Professional Documents
Culture Documents
Implementing and
Configuring Cisco
Identity Services
Engine
Version 2.3
COPYRIGHT
© 2018 Fast Lane GmbH. All rights reserved.
All other brands and product names are trademarks of their respective owners.
No part of this book covered by copyright may be reproduced in any form or by any means (graphic, electronic, or mechanical, including
photocopying, recording, taping, or storage in an electronic retrieval system) without prior written permission of the copyright owner.
Fast Lane reserves the right to change any products described herein at any time and without notice. Fast Lane assumes no
responsibility or liability arising from the use of products or materials described herein, except as expressly agreed to in writing by
Fast Lane. The use or purchase of this product or materials does not convey a license under any patent rights, trademark rights, or any
other intellectual property rights of Fast Lane.
The product described in this manual may be protected by one or more patents, foreign patents, or pending applications.
II Implementing and Configuring Cisco Identity Services Engine (SISE2.3) v2.3.0 © 2018 Fast Lane
Table of Contents
SISE Lab Guide 1
Overview 1
Outline 1
Lab 1-1: Complete Cisco ISE GUI Setup 3
Activity Objective 3
Visual Objective 3
Required Resources 3
Task 1: Verify Cisco ISE setup using CLI (skip if done Lab1-1) 4
Task 2: Initial Login and Initial Message Management 6
Task 3: Disable Profiling 12
Lab 2-1: Integrate Cisco ISE with Active Directory 23
Activity Objective 23
Visual Objective 23
Required Resources 23
Task 1: Configure Active Directory Integration 24
Task 2: Configure LDAP Integration 29
Lab 2-2: Basic Policy Configuration 33
Activity Objective 33
Visual Objective 33
Required Resources 33
Command List 34
Task 1: Adjusting Radius Settings 35
Task 2: Create Network Devices and Network Device Groups 37
Task 3: Create Wired and Wireless Policy Sets 47
Task 4: Create Authentication Policy for the Wired and Wireless Policy Set 50
Task 5: Authorization Policy Configuration for AD Employees and AD Contractors 53
Task 6: Client Access – Wired 59
Task 7: Client Access – Wireless 65
Task 8: Creating a Global Exception 70
Task 9: Network visibility with Context Visibility 72
Lab 3-1: Configure Guest Access 74
Activity Objective 74
Visual Objective 74
Required Resources 74
Task 1: Guest Settings 75
Task 2: Guest Locations 77
Lab 3-2: Guest Access Operations 78
Activity Objective 78
Visual Objective 78
Required Resources 79
Task 1: Hotspot Portal Operations 80
Task 2: Self-Registration Portal Operations (Optional) 96
Task 3: Enabling Self-Registration with Sponsor Approval (Optional) 110
Task 4: Sponsored Guest Logins 117
Task 5: Guest Account Management via the Sponsor Portal 132
Lab 3-3: Create Guest Reports 134
Activity Objective 134
Visual Objective 134
Required Resources 134
Task 1: Running Reports from Cisco ISE Dashboard 135
Lab 4-1: Configuring Profiling 138
Activity Objective 138
Visual Objective 138
Required Resources 138
Command List 138
Task 1: Configuring Profiling in Cisco ISE 139
Task 2: Configure the Feed Service 144
Task 3: Configuring Profiling in Cisco ISE 146
Task 4: NAD Configuration for Profiling 148
Lab 4-2: Customizing the Cisco ISE Profiling Configuration 150
Activity Objective 150
Visual Objective 150
Required Resources 150
Task 1: Examine Endpoint Data 151
Task 2: Create a Logical Profile 156
Task 3: Creating a New Authorization Policy using a Logical Profile 157
Task 4: Create a Custom Profile Policy 158
Task 5: Testing Authorization Policies with Profiling Data 162
Lab 4-3: ISE Profiling Reports 166
Activity Objective 166
Visual Objective 166
Required Resources 166
Task 1: Run Cisco ISE Profiling Reports 167
Task 2: Endpoint Profile Changes Report 169
Task 3: Context Visibility Dashlet Reports 170
Lab 5-1: BYOD Configuration 172
Activity Objective 172
Visual Objective 172
Required Resources 173
Task 1: Portal Provisioning 174
Task 2: Provisioning Configuration 178
Task 3: Policy Configuration 183
Task 4: Employee Tablet Registration 190
Lab 5-2: Device Blacklisting 197
Activity Objective 197
Visual Objective 197
Required Resources 198
Task 1: Blacklist a Device 199
Task 2: Lost Access Verification. 202
Task 3: Endpoint Record Observations 203
Task 4: Un-Blacklist the Device 207
Task 5: Verify Access Capability 208
Task 6: Blacklisting a Stolen Device 209
Lab 6-1: Compliance 212
Activity Objective 212
Visual Objective 212
Required Resources 212
Task 1: Posture Preparation 213
Task 2: Authorization Profiles 217
Task 3: Adjusting Authorization Policy for Compliance 220
Lab 6-2: Configuring Client Provisioning 224
Activity Objective 224
Visual Objective 224
Required Resources 224
Task 1: Client Updates 225
Task 2: Client Resources 226
Task 3: Client Provisioning Policies 231
Lab 6-3: Configuring Posture Policies 233
Activity Objective 233
Visual Objective 233
Required Resources 233
Task 1: Configuring Posture Conditions 234
Task 2: Configuring Posture Remediation 237
Task 3: Configuring Posture Requirements 240
Task 4: Configuring Posture Policies 243
Lab 6-4: Testing and Monitoring Compliance Based Access 245
Activity Objective 245
Visual Objective 245
IV Implementing and Configuring Cisco Identity Services Engine (SISE 2.3) v2.3.0 © 2018 Fast Lane
Required Resources 245
Command List 246
Task 1: Web Agent Access 247
Task 2: AnyConnect Unified Agent Access 253
Lab 6-5: Compliance Policy Testing 257
Activity Objective 257
Visual Objective 257
Required Resources 257
Task 1: Configure a Faulty Policy 258
Task 2: Use Posture Reports for Troubleshooting 259
Task 3: Using the Posture Troubleshooter 260
Task 4: Policy Correction and Testing 262
(Optional) Lab 6-6: MDM Integration with Cisco ISE 264
Activity Objective 264
Visual Objective 264
Required Resources 264
Task 1: MDM Integration 265
Task 2: Configuring Cisco ISE Policy for MDM 269
(Optional) Lab 6-7: MDM Access and Configuration 273
Activity Objective 273
Visual Objective 273
Required Resources 273
Task 1: MDM Access 274
(Optional) Lab 6-8: Client Access with MDM 277
Activity Objective 277
Visual Objective 277
Required Resources 277
Task 1: Preparing the Tablet 278
Task 2: Client Onboarding with MDM Enrollment 279
Lab 7-1: Using Cisco ISE for VPN Access 286
Activity Objective 286
Visual Objective 286
Required Resources 286
Command List 287
Task 1: Lab Preparation 288
Task 2: Testing VPN Client Access 295
Lab 7-2: Configuring Cisco AMP for ISE 301
Activity Objective 301
Visual Objective 301
Required Resources 301
Command List 302
Task 1: Configuring the Cisco AMP Cloud 303
Task 2: Configuring Posture Policies and Conditions 306
Task 3: Configuring Posture, AMP and AnyConnect Profiles 308
Task 4: Enabling and Provisoning TC-NAC Services 311
Task 5: Verify Provisioning of AMP for Endpoints (Optional) 314
Lab 8-1: Cisco ISE Integrated Solutions with APIs 317
Activity Objective 317
Visual Objective 317
Required Resources 317
Task 1: Configuring Cisco ISE System Certificates for REST and pxGrid 318
Task 2: Preparing the Cisco WSA 321
Task 3: Configuring Security Groups, Authorization Policy, and Enabling pxGrid on ISE 329
Task 4: Enabling pxGrid on WSA 331
Task 5: WSA Identity and Access Policies (Optional) 335
Task 6: Testing Corporate PC (Optional) 340
Lab 9-1: Configure TACACS+ for Cisco ISE for Basic Device Administration 345
Activity Objective 345
Visual Objective 345
Required Resources 345
VI Implementing and Configuring Cisco Identity Services Engine (SISE 2.3) v2.3.0 © 2018 Fast Lane
SISE Lab Guide
Overview
This guide presents the instructions and other information concerning the lab activities for
this course. You can find the solutions in the lab activity Answer Key.
Outline
This guide includes these activities:
Lab 1-1: Complete Cisco ISE GUI Setup
Lab 2-1: Integrate Cisco ISE with Active Directory
Lab 2-2: Basic Policy Configuration
Lab 3-1: Configure Guest Access
Lab 3-2: Guest Access Operations
Lab 3-3: Guest Reports
Lab 4-1: Configuring Profiling
Lab 4-2: Customizing the Cisco ISE Profiling Configuration
Lab 4-3: ISE Profiling Reports
Lab 5-1: BYOD Configuration
Lab 5-2: Device Blacklisting
Lab 6-1: Compliance
Lab 6-2: Configuring Client Provisioning
Lab 6-3: Configuring Posture Policies
Lab 6-4: Testing and Monitoring Compliance Based Access
Lab 6-5: Compliance Policy Testing
(Optional) Lab 6-6: MDM Integration with Cisco ISE
(Optional) Lab 6-7: MDM Access and Configuration
(Optional) Lab 6-8: Client Access with MDM
Lab 7-1: Configure Cisco ISE for VPN Access
Lab 7-2: Configuring Cisco AMP for ISE
Lab 8-1: Cisco ISE Integrated Solutions with APIs
Lab 9-1: Configure TACACS+ for Cisco ISE for Basic Device Administration
Lab 9-2: Configure TACACS+ Command Authorization
(Optional) Lab 9-3: Configuring Backups and Patching
(Optional) Lab 9-4: Configuring Administrative Access
(Optional) Lab 9-5: Review of General Tools
(Optional) Lab 9-6: Report Operations
2 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Lab 1-1: Complete Cisco ISE GUI Setup
Complete this lab activity to practice what you learned in the related module.
Activity Objective
In this activity, you will you will complete the GUI portion of the setup for this lab
environment. After completing this activity, you will be able to meet these objectives:
Log into Cisco ISE and process initial information messages
Disable profiling
Perform administrative certificate management services for Cisco ISE with a CA
Visual Objective
The figure illustrates what you will accomplish in this activity.
Required Resources
These are the resources and equipment that are required to complete this activity:
Admin PC
ISE-1 (bootstrap)
Activity Procedure
Complete these steps:
Step 1 Access the Cisco ISE console according to your lab access procedures provided
by your instructor
Step 2 At the login prompt, enter a username of admin and password of 1234QWer
Step 4 Enter the following command and observe the following output and the status of
the services.
show application status ise
4 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Step 5 Verify NTP synchronization. At the command prompt, type the following
command:
show ntp
ise-1/admin#
Step 6 Observe the following output paying attention to the * at the beginning of the line
and the text above indicating “synchronized to NTP Server…”
Step 7 Verify DNS Name Resolution. At the command prompt enter the following
command:
nslookup ise-1.demo.local
;; QUESTION SECTION:
;ise-1.demo.local. IN ANY
;; ANSWER SECTION:
ise-1.demo.local. 3600 IN A 10.1.100.21
ise-1/admin#
Activity Verification
You have completed this task when you attain this result:
Successfully observed Cisco ISE services status
Successfully observed NTP synchronization
Successfully performed a nslookup to verify proper name resolution
Activity Procedure
Complete these steps:
Step 1 Access your Admin PC. Use the credentials Administrator / 1234QWer
Step 2 Open the Firefox web browser and navigate to https://ise-1.demo.local
Step 3 Accept the Your connection is not secure message by expanding Advanced and
click Add Exception. Uncheck the Permanently store this exception checkbox
at the bottom.
6 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Step 5 Login with the credentials that you configured during the setup script (admin /
1234QWer).
Step 6 If showing up, for the Visibility Setup Wizard pop-up, click Do not show this
again.
Step 7 Navigate the various sub-menu options available under the Home screen tab. In
later labs, you will be configuring other aspects of ISE and these dashboards will
be populated and updated accordingly. Since we have no devices or users who are
yet defined, many dashboards are empty.
Note Context Visibility provides the administrator with a more holistic view of the network. It
allows for quick sorting and filtering of context information. Administrators can view
dashlets to get detailed informational data.
Step 9 These dashboards and dashlets can be customized to meet your needs. By
clicking the “gear” icon on the right, you will find some of the options available
to you and customizable options.
These options will change depending on which main menu heading you are
viewing, Home, or Context Visibility. Take a moment to explore these options.
8 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Step 10 Back under the Home tab, you can add additional dashboards in two ways. Click
the “gear” icon on the far right of the page. The wheel icon gives you more
option beyond this, such as adding additional dashlets to the present view. You
can also change the layout of the display and manage dashboards as well.
Step 11 Add a new test dashboard by using either method that is mentioned above. Name
it MYTEST and click Apply when done. Then select 2 or 3 dashlet parameters
of your choice to be included with that dashboard. Then click Save. You can then
view this new dashboard once complete and it will appear as a sub-menu option.
Step 12 By clicking the gear icon on the right, notice that you can rename this dashboard,
and add additional dashlets. If you click Add Dashlets, you will see that you can
configure the dashboard to display what is important to you, for your
environment. Click Close to exit.
Step 14 Similarly, by navigating to the Context Visibility page and clicking the gear
icon on the right, you are presented with options to create new views, or directly
jump to a preexisting dashboard. Again, you will be customizing these pages in
later labs where appropriate.
Step 15 Next, navigate to the other menu options available just to familiarize yourself
with GUI navigation. You will be accessing most of the configuration options
available in much more detail throughout the entire course.
The Operations tab will allow you to view live logs and live sessions for things
such as RADIUS and TACACS+ sessions.
The Policy tab is where you will perform authentication and
authorization configurations, as well as profiling, provisioning, and
posture. Take the time to view the default polices that come with ISE for
authentication, authorization, profiling, and provisioning. You will be
modifying some of these and adding new policy configurations in later
labs.
The Administrations tab is where you will perform system functions,
identity management, add network resources, device portals, and other
services available on Cisco ISE.
There is a new menu option available with ISE version 2.1 that is called
Work Centers. The Work Centers provide guided workflow process for
configuring various ISE services. Work Centers also provide direct links
to specific configuration pages. Take some time to click the various sub
menu options, and pay particular notice to the overview pages. These
help guide you through the ISE workflow process. For example, choose
the “Overview” option under the headings for BYOD, or Guest Access,
or Network Access.
10 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Activity Verification
You have completed this task when you attain these results:
You have successfully logged in the Cisco ISE using the credentials provided during
the first lab.
You have processed the initial messages that are shown to the user upon login
Familiarized yourself with the Cisco ISE user interface
Activity Procedure
Complete these steps:
Step 1 Navigate to Administration > System > Deployment.
Step 2 Click the ise-1 hostname hyperlink.
Step 3 Uncheck the Enable Profiling Service checkbox. Verify with the following
screenshot.
12 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Step 5 After a minute, you will see the following message. Click OK or let it restart
automatically.
Note System services are being reconfigured and restarted. The message will auto close and
the browser will automatically log you out if you do not click the OK button.
Step 6 After a few minutes, log back in to the ISE Admin Portal.
Note You may check the status of the service restart via the console or CLI using the
command show application status ise. Once the Application Server is running, you will
be able to log in. If you check before the service is reconfigured, you may see the service
still in a running state. An attempt to log in will show a “Server is undergoing
administrative maintenance. Please try again later.” Message.
Step 7 Once logged in, click the ise-1 in the upper right of the window and verify that
Session is the only Policy Service (Identity Mapping,Session) service running.
Activity Verification
You have completed this task when you attain this result:
You have disabled profiling in Cisco ISE
14 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Task 4: Certificate Enrollment
In this task, you will enroll Cisco ISE with the certificate authority in your pod.
Activity Procedure
Complete these steps:
Download CA certificate
Step 1 In the web browser on the admin PC, open a new tab and navigate to
http://ad1.demo.local/certsrv.
Step 2 When prompted use the credentials administrator / 1234QWer.
Step 3 Click the link Download a CA certificate, certificate chain, or CRL.
Step 4 Click the Download CA certificate link.
Step 5 Click OK to save the file.
Note If using Firefox, you may have to click the install this CA certificate link at the top in order to
install the CA certificate in the browser. This must be performed due to the fact that Firefox
uses a separate certificate store from the operating system. Select Trust this CA to identify
websites and click OK.
Install CA certificate
Step 6 In the Cisco ISE admin portal tab, navigate to Administration > System >
Certificates.
Step 7 Then select Trusted Certificates under Certificate Management.
Step 8 Click the Import button in the right-hand pane.
Step 9 Click the Browse… button and navigate to your Downloads folder.
(C:\Users\Administrator\Downloads).
Step 10 Select the file certnew.cer and then select the Open button.
Note You may or may not see the.cer extension depending upon your Windows Explorer
configuration.
8. Click Generate
16 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Step 18 You will receive a confirmation pop-up window notifying you that you have
successfully generated your CSR.
Step 26 Highlight (Ctrl-A) and copy the complete contents to the clipboard (Right-click
and selecting Copy or pressing Ctrl-C will both work).
Step 27 Click Close.
Step 28 Return to the tab for the Microsoft Active Directory Certificate Services page.
(http://ad1.demo.local/certsrv with username administrator, password 1234QWer)
Step 29 Click the Home link in the upper right-hand corner.
Step 30 Click the Request a certificate link.
Step 31 Click the advanced certificate request link.
18 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Step 32 Right-click and paste the contents into the Saved Requests field.
Step 33 From the Certificate Template drop-down select Web Server.
Step 34 Click the Submit> button.
Step 35 Select Base 64 encoded.
Step 36 Click Download certificate.
Step 37 Click OK to save the file.
Step 38 Open the Downloads folder and rename the certnew(1).cer certificate into “ise-1
Admin Cert.cer”
Install (Bind) CA signed certificate
Step 39 Return to the Cisco ISE browser tab.
Step 40 In the Certificate Management > Certificate Signing Requests page, select the
check box to the left of the previously processed CSR.
Step 41 The small toolbar above, click the Bind Certificate button.
Step 42 Click Browse and navigate to the Downloads folder again if necessary.
Step 43 Select the file ise-1 Admin Cert.cer.
Step 44 Click Open.
Step 45 In the Friendly Name field enter ise-1 Admin Cert.
Step 46 Select Admin, to assign the certificate to the Admin role.
Step 47 Click Submit.
Step 48 If the following pop-up window appears, click Yes.
Step 49 The system will log you out and restart services.
Step 50 Log back in after a few minutes.
Certificate Verification
Step 51 In your browser URL bar, click the lock icon to the left of https://. Observe the
following field which indicates a trusted CA signed certificate.
Step 52 Click on the right side arrow and then More Information.
Step 53 Click View Certificate.
Step 54 Observe the Issued By is the root-CA for your pod.
20 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Step 55 Click the Details tab and scroll down to Certificate > Extensions > Certificate
Subject Alt Name and observe your wildcard configuration.
Activity Verification
You have completed this task when you attain this result:
You have successfully installed the CA certificate on Cisco ISE
You have successfully enrolled Cisco ISE into your pod CA
You have verified the certificate via your web browser
You have additionally configured the installed certificate for EAP and Portal usage
22 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Lab 2-1: Integrate Cisco ISE with Active Directory
Complete this lab activity to practice what you learned in the related module.
Activity Objective
In this activity, you will integrate Cisco ISE with Active Directory. After completing this
activity, you will be able to meet these objectives:
Perform a native immigration of Cisco ISE to Microsoft Active Directory
Populate the Cisco ISE dictionary with Active Directory attributes
Configure a LDAP integration
Populate the Cisco ISE dictionary with LDAP attributes
Visual Objective
The figure illustrates what you will accomplish in this activity.
Required Resources
These are the resources and equipment that are required to complete this activity:
Admin PC
ISE-1
Activity Procedure
Complete these steps:
Join Microsoft Active Directory
Step 1 In the ISE Admin Portal, navigate to Administration > Identity Management >
External Identity Sources and then in the left pane, select Active Directory.
Step 2 In the right pane, click Add in the toolbar.
Step 3 Enter demo.local in both the Join Point Name and the Active Directory
Domain fields.
Tip Since ISE 1.3 you can optionally specify the location that the ISE computer account(s)
will be created instead of using the default Computers container. If used, the OU must be
pre-created. ISE will not create an OU structure in Active Directory to match what is
entered here.
24 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Step 10 Once the process is Completed, click the Close button.
Run Diagnostic Tools
Step 11 Select the ise-1.demo.local node from the list
Step 12 From the toolbar, click Diagnostic Tool.
Step 13 Observe the different test names and that some are external, referenced by the
join point demo.local, and some are internal, referenced by the join point System.
Step 14 Click the button Run All Tests.
Step 15 All tests should run with a status of Successful. Compare your output with the
following screenshot.
Note In the case that the NTP check failed, check the status on the CLI “show ntp”. It’s a
know bug in some version.
Tip You may also click any of the Result and Remedy hyperlinks for that test specific output.
26 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Step 27 Click Save at the bottom.
Step 28 In the right pane, click the Attributes tab.
Step 29 Click the +Add button on the toolbar and choose Select Attributes from
Directory.
Step 30 Enter employee2 in the Sample User or Machine Account text box and click the
Retrieve Attributes… button.
Step 31 Select badPwdCount and userPrincipalName from the list and click OK.
Note Only set attributes will be shown. If one account does not have an attribute set and a
different account does, for example Job Title or Department, it will show those attributes
when retrieving attributes from the account with the attribute set. An attribute could be set
after this list is pulled, and if that user is queried again the additional attribute will show in
the list.
Activity Verification
You have completed this task when you attain these results:
You have successfully joined the Cisco ISE to demo.local.
You have successfully added active directory groups and user attributes to Cisco ISE.
You have successfully tested user authentication via all three authentication types.
28 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Task 2: Configure LDAP Integration
In this task, you will configure Cisco ISE to integrate with LDAP. You will then configure
LDAP group and user attributes for utilization in Cisco ISE in later labs
Activity Procedure
Complete these steps:
Configure LDAP as an External Identity Source
Step 1 In the ISE Admin Portal, navigate to Administration > Identity Management >
External Identity Sources and then in the left pane, select LDAP.
