 13 Make sure the box is unchecked.
Step 14 Click OK.
Step 15 Restart the client machine using the Start menu and log back in as employee1 /
1234QWer.
Step 16 Open Firefox browser.
Step 17 Browse to http://www.cisco.com; you should be redirected to the Client
Provisioning Portal. Accept any security notices if presented.
Step 18 You should be notified that a Device Security Check is required; click Start.
Step 19 The process will attempt to detect if the AnyConnect Posture Agent is installed.
Once prompted, click + This is my first time here.
Step 20 In the instructions click the hyperlink to Click here to download, install
AnyConnect.
Step 21 Click Save File.
Step 22 Click the file in the download dialog box; when the next dialog box is presented,
click Run.
Step 23 The Cisco Network Setup Assistant should notify you that you are connected to
ise-1.demo.local, whose identity has been certified. Click Connect.
Note If the installation process shows Failed to launch Cisco AnyConnect Secure Mobility
Client Downloader and does not prompt for a reboot, proceed by logging off and continuing.
Only if Step 30 does not appear as described, uninstall the Cisco AnyConnect Secure
Mobility Client (which includes a reboot) and perform the task from Step 20 again.
Step 26 Once the system is back up, login again as employee1 / 1234QWer.
Step 27 Once logged in, AnyConnect will log on via EAP-FAST and the ISE Posture
module will perform a scan. The results will show that the Good File update is
required. Click Start to begin remediation.
Step 31 In the live authentications list observe the authentication process of Pending , and
then Compliant after remediation.
Step 37 Find the most recent logon for the employee1 user that was assigned the Wired
Employee Access authorization profile.
Step 38 Click on the Posture Status of Compliant hyperlink. This will run a summary
report from the endpoint in a new tab.
Activity Verification
You have completed this task when you attain this result:
You have accessed the network via an employee account, and that session has been
processed for compliance via the Cisco AnyConnect Unified Agent.
You have remediated your compliance requirements based on instructions received via
the Cisco AnyConnect Unified Agent.
In this activity, you will examine the effects of a faulty policy and review methods of
identifying and troubleshooting such a policy. After completing this activity, you will be
able to meet these objectives:
Use Posture Reports for troubleshooting
Use the Posture Troubleshooter tool
These are the resources and equipment that are required to complete this activity:
Admin PC
ISE-1
AD1
W10PC-Corp
vWLC
In this task you will configure a faulty policy in order to generate failure events that will be
utilized in future tasks.
Activity Procedure
Complete these steps:
Step 1 On the admin PC, in the Cisco ISE admin portal navigate to Policy > Policy
Elements > Conditions and then Posture > File Condition.
Step 2 Edit the PuTTY_Version you created earlier.
Step 3 Change the file from PUTTY.EXE to PUTTTY.exe (you are adding an extra
Step 10 Do not remediate; wait for the timer to expire and then continue to the next
task.
Activity Verification
You have completed this task when you attain this result:
You have configured a faulty policy that has resulted in a failed compliance access
attempt.
In this task, you will examine posture reports as a mechanism to troubleshoot compliance-
based access failures.
Activity Procedure
Complete these steps:
Step 1 In ISE, navigate to Work Centers > Posture > Reports and then Reports >
Posture Reports > Posture Assessment by Endpoint.
Step 2 Modify the Time Range from Today to Last 30 Minutes.
Step 3 Click on the Details icon for the failed posture assessment.
Step 4 Scroll to the bottom of the report and observe the Posture Policy Details.
Step 5 Observe that the Failed condition is PuTTY_Version.
Step 6 Also observe that Bad File, which is in Audit enforcement mode (transparent to the
user), is not in the Passed column either. This check was skipped because file checks
are evaluated serially, one at a time, so the remaining checks were not run after the failure.
Activity Verification
You have completed this task when you attain this result:
You have run a posture report and identified the failing condition.
In this task, you will examine posture troubleshooter as a mechanism to identify compliance-
based access failures.
Activity Procedure
Complete these steps:
Step 1 In ISE, navigate to Work Centers > Posture > Troubleshoot.
Step 2 In the form, click the Select button at the end of the Username field. In the next
pop-up click Search. From the list of Usernames select employee1 and click
Apply.
Step 3 Go to the bottom of the form and click Search.
Step 4 In the results, click the failed result and click Troubleshoot.
Step 6 Observe the details of what passed and what failed, presented in another format.
Activity Verification
You have completed this task when you attain this result:
You have run the posture troubleshooter and identified the failing condition.
In this task, you will correct the policy you purposely misconfigured at the beginning of this
lab. You will also observe the result of an audit condition via posture reports.
Activity Procedure
Complete these steps:
Policy Correction
Step 1 Navigate to Work Centers > Posture > Policy Elements and then Conditions >
File.
Step 2 Edit the PuTTY_Version you modified earlier.
Step 3 Change the file from PUTTTY.EXE to PUTTY.exe (you are removing the
extra
Tip This is an effective way of analyzing systems upon access to determine the status of a
program without notifying the user.
Tip One example of using this feature would be to analyze systems for a file or files that are
suspicious. An administrator could determine if the files are on any of the systems, and
then make decisions on how to proceed.
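The following is an added example, not Cisco ISE code or part of this lab guide: a small Python model of the semantics the lab relies on in the file-condition cautions (case sensitivity, Later than versus Later than or Equal to), the serial evaluation that skips the remaining checks after a mandatory failure, and the transparent Audit status. The class names, the 0.61 version threshold, the PuTTY path and the endpoint file inventories are assumptions constructed for the demo.

```python
"""Toy model of the posture-evaluation semantics walked through in this lab.

Added example, not Cisco ISE code. Class and function names, the version
threshold and the endpoint file inventories are assumptions for the demo.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def version_tuple(v: str) -> Tuple[int, ...]:
    """'0.62' -> (0, 62) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split(".") if p)


@dataclass
class FileCondition:
    name: str
    path: str                      # full path checked on the endpoint
    operator: str                  # Exists, DoesNotExist, LaterThan, LaterThanOrEqual
    version: Optional[str] = None  # threshold for the version operators (assumed)
    case_sensitive: bool = False   # lab caution: NAC Agent is case sensitive, AnyConnect is not

    def evaluate(self, files: Dict[str, str]) -> bool:
        """files maps full path -> file version string present on the endpoint."""
        if self.case_sensitive:
            found = files.get(self.path)
        else:
            found = {p.lower(): v for p, v in files.items()}.get(self.path.lower())
        present = found is not None
        if self.operator == "Exists":
            return present
        if self.operator == "DoesNotExist":
            return not present
        if self.operator == "LaterThan":
            # strictly later: a file at exactly the threshold version fails
            return present and version_tuple(found) > version_tuple(self.version)
        if self.operator == "LaterThanOrEqual":
            return present and version_tuple(found) >= version_tuple(self.version)
        raise ValueError(f"unknown operator {self.operator!r}")


@dataclass
class Requirement:
    name: str
    condition: FileCondition
    status: str                    # "Mandatory" or "Audit"


def evaluate_posture(requirements: List[Requirement], files: Dict[str, str]) -> dict:
    """Walk the requirements in order, serially, as the lab describes.

    A failed Audit requirement is recorded but does not affect compliance. A failed
    Mandatory requirement makes the endpoint NonCompliant and the remaining
    requirements are skipped, so they appear in neither the Passed nor Failed column.
    """
    report = {"passed": [], "failed": [], "skipped": [], "status": "Compliant"}
    for i, req in enumerate(requirements):
        if req.condition.evaluate(files):
            report["passed"].append(req.name)
        elif req.status == "Audit":
            report["failed"].append(req.name)
        else:
            report["failed"].append(req.name)
            report["status"] = "NonCompliant"
            report["skipped"] = [r.name for r in requirements[i + 1:]]
            break
    return report


def lab_requirements(putty_path: str = r"C:\tools\PUTTY.EXE") -> List[Requirement]:
    """The three file checks from the lab; the PuTTY path and 0.61 threshold are assumed."""
    return [
        Requirement("PuTTY 62", FileCondition("PuTTY_Version", putty_path, "LaterThan", "0.61"), "Mandatory"),
        Requirement("Good File", FileCondition("Good_File", r"C:\tools\good.txt", "Exists"), "Mandatory"),
        Requirement("Bad File", FileCondition("Bad_File", r"C:\test\virus.txt", "DoesNotExist"), "Audit"),
    ]


# Constructed endpoint: PuTTY 0.62 present (lower-case path), good.txt missing, virus.txt present.
ENDPOINT = {r"C:\tools\putty.exe": "0.62", r"C:\test\virus.txt": ""}


def run_demo() -> dict:
    """Reports for the correct policy, the faulty PUTTTY.exe policy, the remediated
    endpoint, plus the two cautions: case sensitivity and the Later than boundary."""
    remediated = dict(ENDPOINT, **{r"C:\tools\good.txt": "1.0"})
    at_threshold = {r"C:\tools\putty.exe": "0.61"}
    return {
        "correct": evaluate_posture(lab_requirements(), ENDPOINT),
        "faulty": evaluate_posture(lab_requirements(r"C:\tools\PUTTTY.exe"), ENDPOINT),
        "remediated": evaluate_posture(lab_requirements(), remediated),
        # NAC Agent semantics: upper-case condition path vs lower-case file on disk
        "nac_case_sensitive": FileCondition("v", r"C:\tools\PUTTY.EXE", "Exists",
                                            case_sensitive=True).evaluate(ENDPOINT),
        "later_than": FileCondition("v", r"C:\tools\PUTTY.EXE", "LaterThan", "0.61").evaluate(at_threshold),
        "later_or_equal": FileCondition("v", r"C:\tools\PUTTY.EXE", "LaterThanOrEqual", "0.61").evaluate(at_threshold),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The faulty report reproduces what the posture report shows in this lab: PuTTY_Version fails and Bad File is neither passed nor failed, while the remediated report shows the audit-mode Bad File failure leaving the endpoint Compliant.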
Activity Verification
You have completed this task when you attain these results:
You have corrected the policy configuration that you introduced at the beginning of
the lab.
You have observed the failed condition that is running in audit enforcement mode.
Complete this lab activity to practice what you learned in the related module.
In this activity, you will access the network via an AnyConnect VPN connection and
compliance checking. After completing this activity, you will be able to meet these
objectives:
Configure Cisco ISE to process VPN access
Configure authorization components and policies to support compliance based VPN
access
Configure client provisioning for remote Cisco AnyConnect VPN access
These are the resources and equipment that are required to complete this activity:
Admin PC
ISE-1
AD1
W10PC-Corp
vWLC
W10PC-CoA
ASAv
In this task, you will modify the ASAv configuration in preparation for the VPN Access.
Activity Procedure
Complete these steps:
ASAv Preparation
Step 1 From the Admin PC desktop, open ASDM/IDM Launcher.
Step 2 Connect to 10.1.100.4 using the credentials admin / 1234QWer.
Step 3 Navigate to the menu selection Tools > File Management.
Step 4 Verify that anyconnect-win-4.5.04029.0-webdeploy-k9.pkg is present on the
flash.
Name ASAv
Location HQ
Name VPN_Access; Description VPN Access; Conditions DEVICE:Device Type EQUALS All Device
Types#VPN; Allowed Protocols Default Network Access
Name acl_vpn_permit
DACL Content
Name acl_vpn_remediate
DACL Content
Step 17 Navigate to Policy > Policy Elements > Results and then to Authorization >
Authorization Profiles.
Step 18 Create the three following authorization profiles. Submit your changes after each
entry.
VPN Full Access Authorization Profile
Attribute Name Value
Common Tasks
Common Tasks
Common Tasks
Authentication Policy
Step 19 Navigate to Policy > Policy Sets.
Step 20 Open the VPN_Access policy set.
Step 21 Modify the Default Authentication Policy.
Step 22 Change the authentication source to All_AD_Join_Points.
Step 23 Add the two following Authorization Rules in order above the Default rule.
VPN Compliant Authorization Policy
Attribute Value
Attribute Value
Step 24 Change the Default rule to VPN Posture.
Step 25 Compare your configuration with the following screenshot. It is imperative that
the rules are in the proper order, with VPN Redirect as the bottom rule.
VPN [X]
Web Security [ ]
ASA Posture [ ]
Profile Selection
VPN <delete>
Web Security
Customer Feedback
Customization Bundle
Localization Bundle
Deferred Update
Installation Options
Creating the Client Provisioning Policy
Step 32 Navigate to Policy > Client Provisioning.
Step 33 Create a new policy at the top of the list with the following parameters.
AC Employee Win All VPN Client Provisioning Policy Rule
Attribute Value
Activity Verification
You have completed this task when you attain these results:
You have prepared the ASAv for operation with this lab.
You have added the ASAv as a NAD.
You have created a policy set for VPN access.
Activity Procedure
Complete these steps:
Step 1 Access your pod W10-CoA PC and login with the credentials student \
1234QWer
Initial VPN Connection
Step 2 From the system tray, Open AnyConnect.
Step 3 For this lab environment, ensure that connections are allowed to untrusted
servers. Click on the cog icon in the lower left corner.
Step 4 On the Preferences tab page, uncheck the Block connections to untrusted
servers.
Step 5 Close this window.
Step 6 Connect to the VPN server asav.demo.local.
Step 7 At the Security Warning pop-up, click Connect Anyway.
Step 8 When prompted for credentials for the ISE_VPN group, use the credentials
employee2@demo.local / 1234QWer.
Step 9 Connect by clicking OK, then select Connect Anyway.
Note If you are not prompted to connect to the ISE_VPN group, notify your instructor.
Step 10 A certificate warning might be displayed. Click Connect and reconnect to the
VPN. You will see in the lower right corner that the VPN is Connected.
Examine Cisco ISE Authentication Records
Step 11 Return to the Cisco ISE admin portal on the admin PC.
Step 12 Navigate to Operations > RADIUS > Live Logs.
Step 13 Observe the authentication record details for the employee2@demo.local user
who was assigned the VPN Posture authorization profile.
Step 14 Access the ASAv via PuTTY and enter the following command to observe the
ISE Posture Section at the end.
Step 15 Return to the W10-CoA PC.
Step 16 Open Firefox and browse to http://tools.demo.local
Step 17 - website, click Advanced and then Add
Step 31 The results will show that the Good File update is required. Click Start to begin
remediation.
Step 32 Navigate to C:\ create the Test folder, enter the folder and then click Save.
Step 33 You will be notified that the save operation was successful and given the
opportunity to open the folder location where the file was saved. Click Cancel.
Step 34 System Scan will evaluate the system and then determine the system is
compliant.
Step 35 On the Admin PC, return to the ASAv CLI in Putty and run the following
command again. Observe the Filter Name is the dACL from ISE.
Activity Verification
You have completed this task when you attain these results:
You have successfully performed a Cisco AnyConnect VPN access and had the
AnyConnect client upgraded to support compliance checking.
You have performed remediation over VPN and reviewed the associated authentication results.
In this activity, you will configure Cisco ISE to provision Cisco posture agents. The AMP
Enabler will download the AMP for Endpoints connector, formerly known as FireAMP.
These are the resources and equipment that are required to complete this activity:
Admin PC
ISE-1
AD1
W10PC-Corp
vWLC
W10PC-CoA
ASAv
The table describes the commands that are used in this activity.
ASAv CLI Commands
Command Description
Activity Procedure
Complete these steps:
ASAv Preparation
Step 1 On the Admin-PC, open Firefox. Connect to https://console.eu.amp.cisco.com/
Step 2 In the top left of the window, click the small green lock symbol.
Step 5 Click the Details tab, and then click
Step 6 Save the Certificate to the Desktop accepting the default name.
Step 7 Login to AMP for Endpoints. Your Instructor will provide the necessary
credentials.
Step 8 Navigate to Management > Download Connector. Select Group > Audit and
click Show URL.
Step 12 In Cisco ISE Gui, navigate to Administration > System > Certificates >
Certificate Management > Trusted Certificates
Step 13 In the right pane click Import.
Step 14 Browse to the Desktop and select the previously added euampciscocom.crt
certificate.
Step 15 Set FireAMP Cisco Cert as Friendly Name and trust the Certificate for
Authentication within ISE as well as Authentication of Cisco Services.
Activity Verification
You have completed this task when you attain these results:
You have connected to the AMP for Endpoints Portal and prepared Cisco ISE to download the
AMP Connector for Windows.
In this task, you will review client provisioning settings and then perform a posture
component update and build a compliance rule.
Activity Procedure
Complete these steps:
ASAv Preparation
Step 1 On the Admin-PC, using the Cisco ISE admin interface, navigate to Policy >
Policy Elements > Conditions > Posture > File Condition. Review the
Bad_File condition. If the file is not present, the PC will be deemed Compliant.
Verify your configuration with the screenshot shown.
Step 2 Navigate to Policy > Policy Elements > Results > Posture > Requirements.
Review the Bad File requirement. Verify with the screenshot shown.
In this task, you will configure Cisco ISE for the download and management of Cisco
AnyConnect posture agents, and the AMP Connector.
Activity Procedure
Complete these steps:
ASAv Preparation
Step 1 Edit the Posture Policy. Navigate to Policy > Policy Elements > Results >
Client Provisioning > Resources.
Step 2 Select and edit the acWinPostureProfile posture agent Profile
Step 3 Scroll down to the Posture Protocol section of the template, delete the
tools.demo.local Discovery host entry and set the Server Name Rules field
to *. Save your configuration.
Configure an AMP Profile. AMP Profiles contain a pointer to the location of the AMP
Connector for Windows Installer (as downloaded earlier from the AMP Cloud to the AD
Server).
Step 4 Navigate to Policy > Policy Elements > Results > Client Provisioning >
Resources.
Step 5 Add a new AMP Enabler Profile named AMPwinProfile as shown in the figure
below.
Step 6 For the Windows Installer URL insert the URL from your previously created
textfile on the Desktop.
Step 7 Click Check next to the inserted link. The result must show File found.
Step 13 In Profile Selection, choose the profiles for AMP Enabler (AMPwinProfile).
Verify your configuration with the example shown.
Activity Verification
You have completed this task when you attain these results:
You have assigned a Client Provisioning Policy that utilizes an AnyConnect
Configuration profile that references:
The AnyConnect Compliance Module
Profiles defined for AMP additionally.
You have configured an Authorization policy that will be used to drive the state of
a connecting endpoint to Compliant, and assigned this profile to an authorization
rule (done in previous labs).
Activity Procedure
Complete these steps:
ASAv Preparation
Step 1 Enable TC-NAC Services under Administration > System > Deployment >
Edit Node. Check the Enable Threat Centric NAC Service check box under
Policy Service. This selection will add the Threat Centric Menu Options to the
ISE GUI under Administration. Save your configuration.
Step 2 To configure the AMP Adapter, navigate to Administration > Threat Centric
NAC > Third Party Vendors > Add. Add a vendor instance for AMP. Save the
instance.
Note This process can take several minutes to start up before allowing you to continue.
Step 3 Once the required fields are added, the instance status will transition to Ready to
Configure. Click this field to begin the AMP adapter configuration. Click Next
to bypass the proxy configuration screen.
Step 4 Select the EU Cloud for the AMP Public Cloud option. Then click Next.
Step 5 Click the AMP link under SAS External URL. You will then be required to log
in to the AMP for Endpoints account as an administrator. Your instructor will
provide your credentials.
Activity Verification
You have completed this task when you attain these results:
You have enabled and provisioned Threat Centric NAC services.
In this task, you will verify your configurations.
Activity Procedure
Complete these steps:
Step 1 Access the W10PC-Corp PC
Step 2 Restart the PC and then log in as demo\employee1 / 1234QWer.
Step 3 Wait for the AnyConnect System Scan to display the warning about the Bad File
found.
Step 4 Open windows explorer and delete the virus.txt under C:\test\ you created in an
earlier lab.
Step 5 Click Start to recheck with the requirements. You should now be compliant.
Step 6 Then, the AMP Enabler module should start downloading and installing AMP
for Endpoints. See the following screenshots for the procedure:
Activity Verification
You have completed this task when you attain these results:
You have verified provisioning of AMP for Endpoints on the client PC.
These are the resources and equipment that are required to complete this activity:
Admin PC
AD1
ISE-1
In this task, you will configure Cisco ISE to perform backups.
Activity Procedure
Complete these steps:
Configuring Repositories.
Step 1 Access the Admin PC and connect to the ISE GUI via https://ise-1.demo.local.
Step 2 To enable device administration, navigate to Administration > System >
Deployment. Edit the ISE node by clicking on ise-1. Under General Settings,
enable the Device Admin Service and Save the settings.
Step 9 Privilege_Level_15
of 1 and maximum privilege level 15. Click Submit.
Step 10 For policy creation, navigate to Work Centers > Device Administration >
Device Admin Policy Sets. You are about to create a new policy set to handle
Network Devices that use Cisco IOS software.
Step 11 Click the Plus icon or click the gear icon and select Insert new row above to
create a new Policy Set above the Default Policy Set.
Step 16 Next, edit the Authentication Policy to use All_AD_Join_Points as the Identity
Store.
Step 17 Click Done.
Step 20 Now add a policy for contractors. Start by clicking the gear icon at the end of the
new employee policy, and choose Insert New Rule Above. Configure this new
rule according to the chart below.
Attribute Value
Step 21 Click Save and check your work against the example below.
Step 22 To configure the switch, access the 3k-access switch console, and enter the
commands that are shown below. You can find a text file for copy and paste under
http://tools.demo.local/cp as tacacs-switch-config.txt
Open another Putty SSH session to the 3k-access switch (10.1.100.1) and
login using employee1 / 1234QWer. This should succeed.
Type enable to get higher privilege. When prompted for a password,
enter 1234QWer. This authentication succeeds, according to the policy
you created.
If you like, you can enter the show privilege command to verify your
privilege level is 15.
Step 24 Navigate to Operations > TACACS > Live Logs to see the authentication and
authorization records.
Step 25 For the failed contractor entry, click the Details icon, as shown above. You can
analyze the details of each session. Some of the more pertinent information
includes the Authorization details, as shown below.
Activity Verification
You have completed this task when you attain these results:
You have enabled device administration on the Cisco ISE.
You have configured a new Network Device Group (NDG).
You have modified a NAD definition in Cisco ISE to accommodate device
management.
You have added new TACACS+ Profiles to accommodate unique privilege levels.
You have created a new device admin policy set that differentiates between
employees and contractors, assigning the profiles that you created, as appropriate.
You successfully tested access control policy with employee and contractor user
accounts.
In this exercise, you will configure TACACS+ command authorization and bind these
commands to a device administration policy. Privilege-level authorization associates
commands with privilege levels, per network device. ISE can then apply the default and
maximum privilege level to a user upon log in. Privilege level authorization requires each
device be configured with privilege levels and command sets (overriding the default privilege
levels). TACACS+ command authorization centralizes the administration of commands to be
allowed or denied. When TACACS+ command authorization is enabled, each command that
is entered on a device is authorized against the TACACS+ service.
You will begin this lab by configuring TACACS Command sets. Then you will modify the
authorization policy to use these command sets. You will modify the switch configuration to
support command authorization, and then test the various users to check their access levels.
These are the resources and equipment that are required to complete this activity:
Admin PC
AD1
ISE-1
In this task, you will configure Cisco ISE to control admin access to IOS devices.
Activity Procedure
Complete these steps:
Configuring Repositories.
Step 1 Navigate to Work Centers > Device Administration > Policy Elements >
Results > TACACS Command Sets. You are about to create two command sets,
one with full access, and one with limited access to a specific set of commands.
Step 2 Click Add to create a new command set. Configure the name as
Permit_All_Commands, and click the checkbox for Permit any command that
is not listed below.
permit ping
Note Click the Add button to add each command. After entering each command, make sure to
click the checkmark at the end of the line to save the command.
Step 7 Navigate to Work Centers > Device Administration > Device Admin Policy
Sets > Wired_Devices.
Step 8 Modify the rule named Contractor_Privilege_1.
Step 9 Click into the Command Sets box, and choose Limited_Access.
Step 10 Click the down-arrow in the Shell Profiles box, and choose Privilege_Level_15.
Note Although the contractors now have access to privilege level 15, they are limited to the
commands specified in the assigned command set.
Step 15 To configure the switch, access the 3k-access switch (10.1.100.1) via PuTTY
again as employee1 / 1234QWer and the enable password 1234QWer.
Enter the following commands to enforce command authorization via TACACS+.
Step 16 Close the PuTTY session and open a new PuTTY SSH session to 3k-access.
Login using the credentials contractor1 / 1234QWer. This should
succeed.
Type enable. When prompted for a password, enter 1234QWer.
Notice that this access now succeeds, because you modified the
authorization policy to apply the Privilege_level_15 shell profile.
Execute the following commands and observe which commands pass and
fail.
show privilege
show running-config
ping 10.1.100.10
show interface (should not succeed)
configure terminal (should not succeed)
Check the Live Logs to see the information for command passes and failures.
Click a Details icon if you would like to see more information about any failures.
Step 17 Open another PuTTY SSH session to the 3k-access switch and login using the
credentials employee1 / 1234QWer. This action should succeed.
Type enable to gain a higher privilege level. Use 1234QWer as the
enable password. This action should succeed, as it did in the previous lab.
Execute the same commands as per Step 12. You should notice that
employee1 can execute all the commands.
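The following is an added example, not Cisco ISE or Cisco IOS code: a small Python model of how a TACACS+ command set authorizes the commands this exercise has contractor1 and employee1 enter, with Permit_All_Commands permitting anything not listed and Limited_Access permitting only listed commands. Only "permit ping" is visible on the page for Limited_Access; the additional show rule and the match-precedence logic are assumptions chosen to reproduce the lab's expected pass/fail results.

```python
"""Toy TACACS+ command-set matcher for the command-authorization exercise.

Added example, not Cisco ISE or IOS code. The Limited_Access entries beyond
"permit ping" and the precedence rules are assumptions for the demo.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Sequence, Tuple


@dataclass
class CommandRule:
    grant: str             # "PERMIT", "DENY" or "DENY_ALWAYS"
    command: str           # command keyword, e.g. "show"
    arguments: str = ""    # regex for the rest of the line; "" matches anything


@dataclass
class CommandSet:
    name: str
    permit_unmatched: bool = False   # "Permit any command that is not listed below"
    rules: List[CommandRule] = field(default_factory=list)

    def authorize(self, line: str) -> Tuple[bool, str]:
        """Authorize one command line as the device sends it: (permitted, reason).

        Abbreviations such as "sh run" are not expanded here; the rules match the
        full keyword only.
        """
        parts = line.strip().split(maxsplit=1)
        if not parts:
            return False, "empty command"
        cmd = parts[0].lower()
        args = parts[1] if len(parts) > 1 else ""
        matches = [r for r in self.rules
                   if r.command.lower() == cmd and re.fullmatch(r.arguments or ".*", args)]
        # assumed precedence: DENY_ALWAYS wins, then the first listed match, then the checkbox
        if any(r.grant == "DENY_ALWAYS" for r in matches):
            return False, f"{self.name}: DENY_ALWAYS on {cmd}"
        if matches:
            rule = matches[0]
            return rule.grant == "PERMIT", f"{self.name}: {rule.grant} {rule.command} {rule.arguments!r}"
        return self.permit_unmatched, f"{self.name}: unmatched, permit_unmatched={self.permit_unmatched}"


PERMIT_ALL = CommandSet("Permit_All_Commands", permit_unmatched=True)

# Limited_Access: "permit ping" is from the lab; the show rule is assumed so that
# "show privilege" and "show running-config" pass while "show interface" fails.
LIMITED_ACCESS = CommandSet("Limited_Access", rules=[
    CommandRule("PERMIT", "ping"),
    CommandRule("PERMIT", "show", r"(privilege|running-config)"),
])

# The commands the lab has each user try after enable (Step 16 / Step 17).
LAB_COMMANDS = (
    "show privilege",
    "show running-config",
    "ping 10.1.100.10",
    "show interface",
    "configure terminal",
)


def authorize_all(command_set: CommandSet, commands: Sequence[str] = LAB_COMMANDS) -> Dict[str, bool]:
    """Map each command to its authorization result under the given command set."""
    return {c: command_set.authorize(c)[0] for c in commands}


if __name__ == "__main__":
    # contractor1 gets Limited_Access, employee1 gets Permit_All_Commands
    for cs in (LIMITED_ACCESS, PERMIT_ALL):
        print(f"== {cs.name} ==")
        for c in LAB_COMMANDS:
            ok, why = cs.authorize(c)
            print(f"{'PASS' if ok else 'FAIL'} {c:22} ({why})")
```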
Activity Procedure
Complete these steps:
Configuring Repositories.
Step 1 To enable login authentication and authorization differentiation, modify the
authentication policy to use different ID stores for login and enable. Navigate to
Work Centers > Device Administration > Device Admin Policy Sets >
Wired_Devices.
Step 2 Select the Wired_Devices Policy Set.
Step 3 Observe the Authentication Policy default rule.
Step 4 Click the gear icon of the Default Rule and insert a new rule above the default
rule.
Step 5 Create a new authentication policy rule as defined below.
Attribute Value
Step 10 Using PuTTY, open an SSH session to the 3k-access switch.
Login using the credentials employee1 / 1234QWer. This should
succeed.
Type enable and use the 1234QWer password. This process will fail as
the enable password is checked against the Internal Users database where
the password for employee1 is different.
Type enable and use Cisco123 as the password. This process should pass
as it matched with the password stored in the Internal Users database.
Go to TACACS Live Logs to check the logging records.
Step 11 For TACACS+ password change ability, open a new PUTTY SSH session to the
3k-access switch. Log in as employee1 / 1234QWer. When asked for enable
password, press Enter. You will be prompted for old password Cisco123,
followed by the new password 1234QWer.
Activity Verification
You have completed this task when you attain these results:
You have configured TACACS command sets to differentiate user access.
You have modified the authorization policy to use the new command sets.
You have configured the switch for command authorization
You have tested various users to check their access levels
You have validated the ability to change passwords
Complete this lab activity to practice what you learned in the related module.
In this activity, you will configure Cisco ISE for backup and examine the process to
patch. After completing this activity, you will be able to meet these objectives:
Configure Cisco ISE backups
Patch a Cisco ISE instance
These are the resources and equipment that are required to complete this activity:
Admin PC
AD1
ISE-1
Activity Procedure
Complete these steps:
Configuring Repositories.
Step 1 In the Cisco ISE admin portal navigate to Administration > System >
Maintenance and then Repository.
Step 2 In the right-hand pane, click +Add.
Step 3 Create the following Repository.
Admin_PC - Repository Configuration
Attribute Value
Repository Configuration
Protocol FTP
Location
Path /
Credentials
Password 1234QWer
Step 7 Configure the following Backup Configuration Schedule.
Backup_CFG Schedule Configuration Backup
Attribute Value
Name Backup_CFG
Repository Admin_PC
Frequency Weekly
At Time 12:00AM
On Day Sunday
Step 8 Verify your configuration with the following screenshot and then click Save.
Name Backup_MnT
Repository Admin_PC
Frequency Daily
At Time 02:00AM
Step 11 Verify your configuration with the following screenshot and then click Save.
Review the Process for Performing an On-Demand Backup
Step 12 Click the Backup Now button in the upper left corner of this page.
Step 13 Examine the form and observe that it is a simpler version of the scheduled backup
form, without a description or the ability to schedule, but with the ability to select
the Configuration or Operational backup type.
Step 14 Click Cancel.
Note Your instructor will notify you if there is a patch file to install and where it is located.
Step 18 You would then click Install. Cisco ISE would then upload the file via the
browser and process the patch. All services would be stopped and then restarted.
Note Patching is a maintenance window operation. All functional services are stopped and
restarted.
Activity Verification
You have completed this task when you attain these results:
You have configured the repository for Cisco ISE.
You have configured the configuration database backup.
You have configured the monitoring database backup.
You have reviewed the process to patch Cisco ISE.
In this activity, you will configure administrative access settings for Cisco ISE. After
completing this activity, you will be able to meet these objectives:
Control administrative access to Cisco ISE
Configure authentication and authorization for administrative sessions
These are the resources and equipment that are required to complete this activity:
Admin PC
AD1
ISE-1
In this task, you will review and configure administrative access settings.
Activity Procedure
Complete these steps:
Session Settings
Step 1 Navigate to Administration > System > Admin Access and then Settings >
Session.
Step 2 Observe that the Session Idle Timeout range is 6 to 100 minutes.
Step 3 Click the Session Info tab.
Step 4 You should see your current session.
Step 5 Open Google Chrome, log in to the ISE admin portal and open the Live Logs.
Step 6 Return to Firefox and click Refresh in the upper right section above the toolbar.
Step 7 Select your session and then attempt to click Invalidate. You are not able to
invalidate your own session.
Step 8 Select the new session and click Invalidate and confirm you want to invalidate
this administrative session by clicking OK.
Step 9 Return to Google Chrome and attempt to navigate anywhere in the portal. You
will be returned to the login screen.
Step 10 Close Google Chrome browser and return to Firefox.
Access Settings
Step 11 In the left pane navigate to Admin Access > Settings > Access.
Step 12 Observe the ability to limit concurrent sessions and to configure pre- and post-login
banners for both GUI and CLI access.
Step 13 Click the IP Access tab.
Step 14 Select Allow only listed IP addresses to connect.
Step 15 In the IP List section click +Add.
Step 16 In the pop-up form enter 10.1.100.0 for the IP Address and 24 for the netmask in
CIDR format.
Step 17 Click OK and click Save.
Activity Verification
You have completed this task when you attain these results:
You have configured administrative access session settings.
You have invalidated an administrative session.
You have configured IP access restrictions for administrative sessions.
Activity Procedure
Complete these steps:
Microsoft Active Directory Integration
Step 1 Navigate to Administration > System > Admin Access and then
Authentication.
Step 2 In the right pane, for password access, select the Identity Source AD:demo.local.
Step 3 Click Save.
Create AD Shadow Account
Step 4 In the left pane, navigate to Admin Access > Administrators > Admin Users.
Step 5 In the right pane, click +Add and select Create an Admin User.
Step 6 For the Name type ITAdmin.
Step 7 Delete the contents from the Email field.
Step 8 Select the External Box.
Step 9 Scroll down and select the Admin Group Super Admin.
Step 10 Click Submit.
Link External AD Group to Super Admins
Step 11 In the left pane, navigate to Admin Access > Administrators > Admin Groups.
Step 12 From the list, Edit the Super Admin group.
Step 13 Select the External Box.
Step 14 In the External Groups drop-down, select demo.local/HCC/Groups/IT Staff.
Step 15 Scroll down and click Save.
Creating AD Permission Sets
Note
additional configuration.
Step 16 In the left pane, navigate to Admin Access > Administrators > Admin Groups.
Step 17 Click +Add in the right pane tool bar.
Step 18 Enter the Name AD Staff.
Step 19 Configure the type to only be External.
Step 20 In the External Groups drop-down, select demo.local/HCC/Groups/Staff.
Step 21 Click Submit.
Creating an External Group RBAC Policy
Data Access
Step 22 In the left pane, navigate to Admin Access > Authorization > Permissions >
Data Access.
Step 23 In the right pane, click +Add.
Step 24 Enter the Name AD_Staff_Access.
Step 25 In the Data Access Privileges, expand Endpoint Identity Groups.
Step 26 With Endpoint Identity Groups selected, click Full Access on the right. After
saving, this grants access to that level and all sub-levels below it.
Step 27 Click Submit.
Menu Access
Step 28 In the left pane, navigate to Admin Access > Authorization > Permissions >
Menu Access.
Step 29 In the right pane, click +Add.
Step 30 Enter the Name AD_Staff_Menu.
Step 31 In the same way that you assigned Data Access Privileges, give Show access to the
following Menu Access Privileges:
Home
Operations > RADIUS
Note Select only the items listed above. Do not assign Show privileges to all of Operations or
Administration, only to the indicated sub-menu.
Permissions AD_Staff_Menu
Step 36 Verify your configuration with the following screenshot and then scroll down and
click Save.
Activity Verification
You have completed this task when you attain these results:
You have configured Cisco ISE to authenticate administrative access via Active Directory.
You have created a shadow account in Cisco ISE that is linked to an external Active
Directory account.
group.
You have created a custom Active Directory permissions set.
You have completed the entire process of creating an external RBAC policy.
In this task, you will test administrative access based on the configuration in your previous
task.
Activity Procedure
Complete these steps:
Step 1 To keep your existing administrative session in Firefox, open the Google Chrome
browser for this task.
Step 2 Navigate to the URL https://ise-1.demo.local.
Step 3 On the login page, select the Identity Source demo.local.
Step 4 Use ITAdmin as the Username with the password 1234QWer.
Step 5 Click Login.
Step 6 Observe that you have full super admin access to the entire Cisco ISE admin
portal.
Step 7 In the upper right click Logout.
Step 8 Re-login using the credentials Staff1 / 1234QWer.
Step 9 Observe that the Cisco ISE admin portal is limited to just Home and
Operations > RADIUS.
Activity Verification
You have completed this task when you attain these results:
You have successfully logged in to Cisco ISE with Active Directory credentials.
You have successfully observed the RBAC restrictions in the Cisco ISE admin
portal interface.
In this activity, you will review some of the diagnostic tools available via the Cisco ISE
admin portal. After completing this activity, you will be able to meet these objectives:
Run the RADIUS Authentication Troubleshooting tool
Perform a TCPDump traffic capture on Cisco ISE.
These are the resources and equipment that are required to complete this activity:
Admin PC
AD1
ISE-1
In this task, you will explore the RADIUS Authentication Troubleshooting tool.
Activity Procedure
Complete these steps:
Step 1 Return to the Cisco ISE admin portal in Firefox.
Step 2 Navigate to Operations > Troubleshoot > Diagnostic Tools and then General
Tools > RADIUS Authentication Troubleshooting.
Step 3 Examine the troubleshooting form and the available fields.
Step 4 Click the Select button at the end of the NAS IP line.
Step 5 In the pop-up, click Search.
Step 6 Select 10.1.100.1 from the criteria list and click Apply.
Step 7 Change the Authentication Status drop-down to Fail.
Step 8 Change the Time Range drop-down to Last 7 days.
Step 9 Click Search.
Step 10 Select any Failure Reason.
Step 11 Scroll down and click Troubleshoot.
Step 12 When presented, click Show Results Summary.
Step 13 Examine the presented data expanding lines in the Troubleshooting Summary if
possible.
Step 14 At the bottom click Show Progress Details and you are returned to the overview.
Step 15 Click Done to close this troubleshooting session.
Activity Verification
You have completed this task when you attain this result:
You have run the RADIUS Authentication Troubleshooting tool using the selected
parameters.
Activity Procedure
Complete these steps:
Step 1 Return to the Cisco ISE admin portal in Firefox.
Step 2 Navigate to Operations > Troubleshoot > Diagnostic Tools and then General
Tools > TCP Dump.
Step 3 Examine the options and in the Filter field enter port 1812.
Tip You can choose Raw Packet Data, and the data will be in libpcap format. Wireshark is a
free application that can open that file type.
Note The switch login depends on whether the TACACS lab was completed earlier. If it was
not, the standard login is admin with the password 1234QWer.
Note Another way to access the switch is via the RemotelabsClient topology overview by
clicking the Switch symbol. This opens a console session at privilege level 15.
Step 8 Enter configuration mode and shut down and then bring up (shutdown, then no
shutdown) interface GigabitEthernet1/0/1.
Step 9 Return to the Cisco ISE admin portal. You should have some traffic captured, as
indicated by a file size other than 0 bytes.
Step 10 Click Stop.
Step 11 Examine the output details at the bottom.
Step 12 Click Download.
Step 13 Save the TCPDump.txt file to your Desktop.
Step 14 Navigate to your Admin PC desktop and find the TCPDump.txt file.
Step 15 Right-click on it and select Open with WordPad.
Step 16 Examine the file contents and when done, close the file.
Step 17 Return to the Cisco ISE Admin Portal.
Activity Verification
You have completed this task when you attain this result:
You have captured RADIUS traffic at the Cisco ISE GigabitEthernet 0 interface and
examined it in human readable form.
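The datagrams that the port 1812 filter captures are RADIUS exchanges between the switch and Cisco ISE. The following is an added example, not part of the lab guide, that decodes such a datagram into the same human-readable fields Wireshark shows and verifies the Response Authenticator against the shared secret; the packets, the shared secret and the employee1@demo.local / 10.1.100.1 pairing are constructed for the example.

```python
"""Decode RADIUS datagrams (UDP/1812) as found in a Cisco ISE TCP Dump capture.
Added example, not from the lab guide; the packets and secret are constructed."""
import hashlib
import struct

CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
ATTRS = {1: "User-Name", 2: "User-Password", 4: "NAS-IP-Address", 6: "Service-Type"}


def parse_radius(pkt: bytes) -> dict:
    """Split one RADIUS datagram into header fields and a list of (name, value) AVPs."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if not 20 <= length <= len(pkt):
        raise ValueError("bad RADIUS length field")
    avps, pos = [], 20
    while pos < length:
        typ, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad AVP length")
        val = pkt[pos + 2:pos + alen]
        if typ == 2:
            val = "<hidden>"  # obfuscated with the shared secret; never decoded in a report
        elif typ == 4:
            val = ".".join(str(b) for b in val)  # dotted-quad NAS-IP-Address
        avps.append((ATTRS.get(typ, f"Attr-{typ}"), val))
        pos += alen
    return {"code": CODES.get(code, code), "id": ident, "authenticator": pkt[4:20], "avps": avps}


def build(code: int, ident: int, auth: bytes, avps) -> bytes:
    """Assemble a RADIUS datagram from (type, value) pairs."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in avps)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + auth + body


def response_authenticator_ok(req: bytes, resp: bytes, secret: bytes) -> bool:
    """RFC 2865: ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    expected = hashlib.md5(resp[:4] + req[4:20] + resp[20:] + secret).digest()
    return expected == resp[4:20]


# Constructed Access-Request / Access-Accept pair, as a NAS at 10.1.100.1 would exchange with ISE.
SECRET = b"constructed-shared-secret"
REQ_AUTH = bytes(range(16))  # a real NAS uses 16 random bytes here
REQ = build(1, 7, REQ_AUTH, [(1, b"employee1@demo.local"), (4, bytes([10, 1, 100, 1])),
                             (2, bytes(16)), (6, struct.pack("!I", 1))])
_unsigned = build(2, 7, bytes(16), [(6, struct.pack("!I", 1))])
ACCEPT = _unsigned[:4] + hashlib.md5(_unsigned[:4] + REQ_AUTH + _unsigned[20:] + SECRET).digest() + _unsigned[20:]

if __name__ == "__main__":
    print(parse_radius(REQ), response_authenticator_ok(REQ, ACCEPT, SECRET))
```

A mismatch from response_authenticator_ok on a real capture points at a shared-secret mismatch between the NAS and ISE, one of the most common causes of the failures the RADIUS Authentication Troubleshooting tool reports.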
In this activity, you will explore some Report operation capabilities in Cisco ISE. After
completing this activity, you will be able to meet these objectives:
Run a report with Filters
Save scheduled Report
Designate a Report and save the Report in My Reports
These are the resources and equipment that are required to complete this activity:
Admin PC
AD1
ISE-1
In this task, you will run a report with a filter.
Activity Procedure
Complete these steps:
Step 1 Navigate to Operations > Reports. Then Reports > Endpoints and Users >
Top Authorizations by User.
Step 2 Click Filters and select Identity from the Dropdown. Click OK.
Step 3 In the Identity Store filter, enter *@demo.local to filter out all local and guest
authentications.
Step 4 Create a filter with the settings from the screenshot below.
Note Do not close or leave this report. You will use it in the next task.
Activity Verification
You have completed this task when you attain this result:
You have run a report with a filter.
Activity Procedure
Complete these steps:
Step 1 In the upper right corner of this report, click the Schedule button.
Name Weekly_Top_AD_Authorizations
Description
Repository Admin_PC
Schedule
Frequency Weekly
At Time 6:00 AM
On Day Monday
Step 3 Click Save.
Step 4 In the left pane, navigate down to Scheduled Reports > Scheduled Reports.
Step 5 Observe the successfully saved report.
Activity Verification
You have completed this task when you attain this result:
You have saved a scheduled report.
Activity Procedure
Complete these steps:
Step 1 Navigate to Operations > Reports. Then Reports > Endpoints and Users >
Top Authorizations by User.
Step 2 Click the plus sign right of the Time Range filter and select Identity from the
Dropdown.
Step 3 In the Identity filter, enter *@demo.local to filter out all local and guest
authentications.
Step 4 Select the Time Range of Yesterday.
Tip If you ever desire to remove a report from My Report list, run the report and in the upper
right, select My Reports.
Activity Verification
You have completed this task when you attain this result:
You have run a report and made a My Reports entry.