Step 2 In the right pane, click +Add in the toolbar.
Step 3 In the Name field enter LDAP_demo_local.
Step 4 In the Description field enter demo.local LDAP configuration.
Step 5 In the drop-down for Schema, select Active Directory.
Step 6 Click the Connection tab.
Step 7 In the Hostname/IP field enter ad1.demo.local.
Step 8 Select Authenticated Access.
Step 9 In the Admin DN field enter cn=administrator,cn=users,dc=demo,dc=local.
Step 10 In the password field enter 1234QWer.
Step 11 Verify your settings with the screenshot below.
Note Observe the response time for future comparison. Make note of it in this lab guide if
needed.
Step 13 Now that you have successfully verified in LDAP connection, modify the
configuration to perform a secure LDAP (LDAPS) lookup. Change the Port from
389 to 636.
Step 14 Enable Secure Authentication.
Step 15 In the LDAP Server Root CA certificate drop-down, select demo.local CA
Certificate.
Step 16 Verify your configuration with the following screenshot.
30 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Step 17 Click the Test Bind to Server button. This should be successful.
Note Observe the response time between the previous clear text LDAP bind in the LDAPS
bind. Additional time is required to set up and verify the SSL tunnel before the performing
of the LDAP lookup. Keep this in mind when designing and architecting the placement of
Cisco ISE in a production environment.
Note You have configured your pod Active Directory as an External Identity Source. This
configuration will be utilized for authentication in later labs.
Activity Verification
You have completed this task when you attain this result:
You have successfully configured and tested Cisco ISE to pull data from your pod’s
active directory via LDAP
You have successfully modified your configuration of Cisco ISE to authenticate and pull
data from your pod’s Active Directory server via LDAPS.
32 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Lab 2-2: Basic Policy Configuration
Complete this lab activity to practice what you learned in the related module.
Activity Objective
In this activity, you will configure a basic access policy for employees and consultants. After
completing this activity, you will be able to meet these objectives:
Configure Cisco ISE to utilize Policy Sets
Configure Cisco ISE Policy Set differentiation filters
Configure an Identity Access Restricted global exception policy
Configure policies sets for both wired and wireless access
Configure a policy for Active Directory employees and consultants
Configure a policy for wired access
Configure a policy for wireless access
Visual Objective
The figure illustrates what you will accomplish in this activity.
Required Resources
These are the resources and equipment that are required to complete this activity:
Admin PC
ISE-1
AD
vWLC
Command Description
test aaa group radius <username> Perform a test authentication to the AAA
<password> new-code server via the internal switch AAA sub-
system.
34 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Task 1: Adjusting Radius Settings
In this task, you will adjusting radius settings to prevent dropping client connections, base
don failed logins.
Activity Procedure
Complete these steps:
Note This step is traditionally used for troubleshooting. It is not recommended for normal Cisco
ISE operations.
Activity Verification
You have completed this task when you attain these results:
You have successfully enabled Cisco ISE to utilize Policy Sets.
You have successfully logged in and observe the policy set configuration.
36 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Task 2: Create Network Devices and Network Device Groups
In this task, you will create and configure Network Devices for Wired and Wireless Access.
Addional you create Network Device Groups and you will assign the NDG to the NADs.
Activity Procedure
Complete these steps:
Create Network Access Devices
Step 1 In the Cisco ISE admin portal, navigate to Administration > Network
Resources > Network Devices.
Step 2 In the right pane click the +Add button from the toolbar.
Step 3 Add the following network device using the information in the table below.
Network Device – 3k-access
Attribute Value
Name 3k-access
Step 7 Perform a test authentication via the switch CLI. Your test results should be
User successfully authenticated.
3k-access# test aaa group radius employee1 1234QWer new-code
3k-access#test aaa group radius employee1 1234QWer new-code
User successfully authenticated
USER ATTRIBUTES
username 0 "employee1"
Step 8 Return to your ISE Admin portal and navigate to Operations > RADIUS > Live
Logs.
Step 9 Click the Details for the sucessful employee authentication.
38 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Step 10 Observe in the opened tab that the authentication failed due to ambiguous
credentials. This is due to your lab using the same usernames and passwords for
simplicity in both Active Directory domains.
Step 11 In the right column examine the steps to see the specifics.
USER ATTRIBUTES
username 0 "demo\employee1"
Note You could also test the username in UPN format, employee1@demo.local
Step 13 Return to your ISE Admin portal and navigate to Operations > RADIUS > Live
Logs.
Step 14 Click the Details for the successful employee authentication.
40 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Step 15 Observe in the opened tab that the authentication failed due to ambiguous
credentials. This is due to your lab using the same usernames and passwords for
simplicity in both Active Directory domains.
Step 16 In the right column examine the steps to see the specifics.
Attribute Value
Name vwlc
Name Description
Wireless WLCs
Step 22 When complete your configuration should match the following screenshot.
Name Description
HQ Headquarters
Branch Branch
Step 25 When complete your configuration should match the following screenshot.
44 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Assign Network Device Groups
Step 26 Click Network Devices.
Step 27 Add the 3k-access and the wlc network devices with the following information,
using the screenshot as an example template.
Network Device – Network Device Group Configuration
3k-access Wired HQ
vwlc Wireless HQ
Step 28 Once completed your configuration should match the following screenshot.
46 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Task 3: Create Wired and Wireless Policy Sets
In this task, you will create and configure multiple policy sets, one for wired and one for
wireless. For academic purposes, you will have the option to create an additional policy set
at the end of this task. This policy set will not contain any policies nor be used in this lab,
but instead is being created to give you one additional example of a possible policy set
option.
Activity Procedure
Complete these steps:
Policy Set Creation – Wired Access
Step 1 Navigate to Policy > Policy Sets.
Step 2 Click the plus icon (+) in the toolbar to create a new Policy Set.
Step 3 Verify that New Policy Set 1 is created above the default policy set.
Step 4 Click the words New Policy Set 1 to edit the field.
Step 5 Enter Wired_Access as the policy set Name.
Step 6 Enter Wired Access in the Description field.
Step 7 Click in the Conditions field to create a new condition and treat the following
condition:
Step 8 Click the New button.
Step 9 Click the words Click to add an attribute to select an attribute for the new
condition.
Step 10 Click the Symbol Network device.
Step 16 Assign the from the Allowed Protocols Dop-Down Menu Default Network
Access.
48 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Step 19 Configure this policy set according to the following table and compare your
results with the following screenshot.
Policy Set – Wireless Access
Activity Verification
You have completed this task when you attain these results:
You have configured two policy sets
Wired Access
Wireless Access
Activity Procedure
Complete these steps:
You can’t delete or disable the default policy set, also you can’t delete authentication or
authorization rules in the default set. You can only modified rules in the default set. The
recommend way is, to configured your own policy sets and rules above the default set.
Step 1 Access the ISE admin portal via the Admin PC.
Step 2 Navigate to Policy > Policy Set > Wired_Access.
Step 3 Click the arrow > on the right side from your Wired_Access sets to change the
view.
50 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Step 11 Click the gear symbol on the right side from the MAB rule.
Step 12 Click Insert new row below from the Drop-Down Menu.
Step 13 Enter the rule name DOT1X and assign the condition Wired_802.1X. Change
the Identity Source to All_User_ID_Stores.
Step 14 Change the Identity Source from the Default rule to DenyAccess.
Step 15 Your Authentication Policy should be the same as the screenshot below.
MAB Wireless_MAB
DOT1X Wireless_802.1X
Activity Verification
You have completed this task when you attain these results:
You have configured authentication rules for MAB and 802.1x in the Wired_Access and
Wireless_Access policy set.
52 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Task 5: Authorization Policy Configuration for AD Employees
and AD Contractors
In this task, you will configure Cisco ISE to process domain employees and domain
contractors.
Activity Procedure
Complete these steps:
Create Authorization Profiles
Step 1 Navigate to Policy > Policy Elements > Results then to Authorization >
Downloadable ACLs.
Step 2 Click +Add in the right pane toolbar.
Step 3 Create a dACL for the employees with the following attributes:
Downloadable ACL – acl_employee
Attribute Value
Name acl_employee
Step 5 Click Check DCAL Syntax to verify you entered all ACL statements correctly.
Step 6 Create another dACL for the contractors using the following attributes:
Downloadable ACL – acl_contractor
Attribute Value
Name acl_contractor
Attribute Value
Name acl_machine
Description Domain computer ACL that only allows access to DHCP, DNS, and
the DC.
Common Tasks
Common Tasks
Common Tasks
Common Tasks
54 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Step 20 Create another profile for the contractors (Wireless) using the following
attributes:
Contractor Authorization Profile
Common Tasks
Step 22 Create another profile for the domain computers (Wireless) using the following
attributes:
Domain Computer Authorization Profile
Common Tasks
Attribute Value
Note This will facilitate a more rapid use of this condition in future policies instead of having to
build it every time.
Step 28 In the Condition Name field enter Demo-Employees and click the green
checkmark.
Attribute Value
Step 33 Add another policy above the built-in Default policy by clicking on the gear icon
on the right. From the menu, select Insert new row above.
56 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Step 34 Add the following policy for Domain Computers, saving (adding) the condition
to the library as Demo-Computers:
Computers Authorization Policy
Attribute Value
Note Rule order is important as rules are processed from top down.
Step 3 Scroll down and verify your Authorization Policy rule order is as follows.
Wireless_Access Authorization Policy Order
Enabled Default
Step 4 Change, if needed, the permissions from the Default policy to DenyAccess.
Step 5 Scroll down and click Save.
Activity Verification
You have completed this task when you attain these results:
Examined the built-in authentication and authorization policies.
Created employee, contractor and machine downloadable ACL’s (dACL’s )
Created employee, contractor, and domain computer authorization profiles
Created employee, contractor, and domain computer authorization policies saving the
conditions to the library.
58 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Task 6: Client Access – Wired
In this task, you will be configuring Cisco ISE to provide wired access to clients.
Activity Procedure
Complete these steps:
Step 1 Access your 3k-access switch console.
Step 2 Perform the test using the NetBIOS name format for the username. This should
now rejected, there isn’t any matching authentication rules.
3k-access# test aaa group radius demo\employee1 1234QWer new-code
3k-access#test aaa group radius demo\employee1 1234QWer new-code
User rejected
Note You could also test the username in UPN format, employee1@demo.local
60 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Step 15 Click OK.
Step 16 Click the Settings button.
Step 17 In the list of Trusted Root Certification Authorities select root–CA. Verify all
other settings with the screenshot below
Step 18 Click the Configure… button. And verify that Automatically use my Windows
login name and password (and domain if any) is enabled
Step 19 Click OK three times to close all the windows.
Step 20 Restart the client machine using the Start menu.
Step 21 While the PC is restarting access the 3k-access switch and verify that the
interface GigabitEthernet 1/0/1 is enabled. In the case that the interface is
disabled, enable the interface with a no shutdown command.
Step 22 Return to the ISE Admin portal and navigate to Operations > Radius > Live
Logs.
Step 23 After a minute or so, you should see the local machine login via 802.1X using
the machine credentials and be assigned the Domain Computer Access
Authorization Profile.
Step 24 Return to the W10PC-Corp and login using the credentials demo\employee1 /
1234QWer
Step 25 Open a command prompt and ping the following addresses. 10.1.30.1 and
10.1.90.1. The first address should fail with a request timeout in the second
should succeed according to the dACL which you configured for
employee access.
62 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
IPv4 Address: 10.1.10.201
User-Name: DEMO\employee1
Status: Authorized
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Session timeout: N/A
Common Session ID: 0A01640100000FAF036F3ADA
Acct Session ID: 0x00000FA6
Handle: 0x19000002
Current Policy: POLICY_Gi1/0/1
Server Policies:
ACS ACL: xACSACLx-IP-acl_employee-575a8f87
Step 28 Return to the Cisco ISE admin portal and navigate to Operations > Radius >
Live Log.
Step 29 Observe the new record details for the employee1 access.
Step 30 Click the DEMO\employee1 authentication details icon. Observe the details on
the steps included in this record.
Step 31 Return to the W10PC-Corp and Log Off the employee1 user.
Step 32 Log in using the credentials demo\contractor1 / 1234QWer
Step 33 Open a command prompt and ping the following addresses. 10.1.30.1 and
10.1.90.1. The first address should fail with a request timeout in the second
should also fail according to the dACL which you configured for contractor
access.
Activity Verification
You have completed this task when you attain these results:
You have configured the 3k-access switch as a network device in Cisco ISE.
You have successfully performed test authentications via the switch CLI.
You have successfully configured the W10PC-Corp to authenticate via 802.1X.
You have successfully logged in as a both employee1 and contractor1 and observed the
dACL restrictions appropriate for each username.
You have observed the authentication records in Cisco ISE.
64 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Task 7: Client Access – Wireless
In this task, you will configure the Cisco WLC as a network device in Cisco ISE, modify the
authorization profiles to process wireless access, and test a wireless authentication.
Activity Procedure
Complete these steps:
Step 1 On your Admin PC, open a new tab in your browser and access your pod vWLC.
Use the bookmark or https://wlc.demo.local.
Step 2 Log in with the Username admin and the password 1234QWer.
Step 3 Click WLANs and verify you have three (3) WLANs for your pod. A guest
WLAN, a wpa2e WLAN, and a hotspot WLAN.
Step 4 Make Note of the 3 WLAN SSID’s and the WLAN numbers as these are the
SSID’s for your specific POD.
Step 5 Enable each of these WLANs by clicking on the WLAN numbers and changing
the Status to Enabled and Applying the configuration.
Step 6 Navigate to SECURITY then AAA > RADIUS > Authentication and verify
that Cisco ISE has been configured as a RADIUS server.
Step 7 Navigate to AAA > RADIUS > Accounting and verify that Cisco ISE has also
been configured as a RADIUS server.
Step 8 Navigate to WIRELESS and observe your pod AP. In your pod’s default
configuration, the AP should be Admin Status Enabled.
If not, enable your AP by clicking on the AP Name and under the General tab
change Admin Status to Enabled. Then Apply your configuration.
Note It is critical to make sure that you only associate to your pod’s SSID’s.
Caution If you are having difficulty, notify your instructor. Do not attempt to modify configurations
in troubleshooting.
Tablet Clean up
It may be necessary to clean up your Tablet from a previous class. Perform the steps listed
below.
Step 13 Navigate to Settings > Security select Clear credentials (if not grayed out)
Step 14 Confirm the message.
66 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Wireless Access via Tablet
Step 15 Press the home button (middle bottom button)
Step 16 Open the Widget/Icon for WLAN
Step 17 Enable WLAN if not already enabled, by clicking the slider.
Step 18 From the list identify and click your pod WPA SSID (##-wpa2e).
Note If you don’t find the SSID, then review your vWLC or notify your instructor.
Step 26 Scroll down to the results section and observe the Airespace ACL you
configured before being assigned.
Note If you do not see employee exactly as it is in the above screenshot, as UPPERCASE,
you will need to modify your authorization profile as ACL names are case-sensitive.
68 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
assigned ACL name, EMPLOYEE, which you configured in the Employee
Access Authorization Profile.
Clean up
Now that you have successfully accessed a wireless network, you will disconnect the
wireless device.
Step 32 Return to your Tablet.
Step 33 Via the WLAN icon, turn off WLAN by clicking the slider.
Step 34 Return to your Cisco ISE admin portal.
Activity Verification
You have completed this task when you attain this result:
You have verified the vWLC configuration
You have added the vWLC to Cisco ISE as a network device
You have adjusted RADIUS settings to show every authentication message in Cisco ISE
You have access the wireless network view your Tablet
You have verified proper authorization profile configuration from ISE to the vWLC.
Activity Procedure
Complete these steps:
Step 1 In your policy set navigate to Wired_Access > Authorization Policy - Global
Exceptions.
Step 2 Click the + button to create a new rule.
Step 3 Create the following rule. For this rule scenario you are creating an exception for
the demo.local IT staff who are performing an audit of the demo.local network.
Tip You could save the demo.local conditions to the library to facilitate a more efficient reuse
in the future.
Attribute Value
Step 4 Click Use and verify your policy against the following screenshot.
70 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Step 10 Observe that the Authorization policy name is under Wired_Access and is
Domain IT Audit Exception, the name you created as a Global Exception policy
name.
Step 11 Return to your admin portal and navigate to Policies > Policy Sets.
Step 12 Navigate to your Wireless_Access > Authorization Policy – Global Exceptions
and notice there is an indicator of (1).
Step 13 Expand the exceptions policy and observe the global exceptions rule that you
created earlier.
Activity Verification
You have completed this task when you attain these results:
You have successfully created a global exception.
You have successfully performed a CLI test authentication using a local user account
and observe the matching of the employee authorization profile.
You have observed the global exception in each of the policy set rules.
Activity Procedure
Complete these steps:
Step 1 Return to the ISE Admin Portal, and navigate to Context Visibility > Endpoints
> Authentications. Notice the Android endpoint can also be seen here.
Step 2 By clicking the endpoints MAC address, you can drill down to view further
details on the chosen endpoint. By clicking the various tabs, you can view
additional details such as Authentication, Threats, and Vulnerabilities, for that
endpoint.
Step 3 From this screen, click the Network Devices option to view further information
on network devices that are seen by ISE.
Step 4 On the right side of this screen, clicking on the # of endpoints that are associated
with the network device, you can view additional useful information on endpoints
that are seen on the network by ISE.
72 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
a
Activity Verification
You have completed this task when you attain these results:
You observed network device details via the feature context visibility.
Activity Objective
In this activity, you will configure the settings in Cisco ISE that are the core components of
Guest Access. After completing this activity, you will be able to meet these objectives:
Configure Guest Settings for Guest Access in Cisco ISE
Configure the Guest Locations the SSID feature in Cisco ISE
Visual Objective
The figure illustrates what you will accomplish in this activity.
Required Resources
These are the resources and equipment that are required to complete this activity:
Admin PC
ISE-1
AD1
W10PC-Corp
vWLC
74 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Task 1: Guest Settings
In this task, you will configure the basic settings for guest operations.
Activity Procedure
Complete these steps:
Step 1 On your pod Admin PC in the Cisco ISE admin portal navigate to Work Centers
> Guest Access> Settings.
Mail Settings
Step 2 Expand Guest Email Settings and modify the Default ‘From’ email address to
be sponsor@demo.local.
Step 3 Click Save.
Step 4 Still in the Guest Email Settings, click the helpful “Configure SMTP server at:
Work Centers > Guest Access > Administration > SMTP Server” hyperlink.
Step 5 In the SMTP Server settings enter mail.demo.local and click Save.
Custom Fields
Step 6 Return to Work Centers > Guest Access > Settings and expand Custom Fields.
Step 7 Add the following custom field and then click Add.
Guest Custom Field
Custom field name Data type Tip text
Person Visiting String Enter the person’s name you are visiting.
Activity Verification
You have completed this task when you attain these results:
You have configured mail (SMTP) settings for Cisco ISE.
You have added a custom field for guest access.
You have modified the guest username policy.
You have modified the guest password policy.
You have adjusted the purge policy time for either the Pacific or your local time zone.
76 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Task 2: Guest Locations
In this task, you will configure locations. You will configure a few set locations and you will
also configure the location of your class. This will be used later to align the access times
with your local class time zone.
Activity Procedure
Complete these steps:
Step 1 Navigate to Work Centers > Guest Access > Settings and then select Guest
Locations and SSIDs.
Step 2 In the Guest Locations area enter the following location and time zone
information. Finish by adding your class city and time zone.
Guest Locations
Chicago America/Chicago
London Europe/London
Dubai Asia/Dubai
Sydney Australia/Sydney
Step 3 In the Guest SSID’s field enter your guest SSID (##-guest ) from your
vWLC WLAN.
This feature is helpful if for instance your organizational guest network has
different SSIDs based on location. For example, Guest-US, Guest-EU, Guest-
APAC, etc.
Tip Do not navigate away to your vWLC web page as you will lose your Guest Location
form data.
Activity Verification
You have completed this task when you attain this result:
You have configured the Guest Settings according to the task instructions.
Activity Objective
In this activity, you will explore multiple Cisco ISE guest access configurations and
operations. After completing this activity, you will be able to meet these objectives:
Configure Cisco ISE guest access using a hotspot portal
Configure Cisco ISE guest access for self-registration
Configure Cisco ISE guest access for self-registration with sponsor approval
Configure Cisco ISE guest access for sponsored guest access
Visual Objective
The figure illustrates what you will accomplish in this activity.
78 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Required Resources
These are the resources and equipment that are required to complete this activity:
Admin PC
ISE-1
AD1
vWLC
W10PC-Corp
Activity Procedure
Complete these steps:
Configuration
Step 1 On the Admin PC in the Cisco ISE admin portal navigate to Work Centers >
Guest Access.
Step 2 Take a moment and read the Guest Access Overview. Note that at the bottom of
the overview screen a hyperlink for the reports is included. Do not click this now.
Step 3 In the top, click Portals & Components.
Step 4 In the left pane, click Guest Portals.
Step 5 In the right pane, click the Create button.
Step 6 In the pop-up select Hotspot Guest Portal and then click Continue…
Step 7 In the Portals Settings and Customization window configure the following:
Hotspot Portal Settings and Customization
Attribute Value
Portal Settings
Delay to release 1
Delay to CoA 8
Delay to renew 12
80 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Once authenticated, take guest to Authentication Success page
Step 12 Click the down arrow in the upper right corner of Firefox the on the folder icon of
the file to open the location the file was saved.
Step 13 Right-click the file name and select Extract All. Accept the default location and
click Extract.
Step 14 Return to the ISE admin portal.
Step 15 In the customization setting area click Portal Page Customization.
82 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Step 17 Scroll back up to the top and to the right of the Portal Theme select the
Tweaks…button.
Step 18 Observe the color options that you can modify. Click the color square at the end
of the Banner Color line. Play around with the color tool as you see fit. Pick a
custom color or enter #8a099b in the hex box.
Step 19 Click OK.
Step 20 Leave all other colors the default and click OK.
Step 21 Images can be uploaded by clicking on the buttons in the Images section. They
can also be deleted or reset to default with the X and circled arrow buttons
respectively.
Step 23 Scroll back to the preview area and click Refresh Preview and observe the
purple (or your custom color) banner.
Step 24 Upload the following images:
Banner C:\users\admin\Downloads\iseiscool-images\iseiscool_banner.png
Step 26 Click in the Footer Elements box to the right to activate the preview change and
review the preview
Step 27 Scroll down to the AUP text box. Wherever you see Cisco Systems in the AUP
change it to The Demo Shop.
Step 28 Select or highlight one of the “The Demo Shop” names and bold it using the
toolbar for the AUP text section. Make any other text modifications you desire.
84 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Step 29 In the Left Pane select Authentication Success.
Step 30 Edit both Browser Page Title and the Content Title and modify them to Access
Granted.
Step 31 Scroll down to Optional Content 2 and add the following text: Use coupon code
130 at checkout for extra savings!
Step 32 Using the toolbar, bold and underline 130 then change the font color of 130 to
red. Then select the text and change the font size to large.
Step 33 Scroll to the right and click Refresh Preview to review your work.
Tip You might want to change the ui_invalid_license_error from “No valid system license
exists.” to something generic since this will be seen by customers.
86 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Step 44 Create the following authorization profile:
Hotspot Authorization Profile
Common Tasks
Common Tasks
Note Make sure your WLAN ID for your ##_hotspot WLAN is correct.
Attribute Value
Step 51 Add another rule above the Hotspot rule you just created with the following
parameters.
Guest Access Authorization Policy
Attribute Value
88 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Step 56 Click Demo – Hotspot to enter the configuration for that portal.
Step 57 In the right side, examine the Guest Flow. This diagram is based on the settings
you configured on the left. In this simple hotspot flow, the user will need to
accept the AUP (1) and then they will have successfully logged on the network
(2). You have enabled Support Information and that is represented in the block on
the right.
Step 58 When you test access in the next section, you will observe this flow.
Test Access
Step 59 On your W10PC-Corp log in as student / 1234QWer.
Step 60 Access your Tablet according to your lab specific instructions.
Caution If you are having difficulty, notify your instructor. Do not attempt to modify configurations
in troubleshooting.
90 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Step 70 Observe the modifications that you made. For example, the Banner and “The
Demo Shop” and its initial name bolding.
Step 71 Click in the Access code box and enter an incorrect access code of 5678 and click
Accept and observe the result which should match the error message you
configured.
Hint Don’t use the keypad to enter the access code. In the case that you use the keypad, the
tablet will be lock and use must unlock the device again (PIN 1234). Use the keyboard on
the tablet´, to enter the access code.
92 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Step 78 Now surf to Cisco.com again. This should succeed.
Step 79 Return to the Cisco ISE Admin Portal on the Admin PC.
Step 80 Navigate to Operations > Radius > Live Logs and observe the authentication
records. Notice the first Hotspot access and then the Identity Group
GuestEndpoints and Guest Access Authorization Profile match.
Note Observe the new Description feature. You can enter a description and scroll to the
bottom and click Save.
Tip You may have noticed that the system has effectively profiled the device as an Android
Tablet even though we disabled Profiling earlier in the lab. Further details will be
covered in detail later in the lecture, but briefly, the Cisco ISE always gathers HTTP
headers when a portal is access and the endpoint utilizing the portal is profiled based
solely on that data.
Activity Procedure
Complete these steps:
Configure Guest Type
In this section, you will configure a custom guest type that will restrict access to business
days and hours.
Step 1 In the Cisco ISE Admin portal, navigate to Work Centers > Guest Access >
Portals&Components and then select Guest Types.
Step 2 In the right pane observe the four default guest types, Contractor, Daily,
SocialLogin and Weekly.
Step 3 In the right pane click the Create button.
Step 4 Configure a guest type according to the following table.
Guest Type
Attribute Value
Required [ ]
From 9:00 AM
To 5:00 PM
From 9:00 AM
To 9:00 PM
Login Options
96 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Account Expiration Notification
Email [X]
SMS [ ]
Provider
Sponsor Groups
Step 5 Scroll up and click Save. If you are sending a test SMS message, do so now.
Step 6 Click Close.
Configure Guest Portal
Step 7 Navigate to Work Centers > Guest Access > Portals & Components.
Step 8 In the left pane, click Guest Portals.
Step 9 In the right pane, click the Create button.
Step 10 In the pop-up window, select Self-Registered Guest Portal and then click
Continue…
Step 11 In the Portals Settings and Customization window configure the following:
Attribute Value
Portal Settings
[ X ] User name [ ]
[ X ] First name [X]
[ X ] Last name [X]
[ X ] Email address [ ]
[ X ] Phone number [ ]
[ X ] Company [ ]
[ X ] Location [X]
Custom Fields [ ]
Require acceptance [ ]
98 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Send Credential Notification Automatically Using [ X ] Email [ ] SMS
BYOD Settings
Delay to release 1
Delay to CoA 8
Delay to renew 12
100 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Step 12 Scroll up and click Save.
Step 13 Examine the Guest Flow and when you are comfortable in your understanding of
the flow continue to the next step.
Tip Remember if adding support information to the guest flow as an option, modify the
Support information text phone number from all Xs to an actual number.
Note You will not be modifying the AUP to change the company name from Cisco Systems to
The Demo Shop due to time constraints.
Step 18 Change to a different page by clicking on the boxes to the left and observe the
footer is consistent.
Step 19 Change the Banner title to Guest Portal.
Step 20 Scroll up and click Save.
Step 21 In the left pane, select Notifications and then Print.
Step 22 Observe the variables that are used in the text.
Step 23 Create a new line at the bottom of the text box. Add the text “Location: “
102 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Step 24 In the toolbar, click the Insert Variable icon and observe variables which are
available. Select Location name to insert that variable.
Step 28 Select Hotspot Access and then click Duplicate in the tool bar.
Step 29 Modify the authorization profile according to the table below.
Self-Registration Authorization Profile
Common Tasks
Attribute Value
104 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Step 38 Scroll down and click Save.
Test Access
Step 39 On your W10PC-Corp access your Tablet according to your lab specific
instructions.
Caution If you are having difficulty, notify your instructor. Do not attempt to modify configurations
in troubleshooting.
Note You may have to manually clear the client from the WLC (Naviagte to WLC GUI >
Monitor > Clients Click on the client to be cleared > Remove) if you perform these steps
quickly. As the WLC holds or caches association sessions to handle Wi-Fi signal
disruptions and roams.
Step 51 Use your mouse to scroll down to the bottom and click Or register for guest
access.
106 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Step 52 Create an account using the following information.
Create Guest Account
Attribute Value
Username
Phone number
108 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Step 64 Scroll down the Attributes list and observe the following fields which now
provide more meaningful information about the endpoint instead of just a MAC
address.
Activity Verification
You have completed this task when you attain these results:
You have created a guest self registration portal.
You have configured and customized the self registration portal.
You have configured a self registration authorization profile
You have modified the authorization policy for self registration access
You have accessed the open SSID network and processed through the self registration guest
flow.
You have observed the authentication process and records in Cisco ISE
Activity Procedure
Complete these steps:
Remove Endpoint from Cisco ISE
Step 1 On your W10PC-Corp, access your Tablet according to your lab specific
instructions.
Step 2 Navigate to WLAN.
Step 3 Turn off Wi-Fi.
Step 4 Return to the Cisco ISE admin portal.
Step 5 In Cisco ISE, navigate to Context Visibility > Endpoints and then in the left
pane select Endpoints.
Step 6 Select the Tablet and then delete (Click Trash > Selected) it using the toolbar.
Confirm YES to delete.
Note You may have to manually clear the client from the WLC if you perform these steps
quickly. As the WLC holds or caches association sessions to handle Wi-Fi signal
disruptions and roams.
110 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Step 10 In the toolbar click Duplicate.
Step 11 Once the duplication process is complete, click the Demo-Self-Reg_Copy1
portal to edit it.
Step 12 In the Portals Settings and Customization window modify the following
settings only:
Self-Registration Portal Settings and Customization
Attribute Value
Step 15 Select Self-Registration Portal and then click Duplicate in the tool bar.
Step 16 Modify the authorization profile according to the table below.
Self-Registration with Approval Authorization Profile
Common Tasks
Attribute Value
Caution If you are having difficulty, notify your instructor. Do not attempt to modify configurations
in troubleshooting.
112 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Step 29 Open a browser.
Step 30 If you are not automatically redirected to the ISE Self-Registration portal, type in
cisco.com, for example.
Step 31 On the Sponsored Guest Portal Page, use your mouse to scroll down to the
bottom and click Or register for guest access.
Step 32 Create an account using the following information.
Create Account
Attribute Value
Username
Phone number
Step 35 Since you have no credentials, username and password, you are unable to sign in.
Step 36 Return to the Cisco ISE admin portal.
Step 37 Navigate to Work Centers > Guest Access > Manage Accounts.
Step 38 Click the Managed Accounts button.
Step 39 The default sponsor portal opens open a new tab. Notice at the top under Pending
Accounts the 1 in parentheses (1) indicating an account pending approval.
114 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Step 40 Click the tab Pending Accounts and observe the guest account pending approval.
Step 41 Select the account and click Approve.
Step 42 Enter the email address sponsor@demo.local and click OK to approve the
account.
Note If the approval popup won’t close when you click OK, please use Internet Explorer for this
task.
Step 43 Click Manage Accounts and click the Sherlock Holmes (sholmes) account to
view the username and the password.
Step 44 Return to the Tablet and in the browser enter your credentials. It may be
necessary to refresh or retry as your portal session may have timed out. Scroll to
the bottom of the AUP, click that you accept the AUP, and then click Sign On at
the bottom.
116 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Task 4: Sponsored Guest Logins
In this task, you will perform sponsored guest account operations. You will be creating the
accounts as a sponsor and then providing and click Approve information to the guest.
Activity Procedure
Complete these steps:
Remove Endpoint from Cisco ISE
Step 1 On your W10PC-Corp access your Tablet according to your lab specific
instructions.
Step 2 Navigate to WLAN.
Step 3 Turn off Wi-Fi.
Step 4 Return to the Cisco ISE Admin portal.
Step 5 Navigate to Context Visibility > Endpoints.
Step 6 Select the Tablet and then Delete (click Trash > Selected) it using the toolbar.
Confirm YES to delete.
Note You may have to manually clear the client from the WLC if you perform these steps
quickly. As the WLC holds or caches association sessions to handle Wi-Fi signal
disruptions and roams.
Attribute Value
Portal Settings
118 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Guest Change Password Settings
BYOD Settings
Delay to release 1
Delay to CoA 8
Delay to renew 12
120 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Sponsored Portal Authorization Profile
Common Tasks
Attribute Value
Step 27 In the case you did the previous task, disable the Self-Reg with Approval rule.
Step 28 Verify your configuration with the following screenshot.
Step 32 Select in the left panel demo.local and move the authentication source to the right
panel.
122 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Step 33 Click the Save button.
Step 34 Return to Work Centers > Guest Access > Portals & Components.
Step 35 In the left pane select Sponsor Groups.
Step 36 Select the ALL_ACCOUNTS (default) line in an open area (do not click any
text) and then click Duplicate in the toolbar above.
Step 37 Edit the ALL_ACCOUNTS (default)_copy1 Sponsor Group.
Step 38 Click the Members… button above the Sponsor Group Members section.
Step 39 In the pop-up window, on the Available User Groups side type Employees in the
search filter and click Search.
Step 40 Select the demo.local Employees group and move it to the Selected User Groups
side.
Attribute Value
Sponsor Permissions
Limit to batch of 25
Sponsor Can
124 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
View guests’ passwords [X]
Tip If you are having trouble selecting the Guest Types and/or the Locations, Save and
Close your work and open IE and edit this page in IE. When done, Save your work and
return to Firefox.
Attribute Value
Portal Settings
Idle timeout 10
Login Settings
Include an AUP [ ]
Require acceptance
Require acceptance [ ]
126 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
[ ] Failure could
Caution If you are having difficulty, notify your instructor. Do not attempt to modify configurations in
troubleshooting.
Note If you get a security error from Firefox, use Internet Explorer for this task.
Attribute Value
Number of accounts 2
Group tag
Duration 2
To Time 19:00
Username Password
d-guest-
d-guest-
130 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Step 80 Click the ##-guest SSID for your pod. To log back in as a guest.
Step 81 Open a browser and try to navigate to cisco.com or trigger the web redirection by
browing to 1.1.1.1
Step 82 Login with one of the “d-guest-“accounts that were created by the
employee sponsor.
Step 83 Accept the AUP and click Sign On.
Step 84 Once logged in you should automatically be redirected to the Cisco ISE
product page.
Step 85 Return to the Cisco ISE Admin Portal on the Admin PC.
Step 86 Navigate to Operations > Radius > Live Logs and observe the authentication
records for both the Sponsored Portal access and the Rand Guest account Guest
Access.
Activity Verification
You have completed this task when you attain this result:
You have configured a Sponsored guest portal.
You have customized for Sponsored guest portal.
You have configured an authorization profile for the Sponsored guest portal.
You have modified the authorization policy to utilize the Sponsored guest portal.
You have created a new Sponsor Group that includes domain employees.
You have customized the Sponsor Portal.
You have accessed the network as a guest and see the sponsored guest portal.
You have logged in and seen the desktop sponsor portal.
You have logged in via the Tablet and seen the mobile sponsor portal.
You have created random accounts on the mobile sponsor portal.
You have logged in as a guest with a randomly generated guest account.
You have observed the authentication process records in Cisco ISE.
Activity Procedure
Complete these steps:
Step 1 On the Admin PC access your Sponsor Portal Firefox tab.
Step 2 Log in with the domain credentials in UPN format employee1@demo.local /
1234QWer if your session is timed out.
Step 3 Click the Manage Accounts tab.
Step 4 Observe the accounts that you have created during this lab. Notice that one of the
random accounts which was sponsored by the employee1 is in the state Created
132 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Step 8 Notice now that the state of an account is Suspended.
Step 9 Reselect that account and notice the only options now are to Delete, Reinstate,
and Print.
Step 10 Click Reinstate and click Ok when prompted for confirmation.
Step 11 Edit the first random account which has the state Active.
Step 12 Enter the first name “G” and last name “Lestrade” and the company
“Scotland Yard”.
Step 13 Click Save.
Step 14 Confirm your data-entry and click Done.
Step 15 On the random account with the state of Created, reset the password. When
prompted do not select Print, SMS and Email just click OK.
Step 16 Click the account name to view the new password. Then click Done.
Step 17 Observe the Time Left on the jwatson account.
Step 18 Select the jwatson account and click Extend.
Step 19 Notice that the maximum number of days as five. Enter 5 in the box and click
OK.
Step 20 Observe the extension of the time via the Time Left field.
Step 21 Select the random account with the state of Created and Delete the account.
Confirm the deletion by clicking OK.
Activity Verification
You have completed this task when you attain these results:
You have suspended, reinstated, edited, reset the password, extended, and deleted guest
accounts via the sponsor portal
Activity Objective
In this activity, you will run guest reports that are directly available from the Cisco ISE
dashboard. After completing this activity, you will be able to meet these objectives:
Run guest reports from the Authenticated Guests dashlet
Run guest reports from the Authenticated Guests dashlet sparklines
Visual Objective
The figure illustrates what you will accomplish in this activity.
Required Resources
These are the resources and equipment that are required to complete this activity:
Admin PC
ISE-1
AD1
W10PC-Corp
vWLC
134 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Task 1: Running Reports from Cisco ISE Dashboard
In this task, you will run reports for guest access from the Cisco ISE dashboard.
Activity Procedure
Complete these steps:
Step 1 On the Admin PC, navigate to the Cisco ISE dashboard by clicking Home. This
area shows statistical data, which improves your ability to monitor and
troubleshoot your system. Dashboard elements show activity over 24 hours,
unless otherwise noted.
Step 2 Observe Authenticated Guests in the metrics dashlet area. It shows the number of
guests currently authenticated. Click the number “1” in this area.
Step 3 You will see some more detailed information about connected endpoints.
Following that will be a list of endpoints. You should have a guest user in this
list. Click the MAC address of that user.
Step 4 Notice the four tabs you can use to get more information about this endpoint, as
shown. Leave it on the Attributes tab for now, and scroll down to briefly review
the types of information available here. You can scroll down to see some of the
following information: (the values that are shown are merely examples...do not
worry if yours do not match exactly)
EndPointMatchedProfile Android…
GuestUserName d-guest-xxxx
IdentityGroup GuestEndpoints
OperatingSystem Android X.X….
PortalName Demo-Sponsored
Step 5 Click the Authentication tab, scroll down, and peruse all the Authentication-
specific information available.
Step 8 You should see something similar to the example shown. You can see graphics
for GUESTS STATUS, GUESTS TYPE, FAILER REASON, AND MORE.
Following that, you see the list of devices, along with their MAC addresses.
136 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Clicking the MAC address here would bring you to the same informational screen
you just looked at.
Step 9 Navigate to Context Visibility > Endpoints. The page is similar to the Home
screen, except that context visibility pages:
Retain your current context (browser window) when you filter the
displayed data
Are more customizable
Focus on Endpoint Data
Step 10 Click the Guest tab, as shown. Notice how it is similar to the information
displayed in the Home screen. However, a new tab did not open up. You stayed in
the same tab.
Step 11 Click the MAC address of your guest connection. Again, notice how the
information is similar to the Home screen, but new tabs do not open up.
Activity Verification
You have completed this task when you attain these results:
You have successfully viewed multiple reports from the Cisco ISE home dashboard
page.
Activity Objective
In this activity, you will configure the Cisco ISE Profiler service and service settings. After
completing this activity, you will be able to meet these objectives:
Enable the Profiler Service
Enable the use of the Cisco Profiler Feed Service
Configure the Cisco ISE NAD definitions for SNMP Profiling
Configure global SNMP profiler settings
Verify NAD configurations for profiling operations
Visual Objective
The figure illustrates what you will accomplish in this activity.
Required Resources
These are the resources and equipment that are required to complete this activity:
Admin PC
ISE-1
W10PC-Corp
vWLC
Command List
The table describes the commands that are used in this activity.
ISE Profiling CLI Commands
Command Description
show logging application Command used to observe the act of Profiler Feed
138 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
ise.psc.log tail | include FEED Service actions being written to the log.
Activity Procedure
Complete these steps:
Verification of Endpoint Data
To configure profiling in Cisco ISE, access the Cisco ISE Work Centers to view the
necessary steps to prepare, define, and monitor your profiler service configuration.
Step 1 From the Admin PC, navigate to Work Centers > Profiler > Overview to view
the required configuration steps that are needed to enable and configure the
profiler service.
140 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Step 4 Select the Android tablet endpoint and click Edit, click Other Attibutes and
observe the attribute list data.
Note Notice that the assigned EndPointSource attribute is “Radius Probe” and the
MatchedPolicy is Android. This is the inherent HTTP profiling which automatically
profiles based on basic data received from the OUI and the HTTP data received at any
ISE portal.
Step 14 In the right pane, observe that the Profiling Configuration became available after
selecting the Enable Profiling Service feature. Select the Profiling
Configuration.
Step 15 Enabled the following probes:
DHCP
HTTP
RADIUS
Network Scan (NMAP)
SNMPQUERY
142 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Step 16 Scroll down and click Save.
Step 17 Click OK on the pop-up window notifying you of the Policy Service persona
change.
Step 18 After a few minutes log back into the ISE admin portal using the credentials
Admin / 1234QWer. You can check the status from the ISE CLI with the
command, show application status ise, and noticing the Application Server
status.
Activity Verification
You have completed this task when you attain these results:
You have observed the default profile information of an important
You have deleted the endpoint from Cisco ISE.
You have enabled the Profiler Service.
Activity Procedure
Complete these steps:
Step 1 In the ISE admin portal, navigate to Administration > Feed Service > Profiler
(Or Work Centers > Profiler > Feeds).
Step 2 Select the checkbox for Enable Online Subscription Update, if not checked.
Step 3 Read the notification and click OK.
Step 4 Enable notification when a download occurs and use the email address
admin@demo.local
144 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Step 7 Now click the Update Now button.
Step 8 Click Yes on the pop-up.
Step 12 You should briefly see a Server Response in the lower right-hand corner that
indicates the FeedService was successfully started.
Note The update process will take some time. At least 30-45 minutes.
Tip You can verify the operation of the Feed Service operations via the ISE console by using
the following command:
Tip
Tip Lines with FEEDMANUALDOWNLOAD are logs generated from a manual Update Now
process.
Tip Lines with FEEDAUTOMATICDOWNLOAD are logs generated from the scheduled
process.
Activity Verification
You have completed this task when you attain this result:
You have successfully enabled the Cisco ISE Profiler Feed Service
Activity Procedure
Complete these steps:
Configure Cisco ISE NAD configuration for Profiling
Step 1 Navigate to Administration > Network Resources> Network Devices (Or
Work Centers > Network Access > Network Ressources > Network Devices).
Step 2 Click the 3k-access switch to edit the NAD profile.
Step 3 Configure the following settings:
Attribute Value
SNMP Version 2c
Step 4 At the bottom of the section set the Originating Policy Services Node to ise-1.
Tip While not a mandatory step in the lab topology with a single ISE node, the practice of
setting the Originating Policy Service Node for SNMP profiling operations to the node
closest to the NAD is a best practice and tuning configuration. Especially in a larger or
geographically dispersed ISE deployment.
146 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Step 7 Perform the same modification using the same values to the pod vWLC.
Modify Profiler Configuration
Step 8 Navigate to Work Centers > Profiler > Settings in the left pane select Profiler
Settings.
Step 9 Modify the Profiler Configuration according to the following table:
Attribute Value
Note This is the default action for all the Cisco provided exception actions.
Activity Verification
You have completed this task when you attain these results:
You have modified the NAD configuration for SNMP polling.
You have observed the default profile configuration and enabled the HTTP probe.
You have modified the profiler configuration to enable CoA and modify the default
SNMP string to ISEisC00L.
You have observed the profiler exception actions.
Activity Procedure
Complete these steps:
Step 1 On your Admin PC in Firefox, open a new tab.
Step 2 Click the vwlc bookmarking in the toolbar.
Step 3 Login with the credentials Admin / 1234QWer.
Step 4 Navigate to the WLANs tab.
Step 5 Click WLAN ID 1.
Step 6 Click the Advanced tab.
Step 7 Scroll down to the right-hand side section Radius Client Profiling.
Step 8 Verify both DHCP Profiling and HTTP Profiling are enabled.
Step 9 Click Apply at the top and click OK to the pop-up message.
Step 10 Click the < Back button.
Step 11 Verify the same configuration on your other WLANs (2 & 3).
Step 12 Return to the ISE Admin Portal tab.
Step 13 Access your 3k-access switch.
Step 14 Run the following commands to see the preconfigured SNMP configuration.
148 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Note You may notice that the switch is configured for SNMP trap functionality. The switch
configuration is used for multiple classes. Some of which use the SNMP trap
functionality. Since the switch is preconfigured, if you desire to explore this functionality
after your lab is complete, all you would need to do is enable the SNMP trap probe and
enable the trap query functionality in your Cisco ISE NAD SNMP definition.
Activity Verification
You have completed this task when you attain these results:
You have verified the WLC WLAN configurations for DHCP and HTTP profiling.
You have verified the 3k-access configuration for SNMP and DHCP profiling.
Activity Objective
In this activity, you will configure the Cisco ISE profiler service to use profiling data to
make policy determinations. After completing this activity, you will be able to meet these
objectives:
Examine Endpoint profiled data
Create a Logical Profile
Utilize a Logical Profile as an Identity condition for authorization policy selection
Create a custom profiler policy based on observed endpoint data.
Visual Objective
The figure illustrates what you will accomplish in this activity.
Required Resources
These are the resources and equipment that are required to complete this activity:
Admin PC
ISE-1
AD1
W10PC-Corp
vWLC
150 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Task 1: Examine Endpoint Data
In this task, you will examine the collective endpoint data since turning profiling on Cisco
ISE.
Activity Procedure
Complete these steps:
Step 1 On your Admin PC in the Cisco ISE Admin portal navigate to Work Centers >
Profiler > Endpoints Classification (Or Context Visibility > Endpoints).
Step 2 Observe the list of endpoints that have been learned since the enabling profiling.
You may have more than one page to view, and other pages can be viewed. Use
the arrows in the upper right near the Rows, Page column to view more pages.
Also, you can sort on any heading in either ascending or descending order.
Step 17 You should now have at least one Microsoft-Workstation or VMware Device
endpoint profile added to your list.
Step 18 You should also see the Hostname and IP Address for this record in the list.
Step 19 Edit this endpoint profile to observe the endpoint attribute data.
154 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Step 20 Observe that the attribute list contains much more data than seen before for other
endpoints. Pay particular attention to the following list of attributes:
EndPointSource
IdentityGroup
MatchedPolicy
NAS-Port-Id
OUI
Total Certainty Factor
client-fqdn
dhcp-class-identifier
host-name
Step 21 Return to the Endpoint List.
Step 22 Disable the NIC on the W7PC-guest again.
Activity Verification
You have completed this task when you attain these results:
You have observed the endpoint data that was automatically discovered via your profiler
configuration of the previous lab.
You have brought online your pod Guest PC and observed the endpoint data associated
with its automatic profiling upon coming on to the network.
Activity Procedure
Complete these steps:
Step 1 In the ISE Admin portal, navigate to Work Centers > Profiler > Profiling
Policies and then in the left pane select Logical Profiles.
Step 2 In the right pane click the +Add button.
Step 3 Create the following Logical Profile:
Attribute Value
Name Approved_Smart_Devices
Activity Verification
You have completed this task when you attain this result:
You have created a logical profile for corporate approved smart devices.
156 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Task 3: Creating a New Authorization Policy using a Logical
Profile
In this task, you will create an authorization policy assigning the previously configure
logical profile to a fixed authorization profile.
Activity Procedure
Complete these steps:
Step 1 In the ISE Admin portal, navigate to Work Centers > Profiler > Policy Sets
and enter the Wireless_Access policy set.
Step 2 Click the gear icon on the right to insert a new policy above the Guest Access
policy.
Smart Devices Authorization Policy
Attribute Value
Activity Verification
You have completed this task when you attain this result:
You have configured a Smart Devices authorization policy using the logical profile
corporately approved devices.
Activity Procedure
Complete these steps:
Step 1 In your Cisco ISE admin portal navigate to Work Centers > Profiler >
Endpoints Classification.
Step 2 Find the VMWare-Device for your pod vWLC. The IP address is 10.1.100.61. It
is possible that you may have a VMWare-Device (Endprofile Cisco-WLC)
without an IP address. Try that endpoint.
Step 3 Observe the following endpoint attribute data. You will be using this data to
create a custom policy to automatically profile your pod vWLC.
158 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Step 4 Navigate to Work Centers > Profiler > Profiling Policies.
Step 5 Click the +Add button in the right pane of Profiling Policies.
Step 6 Create the following policy. Verify your configuration with the screenshot before
submitting.
Attribute Value
Name Cisco-vWLC
160 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Step 10 Edit this endpoint.
Step 11 Observe the IdentityGroup has been set to Cisco-vWLC. This can now be
utilized in Authorization policies to assign specific authorization profiles if
desired.
Note Due to time constraints you will not be performing the task of setting an authorization
policy using the Identity Group. The process would be similar to when you created a
policy using the Logical Profile. Instead of creating a Condition you would utilize Identity
Groups selecting the Cisco –vWLC Identity Group.
Activity Verification
You have completed this task when you attain these results:
You have identified endpoint profile data that can be utilized to create a profile policy.
You have created a custom profile policy utilizing the data.
You have observed your custom profile policy being applied to your pod vWLC.
Activity Procedure
Complete these steps:
Step 1 Access your pod Tablet.
Step 2 Navigate to WLAN.
Step 3 If you are still connected to any Pod## SSID, select it and click FORGET in
order to clear any previous cached settings or credentials.
Step 4 Return to the Cisco ISE Admin Portal on the Admin PC.
Step 5 Navigate to Work Centers > Profiler > Endpoints Classification.
Step 6 Search for the Tablet by typing Android into the Endpoint Profile Search field.
Step 7 Select and then Delete (Trash > Selected) the Android using the toolbar.
Confirm Yes to delete.
Step 8 Go to your pod vWLC tab and remove all clients. (Monitor > Clients)
Step 9 Return to your Tablet.
Step 10 Click the ##-guest SSID for your pod.
Step 11 Open a browser and trigger the webauth by browsing to 1.1.1.1.
Step 12 Sign On with the credentials employee1@demo.local / 1234QWer.
Step 13 Return to the ISE Admin Portal and navigate to Operations > Radius > Live
Log and observe the authentication records.
Step 14 Observe that the employee1 login was assigned the Guest Access Authorization
Profile.
Step 15 Click the authentication details for this record.
Step 16 Scroll down to the Other Attributes section and observed the LogicalProfile
attribute.
162 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Note If you receive the that is a known bug in the ISE 2.3.
Step 17 Click Authentication in the top of the Window. Scroll up and observe the Steps
section. Look for the following two step entries towards the end, 15048 and
15004.
Step 23 This same information can also be found from the Home tab and selecting Active
Endpoints or Authenticated Guests. If time permits, take some time to explore
this resource as well by clicking either location, and examining the options, and
information available to you.
164 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Discussion
The policy you just configured is a hardware-based policy. As you can see from the previous
task steps, the employee1 user logging into a smart device was given Guest Access instead
of Wireless Employee Access. At this point in time if the smart devices policy was truly an
exclusive approved list of devices that was allowed to access the network, you could use the
Approved_Smart_Devices logical profile as an additional condition for each wireless
authorization policy. By adding this as an additional condition to the employees, contractors,
and guests authorization policies, you would be limiting those groups’ ability to access the
network. Only successfully profiled hardware that matches the individual or component
polices of the Logical Profile would be permitted.
Remember also, that policies are evaluated in a top-down order. This policy was purposely
placed near the top to exemplify this fact. It is important to always consider context-based
attributes or information when creating policies.
Due to limited lab time in this five-day class, you will not be configuring your policies as
such. In the next steps, you will disable the Smart Devices authorization policy for
simplicity and time sake
Disable the Logical Profile Authorization Policy
Step 24 Navigate to Work Centers > Profiler > Policy Sets and enter the
Wireless_Access policy set.
Step 25 Disable the Smart Devices authorization policy rule.
Step 26 Confirm that your policy is disabled and matches the following screenshot.
Activity Verification
You have completed this task when you attain these results:
You have successfully connected to the network via your pod Tablet and matched
authorization policy utilizing the Profiling Logical Profile condition configure earlier
in this lab.
You have observed a Guest Access authorization profile assigned to an employee based
on this rule.
You have read the Discussion section of this task.
You have disabled the Authorization Policy which utilizes the Profiling Logical
Profile condition.
Activity Objective
In this activity, you will run reports that focus on profiling data. After completing this
activity, you will be able to meet these objectives:
Run Profiler Feed Reports
Run Endpoint Profile Changes Reports
Run Profiled Endpoints Summary Report
Run profiling based reports from the Cisco ISE Dashboard
Visual Objective
The figure illustrates what you will accomplish in this activity.
Required Resources
These are the resources and equipment that are required to complete this activity:
Admin PC
ISE-1
AD1
W10PC-Corp
vWLC
166 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Task 1: Run Cisco ISE Profiling Reports
In this task, you will run reports based on profiling data gathered in previous labs.
Activity Procedure
Complete these steps:
Step 1 In the ISE admin portal, navigate to Work Centers > Profiler > Feeds.
Step 2 Verify in the Update Information and Options section that a Latest applied feed
occurred.
Note If you have no timestamp indicating a successful update operation, you may have to
perform these steps at a later time. Please notify your instructor but your pod does not
have a timestamp.
Step 3 Click the Go to Update Report Page link as indicated in the above screenshot.
This will automatically run the Change Configuration Audit report from the
FeedService administrator.
Note If you receive the Error message “Oops. Something is wrong”, that is a known bug in
the ISE 2.3. Skip the next steps and junp to Task2.
Step 4 Observe the details of the Added and Changed configurations. If you see no
entrys, click the Update Now from the Feed Service Configuration page again.
Step 5 Click one of the Added configuration (if available) event hyperlinks.
Step 6 Observe the details paying specific attention to any Object Names and the data in
the Modified Properties.
Step 7 Close this tab and return to the Change Configuration Audit report tab.
Note Your number of OUI’s may vary depending upon the date of your class. This is an
indication of further updates since the above screenshot.
Step 14 Return to the Inbox and open the ISE System Message: Fee policies applied
update email.
Step 15 Observe the number of feed policies applied.
Note Your number of policies may vary depending upon the date of your class. This is an
indication of further updates since the above screenshot.
Activity Verification
You have completed this task when you attain these results:
You have observed the Feed Service updates and changes.
You have observed the email reports generated by the Feed Service.
168 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Task 2: Endpoint Profile Changes Report
In this task, you will run reports that are related to profiled endpoints.
Activity Procedure
Complete these steps:
Step 1 Navigate to Work Centers > Profiler > Reports.
Step 2 In the Reports pane navigate to Profiler Reports > Endpoint Profile Changes.
Step 3 Filter the report using the Time Range of Last 7 Days.
Step 4 Compare the Endpoint Profile (Before) pie chart to the Endpoint Profile
(After) pie chart and observe the additional data as a result of enabling profiling.
Step 5 Scroll down to view a list of the Endpoint Profile Changes.
Step 6 Click a record detail to see which probe ran that caused the change.
Step 7 Return to the ISE Admin portal when done.
Profiled Endpoints Summary Report
Step 8 In the Reports pane navigate to Profiler Reports > Profiled Endpoint
Summary.
Step 9 Filter the report using the Time Range of Last 7 Days.
Step 10 Observe the Details and then the Raw details of a record.
Step 11 In the Raw details report page, click one of the Endpoint property hyperlinks and
observe the additional level of detail available in the pop-up message.
Activity Verification
You have completed this task when you attain these results:
Run Endpoint Profile Changes and Summary reports, and observe the data that is
contained in those reports.
Activity Procedure
Complete these steps:
Step 1 Navigate to the Context Visibility > Endpoints > Endpoints Classification tab.
Step 2 In the ENDPOINTS dashlet, click the new window icon to detach, and open the
dashlet in a new tab, to drill down for further details.
Step 3 In the new ENDPOINTS dashlet tab, click the Profile link to observe all profiled
endpoints that ISE has seen.
Step 4 By hovering your mouse over any individual section of the circle graph, ISE will
display the number of devices per that category.
Step 5 Similarly, the Home > Summary > Endpoints page will display the same
information, and other summary information. Both Context Visibility and Home
pages can be customized to meet your needs. You can add new Dashboards, or
Dashlets, by clicking the gear icon in the upper right corner of the pane.
Step 6 Close all newly opened tabs and return to the ISE Admin portal when done.
170 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Activity Verification
You have completed this task when you attain these results:
You have run the Profile Feed report.
That you have on Endpoint Profile Changes report
You have run the Profile Endpoints Summary report.
You have observed metric – the date on the homepage and run a report from the Profiler
Activity dashlet.
Activity Objective
In this activity, you will configure Cisco ISE for BYOD on boarding. After completing this
activity, you will be able to meet these objectives:
Create a customized My Device portal
Configure Cisco ISE to provision certificates via the internal CA and deploy those
certificates via a Native Supplicant Provisioning profile
Configure a certificate authentication profile that utilizes the attributes from the
internally deployed CA certificates
Configure Cisco ISE authentication and authorization policies for BYOD access
Onboard a mobile BYOD device
Visual Objective
The figure illustrates what you will accomplish in this activity.
172 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Required Resources
These are the resources and equipment that are required to complete this activity:
Admin PC
ISE-1
AD1
W10PC-Corp
vWLC
Activity Procedure
Complete these steps:
Portal Enablement
Step 1 Navigate to Work Centers > BYOD > Overview. Take a moment to review the
three major phases of BYOD configuration – Prepare, Define, Go Live and
Monitor.
Step 2 You have accomplished the “Prepare” phase items in previous labs. So, move on
to the “Define” phase by clicking the link for web portals. Then choose My
Devices Portals in the left column. You could also arrive here via Work Centers
> BYOD > Portals & Components > My Devices Portal, or via
Administration > Device Portal Management > My Devices.
Step 3 In the right pane click Create.
Step 4 Create the following portal.
My Devices Portal Settings and Customization
Attribute Value
Portal Settings
Idle timeout 10
174 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Included Post–Login Banner page [X]
Tip Enabling the Support Information feature is an easy way to provide the end user with a
place to go to see their MAC address. Consider using some of the instructional or
optional fields on the My Devices and Add Devices page or others to provide this
information to the end user.
Note Later in the lab we will also be using a BYOD portal. For-time sake we will use the Cisco
default portal. If you want, you may optionally customize that portal by adding the same
images as above and saving the portal.
Step 12 You should see the My Devices Portal but you previously configured.
176 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Step 17 Return to your Cisco ISE Admin portal.
Activity Verification
You have completed this task when you attain these results:
You have created a custom My Devices portal for Demo employees.
You have optimized the portal Authentication sequence processing by configuring it to
process AD accounts first.
You have reviewed the customized My Devices via a desktop browser.
Note It is important that any time a default template is used, it is modified to fit the specific
installation environment.
Activity Procedure
Complete these steps:
Certificate Provisioning
Step 1 In your Cisco ISE admin portal, navigate to Administration > System >
Certificates and then in the left pane select Certificate Management > Trusted
Certificates.
Note There exists some trusted third party CA certificates. If you need other CA certifiactes,
you can import certficates in these section.
Step 2 In the left pane select Certificate Management > Certificate Signing Requests.
Step 3 Click Generate Certificate Signing Requests (CSR).
Step 4 Select ISE Root CA as the Usage
Note Your ISE implies all CA functions and will act as the root CA, Node CA, endpoint sub CA
and OSCP responder CA.
178 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Step 8 In your Cisco ISE admin portal, navigate to Work Centers > BYOD > Portals
& Components and then in the left pane select Certificates > Certificate
Templates.
Step 9 Edit the EAP_Authentication_Certificate_Template.
Step 10 Modify the template according to the following table. Verify configuration with
the subsequent screenshot.
Note In this configuration, you will be configuring the OU to be the distinguishing attribute that
will store the functional purpose of the certificate inside each certificate that is issued. By
performing the step, an Authorization Policy rule could be configured with a condition to
match this attribute and then apply the appropriate authorization profile.
Parameter Description
Name BYOD_EAP_AUTH_365
Country (C) US
Attribute Value
180 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Inline Native Supplicant Profile Procedure
1. Expand Results.
5. Create a Native Supplicant Profile using the following data. It is important that your
Name Android_WPA2_TLS_BYOD pod SSID (##-wpa2e)
match what is exactly
Description Pod ## BYOD NSP configured for your pod.
Operating System Android Having your WLC portal
open in a separate tab and
Connection Type Wireless performing a copy/paste
SSID ##-wpa2e from there is the most
Security WPA2 Enterprise reliable method.
6. Click Save.
Activity Verification
You have completed this task when you attain these results:
You have configured a Certificate Template for BYOD access.
You have configured the Client Provisioning rule using an in-line created NSP specific
for your pod SSID and assigning the BYOD certificate template.
182 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Task 3: Policy Configuration
In this task, you will configure the policy components for BYOD access.
Activity Procedure
Complete these steps:
Certificate Authentication Profile Creation
Step 1 Navigate to, to Work Centers > BYOD > Ext Id Sources > Certificate
Authentication Profile.
Step 2 In the right pane, click +Add to create a Certificate Authentication Profile
according to the following information.
Certificate Authentication Profile
Attribute Value
Name CN_USERNAME
Step 3 Verify your configuration with the following screenshot then click Submit.
Attribute Value
Name DOT1X_X509_Username
Selected All_AD_Join_Points
Internal Users
Guest Users
If the selected identity store cannot be Treat as if the user was not found and proceed to the
access for authentication next or in the sequence
Step 6 Verify your configuration with the following screenshot then click Submit.
184 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Allowed Protocols Review
Step 7 Navigate to Work Centers > BYOD > Policy Elements > Results > Allowed
Protocols,
Step 8 In the right pane, click Default Network Access.
Observe that EAP-TLS and PEAP with an inner method to EAP-TLS are both
allowed. This is sufficient for this access use case (TLS client certificate-based
access).
Tip Take note of the option below both “Allow EAP-TLS” and the “Allow EAP-TLS” under
“Allow PEAP”. The option to “Allow Authentication of expired certificates to allow
certificate renewal in the Authorization Policy”. Using this feature allows for some
flexibility. Enabling this feature by itself weakens the security that is inherent in the
expiration process of X.509v3 certificates. However, Cisco ISE has a dictionary
condition, CertRenewRequired, which could be used in an Authorization Policy near the
top or as a Global Exception policy, which evaluates the expiration of the certificate and if
it is expired, can be used to apply an Authorization Profile that redirects to the CWA
portal. Hovering your mouse over the (i) icon at the end of the line will pop-up a message
indicating this as shown in the following screenshot.
Attribute Value
Name DOT1X_EAP_TLS
Options
186 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Authorization Profile Configuration
Step 14 Navigate to Work Centers > BYOD > Policy Elements > Results >
Authorization Profiles.
Step 15 Create and Save the two following Authorization Profiles.
WLC Native Supplicant Provisioning Authorization Profile
Name WLC_NSP
Common Tasks
Common Tasks
Attribute Value
Attribute Value
Caution Be sure to select RADIUS attribute 31 instead of 30. Attribute 31 will give you the MAC
address of the endpoint whereas attribute 30 will give you the MAC address of the NAD.
Radius:Calling-Station-ID--[31] instead of
Radius:Called-Station-ID—[30]
188 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Activity Verification
You have completed this task when you attain these results:
You have configured a certificate authentication profile that will use the subject
common name as the username.
You have configured in identity source sequence that utilizes the certificate
authentication profile.
You have reviewed the allowed authentication protocols to see that they allow EAP-
TLS.
You have configured authentication policy which matches certificate authentication and
uses the source sequence which you have configured.
You have configured authorization profiles to provision the certificate using NSP and to
permit BYOD access.
You have configured two authorization policy rules for NSP and for BYOD access.
Activity Procedure
Complete these steps:
Endpoint Cleaning from Previous Labs
Step 1 Access your Tablet according to your lab specific instructions.
Caution If you are having difficulty, notify your instructor. Do not attempt to modify configurations
in troubleshooting.
190 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Tablet Onboarding
Step 8 Access the Tablet.
Step 9 Access the ##-wpa2e SSID for your pod. Log in using the credentials
employee1@demo.local / 1234QWer.
Step 10 Open a browser.
Step 11 If you are not automatically redirected to the ISE BYOD portal, trigger it by
typing 1.1.1.1, for example.
Step 12 Process through the BYOD portal process by clicking Start.
Step 13 Enter the device name employee1_Tablet in the description My Tablet. Also
observe that the Device ID or MAC address is included on the bottom.
Note The Cisco Network Setup Assistant has been preinstalled on the Tablet.
Step 16 Examine the page. For Android devices a Cisco proprietary application is needed
to perform the automatic profile and certificate installation process.
Step 17 On the Tablet press the Home button, then in the main view locate and open the
Cisco App Network Setup Assistant.
Step 18 Click Start inside the Network Setup Assistant and observe the provisioning
procedure. Click PROCEED and CONNECT, if prompted.
Step 19 If prompted, enter the Tablet PIN 1234.
Step 20 When presented with the certificate package for the user, leave all defaults and
click OK.
Step 21 When presented with the root certificate, leave all defaults and click OK.
192 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Step 22 After the Cisco Network Setup Assistant downloaded and installed everything
successfully, you will be automatically connected to SSID from the configured
profile (##-wpa2e) and presented with the following seen left in the screenshot.
Step 23 Click Exit, open the browser and verify browsing to the Internet, e.g. cisco.com
is working.
Step 24 In your Tablet navigate to Settings > Security > Trusted Credentials.
Step 25 Under the section USER you should see the root-CA certificate, which you can
examine by clicking, seen right in the top screenshot.
Step 30 Click the Details icon for the record that was assigned the Authorization Profile
WLC_User Access.
Step 31 Observe the Overview section and notice the indicated sections below.
Step 32 Examine the Steps section and towards the bottom observe the 15048 messages
indicating the EAP authentication and the querying of the Subject Common
Name and the MAC address as the Radius Calling-Station-ID.
Step 33 Close this tab and return to the Cisco ISE admin portal.
Step 34 Navigate to Work Centers > BYOD >Identities > Endpoints.
Step 35 Find the Tablet MAC address and click the MAC address in this list.
Step 36 Find the Device Registration is Registered and BYOD Registration is Yes
indicating the Tablet status is an endpoint.
194 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Step 37 If the Device Registration says Pending, this is unfortunately a know bug.
Step 38 Scroll down to the Subject attribute lines. Observe the certificate details paying
particular attention to the Subject Common Name values.
Step 39 Return to the Cisco ISE admin portal and navigate to Administration > System
> Certificates > Certificate Authority > Issued Certificates.
Step 40 Select the endpoint certificate which has been deployed to the employee1 Tablet,
click View in the toolbar and examine the details.
Note Use Google Chrome Browser, if the certificate details are not showing up correctly!
Activity Verification
You have completed this task when you attain this result:
You have successfully onboarded your pod Tablet and verified access according to the
task steps.
196 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Lab 5-2: Device Blacklisting
In the previous lab, you learned how to configure a BYOD solution. In this activity, you
will learn how to manage that solution. The focus is on how to mark a device lost, and then
stolen.
You will examine Cisco ISE to see how the endpoint is processed for each of these
situations. You will then reinstate a lost or stolen device. You will also process an endpoint
for re-enrollment after a certificate has been revoked.
Activity Objective
In this activity, you will perform the steps to mark a device lost and then stolen. You will
examine Cisco ISE to see how the endpoint is processed for each of these situations. After
completing this activity, you will be able to meet these objectives:
Mark a device as lost
Mark a device is stolen
Reinstate a lost or stolen device
Process and endpoint for reenrollment after a certificate has been revoked
Visual Objective
The figure illustrates what you will accomplish in this activity.
198 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Task 1: Blacklist a Device
In this task, you will mark an on-boarded device as “lost”.
Activity Procedure
Complete these steps:
Configure a local Exceptions Policy for the Blacklist devices
Step 1 Navigate to Policy > Policy Sets > Wireless_Access > Authorization Policy –
Local Exceptions.
Step 2 In the left pane click the + symbol to insert a new exception policy.
Authorization Policy – Local Exceptions
Attribute Value
Note If the device status is still pending, then consider up to 20min for the profiling process.
Tip Shutting the WLAN off and on might trigger the registration status from the tablet.
200 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Step 19 Click Yes to acknowledge that you want to mark the device is lost.
Activity Verification
You have completed this task when you attain this result:
You have marked the employee1 Tablet endpoint as Lost.
Activity Procedure
Complete these steps:
Step 1 In the Cisco ISE admin portal navigate to Operations > RADIUS > Live Logs.
Step 2 You should already observe an authentication success record for the employee1
Tablet but has the resulting Blackhole_Wireless_Access authorization profile
result. Cisco ISE issued a CoA when the device was marked lost. The device
automatically re-authenticated as it normally would and matched the Wireless
Black List Default authorization policy rule.
Step 3 Return to your Tablet and in a browser navigate to any website ot to 1.1.1.1. You
should be redirected to the blacklist portal automatically.
Activity Verification
You have completed this task when you attain this result:
You have been redirected to the blacklist portal on the Tablet.
202 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Task 3: Endpoint Record Observations
In this task, you will examine the endpoint data record for a “lost” device.
Activity Procedure
Complete these steps:
Step 1 Return to the Cisco ISE admin portal.
Step 2 Navigate to Context Visibility > Endpoints.
Step 3 Find the Tablet MAC address and observe the record in this list.
Step 4 Open the detail view for this endpoint.
204 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Step 7 In the search results window, notice Blackhole_Wireless in the text. Click the
record to view the details.
Step 8 Observe that the current status is Authenticated & Authorized and assigned
Blachole_Wireless_Access.
Step 11 Close the result box by clicking on the X in the upper right-hand corner.
Activity Verification
You have completed this task when you attain this result:
You verified map the endpoint has been marked Lost.
206 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Task 4: Un-Blacklist the Device
In this task, you will go through the process of on blacklisting a device which was “found”.
Activity Procedure
Complete these steps:
Step 1 On the Admin PC access the previously opened My Devices Portal tab.
Step 2 It is likely that your session has timed out. Login credentials
employee1@demo.local / 1234QWer if necessary.
Step 3 Click Accept to the AUP and then click Continue.
Step 4 Manage the device by clicking on the record.
Step 5 Click Reinstate.
Activity Verification
You have completed this task when you attain this result:
You have reinstated the employee1 Tablet and observe the status as Registered.
Activity Procedure
Complete these steps:
Step 1 In the Cisco ISE admin portal navigate to Operations > RADIUS > Live Logs.
Step 2 You should already observe an authentication success record for the employee1
Tablet but has the resulting WLC_User Access authorization profile result. Cisco
ISE issued a CoA when the device was marked Reinstated. The device
automatically re-authenticated as it normally would and matched the BYOD
Access authorization policy rule.
Step 3 Return to the Tablet and in a browser, navigate to cisco.com. You should be up to
successfully connect to the webpage.
Activity Verification
You have completed this task when you attain these results:
You have observed the proper authorization profile for the registered BYOD device.
You have successfully connected to a webpage.
208 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Task 6: Blacklisting a Stolen Device
In this task, you will mark a device as stolen and observe the endpoint and certificate status.
You will then reinstate and then re-onboard device. You will not go through the process of
testing access while marked as stolen in the interest of brevity as you have already tested
blacklisted access a previous task.
Activity Procedure
Complete these steps:
Marking a Device as Stolen
Step 1 Return to the Admin PC and to the My Devices Portal.
Step 2 It is likely that your session has timed out. Login credentials
employee1@demo.local / 1234QWer if necessary.
Step 3 Click Accept to the AUP and then click Continue.
Step 4 Manage the device by clicking on the record.
Step 5 Click the Stolen button.
Step 6 Click Yes to acknowledge that you want to mark the device is still.
Step 7 Observed that the status is now Stolen.
Examining Endpoint Status and Record
Step 8 Return to the Cisco ISE admin portal and navigate to Operations > RADIUS >
Live Logs.
Step 9 You should see a denied access record for the Tablet.
Step 13 Use Google Chrome Browser, if the certificate details are not showing up correctly!
Step 14 In the list of certificates observed that the status is now Revoked for the
Tablet certificate.
Step 15 View the certificate details and observe the certificate status is revoked with a
red X icon.
210 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Re-Onboarding Device
Step 22 Return to your Tablet and observe your ##-wpa2e WLAN SSID.
Step 23 You should notice that it is not possible to join the ##-wpa2e WLAN.
Step 24 Select the WLAN and at the bottom right, click FORGET.
Step 25 Navigate to Settings > Security > Clear credentials
Step 26 Click Clear credentials and Remove all the contents by clicking OK.
Step 27 Return to the WLAN list and attempt to join the ##-wpa2e WLAN. This should
succeed by prompting you for credentials.
Step 28 Enter the credentials employee1@demo.local / 1234QWer.
Step 29 Open a browser and trigger a redirection to the ISE portal.
Step 30 Go through the process of on boarding process before. Reference to previous lab
steps if necessary.
Step 31 Once complete navigate to cisco.com. This should succeed.
Step 32 Return to the Cisco ISE admin portal and navigate to Operations > RADIUS >
Live Logs.
Step 33 The employee1 Tablet should have been applied the WLC_User_Access
authorization profile. To the right the device should also be in the Identity Group
RegisteredDevices.
Activity Verification
You have completed this task when you attain these results:
You have successfully marked the device a stolen.
You have observed the device certificate authentication failure.
You have examined the certificate status and observed it has revoked.
You have reinstated the device via the My Devices Portal.
You have deleted the certificate profile and reenrolled the Tablet.
You have observed a successful BYOD certificate authentication.
Activity Objective
In this activity, you will configure Cisco ISE settings and polices for compliance based
access. After completing this activity, you will be able to meet these objectives:
Configure Cisco ISE Posture Settings
Configure Authorization Profile components for compliance based access
Configure Authorization Policy rules for compliance based access
Visual Objective
The figure illustrates what you will accomplish in this activity.
Required Resources
These are the resources and equipment that are required to complete this activity:
Admin PC
ISE-1
AD1
W10PC-Corp
vWLC
212 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Task 1: Posture Preparation
In this task, you will configure Cisco ISE posture update settings that will be used later for
compliance to check posture compliance of clients.
Activity Procedure
Complete these steps:
Posture Updates
You will perform a manual posture update in this section.
Step 1 Navigate to Work Centers > Posture > Settings > Software Updates >
Posture Updates.
Step 2 Click the Automatically check for updates starting from initial delay check
box to enable auto updates. After the initial download, this will perform an
incremental update automatically from Cisco.
Note By default, posture updates are configured to be retrieved from the web and automatic
checking is disabled.
Posture updates include a set of predefined checks, rules, and support list for antivirus
and anti-spyware for both Windows and Macintosh operating systems. When you
perform your initial update process usually takes approximately 20 minutes.
Note You can safely navigate away from this page and continue on to the next steps while this
process works in the background.
Step 5 Observe the Update Information section below to view the status on updates. The
following fields are useful in determining proper functioning, Last successful
update on and Last update status since ISE was started.
Note Leaving the value at 0 would configure the client to not display login success screen.
This may be optimal in some organizations.
Posture Lease
The default configuration as indicated in this section is to perform a posture assessment
every time a user connects to the network. By enabling the second option, the system is
considered to be compliant for the configured number of days (range 1 – 365) and will be
checked at the configured interval.
Note Posture leases are only applicable to Cisco AnyConnect Unified Agent access.
214 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Portal Modification
Step 10 Navigate to Work Centers > Guest Access > Portals & Components > Guest
Portals and edit the Demo-Sponsored portal.
Step 11 Scroll down to the Guest Device Compliance Settings section and enable
Require guest device compliance.
Activity Verification
You have completed this task when you attain these results:
You have configured Cisco ISE to retrieve posture update configurations from Cisco
online.
You have configured general posture settings for global posture processing.
You have reviewed posture lease settings.
You have modified the Demo Self-Reg portal to require guest compliance.
216 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Task 2: Authorization Profiles
In this task, you will configure a simple compliance policy check.
Activity Procedure
Complete these steps:
Create Downloadable ACLs for Compliance
Step 1 Navigate to Work Centers > Posture > Policy Elements and then
Downloadable ACLs.
Step 2 Create the following AD Login Access dACL.
Attribute Value
Name acl_ad_login
Attribute Value
Name acl_posture_remediation
Attribute Value
Name acl_internet_only
Step 5 A URL redirect ACL needs to pre-exist on a switch and cannot be a dACL. Your
3k-access switch is preconfigured with the ACL that you will use. It is named
ISE-URL-REDIRECT. The contents of that ACL are included below for a time
saving convenience.
Note If you desire, you may open an SSH session via PuTTY and verify by issuing a show
ip access-list ISE-URL-REDIRECT.
Note You will be referencing the name of the URL in authorization profiles. Spelling must
match exactly.
218 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Create Authorization Profiles for Compliance
Step 6 Navigate to Work Centers > Posture > Policy Elements and then
Authorization Profiles.
Step 7 By clicking +Add in the right pane, create each of the following authorization
profiles.
Posture Remediation - Authorization Profile
Common Tasks
Common Tasks
Common Tasks
Step 8 Modify the Wired Domain Computer Access authorization profile to use the
newer port restrictive dACL for AD Login, acl_ad_login and then click Save.
Activity Verification
You have completed this task when you attain this result:
You have configured dACLs for utilization in compliance based access.
You have configured Authorization profiles to be utilized during different stages of
compliance based processing.
Activity Procedure
Complete these steps:
Policy Set Evaluation
Step 1 Navigate to Work Centers > Posture > Policy Sets and then to Wired_Access >
Authorization Policy.
Examine the authorization policy rules and notice that right now things are pretty
clean. You have profiled IP phones, two rules for employees or contractors, a rule
for domain computer authentication, and a default deny rule at the end. Having
created all of the guest access rules under the wireless access policy has allowed
the wired policy to stay clean. By using the condition function of policy sets to
differentiate policy it’s possible, and in the situation, advantageous to split our
wired access into two different parts in a similar way that we split our overall
access into wired and wireless policy sets.
In the following section you will go to the process of creating a separate policy
set for wired MAB access. This will allow you to consolidate all of your policies
that would apply to wired map access in a central location without having to
evaluate whether policy would apply to an 802.1X session or a MAB session.
You will also modify the existing Wired_Access to apply to 802.1X sessions.
Policy Set Modification
Step 2 Click in the top Policy Sets to go back to the Policy Set overview.
Step 3 Click the + symbol on the left side to create a new Policy Set in the top of your
policy sets.
Note Policy sets are evaluated like Access control lists, top down. Like ACLs, the order of your
rules can determine if your policy functions as expected.
Wired_MAB_Access Wired MAB Device [ Drag & Drop Condition from Library ]
Access Compound Condition > Wired_MAB
Step 4 Click Use and verify your policy set with the following screenshot.
220 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Policy Set – Wired_8021X_Access
Note While in this specific lab environment and configuration, it is not necessary to build a
compound condition of device type wired and Wired_802.1X, the purpose for doing so is
to illustrate the flexibility and capability of the policy set condition aspect of Cisco ISE.
Tip Applying this logic, it would be possible to create a condition matching a specific device
location and access method, wired or wireless, etc. and access type, MAB or 802.1X, to
create and maintain organized policy sets.
Step 7 Click Done and verify your modification with the following screenshot.
Attribute Value
Step 12 Modify the Default rule to use the authorization profile CWA Posture
Remediation.
Step 13 Verify your policy with the following screenshot.
Caution In a production environment it would be important to copy and create policy rules to
facilitate profiled devices which would access the network by way of MAB. For the sake
of time and due to the simplicity of this lab environment you will not be creating or
configuring such rules.
Tip Saving the posture status condition to the library for reuse with a simplified name would
make reading policy conditions in their final state easier than reading and attribute value
statement.
222 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Step 22 Edit the Wired AD Contractors rule by adding the condition
Session:PostureStatus EQUALS Compliant and verifying the operand is AND.
Step 23 Click Use at the end of the line.
Step 24 Add the following authorization policy rule above the Default rule.
Attribute Value
Activity Verification
You have completed this task when you attain this result:
You have modified the Wired_Access Policy Set to process access based on
compliance status.
Activity Objective
In this activity, you will configure Cisco ISE to provision Cisco posture agents. After
completing this activity, you will be able to meet these objectives:
Configure Client Provisioning settings for updates from Cisco online.
Configure Client Resources for utilization in compliance based access.
Configure Client Provisioning policies for the utilization of posture agents
Visual Objective
The figure illustrates what you will accomplish in this activity.
Required Resources
These are the resources and equipment that are required to complete this activity:
Admin PC
ISE-1
AD1
W10PC-Corp
vWLC
224 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Task 1: Client Updates
In this task, you will review client provisioning settings and then perform a posture
component update.
Activity Procedure
Complete these steps:
Client Provisioning Settings
Step 1 Navigate to Work Centers > Posture > Settings then to Software Updates >
Client Provisioning. This page can all be accessed via Administration >
System > Settings and then Client Provisioning.
Step 2 Observe the default configuration that client provisioning is enabled by default.
Activity Verification
You have completed this task when you attain these results:
You have reviewed the Client Provisioning settings.
You have configured Cisco ISE to perform automatic posture updates; and initiated a
manual update.
Activity Procedure
Complete these steps:
Downloading Resources to your PC
Step 1 In your Firefox browser, open a new tab and use your bookmark toolbar to
navigate to tools > cp. (http://tools.demo.local/cp)
Step 2 Download the following files. These files will be placed in your profile
Downloads folder.
anyconnect-win-4.5.04029.0-webdeploy-k9.pkg
anyconnect-VPN-disable.xml
anyconnect-NAM-EAP-FAST.xml
Step 3 Return to the Cisco ISE Admin portal.
Step 4 Navigate to Work Centers > Posture then to Client Provisioning > Resources.
Step 5 In the right pane, click +Add and from the menu select Agent resources from
Cisco Site.
Step 6 After a moment, the list should populate. Select the following list of items.
AnyConnectComplianceModuleWindows 4.2.1538.0 or latest 4.2.xxxxx.x
ComplianceModule 3.6.11017.2 or latest 3.6.xxxxx.x
CiscoTemporalAgentWindows 4.5.02036
Step 7 Click Save to start the download process.
Step 8 The Download will take several minutes.
Adding resources to Cisco ISE
Step 9 Navigate to Work Centers > Posture then to Client Provisioning > Resources.
Step 10 In the right pane, click +Add and from the menu select Agent resources from
local Disk.
Step 11 Select the category of Cisco Provided Packages.
Step 12 Click Browse and navigate to your Downloads folder and select
anyconnect-win-4.5.4029.0-webdeploy-k9.pkg and click Open.
Step 13 Click Submit
Step 14 Click Confirm when prompted to confirm the hash.
226 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Step 15 Perform the same operation for the following files. Fill out the form according to
the tables below.
acNAMProfile - Customer Created Agent Resource Package
Attribute Value
Name acNAMProfile
Note The following profile is optional and cosmetic in nature. It is intended to hide the VPN tile
of the AnyConnect client.
Attribute Value
Name acVPNdisableProfile
Attribute Value
AnyConnect
*Name acWinPostureProfile
Agent behavior
IP Address Change
Posture Protocol
Note The discovery host needs to be something that will resolve via DNS to generate traffic
(packets) to hit the url-redirect. That traffic will then be redirected to the supporting ISE
node running the Policy Services persona.
228 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Create the AnyConnect Configuration File.
Step 20 In the right pane, click +Add and from the menu select AnyConnect
Configuration.
Step 21 Create the following configuration.
Attribute Value
ISE Posture [X ]
VPN [ ]
Web Security [ ]
AMP Enabler [ ]
ASA Posture [ ]
Network Visibility [ ]
Profile Selection
VPN acVPNdisableProfile
Web Security
Customer Feedback
Customization Bundle
Localization Bundle
Deferred Update
Installation Options
Activity Verification
You have completed this task when you attain these results:
You have configured Cisco ISE to utilize the Cisco NAC Agent and created an
associated NAC Agent posture profile.
You have configured Cisco ISE to utilize the Cisco AnyConnect Unified Client and
created an associated profile and AnyConnect configuration.
230 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Task 3: Client Provisioning Policies
In this task, you will configure Cisco ISE to provision Cisco posture agents in order to
enforce compliance base access.
Activity Procedure
Complete these steps:
Configuring Client Provisioning Policies.
Step 1 Navigate to Work Centers > Posture > Client Provisioning and then Client
Provisioning Policy.
Step 2 Add two new rules below Android_WPA2_BYOD according to the following
tables.
AC Employee Win All - Client Provisioning Policy Rule
Attribute Value
Attribute Value
Step 3 Verify your configuration with the following screenshot then click Save.
232 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Lab 6-3: Configuring Posture Policies
Complete this lab activity to practice what you learned in the related module.
Activity Objective
In this activity, you will configure some simple Cisco ISE posture policies to provide for a
functional orientation to posture policies. After completing this activity, you will be able to
meet these objectives:
Configure posture conditions
Configure posture mediations
Configure posture requirements
Configure posture policies
Visual Objective
The figure illustrates what you will accomplish in this activity.
Required Resources
Admin PC
ISE-1
AD1
W10PC-Corp
vWLC
Activity Procedure
Complete these steps:
Step 1 Navigate to Work Centers > Posture > Policy Elements and then Conditions >
File.
Step 2 In the right pane, click +Add and create the following three File Conditions.
Caution Be aware of the case of the file name PUTTY. The Cisco NAC Agent file evaluation is
case sensitive but the Cisco AnyConnect is not.
Caution The operator is Later than, not Later than or Equal to. This is a common error in
configuration
Attribute Value
Name PuTTY_Version
Attribute Value
Name Bad_File
Operator DoesNotExist
234 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
File Condition – Good_File
Attribute Value
Name Good_File
Operator Exists
Attribute Value
Name ClamWin_AV_Installed
Vendor ClamWin
Attribute Value
Name ClamWin_AV_Current
Vendor ClamWin
Attribute Value
Name Any_FW_Running
Vendor Any
Wendor Any
Activity Verification
You have completed this task when you attain these results:
You have configured three posture file conditions.
You have configured an antivirus installation condition.
236 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Task 2: Configuring Posture Remediation
In this task, you will configure remediation processes to instruct users on how to handle
systems that do not meet compliance requirements.
Activity Procedure
Complete these steps:
Step 1 Navigate to Work Centers > Posture > Policy Elements and then
Remediations > File.
Step 2 In the right pane, click +Add and create the following File Remediation.
File Remediation – PuTTY_62
Attribute Value
Name PuTTY_62
Version 0.62
Note The File to Upload—c:\tools\good.txt—in the table below does not yet exist on your
system. You will be creating it during the process of browsing for a file to upload.
Follow the procedure in the second table to create the good.txt file.
Attribute Value
Name Good_File
Version 1.0
7. Right-click on good.txt
10. Close the document by clicking on the X in You may alternately perform a File > Save
the upper right-hand corner and when before closing the file.
prompted click Save.
Attribute Value
Name Install_ClamWin_AV
Interval 0
Retry Count 0
URL http://tools.demo.local/updates/clamwin-0.99.1-
setup.exe
Step 8 Click Submit.
Step 9 In the left-hand pane, select Anti-Virus.
Step 10 In the right pane, click +Add and create the following AV Remediation.
238 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
AV Remediation – Update_ClamWin_AV
Attribute Value
Name Update_ClamWin_AV
Interval 0
Retry Count 0
Vendor ClamWIn
Step 11 Click Submit.
Step 12 Edit the default AnyAVDefRemediationWin remediation and change the
Remediation Type from Automatic to Manual and click Save.
Activity Verification
You have completed this task when you attain this result:
You have configured posture remediation actions for users who systems do not meet
compliance requirements.
Activity Procedure
Complete these steps:
Step 1 In the left pane, navigate to Work Centers > Posture > Policy Elements >
Requirements.
Step 2 Edit the Any_AV_Installation_Win requirement and modify the Remediation
Action. Change the Message Text shown to Agent User to the following:
An approved Antivirus program was NOT detected on your PC. All users must
have a current AV program installed before access is granted to the network. If
you would like to install a free version of ClamWin AV, please go to
http://tools.demo.local/updates/clamwin-0.99.1-setup.exe
Tip You may access the following resource from a separate tab in Firefox to copy/paste
message text:
http://tools.demo.local/cp/Posture-Requirements-excercise-6.rtf
Step 3 Add the following Requirements by using the same method as adding policy rules
(Edit down arrow at end of line).
Posture Requirement – ClamWin AV Install Win
Attribute Value
Attribute Value
All users must have ClamWin with current signatures. Please click start
to update the signatures now.
240 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Posture Requirement – PuTTY 62
Attribute Value
Name PuTTY 62
Attribute Value
Attribute Value
Attribute Value
Name Firewall
Step 4 You should have the following requirements at the bottom of your list.
Activity Verification
You have completed this task when you attain this result:
You have configured both the conditions you have previously configured and the
remediation actions into posture requirement configurations.
242 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Task 4: Configuring Posture Policies
In this task, you will configure posture policies that will be utilized in client access
assessments. You will be adding these policies and a disabled state and enabling them in a
later lab.
Activity Procedure
Complete these steps:
Step 1 Navigate to Work Centers > Posture > Posture Policy.
Step 2 Create the following rules.
Note Posture Policy Status is configured by changing the icon at the beginning of the rule.
Note Requirement Status is configured by changing the icon in front of the Requirement
Name.
Status Disabled
Other Conditions -
Mandatory PuTTY 62
Attribute Value
Status Disabled
Status Disabled
Name Guest Windows AV
Identity Groups Any
Operating System Windows All
Compliance Module 4.x or later
Posture Type Temporal Agent
Other Conditions Network Access:UseCase EQUALS Guest Flow
Requirements Status Requirement Name
Mandatory Any_AM_Installation_Win
Optional Any_AM_Definition_Win
Mandatory Firewall
Step 3 Verify your configuration with the following screenshots. Order is not important.
Activity Verification
You have completed this task when you attain this result:
You have configured posture policies based on the elements that you have previously
configured in previous tasks.
244 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Lab 6-4: Testing and Monitoring Compliance
Based Access
Complete this lab activity to practice what you learned in the related module.
Activity Objective
In this activity, you will perform client based access utilizing the previously configured
posture compliance configuration. After completing this activity, you will be able to meet
these objectives:
Perform client access utilizing NAC WebAgent for compliance checking.
Perform client access utilizing the Cisco NAC Agent for compliance checking.
Perform client access utilizing the Cisco AnyConnect Unified Agent for
compliance checking.
Visual Objective
The figure illustrates what you will accomplish in this activity.
Required Resources
These are the resources and equipment that are required to complete this activity:
Admin PC
ISE-1
AD1
W10PC-Corp
vWLC
Command Description
show authentication sessions interface Shows the applied session details for the
GigabitEthernet 1/0/2 detail current session(s) on the indicated
interface.
246 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Task 1: Web Agent Access
In this task, you will use the Cisco NAC Web agent to perform compliance testing and
remediation.
Activity Procedure
Complete these steps:
Web Agent Access with No Policies Enabled
Step 1 Access your Win7-Guest PC and login with the credentials administrator /
1234QWer.
Step 2 Using the icon on the desktop, access the Win7-Guest PC Network
Connections.
Step 3 Enable the NIC, if needed.
Step 4 Open up Firefox and browser to cisco.com. You should be redirected to the
Guest Portal.
Note You may have to clear the auth session on interface gi1/0/2 or perform a shut / no shut.
Step 5 Use one of the accounts that you have created in the sponsor portal during the
guest portal labs. In the case that all accounts are expired, create a new account.
Step 6 Click Continue.
Step 7 Click the checkbox to accept the risk and want to run this application and
click Run.
Step 8 Click +This is what to do next, to start the posture process.
Step 9 Click on the link Click here to download Cisco Temoral Agent.
Step 10 Change to the download directory and double click the executable cisco-win-
4.5.02036-tempagent….exe.
Step 11 Wait a few seconds and click then the Run button.
Step 12 Accept the Certificate is not trusted message, click Connect Anyway.
Step 13 You should see a Network access allowed. Click Quit to close the Cisco
Temportal Agent window.
Step 14 Return to the Cisco ISE admin portal on the Admin PC.
Step 15 Navigate to Operations > RADIUS > Live Logs.
Step 16 Observe the guest PC access flow which first assigns the Authorization Profile
CWA Posture Remediation and then Internet Only with a Posture Status of
Compliant.
Note The following screenshot output is filtered to show only specific information for this task.
Server Policies:
ACS ACL: xACSACLx-IP-acl_internet_only-578cace7
248 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Web Agent Access with Policies Enabled
Step 19 Return to the Cisco ISE admin portal.
Step 20 Navigate to Work Centers > Posture > Posture Policy.
Step 21 Enable the Guest Windows AV rule.
Server Policies:
URL Redirect: https://ise-
1.demo.local:8443/portal/gateway?sessionId=0A01640100000FC991A79356&portal=198
76a32-42a9-11e6-bf0b-
005056803295&action=cwa&token=b88f2f63dfcfa3134b6933859c4e0c6f
URL Redirect ACL: ISE-URL-REDIRECT
ACS ACL: xACSACLx-IP-acl_posture_remediation-578cacae
250 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Step 31 Observe in the Cisco Temporal Agent pop-up that the Host is not compliant
with the network security policy.
Step 32 The Security Compliance Summary contains the details and the required steps to
remediate within the time remaining.
Step 33 Click Start and in the Search for Programs and Files text box, type services and
press Enter
Step 34 Check if the Windows Firewall services is disabled. Open the properties and
change the Startup type to Automatic if needed.
Step 35 Click the Apply button and then click the Start button.
Step 36 Click OK and close the Services window.
Step 37 Open the Control Panel and navigate to All Control Panel Items > Action
Center. Click the button Turn on now next to Network Firewall (Important).
Step 38 Click the Re-Scan button at the bottom of the agent.
Step 39 Observe that the Firewall check now passes.
Step 40 Observe the Temporal Agent, after scanning the System, continues with a
warning message, that your AM isn’t up to date. This message is optional so you
have the choice to update the AM or skip the update.
Step 41 Click Skip All.
Activity Verification
You have completed this task when you attain these results:
You have access the network via guest account and that session has been processed for
compliance via the Cisco NAC Web agent.
You have remediated your compliance requirements based on instructions received via
the Cisco NAC Web agent.
252 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Task 2: AnyConnect Unified Agent Access
In this task, you will use the Cisco AnyConnect Unified Agent to perform compliance
testing and remediation.
Activity Procedure
Complete these steps:
AnyConnect Unified Agent Deployment.
Step 1 Return to the W10PC-Corp.
Step 2 Log in as student / 1234QWer.
Step 3 Open up network settings and enable the NIC if not enabled.
Step 4 Open Services from Windows Administrative Tools in the Start menu.
Step 5 Verify and, if necessary, modify the Wired AutoConfig service to have a startup
type of Automatic and then Start the service.
Step 6 Click OK.
Step 7 Close the services console.
Step 8 Return to the NIC settings and open the properties for the NIC.
Step 9 Click the Authentication tab.
Step 10 Click the Settings button.
Step 11 Uncheck the box to validate the server certificate.
Step 12 Click OK.
Step 13 Make sure the “Remember my credentials…” box is unchecked.
Step 14 Click OK.
Step 15 Restart the client machine using the Start menu and log back in as employee1 /
1234QWer.
Step 16 Open Firefox browser.
Step 17 Browse to http://www.cisco.com, you should be redirected to the Client
Provisioning Portal. Accept any security notices if presented.
Step 18 You should be notified that a Device Security Check is required, click Start.
Step 19 The process will attempt to detect if the AnyConnect Posture Agent is installed.
Once prompted, click + This is my first time here.
Step 20 In the instructions click the hyperlink to Click here to download, install
AnyConnect.
Step 21 Click Save File.
Step 22 Click the file in the download dialog box and will be presented the dialog box -
click Run.
Note If the installation process shows Failed to launch Cisco AnyConnect Secure Mobility
Client Downloader and does not promt for a reboot, proceed by logging off and continue
only if step 30 is not showing up as described, deinstall Cisco AnyConnect Security
Mobility Client, which will include a reboot, and perform the task from Step 20 again.
Step 26 Once the system is back up, login again as employee1 / 1234QWer.
Step 27 Once logged in, AnyConnect will log on via EAP-FAST and the ISE Posture
module will perform a scan. The results will show that the Good File update is
required. Click Start to begin remediation.
254 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Step 29 You will be notified that the save operation was successful and given the
opportunity to open the folder location where the file was saved. Click Cancel.
Step 31 In the live authentications list observe the authentication process of Pending , and
then Compliant after remediation.
Activity Verification
You have completed this task when you attain this result:
You have access the network via an employee account and that session has been
processed for compliance via the Cisco AnyConnect Unified Agent.
You have remediated your compliance requirements based on instructions received via
the Cisco AnyConnect Unified Agent.
256 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Lab 6-5: Compliance Policy Testing
Complete this lab activity to practice what you learned in the related module.
Activity Objective
In this activity, you will examine the effects of a faulty policy and review methods of
identifying and troubleshooting such a policy. After completing this activity, you will be
able to meet these objectives:
Use Posture Reports for troubleshooting
Use the Posture Troubleshooter tool
Visual Objective
The figure illustrates what you will accomplish in this activity.
Required Resources
These are the resources and equipment that are required to complete this activity:
Admin PC
ISE-1
AD1
W10PC-Corp
vWLC
Step 10 Do not remediate; wait for the timer to expire and then continue to the next
task.
Activity Verification
You have completed this task when you attain this result:
You have configured a faulty policy that has resulted in a failed compliance access
attempt
258 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Task 2: Use Posture Reports for Troubleshooting
In this task, you will examine posture reports as a mechanism to troubleshoot compliance-
based access failures.
Activity Procedure
Complete these steps:
Step 1 In ISE, navigate to Work Centers > Posture > Reports and then Reports >
Posture Reports > Posture Assessment by Endpoint.
Step 2 Modify the Time Range from Today to Last 30 Minutes.
Step 3 Click on the Details icon for the failed posture assessment.
Step 4 Scroll to the bottom of the report and observe the Posture Policy Details.
Step 5 Observe that the Failed condition is PuTTY_Version,
Step 6 Also observe that the Bad File, which is in Audit enforcement mode, meaning
transparent to the user, is not in the Passed column either. This check was skipped
because the file checks are done serially one at a time.
Activity Verification
You have completed this task when you attain this result:
You have run a posture report and identified the failing condition.
Activity Procedure
Complete these steps:
Step 1 In ISE, navigate to Work Centers > Posture > Troubleshoot.
Step 2 In the form, click the Select button at the end of the Username field. In the next
pop-up click Search. From the list of Usernames select employee1 and click
Apply.
Step 3 Go to the bottom of the form and click Search.
Step 4 In the results, click the failed result and click Troubleshoot.
260 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Step 6 Observe the details of what passed, what failed in another format.
Activity Verification
You have completed this task when you attain this result:
You have run the posture troubleshooter and identified the failing condition.
Activity Procedure
Complete these steps:
Policy Correction
Step 1 Navigate to Work Centers > Posture > Policy Elements and then Conditions >
File.
Step 2 Edit the PuTTY_Version you modified earlier.
Step 3 Change the file from PUTTTY.EXE to PUTTY.exe (you are removing the
extra ‘T’).
262 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Step 7 Scroll to the bottom and observe that the only failed condition now is the Audit
mode Bad File condition.
Tip This is an effective way of analyzing systems upon access to determine the status of a
program without notifying the user.
Tip One example of using this feature would be to analyze systems for a file or files that are
suspicious. An administrator could determine if the files are on any of the systems, and
then make decisions on how to proceed.
Activity Verification
You have completed this task when you attain these results:
You have corrected the policy configuration. That you introduced at the beginning of
the lab.
You have observed the failed condition that is running an audit enforcement mode.
Activity Objective
In this activity, you will configure Cisco ISE to integrate with a Meraki MDM Cloud. After
completing this activity, you will be able to meet these objectives:
Integrate a MDM into Cisco ISE
Identify Cisco ISE MDM dictionary attributes
Configure Cisco ISE to process access based on external MDM Compliance status.
Visual Objective
The figure illustrates what you will accomplish in this activity.
Required Resources
These are the resources and equipment that are required to complete this activity:
Admin PC
ISE-1
AD1
W10PC-Corp
vWLC
264 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Task 1: MDM Integration
In this task, you will perform the steps necessary to create an external MDM into Cisco ISE.
Activity Procedure
Complete these steps:
Install MDM Certificate
Step 1 Navigate to Administration > System > Certificates > Certificate
Management > Trusted Certificates.
Step 2 Verify there is not a Meraki certificate listed.
Step 3 In Firefox navigate to n192.meraki.com. You might use the prepared bookmark.
Step 4 Click the Lock Icon left from the URL, then click the Arrow on the right side.
Attribute Value
Location C:\Users\Admin\Desktop\Meraki\Meraki_Certificate.crt
266 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Step 12 Click Submit.
Add MDM Server
Step 13 Navigate to Administration > Network Resources > External MDM.
Step 14 In the right pane, click +Add.
Step 15 Fill in the details as shown.
Note You will find the hostname, User Name and Password for copy and Paste in the file
Meraki Server details.txt in the folder Desktop\Meraki\
Attribute Value
Name Meraki_MDM
Port 443
Polling Intervall 15 (ONLY for Lab environment) See Hint in the GUI
Status Enabled
Step 16 Click Test Connection. This should succeed with the following message.
Activity Verification
You have completed this task when you attain these results:
You have installed the Meraki certificate in the trusted Store
You have added your pod Meraki server to Cisco ISE.
You have adjusted the MDM portal.
268 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Task 2: Configuring Cisco ISE Policy for MDM
In this task, you will configure the necessary policy elements to facilitate MDM on boarding
compliant state access.
Activity Procedure
Complete these steps:
Authorization Profiles
Step 1 Navigate to Policy > Policy Elements > Results > Authorization >
Authorization Profiles.
Step 2 Create and Save the following Authorization Profile.
MDM Quarantine Authorization Profile
Common Tasks
Tip Using the Duplicate function for rule creation will speed this process quite a bit.
Attribute Value
Attribute Value
270 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Step 7 Change the name to Reg with ISE AND MDM comp and add the missing
conditions referring to the following table:
Reg with ISE AND MDM comp - Authorization Policy rule
Attribute Value
Tip Due to the complexity and functionality added to the policy by MDM and BYOD, it would
be prudent to add modifiers to the Wireless AD Employees and Wireless AD Contractors
that additionally limits access based on access from a Domain computer. This can be
accomplished by Machine Access Restriction, EAP-Chaining, or Secondary logins.
Disabled Self-Registration
Disabled Hotspot
Enabled Default
Activity Verification
You have completed this task when you attain these results:
You have configured authorization policy elements to support MDM compliance-based
access
You have configured authorization policies to support MDM on boarding and
compliance processing.
272 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
(Optional) Lab 6-7: MDM Access and
Configuration
Complete this lab activity to practice what you learned in the related module.
Activity Objective
In this activity, you will access the Meraki MDM console and review the configuration.
After completing this activity, you will be able to meet these objectives:
Access the Meraki MDM web console
Review the preconfigured MDM policies for your lab
Visual Objective
The figure illustrates what you will accomplish in this activity.
Required Resources
These are the resources and equipment that are required to complete this activity:
Admin PC
ISE-1
AD1
W10PC-Corp
vWLC
Activity Procedure
Complete these steps:
Accessing the MDM Web Interface
Step 1 On your Admin PC, open a new tab in Firefox.
Step 2 Navigate to n192.meraki.com
Step 3 Login with the credentials ccnpsec@flane.de / 1234QWer!
Client and device enrollment
Step 4 Navigate to Systems manger > Monitor > Clients, maybe there are some
devices are registered from other lab pods. Verify that your device isn’t register,
you can regonize this based on the mail address. If you have any problems, ask
your instructor.
Step 5 Click Add devices, you are redirected to Systems manager > MDM > Add
devices
Step 6 Select Android from the choice
Step 7 Read the instructions of methods how to enroll an android device.
From the instructions, locate and write down the enrollment code as this is
needed for the enrollment tasks:
Enrollment code: - -
Application Policy Review
Step 8 Navigate to Systems manager > MDM > Apps.
Step 9 Select and Click the AnyConnect App.
Attribute Value
Platform Android
Description For Android 4.0+ and later devices. Connect to your network
with AnyConnect…
274 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Attribute Value
Devices > Scope Install on devices with ANY of the following tags:
“recently-added” “Android devices”
276 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
(Optional) Lab 6-8: Client Access with MDM
Complete this lab activity to practice what you learned in the related module.
Activity Objective
In this activity, you will perform client access via your pod Tablet with MDM compliance
checking and remediation. After completing this activity, you will be able to meet these
objectives:
Perform mobile device access with Cisco ISE redirecting to an external MDM
Perform mobile device on boarding via Cisco ISE and external MDM
Remediate your mobile device per the external MDM policies
Run Cisco ISE MDM reports
Visual Objective
The figure illustrates what you will accomplish in this activity.
Required Resources
These are the resources and equipment that are required to complete this activity:
Admin PC
ISE-1
AD1
W10PC-Corp
vWLC
Activity Procedure
Complete these steps:
Acitvate Internet Access for the W10PC-Corp
Step 1 In ISE, navigate to Policy > Policy Sets > Wired_MAB_Access.
Step 2 Edit the Default Authorization policy rule from CWA Posture Remediation to
PermitAccess.
Step 3 Click Done and Save.
Activity Verification
You have completed this task when you attain this result:
You provided the W10PC-Corp with Internet access.
278 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
You have removed all Profiles from your pod Tablet and removed cached network
credentials
Activity Procedure
Complete these steps:
Tablet Network Access and BYOD Enrollment
Step 1 Join your pod ##-wpa2e network.
Step 2 Login using the credentials employee1@demo.local / 1234QWer.
Step 3 Open a browser and trigger a redirect with browsing to 1.1.1.1, this should
redirect you to the BYOD onboarding portal
Step 4 Process through the BYOD portal process by clicking Start.
Step 5 Enter the Device Name: employee1_Tablet, Description: My Tablet.
Step 6 Click Continue, click the HOME button and open the preinstalled Cisco
Network Setup Assistant.
Step 7 Click Start.
Step 8 PIN is 1234, install all profiles as before accepting all defaults.
Step 9 Click Exit after “Connected to you pod##-wpa2e” is displayed.
Step 10 Open a browser and browse to cisco.com. This should succeed.
MDM Enrollment
Step 11 Now browse to an internal resource http://tools.demo.local/cp. This should
redirect you to the Meraki Security Manager Setup page.
Note The reason you are able to surf to the outside, is because the session state on the WLC
is WEBAUTH_REQD and the applied ACL is MDM_Quarntine_ACL permits all traffic
except specific traffic to the inside network (line 5) to bypass the WEBAUTH_REQD
Redirect URL function.
Step 16 Click Download on the bottom to the security message to download the app and
if prompted, to replace an existing file.
Step 17 Open the downloaded AndoidSM.apk, click Next and click INSTALL.
280 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Note If you missed clicking open to open the apk, you will find the file in the downloads folder
on the tablet.
Step 18 Click Done after the app install ended successfully or, if the install seems not to
end, wait about 5 minute.
Step 19 Click the HOME button and navigate to Settings > Security > Device
administrators.
Step 20 Click the Meraki Systems Manager, and in the popup confirm to activate the
app as device administrator by clicking ACTIVATE.
Step 21 Click the HOME button and go back to the tab of Meraki SM Registration by
opening the browser again.
282 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Step 28 Click Enroll This Device.
Step 29 Via the menu on the top left, select Managed Apps.
Step 33 Check via the Meraki dashboard > Systems manager > Monitor > Clients and
selecting your tablet, that no apps are missing. Otherwise unenroll the device via
the app on the tablet and then enroll it again.
Step 34 Disable and re-enable WLAN on the tablet. You should automatically connect
to your pod ##-wpae2 SSID.
Note If you are being redirected to the MDM Enrollment procedure, ISE and MDM registration
and compliance negotiation might not be completed yet. Wait a few minutes and check
ISE authentications for applying the WLC_User Access authorization Profile to the
Android device, indicating compliance with ISE registration and the Meraki policy.
Step 38 You are now being granted access to the internal resources:
Authentication Review
Step 39 Return to the Meraki portal in Firefox on the Admin PC.
Step 40 Navigate to System managers > Monitor > Clients.
Step 41 You should see the Android tablet added.
284 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Step 44 Scroll down and identify the device has recently installed AnyConnect.
Activity Verification
You have completed this task when you attain these results:
You have enrolled your pod Tablet as a BYOD device and performed MDM on
boarding.
You have processed through MDM compliance checking and perform the required
remediation.
You have reviewed the authentication records for this access process.
You have run MDM reports Cisco ISE and observed the device status.
Activity Objective
In this activity, you will access the network via an AnyConnect VPN connection and
compliance checking. After completing this activity, you will be able to meet these
objectives:
Configure Cisco ISE to process VPN access
Configure authorization components and policies to support compliance based VPN
access
Configure client provisioning for remote Cisco AnyConnect VPN access
Visual Objective
The figure illustrates what you will accomplish in this activity.
Required Resources
These are the resources and equipment that are required to complete this activity:
Admin PC
ISE-1
AD1
W10PC-Corp
vWLC
W10PC-CoA
ASAv
286 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Command List
The table describes the commands that are used in this activity.
ASAv CLI Commands
Command Description
Copy Copies a file. In this lab you will copy a file to startup-config
Activity Procedure
Complete these steps:
ASAv Preparation
Step 1 From the Admin PC desktop, open ASDM/IDM Launcher.
Step 2 Connection to 10.1.100.4 using the credentials admin / 1234QWer.
Step 3 Navigate to the menu selection Tools > File Management.
Step 4 Verify that anyconnect-win-4.5.04029.0-webdeploy-k9.pkg is present on the
flash.
Attribute Value
Name ASAv
Location HQ
288 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Policy Set Modification
Step 9 Navigate to Policy > Policy Sets.
Step 10 Click the gear icon next to the Default Policy Set.
Step 11 From the Drop-Down Menu select Insert new row above.
VPN_Access VPN Access DEVICE:Device Type EQUALS All Device Default Network Access
Types#VPN
Attribute Value
Name acl_vpn_permit
Attribute Value
Name acl_vpn_remediate
Common Tasks
Common Tasks
290 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
VPN Posture Authorization Profile
Common Tasks
Authentication Policy
Step 19 Navigate to Policy > Policy Sets.
Step 20 In the left pane, click on the VPN_Access policy set.
Step 21 Modify the Authentication Policy.
Step 22 Change the authentication source to All_AD_Join_Points.
Step 23 Add the two following Authorization Rules in order above the Default rule.
VPN Compliant Authorization Policy
Attribute Value
Attribute Value
292 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
acConfigWin_VPN - AnyConnect Configuration
Attribute Value
VPN [X]
Web Security [ ]
ASA Posture [ ]
Profile Selection
VPN <delete>
Web Security
Customer Feedback
Customization Bundle
Localization Bundle
Deferred Update
Installation Options
Attribute Value
Activity Verification
You have completed this task when you attain these results:
You have prepared the ASAv for operation with this lab.
You have added the ASAv as a NAD.
You have created a policy set for VPN access.
You have configured authorization profiles are associated dACL’s
You have configured authorization policies for VPN access.
You have configured Client Provisioning components and policy for VPN based
Postured access.
294 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Task 2: Testing VPN Client Access
In this task, you will test VPN access using the policies that you’ve configured in task 1.
Activity Procedure
Complete these steps:
Step 1 Access your pod W10-CoA PC and login with the credentials student \
1234QWer
Initial VPN Connection
Step 2 From the system tray, Open AnyConnect.
Step 3 For this lab environment, ensure that connections are allowed to untrusted
servers. Click on the cog icon in the lower left corner.
Step 4 On the Preferences tab page, uncheck the Block connections to untrusted
servers.
Step 5 Close this window.
Step 6 Connect to the VPN server asav.demo.local.
Step 7 At the Security Warning pop-up, click Connect Anyway.
Step 8 When prompted for credentials for the ISE_VPN group, use the credentials
employee2@demo.local / 1234QWer.
Step 9 Connect by clicking OK, then select Connect Anyway.
Note If you are not prompted to connect to the ISE_VPN group, notify your instructor.
Step 10 After connection, AnyConnect will receive instruction from the ASAv that an
upgrade is available.
296 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Examine Cisco ISE Authentication Records
Step 12 Return to the Cisco ISE admin portal on the admin PC.
Step 13 Navigate to Operations > RADIUS > Live Logs.
Step 14 Observe the authentication record details for the employee2@demo.local user
who was assigned the VPN Posture authorization profile.
Observe the following highlighted fields indicating that the host that accessed the
network by VPN was profiled. The CiscoAVPair section contains the ACIDex
attributes conveyed by AnyConnect and the ASA. In the Results section, you can
see the URL-Redirect being applied to this session in its current state.
298 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Step 30 After restart, Connect to the VPN as employee2@demo.local / 1234QWer.
Step 31 System Scan will run and you will be presented with the Update Required pop-
up.
Step 32 The results will show that the Good File update is required. Click Start to begin
remediation.
Step 33 Navigate to C:\ create the Test folder, enter the folder and then click Save.
Step 34 You will be notified that the save operation was successful and given the
opportunity to open the folder location where the file was saved. Click Cancel.
Step 35 System Scan will evaluate the system and then determine the system is
compliant.
Activity Verification
You have completed this task when you attain these results:
You have successfully performed a Cisco AnyConnect VPN access and had the
AnyConnect client be upgraded to support compliance checking.
Performed remediation over VPN and reviewed the associated authentication results.
300 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Lab 7-2: Configuring Cisco AMP for ISE
Complete this lab activity to practice what you learned in the related module.
Activity Objective
In this activity, you will configure Cisco ISE to provision Cisco posture agents. The AMP
Enabler will download the AMP for Endpoints connector, formerly known as FireAMP.
Visual Objective
The figure illustrates what you will accomplish in this activity.
Required Resources
These are the resources and equipment that are required to complete this activity:
Admin PC
ISE-1
AD1
W10PC-Corp
vWLC
W10PC-CoA
ASAv
Command Description
copy Copies a file. In this lab you will copy a file to startup-config
302 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Task 1: Configuring the Cisco AMP Cloud
This task requires an AMP for Endpoints administrative login and password.
Activity Procedure
Complete these steps:
ASAv Preparation
Step 1 On the Admin-PC, open Firefox. Connect to https://console.eu.amp.cisco.com/
Step 2 In the top left of the window, click the small green lock symbol.
Step 6 Save the Certificate to the Desktop accepting the default name.
Step 7 Login to AMP for Endpoints. Your Instructor will provide the necessary
credentials.
Step 8 Navigate to Management > Download Connector. Select Group > Audit and
click Show URL.
304 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Step 9 Click Copy URL.
Step 10 On the Desktop of the Admin PC, create a new textfile and insert the URL from
clipboard (CRTL + V). REMOVE the “https://” at the beginning of the link!!
Step 11 Save the file. It should look like the following screenshot.
Step 12 In Cisco ISE Gui, navigate to Administration > System > Certificates >
Certificate Management > Trusted Certificates
Step 13 In the right pane click Import.
Step 14 Browse to the Desktop and select the previously added euampciscocom.crt
certificate.
Step 15 Set FireAMP Cisco Cert as Friendly Name and trust the Certificate for
Authentication within ISE as well as Authentication of Cisco Services.
Activity Verification
You have completed this task when you attain these results:
Connected to the AMP for Endpoints Portal and made the ISE ready to download the
AMP Connector for Windows.
Activity Procedure
Complete these steps:
ASAv Preparation
Step 1 On the Admin-PC, using the Cisco ISE admin interface, navigate to Policy >
Policy Elements > Conditions > Posture > File Condition.Review the
Bad_File condition. If the file is not present, the PC will be deemed Compliant.
Verify your configuration with the screen shot shown.
Step 2 Navigate to Policy > Policy Elements > Results > Posture > Requirements.
Review the Bad File requirement. Verify with the screenshot shown.
306 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Step 6 Click Save.
Activity Verification
You have completed this task when you attain these results:
You have modified a simple file requirement to drive the compliance check on the
endpoint.
Activity Procedure
Complete these steps:
ASAv Preparation
Step 1 Edit the Posture Policy. Navigate to Policy > Policy Elements > Results >
Client Provisioning > Resources.
Step 2 Select and edit the acWinPostureProfile posture agent Profile
Step 3 Scroll down to the Posture Protocol section of the template, delete the
“tools.demo.local” as Discovery host entry and set the Server Name Rules field
to *. Save your configuration.
Configure an AMP Profile. AMP Profiles contain a pointer to the location of the AMP
Connector for Windows Installer (as downloaded earlier from the AMP Cloud to the AD
Server).
Step 4 Navigate to Policy > Policy Elements > Results > Client Provisioning >
Resources.
Step 5 Add a new AMP Enabler Profile named AMPwinProfile as shown in the figure
below.
Step 6 For the Windows Installer URL insert the URL from your previously created
textfile on the Desktop.
Step 7 Click Check next to the inserted link. File found must show up!
308 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Step 8 Submit your configuration when finished
Step 9 Modify the AnyConnect Configuration to tie together the components that must
be installed on the endpoint to allow for authorization to access network
resources.
Step 10 Navigate to Policy > Policy Elements > Results > Client Provisioning >
Resources.
Step 11 Select and edit the acConfigWin AnyConnect configuration.
Step 12 Additional, select the AnyConnect module AMP Enabler.
Activity Verification
You have completed this task when you attain these results:
You have assigned a Client Provisioning Policy that utilizes an AnyConnect
Configuration profile that references:
− The AnyConnect Compliance Module
− Profiles defined for AMP additionally.
You have configured an Authorization policy that will be used to drive the state of
a connecting endpoint to Compliant, and assigned this profile to an authorization
rule.(done in previous labs)
310 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Task 4: Enabling and Provisoning TC-NAC Services
In this task, you will configure Cisco ISE for Threat-Centric NAC. You will configure the
AMP Adapter that will be used by ISE to interface with the AMP Cloud.
Activity Procedure
Complete these steps:
ASAv Preparation
Step 1 Enable TC-NAC Services under Administration > System > Deployment >
Edit Node. Check the Enable Threat Centric NAC Service check box under
Policy Service. This selection will add the Threat Centric Menu Options to the
ISE GUI under Administration. Save your configuration.
Step 2 To configure the AMP Adapter, navigate to Administration > Threat Centric
NAC > Third Party Vendors > Add. Add a vendor instance for AMP. Save the
instance.
Note This process can take several minutes to start up before allowing you to continue.
Step 3 Once the required fields are added, the instance status will transition to Ready to
Configure. Click this field to begin the AMP adapter configuration. Click Next
to bypass the proxy configuration screen.
Step 5 Click the AMP link under SAS External URL. You will then be required to log
in to the AMP for Endpoints account as an administrator. Your instructor will
provide your credentials.
312 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Step 6 Click Allow in the Applications panel to authorize the Streaming Event Export
request.
Step 7 You will be returned to the Cisco ISE Admin portal, click Finish, and verify the
AMP Instance is Connected to the cloud, and is Active. It may take a couple of
minutes to connect.
Activity Verification
You have completed this task when you attain these results:
You have enabled and provisioned Threat Centric NAC services.
Activity Procedure
Complete these steps:
Step 1 Access the W10PC-Corp PC
Step 2 Restart the PC and then log in as demo\employee1 / 1234QWer.
Step 3 Wait for the AnyConnect System Scan to show up the waring about the Bad File
found.
Step 4 Open windows explorer and delete the virus.txt under C:\test\ you created in an
earlier lab.
Step 5 Click Start to recheck with the requirements. You should now be compliant.
Step 6 Then, the AMP Enabler module should start downloading and installing AMP
for Endpoints. See the following screenshots for the procedure:
314 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
© 2018 Fast Lane Lab Guide 315
Step 7 Open a browser and attempt to connect to any website. You should be successful.
Step 8 In Cisco ISE live log, observe the employee1 on the W10PC-Corp went through
the AD Posture Assessment Authorization Profile again and was granted Wired
AD Employees finally.
Activity Verification
You have completed this task when you attain these results:
Verified provisioning of AMP for Endpoints on the client PC.
316 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Lab 8-1: Cisco ISE Integrated Solutions with APIs
Complete this lab activity to practice what you learned in the related module.
This lab covers integration between Cisco Web Security Appliance (WSA) and Cisco
Platform Exchange
Grid (pxGrid). In this lab, you will generate Certificate Signing Requests (CSR) on all the
digital certificates that are required for ISE, pxGrid, and HTTPS proxy. You will also
perform configuration tasks on the Cisco Web Security Appliance (WSA) and register the
WSA as a pxGrid client to Cisco ISE. Also, you will download the Security Group Tag
(SGT) information. You will create a decryption policy and a web access policy.
Activity Objective
In this activity, you will configure Cisco ISE to for backup and examine the process to
patch. After completing this activity, you will be able to meet these objectives:
Configure Cisco ISE backups
Patch a Cisco ISE instance
Visual Objective
The figure illustrates what you will accomplish in this activity.
Required Resources
These are the resources and equipment that are required to complete this activity:
Admin PC
AD1
ISE-1
WSA
Activity Procedure
Complete these steps:
Configuring Repositories.
Step 1 From Admin PC, log in to ISE using admin / 1234QWer.
Step 2 Inspect the existing system certificate. Navigate to Administration > System >
Certificates > System Certificates. Select ise-1 Admin Cert and then Edit.
Note The certificate has a wildcard SAN – DNS: *.demo.local. Wildcard certficates cannot be
used for pxGrid and REST API operations.
318 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Step 4 Click Generate.
Step 5 Click OK on Successfully generate CSR(s) pop-up to close it.
Step 6 Select ise-1#pxGrid > View > CSR Contents.
Step 7 Select all (Ctrl + A) and copy (Ctrl + C) everything in between starting from -----
BEGIN CERTIFICATE REQUEST---- to the end of -----END
CERTIFICATE REQUEST----- .
Step 8 Click Close.
Step 9 Using Firefox, Go to http://ad1.demo.local/certsrv and login as administrator /
1234QWer.
Step 10 Select Request a certificate > Advanced Certificate Request, and paste (Ctrl +
V) the copied text from the previous into the text box for Base-64-encoded
certificate request.
Step 11 Select the pxGrid certifiacte template and click Submit.
320 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Task 2: Preparing the Cisco WSA
The Cisco WSA needs to be configured for network and Cisco ISE operation. The System
Wizard from the WSA will be used to configure these parameters. The HTTPS proxy will
be enabled for website decryption to deny employees from accessing Facebook. WCCPv2
will also be configured.
Activity Procedure
Complete these steps:
Configuring Repositories.
Step 1 From the Admin PC, using Firefox, browse to the WSA admin portal at
http://10.1.100.30:8080.
Step 2 Accept the Security warning by clicking Advanced > Add Exception and then
Confirm Security Exception.
Step 3 Log in with the default credentials admin / ironport.
Step 4 Navigate to System Administration > System Setup > System Setup Wizard >
System Settings. Set the Default System Hostname to wsa.demo.local and
update the NTP server to ntp.demo.local, as time.sco.cisco.com is not reachable
from this lab network. Leave the rest of the settings at their defaults: (hostname,
DNS server, timezone, application mode of operation).
Step 12 For the Security Settings, leave all settings at their defaults. Then click Next.
Step 13 Review your configuration and then click Install This Configuration.
322 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Step 14 Log in to the WSA with the new admin password !234QWer.
Step 15 Navigate to Security Services > Proxy Settings > HTTPS Proxy.
Step 16 Click Enable and Edit Settings… > HTTPS Proxy License Agreement. Then
click Accept.
Step 17 Under HTTPS Proxy Settings > Enable HTTPS Proxy > Root Certificate for
Signing, Select Use Generated Certificate and Key.
Step 18 Click Generate New Certificate and Key, use the parameters from the figure
below. Then click Generate.
324 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Step 26 At the end of the .pem-file, copy (CRTL+C) everything in between starting from
-----BEGIN CERTIFICATE REQUEST---- to the end of -----END
CERTIFICATE REQUEST-----, like the following figure shows.
Step 27 Open a new browser tab and go to Microsoft Active Directory Services
(http://ad1.demo.local/certsrv) and login as administrator / 1234QWer.
Step 28 Click Request a certificate > advanced request, and paste the copied
information into the text box for Base-64-encoded certificate request.
Step 29 Select Certificate Template Subordinate Certificate Authority as the WSA
HTTPS proxy will generate certificates for various sites to decrypt the
connections.
Step 30 Click Submit.
Step 31 Select Base 64 encoded and then Download Certificate.
Step 32 Rename the downloaded certnew(1).cer to WSA_HTTPS_proxy.cer.
Step 33 Open the certificate, go to details, and confirm SubCA being the certificate
template.
326 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Step 50 Click Submit at the bottom of the page (new Success at the top of the page).
Step 51 Select Commit Changes > Commit Changes.
Step 52 Navigate to Network > Transparent Redirection.
Step 53 Click Edit Device… . From the Type drop-down menu, select WCCP v2
Router. Then click Submit.
Activity Verification
You have completed this task when you attain these results:
Run WSA Setup Wizard and change admin credentials
Enable HTTPS proxy, and generate CSR request for a signed-CA cert
Enable “Decrypt for Website Application”
Configure WCCPv2
Configure 3k-access switch for WCCPv2
328 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Task 3: Configuring Security Groups, Authorization Policy,
and Enabling pxGrid on ISE
Cisco TrustSec Security Groups can be used to enforce network access. Two Security Groups
(Employees and Guests) will be used and assigned to ISE authorization rules. They will
differentiate between 802.1X authenticated employees and unauthenticated guests.
In the later exercises, the WSA will subscribe to the TrustsecMetaData pxGrid capability and
download the SGT information. WSA identification profiles, and web security access
policies, will be created to deny Facebook access for users who are tagged as Employees. It
will also allow nonrestricted Internet access for those users who are tagged as Guests.
ISE will also be configured for pxGrid operation.
Activity Procedure
Complete these steps:
Configuring Repositories.
Step 1 If needed, log back in to ISE as admin / 1234QWer.
Step 2 Navigate to Work Centers > TrustSec > Components > Security Groups.
Step 3 The right-hand pane shows a list of built-in entries. You will use two security
groups from the list, Employees and Guests.
Step 4 Navigate to Policy > Policy Set.
Step 5 In the Wired_8021X_Access policy set, edit the Wired AD Employees
authorization Policy. Delete the Session:PostureStatus condition and add the
Security Group Employees as Permission.
Note It takes up to 10 minutes to see Connected to pxGrid. You may monitor the progress via
the ISE admin CLI using the command show application status ise, and by clicking
various psgrid debug logs.
Step 14 Click Settings tab and enable Automatically approve new accounts and click
Save. Answer Yes in the pop-up info dialog Are you sure you want to save
settings.
Activity Verification
You have completed this task when you attain these results:
Reviewed two existing Security Groups: Guests and Employees.
Created an authorization policy for each security group to assign users and hosts
to the SGTs.
Enabled the ISE node for pxGrid operation.
330 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Task 4: Enabling pxGrid on WSA
Cisco pxGrid requires that a pxGrid client, such as WSA, to present a client digital certificate
to secure connections to the ISE pxGrid controller. It is best practice to use an enterprise CA
to sign certificates for both the pxGrid client and the ISE pxGrid node. In previous section,
ISE pxGrid controller has been configured with a CA-signed pxGrid certificate. Please note
that pxGrid certificates use a customized template containing an EKU for both client
authentication, and server authentication.
Activity Procedure
Complete these steps:
Configuring Repositories.
Step 1 If needed, reopen the WSA URL, https://10.1.100.30:8443.
Step 2 Go to System Administration > Log Subscriptions.
Step 3 Click accesslogs. Under Custom Fields (optional), add %m.
332 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Step 29 Under Primary ISE Monitoring Node Admin Certificate, click Browse…, select
the root-CA.cer > Open > Upload Files.
Step 30 Delete “admin” under Secondary ISE pxGrid Node (optional), if present.
Otherwise the Test will fail.
Step 31 Scroll to the bottom and under Test Communication with ISE Server, choose
Start Test. You should see that all tests completed successfully.
Note If the connection to the ISE pxGrid server timed out, check ISE pxGrid Services page to
see whether it is waiting for approval on the pxGrid client registration.
Note This may take a moment to show. Click Refresh to monitor the progress.
Activity Verification
You have completed this task when you attain these results:
Created ISE customized accesslogs.
Generated the WSA CSR certificate request for CA-signed cert to be used as
pxGrid client.
Registered WSA to ISE pxGrid node and subscribed to Session and
TrustsecMetadata Capability.
334 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Task 5: WSA Identity and Access Policies (Optional)
The WSA will use the Identification profiles to identify users who are authenticated with ISE
and associate them to the Security Group Tags (SGT). The WSA access policies then
determine the corporate web security profiles based on these SGTs. In this exercise, an
identification profile will be created for ISE. A WSA access policy will be created to deny
802.1X authenticated users who are tagged as Employees from accessing Facebook.
Activity Procedure
Complete these steps:
Configuring Repositories.
Step 1 If needed, reopen the WSA URL, http://10.1.100.30:8080.
Step 2 Navigate to Web Security Manager > Authentication > Identification
Profiles.
Step 3 Click Add Identification Profile….
Perform the following changes:
Client / User Identification Profile Settings Name: ID by ISE.
User Authentication Methods > Identification and Notification, select
Transparently identify users with ISE.
Fallback to Authentication Realm or Guest Privileges: select Block
Transactions.
336 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Step 10 Scroll down and click Done.
Step 11 Click Submit. You should see the following:
Step 12 Click (global policy) in the URL Filtering section for ISE Corp Access to
override the default URL Filtering for ISE Corp Access.
Step 13 Under Predefined URL Category Filtering, select Social Networking for
Block
Step 15 Click (global policy) in the Applications section for ISE Corp Access to
override the default Applications policy for ISE Corp Access.
Step 16 Under Edit Application Settings, select Define Applications and Custom
Settings from the drop-down.
Step 17 Under Application Settings, scroll to Facebook. Select Edit all, then Select
Block.
Step 18 Click Apply and then Submit. You should then see the following:
338 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Activity Verification
You have completed this task when you attain these results:
Created an Identification Policy Profile for ISE.
Created a Web Access policy to deny users who are tagged as Employees from
Facebook access, and added a URL Filtering- Block Social Network, and an
Applications- Block Facebook policy.
Activity Procedure
Complete these steps:
Configuring Repositories.
Step 1 On the Admin PC, access the 3k-access switch. If prompted, enter credentials
admin / 1234QWer.
Step 2 Enter the following configuration commands.
terminal monitor
Server Policies:
ACS ACL: xACSACLx-IP-acl_employee-587e4b26
SGT Value: 4
Step 6 On the W10PC-Corp, open Internet Explorer (Firefox will not work due to
HSTS).
Step 7 In IE, open the webpage https://www.facebook.com. As IE cannot validate the
WSA certificate you will be prompted with a security warning. Read the
following note:
340 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Note In a real enterprise environment you would add the WSA_HTTPS_proxy certificate to a
trusted certificate store in the domain PKI, which will be enrolled to the domain
computers certificate store, which is used by IE for validation. The WSA certificate would
then be trusted as a CA and the https-website would open with a certificate issued by the
WSA. For Firefox you would need to enroll the certificate manually into the certificate
store of Firefox to be trusted as CA.
Step 8 Click Continue to this website to trust the wsa-https certificate for the session.
Step 10 Also note that the site certificate is wildcard and issued by WSA HTTPS Proxy:
Click on Certificate Report right next to the address field and in the popup click
View certificates.
Step 12 From the Admin PC, use PuTTY to open a SSH connection to the WSA
(10.1.100.30). Log in as admin with the password !234QWer.
Issue in turn the commands: ”isedata”, “cache”, “show”. Note the IP-Name-SGT
mapping.
342 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Step 13 Log in to the WSA admin web portal at http://10.1.100.30:8080.
Step 14 Navigate to System Administration > Policy Trace.
Step 15 Select ISE as Authentication / Identification.
Step 16 Enter the URL https://www.facebook.com and Client IP address <W10PC-
Corp’s IP address>.
Activity Verification
You have completed this task when you attain these results:
Performed no shut on the switch access and monitored the results.
Performed a Login as employee and accessed Facebook.
Checked the certificate to verify that Facebook was blocked.
344 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Lab 9-1: Configure TACACS+ for Cisco ISE for
Basic Device Administration
Complete this lab activity to practice what you learned in the related module.
Activity Objective
Device administration in ISE involves controlling network administrator access to network
devices. Network administrators often have different levels of access to different network
equipment, depending on their role. Most organizations prefer to centralize the control and
maintenance of this function. The TACACS+ function of Cisco ISE enables this central
control. Through TACACS Live Logs and reports, ISE provides centralized monitoring,
reporting, and troubleshooting of an organization’s network administration. In this lab, you
will configure ISE for basic Device Administration of IOS devices.
You will begin by configuring the policy elements that are required for network device
administration.These policy elements will then be used in the basic authentication and
authorization policies, which you will create. Of course, each Network Access Device
(NAD) must be configured to support TACACS+, and so you must configure the required
AAA commands to fulfill this need. You will then log in with different users to validate both
your authentication policies, and your authorization policies. You will know that you have
granular control of not only who can access your network devices, but also what they can do.
Visual Objective
The figure illustrates what you will accomplish in this activity.
Required Resources
These are the resources and equipment that are required to complete this activity:
Admin PC
AD1
ISE-1
Activity Procedure
Complete these steps:
Configuring Repositories.
Step 1 Access the Admin PC and connect to the ISE GUI via https://ise-1.demo.local.
Step 2 To enable device administration, navigate to Administration > System >
Deployment. Edit the ISE node by clicking on ise-1. Under General Settings,
enable the Device Admin Service and Save the settings.
346 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Step 4 Select and edit the 3k-access switch.
Step 5 Scroll down, enable TACACS Authentication settings with the shared secret
1234QWer.
Step 9 Add a second profile named “Privilege_Level_15”, with a default privilege level
of 1 and maximum privilege level 15. Click Submit.
Step 16 Next, edit the Authentication Policy to use All_AD_Join_Points as the Identity
Store.
Step 17 Click Done.
348 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Step 18 Next, insert a new authorization policy above the Default authorization policy.
Configure this new rule according to the chart below.
Attribute Value
Attribute Value
Step 21 Click Save and check your work against the example below.
Step 22 To configure switch, access the 3k-access switch console, and enter the
commands that are shown below. You can find a textfile for copy and paste under
http://tools.demo.local/cp as tacacs-switch-config.txt
conf t
tacacs server ISETAC
address ipv4 10.1.100.21
key 1234QWer
exit
aaa group server tacacs+ myTplusServers
server name ISETAC
exit
aaa authentication login MyTplus group myTplusServers local
aaa authorization exec MyTplus group myTplusServers local
aaa authentication enable default group myTplusServers enable
aaa accounting exec default start-stop group myTplusServers
line vty 0 4
login authentication MyTplus
authorization exec MyTplus
end
wr
350 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Step 23 To test various users, return to your Admin PC, and use PUTTY to open a SSH
session to 3k-access switch (10.1.100.1)
Login using the credentials contractor1 / 1234QWer. This should
succeed.
Type enable to get higher privilege. When prompted for a password,
enter 1234QWer. This authentication fails, according to the policy you
created. In ISE, navigate to Opertations > TACACS >Live Logs for
verification.
Open another Putty SSH session to the 3k-access switch (10.1.100.1) and
login using employee1 / 1234QWer. This should succeed.
Type enable to get higher privilege. When prompted for a password,
enter 1234QWer. This authentication succeeds, according to the policy
you created.
If you like, you can enter the show privilege command to verify your
privilege level is 15.
Step 25 For the failed contractor entry, click the Details icon, as shown above. You can
analyze the details of each session. Some of the more pertinent information
includes the Authorization details, as shown below.
Activity Verification
You have completed this task when you attain these results:
You have enabled device administration on the Cisco ISE.
You have configured a new Network Device Group (NDG).
You have modified a NAD definition in Cisco ISE to accommodate device
management.
You have added new TACACS+ Profiles to accommodate unique privilege levels.
You have created a new device admin policy set that uses differentiates between
employee and contractors, assigning the profiles that you created, as appropriate.
You successfully tested access control policy with employee and contractor user
accounts.
352 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Lab 9-2: Configure TACACS+ Command
Authorization
Complete this lab activity to practice what you learned in the related module.
Activity Objective
In this exercise, you will configure TACACS+ command authorization and bind these
commands to a device administration policy. Privilege-level authorization associates
commands with privilege levels, per network device. ISE can then apply the default and
maximum privilege level to a user upon log in. Privilege level authorization requires each
device be configured with privilege levels and command sets (overriding the default privilege
levels). TACACS+ command authorization centralizes the administration of commands to be
allowed or denied. When TACACS+ command authorization is enabled, each command that
is entered on a device is authorized against the TACACS+ service.
You will begin this lab by configuring TACACS Command sets. Then you will modify the
authorization policy to use these command sets. You will modify the switch configuration to
support command authorization, and then test the various users to check their access levels.
Visual Objective
The figure illustrates what you will accomplish in this activity.
Required Resources
These are the resources and equipment that are required to complete this activity:
Admin PC
AD1
ISE-1
Activity Procedure
Complete these steps:
Configuring Repositories.
Step 1 Navigate to Work Centers > Device Administration > Policy Elements >
Results > TACACS Command Sets. You are about to create two command sets,
one with full access, and one with limited access to a specific set of commands.
Step 2 Click Add to create a new command set. Configure the name as
Permit_All_Commands, and click the checkbox for Permit any command that
is not listed below.
permit ping
Note Click the Add button to add each command. After entering each command, make sure to
click the checkmark at the end of the line to save the command.
354 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Step 5 Validate your work against the example that is shown below.
Step 7 Navigate to Work Centers > Device Administration > Device Admin Policy
Sets > Wired_Devices.
Step 8 Modify the rule named Contractor_Privilege_1.
Step 9 Click the into the Command Sets box, and choose Limited_Access.
Step 10 Click the down-arrow in the Shell Profiles box, and choose Privilege_Level_15.
Note Although the contractors now have access to privilege level 15, they are limited to the
commands specified in the assigned command set.
Step 16 Close the PuTTY session and open a new PUTTY SSH session to 3k-access.
Login using the credentials contractor1 / 1234QWer.This should
succeed.
Type enable. When prompted, enter the password “1234QWer”.
Notice that this access now succeeds, because you modified the
authorization policy to apply the Privilege_level_15 shell profile.
Execute the following commands and observe which commands pass and
fail.
o show privilege
o show running-config
o ping 10.1.100.10
o show interface (should not succeed)
o configure terminal (should not succeed)
Check the Live Logs to see the information for command passes and failures.
Click a Details icon if you would like to see more information about any failures.
Step 17 Open another PuTTY SSH session to the 3k-access switch and login using the
credentials employee1 / 1234QWer. This action should succeed.
Type enable to gain a higher privilege level. Use 1234QWer as the
enable password. This action should succeed, as it did in the previous lab.
Execute the same commands as per Step 12. You should notice that
employee1 can execute all the commands.
356 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Task 2: TACACS+ Features
This task is focused on two additional TACACS features:
1. Login authentication and enable authorization differentiation: Sometimes an
organization will choose to use different identity stores for login and enable. For
example, for device login, the organization may choose to use existing Active
Directory credentials, minimizing the administrative burden of creating new
credentials. For network administrators who need a higher level of access through
enable, the organization may want to manage the enable passwords via the ISE
internal user database or one-time passwords. This lab uses ISE internal users. These
users are pre-configured.
2. CLI Password change: TACACS+ supports inline password changes by the network
administrator. The network administrator can invoke this functionality by just hitting
return when prompted for a password.
Activity Procedure
Complete these steps:
Configuring Repositories.
Step 1 To enable login authentication and authorization differentiation, modify the
authentication policy to use different ID stores for login and enable. Navigate to
Work Centers > Device Administration > Device Admin Policy Sets >
Wired_Devices.
Step 2 Select the Wired_Devices Policy Set.
Step 3 Observe the Authentication Policy default rule.
Step 4 Click the gear icon of the Default Rule and insert a new rule above the default
rule.
Step 5 Create a new authentication policy rule as defined below.
Attribute Value
Step 11 For TACACS+ password change ability, open a new PUTTY SSH session to the
3k-access switch. Log in as employee1 / 1234QWer. When asked for enable
password, press Enter. You will be prompted for old password Cisco123,
followed by the new password 1234QWer.
358 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Step 12 Close this PUTTY session.
Step 13 Launch another PuTTY SSH session to the 3k-access switch and log in as
employee1 / 1234QWer.
Try using the old enable password Cisco123. This password should fail.
Try the password that was defined in Step 6. This password should now
succeed.
Step 14 Check the TACACS Live Logs to see the login fail and pass.
Activity Verification
You have completed this task when you attain these results:
You have configured TACACS command sets to differentiate user access.
You have modified the authorization policy to use the new command sets.
You have configured the switch for command authorization
You have tested various users to check their access levels
You have validated the ability to change passwords
Activity Objective
In this activity, you will configure Cisco ISE to for backup and examine the process to
patch. After completing this activity, you will be able to meet these objectives:
Configure Cisco ISE backups
Patch a Cisco ISE instance
Visual Objective
The figure illustrates what you will accomplish in this activity.
Required Resources
These are the resources and equipment that are required to complete this activity:
Admin PC
AD1
ISE-1
360 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Task 1: Configuring Backups
In this task, you will configure Cisco ISE to perform backups.
Activity Procedure
Complete these steps:
Configuring Repositories.
Step 1 In the Cisco ISE admin portal navigate to Administration > System >
Maintenance and then Repository.
Step 2 In the right-hand pane, click +Add.
Step 3 Create the following Repository.
Admin_PC - Repository Configuration
Attribute Value
Repository Configuration
Protocol FTP
Location
Path /
Credentials
Password 1234QWer
Attribute Value
Name Backup_CFG
Repository Admin_PC
Frequency Weekly
At Time 12:00AM
On Day Sunday
Step 8 Verify your configuration with the following screenshot and then click Save.
362 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Monitoring Database Backup Configuration.
Step 9 On the same screen in Backup & Restore, click Schedule under Schedule
Backup > Operational Data Backup.
Step 10 Configure the following Backup Configuration Schedule.
Backup_CFG – Schedule Configuration Backup
Attribute Value
Name Backup_MnT
Repository Admin_PC
Frequency Daily
At Time 02:00AM
Step 11 Verify your configuration with the following screenshot and then click Save.
Note Your instructor will notify you if there is a patch file to install and where it is located.
Step 18 You would then click Install. Cisco ISE would then upload the file via the
browser and process the patch. All services would be stopped and then restarted.
Note Patching is a maintenance window operation. All functional services are stopped and
restarted.
Activity Verification
You have completed this task when you attain these results:
You have configured the repository for Cisco ISE.
You have configured the configuration database backup
You have configured the monitoring database backup
You have reviewed the process to patch Cisco ISE.
364 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
(Optional) Lab 9-4: Configuring Administrative
Access
Complete this lab activity to practice what you learned in the related module.
Activity Objective
In this activity, you will configure administrative access settings for Cisco ISE. After
completing this activity, you will be able to meet these objectives:
Ability to control administrative access to Cisco ISE
Configure administered of access and authorization for administrative session
Visual Objective
The figure illustrates what you will accomplish in this activity.
Required Resources
These are the resources and equipment that are required to complete this activity:
Admin PC
AD1
ISE-1
Activity Procedure
Complete these steps:
Session Settings
Step 1 Navigate to Administration > System > Admin Access and then Settings >
Session.
Step 2 The Session Idle Timeout range is 6 to 100 minutes.
Step 3 Click the Session Info tab.
Step 4 You should see your current session.
Step 5 Open Google Chrome, login to the ISE admin portal and open the Live Logs.
Step 6 Return to Firefox and click Refresh in the upper right section above the toolbar.
Step 7 Select your session and then attempt to click Invalidate. You are not able to
invalidate your own session.
Step 8 Select the new session and click Invalidate and confirm you want to invalidate
this administrative session by clicking OK.
Step 9 Return to Google Chrome and attempt to navigate anywhere in the portal. You
will be returned to the login screen.
Step 10 Close Google Chrome browser and return to Firefox.
Access Settings
Step 11 In the left pane navigate to Admin Access > Settings > Access.
Step 12 Observe the ability to limit concurrent sessions and configure pre and post login
banners for bot GUI and CLI access.
Step 13 Click the IP Access tab.
Step 14 Select Allow only listed IP addresses to connect.
Step 15 In the IP List section click +Add.
Step 16 In the pop-up form enter 10.1.100.0 for the IP Address and 24 for the netmask in
CIDR format.
Step 17 Click OK and click Save.
Activity Verification
You have completed this task when you attain these results:
You have configured administrative access session settings.
You have invalidated an administrative session.
You have configured IP access restrictions for administrative sessions.
366 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Task 2: Administrator Access and Authorization
In this task, you will configure administrative access to the Cisco ISE admin portal.
Activity Procedure
Complete these steps:
Microsoft Active Directory Integration
Step 1 Navigate to Administration > System > Admin Access and then
Authentication.
Step 2 In the right pane, for password access, select the Identity Source AD:demo.local.
Step 3 Click Save.
Create AD Shadow Account
Step 4 In the left pane, navigate to Admin Access > Administrators > Admin Users.
Step 5 In the right pane, click +Add and select Create an Admin User.
Step 6 For the Name type ITAdmin.
Step 7 Delete the contents from the Email field.
Step 8 Select the External Box.
Step 9 Scroll down and select the Admin Group Super Admin.
Step 10 Click Submit.
Link External AD Group to Super Admins
Step 11 In the left pane, navigate to Admin Access > Administrators > Admin Groups.
Step 12 From the list, Edit the Super Admin group.
Step 13 Add External to the Type.
Step 14 In the External Groups drop-down, select demo.local/HCC/Groups/IT Staff.
Step 15 Scroll down and click Save.
Creating AD Permission Sets
Note It’s possible to create purely external administrative groups. New External groups require
additional configuration.
Step 16 In the left pane, navigate to Admin Access > Administrators > Admin Groups.
Step 17 Click +Add in the right pane tool bar.
Step 18 Enter the Name AD Staff.
Step 19 Configure the type to only be External.
Step 20 In the External Groups drop-down, select demo.local/HCC/Groups/Staff.
Step 21 Click Submit.
Creating an External Group RBAC Policy
Data Access
Step 22 In the left pane, navigate to Admin Access > Authorization > Permissions >
Data Access.
Step 23 In the right pane, click +Add.
Note Select only the items listed above. Do not assign Show privileges to Operations,
Administration, only the indicated sub-menu.
Attribute Value
Permissions AD_Staff_Menu
Step 36 Verify your configuration with the following screenshot and then scroll down and
click Save.
368 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Step 39 For the Name type Admin1.
Step 40 Clear the Email field.
Step 41 Select the External Box.
Step 42 Scroll down and select the Admin Group AD Staff.
Step 43 Click Submit.
Activity Verification
You have completed this task when you attain these results:
You configure Cisco ISE to authenticate administrative access via Active Directory
You have created the shadow account Cisco ISE that is linked to an external Active
Directory account.
You have modified the Super Admin’s account to include a specific Active Directory
group.
You have created a custom Active Directory permissions set.
You have called the entire process of creating an external RBAC policy
Activity Procedure
Complete these steps:
Step 1 To make the process easier by maintaining your existing administrative session in
Firefox, open Googel Chrome browser.
Step 2 Navigate to the URL https://ise-1.demo.local.
Step 3 On the login page, select the Identity Source demo.local.
Step 4 Use ITAdmin as the Username with the password 1234QWer.
Step 5 Click Login.
Step 6 Observed that you have full super admin access to the entire Cisco ISE admin
portal.
Step 7 In the upper right click Logout.
Step 8 Re-login using the credentials Staff1 / 1234QWer.
Step 9 Observed that the Cisco ISE admin portal is limited to just Home and
Operations > RADIUS.
Activity Verification
You have completed this task when you attain this result:
You have successfully logged in to Cisco ISE with Active Directory credentials.
You have successfully observed the RBAC restrictions in the Cisco ISE admin
portal interface.
370 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
(Optional) Lab 9-5: Review of General Tools
Complete this lab activity to practice what you learned in the related module.
Activity Objective
In this activity, you will review some of the diagnostic tools available via the Cisco ISE
admin portal. After completing this activity, you will be able to meet these objectives:
Run the RADIUS Authentication Troubleshooting tool
Perform a TCPDump traffic capture on Cisco ISE.
Visual Objective
The figure illustrates what you will accomplish in this activity.
Required Resources
These are the resources and equipment that are required to complete this activity:
Admin PC
AD1
ISE-1
Activity Procedure
Complete these steps:
Step 1 Return to the Cisco ISE admin portal in Firefox.
Step 2 Navigate to Operations > Troubleshoot > Diagnostic Tools and then General
Tools > RADIUS Authentication Troubleshooting.
Step 3 Examine the troubleshooting form and the available fields.
Step 4 Click the Select button at the end of the NAS IP line.
Step 5 In the pop-up, clock Search
Step 6 Select 10.1.100.1 from the criteria list and click Apply.
Step 7 Change the Authentication Status drop-down to Fail.
Step 8 Change the Time Range drop-down to Last7 days.
Step 9 Click Search.
Step 10 Select any Failure Reason.
Step 11 Scroll down and click Troubleshoot.
Step 12 When presented, click Show Results Summary.
Step 13 Examine the presented data expanding lines in the Troubleshooting Summary if
possible.
Step 14 At the bottom click Show Progress Details and you are returned to the overview.
Step 15 Click Done to close the this troubleshooting session.
Activity Verification
You have completed this task when you attain this result:
You have run the RADIUS Authentication Troubleshooting tool using the selected
parameters.
372 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Task 2: TCPDump
In this task, you will use the TCPDump functionality in Cisco ISE to capture RADIUS
traffic that is seen by the Cisco ISE interface GigabirEthernet0.
Activity Procedure
Complete these steps:
Step 1 Return to the Cisco ISE admin portal in Firefox.
Step 2 Navigate to Operations > Troubleshoot > Diagnostic Tools and then General
Tools > TCP Dump.
Step 3 Examine the options and in the Filter field enter port 1812.
Note There is a bug in verison 2.3 that the ISE didn’t accept the filter. In this case use as filter
ip host 10.1.100.1.
Tip You can choose Raw Packet Data, and the data will be in libpcap format. Wireshark is a
free application that can open that file type.
Note The login for the switch depends on the TACACS lab done before! The standard login if
not done the TACACS lab would be admin with the password 1234QWer.
Note Another way to access the switch is via the RemotelabsClient topology overview by
clicking the Switch symbol. This will open a console session privilege level 15.
Step 8 Enter configuration mode and shut and not shut interface GigabitEthernet1/0/1
login as: employee1
Using keyboard-interactive authentication.
Password: 1234QWer
3k-access>en
Password: 1234QWer
3k-access#conf t
Enter configuration commands, one per line. End with CNTL/Z.
3k-access(config)# int gi1/0/2
3k-access(config-if)# shut
3k-access(config-if)# no shut
3k-access(config-if)# exit
Step 9 Return the Cisco ISE admin portal. You should have some traffic captured as
indicated by a file size of something other than 0 bytes.
Step 10 Click Stop
Activity Verification
You have completed this task when you attain this result:
You have captured RADIUS traffic at the Cisco ISE GigabitEthernet 0 interface and
examined it in human readable form.
374 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
(Optional) Lab 9-6: Report Operations
Complete this lab activity to practice what you learned in the related module.
Activity Objective
In this activity, you will explore some Report operation capabilities in Cisco ISE. After
completing this activity, you will be able to meet these objectives:
Run a report with Filters
Save scheduled Report
Designate a Report and save the Report in My Reports
Visual Objective
The figure illustrates what you will accomplish in this activity.
Required Resources
These are the resources and equipment that are required to complete this activity:
Admin PC
AD1
ISE-1
Activity Procedure
Complete these steps:
Step 1 Navigate to Operations > Reports. Then Reports > Endpoints and Users >
Top Authorizations by User.
Step 2 Click Filters and select Identity from the Dropdown. Click OK.
Step 3 In the Identity Store filter, enter *@demo.local to filter out all local and guest
authentications.
Step 4 Create a a filter with the settings from the screenshot below.
Note Do not close or leave this report. You will use it in the ne next task.
Activity Verification
You have completed this task when you attain this result:
You have run a report with a filter.
376 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Task 2: Saving and Scheduling Reports
In this task, you will schedule the filtered report from the last task to be run weekly.
Activity Procedure
Complete these steps:
Step 1 In the upper right corner of this report, click the Schedule button.
Attribute Value
Name Weekly_Top_AD_Authorizations
Description
Repository Admin_PC
Schedule
Frequency Weekly
At Time 6:00 AM
On Day Monday
Activity Verification
You have completed this task when you attain this result:
You have saved scheduled report.
378 Implementing and Configuring Cisco Identity Services Engine (SISE) v2.3 © 2018 Fast Lane.
Task 3: Favorite Reports
In this task, you will re-run a modified form of the report from the previous task and
designate the report as a favorite. The Favorite Report section is the one that opens by
default when entering the Reports section. Favoriting a reports makes it faster to execute in
the future.
Activity Procedure
Complete these steps:
Step 1 Navigate to Operations > Reports. Then Report Selector> Reports >
Endpoints and Users > Top Authorizations by User.
Step 2 Click the plus sign right of the Time Range filter and select Identity from the
Dropdown.
Step 3 In the Identity filter, enter *@demo.local to filter out all local and guest
authentications.
Step 4 Select the Time Range of Yesterday.
Tip If you ever desire to remove a report from My Report list, run the report and in the upper
right, select – My Reports.
Activity Verification
You have completed this task when you attain this result:
You have run and report and made it a My Report entry.